back to article Kaspersky warns of encryption-busting Reductor malware

Kaspersky says it has uncovered a new malware infection that is able to decode encrypted TLS traffic without the need to intercept or manipulate it. Known as Reductor, the malware was spotted in April of this year and is believed to be the work of an espionage-focused hacking crew known as Turla. The malware is thought to be …

  1. J. Cook Silver badge

    Translation: We're doomed.

    It's a neat trick, at least.Don't break the encrpytion, break the weakest link that contributes to the encryption.

    1. sbt Silver badge
      Unhappy

      Re: Translation: We're doomed.

      Crumbs, indeed.

      I've been waiting for a example of an exploit that justifies serious application lock-down/code-signing and traceability. As someone who needs to roll-my-own applications and install my own choice of OS at times, I've resisted the push by Apple and co for features like TPMs, Gatekeeper and SIP to be mandatory. I've got good firewalling and user discipline around trusted sources and checksumming, but it's still a worrisome development. I may have to switch to a small target browser.

    2. Michael Wojcik Silver badge

      Re: Translation: We're doomed.

      Breaking the CPRNG is one of the oldest tricks for modern computer-based cryptanalysis, of course. It's how the original Netscape SSL implementation was first publicly broken.

      In that case, it was Netscape's weak seeding of the CPRNG which was attacked - a completely passive attack (i.e. the researchers were able to break the CPRNG by observing the target machine and deriving enough of the seeding entropy to reduce the seed space to something that could be brute-forced). With Reductor it's an active attack, compromising the CPRNG in memory.

      Another infamous attack on the CPRNG was the Dual_EC_DRBG scandal, where the NSA tried to push a compromised CPRNG into the industry, assisted (perhaps inadvertently, perhaps deliberately) by RSADSI.

  2. Anonymous Coward
    Anonymous Coward

    3 or 4 or 5 ?

    Whodunnit?

    A 3 letter agency?

    A 4 letter agency?

    Someone with 5 eyes?

    1. amanfromMars 1 Silver badge

      Re: 3 or 4 or 5 or 8?

      How about an 8 armed vampire squid ..... for a little/lot of insider trading advantage/fantasy market continuance?

      Whatever can be, invariably inevitably always is, and relies catastrophically on belief being only suspended due to mass ignorance in sees of arrogant complex misdirection and simply outrageous fake denial?

      The posit here is that some of the more sophisticated of professional things are much more likely to be private/pirate enterprise doing it for themselves rather than being quite common in the public nation-state backed actor field ....... although there are many reasons to expect that is a current situation in fundamental flux and disruptive future change.

      1. NetBlackOps

        Re: 3 or 4 or 5 or 8?

        Mutant squid? Six versus eight. Then again, public/pirate makes more sense. What requires a Ph.D. this month/week requires mere menial hackwork this one.

        1. herman Silver badge

          Re: 3 or 4 or 5 or 8?

          A squid has ten tickles. An Octopus only has eight tickles.

    2. Tom Paine Silver badge

      Re: 3 or 4 or 5 ?

      Turla.

      https://twitter.com/campuscodi/status/1180093691467325441

  3. Alister Silver badge

    and, for at least one victim, through a popular warez website over HTTP

    I didn't realise warez was still a thing - it must be 20 years since I used a warez site.

  4. Anonymous Coward
    Anonymous Coward

    And this, ladies & gents ..

    .. is why the Americans had to get rid of Kaspersky in a screaming hurry.

    These sorts of neat tricks require the kind of concentrated effort a state can easily buy, and Kasperky's consistent refusal to whitelist government spyware (over years of operation) and detailed analysis and disclosure of what they come across must have buggered up quite a bit of spying.

    If their Mac software wasn't such a *pain* to run I'd have them on my Mac too.

    1. Tom Paine Silver badge

      Re: And this, ladies & gents ..

      Dude. It's Turla. Hint: they're not the US.

      1. Anonymous Coward
        Anonymous Coward

        Re: And this, ladies & gents ..

        "Dude. It's Turla. Hint: they're not the US."

        I don't know if you're aware of this or not Tom but the hardest thing for researchers to do is to say who the malware authors actually are.

        The CIA in the US has even created a framework called Marble to inject symbols and comments into malware code to make it look like the malware was created by agents from a different country of origin.

    2. aks Bronze badge

      Re: And this, ladies & gents ..

      The USA couldn't issue the whitelist to Kapersky as anybody with access to the whitelist would know how to cripple it. When Kapersky discovered one NSA exploit and reported it, that's when they became persona non grata.

  5. Pascal Monett Silver badge

    Turla, another group of highly intelligent people gone over to the Dark Side

    Well, at least that kind of tool should be restricted to attacking people that that state is interested in, right ?

    Us plebs should be unaffected then, right ?

    Please say yes.

    1. Tom Paine Silver badge

      Re: Turla, another group of highly intelligent people gone over to the Dark Side

      Sure, until you plebs drift into the "legitimate target" category. Or the "unfortunate but acceptable collateral damage" one.

      1. Michael Wojcik Silver badge

        Re: Turla, another group of highly intelligent people gone over to the Dark Side

        And until other, less-discriminating attackers learn and adopt the techniques developed by the nation-state attackers. Attacks become worse over time, and become more common over time.

  6. adam 40 Bronze badge

    How is it even possible to patch the binary unless you have root access?

    Ohhh - wait - you aren't running in Windoze still are you???

    1. Michael Wojcik Silver badge

      Re: How is it even possible to patch the binary unless you have root access?

      From the Linux mprotect(2) man page:

      On Linux, it is always permissible to call mprotect() on any address in a process's address space (except for the kernel vsyscall area). In particular, it can be used to change existing code mappings to be writable.

      Yes, there's pkey_mprotect(2). There's PaX. There's SELinux. But there are plenty of Linux systems out there where ordinary processes are not running with page-permission enforcement. And the same goes for some other POSIXy OSes. (Some online discussions suggest that MacOS enforces "maximum protections" for pages which prevent using mprotect to change existing rx pages to rwx; I haven't investigated.)

    2. david 12 Silver badge

      Re: How is it even possible to patch the binary unless you have root access?

      If you were running Windoze, you wouldn't have a problem. Because Windoze provided TLS at the OS level. It's only the infection of cross-platform browsers (including more recent MS open-source cross-platform browsers) providing their own TLS that provided the platform for this exploit.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019