How does your system become infected by just browsing

I am looking to find out the mechanics of their technique that essentially uses a browser to infect ones system.

I have personal experience of contracting a what I believe a virus/malware and it ending up somewhere on my computer and not in the browser cache.How is this possible and how can registry be modified at the same time ? I believe that the virus is able to circumvent the browser memory/disk space and into the rest of the system ? I just don't know how this is done.

Any comments would be appreciated

 

This and this should get you started.

 

I'm not an expert, but a common technique is to exploit security weaknesses in JavaScript. Other malware may exploit a bug in the browser code or in an add-on like Adobe Reader (by using a booby-trapped pdf file). The injected code can then access your registry, download more malware and generally mess up your PC. (More details are in the Verizon Databreach Report.)

The NoScript add-on in Firefox is a good way to protect yourself against many of these malicious webpages. I use this along with Sandboxie, which provides a very strong sandbox that prevents malware from doing any damage.

 

These tips should help you read them, it is a start, security is not learned in an afternoon, it takes years, is a neverending quest and battle to keep the bad guys from your door.

 

Look up posts from Wilders member Rmus. He provides plently of examples with screenshots.

 

If you want to gain a more detailed insight, it may help to look at a particular example, like this exploit for Adobe Reader http://securitylabs.websense.com/content/Blogs/3311.aspx . This uses a technique called "heap spraying" http://en.wikipedia.org/wiki/Heap_spraying in JavaScript inside a booby-trapped pdf to inject a tiny piece of executable code ("shellcode" http://en.wikipedia.org/wiki/Shellcode), which then downloads a trojan from a remote website. If your security software didn't catch that trojan, then you'd become infected.

As I understand it, there are many variations on this theme that exploit various vulnerabilities in browsers and their add-ons. Turning off JavaScript and other active content (like pdf's, flash etc) affords some protection, but it's quite restrictive. Using a sandbox like Sandboxie provides stronger protection without that limitation.

 

Most modern OS's (Unix, Mac OSX, Windows, and many others) use what is known as Discretionary Access Controls as the main security template (Unix did it first, then Windows followed with NT). This means that permissions are at the discretion of the user and not mandatory (as is the case with the more powerful MAC and RBAC security paradigms).

So, what does this mean? Well, if you are running an application that has the permissions of yourself, and if this app is exploited, it can typically take over any other app/service/daemon and write to any directory that you have access to. In other words, this app inherits all of your user's permissions and has free reign to what you have access to as a user. Unfortunately, most of the time on Windows this means the exploited app can take over the entire machine because most everyone runs their machine with administrative (root) privileges. But if you are running the app in a LUA, it will only have access to what the LUA has access to.

Now a browser is nothing but an application that parses code for viewing. Since all apps have a privilege level, the browser, if ran from a limited account, will not be as vulnerable. Even if exploited it cannot do much outside of the scope of the user (barring any privilege escalation vulnerabilities, which are possible but rare. That's another subject entirely).

But to answer your question: browsers are like any other app, they can be exploited just by parsing code (or clicking on links). So if you stumble upon a malicious site or a site injected with malicious code, your browser can be the entry point for a system compromise (if you're running it as admin). You don't actually have to download anything.

Now you see why it's so important to run from a LUA.

 

chrono, very nicely explained

 

This is quite right, but many Windows users (me included) find that running from an LUA is too restrictive and it can become a pain.

It's not quite so important if you have a decent security suite like Kaspersky that limits programs' privileges. You can set the browser privilege fairly low, so that it's more or less like running it in an LUA. You can also stop it from accessing personal files on your PC, so that malware can't steal your bank statements or whatever. (I may be wrong, but I don't think that an LUA would stop that.)

With Sandboxie, you can apply very tight restrictions, including 'dropping rights', which effectively makes sandboxed programs run in an LUA.

You have to try it out to see if you're happy running from an LUA. Otherwise, make sure that your security software protects you.

 

Thanks alot guys for the helpful replies. I've got some interesting reading ahead of me. Will take a look at Sandboxie also.

Cheers

Victor

 

This is very easy for a malware writer to code.

Here is an example of malware code in a web page which carries out the instructions automatically without any action on the part of the user (except to click to get to the page!).



Looking at the lines in red:

1) First, there is a call out to the internet to download a file. It is an executable file with the file extension .gif -- this helps avoid web filters that look for the .exe extension.

2) The code sets up the Windows Script Engine, WScript.exe, to do the work.

3) The script identifies the User's Startup folder as the destination for the malware file.

4) The file is renamed with the extension .exe and copied to the Startup folder.

Here is a screen shot of a search after rebooting, where this file, running from the User's Startup folder in C:/Documents and Settings.../ has downloaded more malware and copied them to other locations:



The above exploit targeted specifically the IE6 browser.


MaxEntropy links to an explanation of the code in a malicious PDF file that downloads malware. Here is how the PDF file is set in motion by the browser.

The success of this depends on the user having both Javascript and Plugins enabled, which tells the browser to open the PDF file, rather than prompting the user for action. This is coded in the web page that the user goes to:



You saw in the link to the PDF analysis, code in the PDF file to connect out to the internet to download malware. All of this is done automatically without any user action.

Here is the firewall intercepting such a call out to the internet. Note that it is the Acrobat reader that is connecting out, not the browser. So, this is an Acrobat Reader application exploit, rather than a browser exploit, since it is the code in the PDF file that calls out, not code in the HTML web page. All the browser does is follow instructions to open the PDF file in the browser window, and the Reader application does the dirty work!



The current Aurora exploit is using a combination of IE Browser, Adobe Reader, and MSOffice document exploits as the mechanisms for delivering malware by remote code execution to the user's computer.

chronomatic explains well one way how such exploits can easily be stopped from succeeding.


----
rich

 

Thanks alot for the reply. I've tried the NoScript add-on for Firefox but that did not work at least in my case. I believe the NoScript add-on will not work against exploits of the browser code or other non script exploits.

Victor

 

Thanks alot Rmus. I had no idea how straightforward is for a script to go outside the browser and make changes to a user's operating system.

Victor

 

Hello Victor,

Can you describe your case specifically? What was the exploit?


regards,

-rich

 

I respect your opinion although I can not say that I understand it. I run from an LUA and for me it is no problem at all. When I need to, logging out and then back in as an admin takes just a few seconds.

 

We can only speculate atleast if the TS care to elaborate and assuming he configured noscript properly(disabled plug-ins etc). The possible way the non-script-based exploit could have worked and bypassed noscript is if the vulnerability(buffer overflow or arbitrary code execution) being exploited is kernel-based like wmf or the vulnerability is against jpeg rendering(browser-unpatched), for e.g, under admin account and in an old unpatched windows system.But since he didn't anymore care to elaborate and seemed pleased with your enlightening post(see post#13), we can safely assume there's no such exploit that bypasses noscript. If ever there is one, will be only used in targetted attacks like for e.g stealing of trade secrets and thus, the exploit is a very top secret zero day backdoor. lol

 

TS you can try changing the integrity level of firefox to low as well as the folders that firefox uses to read and store data to. That will limit the locations that firefox is allowed to write to or modify. Also you can restrict all lower level processes from reading or modifying any sensitive data that you may have, such as credit card info. This is pretty effective against exploits and some vulnerabilities, but is not a sure fire prevention. Check out this guide on hardening Windows if your interested.

 

You could also try out Defensewall which automatically labels anything downloaded by the browser as untrusted. Anything untrusted in Defensewall has its rights restricted and can't do any damage to your system.

 

Interesting guide. I have never heard of SEHOP before. I am wondering why not. I see on Microsoft's site that they recommend enabling it, but I have never seen anyone discuss it, and I visit Wilders and other security related sites on a daily basis.

 

It's purely a personal preference, but this poll https://www.wilderssecurity.com/showthread.php?t=242061 seems to indicate that many other people also prefer to run as administrator. My security software restricts programs far more than an LUA, so I don't see the point of the extra inconvenience.

I did get caught out once doing this a few years ago when my security was weaker. But that actually encouraged me to use my present security (KIS2009+Prevx+Sandboxie with XP SP3). That may not be 100% bullet-proof, but it makes it pretty hard for malware to do the sort of things that an LUA prevents. I certainly wouldn't run as an administrator without several layers of active protection.

Perhaps the most important thing is running Firefox with dropped rights in Sandboxie, which effectively makes it run under an LUA without having to switch user accounts. But the sandbox is actually far more restrictive than any LUA.

 

Everybody has to decide for him/herself. But your approach has two drawbacks IMHO:
1. It's always a problem to configure security software the proper way. If they are intended to be as effective as possible you are very often confronted with false alarms. There are numerous threads here on Wilders about how to make HIPS and the like less talkative - but at what price?
2. You should understand that by using additional security software you're actually increasing your attack surface. They can also suffer from leaks that might be exploited, and they might misconfigure your system particularly if several of them are used at the same time.

A LUA approach - preferably combined with SRP - has to be setup once and works until the end of time. The LUA/SRP combo stops the very most attacks cold without the need to fine-tune dozens of settings of your HIPS or AV. And I agree with FiOS Dan that running from a LUA is no problem since most newer apps are LUA-compatible. Under WinXP SuRun will greatly simplify that approach, and under newer Windows version there is UAC.

 

"The LUA/SRP combo stops the very most attacks cold without the need to fine-tune dozens of settings of your HIPS or AV."

Yes indeed. I have users on remote sites that used to spend more time on adult sites and P2P software than work. That doesn't happen anymore.

LUA + SRP + ACL + SuRun + Browser configuration - I'm a card carrying member.

The only problem I run into is a few printer installs. There are certain HP OfficeJet models that just won't install correctly or completely with SuRun. So far, the only workaround I've found is to install the software in an admin account then reboot into the limited one. However, that's pretty inconvenient when it's a remote install.

 

Here's one vulnerability or hole in the Windows Kernel where Browser based mitigation like disabling of javascript won't help

link:

Fortunately, this vulnerability was patched last Nov. 2009.Exploits taking advantage of this type of vulnerability as well as the old wmf vulnerability are just a few where NoScript add-on will probably not work against. Unless ofcourse the author of NoScript has added additional mitigation mechanisms against non-script exploit I haven't yet heard of.

 

Yeah it does add some protection, but if you were to setup all of your internet facing apps with low integrity "no read up" and set up all of your important info correctly so it is unreadable unwritable to the browsers, email clients etc, it can be an effective sandbox. I use this rather than a sandbox because I think it is a lot easier, although it doesn't have all the possibilities of say sandboxie. Win 7 has pretty good protection OOTB. With this and a proper SRP all you really need is common sense to stay clean.