Get infected with a rootkit trojan just by clicking on a link in a forum!

Discussion in 'other security issues & news' started by AlamoCity, May 5, 2007.

Thread Status:
Not open for further replies.
  1. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    That stupid, badly written article has been posted by many other sites on the internet.

    This whole issue is more or less a tempest in a teapot. You have to be using IE (of course) to get infected. If you do click on the link to the fun postcards site (which has been shut down) you then have to download and install the nasty which registers a malicious dll as a COM object and BHO. http://www.symantec.com/enterprise/security_response/weblog/2007/02/notsofun_video_postcard_1.html
    http://msmvps.com/blogs/harrywaldro...-worm-version-spreading-as-blog-comments.aspx

    "The antivirus vendors laughed off Secure Computing claims that this trojan could evade their detection.

    "Secure Computing's incorrect claim that Sophos could not deal with this threat gave the guys in our labs the best laugh of their day," said Graham Cluley, senior technology consultant at Sophos.

    "Sophos customers had a bigger problem deciding which socks to put on this morning than they did with this malware."

    http://www.vnunet.com/vnunet/news/2184461/security-firms-laugh-claims

    What is truly ludicrous is that any serious poster would allow some weird link to be tagged onto their posts. And who would click on a dumb link to a postcard site in the first place? Even a newbie would know something was wrong if there was some strange link attached to their forum or blog posts. And anyone dumb enough to click on a postcard link (that is a red flag to most just like greeting card links) and then download and execute the files (before the AV vendors had protection) well...
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    He is NOT assuming! He knows.

    That's the difference!

    He knows there is no fire. And I know you are not vulnerable while using Firefox. To suggest otherwise is silly, propaganda, MS anti-communism policy, incest, fragmentation, regurgitation, whatever.

    Anti-virus program notwithstanding, your software is innocent until proven guilty. This means there is NO vulnerability until one is found. Not the other way around. Prove me wrong. Then, your sentence will be valid.

    Till then, you have simply added to the article's craponium propaganda...

    The author is wrong and he wants money ...

    Mrk
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Mrk, if I get AlamoCity, that is exactly the fire he means.
    Re-read everything he wrote, and you'll realize that is his point from the beginning!
    "For all we know" as in "we" in general, anonymous and casual reader! With no knowledge.

    I think this topic goes along nicely with your article. You agree no?
     
  4. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
  5. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    If you mean this:

    "Is there anything you, as security experts, suggest to protect ourselves from this?"

    I answered you in my post. Didn't you read it? This is a non-issue. I have no idea what the OP was thinking of in making a thread about a trojan from February. This is May. Symantec had protection from mid-February and the postcard site was shut down by Symantec. This is an issue only for those who either have NO AV protection or have it but don't bother to ever update it.
     
  6. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    I did. But respectfully, sir, I believe you did not read mine at all :doubt:
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    A few thoughts not from an expert. (What is an expert?)

    From the first URL:

    Great way to grab your attention: broad sweeping statement, naturally, no source for that statistic. Might as well say, 99% of people drive when it's raining - possibility of sliding into the ditch.

    Without seeing his technical aspects of the threat, no suggestions can be made, so the article is useless from that standpoint. "Dozens of technologies..." Uh oh... This is nothing but a notification about a talk, and serves no purpose being posted here as information about threats. How about a link to the talk?

    From the 2nd URL on XSS:

    Good definition, but there are many types of scripts, and much has changed in the browser world since this was written, so that nothing of any substance regarding protection can be gained from this. But scenarios follow.

    Protection: Alice doesn't click on the link.

    Who is Mallory?, she asks herself.

    Without knowing what this script is, we don't know which browser is vulnerable, or how this script runs commands. This scenario is too vague to suggest anything.

    Recently, I discussed this type of scenario with several people, and we agreed that the message from "Bob" (we used our own names) would have to be pretty clever to sound like "Bob": what would be the reason for "Bob" sending "Alice" a link? "Hey, check out this great site!" This wouldn't fly with those I know.

    Protection: In my email group, we include our name in the Subject line when sending an attachment. One suggested to do that when sending links.

    Same as above: no specifics about the type of script. Useless.

    This is trickier, because initially, it doesn't rely on social engineering, yet we aren't told the specifics of how credentials are taken. So, this scenario as presented, is useless: nothing to analyze, nothing on which to base a strategy for protection.

    Other links showed a few scenarios on how XSS exploits work, but the links were several years old.

    In recent times, Opera and FF have dealt with XSS exploits. (I assume IE7 does, but haven't checked):

    Client Side Protection against Session Riding
    http://72.14.253.104/search?q=cache...wser XSS protection&hl=en&ct=clnk&cd=11&gl=us

    XSS Warning Extension For Firefox
    http://ha.ckers.org/blog/20070430/xss-warning-extension-for-firefox/
    So there is the normal cat-and-mouse game here that we see with other types of exploits.

    None of those 2 URLs by themselves serve any purpose in the way you presented them. The wikipedia article is general reference, and should not stand alone in a post on security. It needs more concrete examples with code.

    As in the article linked in the first post, these do nothing more than present scenarios that create uncertainty and confusion in the general reader.

    This is exactly the wrong way to approach a potential problem. If you begin by being scared, you have no rational way of approaching a solution.

    It would be more useful to post some specific in-the-wild examples, like the PayPal XSS scenario, and see how the code works, and then go from there in discussing protection.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  8. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    XSS

    Thank you for answering, finally :)

    I think RSnake is a reliable source himself for that statistic (see below), but if you want some colorful table:
    21.5% of the vulnerabilities reported in 2006 were XSS

    RSnake's talks are still to be held this week, but my previous post contained a link (to a link) to a video of an equally interesting (yet a bit outdated) talk about the same kind of threats, by Billy Hoffman from Spi Dynamics, of Jikto fame.
    By "a bit outdated" I do not mean anything evolved since then (especially in browser technology), except for some more general awareness about XSS and Noscript's new so called "anti-XSS protection".

    Don't look at the script behaviour, look at the vector (how and where it gets injected).
    There are several ways to steal your credentials, but the interesting part is that a malicious script running in the right place doesn't really need even to "know" your credentials.
    If a site is vulnerable to XSS, a malicious script can simply "act as you" there: it just needs you to be already logged in, or to have some "remember me" feature enabled, or to keep password-completion enabled.
    JavaScript can do literally anything a "real" user can do, hence if an attacker manages to inject his script in a site having some value for you (e.g. your webmail or your PayPal account), he can effectively impersonate you.
    There's nothing you can do to prevent it from happening, provided that your browser has JavaScript enabled and the site is XSS-able.
    It's not a browser-specific vulnerability, and it really doesn't depend on "the kind of script" or some obscure browser bug...
    Let me repeat: no browser is intrinsically safe, until it has JavaScript enabled.

    A forum full of full disclosures (constantly updated), with examples of vulnerable sites ranging from Microsoft to Yahoo.
    The site is run by RSnake. Just look at the "So it begins" topic, with more than 1300 posts... That's why I think he probably knows his numbers...

    A good primer may be The XSS Cheat Sheet by RSnake.

    Thanks again for your time :)
     
    Last edited: May 8, 2007
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: XSS

    You are welcome.

    By the links you've posted, it's evident you already know much about this stuff, which you should have indicated more specifically in your first post. :)

    Well, I've maintained that for years. The two basic means of protection are

    1) security in place behind the browser to catch remote execution of downloading/installing malware executables

    2) Awareness of how your secure transaction sites handle notifications regarding your account.

    This second one is applicable here, since you mention PayPal. You may remember last year's exploit described here:

    http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html
    If you are a PayPal user, do you know how PayPal notifies you about your account? If not, you should. If Yes, then you probably wouldn't follow through with this.

    Just now, I phoned a friend who has a PayPal Account and quoted the above message. He said, "I would be suspicious. I would log off and phone PayPal."

    He related another PayPal scam where someone sent an email regarding a bid and requested personal information to confirm it. That's not the way PayPal works; he sent the email to PayPal and received a reply that this type of scam was going around.

    Same thing with emails supposedly from your Bank requesting information.

    My friend's motto: "Trust, but verify."

    The statistics in your links are impressive, but could apply to many exploits: Just because thousands are snagged by a particular exploit, doesn't mean that I will. Or anyone I've helped set up. Or anyone who uses a bit of common sense.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  10. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Re: XSS

    I'm just a Firefox+Thunderbird+ClamWin user, and I add just NoScript as an extra-protection layer.
    Thunderbird and Firefox can never execute code automatically, and I always scan everything I download with ClamWin.
    I'm also a programmer, so I think I've got some understanding about what Java and JavaScript can do against my privacy, if not against my security, hence my choice for Noscript.
    I keep cookies disabled by default, enabling them just for session on sites of my choice by whitelist.

    That said, XSS is quite a new world for me too.
    I've been exposed to it when someone questioned Noscript as a security tool because it couldn't address XSS against whitelisted sites, so I decided to learn something about it and found the excellent RSnake blog and forum, where I've been lurking for a while because I still don't feel confident enough to post anything meaningful there :p

    Since then I received some Noscript automatic updates containing those "anti-XSS protection" features I told you about, and as far as I can tell they seem really effective: they blocked every single XSS instance I've found so far, and as you know if you visited the sla.ckers.org forum there's a lot of stuff to test around ;)

    Also, some forum posts there suggest that RSnake himself is a NoScript user, but if this anti-XSS stuff was really a "unique solution" as they boast on noscript.net, I wonder why it's not publicized as such in the mainstream, besides a minor reference in the XSS Wikipedia page :doubt:
    So, since some of the counter-arguments against Noscript linked this wilderssecurity forum, and I was after an unbiased advice about XSS, I came here and rather than searching for "Noscript" I searched for "XSS" first, and then for "Javascript" because "XSS" returned no results.
    This one happened to be the first thread I found talking about Javascript-related malware, so I decided to spam here rather than elsewhere, lucky you :)

    XSS is all inside the browser, there's nothing an Antivirus, a sandbox or virtualization can do about it...
    You're still assuming that the start point must be a link in your email or something interactive anyway.
    That is not the case.
    There's nothing preventing an XSS attack from being launched by any web page you visit.
    Furthermore, you won't even notice the successful attack if it's well done.
    Whoever exploited the old Paypal XSS was sort of a pioneer, and the roughness and noisiness of his attack reflects those still ingenuous times.
    If an XSS vulnerability was found today in Paypal, its exploitation would likely happen in a perfectly silent and invisible way, by using XMLHttpRequest, automatic navigation through IFrames or both, while you're visiting an innocent-looking and completely Paypal-unrelated site, provided that you've got password autofill enabled or you're already logged in, possibly in a different browser window. In other words, while XSS can be very effective for phishing (like in the original incident you're referring to), it doesn't really need to be, because given any XSS vulnerability you can perform arbitrarily complex and user-invisible session riding attacks.
    That's exactly the point, defining common sense.
    I used to believe "common sense" meant shutting down any superfluous technology (Java, JavaScript, plugins...) when I visited any site I didn't explicitly trust (AKA "casual browsing").
    Then I learned that it took just an invisible iframe embedded in an untrusted site to automatically, not-interactively, XSS a trusted site, even if JavaScript was disabled in the malicious source page.
    Therefore common sense at this moment tells me this stuff may be a (not necessarily perfect) answer.
    I was just looking for an independent insight by people who seem to have some security wisdom like you.

    Sorry if you feel I've kept some of my knowledge hidden for malicious purposes: I just meant not to influence you and also to have an idea of how much XSS awareness actually exists in security circles :)
     
  11. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    So? You asked the question and I answered.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: XSS

    It never occurred to me to think that.

    It would have been better, then, to start your own thread, laying out the concept of XSS and then go from there according to responses.

    While the R-snake code samples are fascinating (although beyond most, including me, to understand, and he makes this point clear, that you need programming experience), nonetheless, from a practical standpoint, it would be more useful to cite some of the known web site exploits, analyze how the exploit worked, and then discuss ways that users can protect against it, as I did with the PayPal, although it's no longer a very sophisticated attack, according to what you said.

    But just to focus on the dangers of this exploit serves no useful purpose in the long run. Sure, we know that there are web exploits - we may not know the specifics, whether a simple iframe, or obfuscated javascript.

    But to leave it at that invokes uncertainty and fear, leading inevitably to taking BigC's advice, that the only safe computer is that which is unplugged.

    Another reason that you might have started another thread, is that there was some confusion about your question. Mele thinks you were referring to the original article and exploits - and I did also at first, until you asked again about your question. So, it was a bit off topic, albeit somewhat relevant to the topic of web exploits.

    Since you have investigated XSS and understand quite a bit about it, you have a good opportunity to lay it out in a way the general user can understand, see what the responses are, and follow up with discussions about prevention. :)

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  13. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Guys,

    It's past my bedtime, & my fingers are tired. NOD32 says it scanned my email, so isn't that email attachment as safe as NOD32 can make it? It will make a hell of a lot more sense in the am with a venti from Starbucks.

    Take Care
    Rico
     
  14. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Re: XSS

    Thank you Rich.
    I'll try to follow your advice during this week-end.

    Sorry for the off-topic and best regards
    Elio
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Re: XSS

    Regarding the original post, I have to agree with bigc. The overall tone of this article is more analytical than alarmist. Anyone thinking that this article will have the uninitiated running for the hills in horror seriously underestimates the general level of apathy that those folks tend to have. People that become gripped with terror with these kinds of articles are not the types that run without any kind of security software, quite the opposite. I also seriously doubt that anyone is going to fixate on the one sentence and misconstrue its actual meaning to the point that they actually think that every single computer will become infected. It's really quite clear that the one sentence only illustrated that the link leads to malware and not any kind of video.

    Filling articles with all sorts of qualifiers and disclaimers for every point made would leave the reader bored to tears, and leave the less-technical people's heads spinning with the amount of technical info. I know this from experience, as non-technical people get quickly impatient when you try to interject too much detail to try to keep things as technically accurate as possible. If you persist in trying to do so, people look elsewhere for opinions and analysis from someone that can "get to the point", "speak plain English", and/or "have some confidence in what they are saying".

    Lastly there's the human factor. You can't expect every sentence put in print to stand up to your ideological standards, as the writers are, after all, still human. Even if they did, there would be plenty of others to hold it to completely different standards.
     
  16. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: XSS

    Thanks for your opinion, but I still think it was very irresponsible for PC World to run that article without at least stating whether the browser part of the exploit was limited to Internet Explorer/ActiveX. I mean, come on, how "detailed" and "technical" is that?

    When I first read the article I was worried that I could have been infected via my javascript based Firefox browser. (As I didn't use an anti-virus program for more than a year, due to the great job my firewall was doing.) What percentage of people are using Firefox now? About 38%? Don't you think the vast majority of them do so for security reasons?

    The point being that about 38% of the people who read that article were security conscious Firefox users. And don't you think the majority of them were concerned whether Firefox was vulnerable to the exploit, via javascript?

    If the words "Internet Explorer based exploit" had been included in the article, I really don't think that would qualify as: filling the article with all sorts of qualifiers and disclaimers that would leave the reader bored to tears, and leave the less-technical people's heads spinning with technical info. However, those four words would have relieved all the concerned Firefox users, including me. Consequently, this thread wouldn't exist, because that "ridiculously broad statement" in the article wouldn't have pissed me off one iota.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    I don't think any Firefox user is a concerned user...
    Mrk
     
  18. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Then I guess you and me think differently. :D

    Do you use a firewall and an anti-virus program with Firefox? If you do, don't you think that qualifies you as a "concerned Firefox user"? :D
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

    Depends on the setup. I have several.
    But I have machines with firewall only. And I'm not concerned. Firewall is not there to protect Firefox. Firewall is there to preserve the silence as I hate noise.

    On topic, once you dig into the way Firefox works, how it coexists with the system and how quickly its vulnerabilities are patched, you will realize that you have no reason to be concerned and that you are more likely to have your hard drive die on you than Firefox getting owned.

    BTW, javascript is not dangerous. It is merely a programming language. What can be dangerous is the way a client program - the browser - renders the code.

    In case of IE, that crap can do just about anything. Not so with superior alternative browsers - Firefox, K-Meleon, Opera, SeaMonkey, Konqueror etc.

    Example:

    del c:\windows\system32\*.* sounds like a very dangerous line of code, right?

    Well, this line of code means nothing on Windows 2000, for example. So the code itself does not matter. What matters is how the system / programs interpret code.

    Therefore, the only way Firefox users can get owned is if there's a handling exception somewhere in the memory / code / whatever, which may allow the code to escape its bounds and touch other parts of the system. With Firefox, the chances of this happening are zero.

    So far, there has not been a single working piece of code that showed one such successful attempt. There have been a few proofs of concept, which have earned a few geeks $500 from Mozilla and maybe a MSc thesis subject or a nice cubicle at Google.

    Mrk
     
    Last edited: May 10, 2007
  20. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
  21. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Re: XSS

    I'm looking forward to it.
     
  22. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    So I take it that you don't use the NoScript extension for Firefox?

    If Firefox was not vulnerable to javascript exploits, why would so much time and effort have been put into the development of the NoScript extension by people who have expertise with javascript exploits? And why would so many people feel that it's necessary to use the extension? Inquiring minds want to know. :D
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    I do use it, for more than reasons of security.
    I do a lot of website testing and it's very good for that purpose.
    Theoretically, it will also stop exploits - if one such ever shows up.
    But first and foremost, Noscript makes the Internet quiet. All the ugly sites are silent. And I love silence ...
    Mrk
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: XSS

    Originally Posted by elio
    Thank you Rich.
    I'll try to follow your advice during this week-end.

    Elio
    ----------------------------
    I am too. He posted another example here:

    https://www.wilderssecurity.com/showthread.php?t=174195

    But it requires user interaction (click on a link). I'm waiting for a real example we can analyze, such as what he described earlier:

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  25. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    One simple statement:
    Avoid the mainstream media for all your computer security news.

    The news and magazines are really publishing thousands of crap articles when it comes to this.

    Heard what that agent in Prison Break said?

    "The press is a tool".

    To make, break, or manipulate.
     