Could they be using TheReg's comments
would explain the AManFromMars comments?
Cyber-spies are increasingly attempting to hide their command and control operations in plain sight by burying their command infrastructure in the forums of internet heavyweights, including Microsoft. FireEye and Microsoft have successfully shut down the Chinese threat actor APT17’s use of the MSFT TechNet blog to hide their …
On a slightly more serious note: It's quite easy to use plausible(-ish) generated text as a covert channel. One method which should be familiar to anyone who's worked in the area is to adapt Shannon's technique for gauging the efficacy of a natural-language parser, which is basically to run it backward and see if it produces natural-sounding text.
So, you take a natural-language model like a PCFG or a MEMM, "tap" it to expose the internal stochastic state,[1] and stick it in your sender and receiver. There are plenty of open-source ones available.
To send data, you take the datastream and feed it through the model backward as the state probabilities, picking suitable words pseudorandomly. This produces a stream of text that fits the model, so if the model is decent, you get plausible generated text.
The receiver parses the resulting text and records the state as the model evaluates it, recovering the stream.
It's not clear from the article or blog post how BLACKCOFFEE was encoding the message on the TechNet forums, and the PDF link doesn't work, but since they were just encoding an IP address they probably weren't doing anything this sophisticated. But yeah, you can use techniques like this to get a pretty fat covert channel out of plain text - fatter than what you could do with regular steganography (like varying word choice, whitespace, typos, etc), and less obvious than simply blatting control data out.
[1] Note this turns your Hidden Markov Model into one that isn't hidden, which is mildly interesting from a theoretical point of view.
The Product Key used to install Windows is invalid. Please contact your system administrator or retailer immediately to obtain a valid Product Key.
Or more generally, all channels are channels. If you can send a signal, you can send information.
Research in this area basically boils down to a form of traffic analysis. It's essentially the same as, say, trying to identify machine-generated online reviews, or any other sort of channel abuse.
People have been demonstrating all sorts of deliberate and accidental covert channels in modern IT systems for decades, with things like EMF leakage, power analysis, IP over DNS, etc.
The proposal that any system will be able to keep encrypted
messages off it is false. It is too easy to hide messages in
traffic. Any claim that review by a sysop will even slow it
down is extremely overoptimistic. It is a trivial task to
hide anything in a message. Even if you read every message
in all the echos, you cannot find all the hidden ones.
I guarantee that those that claim to remove encrypted messages
off their message base will be those most likely to have them
posted on their machine unknowingly. How many people can even
try reading all messages on their systems? Not many...
I can reassure you that even those who don't have a life, it
is impossible you can review every permutation of a message.
Having stated that you will review your message base for
all the hidden meanings only makes you more liable for your
Hint: Read the second column vertically for the example the post carries ;)
Note: Easier to read with a monospaced typeface.
No, these are bots trying to "follow the price" of another bot that has a programming error as I understand it.
The initial high price that causes other bots to inflate their prices needn't be a bug. It could be one seller trying to inflate all the bot-controlled prices when that seller has another channel for advertising a real, much lower price.
If I had a used book store, and lacked ethics, I'd be looking at ways to surreptitiously inflate book prices on Amazon Marketplace and the like, to improve my store's competitiveness. And that's one obvious way to do it.
some zombie networks have previously made use of Twitter profiles as a communication channel
Reviewing the reports of that incident, it appears they were using regular tweets, not Twitter profiles, as the channel.
There are plenty of legitimate applications that use Twitter as a channel. It's easy for programs to send and receive tweets, so Twitter is basically hosting a fairly reliable broadcast message service. Why build your own, if Twitter will give you one for free? And one that's easy for developers to monitor and inject messages into in the bargain?
Using Twitter isn't sneaky. It's an obvious choice of an appropriate technology for many applications. Not those that need high reliability or confidentiality or authentication, etc; but there are many that don't.
FireEye decided not to release any real details on this activity. RSA published a blog post showing exactly how the IP address was encoded and how to decode it. As well as signatures and rules to look for malware on your system that uses it. FireEye just gave a few MD5 hashes for a small set of samples it saw.
Biting the hand that feeds IT © 1998–2019