Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re:I have a sneaking suspicion (Score 1) 32

Why wouldn't they? At a minimum, modern governments have an obligation to protect their constituents from espionage, and in some cases that means using software exploitation to gain the upper hand. Of course, such powers can be abused, but all to often we choose to ignore their necessity.

Comment Re:I have a out of this world solution (Score 2) 70

Well, it depends largely on context. The question isn't always, "what does this malware do?" A lot of the time it's, "is this malware?" In the former case, sure, the appearance of innocuousness is going to evoke even more curiosity, and something like this will be little more than a speed bump. But in the latter case (which is by far the more common scenario), simple anti-forensics can prove very effective in evading detection.

Think about it, if you've got a backlog of hundreds or even thousands of questionable files, how much time can you really commit to each one? Reversing all of them is probably out of the question. Most samples will get the regular treatment: fire up a fresh VM with some instrumentation, run the sample, and check for artifacts indicative of malicious behavior. Depending on the sophistication of the tooling, such artifacts may or may not be discovered. Considering the extremely low cost of implementation (probably a few lines to enumerate doc files), this was a good call on part of the attackers--a few minutes of work for a chance at flying under the radar for a bit longer.

That said, there are plenty of open source tools available to dump VBA macros from Office documents, so the cost isn't exactly on par with reversing something like object code, but I still think the attackers made the right call here.

Comment Re:I have a out of this world solution (Score 1) 70

Actually, the summary explicitly states that the purpose of this malware's behavior is to thwart human analysts testing in a fresh environment. It's not the most impressive technique, but it is a cheap way to increase the defender's costs, given the potentially high price of reverse engineering.

Slashdot Top Deals

He keeps differentiating, flying off on a tangent.