back to article Intruder alert: Cyber thugs are using steganography to slip in malware badness

Common or garden cybercrooks have taken to using steganography – the art of hiding secret information within another image or message file – to run a click-fraud scam. Steganography has long been the stuff of spy trade-craft and cypherpunk novels, but now cybercrooks have made the practice downmarket by applying it to the Lurk …

  1. amanfromMars 1 Silver badge

    FFS...Get Real

    "Common or garden cybercrooks..."...What the fcuk are you smoking?i

    1. frank ly

      Re: FFS...Get Real

      I think it means they only have two eyes, not five eyes.

      1. Stevie Silver badge

        Re: two eyes, not five

        I'll remind you of the memo of 8th Aug inst. Re: defamatory language in usage by embassy staff to whit: The practice of referring to the members of the Groaci diplomatic mission as "sticky-fingered five-eyes" will cease forthwith under penalty of extra duty in voucher reconciliation and expense report filing.

      2. amanfromMars 1 Silver badge

        Getting Real ... Big Time. And when all just AIDream and IT Spin too ....

        Whatever Next to Do is Always the Abiding Question.

        I think it means they only have two eyes, not five eyes. ...frank ly

        Ahha, and quite so, frank ly, that was just the point I making although obviously not clearly ..... binocular vision rather than panoramic thinking being a common or garden trait for crookedness everywhere, even in these new fangled and quantum entangling cyberspace times and matters.

        I think it a mistake though to imagine and not realise that Five Eyes have proven and continue to confirm that they themselves are two eyed in all the novel and noble fields that now greatly matter in Global Command Head Quarters with Virtual Remote Control [and which be both a unitary and binary and tertiary affair for those into the Great Order of Sublime InterNetworking Things and Singularities]

        To paraphrase a blast from the past ..... Ask not what your intelligence servers can do to you, for they can do anything, tell them what you can do for and/or to them if they be smart enough to wannabe smarter still and more than just static listening post devices and status quo machinery. ..... http://youtu.be/PzRg--jhO8g

    2. Arctic fox
      Headmaster

      @amanfromMars 1 Re: "What the fcuk are you smoking"

      Sorry old chap, no offence intended and all that, but isn't that usually our line whenever we read one of your posts?

      1. amanfromMars 1 Silver badge

        Re: @amanfromMars 1 "What the fcuk are you smoking" ... as per Arctic fox

        Sorry old chap, no offence intended and all that, but isn't that usually our line whenever we read one of your posts? .... Arctic Fox

        Hi, Arctic fox,

        Is the great common sense shared here ...... http://geer.tinho.net/geer.blackhat.6viii14.txt .... your line too, or just what you have to work with?

  2. Tom 35

    So how do current versions get installed?

    "Early versions of Lurk spread through an HTML iFrame on compromised websites that relied on a Flash-based exploit (CVE-2013-5330) in order to infect the computers of passing surfers."

    How do current versions install? The stenography stuff is just for updates and commands after it's already installed.

    1. chris lively

      Re: So how do current versions get installed?

      This is what I was wondering as well.

      Who cares if updates are hard to detect. It still requires a program on the infected computer to receive and process the image correctly. THAT should be detectable; evidenced by the fact they say 350k computers are compromised.

      1. fearnothing

        Re: So how do current versions get installed?

        From a network security analyst's perspective, an infection event only has to get past the equipment and notice of an analyst one time. Updates have to evade detections every time they are run. Hiding update activity makes it harder for people like me to pick up on the few that slip through the AV net.

    2. Anonymous Coward
      Anonymous Coward

      Re: So how do current versions get installed?

      read here

      http://www.secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/

      Clue, DLL (thats a windows file)

  3. Mage Silver badge

    Hmmm

    Put your original Trojan in a nice free mouse / glide pad / keyboard / USB TV stick (from $6) / USB memory stick.

    Use this and the email / webmail interface trick too.

    Send to selected executives, ministers etc ...

    Why bother with random public.

  4. Anonymous Coward
    Big Brother

    The export Table from a Lurk sample

    "The seemingly random noise in the right-half of the images is the actual malware code that is extracted by calling several Windows graphics API functions." ref

    1. Tom 35

      Re: The export Table from a Lurk sample

      Yes, hidden inside the DLL file. How did the DLL file get on the computer? They make a point of telling us how the OLD version is spread, but then go on to tell us how the new version hides, and how it updates. Nothing about how it is spread.

      1. Anonymous Coward
        Pint

        Re: The export Table from a Lurk sample

        SecureWorks clients almost certainly have the skinny on the new mechanism(s). We don't contribute to their economic well-being so....

  5. Wzrd1

    FUD

    Signature detection doesn't work. Use *our* signatureish BS.

    I'm looking on my watch for the blowme button....

    1. amanfromMars 1 Silver badge

      Re: FUD, when All you Need is LOVE, is more than just Expandingly Expensive

      Signature detection doesn't work. … Wzrd1

      Quite so, Wzrd1, and it will never work because of ……

      I've spoken elsewhere about how we are all intelligence agents now, collecting on each other on behalf of various overlords.[RSA] There are so many technologies now that power observation and identification of the individual at a distance. They may not yet be in your pocket or on your dashboard or embedded in all your smoke detectors, but that is only a matter of time. Your digital exhaust is unique hence it identifies. Pooling everyone's digital exhaust also characterizes how you differ from normal. Privacy used to be proportional to that which it is impossible to observe or that which can be observed but not identified. No more -- what is today observable and identifiable kills both privacy as impossible-to-observe and privacy as impossible-to-identify, so what might be an alternative? If you are an optimist or an apparatchik, then your answer will tend toward rules of data procedure administered by a government you trust or control. If you are a pessimist or a hacker/maker, then your answer will tend towards the operational, and your definition of a state of privacy will be my definition: the effective capacity to misrepresent yourself.

      Misrepresentation is using disinformation to frustrate data fusion on the part of whomever it is that is watching you. Some of it can be low-tech, such as misrepresentation by paying your therapist in cash under an assumed name. Misrepresentation means arming yourself not at Walmart but in living rooms. Misrepresentation means swapping affinity cards at random with like-minded folks. Misrepresentation means keeping an inventory of misconfigured webservers to proxy through. Misrepresentation means putting a motor-generator between you and the Smart Grid. Misrepresentation means using Tor for no reason at all. Misrepresentation means hiding in plain sight when there is nowhere else to hide. Misrepresentation means having not one digital identity that you cherish, burnish, and protect, but having as many as you can. Your fused identity is not a question unless you work to make it be. Lest you think that this is a problem statement for the random paranoid individual alone, let me tell you that in the big-I Intelligence trade, crafting good cover is getting harder and harder and for the exact same reasons: misrepresentation is getting harder and harder. If I was running field operations, I would not try to fabricate a complete digital identity, I'd "borrow" the identity of someone who had the characteristics that I needed for the case at hand. … Dan Geer, Cybersecurity as Realpolitik

      However, I would not wholeheartedly agree that to “borrow” the identity of someone who had the characteristics that I needed for the case at hand was a better answer than to pay them handsomely to continue doing what they be doing and which has been found to be so attractive and appealing. After all, with Uncle Sam mooting the possibility and therefore the probability of paying 10x the worth of a catastrophic and disruptive zeroday vulnerability exploit to finders and keepers/explorers/crack hackers/virtual field entrepreneurs, and it being in all likelihood a most acceptable practical solution to a virtually impossible to police and prevent problem, why ever risk failing badly with anything pilfered and phished from a relative stranger who would know of the danger. Goodness know what would be lurking in the source code, to spring forth uncontrolled and uncontrollable by second and third parties, in the future, for that is the reality which some, who may be more than just a few and of alternative thoughts, have programmed into the System of Systems for the Sublime InterNetworking of Things in a Beta AI Controlled Future and Live Operational Virtual Environment.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021