This Week In Security: Morse Code Malware, Literal And Figurative Watering Holes, And More

Code obfuscation has been around for a long time. The obfuscated C contest first ran way back in 1984, but there are examples of natural language obfuscation from way earlier in history. Namely Cockney rhyming slang, like saying “Lady from Bristol” instead of “pistol” or “lump of lead” instead of “head”. It’s speculated that Cockney was originally used to allow the criminal class to have conversations without tipping off police.

Code obfuscation in malware serves a similar purpose — hiding from security devices and applications. There are known code snippets and blacklisted IP addresses that anti-malware software scans for. If that known bad code can be successfully obfuscated, it can avoid detection. This is a bit of a constant game of cat-and-mouse, as the deobfuscation code itself eventually makes the blacklist. This leads to new obfuscation techniques, sometimes quite off the wall. Well this week, I found a humdinger of an oddball approach. Morse Code.

Yep, dots and dashes. The whole attack goes like this. You receive an email, claiming to be an invoice. It’s a .xlsx.hTML file. If you don’t notice the odd file extension, and actually let it open, you’re treated to a web page. The source of that page is a very minimal JS script that consists of a morse code decoder, and a payload encoded in Morse. In this case, the payload is simply a pair of external scripts that ask for an Office 365 login. The novel aspect of this is definitely the Morse Code. Yes, our own [Danie] covered this earlier this week, but it was too good not to mention here. Continue reading “This Week In Security: Morse Code Malware, Literal And Figurative Watering Holes, And More”

Phishing With Morse Code

All of us have seen our share of phishing emails, but there are a lot more that get caught by secure email gateways and client filters. Threat actors are constantly coming up with new ways to get past these virtual gatekeepers. [BleepingComputer] investigated a new phishing attack that used some old tricks by hiding the malicious script tags as morse code.

The phishing attack targets Microsoft account login credentials with an HTML page posing as an Excel invoice. When opened, it asks the user to re-enter their credentials before viewing the document. Some external scripts are required to render the fake invoice and login window but would be detected if the links were included normally. Instead, the actor encoded the script links using dots and dashes, for example, “.-” equals “a”. A simple function (creatively named “decodeMorse”) is used to decode and inject the scripts when it runs in the victim’s browser.

Of course, this sort of attack is easy to avoid with the basic precautions we are all familiar with, like not opening suspicious attachments and carefully inspecting URLs. The code used in this attack is simple enough to be used in a tutorial on JavaScript arrays, but it was good enough to slip past a few large company’s filters.

Phishing attacks are probably not going to stop anytime soon, so if you’re bored, you could go phishing for phishers, or write some scripts to flood them with fake information.

Speech To Morse Code, Courtesy Of Google

Google has been responsible for unleashing some pretty incredible hardware and software on the world, but they can only take partial credit for the voice to Morse code gadget that [WhiskeyTangoHotel] recently completed.

With the Google AIY Voice Bonnet, [WhiskeyTangoHotel] had everything he needed to pick up on human speech and turn that into text the Raspberry Pi can parse and act on. Usually this would get passed to some kind of virtual assistant software, but in this case, a Python script breaks the speech down into individual characters and looks up their Morse representations. All those “dits” and “dahs” are then sent to one of the Pi’s GPIO pins, to which a relay has been connected.

At this point, you’ve got an interesting little toy that can sit on your desk and turn your speech into audible Morse code as the relay clicks and clacks its way through the message. In fact, if you don’t have a ham radio license, this is probably where you should stop. But if you’ve done the appropriate paperwork to transmit over the air, the relay can be connected to a radio to actually transmit messages.

If you think giving Google access to the content of your Morse code messages is a step too far, you’ll just have to learn it yourself. It might not be necessary to get your amateur license anymore, but that doesn’t mean it’s not worth knowing.

Continue reading “Speech To Morse Code, Courtesy Of Google”

Learning Morse Code The Ludwig Koch Way

Most countries have dropped the requirement for learning Morse code to become a ham radio operator. Because of that, you might think Morse code is dead. But it isn’t. Some people like the nostalgia. Some like that you can build simple equipment to send and receive Morse code. Others like that Morse code is much more reliable than voice and some older digital modes. Regardless of the reason, many people want to learn Morse code and it is still a part of the ham radio scene. The code has a reputation of being hard to learn, but it turns out that is mostly because people haven’t been taught code in smart ways.

I don’t know if they still do, but some youth organizations used to promote some particularly bad ways to learn the code. The second worse way is to learn “dots and dashes” and many people did learn that way. The very worst way was using an image like the adjacent one to try to map the dots and dashes into letter shapes. This chart dates back to at least 1918 when a Girl Guides handbook printed it.

Even if you are a visual learner, this is a bad idea. The problem is, it is nearly impossible to hear sounds at 20 or 30 words per minute and map them to this visual representation. Another visual method is to use a binary tree where left branches are dots and right branches are dashes.

If you only need to master 5 words per minute to get a merit badge, you might get away with this. But for real use, 5 words a minute is very slow. For example, this sentence would take about 3 minutes to send at that speed. Just that one sentence.

So what are the better ways? Let’s take a look.

Continue reading “Learning Morse Code The Ludwig Koch Way”

Machine Learning System Uses Images To Teach Itself Morse Code

Conventional wisdom holds that the best way to learn a new language is immersion: just throw someone into a situation where they have no choice, and they’ll learn by context. Militaries use immersion language instruction, as do diplomats and journalists, and apparently computers can now use it to teach themselves Morse code.

The blog entry by the delightfully callsigned [Mauri Niininen (AG1LE)] reads like a scientific paper, with good reason: [Mauri] really seems to know a thing or two about machine learning. His method uses curated training data to build a model, namely Morse snippets and their translations, as is the usual approach with such systems. But things take an unexpected turn right from the start, as [Mauri] uses a Tensorflow handwriting recognition implementation to train his model.

Using a few lines of Python, he converts short, known snippets of Morse to a grayscale image that looks a little like a barcode, with the light areas being the dits and dahs and the dark bars being silence. The first training run only resulted in about 36% accuracy, but a subsequent run with shorter snippets ended up being 99.5% accurate. The model was also able to pull Morse out of a signal with -6 dB signal-to-noise ratio, even though it had been trained with a much cleaner signal.

Other Morse decoders use lookup tables to convert sound to text, but it’s important to note that this one doesn’t. By comparing patterns to labels in the training data, it inferred what the characters mean, and essentially taught itself Morse code in about an hour. We find that fascinating, and wonder what other applications this would be good for.

Thanks to [Gordon Shephard] for the tip.

Learn Morse Code, Clockwork Orange Style

You might have to provide your own wrist straps and eye clamps, but if you want to learn Morse code, [Seth] has a web site for you. You can get code practice using the Farnsworth method and each letter is flashed before you as it is sent, which we assume will burn it into your brain.

Why learn Morse code now? Just about all countries now have at least some no code ham licenses and many have taken code off the tests completely. However, there are still many hams that use the code even today. Why? The personal challenge is part of it and perhaps nostalgia. However, it is also true that Morse code transmitters and receivers are dead simple to build and can get through where other simple radios can’t.

Continue reading “Learn Morse Code, Clockwork Orange Style”

Morse Code Catches Google Swiping Lyrics

We think of Morse code in terms of dots and dashes, but really it’s a kind of binary code. Those symbols might as well be 0s and 1s or any other pair of characters. That attribute is exactly what led to a sting operation a music lyric site called pulled on Google. At issue was a case of song lyrics that had allegedly been stolen by the search giant.

Song lyric sites — just like Google — depend on page views to make revenue. The problem is that in a Google search the lyrics appear on the search page, so there is no longer much incentive to continue to the song lyric site. That’s free enterprise for you, right? It is, but there was a problem. It appears that Google — or, according to Google, one of their partners — was simply copying’s lyrics. How does Genius know the song lyrics were copied? According to news reports in the Wall Street Journal and other sources, they used Morse code.

Continue reading “Morse Code Catches Google Swiping Lyrics”