silversurfer
Researchers have discovered a new malware strain, dubbed Reductor, that allows hackers to manipulate Hypertext Transfer Protocol Secure (HTTPS) traffic by tweaking a browser’s random number generator, used to ensure a private connection between the client and server.
Once infected, Reductor is used to spy on a victim’s browser activity, said the Global Research and Analysis Team (GReAT) at Kaspersky, which discovered the malware. Researchers said Reductor is being used for cyber espionage on diplomatic entities that are part of the post-Soviet republics known as Commonwealth of Independent States.
Once a system is infected, Reductor moves on to surveil internet communications. It does this by “patching” a browser’s pseudo random number generators, used to encrypt the traffic between a user’s browser and a website via HTTPS. In other words, instead of attempting to manipulate network packets themselves, adversaries target the Firefox and Chrome browsers and their pseudo random number generation functions.
“They don’t touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation functions in the process’s memory,” researchers wrote.
Pseudo random number generation (PRNG) is used throughout cryptography. In this case, it is used during the creation of a secure HTTPS connection between a client and server, or browser and website. After a browser and website negotiate a TLS handshake, the PRNG creates a random “pre-master secret” (or number) that will be used to secure the connection. The pre-master secret needs to be unpredictable for the connection to be secure.
Source: New Malware Hijacks HTTPS Traffic (threatpost.com). Dubbed Reductor, this malware can manipulate HTTPS traffic by tweaking a browser’s random number generator.
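A toy model of the risk the article describes, added here as an illustration and not code from the post or from Kaspersky's report: the handshake nonces travel in the clear, so the pre-master secret drawn from the browser's PRNG is all that protects the session key. The `PatchedPrng`, `SecurePrng`, `handshake_key` and `attacker_recovers_key` names and the simplified key derivation are constructed for this example.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(secret: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Simplified HKDF (RFC 5869) extract-then-expand, one output block."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


class PatchedPrng:
    """Stands in for a browser PRNG whose output an observer can reproduce:
    a fixed seed stepped through SHA-256, so two instances agree byte for byte
    (constructed model, not Reductor's actual patch)."""

    def __init__(self, seed: bytes):
        self.state = seed

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.state = hashlib.sha256(self.state).digest()
            out += self.state
        return out[:n]


class SecurePrng:
    """Stands in for an unpatched PRNG: output comes from the OS CSPRNG."""

    def random_bytes(self, n: int) -> bytes:
        return secrets.token_bytes(n)


def handshake_key(prng, client_random: bytes, server_random: bytes) -> bytes:
    """Client draws a 48-byte pre-master secret and derives the session key
    from it plus the two public handshake nonces."""
    pre_master = prng.random_bytes(48)
    return hkdf_sha256(pre_master, client_random + server_random, b"session key")


def attacker_recovers_key(victim_prng, attacker_prng) -> bool:
    """An eavesdropper sees client_random and server_random in the handshake.
    If its generator reproduces the victim's pre-master secret, the derived
    session keys collide and the 'private' connection is readable."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    victim_key = handshake_key(victim_prng, client_random, server_random)
    guessed_key = handshake_key(attacker_prng, client_random, server_random)
    return hmac.compare_digest(victim_key, guessed_key)


def demo() -> tuple:
    seed = b"constructed-seed"  # same seed on both sides models a patched PRNG
    patched = attacker_recovers_key(PatchedPrng(seed), PatchedPrng(seed))
    healthy = attacker_recovers_key(SecurePrng(), SecurePrng())
    return patched, healthy  # (True, False)
```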