lists.openwall.net
Open Source and information security mailing list archives
Date: Tue, 3 Apr 2012 09:01:53 -0500
From: "Adam Behnke" <adam@...osecinstitute.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Hacking AutoUpdate by Injecting Fake Updates

We all know that hackers are constantly trying to steal private information
by getting into the victim's system, either by exploiting the software
installed in the system or by some other means. By performing routine
updates for their software, consumers can protect themselves, patching known
vulnerabilities and therefore greatly reducing the chance of getting hacked.

Commonly used software, such as MS Office, Adobe Flash and PDF reader (as
well as the browsers themselves), is the major target for exploits if left
unpatched. In the past, fake patches for Firefox, IE, etc. displayed
messages informing users that updated versions for a plugin or the browser
were available, prompting the user to update their software. For example,
the page will tell the user that updating their Flash version is critical.
Once the user clicks the fake update, it will download malicious content
(like, for example, the Zeus Trojan) to the victim's computer, as well as
perhaps a rogue anti-virus, asking the user to pay in order to remove the
infections. Similar attacks have been done in the past for various browsers,
too.

When you think about it, how many people are really cautious about the
updates, the type of update or the link from where they are downloading and
installing the update? Obviously, there are very few people that are really
cautious and vigilant about updates, therefore making the success rates for
those exploiting the users high. 

Read more about how to perform a few different AutoUpdate man-in-the-middle
attacks that work against Java, AppleUpdate, Google Analytics, Skype,
Blackberry and more: http://www.ethicalhacking.com
