This is a cross-post from my company‘s blog that I posted today.
The injection of malicious <script src="malicious.js"> JavaScript tags on a massive scale into everyday popular and reputable Web sites, commonly visited by the casual surfer at home (and at work), has been the trend. Today, as my team and I here at Security Labs made our routine rounds around the block to spy on what the bad guys are up to next, we discovered a somewhat weak but interesting piece of malicious code, whose techniques date back to the early days of encryption – the substitution cipher.
Wikipedia has a good introduction on this topic:
In cryptography, a substitution cipher is a method of encryption by which units of plaintext are substituted with ciphertext according to a regular system; the “units” may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing an inverse substitution.
Doing a character for character substitution, using a keyword of “MALCODE“, we get:
Plaintext: Â ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext: MALCODEHIJKFBNGPQRSTUVWXYZ
Using that mapping, we can encrypt a message from a hypothetical botnet master to his/her herd of bots from this:
LAUNCH THE DDOS ATTACK NOW
to this:
FMUNLH THO CCGS MTTMLK NGW
It’s a very trivial algorithm, and extremely weak in terms of the protection it provides (by today’s standards), but it is definitely good enough to conceal the true message from casual prying eyes. This was certainly as good as bulletproof during the days of Julius Caesar (wow, we’ve come a long way!).
(more…)
