Hello, welcome to the Tuesday, September 11th, 2018 edition of the Sansanet Storm Center's

Stormcast. My name is Johannes Ulrich and if I'm recording from Jacksonville, Florida.

It's always great if we get malware samples from readers and listeners. The latest one we got wasn't so far remarkable in that

the reader noticed that the PowerShell script that sort of started it all did search for two

very specific strings. These two strings, Dikona and Clyrod 3, were used to extract malware from a link file.

Now, the way this worked is that the attacker used the find string command.

That's essentially your crap for Windows.

And then the link file included additional data at the end of the proper link file that then

turned out to be the malware after it was extracted using the find string command.

It appears that this trick does fool some anti-malver because it only scans the proper link

file and nothing then beyond the end of

this file or what it considers the end of the file.

And we have another reason why blacklists don't work.

Apparently the Tor browser, which still includes the old style NoScriptScript plugin can be tricked into executing arbitrary

JavaScript just by using a somewhat malformed content type adder. If you're using text slash

HTML semicolon slash JSON, then JavaScript is being executed even if no script is in its strict security setting

that's supposed to prevent any JavaScript from running.

This only worked in the old Torprowser 7, not in the current version Torprowser 8,

and with auto update, you're probably not going to get exposed to the old

version of Tor browser. I think it was yesterday that talked about AdWare Doctor, which

was somewhat suspect software that was removed from the App Store after it turned out that it leaked users' browser

history. Well, turns out that advert doctor wasn't alone and that shouldn't really be a big

...