[Req] Clipboard Hijack filter (Flash)
Aug. 19, 2008, 03:00 AM
Post: #1
We now have a POC for the evil Clipboard Hijack thing which has been in the news:
http://blogs.zdnet.com/security/?p=1733
Quote: Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.

According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com.
...

POC:
http://raffon.net/research/flash/cb/test.html

Kye-U, is it possible to strip this hijack as you did with the ani exploit some time ago?

Thanks,
DarthTrader
Aug. 19, 2008, 03:26 AM
Post: #2
Yes, it is possible to kill this hijack if I can find out what the hex values of the function/exploit are. I'll do more reading into it tomorrow!
Aug. 19, 2008, 07:30 AM
Post: #3
What I see with the demo exploit with Firefox on both Windows and Mac OS is that the clipboard has had a URL placed into it which stays there as long as the tab from the site is still open. As soon as I close that tab, the clipboard will then return to normal and accept new content. Same thing with Safari on Mac as well.
Aug. 19, 2008, 11:04 AM
Post: #4
You can download the PoC from here:
http://raffon.net/research/flash/cb/test.swf
Aug. 19, 2008, 08:42 PM
Post: #5
Here's a good blog entry with some sample code:
http://msmvps.com/blogs/spywaresucks/arc...45042.aspx
Aug. 20, 2008, 01:58 PM
Post: #6
http://www.sophos.com/security/blog/2008...g_from=rss
The fact that victims report experiencing these issues after browsing legitimate, popular sites, suggests that malicious Flash is the culprit. The attackers are probably using the setClipboard() method within ActionScript embedded in Flash content. Maybe the attackers have poisoned some ad-stream as a way of hitting large volumes of users?

http://livedocs.adobe.com/flash/9.0/main/00002187.html
setClipboard (System.setClipboard method)
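Post #2 asks which bytes a filter should match and post #6 names setClipboard(); the following is an added example (not code from the thread or from any filter discussed in it) that checks a SWF file for that method name, decompressing "CWS" files first because a raw byte match cannot see the name inside the zlib stream. The function names, the size cap and the sample bytes are assumptions constructed for the example.

```python
import struct
import zlib

NEEDLE = b"setClipboard"      # method name quoted in post #6
MAX_BODY = 64 * 1024 * 1024   # assumed cap on decompressed size


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed bytes that follow the 8-byte SWF header."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    signature, rest = data[:3], data[8:]
    if signature == b"FWS":               # body stored as-is
        return rest
    if signature == b"CWS":               # body is a single zlib stream
        try:
            out = zlib.decompressobj().decompress(rest, MAX_BODY + 1)
        except zlib.error as exc:
            raise ValueError(f"corrupt CWS body: {exc}") from exc
        if len(out) > MAX_BODY:
            raise ValueError("decompressed body exceeds cap")
        return out
    raise ValueError(f"unsupported signature {signature!r}")


def references_set_clipboard(data: bytes) -> bool:
    """True if the method name occurs in the decompressed movie.

    A hit is an indicator for review, not proof of abuse: legitimate
    movies can call the same method.
    """
    return NEEDLE in swf_body(data)


def make_sample(compressed: bool) -> bytes:
    """Constructed test input (header plus padded strings), not a real movie."""
    body = b"\x00" * 64 + b"System\x00setClipboard\x00" + b"\x00" * 64
    tail = struct.pack("<BI", 9, 8 + len(body))   # version, uncompressed length
    if compressed:
        return b"CWS" + tail + zlib.compress(body)
    return b"FWS" + tail + body


if __name__ == "__main__":
    for compressed in (False, True):
        sample = make_sample(compressed)
        # signature, raw byte match, match after decompression
        print(sample[:3].decode(), NEEDLE in sample, references_set_clipboard(sample))
```

For the compressed sample the raw match is false while the decompressed match is true, which is why a filter keyed only on literal bytes in the response would pass compressed movies untouched.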
Sep. 04, 2008, 09:31 PM
Post: #7
Bump. Please see this new Flash malware technique:
http://msmvps.com/blogs/siljaline/archiv...flash.aspx
Sep. 11, 2008, 03:20 PM
Post: #8
Sorry if I sound like I'm having the last laugh...........

Anyone here remember when hpguru and I used to go 'round and 'round about how Flash was able to sneak in under your radar, and pilfer almost anything off your hard drive? The Self-Anointed One proclaimed that it couldn't happen, even though I pointed out, quite clearly, that Flash uses a scripting language that is modeled on, and uses a superset of, JavaScript.

I knew of this 5 or 6 years ago, but I will freely admit that I was a crank, even back then.

BTW, the time since the last malware attack on any of my machines is now up to 8-1/2 years. It's too easy to practice safe hex! Cheers



Oddysey

I'm no longer in the rat race - the rats won't have me!
Sep. 11, 2008, 04:05 PM
Post: #9
you got me beat by roughly one year...
my last will-never-forget-hit was while running Firefox...

i was a year into college and just started a co-op electrical engineering job...
coworkers were using IE and Netscape (Navigator or Communicator, don't recall)...

i was the wet-behind-the-ear college kid that knew EVERYTHING...

i installed Firebird, as it was called at the time, as all of us college kids were "sold" on Phoenix and stuck with it when it renamed to Firebird...

told all the coworkers that they were "stupid" for using IE and Netscape (pre-bloat years, but still bloated nonetheless)...

two weeks pass and the IT department gets called in and it took them two days to fix my computer, an office computer that wasn't used for any warez or p0rn sites, just general browsing...

the ol' wet-behind-the-ears college kid shouting at the top of my lungs for nearly two weeks how Firebird is king, IE/Netscape "sucks", Firebird is "safest", and here i am, the one that gets hit with "something", crashes my computer and nobody can fix it in-house, IT gets called in from out-of-state...

i've used "the dead bird" since, but i do NOT fall to the RHETORIC that it's the "safest" browser - FALSE sense of security, plain and simple...
Sep. 12, 2008, 07:12 AM
Post: #10
Just how does this malware benefit from having forced something into your clipboard? How do they force a paste into somewhere?
Sep. 12, 2008, 08:41 AM
Post: #11
not sure, but a Firefox 2.0.0.16 user at the office has been "complaining" about this problem for about two weeks...

the nuisance, in his eyes, who is dead set convinced that Firefox is the "safest" out there, is, in his view, NOT that "security" has been "compromised", who cares if something is "pasted" to the clipboard, at least 'they' are only WRITING to the clipboard, not READING from it, but the point is that the ONLY way for him to REGAIN "control" of the clipboard for use in OTHER applications is to REBOOT...

i LAUGH at this guy's "false sense of security" about every THIRD DAY when he gets "hit" with a clipboard vulnerability that causes his sound card to start "clicking" or when he gets a popup in Firefox... i am all too happy to incessantly point out to him that i haven't had ANY popups in OVER six-and-a-half YEARS...

in MY eye, a POPUP is a "security risk", you're 'pinging' a web server you had no intent on 'pinging'...
Sep. 15, 2008, 05:19 AM
Post: #12
With the sample exploit, I did not have to reboot to get back control of the clipboard. All I had to do was shut off the Flash item that locked it.