malware – Is Firefox’s new JavaScript support within PDF files a security concern?

Historically, we have learned that many security vulnerabilities and exploits have resulted from allowing document files to contain executable code, whether it be JavaScript, VBScript, another scripting language, or even macros.

As such, since the first days that JavaScript could be embedded into PDF files, I have disabled JavaScript support within every PDF reader and editor I have used. Many colleagues have done the same.

According to the pre-release notes for Firefox 88, which is being pushed to the public any hour now:

We (Mozilla) keep on working on improving our PDF forms support and now support JavaScript embedded in PDF files (some PDF forms use JavaScript for validation and other interactive features). If you find any bug with this feature, please file an issue on the PDF.js repository.

On the surface, this sounds quite concerning from a security standpoint. Although, hopefully, any code executed from a PDF file will have at least the same security in place as JavaScript run from a website, the source and control of PDF content being loaded is often very different than a website.

For example, let’s take google.com (as Henny Youngman would add, “please”). Assuming a non-compromised connection, any JavaScript code running on that domain would be written by Google developers (for better or worse). But if you perform a search for PDF files on google.com, you’ll be presented with literally billions of PDF files, each of which could be written by any random person. And each could contain JavaScript code written by literally anyone. With PDF JavaScript support enabled within the browser, any PDF file you click on to read could now run arbitrary code on your computer.

Is this a security concern? And if so, can it be disabled?

privacy – What’s the best way to protect my rooted Android 7 from malware and hacking?

Considering I have to use cellular data and not being connected to the internet is not an option, what measures can I take or tools can I use to keep myself protected from prying eyes?

My first step will be to do a clean rom flash in case I’m infected already, but as soon as I do that, I’d like to ensure that I remain clean and protected because I would be using my phone for very private data. What can I do? Besides the obvious and common sense stuff of course.

Android 7 | Rooted | Moto C Plus

malware – What’s the point of Empire if all payloads get flagged?

I’ve been reading about how powerful frameworks such as Empire and Metasploit are but I’m confused about something.

Say I gain access through a custom reverse-shell which I self-coded (so it bypasses AVs). Now, for privilege escalation, I want to have a meterpreter/Empire session.

How can I do that if the payload generated gets instantly removed by the AV?

What could re-enable UPnP on a router apart from malware?

I’m the sole person who has access to this router. I turned UPnP off and have twice found it turned back on in recent weeks. The router is an Asus DSL-AC68U.

I have a VPN running at the router level, installed about a month ago. I’ve recently updated the firmware on it too, but after extensive searching neither of those should have affected it. The only thing I’ve come across is that there must be malware inside the network.

Can someone please advise?

[Update] Today I’ve realised the auto logout feature is no longer working, something known to Asus routers, which was fixed 5 years ago. This seems strange. Can anyone else corroborate this?

malware – Check USB mouse for malicious code

When I first used this mouse and keyboard, my PC died shortly after. Today I used it and it somehow corrupted my Linux.

I once put a clean Linux on a laptop and plugged this mouse in and left it, several times the laptop came out of sleep without being touched.

I have suspicions that it’s effectively a “rubberducky” and delivering a payload.

Is there a way to determine the risk? Can I install hard or soft USB monitoring?

Here’s a link to the mouse.

malware – DUBIOUS CHINESE GAMING MOUSE

Today I used SketchUp and thought I’d use my 7-button gaming mouse. The mouse is a [www.kuiyn.com T6] (no such website). When I was gifted this mouse and keyboard [FELICON] I used it immediately and the PC died shortly after. Today I used it and it somehow corrupted my Linux.

I have suspicions that it’s effectively a “rubberducky” and delivering a payload.
I once put a clean Linux on a laptop and plugged this mouse in and left it; several times the laptop came out of sleep without being touched.

This was bought from Amazon and is still available. Is there a way to determine the risk? Can I install hard or soft USB monitoring?

Here’s a link, not to promote it but to show its existence.
https://www.amazon.co.uk/UrChoiceLtd-T6-Ergonomic-Keyboard-Standard/dp/B01M1VB1ZZ/ref=pd_day0_2?pd_rd_w=axnut&pf_rd_p=8ec13b8a-30d2-48fc-8503-84c56766370d&pf_rd_r=3TAEBNKBENSGBF6K8GPQ&pd_rd_r=5fa22003-87aa-4ba0-bbb9-63edb90fc5eb&pd_rd_wg=BeZ1l&pd_rd_i=B01M1VB1ZZ&psc=1

windows 10 – How to scan for malware and download a pdf within an ftp address?

This top result of a Google search for positive semidefinite matrices diffusion mri: ftp://ftp.cc.ac.cn/pub/home/dyh/papers/ChenDaiHanSun-SIIS2013.pdf is impossible to open, even though there is no password requirement.

It calls for an app or extension to open it, so I looked for a PDF extension to no avail.

The FTP protocol presumably makes the site unrecognized by VirusTotal.

How can I make sure the site is safe, and download this pdf in Google Chrome (Windows 10)?

Stop malware from being executed by launchd

I’ve got this program running on my computer, /var/root/Library/Application Support/.SectionChannel.dp/SectionChanneldd, which Norton has identified as the malware OSX.Malcol. However, Norton has been thoroughly unhelpful in doing anything about it. I’ve tried deleting the file as well as sending a SIGKILL to the running process. However, it keeps restarting.

Digging further via Activity Monitor, I discovered that the parent process is launchd. How can I figure out what is causing launchd to execute this program and stop it? Resetting my computer does not fix the issue.
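The question above has no answer on the page. As an added example, not code from the original post, here is a POSIX shell script that performs the check a responder would run first on a Mac where a killed process keeps being respawned by launchd: search the LaunchAgents/LaunchDaemons directories for a property list that references the flagged binary path. The binary path is the one quoted in the question; the plist files, the `com.example.*` labels and the `--scan` switch are constructed for this demonstration and are not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original post: find launchd job definitions
# (LaunchAgents/LaunchDaemons plists) that reference a given program path.
# A job with KeepAlive set is the usual reason a killed process comes back.

# Path named in the question.
TARGET='/var/root/Library/Application Support/.SectionChannel.dp/SectionChanneldd'

# Directories launchd reads job definitions from (per-user and system-wide).
launchd_dirs() {
    printf '%s\n' \
        "$HOME/Library/LaunchAgents" \
        /Library/LaunchAgents \
        /Library/LaunchDaemons \
        /var/root/Library/LaunchAgents
}

# find_launchd_refs PATTERN DIR... : print every .plist under DIR... whose
# contents contain PATTERN (fixed-string match, so dots in paths are literal).
find_launchd_refs() {
    pattern=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.plist' 2>/dev/null | while IFS= read -r f; do
            if grep -Fq -- "$pattern" "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

# Constructed demo: a temporary tree with one plist that references TARGET
# (with KeepAlive, as a persistence job would) and one benign plist; prints
# only the matching file, then cleans up.
demo_constructed() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/LaunchDaemons"
    cat > "$tmp/LaunchDaemons/com.example.sectionchannel.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sectionchannel</string>
  <key>ProgramArguments</key><array><string>$TARGET</string></array>
  <key>KeepAlive</key><true/>
</dict></plist>
EOF
    cat > "$tmp/LaunchDaemons/com.example.benign.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
</dict></plist>
EOF
    find_launchd_refs "$TARGET" "$tmp/LaunchDaemons"
    rm -rf "$tmp"
}

# `--scan` (hypothetical switch for this example) checks the real launchd
# directories; run with sudo so the root-owned ones are readable.
if [ "${1:-}" = "--scan" ]; then
    launchd_dirs | while IFS= read -r d; do find_launchd_refs "$TARGET" "$d"; done
else
    demo_constructed
fi
```

Once the plist is located, `launchctl list` shows whether its Label is currently loaded; the job has to be unloaded with `launchctl unload <plist>` before the plist and the binary are deleted, otherwise KeepAlive restarts the process as soon as it is killed.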

Trying to investigate a url serving malware, creating domains on the fly

I searched Google for “honda firmware dump”, and starting on page 2-3, several results start showing for URLs whose domain ends in (.it). I want to uncover what kind of malware is getting served, if any, or whether it’s just ad tracking. The fishy thing for me is that if I visit any of these URLs, starting from the Google search result link in a new private browser window, it redirects to a new domain each visit, and each of these new domains is getting created/registered on the fly in real time, because a whois search shows a registration date the same day as the visit (today). For example:
Google search result of:
hXXp://eiag.sciclinelcuore(.)it/ecu-dump-files.html

When clicked from the Google search result link:
hXXps://www.google(.)com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjSyNTq7OPvAhVIZ80KHX6jCDU4ChAWMAV6BAgGEAM&url=http%3A%2F%2Feiag.sciclinelcuore.it%2Fecu-dump-files.html&usg=AOvVaw2AxAsBBEl2cRDpzPY53-Nx

it will redirect to a domain that was just registered the same day as the visit, and append params to the URL which send some data, which I am worried could be info on what OS/browser to exploit, similar to what the NSA is known to do:
hXXps://section72quietspeed(.)live/tnhxiaix/?u=tqck80z&o=zdqr96x&t=trafback&cid=1evqsidf70p70&f=1&sid=t4~p35dtet2005dffg5v3i3bny3&fp=4HY03UMz4xihwwSxgWzHv3%2BFvsCeTeczYyN9Nej1D9 + a bunch more encoded characters

I ran an any.run report on the link, and it showed some malicious activity; I would be curious to know what it does: https://app.any.run/tasks/4fc79b4d-b3ea-4f81-a096-51864ccff9e3

VirusTotal doesn’t seem to follow the full redirect sequence but still found some suspicious things: https://www.virustotal.com/gui/url/b084279b1bb7a601fe1db2998d4da142ae92fff7059914868902afed9abcf231/details

A few examples of the domains getting created on the fly, the same day as the visit:
https://who.is/whois/section72quietspeed.live

https://who.is/whois/type93yardbase.live

https://who.is/whois/cook43burnrain.live

What kind of actor could this be?