New Malware Hijacks HTTPS


Researchers found a new malware strain, called Reductor, that enables hackers to manipulate Hypertext Transfer Protocol Secure (HTTPS) traffic by modifying a browser's random number generator, which is used to ensure a private connection between the client and the server. Once a machine is infected, Reductor can spy on the victim's browser activity. What makes Reductor unique is how the hackers install the malware on targeted systems and how they manage to circumvent HTTPS protections. Reductor is similar to the COMpfun trojan, which was initially found in 2014. Kaspersky has linked COMpfun to the threat group Turla; however, Kaspersky said a direct link between Reductor and Turla is not clear.

The first of the two main attack vectors for infecting victims is systems already infected with COMpfun pulling down and installing a version of the malware. The second attack vector occurs when targets download software from third-party sites: the hackers have the ability to patch clean software on the fly while it is being downloaded from legitimate websites to users' computers. The software installers came from warez websites, which host pirated software. While the original installers on those sites aren't infected, they end up on the victims' PCs carrying malware, so researchers think the software installer is replaced on the fly during the download.


Once a system is infected, Reductor moves on to spy on internet communications. It does this by patching a browser's pseudo random number generators, which are used to encrypt the traffic between a user's browser and a website via HTTPS. Instead of attempting to manipulate network packets themselves, the hackers target the Firefox and Chrome browsers and their pseudo random number generation functions. Pseudo random number generation is used during the creation of a secure HTTPS connection between a client and a server: when a browser and a website negotiate a TLS handshake, the PRNG creates a random pre-master secret that will be used to secure the connection. The pre-master secret needs to be unpredictable for the connection to be secure.
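To show why the pre-master secret has to be unpredictable, here is an added Python example (not code from the article or from Kaspersky's analysis) that derives the TLS 1.2 master secret as specified in RFC 5246 and compares a browser that draws its pre-master secret from the OS CSPRNG with a constructed model of a tampered, seed-determined generator. The functions `patched_pre_master` and `observer_recovers_master_secret`, and the handshake random values, are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import random


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 pseudo-random function (RFC 5246, section 5) using P_SHA256."""
    seed = label + seed
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret = PRF(pre_master, "master secret", ClientHello.random + ServerHello.random)."""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def secure_pre_master() -> bytes:
    """A healthy browser: the pre-master secret comes from the OS CSPRNG and cannot be reproduced."""
    return os.urandom(48)


def patched_pre_master(seed: int = 1234) -> bytes:
    """Constructed model (an assumption, not Reductor's code) of a tampered PRNG whose output is
    fully determined by a seed, so anyone who knows the seed can regenerate the same bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(48))


def observer_recovers_master_secret(pre_master_fn) -> bool:
    """Simulate a browser deriving its session master secret, then a passive observer who sees
    the (plaintext) handshake randoms and runs the same generator. Returns True if the observer
    ends up with the browser's master secret, i.e. the PRNG gave the connection no secrecy."""
    client_random = bytes.fromhex("11" * 32)   # constructed ClientHello.random
    server_random = bytes.fromhex("22" * 32)   # constructed ServerHello.random
    browser_ms = master_secret(pre_master_fn(), client_random, server_random)
    observer_ms = master_secret(pre_master_fn(), client_random, server_random)
    return hmac.compare_digest(browser_ms, observer_ms)


if __name__ == "__main__":
    print("CSPRNG pre-master recoverable by observer:", observer_recovers_master_secret(secure_pre_master))
    print("patched pre-master recoverable by observer:", observer_recovers_master_secret(patched_pre_master))
```

The PRF is deterministic, so with a seed-determined pre-master secret the observer reaches the identical master secret and therefore the same record-layer keys; with a CSPRNG the two derivations never agree.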

Researchers haven't seen malware developers interacting with browser encryption in this way before. The sophistication demonstrated by Reductor's creator suggests a professional organization, typically associated with nation-state actors.