What technique has Michael used to disguise this keylogging software?

Michael is a junior security analyst at the National Security Agency (NSA), working primarily on
breaking terrorists' encrypted messages. The NSA has a number of methods it uses to decipher
encrypted messages, including Government Access to Keys (GAK) and inside informants. The NSA
holds secret backdoor keys to many of the encryption algorithms used on the Internet. The problem
for the NSA, and for Michael, is that terrorist organizations are starting to use custom-built
algorithms or obscure algorithms purchased from corrupt governments. For this reason, Michael and
other security analysts like him have been forced to find different methods of deciphering
terrorist messages. One method Michael thought of was to hide malicious code inside seemingly
harmless programs. Michael first monitors sites and bulletin boards used by known terrorists, from
which he is able to glean the email addresses of some of these suspected terrorists. Michael then
inserts a stealth keylogger into a mapping program file, readme.txt, and sends it as an attachment
to the terrorist. This keylogger takes screenshots every 2 minutes and also logs all keyboard
activity into a hidden file on the terrorist's computer. The keylogger then emails those files to
Michael twice a day using a built-in SMTP server. What technique has Michael used to disguise this
keylogging software?

A. Steganography
B. Wrapping
C. ADS
D. Hidden Channels

Cosmo

Hmm…

The question is a little bit tricky. If I understand correctly, the trojan (keylogger) is just bound to a harmless .txt file, but it is not hidden as an ADS. It could be, but ADS works only on the NTFS file system. Is there any hint about the file system?

Is there any other information that leads to ADS? I don’t see it.

I think that the answer is wrapping, not ADS.

“Michael then inserts a stealth keylogger into a mapping program file readme.txt and then sends that as an attachment…” – It is exactly the same procedure how “The Beast” works, isn’t it? It binds a trojan with a harmless file…

mac

Because you are connecting your key-logger to a readme.txt (.TXT file type is the key) file not a program that ends in .exe, you have to use ADS. Wrappers wrap to .exe files to hide the executable payload.

nash

It's true that the program containing the keylogger is a .txt. However, you cannot send ADS across networks and, as Cosmo notes in his message, it's completely FS-dependent. If the receiver downloads it to a FAT volume, the stream will be lost.

Steganography could work, but given its .txt cover file, it's not possible.

Looks like a bad question... without much thought.
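The point the commenters are arguing about is that an alternate data stream exists only as NTFS metadata: it rides along with a file on an NTFS volume and is the first thing a defender would check on a received attachment, and it disappears when the file is copied to FAT or sent through most mail systems. The following PowerShell script is an added example written for this page, not code from the original thread or from any product it mentions. It enumerates every named stream on a file and reports anything beyond the default `:$DATA` stream. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the file name readme.txt is taken from the question, and the stream name `sample` and its contents are constructed for the demo.

```powershell
# Added example (not from the original thread): enumerate NTFS alternate data
# streams on a file, the check a defender runs on a received attachment.
# Assumptions: Windows PowerShell 3.0+ on an NTFS volume; the file name comes
# from the question and the stream name/content below are constructed.

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    # Every NTFS file has one unnamed data stream, reported as ':$DATA'.
    # Anything else is an alternate data stream and deserves a look.
    Get-Item -Path $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object @{Name = 'File'; Expression = { $_.FileName }}, Stream, Length
}

# --- constructed demo file in the temp directory ---
$demo = Join-Path $env:TEMP 'readme.txt'
Set-Content -Path $demo -Value 'Harmless mapping program notes.'

# Constructed sample stream holding plain text. Browsers and mail clients
# attach a Zone.Identifier stream to downloaded files in exactly this way,
# so a non-empty result is normal; an unexpected stream name is what matters.
Set-Content -Path $demo -Stream 'sample' -Value 'constructed test data'

# The ordinary size reflects only the unnamed stream, which is why ADS
# content does not show up in Explorer or in a plain directory listing.
"Visible size: $((Get-Item -Path $demo).Length) bytes"

# Enumerate: the 'sample' stream appears here even though it is invisible above.
Get-AlternateStreams -Path $demo | Format-Table -AutoSize

# Inspect a stream's content before deciding what to do with it.
Get-Content -Path $demo -Stream 'sample'

# Remove the stream once reviewed; the enumeration then returns nothing.
Remove-Item -Path $demo -Stream 'sample'
Get-AlternateStreams -Path $demo

# Clean up the demo file.
Remove-Item -Path $demo
```

To sweep a download folder rather than a single file, pipe `Get-ChildItem -File -Recurse` into `ForEach-Object { Get-AlternateStreams -Path $_.FullName }`. Copying the demo file to a FAT or exFAT volume and running the enumeration again shows the behaviour nash describes: the alternate stream is not preserved, which is also why a plain SMTP attachment carries no ADS with it.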