How to marry malware to software downloads in an undetectable way (Hint: Please use HTTPS)

Be thankful it's only a proof-of-concept of a hack: German researchers have shown that internet software distribution mechanisms can be turned into virus vectors, without modifying the original code. The Ruhr University boffins – Felix Gröbert, Ahmad-Reza Sadeghi and Marcel Winandy – have developed an on-the-fly mechanism for …

  1. Pascal Monett

    Ooohhhh! A terrible attack is available in the lab!

    But then it is revealed that it needs a man-in-the-middle configuration to work. And even HTTPS can defeat it. Researchers even say only governments can easily implement it.

    In other words: carry on citizens, nothing to see here.

    1. Destroy All Monsters

      Re: Ooohhhh! A terrible attack is available in the lab!

      Are you stupid?

    2. Anonymous Coward

      Re: Ooohhhh! A terrible attack is available in the lab!

      But then it is revealed that it needs a man-in-the-middle configuration to work

      I wouldn't be so dismissive. All you need is DNS pollution or an infected proxy server to make that work and open FTP* is still used in /FAR/ too many places (don't just think DOWNload, also think of UPload for distribution).

      I have a feeling they have unearthed something that has been in use for quite some time, probably since someone started turning images upside down in a network proxy that fed the network at a hacker conference.

      (*) as opposed to SSH, for instance

    3. Adam 1

      Re: Ooohhhh! A terrible attack is available in the lab!

      Whilst it can be defeated by HTTPS, that isn't really the ideal technology to transfer large files because it limits proxy servers' ability to serve those downloads. The server is also then encrypting each packet in the file with the session key which is even more overhead. Publishing the sha256 hash of the download is much more efficient. The main problem is that if you can intercept the file download it is trivial to intercept and change the page with the expected hash. That page could be delivered over https.
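Adam 1's point above is that a published SHA-256 digest only helps if the page carrying it travels over a channel the man-in-the-middle cannot rewrite. The following is an added example, not code from the thread or from the Ruhr University paper: it checks a download against a sha256sum-style manifest (the `<digest>  <filename>` format `sha256sum` emits) and then shows why the check is satisfied anyway when the attacker can rewrite the manifest too. The installer bytes, the tampered copy and the manifest are all constructed inline.

```python
import hashlib
import hmac

# Constructed sample files standing in for an HTTP download: the genuine
# installer and a copy to which a man-in-the-middle has appended code.
GENUINE = b"MZ\x90\x00genuine-installer-bytes"
TAMPERED = GENUINE + b"\x00injected payload"

# Constructed manifest in sha256sum output format, the kind of page Adam 1
# suggests serving over HTTPS separately from the plain-HTTP download.
MANIFEST = (
    "# <hex digest><two spaces><filename>\n"
    + hashlib.sha256(GENUINE).hexdigest() + "  installer.exe\n"
    + hashlib.sha256(b"other").hexdigest() + "  other.bin\n"
)


def parse_manifest(text):
    """Parse 'digest  filename' lines into {filename: lowercase hex digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes binary-mode names with '*'
        if len(digest) != 64 or not name:
            raise ValueError("malformed manifest line: %r" % line)
        entries[name] = digest.lower()
    return entries


def verify_download(data, name, manifest_text):
    """True only if data's SHA-256 equals the manifest's digest for name.

    Fails closed: a file with no manifest entry is treated as unverified.
    compare_digest avoids leaking the mismatch position through timing.
    """
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def mitm_rewrites_manifest(manifest_text, name, data):
    """What Adam 1 warns about: if the manifest travels over the same
    interceptable channel, the attacker publishes the digest of the file
    they substituted and verify_download() is satisfied by the tampered copy."""
    entries = parse_manifest(manifest_text)
    entries[name] = hashlib.sha256(data).hexdigest()
    return "".join("%s  %s\n" % (d, n) for n, d in entries.items())


if __name__ == "__main__":
    print("genuine vs published manifest :", verify_download(GENUINE, "installer.exe", MANIFEST))
    print("tampered vs published manifest:", verify_download(TAMPERED, "installer.exe", MANIFEST))
    forged = mitm_rewrites_manifest(MANIFEST, "installer.exe", TAMPERED)
    print("tampered vs MITM-rewritten one :", verify_download(TAMPERED, "installer.exe", forged))
```

The last line of output is the whole argument: a digest protects the download only as far as the manifest itself is protected, which is why the manifest (or a signature over it under a key the client already holds) has to come over HTTPS even when the bulk download does not.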

  2. Destroy All Monsters

    Yeah...

    yum update via https when?

  3. Cronus

    Perhaps some novelty but...

    Many years ago I found myself with access to somebody's open Wi-Fi router which had default passwords for the admin interface. With that in mind it seemed fairly obvious that manually setting the DNS server in the DHCP settings would allow me to redirect the router owner's traffic.

    Whilst not as complex as the binder described here, I was able to cobble together an infection tool that would essentially proxy requests and inject code into a binary as it was downloaded, in about 2 days. I'd already written a tool years before that allowed for adding new sections to PE executables, and it was only a matter of converting it to work on-the-fly by buffering just enough of the PE header to know where the entry point for the program was, before letting the rest pass through until it came time to tack the extra malicious code on the end.

    I never actually used the code as it was more a proof-of-concept/I wonder if I could do it kind of thing but it worked in my own test environment.

    1. TRT

      Re: Perhaps some novelty but...

      Only if they were using DHCP configured DNS and not a DNS configured in the OS or in, say, a security conscious browser, or an IP address hard coded into an update or software delivery application.

      1. Anonymous Coward

        Re: Perhaps some novelty but...

        Only if they were using DHCP configured DNS and not a DNS configured in the OS or in, say, a security conscious browser, or an IP address hard coded into an update or software delivery application.

        If you have access to the router, it's fairly trivial to re-direct traffic intended for "210.79.50.244" to 192.168.1.252... Or wherever else you want to send it..
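Cronus describes buffering "just enough of the PE header" to learn where the program's entry point is before letting the rest of the download stream through. That header walk (MZ stub, `e_lfanew`, `PE\0\0` signature, COFF header, optional header) is the same one an inline scanner or proxy on the defending side needs in order to inspect an executable as it streams past. The parser below is an added example, not code from Cronus or from the paper; it works on whatever prefix of the file has been buffered so far, reports how many bytes were actually needed, and returns `None` when more data must be read. The sample header bytes are constructed in `build_sample_pe()` and form no runnable executable; `0x40` for `e_lfanew`, the 40-byte section table entries and the optional-header offsets are the PE/COFF specification values.

```python
import struct

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
COFF_SIZE = struct.calcsize(COFF_FMT)  # PointerToSymbolTable, NumberOfSymbols,
SECTION_HEADER_SIZE = 40       # SizeOfOptionalHeader, Characteristics


def parse_pe_header(buf):
    """Parse the PE headers present in buf (e.g. the bytes buffered so far).

    Returns a dict of header fields, or None if more bytes are needed.
    Raises ValueError when the data is not a PE image at all.
    """
    if len(buf) < 0x40:
        return None                      # DOS header not complete yet
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew < 0x40 or e_lfanew > 0x1000:
        raise ValueError("implausible e_lfanew %#x" % e_lfanew)
    coff_off = e_lfanew + 4
    opt_off = coff_off + COFF_SIZE
    # ImageBase ends at optional-header offset 32 for both PE32 (u32 at 28)
    # and PE32+ (u64 at 24), so this is the minimum to read the entry point.
    min_buffer = opt_off + 32
    if len(buf) < min_buffer:
        return None
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, size_opt, chars = struct.unpack_from(COFF_FMT, buf, coff_off)
    (magic,) = struct.unpack_from("<H", buf, opt_off)
    if magic == 0x10B:
        kind, base_fmt, base_off = "PE32", "<I", 28
    elif magic == 0x20B:
        kind, base_fmt, base_off = "PE32+", "<Q", 24
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    (entry_rva,) = struct.unpack_from("<I", buf, opt_off + 16)  # AddressOfEntryPoint
    (image_base,) = struct.unpack_from(base_fmt, buf, opt_off + base_off)
    return {
        "kind": kind,
        "machine": machine,
        "num_sections": nsections,
        "characteristics": chars,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
        "min_buffer": min_buffer,
        # Section table follows the optional header; this is where headers end.
        "headers_end": opt_off + size_opt + nsections * SECTION_HEADER_SIZE,
    }


def build_sample_pe(entry_rva=0x1000, image_base=0x400000, nsections=2, pe32plus=False):
    """Construct a minimal PE header (DOS stub, signature, COFF, optional
    header) for testing. Hypothetical test data, not a loadable executable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack(COFF_FMT, machine, nsections, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hdr = build_sample_pe()
    print("whole header :", parse_pe_header(hdr))
    print("first 80 bytes:", parse_pe_header(hdr[:80]))   # None: keep buffering
    print("first 120 bytes:", parse_pe_header(hdr[:120])["entry_va"])
```

For the constructed PE32 sample, 120 bytes (DOS header, signature, COFF header and the first 32 bytes of the optional header) are enough to recover the entry point, which is the small buffering window Cronus's description implies; everything after `headers_end` can be streamed untouched.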

  4. Anonymous Coward

    Humm

    I can devise harmless torrent files that get concatenated with... well, you know what :-P

  5. Anon5000

    So, exactly the same as the techniques for 'targeted surveillance network injection appliances' that the NSA and co have been trying/using. Just a little bit late with this paper, especially now this technique has come to light as already being used in recent leaks.

  6. Michael Wojcik

    What's new here?

    Have I missed something? Modifying HTTP payloads is old, old news. The specific attack described in the article (haven't had time to look at the paper) is essentially identical to the one in the OWASP MITM wiki entry. It's Sin 8 in 19 Deadly Sins of Software Security (first edition, 2005).

    Attacking non-secured HTTP traffic with a MITM is so commonplace no one even talks about it these days; for the past 10 years or so, all the attention's been on ways to fool users who think they have a secure connection. See for example Mike Perry's summary of a couple of MITM downgrade vulnerabilities, or Moxie Marlinspike's 2009 BlackHat presentation, or Eric Johanson's 2005 piece on IDN homograph attacks. Or any of a million other things.

    Insecure traffic is insecure.

    1. Hargrove

      Re: What's new here?

      My gut reaction as well. As another commenter noted "I have a feeling they have unearthed something that has been in use for quite some time."

      In fact, it seems intuitive that if I wanted to hide malicious executable code, it would be easier to do in an executable software download than in a straight data file. (The way OSes are designed there may be no such thing as a straight data file anymore, but that's another set of issues.)
