[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Downloads Folder: A Binary Planting Minefield

To: <noloader@xxxxxxxxx>
Subject: Re: [Full-disclosure] Downloads Folder: A Binary Planting Minefield
From: "ACROS Security Lists" <lists@xxxxxxxx>
Date: Wed, 22 Feb 2012 18:32:30 +0100

Hi Jeff, 

> I don't believe a PE/PE+ executable needs a DLL extension to 
> be loaded by LoadLibrary and friends.

True, any file can be loaded this way, but our pretty extensive experimenting 
showed
extremely few cases where legitimate applications (in this case mostly 
installers)
loaded anything other than <something>.dll. The operating assumption here is 
that the
initial executable (installer) is friendly but whatever it loads with 
LoadLibrary*
can be potentially malicious. The attacker can therefore not choose which file 
the
initial executable will load with LoadLibrary* but must plant a file that the
executable is already set to load.

> Perhaps a scanning/cleansing tool would be helpful.

Certainly. In the mean time, "del Downloads\*" is a free and efficient superset 
of
that ;-)

Cheers,
Mitja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Downloads Folder: A Binary Planting Minefield
  - From: Nate Theis

References:
- [Full-disclosure] Downloads Folder: A Binary Planting Minefield
  - From: ACROS Security Lists
- Re: [Full-disclosure] Downloads Folder: A Binary Planting Minefield
  - From: Jeffrey Walton

Prev by Date: Re: [Full-disclosure] Circumventing NAT via UDP hole punching.
Next by Date: Re: [Full-disclosure] RSA and random number generation
Previous by thread: Re: [Full-disclosure] Downloads Folder: A Binary Planting Minefield
Next by thread: Re: [Full-disclosure] Downloads Folder: A Binary Planting Minefield
Index(es):
- Date
- Thread