Full Disclosure mailing list archives

Re: Downloads Folder: A Binary Planting Minefield


From: Nate Theis <nttheis () gmail com>
Date: Wed, 22 Feb 2012 16:50:24 -0800

Hmm, interesting AV evasion technique: Seemingly legitimate app, but the
download page gives both a malicious DLL and the main executable, the main
executable uses LoadLibrary insecurely.
On Feb 22, 2012 9:33 AM, "ACROS Security Lists" <lists () acros si> wrote:

> Hi Jeff,
>
>> I don't believe a PE/PE+ executable needs a DLL extension to
>> be loaded by LoadLibrary and friends.
>
> True, any file can be loaded this way, but our pretty extensive
> experimenting showed extremely few cases where legitimate applications
> (in this case mostly installers) loaded anything other than
> <something>.dll. The operating assumption here is that the initial
> executable (installer) is friendly but whatever it loads with
> LoadLibrary* can be potentially malicious. The attacker can therefore
> not choose which file the initial executable will load with LoadLibrary*
> but must plant a file that the executable is already set to load.
>
>> Perhaps a scanning/cleansing tool would be helpful.
>
> Certainly. In the meantime, "del Downloads\*" is a free and efficient
> superset of that ;-)
>
> Cheers,
> Mitja
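
A scanning tool of the kind Jeff suggests, as an added example that is not part of this thread or of any ACROS tool: it walks one Downloads folder and flags every .dll, plus any file carrying the PE "MZ" signature behind another extension, sitting beside the downloaded executables, then moves the flagged files aside instead of wiping the folder wholesale. The EXEC_SUFFIXES set, the Finding type and the constructed sample folder are assumptions of the example.

```python
"""Downloads-folder scanner for binary-planting candidates (added example,
not part of the thread or any ACROS tool). An installer run from Downloads
that calls LoadLibrary("foo.dll") by bare name finds it in its own folder
first, so every DLL (or PE image behind another extension) beside a
downloaded executable is flagged, then moved out rather than deleted."""
import tempfile
from dataclasses import dataclass
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".msi", ".scr", ".com"}  # assumed "executable" set

@dataclass(frozen=True)
class Finding:
    path: Path
    reason: str
    executables_beside: tuple  # names of executables in the same folder

def is_pe(path: Path) -> bool:
    """True if the file starts with the DOS/PE 'MZ' signature."""
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"

def scan_downloads(folder: Path) -> list:
    """Non-recursive, mirroring the loader's application-directory lookup."""
    files = sorted(p for p in Path(folder).iterdir() if p.is_file())
    exes = tuple(p.name for p in files if p.suffix.lower() in EXEC_SUFFIXES)
    found = []
    for p in files:
        if p.suffix.lower() == ".dll":
            found.append(Finding(p, "DLL beside downloaded executables", exes))
        elif p.suffix.lower() not in EXEC_SUFFIXES and is_pe(p):
            found.append(Finding(p, "PE image with non-executable extension", exes))
    return found

def quarantine(findings: list, dest: Path) -> list:
    """Move flagged files into `dest` instead of deleting them outright."""
    Path(dest).mkdir(parents=True, exist_ok=True)
    return [f.path.replace(Path(dest) / f.path.name) for f in findings]

def constructed_downloads() -> Path:
    """Throwaway folder of constructed sample files for a demo run."""
    d = Path(tempfile.mkdtemp())
    (d / "setup.exe").write_bytes(b"MZ\x90\x00")    # the downloaded installer
    (d / "dwmapi.dll").write_bytes(b"MZ\x90\x00")   # library planted beside it
    (d / "invoice.pdf").write_bytes(b"MZ\x90\x00")  # PE disguised as a document
    (d / "readme.txt").write_text("plain text, ignored")
    return d
```

Running `scan_downloads(constructed_downloads())` reports dwmapi.dll and invoice.pdf but leaves setup.exe and readme.txt alone; `quarantine` then moves the two flagged files into a side folder for inspection.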

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
