Reflected File Download attack to spread 0-Day Worm Over Any Social Networks

Discussion in 'malware problems & news' started by Minimalist, Oct 14, 2014.

  1. Minimalist (Registered Member)
  2. MrBrian (Registered Member)
  3. Minimalist (Registered Member)
  4. Rasheed187 (Registered Member)
    I'm sorry but I do not see how this would evade security tools. A firewall would stop the outbound connection + why would you run some app that you did not even download?

    From the article:

    "The technique defined by Hafif is able to evade detection, the malware doesn’t trigger any system warnings, so the victim will have no perception of an ongoing attack. The researcher explained that current security measures like antivirus software and firewalls cannot avoid the infection."
     
  5. guest (Guest)

    I don't see how this can be classified as a worm, at least not by the classical definition. Honestly this is a stereotypical trick, nothing really fancy in this so-called RFD. Unless I misunderstood the "Google Chrome" part?
     
  6. MrBrian (Registered Member)
  7. Rasheed187 (Registered Member)
  8. MrBrian (Registered Member)
    It seems to me now that the methods used are different. From hxxp://www.effecthacking.com/2014/10/social-engineers-attacks-web-users-via.html :
    I wouldn't be surprised to see this one used in the wild, if I understand it correctly.
     
  9. MrBrian (Registered Member)
    It's explained better here: New Web vulnerability enables powerful social engineering attacks.

     
  10. MrBrian (Registered Member)
    I found a paper from 2008 that seems to describe the same issue: hxxp://dl.packetstormsecurity.net/papers/attack/Aspect_File_Download_Injection.pdf .
     
  11. CloneRanger (Registered Member)

    The scripting & BAT issues can be controlled with, e.g., AnalogX Script Defender http://www.analogx.com/contents/download/System/sdefend/Freeware.htm You can add in lots of other extensions for interception too!

    sd.png

    Having a CMD interceptor/blocker installed, e.g. ProcessGuard etc., would take care of that!

    I have both installed
     
  12. CloneRanger (Registered Member)
    Funny how nobody wants to help protect themselves from this?
     
  13. Minimalist (Registered Member)
    I use SRP and have most script file types blacklisted.
     
  14. guest (Guest)

    Hail SRP! No, wait... hail AppLocker! Honestly some anti-executables will only protect you from EXEs, they don't even provide protection for DLLs, let alone BAT scripts. And yet they charge you quite some cash out of your wallet. >_>
     
  15. BoaterDave (Registered Member)
    Hi guys and gals! :)

    Has anyone studied THIS document yet? https://drive.google.com/file/d/0B0KLoHg_gR_XQnV4RVhlNl96MHM/view

    I'd be interested to know if you feel that this is something different to what is described in this Wiki: http://en.wikipedia.org/wiki/Drive-by_download

    Cheers!

    Dave
     
  16. MrBrian (Registered Member)
    Thank you for the reference :). This document is mentioned in the blog post Reflected File Download - A New Web Attack Vector.
     
  17. Rmus (Exploit Analyst)
    Hi CloneRanger,

    It seems to me that protection is rather straightforward:

    White paper "Reflected File Download: A New Web Attack Vector" by Oren Hafif.
    https://drive.google.com/file/d/0B0KLoHg_gR_XQnV4RVhlNl96MHM/view
    New Web vulnerability enables powerful social engineering attacks
    http://www.pcworld.com/article/2835...bles-powerful-social-engineering-attacks.html
    Are there banks that really do things like that? My bank has a "Message Center" on its web site where members view intercommunication.

    Another financial institution I use will send an email about something, with the directive to log onto the site and go to the particular page to view the topic in question. No direct links to click.

    All security information from such institutions I use clearly state *not* to click on links from emails purporting to be from said institution.

    If a victim is enticed to click on a link to download an executable file -- well, I don't know what added protection can be installed to cover all of the possible vectors that have been mentioned in these articles.

    It seems to me that if a user is knowledgeable of the sophisticated anti-malware security (SRP, scriptblockers) mentioned here, that user is certainly well-versed in basic security measures and is not likely to be fooled, e.g. into clicking on a link to update a piece of software rather than going to the vendor's site via the user's bookmark.


    ----
    rich
     
  18. CloneRanger (Registered Member)
    @ Rmus

    Hi, when I said "Funny how nobody wants to help protect themselves from this?" I just wondered why nobody had commented on AnalogX Script Defender. With this people can easily & quickly add in as many file types as they like to protect against, not just scripts!

    Yes, Lots !

     
  19. Rmus (Exploit Analyst)
    The Krebs article is good, but doesn't say how the bank instructed the customer:
    • email with direct link to download the software?
    • email telling the customer to log on to the bank site for information and instruction for downloading the software?
    Big difference.

    If the first, I'm happy to have a security-aware bank!


    ----
    rich
     
  20. Peter2150 (Global Moderator)
    One of the banks I trust is USAA's bank. They send nothing in email, but they have a page on their site pertaining to security, and they offer Rapport there.

    Pete
     
  21. JRViejo (Super Moderator)
    FYI. A few samples:

    https://marquettesavings.com/ResourceCenter/TrusteerSoftware.aspx
    https://unitedbankohio.com/Pages/TrusteerRapportPhishingEmails.aspx
    https://www.vistbank.com/privacy/trusteer-phishing-alert/
    https://techhelplist.com/index.php/spam-list/179-new-critical-update-trusteer-rapport-bofa-virus
     
  22. stapp (Global Moderator)
    Some UK banks/building societies prompt you to install Trusteer when you login. Personally I won't use it (it doesn't like Opera anyway) as I've seen quite a few machines with issues after installing it.
     
  23. CloneRanger (Registered Member)
    Here are just 2 bank examples of different approaches.

    coop.png

    http://www.co-operativebank.co.uk/business/businessonlinebanking/trusteer

    nat.png

    http://www.nationwide.co.uk/support/support-articles/security/trusteer-rapport/how-it-works

    With Nationwide we can instantly see the link address, & could research it before clicking & downloading. With the CO-OP, even though it links to the real address, it "could" go anywhere! I know most of us on here could hover over & then check it out, but how many regular surfers out there would/do? Not many in my experience over the years. And how many would even check out the visible link before clicking? Again I doubt if many would!

    Copycat bank etc. www's used to look crap, but in recent years, as you know, the bad guys can/do stream the real bank www's in real time, but inject code to hijack the log-in areas etc. So I guess they could simulate a real bank www & present a button like the CO-OP which DL's a nasty!

    I know we wouldn't get caught out, but many would.
     
  24. Rmus (Exploit Analyst)
    OK, but isn't this thread about clicking specially crafted links in emails?


    ----
    rich
     
  25. Rmus (Exploit Analyst)
    Well, I didn't pick up on that! Instinctively, I always think "protect themselves" starts with the user's actions/decisions, not a security product.
    Since there are so many file types that can be used in attacks, how does the user know which ones to add to the list? For example, I just discovered these executable file types in /system32 that I never knew were executables!
    • .acm
    • .ax
    • .lrc
    • .OCA
    • .rll
    There may be others...

    -rich
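Rmus's point above is that an extension blocklist can never be complete, because whether a file is executable is a property of its content, not its name. The following added example (not code from this thread or from any tool it names) recognises Windows PE images by their header, so files ending in .acm, .ax or .rll are flagged regardless of extension; the sample files and their contents are constructed inline for the demo.

```python
import struct
from typing import Dict, List


def is_pe_image(data: bytes) -> bool:
    """Return True if data carries a Windows PE header.

    A PE file starts with the DOS stub signature "MZ"; the 32-bit
    little-endian field at offset 0x3C (e_lfanew) gives the offset of
    the "PE\\0\\0" signature that begins the real PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Bounds-check before reading: a truncated or malformed file can
    # carry an e_lfanew that points far outside the buffer.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def executable_extensions(files: Dict[str, bytes]) -> List[str]:
    """Given filename -> content, return the sorted lower-cased extensions
    of every file whose content is a PE image, whatever its name says."""
    found = set()
    for name, data in files.items():
        if is_pe_image(data):
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            found.add("." + ext if ext else "(no extension)")
    return sorted(found)


def _fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-shaped blob for the demo (not a real binary)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, e_lfanew)      # set e_lfanew
    return bytes(header) + b"\x00" * (e_lfanew - 0x40) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample "directory": extensions from the post plus decoys.
SAMPLE_FILES = {
    "sample1.acm": _fake_pe(),
    "sample2.ax": _fake_pe(),
    "sample3.rll": _fake_pe(),
    "readme.txt": b"plain text, not executable",
    "notes.OCA": b"MZ" + b"\x00" * 100,                       # MZ but no PE signature
    "broken.lrc": b"MZ" + b"\x00" * 0x3A + b"\xff\xff\xff\x7f",  # e_lfanew out of range
}

if __name__ == "__main__":
    print(executable_extensions(SAMPLE_FILES))   # [".acm", ".ax", ".rll"]
```

On a real machine, replace SAMPLE_FILES with the contents of a directory read from disk; the result is the list of extensions a name-based blocker would have to cover.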
     