Favicons used to update world's 'most dangerous' malware

Developer Jakub Kroustek has found new features in the dangerous Vawtrak malware that allow it to send and receive data through encrypted favicons distributed over the Tor network. The AVG security bod reveals the features in a report (pdf) into the malware which is considered one of the worst single threats in existence. He …

  1. dan1980

    Okay, ignoring the obvious suckiness of it all, that's actually pretty cool.

    1. This post has been deleted by its author

      1. Crazy Operations Guy

        Pass simple messages through oppressive government firewalls? Set it up so that a regular law-abiding news site would encode a link to their 'revolutionary' site that is constantly moving and changing domain names. It would be nearly impossible for the government to figure out where the links are coming from, and they would be forced to play whack-a-mole on the actual counter-government site.

        You could also incorporate a checksum of the page you are viewing to determine if content has been injected or modified.

    2. Michael Wojcik Silver badge

      Side channel is side channel. This isn't even a particularly clever one. Other malware has used HTTP image retrieval as a side channel; it's just one way to disguise your C&C traffic. It's a lot less ambitious than, say, IP over DNS, and even that is pretty obvious to anyone with an IT-security background.

      People have used power consumption and timing as covert channels. They've used process IDs as covert channels. They've used apparent typographical errors in text as covert channels. Researchers showed that modem activity lights leaked enough information to be inadvertent side channels, so it wouldn't be surprising if someone tried using them deliberately as a covert channel.

      Every channel is a potential covert channel. If it transfers information, someone's going to try to use it for something other than its intended purpose.
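The thread above describes favicon fetches being used as a disguised C&C channel. The following is an added example (not the commenter's code, and not AVG's or any vendor's detection logic) showing how a defender might flag that pattern in a web-proxy log. It works over constructed log lines in an assumed format of "timestamp client method host path bytes"; the thresholds (maximum normal icon size, minimum repeat count, jitter tolerance) are assumptions chosen for illustration, and it flags three things: oversized favicon responses, hosts from which a client fetches only the favicon and never a page, and favicon fetches that recur at clock-regular intervals.

```python
"""Flag favicon fetches in a proxy log that look like covert C&C beaconing.

Heuristics (every threshold below is an assumption for this example):
  1. oversized_favicon: the response is far larger than a real icon.
  2. favicon_only_host: a client repeatedly fetches /favicon.ico from a host
     while never fetching any other content from it (browsers normally load
     the icon alongside a page).
  3. regular_favicon_beacon: the favicon fetches recur at nearly fixed gaps.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

MAX_NORMAL_FAVICON_BYTES = 20_000  # assumption: genuine icons are a few KB
MIN_REPEATS = 4                    # assumption: fewer fetches is not a pattern
MAX_JITTER = 0.2                   # assumption: stdev/mean of gaps below this is "regular"


@dataclass
class Request:
    ts: datetime
    client: str
    host: str
    path: str
    size: int


def parse_line(line: str) -> Request:
    """Parse one constructed log line: 'ISO-time client METHOD host path bytes'."""
    ts, client, _method, host, path, size = line.split()
    return Request(datetime.fromisoformat(ts), client, host, path, int(size))


def is_favicon(path: str) -> bool:
    return path.lower().endswith("favicon.ico")


def analyze(lines):
    """Return a list of (finding_kind, client, host, detail) tuples."""
    reqs = [parse_line(l) for l in lines if l.strip()]
    findings = []
    favicon_fetches = defaultdict(list)   # (client, host) -> [Request]
    other_content = set()                 # (client, host) pairs with non-icon traffic

    for r in reqs:
        if is_favicon(r.path):
            favicon_fetches[(r.client, r.host)].append(r)
            if r.size > MAX_NORMAL_FAVICON_BYTES:
                findings.append(("oversized_favicon", r.client, r.host, r.size))
        else:
            other_content.add((r.client, r.host))

    for (client, host), fetches in favicon_fetches.items():
        if len(fetches) < MIN_REPEATS:
            continue
        if (client, host) not in other_content:
            findings.append(("favicon_only_host", client, host, len(fetches)))
        fetches.sort(key=lambda r: r.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(fetches, fetches[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MAX_JITTER:
            findings.append(("regular_favicon_beacon", client, host, round(mean(gaps))))
    return findings


# Constructed sample log: one client browsing normally, one client fetching a
# large favicon from a single host every ten minutes and nothing else from it.
SAMPLE_LOG = """\
2015-03-27T10:00:00 10.0.0.5 GET news.example /index.html 52310
2015-03-27T10:00:01 10.0.0.5 GET news.example /favicon.ico 1406
2015-03-27T10:05:00 10.0.0.5 GET news.example /story/42 38811
2015-03-27T10:00:00 10.0.0.9 GET cdn.example.test /favicon.ico 47120
2015-03-27T10:10:00 10.0.0.9 GET cdn.example.test /favicon.ico 47212
2015-03-27T10:20:00 10.0.0.9 GET cdn.example.test /favicon.ico 47098
2015-03-27T10:30:00 10.0.0.9 GET cdn.example.test /favicon.ico 47301
2015-03-27T10:40:00 10.0.0.9 GET cdn.example.test /favicon.ico 47150
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Run against the sample, the normal client (10.0.0.5) produces no findings, while 10.0.0.9 trips all three heuristics. In practice the size threshold should be tuned to the environment, and the regularity check is the one worth keeping even when icons are small, since it is the timing rather than the payload that gives a beacon away.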

  2. Anonymous Coward

    speaking of

    Please add a favicon to The Platform

  3. Sarah Balfour

    Darren Pauli, see me after class!

    "You'll know YOUR infected…"

    Darren, please correct the above, and then write it 1,000 times in your lunch break. Well, that's what used to happen when I was at school; basic spelling and grammar errors were an instant detention.

    Reg, sack yer sub-ed - oh, wait, you don't HAVE, a sub-ed, do ya…? Well off with yer ed, then!

    1. frank ly

      Re: Darren Pauli, see me after class!

      Nowadays, you get detention for not using the Tips and Corrections link.

  4. I. Aproveofitspendingonspecificprojects

    What will the stooopid do?

    It must take intelligence to run a net of bots yet I still end up a winner of stuff like this:

    ......Your e-mail has been AWARDED the sum of (2.5)MIILLION EUR(OS). Requested Details.

    Name:

    Last Name:

    Ph:

    We await your response. Regards,Mrs Vicente Dora.

    Can't make up their minds how to say how much it is, don't even know who won and the lousy spelling and grammar don't inspire me to believe I am more clever than people who are going to be duped by me.

    So how do they mastermind all this shit?

    And what's a Ph: ?

    1. Doctor Syntax Silver badge

      Re: What will the stooopid do?

      "So how do they mastermind all this shit?"

      I thought that had been explained by now. If you have to be stupid to reply then the scammers know the replies are from suitably stupid suckers.

      "And what's a Ph: ?"

      A doctorate that's been doctored?

    2. dan1980

      Re: What will the stooopid do?

      Phone number.

      1. DropBear

        Re: What will the stooopid do?

        "Phone number."

        I'd answer "2.6 (measured via ingested litmus paper)" but I'm afraid they wouldn't get it at all...

    3. Anonymous Coward

      Re: What will the stooopid do?

      Ah, @I. Aproveofitspendingonspecificprojects

      the lousy spelling and grammar don't inspire me to believe I am more clever than people who are going to be duped by me

      Maybe they are just looking for people who can't spell approve?

    4. Michael Wojcik Silver badge

      Re: What will the stooopid do?

      the lousy spelling and grammar don't inspire me to believe I am more clever than people who are going to be duped by me

      Microsoft Research's Cormac Herley published a paper a few years back arguing that there's an economic advantage to making untargeted spam and phishing messages deliberately stupid. It reduces the number of responses from people who are going to later wise up and stop corresponding before the phisher extracts money from them. The paper's worth reading - it treats phishing as a binary classification problem.

      Herley, with Dinei Florêncio, also argued, back in 2008, that phishing is a low-cost, low-skill, low-profit endeavor and that the profit from it is hugely overestimated. Once in a while someone gets a big payout - the stories that show up in the news - but for the most part it's basically subsistence scavenging. So it's generally not done by the people who create the malware or own the botnets. They lease their resources to the hordes of small-time phishers.
