
Frisky Solitaire – Another Info Stealer

Marcus Murray gave a great talk at TechEd Berlin 2009: “Hack-Proofing Your Clients Using Windows 7 Security”. In one of his demos, he showed a trojaned Excel spreadsheet. The spreadsheet was a simple text-based game, but it had a malicious component that executed surreptitiously while the game was played.

Since I’ve done several hacks with Excel macros in the past, this made me realize that social engineering is the key element in getting people to run macros from a spreadsheet of unknown origin.

Several people have asked me about the details of the vulnerability I exploited in my PDF Info Stealer PoC. But that’s not important. It’s not about the exploit, it’s about the payload: the info stealer. As I wrote in my previous post, I don’t even need an exploit to get users to execute the info stealer. If I put the info stealer inside an Excel spreadsheet and social-engineer the targeted users into enabling the macros, I’ve achieved my goal without exploiting a software vulnerability.

I present you Frisky Solitaire:

Frisky Solitaire is more compelling than text-based Excel games because of the graphics. I took Solitaire from ReactOS, turned it into a DLL and embedded it, together with my memory-loading shellcode, in Excel macros (the same technique I developed for cmd.dll and regedit.dll): the DLL travels as data inside the macro and is loaded straight from memory, so it is never written to disk. I imagine that a simple game like Solitaire in Excel can go viral inside a company, given that many corporations disable the standard Windows games on their desktops and Terminal Servers.

In a crude attempt to social-engineer the male population of a targeted company, I added an element of nudity to the game. The implied message of the game’s title is that winning games increases the nudity. I know, I’m appealing to basic instincts here, but it still does the trick…

So I imagine that this game could become popular with a large part of a targeted company’s male employees, and that they wouldn’t question having to enable Excel macros to play it. Sounds plausible, no?

Of course, you guessed it: Frisky Solitaire is trojaned with an info stealer. No software vulnerability needs to be exploited to steal information. And because here too everything runs from memory and nothing is written to disk, detection by file-scanning antivirus is unlikely.
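That detection claim deserves a caveat a defender will want: the DLL mapped from the macro’s byte array never touches disk, so on-access file scanning does not see it, but the macro source that does the mapping is static and its loader pattern is recognizable. The following is an added example of mine, not code from the original post, that triages extracted VBA source for exactly that pattern. It assumes the VBA has already been pulled out of the workbook (for instance with oletools’ olevba); the two macro samples embedded in it are constructed for illustration, the API names and aliases in them are invented, and the four bytes in the array are NOP/NOP/NOP/RET placeholders rather than any real payload.

```python
import re
from typing import Dict, List, Tuple

# Constructed VBA samples (illustration only, not the post's actual macros).
# The suspicious one has the shape of an in-memory loader: Win32 memory APIs
# declared under aliases, a byte array, and an auto-executing procedure.
# The array holds only NOP/NOP/NOP/RET placeholders, not a real payload.
SUSPICIOUS_VBA = r'''
Private Declare PtrSafe Function vA Lib "kernel32" Alias "VirtualAlloc" (ByVal addr As LongPtr, ByVal size As LongPtr, ByVal allocType As Long, ByVal protect As Long) As LongPtr
Private Declare PtrSafe Function rM Lib "kernel32" Alias "RtlMoveMemory" (ByVal dest As LongPtr, ByRef src As Any, ByVal length As Long) As LongPtr
Private Declare PtrSafe Function cT Lib "kernel32" Alias "CreateThread" (ByVal attr As LongPtr, ByVal stack As LongPtr, ByVal start As LongPtr, ByVal param As LongPtr, ByVal flags As Long, ByRef tid As Long) As LongPtr

Sub Workbook_Open()
    Dim buf As Variant
    buf = Array(&H90, &H90, &H90, &HC3)
    Call NewGame
End Sub
'''

BENIGN_VBA = r'''
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal ms As Long)

Sub Workbook_Open()
    Sheets("Board").Range("A1").Value = "Welcome"
End Sub
'''

# Win32 exports a macro needs to map and run code straight from memory.
ALLOC_APIS = {"virtualalloc", "virtualallocex", "heapalloc"}
COPY_APIS = {"rtlmovememory", "writeprocessmemory", "memcpy"}
EXEC_APIS = {"createthread", "createremotethread", "queueuserapc",
             "callwindowproca", "callwindowprocw"}
# Procedures Office runs by itself when the file is opened.
AUTO_EXEC = {"auto_open", "workbook_open", "workbook_activate",
             "autoopen", "document_open"}

DECLARE_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE | re.MULTILINE)
PROC_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(',
    re.IGNORECASE | re.MULTILINE)
HEX_BYTE_RE = re.compile(r'&H[0-9A-Fa-f]{2}\b')   # bytes of an embedded blob


def triage_vba(source: str, blob_threshold: int = 64) -> Dict[str, object]:
    """Score extracted VBA source for the in-memory loader pattern.

    Returns the resolved Win32 imports, auto-exec entry points, the count of
    embedded hex bytes, a list of reasons and a verdict. Aliases are resolved
    so that renaming VirtualAlloc to vA does not hide it from the check.
    """
    declares: List[Tuple[str, str, str]] = []
    for name, lib, alias in DECLARE_RE.findall(source):
        api = alias or name               # the real export is the Alias if present
        declares.append((name, lib, api))
    apis = {api.lower() for _, _, api in declares}
    procs = {p.lower() for p in PROC_RE.findall(source)}
    auto_exec = sorted(procs & AUTO_EXEC)
    embedded_bytes = len(HEX_BYTE_RE.findall(source))

    reasons: List[str] = []
    if apis & ALLOC_APIS:
        reasons.append("allocates memory from a macro")
    if apis & COPY_APIS:
        reasons.append("copies a buffer into that memory")
    if apis & EXEC_APIS:
        reasons.append("transfers execution to it")
    if any(name.lower() != api.lower() for name, _, api in declares):
        reasons.append("Win32 API declared under an alias")
    if auto_exec:
        reasons.append("runs automatically on open: " + ", ".join(auto_exec))
    if embedded_bytes >= blob_threshold:
        reasons.append(f"embeds a {embedded_bytes}-byte blob")

    score = len(reasons)
    return {
        "apis": sorted(api for _, _, api in declares),
        "auto_exec": auto_exec,
        "embedded_bytes": embedded_bytes,
        "reasons": reasons,
        "score": score,
        # three independent tells is a conservative cut-off for a "game" macro
        "verdict": "suspicious" if score >= 3 else "benign",
    }


if __name__ == "__main__":
    for label, src in (("frisky", SUSPICIOUS_VBA), ("plain", BENIGN_VBA)):
        result = triage_vba(src)
        print(label, result["verdict"], result["reasons"])
```

The point of resolving `Alias` names is that a loader which renames its imports to `vA`, `rM` and `cT` still has to name the real export somewhere in the declaration, so the check keys on that rather than on the procedure name the author chose. The same heuristic misses a loader that resolves its imports at run time via `GetProcAddress`, which is why the verdict is a triage score and not a clean/dirty answer.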

View full post on Didier Stevens


threat info-stealer mem

4 Responses to “Frisky Solitaire – Another Info Stealer”

  1. John McCash says:

    As Ed Skoudis once said to Josh Wright, “Dude … that’s just evil.” – John

  2. Week 10 in Review – 2010 | Infosec Events says:

    [...] Frisky Solitaire – Another Info Stealer – didierstevens.com No need to exploit a software vulnerability to steal info. [...]

  3. Klipper on Security says:

    Search-and-send: Solitaire works fine, too…

    A few days ago, Didier Stevens demonstrated the danger that comes along with PDF files. In his blog he showed how easy it is to spread malicious PDF files in order to search-and-send confidential information to the Internet. In his new posting he does …

  4. Klipper on Security says:

Solitaire, too, searches for and sends out arbitrary files…

After Didier Stevens published a post on his blog describing how a PDF exploit searches a computer for data and then sends it out to the Internet, his latest post achieves the same thing entirely without an exploit. …

