undefined | Better HN

0 pointsChuckMcM12y ago0 comments

Or display any compressed image, or even download compressed javascript that you aren't going to run. A number of exploits that malwaredomains.com finds are objects that are either normally or optionally compressed, and constructed in such a way to exploit an issue with the decompression software used.

If I'm both curious and suspicious (so in my most tin-hatish of moods) I fire up a virtualbox instance with a clean image, look at the site, and then delete that virtual machine image. That seems to also have an unintended prophylactic effect since virus investigators like to run viruses in VMs so malicious payloads don't fire if they detect they are running in a VM (at least according to the F-secure blog).

But either way, my point was that just visiting a site that wants to get you is a risk, whether or not you think you are protected.

0 comments

3 comments · 1 top-level

dfc12y ago· 2 in thread

I googled "site:malwaredomains.com compression" and nothing turned up. Can you recall any instances? Do you know where they get the data from? I must be missing something obvious but I don't see where the describe the how the list is created.

NB: I am not disagreeing with you I am just curious to look at some of the recent compression vulnerabilities.

ChuckMcMOP12y ago

Here is a great place to start: https://www.google.com/search?q=jpeg+decoder+exploit&oq=jpeg...

Note there have been various fixes, and you can often tell when you see one because you get a 'broken image' icon rather than a picture and an new friend. The compressed Javascript exploits were primarily tied to pdfs apparently (you can search for 'compressed js exploit') and then look for "gif decoder exploit" and of course the whole cross site scripting thing which when you're building a web site to compromise people its not a 'bug' that it has a cross site exploit vulnerability per se :-)

Basically anything that 'decompresses' is effectively a data driven computation engine where the bad guys can feed an arbitrary stream of data into that engine to make it do unexpected things. Whether it was the font exploits in Stuxnet and elsewhere or pdf exploits or jpeg exploits. Sadly it has been a target rich environment in the past.

dfc12y ago

My fault. I was looking for the javascript compression vulnerabilities. I'm sorry I did not mention that.

j / k navigate · click thread line to collapse