Showing posts with label Malware. Show all posts

Saturday, October 24, 2015

Timing attack vulnerability in Zeus server-sides

Timing attacks have been shown to be practical since 1996, as demonstrated in a paper by Paul C. Kocher. In that paper, Kocher shows how, by carefully measuring the time required for a private-key operation, one can completely recover the private key. The attack was shown to be effective against widely used cryptosystems such as Diffie-Hellman, RSA and DSS.

Almost ten years later, in 2004, another research paper was published by Dan Boneh and David Brumley, entitled "Remote Timing Attacks are Practical", showing that timing attacks of the kind described in Kocher's paper are also practical remotely. Their research demonstrates a successful attack against a remote instance of an Apache server using OpenSSL, running on a local network.

Later, a paper by Crosby and another by Daniel Mayer and Joel Sandin documented extensive benchmarking work to determine the smallest processing-time difference that can actually be measured across different hardware and network setups.

Now, to tell you the truth, I didn't know a thing about these publications, or much about the existence of timing attacks, when I found this vulnerability in the Zeus botnet's server-side about three years ago. Even though I didn't use much of the mentioned knowledge in my research, I decided to give this intro for people who would like to expand their knowledge about these attacks.

The vulnerability I've discovered is basically a timing attack which enables a remote attacker to resolve the length in characters of the reports directory name by carefully measuring the response time of the server. While this vulnerability may be considered low risk, and was found in a fraudulent piece of software, I find its nature to be a very interesting and intriguing case study which could be of good use to future researchers.


Monday, December 22, 2014

Backoff Point of Sale malware

On July 29, 2014, US-CERT (the United States Computer Emergency Readiness Team) issued an alert regarding a new Point of Sale malware it dubbed Backoff, the first public disclosure of this threat. The name was probably coined after a string found in the code of one of the variant's versions analyzed by US-CERT.

The Backoff threat is currently targeting mostly US businesses, and has managed to compromise more than a thousand different business entities. Its main goal as POS malware is to obtain the magnetic-stripe data from credit and debit cards swiped at point-of-sale stations. The data is then sent to a Command & Control (C&C) server operated by the fraudster.

The product of a private financial fraud group, this threat is continuously being developed, and has been operating since October 2013 according to evidence collected in the wild. In this report I provide the full story of the Backoff operation, including: bot analysis, a behind-the-scenes look at the Backoff server-side and how it operates, background information on its operator, and statistics on the geographic distribution and reach of the malware based on my research.

Full research paper