Comments: Indistinguishable from random...

It's too bad I have so many other things going on right now, including moving to Colorado.

The reason we thought it couldn't be done perfectly was that the recipient needs to know which key to use to decrypt, and that information, the "Which key should you use to decrypt this packet" information, cannot itself be encrypted by that key, of course.

I remain interested! Keep me posted!

Posted by Zooko at May 21, 2006 06:45 AM

FTR: it occurred to me that the data length of the packet is always going to be a multiple of 16. That tells us that it is using a modern block cipher at least. If one wanted to hide that then adding 0-15 random bytes would do that.

Posted by Iang at July 1, 2006 02:22 PM


That's not typical of malware. Most sophisticated malware employs stronger encryption, but the trade-off for the attacker is that its traffic can trigger a red flag at the network layer. "Entropy and complexity is used by most [malware developers]," James says. "In the world of encryption detection of malware at the network layer ... you watch the traffic generated by it and if the measure of randomness/entropy is high," that could be a sign of malware with crypto, he says.

Flame's creators either used easily cracked encryption to camouflage the attack, or it could be a function of the size of the overall code, he says. "They didn't want you to detect that they were hiding anything. They wanted to look like common data," James says. "It did the opposite of what everyone is expecting with malware. And that's what helped it stay undetected for so long."


Posted by Flame isn't.... at June 28, 2012 07:49 PM
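As an added example (not code from this thread or its posters), the two "tells" discussed above, Iang's packet-length-is-a-multiple-of-16 observation and the high-entropy-traffic heuristic in the Flame comment, written as a small defender-side check in Python; the 7.0 bits/byte threshold and the sample payloads are assumptions, and the length-jitter helper is included only to show which of the two tells survives it.

```python
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_block_aligned(data: bytes, block_size: int = 16) -> bool:
    """True when the length is a multiple of the block size (Iang's 'multiple of 16' tell)."""
    return len(data) % block_size == 0


def classify_payload(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag a payload as 'looks encrypted' when both tells fire: high byte entropy
    and block-aligned length. The 7.0 threshold is an assumed tuning value."""
    ent = shannon_entropy(data)
    aligned = is_block_aligned(data)
    return {
        "length": len(data),
        "entropy": round(ent, 2),
        "block_aligned": aligned,
        "looks_encrypted": ent >= entropy_threshold and aligned,
    }


def add_length_jitter(data: bytes, rng=os.urandom) -> bytes:
    """Append 0-15 random bytes, the length-hiding step Iang describes.
    rng(n) must return n bytes: os.urandom by default, a deterministic stub in tests."""
    pad_len = rng(1)[0] % 16
    return data + rng(pad_len)


# Constructed sample payloads (not captures from the thread):
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"  # 47 bytes, not aligned
CIPHERTEXT = bytes(range(256)) * 4  # uniform stand-in for 1024 bytes of block-cipher output

if __name__ == "__main__":
    for name, payload in (("plaintext", PLAINTEXT), ("ciphertext", CIPHERTEXT),
                          ("jittered", add_length_jitter(CIPHERTEXT))):
        print(name, classify_payload(payload))
```

Running it shows the point of the thread from the detection side: the jittered payload stops being block-aligned, but its entropy stays near 8 bits/byte, so a detector that only checks length alignment is the one that loses.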