Steganographic malware via altered transparency value pixels in ad network banners.

Razer rayzer at riseup.net
Sun Dec 11 17:41:48 PST 2016



On 12/11/2016 01:07 PM, rooty wrote:
> LMFAO -
>
>
> https://securelist.com/blog/virus-watch/74297/png-embedded-malicious-payload-hidden-in-a-png-file/
>
>
>


This is related but you miss the 'nuance', troll.

Why is that funny? Because you're just a crude bot with an owner who
knows how to use a search engine.

Rr




> -------- Original Message --------
> On Dec 11, 2016, 6:04 AM, John Newman wrote:
>
>
>     You're an utter fool if you don't, at the bare minimum, run a
>     fucking adblocker plugin.
>     ABP exists for Firefox, chrome, Safari and as a dedicated browser
>     for android...
>
>     Interesting story tho..
>
>     -- 
>     John
>
>     On Dec 10, 2016, at 3:56 PM, Razer <rayzer at riseup.net> wrote:
>
>>     Apparently this had been going on for a couple of years...
>>
>>>
>>>     "The criminals were able to send banner ads and javascript to
>>>     their targets' computers by pushing both into ad networks. These
>>>     networks aggressively scan advertisers' javascript for
>>>     suspicious code, so the criminals needed to sneak their bad code
>>>     past these checks.
>>>     To do this, they made tiny alterations to the transparency
>>>     values of the individual pixels of the accompanying banner ads,
>>>     which were in the PNG format, which allows for pixel-level
>>>     gradations in transparency. The javascript sent by the attackers
>>>     would run through the pixels in the banners, looking for ones
>>>     with the telltale alterations, then it would turn that tweaked
>>>     transparency value into a character. By stringing all these
>>>     characters together, the javascript would assemble a new
>>>     program, which it would then execute on the target's computer.
>>>     This new program triggered a network request to a site
>>>     controlled by the attackers, which repeatedly checked the
>>>     target's computer to see if it was running inside a virtual
>>>     machine (a telltale sign of a paranoid user, possibly a security
>>>     researcher who would figure out what was going on) or whether it
>>>     had any anti-virus software. Once it was satisfied that the
>>>     target was not in a position to detect active attacks, it
>>>     launched exploits targeted at Internet Explorer/Flash to hijack
>>>     the machine and gather the user's keystrokes, with a special
>>>     emphasis on bank-industry information."
>>
>>
>>     http://boingboing.net/2016/12/07/for-two-years-criminals-stole.html
>>
>>     More:
>>     http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
>>
>>
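
A defender-side view of the technique described in the quoted report, as an added example that is not part of the original thread: a check over a banner's decoded pixels that flags an alpha channel carrying many distinct nearly-opaque values. The function names, the 240..254 band and both thresholds are assumptions chosen for illustration, and the sample banners are constructed.

```javascript
// Added example, not from the thread. `rgba` uses the layout of canvas
// ImageData.data: four bytes (R, G, B, A) per pixel.
// Assumptions: the 240..254 band and both thresholds; tune on real creatives.
function alphaChannelReport(rgba, opts = {}) {
  const { bandFloor = 240, minFraction = 0.05, minEntropyBits = 2 } = opts;
  if (rgba.length === 0 || rgba.length % 4 !== 0) {
    throw new RangeError("expected a non-empty RGBA buffer");
  }
  const histogram = new Uint32Array(256);
  for (let i = 3; i < rgba.length; i += 4) histogram[rgba[i]]++;

  // Count pixels that look opaque to a viewer but are not alpha 255.
  let inBand = 0;
  let distinct = 0;
  for (let a = bandFloor; a < 255; a++) {
    inBand += histogram[a];
    if (histogram[a] > 0) distinct++;
  }
  // Shannon entropy of the in-band alpha values. A soft anti-aliased edge
  // adds only a few such values; per-pixel alterations spread across many.
  let entropyBits = 0;
  for (let a = bandFloor; a < 255; a++) {
    if (histogram[a] === 0) continue;
    const p = histogram[a] / inBand;
    entropyBits -= p * Math.log2(p);
  }
  const fraction = inBand / (rgba.length / 4);
  const suspicious = fraction >= minFraction && entropyBits >= minEntropyBits;
  return { fraction, distinct, entropyBits, suspicious };
}

// Constructed sample banners (64x16), built inline so the check runs offline.
function makeBanner(width, height, alphaAt) {
  const rgba = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < width * height; i++) {
    rgba.set([200, 30, 30, alphaAt(i % width, i)], i * 4);
  }
  return rgba;
}
const opaqueBanner = makeBanner(64, 16, () => 255);
const softEdgeBanner = makeBanner(64, 16, (x) => Math.min(255, x * 8));
const alteredBanner = makeBanner(64, 16, (x, i) => 255 - ((i * 7) % 16));

for (const [name, img] of Object.entries({ opaqueBanner, softEdgeBanner, alteredBanner })) {
  console.log(name, alphaChannelReport(img));
}
```

In a creative-review pipeline the buffer would come from whatever PNG decoder is already in use; a flagged banner is a cue to inspect the script shipped alongside it, not a verdict on its own.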
