Michael is a junior security analyst working for the National Security Agency (NSA) working primarily on breaking terrorist encrypted messages. The NSA has a number of methods they use to decipher encrypted messages including Government Access to Keys (GAK) and inside informants. The NSA holds secret backdoor keys to many of the encryption algorithms used on the Internet. The problem for the NSA, and Michael, is that terrorist organizations are starting to use custom-built algorithms or obscure algorithms purchased from corrupt governments. For this reason, Michael and other security analysts like him have been forced to find different methods of deciphering terrorist messages.
One method that Michael thought of using was to hide malicious code inside seemingly harmless programs. Michael first monitors sites and bulletin boards used by known terrorists, and then he is able to glean email addresses to some of these suspected terrorists. Michael then inserts a stealth keylogger into a mapping program file readme.txt and then sends that as an attachment to the terrorist. This keylogger takes screenshots every 2 minutes and also logs all keyboard activity into a hidden file on the terrorist’s computer. Then, the keylogger emails those files to Michael twice a day with a built in SMTP server.
What technique has Michael used to disguise this keylogging software?
A.
Wrapping
B.
Hidden channels
C.
Steganography
D.
ADS
Hello,
I do not understand the answer.
I would say:
– “wrapping” to create the readme.txt send to terrorists
– “ADS” to hide files on the computer
– “hidden channels” using the embedded SMTP server
So everything except stenography.
Help is welcome!
Buz
I thought so too but after looking it over a bit more it seems that stego is the answer because
– wrapping is for trojans, a keylogger is not classified as a trojan
– ADS is to hide files on the computer, however this is sent in an email
– hidden channels, he is not disguising the software with the SMTP server it just uses a built in server to send the emails to him.
I could be totally wrong but this seems to be the logic they are using after studying the question.
The stego answer does not make sense though since it is not an image file but seems to be the “best” answer out of the bunch.
stego is the correct answer see this link:
http://www.giac.org/paper/gsec/2760/current-steganography-tools-methods/104695
specifically:
“Syntactic and semantic methods of steganography in text files utilize
modification of “diction and structure of text without significantly altering meaning or tone” (Bender, et.al, p.334). This is accomplished by rephrasing sentences or using synonymous pairs of words, each of which constitutes a particular value. For example alternating between using the words “happy” and “content” in a document could indicate binary ones and zeros.”
To my knowledge, if you use steganography to hide a file (in this case a keylogger which is an executable) within another file, you need to decrypt it back to get the executable(the keylogger) and then run it. But with wrapping (like for the case of trojans), if you wrap an executable within another file, then when you execute/run/open that file, the “wrapped” file (the keylogger) is also executed!!!
If the question is assuming that the terrorist is going to check and decrypt hidden files within the readme.txt, then I believe the answer steganography makes sense because when he will decrypt it, he will most defintely run the executable which is a keylogger.
However, if the terrorist is just going to open the readme.txt, the keylogger will not activate I believe if it has been “steganographed”. If wrapped, it would execute. In this case, answer is Wrapping.
It depends on how you look at the question but the answer seems to be steganography on many dumps….
anyway, correct me in case am wrong somewhere…
ADS is being dismissed because its being sent in a email?
What if ADS was used as part of the installer asked at the end if you would like to read the readme.txt file you click yes and now the keylogger is running. Although a wrapper would serve the purpose better but the question specifically references the readme text file.
I don’t believe stenoragraphy is the correct answer (texted or image based).
#1. no mention of pictures. A txt file would be massive in order to contain enough hidden data to be an application.
#2. The biggest point to bring up is you have to use a application to “un encrytp” (not really encryption thought) the hidden data out of the text file or image.
This is just a bad question.
Stego
I have the same idea. C