Jump to content

I've Been Shot! Thank God For Av!


Pwnd2Pwnr
 Share

Recommended Posts

Hey-row Hak5...

I was browsing new movie releases from Vudu.com. I click on my browser, proceed to type "vudu.com" and the DUH DUH DUH of Kaspersky told me that the site attempted to download a trojan. Great... so I called vudu, cancelled my account, and decided to see what the hell was going on. I ran a check against the script... and... well... scan the site with an audit tool (i like w3af) and tell me what you find. Can I post my results? Ehhh.... not sure if that is breaking TOS...

once I get permission from one o the admins... I will post my results... until then... can someone recreate my lab test and check the script on Vudu.com?

I don't think auditing is illegal... but who knows in the snowball effect of policy makers...

Link to comment
Share on other sites

Normally, I would think that... but I checked the scripts... the cache was not from the Vudu.com server... this was verified on the phone. The lady said she had worked there for years and never has had that issue. I was frankly upset... I have spent A LOT of money through there UV service. But, as I was telling her of the issue, she said that there servers were down. Now, unless I am a person that leaves all coincidences at the door, I would agree, "Hey, it is just a false positive."... but the fact the servers were acting strange and that they "reset themselves", as the lady put it, is a great cause for alarm. Recreate my lab, bobby, I wonder if you will see the faults in the js as I did...

Link to comment
Share on other sites

No I sure didn't look at the site buddy. However I do go to several sites, one being tuts4you.com, which is a tutorial site and it's blocked by Kaspersky. I also have a friend who recently who wrote a completely legitimate packer, he posted it on his blog, and 2 days later every piece of software using that packing is blocked and flagged as a trojan because the av developers are too lazy to figure out how to unpack it and would rather just block all software using it, legit or not.

Flip side to that coin, is that I've built .exe's that while they were packed and had a small level of obfuscation, they had very transparent and known malicious windows API calls and they were undetected. Most av's don't even verify DNS integrity which would take like 10 lines of code and stop tons of attacks. Many don't verify hosts file entries either. Who knows, maybe the site you went to did get pwned, but I don't trust in av's so much.

Link to comment
Share on other sites

No I sure didn't look at the site buddy. However I do go to several sites, one being tuts4you.com, which is a tutorial site and it's blocked by Kaspersky. I also have a friend who recently who wrote a completely legitimate packer, he posted it on his blog, and 2 days later every piece of software using that packing is blocked and flagged as a trojan because the av developers are too lazy to figure out how to unpack it and would rather just block all software using it, legit or not.

Flip side to that coin, is that I've built .exe's that while they were packed and had a small level of obfuscation, they had very transparent and known malicious windows API calls and they were undetected. Most av's don't even verify DNS integrity which would take like 10 lines of code and stop tons of attacks. Many don't verify hosts file entries either. Who knows, maybe the site you went to did get pwned, but I don't trust in av's so much.

I like how you put that. I see your logic and I agree with you. I reported the issue to a friend of mine in Nashville, and he said what you said. But, to add an admin to any given server, it needs to reset its root, right? Maybe I am being overly cautious, but hey, it beats the hell out of getting my information stolen (if it hasn't already :[). Thanks, bobby, you get the metaphorical cookie! It is macademia nut with white chocolate!

Link to comment
Share on other sites

  • 3 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...