Smoke Loader and Pale Moon

General discussion and chat (archived)
TwoTankAmin
Keeps coming back
Posts: 777
Joined: 2014-07-23, 13:56
Location: New York

Smoke Loader and Pale Moon

Unread post by TwoTankAmin » 2018-07-04, 22:04

I was reading an article on ZDnet:
This password-stealing malware just added a new way to infect your PC
One of the new tactics by the malware involves an injection technique not seen in the wild until just days ago.
By Danny Palmer | July 4, 2018 -
https://www.zdnet.com/article/this-password-stealing-malware-just-added-a-new-way-to-infect-your-pc/

Here is the part which motivated me to post this thread:
While there's still plenty of Smoke Loader attacks which look to deliver additional malware to compromised systems, in some cases the malware is being equipped with its own plug-ins to go straight onto performing its own malicious tasks.

Each of these plugins are designed to steal sensitive information, specifically stored credentials or sensitive information transferred over a browser - the likes of Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird can all be used to steal data.
I am wondering if PM users are at risk. Apparently, the new threat from this attack, which has been around and being modified for some time, normally gets delivered by email. However, it seems it can also get in through a browser.
Last edited by TwoTankAmin on 2018-07-04, 22:06, edited 1 time in total.
“No one has ever become poor by giving.” Anonymous
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"The good thing about science is that it’s true whether or not you believe in it." Neil DeGrasse Tyson

Nigaikaze
Board Warrior
Posts: 1322
Joined: 2014-02-02, 22:15
Location: Chicagoland

Re: Smoke Loader and Pale Moon

Unread post by Nigaikaze » 2018-07-04, 22:24

In that article they (and the Talos blog) describe the initial infection vector as a malicious Word document with embedded macros. One of the linked articles describes other infection vectors as being previously-identified vulnerabilities in Microsoft Jscript & VBscript engines as well as Adobe Flash. Don't allow macros to run in Word docs from untrusted sources, make sure Windows is up-to-date on security patches, and make sure you're running the latest version of Adobe Flash (or better yet, uninstall Adobe Flash) and you should be fine.
Nichi nichi kore ko jitsu = Every day is a good day.

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Smoke Loader and Pale Moon

Unread post by Moonchild » 2018-07-04, 22:31

Although the injection method is nasty and can be used on pretty much any Windows GUI program that is running in the same session, it's still your normal run-of-the-mill trojan that can only latch on to your system if YOU execute it.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

TwoTankAmin
Keeps coming back
Posts: 777
Joined: 2014-07-23, 13:56
Location: New York

Re: Smoke Loader and Pale Moon

Unread post by TwoTankAmin » 2018-07-05, 19:28

I refused to upgrade Flash beyond the last ESR version 18.0.0.382. It is set to ask to run or never run depending on my mood. I do not blindly do Microsoft Windows updates any more. They are often system breakers. The Windows 7 May and June security-only updates had lots of issues, so I passed on them. I do not use macros and have them turned off in Word.
“No one has ever become poor by giving.” Anonymous
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"The good thing about science is that it’s true whether or not you believe in it." Neil DeGrasse Tyson

Nigaikaze
Board Warrior
Posts: 1322
Joined: 2014-02-02, 22:15
Location: Chicagoland

Re: Smoke Loader and Pale Moon

Unread post by Nigaikaze » 2018-07-05, 19:32

TwoTankAmin wrote: I refused to upgrade Flash beyond the last ESR version 18.0.0.382.
Then you are vulnerable.
Nichi nichi kore ko jitsu = Every day is a good day.

Moonraker
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: Smoke Loader and Pale Moon

Unread post by Moonraker » 2018-07-05, 22:23

Nigaikaze wrote:
TwoTankAmin wrote: I refused to upgrade Flash beyond the last ESR version 18.0.0.382.
Then you are vulnerable.
Not really.
I only use the Flash player on one game site, so I am far from vulnerable unless that one particular site became infected.
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

Nigaikaze
Board Warrior
Posts: 1322
Joined: 2014-02-02, 22:15
Location: Chicagoland

Re: Smoke Loader and Pale Moon

Unread post by Nigaikaze » 2018-07-06, 00:11

That's one way to try to mitigate your vulnerability, but as you say, it still leaves you vulnerable. The specific Flash vulnerability exploited here was resolved in Flash version 28.0.0.161. All versions of Flash below that are vulnerable to that particular exploit.
Nichi nichi kore ko jitsu = Every day is a good day.

Moonraker
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: Smoke Loader and Pale Moon

Unread post by Moonraker » 2018-07-06, 15:34

I was using v11.2 of Flash for years on Linux with no issues, but of course Adobe had decided to stop updating Flash on Linux until recently. But for performance the older versions worked just fine.
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

TwoTankAmin
Keeps coming back
Posts: 777
Joined: 2014-07-23, 13:56
Location: New York

Re: Smoke Loader and Pale Moon

Unread post by TwoTankAmin » 2018-07-06, 16:46

I laugh at being told what is safe and not safe. The sad truth is there is nothing safe. What there is are new versions that become safe from old attacks but are then vulnerable to new attacks. Since the dawn of time there have been "safes" and there have also been "safe" crackers.

Here is the thing. I have been using the web since 1998. I have yet to get a virus, to be infected by malware etc. With my current system I gave up using Norton or other external AV program. I do have some anti-malware stuff and I do block most of what sites try to put on my box when I visit. But what keeps me safe is how I do things. Most people get hacked, get malware etc. because they are unwilling to modify their behavior. Some pundits say people get hacked etc. because of what they do. I would put it differently. I say people don't get hacked because of what they don't do.

To paraphrase "Trust but verify" so that it applies to the digital age, "Mistrust until you verify." :D
“No one has ever become poor by giving.” Anonymous
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"The good thing about science is that it’s true whether or not you believe in it." Neil DeGrasse Tyson

Nigaikaze
Board Warrior
Posts: 1322
Joined: 2014-02-02, 22:15
Location: Chicagoland

Re: Smoke Loader and Pale Moon

Unread post by Nigaikaze » 2018-07-06, 23:47

TwoTankAmin wrote: I laugh at being told what is safe and not safe.
In your first post, you specifically asked what sort of risk there was to PM users. It is a fact that the version of Flash that you are running is vulnerable to one of the exploits that this malware uses. If this is your reaction to being told what the risk is, then why do you bother wasting time asking what the risk is in the first place?
Nichi nichi kore ko jitsu = Every day is a good day.

TwoTankAmin
Keeps coming back
Posts: 777
Joined: 2014-07-23, 13:56
Location: New York

Re: Smoke Loader and Pale Moon

Unread post by TwoTankAmin » 2018-07-08, 16:25

Nigaikaze wrote: In your first post, you specifically asked what sort of risk there was to PM users. It is a fact that the version of Flash that you are running is vulnerable to one of the exploits that this malware uses. If this is your reaction to being told what the risk is, then why do you bother wasting time asking what the risk is in the first place?
Well, let me try to explain it to you. Yes, I have an old version of Flash. However, this doesn't in and of itself make me vulnerable to anything if it is not active. So when is it active? Only on a very, very few sites which I tend to trust. So if you were to chart my use of the net and then the amount of time that Flash is in use, we are talking about less than 1% of the time. This is what I mean when I say it is not so much your software which keeps you safe when online, it is your behavior. So when discussing the use of Flash, I can control if and when it runs. Flash is either set to ask or not to load.

Now let's turn to the use of a browser. I have little control over any browser I use. Yes, I can mess around with settings, and yes, I can choose to use software designed to protect me. However, most such software is backwards looking. It only handles what has been discovered. Yes, such programs should be updated regularly. The problem is it is impossible to defend against any attack of which one is unaware. Those doing bad are as smart and skilled as those doing good. The problem is neither I, nor the average user, is in any way equipped to understand any of what really goes on under the hood.

Finally, I can choose not to run Flash and macros. I cannot choose not to use a browser. I must use one to access the net from my PC. (I do not do mobile computing in any form.) But I can choose where I go and what I do on the net.
Last edited by TwoTankAmin on 2018-07-08, 16:25, edited 1 time in total.
“No one has ever become poor by giving.” Anonymous
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"The good thing about science is that it’s true whether or not you believe in it." Neil DeGrasse Tyson

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Smoke Loader and Pale Moon

Unread post by Moonchild » 2018-07-08, 19:08

Bottom line is the risk isn't any greater (or smaller) than any other trojan.
The browser isn't inherently vulnerable to this exploit unless you make it so (by having vulnerable Flash active on sites you can't fully trust -- and even if you trust the sites, are you sure they never use Flash for any other purpose, like an ad? Because that would be when having a vulnerable plugin will bite you...), by opening executable attachments you didn't expect or ask for, or by opening Word documents from strangers and allowing macros to run. The only thing "new" about Smoke Loader is that once it has compromised your machine it will be harder to detect, because it can masquerade as a legitimate program you would normally use. But avoiding getting your system compromised in the first place is your normal defense against this, just like any other malware distributed this way.

So ultimately the bold title of the article is very misleading, but in this day and age of screaming murder at the first hint of something new, I'm not surprised. It's not a "new way to infect your PC"... it's a "new way to hook into your other programs when your PC is already infected".
Last edited by Moonchild on 2018-07-08, 19:15, edited 2 times in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
