Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Chrome Encryption Firefox Security

Russian Malware 'Patches' Chrome and Firefox To Fingerprint TLS Traffic (zdnet.com) 13

An anonymous reader quotes ZDNet: A Russian cyber-espionage hacker group has been spotted using a novel technique that involves patching locally installed browsers like Chrome and Firefox in order to modify the browsers' internal components. The end goal of these modifications is to alter the way the two browsers set up HTTPS connections, and add a per-victim fingerprint for the TLS-encrypted web traffic that originates from the infected computers...

According to a Kaspersky report published this week, hackers are infecting victims with a remote access trojan named Reductor, through which they are modifying the two browsers. This process involves two steps. They first install their own digital certificates to each infected host. This would allow hackers to intercept any TLS traffic originating from the host. Second, they modify the Chrome and Firefox installation to patch their pseudo-random number generation (PRNG) functions. These functions are used when generating random numbers needed for the process of negotiating and establishing new TLS handshakes for HTTPS connections.

Turla hackers are using these tainted PRNG functions to add a small fingerprint at the start of every new TLS connection.

The attack is being attributed to Turla, "a well-known hacker group believed to operate under the protection of the Russian government," ZDNet reports. And though the remote-access trojan already grants full control over a victim's device, one theory is the modified browsers offer "a secondary surveillance mechanism" if that trojan was discovered and removed. Researchers believe the malware is installed during file transfers over HTTP connections, suggesting an ISP had been compromised, according to the article.

"A January 2018 report from fellow cyber-security firm ESET revealed that Turla had compromised at least four ISPs before, in Eastern Europe and the former Soviet space, also with the purpose of tainting downloads and adding malware to legitimate files."
This discussion has been archived. No new comments can be posted.

Russian Malware 'Patches' Chrome and Firefox To Fingerprint TLS Traffic

Comments Filter:
  • by at10u8 ( 179705 ) on Sunday October 06, 2019 @06:41PM (#59276810)
    but the analysis includes several .dll files, so they must mean that this is about Windows
  • hackers are infecting victims with a remote access trojan named Reductor

    Pardon me for asking, but what was the names of the Operating Systems and what was the method of infection.

    securelist.com [securelist.com]: “Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected ho
  • Since Chrome is affected, does that mean that Opera and Edge are also affected?
  • by Opportunist ( 166417 ) on Monday October 07, 2019 @03:34AM (#59277630)

    The infection seems to have happened due to downloads from http. Which implies that the source was not the place the (infected) software was downloaded from but that the data stream has been redirected and the intended file replaced with the malicious one. Which in turn means that they either had help from an ISP or that the ISP was hacked before (you can read TFA for details).

    In other words, finally stop downloading from http.

    No, verification of checksums isn't going to cut it, because if I can manipulate the file you download, manipulating the website to display the matching sha1 is trivial. Unless you have a secondary source for the checksum (and who does?), you're essentially comparing bogus data with bogus data.

  • Secondary Surveillance or Reinfect

    Because when the certs are tainted you could not only decrypt the traffic but change it or am I wrong, so it can be used to inject malious data into a TLS secured connection and not only pure-http.

    Defense
    a.) when you are redoing an infected computer, wipe it completely, check all thumb drives, ext. drives, burned cd, etc..

    b.) Do not get programs through unsecured http lines

    c.) Use of signature check - nearly nobody does it

    d.) Use of virustotal - At least a lowlevel check. H

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...