Full Disclosure mailing list archives
Re: Downloads Folder: A Binary Planting Minefield
From: "ACROS Security Lists" <lists () acros si>
Date: Wed, 22 Feb 2012 18:32:30 +0100
Hi Jeff,
I don't believe a PE/PE+ executable needs a DLL extension to be loaded by LoadLibrary and friends.
True, any file can be loaded this way, but our pretty extensive experimenting showed extremely few cases where legitimate applications (in this case mostly installers) loaded anything other than <something>.dll. The operating assumption here is that the initial executable (installer) is friendly but whatever it loads with LoadLibrary* can be potentially malicious. The attacker can therefore not choose which file the initial executable will load with LoadLibrary* but must plant a file that the executable is already set to load.
Perhaps a scanning/cleansing tool would be helpful.
Certainly. In the mean time, "del Downloads\*" is a free and efficient superset of that ;-) Cheers, Mitja _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Downloads Folder: A Binary Planting Minefield ACROS Security Lists (Feb 17)
- Re: Downloads Folder: A Binary Planting Minefield Kyle Creyts (Feb 19)
- Re: Downloads Folder: A Binary Planting Minefield Jeffrey Walton (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield Jeffrey Walton (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield Sanguinarious Rose (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield Grandma Eubanks (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield ACROS Security Lists (Feb 22)
- Re: Downloads Folder: A Binary Planting Minefield Nate Theis (Feb 22)
- Re: Downloads Folder: A Binary Planting Minefield Sanguinarious Rose (Feb 20)
- Re: Downloads Folder: A Binary Planting Minefield Kurt Dillard (Feb 21)
- Re: Downloads Folder: A Binary Planting Minefield Kyle Creyts (Feb 19)