
posted by LaminatorX on Wednesday October 29 2014, @06:01PM   Printer-friendly
from the draft-dodging dept.

In his career-ending extramarital affair that came to light in 2012, General David Petraeus used a stealthy technique to communicate with his lover Paula Broadwell: the pair left messages for each other in the drafts folder of a shared Gmail account. Now hackers have learned the same trick. Only instead of a mistress, they’re sharing their love letters with data-stealing malware buried deep on a victim’s computer.

Here’s how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. (Shape declined to name the victim of the attack.) After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer—IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer.

With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols that hackers typically use to command their malware also helps keep the hack hidden.
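The exchange the story describes, reduced to a runnable simulation. This is an added example, not code from the Wired article or from Shape's report. The `DraftFolder` class is an in-memory stand-in for a shared webmail drafts folder (nothing here talks to Gmail or runs real commands on the host); the command names, the `cmd`/`ack` subject tags, the fake host `WS-0042` and its file are all constructed for the demo. Base64-over-JSON stands in for the "encoding" the article mentions.

```python
"""Simulation of a drafts-folder command channel (added example).

Both sides share one drafts folder. The operator saves a draft tagged 'cmd';
the implant polls, runs the command, saves an 'ack' draft with the result and
deletes the command draft so the folder looks empty again.
"""
import base64
import itertools
import json


class DraftFolder:
    """Stand-in for a shared webmail drafts folder; lives only in memory."""

    def __init__(self):
        self._drafts = {}
        self._ids = itertools.count(1)

    def save(self, subject, body):
        draft_id = next(self._ids)
        self._drafts[draft_id] = {"subject": subject, "body": body}
        return draft_id

    def find(self, subject_prefix):
        # Snapshot as a list so callers may delete while iterating.
        return [(i, d) for i, d in sorted(self._drafts.items())
                if d["subject"].startswith(subject_prefix)]

    def delete(self, draft_id):
        self._drafts.pop(draft_id, None)

    def count(self):
        return len(self._drafts)


def encode(obj):
    # Obfuscation only: base64 hides nothing from whoever can read the drafts.
    return base64.b64encode(json.dumps(obj).encode()).decode()


def decode(text):
    return json.loads(base64.b64decode(text))


class Operator:
    """The attacker's side: writes commands, collects acknowledgements."""

    def __init__(self, folder):
        self.folder = folder

    def send(self, cmd, arg=""):
        return self.folder.save("cmd", encode({"cmd": cmd, "arg": arg}))

    def collect(self):
        results = []
        for draft_id, draft in self.folder.find("ack"):
            msg = decode(draft["body"])
            if msg.get("cmd") == "get" and msg.get("ok"):
                msg["data"] = base64.b64decode(msg["data"])  # back to bytes
            results.append(msg)
            self.folder.delete(draft_id)
        return results


class Implant:
    """The victim side: polls for 'cmd' drafts and answers with 'ack' drafts."""

    # Constructed fake host; no real filesystem or shell is touched.
    FAKE_HOST = {"hostname": "WS-0042",
                 "files": {"C:/docs/q3.xlsx": b"revenue,..."}}

    def __init__(self, folder):
        self.folder = folder

    def run(self, cmd, arg):
        if cmd == "hostname":
            return {"ok": True, "data": self.FAKE_HOST["hostname"]}
        if cmd == "get":
            data = self.FAKE_HOST["files"].get(arg)
            if data is None:
                return {"ok": False, "error": "no such file"}
            return {"ok": True, "data": base64.b64encode(data).decode()}
        return {"ok": False, "error": "unknown command"}

    def poll(self):
        handled = 0
        for draft_id, draft in self.folder.find("cmd"):
            msg = decode(draft["body"])
            result = self.run(msg["cmd"], msg["arg"])
            self.folder.save("ack", encode({"cmd": msg["cmd"], **result}))
            self.folder.delete(draft_id)
            handled += 1
        return handled


def demo():
    """One full round trip: three commands queued, polled once, collected."""
    folder = DraftFolder()
    operator, implant = Operator(folder), Implant(folder)
    operator.send("hostname")
    operator.send("get", "C:/docs/q3.xlsx")
    operator.send("get", "C:/nope")
    implant.poll()
    results = operator.collect()
    return results, folder.count()
```

Two things worth noticing when you run it: nothing is ever sent as mail, so there is no SMTP trace and no recipient, only HTTPS traffic to the webmail host; and the encoding is not confidentiality. The stealth comes from the destination being a service everyone on the network already talks to, which is the point the article makes about IRC and bare HTTP looking different.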

  • (Score: 2) by strattitarius (3191) on Wednesday October 29 2014, @06:21PM (#111290) Journal
    So my first thought when I read this:

    > in an invisible instance of Internet Explorer—IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer.

    is that is a very misleading statement. I realize Wired is read by quite a few amateurs, but the way that is worded makes it sound like this could only occur thanks to Windows, IE and Gmail, which as most of us know is completely and totally wrong. And sure enough there are comments on Wired about using Firefox or Thunderbird for mail or how this is a Windows-only issue. He even suggests you may need to block Gmail, but doesn't seem to realize how easy this would be with any other webmail service.

    I wonder if it actually even uses IE? I would think that would end up being more complicated to hide than just forming the HTTP requests yourself. I don't know, but I know TFA didn't bother with such specifics and instead started spouting a bunch of useless and incorrect advice.

    --
    Slashdot Beta Sucks. Soylent Alpha Rules. News at 11.
  • (Score: 2) by frojack (1554) on Wednesday October 29 2014, @06:50PM (#111304) Journal

    Python on windows?
    Hidden IE window (like no one would notice that running in task manager?)

    The whole story sounds fishy. If you have access to the computer to install malware
    why would you use such clumsy means and send it through Gmail Drafts?
    Why not just send it directly to some cloud or offshore server.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 3, Interesting) by strattitarius (3191) on Wednesday October 29 2014, @06:54PM (#111306) Journal
      The benefit I see to using Gmail is that it would easily get lost in the logs as it is mixed in with everyone else checking their Gmail account during the day. Some random server in Beckystan might stick out a bit more and set off some flags.
      --
      Slashdot Beta Sucks. Soylent Alpha Rules. News at 11.
    • (Score: 2) by Joe Desertrat (2454) on Thursday October 30 2014, @05:07AM (#111444)

      > Hidden IE window (like no one would notice that running in task manager?)

      I doubt that you, or the average Soylent reader, is a target of these attacks. I would bet that 90% of Windows users only see the task manager if they accidentally open it, and in that case close it without doing anything. If they do look at it, most of what they see is gibberish to them and they are afraid to touch it. Of course, your second point holds in this case, but it is probably still easier and less traceable to stick it in some online e-mail draft than to set up or infiltrate a server for the purpose.

    • (Score: 1) by NeoNormal (2516) on Thursday October 30 2014, @01:42PM (#111507)

      > If you have access to the computer to install malware
      > why would you use such clumsy means and send it
      > through Gmail Drafts?

      My first thought too. Just seems to complicate things and create higher visibility.

  • (Score: 3, Insightful) by PizzaRollPlinkett (4512) on Wednesday October 29 2014, @07:33PM (#111322)

    Wired is written by quite a few amateurs, too. I'd like to see a real source like Krebs or someone discuss this issue.

    --
    (E-mail me if you want a pizza roll!)
  • (Score: 1) by terrab0t (4674) on Thursday October 30 2014, @06:33PM (#111626)

    My guess is that offices concerned about security have software on workstations that monitors processes that make network requests and software on both the workstations and servers that monitor where network requests are being made to.

    A process directly contacting some suspicious HTTP or IRC address is uncommon, suspicious behaviour. It's easy to pick that out of the noise of legitimate network use and flag it for investigation. You could even whitelist which processes on a workstation can use the network.

    Internet Explorer sending and receiving encrypted data from gmail.com is a routine occurrence. Detecting spyware that operates this way is much harder. You need to fall back to virus scanning and malware databases to catch this.
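An added example, not part of the thread, of the process-level network check described in the comment above, extended with two signals from the story itself: whether the browser has a visible window, and which process launched it. The telemetry records are constructed for the demo and the field names (`image`, `parent`, `visible`, `dst`, `conns_per_hour`) are assumptions about what an endpoint sensor would give you; window visibility in particular is not something a bare connection log records, so treat that rule as depending on an EDR that tracks it. The process allowlist and the 300 connections/hour threshold are also invented for the example.

```python
"""Triage of per-process outbound connections (added example).

Rule 1 is the comment's point: only approved clients may talk to the network.
Rules 2 and 3 target the article's 'invisible instance of Internet Explorer':
a browser with no window, or one started by something other than the user's
shell, is not a person reading mail even if the destination is gmail.com.
Rule 4 catches the polling rhythm of a command channel.
"""

NET_CLIENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "outlook.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
USER_SHELLS = {"explorer.exe"}   # normal parent of a browser a user opened
INTERACTIVE_MAX_CONNS = 300       # per hour; assumed threshold for the demo

# Constructed telemetry, one record per (process, destination) per hour.
EVENTS = [
    {"pid": 4120, "image": "iexplore.exe", "parent": "explorer.exe",
     "visible": True, "dst": "mail.google.com", "conns_per_hour": 40},
    {"pid": 5208, "image": "iexplore.exe", "parent": "svchost.exe",
     "visible": False, "dst": "mail.google.com", "conns_per_hour": 720},
    {"pid": 6011, "image": "python.exe", "parent": "cmd.exe",
     "visible": False, "dst": "mail.google.com", "conns_per_hour": 30},
    {"pid": 7000, "image": "outlook.exe", "parent": "explorer.exe",
     "visible": True, "dst": "outlook.office365.com", "conns_per_hour": 50},
    {"pid": 7331, "image": "acrobat.exe", "parent": "explorer.exe",
     "visible": True, "dst": "203.0.113.7", "conns_per_hour": 5},
]


def assess(ev):
    """Return the list of reasons an event is suspicious; empty means routine."""
    reasons = []
    if ev["image"] not in NET_CLIENTS:
        reasons.append(f"{ev['image']} is not an approved network client")
    if ev["image"] in BROWSERS and not ev["visible"]:
        reasons.append("browser process with no visible window")
    if ev["image"] in BROWSERS and ev["parent"] not in USER_SHELLS:
        reasons.append(f"browser launched by {ev['parent']}, not the user shell")
    if ev["conns_per_hour"] > INTERACTIVE_MAX_CONNS:
        reasons.append(f"{ev['conns_per_hour']} connections/hour to "
                       f"{ev['dst']} exceeds interactive rate")
    return reasons


def triage(events):
    """Map pid -> reasons for every event that trips at least one rule."""
    flagged = {}
    for ev in events:
        reasons = assess(ev)
        if reasons:
            flagged[ev["pid"]] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

On the sample data the user's own IE session to Gmail (pid 4120) passes, the automated hidden IE instance (pid 5208) trips three rules at once, and the two non-browser processes are caught by the allowlist alone. The allowlist is the cheap, high-value control; the window and parent checks are what you need once the attacker is hiding inside an approved binary.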