Anatomy of a Drive-by-Install
garys_2k

join:2004-05-07
Farmington, MI

1 edit
reply to xblock
Re: Anatomy of a Drive-by-Install

Never mind, part II.

xblock

join:2004-12-16
Willoughby, OH

reply to xblock
The problem has been corrected and I apologize to any and all who were affected. We have put in an extra layer of controls to ensure that doesn't happen again. As punishment I was told that Jan was going to strike me with the nearest blunt object next time he sees me.

regards,
Wayne

xblock

join:2004-12-16
Willoughby, OH

reply to B
B.

"The Porter/Hertens article seems to omit a rather important little detail -- what does the user have to do, if anything, in order to allow the spyware to install?"

In the case of IE SP1- they have to do nothing. Just hit the web page, which appears blank. I posed this question to my son (a 7 year old) and asked him what happened when he hit the web page on the IE SP1 page. He said "nothing happens Dad". Obviously if you look at the packet log a lot of things happen.

In the case of IE SP2- The user will see an elaborate movie explaining how to accept the installation. But there is reference to what is being installed, why it is being installed, or from where it is being installed. The only information they receive from the little movie, aside from install instructions, is a large sign that says THEY MUST INSTALL it.

In Firefox the user is presented with a Java prompt which asks them to install, but the key factor here is again no EULA is presented.

Much more analysis is planned on that piece- we worked on it over the weekend to get some dialogue started. It was like digging into a hole and finding a pool of water, the further we swam into the water the more stuff we found until we realized it wasn't water we were wading through but more like a high-stream sewer. So we took one aspect of the problem and focused on it. There are a myriad of things that can be studied and learned from that page.

The idea for this piece was taken from watching how my son (an eight year old) interacted with a web page and a discussion with my wife (a teacher) about how kids interact with web pages in her lab.

So naturally prevention is important, if not the cornerstone of the problem, but we wanted to focus on what the user sees versus what is actually happening and how the entire installation is mixed up with inadequate disclosure, confusing prompts, and no real attempt to tell the user what is going to happen.

regards,
Wayne

Kiwi
Premium
join:2003-05-26
USA
reply to eburger68
I'm a wee bit lost, to whom were the replies directed? I see the link works now.

Cheers

B
Premium,MVM
join:2000-10-28


It's really unfortunate. It seems that the only way to properly secure clueless newbie browsing under Mozilla is to disable Java entirely?

I realize it's not Mozilla's issue per se; perhaps Sun can address this. I believe I've said before in a different thread here -- the Java plug-in really shouldn't even be capable, by default, of breaking the sandbox with a single real-time "drive-by" style query.

-- B
--
In a realm outside causality and function

ElJay

join:2004-03-17
·Great Works Internet


2 edits

Java Control Panel Security Settings
I noticed in the latest Java VM (1.5.0/"5.0 Update 2") there's an option to disallow granting "permissions to content from an untrusted authority." I can't remember if this option was available in the 1.4.x version.

Would this help save a Mozilla/Firefox user from this "drive-by?"

B
Premium,MVM
join:2000-10-28

Good find; I don't know.

The Java 1.4.2 control panel I have doesn't offer anything like that tab...

-- B
--
In a realm outside causality and function


redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas

Host:
/dev/null
Broadband Tweaks
Suddenlink
ISDN
Fiber Optic

1 edit
reply to ElJay
said by ElJay:

Would this help save a Mozilla/Firefox user from this "drive-by?"
I'm glad you asked:

With the second option unchecked, I was still given options Yes, No and Cancel. With the first one unchecked, it went away, but applets using the "<applet>" code still worked on other (legit) websites.

For some reason I can't get 3 sites to give me a popup anymore... trying to undo what I did but they may have taken it down and left the flash one in IE up. I'll restore a fresh image and see what happens...
--
Asus A7N8X-X, Athlon XP 2400+ @ 2.0GHz, 1024MB DDR RAM (@ PC2100), GeForce FX 5600Ultra 128MB, Samsung SD-616T 16x DVD-ROM and Sony CRX215E1 48x24x48 CD-RW, 40GB & 120GB HDD.
Y I Hate L-i-n-u-x

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to eburger68
»www.spywareguide.com/articles/an···_72.html

Winamp won't play the movies. Plus, they won't play in the version of WMP I have. Why can't they be played in Real Player? I have the latest version of it. So, I can't read the article (I tried copying it to Word and it still produces a horizontal scroll bar) or play the files.

I don't have Sun Java. Does this vulnerability also exist for MSJVM? It wouldn't matter probably for me since I only use JVM for speed tests and that is one of the rare times I use IE instead of Fx.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789


Paperghost

@net.uk


from: B

reply to eburger68
"I realize it's not Mozilla's issue per se; perhaps Sun can address this."

Hi B - I covered this type of install a while back (March 9th) and off the back of this initial investigation, Mozilla said they would look to "whitelist" applets with Sun, and a developer for Opera said they would look to change the way "accept" is highlighted as a default. More here.

ElJay

join:2004-03-17
·Great Works Internet

reply to Mele20
said by Mele20:

Winamp won't play the movies. Plus, they won't play in the version of WMP I have. Why can't they be played in Real Player? I have the latest version of it.
Try downloading the video codec from »www.techsmith.com/products/studi···load.asp (169kb)

said by Mele20:

I don't have Sun Java. Does this vulnerability also exist for MSJVM? It wouldn't matter probably for me since I only use JVM for speed tests and that is one the rare times I use IE instead of Fx.
I wonder if the Microsoft VM would even ask you before running this nasty installer. Or perhaps the Microsoft VM is so old that it won't be able to run this applet.

Mele20
Premium
join:2001-06-05
Hilo, HI

Thank you. The video codec worked and I viewed both movies. The IE one is so obvious that no one would install that! It shows you the Eula. Why would anyone accept that? It clearly indicates it is advertising.

The Fx one is even more suspicious. Why, if I did not have Sun Java, would I agree to install something so OBVIOUSLY WRONG? The install is not for Runtime Environment 5.0 but for some weird something called "update 1". Red flag, red flag! Geez, I'd be outta there in a second! Secondly, the certificate is OBVIOUSLY BAD. Again, no one would trust that!

There is nothing confusing about the install on either browser. If users are so ignorant that they can't see all the red flags here then they had better either get rid of their computers or learn something about their computer. I was ignorant when I got my first computer but I started learning immediately and have never stopped. If you want to have a computer you have to be willing to learn continuously.

The one bad thing I do see is that install on IE 6SP1 (which I use) is HIGHLY DECEPTIVE since nothing happens and it is all silent. But since this uses Sun Java to install, the safe thing for SP1 users is to just use MSJVM and avoid Sun Java if you use IE. Or if you must install Sun Java to use the new dslr speed test applet because your ISP leases it then just don't use IE for anything else or disable Sun Java after running a speed test and continue to use IE with JVM. Of course, I would just have shrugged my shoulders if I ran across a site demanding that I install Sun Java. I detest Sun Java so I would just forget about that site.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

Bobby_Peru
Premium
join:2003-06-16


1 edit
reply to B

Weasel Java Toggle
B, in addition to ElJay's Java Control Panel configuration pointer, putting the Java Toggle on the toolbar (from one of those button extensions, Pref Buttons, or ToolBar Enhancements?), with strict instructions to keep it deselected, and to inquire if a page/task fails, but not to select it without first checking, has worked for me, and the somewhat clueless newbies.

For my own installs, I keep the JavaScript (Per Tab) Toggle right next to it, as well.
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**

johnpro

join:2005-03-11
Brisbane Oz


2 edits
reply to eburger68
It's purely a convenient coincidence that Integrated Search Technologies happens to be using an expired certificate from a CA not yet "trusted" by users (most of whom won't understand what it would take to "trust" a CA/issuer in the first place).

*************

I have never trusted "trust us certification" for a number of reasons.

Trust is built up over time. Anyone can claim they are trustworthy.

Look at Truste certification for example. This company certifies that giants such as Microsoft and Intel are trustworthy. I happen to agree with them.

However they also certify that dubiates such as idownload and lycos are also trustworthy.

As one scribe recently wrote... can Truste be trusted?

My emails to truste were just ignored when I asked them to clarify their position of certification on many of the bad guys in the industry.

Verisign et al also have difficulties. Most players do not know the significance of these certificates anyway.

jp

B
Premium,MVM
join:2000-10-28

reply to Paperghost
Thanks, Paperghost.

Unfortunately, as with most things Mozilla, I don't trust them to implement Java whitelisting with any diligence. (The "whitelisted" XPI sites, for example, is an empty list and is disabled by default in the Moz suite, and the Fireweasel has but a single whitelisted site. This is nearly useless.)

Your update addendum was new to me though:

In my original tests, I found that disabling software installs in Firefox would send the page into a tailspin - and I couldn't figure out why. Someone from a Firefox forum suggested that this behaviour only happens when a Firefox specific install (in other words - an XPI) is attempted. Check out the below, lifted from the Javascript installer served from ysbweb.com:

if (InstallTrigger.updateEnabled()) {                             // Firefox: are software installs enabled for this page?
InstallTrigger.install({'Content Access Plugin 1.01' : ''});      // if so, push the XPI (URL left out in the post)
} else { location.replace(''); }                                  // if not, send the browser elsewhere (URL left out in the post)

The code above tries to load a piece of rogue Firefox .xpi. This is a rather crude .xpi installer to load an xxx toolbar into IE - it's currently being examined by some of our "file curious" members.

By chance, I happened to stumble upon a bunch of other sites that (last year) tried similar .xpi installs, which Mozilla put out a fix for, rather quickly. Upon revisiting these sites - they now all use the Java applet alongside the .xpi install, and it's possible the .xpi's have been updated, which is why they're now currently being looked at (to see how they work alongside the Java).

So after all the chaos and "browser warring" that erupted over this whole thing, it actually turns out there was "Firefox spyware" buried away in the code.
Interesting stuff.

-- B
--
In a realm outside causality and function
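The quoted ysbweb.com snippet shows the shape of the problem: the page probes one install path and falls back to another. The following is an added example, not code from this thread or from Mozilla, Sun or any tool mentioned here. It scans captured page source (the sort of thing you would pull out of the packet log Wayne describes) for the three install paths discussed in the thread plus the coercive "you must install" wording and the redirect-on-refusal pattern, and rates the page. The indicator names, the risk thresholds, the placeholder URLs and CLSID, and both sample pages are constructed for the example.

```javascript
// Added example (not from the thread): flag drive-by-install indicators in
// captured page source. Every indicator, threshold and sample below is
// constructed for illustration.

const INDICATORS = [
  { id: 'xpi-installtrigger', re: /InstallTrigger\s*\.\s*install\s*\(/,
    note: 'Firefox XPI install started from page script' },
  { id: 'xpi-update-check', re: /InstallTrigger\s*\.\s*updateEnabled\s*\(/,
    note: 'script checks whether software installs are enabled before choosing a path' },
  { id: 'java-applet', re: /<applet\b[^>]*\barchive\s*=/i,
    note: 'Java applet loading a jar; a signed jar can ask for full permissions' },
  { id: 'activex-object', re: /<object\b[^>]*\bclassid\s*=\s*["']?clsid:/i,
    note: 'ActiveX object instantiated by CLSID' },
  { id: 'redirect-on-refusal', re: /location\s*\.\s*replace\s*\(/,
    note: 'page redirects elsewhere when the preferred install path is unavailable' },
  { id: 'coercive-language', re: /\b(?:must|required to|have to)\s+install\b/i,
    note: 'coercive install wording with no description of what is installed' },
];

// Return one hit per indicator found, with the matched text for the analyst.
function scanPageSource(source) {
  const hits = [];
  for (const ind of INDICATORS) {
    const m = ind.re.exec(source);
    if (m) hits.push({ id: ind.id, note: ind.note, match: m[0].trim() });
  }
  return hits;
}

// A legitimate page (a speed-test applet, say) shows a single install vector
// and nothing else. A page that wires up several browsers' install paths, or
// pairs one path with coercion or a fallback redirect, is rated high.
function riskLevel(hits) {
  const ids = new Set(hits.map((h) => h.id));
  const vectors = ['xpi-installtrigger', 'java-applet', 'activex-object']
    .filter((id) => ids.has(id)).length;
  if (vectors >= 2) return 'high';
  if (vectors === 1 && (ids.has('redirect-on-refusal') || ids.has('coercive-language'))) return 'high';
  if (vectors === 1) return 'medium';
  return 'low';
}

// Constructed sample shaped like the page the thread describes (placeholder URLs and CLSID).
const SAMPLE_ROGUE = `<html><body>
<p>You MUST install this plugin to view the content.</p>
<script>
if (InstallTrigger.updateEnabled()) {
  InstallTrigger.install({'Content Access Plugin 1.01' : 'PLACEHOLDER_XPI_URL'});
} else { location.replace('PLACEHOLDER_FALLBACK_URL'); }
</script>
<applet code="Loader.class" archive="loader.jar" width="1" height="1"></applet>
<object classid="clsid:00000000-0000-0000-0000-000000000000" width="1" height="1"></object>
</body></html>`;

// Constructed sample: a legitimate page with one applet and no coercion.
const SAMPLE_BENIGN = `<html><body>
<applet code="SpeedTest.class" archive="speedtest.jar" width="300" height="200"></applet>
</body></html>`;

function report(name, source) {
  const hits = scanPageSource(source);
  console.log(`${name}: risk=${riskLevel(hits)}`);
  for (const h of hits) console.log(`  [${h.id}] ${h.note} -- "${h.match}"`);
}

report('rogue page', SAMPLE_ROGUE);
report('benign page', SAMPLE_BENIGN);
```

The rating deliberately treats a lone applet as medium rather than malicious, which matches redxii's observation that legitimate sites still use `<applet>` tags; what separates the rogue page is the combination of several browsers' install paths with coercion and a fallback redirect.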

paperghost

join:2005-04-13

Thanks B - though as it's turned out from new discoveries, the .xpi is (in yet another strange twist) possibly the least of our worries. How about a potential 30,000 strong botnet through IRC? I've discovered that in all likelihood, this is where Spazbox.net's huge traffic is coming from despite not being listed well (if at all) in search engines. However, it just raises more and more questions...!

»www.revenews.com/wayneporter/arc···tml#more


180sucks

@zoominternet.net

reply to eburger68
I'm surprised nobody has sued these companies' butts off into total submission.. if I had a business computer, and had it trashed by these guys, I would OWN 180search assistant, and burn all the crap they use to create this stuff, then I'd wipe my *** with any piece of life, money, or dignity these guys had left


Shriyash
Sungazer
Premium
join:2005-02-23
PuNe, InDiA

reply to eburger68
oh my god!
You guys have to see this video for yourself, it's a short clip, 1.2 MB, but it's an 'experience' watching it. Whew!
Here's the link again:
»netrn.net/spywareblog/archives/2···e-weave/

just click on the "spazbox video" on the above link, and see for yourself.

diver196

join:2003-12-09

reply to eburger68
Really great info. Just remember, in most cases the user does have to let the spyware onto his/her machine by giving consent, even if not informed.
--
Only those defenses are good, certain and durable, which depend on yourself alone and your own ability. The Prince, by Niccolo Machiavelli.
dslreports.com, © 1999-2009. Page rendered Saturday, 28-Nov 17:01:59.