Possibility – scenario replay (implant Rootkit on BIOS causes ATM machine crazy)

The troubleshooting concept ideally that bring up hypothesis boldly while prove it conscientiously and carefully. Similar concept can apply to cyber incident investigation. Found that a security vulnerability found by security researcher Christopher Domas. The Intel chips design limitation is that vulnerability exists in the Advanced Programmable Interrupt Controller (APIC), which could allow an attack against the System. The management mode (SMM) memory area used by the operating system to interface with the boot environment like BIOS, EFI, or UEFI. An attacker can exploit this vulnerability to utilize the most privileged of execution modes and potentially overwrite secure features in the boot environment. Christopher Domas exploit uses the UEFI code features to install a rootkit sucessful during his POC in Black Hat conference. From techincal point of view, this is indeed a design limitation in CPU, it looks that we are not able to using 0x06000832 memory address. Notice that a new microcode patch is going to remediate this design limitation. The hacker implant rootkit to ATM system through malware infection through CPU design bug is a possible. The remaining issue is that how to execute infection to hundreds of ATM machines. The headline news did not provide the detail, if the investigator confirm all the ATM machines are compromised. We can speculate that the malware source might hidden in their SNA server farm or internal network. The Mainframe connectivity methodology from traditional by hardware controller integrate to LU 6.2 (APPN). The Cisco network products and specifics technology DLSW (Data Link Switch) can cope with Mainframe switch major node architecture. Thereby it is hard to say that ATM machine infrastructure is running in isolate network nowadays.

For more detail about memory sinkhole attack, please refer to below URL


For details about related articles, please refer to below URL for reference.

Digital world – digital dinosaur attack Taiwan ATM machine (crooks stolen estimated T$70m (US $2.2m))

The most hottest cyber attack topics happened last week. Yes, a DDOS attack occurred on HSBC UK and US web portals. But the crooks jailbreak ATM machines in Taiwan looks more attractive. Sound amazing, traditional ATM machines communication link run on private network (Frame relay or ATM OC3). It is indeed real time transaction process working with back end Mainframe system. From security point of view, the media type of connection is restricted and such a way reduces the risks on cyber attack and virus infection. Recall ATM incident occured in 2009. Russian nationality hackers found the vulnerabilities on ATM vendor side (DIEBOLD). They develop malware form attack implant to ATM system DLL file (Dbddev.dll). It looks impossible that infect of the ATM machine with malicious program to steal credit card details and PINs. But the hackers looks great, they can hooks the ATM system process successfully and gain the privileges. ThisTrojans as Troj/Skimer-A.

How was today? The digital dinosaur attack Taiwan ATM machine, crooks stole an estimated T$70m (US $2.2m).

The ATM incident happened in Taiwan banking system not belongs to DIEBOLD. They were made by German manufacturer Wincor Nixdorf. The video playback shown that hackers steal the money from from ATM machines might relies on their smart phone. Sound strange! Right?

Virtual realityReflections:

1. Without insertion of ATM Card can draw the cash

Possible causes: ATM machine operation system from earlier generation of IBM OS/2 migrate to windows OS platform. Is there any vulnerabilities occurs on window OS side. A critical security flaw announced by Microsoft last week, a printer spooler bug causes privileges escalation or MS16-087 for short.

2. The video playback shown that hackers steal the money from from ATM machines might relies on their smart phone. 

All ATM machines will go through backbone SNA gateway connected to backend system (Mainframe). From IT architecture point of view, SNA gateway located in data center sever farm. There is possibilities encounter malware infection during windows update processes. For example, do the DNS cache poisoning to return an incorrect IP address, diverting traffic to the counterfeit web site.

3. Well known OS platform

Windows based OS platform not difficult to implant a root kit to gain the control of the system. Hacker can through many channel to achieve their goal. For example, they will find the target person and company by SCAM mail. They can jump into the internal network and compromise the system when target person (victim) fall into their trap (compromised web site).

For more details about this incident, please refer to below URL:


Additional information:

Wincor-Nixdorf’s product catalog gives insight into the operating systems its ATMs currently support.

The ProCash 280 lists its compatible software as Windows XP Professional SP3, Windows POSReady 2009 and Windows 7.

Are there any security weaknesses to 4G mobile network? Or it is trustworthy?

Let’s review how cellphones work? Quick & Dirty

1G – frequency-division multiple access (so called analogue cellphones)

It divide the frequency band available into little segments and let each person send and receive on a slightly different frequency.

2G – time-division multiple access (so called digital cellphones)

Phone calls were transmitted by sampling the sound of people’s voices and turning each little segment into a numeric code. As well as sharing phone calls between different frequency bands. The design concept is that giving each phone user a short “time share” of the band. The mobile telephony system splits up every calls into digital chunks and sends each chunk at a slightly different time down the same frequency channel.

3G – code-division multiple access (so called high speed digital cellphones)

The fundamental design of idea for code division multiple access are sharing the features of both TDMA and FDMA.  So a number of different callers can use the same radio frequencies at the same time. The 3G networks are a combination of IP and mobile signalling protocols (SS7).

4G – orthogonal frequency-division multiple access (so called high speed broadband cellphones)

A evolution of the three earlier generation of technologies (TDMA, FDMA, and CDMA). With OFDMA technology, signals are digitally coded, chopped into bits, and sent on separate sub-channels at different frequencies. Since signal has been coded and therefore they are not interfere with each other on the same frequency. But the 4G mobile networks are all IP based network. The 4G LTE networks typically include a number of security features that make communications secure.

4G mobile network – Is it trustworthy?

As we know hacker can hack WhatsApp and Telegram by fooling the network causes by Signalling system 7. SS7 is vulnerable since 2008. Mobile phone network services provider has employed security experts to perform analysis of the SS7 systems in use to try and prevent unauthorised access. In the long run, SS7 might going to obsolete in future because of modern technology fast growing trend. The 3G networks are a combination of IP and mobile signalling protocols (SS7). From cellphones users assurance view point, it is better to migrate their services to 4G mobile network instead of 3G.

Just how secure is 4G?

With 4G technology, encryption is only mandatory over the main Radio Access Network (RAN). The traditional crypto and side-channel attacks, 4G security features are able to addressed. The out of band management on 4G network has security considerations. Since the ‘backhaul’ portion of the network is unencrypted by default. For those company integrate their IT infrastructure to 4G network, they must setup a site to site VPN tunnel (IPsec) connect to other side end point. The primary weakness in 4G security is that its use of cryptography does not provide end-to-end security. It only encrypts the traffic between the phone and the base station, but there is no encryption while the data is communicated over the wired network. This means that there is no security against a malicious or compromised carrier.

Unforeseen attack vector due to speedy network

The 4G cellphones that have been infected with malware and are under the control of hackers could also become part of a ‘botnet’, and be used to conduct more advanced attacks, due to the increased bandwidth of 4G. The average download speed for 4G LTE is about 20Mbps. It is faster than traditional 3G network speed 6 times. The Multicast Video delivery scheme in OFDMA-based 4G wireless networks, to optimize multicast video traffic. On the other hand multicast video delivery, which is vulnerable to malicious video flooding attacks. The cyber attack has been changed. From traditional non mobile type network migrate to mobile computing network. The high network speed boost up DDOS power unintentionally. This is the major factor cause distributed denial-of-service (DDoS) attacks rapidly increase.

Theoretical mobile network bandwidth infographic:

Additional key factor :

4G mobile network lure hackers engage cyber attack. It is a jump board. A critical flaw was discovered in the ASN.1 compiler used by leading telecommunications and networking vendors. ASN.1 is an essential ingredient for achieving the lightning-fast mobile broadband networks of the 21st century. Protocols such as 4G: LTE RRC, LTE S1/X2 and IEEE 802.16m WiMAX are defined using ASN.1. Since the extent of the vulnerability of ASN.1 has yet to be determined. And such a way let the 4G mobile network inherent risk increases.

Short term conclusion:

The 4G mobile network looks not secure compared to other mobile network.

Reference: Flaw found ASN.1 & SS7



The crypto key change of modern technology world – Mobile computing devices (BYOD)

The scandal of NSA hacking tools and surveillance program. Who’s the hero protect world wide privacy? The the largest market research firm (MarketsandMarkets) forecasts the global BYOD market to grow from $71.93 billion in 2013 to $266.17 billion in 2019. You might have question? How to protect your personal data privacy? Even though law enforcement especially NSA couldn’t cracked under normal circumstance?

The trend of security technology

A cryptographic algorithm, or cipher, is a mathematical function used in the encryption and decryption process. A cryptographic algorithm works in combination with a key—a word, number, or phrase—to encrypt the plaintext. The same plaintext encrypts to different ciphertext with different keys. As times go by, the encryption algorithm becomes more complex. Many encryption algorithm (3DES, AES, AES 256) appears in the world.

Steal crypto Key

If the hacker engage a side-channel attack,he must through brute force or by exploiting a weakness in the underlying algorithm. Since the crypto key store on hard drive. The simple idea is that extract the key and certificate in the disk.

In order to avoid steal crypto keys and certificates, Apple establish defensive mechanism.

Apple secure key store in the chipset. The Apple processor contains an on-board, AES cryptograhic key called the Global ID (GID) that is believed to be shared across all the current ‘iDevices’. This GID key is used to un-wrap the keys that decrypt the corresponding boot firmware code stored in system non-volatile memory .

Chipset architecture shown as below:

Microsoft’s struggle for balance and control (windows OS includes windows phone)

If the encryption key is stored in the operating system itself rather than using a hardware. It’s possible for hacker extract the keys and certificates. BitLocker disk encryption requires a TPM. TPM stands for “Trusted Platform Module”. It’s a chip on your computer’s motherboard that helps enable tamper-resistant full-disk encryption.

BitLocker Drive Encryption is built into the Windows 10 operating system and uses … TPM v1.2 Chip

TPM version 1.2 Chip – A very generic description of the TPM is that it performs RSA encryption, decryption, and signing in the hardware.

Atmel AT97SC3204T Trusted Platform Module



Meteor shower – Apple iPhone

It is hard to imagine that hacker can jailbreaks Apple iphone device over the air! Oh, a national level of action task can do anything! No need to mention this news too much. You can find out the details when you do a google search, right? OK, we discuss those vulnerabilities into a little bit details. There are total no. of three vulnerabilities found by security experts (CVE details shown as below):

CVE 2016-4657: WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

CVE 2016-4656: The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

CVE 2016-4655: The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.

Surprise, it jailbreak the iPhone over the air!

Step 1. Hacker lure the victim execute a click on SMS, a automatic redirect action engaged and forward iPhone to web site (sms.webadv.co) and download the payload immediately.The objective is going to delivery WebKit applications vulnerability.

Attacking WebKit Applications by exploiting memory corruption bugs:

Design weakness:

Every WebKit object is RefCountedBase object

Mobile Safari and most of WebKit Apps leak address – Fill in another object and use the JS pointer of the old object to read information of the new object



Step 2.1:  CVE-2016-4656 (Kernel Information Leak Circumvents KASLR)

It is the most difficult part because Kernel Address Space Layout Randomization
(KASLR) mapping the kernel into different and unpredictable locations in memory. The attacker has found a way to locate the kernel by using a function call leaks the kernel’s actual memory location to be mapped. For instance, it is possible to leak information about memory layout using format string vulnerabilities.

Remark: format string exploits can be used to crash a program or to execute harmful code

Step 2.2: CVE 2016-4657 (Memory Corruption in Kernel leads to Jailbreak)

The JavaScript core of WebKit uses JIT, to do this it require an area of memory which is both writable and executable. With the reverse engineer software like malware. A function so called “allocateJIT” is the perpetrator. If a syscall instruction is executed from within JIT shared memory. The malicious software  can execute privilege escalation.  The last stage is deploys a number of files deployed in a standard unix tarball.

Observation – Why was apple only release the patch can fix this design bug?

Predict that Apple added their own privilege checks in the kernel; only processes which pass these checks are allowed to use JIT.

Is that mean the national security agency can export the data from iphone? There is no need to request escrow key from Apple?

Since above flaws let mobile phone compromised. Hacker can remote control the phone for recording voice call, take photo shot send to their end. The personal data inside iphone is available to export. From technical point of view, there is no need to request escrow key! See how important of the overall design? Although the crypto mechanism  integrate to hardware mitigate the risk, however a flaw such a way crack down the Apple protection wall!




About xor DDOS malware

XOR DDOS – Tsunami SYN Flood ramping up to 140 Gbps attack against public network backbone.

XOR DDOS attack aggressive last year (2015). Xor DDOS attack triggers by Botnet. The attack capability able to reproduce 150Gbps attack vector. Since the coverage of mobile computing especially cellphone users on demand today. The OS kernel of mobile phone is linux. The architecture of XOR DDOS attack relies on botnet. And the attack target is Linux OS.
This type of attack growth rapidly today. The hackers through TCP 3502 port connect to victim device trigger attack.The objective of attacks are based on flood mechanism (Syn flood and DNS flood).

Historical changes of the MD-5 checksum values:

Oct 2015 – 238ee6c5dd9a9ad3914edd062722ee50

Oct 2015 – 2edd464a8a6b49f1082ac3cc92747ba2

Nov 2014 – fd3f2c810f4391be2e6b82429c53c318 (Attack target specify Linux OS)

Hackers custom cocktail attack mechanism:

SYN and DNS floods generated by the Xor.DDoS Malware have very specific characteristics. The payload consists of garbage memory data, this memory capable to store passwords and ssh private keys.

The attacker will send many SYN packs to victim host with multiple sources. The attack will be launched on port 22 (ssh). This attack is very effective if syn_cookies are turned off. Please be remind that syn_cookies turned off by default on Linux.SYN cookies are now a standard part of Linux and FreeBSD.

DNS floods are symmetrical DDoS attacks. These attacks attempt to exhaust server-side assets (e.g., memory or CPU) with a flood of UDP requests. Since DNS servers rely on the UDP protocol for name resolution, and is a Layer 3 attack. With UDP-based queries (unlike TCP queries), a full circuit is never established, and thus spoofing is more easily.

Design objective of XOR malware:

SYN Cookies is a simple DDoS defence today, and probably suitable for all Internet hosting including mail server and corporate web servers. 500 units of compromised mobile computing devices with an average 200 Kbs of bandwidth each launching an attack will fully utilize your 100Mbs network link.

Attack target:

From technical point of view, SYN Flood and DNS flood are effectively suspend the network connectivity and domain name lookup function. It clearly shown that engage this attack to ISP or Cloud services provider might bring a Tragedy to their business. As far as I know, ISP or Cloud services provider have mechanism to detect botnet in their network and monitor the malicious communications between bot and C&C server. But for victim hosts, since it is not run in the internal network. Even though you install malware detector, define Yara rule looks not help! I believed that this is one of the key topic which headache the ISP and cloud services provider.

For mitigation of the attack, a discussion will continuous on the next phase.