Hello, welcome to the Monday, March 6th, 2017 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier looked at some recent malware and found that the malware doesn't use standard image hosting sites to load its images from

at least for one of the images.

It was using an unsuspecting third-party site that just happened to have the right progress

bar image that this particular malware author liked. This can have some bad repercussions

for the site hosting the image as it may show up now in various threat intelligence reports

as an indicator of compromise leading back to the site being blocked.

Really unfortunate if this happens to you and not terribly much you can do about it, you can prevent some of this deep linking by looking for referrher headers and blocking any foreign

referr headers from your site. But again, remember, referrer headers aren't always

sent, so you have to at least allow for requests that don't send a referer at all. And if you would

like to learn more about analyzing malware, in particular de-obsuscation, DDA put together a nice example of an obfuscated malicious document.

In this case, additional characters were used to pad and obfuscate the malicious code.

The DA will show you how to remove the padding characters and how to reverse the embedded PowerShell script

in this particular case.

Also interesting but not really new that the script does take advantage of the event viewer

exploit to bypass UAC.

And as a reminder, it's not just Adobe's PDF reader that is vulnerable.

Fox IT has a patch for its fandom PDF and PDF reader product.

So in case you use these products to evade Adobe exploits, make sure you patch it soon.

They have certainly been exploited in particular against the

Fox ID PDF reader in the past. And Google's SHA-1 collision has been put to use to

...