AirHopper Malware Uses FM Signals to Steal Data from Isolated Computers


Security researchers at the Cyber Security Labs at Ben Gurion University in Israel have developed a proof-of-concept malware that can transmit sensitive information between isolated networks and mobile phones using FM radio signals.

The researchers demonstrated a vulnerability in “air-gapped” networks, which have no physical connection (wired or wireless) to the external world and instead connect only directly or indirectly through a less secure network. Also, since a growing portion of modern smartphones contain FM radio receivers, a skilled attacker can use the AirHopper malware to infect a computer’s graphics card.

From there, they can configure a nearby smartphone to pick up radio signals with its DSP (Digital Signal Processing) chips, using the electromagnetic radiation emitted by the video display adapter. This combination of a transmitter with a widely used mobile receiver creates a command and control (C&C) channel where the attacker can easily transmit signals from the air-gapped network and translate the signal into text at a distance of up to 23 feet and a speed of 13-60 bytes per second.

Reverse Proxies Against Malicious Request Loops

Cloudflare reports that a reverse proxy is one of the best preventative strategies against loop attacks. Malicious request loops occur when an attacker can force multiple service providers to send each other an unending stream of web service requests in a loop. This request loop can result in attacks such as resource exhaustion and denial of service at the service provider.

Due to this vulnerability, reverse proxies are one of the best methods to mitigate constant request streams. While a forward proxy acts as an intermediary for its associated clients to contact any server, a reverse proxy acts as a “middleman” intermediary for its associated servers to be contacted by any client, which can hide the existence of the origin server or servers.

When an HTTP(S) request enters Cloudflare’s network, a reverse proxy returns a cached response for the request or makes a request to the website’s origin server and returns that response. When a request that comes through the network is not cached, Cloudflare creates a new request for the origin server. Outgoing requests get a “Via” header containing the HTTP protocol version of the incoming request under a specific pseudonym, such as “Via: 1.1 cloudflare.”

If a request comes into the network with “cloudflare” in the Via header, an error is returned, which short-circuits the loop. Ultimately, a proxy server can inspect and modify requests, which can significantly reduce and balance the load on its origin server from incoming requests and allow earlier steps to initiate takedowns against possible DoS or DDoS attacks.
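The Via-based loop check described above, written out as an added example (my code, not Cloudflare’s): the proxy parses the incoming Via chain, refuses requests that already carry its own pseudonym, serves cache hits, and stamps its hop onto anything it forwards. The 508 status for the short-circuit and the `origin` callback are assumptions for the example; the article only says “an error is returned.”

```python
from typing import Callable, Dict, List, Optional, Tuple

# Pseudonym this proxy stamps on forwarded requests; the article quotes
# "Via: 1.1 cloudflare", so the same token is used here.
PROXY_PSEUDONYM = "cloudflare"

Headers = Dict[str, str]
Origin = Callable[[str, Headers], Tuple[int, str]]


def parse_via(header: Optional[str]) -> List[Tuple[str, str]]:
    """Split a Via header into (protocol-version, pseudonym) hops.

    Each hop looks like "[HTTP/]version pseudonym [comment]"; hops are
    comma-separated, so "HTTP/1.0 edge-1, 1.1 cloudflare" is two hops.
    """
    hops: List[Tuple[str, str]] = []
    for hop in (header or "").split(","):
        parts = hop.strip().split()
        if len(parts) < 2:
            continue  # malformed hop: ignore it rather than trust it
        version = parts[0].split("/", 1)[-1]  # "HTTP/1.1" -> "1.1"
        hops.append((version, parts[1].lower()))
    return hops


def loops_back_here(headers: Headers) -> bool:
    """True if this proxy already appears in the request's Via chain."""
    return any(name == PROXY_PSEUDONYM for _, name in parse_via(headers.get("Via")))


def handle_request(path: str, headers: Headers, version: str,
                   cache: Dict[str, str], origin: Origin) -> Tuple[int, str]:
    """One reverse-proxy decision: short-circuit a loop, serve cache, or fetch."""
    if loops_back_here(headers):
        # Our own pseudonym is already in the chain: the request has been
        # around the loop once, so answer with an error instead of forwarding.
        # 508 Loop Detected (RFC 5842) is an assumed choice of status code.
        return 508, "loop detected"
    if path in cache:
        return 200, cache[path]
    out_headers = dict(headers)
    hop = f"{version} {PROXY_PSEUDONYM}"  # incoming protocol version + pseudonym
    prior = headers.get("Via")
    out_headers["Via"] = f"{prior}, {hop}" if prior else hop
    status, body = origin(path, out_headers)  # constructed stand-in for the origin
    if status == 200:
        cache[path] = body
    return status, body
```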

MiniUPnP Vulnerability

Universal Plug And Play (UPnP) allows Internet applications to configure home routers and gateways, bypassing manual port forwarding configuration. Networked devices can discover each other inside local networks and automatically establish working configurations that enable data sharing, media streaming, media playback control and other services.

However, UPnP can easily expose vulnerabilities when an attacker can target systems behind the firewall and expose sensitive information on the local network. MiniUPnP, a lightweight UPnP client, has a buffer overflow vulnerability (CVE-2015-6031) that affects devices communicating from behind a firewall. The vulnerability allows an attacker to execute remote commands on the target’s IoT device, with the potential to reach inside the local network and gain access to sensitive information there.

MiniUPnP is also used as a software implementation in peer-to-peer applications such as Tor or Bitcoin mining applications. Cisco observed an attack against the Bitcoin-qt wallet where attackers established a phony UPnP server on the local network that would serve up an XML file with long descriptors. Cisco offers Stack Smashing Protection (SSP) against buffer overflows, which protects vulnerable buffers on the stack with a stack cookie, or canary. The canary value, when destroyed by a stack buffer overflow, shows that a buffer preceding it in memory has been overflowed. By verifying the canary value, execution of the affected program can be terminated, neutralizing the potential attack.

Dridex Banking Malware

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems, and often targets British banks. Using a malicious spam e-mail with an Office document attachment, Dridex attempts to trick the intended target into opening the attached document. Once opened, the malicious macro-embedded document triggers the delivery of the Dridex malware, specifically TSPY_DRIDEX.WQJ, onto the target’s computer. As soon as it’s executed, Dridex monitors any banking-related activity and can steal banking credentials and then attempt to generate fraudulent financial transactions.

More recently, Dridex has evolved to include a new technique called DNS cache poisoning, which involves changing DNS settings to redirect a victim to a fraudulent banking site. After a target victim lands on the fake site, Dridex collects authentication credentials and two-factor authentication codes, which are sent to a command-and-control server and verified there.

Next Big Threat on IoT Devices: AI Malware

With the Internet of Things (IoT) trending this year, one of the emerging threats that could start appearing in IoT devices is threat morphing, or malware that evolves constantly to change its appearance while keeping its functionality intact. Typical defenses cannot counter or neutralize the threat because the malware will have assumed a different form by the time it’s discovered.

There are two types of threat morphing that contain this unique functionality: polymorphic code and metamorphic code. Polymorphic code mutates while keeping the original algorithm intact. While infecting new files, it changes its binary code by creating usable, slightly modified copies of itself. Polymorphic code has an encrypted virus program body (EVB) and a virus decryption routine (VDR).

When an infected application launches, the VDR decrypts the EVB back to its original form and the code will run as written. Once it has run, the virus is re-encrypted and subsequently added to another vulnerable host application. The polymorphic code is rewritten with each iteration into a more successful version so it can potentially morph into a sophisticated malware the longer it stays in the system and becomes even harder to detect.

On the other hand, metamorphic code is the more complex version: it is capable of changing both its code and its signature patterns, and often uses multiple transformation techniques including code permutation and expansion, code shrinking and garbage code insertion, and register renaming. Ultimately, it can constantly create variants of itself under some type of explication.
