Full Disclosure mailing list archives
Re: DLL Hijacking Against Installers In Browser Download Folders for Phish and Profit
From: Matt Howard <dreaminheks () gmail com>
Date: Mon, 13 Aug 2012 16:10:36 -0700
1. The attack is aiming at very low-hanging fruit, so low in fact it probably fell on the ground once and has a few bugs on it; this is the nature of phishing. If the redirect is well designed or the method of delivery is convincing enough, they will click save, assuming that only execution of it would be dangerous; the vendor page will be convincing enough in itself (theoretically) to lead them to the update/install. Even if they assumed it was sketchy, chances are they would still leave it in their downloads folder or remove the entry from their list of previously downloaded files without running it. Not clicking the installer wouldn't be a loss either, because the next update/install they run (be it in days, weeks, or months) will likely load the DLL.

2. That was a dumb addition on my part: every time DllMain is entered it will launch calc.exe. If I had removed the comment from that line it would have exited on the first execution, but instead this will launch for each call, which is sometimes quite a bunch. Not ideal for testing lots of installers, but fun to watch?

On Mon, Aug 13, 2012 at 3:02 PM, Christian Sciberras <uuf6429 () gmail com> wrote:
I've got two concerns about this:

1. Either way you put it, I can't see how one can make a convincing argument out of downloading a DLL file. Asking laymen, they'd ask "what's a dll for? weren't updates done with exe/msi/etc.? why's it got that funny icon?"

2. I'm a bit curious about your choice of code, and why you commented out exit(0); (what's the point anyway?)

Cheers,
Chris.

On Mon, Aug 13, 2012 at 7:19 PM, Gynvael Coldwind <gynvael () coldwind pl> wrote:

Well, what can I say - your write-up is accurate. Though last time I've seen it, around 5 years ago, it was still called DLL spoofing and not DLL hijacking, and was one of the arguments why "carpet bombing" (automatic download) in Safari/Chrome must be fixed :) E.g. http://gynvael.coldwind.pl/?id=55

--
gynvael.coldwind//vx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
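The condition the thread describes is simple to audit on a defender's side: an installer launched from the Downloads folder searches that folder first for any DLL that is not in the KnownDLLs list, so a stray DLL sitting next to an .exe or .msi there is exactly what the attack needs. The following PowerShell check is an added example and is not code from the original post or from any of the thread's participants. It assumes the Downloads folder is %USERPROFILE%\Downloads (there is no Windows special-folder constant for it, so the path is built by hand) and that "installer" means any .exe or .msi in that folder; it assumes no particular vulnerable installer or DLL name, and reports whatever DLLs are present along with their Mark-of-the-Web zone, Authenticode status and hash.

```powershell
# Added example (not from the original thread): list DLLs that sit next to
# installers in the user's Downloads folder, the precondition for the hijack.
# Assumptions: Downloads is %USERPROFILE%\Downloads; installers are .exe/.msi.

param(
    [string]$DownloadsDir = (Join-Path $env:USERPROFILE 'Downloads')
)

if (-not (Test-Path -LiteralPath $DownloadsDir)) {
    Write-Error "Downloads folder not found: $DownloadsDir"
    exit 1
}

# Installers that would be launched from this directory and so search it
# first for any DLL that is not a KnownDLL. -Force also catches hidden files.
$installers = Get-ChildItem -LiteralPath $DownloadsDir -File -Force |
    Where-Object { $_.Extension -in '.exe', '.msi' }

# Every DLL in the same directory is a candidate hijack payload.
$dlls = Get-ChildItem -LiteralPath $DownloadsDir -File -Force -Filter '*.dll'

if (-not $dlls) {
    Write-Output "No DLLs in $DownloadsDir; nothing for an installer to pick up."
    exit 0
}

foreach ($dll in $dlls) {
    # Mark-of-the-Web: a Zone.Identifier stream with ZoneId=3 means a browser
    # saved the file from the Internet zone, which matches the delivery here.
    $zone = 'none'
    try {
        $zi = Get-Content -LiteralPath $dll.FullName -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $zi) {
            if ($line -match '^ZoneId=(\d)') { $zone = $Matches[1] }
        }
    } catch {
        # No alternate data stream: file was not written by a MotW-aware app.
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $dll.FullName
    $hash = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        Dll            = $dll.Name
        Bytes          = $dll.Length
        Written        = $dll.LastWriteTime
        ZoneId         = $zone
        Signature      = $sig.Status
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256         = $hash
        InstallersHere = ($installers | ForEach-Object Name) -join ', '
    }
}
```

Run it as a normal user (no elevation is needed to read the folder) and treat any unsigned DLL with ZoneId 3 that shares the folder with an installer as something to remove before the next install is run from there; the hash is included so the file can be checked against other reports before it is deleted.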
Current thread:
- DLL Hijacking Against Installers In Browser Download Folders for Phish and Profit Matt Howard (Aug 13)
- Re: DLL Hijacking Against Installers In Browser Download Folders for Phish and Profit Gynvael Coldwind (Aug 13)
- Re: DLL Hijacking Against Installers In Browser Download Folders for Phish and Profit Christian Sciberras (Aug 13)
- Re: DLL Hijacking Against Installers In Browser Download Folders for Phish and Profit Matt Howard (Aug 13)
- Re: DLL Hijacking Against Installers In Browser Download Folders for Phish and Profit Christian Sciberras (Aug 13)
- Re: DLL Hijacking Against Installers In Browser Download Folders for Phish and Profit Gynvael Coldwind (Aug 13)