Steganographic malware via altered transparency value pixels in ad network banners.
Razer
rayzer at riseup.net
Sun Dec 11 17:41:48 PST 2016
On 12/11/2016 01:07 PM, rooty wrote:
> LMFAO -
>
> https://securelist.com/blog/virus-watch/74297/png-embedded-malicious-payload-hidden-in-a-png-file/
>
This is related but you miss the 'nuance', troll.
Why is that funny? Because you're just a crude bot with an owner who
knows how to use a search engine.
Rr
> -------- Original Message --------
> On Dec 11, 2016, 6:04 AM, John Newman wrote:
>
>
> You're an utter fool if you don't, at the bare minimum, run a
> fucking adblocker plugin.
> ABP exists for Firefox, Chrome, Safari and as a dedicated browser
> for Android...
>
> Interesting story tho..
>
> --
> John
>
> On Dec 10, 2016, at 3:56 PM, Razer <rayzer at riseup.net> wrote:
>
>> Apparently this had been going on for a couple of years...
>>
>>>
>>> "The criminals were able to send banner ads and javascript to
>>> their targets' computers by pushing both into ad networks. These
>>> networks aggressively scan advertisers' javascript for
>>> suspicious code, so the criminals needed to sneak their bad code
>>> past these checks.
>>> To do this, they made tiny alterations to the transparency
>>> values of the individual pixels of the accompanying banner ads,
>>> which were in the PNG format, which allows for pixel-level
>>> gradations in transparency. The javascript sent by the attackers
>>> would run through the pixels in the banners, looking for ones
>>> with the telltale alterations, then it would turn that tweaked
>>> transparency value into a character. By stringing all these
>>> characters together, the javascript would assemble a new
>>> program, which it would then execute on the target's computer.
>>> This new program triggered a network request to a site
>>> controlled by the attackers, which repeatedly checked the
>>> target's computer to see if it was running inside a virtual
>>> machine (a telltale sign of a paranoid user, possibly a security
>>> researcher who would figure out what was going on) or whether it
>>> had any anti-virus software. Once it was satisfied that the
>>> target was not in a position to detect active attacks, it
>>> launched exploits targeted at Internet Explorer/Flash to hijack
>>> the machine and gather the user's keystrokes, with a special
>>> emphasis on bank-industry information."
>>
>>
>> http://boingboing.net/2016/12/07/for-two-years-criminals-stole.html
>>
>> More:
>> http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
>>
>>
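A defender-side check for the technique the quoted article describes, as an added example that is not part of the original thread or of any tool it mentions: it decodes the alpha channel of a banner PNG and flags images that look fully opaque yet carry many distinct near-opaque transparency levels. The function names, the `near` and `max_levels` thresholds, and the sample images built by `make_png` are assumptions made for illustration; only 8-bit RGBA, non-interlaced PNGs are handled.

```python
import struct, zlib
SIG = b"\x89PNG\r\n\x1a\n"

def _paeth(a, b, c):  # predictor for PNG filter type 4
    pa, pb, pc = abs(b - c), abs(a - c), abs(a + b - 2 * c)
    return a if pa <= pb and pa <= pc else b if pb <= pc else c

def alpha_values(data):
    """Alpha byte of every pixel in an 8-bit RGBA, non-interlaced PNG."""
    if not data.startswith(SIG):
        raise ValueError("not a PNG")
    pos, ihdr, idat = len(SIG), None, b""
    while pos + 8 <= len(data):  # walk chunks: length, type, body, CRC
        n, kind = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + n]
        if kind == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif kind == b"IDAT":
            idat += body
        pos += 12 + n
    if ihdr is None or ihdr[2:4] != (8, 6) or ihdr[6] != 0:
        raise ValueError("only 8-bit RGBA, non-interlaced PNGs are handled")
    raw, stride, out = zlib.decompress(idat), ihdr[0] * 4, []
    prev = bytearray(stride)
    for start in range(0, ihdr[1] * (stride + 1), stride + 1):
        ftype, line = raw[start], bytearray(raw[start + 1:start + 1 + stride])
        for i in range(stride):  # undo the per-scanline filter (types 0-4)
            a = line[i - 4] if i >= 4 else 0
            b, c = prev[i], (prev[i - 4] if i >= 4 else 0)
            line[i] = (line[i] + (0, a, b, (a + b) // 2, _paeth(a, b, c))[ftype]) & 0xFF
        out.extend(line[3::4])
        prev = line
    return out

def alpha_report(data, near=16, max_levels=4):
    """Heuristic; both thresholds are assumptions, not tuned values."""
    alphas = alpha_values(data)
    levels = {a for a in alphas if a < 255}  # distinct non-opaque alpha values
    looks_opaque = min(alphas) >= 255 - near  # nothing visibly transparent
    return {"levels": len(levels), "looks_opaque": looks_opaque,
            "suspicious": looks_opaque and len(levels) > max_levels}

def make_png(width, height, alphas):  # builds the constructed sample inputs
    def chunk(kind, body):
        return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body))
    px = [b"\xff\xff\xff" + bytes([a]) for a in alphas]
    rows = b"".join(b"\x00" + b"".join(px[y * width:(y + 1) * width]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")
```

A genuine fade or anti-aliased edge reaches well below the `near` band and is not flagged; re-encoding creatives with the alpha channel flattened removes the carrier regardless of what the heuristic reports.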