Google speeding up end-to-end crypto between data centers worldwide

On Friday, Google told The Washington Post that it was accelerating the implementation of end-to-end encryption between its data centers worldwide.

The search giant did not immediately respond to a request for comment from Ars.

“Google has data centers around the world, and when you have an e-mail stored, it’s stored at [something like] six data centers around the world,” Chris Soghoian, a privacy expert at the American Civil Liberties Union, told Ars. “Every single bit of data is now going to be encrypted, so now if the government is listening to that fiber, they won’t get that data.”

Read 3 remaining paragraphs | Comments


Majority of Tor crypto keys could be broken by NSA, researcher says

The majority of devices connected to the Tor privacy service may be using encryption keys that can be broken by the National Security Agency (NSA), a security researcher has speculated.

Rob Graham, CEO of penetration testing firm Errata Security, arrived at that conclusion by running his own "hostile" exit node on Tor and surveying the encryption algorithms established by incoming connections. About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key. The analysis came a day after revelations that the NSA can circumvent much of the encryption used on the Internet. While no one knows for sure exactly what the NSA is capable of cracking, educated speculation has long made a case that the keys Graham observed are within reach of the US spy agency.

"Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys," Graham wrote in a blog post published Friday. "Assuming no 'breakthroughs,' the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips; they've got fairly public deals with IBM foundries to build chips."

Read 3 remaining paragraphs | Comments


Chemical Attack in Syria Used as Enticement in Targeted Attack

Targeted attacks are a daily occurrence and attackers are fast to employ the latest news stories in their social engineering themes. In a recent targeted attack, delivering a payload of Backdoor.Korplug and caught by our services, we observed an attacker taking advantage of a recently published article by the Washington Post in relation to chemical attacks in Syria. The attacker took the full text of the article and used it in their own malicious document in an effort to dupe victims into believing the document was legitimate.

Chemical attacks 1.png

Figure 1. Part of malicious document containing the stolen text

The attack follows the standard Backdoor.Korplug modus operandi, which we have previously blogged about, of delivering an attached malicious .doc file containing a vulnerability, Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551 - Bloodhound.Exploit.497), to the target through email.

Chemical attacks 2.png

Figure 2. Example of targeted email using chemical attack in Syria theme

Symantec will continue to monitor for new and similar threats, such as those detailed in this blog. We also recommend that users refrain from opening any suspicious emails and, as always, we advise customers to use the latest Symantec technologies and incorporate the latest Symantec Consumer and Enterprise solutions to best protect against attacks of this kind.

Hesperus (Evening Star) Shines as Latest ‘Banker’ Trojan

Hesperus, or Hesperbot, is a newly discovered banker malware that steals user information, mainly online banking credentials. In function it is similar to other “bankers” in the wild, especially Zbot. Hesperus means evening star in Greek. It is very active in Turkey and the Czech Republic and is slowly spreading across the globe.

This sophisticated malware uses of different modules for specific purposes, injects HTML scripts into bank-related websites, stores all modules and data in encrypted form, encrypts its configuration file, uses the Twofish encryption algorithm with an HMAC-SHA512 hash key, employs WinScard.dll to read smart cards, and communicates with its control server over SSL. It also uses the current standard technique of injecting its entire code into attrib.exe and then into explorer.exe. Thus its communications appear to be from the legitimate file explorer.exe.

I analyzed a recent binary, compiled on September 2, and found that its control server is very active. The main binary is custom packed. After unpacking, it contains a string suggesting dropper_x86.bin is its original name:

  • MD5: 72AD2AF02C98068DE5FD9F9AE2C5B750. Compiled Date: Monday, Sep. 2, 2013, 11:18:20

Dropper_x86.bin contains two binaries specific to the operating system:

  • Core_x86.bin for 32-bit OS. MD5: 524C3F6F5D6968557AB000B920D42D9E. Compiled Date: Monday, Sep. 2, 2013, 10:46:05
  • Core_x64.bin for 64-bit OS. MD5: 5D7E115CD6269FDDFB75AE76E5D5221A. Compiled Date: Monday, Sep. 2, 2013, 10:46:16  – 64 Bit EXE

These binary files have one export function, “_hesperus_core_entry,” hence the bot name.

Following strings suggest possible geographic locations for infections:


The main binary unpacking code:


This code starts attrib.exe in a suspended state and injects its code. It drops a few files into the %APPDATA% directory as .dat and .bkp files.

User information such as computer name/username, encryption key, main binary file, downloaded malicious modules, and configuration file are stored in a different .dat.

The .bkp files are backup files for .dat files.


Data in  .dat and .bkp files is encrypted using the Twofish encryption algorithm with an HMAC-SHA512 hash key.


After injecting code into explorer.exe, the malware connects to its control server using HTTPS to evade general antimalware detection. Its communications appear to come from the legitimate explorer.exe system file. Moreover, the domain names of the control servers appear to be legitimate domain WHOIS service requests. Using valid SSL traffic makes the malware even harder to detect.

Using SSL, the Trojan downloads other malicious modules from its control server. These are used to hide virtual network computing, and for keylogging, screen recorder, smart card reader, socket secure protocol proxy, etc.

These modules are:

  • hvnc_mod_x86.mod
  • keylog_mod_x86.mod
  • sch_mod_x86.mod
  • socks_mod_x86.mod

The malware communicates with other legitimate websites such as,,, etc.


The associated control server domains:


Another variant downloads other malware from a different URL and collects and sends user email addresses to

MD5: A79D1E01A05C262DC0A8DA5C577CAF89. Compiled Date: Thursday, Aug. 29, 2013, 9:01:08


Another variant (MD5: 4107E4C91B197C483C320DA13EF27F95. Compiled Date: Monday, Sep. 2, 2013, 11:12:21) sends infection information using POST to