[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110408220249.GE12726@sentinelchicken.org>
Date: Fri, 8 Apr 2011 15:02:49 -0700
From: Tim <tim-security@...tinelchicken.org>
To: Maksim.Filenko@...b.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cipher detection
> Here're some more examples:
>
> dummy@...mple.com GGobQ2bsqd64PXVAmaDiDBg=
> eummy@...mple.com GWobQ2bsqd64PXVAmaDiDBg=
> dummy@...mple.co GGobQ2bsqd64PXVAmaDiDA==
> dummy@...mple.@ex GGobQ2bsqd64PXVAmaDBBg0=
> dummy GGobQ2Y=
> dumm GGobQw==
> eummy GWobQ2Y=
> eumm GWobQw==
> example.com GWcXQ2/AqYi6P2g=
> dxample.com GGcXQ2/AqYi6P2g=
> 11111@...mple.com TS5HHy7sqd64PXVAmaDiDBg=
> 11111 TS5HHy4=
>
> Looks like a base64+xor, am I right? And that's enough information for me.
Yes, it is looking like a fixed key stream XORed with the plaintext.
Note that this could mean they're using any number of "good"
encryption algorithms (block cipher in OFB mode, stream cipher) with a
fixed IV. This means the encryption is very broken, but it doesn't
necessarily mean they are using some half-baked custom obfuscation
technique. They could be, but be careful with your accusations.
HTH,
tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists