WWW Malware Hides in Images

There’s a new malware toolkit that uses steganography to hide in images:

For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high profile websites.

Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files.

In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads.

The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites.

Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character.
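The quoted description (pixel transparency values read back by script and turned into characters) suggests what a defender can check for before an image goes live: whether a banner’s alpha channel carries variation that has no visual purpose. The following Python is an added example, not code from ESET, the quoted article, or the campaign: it contains a minimal writer and reader for 8-bit non-interlaced RGBA PNGs (the reader undoes all five scanline filter types) and a heuristic score over the alpha channel. The heuristic itself, the `tolerance` threshold, every function name, and the constructed sample banner are assumptions of this example rather than details from the report.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Wrap a chunk body as length + type + body + CRC32, as the PNG format requires."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def build_rgba_png(width, height, pixels, sub_filter=False):
    """Encode 8-bit RGBA pixels (row-major list of (r, g, b, a)) as a non-interlaced PNG.
    Rows use filter type 0 (None), or type 1 (Sub) when sub_filter is set."""
    raw = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row.extend(pixels[y * width + x])
        if sub_filter:
            raw.append(1)
            raw.extend((row[i] - (row[i - 4] if i >= 4 else 0)) & 0xFF for i in range(len(row)))
        else:
            raw.append(0)
            raw.extend(row)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # depth 8, colour type 6 = RGBA
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b"")


def _paeth(a, b, c):
    """Paeth predictor from the PNG specification (filter type 4)."""
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def read_alpha_channel(png: bytes):
    """Parse an 8-bit non-interlaced RGBA PNG and return (width, height, alpha samples).
    Chunk CRCs are not verified; other colour types raise ValueError."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, bytearray(), None, None
    while pos + 8 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        tag, body = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        pos += 12 + length  # length, type, body, CRC
        if tag == b"IHDR":
            width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if (depth, ctype, interlace) != (8, 6, 0):
                raise ValueError("only 8-bit non-interlaced RGBA is handled here")
        elif tag == b"IDAT":
            idat.extend(body)
        elif tag == b"IEND":
            break
    data, bpp = zlib.decompress(bytes(idat)), 4
    stride = width * bpp
    prev, alphas, off = bytearray(stride), [], 0
    for _ in range(height):
        ftype, line = data[off], bytearray(data[off + 1:off + 1 + stride])
        off += 1 + stride
        for i in range(stride):  # undo the per-row filter, byte by byte
            a = line[i - bpp] if i >= bpp else 0  # left neighbour, same channel
            b = prev[i]                            # byte directly above
            c = prev[i - bpp] if i >= bpp else 0  # upper-left neighbour
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                line[i] = (line[i] + _paeth(a, b, c)) & 0xFF
        alphas.extend(line[3::4])  # every fourth byte of an RGBA row is the alpha sample
        prev = line
    return width, height, alphas


def alpha_anomaly_score(alphas, tolerance=8):
    """Fraction of pixels whose alpha is within `tolerance` of 0 or 255 without being exactly
    0 or 255. Assumption of this example (not a figure from the report): a banner's alpha is
    mostly fully opaque or fully transparent, with in-between values only on antialiased
    edges, so a large share of almost-opaque pixels deserves a manual look."""
    near = sum(1 for a in alphas if 0 < a <= tolerance or 255 - tolerance <= a < 255)
    return near / len(alphas) if alphas else 0.0


def sample_banner(tampered: bool, sub_filter=False) -> bytes:
    """Constructed 16x16 test banner: opaque grey with a transparent 4x4 corner. With
    `tampered`, a 64-pixel strip gets alpha 248..254 in an arbitrary pattern; nothing is
    encoded in it, it only imitates the kind of barely visible variation described above."""
    pixels = []
    for y in range(16):
        for x in range(16):
            alpha = 0 if (x < 4 and y < 4) else 255
            if tampered and 8 <= y < 12:
                alpha = 248 + (x % 7)
            pixels.append((128, 128, 128, alpha))
    return build_rgba_png(16, 16, pixels, sub_filter)
```

To try it on a real creative, pass the file bytes to `read_alpha_channel` and feed the alpha list to `alpha_anomaly_score`; palette, greyscale and interlaced images raise rather than being guessed at. The score is a triage signal for an ad-review pipeline, not proof: legitimate soft shadows and gradients also produce in-between alpha values, so a high score means "open it and look", and the `tolerance` value should be tuned against the creatives a given network actually serves.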

Slashdot thread.

Posted on December 7, 2016 at 8:06 AM • 107 Comments

Comments

Peter File December 7, 2016 9:31 AM

Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads

That’s the root point: allowing a paying party to deliver arbitrary code in ad campaigns. Although the scheme is clever, it’s nothing other than obfuscated code.

The question is what do the ad network companies do to prevent or mitigate this? They obviously don’t deeply analyze the code (not an easy thing to do) to detect subterfuges like that. However, JS delivery is an “added value” they sell to advertisers, so putting restrictions on that is shooting at their own feet.

As you said before with the vulnerabilities of Internet of Things, this needs regulations. Meanwhile, ad blockers are even more justified.

Stegosaurus December 7, 2016 9:42 AM

“The script will then attempt to load the banner and read the RGBA structure. If a malicious version of the image was received, it will decode some Javascript and variables from the alpha channel”

In other words, the malware is hiding javascript code inside the PNG image in order to evade detection.

“The victim doesn’t even need to click on the malicious ad content; all it takes is to visit a website displaying it.”

That’s the best kind of drive-by download! No user interaction required.

“If no indication of monitoring is detected, it creates an iframe (just one pixel in size) at coordinates off the screen, sets its window.name property (this name will be used later) and redirects to TinyURL via https. TinyURL then redirects to an exploit landing page via http.”

No exploit is complete without using iframes to serve up webpages the size of a pixel. Get out your magnifying glass! Oh wait, the pixel is also located off the screen. Nevermind.

I find exploit analysis like this fascinating. It’s amazing how imaginative malware authors are in finding new ways to hide their exploit code from machine learning algorithms and human security researchers.

Basically if you have javascript, and especially flashplayer, enabled then you’re going to get burned by drive-by download malvertising eventually. Unless you’re running the browser in a virtual machine on something like Qubes OS.

Don’t feel bad. I’ve been burned from drive-by download ads multiple times in the past. The worst part is you don’t even know it’s happened to you or that you’ve been infected.

Detailed analysis with pictures.

http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/

Wael December 7, 2016 9:43 AM

from the word steganography, which is a technique of hiding content inside other files.

Nope! It means hiding the existence of content or message as opposed to cryptography, which means hiding the meaning of content or message!

intermediary ULR

What’s a “ULR”? I didn’t know they hired dyslexic editors!

There is no innovation here. It’s just an application of stego-kits for malware purposes instead of using the tool for stealth communications.

This isn’t an easy attack to mitigate.

Wael December 7, 2016 10:02 AM

@Max,

Any “ad blocker” will stop it.

That may be true for this instance of payload delivery. Won’t stop the class of attacks, though. The assumption is the user wants JavaScript enabled, too.

hawk December 7, 2016 10:07 AM

So what… why can’t they explain how the JS code attacks the machine. App developers know just because you can run JS in the browser it’s not like the user downloaded an executable. In other words there must be another vulnerability. And Wael is right, merely concealing the presence of data is not the same as concealing its meaning. More sophisticated attacks might hide across time, even in the form of TCP flags or packet errors. You would never find it in a million years.

Bruce Ediger December 7, 2016 10:16 AM

@Ad Blockers – “thieves”? Really? Who owns my computer? I do. Who gets to decide what runs on my PC? I do. Simple, basic property rights that are settled law and ethics for thousands of years. I’m very afraid that your “website operators” are confused, and anti-free market. The second I am required to run something by law (but not by morality, that will never happen) I have had my human property rights abused. “Thieves” – ha ha ha! I laugh at your “website operators” and call them a silly person!

oliver December 7, 2016 10:25 AM

Who has taken over this blog? This can not be Bruce who is posting this drivel lately!!
These last few posts have been nothing but bullshit and movie-plot threats.

That can’t be Bruce posting that?

Clive Robinson December 7, 2016 10:25 AM

@ Wael,

This isn’t an easy attack to mitigate.

Turning off javascript altogether is a start…

Which is what I did many years ago (for security reasons), as I’ve mentioned on more than a few occasions. But many responders said I was being a little paranoid… OH look, is that a chicken I see walking up the path 😉

As others like to point out it’s “free market economics”, so my suggestion is everybody turns javascript off. If you can not get at site content (Google, I’m looking at you), is that really any loss?

When people stop visiting sites with javascript enabled, either by the site or by those the site does business with, then hopefully they will get the message…

Javascript should without a doubt be killed off in its entirety; it’s always been a security liability and it always will be a security liability, as such it needs a bullet between its eyes.

Wael December 7, 2016 10:41 AM

@Clive Robinson,

Turning off javascript altogether is a start…

There are two perspectives to consider: Firstly, for readers of this blog, there are many ways of protection as discussed in the past. The second perspective is the general population who know very little about computers, the internet, and operating systems — let alone information security. These users are also a vector of attack against the security savvy.

I don’t turn JavaScript off, but I used to use Ghostery, which apparently is doing some shady things, last I heard.

I also use my real name, and don’t use Tor or anonymizing proxies. We are supposed to be in a free society that allows free speech, or is that just a slogan?

Marcus December 7, 2016 10:50 AM

Adobe Flash is what made this all possible. Everything else was just window dressing.

The Stegano exploit kit would use three Adobe Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117) to attack the user’s PC, and forcibly download and launch into execution various strains of malware.

Wael December 7, 2016 10:54 AM

@Clive Robinson,

Back on track so we don’t digress so early in thread…

Turning off javascript altogether is a start…

Then you have potentially mitigated an instance of an attack. You haven’t taken care of the class of attacks. You basically took an aspirin without knowing what’s causing the headache or fixing the root cause.

JavaScript was one payload delivery method. Is it the only method? What about other strains that use completely different flows (but still use stego and the basic described method?)

Wael December 7, 2016 11:56 AM

JavaScript needs to enable finer grain controls. Binary controls as in completely on or completely off isn’t cutting it. What we need is a tool or a control that allows the user to enable or disable certain functionalities. Not sure such a thing exists, and I don’t feel like looking.

Wael December 7, 2016 12:10 PM

@Clive Robinson,

as such it needs a bullet between its eyes.

I agree with this harsh assessment. What will it be replaced by?

Slime Mold with Mustard December 7, 2016 12:11 PM

When I try to convince people to turn off their JavaScript, I usually get a shrug, even from people aware of the risk. As far as I know, all media players require it. Running a VM seems a hassle for most people. Welcome to Cute Cat-bot World.

Slime Mold with Mustard December 7, 2016 12:15 PM

@ Bruce

Thank you for running a blog that does not require JS to either view or post comments

ab praeceptis December 7, 2016 12:22 PM

Wael

No, Clive Robinson’s statement is more akin to saying “I don’t need a smartphone or wifi. Not using them I don’t lose much and gain quite a lot in terms of security”

Sure, that alone doesn’t provide all around security but it does close down quite some entry points for ugly vermin.

r December 7, 2016 12:36 PM

@Wael,

Take a gander at uMatrix by gorhill, I’ve been playing with it since it was Chrome only and called HTTP Switchboard. He’s got some good development towards breaking up the interconnects of a browser.

Clive Robinson December 7, 2016 12:45 PM

@ Wael,

You basically took an aspirin without knowing what’s causing the headache or fixing the root cause.

I look on it not as taking medicine but as “Not Smoking”. That is, like smoking, it’s unsafe behaviour at any level (as any competent doctor will tell you).

As for “fixing the root cause”, did you know that for over 40% of those that die from heart issues, the doctors can not tell you why it happened?

Perhaps the multi level “onion” model –not Tor– needs to be considered along with the fact of fifty vectors per thousand lines of code, even in signed code… Not all of those vectors will lead to a successful attack on their own, but if an attacker can line a number up the right way then you are owned.

However if you can stop an attacker lining up the vectors then that attack type fails. Javascript appears to be one of the tools of choice currently attackers are going to use for lining up the vectors for such an attack… So cutting out javascript stops the attack and many similar ones.

The other thing: why on earth should I let unknown code run on my machine stealing not just CPU cycles, but other resources, especially my network bandwidth that I have to pay for, as mobile broadband is not “an all you can eat buffet”.

As far as I’m concerned javascript, java and flash are things you should in no way let near your computer from the Internet; you really do not know what you are getting and from whom, even when it’s signed.

Oh, there is one thing I can guarantee, which is these “ads4views” sites in no way will take liability for what they are causing to get on your computer in the way of nasties, and will fight every inch of the way to stop such a liability being imposed on them.

Thus the ads4views content should be avoided. If their content will not give them the revenue in other ways, then maybe it’s time they shut up shop and went the way of the dinosaurs… The larger ones tend to preach free market / libertarian ideals; if they “want to live by the sword maybe they should die by it…” I’ve considerably less than zero sympathy for them, or for that matter those who accept the ads; after all, they have been known to be bad news for well over a decade now.

To argue otherwise is just going to perpetuate the problem, and as you say other computers become infected which just makes these ads4view sites the equivalent of “Typhoid Mary” at the very least…

Wael December 7, 2016 12:55 PM

@r,

Take a gander at uMatrix by gorhill

That rings a bell. I’ll look at it in my next available time slot.

@ab praeceptis,

but it *does* close down quite some entry points for ugly vermin.

Sure! At what price? He can’t watch YouTube. That’s not the answer, though! Would it be an acceptable “security” solution to say: I’ll never use any computers, phones or digital media to close “security holes”?

Clive Robinson December 7, 2016 12:57 PM

@ Wael,

I agree with this harsh assessment. What will it be replaced by?

Why should it be replaced with anything?

Why should I have untrusted code shoved down my throat, when the shover accepts no liability for harm, use of resources, etc, etc?

What was the name of that lemon, with the dodgy fuel tank, where the bean counting types decided a few deaths were the better option than fixing the tank? Was it a Ford Pinto, and what happened when a judge found out?

ab praeceptis December 7, 2016 1:15 PM

Wael

“Acceptable” is largely a subjective thing.

To offer an example: One might have a “dirty” VM for youtubing. Is that acceptable? For some yes, for others not.

I personally, while seeing practical problems with it, do value Clive Robinson’s hard stance. For one it’s a perfectly valid one for some. More importantly, though, it provokes an overdue and urgent discussion/reflection by taking an extreme position.

And btw, it’s not our fault that one is pretty much forced into extreme positions, as there are very few screws to tune the javascript cancer. Basically it comes down to either keeping it turned on or to shut it off.

And yes, I did use the term cancer intentionally because that’s what javascript has become.

Ergo Sum December 7, 2016 1:30 PM

The more appropriate title would be ads are spreading malware, ergo old news…

Nothing new here, maybe the different delivery method, but the result is the same. The malware checks for a number of security protections and quietly exits if found. Yes, even antivirus stops this malware from executing…

I am with Bruce Ediger: I do what I want to on my system, not the websites and ad companies. If these companies can guarantee that no malware is distributed by them and will be financially responsible for the damage if they do, I may reconsider allowing ads…

hm December 7, 2016 1:36 PM

@ Clive Robinson and Wael, Re: “Why should it be replaced by anything”

I certainly agree with the crappiness of JavaScript and run NoScript except when really needed. Especially the resource drain and slowdown, even without security bugs. But just saying “don’t use Javascript” is not enough of an answer because it’s enabled by default for most of the population, and not so easy to run without on phones/tablets. So this only helps experts, and only on the desktop.

Perhaps a better plan would be to come up with a “Restricted JavaScript” API that dumps as much unsafe stuff as possible, especially removing parts of the DOM model access outside limited same-origin policy.

Then “real” webapps such as email or maps could explicitly be given access, similarly to phone apps requesting “App FooMail needs access to your contacts”, and users could grant access only when needed. Meanwhile pages that just need internal menus would just have access to their own in-page menus.

Also, perhaps, a security enhancement so that if a top level page loads a sub page via or then it could specify security restrictions, e.g. . Extensions like ublock or NoScript could then also force these restrictions on.

The key issue is that unless restrictions on JS are on for the default majority of users, websites will still tend to use these features and those of us with NoScript will have to deal with some pages where things like tab menus don’t work.

Compare this to Flash where Apple’s very public decision to drop this on iOS meant that websites have been migrating away.

Dr. I. Needtob Athe December 7, 2016 1:53 PM

Why can’t there be an undetectable ad blocker? It seems to me that a browser add-on could download a complete web page and simply trash the parts you don’t want to see or execute without the server detecting anything.

r December 7, 2016 1:55 PM

As per javascript enforced on your phones.

Android is roughly linux

compile links2/lynx/links/w3m/elinks

same goes for anyone who’s arguably concerned over the TBB and HTBB

for those on ff/chrome pick up umatrix for finer grained controls beyond noscript.net

r December 7, 2016 2:00 PM

The problem is there are no inline-deobfuscators-and-analyzers

plus don’t think that just because they’re using images now means that they can’t switch to using malware to issue search engine queries for any other steganographic c&c data or straight encrypted stuff that could be hosted indirectly (via google/yahoo/bing caches) ETC.

This is not new stuff

We saw intermediary communication being performed by an ADMIRAL to speak with his mistress and also by malware using the same mechanism of “drafts”.

Segregation and isolation are absolute musts.

Who’s still got a copy of DSL from 2000?

CallMeLateForSupper December 7, 2016 2:08 PM

@All

I second what Clive Robinson said:
“Javascript should without a doubt be killed off … it needs a bullet between its eyes.”

Regular readers might remember my saying essentially the same things here several times. I smiled when I read the second quoted statement (above) because it is a slight twist on my opinion[1] of JS: Enabling Javascript provides you with the opportunity to shoot yourself in the head.

[1] For years I have recited it to anyone expressing concern about their online security. Sadly, I don’t know of even one case where the advice found fertile ground.

r December 7, 2016 2:11 PM

This is the two way street with defensive communication though,

If we sit here and discuss using translate.google.com or proxy.ixquick.com the only thing we are doing is communicating weaponizable technology to others who may or may not be watching.

This is why tact is paramount, to communicate the breadth and theory without communicating EXACT mechanisms.

We are seeing automated cross hosting using dropbox and others.

If your .js’s aren’t signed and verified small limited scriptlets, your engine is going to run sugar through its tank at some point or another.

Oh haha, last thing.

The implementation of webkit on older android phones has a checkbox in its settings in android which allows the turning off of js.

EvilKiru December 7, 2016 2:19 PM

@Dr.: “Why can’t there be an undetectable ad blocker?”

Because web sites use JavaScript to detect whether or not their ads are being blocked?

CallMeLateForSupper December 7, 2016 2:22 PM

@Clive
“What was the name of that lemon, with the dodgy fuel tank… Was it a Ford Pinto”

It was. Mine was dark blue. German 4-speed manual transmission; 1600cc Cortina engine. The rest was junk.

” and what happened when a judge found out?”

I don’t recall (no pun). I sold the Pinto to a student for $200 and put the entire experience out of mind.

hm December 7, 2016 2:34 PM

@ r

Re: webkit on older android checkbox to turn off js — current Safari on iOS also has a setting to turn off JavaScript. But the question is what fraction of end-users outside this blog actually turn this off — guess: close to zero.

Re: “Javascript should without a doubt be killed off”, I agree for general usage at least, but the question is how to actually get there. I.e. how to get to the point that Firefox or Chrome disables this by default like people are now doing for Flash?

There are probably some legitimate low-risk client usages of scripting, such as show/hide elements for tab switching, or possibly “Show overlay before movie” although I hate this. Hence my suggestion to define a much smaller API by default and let any site that thinks they need a fuller API such as AJAX for a full webapp ask for permission.

Wael December 7, 2016 3:19 PM

@ab praeceptis,

“Acceptable” is largely a subjective thing.

If you didn’t say “largely”, I would say it’s debatable. At the surface of it, probably. If you decompose it and simplify it to: Reject a “needed” feature for added security or subtracted weakness, then it’s more objective. The subjective part is confined to “needed”.

And yes, I did use the term cancer intentionally because that’s what javascript has become.

I’m not a proponent of JavaScript either. It’s not the language! It’s the capability it provides. The capability itself is the weakness, not the language alone.

@Clive Robinson, @hm,

Why should it be replaced with anything?

To provide the needed capabilities?

Why should I have untrusted code shoved down my throat,

You don’t have to! There is a price to be paid, and I don’t like that either.

So cutting out javascript stops the attack and many similar ones.

I’m not disputing that! What I’m saying is disabling JavaScript will eliminate a class of attacks that leverage it, and potentially the instance of stego malware described in this thread; it will not stop the stego class of attacks… we’ll need additional so-called “controls”.

Btw: few things annoy me more than these ads popping out from everywhere, or ads we’re forced to “view” on YouTube. I never watch them and skip them at the earliest opportunity. These adverts never influenced my purchase decision making, and I question the effectiveness of the billions spent on them.

albert December 7, 2016 3:54 PM

“…ESET has declined to name the sites where the malvertising campaign was active,…”

Why not? Their names need to be broadcast worldwide. These folks need to be held accountable, and holding their feet to the fire is the only way to do it*.

Dollars to donuts isn’t a good bet anymore, but those websites’ services are probably available elsewhere.

The malware industry is the psychotic step-son of capitalistic information technology.

I, too, am of the opinion that Java needs to be killed. Might as well kill Flash while we’re at it. The cure is obvious.

Lots of websites will not work without Java. That’s why I use NoScript, but it can never be perfect.

Next time you hire a website developer, tell them you don’t want Flash or Java and see what they say.

I wonder how many folks do business with advertisers whose ads ‘sit on’ other companies websites?

. .. . .. — ….


*the best way is boycott their business by not visiting their website.

Clive Robinson December 7, 2016 4:05 PM

@ Wael,

To provide the needed capabilities?

Now you are starting to think in the right direction.

Back in the days of terminals all the program logic and state were kept where they belonged –for the security of both parties– on the server.

HTTP broke the security model by being stateless at the server; this required state to be worked badly into the client web browser, and out the back window went security.

Since then things have only got worse with web developers pushing more and more program logic at the client and relying on broken protocols that were ill thought out in the first place to maintain a modicum of privacy but by no means security.

So the real question is “Can the genie be put back in the bottle, or are we really living with the consequences of the box that Pandora misappropriated and opened to everybody’s cost?”

Personally I think, as with Flash and java, javascript can be deprecated and got rid of within a year or two at the most if the will was there (without going to the lengths of Y2K madness).

The result will be more security for both sides of a service and considerably less risk for individuals from third party attack by impersonation etc. The downside is very much the same as it currently is with MITM attacks due to using broken protocols and failed CA security.

Wael December 7, 2016 4:24 PM

@Clive Robinson,

To provide the needed capabilities?

The browser is an execution environment. It’s sandboxed, but that boundary is penetrable. Even if it’s impenetrable, there are still weaknesses. To replace JavaScript with something else that provides the same model may not improve the situation much.

Impossibly Stupid December 7, 2016 4:54 PM

@Peter File • December 7, 2016 9:31 AM

The question is what do the ad network companies do to prevent or mitigate this? They obviously don’t deeply analyze the code (not an easy thing to do) to detect subterfuges like that. However, JS delivery is an “added value” they sell to advertisers, so putting restrictions on that is shooting at their own feet.

One obvious solution is to not allow ads to have arbitrary code supplied by the advertiser, but just a limited library of functionality supplied by the network. I mean, how many “special” things really need to be done to display a legitimate ad for a product? But restraint never seems to be in style with any of these people so long as the promise of money is on the table.

George Engel December 7, 2016 5:21 PM

@Wael

Sure! At what price? He can’t watch YouTube.


That is an exaggeration, as surely you know. There is indeed a price, and its size is worth asking.

And naturally, people will disagree about the value of the goods being paid for.

But downloading videos from youtube’s servers, and watching them, can be done perfectly well without interpreting javascript in a browser.


I don’t turn JavaScript off, but I used to use Ghostery, which apparently is doing some shady things, last I heard.

Regulatory Capture is an expected outcome, when one participates in a borked system of pernicious incentives and trusts a malleable fallible regulator to mangle it into a meadow of rainbows and unicorns.

I also use my real name, and don’t use Tor or anonymizing proxies.

Then you have something in common with Tarek Mehanna, Mumia Abu-Jamal, Fred Hampton, Martin Luther King, August Spies, Albert Parsons, and Adolph Fischer.

Good company!

We are supposed to be in a free society that allows free speech, or is that just a slogan?

Speaking freely is something one either does, or does not.

It is a category error to assert that the practice of doing so is “allowed”.

r December 7, 2016 5:36 PM

We need a central script repository like namespace.github.io for authentication whitelisting standardization and distribution.

This whole ultradistributed monolithic jquery situation is ridiculous.

And it still doesn’t solve the ‘trusted’ issue completely as the Certificate Authority problem still looms overhead.

There’s another problem though related to the obfuscation problem, it’s that the entity of javascript allows for SMC including (I believe) the namespace itself.

E.g. Can I restrict a function name to a single imported entity? Say Somelib.somefunc(); as opposed to Anylib.somefunc();

?

Wael December 7, 2016 5:43 PM

@George Engel,

Then you have something in common with…

And what would that be? A dead or an imprisoned man? 🙂

Wael December 7, 2016 5:47 PM

@r,

Take a gander at uMatrix by gorhill

Seems like it’s a demanding plugin. A lot of work… not my cup of tea 😉

r December 7, 2016 5:52 PM

@Wael,

It’s only demanding if you don’t use it to turn everything off.

With umatrix you can blacklist all sorts of things on a global scale, the best thing to do is just use it to turn off everything (images included), and then only turn on small portions (like images) for a single site.

You can turn off CSS Images Scripts Plugins XHR Cookies everything down to the host level, unfortunately you can’t whitelist single scripts but you can whitelist sources so it’s a great way to strip the functionality of the browser down to a much smaller feature set quickly.

Wael December 7, 2016 6:17 PM

@George Engel,

Following Mehanna’s sentencing, the ACLU released a statement saying that the suppression of unpopular ideas is contrary to American values, and that the verdict undermines the First Amendment.[10] Specifically, it stated, “Under the government’s theory of the case, ordinary people–including writers and journalists, academic researchers, translators, and even ordinary web surfers–could be prosecuted for researching or translating controversial and unpopular ideas.

Umm… where do we get Tor from?

@Ratio, my friend: You see that? Quit writing in them foreign scripts, dude!

r December 7, 2016 6:44 PM

@Gorhill, Wael, All 😉

The only features I find missing in uMatrix are a secure/insecure https toggle; the ability to block individual files, e.g. file1.js, file2.css, file3.gif; and a right click functionality for blocking bothersome elements like in uBlock.

I modify firefox’s about:config “image.http.accept” to include only jp[e]g, png and svg. The default for my version reads: “*/*”, which is generally a bad idea if you’re the enemy of gif89a’s like myself.

image/jpeg image/jpg image/png image/svg image/gif image/art image/bitmap image/bmp you/get/the/idea/that/“*/*”/is/bad

So, with a little bit of work you can work out some semi-fine grained controls over what you want to accept and not – but don’t forget that javascript and html are both capable of <embed> && <object> so the images I suspect can still be rebuilt and displayed once they are smuggled across via html/js/vbs.

I’m not sure that content-type can’t just be bypassed anyways, what’s to stop someone from sending a valid jpeg in place of a png?

About the youtube-esque video injection problem, I’m not sure how that’s handled, as I’m sure it’s not done via splicing video files… There are problems with varying forms of that too depending on how it’s implemented (js/vbs/html5/html); even if it’s not implemented in a manner indicating client side script, certain media formats allow for scripts themselves, as we saw 2(?) weeks ago with the 68k asm working from inside of an individual audio(?) format.

While I generally support the playlist-based ad-injection styling youtube has adopted within their video stream, I don’t appreciate being fed unvetted scriptlets from every friggen uncontrollable unpredictable dark corner of the internet.

SVG I believe presents much of the same problems of containing its own language as the aforementioned embedded 68k emulation hack.

We recently had a jp[e]g exploit, previously we’ve had png gif89a art… wav avi mkv mp3&&id3 pretty much everything gzip zlib RCE’s… TLS exploits… Compressor collision and unmasking attacks…

The list goes on.

Wael December 7, 2016 6:53 PM

@r,

I modify firefox’s about:config

The only thing I changed in about:config was default font size on Firefox running on FreeBSD with a 4K monitor. I couldn’t read a thing! Thanks for sharing this… very insightful!

Robert Oppenheimer December 7, 2016 7:17 PM

Couldn’t you sandbox the ads, meaning they will be displayed, but it is up to the user if they want to actually view them.
If the ad contains malware, it is sandboxed and nothing happens.

The user doesn’t have to view the ad, while the website thinks the ad has been displayed: everyone happy?

=AVEDEV(G148:G164)

r December 7, 2016 8:00 PM

sandboxing externally through something like firejail (or sandboxie) or sandboxing internally like in chrome java and flash?

Sandboxing helps yes, it lowers certain attack surfacii but it introduces others – sandboxing errors that lead to escapes so it’s not necessarily better in the face of authentication standardization centralization and whitelisting.

Virtualization emulation and deobfuscation all lead to the same trade off, less existing attack surface through the addition of a whole nother field to play on for errors and escapes.

Blacklisting sources from providing unvetted and unauthenticated monolithic code is just about the best thing you can do from within the current model imnsho.

By sandboxing things, you also may be covering up other implementation errors that may have been discovered through a process of audit and implementation like with the situation in and around the openbsd project and it’s children.

Where nation states are concerned, sandboxing imo is largely irrelevant – for the most part though, against a randomly occurring random attack, sandboxing and virtualization should provide enough of a buffer to permit denial to the attacker.

r December 7, 2016 8:25 PM

1st link SFW,

http://securityaffairs.co/wordpress/22334/malware/zeus-banking-malware-nestles-crucial-file-photo.html

2nd link NSFW

http://www.xylibox.com/2014/04/zeusvm-and-steganography.html

The only difference between then and now is that before it was C&C information and now it’s exploit code, to avoid persistent and inline AVs from detecting the payloads.

Inline, meaning both inline to your browser and inline to packet and stream-reassembly.

Sometimes, the best place to hide something is in plain view.

Thoth December 7, 2016 8:58 PM

@Clive Robinson

There are the perspectives of the people trying to make money from advertising, the browser makers who need people to develop on their platform and play nice with advertisers, those who are normal users, those who actually care about the issue (the security guys like us) and finally those who somewhat care but also want to make a buck out of “security”.

The advertisers don’t care and they are like all businesses, trying to squeeze as much profit out as possible, whether it is good or bad. They are mostly the unscrupulous crooks that are bogging down security on a global basis, who will lobby if anyone makes a move they see as against them.

The browser makers have been lobbied by the unscrupulous crooks and so had to play nice in order to at least preserve their user base.

The normal users may at times find advertising as irritating but they do not care. The good old .. “I am just a normal user .. hack me and so what ??!” attitude.

Those who care but are resource constrained, or at least the EFF, are committed to the Privacy Badger project, but I wonder if those tools are enough. There is the will to improve but they lack the “strength” to carry out what the will wants.

There are those who are unscrupulous and want to make a buck from offering preferential security treatment, and one of them is Adblock Plus. So-called “registered” sites will not be blocked by ABP, or may even be promoted by ABP, and ABP gets paid for doing so. These are the worst of the kind in security. These are the people who are making a buck while people unknowingly have their browsers subjected to preferential treatment.

If you run down the above list of actors, it is the unscrupulous advertising agencies who don’t want to keep finding ways of ensuring their ads are clean and try to make every cent they can from aiding in malvertising, the browser makers trying to keep their profits and user base by closing 1.5 eyes or even 2 eyes to the issue at hand, and the worst is the unscrupulous security engineers who create “preferential adblockers”, which reminds me of the good old days of pirating on the high seas or those highway robberies in broad daylight.

I have tried to sit down and talk to content publishers and they are totally adamant that there is no way to fix malvertising, that content publishers need ads for cash (which is understandable), and they see doing anything to advertising (including blocking JS and rich client interaction) as a sin.

As you can see, the industry itself is like a rotting cesspool… rotting from every single corner no matter how you look at it.

Sometimes, I wonder if humanity will lead humanity itself to its own eventual destruction ….

Andy December 7, 2016 9:01 PM

A while ago, multiple times, I wrote a program that would inject into the ring0 kernel of Windows, and from there any program that was created in virtual memory, any program you open, loads a header code, which is hidden from the program. This thing did basic encryption (xor tick count, then decode/encode) hidden from the program, but the program was still encrypted; unless you had the 64-bit tick on program creation your code couldn’t run asm code.
Ideas…

r December 7, 2016 9:21 PM

I find exploit analysis like this fascinating. It’s amazing how imaginative malware authors are in finding new ways to hide their exploit code from machine learning algorithms and human security researchers.

If you think the back and forth is interesting, next time you see Mr. Bontchev here ask him for some war stories from the days of the BBS.

It is interesting, and it is important to study this stuff.

If ab and nick and apparently clive had their way, we’d all be on thin clients with major DRM and whitelisting, it seems.

Ah, the pitfalls of STRANGE.

ab praeceptis December 7, 2016 9:26 PM

Frankly, I see just basically two possibilities: a) either nobody really works on or cares about safe browsing or b) they’re all stupid and incapable.

Obviously, it’s a).

I see two major problem cores. One is the insane umpteenth attempt to make something safer by adding complexity (actually a euphemism for “tacking on ever more crap”). The other is the unhealthy mixture of stupidity and ignorance on the users’ side and raw greed on the software producers’ side.

And, please, don’t unnerve me with “but mozilla is the good guys!” – that’s bullshit. mozilla is but one, possibly slightly different, player on the race course towards ever “richer user experience” (a euphemism for “make your app fart in stereo and jump some color box while doing it – that’s what both the retards out there and the advertisement spammers want”).

To make the festering outbreak in the loony bin worse, others enter the “pestilence can be fun!” track, too. html committees.

Because we need videos in the browser and an office suite, too. Hell, I’m waiting for the day when some committee, mozilla and google bring us the first online bathroom for the browser. (But then, maybe that isn’t a sensible expectation as they already have created a gigantic toilet bowl with jumping boxes and videos).

About the only useful and sensible thing in that whole field I saw in more than a decade was CSS.

You want a more reasonable and safer internet? Simple. Go on a “UX developer” killing spree and be sure to have enough TNT with you to wake up the ignorant “supersmart engineers” at google and mozilla. And while you are at it, throw some bombs on the advertisement industry; because they are about the only ones who actually profit from that whole criminal idiocy.

Thoth December 7, 2016 9:53 PM

@ab praeceptis

It’s all about cash. Advertising makes money while protection doesn’t. Naturally the resources would flow to whatever makes cash and avoid whatever doesn’t generate revenue.

Liabilities placed on browser makers, advertising agencies, content publishers and so on for failing to do the proper security would be weak or non-existent since it’s all about who controls the lobbying groups and it’s again money and resources that makes the world tick.

End of the day, it’s all about human greed that has grown out of control. The same problems are gnawing away at security systems and non-security systems as a whole.

r December 7, 2016 10:02 PM

@Thoth, ab

It’s also about envelope pushing; until very recently, getting something to even, what, EAL2? was excruciatingly time consuming.

Just like how linux was playing catchup for years on the UI front… it doesn’t pay to appear institutional, users want fun.

If, IF they don’t mind a headache it’s alright.

Now that we have features, we need a feature set freeze and either a massive audit effort or a considerably less difficult rebuild in something like RUST.

Ray December 7, 2016 11:12 PM

The author of the research paper says to keep all software patched and up-to-date in order to avoid being a victim of malvertising.

Most manufacturers of Android phones don’t support their products or offer security patches to their customers.

Quite a few customers might not have money to buy a new phone every year or two. I guess this means basic online security is a privilege reserved only for people with higher incomes who can afford to buy a new phone every year running the latest version of Android.

That seems wrong and discriminatory to me. Poor people deserve security too.

Andy December 8, 2016 1:11 AM

@r
RUST seems the better option than what I was saying: patch it at the source.
Markets and all, I don’t think money incentives will solve this; there are other uses for a botnet and there always will be.
I think nowadays it’s the linkage between parts on every scale.

Ratio December 8, 2016 1:21 AM

@Wael,

Quit writing in them foreign scripts, dude!

Thanks, man! Appreciate the heads up. 🙂

Imagine the trouble I’d be in if I’d been shilling for إلحاد and капитали́зм again! 😛

@r,

I modify firefox’s about:config “image.http.accept” to include only jp[e]g png and svg.

Sorry to disappoint you but that doesn’t really do anything. (You’re changing the value of the HTTP Accept header Firefox will send, but a server can send any response it likes. The Accept header is a hint for the server, no more. Keyword: content-negotiation.)

SVG I believe presents much of the same problems of containing it’s own language

HTML, CSS, PNG, JPG, GIF, HTTP, SVG, etc are all languages that your browser interprets. (You may need to squint to see this.) Javascript is just much trickier to interpret safely than the others.

The real problem here was Flash, by the way, not Javascript.

Oh, and the defense against this attack? Have a recent Python install (see the appendix). Take that, all you so-called safe languages with your static types and your formal specs!
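Ratio’s point that the Accept header is only a hint, as an added example (not Ratio’s, r’s, or Firefox’s code). The server functions, the `ACCEPT_ALLOWED` set and the image bodies are constructed for the demonstration; the only thing a client can actually enforce is what it verifies in the bytes it receives:

```python
from typing import Optional

# Image types the about:config tweak asks the server for (from the thread).
ACCEPT_ALLOWED = {"image/png", "image/jpeg", "image/svg+xml"}

# Constructed response bodies: just the magic prefix of each format plus
# padding. No real image data follows; only the prefix matters for sniffing.
GIF_BODY = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 32
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def sniff_image_type(body: bytes) -> Optional[str]:
    """Identify an image format from its leading magic bytes, ignoring headers."""
    if body.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if body.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if body[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if body.lstrip()[:5].lower() in (b"<?xml", b"<svg "):
        return "image/svg+xml"
    return None


def honest_ad_server(request_headers: dict) -> tuple:
    """Constructed server that honours content negotiation."""
    if "image/png" in request_headers.get("Accept", ""):
        return {"Content-Type": "image/png"}, PNG_BODY
    return {"Content-Type": "image/gif"}, GIF_BODY


def hostile_ad_server(request_headers: dict) -> tuple:
    """Constructed server that ignores Accept entirely: whatever the client
    asked for, it returns its GIF and labels it image/png."""
    return {"Content-Type": "image/png"}, GIF_BODY


def fetch_banner(server, accept: str) -> dict:
    """Fetch through the given server function and record what the client can
    verify: the declared type, the sniffed type, and whether each policy
    (trust the headers vs. sniff the body) would have let the bytes through."""
    headers, body = server({"Accept": accept})
    declared = headers.get("Content-Type", "")
    actual = sniff_image_type(body)
    return {
        "declared": declared,
        "actual": actual,
        # Trusting Accept/Content-Type alone: the response looks fine.
        "passes_header_check": declared in ACCEPT_ALLOWED,
        # Sniffing the body and requiring it to agree with the declared type.
        "passes_sniff_check": actual in ACCEPT_ALLOWED and actual == declared,
    }


if __name__ == "__main__":
    wanted = "image/png,image/jpeg,image/svg+xml"
    print("honest :", fetch_banner(honest_ad_server, wanted))
    print("hostile:", fetch_banner(hostile_ad_server, wanted))
```

The hostile server passes the header-only check and fails the sniff check, which is the whole difference between asking and verifying; browsers do a version of this sniffing internally, but an Accept list configured on the client side does nothing to a server that ignores it.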

Ratio December 8, 2016 1:41 AM

@Wael,

On second thought, one of those might not be such a good idea… I’ll leave it to you to guess which one. 😉

Interesting question: which words would be “safe” in other scripts?

Wael December 8, 2016 2:29 AM

@Ratio,

I’ll leave it to you to guess which one. 😉

You already shilled for atheism 😉

Interesting question: which words would be “safe” in other scripts?

Who knows. Depends on the phase of the moon, I guess. imo, nothing that looks like Arabic is safe. And people see things that are not really there. Math could be trouble as well.

My turn to ask you an interesting question: what’s the thread diversion angle, if threads take three hours to digress from the subject proper? Hint: na! I won’t give you any 😉

PS: I typed “phase of the moon” in simplified Chinese but the comment got blocked…

Clive Robinson December 8, 2016 3:31 AM

@ Thoth, ab praeceptis,

It’s all about cash. Advertising makes money while protection doesn’t. Naturally the resources would flow to whatever makes cash and avoid whatever doesn’t generate revenue.

The joys of the “freemarket”, but it’s actually worse than the revenue flowing one way or the other.

Some people are actively doing what many suspected the AV industry was up to, which was building blind spots that are as good as being backdoors. You have those who write ad-blocker code “except for the favoured few”, thus they are taking money from both sides. Look on it as a weapons dealer selling to both sides in a war, or physical security people selling master keys to criminals. It’s not just unethical, it’s immoral and potentially illegal (yes, there is legislation from other areas that is sufficiently broad to make it punishable behaviour through a court…).

But the problem with ad-blockers is like that of AV software. We’ve seen how malware writers run their code against 80% or more of the AV software out there, tuning their attacks to not be seen. The same goes on with ad-blocking software but it just does not get talked about.

Likewise the use of black/white lists: they are often talked about as though they are the same because they use the same underlying mechanism. But they are really quite different. With a black list you are taking responsibility for saying “I don’t trust you”, whereas with a white list you are actually saying “Please don’t abuse me”, thus abdicating your responsibility to another who you have no control over.

There are two solutions to this ad-ware issue. A, legislate against it. B, remove the financial incentive.

I suspect that the back pockets of legislators will get way too weighed down with Judas incentives, thus it’s down to us as individuals to not use ad4view sites as strict policy.

@ Wael,

With regards to U-lube, as I’ve mentioned in the past, I don’t have anything to do with them. Aside from my security and data cost concerns, I’ve generally much better things to do with my time. But I also don’t do “On Line Media” either; the DRM aspects are again an abdication of responsibility. They claim they cannot trust a few “Pirates”, yet they deny everyone their fair-use rights; it’s fairly obvious they are not telling the truth, and I see that as a deal breaker before they even approach me…

And please don’t try the old “You don’t know what you are missing…” line[1]; I am sufficiently aware of what the upsides and the downsides are and I am content with my choice not to enter such an obviously exploitative market.

[1] It’s like the old joke about “Going for a ride with a tiger” with the punch line of “Nobody has ever come back… to complain”.

Impossibly Stupid December 8, 2016 8:57 AM

@ab praeceptis

Frankly, I see just basically two possibilities: a) either nobody really works on or cares about safe browsing or b) they’re all stupid and incapable.

Obviously, it’s a).

No, it’s mainly b). I’ve done consulting at a number of places, and I’ve noticed that it tends to fall on management to make the decision whether or not to care about security (or any other issue), but as a consequence of their not caring they actually end up hiring incompetent developers to implement their plans, because no smart and capable people are willing to put up with the nonsense. If the money is in malware, or any other criminal software enterprises, it simply could not be a better time to hire smart people who need the work and have a slightly twisted moral compass.

Anon December 8, 2016 10:36 AM

Are they sure the malware is in the actual pixel data?
A PNG file contains sections, and the spec says to simply ignore sections it doesn’t recognize. Embedding extra/malicious data in a PNG is literally as simple as concatenating the file with another that has the correct section header, and the resulting file still opens as normal in all viewers I am aware of.

It seems this would be a more natural way to embed code in PNG than fiddling with low order bits.

Gerard van Vooren December 8, 2016 12:44 PM

@r,

You have some good points about configuring the browser. I appreciate these. Please let me give you advice, take it or leave it, but a while ago you said that you thought of yourself as a windbag. If you stick with technical issues I am quite sure that people take you seriously. After all you do have the practical knowledge, which I think is much more important than yet another discussion about yet another micro-kernel paper.

albert December 8, 2016 1:00 PM

@Anon,
Any portion of the .png file can be read. If you are referring to ‘chunks’, then it’s simple; just ignore all ‘ancillary chunks’ (as the decoder does). That still leaves the image data, hence the steganographic approach.
. .. . .. — ….
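The chunk structure Anon and albert are discussing, as an added example (not code from either commenter, from ESET, or from the Stegano kit). It builds a constructed 1x1 PNG, plants an extra chunk before IEND the way Anon describes, and audits the chunk list the way a defender scanning ad creatives would: what a decoder silently skips is exactly what to report. The chunk type `prIv`, the payload and the carrier image are all constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types registered in the PNG specification (critical and ancillary).
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND",
    b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB", b"bKGD", b"hIST", b"tRNS",
    b"pHYs", b"sPLT", b"tIME", b"iTXt", b"tEXt", b"zTXt",
}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length, type, data, CRC-32 over type+data, as the spec lays it out."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 opaque RGBA image: the smallest well-formed carrier."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit, RGBA
    scanline = b"\x00" + bytes([255, 0, 0, 255])        # filter 0, one red pixel
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(scanline))
            + make_chunk(b"IEND", b""))


def inject_private_chunk(png: bytes, ctype: bytes, payload: bytes) -> bytes:
    """Insert an extra chunk just before IEND: the 'unknown section' route
    from the comment above. Decoders skip chunk types they do not know."""
    iend = make_chunk(b"IEND", b"")
    if not png.endswith(iend):
        raise ValueError("expected a PNG ending in IEND")
    return png[:-len(iend)] + make_chunk(ctype, payload) + iend


def audit_png(data: bytes) -> dict:
    """Walk the chunk list and report everything a decoder would ignore:
    ancillary/unknown chunks, CRC mismatches and bytes after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "unknown_chunks": [], "bad_crc": [],
              "ancillary_bytes": 0, "trailing_bytes": 0, "truncated": False}
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            report["truncated"] = True
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            report["truncated"] = True
            break
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != stored_crc:
            report["bad_crc"].append(name)
        if ctype[0] & 0x20:                    # lowercase first letter = ancillary
            report["ancillary_bytes"] += length
        if ctype not in KNOWN_CHUNKS:
            report["unknown_chunks"].append(name)
        pos = end
        if ctype == b"IEND":
            break
    # Anything after IEND (e.g. a second file concatenated on) is never decoded.
    report["trailing_bytes"] = 0 if report["truncated"] else len(data) - pos
    return report


if __name__ == "__main__":
    clean = build_minimal_png()
    print("clean   :", audit_png(clean))
    print("stuffed :", audit_png(inject_private_chunk(clean, b"prIv", b"X" * 300)))
    print("appended:", audit_png(clean + b"second file goes here"))
```

Two caveats follow from the chunk walk itself. A chunk-level audit catches the appended-section route (unknown or oversized ancillary chunks, data after IEND) but not the alpha-channel route in the article, because that payload lives inside the compressed IDAT stream and decodes as an ordinary image, which is albert’s point. And the CRC check only tells you the chunk is internally consistent; an attacker writing their own chunk computes a correct CRC too, so it is the type and size that carry the signal.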

Nick P December 8, 2016 1:02 PM

@ r

“If ab and nick and apparently clive had their way we’d all be on thin clients with major DRM and whitelisting it seems.”

Does this or this look like a thin client to you? They’re fully UNIX/Linux boxes with critical stuff isolated to stop common failures or attacks. The first style has at least four commercial offerings for desktops, with the other having 2-3 (QNX the innovator & longest-running). They’ll hook you up for large sums of cash with OEM licensing also available. FOSS has little interest in such architectures but a few projects are ongoing.

Although, if doing Nizza style, I’d prefer a security-enhanced BSD with Mac OS X usability for the legacy OS over Linux if I had to choose among mainstream stuff. If non-mainstream, BeOS or QNX-based (see Blackberry Playbook) since they killed everything else in handling concurrency, reliability, & performance together. Unlike this shit box & Linux combo I’m temporarily using that struggles doing PDF & a web site at the same time on its Celeron CPU. Haha.

ab praeceptis December 8, 2016 1:35 PM

Nick P

Addendum: Much of what you, Clive, I and some others say isn’t even about the desktop but rather about infrastructure.
Having a considerably better infrastructure we can actually afford some tolerance for end user desktop crap.

So, the quoted remark that you were kind and patient enough to respond to is quite nonsensical.

Moreover that quoted remark seems to be guided by the grossly mistaken perspective that we preach that safety/security is a matter of not having fun and colours but sitting, to put it into an image, in almost empty, primitive, ascetic monk cells.

Bullshit!

Safety/security has its basis in good engineering. True, safety/security also has to do with reason, for instance with the ratio between cost/risk and benefit; but mainly it’s a question of good engineering, preferably with an experienced and activated brain.

Example for the ratio I just mentioned: Would it really be an unbearable sacrifice to drop the capability to watch videos in a browser? No! We do have video players and we could perfectly well watch youtube stuff outside the browser.

Another hint: The very servers providing all the web-crap are managed through “poor” text consoles. No jumping boxes, no spinning coloured balls, no clicky clicky. Yet somehow the earth seems to not have stopped spinning nor do we know of masses of admins needing psychiatric treatment due to working in a “poor” monk cell environment.

Clive Robinson December 8, 2016 4:37 PM

@ r

“If ab and nick and apparently clive had their way we’d all be on thin clients with major DRM and whitelisting it seems.”

As I’ve indicated, unlike black listing, whitelisting is a bad idea because you are abdicating trust there control to a third party, which is never ever wise (CIA motto with unofficial rider is “In god we trust, all others we check forever”).

As for thin clients, in small user groups/teams they have advantages in that centralization solves a lot of otherwise awkward problems and thus can prevent a number of security weaknesses.

For instance, backups of disks local to a user’s computer mean that you need access to them when doing the backup; you also need it at a very high security level or very low hardware level. The best time is when the user is not using their computer. Because users have habits, like turning their computer off, you need a mechanism whereby you can turn it on remotely to do the backup.

Thus you potentially have a massive security hole, where the users HD contents get sent across the network at the command of any other computer that knows the right “incantation”…

With a centralized system and thin (diskless) clients there is no need to have a magic wakeup system etc. Thus things can be made a lot more secure.

However all of that is beside the point I’m making in this thread, which is not running some third party code on your system that you have no means of checking, and in all honesty the security of the execution environment is mediocre at best, and a distinct liability most times.

r December 8, 2016 5:07 PM

And now we have a complete discussion, thanks guys. 😉

@Wael, sorry for steering you wrong; it seems both they (not the above but a responder) and myself are right: switching out image/* or / only makes a difference with the servers you are connecting to. I couldn’t duplicate the gif restriction on Ubuntu ff50.0.2 but I thought it worked on my Gentoo ff-esr, but nope – it’s server dependent, sry.

My Info December 8, 2016 6:36 PM

a malvertising campaign that has been active on several high profile websites.

There are more of those than there are rats living in the walls behind the restaurants at Union Station downtown Washington, D.C.

Yes I know. We “consume” all that content and we must pay for it by eating the rat droppings that are forced along with it.

HIV causes AIDS, and an incompletely understood interaction among Rattus rattus, Rattus norvegicus, Xenopsylla cheopis, and Yersinia pestis causes Plague.

My Info December 8, 2016 7:37 PM

@Wael

Many variations on that:

Logical proposition #1: HIV causes AIDS

Logical proposition #2: If a Doctor says HIV causes AIDS, then HIV causes AIDS.

Logical proposition #3: If the majority of Doctors say HIV causes AIDS, then HIV causes AIDS.

Logical proposition #4: If a highly esteemed Doctor says HIV causes AIDS, then HIV causes AIDS.

Where’s the research? It’s hidden behind paywalls: there are multi-billion-dollar government studies on some alleged correlation between the intactness of men’s foreskins and their HIV status. Which brings us to

Logical proposition #5: San Francisco barbers and New York rabbis cause AIDS. Studies say the barbers have connections in Los Angeles, and the rabbis actually come from New Jersey.

Nick P December 8, 2016 7:48 PM

@ ab praeceptis

That last part was funny and true. People whose companies are stuck on mainframes get shit done on terminal apps every day. Except for the bouncing balls: that’s how the legacy of the Amiga began. 😉

@ Clive

“whitelisting is a bad idea because you are abdicating trust there control to a third party which is never ever wise (CIA motto with unofficial rider is “In god we trust, all others we check forever”).”

That’s common but not fundamental. Plenty of whitelisting schemes put the owner in control. Most market share goes to others because owners didn’t want to be in control. Convenience first.

“As for thin clients, in small user groups/teams they have advantages in that centralization solves a lot of otherwise awkward problems and thus can prevent a number of security weaknesses. ”

This is true. My company does it. We get along fine. I recommend it for corporate environments that are concerned about productivity and security. Just gotta make sure they aren’t Slow As (Censored). Only hole in their scheme seems to be the bosses having real desktops. I believe the juiciest information is also on those. 😉

“Thus you potentially have a massive security hole, where the users HD contents get sent across the network at the command of any other computer that knows the right “incantation”…”

The right backup and/or VPN system can solve that one, though. The remaining vectors work on thin clients, too, since they’re just machines running the same vulnerable apps on some other system.

@ Wael

re AIDS

Barrett had a piece debunking Duesberg that I thought was worth checking for validity or refutation. Interestingly, QuackWatch.org is down but a site quackpotwatch.org is up talking about a court ruling against his credibility. These games are so fun.

In any case, the most interesting things I remember when looking into this were the following claims:

  1. A US biowarfare researcher wants to develop a virus that will be the first to destroy the immune system of its target. Gives a timeline. Gets funding. HIV and AIDS, the first to destroy the immune system, show up in that timeline.
  2. The groups they show up in are groups government hated a lot at the time with lots of abuse and experimentation going their way. Also showed up in areas government delivered vaccines, etc. Almost exclusively in these.

The government’s explanation, or what I heard from authority figures back then, was people either having sex with or ritualistically drinking the blood of some monkeys before it jumped species, then continents via travel, and then almost exclusively hit gay men in California that presumably were into the Africans. And dirty needles. Sounded like an air-tight case to me. On top of it, homophobic officials have a legit reason to officially oppose homosexuality. Win-win for people liking both air-tight cases and the fundamentalist version of Jesus.

Nothing to see here.

Nick P December 8, 2016 8:51 PM

@ Wael

re “Just wanted to share and see the reaction.” Fox News has positions open. 😛

re HIV/AIDS dispute. The medical community is both helpful and full of shit. The government… based on their files & employee accounts… was at maximum effort for shady stuff from 60’s-80’s with them chilling out a bit after that on domestic front. The kinds of sites that would teach me medicine just repeat status quo of connected people. The kinds that would reveal conspiracies repeat the truth and lies of those who write books about them. I don’t know up from down with the topic. 🙂

@ All
(esp Clive)

Clive brought Margaret Hamilton to my attention. Irritated me that I hear more about Atwoods and such regarding software quality than people whose team did 6+ feet of specs & assembly in rope memory in space with user failures while their code still saved the mission. Now, jtsummers on Hacker News told me about another badass woman named Nancy Leveson. Sexism apparently bit me too, given I had seen references to the Therac report for years by a Leveson but assumed it was a guy, having never seen a woman in IT up to that point. (rolls eyes) Turns out, she was a forerunner in the 1980’s pushing software safety who did the exemplary work I heard about on air traffic control and other things. Her method for specifying & verifying systems in an executable way is very similar to other things I’ve seen in high-assurance. Either she inspired them or there was convergence.

Here’s the links to her site, book, and company:

Nancy Leveson’s homepage

Engineering a Safer World

Safeware Engineering’s Products

I particularly love how the article says she wrote everything she knew about high-assurance design then got wiser or more confused. Exactly what happened to me after a decade including the good discussions on this blog. I’ve been redoing fundamentals over past year or two. At a much slower & less confident pace as well. Hmm. 😉

Wael December 8, 2016 9:28 PM

@Nick P,

I don’t know up from down with the topic. 🙂

Same here, among many other topics 🙂

Clive Robinson December 9, 2016 12:25 AM

@ Nick P,

As you mentioned NASA: Astronaut John Glenn has died aged 95,

http://www.dispatch.com/content/stories/local/2016/12/john-glenn/john-glenn.html

@ Wael

I’ve mentioned the use of phages to fight infections in the old communist bloc countries where modern antibiotics were just not available for many reasons. This is kind of important now, as due to our short-sighted capitalist nature antibiotics no longer work as well as they did. Well, this might be of interest,

http://nautil.us/issue/43/heroes/will-viruses-save-us-from-superbugs

Ratio December 9, 2016 2:28 AM

@Wael,

what’s the thread diversion angle, if threads take three hours to digress from the subject proper?

Oh, that’s ٤٢. Easy as π. 😉

(Numbers are still “safe”, right? Right?!)

Wael December 9, 2016 3:24 AM

@Clive Robinson,

the use of phages to fight infections in the old communist bloc

That’s very interesting! I sent the link to my little brother to see what he thinks. Honey is also a potent antibacterial agent! They should have coated the guy’s heart with some honey 🙂

@Ratio,

Oh, that’s ٤٢

I’m impressed! Excellent guess. You needed some sort of unit after the number! What is it? 42 cucumbers? JPEG pictures (trying to stay on topic)? Frogs? Or degrees?

Numbers are still “safe”, right?

Hindi scripts (٤٢) for numbers are currently (emphasis on currently) safe. The Arabic representation “42” may not be as “safe”. Incidentally, @Clive Robinson can tell you a lot about his friend Douglas Adams. But he still won’t tell you the secret of 42!

Ratio December 9, 2016 4:05 AM

@Wael,

You needed some sort of unit after the number!

Nothing gets past you, huh? 😉

Obviously, I meant 42 mumbles. 😉

Hindi scripts (٤٢) for numbers are currently (emphasis on currently) safe.

If 42 is Arabic and ٤٢ is Hindi, what do you call ४२ (42 in Devanagari)?

Wael December 9, 2016 4:19 AM

@Ratio,

what do you call ४२

Looks like alpha-zeta… Something between Sumatra and Bali: JavaScript.

Ken Swift December 9, 2016 3:03 PM

@ Wael

Can the genie be put back in the bottle

But of course! We only need to identify the Jinni, the bottle, and the phisherman 😉

That sounds like an oral Sufi parable recorded by Idries Shah, my learned fellow (you, that is).

Wael, for everyone not as legendary as Clive, who has the superhero powers to forgo javascript and email et cetera (but he only wears the cape at night), the sub-human class can use U Block Origin or U Block (one is a fork). In your case the ads preceding a youtube clip will cease to exist. Can you imagine, those youtube injected ads must have exponential scope for dangerous stego – all that bandwidth – compared to a flashing banner ad.
U Block Origin for cancelling ads and No Script, and U Block Matrix which has a great reputation. Thanks @r for insight about using it more effectively. Definitely suggest you check out U Block. As long as javascript exists, as long as we can’t stop the class of attacks, we can mitigate to a really large extent with U Block, plain and simple. Stop telling the laywomen and laymen to turn off javascript, which they won’t do – tell them to install U Block.
@ Wael what does your handle mean? Oh, wait, that’s right, it’s your real name

@ ab praeceptis

Frankly, I see just basically two possibilities: a) either nobody really works on or cares about safe browsing or b) they’re all stupid and incapable…….etc

You are hilarious! Love your candour and your wisdom. It rocks. But beware those who engage you in the morning before you’ve had your café au lait!

@ r
Re: Firefox and about:config
Are you aware of the extensive work done on modifying about:config for privacy and security (hundreds of changes, including some hidden ones) by Pants, who posts here as Hairy Bannana? They have compiled an extensive list.
Read discussion in this recent thread:

https://www.schneier.com/blog/archives/2016/11/firefox_removin.html

@ Nick P @ Wael
Thanks for HIV/AIDS quality. Nice application of InfoSec mindset, Nick. Not the place to dissect the topic but can’t resist sharing some data points I’ve gathered:

it’s not the disease that kills, it’s the drug treatment that assuredly kills. So, someone coming back from a test with very very low HIV blood cell count, or a false positive, starts drug treatment and begins the gradual decline into mortality. Alternatively, someone else gets a positive test and either does nothing / refuses treatment and instead eats well and does yoga,clean lifestyle = no disease symptoms whatsoever. So if you know someone with HIV – tell them to refuse treatment and do their own research

Other points include there is no, actual, scientific data in existence that demonstrates AIDS exists/ that HIV turns into AIDS / that either of them actually kill you. I came across a petition or paper recently undersigned by long list of respected international scientists affirming that hiv was just a plain old boring retrovirus with the most elementary cellular attributes, poor replication and defense systems and generally no outstanding or unusual attributes whatsoever – and that it had only the tiniest proportion of the actual research and attention every other virus receives. Instead had a totally disproportionate amount of money spent on unqualified treatment protocols.

The brilliant JG Ballard (I bet @ Clive is a fan) has a great short story twist on ‘1984’ whereby everyone is so scared to have sex because of HIV that the birth rates have plummeted & the State has enforced sexual service duty for everyone of age. One wears the given ‘amorous’ costume of choice and on appointed nights knocks on the door of the given stranger they are required to liaise with. Along the lines of 1984, a male and female conspire to secretly not have sex every time they meet. The story culminates with them being sprung by sexual enforcement officers – the punishment for the male being, he has to have sex every day with hundreds upon hundreds of desirable women

@ Nick P you’d like the one by Ballard about how Reagan started WW3 but it only lasted for 7 minutes before it was cancelled.

@Nick P

@ All
(esp Clive)
“All humans are equal, but some are more equal than others” I kid, I kid.

Wael December 9, 2016 4:40 PM

@Ken Swift,

that sounds like an oral Sufi parable recorded by Idries Shah, my learned fellow (you, that is)

Nope, not oral Sufi. Has a lot more to it than that! But that will get us a few feet deep into religion 😉 Read about prophet Solomon (King in Judeo-Christian.)

Dark Flying Thing w Tentacles December 9, 2016 9:12 PM

I noticed this article when it came across the wire. It is interesting, as it combines two of my favorite aspects of modern attack and defense. Client side attack & steganography.

While not currently a malware analyst, steganographical methods of covert communication and processing in exploitation and malware (rootkit level malware, especially) have always been the mandatory choice.

Because if you are storing or sending data across the wire without some manner of steganography, then it is either encrypted or plain text or otherwise easy to pick out of the haystack.

Why is encrypted data easy to pick out of the haystack?

Because encryption is, by design, extremely entropic, and the formula for processing level of entropy is highly simple and effective.

For an anomalous behavior analyst (to perhaps, invent a term, for researchers working on attack or defense technology of that manner, specifically those looking for previously unknown exploits of previously unknown vulnerabilities, and previously unseen malware)…….

The sort of attacks which are bypassing all major defenses relying on white and black list systems, or systems with very poor logic…….

Being able to detect data across the wire or otherwise on live systems which are designed not to be seen by inspectors definitively means detecting encrypted information is paramount.

In fact, I was pleasantly surprised by one of the Trump new hires pointing out that those using encryption are more worth inspecting than those not. And while he did not add this, what is especially interesting is that those using encryption unusually are much more interesting than those using encryption usually.

I am not talking “impressed” morally. But, technically.

One very common strategy over the years, of course, has simply been piggy backing commonly used encryption.

But, almost by definition, attacks will be performing behavior “out of band” from regular encryption usage. In other words, by many factors, “regular encryption” usage can be patterned, and invariably, very irregular encryption usage can certainly stand out extremely distinctively.

Forgive me for keeping this very abstract, very general. But it really can be stated this way, with confidence.

Which leaves, invariably, steganography, or hiding in plain sight.

Security by obscurity? Perhaps, on the surface. But systems are already adhering to exactly such a system if they are attempting to, somehow, piggyback existing patterns of encryption usage.

One major problem with almost any traditional form of steganography is, ultimately, in some measurable way, shape, form…. a new anomalous pattern emerges, and one which certainly has predictable attributes.

For instance, while compression has a tendency to increase entropy, just as encryption does… steganography has a tendency to dramatically decrease it.

The letters — all good folks here should know from childhood! E-T-O-N… for instance, hidden in something else, almost invariably will require not any longer simply four characters, but now many more.

Steganography invariably adds weight to covert information.

Even if you afterwards compress that product, even if you smooth it over with a system to make it as entropic as possible, it adds weight.

This is very much why, historically, there has been a general rule, that the meatier the data you are putting the covert information in…. the better the steganographical possibilities.

How can this be avoided?

Or, other comments and criticism.

Ken Swift December 10, 2016 2:16 AM

@ All

Following on from Clive’s very helpful comments about blacklist vs whitelist,
I just checked the whitelist built into No Script in the options – the whitelist I have never actually added anything to myself

I was horrified to discover it has netflix, youtube, google maps, live.com, hotmail.com, jsquery – a whole heap of nonsense

@ Wael

I was teasing when I said ‘what does your handle mean, oh that’s right it’s your real name’ because of your earlier comment about using your real name and believing in the right to free speech 😉

Ken Swift is actually a legend, and it’s not me – but he is indeed a real person

r December 10, 2016 10:10 AM

So, discussion is what you want huh?

How can that specific attack against the advertisers be mitigated?

In its current form, easily – don’t allow images to pass through to your customers unmodified.

r December 10, 2016 10:11 AM

It’s not like the developer was using ECC to allow error correction in case his bittedness is manipulated; changing a bit or two along the length of the image would break his current impl.

r December 10, 2016 10:14 AM

But, aside from being dependent on a single but very capable transparency layer, care must be taken with any stripping attack because steganography doesn’t cover a binary fully in modifications, leaving holes that can be manipulated further without affecting the encoding mechanism.

r December 10, 2016 10:18 AM

The likely reason for including this escalation is that any (technically) xss and communication methods are being observed/scrutinized by the advertiser[s] in question.

Stegano in a parallel image allows the scriptlet to carry a full tool chest without having it scrutinized.

As for the whitelist in noscript, it should always be top priority to whiten the whitelist on your first load.

lskdfjjl December 10, 2016 12:04 PM

A lot of you sound old and grumpy, and really bitter. The new web is great; sure there are some security issues, but that is usually the cost of anything that is successful.

Impossibly Stupid December 11, 2016 5:02 PM

@Dark Flying Thing w Tentacles

The way you write . . . seems to carry the weight of steganography. 🙂

For instance, while compression has a tendency to increase entropy, just as encryption does… steganography has a tendency to dramatically decrease it.

The letters — all good folks here should know from childhood! E-T-O-N… for instance, hidden in something else, almost invariably will require not any longer simply four characters, but now many more.

Because to be any less means it’s a form of compression. Hiding 8 bit values as other 8 bit values is not hard, and that is almost certainly what was done with the malware in question (even if they only manipulated the least significant bit(s) of the larger image). But, yeah, if you want to hide words in other words, there’s going to be significant overhead, just as if you wanted to instead hide an image in an image.

How can this be avoided?

Pick data and transformations that better map between the “entropy” of the source and target domains. I just did something along these lines for encoding locations. If, for example, you have a 32 bit value representing the latitude, with all 0s meaning the South Pole and all 1s meaning the North Pole, you could just use the 8 bit values for N and S to represent them, because you’re being “smart” about how the system works holistically. It’s a bit of a knapsack problem if you try to do it with random data, though.
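The three threads above (the entropy argument from Dark Flying Thing w Tentacles, r’s “don’t pass images through unmodified” and Impossibly Stupid’s point about low-bit hiding) can be tried on a constructed alpha channel. The following is an added illustration, not code from ESET, the exploit kit or any commenter; the banner dimensions, the stand-in payload and the `step` of 16 are assumptions, and the embedding is a plain least-significant-bit toy rather than the kit’s actual encoding.

```python
import math
from collections import Counter

# Constructed sample: most ad creatives have a fully opaque alpha channel
# (255 everywhere); a hypothetical 64x8 banner is used here.
WIDTH, HEIGHT = 64, 8
CLEAN_ALPHA = bytes([255] * (WIDTH * HEIGHT))

def bits_of(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

# Constructed stand-in payload; the real kit carried JavaScript.
PAYLOAD = b"var x=1;"
# Suspect creative: the low bit of each alpha value carries one payload bit.
SUSPECT_ALPHA = bytes(254 | b for b in bits_of(PAYLOAD)) + CLEAN_ALPHA[len(PAYLOAD) * 8:]

def lsb_plane_entropy(alpha: bytes, window: int = 64) -> float:
    """Shannon entropy (bits per symbol) of the alpha channel's least
    significant bits over the first `window` pixels. An opaque or smoothly
    varying alpha plane sits near 0; embedded payload bits push it toward 1."""
    lsbs = [a & 1 for a in alpha[:window]]
    counts = Counter(lsbs)
    n = len(lsbs)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_creative(alpha: bytes, threshold: float = 0.9) -> bool:
    """Detection side: true when the alpha low-bit plane looks like payload."""
    return lsb_plane_entropy(alpha) > threshold

def extract_lsb_text(alpha: bytes, nbytes: int) -> bytes:
    """What a decoder reads back from the alpha low bits (used only to show
    that sanitization destroys the channel)."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for a in alpha[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (a & 1)
        out.append(byte)
    return bytes(out)

def sanitize_alpha(alpha: bytes, step: int = 16) -> bytes:
    """Mitigation side: an ad network re-encoding every creative could
    re-quantize alpha to multiples of `step`. Visually negligible, but the
    low bits, and with them any hidden payload, are gone."""
    return bytes(min(255, (a + step // 2) // step * step) for a in alpha)
```

Since the decoder described in the thread has no error correction, even a one-bit change per byte of the payload region would corrupt it; re-quantization simply does that to every pixel at once.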

easy money December 12, 2016 7:42 PM

Easy technique to use and exploit other vulnerabilities. Jar exploit can be used in many ways, to unpack malicious code targeting AV for instance. RGB values could be thought of as benign, and many exploits will target simple values to employ in novel ways. EXIF would likely get more attention, considering the large amount of commonly and not understood possibilities; RGB can slip in data under the radar. Conforming to rules, side stepping others, and “throwing a snapper in the works” are possible ways to simply target existing system components and abuse them.

You can enter EDID information into monitor firmware written in notepad in windows fairly easily. Many of windows sub processes can be abused using existing files and system components with some extra help.
Even good technical knowledge can be used against the user to tempt someone to click on a prompt, given the likeness of certain approaches and predictable behavior.

I came across a few of these people who write advertising malware, many simply motivated financially, with some from families with criminal backgrounds. An attitude that malware is just another form of business and does not involve physical violence, or smuggling, seems to attract them. Some of their circle include people who’d quite comfortably stuff a locally endangered bird in a piece of pipe and fly it for 24 hours across the world without a second thought. Funnily enough their offers of money didn’t seem to attract me to promoting their “advertising software”.

Exploiting Flash and SQL were just as popular as any other easy exploit. They’ve written a bunch of these malvertising programs and let them loose with little thought to how the end product could be used and modified in the wild. Many contain efficient and new ways of distributing themselves, leaving behind vulnerabilities opened simply to deploy their packages more widely.

Andy Marks January 28, 2017 6:42 AM

Hello:
I didn’t read all the comments but want to make a point about this particular attack. One thing we fail to see in some news articles about exploits is mitigation. Schneier is one of the best security people out there and I will continue to read, but the fact is this exploit can be greatly reduced or eliminated in multiple ways:

  1. Keep Flash up-to-date
  2. Don’t use Flash
  3. Set your browser to ‘ask to activate’ Flash if setting is available in your browser
  4. Run an ad-blocker such as Ublock Origin
  5. Script blocker
  6. Run your browser on an OS in a virtual machine. If that machine becomes infected, restore from backup or use the pricier snapshot technology to instantly restore to save point.

Combinations of the above will greatly reduce infection chance. Doing 1, 3, and 4 reduces chance to near zero, probably for virtually all drive-by downloads not just this type.
