Golden keys from the (first) crypto wars have come back to haunt us.
When a web client makes a secure connection to a web server (using HTTPS), it starts by sending a 'Hello' message in which it announces which cipher suites it supports. The web server then chooses one, presumably the one that offers the best security, and this will be used to encrypt the traffic.
A downgrade attack occurs when an attacker situated between client and server convinces them to use a weaker cipher suite. In itself this shouldn't be problem: even the weaker suites are supposed to provide ample security, but it can be used to facilitate the exploit of a vulnerability in a weaker cipher suite, similar to attacks that force the connection to use the older SSL 3.0 protocol to exploit POODLE.
Dénes Óvári explains how to store code in lossily compressed JPEG data.
Malformed PDFs have become a common way to deliver malware. Naturally, when this started to happen, anti-virus products began scanning inside PDF files for traces of malicious code and, equally naturally, malware authors started to obfuscate that code to circumvent scanners.
Not everything can be used to store code though. Data streams compressed using lossy compressors like JPXDecode and DCTDecode are deemed unsuitable for storing any kind of code. After all, the lossy compression means one should not be able to retrieve an exact copy of the uncompressed data. For performance reasons, scanners therefore usually ignore this data.
Use of email authentication technique unlikely to bring any advantage.
Last week, Trend Micro researcher Jon Oliver (who presented a paper on Twitter abuse at VB2014) wrote an interesting blog post about a spam campaign that was spreading the 'TorrentLocker' ransomware and which, unusually, was using DMARC.
TorrentLocker is one of the most prominent families of encryption ransomware — a worryingly successful kind of malware that first appeared two years ago. The malware initially implemented its cryptography rather poorly, but has since become one of the most successful of its kind.
Micky Pun and Neo Tan analyse the banking trojan that is best known for spreading through Skype.
Since the close of the VB2014 conference in Seattle in October, we have been sharing VB2014 conference papers as well as video recordings of the presentations. Today, we have added 'Caphaw - the advanced persistent pluginer' by Fortinet researchers Micky Pun and Neo Tan.
Caphaw (also known as Shylock) is a bit of a rarity among today's botnets: its source code hasn't been leaked and the malware has never been offered for sale on underground forums, suggesting that the same group of people wrote the code and maintained the botnet.