Recent Haxdoor Distribution Breaks SSL via Pharming

Secure Science Corporation has released an advisory on the pharming technique used by the latest malware distribution (Haxdoor), which has broken SSL in the sense that matters to an end user: the lock no longer guarantees you are at the genuine site. Chapter 5 of Phishing Exposed, the book by Lance James, who works for Secure Science, described this technique as an upcoming threat that phishers would take advantage of. The report on how the SSL pharming attack works is on the advisories page at Secure Science.

2 Responses to “Recent Haxdoor Distribution Breaks SSL via Pharming”

  1. Someone Else Says:

    Have hackers "Broke" SSL?…

    Seems that there has been some rumbling that SSL encryption has been broken recently, which is quite……

  2. Lance James Says:

    I liked the explanation Robert, but there is something that you’re under-playing here. The web browser is supposed to do its job. The issue isn’t that there is a trojan that can hook into IE and grab all traffic before it’s encrypted, the issue is that it performed a successful man-in-the-middle by using a mixed-certificate technique to bypass the “EDUCATION” of SSL and the authentication. An example of this is here:

    http://ip.securescience.net/exploits/ssl_mix.html

    This demonstrates 4 frames, 2 of which are SSL protected and 2 which are not. No matter what browser we demonstrate this from, there are no warnings, pop-ups, or anything about non-secure pages or secure pages, and as we all know there is no Lock at the bottom. If you reverse the roles:

    https://slam.securescience.com/threats/mixed.html

    We see my Cert (which shouldn’t alert, some browsers in mozilla still don’t like Thawte), and we also have two frames with two separate SSL certs on the page. No warnings, and the SSL lock states that it’s what the domain has. This is a problem with cross-user attacks as well as Trojans that Pharm because they easily fake “authentication” which is the intent of SSL for the home user, to authenticate the site and make sure they are there. The education around this for pharming is to use SSL to verify you are at the site. Well - in this report, this proves that not all cases will work.
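The framing problem Lance describes above (one lock for a page whose frames are served under other certificates, or with no TLS at all) is easy to make visible with a few lines of code. The following Python script is an added example, not part of the original post and not Secure Science's demo pages: it parses the `<frame>` and `<iframe>` sources of a page, classifies each one relative to the top-level URL, and reports whether the single lock the browser shows actually vouches for everything on the page. The two sample pages and every hostname in them (`demo.example`, `bank.example`, `attacker.example`) are constructed stand-ins for the two demo pages linked above.

```python
"""Audit a page's frames for the 'mixed certificate' framing problem.

Browsers of the time showed one lock for the top-level document only, so a
frameset mixing TLS and plaintext frames, or frames served under different
certificates, rendered with no warning. This audit makes that visible.
Added example; hostnames and sample pages are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FrameCollector(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> element."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def classify_frame(top_url, frame_src):
    """Return (resolved_url, verdict) for one frame relative to the top page.

    Verdicts:
      same-origin-tls  : https and the same host as the top page
      cross-origin-tls : https but another host, i.e. another certificate
      plaintext        : no TLS at all (http, about:, etc.)
    """
    url = urljoin(top_url, frame_src)
    top, sub = urlsplit(top_url), urlsplit(url)
    if sub.scheme != "https":
        return url, "plaintext"
    if sub.hostname != top.hostname:
        return url, "cross-origin-tls"
    return url, "same-origin-tls"


def audit_frames(top_url, html):
    """Classify every frame on the page; returns a list of (url, verdict)."""
    parser = _FrameCollector()
    parser.feed(html)
    return [classify_frame(top_url, src) for src in parser.srcs]


def lock_is_meaningful(top_url, html):
    """True only if the top page and every frame are TLS under the same host,
    so the one lock the browser displays really covers all visible content."""
    if urlsplit(top_url).scheme != "https":
        return False
    return all(v == "same-origin-tls" for _, v in audit_frames(top_url, html))


# Constructed stand-in for the ssl_mix.html demo: a plaintext top page with
# two TLS frames and two plaintext frames. Hostnames are invented.
SSL_MIX_PAGE = """
<frameset rows="25%,25%,25%,25%">
  <frame src="https://bank.example/login">
  <frame src="http://attacker.example/fake-login">
  <frame src="https://bank.example/balance">
  <frame src="http://attacker.example/tracker">
</frameset>
"""

# Constructed stand-in for mixed.html: a TLS top page whose two frames are
# TLS under two other hosts, so three certificates sit behind one lock.
MIXED_PAGE = """
<html><body>
  <iframe src="https://bank.example/login"></iframe>
  <iframe src="https://attacker.example/login"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for top, page in (("http://demo.example/ssl_mix.html", SSL_MIX_PAGE),
                      ("https://demo.example/mixed.html", MIXED_PAGE)):
        print(top, "-> lock meaningful:", lock_is_meaningful(top, page))
        for url, verdict in audit_frames(top, page):
            print("   ", verdict.ljust(16), url)
```

Run it as-is and both constructed pages report that the lock is not meaningful: the first because the top page itself is plaintext, the second because each frame is authenticated by a certificate for a host the user never sees in the address bar. The check is deliberately strict about hostnames, since that is exactly the distinction a "lock present / lock absent" display collapses.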
