Android Malware ZNIU exploits DirtyCow to gain root privileges

Nearly a year after the disclosure of the Dirty COW vulnerability that affected the Linux kernel, cybercriminals have started exploiting the vulnerability against Android users.

Publicly disclosed last year in October, Dirty COW was present in a section of the Linux kernel—a part of virtually every Linux distribution, including Red Hat, Debian, and Ubuntu—for years and was actively exploited in the wild.

The vulnerability allows an unprivileged local attacker to gain root access through a race condition issue, gain access to read-only root-owned executable files, and permit remote attacks.

Security researchers from Trend Micro published a blog post on Monday disclosing that the privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, has now been actively exploited by a malware sample of ZNIU, detected as AndroidOS_ZNIU.

The ZNIU malware was detected in more than 40 countries last month, with the majority of the victims found in China and India. The malware was also detected in the U.S., Japan, Canada, Germany, and Indonesia. As of this writing, more than 5,000 affected users have been detected.

The malware uses the Dirty COW exploit to root Android devices via the copy-on-write (COW) mechanism in Android’s Linux kernel and install a backdoor which can then be used by attackers to collect data and generate profit through a premium rate phone number.

ZNIU’s leveraging of Dirty COW only works on Android devices with ARM/X86 64-bit architecture. However, this recent exploit can bypass SELinux and plant a root backdoor, while the PoC can only modify the service code of the system.


The ZNIU malware often appears as a porn app downloaded from malicious websites, where users are tricked into clicking on a malicious URL that installs the malware-carrying app on their device. Once launched, ZNIU will communicate with its C&C server. If an update to its code is available, it retrieves it from the C&C server and loads it into the system. Simultaneously, the Dirty COW exploit will be used to provide local privilege escalation to overcome system restrictions and plant a backdoor for potential remote control attacks in the future.


After entering the main UI of the device, the malware will harvest the carrier information of the user. It then transacts with the carrier through an SMS-enabled payment service, allowing the malware operator to pose as the device owner. Through the victim’s mobile device, the operator behind ZNIU will collect money through the carrier’s payment service. In one of the samples, the code directed the payments to a dummy company which, based on network traffic, was located in a city in China. When the SMS transaction is over, the malware will delete the messages from the device, leaving no sign of the transaction between the carrier and the malware operator. If the carrier is outside China, no SMS transaction with the carrier is possible, but the malware will still exploit the system to plant a backdoor.

The main logic of ZNIU’s native code works as follows:

1. Collect the model information of the device.

2. Fetch appropriate rootkits from the remote server.

3. Decrypt the exploits.

4. Trigger exploits one by one, check the result, and remove exploit files.

5. Report if the exploit succeeded or failed.

The researchers found the malware has already infected more than 5,000 Android users across 40 countries in recent weeks, with the majority of victims found in China and India, while others reside in the United States, Japan, Canada, Germany and Indonesia.

Google has released an update for Android that, among other fixes, officially fixes the Dirty COW vulnerability. The tech giant also confirmed that its Play Protect now protects Android users against this malware.

The easiest way to prevent yourself from being targeted by such clever malware is to avoid downloading apps from third-party sources and always stick to the official Google Play Store.


BAD TASTE GNOME Vulnerability leads to Code Injection in Linux

A new vulnerability (CVE-2017-11421), dubbed BAD TASTE, has been discovered by German security researcher Nils Dagsson Moskopp. It is a code injection vulnerability in the thumbnail handler component of the GNOME Files file manager that could allow attackers to execute malicious code on targeted Linux machines.

The POC has also been disclosed here.

“Thumbnail generation for MSI files in GNOME Files executes arbitrary VBScript.” states Moskopp.

The code injection vulnerability resides in gnome-exe-thumbnailer, a tool that generates thumbnails from Windows executable files (.exe/.msi/.dll/.lnk) for GNOME. It requires the Wine application (free and open-source software that allows Windows applications to run on the Linux operating system) to be installed on the system.

While navigating to a directory containing the .msi file, GNOME Files takes the filename as executable input and runs it in order to create an image thumbnail.

For successful exploitation of the vulnerability, an attacker can send a crafted Windows installer (MSI) file with malicious VBScript code in its filename, which if downloaded on a vulnerable system would compromise the machine without further user interaction.

Create MSI Files

Create a file named poc.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="">
<Product Version="1.0"/>

Execute the following Bourne Shell code:

wixl -o poc.msi poc.xml
cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"

Trigger Execution

Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.

“Whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, Gnome Files calls /usr/bin/gnome-exe-thumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype.” explained the expert.

The expert highlighted that the problem is triggered due to the presence of just one line of code in /usr/bin/gnome-exe-thumbnailer:

DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \

“Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.” Dagsson Moskopp added. 

Remedy (for users)

Delete all files in /usr/share/thumbnailers. Do not use GNOME Files, Cinnamon Nemo or MATE Caja. Uninstall any other software that facilitates automatically executing parts of filenames as code.

Remedy (for developers)

Do not parse files with bug-ridden ad-hoc parsers. Fully recognize inputs before processing them. Do not use templates, use unparsers instead. Read about LANGSEC.
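To make the developer remedy concrete, here is an added Python example (not code from the advisory or from gnome-exe-thumbnailer) that contrasts the template pattern with an unparser for a VBScript string literal. The TEMPLATE, the tiny lexer and all function names are my constructions; only the crafted filename comes from the proof of concept above.

```python
# Constructed template standing in for the thumbnailer's VBScript (assumption: the real
# script differed in detail, but likewise spliced the filename into a quoted literal).
TEMPLATE = (
    'Set installer = CreateObject("WindowsInstaller.Installer")\n'
    'Set db = installer.OpenDatabase({path}, 0)\n'
)

# Crafted filename from the proof of concept above, after the shell has unescaped it.
POC_NAME = ('poc.msi",0):Set fso=CreateObject("Scripting.FileSystemObject")'
            ':Set poc=fso.CreateTextFile("badtaste.txt")\'.msi')

def naive_render(path):
    """Vulnerable pattern: the filename is pasted verbatim between two quotes."""
    return TEMPLATE.format(path='"' + path + '"')

def vbs_string_literal(s):
    """Unparser for one VBScript string literal: a quote inside the value becomes "",
    and characters a literal cannot carry (CR, LF, other controls) are rejected."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in s):
        raise ValueError("control character cannot appear in a VBScript string literal")
    return '"' + s.replace('"', '""') + '"'

def safe_render(path):
    """Same template, but the value is produced by the unparser."""
    return TEMPLATE.format(path=vbs_string_literal(path))

def string_literals(script):
    """Tiny VBScript lexer: decoded contents of every string literal, ' comments skipped."""
    out, i, n = [], 0, len(script)
    while i < n:
        c = script[i]
        if c == "'":                            # comment runs to end of line
            while i < n and script[i] != "\n":
                i += 1
        elif c == '"':
            i, buf = i + 1, []
            while i < n:
                if script[i] == '"':
                    if i + 1 < n and script[i + 1] == '"':   # doubled quote -> one quote
                        buf.append('"')
                        i += 2
                        continue
                    break
                buf.append(script[i])
                i += 1
            out.append("".join(buf))
            i += 1                              # step past the closing quote
        else:
            i += 1
    return out

def filename_preserved(script, path):
    """True when the filename survives as one intact literal, so none of it became code."""
    return path in string_literals(script)
```

With the naive template the crafted name is split into four literals and the rest runs as statements; with the unparser the whole name stays a single literal.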

SHELLBIND Malware exploits SambaCry to backdoor NAS devices

A new malware dubbed SHELLBIND exploits the recently patched Samba vulnerability CVE-2017-7494 to attack Internet of Things devices.

CVE-2017-7494 is a seven-year-old remote code execution vulnerability that affects all versions of the Samba software since 3.5.0. The flaw has been patched by the development team of the project.

The vulnerability was dubbed SambaCry because of its similarities to the Windows SMB vulnerability exploited by the WannaCry ransomware.

Despite being patched in late May, the vulnerability is currently being leveraged by a new piece of malware to target the Internet of Things (IoT) devices, particularly Network Attached Storage (NAS) appliances, researchers at Trend Micro warned.

Samba is open-source software (a re-implementation of the SMB/CIFS networking protocol) that provides Linux/Unix servers with Windows-based file and print services and runs on the majority of operating systems, including Linux, UNIX, IBM System 390, and OpenVMS.

Shortly after the public revelation of its existence, the SambaCry vulnerability (CVE-2017-7494) was exploited mostly to install cryptocurrency mining software—”CPUminer” that mines “Monero” digital currency—on Linux systems.

SHELLBIND mainly infects network-attached storage (NAS) appliances. It exploits the Samba vulnerability (also known as SambaCry and EternalRed) to upload a shared library to a writable share and then causes the server to load that library.

This trick allows a remote attacker to execute arbitrary code on the targeted system.

Experts at Trend Micro discovered that ELF_SHELLBIND.A is delivered as a .SO file to Samba public folders; the attacker then loads and executes it by exploiting the SambaCry vulnerability.

The analysis published by Trend Micro states that :“This more recent malware is detected as ELF_SHELLBIND.A and was found on July 3. Similar to the previous reports of SambaCry being used in the wild, it also opens a command shell on the target system. But ELF_SHELLBIND.A has marked differences that separate it from the earlier malware leveraging SambaCry. For one, it targets internet of things (IoT) devices—particularly the Network Attached Storage (NAS) devices favored by small to medium businesses.” 

After uploading the .SO file to the Samba public shared folder, the attacker needs to guess the absolute local filename and send an IPC request to trick the server into loading and running the locally-stored program file.


Once the malware is loaded via said export function, it starts by calling the function change_to_root_user, which is required by the Samba daemon (specific to SMBv2) to run as root or as the EUID of the current user. The malware then detaches itself from whatever parent process it is running under (a Samba server process) and daemonizes its process (via the function detach_from_parent). Once deployed on the targeted machine, the malware establishes communication with the attackers’ command and control (C&C) server, 169[.]239[.]128[.]123, located in East Africa, over TCP port 80, and modifies firewall rules to ensure that it can communicate with that server.

After successfully establishing a connection, the malware grants the attackers access to the infected device and provides them with an open command shell in the device, so that they can issue any number and type of system commands and eventually take control of the device.

“Once the connection is successfully established and authentication is confirmed, then the attacker will have an open command shell in the infected systems where he can issue any number of system commands and essentially take control of the device,” continues Trend Micro.

Samba’s official workaround for administrators who cannot patch immediately is to add the line

nt pipe support = no

to the Samba configuration file and restart the network’s SMB daemon.

This change can prevent some clients from accessing certain network resources.

The maintainers of Samba already patched the issue in Samba versions 4.6.4/4.5.10/4.4.14, so you are advised to patch your systems against the vulnerability as soon as possible.

Just make sure that your system is running an updated Samba version.

Also, attackers need to have writable access to a shared location on the target system to deliver the payload, which is another mitigating factor that might lower the rate of infection.
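The following added Python example (not Samba’s or Trend Micro’s code) turns the mitigation advice above into an audit of a constructed smb.conf: it checks the running version against the fixed releases named here, whether the nt pipe support workaround is applied, and which shares a client could write a library into. The sample configuration, the helper names, and the assumption that branches newer than 4.6 shipped after the fix are mine.

```python
import re

FIXED_IN = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}  # fixed releases named above

def version_affected(text):
    """True when a Samba version is in the affected range and below its branch's fix.
    Assumption: 4.7+ shipped after the fix (patched); 3.5.0 up to 4.3.x never got it (affected)."""
    v = tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip()).groups())
    if v < (3, 5, 0):
        return False
    return v < FIXED_IN[v[:2]] if v[:2] in FIXED_IN else v[:2] < (4, 4)

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased, spaces normalised."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line[0] == "[" and line[-1] == "]":
            cur = line[1:-1].strip().lower()
            sections[cur] = {}
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            sections[cur][" ".join(key.split()).lower()] = val.strip()
    return sections

def _truthy(v):
    return (v or "").strip().lower() in ("yes", "true", "1")

def writable_shares(conf):
    """Shares a client could drop a file into (writable = yes or read only = no), with guest flag."""
    out = []
    for name, o in conf.items():
        if name != "global":
            w = o.get("writable", o.get("writeable", o.get("write ok", "no")))
            if _truthy(w) or o.get("read only", "yes").strip().lower() in ("no", "false", "0"):
                out.append((name, _truthy(o.get("guest ok"))))
    return out

def audit(conf_text, version):
    """The three signals discussed above: version, nt pipe workaround, writable shares."""
    conf = parse_smb_conf(conf_text)
    pipes = conf.get("global", {}).get("nt pipe support", "yes").strip().lower()
    return {"version_affected": version_affected(version),
            "nt_pipe_support_disabled": pipes == "no",
            "writable_shares": writable_shares(conf)}

# Constructed sample configurations, not taken from any real device.
WEAK_CONF = ("[global]\n workgroup = WORKGROUP\n[public]\n path = /srv/public\n"
             " guest ok = yes\n writable = yes\n[backup]\n path = /srv/backup\n read only = yes\n")
HARDENED_CONF = WEAK_CONF.replace("[global]", "[global]\n nt pipe support = no")
```

A guest-writable share on an unpatched version without the workaround is the configuration the article describes SHELLBIND abusing.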