Malware and pirated ebooks

[DNSB]

Interesting item in The Hacker News on pirated ebooks now being used by ViperSoftX malware for attacks. There have been proof of concept ebooks with malware for years but looks like they have finally been weaponized though this is more due to using .rar archives to store them.

See ViperSoftX Malware Disguises as eBooks on Torrents to Spread Stealthy Attacks for more information.

[Sirtel]

Seems to me that the ebooks themselves don't contain malware, the archives do. Why should anyone want to run an unknown executable from a random rar archive when they actually wanted an ebook is beyond me, but people are capable of doing some very stupid things.

[theducks]

Many (Many) years ago, I had a case where Norton AV, checking my email, actually caused the deployment of a virus in an archive attachment.
(They fixed that flaw within hours)
The actual e-mail was SPAM, that I did not even open and sent to the bit bucket.. But the damage was already done.

[Quoth]

Quote:

Originally Posted by Sirtel

Seems to me that the ebooks themselves don't contain malware, the archives do. Why should anyone want to run an unknown executable from a random rar archive when they actually wanted an ebook is beyond me, but people are capable of doing some very stupid things.

Agree with all of that.


I think it must be a slow aday for Hacker News.

[j.p.s]

Quote:

Originally Posted by Sirtel

Seems to me that the ebooks themselves don't contain malware, the archives do.

That might change, since EPUBs support javascript.

[JSWolf]

Quote:

Originally Posted by Sirtel

Seems to me that the ebooks themselves don't contain malware, the archives do. Why should anyone want to run an unknown executable from a random rar archive when they actually wanted an ebook is beyond me, but people are capable of doing some very stupid things.

Click here to infect your computer

OK. CLICK

[Cactus Chef]

Do RAR's even offer much compression on an EPUB? The other day I was trying to send my wife some EPUBs over email and tried zipping them to get them under the 25mb attachment limit, but the ZIP file barely shaved more than a meg or two off the filesize versus just sending the EPUBs individually. 7-zip wasn't much better, and I couldn't guarantee that she had 7-zip installed on her PC. I ended up just sending her two emails.

[DiapDealer]

Hardly matters on Windows these days. Defender is flagging/deleting just about every downloaded archive that contains executables as a severe threat (including executables that Defender doesn't flag when downloaded uncompressed). Quite annoying actually. You don't want to tell Defender to stop scanning ALL downloaded archives, but ... sheesh! Not everything out there is Wacatac.B!ml. Dial it down a notch Microsoft!

[j.p.s]

Quote:

Originally Posted by Cactus Chef

Do RAR's even offer much compression on an EPUB?

An EPUB is a zip file. Zipping a zip is never going to give significant further compression. In some cases the file will get larger. Using a different general purpose compression algorithm on an already well compressed file will be unlikely to result in significant further compression.

[ownedbycats]

Quote:

Originally Posted by Sirtel

Seems to me that the ebooks themselves don't contain malware, the archives do. Why should anyone want to run an unknown executable from a random rar archive when they actually wanted an ebook is beyond me, but people are capable of doing some very stupid things.

From the article:

Quote:

Attack chains propagating the malware are known to employ cracked software and torrent sites, but the use of eBook lures is a newly observed approach. Present within the supposed eBook RAR archive file is a hidden folder as well as a deceptive Windows shortcut file that purports to be a benign document.

Quote:

Attack chains propagating the malware are known to employ cracked software and torrent sites, but the use of eBook lures is a newly observed approach.

Yeah, it's an issue with RAR files, not ePubs or AZW3s or MOBis. That RAR could be holding a cracked game or a bunch of porn pics and still have the malware.

A few years ago there was a "WinRAR" vulnerability - except it wasn't actually WinRAR, it was a vulnerability in unacev2.dll and would affect any archive program using that specific library.

[jackm8]

Quote:

Originally Posted by ownedbycats

From the article:
Yeah, it's an issue with RAR files, not ePubs or AZW3s or MOBis. That RAR could be holding a cracked game or a bunch of porn pics and still have the malware.

A few years ago there was a "WinRAR" vulnerability - except it wasn't actually WinRAR, it was a vulnerability in unacev2.dll and would affect any archive program using that specific library.

I don't think that it's about rar files at all. If I read this right, there's a shortcut that looks like a book file (kamasutra.epub.exe), that then installs this trojan.

Quote:

Present within the supposed eBook RAR archive file is a hidden folder as well as a deceptive Windows shortcut file that purports to be a benign document.

[DiapDealer]

How does kamasutra.epub.exe look like a book file? Surely even the most novice potential book thief knows that ebooks aren't executables.

[PeterT]

Quote:

Originally Posted by DiapDealer

How does kamasutra.epub.exe look like a book file? Surely even the most novice potential book thief knows that ebooks aren't executables.

Remember that by default Windows does not display file type.... So after expanding the archive they will see kamasutra.epub in the folder....

[theducks]

Quote:

Originally Posted by PeterT

Remember that by default Windows does not display file type.... So after expanding the archive they will see kamasutra.epub in the folder....

and the reverse is also true.
If that (no ext)is set, then RED flag if there is one showing

LOGIC
I get security emails from my bank (and ISP) Frequently.
The Flag??? They come in on the WRONG email account. Many ISP allow alias/additional mailboxes as part of your subscription.

Hint: The bank never uses my theducks account

[DiapDealer]

Quote:

Originally Posted by PeterT

Remember that by default Windows does not display file type.... So after expanding the archive they will see kamasutra.epub in the folder....

I get that, but I'm still not seeing why this is an ebook thing. In my mind, anything that might possibly make people think twice about downloading illicit versions of ebooks from pirate sites (or gets their computer trashed for being ignorant/arrogant enough to do so) is a good thing. This is not a reason to fear being infected by legitimate ebook resources.

There's certainly vectors in ebooks themselves that can be exploited, but this doesn't seem like one of them. Any reading engine that allows epubs to access/modify files outside of the ebook's own archive (without the user giving explicit permission for them to do so via default preferences modification) is a shoddy reading engine.