Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Malware, eBay, and You.

Published: 2005-12-07
Last Updated: 2005-12-07 17:52:56 UTC
by John Bambenek (Version: 1)
0 comment(s)
ISC reader Gareth Attrill pointed us to an eBay auction that has some escaped HTML code that sneaks in a link that tries to get a trojanized .jar (usage.jar) file loaded on anyone who loads the listing.  The latest .dat for McAfee immediately detected (and deleted) the code as Exploit-ByteVerify.  The lister most likely managed to bypass other protections that otherwise prevents this kind of code from being inserted into item listings.  Both eBay and the ISP that is hosting the malware have been notified.

The impact of this kind of attack is probably small, but it does present an interesting new vector for tricking users into going to locations that include the standard class of passive web browser exploits.  Something like this using code that wasn't immediately known to the AV vendors and using an item that was very popular (say an XBOX 360 at release) could create a situation ripe for widespread exploitation. 

Any site that allows users to enter HTML or images could theoretically be misused this way and illustrates the importance of validating end-user input, both in restricting what they can put in, and in the case of images that there is no exploits in the image files.  These checks need to be repeated instead of checking only when entered so that new DATs can examine existing files that may have gotten in before new DATs were implemented.

John Bambenek, bambenek *at* gmail *dot* com
0 comment(s)

What? No URL?

Published: 2005-12-07
Last Updated: 2005-12-07 02:04:54 UTC
by Lorna Hutcheson (Version: 1)
0 comment(s)
The scenario goes something like this:  We get information that there is a potentially malicious site doing some not so nice things.  After investigating and working to figure out what is going on, we finally post an entry to let people know that there is an evil site out there and exactly what you will get if you visit that site. (Yes we also report it to try to get it taken down) Well, for most people, that's enough, but for others there is an insatiable urge to know exactly where that site is located which prompts an email to us asking that very question.   There are all sorts of reasons for why people want to know where the site is and my reasons for writing this are not to be little any of them as many of them are valid.   Its actually to try to set the record straight on why we try to avoid posting the URL to sites that are doing malicious things.  Here are a couple of reasons:

First, for some unknown reason, it is in our human nature to want to click on anything clickable!  Maybe its the rebel in us all, a form of expression.  Regardless of who you are, we all click on URLS, especially on sites that we trust.  How many viruses have you had to fight off at your organization from users clicking on links in email they got?  Well, we don't want to contribute to that infection rate.  However, if you are one of the very few, probably could be counted on one hand, who actually types every single URL, my hats off to you!!  But for the rest of us, we don't post the URL to malicious sites to help protect folks from themselves and that insatiable urge to click on things.     If we were to point users to a URL which has malware on it like (Don't click on that link) then there is a chance a security minded user could accidently click the link while copying it to an email or another window.  Whether your a newbie or an oldie, accidents do happen.

Second (you'll need to think devious), if you are a bad guy and you want to stay up on some of the latest exploits or if you have done some exploiting and wonder if someone is on to you, where would you look?  Well, major security sites with forums would be a good start.  A place where you can see what are the latest happenings as they are posted.   Since good guys as well bad guys visit our site,  we don't post the links to keep the "bad guys" from getting their hands on new malware or pointers to the latest exploit code.   The last thing we want to do is to help further their endevors.  Sure, if they want it they can probably find it, but we're not going to make it easy for them and they'll have to get it some where else.  We all need to be responsible with what we post and make available.  Things that can be used for good can be used for evil as well.

Hopefully this cleared up things for folks as to why we don't post the full URL to malicious sites or post the links to exploit code for that matter.  We really enjoy helping everyone and part of that is protecting everyone who visits the site.
0 comment(s)
Diary Archives