Vulnerable with UAC/DEP/ASLR/EMET/AV/FW

Discussion in 'malware problems & news' started by CloneRanger, Jun 16, 2012.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Not exactly straightforward to do, but still as a PC = :D
     
  2. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    I wonder if this post (and link) is allowed here.
     
  3. guest

    guest Guest

    Fake.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    lol what?

    He does actually do it. The exploit against Java works and Kaspersky doesn't see it. Whether it's "real" or not is beside the point.

    I see nothing about EMET on there though, not that it really matters.
     
  5. guest

    guest Guest

    The script kiddies can't reproduce the ****. I think it's fake lol
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Download the toolkit yourself.

    Nothing I saw there is surprising. A Java exploit being used and an antivirus bypassed.
     
  7. guest

    guest Guest

    I'm talking about the comments below the article. Script kiddies are commenting that the procedures don't work.

    I won't download this crap lol
     
  8. guest

    guest Guest

    BTW, did you test it?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Nope. I would but I'm lazy. I bet brandicandi will though.

    If they can't recreate it, it's likely because they're running a patched Java or they can't figure out how to use the toolkit lol

    Windows 7 gets hacked all the time. This isn't really new or exciting.

    edit: Yeah, the people commenting don't know how to use Metasploit lol
     
  10. guest

    guest Guest

  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, because Java 0days are in such short supply lol
     
  12. guest

    guest Guest

    This won't work against updated AVs from main companies.

    At the time the article was written, dunno.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Of course it will. It's only a matter of a crypter.
     
  14. guest

    guest Guest

    You're adding additional steps to the described procedures.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Apparently.
     
  16. guest

    guest Guest

    So this thing doesn't work anymore.

    To work it would require different things from what the attacker describes:

    - a very outdated AV in the victim's PC or decent obfuscation skills from the attacker

    - months old JRE in the victim's PC

    Not even talking about the huge (IMO) social engineering effort that is unlikely to easily succeed.
     
  17. guest

    guest Guest

    And testing a new malware against VirusTotal, Jotti and similar services isn't reliable. The detection rate of a locally installed AV tends to be superior to what those services show.

    So the attacker also has to have appropriately configured VMs with running updated AVs or a similar setup that allows him to test against the real AV.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    lol since when does it take an outdated AV for a hacker to bypass it? Heuristics get at best 70% detection rate, and usually with a large amount of false positives when they're that high.

    And Java 0-days happen often too, and the time to patch is ages. Besides, the updater is crap and most users are running out-of-date versions anyway.

    The attack is trivial and nothing new but it's entirely valid.
     
  19. guest

    guest Guest

    Note the "or decent obfuscation skills from the attacker" in my previous post.

    The Oracle updater is even removing the old version now!!!! It's improving!! rofl

    I think it's unlikely to succeed against a relevant percentage of users.
     
  20. guest

    guest Guest

    Also, Microsoft and Mozilla tend to automatically disable known vulnerable plugins in their browsers (including vulnerable versions of JRE) with their own automatic patching mechanisms.

    Microsoft calls that the "Killbit" update.

    So I bet this attack would also need an outdated version of IE or Firefox.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Pretty sure Java 7 doesn't remove Java 6, and a crypter is all it takes to bypass an AV without heuristics.

    And this attack would be very successful considering how many users run out-of-date Java and how often we see 0-days for it.
     
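The argument in the posts above (a crypter alone beats signature matching, while heuristics still get a shot at the result, at the price of false positives), as an added example that is not part of the thread or of the toolkit it discusses. Everything in it is constructed for illustration: the "signature", the "payload", the fixed key and the entropy cut-off are placeholders, not real detections or real malware.

```python
"""Why a crypter defeats byte signatures but not a simple heuristic.

Added example; not from the thread or the toolkit it discusses.
Everything here is constructed for illustration: the "signature",
the "payload", the fixed key and the entropy cut-off.
"""
import math
from collections import Counter

# Constructed stand-in for a byte pattern a signature scanner knows.
SIGNATURES = {"demo-stager": b"\x90\x90\x90\xcc\xcc\xcc\xeb\xfe"}

# Constructed "payload" that contains that pattern (not a real binary).
PAYLOAD = b"A" * 16 + SIGNATURES["demo-stager"] + b"B" * 16

# Constructed fixed key so the run is deterministic; a real crypter
# would draw a fresh random key per build.
KEY = bytes.fromhex("3a7f19c4e2558d0b6e9123f7a84cd061")

# Constructed heuristic cut-off in bits per byte: plain code and text sit
# well below it, encrypted or packed blobs sit close to 8.
ENTROPY_THRESHOLD = 4.5


def scan_signatures(blob: bytes) -> list:
    """Signature-only scanner: names of known patterns found in blob."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crypt(payload: bytes, key: bytes) -> bytes:
    """Toy crypter output: one length byte, the key, then the XORed payload.
    A real crypter ships a decoder stub instead of the bare key."""
    return bytes([len(key)]) + key + xor_crypt(payload, key)


def decrypt(blob: bytes) -> bytes:
    """What the decoder stub would do at run time."""
    klen = blob[0]
    return xor_crypt(blob[1 + klen:], blob[1:1 + klen])


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(blob: bytes) -> list:
    """Signature hits plus a crude 'looks encrypted or packed' heuristic."""
    hits = scan_signatures(blob)
    if shannon_entropy(blob) >= ENTROPY_THRESHOLD:
        hits.append("heuristic:high-entropy")
    return hits


def demo() -> dict:
    """Scan the plain payload and its crypted form. The payload survives
    decoding intact, so the malicious bytes still exist at run time."""
    encoded = crypt(PAYLOAD, KEY)
    assert decrypt(encoded) == PAYLOAD
    return {"plain": scan(PAYLOAD), "crypted": scan(encoded)}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'clean'}")
```

The plain payload is caught by the signature and missed by the entropy check; the crypted copy is the reverse. That is the whole crypter trade-off: the signature hit vanishes after a few lines of XOR, while the only thing left to detect is that the file "looks encrypted", a property shared with every compressed or legitimately packed binary, which is why heuristic detection rates and false-positive rates climb together.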
  22. guest

    guest Guest

    But Java 6 is being actively patched.

    Java 7 is still in "kind of beta" (not exactly beta, but not exactly ready for the masses too).

    As I said before: Microsoft and Mozilla tend to automatically disable known vulnerable plugins in their browsers (including vulnerable versions of JRE) with their own automatic patching mechanisms. Microsoft calls that the "Killbit" update. So I bet this attack would also need an outdated version of IE or Firefox.
     
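The "Killbit" mechanism mentioned in the posts above, as an added example that is not part of the thread: a kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and when it is set Internet Explorer refuses to instantiate that control. The script reports, for a list of CLSIDs, whether each one is kill-bitted on the local machine. The CLSIDs in the constructed hive used for the offline run are placeholders, not real controls; pass the CLSIDs from the relevant advisory on the command line to check a real Windows host.

```python
"""Check whether IE's kill bit is set for given ActiveX CLSIDs.

Added example, not from the thread. The registry key and the 0x400 bit
are Microsoft's documented kill-bit mechanism; the CLSIDs in the
constructed hive below are placeholders, not real controls.
"""
import sys

KILLBIT_PATH = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE loading the control


def kill_bit_set(compat_flags) -> bool:
    """True when the kill bit is present in a Compatibility Flags DWORD."""
    return compat_flags is not None and bool(compat_flags & KILL_BIT)


def winreg_reader(subkey: str, value_name: str):
    """Read a DWORD under HKLM on Windows; None if the key or value is absent."""
    import winreg  # Windows only, hence the local import
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, kind = winreg.QueryValueEx(key, value_name)
    except FileNotFoundError:
        return None
    return int(value) if kind == winreg.REG_DWORD else None


def audit(clsids, reader=winreg_reader) -> dict:
    """Map each CLSID to 'killbit', 'allowed' or 'absent'.

    reader(subkey, value_name) abstracts the registry so the logic can be
    exercised against a constructed hive on any OS."""
    report = {}
    for clsid in clsids:
        flags = reader(f"{KILLBIT_PATH}\\{clsid}", "Compatibility Flags")
        if flags is None:
            report[clsid] = "absent"
        elif kill_bit_set(flags):
            report[clsid] = "killbit"
        else:
            report[clsid] = "allowed"
    return report


# Constructed hive with placeholder CLSIDs for an offline run.
FAKE_HIVE = {
    (f"{KILLBIT_PATH}\\{{00000000-0000-0000-0000-000000000001}}", "Compatibility Flags"): 0x400,
    (f"{KILLBIT_PATH}\\{{00000000-0000-0000-0000-000000000002}}", "Compatibility Flags"): 0x0,
}


def fake_reader(subkey: str, value_name: str):
    """Registry stand-in backed by the constructed hive above."""
    return FAKE_HIVE.get((subkey, value_name))


if __name__ == "__main__":
    if sys.argv[1:]:
        result = audit(sys.argv[1:])  # real registry, Windows only
    else:
        result = audit(["{00000000-0000-0000-0000-000000000001}",
                        "{00000000-0000-0000-0000-000000000002}",
                        "{00000000-0000-0000-0000-000000000003}"], fake_reader)
    for clsid, state in result.items():
        print(f"{clsid}: {state}")
```

Two caveats when running this for real: on 64-bit Windows a 32-bit Internet Explorer reads the WOW6432Node view of HKLM\SOFTWARE, so check both views before concluding a control is blocked; and the kill bit only governs hosts that honour it (IE and other ActiveX hosts), while Firefox blocks vulnerable plugins through its own add-on blocklist, a separate mechanism this script does not inspect.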
  23. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Any decent criminal avoids VT et al because the sample will be distributed among vendors if detected.
    Dedicated malware AV scanners are used, as for instance in RedKit; link

    Lots of companies are 'forced' to use/keep using older versions and many consumers are unaware that certain software can/will install an (old) java version.
    Besides 'the unaware' who know zilch about stuff like "updating".
    The percentage seems big enough for gangs to sell a rehash of known exploits in a gentle GUI, making money on the ones who make money targeting the exploits.
    Java offers all kinds of business models.
     
  24. guest

    guest Guest

    These are usually restricted in other ways.

    True. But as I said before: Microsoft and Mozilla tend to automatically disable known vulnerable plugins in their browsers (including vulnerable versions of JRE) with their own automatic patching mechanisms. Microsoft calls that the "Killbit" update. So I bet this attack would also need an outdated version of IE or Firefox.

    Windows/Microsoft Update is set to automatic install for more than 92% of the userbase according to Microsoft stats.

    Maybe.
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Anyone notice the list of trackers on that site, including the DMCA?
     