токсичный
June 14, 2017 1:50 PM Subscribe
According to a report published Tuesday by researchers from antivirus provider Eset, a recently discovered backdoor Trojan used comments posted to Britney Spears's official Instagram account to locate the control server that sends instructions and offloads stolen data to and from infected computers. The innovation—by a so-called advanced persistent threat group known as Turla—makes the malware harder to detect because attacker-controlled servers are never directly referenced in either the malware or in the comment it accesses.
She's toxic.
posted by sexyrobot at 2:44 PM on June 14, 2017 [7 favorites]
posted by sexyrobot at 2:44 PM on June 14, 2017 [7 favorites]
1. Does this rely on infected users being fans of Britney Spears?
2. Is 45 a fan of Britney covfefe
posted by adept256 at 2:51 PM on June 14, 2017
2. Is 45 a fan of Britney covfefe
posted by adept256 at 2:51 PM on June 14, 2017
Oops, I did it again. . . .
posted by gsh at 2:54 PM on June 14, 2017 [1 favorite]
posted by gsh at 2:54 PM on June 14, 2017 [1 favorite]
Object Oriented Programming did it again?
posted by adept256 at 2:57 PM on June 14, 2017 [4 favorites]
posted by adept256 at 2:57 PM on June 14, 2017 [4 favorites]
L̖̭͕̗̥̯ͩ̏ͅê̻̯̟͍͎̓͑̈̄̾ͨͭ̏a̭̥̬͔ͯ̍͐̆̽v̠̭͙͓͔̺̿ḛ͍̺̗̗͙̺̌̈́ ̖͓̲͓̖̾ͅͅb͖̦̼͎̘̻̱̐̐ͨͣr̼̠̣̗͐̍̀ͥ͛i͕͎̜̣̹̩̙͚̼͌͗͂̈́͗t͓͇̺̔͗ͫ̍n̻̼̏̾ͪ͛͆̚ȅ̫̟̖̲̘̹̝̙̣ͬ͗̆ͦͩ͌y̘̼̖̰̗͕͙͂̊̇̆͐ ̞̩͚͇͈̒å̪̱̬͔̼͛̏ͫ̈́̂͛l̬̤̰̺͚͗̇ͣ̔ͬ̊̄o̰̳͔͈̱̤̓̃̒nͨ̊͆ͬ̐̚ͅe͇̫̲͙̬͖͛̎̅̂̑!͇͉͇̣̠̘̙̱̓̽!̮̺̬̟̲͍̗ͮ́͛̏͆̿͒̐!̖̦͍͊̌ͬ͑̐̚
posted by lalochezia at 2:57 PM on June 14, 2017 [11 favorites]
posted by lalochezia at 2:57 PM on June 14, 2017 [11 favorites]
It's not a scoop, not yet a legend.
posted by grumpybear69 at 4:02 PM on June 14, 2017 [5 favorites]
posted by grumpybear69 at 4:02 PM on June 14, 2017 [5 favorites]
The innovation—by a so-called advanced persistent threat group known as Turla—makes the malware harder to detect because attacker-controlled servers are never directly referenced in either the malware or in the comment it accesses.
I would have thought the idea was to make the C&C burn-able, to weaken that link back to the attackers. Does this somehow also make the client infection harder to find?
posted by Western Infidels at 4:06 PM on June 14, 2017 [1 favorite]
I would have thought the idea was to make the C&C burn-able, to weaken that link back to the attackers. Does this somehow also make the client infection harder to find?
posted by Western Infidels at 4:06 PM on June 14, 2017 [1 favorite]
spock: "This story is at least 6 days old."
I'm afraid I don't understand this complaint.
posted by Chrysostom at 4:07 PM on June 14, 2017 [14 favorites]
I'm afraid I don't understand this complaint.
posted by Chrysostom at 4:07 PM on June 14, 2017 [14 favorites]
I would have thought the idea was to make the C&C burn-able, to weaken that link back to the attackers. Does this somehow also make the client infection harder to find?
If the malware has to connect directly to sketchy-site.horse to check for orders, you can detect an infection by just looking at your network traffic. But if the malware's just reading facebook, well that's the same kind of traffic lots of people do normally.
posted by aubilenon at 4:29 PM on June 14, 2017 [5 favorites]
If the malware has to connect directly to sketchy-site.horse to check for orders, you can detect an infection by just looking at your network traffic. But if the malware's just reading facebook, well that's the same kind of traffic lots of people do normally.
posted by aubilenon at 4:29 PM on June 14, 2017 [5 favorites]
If the malware has to connect directly to sketchy-site.horse to check for orders, you can detect an infection by just looking at your network traffic.
My reading of this description is: the malware checks Instagram to see if it should connect to sketchy-site.horse or sketchy-site.beaver or whatever. Then it does indeed connect, albeit thinly disguised by bit.ly. Maybe I'm mistaken, this isn't my field at all.
That connection to bit.ly will show up in a log; I think the forward it produces will also. No? If passing through bit.ly is enough to disguise the client, then why doesn't it just connect to bit.ly explicitly?
posted by Western Infidels at 6:17 PM on June 14, 2017 [1 favorite]
My reading of this description is: the malware checks Instagram to see if it should connect to sketchy-site.horse or sketchy-site.beaver or whatever. Then it does indeed connect, albeit thinly disguised by bit.ly. Maybe I'm mistaken, this isn't my field at all.
That connection to bit.ly will show up in a log; I think the forward it produces will also. No? If passing through bit.ly is enough to disguise the client, then why doesn't it just connect to bit.ly explicitly?
posted by Western Infidels at 6:17 PM on June 14, 2017 [1 favorite]
If passing through bit.ly is enough to disguise the client, then why doesn't it just connect to bit.ly explicitly?
My understanding is that this lets them change the URL on the fly. So if sketchy-site.horse (or the bit.ly link to it) gets blocked, they just post a new comment which the malware will decode for a new URL.
posted by airmail at 7:23 PM on June 14, 2017 [2 favorites]
My understanding is that this lets them change the URL on the fly. So if sketchy-site.horse (or the bit.ly link to it) gets blocked, they just post a new comment which the malware will decode for a new URL.
posted by airmail at 7:23 PM on June 14, 2017 [2 favorites]
That connection to bit.ly will show up in a log; I think the forward it produces will also. No?
Yes. The forwarding just instructs the browser to connect to a new URL.
posted by WaylandSmith at 7:47 PM on June 14, 2017 [1 favorite]
Yes. The forwarding just instructs the browser to connect to a new URL.
posted by WaylandSmith at 7:47 PM on June 14, 2017 [1 favorite]
#2spooky4me #surreal
This is the #cyberpunk future we were promised.
What I find fascinating is how well the comment with the address encoded in it blends in with the other comments. The comment section for Britney's Instagram is, admittedly, a pretty low bar for a Turing test but it does makes me wonder how it was generated. Since the program ID's it by hashing the comments they must be #Generating thousands of random comments until they get a hash collision. The numbers and capital letters look like they might be pulled from a dictionary of appropriate hashtags and the lowercase #Letters in the URL get encoded by adding the Zero Width Joiners to the main comment text which might be from some kind of pervy Markov chain or could be copying from previous comments and #adding in 'typos' to make sure it includes all of the right characters. #9
posted by metaphorever at 9:47 PM on June 14, 2017 [3 favorites]
This is the #cyberpunk future we were promised.
What I find fascinating is how well the comment with the address encoded in it blends in with the other comments. The comment section for Britney's Instagram is, admittedly, a pretty low bar for a Turing test but it does makes me wonder how it was generated. Since the program ID's it by hashing the comments they must be #Generating thousands of random comments until they get a hash collision. The numbers and capital letters look like they might be pulled from a dictionary of appropriate hashtags and the lowercase #Letters in the URL get encoded by adding the Zero Width Joiners to the main comment text which might be from some kind of pervy Markov chain or could be copying from previous comments and #adding in 'typos' to make sure it includes all of the right characters. #9
posted by metaphorever at 9:47 PM on June 14, 2017 [3 favorites]
That connection to bit.ly will show up in a log; I think the forward it produces will also.
Sure but they don't have to even post anything to instagram until they're ready to send out a command, right?
posted by aubilenon at 10:23 PM on June 14, 2017
Sure but they don't have to even post anything to instagram until they're ready to send out a command, right?
posted by aubilenon at 10:23 PM on June 14, 2017
is the act of commenting somehow inherent into the human condition?,
Perhaps Language is the virus
posted by eustatic at 10:41 PM on June 14, 2017
Perhaps Language is the virus
posted by eustatic at 10:41 PM on June 14, 2017
posted by metaphorever
Eponysterical doesn't even begin to describe this comment
posted by OverlappingElvis at 9:42 AM on June 15, 2017 [1 favorite]
Eponysterical doesn't even begin to describe this comment
posted by OverlappingElvis at 9:42 AM on June 15, 2017 [1 favorite]
« Older Driving cross-country as intentionally black as... | Extremely fun home! Newer »
This thread has been archived and is closed to new comments
posted by rebent at 2:40 PM on June 14, 2017 [5 favorites]