funsec mailing list archives
Re: Malvertising
From: Gregory Hicks <ghicks () cadence com>
Date: Wed, 12 Dec 2007 12:51:49 -0800 (PST)
Date: Tue, 11 Dec 2007 00:22:43 -0800 From: "Daniel H. Renner" <dan () losangelescomputerhelp com> To: funsec () linuxbox org Subject: Re: [funsec] Malvertising As was seen when MySpace visitors were hit last October in attacks via advertising banners, and a year ago when 1 million MySpace visitors were hit via banners, and when Falk-Ag was hit, and when... Can you say "hosts file"?
I can. But how does this help?
Sincerely, Daniel H. Renner President Los Angeles Computerhelp A division of Computerhelp, Inc. 818-352-8700 http://losangelescomputerhelp.com funsec-request () linuxbox org wrote:Date: Thu, 6 Dec 2007 21:53:45 -0600 From: <rms () computerbytesman com> Subject: [funsec] Malvertising To: <funsec () linuxbox org> Message-ID: <004a01c83884$c4785c80$4d691580$@com> Content-Type: text/plain; charset="us-ascii" http://isc.sans.org/diary.html?storyid=3727 Malvertising Published: 2007-12-06, Last Updated: 2007-12-06 17:06:55 UTC by William Salusky (Version: 1) Malvertising (malicious advertising) is a reasonably fresh take on an online criminal methodology that appears focused on the installation of unwanted or outright malicious software through the use of internet advertising media networks, exchanges and other user supplied content publishing services common to the Social Networking space. The most popular Malvertising vector active "in the wild" is a result of the client rendering of Adobe Flash SWF files that contain maliciously coded Flash ActionScript. In my own limited (but growing) experience, Malicious SWF files may share one or more of the following features: * They are often protected from casual swf decompiler tools though the use of commercial SWF encryption tools * May contain complex de-obfuscation routines to hide the actual intent of any embedded ActionScript. * May directly contain exploit code used to attack the client * May act solely as the drive-by vector in performing a 'GetURL' equivalent referral to the actual upstream exploit host * May primarily be a Social Engineering attack to confuse or trick a user into accepting the installation of software * Contains time sensitive payloads which do not go 'live' until a specific date and time. In light of a growing problem that has the potential to effectively place every internet user at risk, even when only visiting sites they would otherwise fully trust, there is at least a new tool available to assist the security researcher community with a means to better identify malicious SWF files. The timing for this is excellent, as I have personally only learned of this tool just this morning. This particular tool is the OWASP hosted project named 'SWFIntruder'. I will be doing my own deep dive into the details of it's use for inclusion into my own SWF analysis tool bag. The personal SWF analysis tool bag happens to include two other freely available (also cross platform) SWF file decompilers: SWFIntruder : https://www.owasp.org/index.php/Category:SWFIntruder swfdump : http://www.swftools.org/ (source available) and 'flare' : http://www.nowrap.de/flare.html (binary only) :( We may expand on how you might consider applying security mitigations for this threat type as a protection for the average user which may include your spouse, parents, children, corporate network users, etc... in a future diary. Please do write in with your own insights into the malvertising problem space. William Salusky Handler on Duty :)_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
------------------------------------------------------------------- Gregory Hicks | Principal Systems Engineer Cadence Design Systems | Direct: 408.576.3609 555 River Oaks Pkwy M/S 6B1 San Jose, CA 95134 I am perfectly capable of learning from my mistakes. I will surely learn a great deal today. "A democracy is a sheep and two wolves deciding on what to have for lunch. Freedom is a well armed sheep contesting the results of the decision." "The best we can hope for concerning the people at large is that they be properly armed." --Alexander Hamilton _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Malvertising rms (Dec 06)
- <Possible follow-ups>
- Re: Malvertising Daniel H. Renner (Dec 12)
- Re: Malvertising Gregory Hicks (Dec 13)
- Re: Malvertising Daniel H. Renner (Dec 13)