Stealing Data With Obfuscated Code
Weblver1 writes "A recent report by web security firm Finjan shows how easily data can be accessed on PCs by malware which circumvents existing defenses. With the use of obfuscated code, antivirus software and static Web filters could not identify the scrambled attack code as a threat. The report walks through a real-life scenario of the infection process step-by-step, and tracks what happens to the stolen data. This demonstrates how stealing sensitive data has become unbearably easy — especially given the abundance of easy-to-use DIY crimeware toolkits. Finjan's report is available here (PDF, registration required). Shortly after this report, security firm RSA has released their findings of a huge amount of stolen 'virtual wallets' in one of the largest discoveries of stolen data from computers compromised by the Sinowal trojan. While the trojan can be traced back to 2006, it managed to become more productive over time with frequent variants. Given the scale, ease of use, and hiding techniques making infections extremely difficult to find, no wonder today's crimeware achieves such 'impressive' results."
Outbound firewalls are for people who don't know what they're doing
What an incredibly ignorant and stupid thing to say.
I definitely know what I'm doing and I use my outbound firewall to its fullest extent. Having the ability to proactively determine what software can and can't touch the network, be it establishing a connection or binding to a port, in conjunction with a proper hardware solution provides not only good protection, but also serves as an early warning system when an unknown program attempts to go to an unknown site for an unknown reason.
Granted, outbound firewalls are not perfect. If a whitelisted application is compromised, then this firewall doesn't provide much protection. This is why outbound firewalls should be but one of several items in your security toolbox.
However, to wave your hand and claim they are only for people who don't know what they are doing shows a level of arrogance that usually gets corrected only after you are compromised.
Best Use of Light and Spheres:
Anders Gavare
Gibraltargatan 82-156
SE-412 79 Gothenburg
Sweden
http://www.mdstud.chalmers.se/~md1gavan/
Judges' Comments:
To build:
make gavare
To run: ./gavare > ioccc_ray.ppm
For users of systems that distinguish between text and binary mode
(you know who you are), add a library call that specifies binary mode
for stdout as the first statement of main(),
or use freopen("ioccc_ray.ppm", "wb", stdout) and do not use redirection.
A freely distributable command-line version of Microsoft Visual C
exhibits an optimizer bug when compiling this entry. Disable /Og for
best results.
The judges were able to figure out how to control position
(in all 3 coordinates), size, and color (to some extent) of the balls.
Selected Author's Comments:
It is possible to write some kinds of programs in C without using reserved
words. For very short and trivial programs, it usually isn't very hard to
write a variant using no reserved words, but with this program I want to
show that non-trivial programs can also be written this way. This IOCCC
entry contains no reserved words (I don't count 'main' as a reserved word,
although the compiler gives it special meaning) and no preprocessor
directives.
The program is a small ray-tracer. The first line of the source code may
be modified if you want the resulting image to be of some other resolution
than the predefined. The 'A' value is an anti-alias factor. Setting it to
1 disables the anti-aliasing feature (this makes the output look bad), but
setting it too high makes the trace take a lot more time to complete.
The ppm image can then be viewed using an image viewer of your own choice.
(Running the ray-tracer may take several minutes, even on fast machines,
so be patient.)
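To make the output format and the knobs described above concrete, here is a small one-sphere ray-tracer added as an illustration; it is not the entry's code and uses none of its reserved-word tricks. It writes a binary P6 PPM to stdout like the entry, exposes the sphere's position, radius and colour and an anti-alias factor `AA` as plain constants (all values here are constructed for the example), and keeps the ray-sphere intersection in its own function so it can be checked in isolation. The square root is a hand-rolled Newton iteration so the file builds with a bare `cc` and no libm dependency.

```c
#include <stdio.h>

/* Added example, not the IOCCC entry's code: a tiny one-sphere ray-tracer that
   writes a binary P6 PPM to stdout, the same image format the entry produces.
   Sphere position, radius and colour, and the anti-alias factor AA, are the
   knobs the judges' and author's comments describe. All scene values are
   constructed for this example. Build and run: cc -o sphere sphere.c && ./sphere > sphere.ppm */

#define W  160   /* image width in pixels */
#define H  120   /* image height in pixels */
#define AA 2     /* anti-alias factor: AA*AA sub-samples per pixel (1 = off) */

typedef struct { double x, y, z; } vec;

static vec    vadd(vec a, vec b)      { vec r = {a.x + b.x, a.y + b.y, a.z + b.z}; return r; }
static vec    vsub(vec a, vec b)      { vec r = {a.x - b.x, a.y - b.y, a.z - b.z}; return r; }
static vec    vscale(vec a, double s) { vec r = {a.x * s, a.y * s, a.z * s}; return r; }
static double vdot(vec a, vec b)      { return a.x * b.x + a.y * b.y + a.z * b.z; }

/* Newton-iteration square root so the file builds with a bare `cc`, without
   depending on how the toolchain links libm. 60 iterations converge fully. */
static double nsqrt(double a) {
    if (a <= 0) return 0;
    double x = a > 1 ? a : 1;
    for (int i = 0; i < 60; i++) x = 0.5 * (x + a / x);
    return x;
}
static vec vnorm(vec a) { return vscale(a, 1.0 / nsqrt(vdot(a, a))); }

/* Scene (constructed): one sphere in front of the camera, one directional light. */
static const vec    SPHERE_C   = {0.0, 0.0, 5.0};
static const double SPHERE_R   = 1.5;
static const vec    SPHERE_RGB = {0.9, 0.3, 0.2};
static const vec    LIGHT_DIR  = {-0.5, 0.8, -0.4};
static const vec    BACKGROUND = {0.05, 0.05, 0.15};

/* Ray-sphere intersection: ray o + t*d (d unit length) against a sphere of
   centre c and radius r. Returns the nearest t in front of the ray origin,
   or -1.0 on a miss. */
double hit_sphere(vec o, vec d, vec c, double r) {
    vec oc = vsub(o, c);
    double b = vdot(oc, d);                        /* half the linear coefficient */
    double disc = b * b - (vdot(oc, oc) - r * r);  /* quarter of the discriminant */
    if (disc < 0) return -1.0;
    double s = nsqrt(disc);
    if (-b - s > 1e-6) return -b - s;
    if (-b + s > 1e-6) return -b + s;
    return -1.0;
}

/* Colour seen along one ray: Lambert shading on the sphere, else background. */
vec shade_ray(vec o, vec d) {
    double t = hit_sphere(o, d, SPHERE_C, SPHERE_R);
    if (t < 0) return BACKGROUND;
    vec p = vadd(o, vscale(d, t));                 /* hit point */
    vec n = vnorm(vsub(p, SPHERE_C));              /* surface normal */
    double lam = vdot(n, vnorm(LIGHT_DIR));
    if (lam < 0) lam = 0;
    return vscale(SPHERE_RGB, 0.1 + 0.9 * lam);    /* ambient + diffuse */
}

/* Colour of pixel (px, py), averaged over AA*AA evenly spaced sub-samples. */
vec shade_pixel(int px, int py) {
    vec eye = {0.0, 0.0, 0.0}, sum = {0.0, 0.0, 0.0};
    for (int sy = 0; sy < AA; sy++)
        for (int sx = 0; sx < AA; sx++) {
            double u = ((px + (sx + 0.5) / AA) / W - 0.5) * 2.0 * ((double)W / H);
            double v = (0.5 - (py + (sy + 0.5) / AA) / H) * 2.0;
            vec d = {u, v, 1.8};                   /* 1.8 sets the field of view */
            sum = vadd(sum, shade_ray(eye, vnorm(d)));
        }
    return vscale(sum, 1.0 / (AA * AA));
}

static unsigned char to_byte(double c) {
    if (c < 0) c = 0;
    if (c > 1) c = 1;
    return (unsigned char)(c * 255.0 + 0.5);
}

int main(void) {
    /* P6 is a binary format: on platforms that translate "\n" in text mode,
       reopen stdout in binary mode (freopen(..., "wb", stdout)) as the judges
       advise, or the pixel bytes will be corrupted. */
    printf("P6\n%d %d\n255\n", W, H);
    for (int py = 0; py < H; py++)
        for (int px = 0; px < W; px++) {
            vec c = shade_pixel(px, py);
            putchar(to_byte(c.x)); putchar(to_byte(c.y)); putchar(to_byte(c.z));
        }
    return 0;
}
```

Setting `AA` to 1 turns anti-aliasing off and shows the jagged sphere edge the author warns about; raising it multiplies the run time by `AA*AA`, which is why a large factor makes the real entry take minutes.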
I am very much aware of the fact that I'm breaking the guidelines. For
example, the word 'int' is a reserved word and therefore all variable
declarations are implicit. There will no doubt be _lots_ of warnings,
no matter which compiler is used. Still, the source code should be
word-length-independent and endianness-independent.
Another reason for writing code without using reserved words is that many
text editors will make all reserved words turn BOLD when printed on
paper. Since I care for the global environment, we shouldn't waste any
more laser toner, or ink, than necessary. Everyone should write C code
with no reserved words, and our world will be a better place.