Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: DLL Hijacking Against Installers In Browser Download Folders for Phish and Profit
From: Matt Howard <dreaminheks () gmail com>
Date: Mon, 13 Aug 2012 16:10:36 -0700

1. The attack is aiming at a very low hanging fruit, so low in fact it
probably fell on the ground once and has a few bugs on it, this is the
nature of phishing. If the redirect is well designed or the method of the
delivery is convincing enough, they will click save assuming that only
execution of it would be dangerous, the vendor page will be convincing
enough in itself (theoretically) to lead them to the update/install. Even
if they assumed it was sketchy chances are they would still leave it in
their downloads folder or remove the entry from their list of previously
downloaded files not running it.. Not clicking the installer wouldn't be a
loss either because the next update/install they run (be it days, weeks, or
months) will likely load the DLL.

2. That was a dumb addition on my part, every time DllMain is entered it
will launch calc.exe, if I had removed the comment from that line it would
have exited on the first execution but instead this will launch for each
call.. Which is sometimes quite a bunch, not ideal for testing lots of
installers but fun to watch?



On Mon, Aug 13, 2012 at 3:02 PM, Christian Sciberras <uuf6429 () gmail com>wrote:

I've got two concerns about this:


1. Either way you put it, I can't see how one can make a convincing
argument out of downloading a DLL file.
Asking laymen, they'd ask "what's a dll for? weren't updates done with
exe/msi/etc? why's it got that funny icon?"

2. I'm a bit curious about your choice of code, and why you commented out
exit(0); (what's the point anyway?)


Cheers,
Chris.




On Mon, Aug 13, 2012 at 7:19 PM, Gynvael Coldwind <gynvael () coldwind pl>wrote:

Well, what can I say - your write up is accurate.

Though last time I've seen it, around 5 years ago, it was still called
DLL spoofing and not DLL hijacking, and was one of the arguments why
"carpet bombing" (automatic download) in Safair/Chrome must be fixed
:)
E.g. http://gynvael.coldwind.pl/?id=55

--
gynvael.coldwind//vx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault