Malware using good crypto

Udhay Shankar N udhay at pobox.com
Sat Aug 1 23:52:45 EDT 2009


Interesting article. Anyone here have experience trying to
reverse-engineer malware that uses really good crypto?

Udhay

http://voices.washingtonpost.com/securityfix/2009/07/clampi_trojan_the_rise_of_matr.html?wprss=securityfix

<quote>

It is not unusual for malware authors to obfuscate various components
that are nested inside one another like so many Matryoshka dolls all in
a bid to stymie researchers and anti-virus companies. But Stewart said
the criminals behind Clampi have encrypted or obfuscated nearly every
aspect of the malware -- including the lists of e-commerce sites
targeted, the data stolen, and Clampi's various feature plug-ins --
multiple times, and with very strong encryption (Matryoshka Mafia image
courtesy FreakingNews.com).

Typically, password-stealing Trojans contain a list of a few dozen
banking institutions that the malware will look to steal data from if
the victim visits those sites. But according to Stewart, Clampi's
authors aren't just targeting banking sites.

"They are targeting institutions where users may enter data that might
be useful in stealing money, such as utilities, retail, online casinos,
banking, insurance, accounting services, credit bureaus," Stewart said.

Stewart says Clampi is targeting credentials from some 4,600 Web sites,
though so far he says he's only been able to identify about 1,400 of
those. The list below gives the reader some idea of the breadth of sites
targeted by this malware:

Advertising networks
Utilities
Email marketing
Stock brokerages
Market research databases
Online casinos
Retail
Career sites
Insurance
Banking
Credit card companies
Accounting Services
Wire transfer services
Mortgage lenders
Consumer databases
Webmail
Foreign Postal Services (Non-US)
Software
Military/Government information portals
Recommendation engines
ISPs
Various News blogs
File upload sites

According to Stewart, the information stolen by Clampi is sent from the
victim PC to a Web server controlled by the attackers using a
randomly-generated session key with 2048-bit RSA encryption. This
technology is used to obfuscate data being stolen, so that in theory,
only the attackers who have the encryption key can intercept or read the
stolen data.

"On top of that, they're using 448-bit Blowfish encryption," Stewart said.

</quote>
-- 
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
