Steganographic malware via altered transparency value pixels in ad network banners.
John Newman
jnn at synfin.org
Sun Dec 11 06:04:11 PST 2016
You're an utter fool if you don't, at the bare minimum, run a fucking adblocker plugin.
ABP exists for Firefox, Chrome, Safari and as a dedicated browser for Android...
Interesting story tho..
--
John
> On Dec 10, 2016, at 3:56 PM, Razer <rayzer at riseup.net> wrote:
>
> Apparently this had been going on for a couple of years...
>>
>> "The criminals were able to send banner ads and javascript to their
>> targets' computers by pushing both into ad networks. These networks
>> aggressively scan advertisers' javascript for suspicious code, so the
>> criminals needed to sneak their bad code past these checks.
>>
>> To do this, they made tiny alterations to the transparency values of the
>> individual pixels of the accompanying banner ads, which were in the PNG
>> format, which allows for pixel-level gradations in transparency. The
>> javascript sent by the attackers would run through the pixels in the
>> banners, looking for ones with the telltale alterations, then it would
>> turn that tweaked transparency value into a character. By stringing all
>> these characters together, the javascript would assemble a new program,
>> which it would then execute on the target's computer.
>>
>> This new program triggered a network request to a site controlled by the
>> attackers, which repeatedly checked the target's computer to see if it
>> was running inside a virtual machine (a telltale sign of a paranoid
>> user, possibly a security researcher who would figure out what was going
>> on) or whether it had any anti-virus software. Once it was satisfied
>> that the target was not in a position to detect active attacks, it
>> launched exploits targeted at Internet Explorer/Flash to hijack the
>> machine and gather the user's keystrokes, with a special emphasis on
>> bank-industry information."
>
>
> http://boingboing.net/2016/12/07/for-two-years-criminals-stole.html
>
> More: http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
>
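A defender-side check for the trick described in the quoted article, as an added example that is not part of the original thread: it reads the alpha channel of an 8-bit RGBA PNG using only the standard library and flags banners whose alpha stays visually opaque while many pixels sit slightly below 255. The function names, the thresholds (`floor=240`, `min_share=0.02`, at least three distinct values) and both sample images are assumptions constructed for illustration.

```python
import struct, zlib

SIG = b"\x89PNG\r\n\x1a\n"

def alpha_channel(png):
    """Alpha bytes of an 8-bit RGBA, non-interlaced PNG; [] for any other PNG type."""
    if png[:8] != SIG:
        raise ValueError("not a PNG")
    pos, idat, hdr = 8, b"", None
    while pos + 8 <= len(png):                       # walk the chunk list
        size, kind = struct.unpack(">I4s", png[pos:pos + 8])
        if kind == b"IHDR":
            hdr = struct.unpack(">IIBBBBB", png[pos + 8:pos + 21])
        elif kind == b"IDAT":
            idat += png[pos + 8:pos + 8 + size]
        pos += 12 + size
    if hdr is None or hdr[2:4] != (8, 6) or hdr[6] != 0:
        return []
    raw, n, prev, out = zlib.decompress(idat), hdr[0] * 4, bytearray(hdr[0] * 4), []
    for y in range(hdr[1]):
        ft, row = raw[y * (n + 1)], bytearray(raw[y * (n + 1) + 1:(y + 1) * (n + 1)])
        for i in range(n):                           # undo the scanline filter, 4 bytes per pixel
            a, b, c = (row[i - 4], prev[i], prev[i - 4]) if i >= 4 else (0, prev[i], 0)
            pa, pb, pc = abs(b - c), abs(a - c), abs(a + b - 2 * c)
            paeth = a if pa <= pb and pa <= pc else b if pb <= pc else c
            row[i] = (row[i] + (0, a, b, (a + b) // 2, paeth)[ft]) & 0xFF
        out.extend(row[3::4])
        prev = row
    return out

def near_opaque_jitter(alpha, floor=240, min_share=0.02):
    """True when alpha never drops below `floor` yet many pixels sit just under 255."""
    near = [a for a in alpha if floor <= a < 255]
    return (bool(alpha) and min(alpha) >= floor
            and len(near) / len(alpha) >= min_share and len(set(near)) >= 3)

def png_bytes(w, h, scanlines):
    """Wrap already-filtered scanlines in IHDR/IDAT/IEND chunks (builds the samples)."""
    def chunk(kind, data):
        return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 6, 0, 0, 0)
    return SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b"")

def sample(w, h, alpha_of):
    """Constructed grey banner, filter type 0; alpha_of(i) gives pixel i's alpha."""
    px = [bytes((128, 128, 128, alpha_of(i))) for i in range(w * h)]
    return png_bytes(w, h, b"".join(b"\x00" + b"".join(px[y * w:(y + 1) * w]) for y in range(h)))

CLEAN = sample(16, 8, lambda i: 255)                                     # fully opaque
ODD = sample(16, 8, lambda i: 255 - i * 7 % 5 if i % 3 == 0 else 255)    # constructed jitter
```

A hit is a reason to inspect the creative and the script served with it, not proof of a payload; legitimately translucent images fail the `min(alpha) >= floor` test and are not flagged.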
More information about the cypherpunks
mailing list