Date: Mon, 13 Aug 2012 16:10:36 -0700
From: Matt Howard <>
To: Christian Sciberras <>
Subject: Re: DLL Hijacking Against Installers In Browser
 Download Folders for Phish and Profit

1. The attack is aiming at a very low hanging fruit, so low in fact it
probably fell on the ground once and has a few bugs on it, this is the
nature of phishing. If the redirect is well designed or the method of the
delivery is convincing enough, they will click save assuming that only
execution of it would be dangerous, the vendor page will be convincing
enough in itself (theoretically) to lead them to the update/install. Even
if they assumed it was sketchy chances are they would still leave it in
their downloads folder or remove the entry from their list of previously
downloaded files not running it.. Not clicking the installer wouldn't be a
loss either because the next update/install they run (be it days, weeks, or
months) will likely load the DLL.

2. That was a dumb addition on my part, every time DllMain is entered it
will launch calc.exe, if I had removed the comment from that line it would
have exited on the first execution but instead this will launch for each
call.. Which is sometimes quite a bunch, not ideal for testing lots of
installers but fun to watch?

On Mon, Aug 13, 2012 at 3:02 PM, Christian Sciberras <> wrote:

> I've got two concerns about this:
> 1. Either way you put it, I can't see how one can make a convincing
> argument out of downloading a DLL file.
> Asking laymen, they'd ask "what's a dll for? weren't updates done with
> exe/msi/etc? why's it got that funny icon?"
> 2. I'm a bit curious about your choice of code, and why you commented out
> exit(0); (what's the point anyway?)
> Cheers,
> Chris.
> On Mon, Aug 13, 2012 at 7:19 PM, Gynvael Coldwind <> wrote:
>> Well, what can I say - your write up is accurate.
>> Though last time I've seen it, around 5 years ago, it was still called
>> DLL spoofing and not DLL hijacking, and was one of the arguments why
>> "carpet bombing" (automatic download) in Safari/Chrome must be fixed
>> :)
>> E.g.
>> --
>> gynvael.coldwind//vx
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter:
>> Hosted and sponsored by Secunia -
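
An added example (not part of the original thread or any poster's code): a defender-side audit for the situation in point 1, a DLL left in a browser download folder beside installers that may later be run from there. The function names, the installer extension list and the demo files are assumptions; the Zone.Identifier stream (Mark of the Web) is only readable on Windows/NTFS, elsewhere it is reported as None.

```python
import tempfile
from pathlib import Path

INSTALLER_EXTS = {".exe", ".msi"}  # assumption: what counts as an installer here

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a PE image."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def zone_id(path):
    """Return the Mark-of-the-Web ZoneId (3 = Internet zone), or None.
    Browsers write it to the Zone.Identifier alternate data stream on NTFS."""
    try:
        with open(str(path) + ":Zone.Identifier", "r", errors="replace") as fh:
            for line in fh:
                if line.strip().lower().startswith("zoneid="):
                    return int(line.split("=", 1)[1])
    except (OSError, ValueError):
        pass
    return None

def audit_download_dir(directory):
    """List DLLs lying loose in `directory` (top level only) together with
    the installers next to them, which would search that folder when run."""
    entries = [p for p in Path(directory).iterdir() if p.is_file()]
    installers = sorted(p.name for p in entries
                        if p.suffix.lower() in INSTALLER_EXTS)
    return [{"dll": p.name, "is_pe": is_pe(p), "zone_id": zone_id(p),
             "installers_beside": installers}
            for p in sorted(entries) if p.suffix.lower() == ".dll"]

def demo():
    """Audit a constructed folder; file names and contents are dummies."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("setup.exe", b"MZ\x90\x00"),
                           ("example.DLL", b"MZ\x90\x00"),
                           ("notes.txt", b"hello"),
                           ("broken.dll", b"not a PE")]:
            Path(d, name).write_bytes(data)
        return audit_download_dir(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To audit a real folder, call audit_download_dir() with the path of the browser's download directory and review or remove every DLL it reports.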
