The Open Source library of the Mars detector software is maliciously exploited.

Source: Internet
Author: User
Tags: palo alto networks


Palo Alto Networks recently released a report saying that open-source libraries used in Mars rover software have been maliciously exploited.

Phishing Attacks

According to the Palo Alto Networks report, on December 24, 2015, the Indian ambassador to Afghanistan received a phishing email carrying a new type of malware; if the attachment is opened and the payload installed, a backdoor is automatically placed on the computer. The email was spoofed and carried an RTF (Rich Text Format) attachment that exploited CVE-2010-3333, a stack overflow vulnerability in the Microsoft Office RTF parser. Once the exploit succeeds, the embedded package is automatically unpacked and installed on the computer. The Trojan it drops is the real threat.

Researchers named the malicious program "Rover" because it relies on the OpenCV and OpenAL open-source libraries.

FreeBuf Encyclopedia: OpenCV and OpenAL

OpenCV is a cross-platform computer vision library released under the BSD license (open source). It runs on Linux, Windows, and Mac OS operating systems.

OpenAL (Open Audio Library) is a cross-platform audio API for free software. It was initially developed by Loki Software to port commercial Windows games to Linux. Today the project is led by Creative Technology, with continued support from Apple and free-software/open-source enthusiasts.

Both have been used in well-known Mars exploration rovers. OpenCV in particular has a wide range of applications: human-machine interaction, object recognition, image segmentation, face recognition, motion recognition, motion tracking, robotics, motion analysis, machine vision, structure analysis, and vehicle safety.


Malicious attack steps

Once the malware is executed, it modifies the Registry so that it is started again after the computer restarts. Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System Application" = c:\system\WindowsSecurityService[2 or 32.16.exe.
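To turn the persistence indicator above into a triage check, here is an added Python example; it is not code from the Palo Alto Networks report or from FreeBuf. It parses a constructed .reg export of the HKCU Run key, flags a value named "System Application" or any Run entry whose executable lives under c:\system, and checks a host file listing for the files the report says the implant stages in that directory (screenshot.bmp, log.txt, camera.jpg). The executable file name in the sample is a placeholder; the registry data, file listing and user name are all constructed.

```python
import re
from typing import Iterable

# Constructed sample of a Windows registry export (.reg) of the per-user Run key.
# The executable file name is a PLACEHOLDER: the report names the
# c:\system directory and the "System Application" value name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"System Application"="c:\\system\\WindowsSecurityService_PLACEHOLDER.exe"
'''

# Indicators taken from the report: the Run value name and the staging directory.
SUSPICIOUS_VALUE_NAMES = {"system application"}
STAGING_DIR = "c:\\system\\"
# Files the report says the implant writes into the staging directory.
STAGED_ARTIFACTS = {"screenshot.bmp", "log.txt", "camera.jpg"}

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text: str) -> dict:
    """Parse the "name"="data" lines of a .reg export into {name: unescaped data}."""
    values = {}
    for line in reg_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            # .reg files escape quotes and backslashes with a backslash.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            values[m.group("name")] = data
    return values


def command_path(data: str) -> str:
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]


def suspicious_run_entries(values: dict) -> list:
    """Return (name, path, reason) for Run values matching the report's indicators."""
    hits = []
    for name, data in values.items():
        path = command_path(data)
        if name.lower() in SUSPICIOUS_VALUE_NAMES:
            hits.append((name, path, "Run value name matches the report"))
        elif path.lower().startswith(STAGING_DIR):
            hits.append((name, path, "executable lives in the c:\\system staging directory"))
    return hits


def staged_artifacts_present(file_listing: Iterable[str]) -> set:
    """Given file paths observed on a host, return the report's artifacts among them."""
    found = set()
    for p in file_listing:
        p = p.lower().replace("/", "\\")
        if p.startswith(STAGING_DIR) and p[len(STAGING_DIR):] in STAGED_ARTIFACTS:
            found.add(p[len(STAGING_DIR):])
    return found


if __name__ == "__main__":
    for name, path, reason in suspicious_run_entries(parse_run_values(SAMPLE_REG_EXPORT)):
        print(f"[!] Run value {name!r} -> {path}: {reason}")
    # Constructed directory listing standing in for a host triage export.
    listing = ["c:\\system\\screenshot.bmp", "c:\\system\\log.txt", "C:\\Users\\alice\\notes.txt"]
    print("staged artifacts present:", sorted(staged_artifacts_present(listing)))
```

On a live Windows host the same two functions can be fed from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and a directory listing of c:\system; the check is deliberately broad (any Run entry under c:\system, not just the one value name), since a renamed executable would otherwise slip past.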

The malicious program will execute the following six processes:

1. Heartbeat

Heartbeat consists of two core parts: heartbeat monitoring and resource management. Heartbeat monitoring can be performed over network links and serial ports, with support for redundant links; the two sides send each other messages announcing their current status.

If no message is received from the other party within the specified time period, that party is deemed to have failed, and the resource management module must be started to take over the resources or services on the other host. In practice, this means Rover checks in with the C2 server every five seconds.

2. Capture screenshots

Every 60 minutes, capture the desktop (c:\system\screenshot.bmp) and upload it to the C&C server in BMP format.

3. Search for files on removable storage devices

Every five seconds, look for a removable storage device and copy its contents to c:\system.

4. Record keystrokes

Every 10 seconds, record keystrokes and upload them to the C&C server. Storage location: c:\system\log.txt.

5. Search for specific files on the hard disk

Every 60 minutes, search for office documents and upload them to the attackers. File extensions: pdf, doc, docx, ppt, pptx, xls, and xlsx.

6. Install the complete backdoor program

In addition, the backdoor lets attackers take photos (c:\system\camera.jpg) and record video (via the webcam) and audio (via the microphone) whenever they choose.
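The five-second C2 check-in described under the Heartbeat function is the kind of fixed-interval behaviour a defender can spot in outbound connection logs. The following Python example is added here and is not part of the original article or of the Palo Alto Networks report; it runs over a constructed connection log (documentation-range IP addresses, invented timestamps and byte counts) and flags source/destination pairs whose inter-arrival times are nearly constant. The log format, the jitter threshold and the minimum event count are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed outbound connection log (not from the report), one event per line:
# "<ISO timestamp> <source host> <destination:port> <bytes sent>".
# 203.0.113.10 plays the C2 server; 198.51.100.5 stands in for ordinary browsing.
SAMPLE_FLOW_LOG = """\
2015-12-24T10:00:00 10.1.1.7 203.0.113.10:443 512
2015-12-24T10:00:01 10.1.1.7 198.51.100.5:443 40210
2015-12-24T10:00:05 10.1.1.7 203.0.113.10:443 518
2015-12-24T10:00:10 10.1.1.7 203.0.113.10:443 510
2015-12-24T10:00:15 10.1.1.7 203.0.113.10:443 512
2015-12-24T10:00:20 10.1.1.7 203.0.113.10:443 515
2015-12-24T10:00:25 10.1.1.7 203.0.113.10:443 511
2015-12-24T10:00:30 10.1.1.7 203.0.113.10:443 513
2015-12-24T10:00:31 10.1.1.7 198.51.100.5:443 1200
2015-12-24T10:00:35 10.1.1.7 203.0.113.10:443 512
2015-12-24T10:00:37 10.1.1.7 198.51.100.5:443 77
2015-12-24T10:00:40 10.1.1.7 203.0.113.10:443 512
2015-12-24T10:01:12 10.1.1.7 198.51.100.5:443 9000
"""


def parse_flows(log_text: str) -> dict:
    """Group event timestamps by (source, destination), each list sorted ascending."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_sent = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in flows.items()}


def beacon_candidates(flows: dict, min_events: int = 6, max_jitter: float = 0.2) -> list:
    """Return (src, dst, period_seconds) for pairs whose inter-arrival times are
    nearly constant: population stdev of the gaps divided by the median gap is
    at most max_jitter, over at least min_events connections (both thresholds
    are assumptions chosen for this example)."""
    out = []
    for (src, dst), times in flows.items():
        if len(times) < min_events:
            continue
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        if pstdev(gaps) / period <= max_jitter:
            out.append((src, dst, period))
    return out


if __name__ == "__main__":
    for src, dst, period in beacon_candidates(parse_flows(SAMPLE_FLOW_LOG)):
        print(f"[!] {src} -> {dst}: fixed interval of {period:.1f}s, consistent with a C2 heartbeat")
```

The same cadence test applied over a longer window would also surface the 60-minute screenshot and document uploads as a period of about 3600 seconds; in real traffic, implants often add random delay, so the jitter threshold has to be tuned against the environment's normal keep-alive traffic (NTP, update checks, chat clients) to keep false positives down.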

Although Rover lacks the sophistication of some newer malware, it appears to have successfully bypassed security systems and launched targeted attacks. For now, the most important thing is to understand this situation in order to avoid attack.

* Reference sources: Softpedia, Palo Alto Networks; compiled by FreeBuf editor dear rabbit, from FreeBuf hacker and geek (FreeBuf.COM)
