Windows 10 News and info | Forum
Topic: Hackers Patch Web Browsers to Track Encrypted Traffic
« on: October 08, 2019, 11:04:43 AM »

Researchers have found a new piece of malware, likely from an advanced threat group, that can patch Chrome and Firefox browsers to identify the encrypted traffic from a victim's computer.

The threat adds Transport Layer Security (TLS) certificates to the victim host, which help carry out man-in-the-middle (MitM) attacks on encrypted traffic.

Modifying browsers' PRNG functions

Named Reductor, the threat was spotted in a campaign at the end of April that continued at least until August. Apart from TLS traffic manipulation, it comes with the typical assortment of remote access functions - upload, download, and execute files.

The interesting part is the actor's solution to marking the encrypted traffic of interest. They studied the code in Mozilla Firefox and Google Chrome and patched their pseudo-random number generator (PRNG) functions.

The PRNG function is used in browsers to generate a random sequence of numbers at the beginning of a packet for the initial handshake when the encrypted connection is negotiated with the server.

Reductor modifies the browsers' PRNG code to add hardware and software-based identifiers that are unique for each victim. This way, they can follow encrypted traffic from a compromised host all over the web.

"That places the actor in a very exclusive club, with capabilities that few other actors in the world have," say security researchers from Kaspersky.

To maintain the pseudo-random aspect of the PRNG, Reductor uses a hash of the certificates (cert_hash) it drops on the victim's computer, which is XORed repeatedly to produce the first four-byte hash. The second four-byte hash is built using the hardware properties (hwid_hash) of the system - SMBIOS date and version, Video BIOS date and version and hard drive volume ID.

"The latter three fields are encrypted using the first four bytes initial PRN XOR key. At every round, the XOR key changes with the MUL 0x48C27395 MOD 0x7FFFFFFF algorithm. As a result, the bytes remain pseudo-random, but with the unique host ID encrypted inside."

Reductor does not run a MitM attack itself, but the installed certificates help with this objective and replace a legitimate installer with a malicious variant "on the fly."

This theory was confirmed when the researchers found that the installers at the source were not tainted, yet the victim received a compromised version.

The analysis is based on the behavior of the client; the researchers had no visibility into what happened on the server side.

In their investigation, Kaspersky analysts found that Reductor has "strong code similarities" with COMPfun, a trojan from 2014 that they believe is linked to the Turla APT group. This connection, though, is based only on the victimology.
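Added illustration (not code from the forum post, the article it summarizes, or Kaspersky's writeup) of the client-random marking scheme described above and how a defender who knows the dropped certificate could spot it. The post gives only the key schedule (MUL 0x48C27395 MOD 0x7FFFFFFF), that the first four bytes carry the initial XOR key, and the field names cert_hash and hwid_hash. The 32-byte field layout, the use of CRC32 as the four-byte hash, and every sample value below are assumptions made for the example.

```python
"""Model of a Reductor-style marked TLS ClientHello random (illustrative, not the
real implant's code).  Assumed layout of the 32-byte random:
    [seed (4)] [cert_hash XOR k1 (4)] [hwid_hash XOR k2 (4)] [filler (20)]
where k1 = seed * MUL mod MOD and k2 = k1 * MUL mod MOD (schedule from the writeup)."""
import struct
import zlib

MUL = 0x48C27395   # multiplier quoted in the writeup (5**13, a classic Lehmer constant)
MOD = 0x7FFFFFFF   # modulus quoted in the writeup (2**31 - 1)


def next_key(key: int) -> int:
    """One round of the XOR-key schedule: key <- key * MUL mod MOD."""
    return (key * MUL) % MOD


def hwid_hash(smbios_date: str, smbios_ver: str,
              vbios_date: str, vbios_ver: str, volume_id: int) -> int:
    """Four-byte hardware ID over the fields named in the writeup.
    CRC32 is an assumption; the real hash function is not stated."""
    blob = "|".join([smbios_date, smbios_ver, vbios_date, vbios_ver,
                     f"{volume_id:08X}"]).encode()
    return zlib.crc32(blob) & 0xFFFFFFFF


def mark_client_random(cert_hash: int, hwid: int, seed: int, filler: bytes) -> bytes:
    """Build a marked 32-byte random.  The seed is sent in clear so the observer
    can re-derive the keys; the two ID fields are XOR-encrypted with rolling keys,
    so the bytes still look random to anyone who does not know the scheme."""
    if len(filler) != 20:
        raise ValueError("filler must be exactly 20 bytes")
    if seed % MOD == 0:
        # 0 and 0x7FFFFFFF (and 0xFFFFFFFE) map to key 0 forever: every later key
        # would be 0 and the IDs would be sent in clear.  Refuse such seeds.
        raise ValueError("seed congruent to 0 mod MOD degenerates the key schedule")
    k1 = next_key(seed)
    k2 = next_key(k1)
    return struct.pack(">III", seed & 0xFFFFFFFF, cert_hash ^ k1, hwid ^ k2) + filler


def recover_host_id(client_random: bytes) -> tuple:
    """What a passive observer who knows the scheme does with a captured
    ClientHello: read the seed, replay the schedule, strip the keys."""
    seed, f1, f2 = struct.unpack(">III", client_random[:12])
    k1 = next_key(seed)
    k2 = next_key(k1)
    return f1 ^ k1, f2 ^ k2


def is_marked(client_random: bytes, known_cert_hash: int) -> bool:
    """Defender-side check against outgoing TLS handshakes: does the random
    decode to the hash of a certificate we know the implant dropped?
    A genuinely random 32-byte value matches by chance with p = 2**-32."""
    cert, _ = recover_host_id(client_random)
    return cert == known_cert_hash


# Constructed sample values (not from any real victim or sample).
SAMPLE_CERT_HASH = 0xDEADBEEF
SAMPLE_HWID = hwid_hash("03/14/2018", "F.21", "11/02/2017", "1.06", 0xA1B2C3D4)
SAMPLE_SEED = 0x12345678
CLEAN_RANDOM = bytes(range(32))   # stands in for an unmodified browser's random


def demo() -> dict:
    marked = mark_client_random(SAMPLE_CERT_HASH, SAMPLE_HWID, SAMPLE_SEED, b"\x00" * 20)
    return {
        "marked_hex": marked.hex(),
        "recovered": recover_host_id(marked),
        "marked_detected": is_marked(marked, SAMPLE_CERT_HASH),
        "clean_detected": is_marked(CLEAN_RANDOM, SAMPLE_CERT_HASH),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check in `is_marked` only works if you already have the hash of the injected certificate (for example from the host's root store after a compromise); since every key is below 2**31, the recovered field inherits the top bit of the ciphertext, so a hash with its top bit set can never be matched by a clean random whose fifth byte has its top bit clear. Validating a real sample would require the actual layout from the Reductor code, which the post does not give.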
