Steganographic malware via altered transparency value pixels in ad network banners.

Razer rayzer at riseup.net
Sun Dec 11 10:50:52 PST 2016



On 12/11/2016 06:04 AM, John Newman wrote:
> You're an utter fool if you don't, at the bare minimum, run a fucking
> adblocker plugin.
> ABP exists for Firefox, Chrome, Safari and as a dedicated browser for
> Android...
>
> Interesting story tho..
>
> -- 
> John
>

Have to admit that's a pretty creative hack... A cut above kiddies
brute-forcing their way into a MySQL database.

Rr



> On Dec 10, 2016, at 3:56 PM, Razer <rayzer at riseup.net
> <mailto:rayzer at riseup.net>> wrote:
>
>> Apparently this had been going on for a couple of years...
>>
>>>
>>> "The criminals were able to send banner ads and JavaScript to their
>>> targets' computers by pushing both into ad networks. These networks
>>> aggressively scan advertisers' JavaScript for suspicious code, so
>>> the criminals needed to sneak their bad code past these checks.
>>> To do this, they made tiny alterations to the transparency values of
>>> the individual pixels of the accompanying banner ads, which were in
>>> the PNG format, which allows for pixel-level gradations in
>>> transparency. The JavaScript sent by the attackers would run through
>>> the pixels in the banners, looking for ones with the telltale
>>> alterations, then it would turn that tweaked transparency value into
>>> a character. By stringing all these characters together, the
>>> JavaScript would assemble a new program, which it would then execute
>>> on the target's computer.
>>> This new program triggered a network request to a site controlled by
>>> the attackers, which repeatedly checked the target's computer to see
>>> if it was running inside a virtual machine (a telltale sign of a
>>> paranoid user, possibly a security researcher who would figure out
>>> what was going on) or whether it had any anti-virus software. Once
>>> it was satisfied that the target was not in a position to detect
>>> active attacks, it launched exploits targeted at Internet
>>> Explorer/Flash to hijack the machine and gather the user's
>>> keystrokes, with a special emphasis on bank-industry information."
>>
>>
>> http://boingboing.net/2016/12/07/for-two-years-criminals-stole.html
>>
>> More:
>> http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
>>
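As an added illustration of the detection side (not code from the article, the thread, or any ad network), here is a small steganalysis heuristic an ad network's creative scanner could run over a banner's decoded RGBA pixels: it looks for the isolated, slightly altered transparency values the article describes and flags the image when many of them carry varied values. PNG decoding is assumed to have happened already; the banners below are constructed samples, and the two thresholds are assumptions rather than tuned values.

```python
import math
from collections import Counter

OPAQUE = 255

def alpha_at(rgba, x, y, width):
    return rgba[4 * (y * width + x) + 3]     # flat, row-major RGBA bytes

def tweaked_pixels(rgba, width, height):
    """Alpha values of partially transparent pixels whose 4-neighbours are all
    fully opaque. Fades and anti-aliased edges put semi-transparent pixels next
    to each other; an isolated one inside an opaque region is not rendering."""
    found = []
    for y in range(height):
        for x in range(width):
            a = alpha_at(rgba, x, y, width)
            if a in (0, OPAQUE):
                continue
            around = [(x - 1, y), (x + 1, y), (x, y - 1), (x, y + 1)]
            if all(alpha_at(rgba, nx, ny, width) == OPAQUE for nx, ny in around
                   if 0 <= nx < width and 0 <= ny < height):
                found.append(a)
    return found

def shannon_entropy(values):
    """Entropy in bits of the value distribution (0.0 for an empty list)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values()) if n else 0.0

def is_suspicious(rgba, width, height, min_pixels=32, min_entropy=3.0):
    """Flag many isolated tweaked pixels with varied alpha: a character per
    pixel spreads over many values, a stray artefact does not. Thresholds are
    assumptions, not tuned values."""
    vals = tweaked_pixels(rgba, width, height)
    return len(vals) >= min_pixels and shannon_entropy(vals) >= min_entropy

def make_banner(width, height, perturb=None):
    """Constructed sample, not a real ad creative: solid opaque banner with a
    4-pixel smooth fade on the left. perturb(x, y) gives how much to lower an
    interior pixel's alpha (0 keeps it opaque)."""
    out = bytearray()
    for y in range(height):
        for x in range(width):
            a = OPAQUE
            if x < 4:
                a = x * 64                      # 0, 64, 128, 192: a legitimate fade
            elif perturb and 4 < x < width - 1 and 0 < y < height - 1:
                a -= perturb(x, y)
            out += bytes((200, 30, 30, a))
    return bytes(out)
```

The clean sample passes because its only semi-transparent pixels sit in the fade next to each other, while a checkerboard of small, varying alpha reductions inside the opaque area is flagged.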
