[onerng talk] Malware replacing PRNG in memory

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Oct 4 00:29:29 BST 2019

Jim Cheetham <jim at gonzul.net> writes:

>An interesting disassembly of a new malware strain, which amongst other
>tricks alters the PRNG functions of the Firefox and Chrome browsers, so it
>can use them as an additional covert comms channel.

That's pretty advanced stuff, it includes a built-in mini-disassembler to find
the appropriate locations in the code and patch them, and it's more than just
a simple replace-A-with-B, it significantly rewrites the functionality of the
code.  Well worth a read.


More information about the Discuss mailing list