Undetectable steganography on endpoints expected to be used / communicated during normal usage. Mostly natsec. You can repro it by setting up a synthetic network with similar characteristics or fingerprints to some sanctioned region, and generate 10,000 synthetic honeytrap files to attempt to open (use your imagination); capture and diff all network traffic on identical actions (open file ⇒ read / manipulate some specific cells ⇒ close file). Then note the abnormalities in how much is communicated and how.
Thanks, that’s what I figured. Did you find this by accident? I’m curious what techniques work well to reveal this kind of stuff; I expect it to be pretty common.
I found it based on a hunch, then confirmed it with experimentation. I gained additional conviction when backtesting the experimentation on various historical versions of excel.exe, and noting that the phenomenon only appeared in excel.exe versions shortly after (measured in months) government requested a “read-only” copy of the source code for Excel held in escrow. This has occurred historically in the past (e.g., https://www.chinadaily.com.cn/english/doc/2004-09/20/content_376107.htm and https://www.itprotoday.com/microsoft-windows/microsoft-gives-windows-source-code-to-governments) but subsequent instances of this were allegedly/supposedly classified. Nevertheless, following those instances, the phenomenon appeared, indicating possible compromise of Excel.exe.
Really interesting research. I would like to subscribe to your newsletter.
I have seen similar steganographic telemetry before (Dassault's SolidWorks CAD software, and other enterprise licensed applications, go to incredible extents to enforce licensing) but didn't expect data-level probing like this. I'd imagine similar scripts for e.g. EURion detections in Photoshop.
I always dismissed “lessons on trusting trust” style attacks as mere hypotheticals, but backdoors operating on the level of Excel cells is now making me reconsider that notion.
What other explanations for this network traffic have you investigated and on what basis did you reject those explanations?
Vary the filename/path from short (one character) to max length and run the above repro, and notice the increase in bits communicated if and only if the filename/path is long, all other factors being held constant. Same for varying the data. There is no reason why Excel.exe should be interpolating this information with all the standard telemetry and connected experience stuff disabled. Even the fact that it is occurring is interesting, and doesn’t require hypotheses for its origin.
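As an added example (not code posted in the thread), a small Python check for the last step of the repro described above: given per-trial outbound byte counts taken from the capture, fit bytes against filename length separately within each data-size group so the other factor really is held constant, and flag only when the growth across the whole range exceeds normal capture jitter. The trial records and the jitter threshold are constructed values, not measurements.

```python
"""Controlled-variable check: does outbound byte volume track one input
variable (e.g. filename length) while the others are held constant?"""
from collections import defaultdict
from statistics import mean

# Constructed sample: one record per trial of the repro
# (open file -> edit the same cells -> close), with the capture summarised
# as outbound bytes to hosts outside the allow-list. Numbers are made up;
# here only name_len moves the byte count, data_kb does not.
TRIALS = [
    {"name_len": 1,   "data_kb": 10,  "out_bytes": 4120},
    {"name_len": 1,   "data_kb": 10,  "out_bytes": 4098},
    {"name_len": 255, "data_kb": 10,  "out_bytes": 4640},
    {"name_len": 255, "data_kb": 10,  "out_bytes": 4655},
    {"name_len": 1,   "data_kb": 100, "out_bytes": 4125},
    {"name_len": 1,   "data_kb": 100, "out_bytes": 4102},
    {"name_len": 255, "data_kb": 100, "out_bytes": 4648},
    {"name_len": 255, "data_kb": 100, "out_bytes": 4660},
]


def least_squares_slope(xs, ys):
    """Slope of an ordinary least-squares fit ys ~ xs (bytes per unit of x).
    Returns 0.0 when xs has no spread, so a single-value group is harmless."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def controlled_slope(trials, var, control):
    """Fit out_bytes against `var` inside each group that shares the same
    `control` value, so the control factor is genuinely held constant."""
    groups = defaultdict(list)
    for t in trials:
        groups[t[control]].append(t)
    return {k: least_squares_slope([t[var] for t in g],
                                   [t["out_bytes"] for t in g])
            for k, g in groups.items()}


def flag_leak(trials, var, control, noise_bytes=50):
    """True only if, in every control group, outbound bytes grow across the
    full range of `var` by more than the assumed capture jitter."""
    slopes = controlled_slope(trials, var, control)
    span = max(t[var] for t in trials) - min(t[var] for t in trials)
    return all(s * span > noise_bytes for s in slopes.values())
```

With telemetry and connected experiences disabled, the expectation is a flat line; a positive slope that survives in every control group is what to escalate, and the same function run with the roles of `var` and `control` swapped gives the data-size check.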