Information security digest, 18.10-18.11

DDoS attack without head… A powerful and very unusual DDoS attack was discovered in mid-October. The attack was unusual in that it employed a version of the Phantom JS headless

DDoS attack without head…

A powerful and very unusual DDoS attack was discovered in mid-October. The attack was unusual in that it employed a version of the Phantom JS headless browser toolkit, which is a Web app developer’s tool for testing and simulating user browsing of an application. It mimics human behavior so effectively that it’s a challenge for mitigation services to deal with. Apparently, the Phantom JS was used for the first (and probably not the last) time to organize a DDoS attack.

Read more


…And without help

Another atypical DDoS attack was detected in late September. It was a massive nine-hour barrage that leveled an unrelenting 100 Gigabits of traffic at its peak. The most outstanding thing about this attack was that it did not use any amplification (like DNS reflection), which means they had 100 Gigabits of available bandwidth on their own.

Read more


Spreading malware in Dropbox

In October, criminals targeted Dropbox users with a bogus password reset email that, when clicked, infected victims’ machines with a Zeus-family malware. The authors of the fake messages used traditional methods of social engineering techniques to lure gullible users to malicious pages. Although for some reason these pages imitated pages of Microsoft, not Dropbox. The fake page claimed the user’s browser was out of date and needed to be updated. The criminals suggested downloading a new version of Internet Explorer, Chrome or Firefox. Clicking anything in the linked notification page downloaded a file ieupdate.exe. The file was a Trojan that is part of the Zeus family.

Read more

The end of October and the first half of November proved to be filled with somewhat ‘exotic’ incidents


Facebook Android application bug as a hacking tool

The vulnerability in the official Facebook and Facebook Messenger apps for Android allows any app on an Android device to read and capture the Facebook access token and hijack the Facebook account. The discovered bug affected the official Facebook and Facebook Messenger apps for Android, both of which are designed to send requests via a secure HTTPS connection. All users of Facebook apps for Android are strongly recommended to change their passwords.

Read more


Bitcoin possibly cracked, but most likely not

A serious scandal erupted in early November concerning online crypto-currency Bitcoin. Two Cornell University experts, Ittay Eyal and Emin Gün Sirer, published a new academic paper that said there is a fundamental flaw in the Bitcoin core protocol that could allow a small cartel of participants to become powerful enough to take over the mining process and gather a disproportionate amount of the value in the decentralized system. To avoid this, you need a practical fix to the protocol that is easy to deploy and will guard against the attack as long as 3/4ths of the miners are honest.

Although fairly soon after Eyal and Sirer made their arguments, they were disproved by other experts who claimed that the authors of the paper made conclusions based on several false assumptions.

The article by Eyal and Sirer, like any other academic work, is going to be reviewed and revised by experts, and the process may take a long time.

Meanwhile, in the heart of Vancouver, Canada the world’s first ATM opened to convert bitcoins to Canadian dollars and vice versa.

Additional information



Zero day exploit for Microsoft Word

A few days ago Microsoft released a bulletin that described a newly discovered vulnerability (CVE-2013-3906) in several flagship products of the company and reported some detected exploits for it. Attackers have already been using them for targeted attacks.

The vulnerability is a remote code execution vulnerability that exists in the way Microsoft Office/Microsoft Word handle specially crafted TIFF images. The detected exploits use the heap spray technique by writing their own code to the address 0x08080808 in the heap – the area of application’s dynamically allocated memory.

Read more


The safe was not safe

The Australian service, which advertised itself as the most secure bitcoin wallet, was compromised twice. According to the explanation posted on the site of the service, the attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker also managed to bypass 2FA due to a flaw on the server host side. The two hacks totaled about 4100 BTC, which is equal to about $1.2 million.

Read more


Google as evidence

In early November unidentified attackers found a way to leverage Google search engine bots to help launch SQLi attacks against websites.

In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B. Search engine bots are seldom shunned so their use by criminals is quite dangerous.

Read more: [1], [2]


AutoCAD Trojans

Security experts from China found two new AutoCAD Trojans. The only purpose of the Trojans was to change the start page of the browser on users’ computers to show unsolicited advertising or point to some navigation site, so that the owner of the site can get a large amount of web traffic, which can then be converted into large sums of money.

Trojans that change the start page settings are not new. Kaspersky Lab specialists have dealt with them as well as with malware for AutoCAD. However, these are the first Trojans that changed the settings of the browser from AutoCAD only.

So far the new Trojans have spread to China, India and Vietnam.

Read more


Attack on the battlefield

The PC version of Battlefield 4 became the target of a powerful DDoS attack, leaving the game unplayable for some. The attack may result from numerous players’ discontent with the quality of the long anticipated game. Battlefield 4 players encountered excessive bugs in the purchased game.

Read more