Re: Malvertising

[Gregory Hicks <ghicks () cadence com>]

> Date: Tue, 11 Dec 2007 00:22:43 -0800
> From: "Daniel H. Renner" <dan () losangelescomputerhelp com>
> To: funsec () linuxbox org
> Subject: Re: [funsec] Malvertising
>
> As was seen when MySpace visitors were hit last October in attacks via 
> advertising banners, and a year ago when 1 million MySpace visitors were 
> hit via banners, and when Falk-Ag was hit, and when...
>
> Can you say "hosts file"?

I can.  But how does this help?

> Sincerely,
>
> Daniel H. Renner
> President
> Los Angeles Computerhelp
> A division of Computerhelp, Inc.
> 818-352-8700
> http://losangelescomputerhelp.com
>
>
>
> funsec-request () linuxbox org wrote:
> > Date: Thu, 6 Dec 2007 21:53:45 -0600
> > From: <rms () computerbytesman com>
> > Subject: [funsec] Malvertising 
> > To: <funsec () linuxbox org>
> > Message-ID: <004a01c83884$c4785c80$4d691580$@com>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > http://isc.sans.org/diary.html?storyid=3727
> >
> >  
> >
> > Malvertising
> >
> > Published: 2007-12-06,
> > Last Updated: 2007-12-06 17:06:55 UTC
> > by William Salusky (Version: 1) 
> >
> > Malvertising (malicious advertising) is a reasonably fresh take on an online
> > criminal methodology that appears focused on the installation of unwanted or
> > outright malicious software through the use of internet advertising media
> > networks, exchanges and other user supplied content publishing services
> > common to the Social Networking space.  The most popular Malvertising vector
> > active "in the wild" is a result of the client rendering of Adobe Flash SWF
> > files that contain maliciously coded Flash ActionScript.  In my own limited
> > (but growing) experience, Malicious SWF files may share one or more of the
> > following features:
> >
> > *   They are often protected from casual swf decompiler tools though the
> > use of commercial SWF encryption tools
> > *   May contain complex de-obfuscation routines to hide the actual
> > intent of any embedded ActionScript.
> > *   May directly contain exploit code used to attack the client
> > *   May act solely as the drive-by vector in performing a 'GetURL'
> > equivalent referral to the actual upstream exploit host
> > *   May primarily be a Social Engineering attack to confuse or trick a
> > user into accepting the installation of software
> > *   Contains time sensitive payloads which do not go 'live' until a
> > specific date and time.
> >
> > In light of a growing problem that has the potential to effectively place
> > every internet user at risk, even when only visiting sites they would
> > otherwise fully trust, there is at least a new tool available to assist the
> > security researcher community with a means to better identify malicious SWF
> > files.  The timing for this is excellent, as I have personally only learned
> > of this tool just this morning.  This particular tool is the OWASP hosted
> > project named 'SWFIntruder'.  I will be doing my own deep dive into the
> > details of it's use for inclusion into my own SWF analysis tool bag.  The
> > personal SWF analysis tool bag happens to include two other freely available
> > (also cross platform) SWF file decompilers:
> >
> > SWFIntruder : https://www.owasp.org/index.php/Category:SWFIntruder
> > swfdump      : http://www.swftools.org/ (source available)
> > and 'flare'     : http://www.nowrap.de/flare.html  (binary only)  :(
> >
> > We may expand on how you might consider applying security mitigations for
> > this threat type as a protection for the average user which may include your
> > spouse, parents, children, corporate network users, etc... in a future
> > diary.  Please do write in with your own insights into the malvertising
> > problem space.
> >
> > William Salusky
> > Handler on Duty :)
> >
> >  
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

-------------------------------------------------------------------
Gregory Hicks                        | Principal Systems Engineer
Cadence Design Systems               | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1
San Jose, CA 95134

I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision."

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.