How to marry malware to software downloads in an undetectable way (Hint: Please use HTTPS)

Boffins demo how traffic redirect can endanger code


Be thankful it's only a proof-of-concept of a hack: German researchers have shown that internet software distribution mechanisms can be turned into virus vectors, without modifying the original code.

The Ruhr University boffins – Felix Gröbert, Ahmad-Reza Sadeghi and Marcel Winandy – have developed an on-the-fly mechanism for injecting code into a download. As they write in their paper [PDF] hosted at PacketStorm:

“Our algorithm deploys virus infection routines and network redirection attacks, without requiring to modify the application itself. This allows to even infect executables with a embedded signature when the signature is not automatically verified before execution.”

They use what they call a binder to concatenate the original application and the malicious code. “Upon starting the infected application the binder is started. It parses its own file for additional embedded executable files, reconstructs and executes them, optionally invisible for the user,” they write.

Since the application is intact, “one can attach malware even to an executable with a embedded signature and still succeed to execute the malware under certain circumstances”.

The two components of the proof-of-concept are called Cyanid (to fetch, modify and filter the HTTP downloads) and Calcium, the binder that infects the binaries.

A successful attack depends most of all on the ability to redirect traffic, as shown below.

Ruhr University's malware architecture

Traffic redirection plus malware injection equals trouble. Image: Ruhr University

Governments, the paper notes, could be in a position to exploit network nodes between a sender and receiver to hijack the traffic (or, for that matter, vulnerable routers could be exploited to the same end).

To mitigate against such attacks, the researchers say, software distributors need to tighten up their delivery mechanisms, to defend against traffic hijacks. OpenVPN, IPSec or HTTPS would help here, they state, provided one can trust the certificate chain.

Presumably, cryptographic code-signing would work too, again if the necessary certificates involved can be reliably obtained and verified as authentic.

Providing, say, a SHA-256 digest of the download isn't much help though, they suggest, because while the user or OS could check against a hash, “the reference values would have to be obtained through a trusted channel” – which may not be available. Users would have to get hold of a valid hash some other way, which isn't convenient.

Antivirus software could be modified to check for binder behaviour, they add, and “trusted virtualisation” architectures could also help, since the secure, verifiable boot process helps isolate critical applications. ®


Other stories you might like

  • Apple's latest security feature could literally save lives
    Cupertino is so sure of Lockdown Mode it's offering $2m to bug hunters to break it

    Apple's latest security feature won't be used by most of its customers, but those who need Lockdown Mode could find it to be a literal life saver.

    The functionality, coming with iOS/iPadOS 16 and macOS Ventura, dramatically shrinks an iDevice's attack surface by disabling many of its features. It's designed to protect the small number of Apple users who, "because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware," Apple said in a statement. 

    Lockdown, thus, effectively reduces the number of potential vulnerabilities spyware could exploit to compromise a device, cutting the possible routes into surveillance targets' kit.

    Continue reading
  • Has Intel gone too far with its Ohio fab 'delay' stunt?
    With construction unceremoniously underway, x86 giant may have overplayed its hand

    COMMENT The way Intel has been talking about the status of its $20 billion Ohio fab project, you would be forgiven if you assumed that construction on the Midwest mega-site has been delayed in light of Congress struggling to pass a large subsidies package that would support new American chip factories.

    When Intel delayed a groundbreaking ceremony for the Ohio manufacturing site two weeks ago out of frustration over the subsidies inaction, some headlines may have given you the impression the semiconductor giant was putting off construction entirely.

    However, an Intel spokesperson made it clear to The Register and others at the time that the start date for construction had not changed.

    Continue reading
  • Hive ransomware gang rapidly evolves with complex encryption, Rust code
    RaaS malware devs have been busy bees

    The Hive group, which has become one of the most prolific ransomware-as-a-service (RaaS) operators, has significantly overhauled its malware, including migrating the code to the Rust programming language and using a more complex file encryption process.

    Researchers at the Microsoft Threat Intelligence Center (MSTIC) uncovered the Hive variant while analyzing a change in the group's methods.

    "With its latest variant carrying several major upgrades, Hive also proves it's one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," the researchers said in a write-up this week.

    Continue reading
  • What do you mean your exaflop is better than mine?
    Gaming the system was fine for a while, now it's time to get precise about precision

    Comment A multi-exaflop supercomputer the size of your mini-fridge? Sure, but read the fine print and you may discover those performance figures have been a bit … stretched.

    As more chipmakers bake support for 8-bit floating point (FP8) math into next-gen silicon, we can expect an era of increasingly wild AI performance claims that differ dramatically from the standard way of measuring large system performance, using double-precision 64-bit floating point or FP64.

    When vendors shout about exascale performance, be aware that some will use FP8 and some FP64, and it's important to know which is being used as a metric. A computer system that can achieve (say) 200 peta-FLOPS of FP64 is a much more powerful beast than a system capable of 200 peta-FLOPS at just FP8.

    Continue reading
  • Meta's AI translation breaks 200 language barrier
    Open source model improves translation of rarer spoken languages by 70%

    Meta's quest to translate underserved languages is marking its first victory with the open source release of a language model able to decipher 202 languages.

    Named after Meta's No Language Left Behind initiative and dubbed NLLB-200, the model is the first able to translate so many languages, according to its makers, all with the goal to improve translation for languages overlooked by similar projects. 

    "The vast majority of improvements made in machine translation in the last decades have been for high-resource languages," Meta researchers wrote in a paper [PDF]. "While machine translation continues to grow, the fruits it bears are unevenly distributed," they said. 

    Continue reading
  • Tracking cookies found in more than half of G20 government websites
    Sorry, conspiracy theorists, it's more likely sloppy webdev work rather than spying

    We expect a certain amount of cookie-based tracking on retail websites and social networks, but in some countries up to 90 percent of government sites have implemented trackers – and serve them seemingly without user consent. 

    A study evaluated more than 118,000 URLs of 5,500 government websites – think .gov, .gov.uk. .gov.au, .gc.ca, etc – hosted in the twenty largest global economies – the G20 – and discovered a surprising tracking cookie problem, even among countries party to Europe's GDPR and those who have their own data privacy regulations.

    On average, the study found, more than half of cookies created on G20 government websites were third-party cookies, meaning they were created by outside entities typically to collect information on the user. At least 10 percent, going up to 90 percent, come from known third party cookies or trackers, we're told.

    Continue reading

Biting the hand that feeds IT © 1998–2022