October 23, 2016

Black Hat: Document Exploit Techniques

(LiveHacking.Com) – Sung-ting Tsai (AKA TT) and Ming-chieh Pan have demonstrated, live at the Black Hat conference, multiple ways in which Microsoft Word documents can be exploited and used to deliver malware.

Although Microsoft has implemented multiple security measures in Office and Windows, it is still possible to craft documents that exploit vulnerabilities in other media embedded in the files. For example, a hybrid document can be created with an embedded Flash file, and it is the Flash file which opens the way for the exploitation.

Although Adobe has also strengthened Flash by adding sandboxing to limit the ability of potential rogue processes to access local files, TT demonstrated a way to get around the new measures by using an mms:// link that makes Windows open IE, which in turn causes Windows Media Player to open. Using that simple workaround, TT said, an attacker could create an attack that might be able to steal users' cookies, passwords or other information.

Windows XP is Petri Dish For Rootkit Infections

(LiveHacking.Com) – A six month study, by the AVAST Virus Lab, has found that 74% of rootkit infections originated from Windows XP machines, compared to 17% for Vista and only 12% from Windows 7 machines.

Windows XP is the most common PC operating system, with around 49% of avast! antivirus users running it, compared to 38% on Windows 7 and 13% on Vista.

The problem seems to be that there are a large number of pirated copies of XP which don't run automatic updates, as they can't be validated by the Windows Genuine Advantage validation process. This leaves the out-of-date and unpatched OS open to all kinds of attacks, even old ones long since patched by Microsoft.

“Because of the way they attack – and stay concealed – deep in the operating system, rootkits are a perfect weapon for stealing private data,” said Przemyslaw Gmerek, the AVAST expert on rootkits and lead researcher.

Cybercriminals are continuing to fine-tune their attack strategy, with the Master Boot Record (MBR) remaining their favorite target even for the newest TDL4 rootkit variants.

The study found that rootkits infecting via the MBR were responsible for over 62% of all rootkit infections. Driver infections made up only 27% of the total. The clear leader in rootkit infections was the Alureon (TDL4/TDL3) family, responsible for 74% of infections.

Experts from AVAST Software will be attending the upcoming Blackhat events in Las Vegas on August 3-7, 2011.