Full Disclosure mailing list archives

Re: Downloads Folder: A Binary Planting Minefield

From: "ACROS Security Lists" <lists () acros si>
Date: Wed, 22 Feb 2012 18:32:30 +0100

Hi Jeff,

I don't believe a PE/PE+ executable needs a DLL extension to 
be loaded by LoadLibrary and friends.


True, any file can be loaded this way, but our pretty extensive experimenting showed
extremely few cases where legitimate applications (in this case mostly installers)
loaded anything other than <something>.dll. The operating assumption here is that the
initial executable (installer) is friendly but whatever it loads with LoadLibrary*
can be potentially malicious. The attacker can therefore not choose which file the
initial executable will load with LoadLibrary* but must plant a file that the
executable is already set to load.

Perhaps a scanning/cleansing tool would be helpful.


Certainly. In the mean time, "del Downloads\*" is a free and efficient superset of
that ;-)

Cheers,
Mitja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Downloads Folder: A Binary Planting Minefield ACROS Security Lists (Feb 17)
- Re: Downloads Folder: A Binary Planting Minefield Kyle Creyts (Feb 19)
  - Re: Downloads Folder: A Binary Planting Minefield Jeffrey Walton (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield Jeffrey Walton (Feb 20)
  - Re: Downloads Folder: A Binary Planting Minefield Sanguinarious Rose (Feb 20)
    - Re: Downloads Folder: A Binary Planting Minefield Grandma Eubanks (Feb 20)
  - Re: Downloads Folder: A Binary Planting Minefield ACROS Security Lists (Feb 22)
    - Re: Downloads Folder: A Binary Planting Minefield Nate Theis (Feb 22)
- Re: Downloads Folder: A Binary Planting Minefield Kurt Dillard (Feb 21)