Old 16-08-2014, 16:56   #3
Qtx
Inactive
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
Re: FinSpy - Government/Law Enforcement Malware hacked and leaked

Something seen in a writeup about packet interception and injection where FinSpy was mentioned, but the way they encapsulated how the injection works into a few sentences was too good not to share:

Quote:
Binary Mode is a flag to enable detection of a Windows binary PE header on the wire, modify it in transit and inject loader + payload into the download ahead of the real binary. The real icon is preserved. Upon execution, the downloaded file would run the loader which executed the payload then cleaned the downloaded file on disk, such that it was the originally requested file. By this time, the payload would be memory resident. Finally, the real binary would be executed. This technique would work even with self-checking binaries. Update Mode is a flag to simulate responses of update checks for iTunes, WinAmp, and other popular applications at the time. These responses were served from FinFly and spoofed applications into updating with infected versions. It is possible to set both flags for a target. TrojanID is the payload to inject. FinFly could be loaded with several different trojans and a target dependent payload could be set. UTrojanID is the payload for update mode. These columns contain an ID which references the trojan from a simple RAM based filesystem created at load time with pre-built arrays. Compltd Count is the number of confirmed infections based on the fact that the target TCP/IP stack had acknowledged all the packets sent to it at the end of the session.
The Register now has an article on it: Time to ditch HTTP – govt malware injection kit thrust into spotlight
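The quoted writeup describes a download being rewritten in transit: the PE header on the wire is modified and a loader plus payload are placed ahead of the real binary, which then runs the original so the user notices nothing. The defensive point is that a plain-HTTP download carries nothing that lets the client tell the original file from a rewritten one, so integrity has to come from somewhere the on-path attacker does not control. The following is an added example, not code from Qtx's post, the quoted writeup or The Register article, and it makes two assumptions: that the publisher's SHA-256 of the file was obtained over an authenticated channel (a pinned value here), and that a constructed toy PE image stands in for a real download. It compares the received bytes against the pinned hash, and as a secondary heuristic parses the PE section table to report how many bytes sit beyond the last declared section (an "overlay"), which is where a wrapper executable would carry the original file it later drops back to disk. The function names (`parse_pe`, `verify_download`, `build_minimal_pe`) are ours.

```python
import hashlib
import struct


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF header and section table of a PE file.

    Returns the machine type, the sections as (name, raw_offset, raw_size),
    the byte offset at which the declared file content ends, and the size of
    any overlay (bytes after the last section; negative means truncated).
    """
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections = struct.unpack_from("<HH", data, coff)
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    sect_table = coff + 20 + size_opt
    end = sect_table + 40 * nsections                         # each section header is 40 bytes
    if end > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        off = sect_table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, ptr_raw, size_raw))
        end = max(end, ptr_raw + size_raw)
    return {"machine": machine, "sections": sections,
            "declared_end": end, "overlay": len(data) - end}


def verify_download(data: bytes, pinned_sha256: str):
    """Return (ok, findings). ok is True only when no finding was raised."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest != pinned_sha256.lower():
        findings.append(f"sha256 mismatch: got {digest[:16]}..., pinned {pinned_sha256[:16]}...")
    try:
        info = parse_pe(data)
    except ValueError as exc:
        findings.append(f"malformed PE: {exc}")
        return False, findings
    if info["overlay"] > 0:
        findings.append(f"{info['overlay']} bytes after the last section (overlay); "
                        "a wrapper may be carrying the original file")
    elif info["overlay"] < 0:
        findings.append(f"truncated: sections claim {-info['overlay']} bytes past end of file")
    return not findings, findings


def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed toy PE image (one section, empty optional header); sample input only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows the DOS header
    size_opt = 8
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_opt, 0x0022)
    raw_ptr = 144                                  # headers end at 136; round up
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + bytes(size_opt) + sect)
    image += bytes(raw_ptr - len(image))
    image += section_data
    return bytes(image)


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 16)
    pinned = hashlib.sha256(clean).hexdigest()     # stands in for a hash fetched over an authenticated channel
    print("clean download:", verify_download(clean, pinned))
    # Simulate the rewrite described in the post: a wrapper executable with the
    # original file appended as its overlay (constructed, not a real sample).
    wrapper = build_minimal_pe(b"\xcc" * 16) + clean
    print("rewritten download:", verify_download(wrapper, pinned))
```

The hash comparison is the authoritative check; the overlay report is only a hint, because legitimate installers and Authenticode-signed files routinely carry data after the last section, so treat it as a prompt to look closer rather than as evidence on its own. The same reasoning applies to the Update Mode described in the quote: an update client that fetches its manifest over plain HTTP and trusts the answer has no basis for the hash it would compare against, which is why the article's advice is to stop serving binaries and update checks over HTTP at all.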