Hmm, interesting AV evasion technique: Seemingly legitimate app, but the
download page gives both a malicious DLL and the main executable, the main
executable uses LoadLibrary insecurely.
On Feb 22, 2012 9:33 AM, "ACROS Security Lists" wrote:
> Hi Jeff,
>
> > I don't believe a PE/PE+ executable n
Hi Jeff,
> I don't believe a PE/PE+ executable needs a DLL extension to
> be loaded by LoadLibrary and friends.
True, any file can be loaded this way, but our pretty extensive
experimenting showed extremely few cases where legitimate applications
(in this case mostly installers) loaded anythi
Malware has been using it to spread through local shares and also using it
as easy privilege escalations for known trusted software. Like I said and
have always said, the vectors are going to be local and for further
compromise.
On Mon, Feb 20, 2012 at 4:22 PM, Sanguinarious Rose <
sanguiner...@oc
On Mon, Feb 20, 2012 at 2:28 PM, Jeffrey Walton wrote:
> Hi Mitja,
>
> On Fri, Feb 17, 2012 at 11:32 AM, ACROS Security Lists wrote:
>>
>> This blog post reveals a bit of our research and provides an advance
>> notification of a largely unknown remote exploit technique on Windows.
>> More import
On Sat, Feb 18, 2012 at 4:00 PM, Kyle Creyts wrote:
> Did this talk _really_ get accepted at RSA? Wow.
While other conferences might be more appropriate, the acceptance
underlines the problem with insecure library loading on Windows. It's
still a big problem.
Windows is not alone, and Linux suffer
Hi Mitja,
On Fri, Feb 17, 2012 at 11:32 AM, ACROS Security Lists wrote:
>
> This blog post reveals a bit of our research and provides an advance
> notification of a largely unknown remote exploit technique on Windows.
> More importantly, it provides instructions for protecting your computer