South Korea suspected as the source of “DarkHotel”, the hacking group that breaks into foreign hotels

Hotel guests are being quietly compromised. When you try to use the WiFi in a five-star hotel, a pop-up dialog tells you to update Adobe software. You helplessly click “download”, and what you get is a malicious .exe file.

What you don’t know is that these sophisticated hackers have been lurking in the hotel’s network for days, just waiting for you to take the bait. They planted the malware on the network a few days before you arrived, and they remove it again a few days after you leave.

This is not my invention; it is the conclusion that Kaspersky Lab and a third-party company responsible for hotel WiFi reached after investigating hotels in Asia. Kaspersky says the hackers have been active for at least seven years, carrying out surgically precise attacks on guests of some luxury hotels in Asia, and also attacking through spear-phishing and peer-to-peer (P2P) networks.

Kaspersky’s researchers named the group DarkHotel. Other security companies that tracked only its spear-phishing and P2P-network attacks call it Tapaoux. The group can be traced back at least to 2007, and it uses a mix of sophisticated tools and more pedestrian techniques to lure victims into taking the bait. Going after high-value targets through hotels is a creative and bold move.

Over time, as its operation grew, the group gradually spread to more hotels and guesthouses. Most of the targeted hotels are in Asia; some are in the United States. Kaspersky said it would not publish the names of the hotels, but mentioned that the hotels were not very cooperative with the investigation.

Hacking capabilities on a par with the NSA

The hackers’ tools include zero-day exploits and a kernel-mode keylogger. The zero-days support the spear-phishing attacks, and the kernel keylogger lets the attackers steadily extract important data and information from a victim’s computer. They have also broken some relatively weak digital-signature keys and generated their own certificates, which they use to sign their malware so that it masquerades as legitimate software.

It is clear that this adversary is very capable and poses a serious threat. Their use of a kernel keylogger is extremely rare, and that, together with the reverse engineering of certificates and their command of zero-day exploits, is enough to place them in the world’s top tier.

Their attacks center on nuclear power, and they have also put America’s defense industrial base on their target list.

The spear-phishing targets are wide-ranging, mostly high-profile people at the executive level: media executives, directors of Asian organizations, officials of government agencies or non-governmental organizations, and executives in the United States. Their main targets appear to be in Korea, Japan and India. A spokesman said that almost all Asian organizations connected with nuclear power have been within the scope of the attacks; the attacks apparently center on nuclear energy. Even executives in the US defense base, and executives around the world involved in economic development and investment, are their “fish”. Worryingly, they recently conducted a raid on America’s defense industry.

The hackers seem to adopt a two-pronged strategy: sweep up many victims through P2P activity, then pick out targets precisely with spear-phishing. In the P2P attacks, the initial stage infected tens of thousands of victims with botnet malware. If, in the process, the hackers found that an infected victim’s identity was interesting and worth exploring, they selected that person for further action: installing a “back door” on the system and “stealing” all of the files and data.

As of recently, the hackers had set up about 200 command-and-control servers to carry out their attacks. Kaspersky roughly identified 26 server locations and gained access to some of them. The server logs they could see recorded a great many infected systems. The hackers’ own logs thus became the medium through which the researchers could build a “safety case” for the bot malware, and they tell us that the group did not prevail in the P2P competition. In October the hackers shut down many servers, presumably because they realized that Kaspersky’s researchers were on their trail.

Raiu, speaking for Kaspersky, said that behind every emergency server shutdown is a panic they do not want you to see.

All signs point to South Korea

That panic may be because the indications are that the source of these activities is South Korea, a key ally of the United States. The researchers found that if a machine’s code page points to South Korea, the malware automatically shuts itself down. Korean has been found in the hackers’ logs, and the code seems to be connected to a South Korean coder.

The nature of the keylogger and of the remote shutdown suggest to us that DarkHotel is very likely a nation-state activity, or at least one backed by a government. If that is really so, it is very embarrassing for our defensive security.

Raiu told everyone that this keylogger is the most sophisticated and best-made one he has encountered in all his years as a security researcher. Kernel-mode malware is very rare and hard to stop. Because it runs in the machine’s kernel rather than at the user-mode level of ordinary software, it is very hard for general antivirus software or detection systems to discover. But using kernel malware to full effect also requires great caution, because it can easily crash the whole system.

Vitaly Kamluk, a principal security researcher at Kaspersky Lab, put it this way: kernel-level technique is very rare and demands high skill. You have to run all kinds of tests very carefully to ensure its stability.

Raiu also said that choosing kernel malware is actually a strange thing to do, because a keylogger can be embedded in a user-mode application with just four lines of code. But this group prefers to capture keyboard input in the kernel, which takes 300 bytes; this is very unusual, even crazy. Seen from another angle, the people doing it are full of confidence in their own coding skill. They know their code is irreplaceable.

Raiu speculates that the new keylogger is a well-designed derivative of a kernel keylogger originally written in 2007 by a South Korean programmer named Chpie. The earlier one was not as complex as the current one, but it can still be seen that they use the same code, so the current one is an updated version.

Besides the sophisticated keylogger, the hackers’ use of digital certificates to sign their malware also makes us suspect official government support behind it. The hackers found that certificate authorities in Malaysia and at Deutsche Telekom had signed certificates using 512-bit keys. A 512-bit key is very weak; it is easy for hackers to break, generating their own certificates that let them sign their malware.
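The weakness described above (and the weak signing keys mentioned under the NSA-level section) is a key-size problem a defender can check for mechanically. The following is an added example, not code from the article or from Kaspersky: it encodes and parses an RSA SubjectPublicKeyInfo in DER with the Python standard library only, and flags any RSA modulus under a policy minimum. The sample moduli are constructed numbers of the right bit length, not real keys, and the 2048-bit minimum is an assumed policy value; in production one would extract the key from the certificate with a proper X.509 library and apply the same check.

```python
"""Flag RSA public keys whose modulus is below a minimum size (added example)."""

# Minimal DER helpers: enough to build and parse an RSA SubjectPublicKeyInfo.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
MIN_RSA_BITS = 2048  # assumed policy threshold; the keys in the article were 512-bit


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # pad so the INTEGER stays positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def build_rsa_spki(modulus, exponent=65537):
    """Encode an RSA SubjectPublicKeyInfo; used here only to build sample input."""
    alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    rsa_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    bit_string = _tlv(0x03, b"\x00" + rsa_key)  # leading byte: zero unused bits
    return _tlv(0x30, alg + bit_string)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the RSA modulus size in bits, or None if the key is not RSA."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = _read_tlv(body, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        return None
    tag, bits, _ = _read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING holding the RSA key")
    _, rsa_key, _ = _read_tlv(bits, 1)   # skip the unused-bits byte
    _, n_bytes, _ = _read_tlv(rsa_key, 0)  # first INTEGER is the modulus n
    return int.from_bytes(n_bytes, "big").bit_length()


def check_key_strength(spki, minimum=MIN_RSA_BITS):
    """Classify a key as 'weak', 'ok' or 'unknown' (non-RSA) with its bit length."""
    bits = rsa_modulus_bits(spki)
    if bits is None:
        return ("unknown", None)
    return ("weak" if bits < minimum else "ok", bits)


# Constructed sample moduli: top bit set so the bit length is exact. Not real keys.
WEAK_N = (1 << 511) | 12345 | 1
STRONG_N = (1 << 2047) | 67891 | 1
WEAK_SPKI = build_rsa_spki(WEAK_N)
STRONG_SPKI = build_rsa_spki(STRONG_N)

if __name__ == "__main__":
    for name, spki in (("weak", WEAK_SPKI), ("strong", STRONG_SPKI)):
        print(name, check_key_strength(spki))
```

The check keys off the modulus length rather than the certificate's stated signature algorithm, since a 512-bit modulus is what made the keys in this story factorable regardless of which hash the CA paired with them.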

Although such certificates have existed for some time, this group of “advanced persistent threat” hackers is among the very few that actually use the technique. Raiu knows of almost no similar case. So we can call it a hacking capability on a par with the National Security Agency’s.

Although all of the above is shocking enough, the most worrying and most curious part of DarkHotel is its actual operation inside the hotels.

Unveiling the secret behind DarkHotel

Kaspersky’s researchers first discovered DarkHotel in January of last year, when a series of automatic alerts reported infections on client computers. They immediately traced them to certain hotels in Asia. Kamluk went to the hotels in person to find out how the guests’ computers had been compromised, but he found nothing, and the hotels gave no positive response. Still, the trip was not for nothing: he found that all of the attacked hotels used the same third-party WiFi company.

Some hotels own their own network infrastructure; others choose a service company. The two hotel WiFi service companies Kamluk visited were reluctant to come forward and did not want their names made public, but they cooperated closely with the investigation of the hackers, quickly providing server images and logs to help with the tracking.

Although the hackers were very careful and left almost no trace, the researchers still found a few command lines in the hotel systems that should not have been there.

On one occasion, the researchers found a malicious Windows executable in a directory on a Unix server. The file had already been deleted, but a record of the deletion remained. From this, Kamluk judged that the hackers avoided the hotel’s normal working hours when bringing in their malware to lure guests.

They started work early in the morning, before the hotel staff came into the office; by the time staff arrived, the hackers had already had a field day pushing their malware. The hotel managers say none of this was a whim but long-term planning: over the past few years the hackers slowly infiltrated and searched the hotel systems and networks.
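A Windows executable sitting in a Unix web server directory, written outside office hours, is exactly the kind of artifact a hotel operator or its WiFi provider could look for routinely. The following is an added example, not part of the article or Kaspersky’s tooling: it walks a captive-portal document root, identifies Windows PE files by their DOS and PE headers rather than by file extension, and notes whether each file’s modification time falls outside an assumed 09:00 to 17:59 business-hours window. The web root and the fake “flash_update.exe” it contains are constructed in a temporary directory for the demonstration.

```python
"""Find Windows executables dropped into a Unix web root and flag off-hours writes."""
import os
import tempfile
from datetime import datetime

MZ_MAGIC = b"MZ"
BUSINESS_HOURS = range(9, 18)  # assumed hotel office hours, 09:00 to 17:59 local time


def is_pe_file(path):
    """Cheap PE check: 'MZ' DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != MZ_MAGIC:
            return False
        e_lfanew = int.from_bytes(head[60:64], "little")
        f.seek(e_lfanew)
        return f.read(4) == b"PE\x00\x00"


def scan_webroot(root, hours=BUSINESS_HOURS):
    """Return a finding per PE file under root with its path, mtime and off-hours flag."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_pe_file(path):
                continue
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
            findings.append({
                "path": os.path.relpath(path, root),
                "mtime": mtime,
                "off_hours": mtime.hour not in hours,
            })
    return findings


def make_sample_webroot():
    """Constructed sample: a minimal fake 'Flash update' PE beside a harmless HTML page."""
    root = tempfile.mkdtemp(prefix="portal_")
    pe = bytearray(MZ_MAGIC + b"\x00" * 58)   # 60-byte DOS header stub
    pe += (64).to_bytes(4, "little")           # e_lfanew: PE signature at offset 64
    pe += b"PE\x00\x00" + b"\x00" * 20         # signature plus a padded COFF header
    os.makedirs(os.path.join(root, "downloads"))
    exe_path = os.path.join(root, "downloads", "flash_update.exe")
    with open(exe_path, "wb") as f:
        f.write(pe)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body>Welcome to the hotel WiFi portal</body></html>")
    # Backdate the executable to 05:30 today to mimic the early-morning drop described.
    early = datetime.now().replace(hour=5, minute=30, second=0, microsecond=0)
    os.utime(exe_path, (early.timestamp(), early.timestamp()))
    return root


if __name__ == "__main__":
    for finding in scan_webroot(make_sample_webroot()):
        print(finding)
```

Matching on the header rather than the `.exe` suffix matters because a dropper can be served under any name the portal page links to; the mtime check is only a hint, since an attacker with shell access can reset timestamps, which is why the deletion record in the story was the more durable clue.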

We don’t know exactly how many hotels they have attacked. But they certainly did not pick hotels casually; they chose selectively, according to criteria, often picking hotels whose guests were the people they wanted to understand and attack.

When victims try to connect to the WiFi, a dialog pops up reminding them to update Adobe Flash Player and offers them a file that carries a digital signature. It looks very convincing, and the victim can hardly help downloading it. If they do choose to download, the Trojan gets in. The key point is that the prompt appears before the user has actually connected to the WiFi, so even if they give up on connecting afterwards, the moment they click “accept” and choose to download is the hackers’ victory. The malware does not go to work immediately. It sits quietly on the victim’s computer for six months, then “wakes up” and connects to the command-and-control server. Raiu’s analysis is that this is designed for executives or other important people returning from a business trip to Asia: their government or IT department will thoroughly inspect the computer on return, so the malware cannot make a move right away and instead stays “dormant”.
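The six-month dormancy described above defeats a one-time inspection on return, but it leaves a signature in network logs: a machine that has been quiet for months suddenly begins contacting a destination it has never talked to before, at regular intervals. The following is an added example, not part of the article or of Kaspersky’s analysis: it runs over a few constructed proxy-log lines (timestamp, host, destination) and reports host/destination pairs whose first contact comes at least 90 days after the host first appeared in the log and whose subsequent contacts are near-periodic. The 90-day threshold, the minimum of three hits and the 5% jitter bound are assumed tuning values; the host names and destinations are invented.

```python
"""Spot long-dormant hosts that start periodic beaconing to a new destination."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<timestamp> <host> <destination>". Not real traffic.
SAMPLE_LOG = """\
2014-01-06T09:00:00 ws-exec01 intranet.corp.example
2014-01-06T09:05:00 ws-exec01 mail.corp.example
2014-03-10T10:00:00 ws-exec01 intranet.corp.example
2014-07-08T03:00:00 ws-exec01 update-check.example.net
2014-07-09T03:00:20 ws-exec01 update-check.example.net
2014-07-10T02:59:40 ws-exec01 update-check.example.net
2014-07-11T03:00:05 ws-exec01 update-check.example.net
2014-07-08T08:00:00 ws-hr02 news.example.org
2014-07-08T12:30:00 ws-hr02 news.example.org
2014-07-09T18:45:00 ws-hr02 news.example.org
"""


def parse_log(text):
    """Parse the constructed log format into (datetime, host, destination) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, dest))
    return events


def find_dormant_beacons(events, min_dormant_days=90, min_hits=3, max_jitter_ratio=0.05):
    """Return (host, dest) pairs first contacted at least min_dormant_days after the
    host's first log entry, with at least min_hits contacts at near-constant intervals.
    Jitter is the population standard deviation of the gaps divided by the mean gap."""
    first_seen = {}
    contacts = defaultdict(list)
    for ts, host, dest in sorted(events):
        first_seen.setdefault(host, ts)
        contacts[(host, dest)].append(ts)

    hits = []
    for (host, dest), times in contacts.items():
        if len(times) < min_hits:
            continue
        dormant_days = (times[0] - first_seen[host]).days
        if dormant_days < min_dormant_days:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= max_jitter_ratio:
            hits.append({
                "host": host,
                "dest": dest,
                "dormant_days": dormant_days,
                "interval_s": round(mean(gaps)),
                "jitter": round(jitter, 4),
            })
    return hits


if __name__ == "__main__":
    for hit in find_dormant_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

In the sample, ws-exec01 is quiet for about half a year and then checks in with update-check.example.net once a day within a few seconds of the same time, which the function reports; ws-hr02’s irregular browsing to a site it contacted from its first day is ignored. Real deployments would seed `first_seen` from travel or asset records rather than from the log alone, and would whitelist known update services before alerting.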

In some hotels, only a handful of guests were targeted. In other systems, the hackers compromised everyone indiscriminately and on a large scale; in some places, anyone who tried to connect to the wireless network was attacked.

Sometimes, when a delegation checked in, the hackers launched attacks trying to break into the computers of all of its members. Raiu thinks the networks and computers of these delegation members are very well protected and would be targets the hackers could not catch with conventional phishing methods.

Kaspersky is still not clear how the hackers got into the hotels’ servers. They did not use the methods of criminal hackers. DarkHotel gets into a system, does its work, and then erases every trace of it. In the logs, the researchers found no backdoor on the systems. A reasonable explanation is that either the hackers never actually came in, or they erased all traces perfectly. Otherwise, someone on the inside would have had to help them carry out these attacks.
