miniDuke new virus -- kickin' it old school?

Started by Darren Dirt, February 27, 2013, 05:01:31 PM


Darren Dirt

http://www.google.com/search?q=miniDuke&tbm=nws

http://www.theverge.com/2013/2/27/4035776/sophisticated-miniduke-hack-spies-on-european-governments
Quote
it was designed to capitalize on an exploit within Adobe's Reader application. According to Kaspersky, perpetrators demonstrated "extremely effective social engineering techniques" by sending out infected PDF documents containing "highly-relevant" data to lend them a sense of credence. Once it has been installed, the malware, without a user's knowledge, seeks out predetermined Twitter accounts for encrypted instructions. If Twitter is unavailable or an account has been deleted, the malware is also capable of searching Google for directives.

http://arstechnica.com/security/2013/02/bizarre-old-school-spyware-attacks-governments-sports-mark-of-the-beast/
Quote
Because MiniDuke is written in assembly language, most of its computer files are tiny. Its use of multiple levels of encryption and clever coding tricks makes the malware hard to detect and reverse engineer. It also employs a method known as steganography, in which updates received from control servers are stashed inside image files.

...testament to the skill of the attackers, MiniDuke has taken hold of government agencies, think tanks, a US-based healthcare provider, and other high-profile organizations using the first known exploit to pierce the security sandbox in Adobe Systems' Reader application. Adding intrigue to this, the MiniDuke exploit code contained references to Dante Alighieri's Divine Comedy and also alluded to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.

"When we started looking at the backdoors themselves, we said, 'Now this is very interesting' because it's certainly professionally done and it takes us back to a golden age of the incredibly complex viruses and coding techniques that were used when 29A was around," Kaspersky Lab expert Kurt Baumgartner told Ars. "29A was the elite of the elite when it came to virus writing. Everybody hoped that their stuff never got out, because they were writing metamorphic, viral engines. They advanced viral code that they maintained in their magazine."

"The uses of encryption here along with taking these old assembler techniques and pushing them into a malware package that incorporates a highly resilient infrastructure implementing communications with high-availability services like Twitter and Google is just weird," Baumgartner said. "We're calling a backdoor DLL with no imports weird, which it is. It takes an old-school virus writer to come up with something like that."


summary analysis here: http://www.securelist.com/en/blog/208194129/The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_0x29A_Micro_Backdoor

fascinatingly detailed here: http://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf
_____________________

Strive for progress. Not perfection.
_____________________
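The Ars quote above says the updates MiniDuke fetched were "stashed inside image files". The articles linked in this post do not spell out how, so here is an added example (my own code, not taken from the articles or from the actual MiniDuke samples) of one of the simplest ways to do that and to catch it: data appended after the real end of an image. PNG is an assumption chosen for the example; the articles do not say which image format was used, and the "payload" bytes are constructed for the demo. The detector walks the PNG chunk list, verifying each chunk's CRC, until IEND, and reports anything that follows.

```python
"""Appended-payload stego in a PNG, and a detector for it.

Added example: one simple way to hide a payload in an image file is to append
it after the image's real end (the IEND chunk), where most viewers ignore it.
This is an illustration, not a description of MiniDuke's actual scheme.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Minimal valid 8-bit RGB PNG filled with black pixels (constructed test image)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline: filter-type byte 0 followed by width RGB triples.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def append_payload(png: bytes, payload: bytes) -> bytes:
    """Attacker side: glue an opaque blob onto the end of a valid image."""
    return png + payload


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND.

    Raises ValueError if the data is not a structurally valid PNG, so a
    detector can treat 'malformed' separately from 'has a trailer'.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + body + 4 crc
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r}")
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def trailing_data(data: bytes) -> bytes:
    """Defender side: everything after IEND. Empty for a clean file."""
    return data[png_end_offset(data):]


def classify(data: bytes) -> str:
    """'clean', 'trailer' (bytes after IEND) or 'malformed' (not parseable as PNG)."""
    try:
        return "trailer" if trailing_data(data) else "clean"
    except ValueError:
        return "malformed"


if __name__ == "__main__":
    clean = make_png(2, 2)
    hidden = append_payload(clean, b"constructed-payload: beacon every 60s")
    for name, blob in (("clean.png", clean), ("hidden.png", hidden),
                       ("cut.png", clean[:-3]), ("notpng.bin", b"GIF89a")):
        verdict = classify(blob)
        extra = f" ({len(trailing_data(blob))} trailing bytes)" if verdict == "trailer" else ""
        print(f"{name}: {verdict}{extra}")
```

A real payload would of course be encrypted, so the point of the check is not to read the trailer but to flag that an image carries bytes its own format says should not be there. The same idea (parse to the format's declared end, compare with the file size) applies to GIF and JPEG; the parsers differ, the test does not.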

Mr. Analog

So a real virus written by a true hacker instead of some dude with a virus-writing IDE

Nice...
By Grabthar's Hammer

Thorin

A post about a wonderfully complex virus that takes advantage of a flaw in Adobe's PDF Reader, and for more details you provide a link to a PDF document :P

An' yeah, not a script kiddie.  We should get Steve Gibson from Gibson Research to dissect it.
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

Quote from: Thorin on February 27, 2013, 05:41:16 PM
An' yeah, not a script kiddie.  We should get Steve Gibson from Gibson Research to dissect it.
reverse-engineer level: ASSEMBLY!


Quote from: Thorin on February 27, 2013, 05:41:16 PM
A post about a wonderfully complex virus that takes advantage of a flaw in Adobe's PDF Reader, and for more details you provide a link to a PDF document :P

Only if you care about the more detailed analysis. And hey, you can save it to a TEMP folder and use a non-Adobe reader!
_____________________

Strive for progress. Not perfection.
_____________________