Blog

A whole bunch of Windows applications is vulnerable to a so-called binary-planting attack which allows for remote code execution. Microsoft released a security advisory about this issue which isn’t easy to fix properly. This issue arises due to the (defined and well documented) behavior of Windows when loading libraries by an application. A .dll to load gets searched in a certain standard path list. This list also includes the current working directory, which is the place a document gets opened from for example. When a file with the name of a DLL which the corresponding application needs to load is placed into the working directory, it will get loaded – this can be a malicious DLL though. ...

If you’re as big as Google, there’s no such thing as a small product launch. So when Google introduced voice calls into its webmail service Gmail, essentially launching a Skype competitor, it was bound to be a popular feature. How popular, exactly? Well, according to a tweet from Google, the users seem to love it, as more than one million calls were placed in the first 24 hours since the feature went live. ...

The following internet advice which may have a subject title such as above could just get you killed. Like any other middle aged, balding, over-weight chap my mother still worries about me. So when her friend sent this to her and many other people, she forwarded it to me first:- Just in case!!! Let’s say it’s 6.15pm and you’re going home (alone of course), after an unusually hard day on the job. ...

Like a lot of seedy stuff, this started with a Twitter post:. The current working version of Mozilla’s Firefox browser is 3.6.8. Version 4 is in beta testing. You get them FREE from Mozilla.. Why would you need a crack (program with its password broken) or a keygen (application that generates a password for a password-protected program) for something that is FREE? Well, there’s a sucker born every minute and the folks at this warez (pirated software) site are betting there are a lot of them using Twitter. ...

File-sharing organization Pirate Bay has been controversial for a long time, like maybe the length of its entire existence. It’s been in the news recently because a number of governments are trying to shut it down. That’s a situation ripe for social engineering. We found this scheme this morning: a number of typo-squatting sites carrying the following. (Note: the REAL Pirate Bay site is thepiratebay.org.) What would lead a victim to this? The phony site piratebay.com (below) comes up as the third result on a Google search for “piratebay” or fourth for “pirate bay.” ...

Microsoft has posted an advisory that explains the “DLL preloading attacks” and offers a work-around tool that “allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis.” When an application loads a .dll file, but doesn’t name a full path name,Windows searches a pre-defined set of directories for it. Exploiting this, an intruder could social engineer a victim into loading a malicious .dll from a USB drive or from a network and execute arbitrary code. ...

One of the most common scenarios we observe on a daily basis are users coaxed into phishing campaigns and malicious applications on Facebook. As we interact with our friends and family on social networks, we tend to trust of any and all of the information that appears to be from our “trusted network.” However, Facebook is one of the most trolled social networks by cyber criminals. They are waiting for you to make a mistake and once you make it, they will be sure to hack you and exploit your friends trust through your newly hacked account. ...

Here’s one of the latest Facebook phish attempts: videos of “beautifull” girls: It might look like the Facebook login page, but, check out the URL. I don’t think you want to log in to Facebook there.

Back in November 2007, I’ve seen this technique used by one of the variant of Worm called W32/Drom. The technique was not to execute the malicious file or component of the worm but to prevent Antivirus Program from running. The Worm queries the following Antivirus registries to get the Installation Path, once acquired, it creates a folder named “ws2_32.dll” with Hidden and System attributes on that location. As I test this technique, it prevented the program from running as it first loads the “ws2_32.dll” folder in the current directory. ...

Sigh… The latest “exploit” that affects hundreds of programs and will be the end of the world as we currently know it is actually a well documented feature of Windows. It has actually been around since the DOS days. In the old days we used to call these Companion viruses. It worked by using a different file extension that will be executed before the real executable. For example if you had a “gwbasic.exe” you would create a “gwbasic.com” anywhere in the path and if the user just typed “gwbasic” he would execute the “gwbasic.com” and not the “gwbasic.exe”. If the author of the “gwbasic.com” was ‘nice’ he could execute the “gwbasic.exe” so as to make the existence of the “gwbasic.com” file harder to detect. ...