Steganographic malware via altered transparency value pixels in ad network banners.

rooty arpspoof at protonmail.com
Mon Dec 12 10:24:40 PST 2016


http://tinyurl.com/qjdper2









-------- Original Message --------
Subject: Re: Steganographic malware via altered transparency value pixels in ad network banners.
Local Time: December 11, 2016 5:41 PM
UTC Time: December 12, 2016 1:41 AM
From: rayzer at riseup.net
To: cypherpunks at lists.cpunks.org






On 12/11/2016 01:07 PM, rooty wrote:

LMFAO -


https://securelist.com/blog/virus-watch/74297/png-embedded-malicious-payload-hidden-in-a-png-file/





This is related but you miss the 'nuance', troll.

Why is that funny? Because you're just a crude bot with an owner who knows how to use a search engine.

Rr






-------- Original Message --------
On Dec 11, 2016, 6:04 AM, John Newman wrote:


You're an utter fool if you don't, at the bare minimum, run a fucking adblocker plugin.
ABP exists for Firefox, Chrome, Safari and as a dedicated browser for Android...


Interesting story tho..

--
John


On Dec 10, 2016, at 3:56 PM, Razer <rayzer at riseup.net> wrote:



Apparently this had been going on for a couple of years...



"The criminals were able to send banner ads and javascript to their targets' computers by pushing both into ad networks. These networks aggressively scan advertisers' javascript for suspicious code, so the criminals needed to sneak their bad code past these checks.
To do this, they made tiny alterations to the transparency values of the individual pixels of the accompanying banner ads, which were in the PNG format, which allows for pixel-level gradations in transparency. The javascript sent by the attackers would run through the pixels in the banners, looking for ones with the telltale alterations, then it would turn that tweaked transparency value into a character. By stringing all these characters together, the javascript would assemble a new program, which it would then execute on the target's computer.
This new program triggered a network request to a site controlled by the attackers, which repeatedly checked the target's computer to see if it was running inside a virtual machine (a telltale sign of a paranoid user, possibly a security researcher who would figure out what was going on) or whether it had any anti-virus software. Once it was satisfied that the target was not in a position to detect active attacks, it launched exploits targeted at Internet Explorer/Flash to hijack the machine and gather the user's keystrokes, with a special emphasis on bank-industry information."



http://boingboing.net/2016/12/07/for-two-years-criminals-stole.html

More: http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
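
The quoted article text above says the banners carried code in tiny changes to per-pixel PNG transparency values. As an added example (not part of the original thread, nor code from any tool or vendor named in it), this is a defender-side triage check that reads a banner's alpha channel and flags images that are almost, but not fully, opaque across many distinct levels. The function names, the thresholds and the two sample images are assumptions made for illustration; only 8-bit RGBA, non-interlaced PNGs are handled.

```python
import struct, zlib
SIG = b"\x89PNG\r\n\x1a\n"

def rgba_alpha(png):
    """Alpha byte of every pixel in an 8-bit RGBA, non-interlaced PNG."""
    if png[:8] != SIG:
        raise ValueError("not a PNG")
    pos, idat, hdr = 8, b"", None
    while pos + 8 <= len(png):                 # walk length/type/data/CRC chunks
        length, kind = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if kind == b"IHDR":
            hdr = struct.unpack(">IIBBBBB", body)
        idat += body if kind == b"IDAT" else b""
        pos += 12 + length
    if hdr is None or (hdr[2], hdr[3], hdr[6]) != (8, 6, 0):
        raise ValueError("only 8-bit RGBA, non-interlaced is handled")
    w, h = hdr[:2]
    raw, n, prev, out = zlib.decompress(idat), w * 4, bytearray(w * 4), []
    for y in range(h):
        ft, row = raw[y * (n + 1)], bytearray(raw[y * (n + 1) + 1:(y + 1) * (n + 1)])
        for i in range(n):                     # undo scanline filter types 0-4
            a, b, c = (row[i - 4], prev[i], prev[i - 4]) if i >= 4 else (0, prev[i], 0)
            pa, pb, pc = abs(b - c), abs(a - c), abs(a + b - 2 * c)
            paeth = a if pa <= pb and pa <= pc else b if pb <= pc else c
            row[i] = (row[i] + (0, a, b, (a + b) // 2, paeth)[ft]) & 0xFF
        out.extend(row[3::4])                  # every 4th byte is the alpha value
        prev = row
    return out

def alpha_report(png, floor=240, min_share=0.05, min_levels=8):
    """Triage heuristic; the three thresholds are assumptions, not from the page."""
    al = rgba_alpha(png)
    near = [v for v in al if floor <= v < 255] # almost, but not fully, opaque
    share, levels = len(near) / len(al), len(set(near))
    return {"share": round(share, 3), "levels": levels,
            "suspicious": share >= min_share and levels >= min_levels}

def sample_png(w, h, alpha_at):
    """Constructed test image: one solid colour, alpha set per pixel, filter 0."""
    def chunk(k, d):
        return struct.pack(">I", len(d)) + k + d + struct.pack(">I", zlib.crc32(k + d))
    rows = b"".join(b"\x00" + b"".join(bytes((200, 30, 30, alpha_at(x, y)))
                    for x in range(w)) for y in range(h))
    return (SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", w, h, 8, 6, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))

CLEAN = sample_png(32, 8, lambda x, y: 255)                          # constructed
ALTERED = sample_png(32, 8, lambda x, y: 255 - (x * 7 + y * 3) % 12)  # constructed
print(alpha_report(CLEAN), alpha_report(ALTERED))
```

A flagged banner is a candidate for manual review rather than a verdict, since legitimately anti-aliased or semi-transparent artwork can trip the same thresholds.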