How a malicious help file can install a spyware keylogger

Discussion in 'malware problems & news' started by Dermot7, Sep 10, 2012.

Thread Status:
Not open for further replies.
  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Pretty clever!

    The use of creating booby-trapped files to load or run malicious executables goes back quite a few years.

    While today's exploits rely mostly on social engineering tactics, at least 8 years ago, cybercriminals were using different file types in remote code execution exploits. Here are a few from that period:

    http://urs2.net/rsj/computing/tests/files_exec


    ----
    rich
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Actually the use of .HLP for malware etc purposes dates back quite a number of years. I don't have specifics to hand, but due to my hearing about such a vector, I've selected ProcessGuard to block/prompt me each & every time :)

    [screenshot: pg.gif]

    If I DENY it, then I get this

    [screenshot: inv.gif]

    Personally I don't expect to be infected in such a way :p but it pays to be cautious. Plus after a disguised .HLP was allowed to run, it would need to also run the other files, such as .EXE/SYS/DLL etc. PG & other protection would automatically also block/prompt me each & every time, to those too :thumb:

    People with similar software/solutions can/could do the same.
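As an added example (not from this thread, and not ProcessGuard's own logic), here is the log-side counterpart of the prompt CloneRanger describes: a Python scan over constructed process-creation events that flags the legacy help handler, winhlp32.exe, spawning any child program, grading it higher when the child runs from a user-writable path or is rundll32/regsvr32 loading a DLL. The event layout, file paths and the path heuristic are assumptions made for illustration.

```python
import re

HELP_HANDLER = "winhlp32.exe"   # legacy Windows Help handler for .hlp files
LOADER_UTILS = {"rundll32.exe", "regsvr32.exe"}
# Assumed heuristic: payloads dropped by a booby-trapped file land in user-writable dirs.
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|users\\[^\\]+)\\", re.I)
# Assumed key=value event layout, loosely modelled on process-creation telemetry.
EVENT_RE = re.compile(r"ParentImage=(?P<parent>\S+) Image=(?P<image>\S+) CommandLine=(?P<cmd>.*)$")

# Constructed sample events: a help file that drops and runs an executable and a DLL,
# followed by a legitimate help file that merely opens a text file.
SAMPLE_EVENTS = [
    r'2012-09-10T10:01:02 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\winhlp32.exe CommandLine="winhlp32.exe" C:\Users\bob\Downloads\readme.hlp',
    r'2012-09-10T10:01:03 ParentImage=C:\Windows\winhlp32.exe Image=C:\Users\bob\AppData\Local\Temp\svchost.exe CommandLine=svchost.exe',
    r'2012-09-10T10:01:04 ParentImage=C:\Windows\winhlp32.exe Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\Users\bob\AppData\Local\Temp\hook.dll,Start',
    r'2012-09-10T10:05:00 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\winhlp32.exe CommandLine="winhlp32.exe" C:\Apps\app.hlp',
    r'2012-09-10T10:05:01 ParentImage=C:\Windows\winhlp32.exe Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\Apps\readme.txt',
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line):
    """Return the parent/image/cmd fields of one event, or None if the line does not match."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None

def assess(event):
    """Grade one parsed event; None means the help handler was not the parent."""
    if basename(event["parent"]) != HELP_HANDLER:
        return None
    child = basename(event["image"])
    if child in LOADER_UTILS and ".dll" in event["cmd"].lower():
        return ("high", f"{HELP_HANDLER} used {child} to load a DLL")
    if USER_WRITABLE.search(event["image"]):
        return ("high", f"{HELP_HANDLER} launched {child} from a user-writable path")
    # Any program launched by a help file deserves a look; the two cases above are just worse.
    return ("medium", f"{HELP_HANDLER} launched {child}")

def scan(lines):
    """Return (timestamp, severity, reason) for every child process the help handler spawned."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = assess(event) if event else None
        if verdict:
            findings.append((line.split(" ", 1)[0], *verdict))
    return findings
```

Running `scan(SAMPLE_EVENTS)` yields two high-severity findings for the dropped executable and the DLL load, and one medium finding for the legitimate help file opening notepad.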
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Here are a couple:

    http://blog.trendmicro.com/calling-windows-for-help-may-lead-to-vulnerability

    http://www.virusbtn.com/news/2011/09_14.xml

    With PG set up the way you show, can you run a legitimate Help file on your system?


    ----
    rich
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Good examples :thumb:

    Yes, by clicking ALLOW. But whenever I Allow something that's normally Prompted, I do NOT also tick "Always perform this action", as that would make the action from then on allowed on All such files, unless I reconfigured the permissions back again.

    As it only takes a few seconds to Allow or Deny, it's no big deal for me, & unless I'm installing or running something new etc, I don't get prompted all the time. I'm sure you are in a similar situation with DeepFreeze.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
  7. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    After PDFs and Images, Help files...
    What's next? o_O
     
  8. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Just an FYI. Windows Help format is not supported in Vista and later. You have to manually obtain the Windows Help program (WinHlp32.exe) if you want it.

    http://support.microsoft.com/kb/917607
     