How a malicious help file can install a spyware keylogger

Discussion in 'malware problems & news' started by Dermot7, Sep 10, 2012.

Thread Status:
Not open for further replies.
  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Pretty clever!

Creating booby-trapped files to load or run malicious executables goes back quite a few years.

While today's exploits rely mostly on social engineering tactics, at least 8 years ago cybercriminals were using different file types in remote code execution exploits. Here are a few from that period:

    http://urs2.net/rsj/computing/tests/files_exec


    ----
    rich
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
Actually, the use of .HLP for malware etc. purposes dates back quite a number of years. I don't have specifics to hand, but due to my hearing about such a vector, I've selected ProcessGuard to block/prompt me each & every time :)

[attachment: pg.gif]

If I DENY it, then I get this

[attachment: inv.gif]

Personally I don't expect to be infected in such a way :p but it pays to be cautious. Plus, after a disguised .HLP was allowed to run, it would need to also run the other files, such as .EXE/SYS/DLL etc. PG & other protection would automatically also block/prompt me each & every time for those too :thumb:

    People with similar software/solutions can/could do the same.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Here are a couple:

    http://blog.trendmicro.com/calling-windows-for-help-may-lead-to-vulnerability

    http://www.virusbtn.com/news/2011/09_14.xml

    With PG set up the way you show, can you run a legitimate Help file on your system?


    ----
    rich
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Good examples :thumb:

Yes, by clicking ALLOW. But whenever I Allow something that's normally Prompted, I do NOT also tick "Always perform this action", as that would make the action from then on allowed on All such files, unless I reconfigured the permissions back again.

As it only takes a few seconds to Allow or Deny, it's no big deal for me, & unless I'm installing or running something new etc., I don't get prompted all the time. I'm sure you are in a similar situation with DeepFreeze.
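The policy described in the two posts above (prompt on every launch of winhlp32.exe, and prompt again on whatever the help viewer then tries to run, without a remembered "always allow" rule), modelled as detection logic over a handful of process-creation events. This is an added example written for this page; it is not ProcessGuard's code and not from any poster. The event format, the sample events and the sample file headers are constructed; the only real constant is the four-byte WinHelp signature "?_\x03\x00" (0x3F 0x5F 0x03 0x00), used here to spot a help file hiding under another extension, or a PE executable renamed to .hlp.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# First four bytes of a WinHelp (.HLP) file: "?_" followed by 0x03 0x00.
WINHELP_MAGIC = b"?_\x03\x00"
PE_MAGIC = b"MZ"


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed format; a real feed would be
    Sysmon event 1, Security event 4688, or the HIPS's own log)."""
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str


def image_name(path: str) -> str:
    """Bare lowercase file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def file_kind(filename: str, data: bytes) -> str:
    """Compare the claimed extension with what the file header says.

    'winhelp'           .hlp extension and WinHelp header
    'pe-as-hlp'         .hlp extension but a PE executable inside
    'winhelp-disguised' WinHelp header under some other extension
    'other'             anything else
    """
    base = image_name(filename)
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    looks_hlp = data.startswith(WINHELP_MAGIC)
    looks_pe = data.startswith(PE_MAGIC)
    if ext == "hlp" and looks_hlp:
        return "winhelp"
    if ext == "hlp" and looks_pe:
        return "pe-as-hlp"
    if ext != "hlp" and looks_hlp:
        return "winhelp-disguised"
    return "other"


def triage(events: Iterable[ProcessEvent],
           always_allow: Set[str] = frozenset()) -> List[Tuple[int, str, str]]:
    """Apply the prompt-on-WinHelp policy to a stream of process events.

    Returns (pid, verdict, reason) for each event the policy stops on.
    'PROMPT' means the user decides; 'ALLOW' means a remembered
    "always perform this action" rule covers the image (the thread
    explains why that box is best left unticked). Every process spawned
    under winhlp32.exe, and under its descendants, is surfaced regardless,
    since that is where a help-file payload (.EXE/.DLL/.SYS dropper) appears.
    """
    alerts: List[Tuple[int, str, str]] = []
    helptree: Set[int] = set()          # pids descended from winhlp32.exe
    for ev in events:
        name = image_name(ev.image)
        if name == "winhlp32.exe":
            helptree.add(ev.pid)
            verdict = "ALLOW" if name in always_allow else "PROMPT"
            alerts.append((ev.pid, verdict, f"winhlp32.exe launched: {ev.cmdline}"))
        elif ev.ppid in helptree:
            helptree.add(ev.pid)
            alerts.append((ev.pid, "PROMPT", f"spawned under winhlp32.exe: {name}"))
    return alerts


# Constructed sample: a downloaded help file is opened, the help viewer
# drops and runs an executable from %TEMP%, and that starts a second one.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Windows\winhlp32.exe",
                 r'winhlp32.exe "C:\Users\me\Downloads\manual.hlp"'),
    ProcessEvent(300, 200, r"C:\Users\me\AppData\Local\Temp\svc.exe", "svc.exe"),
    ProcessEvent(400, 300, r"C:\Users\me\AppData\Local\Temp\keylog.exe", "keylog.exe -install"),
    ProcessEvent(500, 100, r"C:\Windows\notepad.exe", "notepad.exe"),
]

# Constructed file headers; only the leading bytes matter for file_kind().
SAMPLE_FILES = {
    "manual.hlp": b"?_\x03\x00" + b"\x00" * 12,
    "readme.hlp": b"MZ\x90\x00" + b"\x00" * 12,   # PE renamed to .hlp
    "notes.txt":  b"?_\x03\x00" + b"\x00" * 12,   # help file under a .txt name
    "photo.jpg":  b"\xff\xd8\xff\xe0",
}

if __name__ == "__main__":
    for pid, verdict, reason in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {verdict:6} {reason}")
    for fn, data in SAMPLE_FILES.items():
        print(f"{fn}: {file_kind(fn, data)}")
```

On the sample stream, triage() stops on pids 200, 300 and 400 and lets explorer.exe and notepad.exe through; passing always_allow={"winhlp32.exe"} turns the first verdict into ALLOW but still prompts for the two dropped executables, which is the point CloneRanger makes about not ticking the "always" box: the prompt on the children is what catches the payload even when the help viewer itself is trusted. Note that process creation is only part of the picture; a .DLL or .SYS load from a help-file macro would need an image-load or driver-load event source as well.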
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
  7. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    After PDFs and Images, Help files...
    What's next? o_O
     
  8. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
Just an FYI. Windows Help format is not supported in Vista and later. You have to manually obtain the Windows Help program (WinHlp32.exe) if you want it.

    -http://support.microsoft.com/kb/917607-
     