[OWASP-Ireland] HTML malware

Chris Madden chris.madden at trintech.com
Mon Feb 27 12:11:19 EST 2006


Removing comments with an app firewall would be a quick-fix solution.

Longer term, an amended version of the malware could parse content/payload
that could be inserted anywhere in the HTML (or, for example, associated
images), i.e. not in the comments or the first 64 bytes (and still be
invisible to the end user and any HTML scanner).

If the malware used steganography then it would be very difficult to limit
the malware by filtering its content/payload.

Chris

> -----Original Message-----
> From: Owen Connolly [mailto:ojc at networkarchitects.ie]
> Sent: 27 February 2006 16:52
> To: Tony Palmer; owasp-ireland-admin at lists.sourceforge.net;
> eoin.keary at ritsgroup.com; owasp-ireland at lists.sourceforge.net
> Subject: Re: [OWASP-Ireland] HTML malware
> 
> I actually think that's a pretty good idea.  As we know by now, it's only
> a matter of when this attack works in the wild, so maybe we should
> recommend this as an initial response until we get a clearer picture!
> 
> Cheers,
> 
> 
> Ojc
> -----Original Message-----
> From: "Tony Palmer" <tony.palmer at vordel.com>
> Date: Mon, 27 Feb 2006 16:33:30
> To:<eoin.keary at ritsgroup.com>, <owasp-ireland at lists.sourceforge.net>
> Subject: RE: [OWASP-Ireland] HTML malware
> 
> Maybe a simple fix would be for app firewalls to remove all comments from
> downloaded files. By definition they are not required by browsers. I
> foresee another sledgehammer policy already!
> T
> 
> -----Original Message-----
> From: eoin.keary at ritsgroup.com [mailto:eoin.keary at ritsgroup.com]
> Sent: 27 February 2006 16:17
> To: Tony Palmer; owasp-ireland at lists.sourceforge.net
> Subject: RE: [OWASP-Ireland] HTML malware
> 
> 
> Yep,
> sounds to me like a certain element of recon/statistical gathering :0)
> 
> Thing is, do application firewalls or client side security look for
> malicious data in comments or should they?
> 
> 
> **********************************
> Eoin Keary CISSP
> Senior Consultant
> Rits Information Security
> 2052 Castle Drive
> Citywest Business Campus
> Co. Dublin
> 
> Tel: 353 (01) 642 0500
> Fax: 353 (01) 466 0468
> Email: eoin.keary at ritsgroup.com
> Web: www.ritsgroup.com
> **********************************
> 
> "Tony Palmer" <tony.palmer at vordel.com>
> 27/02/2006 15:22
> 
> To: <eoin.keary at ritsgroup.com>
> cc:
> Subject: RE: [OWASP-Ireland] HTML malware
> 
> 
> Hmm,
> Install yourself and wait for instructions. I'll bet what's in between
> the comment tags are base64 encoded execution commands, or similar. This
> is somebody setting up a zombie network possibly for sale. The number of
> hits on his site being a count of how many machines are at his disposal.
> Neat.
> T
> -----Original Message-----
> From: owasp-ireland-admin at lists.sourceforge.net
> [mailto:owasp-ireland-admin at lists.sourceforge.net] On Behalf Of
> eoin.keary at ritsgroup.com
> Sent: 27 February 2006 14:50
> To: owasp-ireland at lists.sourceforge.net
> Subject: [OWASP-Ireland] HTML malware
> 
> 
> http://isc.sans.org/diary.php?storyid=1147
> 
> 
> Hi,
> Good document on some malware guys at SANS found. Raises some
> interesting ways in which malware is going.
> 
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Owen Connolly
> Technical Director
> http://www.networkarchitects.ie
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 




More information about the Owasp-ireland mailing list
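
An added illustration of the comment-stripping filter discussed in this thread (not code from any poster or from the SANS diary): a parser-based pass that drops HTML comments, flags base64-looking ones, and leaves script bodies alone. All function names and the sample document are constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def looks_base64(text):
    """True if the comment body is a single run that decodes as base64."""
    body = "".join(text.split())
    if not B64_RUN.fullmatch(body) or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

class CommentStripper(HTMLParser):
    """Re-emits markup as parsed, dropping comments and recording them."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.comments = [], []
    def handle_starttag(self, tag, attrs):
        self.out.append(self.get_starttag_text())  # raw tag, attributes intact
    handle_startendtag = handle_starttag
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):  # includes <script>/<style> bodies verbatim
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")
    def handle_pi(self, data):
        self.out.append(f"<?{data}>")
    def handle_comment(self, data):
        self.comments.append(data)

def strip_comments(html):
    """Return (cleaned_html, [(comment_text, looks_base64), ...])."""
    parser = CommentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), [(c, looks_base64(c)) for c in parser.comments]

# Constructed sample: BLOB is base64 of sixteen "A" bytes, not a real payload.
BLOB = "QUFBQUFBQUFBQUFBQUFBQQ=="
SAMPLE = (f"<!DOCTYPE html><html><head><!-- {BLOB} -->"
          "<script>var s = '<!-- not a comment -->';</script></head>"
          f'<body><!-- build 42 --><p title="{BLOB}">hi &amp; bye</p></body></html>')
```

The same blob placed in the `title` attribute passes through untouched, which is the limitation raised in the top message of the thread.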