 Kiwi Premium join:2003-05-26 USA
2 edits | reply to eburger68 Re: Anatomy of a Drive-by-Install
Strange really, in some respects - I use IE, but as noted no ActiveX or Java unless needed. Firefox has become a popular hunting ground, so it's moot whether one uses IE or Firefox!
The Java disable noted by ElJay is most important; JavaSun is great if one knows how to configure the latest updates ;)
Of course safe hex is the answer to most problems people suffer. Few 'surfers' realize the value of the 'electronic condom'.
Cheers -- 2.66g/533fsb Intel CPU @ 3.48g 512meg Twinmos PC3700~466 DDR @ 2.8v -PCpower&Cooling 512. ATI 9500 Pro @ 9700 Pro @1.6v -- AMD ASUS A7N8X-E ~ 2500+ @3200 ATI 9500 Pro, Corsair 512LL.-- Aristotle.net
PavTheMan join:2002-05-10 UK
reply to Shriyash
said by Shriyash: plus I have an online TV app which needs Java to run. oh and not to mention pr0n. Java is indispensable. :D
Well you shouldn't need Java to see pr0n, er...... apparently.
I just avoid any site that won't show me pics or vid clips without Java. There are plenty of free ones that will.
Besides, P2P-ing for pr0n is, IMHO, a lot safer and more fruitful than those websites. Just run it as a limited account and lock it down.
-- No Thanks Fritz, I'll Decide Who To Trust
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to Shriyash
Yes, I'm seeing it upside down. I played it more than once hoping it would right itself but no luck. Maybe I don't have the right codec for it. Ahhh... I didn't think about this sooner but I suppose I could flip the screen with nVidia and invert it and then it would be right side up. Of course the Winamp controls would be upside down but that might not matter. I'll try that tomorrow.
I didn't realize you need Java for online TV. I avoid Yahoo but yeah if you like launchcast and pron! then I suppose you do need Java.
-- The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789
  Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA
reply to eburger68
You are seeing the video upside down? I viewed it again in Winamp and Windows Media Player (10), and it plays fine here. One of my favourite sites is launch.yahoo.com, and you need Java to play launchcast. Plus I have an online TV app which needs Java to run. Oh and not to mention pr0n. Java is indispensable.
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to Shriyash
That video plays upside down! Can't watch that.
I see Spazbox no longer exists? I guess all this publicity drove the site off?
I still can't believe anyone would click through the expired certificate warning or would install that very suspicious ActiveX on IE or any of those things. If you are that ignorant then you have no business owning a computer. Plus what sites are people going to where they see a lot of Java applets? I NEVER see Java applets except when I go to the Speakeasy sites to speed test. I don't even have Java for Fx which I use 90% of the time. I don't need Java so I sure wonder what kinds of sites people are visiting that use so many Java applets.
diver196 join:2003-12-09
reply to eburger68
Really great info. Just remember, in most cases the user does have to let the spyware onto his/her machine by giving consent, even if not informed.
-- Only those defenses are good, certain and durable, which depend on yourself alone and your own ability. The Prince, by Niccolo Machiavelli.
  Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA
reply to eburger68
Oh my god! You guys have to see this video for yourself. It's a short clip, 1.2 MB, but it's an 'experience' watching it. Whew! Here's the link again: »netrn.net/spywareblog/archives/2···e-weave/
Just click on the "spazbox video" on the above link, and see for yourself.
180sucks @zoominternet.net
reply to eburger68
I'm surprised nobody has sued these companies' butts off into total submission... If I had a business computer and had it trashed by these guys, I would OWN 180search assistant, and burn all the crap they use to create this stuff, then I'd wipe my *** with any piece of life, money, or dignity these guys had left.
paperghost join:2005-04-13
reply to B
Thanks B - though as it's turned out from new discoveries, the .xpi is (in yet another strange twist) possibly the least of our worries. How about a potential 30,000-strong botnet through IRC? I've discovered that in all likelihood, this is where Spazbox.net's huge traffic is coming from despite not being listed well (if at all) in search engines. However, it just raises more and more questions...!
»www.revenews.com/wayneporter/arc···tml#more
 B Premium,MVM join:2000-10-28
reply to Paperghost
Thanks, Paperghost.
Unfortunately, as with most things Mozilla, I don't trust them to implement Java whitelisting with any diligence. (The "whitelisted" XPI sites, for example, are an empty list and disabled by default in the Moz suite, and the Fireweasel has but a single whitelisted site. This is nearly useless.)
Your update addendum was new to me though:
In my original tests, I found that disabling software installs in Firefox would send the page into a tailspin - and I couldn't figure out why. Someone from a Firefox forum suggested that this behaviour only happens when a Firefox-specific install (in other words - an XPI) is attempted. Check out the below, lifted from the JavaScript installer served from ysbweb.com:
if (InstallTrigger.updateEnabled()) { InstallTrigger.install({'Content Access Plugin 1.01' : ''}); } else { location.replace(''); }
The code above tries to load in a piece of rogue Firefox .xpi. This is a rather crude .xpi installer to load xxx toolbar into IE - it's currently being examined by some of our "file curious" members.
By chance, I happened to stumble upon a bunch of other sites that (last year) tried similar .xpi installs, which Mozilla put out a fix for, rather quickly. Upon revisiting these sites - they now all use the Java applet alongside the .xpi install, and it's possible the .xpi's have been updated, which is why they're now currently being looked at (to see how they work alongside the Java).
So after all the chaos and "browser warring" that erupted over this whole thing, it actually turns out there was "Firefox spyware" buried away in the code. Interesting stuff.
-- B -- In a realm outside causality and function
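A way to audit a Firefox profile for the three doors discussed in this post and in ElJay's Java Control Panel post (web-triggered XPI installs, the install whitelist, and the Java plug-in), as an added example that is not code from this thread, from Mozilla or from any poster; it assumes the Firefox 1.x pref names xpinstall.enabled, xpinstall.whitelist.required and security.enable_java, and the sample pref files are constructed:

```javascript
// Added example (not code from the thread): reads Firefox 1.x prefs.js/user.js text
// and reports whether the drive-by doors the posters discuss are open: web-triggered
// XPI installs, the install whitelist, and the Java plug-in. Pref names are real
// Firefox 1.x prefs; the sample pref files below are constructed.
const PREF_LINE = /^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$/;

function parsePrefs(text) {
  const prefs = {};
  for (const line of text.split("\n")) {
    const m = PREF_LINE.exec(line);
    if (!m) continue;
    const raw = m[2].trim();
    if (raw === "true" || raw === "false") prefs[m[1]] = raw === "true";
    else if (/^-?\d+$/.test(raw)) prefs[m[1]] = Number(raw);
    else if (raw.startsWith('"') && raw.endsWith('"')) prefs[m[1]] = raw.slice(1, -1);
  }
  return prefs;
}

// Findings list; empty means all three doors are shut. Missing prefs are read as the
// Firefox 1.x defaults: installs allowed, Java on, whitelist required.
function checkDriveByPrefs(prefs) {
  const findings = [];
  if (prefs["xpinstall.enabled"] !== false) {
    findings.push("xpinstall.enabled: web pages may trigger XPI installs");
  }
  if (prefs["xpinstall.whitelist.required"] === false) {
    findings.push("xpinstall.whitelist.required: any site may raise the install prompt");
  }
  if (prefs["security.enable_java"] !== false) {
    findings.push("security.enable_java: Java applets (and their 'accept' prompts) can run");
  }
  return findings;
}

// Constructed: a stock profile (a page can still push an XPI or launch an applet).
const STOCK_PREFS = [
  'user_pref("xpinstall.enabled", true);',
  'user_pref("security.enable_java", true);',
].join("\n");
// Constructed: installs off and the Java toggle off, as the thread recommends.
const HARDENED_PREFS = [
  'user_pref("xpinstall.enabled", false);',
  'user_pref("xpinstall.whitelist.required", true);',
  'user_pref("security.enable_java", false);',
].join("\n");

console.log(checkDriveByPrefs(parsePrefs(STOCK_PREFS)));    // 2 findings
console.log(checkDriveByPrefs(parsePrefs(HARDENED_PREFS))); // []
```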
johnpro join:2005-03-11 Brisbane Oz
2 edits | reply to eburger68
It's purely a convenient coincidence that Integrated Search Technologies happens to be using an expired certificate from a CA not yet "trusted" by users (most of whom won't understand what it would take to "trust" a CA/issuer in the first place).
*************
I have never trusted "trust us certification" for a number of reasons.
Trust is built up over time. Anyone can claim they are trustworthy.
Look at Truste certification for example. This company certifies that giants such as Microsoft and Intel are trustworthy. I happen to agree with them.
However they also certify that dubiates such as idownload and lycos are also trustworthy.
As one scribe recently wrote ...can Truste be trusted!
My emails to Truste were just ignored when I asked them to clarify their position of certification on many of the bad guys in the industry.
Verisign et al also have difficulties. Most players do not know the significance of these certificates anyway.
jp
 Bobby_Peru Premium join:2003-06-16
1 edit | reply to B
Weasel Java Toggle
B, in addition to ElJay's Java Control Panel configuration pointer, putting the Java Toggle on the toolbar (from one of those button extensions, Pref Buttons, or ToolBar Enhancements?), with strict instructions to keep it deselected, and to inquire if a page/task fails, but not to select it without first checking, has worked for me, and the somewhat clueless newbies.
For my own installs, I keep the JavaScript (Per Tab) Toggle right next to it, as well.
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to ElJay
Thank you. The video codec worked and I viewed both movies. The IE one is so obvious that no one would install that! It shows you the EULA. Why would anyone accept that? It clearly indicates it is advertising.
The Fx one is even more suspicious. Why, if I did not have Sun Java, would I agree to install something so OBVIOUSLY WRONG? The install is not for Runtime Environment 5.0 but for some weird something called "update 1". Red flag, red flag! Geez, I'd be outta there in a second! Secondly, the certificate is OBVIOUSLY BAD. Again, no one would trust that!
There is nothing confusing about the install on either browser. If users are so ignorant that they can't see all the red flags here then they had better either get rid of their computers or learn something about their computer. I was ignorant when I got my first computer but I started learning immediately and have never stopped. If you want to have a computer you have to be willing to learn continuously.
The one bad thing I do see is that the install on IE 6 SP1 (which I use) is HIGHLY DECEPTIVE since nothing happens and it is all silent. But since this uses Sun Java to install, the safe thing for SP1 users is to just use MSJVM and avoid Sun Java if you use IE. Or if you must install Sun Java to use the new dslr speed test applet because your ISP leases it, then just don't use IE for anything else, or disable Sun Java after running a speed test and continue to use IE with JVM. Of course, I would just have shrugged my shoulders if I ran across a site demanding that I install Sun Java. I detest Sun Java so I would just forget about that site.
ElJay join:2004-03-17
reply to Mele20
said by Mele20: Winamp won't play the movies. Plus, they won't play in the version of WMP I have. Why can't they be played in Real Player? I have the latest version of it.
Try downloading the video codec from »www.techsmith.com/products/studi···load.asp (169kb)
said by Mele20: I don't have Sun Java. Does this vulnerability also exist for MSJVM? It wouldn't matter probably for me since I only use JVM for speed tests and that is one of the rare times I use IE instead of Fx.
I wonder if the Microsoft VM would even ask you before running this nasty installer. Or perhaps the Microsoft VM is so old that it won't be able to run this applet.
Paperghost @net.uk
reply to eburger68
from B: "I realize it's not Mozilla's issue per se; perhaps Sun can address this."
Hi B - I covered this type of install a while back (March 9th) and off the back of this initial investigation, Mozilla said they would look to "whitelist" applets with Sun, and a developer for Opera said they would look to change the way "accept" is highlighted as a default. More here.
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to eburger68
»www.spywareguide.com/articles/an···_72.html
Winamp won't play the movies. Plus, they won't play in the version of WMP I have. Why can't they be played in Real Player? I have the latest version of it. So, I can't read the article (I tried copying it to Word and it still produces a horizontal scroll bar) or play the files.
I don't have Sun Java. Does this vulnerability also exist for MSJVM? It wouldn't matter probably for me since I only use JVM for speed tests and that is one of the rare times I use IE instead of Fx.
  redxii too big to fail Premium,Mod join:2001-02-26 Texas
1 edit | reply to ElJay
said by ElJay: Would this help save a Mozilla/Firefox user from this "drive-by?"
I'm glad you asked:
With the second option unchecked, I was still given the options Yes, No and Cancel. With the first one unchecked, it went away, but applets using the <applet> tag still worked on other (legit) websites.
For some reason I can't get 3 sites to give me a popup anymore... trying to undo what I did but they may have taken it down and left the flash one in IE up. I'll restore a fresh image and see what happens...
-- Asus A7N8X-X, Athlon XP 2400+ @ 2.0GHz, 1024MB DDR RAM (@ PC2100), GeForce FX 5600Ultra 128MB, Samsung SD-616T 16x DVD-ROM and Sony CRX215E1 48x24x48 CD-RW, 40GB & 120GB HDD. Y I Hate L-i-n-u-x
B Premium,MVM join:2000-10-28
reply to ElJay
Good find; I don't know.
The Java 1.4.2 control panel I have doesn't offer anything like that tab...
ElJay join:2004-03-17
2 edits | reply to B
Java Control Panel Security Settings
I noticed in the latest Java VM (1.5.0/"5.0 Update 2") there's an option to disallow granting "permissions to content from an untrusted authority." I can't remember if this option was available in the 1.4.x version.
Would this help save a Mozilla/Firefox user from this "drive-by?"
 B Premium,MVM join:2000-10-28
reply to xblock
It's really unfortunate. It seems that the only way to properly secure clueless newbie browsing under Mozilla is to disable Java entirely?
I realize it's not Mozilla's issue per se; perhaps Sun can address this. I believe I've said before in a different thread here -- the Java plug-in really shouldn't even be capable, by default, of breaking the sandbox with a single real-time "drive-by" style query.