Ars Technica used in malware campaign with never-before-seen obfuscation (opens in new tab)

(arstechnica.com)

89 pointsiroddis2y ago37 comments

37 comments

25 comments · 7 top-level

kurthr2y ago· 5 in thread

Browse news in a throwaway VM instance that doesn't directly have password management. GoogleNews has served me several trojans, because I'm inherently clicking on unknown links. This attack was interesting, because it didn't leave Ars, but I would fear those who target HN with outlinks.

They can serve malware only to targeted domains so you may be the only one hit.

Even more targeted and obscured is to include several keywords in an article of interest that lead to a single controlled page optimized for search engines, which again serves targeted malware.

LeoPanthera2y ago

> GoogleNews has served me several trojans, because I'm inherently clicking on unknown links.

[Citation Needed]

Extraordinary claims require extraordinary evidence, and I find this extremely difficult to believe. No news outlet linked to from Google News is going to send you a "trojan", or any other kind of malware.

You may have misunderstood how the malware described in the article works - simply visiting Ars would not infect you, or anyone.

kurthr2y ago

Thanks for your question. It should be fairly clear that I'm not talking directly about the Ars issue. That isn't about an outlinked article (Ars doesn't aggregate quite that way) the way Google and HN do. However, using a VM separate from the browser sandbox is a nice way to anonymize and prevent any leaks/damage that can occur. I'm interested to know why you think this hasn't happened since most serous compromises are an untrusted link click away (esp in windows).

The first time was in about 2012. There was a news link off of GoogNews (not the site itself obviously, and an outlink as described). The "News" trojan link page seemed to be up for only a short while and then blocked, since later searches for the title were completely missing. I'm guessing Google probably caught it on their end since it was probably infecting everyone who clicked. I only noticed it reasonably quickly due to a rapid change in network activity, but it had already escaped the browser sandbox and was downloading more.

Drive forensics that day didn't show anything obvious on Friday, but the next Monday a trojan was found that had been using a zero-day. Since then I've used a VM for random browsing (it's not a panacea, but it's easy enough to do). If you believe that's ineffective, I'd like to understand more. A couple of times in the 13 years since, the AV in the VM has caught viruses and I don't really browse much except news from Google, Yahoo, HN, Ars, etc in that VM.

1 more reply

nequo2y ago

I would be curious to learn more about Google News abuses too. It doesn’t sound completely far fetched. Google search is known to have served up malicious websites masquerading as legitimate ones. For example, here’s one that was disguised as gimp.org:

https://news.ycombinator.com/item?id=33384236

Unlikely that such an attack would make it far on HN though.

1 more reply

rolltrunhert2y ago

The article explains how ars was used for a second stage payload.

The device would have to be initially compromised by other means (by usb drive in their slides).

Browsing ars did not expose any users.

Did you read, or just writing comments anyway?

kurthr2y ago

Yeah, I read the article on Ars before it showed up here (it's a day old). It seemed more like it was to obscure CC server and payload location.

I was talking about outlinks anyway.

krackers2y ago· 4 in thread

>Devices that were infected by the first stage automatically accessed the malicious string at the end of the URL. From there, they were infected with a second stage.

I'm guessing the only reason it is done this way is to make network activity less suspicious than if the device were to connect to some novel 3rd party domain?

ploum2y ago

It is simply a way for the first stage to keep an updated URL where to download instructions about what to do. Hardcoding URL won’t do it because your URL might be taken down quite quickly.

In my days, this was done by connecting to an IRC room and listening for specific messages. I find this way of doing it way more complicated and prone to errors (an IRC client is quite easy to do and there’s no realistic way to prevent anybody to send a strange message in a given room)

alamortsubite2y ago

Maybe I'm missing something, but whether the first stage points to Ars/Vimeo or directly to the bad-guys, the URL has to be hardcoded somewhere. I think the comment you replied to is probably on the right track; hiding behind a legit intermediary seems a lot less suspicious if someone inspects the payload on the drive.

1 more reply

netsharc2y ago

Yeah but a socket connection to an IRC server and port will probably trigger a network monitoring firewall that a computer in the network has been compromised... A connection to arstechnica.com, the IT admin might even think "Cool, I didn't know that Bob from accounting is into tech..."

1 more reply

mintplant2y ago

This led to many ISPs blocking IRC connections :(

1 more reply

scosman2y ago· 3 in thread

Good to see them reporting on it. So many publications wouldn’t.

creatonez2y ago

I found it funny how Ars Technica (owned by Condé Nast) had some of the best reporting offering scathing criticism of Reddit (also owned by Condé Nast) while Steve Huffman was destroying the website by killing off the API and leaving volunteer moderators without the tools they need to deal with spam. I'm not sure how common this is, but it was refreshing to see journalists doing their job properly despite being faced with a massive conflict of interest.

jbm2y ago

> Steve Huffman was destroying the website by killing off the API and leaving volunteer moderators

Did this really happen? The site seems to be as busy as normal and with the same opinions being expressed everywhere.

Don't get me wrong, I think that was a huge loss and I don't use Reddit anymore as a result.

3 more replies

hackeraccount2y ago

Up to a point Ars does what it takes to generate clicks. I can't tell if they post more nakedly political content now then they used to but whenever I see that sort of thing on the site it depresses me.

Like a picture of scantily glad woman on a link (Will you see more if you click it? Who knows but there's one way to find out for sure ... ) the end result if it delivers or not is a vague feeling of being manipulated. That the editors think less of me then I'd like.

But who knows, certainly the political stuff on it usually doesn't appeal to my politics so maybe it's just unhappiness that they don't share my views.

AtlasBarfed2y ago· 3 in thread

Base64 is never-before seen?

This isn't even very advanced stenography, am I right?

Heck, something like the network buffer datastore seems a lot more advanced.

dabber2y ago

> Base64 is never-before seen?

Maybe they're referring to using a prominent website as a C&C server? Wait... no, they've seen that before when they reported, in 2017, on a:

> "backdoor Trojan used comments posted to Britney Spears's official Instagram account to locate the control server that sends instructions and offloads stolen data to and from infected computers." [0]

So they must be talking about the novel use of an image in the staged delivery? Oh... nevermind, that can't be it either because their reporting on VPNFilter in 2018 mentioned:

> "stage 1 relies on a sophisticated mechanism to locate servers where stage 2 and stage 3 payloads were available. The primary method involved downloading images stored on Photobucket.com and extracting an IP address from six integer values used for GPS latitude and longitude stored in the EXIF field of the image." [1]

So yeah, I guess Ars hasn't seen Base64 before it was embedded on their site.

[0] https://arstechnica.com/information-technology/2017/06/russi...

[1] https://arstechnica.com/information-technology/2018/06/vpnfi...

foobiekr2y ago

smuggling things past firewalls is trivial. base48 or some other nonsandard scheme or encrypt a zip file and use a bananaphone scheme to make the content look low entropy. No firewall will flag that.

bonton892y ago

What is bananaphone? Based solely on the video I'm assuming you repeat data over and over again wasting space to obscure the actual type of content.

1 more reply

rising-sky2y ago· 2 in thread

So in other words, this is harmless unless the target was previously infected with the malware `explore.ps1`. This URL just acts as a trigger to activate the malware? Do I have that somewhat right?

scosman2y ago

Not a trigger. Just a payload. On a domain the government can’t seize/shutdown. Kinda interesting, but I imagine they can just extract all the target urls from the malware and get hosts to block?

alamortsubite2y ago

Yes. Though that pizza looks pretty gross.

hamandcheese2y ago· 1 in thread

This seems novel in the same way that "<thing>... but on the internet" is a patentable idea.

It seems no different in concept than a spy signaling another spy by leaving something in a public space.

peddling-brink2y ago

The “but on the Internet” part is not novel either. Any site that allows text entry and public viewing may deal with this.

https://bitofhex.com/2020/05/31/youtube-is-my-c2/

Perhaps using the picture of a pizza is novel?

technion2y ago

Every time I read about a massive company ransomware event: excel macros, mimimatz, phishing

Any time something is actually described as a novel technique: cryptominer. Ugh.

j / k navigate · click thread line to collapse

37 comments

25 comments · 7 top-level

kurthr2y ago· 5 in thread

They can serve malware only to targeted domains so you may be the only one hit.

Even more targeted and obscured is to include several keywords in an article of interest that lead to a single controlled page optimized for search engines, which again serves targeted malware.

LeoPanthera2y ago

> GoogleNews has served me several trojans, because I'm inherently clicking on unknown links.

[Citation Needed]

You may have misunderstood how the malware described in the article works - simply visiting Ars would not infect you, or anyone.

kurthr2y ago

1 more reply

nequo2y ago

https://news.ycombinator.com/item?id=33384236

Unlikely that such an attack would make it far on HN though.

1 more reply

rolltrunhert2y ago

The article explains how ars was used for a second stage payload.

The device would have to be initially compromised by other means (by usb drive in their slides).

Browsing ars did not expose any users.

Did you read, or just writing comments anyway?

kurthr2y ago

Yeah, I read the article on Ars before it showed up here (it's a day old). It seemed more like it was to obscure CC server and payload location.

I was talking about outlinks anyway.

krackers2y ago· 4 in thread

>Devices that were infected by the first stage automatically accessed the malicious string at the end of the URL. From there, they were infected with a second stage.

I'm guessing the only reason it is done this way is to make network activity less suspicious than if the device were to connect to some novel 3rd party domain?

ploum2y ago

It is simply a way for the first stage to keep an updated URL where to download instructions about what to do. Hardcoding URL won’t do it because your URL might be taken down quite quickly.

alamortsubite2y ago

1 more reply

netsharc2y ago

1 more reply

mintplant2y ago

This led to many ISPs blocking IRC connections :(

1 more reply

scosman2y ago· 3 in thread

Good to see them reporting on it. So many publications wouldn’t.

creatonez2y ago

jbm2y ago

> Steve Huffman was destroying the website by killing off the API and leaving volunteer moderators

Did this really happen? The site seems to be as busy as normal and with the same opinions being expressed everywhere.

Don't get me wrong, I think that was a huge loss and I don't use Reddit anymore as a result.

3 more replies

hackeraccount2y ago

But who knows, certainly the political stuff on it usually doesn't appeal to my politics so maybe it's just unhappiness that they don't share my views.

AtlasBarfed2y ago· 3 in thread

Base64 is never-before seen?

This isn't even very advanced stenography, am I right?

Heck, something like the network buffer datastore seems a lot more advanced.

dabber2y ago

> Base64 is never-before seen?

Maybe they're referring to using a prominent website as a C&C server? Wait... no, they've seen that before when they reported, in 2017, on a:

So they must be talking about the novel use of an image in the staged delivery? Oh... nevermind, that can't be it either because their reporting on VPNFilter in 2018 mentioned:

So yeah, I guess Ars hasn't seen Base64 before it was embedded on their site.

[0] https://arstechnica.com/information-technology/2017/06/russi...

[1] https://arstechnica.com/information-technology/2018/06/vpnfi...

foobiekr2y ago

smuggling things past firewalls is trivial. base48 or some other nonsandard scheme or encrypt a zip file and use a bananaphone scheme to make the content look low entropy. No firewall will flag that.

bonton892y ago

What is bananaphone? Based solely on the video I'm assuming you repeat data over and over again wasting space to obscure the actual type of content.

1 more reply

rising-sky2y ago· 2 in thread

So in other words, this is harmless unless the target was previously infected with the malware `explore.ps1`. This URL just acts as a trigger to activate the malware? Do I have that somewhat right?

scosman2y ago

Not a trigger. Just a payload. On a domain the government can’t seize/shutdown. Kinda interesting, but I imagine they can just extract all the target urls from the malware and get hosts to block?

alamortsubite2y ago

Yes. Though that pizza looks pretty gross.

hamandcheese2y ago· 1 in thread

This seems novel in the same way that "<thing>... but on the internet" is a patentable idea.

It seems no different in concept than a spy signaling another spy by leaving something in a public space.

peddling-brink2y ago

The “but on the Internet” part is not novel either. Any site that allows text entry and public viewing may deal with this.

https://bitofhex.com/2020/05/31/youtube-is-my-c2/

Perhaps using the picture of a pizza is novel?

technion2y ago

Every time I read about a massive company ransomware event: excel macros, mimimatz, phishing

Any time something is actually described as a novel technique: cryptominer. Ugh.

j / k navigate · click thread line to collapse