Win 8 CAPTCHA Malware

Wednesday, July 3, 2013 @ 10:07 AM gHale


A social engineering trick could work to disguise the OK to run malicious code on Windows 8 machines.

A keyjacking technique, uncovered by Italian security researcher Rosario Valotta, is similar to clickjacking. The catch is, however, instead of fooling victims into generating fake Facebook likes, the keyjacking involves disguising a “run executable” dialogue box within a CAPTCHA challenge.

RELATED STORIES
Trojan Speaks Local Languages
Trojan Takes Over Google Docs
Trojan Uses Fake Adobe Certificate
Botnet Hurt, so are Researchers

Attackers cover up the dialogue box with a window that looks like a CAPTCHA, with R as the first character a victim can type in. This R input authorizes the computer to Run a downloadable file on a potential attack page.

Valotta created a proof-of-concept demo that shows how a sign-up to a movie-streaming site can end up loaded with a fake CAPTCHA challenge that executes potentially hostile code, providing users press “R”.

“The attack technique allows for remote code execution on Internet Explorer and Google Chrome with a minimum user interaction. I’m actually talking of typing one key [on IE] or making one click [on Chrome],” Valotta said.

The attack works on IE9 and IE10 (Windows 7) and on Chrome for Windows 8, said Valotta, who added the approach doesn’t work on IE8 because the browser features pop-up warnings.

The basic ruse behind the attack is not new, but Valotta’s research shows the approach works on Windows 8 machines and not just in older executable warnings on Win 7 and earlier versions of Windows.

There are a couple of limitations to the technique, even on Win 8 machines with improved clickjacking defenses. First, the malign application needs to make it past Microsoft’s Smartscreen Reputation check.

The other hurdle is the attacker would need to defeat Microsoft’s User Access Control, which enforces a warning whenever an application requires administrative privileges.



Leave a Reply

You must be logged in to post a comment.