
English Shell Code Could Make Security Harder

ScuttleMonkey posted more than 4 years ago | from the little-bobby-tables-takes-up-writing dept.

Security 291

An anonymous reader writes to tell us that finding malicious code might have just become a little harder. Last week at the ACM Conference on Computer and Communications Security, security researchers Joshua Mason, Sam Small, Fabian Monrose, and Greg MacManus presented a method they developed to generate English shell code [PDF]. Using content from Wikipedia and other public works to train their engine, they convert arbitrary x86 shell code into sentences that read like spam, but are natively executable. "In this paper we revisit the assumption that shell code need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shell code that is superficially similar to English prose. We argue that this new development poses significant challenges for in-line payload-based inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shell code injection attacks altogether."


291 comments


In other news... (-1, Flamebait)

Knightman (142928) | more than 4 years ago | (#30209196)

...3 researchers develop their own x86-assembler.

Re:In other news... (5, Informative)

blueg3 (192743) | more than 4 years ago | (#30209276)

Good job not reading the article.

It's not that shellcode can be written in text and then compiled to an executable form. It's not that shellcode can be compiled to an intermediary form, translated or compiled into machine instructions by a piece of code (this is common in malware now, to pass input restrictions -- as the article says). It's that the executed machine instructions themselves -- the compiled binary data that can be run raw on an x86 processor -- looks like English text.

Re:In other news... (2, Insightful)

Knightman (142928) | more than 4 years ago | (#30209332)

And how do you suppose they generate the text then? They have a system they train with text pulled from various sources, then they use it to generate an innocent looking text that can be executed with a predicted result, no? In other words, an assembler/compiler....

See, I did read the pdf....

Btw, I missed that there were 4 researchers, not 3...

Re:In other news... (1)

blueg3 (192743) | more than 4 years ago | (#30209376)

No, an assembler or compiler takes as input text in a high-level language and generates executable machine code.

This takes as input executable machine code and generates executable machine code with a very narrowly-defined statistical property. (Simpler, but important, statistical properties have been done previously -- e.g., the Metasploit filters.)

Re:In other news... (3, Interesting)

Knightman (142928) | more than 4 years ago | (#30209416)

An assembler/compiler doesn't necessarily use a high-level language input.

In this instance they (as you say) 'takes as input executable machine code and generates executable machine code with a very narrowly-defined statistical property' which tells me they have an assembler that reads executable code and assembles executable code that looks like English text, in other words an assembler.

Re:In other news... (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30209478)

Dude, you won, here's your trophy.

Now please excuse the rest of us while we laugh at you for being such a pedantic ass.

Best place to hide a tree (1)

Cryacin (657549) | more than 4 years ago | (#30209536)

Is in a forest...

And now for a car analogy...

Re:In other news... (2, Funny)

mysidia (191772) | more than 4 years ago | (#30209512)

FAIL. It cannot be an assembler if the input is not assembly.

It's a translator.

Re:In other news... (-1, Troll)

Knightman (142928) | more than 4 years ago | (#30209530)

And who defines what the assembly is? The ones writing the assembler. Sheesh..

Re:In other news... (2, Interesting)

calmofthestorm (1344385) | more than 4 years ago | (#30209464)

No, it translates assembly to different assembly that's also English. This is actually a rather interesting piece of work. They didn't just write a program that converts assembly to English assembly, they wrote one in English assembly.

Re:In other news... (2, Informative)

blueg3 (192743) | more than 4 years ago | (#30209518)

Technically, machine code -- assembly is the pseudo-English text version of machine code.

But otherwise, yes.

Re:In other news... (2, Interesting)

mysidia (191772) | more than 4 years ago | (#30209524)

It is indeed a translator.

It doesn't translate assembler code.. it translates x86 machine code.

(Which also implies that it cannot be an assembler, since assemblers only accept Assembly code as input)

Re:In other news... (4, Informative)

DoctorBit (891714) | more than 4 years ago | (#30209702)

It's a translator that takes any arbitrary x86 machine code as input, and produces as output functionally equivalent self-modifying machine code that starts off looking like English text. The same approach also works with other non-x86 machine codes, and other languages, such as Russian, French, etc... Very interesting work. It goes to show that for an OS to allow any code to self-modify can produce results that are very difficult to predict. Self-modifying code has an almost biological nature.

Re:In other news... (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#30209772)

And how do you suppose they generate the text then? They have a system they train with text pulled from various sources, then they use it to generate an innocent looking text that can be executed with a predicted result, no? In other words, an assembler/compiler....See, I did read the pdf....

You really see nothing noteworthy about this? (Or are you just trying to cover up from getting called out in not reading TFA with a hasty skim and blasé attitude - I've done that myself a time or two...)

Re:In other news...Christmas gifts (-1, Troll)

coolforsale122 (1684852) | more than 4 years ago | (#30209342)

http://www.coolforsale.com/ [coolforsale.com] Dear ladies and gentlemen Hello, In order to meet Christmas, Site launched Christmas spree, welcome new and old customers come to participate in the there are unexpected surprises, look forward to your arrival. Only this site have this treatmentOur goal is "Best quality, Best reputation , Best services". Your satisfaction is our main pursue. You can find the best products from us, meeting your different needs. Ladies and Gentlemen weicome to my coolforsale.com.Here,there are the most fashion products . Pass by but don't miss it.Select your favorite clothing! Welcome to come next time ! Thank you! http://www.coolforsale.com/productlist.asp?id=s76 [coolforsale.com] (Tracksuit w) ugg boot,POLO hoody,Jacket, Air jordan(1-24)shoes $33 Nike shox(R4,NZ,OZ,TL1,TL2,TL3) $35 Handbags(Coach lv fendi d&g) $35 Tshirts (Polo ,ed hardy,lacoste) $16 free shipping Thanks!!! Advance wish you a merry Christmas.

Re:In other news...BAN THE PARENT (4, Informative)

HEbGb (6544) | more than 4 years ago | (#30209390)

This is the sixth spam message this user has posted, will SLASHDOT please BAN this guy already? Come on.

Re:In other news...BAN THE PARENT (5, Informative)

Tynin (634655) | more than 4 years ago | (#30209438)

This is the sixth spam message this user has posted, will SLASHDOT please BAN this guy already? Come on.

He must be making new logins. I've seen him posting for a few weeks, he surely has more than 6 spams that I've seen alone. Going on that idea... let's see:
http://slashdot.org/~coolforsale117 [slashdot.org]
http://slashdot.org/~coolforsale116 [slashdot.org]
http://slashdot.org/~coolforsale115 [slashdot.org]
http://slashdot.org/~coolforsale114 [slashdot.org]
http://slashdot.org/~coolforsale112 [slashdot.org]
http://slashdot.org/~coolforsale110 [slashdot.org]

No doubt there is a TON of them. So I'd guess they are banning him, he just keeps making new uids (and siphoning a ton of moderation points to keep him marked at troll / offtopic). I know I've used many mod points keeping this bastard down.

Re:In other news...BAN THE PARENT (1)

ColdWetDog (752185) | more than 4 years ago | (#30209458)

Maybe we should slashdot his site. Or give him to /b/

Re:In other news...BAN THE PARENT (1)

negRo_slim (636783) | more than 4 years ago | (#30209778)

in b4 not your personal army

Re:In other news...BAN THE PARENT (2, Funny)

Ethanol-fueled (1125189) | more than 4 years ago | (#30209798)

At least the /b/ spammers are polite enough to do their homework and know the demographic (all /b/ spams are porn). Air Jordans and POLO hoodies for Slashdot? And handbags and UGG boots, even though there are no women on Slashdot. At least try to sell us motherboards and shit...

Re:In other news...BAN THE PARENT (1)

Falconhell (1289630) | more than 4 years ago | (#30209916)

Blinding him seems a little harsh!

We could all look at his SITE simultaneously at some point though!

I have also wasted a ton of mod points on this idiot.

It's hard to think of a worse place for trying to spam than Slashdot eh?

Re:In other news...BAN THE PARENT (2, Insightful)

spud603 (832173) | more than 4 years ago | (#30209582)

Is it spam, or is it shellcode? things like "this treatementOur goal" look fishy to me.

Re:In other news... (-1, Offtopic)

QuantumG (50515) | more than 4 years ago | (#30209832)

Whoever modded this up is a retard.

Let this post stand as an example of all that is wrong with the Slashdot moderation system.

Idiots.

haha (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30209204)

first. närå.

The syntax should not matter.. (-1, Offtopic)

Wovel (964431) | more than 4 years ago | (#30209208)

This is no different than adding any other shell...If your security is relying on an inline inspection for commands specific to a particular shell, you have already lost.

Re:The syntax should not matter.. (3, Informative)

benjamindees (441808) | more than 4 years ago | (#30209250)

They don't mean shell commands. They mean code that exploits a vulnerability in order to start a shell.

Re:The syntax should not matter.. (1)

Wovel (964431) | more than 4 years ago | (#30209318)

Thanks, I read the article after I posted. So they discovered a way to attack machines that have already been compromised..If your security is relying on an inline inspection for specific commands, you have already lost. All that reading to change three words.

Re:The syntax should not matter.. (1)

istartedi (132515) | more than 4 years ago | (#30209344)

Yes, but if a machine on your network has "already lost", you'd probably like to know that.

Re:The syntax should not matter.. (4, Insightful)

Wovel (964431) | more than 4 years ago | (#30209374)

And nothing in their article is helping with that. They assume they are exploiting a software vulnerability. If I know there is a software vulnerability, there are 1 million and 1 less complex ways for me to blow right by any inline scanner. (One stupid enough not to look and see what the actual bytes were anyway)

Re:The syntax should not matter.. (2, Informative)

x2A (858210) | more than 4 years ago | (#30209640)

It's a research paper, not an exploit, not instructions on how to make an exploit, not recommendations on how to make an exploit. God what's with you people on this site, you can't just see something for what it is, you have to see it for how it serves no purpose to you or how you can do it so much better.

If they could exploit a machine by sending a point across, they'd get it past you lot every time, you'd never detect that huh.

Re:The syntax should not matter.. (2, Insightful)

istartedi (132515) | more than 4 years ago | (#30209668)

There are indeed times when I think that we built the Internet, and that it taught us only one lesson:

I'm right and you're wrong.

This is not quite as concise as "42". Also, a second Internet will have to be built to determine who is "I" and who is "you".

Re:The syntax should not matter.. (1)

dubaiguy (1684890) | more than 4 years ago | (#30209694)

If they could exploit a machine by sending a point across, they'd get it past you lot every time, you'd never detect that huh.

Haha. I love this. Spot on.

Re:The syntax should not matter.. (0)

Anonymous Coward | more than 4 years ago | (#30209270)

Indeed, colour and shape should be irrelevant to the toxicity of our shells!

Btw, I, for one, welcome our new incisive literary overlords!

This is (4, Funny)

Anrego (830717) | more than 4 years ago | (#30209212)

quite terrifying :(

If hackers convert arbitrary x86 shell code into sentences that read like spam, but are natively executable .. we're all screwed :(

We'll either need to tighten up how architectures execute instructions to make it harder to execute shell code in the first place.. or come up with sophisticated AI to help filter out the shell code. Of course, as soon as we do that, hackers will develop AIs which can write convincing (and even compelling) shell code.. and THEN what the hell do we do.

Now where I live you can get a pretty decent hair cut for $17 (they even trim up the beard). You can't get anything fancy.. but a decent, professional-ish type haircut is definitely no problem.

My employer is giving us a pretty generous Christmas vacation.. really looking forward to that!!

Also this time of year is great cause CHRISTMAS is everywhere :D

Re:This is (0, Offtopic)

StuartHankins (1020819) | more than 4 years ago | (#30209234)

Did I miss something or did you just totally change topics twice in your post? Haircut? Vacation?

Go outside, you need some fresh air!

Re:This is (4, Funny)

BradleyUffner (103496) | more than 4 years ago | (#30209262)

I believe you missed the virus he just sent you. :)

Re:This is (0)

Anonymous Coward | more than 4 years ago | (#30209792)

Did I miss something

Yes.

Re:This is (1)

aurelianito (684162) | more than 4 years ago | (#30209280)

Mod parent insightful. He is showing what this "shellcode" would look like.

Re:This is (4, Informative)

Wovel (964431) | more than 4 years ago | (#30209358)

Guess you missed their "compromised" machine assumption. "..After successful exploitation of a software vulnerability, we assume that a pointer to the shellcode..." . The sky is not really falling any faster today than it was yesterday.

Re:This is (5, Informative)

blueg3 (192743) | more than 4 years ago | (#30209426)

Pinning down terminology use by security researchers is tricky.

In this case, what they mean is that the system has a vulnerability that enables code from a remote source to be executed, and that the input from the remote source is being run through a filter that attempts to identify executable code (in order to block it) versus English text.

On an already-secure system, this makes no difference at all. Those don't exist, much. If you were relying on a "looks like executable code" filter to protect you, this is a tip that it's not that secure. The paranoid should already assume so (based on things that already are available in Metasploit, if nothing else).

Re:This is (2, Insightful)

afidel (530433) | more than 4 years ago | (#30209486)

Isn't this what NX is supposed to stop, execution of arbitrary data as code?

Binaries that opt out of NX (2, Informative)

tepples (727027) | more than 4 years ago | (#30209542)

Isn't this what NX is supposed to stop, execution of arbitrary data as code?

Then you compromise a binary that has opted out of strict NX, such as a Java virtual machine that needs to dynamically recompile JVM bytecode to x86 bytecode.

Re:Binaries that opt out of NX (1)

afidel (530433) | more than 4 years ago | (#30209628)

Yes, but that should dramatically reduce your attack surface, well except for stupid Flash Player and Acrobat, Adobe can't code their way out of a paper bag.

Re:This is (1)

blueg3 (192743) | more than 4 years ago | (#30209550)

Yes -- in theory, code should be W xor X: writable or executable, but never both. This is then solved neatly. However, this is often not the case. It's a little bold on Von Neumann machines, where the code and data are the same, to hope that code and data can be cleanly separated reliably.

The most egregious case is interpreters, where data that's passed around is turned into executable code dynamically. Less egregious but still unsafe is dynamically-generated code, which must be both writable and executable.

Re:This is (1)

XDirtypunkX (1290358) | more than 4 years ago | (#30209880)

But it doesn't have to be both writable and executable at the same time, unless the generated code is self modifying.

Re:This is (2, Interesting)

nneonneo (911150) | more than 4 years ago | (#30209886)

Unfortunately, this does not fully solve the problem. Say, for instance, that you've managed to get a buffer overflow on a system, and you now have control over the stack (which is marked RW, but not X). Then, you overwrite the return address of the current function to mprotect() and stick some arguments on it which change the stack protection to RX (there are good reasons for doing this in actual practice, e.g. executable compressors like UPX, or executable thunks on the stack); this type of attack is known as a "return-to-libc" attack. If you can successfully overwrite the next lower return address as well, then you can ensure that your shellcode is executed after mprotect returns.

Even if we assume that the stack is permanently fixed at RW, this does not prevent heap spray attacks which place executable code on the heap and overwrite return addresses on the stack to point at the heap. If the heap is marked RW, then we can just repeat the same process as used above to call mprotect.

Prohibiting execution on writable segments seems sensible, but in the face of functions which can change the protection bits, it is ineffective. Further, simply restricting the use of those functions is potentially too restrictive, as in the case of some runtime environments which rely on the ability to execute dynamically generated trampoline code to implement key features (for instance, GCC may generate trampoline code to call nested functions), as you mentioned with your second paragraph.
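A defender-side check for the condition this sub-thread is about, pages that are writable and executable at once, as an added example that is not part of the thread or the paper: it parses the /proc/<pid>/maps line format over a constructed listing and, on Linux, can audit a live process. A JIT that writes pages first and then flips them to read-execute never shows such a line; a region that stays rwxp is the opt-out discussed above.

```python
"""
Flag memory mappings that are writable and executable at the same time,
the state W^X is meant to forbid. parse_maps() understands the
/proc/<pid>/maps line format; SAMPLE_MAPS is a constructed listing so the
code runs offline, and audit_pid() reads a live process on Linux.
"""
import re
from typing import List, NamedTuple


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str      # e.g. "r-xp": read, write, execute, private/shared
    path: str       # file backing the mapping, or "" for anonymous memory


# address range, perms, offset, device, inode, optional pathname
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+\S+\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:  # skip blank or unexpected lines rather than failing the audit
            mappings.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                    m.group(3), m.group(4).strip()))
    return mappings


def rwx_mappings(mappings: List[Mapping]) -> List[Mapping]:
    """Return mappings that violate W^X: both 'w' and 'x' set at once."""
    return [m for m in mappings if "w" in m.perms and "x" in m.perms]


def describe(m: Mapping) -> str:
    size_kib = (m.end - m.start) // 1024
    return f"{m.start:#x}-{m.end:#x} {m.perms} {size_kib} KiB {m.path or '[anon]'}"


def audit_pid(pid: str = "self") -> List[Mapping]:
    """Audit a live process (Linux only); pid may be a number or 'self'."""
    with open(f"/proc/{pid}/maps", encoding="ascii") as fh:
        return rwx_mappings(parse_maps(fh.read()))


# Constructed sample: a text segment, data, heap, stack, and one anonymous
# region left rwxp the way a JIT that opted out of strict NX would leave it.
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a1c000 r-xp 00000000 fd:01 1234567 /usr/bin/example
55d0c3c1c000-55d0c3c1e000 rw-p 0001c000 fd:01 1234567 /usr/bin/example
55d0c4e00000-55d0c4e21000 rw-p 00000000 00:00 0       [heap]
7f3a12000000-7f3a12100000 rwxp 00000000 00:00 0
7f3a1c000000-7f3a1c1a0000 r-xp 00000000 fd:01 7654321 /usr/lib/libexample.so
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0       [stack]
"""


if __name__ == "__main__":
    for m in rwx_mappings(parse_maps(SAMPLE_MAPS)):
        print("W^X violation (sample):", describe(m))
    try:
        for m in audit_pid():
            print("W^X violation (this process):", describe(m))
    except OSError:
        print("/proc not available; live audit skipped")
```

Run it against `/proc/<pid>/maps` of a process you care about; an interpreter or JIT that honours W^X will show nothing, and a persistent rwxp region is the one to investigate.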

Re:This is (3, Insightful)

blueg3 (192743) | more than 4 years ago | (#30209898)

Even better: inputs that can overwrite the stack can perform arbitrary code execution even if the stack is never executable, via "return-to-libc" programming.

Re:This is (2, Funny)

mysidia (191772) | more than 4 years ago | (#30209554)

I propose the x86 instruction set be altered to add an additional byte to every instruction, a NUL byte or NUL word, so every instruction will have an additional 2 to 8 bytes of overhead, at least 1 must be set to all bits 0, and the following byte must be set to all bits 1.

Since the NUL byte cannot be expressed in a sentence and commonly causes I/O to terminate (i.e. delineates the end of the string), x86 code can then not be disguised as a sentence.

Also, the following byte being all bits 1, assures that the instruction cannot be transmitted over protocols that do not provide 8-bit support.

Further, the all-bits 1 sequence should be removed from ASCII and banned from use by any network protocol: to transmit such bits, you must encode in Base64.

Re:This is (2, Insightful)

x2A (858210) | more than 4 years ago | (#30209692)

Well then that won't be the x86 instruction set, will it?

Re:This is (2, Interesting)

mysidia (191772) | more than 4 years ago | (#30209852)

No, it won't be the legacy x86 instruction set.

But we can call it the "Secure x86 instruction set" or the "Enhanced x86 instruction set"

Market it properly, and everyone will switch to it, because they think it's faster and safer.

Re:This is (1)

Blakey Rat (99501) | more than 4 years ago | (#30209676)

I know, I'm going to have to stop saving and trying to execute all my incoming spam messages.

Maybe I'll try executing my IMs...

Oh great - that love letter from the IRS (3, Funny)

rcpitt (711863) | more than 4 years ago | (#30209232)

just formatted my hard disk and installed Windows 7 - how low can you get :(

Re:Oh great - that love letter from the IRS (1)

mysidia (191772) | more than 4 years ago | (#30209642)

That's nothing... I typed "The quick brown fox jumps over the lazy dog" into an e-mail message I was sending on my iPhone, and it suddenly morphed into a Zune..

I guess a similar technique works on the ARM processor also :-(

Re:Oh great - that love letter from the IRS (1)

roguetrick (1147853) | more than 4 years ago | (#30209826)

You think that's exceptional, after I read that my head morphed into a facsimile of Ballmer's 0:`-( ))

Confused (1)

MichaelSmith (789609) | more than 4 years ago | (#30209258)

Does TFA talk about shell code or assembler code?

Re:Confused (0)

Anonymous Coward | more than 4 years ago | (#30209294)

They're the same thing, shell code is assembly code injected into a security vulnerability (like a buffer overrun) to start a shell.

Re:Confused (3, Informative)

The MAZZTer (911996) | more than 4 years ago | (#30209380)

Nope, you're confusing assembly code and shell/machine code, which are two different things.

Assembly is text-based, and is readable for people who know the language. Each operation is a keyword, and some take arguments. It's basically the lightest-weight possible programming language (although it's not really considered a programming language, it's so light weight!) A computer cannot run assembly code directly.

Machine code is what you get if you take the assembly and run it through an assembler to produce code that the computer can understand. The computer can then execute it. It is not human readable unless you've memorized which opcodes correspond to which assembly keywords. Far easier to pipe it through a disassembler to get the assembly code back and read that.

To answer the GP's question this sounds like they mean shell code. It wouldn't be very useful as assembly code anyway. ("To claim your free iPod, run this sentence through masm and run the resulting EXE file.") Most people don't have an assembler and the ones who do aren't usually susceptible to malware anyway.

Re:Confused (1)

MichaelSmith (789609) | more than 4 years ago | (#30209420)

It's a bit like people who put obscure perl code in their sig, waiting for somebody to run it out of curiosity.

Re:Confused (1)

Nazlfrag (1035012) | more than 4 years ago | (#30209728)

This is machine code that is restricted to only those opcodes found in English phrases with tricks to get other opcodes via self modification. Quite nifty really.

Re:Confused (2, Insightful)

icebraining (1313345) | more than 4 years ago | (#30209320)

It's a shellcode [wikipedia.org] ; it's actually written in machine code.

Re:Confused (1)

blueg3 (192743) | more than 4 years ago | (#30209340)

Shellcode is machine code. That is, compiled assembler.

It's just a logical extension of the shellcode filters that Metasploit already provides. If you hadn't thought it through, though, it's an important proof-of-concept.

Re:Confused (1)

Blakey Rat (99501) | more than 4 years ago | (#30209718)

Shellembler code.

Common mistake.

This very comment (5, Funny)

ewg (158266) | more than 4 years ago | (#30209288)

Why, this very comment prints a list of prime numbers less than one hundred!

Re:This very comment (4, Funny)

The MAZZTer (911996) | more than 4 years ago | (#30209400)

Where do the numbers print out I don't see325072$OGO^%$#G@!!)%@^)&@!^%$$36PEER TIMEOUT

OMG! (5, Funny)

mhajicek (1582795) | more than 4 years ago | (#30209302)

Now your brain can catch a virus just by reading!!!1

Re:OMG! (5, Funny)

Nethead (1563) | more than 4 years ago | (#30209338)

Leave the bible out of this!

Re:OMG! (4, Interesting)

wizardforce (1005805) | more than 4 years ago | (#30209526)

You joke but what is a meme (religions are "memes") really other than a self replicating piece of language? The *extreme* bits act in many ways like a virus does: self replication, performing specific tasks, adapting to their environment (like some of the more insidious malware) and neither viruses nor memes can replicate on their own; they need a "host."

Re:OMG! (5, Funny)

Nethead (1563) | more than 4 years ago | (#30209586)

So now that you've explained my joke, do you get it?

Re:OMG! (0)

Anonymous Coward | more than 4 years ago | (#30209712)

...

Re:OMG! (1)

roguetrick (1147853) | more than 4 years ago | (#30209892)

Thanks for the sub-wikipedia summary level class on memes, professor. Maybe next you can present to us your grand theory on how girls don't like nice guys, or some other such bullshit.

Re:OMG! (1)

Vyse of Arcadia (1220278) | more than 4 years ago | (#30209910)

You read a lot of Neal Stephenson, don't you?

Re:OMG! (0)

Anonymous Coward | more than 4 years ago | (#30209932)

Funny you mentioned that.. I have that giant brick of a book Cryptonomicon sitting on the shelf right now.

Re:OMG! (1)

NotQuiteReal (608241) | more than 4 years ago | (#30209912)

No, I Say "OMG", You Say "Ponies!".

Re:OMG! (1)

enoz (1181117) | more than 4 years ago | (#30209384)

The English language is infected, do not translate this message.

Re:OMG! (1)

MBCook (132727) | more than 4 years ago | (#30209448)

Ah, The Funniest Joke in the World [wikipedia.org] . Oddly topical for this topic, eh?

Re:OMG! (1)

enoz (1181117) | more than 4 years ago | (#30209900)

I was referencing Pontypool [imdb.com] but that Monty Python skit is also relevant.

Re:OMG! (0)

Anonymous Coward | more than 4 years ago | (#30209598)

Shades of Neal Stephenson's "Snow Crash" [wikipedia.org] , in which the language of ancient Sumeria was not merely a spoken language, but a sort of programming (of the human brain) language as well, which made it possible to create a "virus" that could spread just by seeing a certain bit pattern or hearing a particular phrase.

That was rather pretty (2, Interesting)

jaymz2k4 (790806) | more than 4 years ago | (#30209324)

I just have to point out how well that PDF looked from a purely graphic point of view... That is all. Interesting content to boot.

Re:That was rather pretty (1)

Wovel (964431) | more than 4 years ago | (#30209392)

I actually agree it was good looking and a fairly interesting read.

Re:That was rather pretty (2, Informative)

sten ben (1652107) | more than 4 years ago | (#30209510)

Looks like LaTeX [latex-project.org] with a CHI [rwth-aachen.de] template. But maybe that was what you were getting at? Pretty it is.

Re:That was rather pretty (2, Informative)

gzipped_tar (1151931) | more than 4 years ago | (#30209556)

The PDF file itself was generated using Adobe Distiller for Mac. Not sure what is used to generate the original. Since they were using Adobe, it's not likely that they were using LaTeX.

Re:That was rather pretty (2, Informative)

sten ben (1652107) | more than 4 years ago | (#30209592)

Since they were using Adobe, it's not likely that they were using LaTeX.

Except the .dvi file extension. And: Creator: dvips(k) 5.97 Copyright 2008 Radical Eye Software

Acrobat was probably only used to convert the ps to pdf.

Re:That was rather pretty (4, Informative)

dubaiguy (1684890) | more than 4 years ago | (#30209648)

It's latex with an ACM template. I'm pretty sure their workflow was latex (.dvi) to dvips (.ps) to Acrobat Distiller (.pdf).

Re:That was rather pretty (1)

sten ben (1652107) | more than 4 years ago | (#30209700)

I stand corrected, it seems CHI uses ACM with some tweaks.

oblig (1, Funny)

Anonymous Coward | more than 4 years ago | (#30209414)

Has anyone really been far even as decided to use even go want to do look more like?

OK this explains a lot (1)

gzipped_tar (1151931) | more than 4 years ago | (#30209474)

Newsflash: It's not the elusive and mystified http://hardware.slashdot.org/comments.pl?sid=1196619&cid=27553143 [slashdot.org] SlashDotFS. Those gibberish spam posts here are actually designed to crash and pwn Windoze suxx0rs...

Re:OK this explains a lot (1)

mysidia (191772) | more than 4 years ago | (#30209690)

I don't think it's a SlashdotFS but a SlashdotDHT.

Used for file distribution (DHTs indicating IP address, and such, maybe)

Or a more nefarious possibility: for botnet command and control / reconnaissance. E.g. communications back channel... master node posts on various websites

But yeah, they could contain shell code, even digitally signed shell code, and we'd never know for sure, I guess.

Antelope museum (5, Funny)

beej (82035) | more than 4 years ago | (#30209580)

Consume more trains, Elvis! He, and snorkels, drink elephant's sock puppet master. Steamed cabbage can reverse big piles of ducks. Additionally, cheese log cabin nightmare.

You're screwed now, x86 suckas!

Re:Antelope museum (1)

Dogbertius (1333565) | more than 4 years ago | (#30209658)

I remember in an assembler course on HC12's: -Remember, when ACCumulator A and ACCumulator B get together, the SEX operation takes place to make ACCumulator D, and pray to the FSM that the next operation isn't STD!!!!!! http://www.prenhall.com/pack/appendices/Pack-barbappA_FF.pdf [prenhall.com]

Re:Antelope museum (1)

Twide (1142927) | more than 4 years ago | (#30209688)

Two words: Google Translate. Clearly I have been receiving infestation after infestation for years, now I FINALLY know what's going on here.. So much for Don't be Evil !!!!

Re:Antelope museum (1)

Tablizer (95088) | more than 4 years ago | (#30209844)

Steamed cabbage can reverse big piles of ducks.

I have ways to mod you to 10 if you can produce a Youtube vid of that.

I'm screwed (1)

nedlohs (1335013) | more than 4 years ago | (#30209634)

Since the first thing I do with all my emails is save the text and run it as a binary executable.

I CAN BE PLAYED ON RECORD PLAYER X (2, Insightful)

rpresser (610529) | more than 4 years ago | (#30209706)

Let the T-C wars continue!

We're doomed! (1)

REggert (823158) | more than 4 years ago | (#30209736)

Oh noes! If only we had a way to detect and filter text that looks like spam....

Re:We're doomed! (1)

dubaiguy (1684890) | more than 4 years ago | (#30209784)

Except they're not sending SPAM (i.e., email). The OP just says that it "reads" like SPAM. Their shell code is delivered via an exploit. Good luck running a SPAM filter on every byte stream sent to your computer.

This still means there's an interpreter (1)

uuddlrlrab (1617237) | more than 4 years ago | (#30209776)

...so, as the article suggests, AV's/firewalls will look for that. And if there's a library of some sort that contains the translations, mightn't the executable portion of the payload bear some similarities to an unpacker? I'd assume they'd be unpacking (probably into the same hidden portion of memory as it) some sort of lookup table/library in order to function properly, as, presumably, they wouldn't want to include the lookup values in the exe as it would increase size & risk of detection.

So what? (2, Interesting)

Fnord666 (889225) | more than 4 years ago | (#30209794)

I guess I don't see the big deal in this paper. Yes, they can encode the shell code into English sentences. It's still meaningless to the recipient and should raise suspicion. It would be far easier to use simple steganographic techniques to embed the shell code into any image transmitted between two systems. The recipient would not suspect any alteration and filters would not have the original image for comparison. Just a thought. Maybe I should write a response paper.

Re:So what? (1)

nneonneo (911150) | more than 4 years ago | (#30209914)

When the recipient is a computer system and no humans are involved, this becomes far more dangerous (and besides, these messages look like educated spam rather than total gibberish, and would probably even pass a simple spam filter).

Basically, the paper is talking about defeating signature or heuristic analysis of shellcode. Normal shellcode looks nothing like English text, whereas this code has a very similar statistical distribution to real English text, meaning that heuristics likely would not flag the code as suspicious. Once it's in the system, all it takes is an exploit of almost any form to compromise a system.
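The kind of "looks like executable code" filter blueg3 describes earlier in the thread and this post says the paper defeats, written out as an added example that is not part of the thread or the paper: it scores a buffer on three cheap byte statistics (NUL bytes, printable ratio, English letter bigrams). All samples are constructed; the nonsense English is a comment from this very thread, and the opaque sample is deterministic filler, not shellcode.

```python
"""
A byte-distribution heuristic of the kind a payload filter might use:
score a buffer by how text-like its bytes are (no NUL bytes, mostly
printable, letter bigrams that occur in an English reference). It
separates typical machine code from prose well, and that is exactly the
statistic an English-shaped payload is built to satisfy, so a 'text'
verdict from it is weak evidence. All samples are constructed;
OPAQUE_SAMPLE is deterministic filler, not shellcode.
"""
from typing import Dict, List, Set

# Reference English: the paper abstract quoted in the story summary.
REFERENCE = (
    b"In this paper we revisit the assumption that shell code need be "
    b"fundamentally different in structure than non-executable data. "
    b"Specifically, we elucidate how one can use natural language generation "
    b"techniques to produce shell code that is superficially similar to "
    b"English prose. We argue that this new development poses significant "
    b"challenges for in-line payload-based inspection (and emulation) as a "
    b"defensive measure, and also highlights the need for designing more "
    b"efficient techniques for preventing shell code injection attacks "
    b"altogether."
)


def _normalise(data: bytes) -> str:
    """Lower-case ASCII letters; fold every other byte into a single space."""
    out: List[str] = []
    prev_space = True
    for b in data:
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            out.append(chr(b).lower())
            prev_space = False
        elif not prev_space:
            out.append(" ")
            prev_space = True
    return "".join(out).strip()


def _bigrams(text: str) -> List[str]:
    return [text[i:i + 2] for i in range(len(text) - 1)]


REFERENCE_BIGRAMS: Set[str] = set(_bigrams(_normalise(REFERENCE)))


def text_features(data: bytes) -> Dict[str, float]:
    """Three cheap statistics a payload filter might compute."""
    n = max(len(data), 1)
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    grams = _bigrams(_normalise(data))
    covered = sum(1 for g in grams if g in REFERENCE_BIGRAMS)
    return {
        "nul_bytes": float(data.count(0)),
        "printable_ratio": printable / n,
        "bigram_coverage": covered / len(grams) if grams else 0.0,
    }


def classify(data: bytes) -> str:
    """'binary' if any statistic is far from English, otherwise 'text'."""
    f = text_features(data)
    if f["nul_bytes"] > 0:            # NUL never appears in prose
        return "binary"
    if f["printable_ratio"] < 0.9:    # opcode bytes are mostly non-printable
        return "binary"
    if f["bigram_coverage"] < 0.5:    # letter pairs unlike English
        return "binary"
    return "text"


# Constructed samples.
ENGLISH_SAMPLE = (b"An anonymous reader writes to tell us that finding malicious "
                  b"code might have just become a little harder.")
# Nonsense English from a comment in this thread: grammatical noise still
# carries English letter statistics, so the filter cannot tell it apart.
SPAMLIKE_SAMPLE = (b"Consume more trains, Elvis! He, and snorkels, drink elephant's "
                   b"sock puppet master. Steamed cabbage can reverse big piles of "
                   b"ducks. Additionally, cheese log cabin nightmare.")
# Deterministic filler with a few NULs, standing in for ordinary opcode bytes.
OPAQUE_SAMPLE = bytes((i * 37 + 11) & 0xFF for i in range(64)) + b"\x00" * 4


if __name__ == "__main__":
    for name, sample in [("english", ENGLISH_SAMPLE), ("spamlike", SPAMLIKE_SAMPLE),
                         ("opaque", OPAQUE_SAMPLE)]:
        print(f"{name:9s} {classify(sample):7s} {text_features(sample)}")
```

The opaque sample trips every check, while the nonsense sentence scores like real prose; that gap is why the abstract argues for emulation or preventing injection outright rather than byte-level inspection.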

Linux version (5, Funny)

noidentity (188756) | more than 4 years ago | (#30209796)

They also came up with a Linux version, which even works on non-x86 architectures, all the while looking like plain English:

"Please type the following on your command-line:

rm -rf *

Thank you."

This is sooo old (0)

Anonymous Coward | more than 4 years ago | (#30209836)

That you could do this was shown waaaay back in letter submissions to PC Magazine back in the 80's. This is not new AT ALL.
