This post was last edited by ericdj on 2016-1-31 23:10
Written by Dirk Kollberg on January 8, 2016. 11:21 am
Translated by ericdj on January 21, 2016
In a comment on Reddit this week, user “moeburn” raised the possibility of new malware circulating for Smart TVs:
My sister got a virus on her TV. A VIRUS ON HER GODDAMN TV.
It was an LG Smart TV with a built-in web browser, and she managed to get a DNS Hijacker that would say “Your computer is infected please send us money to fix it” any time she tried to do anything on the TV.
The Reddit post included this image:
We immediately got to work trying to figure out if this threat was targeting connected televisions specifically or whether this was an accidental infection. Trying to connect to the webpage mentioned in the URL from the photo does not work — the domain name does not resolve to an IP at the moment. We used our favorite search engine and found many hits while looking for the domain. Besides the host “ciet8jk” (ciet8jk.[maliciousdomain].com), 27 other hosts have been assigned to that domain name and pointed to the same IP address. The domain ***-browser-alert-error.com was registered on August 17th 2015.
Two days later, an IP address was assigned:
It appears that there were just a few days when this scam was online, and thus we’re sure the image from the TV is at least four months old. These kinds of attacks are nothing new, so we started looking for a server which is currently online to see what exactly the page tries to do. Unfortunately, we weren’t able to find a live page from that very source, but while searching for the alert message shown in the photo, we found similar domains used for the same scam.
***sweeps-ipadair-winner2.com
***-browser-infection-call-now.com
The last domain listed is still online, but there is no reply from the server.
All the domain names mentioned have been blocked by Kaspersky Web Protection for several months. Interestingly, all the IPs belong to Amazon’s cloud (54.148.x.x, 52.24.x.x, 54.186.x.x).
Although they used different providers to register the domains, they decided to host the malicious pages in the cloud. This could be because it offers another layer of anonymization, because it’s cheaper than other providers, or because they were unsure about the traffic and needed something scalable.
Still unable to find a live page, we kept searching for parts of the alert message, and one hit took us to HexDecoder from ddecode.com. This is a webpage that de-obfuscates scripts or entire web pages. To our surprise, all previous decodings were saved and are publicly viewable.
This led to a decoded script and the original HTML file.
The script checks the URL parameters and displays different phone numbers based on the location of the user.
Phone numbers:
DEFAULT (US) : 888581****
France : +3397518****
Australia : +6173106****
UK : +44113320****
New Zealand : +646880****
South Africa : +2787550****
The JavaScript selecting the phone number was uploaded to Pastebin on July 29th 2015, and it includes all the comments that were also present in the sample we got from HexDecoder. This is another indicator that this is not a new threat.
Now having the right sample, we took a look at it on a test machine and got this result, which is quite close to what we can see on the image from the Smart TV:
The page loads in any browser and displays a popup dialog. As you can see above, it even works on Windows XP. If you try to close the dialog or the window, it will pop up again.
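A defender-side indicator scan of the behaviour just described (a phone number chosen per locale from a URL parameter, and an alert that re-opens when the dialog or window is closed), as an added example that is not the Kaspersky sample or any code from the original post. The two pages it scans are constructed stand-ins with fictitious phone numbers; the benign control shows that a phone number and a timer alone do not trigger the verdict.

```python
"""Indicator scan for browser tech-support scam pages of the kind the post
describes. Added example, not Kaspersky's code; sample pages are constructed."""
import re

# Constructed stand-in for the decoded scam page; phone numbers are fictitious.
SAMPLE_PAGE = r"""
<script>
var numbers = {"default": "1-888-555-0100", "fr": "+33-9-75-555-0101",
               "uk": "+44-113-555-0102"};
var cc = (location.search.match(/[?&]cc=([a-z]{2})/) || [])[1];
var phone = numbers[cc] || numbers["default"];
function warn() {
  alert("Your computer is infected. Please call us at " + phone + " to fix it.");
}
window.onbeforeunload = function () { warn(); return "Do not leave this page"; };
setInterval(warn, 3000);
</script>
"""

# Constructed benign control: a phone number and a timer, but no alert loop.
BENIGN_PAGE = '<script>setInterval(refreshStats, 3000);</script><p>Call us: 1-800-555-0199</p>'

SCAM_PHRASES = [
    r"your (computer|pc|device) (is|has been) infected",
    r"call (now|us|this number)",
    r"send us money",
]
PHONE_RE = re.compile(r"\+?\d[\d\-\s]{7,}\d")   # loose international phone pattern
ALERT_RE = re.compile(r'alert\(\s*"([^"]*)"')  # first string literal inside alert()

def scan_page(page: str) -> dict:
    """Return the indicators found in one decoded page plus a simple verdict."""
    text = page.lower()
    phrases = [p for p in SCAM_PHRASES if re.search(p, text)]
    phones = sorted({m.group(0) for m in PHONE_RE.finditer(page)})
    alert = ALERT_RE.search(page)
    # The "pops up again" behaviour: an alert tied to page unload or to a timer.
    reopens = alert is not None and ("onbeforeunload" in text or "setinterval(" in text)
    score = len(phrases) + (2 if reopens else 0) + (1 if phones else 0)
    return {
        "scam_phrases": phrases,
        "phone_numbers": phones,
        "alert_message": alert.group(1) if alert else None,
        "reopens_on_close": reopens,
        "score": score,
        "verdict": "likely tech-support scam" if score >= 3 else "not flagged",
    }
```

Run `scan_page()` over each decoded page pulled from a service like HexDecoder; the score is a coarse triage aid, so review anything near the threshold by hand.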
We also ran the file on an LG Smart TV and got the same result. It was possible to close the browser, but it did not change any browser or DNS settings. Turning it off and on again solved the problem as well. It is possible that other malware was involved in the case reported on Reddit, which changed the browser or network settings.
Keep in mind that you should never call those numbers! You might get charged per minute, or someone at the end of the line might instruct you to download and install even more malware onto your device.
So in this case, it’s not a new type of malware specifically targeting Smart TVs, but a common threat to all internet users. There are also reports that this scam has hit users on Apple MacBooks; and since it runs in the browser, it can run on Smart TVs and even on smartphones.
These kinds of threats often get combined with exploits and may take advantage of vulnerabilities in the browser, Flash Player or Java. If successful, they may install additional malware on the machine or change the DNS settings of your system or home router, which may lead to similar symptoms. Such behaviour could not be observed in this case, since the malicious pages have been removed already.
Keep in mind, there might be vulnerabilities in the software on your TV! Therefore it’s important to check if your device is up to date. Make sure you installed the latest updates for your Smart TV! Some vendors apply updates automatically, while others leave it to the user to trigger the update manually.
PCs and smartphones, rather than Smart TVs:
- Users rarely browse the web on a Smart TV, and only occasionally download apps from the web, unlike on mobile devices.
- Vendors ship different operating systems: Android TV, Firefox OS, Tizen and Web OS.
- Even the same hardware model may run different operating systems, which makes it hard for malware to stay compatible.
- Compared with PCs or mobile devices, fewer users browse the web or read email on their TV.
But remember, for example, that it’s possible to install an app from a USB stick. If your TV runs Android, a malicious app designed for an Android smartphone might even work on your TV. In a nutshell, this case isn’t malware specifically targeting Smart TVs, but be aware that such websites, as with phishing generally, work on any OS platform you’re using. Keep your eyes open!
Original article: https://securelist.com/blog/incidents/73229/malware-on-the-smart-tv/