WannaCry kill switch hero faces new charges.




     The FBI's new charges against Marcus Hutchins have led to the Kronos banking trojan and the UPAS Kit backdoor being linked in the news over the past week. A new analysis this week shows that the similarities between the two are not conclusive. Hutchins came to public attention in May of last year after discovering a hardcoded "kill switch" for the WannaCry ransomware that stopped the infamous campaign in its tracks. He was hailed as a hero by the security community, given that WannaCry was at the time wreaking havoc in more than 150 countries, impacting large and small companies alike and causing millions in damages worldwide.

     The accolades didn't last: in August 2017, the FBI charged him with cybercrime for contributing to the development of the Kronos malware. Kronos has been around since June 2014, according to Malwarebytes, and began life as a banking trojan with ties to the leaked Zeus source code, as its name suggests. More recently, according to an analysis from Proofpoint, criminals have been seen using it as a downloader for follow-on malware, like point-of-sale skimmers. Hutchins, who is living in California on bail while he awaits his court date, was handed fresh charges last week: the FBI is now alleging that he conspired with the same person who first advertised Kronos on the Dark Web, a Russian speaker known as Vinnyk, according to Malwarebytes. The alleged conspiracy was to distribute the UPAS Kit malware, a backdoor spy-bot that is mainly used in the wild to download other malicious components.




     Despite the differences between the payload functions, researchers decided to take a look at the two codebases to see if any links could be made. Both pieces of malware operate as user-land rootkits, i.e. malware that uses various techniques to cover its own tracks and hide from system monitoring mechanisms. These are not very common in the wild in general. In a comparison of the UPAS Kit and the Kronos banking trojan, researchers also found a few other areas of overlap. For instance, UPAS Kit uses multiple low-level ntdll functions and resolves their addresses at run-time.

     While it may serve as a way to thwart analysis, this is not a very sophisticated trick on its own. A similar method is used in the Kronos malware to achieve the same goal; however, in Kronos the function names are not kept in cleartext in the binary, but as string hashes. There is also some overlap in the order of the loaded functions, that is, the order in which the table entries reside within the binary. There is a similarity in the implementation of the MD5 function, in that both create a mutex name in a similar manner. When it comes to conducting a successful injection, UPAS Kit and Kronos take different tacks, but both attempt to elevate the malware's process token to SeDebugPrivilege, which is not mandatory for the injection to succeed.
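The string-hashing trick described above (function names stored as hashes rather than in cleartext) is usually undone by an analyst with a reverse lookup: hash every candidate export name with the suspected algorithm and match the results against the values found in the sample. The script below is an added example of that workflow; it is not code from the article, from Kronos or from UPAS Kit. Because the article does not say which hash Kronos uses, it tries two common stand-ins (a ROR-13 rolling hash and CRC32), and the export-name list is a constructed sample rather than a real ntdll.dll dump; a real run would feed it the parsed export table of the DLL.

```python
"""Reverse-lookup tool for hashed API names (added example; see lead-in)."""
import zlib
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample of candidate export names. A real run would use the
# full export table of the target DLL (e.g. parsed from ntdll.dll on disk).
SAMPLE_EXPORTS: List[str] = [
    "NtQuerySystemInformation",
    "NtOpenProcess",
    "NtWriteVirtualMemory",
    "NtProtectVirtualMemory",
    "NtCreateThreadEx",
    "NtClose",
]


def ror13_hash(name: str) -> int:
    """32-bit ROR-13 rolling hash: rotate right by 13, then add the next byte.
    A stand-in algorithm; the article does not state which hash Kronos uses."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


def crc32_hash(name: str) -> int:
    """CRC32 of the ASCII name, another stand-in candidate."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


# Candidate algorithms, tried in this order.
HASHERS: Dict[str, Callable[[str], int]] = {
    "ror13": ror13_hash,
    "crc32": crc32_hash,
}


def build_lookup(names: Iterable[str], hasher: Callable[[str], int]) -> Dict[int, str]:
    """Map hash -> export name, refusing a table that would be ambiguous."""
    table: Dict[int, str] = {}
    for name in names:
        h = hasher(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision {h:#010x}: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int],
                   names: Iterable[str] = SAMPLE_EXPORTS) -> Optional[Tuple[str, Dict[int, str]]]:
    """Return (algorithm, {hash: name}) for the first candidate algorithm that
    resolves every hash, or None when no candidate explains all of them."""
    wanted = list(hashes)
    candidates = list(names)
    for algo, hasher in HASHERS.items():
        table = build_lookup(candidates, hasher)
        if wanted and all(h in table for h in wanted):
            return algo, {h: table[h] for h in wanted}
    return None


if __name__ == "__main__":
    # Constructed "sample": hash values as they might sit in a binary's table.
    unknown = [ror13_hash("NtOpenProcess"), ror13_hash("NtWriteVirtualMemory")]
    result = resolve_hashes(unknown)
    if result is None:
        print("no candidate hash algorithm resolved all values")
    else:
        algo, mapping = result
        for h, name in mapping.items():
            print(f"{h:#010x} -> {name} ({algo})")
```

Refusing a colliding table matters more than it looks: an analyst who acts on a wrongly resolved name draws the wrong conclusion about what the sample does, so an ambiguous hash should surface as an error rather than a silent guess.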



     Meanwhile, researchers found that UPAS Kit and Kronos also differ substantially. For instance, both try to avoid detection by identifying the ThreatExpert sandbox and by checking whether VMware is running, but how the equivalent checks are made differs quite a bit. Kronos' checks cover more scenarios than UPAS Kit's, which may imply that the evasion procedures were written by different authors, or by the same one taking a different approach to the problem.

     The reverse-engineering analysis also uncovered that the hooking method used by Kronos is different from that of UPAS Kit, even though here too there are similarities. Although both conduct inline hooking, Kronos uses a more stable and safe implementation. Inline hooking introduces a concurrency issue: if a context switch occurs before all of the stolen bytes have been overwritten, a call to the hooked function may cause a crash because its code is not in a consistent state. The Kronos hooking method avoids this by writing the prologue bytes atomically with the "lock cmpxchg8b" instruction. The hooking engine of UPAS Kit is a lot simpler and instead carries out an unsafe, non-atomic write with the WriteProcessMemory function. When it comes to the hook functions themselves, eight of them appear in a similar form within Kronos and serve the exact same purposes. This suggests that part of the rootkit component in those binaries was possibly reused.
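Inline hooks of the kind described above are commonly found from the defender's side by comparing a function's in-memory prologue with its on-disk copy and decoding any jmp rel32 that has been written over it. The script below is an added example of that comparison, not code from the article or from either malware family; the function names, addresses and byte patterns are constructed sample data for this example and are not copied from real modules.

```python
"""Inline-hook detection by prologue comparison (added example; see lead-in)."""
from typing import Dict, List, Optional

PROLOGUE_LEN = 8  # bytes compared per function; a constructed choice

# Constructed sample data: for each exported function, the first bytes as read
# from the module on disk and as read from the live process. Addresses and
# byte patterns are made up for this example.
SAMPLE_FUNCTIONS: List[Dict] = [
    {   # hooked: the prologue was replaced by a jmp rel32 to 0x20000000
        "name": "NtOpenProcess",
        "address": 0x10001000,
        "disk_bytes": bytes.fromhex("4c8bd1b826000000"),
        "memory_bytes": bytes.fromhex("e9fbefff0f000000"),
    },
    {   # untouched: memory matches disk
        "name": "NtClose",
        "address": 0x10001040,
        "disk_bytes": bytes.fromhex("4c8bd1b80f000000"),
        "memory_bytes": bytes.fromhex("4c8bd1b80f000000"),
    },
    {   # patched, but not with a jmp rel32 (here a push imm32 / ret pair)
        "name": "NtWriteVirtualMemory",
        "address": 0x10001080,
        "disk_bytes": bytes.fromhex("4c8bd1b83a000000"),
        "memory_bytes": bytes.fromhex("6800000020c30000"),
    },
]


def decode_jmp_rel32(code: bytes, address: int) -> Optional[int]:
    """If `code` located at `address` starts with an x86/x64 `jmp rel32`
    (opcode E9), return the absolute branch target. The 32-bit displacement
    is signed and relative to the end of the 5-byte instruction."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (address + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def classify_prologue(entry: Dict) -> Dict:
    """Compare the on-disk and in-memory prologue of one function."""
    disk = entry["disk_bytes"][:PROLOGUE_LEN]
    mem = entry["memory_bytes"][:PROLOGUE_LEN]
    result = {"name": entry["name"], "address": entry["address"]}
    if disk == mem:
        result["status"] = "clean"
        return result
    target = decode_jmp_rel32(mem, entry["address"])
    if target is not None:
        result["status"] = "inline_hook"
        result["target"] = target
    else:
        # Differs from disk but is not a plain jmp: another trampoline style,
        # a partially written hook, or an unrelated patch. Needs manual review.
        result["status"] = "modified"
    return result


def find_inline_hooks(entries: List[Dict]) -> List[Dict]:
    """Return only the functions whose in-memory prologue differs from disk."""
    return [r for r in map(classify_prologue, entries) if r["status"] != "clean"]


if __name__ == "__main__":
    for finding in find_inline_hooks(SAMPLE_FUNCTIONS):
        line = f"{finding['name']:<24} {finding['status']}"
        if "target" in finding:
            line += f" -> {finding['target']:#x}"
        print(line)
```

In practice the comparison is made after applying the module's relocations to the on-disk image, and legitimate hooks placed by security products show up as differences too, so findings are triaged by which module owns the jump target rather than treated as verdicts on their own.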