Yahoo! Answers used to cloak command and control networks

Two malware instances have converted numbers to words in a novel attempt to cloak the IP addresses of command and control servers. Researchers within Palo Alto's "Unit 42" team say the malware points to location references within text written on certain public pages including Yahoo! Answers and Quora. The unusual initiative …
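A defender-side example, added here and not taken from the article or from Unit 42's write-up: it scans page text for runs of spelled-out digits and decodes them into candidate dotted-quad addresses for analyst triage. The article does not describe the samples' exact word scheme, so the one-word-per-digit vocabulary, the "dot"/"point" separator words, the function names and the sample text are all assumptions.

```python
import re
from itertools import product

# Vocabulary for the decoder. The article only says the samples "converted
# numbers to words", so one word per decimal digit, with an optional "dot"
# or "point" between octets, is an ASSUMED scheme used here for illustration.
DIGIT_WORDS = {w: str(i) for i, w in enumerate(
    "zero one two three four five six seven eight nine".split())}
SEPARATORS = {"dot", "point"}

def _octet_ok(s):
    # Valid dotted-quad octet: 0-255, no leading zero except "0" itself.
    return s != "" and (s == "0" or s[0] != "0") and int(s) <= 255

def _segment(digits):
    """Yield every split of an undelimited digit string into four valid octets."""
    for lens in product((1, 2, 3), repeat=4):
        if sum(lens) != len(digits):
            continue
        parts, pos = [], 0
        for n in lens:
            parts.append(digits[pos:pos + n])
            pos += n
        if all(_octet_ok(p) for p in parts):
            yield ".".join(parts)

def find_encoded_ips(text):
    """Return (phrase, [candidate IPs]) per run of spelled-out digits; hits are leads, not verdicts."""
    tokens = re.findall(r"[a-z]+", text.lower())
    hits, run = [], []
    for tok in tokens + [""]:  # empty sentinel flushes the final run
        if tok in DIGIT_WORDS or tok in SEPARATORS:
            run.append(tok)
            continue
        if run:
            if any(t in SEPARATORS for t in run):  # explicit octet boundaries
                groups = "".join(DIGIT_WORDS.get(t, ".") for t in run).split(".")
                ok = len(groups) == 4 and all(map(_octet_ok, groups))
                cands = [".".join(groups)] if ok else []
            else:  # no separators: try every 4-octet segmentation
                cands = list(_segment("".join(DIGIT_WORDS[t] for t in run)))
            if cands:
                hits.append((" ".join(run), cands))
            run = []
    return hits

# Constructed sample of Q&A-style page text (not taken from the article).
SAMPLE = ("Q: router keeps dropping. A: try one nine two dot one six eight dot "
          "zero dot one first, then two zero three zero one one three one nine "
          "nine as the manual says. Someone had the same issue last week.")
```

Undelimited runs can decode several ways (the second phrase in SAMPLE yields two candidates), so pair any hit with egress logs or passive DNS before treating an address as an indicator.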

  1. frank ly

    Deja Vu

    I've seen text like that before on Google searches, for many years. I'd always thought that it was 'keyword stuffing' but perhaps this is a technique that's been used for a while.

  2. Nifty

    Nothing new under the sun?

    This rather reminds me of numbers stations that you could stumble across on shortwave radios in the 70s and 80s.

    https://en.wikipedia.org/wiki/Numbers_station

    1. Version 1.0

      Re: Nothing new under the sun?

      Ah, the Lincolnshire Poacher rebooted - why go to all the computational expense of steganography when you can just sit around in plain sight?

  3. Badger Murphy

    Did you guys finally run out of exclamation points?

    This article has by far the fewest exclamation points in it of any Yahoo!-related article I have ever seen on this site!

    Be straight with us, is there a shortage?

    1. disgruntled yank

      Re: Did you guys finally run out of exclamation points?

      Well, Tom Wolfe has a new book out; it's a wonder I can afford to write scripts with she-bang lines.

    2. allthecoolshortnamesweretaken

      Re: Did you guys finally run out of exclamation points?

      Another side effect of Brexit, perhaps?

  4. Robert Helpmann??

    Degrees of Uniqueness

    Although we cannot link the two clusters of activity by their infrastructure, the technique used to resolve domains is unusual.

    So unusual there is a vocabulary built around describing this sort of technique - masking, etc?

  5. Aodhhan

    ...and useless

    OMG, I sniffed the packets and they all showed abc.waalsx.bobafett.wxoidgyd!!!

    Just kidding. Good grief.

    At least initially, there has to be a call out to a particular server. Not too tough to drop these packets, then sit back and wait for back/forth communication. You can also set up a lab server with a firewall to prohibit a class of IPs at a time and see which fires off and gets dropped (there are scripts for this, or at least, it's easy to write one). Change it the next day, and narrow it down. C'mon, this isn't brain surgery.
