Information Security News
WikiLeaks has published what it says is another batch of secret hacking manuals belonging to the US Central Intelligence Agency as part of its Vault7 series of leaks. The site is billing Vault7 as the largest publication of intelligence documents ever.
Friday's installment includes 27 documents related to "Grasshopper," the codename for a set of software tools used to build customized malware for Windows-based computers. The Grasshopper framework provides building blocks that can be combined in unique ways to suit the requirements of a given surveillance or intelligence operation. The documents are likely to be of interest to potential CIA targets looking for signatures and other signs indicating their Windows systems were hacked. The leak will also prove useful to competing malware developers who want to learn new techniques and best practices.
"Grasshopper is a software tool used to build custom installers for target computers running Microsoft Windows operating system," one user guide explained. "An operator uses the Grasshopper builder to construct a custom installation executable." The guide continued:
At this point, Ars readers have heard countless tales of computer users being forced to pay significant sums to unlock files encrypted with malicious ransomware. So we were a bit surprised when word started to trickle out about a new bit of ransomware that doesn't ask for money. Instead, "Rensenware" forces players to get a high score in a difficult PC shoot-em-up to decrypt their files.
As Malware Hunter Team noted yesterday, users on systems infected with Rensenware are faced with the usual ransomware-style warning that "your precious data like documents, musics, pictures, and some kinda project files" have been "encrypted with highly strong encryption algorithm." The only way to break the encryption lock, according to the warning, is to "score 0.2 billion in LUNATIC level" on TH12 ~ Undefined Fantastic Object. That's easier said than done, as this gameplay video of the "bullet hell" style Japanese shooter shows.
As you may have guessed from the specifics here, the Rensenware bug was created more in the spirit of fun than maliciousness. After Rensenware was publicized on Twitter, its creator, who goes by Tvple Eraser on Twitter and often posts in Korean, released an apology for releasing what he admitted was "a kind of highly-fatal malware."
In a previous diary, I explained how pictures may affect your website reputation. Although asuggestedrecommendation was to prevent cross-linking by using the HTTP referer, this is a control that I do not implement on my personal blog, purely for research purposes. And it successfully worked!
As you can see a group of website defacer (MagelangN00bs) is using a direct link to an image on my blog as favicon file. I think that they used my image because it looks like the Indonesian flag with a black hat width:800px" />
Well, nothing fancy, just a logo, some nasty music... Let width:800px" />
And what about the targets? After cleaning the referers (Google being of course the top-1), 90 websites were reported as defaced. Some examples:
The group is still active and new websites are defaced almost every day. Once again, this is agood example of the power of HTTP referers.
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant