Steganographic malware via altered transparency value pixels in ad network banners.

Razer rayzer at riseup.net
Sat Dec 10 12:56:25 PST 2016


Apparently this had been going on for a couple of years...

>
> "The criminals were able to send banner ads and javascript to their
> targets' computers by pushing both into ad networks. These networks
> aggressively scan advertisers' javascript for suspicious code, so the
> criminals needed to sneak their bad code past these checks.
> To do this, they made tiny alterations to the transparency values of
> the individual pixels of the accompanying banner ads, which were in
> the PNG format, which allows for pixel-level gradations in
> transparency. The javascript sent by the attackers would run through
> the pixels in the banners, looking for ones with the telltale
> alterations, then it would turn that tweaked transparency value into a
> character. By stringing all these characters together, the javascript
> would assemble a new program, which it would then execute on the
> target's computer.
> This new program triggered a network request to a site controlled by
> the attackers, which repeatedly checked the target's computer to see
> if it was running inside a virtual machine (a telltale sign of a
> paranoid user, possibly a security researcher who would figure out
> what was going on) or whether it had any anti-virus software. Once it
> was satisfied that the target was not in a position to detect active
> attacks, it launched exploits targeted at Internet Explorer/Flash to
> hijack the machine and gather the user's keystrokes, with a special
> emphasis on bank-industry information."


http://boingboing.net/2016/12/07/for-two-years-criminals-stole.html

More:
http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
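
The quoted article says the data rode in small changes to the PNG transparency values. As an added example (not from the post or the linked articles), here is a check a scanner could run on a banner's raw PNG bytes: decode the alpha channel and flag images where many pixels carry distinct, almost-opaque alpha values. The function names and the thresholds (`lo`, `min_frac`, `min_distinct`) are assumptions chosen for illustration, and only 8-bit RGBA, non-interlaced PNGs are handled.

```python
import struct
import zlib
from collections import Counter

def png_alpha(data):
    """Alpha bytes of an 8-bit RGBA, non-interlaced PNG; ValueError otherwise."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, hdr = 8, b"", None
    while pos + 8 <= len(data):  # walk chunks: length, type, body, CRC
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":  # width, height, depth, colour type, ..., interlace
            hdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length
    if hdr is None or hdr[2:4] != (8, 6) or hdr[6] != 0:
        raise ValueError("only 8-bit RGBA, non-interlaced PNGs are handled")
    stride, alpha = hdr[0] * 4, bytearray()
    raw, prev = zlib.decompress(idat), bytearray(stride)
    for y in range(hdr[1]):  # undo the per-scanline PNG filter
        start = y * (stride + 1)
        ftype, line = raw[start], bytearray(raw[start + 1:start + 1 + stride])
        for i in range(stride):
            a = line[i - 4] if i >= 4 else 0  # left neighbour
            b = prev[i]                        # byte above
            c = prev[i - 4] if i >= 4 else 0  # above-left
            if ftype == 4:  # Paeth predictor
                pa, pb, pc = abs(b - c), abs(a - c), abs(a + b - 2 * c)
                pred = a if pa <= pb and pa <= pc else b if pb <= pc else c
            else:  # 0 None, 1 Sub, 2 Up, 3 Average
                pred = (0, a, b, (a + b) // 2)[ftype]
            line[i] = (line[i] + pred) & 0xFF
        alpha += line[3::4]  # every fourth byte of an RGBA scanline is alpha
        prev = line
    return bytes(alpha)

def alpha_report(data, lo=240, min_frac=0.05, min_distinct=4):
    """Flag images with many distinct alpha values in lo..254 (assumed thresholds)."""
    alpha = png_alpha(data)
    near = Counter(v for v in alpha if lo <= v < 255)
    frac = sum(near.values()) / max(len(alpha), 1)
    return {"near_opaque_fraction": frac, "distinct_near_opaque": len(near),
            "suspicious": frac >= min_frac and len(near) >= min_distinct}
```

A hit is only a reason to look closer: legitimate banners with soft or anti-aliased edges also carry partial alpha, so the result is best read together with where those pixels sit in the image.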
