(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Enlarge (credit: Instagram)

A Russian-speaking hacking group that, for years, has targeted governments around the world is experimenting with a clever new method that uses social media sites to conceal espionage malware once it infects a network of interest.

According to a report published Tuesday by researchers from antivirus provider Eset, a recently discovered backdoor Trojan used comments posted to Britney Spears's official Instagram account to locate the control server that sends instructions and offloads stolen data to and from infected computers. The innovation—by a so-called advanced persistent threat group known as Turla—makes the malware harder to detect because attacker-controlled servers are never directly referenced in either the malware or in the comment it accesses.

Turla is a Russian-speaking hacking group known for its cutting-edge espionage malware. In mid-2014, researchers from Symantec documented malware dubbed Wipbot that infiltrated the Windows-based systems of embassies and governments of multiple European countries, many of them former Eastern Bloc nations. A few months later, researchers at Kaspersky Lab discovered an extremely stealthy Linux backdoor that was used in the same campaign, a finding that showed it was much broader than previously believed. Turla has also been known to use satellite-based Internet connections to cover its tracks. In March, researchers observed Turla using what was then a zero-day vulnerability in Window to infiltrate European government and military computers.

Read 6 remaining paragraphs | Comments


In part 1, I gave some examples to recover XOR keys from encoded executables if we knew some of the content of the unencoded file (known plaintext attack).

In this part, I give some examples to automate this process using my xor-kpa tool.

xor-kpa.py takes 2 files as input: the first file contains the plaintext, and the second file the encoded file. We are going to search for string This program cannot be run in DOS mode width:852px" />

xor-kpa displays some potential keys, in ascending order of extra characters.

Value Key is the recovered key, and Key (hex) is the hexadecimal representation of the key (in case the key would not be printable).

Keystream is the keystream, from which xor-kpa extracted the key by looking for repeating strings.

Extra is the difference between the length of the keystream and the length of the key. If this is just one character, the proposed key is very unlikely to be the encoding key. Output can be filtered by requiring a minimum value for extra by using option -e.

Divide is the number of times the key is present in the keystream.

And counts reports the number of times the same key was recovered at different positions in the encoded file.

So by using this known plaintext (This program cannot be run in DOS mode) with the encoded file, xor-kpa proposes a number of keys. In this example, the key with the highest number of extra characters is the actual encoding key (Password).

Another way to recover the key we saw yesterday, is looking for sequences of null bytes (0x00) which have been encoded. xor-kpa.py can do this too, by giving 000000000000... as plaintext. We could create a file containing null bytes, but it width:852px" />

The key was recovered, and the count is very high, so it width:852px" />

Please post a comment is you have ideas for other known plaintexts in executables.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Google Android libnl CVE-2017-0553 Remote Privilege Escalation Vulnerability
PuTTY 'ssh_agent_channel_data()' Function Integer Overflow Vulnerability
MuPDF 'jstest_main.c' Stack Buffer Overflow Vulnerability
Adobe Flash Player APSB16-10 Multiple Unspecified Memory Corruption Vulnerabilities
libxslt 'libxslt/preproc.c' Type Confusion Remote Denial of Service Vulnerability

Enlarge (credit: Ars Technica)

When reporters at The Intercept approached the National Security Agency on June 1 to confirm a document that had been anonymously leaked to the publication in May, they handed over a copy of the document to the NSA to verify its authenticity. When they did so, the Intercept team inadvertently exposed its source because the copy showed fold marks that indicated it had been printed—and it included encoded watermarking that revealed exactly when it had been printed and on what printer.

The watermarks, shown in the image above—an enhancement of the scanned document The Intercept published yesterday—were from a Xerox Docucolor printer. Many printers use this or similar schemes, printing faint yellow dots in a grid pattern on printed documents as a form of steganography, encoding metadata about the document into its hard-copy output. Researchers working with the Electronic Frontier Foundation have reverse-engineered the grid pattern employed by this class of printer; using the tool, Ars (and others, including security researcher Robert Graham) determined that the document passed to The Intercept was printed on May 9, 2017 at 6:20am from a printer with the serial number 535218 or 29535218.

Read 1 remaining paragraphs | Comments

Shadow Multiple Local Security Vulnerabilities
[security bulletin] HPESBGN03752 rev.1 - HPE IceWall using OpenSSL, remote Denial of Service (DoS)
[security bulletin] HPESBHF03756 rev.1 - HPE Network Products including Comware 7, iMC, and VCX running OpenSSL, Remote Denial of Service (DoS), Disclosure of Sensitive Information
QEMU CVE-2017-9330 Denial of Service Vulnerability
QEMU 'display/virtio-gpu.c' Denial of Service Vulnerability
Internet Storm Center Infocon Status