Daemon.be is a security research group from Western Europe. We use this blog to refine our own thinking on information security issues.

Malicious RAR files

November 26, 2007

By Maarten Van Horenbeeck


Over the last few months, a relatively significant number of RAR files have shown up in various targeted attacks we've looked at. Archivers are very interesting targets. Generally, you upgrade software when you require new functionality, or when the software informs you that an upgrade has been made available.


WinRAR, a very popular archiver, hasn't really added significant new functionality to its feature set. The reason is quite easy to understand: you expect your archiver to create archives. It doesn't need to do much more. It also doesn't prompt you to upgrade all that often. Overall, it's a useful tool, but it remains just that. A tool.


This may explain the following little graph, which shows you the different pieces of software that were targeted in one ongoing attack, focused against one organization, which we've been tracking for quite some time now:



Quite popular indeed, WinRAR.


WinRAR has been affected by quite a few vulnerabilities in the versions leading up to WinRAR 3.6. In February of this year, a vulnerability was found in the handling of password-encrypted RAR archives by the unrar command line tool. Another bug, identified in 2006, was rooted in incorrect handling of LHA archives by WinRAR. In 2005, two bugs in WinRAR 3.51 each allowed an attacker to create malicious RAR files which then executed code on affected systems.


Yesterday, an interesting sample called "pictures.rar" was attached to an otherwise benign e-mail message. To the vast majority of file-scanning AV products, the file didn't even look suspicious. Below is a list of coverage at the time of distribution. Note that the three products which did identify the file actually share the same scanning engine:



Engine             Version          Last update   Result
AhnLab-V3          2007.11.24.0     2007.11.23    -
AntiVir            7.6.0.34         2007.11.25    -
Authentium         4.93.8           2007.11.24    -
Avast              4.7.1074.0       2007.11.25    -
AVG                7.5.0.503        2007.11.25    -
BitDefender        7.2              2007.11.25    -
CAT-QuickHeal      9.00             2007.11.24    -
ClamAV             0.91.2           2007.11.25    -
DrWeb              4.44.0.09170     2007.11.25    -
eSafe              7.0.15.0         2007.11.21    -
eTrust-Vet         31.3.5324        2007.11.24    -
Ewido              4.0              2007.11.25    -
FileAdvisor        1                2007.11.25    -
Fortinet           3.14.0.0         2007.11.25    -
F-Prot             4.4.2.54         2007.11.25    -
F-Secure           6.70.13030.0     2007.11.25    Exploit.Win32.WinRar.g
Ikarus             T3.1.1.12        2007.11.25    Exploit.Win32.WinRar.g
Kaspersky          7.0.0.125        2007.11.25    Exploit.Win32.WinRar.g
McAfee             5170             2007.11.23    -
Microsoft          1.3007           2007.11.25    -
NOD32v2            2684             2007.11.25    -
Norman             5.80.02          2007.11.23    -
Panda              9.0.0.4          2007.11.25    -
Prevx1             V2               2007.11.25    -
Rising             20.19.61.00      2007.11.25    -
Sophos             4.23.0           2007.11.25    -
Sunbelt            2.2.907.0        2007.11.24    -
Symantec           10               2007.11.25    -
TheHacker          6.2.9.141        2007.11.24    -
VBA32              3.12.2.5         2007.11.23    -
VirusBuster        4.3.26:9         2007.11.25    -
Webwasher-Gateway  6.0.1            2007.11.25    -


When opened with a recent WinRAR 3.6, the application refused to open the file. With an older WinRAR 3.4.2 on an XP system, however, more interesting things happened.


The RAR archive triggered a buffer overflow vulnerability in WinRAR, after which code was executed which dropped an Alternate Data Stream (ADS) at:


C:\windows\system32:system32.exe


While it's trivial to extract ASCII files from ADS streams, it's relatively difficult to do the same with binaries. There are several freeware tools available which can do this, but the free versions generally restrict you from reading ADS from within the Windows directory. The easiest command-line solution is CAT.exe from the Windows 2000 resource kit, or you can copy the file and its accompanying ADS to another directory using Robocopy (a command-line replacement for xcopy which does support data streams) and then use whatever tool you wish.
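Added example, not from the post: with Python on Windows you can enumerate and copy named streams without third-party tools, because the kernel32 function FindFirstStreamW lists the streams of a file or directory and Python's open() accepts the NTFS "path:stream" syntax. The two path helpers are pure string handling and run anywhere; list_streams, find_hidden_streams and extract_stream need Windows and an NTFS volume, and the path from the post is used only as a string to illustrate the split.

```python
import ctypes
import os
import shutil
import sys


def split_ads_path(path):
    """Split 'C:\\dir\\file:stream' into (file_path, stream) with stream None if absent.
    The drive-letter colon is not a stream separator."""
    head, sep, tail = path.rpartition(":")
    if not sep or (len(head) == 1 and head.isalpha()) or "\\" in tail or "/" in tail:
        return path, None
    return head, tail


def parse_stream_name(raw):
    """Turn the ':name:$TYPE' string reported by FindFirstStreamW into (name, type).
    The unnamed default data stream is reported as '::$DATA'."""
    parts = raw.split(":")
    if len(parts) != 3 or parts[0] != "":
        raise ValueError(f"unexpected stream name: {raw!r}")
    return parts[1], parts[2]


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]


INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


def list_streams(path):
    """Enumerate the streams of a file or directory as (name, type, size); Windows only."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    info = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(info), 0)   # 0 = FindStreamInfoStandard
    if handle in (None, INVALID_HANDLE_VALUE):
        # A directory without named streams reports ERROR_HANDLE_EOF here.
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            name, kind = parse_stream_name(info.cStreamName)
            streams.append((name, kind, info.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(info)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def find_hidden_streams(root):
    """Walk root and yield (path, stream, size) for every named $DATA stream.
    Directories are checked too, since the post's sample hid its stream on system32."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                for name, kind, size in list_streams(entry):
                    if kind == "$DATA" and name:
                        yield entry, name, size
            except OSError:
                continue


def extract_stream(path, stream, dest):
    """Copy a named stream into a regular file for analysis; returns the bytes written."""
    with open(f"{path}:{stream}", "rb") as src, open(dest, "wb") as out:
        shutil.copyfileobj(src, out)
    return os.path.getsize(dest)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\windows\system32"
    for path, stream, size in find_hidden_streams(target):
        print(f"{path}:{stream}  ({size} bytes)")
```

Reading the stream through open() needs only the NTFS path syntax, so it works on streams inside the Windows directory where the free tools the post mentions give up; run it from an elevated prompt if the directory's ACL requires it.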


Once extracted, the UPX-packed file could easily be unpacked. It had virtually no AV detection and injects code into the Internet Explorer process. Next, iexplore.exe performs a DNS lookup for the following host:


sds.bi-apple.net


This host currently resolves to 63.64.63.64, which is really a fictional IP address that is used by this specific group (I like to refer to them as "threat agents") quite regularly, apparently to "park" their attack hosts when not in use. Finally, the tool attempts to set up an obfuscated connection to that server on port 3460.
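The three indicators in this paragraph (the hostname, the parking address and the port) lend themselves to a simple correlation rule. The Python below is an added example and not part of the original post; the DNS and firewall log lines are constructed in a simplified key=value format, and 198.51.100.0/24 is a documentation range standing in for a live command-and-control address. The state change worth alerting on is the C2 name no longer resolving to the parking address: the implant was already polling, but now it has somewhere to go.

```python
import re

# Indicators named in the post: the C2 hostname, the address it is "parked" at
# when idle, and the TCP port the backdoor connects to.
C2_HOSTS = {"sds.bi-apple.net"}
PARKING_IP = "63.64.63.64"
C2_PORT = 3460

# Constructed sample logs (not real captures). ws17 is the infected host.
DNS_LOG = """\
2007-11-26T10:15:02 host=ws17 query=sds.bi-apple.net answer=63.64.63.64
2007-11-26T10:16:00 host=ws22 query=www.example.com answer=198.51.100.7
2007-11-26T11:40:33 host=ws17 query=sds.bi-apple.net. answer=198.51.100.20
"""
FW_LOG = """\
2007-11-26T10:15:03 host=ws17 proto=tcp dst=63.64.63.64 dport=3460 action=deny
2007-11-26T11:40:35 host=ws17 proto=tcp dst=198.51.100.20 dport=3460 action=allow
2007-11-26T11:41:00 host=ws22 proto=tcp dst=198.51.100.7 dport=443 action=allow
2007-11-26T11:42:10 host=ws30 proto=tcp dst=198.51.100.44 dport=3460 action=allow
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proto=(?P<proto>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$")


def analyze(dns_log, fw_log):
    """Correlate DNS answers for the C2 name with outbound connections; return alerts."""
    alerts = []
    live_c2 = set()   # addresses the C2 name resolved to, other than the parking IP

    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        name = m["query"].rstrip(".").lower()
        if name not in C2_HOSTS:
            continue
        if m["answer"] == PARKING_IP:
            # The implant is installed and polling, but the operators are idle.
            rule, severity = "c2-name-parked", "medium"
        else:
            # The name now points somewhere real: the C2 has been activated.
            live_c2.add(m["answer"])
            rule, severity = "c2-name-active", "high"
        alerts.append({"ts": m["ts"], "host": m["host"], "rule": rule,
                       "severity": severity, "detail": f"{name} -> {m['answer']}"})

    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m or int(m["dport"]) != C2_PORT:
            continue
        if m["dst"] in live_c2:
            rule, severity = "c2-connection", "critical"
        elif m["dst"] == PARKING_IP:
            rule, severity = "c2-parked-connect", "medium"
        else:
            # Same port, unknown destination: low confidence, but worth a look.
            rule, severity = "port-3460-outbound", "low"
        alerts.append({"ts": m["ts"], "host": m["host"], "rule": rule,
                       "severity": severity, "detail": f"{m['dst']}:{m['dport']} {m['action']}"})
    return alerts


def hosts_by_severity(alerts, minimum="high"):
    """Sorted list of hosts with at least one alert at or above the given severity."""
    order = ["low", "medium", "high", "critical"]
    cutoff = order.index(minimum)
    return sorted({a["host"] for a in alerts if order.index(a["severity"]) >= cutoff})


if __name__ == "__main__":
    for a in analyze(DNS_LOG, FW_LOG):
        print(f"{a['ts']} {a['severity']:8} {a['host']:5} {a['rule']:20} {a['detail']}")
    print("hosts to isolate:", hosts_by_severity(analyze(DNS_LOG, FW_LOG)))
```

The firewall rule deliberately grades a connection to the parking address lower than one to a freshly resolved address: the first tells you a machine is infected, the second tells you the operators are active right now.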


While we're still looking at the backdoor, a member of the DarkMoon family, it appears to have at least some keylogging functionality. Most interesting, it does almost everything in memory, with only a 9k binary stored on disk.


(Posted in exploits)