[onerng talk] Malware replacing PRNG in memory
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Oct 4 00:29:29 BST 2019
Jim Cheetham <jim at gonzul.net> writes:
>https://securelist.com/compfun-successor-reductor/93633/
>
>An interesting disassembly of a new malware strain, which amongst other
>tricks alters the PRNG functions of the Firefox and Chrome browsers, so it
>can use them as an additional covert comms channel.
That's pretty advanced stuff: it includes a built-in mini-disassembler to find
the appropriate locations in the code and patch them, and it's more than just
a simple replace-A-with-B; it significantly rewrites the functionality of the
code. Well worth a read.
Peter.