posted by janrinok on Friday October 04 2019, @05:11PM
from the now-that's-sneaky dept.

Kaspersky Warns of Encryption-Busting Reductor Malware:

Kaspersky says it has uncovered a new malware infection that is able to decode encrypted TLS traffic without the need to intercept or manipulate it.

Known as Reductor, the malware was spotted in April of this year[...].

"Besides typical RAT functions such as uploading, downloading and executing files, Reductor's authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers," Kaspersky explains.

[...] Rather than try to man-in-the-middle traffic or steal keys, the Kaspersky team found that the Reductor malware works by infecting the browser (either Chrome or Firefox) itself.

"The solution that Reductor's developers found to mark TLS traffic is the most ingenious part," Kaspersky explained.

"They don't touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation (PRNG) functions in the process's memory."

By compromising the random number generator, the malware's operators would know ahead of time how the traffic will be encrypted when the victim establishes a TLS connection, and have the ability to mark that traffic for later use. From there, the malware can easily decode the traffic and see what the transmitted data is, then send anything of interest back to the command server.

Because this data can be decoded, the attacker has no need to actually tamper with the traffic while it is in transit, and thus is able to function without alerting security tools or administrators that something is amiss.
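A defender-side check for the kind of marking described above, added here as an example (not from the article or Kaspersky's report): it pulls client_random out of TLS ClientHello records and looks for byte offsets that never change across a host's handshakes, something an honest PRNG would not produce. The record layout is standard TLS; the sample handshakes are constructed inline, and the 4-byte tag is an arbitrary placeholder, not the malware's actual marker format.

```python
"""Added example (not from the article or Kaspersky): extract client_random from TLS
ClientHello records and flag byte offsets that never vary across many handshakes,
the footprint a PRNG patched to embed a host tag would leave. Every record below is
constructed inline; the 4-byte tag is an arbitrary placeholder, not Reductor's format."""
import random
import struct

def client_random(record: bytes) -> bytes:
    """32-byte client_random: record hdr (5) -> handshake hdr (4) -> version (2) -> random."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    return record[11:43]

def invariant_positions(randoms, min_samples=8):
    """Offsets whose byte is identical in every sample. For n honest samples an offset
    is constant with probability 256**-(n-1), so any hit at n >= 8 is a marker candidate.
    Caveat: pre-TLS-1.3 stacks may place gmt_unix_time in offsets 0-3, whose high bytes
    stay fixed over a short window; baseline the client's stack before trusting those."""
    if len(randoms) < min_samples:
        raise ValueError(f"need at least {min_samples} handshakes for a verdict")
    return [i for i in range(32) if len({r[i] for r in randoms}) == 1]

def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (one cipher suite, no extensions)."""
    body = (b"\x03\x03" + random32 + b"\x00"   # client_version, random, empty session_id
            + b"\x00\x02\x13\x01"              # cipher_suites: one entry
            + b"\x01\x00\x00\x00")             # null compression, empty extensions
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def sample_records(marked: bool, n=12, seed=7):
    """Constructed capture: honest randoms, or randoms whose first 4 bytes are a fixed tag."""
    rng, tag = random.Random(seed), b"\xde\xad\x00\x01"   # placeholder tag, not a real IoC
    out = []
    for _ in range(n):
        r = bytes(rng.randrange(256) for _ in range(32))
        out.append(build_client_hello(tag + r[4:] if marked else r))
    return out

def assess(records):
    """Invariant client_random offsets across a batch of ClientHello records."""
    return invariant_positions([client_random(rec) for rec in records])

if __name__ == "__main__":
    print("honest capture:", assess(sample_records(marked=False)))  # []
    print("marked capture:", assess(sample_records(marked=True)))   # [0, 1, 2, 3]
```

In practice the randoms would come from a per-host batch of ClientHellos pulled out of a capture, and the check is a triage signal that still needs the stack-specific baseline noted in the comments.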



  • (Score: 3, Interesting) by NotSanguine on Friday October 04 2019, @11:08PM

    Nation state action?

    Making this post because I want to see discussion on this story.

    Maybe. But not necessarily. While it's non-trivial to modify the affected libraries to carry out such a compromise, it's not so onerous that a decent programmer couldn't do this without the resources of a state actor.

    That said, YMMV.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr