Hacker News new | past | comments | ask | show | jobs | submit login

I may be wrong, but these days doesn't malware have a loader (which has a hook in the boot cycle at some point) and a payload (which usually poses as an innocent file tucked away on your system somewhere). Even if you wholesale recover your data and include the payload, there is no loader hooked into your newly-installed system, rendering the payload a digital bullet without a corresponding gun. As far as I'm aware, infecting your MP3s or JPEGs was more something ye olde worms did, no?



Trying to make distinctions like this gets you back to "figuring out how you were owned", i.e. determining the transmission vectors and threats.

The reality is that decoders for complex file formats often have buffer overrun and code execution flaws. If such mechanisms were used in the original attack or if the malware has worm-like abilities to extend the attack from your compromised machine, then wouldn't it me likely that more such corrupted data is also being staged to your machine?

Also, a very real risk would be the huge number of little scripts and configuration files which offer embedded scripting syntaxes. A naive victim might think they can install a new OS and just "recover their custom configuration files", but they are really recovering the attacker's configuration which can include the actual malware activation or other fail-safe reinfection mechanisms.


The loader hook could well be in your .profile. Or the infection vector could be a naughty PDF just waiting to be thumbnailed again after a reinstall.


Could you elaborate are you referring to a specific PDF vulnerability? Could you share a link to it? Thanks.


This should do:

> In the first demo, I just select the PDF document with one click. This is enough to exploit the vulnerability, because the PDF document is implicitly read to gather extra information.

> In the second demo, I change the view to Thumbnails view. In a thumbnail view, the first page of a PDF document is rendered to be displayed in a thumbnail. Rendering the first page implies reading the PDF document, and hence triggering the vulnerability.

> In the third demo, I use my special PDF document with the malformed stream object in the metadata. When I hover with the mouse cursor over the document (I don’t click), a tooltip will appear with the file properties and metadata. But with my specially crafted PDF document, the vulnerability is triggered because the metadata is read to display the tooltip…

https://blog.didierstevens.com/2009/03/04/quickpost-jbig2dec...


There were wormable vulns in both ffmpeg-thumbnailer and Gnome’s thumbnailer in the past months.

So you shouldn’t trust that this doesn’t happen again.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: