No need to shoot down drones! Many of them can now be hijacked

A security researcher has devised a method of hijacking a wide variety of radio-controlled airplanes, helicopters, cars, boats and other devices that use a popular wireless transmission technology.

The attack was developed by Jonathan Andersson, manager of the Advanced Security Research Group at Trend Micro DVLabs, and targets a “wideband, frequency-agile 2.4GHz signal protocol” called DSMx. This protocol is used in radio-control (R/C) toys, including in drones, that are owned by millions of users.

Andersson’s attack exploits weaknesses in DSMx and was presented in detail Wednesday at the PacSec security conference in Tokyo. The researcher built a device that he dubbed Icarus, using off-the-shelf electronic components and software-defined radio (SDR). With it, he can take over the control of drones or other R/C devices and lock out their real owners in seconds.


Read more here:: IT news – Security

Qualcomm agrees to buy NXP for over $37 billion

Microprocessor maker Qualcomm is spending its way out of a stagnating mobile phone industry, offering to buy NXP Semiconductors, a company with a strong position in automotive chips, for more than US$37 billion.

Qualcomm formalized its offer Thursday, barely a month after rumors began circulating that a deal was in the offing.

NXP has only just digested its own multibillion acquisition, of Freescale Semiconductor, which closed in December 2015.

The combination of Qualcomm and NXP will have annual revenue of around $35 billion, Qualcomm said. That’s still well behind the $55 billion Intel reported for its full fiscal year 2015, although catching up.


Read more here:: IT news – Hardware Systems

Microsoft adds macro blocker to Office 2013 to stymie old-school attackers

Microsoft yesterday said that it had added a malware-in-macros blocker to Office 2013 after customers demanded that it expand the feature beyond the latest version, Office 2016.

“The predominant customer request we received was for this feature to be added to Office 2013,” the Microsoft Malware Protection Center team wrote in an unsigned blog post Wednesday.

IT administrators have been able to block macros from running in Office 2016 since March. Enterprise IT staff can craft group policies to restrict macros, completely block them, or amplify the warnings users normally see before a macro is opened.


Read more here:: IT news – Security

Penclic Mini Keyboard K2 and NiceTouch T2 review: Input devices not worth your consideration

“Scandinavian design” is a term Americans typically equate with the minimalism and simplicity of Ikea, a wildly popular brand of international retail stores peddling Swedish-made furniture with frequently unpronounceable names. Although the stuff is well-made, assembling it can often be an exercise in frustration.

After spending time with a unique keyboard and trackpad combo manufactured in the same country, I’m now convinced Swedes are intentionally designing products for the sole purpose of making foreigners tear their hair out.

Mini Keyboard K2

Penclic Mini Keyboard K2 ($50 on Amazon) sounds like a great idea—a compact, low-profile wireless input device with soft touch keys and an ergonomic (dare I say Scandinavian?) design that slopes upward along the back. Only five millimeters thick, less than a foot wide, and just over six inches deep, the K2 looks nice and is small enough to consider portable.


Read more here:: IT news – Hardware Systems

How the Dyn outage affected Cloudflare

Last Friday the popular DNS service Dyn suffered three waves of DDoS attacks that affected users first on the East Coast of the US, and later users worldwide. Popular websites, some of which are also Cloudflare customers, were inaccessible. Although Cloudflare was not attacked, joint Dyn/Cloudflare customers were affected.

Almost as soon as Dyn came under attack we noticed a sudden jump in DNS errors on our edge machines and alerted our SRE and support teams that Dyn was in trouble. Support was ready to help joint customers and we began looking in detail at the effect the Dyn outage was having on our systems.

An immediate concern internally was that since our DNS servers were unable to reach Dyn they would be consuming resources waiting on timeouts and retrying. The first question I asked the DNS team was: “Are we seeing increased DNS response latency?” rapidly followed by “If this gets worse are we likely to?”. Happily, the response to both those questions (after the team analyzed the situation) was no.


However, that didn’t mean we had nothing to do. Operating a large scale system like Cloudflare that deals with the continuously changing nature of the Internet means that there’s always something to learn.

Back in July 2015 Dyn had an outage that also affected some of our customers and we changed our handling of so-called infrastructure DNS records in response to prevent a similar problem, from any provider, affecting Cloudflare.

Based on what we learned last Friday we are making some changes to our internal DNS infrastructure so that it performs better when a major provider is having problems or an outage (whether caused by DDoS or not). To understand those changes it’s helpful to take a look at the role of DNS and what we saw on Friday.

A little bit about DNS

The Domain Name System (DNS) provides an address book service for the Internet. It is responsible for converting the friendly, human-readable domain names we type into our web browsers to IP addresses for websites. Let’s walk through the life of an example web request to see where DNS plays a role.

We can start by entering a web address into our browser. The browser translates this name into an IP address so it can contact the server that’s hosting the page; it does this using DNS. We can make these DNS queries ourselves using the dig command line tool to see what values are returned.

$ dig A
;        IN  A

;; ANSWER SECTION:
    10  IN  A
    10  IN  A

The DNS data model is split into two core concepts, names and records. The name here is and the record type we have queried is A, which is used to store IPv4 addresses. There are other types of records for storing other types of data, e.g. AAAA records for IPv6 addresses. We can see from the answer above that there are two IPv4 addresses for; the browser picks one of these to use.

Records in the DNS also have an associated TTL which defines how long the data should be cached for; these records have a TTL of 10 seconds. This means the browser can store this information and skip making further DNS queries for the domain for the next 10 seconds.

For Cloudflare customers, the answer will contain our Anycast IPs instead of the origin ones (the IP addresses of the web hosting provider). The browser will then send requests to us, and we will serve content from our cache or proxy the request to the origin web server.

There are two common ways of configuring origins on Cloudflare. The first is to specify A and AAAA records, which explicitly provides us with the IP addresses of the origin. In this situation, our network knows ahead of time where it can contact the origin, so no further DNS resolution is required. For example, if uses Cloudflare and has specified 2001:db8:5ca1:ab1e as the IP address of the origin server in the Cloudflare control panel, we can connect directly to the origin server to retrieve resources.

The other is to use a CNAME, which is a pointer to another DNS name.

When our servers receive a request with the origin configured using a CNAME, we have to perform an external DNS lookup to resolve the target of the CNAME to IP addresses. This information is cached, based on the TTL defined on the CNAME record. In this case, our ability to serve content (that is not in the cache) entirely depends on an external DNS lookup to resolve the CNAME to IPs.

For example, suppose had set up a CNAME in the Cloudflare control panel pointing to it would be necessary to look up the IP address of before contacting the origin server.

In many cases the target of a CNAME is handled by a third party DNS provider. If the third party provider is unable to answer our query, we are unable to resolve the domain to an origin IP and cannot serve the request.

What Friday’s Dyn outage looked like

As Dyn says in their discussion of the DDoS attack there were three distinct waves. For Cloudflare that manifested itself in two periods during which our internal DNS query error rate spiked.

The first attack started at 1110 UTC and mostly affected DNS resolution on the US East Coast. This world map from our monitoring systems shows the Cloudflare data centers where the DNS error rate was spiking because of the Dyn outage.

The green dots on the map are Cloudflare data centers that were unaffected by the Dyn DDoS. The largest effect was on the US East Coast, although the attack had a knock-on effect in Singapore and some parts of Europe. This is most likely because the architecture of the Internet does not directly line up with geography. Locations that are physically disparate can sometimes appear ‘close’ on the Internet because of undersea cables or decisions on how to route traffic.

The chart shows the DNS error rate in each Cloudflare data center affected by the outage. It’s possible to see the attack ramp up rapidly and then remain sustained until Dyn was able to tackle it.

Later in the day the attackers returned with greater force and had a worldwide impact. This map shows the Cloudflare data centers seeing errors because Dyn was inaccessible. As you can see almost the entire planet was affected (with the exception of our China locations; we’ll return to why below).

Once again it’s possible to see the attack ramping up at 1550 UTC and continuing for some time. Dyn reports that the attack was fully mitigated at 1700 UTC.

Media and Dyn reported a third wave of attacks later on Friday, but Dyn mitigated that wave immediately and so fast that it did not have any effect on Cloudflare protected websites and applications and did not show up in our systems.

Why China was unaffected

During the most intense period of attack on Dyn our locations in China were almost completely unaffected. That’s because we handle DNS a little differently inside China.

To cope with sometimes fluctuating network conditions inside China our data centers are configured to keep DNS records for origin servers cached in our servers for longer than the rest of the world. This caching meant that even though Dyn was down and couldn’t be reached from anywhere (including China) we still had cached DNS records for sites that used Dyn on our China servers. Thus we were able to reach origin servers and continue serving content. That shows up as green dots on the map above.

Unfortunately, there’s a downside to hanging on to DNS records for a long time: if one of our customers changes their origin’s DNS records we’ll keep using the old DNS records and IP addresses. That could lead to downtime, or poor service.

The ideal system would recheck DNS records frequently so that changes are reflected quickly but in the event that the upstream DNS provider was unavailable (because of an attack or other outage) it would be able to use the DNS records it has cached.

Doing so is known as ‘serve stale while revalidating’. Our upstream DNS resolvers will cache records, checking frequently for changes. If the upstream DNS is unavailable, we’ll continue to serve from cache until it’s possible to refresh the DNS records.

We are testing and rolling out that change now and expect this to greatly diminish the impact of events similar to the Dyn DDoS for all of our customers who use CNAME’d DNS records that rely on a third-party DNS provider.
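As an added illustration (not Cloudflare’s own code), here is a small Python model of the serve-stale-while-revalidating behaviour described above for CNAME targets, replayed against a constructed upstream through a TTL expiry, a provider outage and an origin IP change; the name, TTL and IPs are made up, and the serve_stale=False path shows the pre-change behaviour where an outage fails the lookup.

```python
import time


class UpstreamUnavailable(Exception):
    """The external DNS provider hosting the CNAME target could not be reached."""


class FakeClock:
    """Constructed clock so the scenario can advance time without sleeping."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t


class FakeUpstream:
    """Constructed stand-in for a third-party DNS provider; records map name -> (ips, ttl_seconds)."""
    def __init__(self, records):
        self.records = dict(records)
        self.available = True

    def lookup(self, name):
        if not self.available:
            raise UpstreamUnavailable(name)
        return self.records[name]


class CnameTargetCache:
    """Caches resolved CNAME targets by TTL. With serve_stale=True an expired record is
    still returned when the upstream lookup fails, instead of failing the request."""
    def __init__(self, lookup, now=time.time, serve_stale=True):
        self.lookup = lookup
        self.now = now
        self.serve_stale = serve_stale
        self.entries = {}  # name -> (ips, expires_at)

    def resolve(self, name):
        """Return (ips, status) where status is 'fresh', 'refreshed' or 'stale'."""
        entry = self.entries.get(name)
        if entry is not None and entry[1] > self.now():
            return entry[0], "fresh"          # within TTL: answer from cache, no upstream query
        try:
            ips, ttl = self.lookup(name)      # TTL expired (or never cached): revalidate upstream
        except UpstreamUnavailable:
            if entry is None or not self.serve_stale:
                raise                         # nothing cached, or stale serving disabled: request fails
            return entry[0], "stale"          # provider down: keep serving the last known IPs
        self.entries[name] = (list(ips), self.now() + ttl)
        return list(ips), "refreshed"


def run_scenario(serve_stale):
    """Replay TTL expiry, an upstream outage and an origin IP change; return the observed answers."""
    clock = FakeClock()
    upstream = FakeUpstream({"origin.example": (["203.0.113.10"], 10)})
    cache = CnameTargetCache(upstream.lookup, now=clock.now, serve_stale=serve_stale)
    observed = []

    observed.append(cache.resolve("origin.example"))   # t=0: first lookup populates the cache
    clock.t = 5
    observed.append(cache.resolve("origin.example"))   # t=5: still within the 10s TTL
    clock.t = 20
    upstream.available = False                         # t=20: TTL expired and the provider is down
    try:
        observed.append(cache.resolve("origin.example"))
    except UpstreamUnavailable:
        observed.append((None, "servfail"))
    clock.t = 30
    upstream.available = True                          # t=30: provider back, origin IP has changed
    upstream.records["origin.example"] = (["203.0.113.20"], 10)
    observed.append(cache.resolve("origin.example"))   # the change is picked up on revalidation
    return observed


if __name__ == "__main__":
    for mode in (False, True):
        print("serve_stale =", mode, run_scenario(mode))
```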


The Internet is a shared space. Because companies, people, and institutions work together we have a global, connected network that allows us to work and play from almost anywhere. Cooperation means that we work together on standards and interoperability to keep the network running and evolving.

But the Internet is very complex and, as with many things, the devil is in the details and operating Internet infrastructure is a process of constant improvement. Although the Dyn DDoS felt scary to many people unfamiliar with how the Internet operates, such attacks result in a stronger network. Just as Cloudflare is making changes to its software and configuration, so are others across the net.

We are always looking to hire smart people interested in making DNS and the Internet better for everyone. Jobs can be found here.

Read more here:: CloudFlare

Privacy group shoots legal arrow at Privacy Shield

Privacy Shield, the legal agreement allowing businesses to export Europeans’ personal information to the U.S., is under fire.

An Irish privacy advocacy group has challenged the adoption of the decision in the EU’s second-highest court, Reuters reported Thursday, citing sources familiar with the case.

Privacy Shield entered effect in July, replacing the Safe Harbor framework, which had itself fallen victim to a legal challenge in October 2015. The new agreement supports transatlantic commerce worth US$260 billion, U.S. Secretary of Commerce Penny Pritzker has said, and has consequences for many companies offering cloud services to consumers.


Read more here:: IT news – Internet

Microsoft unveils Creative Update and the Surface Studio

NEW YORK — Microsoft yesterday announced a slew of software and app updates, as well as both improved and entirely new hardware devices. While rumors have floated around about the next Windows 10 update from Microsoft, suggesting it would carry the name “Redstone 2,” the update Microsoft unveiled is called Creators Update.

As its name suggests, it’s aimed at creators, which Panos Panay, chief of devices at Microsoft, emphasized extends to more than artists or those with jobs traditionally considered creative. Microsoft’s definition includes anyone who creates anything — be it in Word, PowerPoint, Excel or Photoshop. Panay says everyone should have intuitive, functional software that allows the user to create the best documents, images and files possible.

Continuity updates

It’s hard not to compare Microsoft to Apple. One of the strongest aspects of Apple products comes from its tightly knit ecosystem of apps and operating systems, which sync seamlessly across iOS and MacOS devices. You can go from your iPhone to iPad to MacBook without skipping a beat and Windows wants to bring that same convenience to its users.


With the Creators Update, you will gain more of this type of continuity with the capability to send text messages from any Android or Windows phone directly on your desktop, similar to iMessage. Your most commonly accessed contacts will also appear as bubbles in the task bar, allowing you to easily send, check or search all of your emails, messages and shared files with that contact. And if you want to share a photo or video, you can simply click the Share Charm in Microsoft Apps, which will instantly suggest your favorite contacts so you can share with one tap.

The Creators Update will start rolling out in the spring, but it will be free for all devices currently running Windows 10.

Surface Book improvements

While the highly rumored Surface Pro 5 never made the stage, Microsoft did announce updates to its Surface Book. The Surface Book, which is a high-performance notebook-tablet hybrid, has been updated to include an Intel Core i7 processor, improved graphics — which Microsoft claims will be three times better than those on the highest configuration of the 13-inch MacBook Pro — a second fan for cooling and a purported 16-hour battery life.

However, Microsoft remained silent on the device’s design, which ultimately remains the same. It’s notable because one of the biggest gripes of Surface Book users is the gap that exists between the display and the keyboard, which is a result of the hinge. It appears you will have to wait another year to see if that design issue is addressed. You can currently preorder the updated Surface Book and this new configuration will retail for $2,399.

Surface Studio

Microsoft also unveiled a new addition to the Surface family — the Surface Studio. A sleek, aluminum, all-in-one desktop computer. The Studio boasts a 28-inch display with 13.5 million pixels, which Panos noted is 63 percent more pixels than you’ll find in a 4K TV. According to Microsoft, the Surface Studio boasts the thinnest LCD screen ever created, measuring 1.33 millimeters, as well the thinnest overall touch-display at just 12.33 millimeters thin. The flexible display can also rotate back to a 20 degree drafting angle, making it a good fit for designers.


The Surface Studio retails for $2,999, and is available to pre-order. Microsoft did caution that the device will be in short supply with limited quantities available for the upcoming holiday season.

Surface Dial

Microsoft also introduced the Surface Dial, a small, spherical, puck-like device that acts as a companion to all Surface devices. In fact, it will be retroactively compatible with the Surface Pro 3, Surface Pro 4 and the first iteration of the Surface Book. Connected by Bluetooth, and running on two AAA batteries, the Dial can be used off to the side, almost like a mouse, using haptic feedback to interpret common gestures that will activate different actions on the display. The Dial lets you zoom in or out, manipulate content, select new colors to draw with, alter the perspective of a 3D image and change settings on the device such as brightness or volume, among a number of other features.

Alternatively, you can also press the device directly on the screen to bring up menus, working seamlessly as you navigate the display with the Surface Pen. This specific feature works only on the Studio, but it could mean a lot for artists — allowing them to use the Surface Pen in one hand, while navigating menus with the Dial, never having to put the Pen down once.

The Surface Dial will be available November 10, and will retail for $99; if you pre-order a Studio, you’ll receive the Dial for free with your shipment.

3D and HoloLens

Paint has been a standby Windows program and, for the most part, its form and function have remained the same. But with the Creators Update, Paint is getting an overhaul to include 3D technology. You will now be able to import 2D images and create 2D sketches that can be transformed into 3D images. There’s also integration with Minecraft, allowing you to create, share and 3D print your creations on a Microsoft community website, Remix 3D. 3D creations carry over into other programs as well, with the capability to import them into PowerPoint or Word to bring life to documents and presentations.

HoloLens also received some updates. Manufacturers such as Dell, Lenovo, Asus, Acer and HP will now sell VR headsets starting as low as $299. As demonstrated at the event, HoloLens will allow you to go on virtual vacations, relax in your virtual home, and access the same apps and programs you would on your desktop via VR goggles.


Read more here:: IT news – Hardware Systems

Inside the Gootkit C&C server


The Gootkit bot is one of those types of malicious program that rarely attracts much attention from researchers. The reason is its limited propagation and a lack of distinguishing features.

There are some early instances, including on Securelist (here and here), where Gootkit is mentioned in online malware research as a component in bots and Trojans. However, the first detailed analysis was published by researchers around two years ago. That was the first attempt to describe the bot as a standalone malicious program, where it was described as a “new multi-functional backdoor”. The authors of that piece of research put forward the assertion that the bot’s features were borrowed from other Trojans, and also provided a description of some of Gootkit’s key features.

In September 2016, we discovered a new version of Gootkit with a characteristic and instantly recognizable feature: an extra check of the environment variable ‘crackme’ in the downloader’s body. This feature was not present in the early versions. Just as interesting was the fact that we were able to gain access to the bot’s C&C server, including its complete hierarchical tree of folders and files and their contents.


As was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same – to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.

The Trojan’s main propagation methods are spam messages with malicious attachments and websites containing exploits on infected pages (Rig Exploit Kit). The attachment in the spam messages contained Trojan-Banker.Win32.Tuhkit, the small initial downloader that launched and downloaded the main downloader from the C&C server, which in turn downloaded Gootkit.

Examples of infected pages used to spread the Trojan

While carrying out our research we detected a huge number of the initial downloader versions that were used to distribute the Trojan – most of them are detected as Trojan.Win32.Yakes. Some of the loaders were extremely odd, like the one shown below. It clearly stated in its code that it was a loader for Gootkit.


Section of code from one of the initial downloaders

Some versions of Gootkit are also able to launch the main body with administrator privileges bypassing UAC. To do so, the main loader created an SDB file and registered it in the system with the help of the sdbinst.exe utility, after which it launched the bot with elevated privileges without notifying the user.

‘Crackme’ check

The new version of Gootkit is distinct in that it checks the environment variable ‘crackme’ located in the downloader body. It works as follows: the value of the variable is compared to a fixed value. If the two values differ, the bot starts to check if it has been launched in a virtual environment.


Checking the global variable in the downloader’s body

To do so, the bot checks the variable ‘trustedcomp’, just like it did in earlier versions.


Checking the bot’s body for launch in a virtual environment

The Trojan’s main body

The Trojan’s main file includes a NodeJS interpreter and scripts. After unpacking, the scripts look like this:


NodeJS scripts that make up the Trojan’s main body

The scripts shown in the screenshot constitute the main body of the Trojan. Gootkit has about a hundred various scripts, but they are mostly for practical purposes (intermediate data handlers, network communication DLLs, wrapper classes implementations, encoders etc.) and not of much interest.

The Trojan itself is distributed in an encrypted and packed form. Gootkit is encrypted with a simple XOR with a round key; unpacking is performed using standard Windows API tools. The screen below shows the first 255 bytes of the transferred data.


The Trojan’s packed body

The first three DWORDs denote the sizes of the received, unpacked and packed data respectively. One can easily check this by subtracting the third DWORD from the first DWORD, which leaves 12 bytes – i.e., the size of these variables.
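As an added example (not code from the Securelist analysis), the following Python parses the three-DWORD header described above and checks the received − packed = 12 invariant before undoing a round-key XOR on the payload. It assumes little-endian DWORDs, a plaintext header and a constructed key and payload, since the page gives neither the real key nor the compression format, and it does not model the decompression step.

```python
import struct

HEADER_SIZE = 12  # three DWORDs: received size, unpacked size, packed size


def xor_round_key(data, key):
    """XOR with a repeating (round) key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_packed_body(blob):
    """Parse the 12-byte header and check that received - packed == 12.
    Little-endian DWORDs are assumed. Returns the sizes and the still-packed payload."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob shorter than the 12-byte header")
    received, unpacked, packed = struct.unpack_from("<III", blob, 0)
    if received - packed != HEADER_SIZE:
        raise ValueError(f"header mismatch: received={received} packed={packed}")
    if received != len(blob):
        raise ValueError(f"expected {received} bytes, got {len(blob)}")
    return {"received": received, "unpacked": unpacked, "packed": packed,
            "payload": blob[HEADER_SIZE:HEADER_SIZE + packed]}


def decrypt_payload(blob, key):
    """Parse the header, then remove the round-key XOR from the payload (still compressed)."""
    parsed = parse_packed_body(blob)
    parsed["payload"] = xor_round_key(parsed["payload"], key)
    return parsed


def build_sample(packed_payload, unpacked_size, key):
    """Construct a sample blob in the described layout (not a real Gootkit artifact)."""
    enc = xor_round_key(packed_payload, key)
    header = struct.pack("<III", len(enc) + HEADER_SIZE, unpacked_size, len(enc))
    return header + enc


SAMPLE_KEY = b"\x5a\xa5\x3c"                # constructed key; the real one is not on the page
SAMPLE_PACKED = b"compressed-script-bytes"  # constructed stand-in for the packed NodeJS body


if __name__ == "__main__":
    blob = build_sample(SAMPLE_PACKED, 4096, SAMPLE_KEY)
    print(decrypt_payload(blob, SAMPLE_KEY))
```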

Stealing money

Interception of user data is done the standard way, via web injections into HTTPS traffic (examples of these web injects are shown below). After the data is sent to the C&C server, it is processed by parsers, each of which is associated with the website of a specific bank.


Fragment of parser code

Communication with the C&C

In the version of Gootkit under review, the C&C address is the same as the address from which the Trojan’s main body is downloaded; in earlier versions, these two addresses sometimes differed. While generating a request, the Trojan uses its unique User Agent – any request that does not specify a User Agent will be denied.


The unique GootKit User Agent

Communication with the C&C comes down to the exchange of a pre-defined set of commands, the main ones being:

  • Request a list of files available to the Trojan (P_FS:FS_READDIR);
  • Receive those files (P_FS:FS_GETFILE/FS_GET_MULTIPLEFILES);
  • Receive update for the bot (P_FS:FS_GETFILE);
  • Obtain screenshot (P_SPYWARE:SP_SCREENSHOT);
  • Upload list of processes (P_SPYWARE:SP_PROCESSLIST);
  • Terminate process (P_SPYWARE:SP_PROCESSKILL);
  • Download modules (P_FS:FS_GETFILE);
  • Receive web injects (P_SPYWARE:SP_SPYWARE_CONFIG).


The bot’s main commands and sub-commands

The C&C addresses (two or three in number) are hardwired in the loader’s body and can also be saved in the registry. The body of the data packet may vary depending on the request type, but always includes the following variables:

  • Size of data packet, plus eight;
  • Check value XORed with a constant;
  • Command type;
  • Command sub-type.

In the screen below, the C&C requests registration information from the bot during its first launch.


Request from C&C, example of variables

The response in this case will contain detailed information about the infected computer, including:

  • Network adapter parameters;
  • CPU details, amount of RAM;
  • User name, computer name.

Regardless of the request type, data is exchanged between the C&C and the bot in the protobuf format.

When the main body is downloaded, the address that the loader contacts typically ends in one of the following strings:

  • /rbody32;
  • /rbody64;
  • /rbody320.

Mystery solved…rather easily

We found a configuration error that often appears on botnet C&C servers and took advantage of it to capture a complete tree of folders and files, as well as their contents, from one of the GootKit C&C servers.


Contents of GootKit C&C server

The C&C server contains a number of parsers for different banking sites. These parsers are used (provided the user data is available) to steal money from user accounts and to send notifications via Jabber. The stolen data is stored in text files, with the infected computer’s IP address used as the file name.


Stolen data and logs on the bot’s C&C server


Example of stolen data in one of the text files

Other data (bank transfers and logs) is also stored in text file format.


Parser logs

An analysis of the bot’s web injects and parser logs has shown that the attackers primarily target the clients of German and French banks.


Distribution of web injects across domain zones


Excerpts from parser logs

Analysis of the server content and the parsers made it clear that the botnet’s creator was a Russian speaker. Note the comments in the screen below.


A fragment of script including the author’s comments in Russian

Moreover, Gootkit most probably has just one owner – it’s not for sale anywhere and, regardless of the downloaders’ modifications or type of admin panel, the code in NodeJS (the Trojan’s main body) is always the same.


Examples of Gootkit web injects


Gootkit belongs to a class of Trojans that are extremely tenacious, albeit not very widespread. Because it’s not very common, new versions of the Trojan may remain under the researchers’ radar for long periods.

It should also be noted that using NodeJS as a development platform imposes certain limitations on the Trojan’s authors, but simultaneously gives them a substantial degree of flexibility and simplicity when creating new versions of the Trojan.

Kaspersky Lab’s security products detect the Trojan GootKit and all its associated components under the following verdicts:

  • Trojan-Banker.Win32.Tuhkit (the initial downloader distributed via emails);
  • Trojan.Win32.Yakes (some modifications of the main downloader);
  • HEUR:Trojan.Win32.Generic (the bot’s main body, some modifications of the downloader).



Read more here:: Securelist