Best defense against trojans that use javascript to slip in when you open websites?

Hop A Long,
1. Well you can probably decide to block all scripts.
2. The friend I was talking about uses Norton and his didn't stealth him so I wonder?....
3. https://www.wilderssecurity.com/showthread.php?t=43658 Primerose's post at this thread has links to browser security tests you might try.

Devinco, from your post it seems that the worst thing that javascript can do is control activex programs in which case we're covered with SWB! BTW FireFox does not even use activex, apologies if you already knew that.

 

Re: Best defense against trojans that use javascript to slip in when you open website

Anyone who has been mislead by outdated information into believing you can't get a trojan via javascript, read this article: http://www.pcflank.com/news020704.htm

Also, the below is a quote from this site: http://www.freelabs.com/~whitis/security/nojava.html

"It can infect HTML files by embedding malicious javascript in those files. As a result, you are likely to unknowingly visit malicious pages on legitimate sites.

This is not the first and certainly won't be the last java/javascript vulnerability. Java and Javascript allow webmasters to non-consensually and without notice run their computer software on your computer. This gives them WAY TO MUCH POWER, including the power to invade your privacy and crash, corrupt, or damage your computer system due to malice or incompetence."

The above is just from searching google for two seconds. Imagine what you could find in five minutes if you use imaginative search terms.

 

Re: Best defense against trojans that use javascript to slip in when you open website

I'm sorry, I should have included an example of what I meant by "imaginative search terms". Here's one: Javascript trojans

P.S. Although the PCFlank article mentioned in my last post pertains to the I.E. browser, ALL browsers are vulnerable to malicious javascript. And from a security standpoint, javascript is no different than the Microsoft OS--new security holes are being discovered and exploited on a regular basis. And since it's not practical to disable javascript, the objective of this thread is to find the best security software to protect against javascript exploits.

 

Re: Best defense against trojans that use javascript to slip in when you open website

IMO = In My Opinion

HTA = Hypertext Application. Basically an executable form of an HTML page which can do good things (like "USER ACCOUNTS" or "ADD/REMOVE PROGRAMS" Control Panel applets) or bad things. Both HTAstop2003 and WormGuard can block HTA. WormGuard has the advantage in that it allows access to those control panel applets.

WSH = Windows Scripting Host. The scripting engine that handles Visual Basic Scripts (VBS), Javascript, and other automation tasks.

Here's the danger. Say they are able to drop a trojan on you but not execute it. Well they could have modified the registry to make the dropped trojan execute when you reboot automatically. PCpitstop is not a malicious site AFAIK (as far as I know).

Thanks. Corrected!

 

Re: Best defense against trojans that use javascript to slip in when you open website

SWB will certainly help with IE and block spyware cookies in FF, but doesn't deal with Javascript at all.
I don't know if Firefox is vulnerable to Trojan dropping Javascript exploits.
Certainly FF is safer than IE, but the info posted certainly leaves the question open.
The articles hint at plugins, but they were written long before Firefox (with extensions) came about.
Maybe Firefox is immune to all Trojanous Javascript Exploits?

I would like to know how the malicious javascripts are able to do their ill deeds. Maybe then we would know what needs to be blocked.

The vulnerability tests are a good idea if they use the same current methods that the bad guys are using.

 

Re: Best defense against trojans that use javascript to slip in when you open website

Thanks, very informative article. Here's another good one for people who may still believe javascript security holes don't apply to them:

JavaScript Problems I've Reported
... (April 2002) A Short Retrospective It's been over 6 years since I first wrote
this page. JavaScript exploits continue to plague all browsers. ...
www.schooner.com/~loverso/javascript/

Quote from the site: "Sadly, other browsers, like Opera, have followed in MS and Netscape's footsteps created their own list of security problems by adding JavaScript in an unsafe fashion. IMHO, Opera is still nowhere near as safe as Mozilla."

And I got my last trojan while using the most recent Mozilla browser! So if hackers can use the late 2004 version of the 'safest' browser to sneak trojans onto your hard drive, then obviously EVERYONE should be concerned. Again, the firewall I use had all my ports fully stealthed, and the trogan apparently slipped right past the firewall, disguised as legitimate Internet traffic.

 

Re: Best defense against trojans that use javascript to slip in when you open website

best way to protect against java trojans?

install suns java, and make it your computers default
http://wwws.sun.com/software/download/

most of these install themselves through holes and vulnerabilities in microsofts java VM

 

Re: Best defense against trojans that use javascript to slip in when you open website

Here's a better site: http://www.governmentsecurity.org/articles/HackingWithJavascript.php

Quote from the site: "This one is used to gain enough info on someone in order to form a trojan attack on them. What this javascript will allow us to do is to probe their system and see if they have any security against our attack. It will let us see what anti-virus program they use, what firewall they use, and if they have any programs that allow us to infect them with macros.

Lets say we check for anti-virus programs, if they don't have any you can display a link to download sub7 and say it is a video game... if they do have an anti-virus program you can display the link to the real game. This way you don't have to worry about the user finding out that you tried to send them a trojan. Only users who don't have an anti-virus program will have downloaded the trojan.

One possible future for trojan's is modules that you can insert to attack specific programs. For instance if you know the user is running a certain type of anti-virus program and they are running a certain type of firewall you can plug those modules into the trojan. When the user downloads and runs this trojan the modules will trojan those anti-virus and firewall making them seem as if they are running fine, when they aren't. Ether they won't detect your trojan or they will replace them with a emtpy program that just puts the icons in the taskbar and task list. I will try to get a working deminstration of how javascript can be used to download the correct trojan for a user's system or detect if the trojan will be detected by an anti-virus program so it will make them download a regular file."

I found this site after just five minutes of searching on google. Imagine what you could find if you spent ten minutes searching!

 

Re: Best defense against trojans that use javascript to slip in when you open website

LOL, see the post by "Michalson" at the following forum (Click your scroll bar down about four times):

http://it.slashdot.org/it/04/07/31/0037210.shtml?tid=154&tid=128&tid=172

The below is from the first part of his post:

"Re:This is nothing... (Score:5, Interesting)
by Michalson (638911) on Saturday July 31, @10:45AM (#985226
You should really read the Mozilla vuln. list. While they only allow things that have been reported, *already fixed*, and *gone for 2 versions already*, it does provide a pretty scare look at Mozilla's "security", or lack there of. While I will be the first to admit this model of secrecy has worked in the past, it doesn't look like it will in the future. First, a lot of people are moving to Mozilla and Firefox, making it a viable target (I've already seen several instances xpi spyware/trojans"

 

Re: Best defense against trojans that use javascript to slip in when you open website

Of course, no browser is perfect, but Firefox's implementation of javascript is far more strict than IE's.

As for XPI based spyware, that is not really a concern, since you still have to click to accept it. So it is not technically a vulnerability.

1.0 versions will tighten this even further by allowing by default only official sites to prompt for xpi installations. You can add more to the whitelist.

Interesting, but the relevant question is , was the trojan actually being excuted?

OR was it merely dormant in the cache? I remember being alerted to dozens
of warning about <insert IE based exploit/trojan that installs itself automatically on medium settings>, but I was on firefox and was immune anyway.

 

Re: Best defense against trojans that use javascript to slip in when you open website

I would disable (set to true) the following

dom.disable_window_status_change
dom.disable_window_open_feature.menubar
dom.disable_window_open_feature.scrollbars
dom.disable_window_open_feature.status
dom.disable_window_open_feature.toolbar

The last one is particularly important to avoid ta spoofing method which replaces your toolbar with javascript and XPI.

 

Re: Best defense against trojans that use javascript to slip in when you open website

Thanks Justhelping!!

 

Re: Best defense against trojans that use javascript to slip in when you open website

Mozilla based browsers can use the 'prefbar' plugin to create a javascript on/off button.

Javascript (even without the dangerous Activex) can give EXTRA environment variables to the website logfiles.

try this, install the mentioned plugin, Javascript button 'on' and visit: http://leader.ru/secure/who.html

Then do the same with JavaScript 'off'.

This shows how much info you give to website owners when JavaScript is on.
You can do the same thing with Java, which is both Slow and more dangerous to enable,

 

Re: Best defense against trojans that use javascript to slip in when you open website

I realize that, but the poster was wondering whether Firefox is immune to ALL Trojanous Javascript Exploits. Obviously, Mozilla and FireFox are vastly superior to I.E. in many ways in terms of security. If Billy was smart, he'd trash I.E. and rebuild it from scratch. As that's the only way he'll ever get rid of all the security holes.

What do you mean by XPI based spyware? What is XP1? Whatever it is, I want it! Because if the spyware identifies itself and gives you the choice of accepting it... what more could you ask for?

Yes, definitely. If Kaspersky hadn't stopped it, it would have installed itself in my system.

That's odd. I've used Mozilla and FireFox heavily for many months and have never received a single warning like you describe. In fact, the alert from the Kaspersky program is the only alert I've ever received of any kind while using a browser. Other than pop-ups I get from the Norton Firewall warning me about web sites that are trying to load ActiveX or java applets onto my computer. Why I'm getting the ActiveX alerts is a mystery, since ActiveX supposedly can't be used with a Mozilla browser.

 

Re: Best defense against trojans that use javascript to slip in when you open website

Thanks for the great info! I was getting ready to try Opera, but if Mozilla makes it easy to turn javascript on and off, that would definitely be a deciding factor. As that way you can keep javascript disabled until you come across something on a web page that doesn't function, such as a drop down menu. Then you can turn it back off after using the feature that required the javascript.

As a large percentage of web sites I go to are a total waste of time, and I close them within about five seconds. So there's no sense in having javascript enabled for all those junk sites--and making myself vulnerable for nothing. This should be the strategy everyone uses, since javascript makes you so vulnerable.

 

Re: Best defense against trojans that use javascript to slip in when you open website

Hi illukka,

Thanks for your contribution to this thread. I'm not familiar with the differences between Sun's java and the Microsoft version, so do you know of any reputable reviews or web sites that confirm Sun's java is more secure? If so, I'd greatly appreciate the information, as I couldn't turn up anything useful with some quick google searches I just did.

Also, it seems the MS version would have one clear advantage over Sun--patches would be included with regular MS automatic updates. And new security holes are found on a regular basis with any version of javascript. In addition, even if the Sun version is more secure, that's still not secure enough, due to the inherent vulnerabilities of javascript.

So you still need to take the same precautions you'd take with the MS version. In other words, if you have your javascript enabled on a malicious site, you can't depend on Sun to stop a trojan--you have to have a good anti-trojan program running. As the odds are that a trojan could slip past Sun as easily as MS.

If that wasn't the case, Sun could put the anti-trojan companies out of business, and you'd see their spam everywhere bragging about the trojan prevention aspects of their java.

I did find the following on google:

[DOC] Java Security
File Format: Microsoft Word 2000 - View as HTML
... Java VM’s, made by Netscape, Sun Microsystems, and Microsoft, have all had serious security flaws3,6. The effects of these flaws have ranged from exploits ...www.giac.org/practical/Miles_McQueen_GSEC.doc - Similar pages

But it appears to be outdated. That's the problem with search engines--they waste your time by not including dates in the search results, so you have no idea of how current the information is until you open the websites. And obviously, everyone wants the most current info.

 

Re: Best defense against trojans that use javascript to slip in when you open website

Hop A Long & Tuatara

The "Prefbar" extension is a very nice tool to have but ... one thing ... it kills off the "Open a new tab" function on Firefox.

I installed Prefbar ... then uninstalled it after the bug prevented me from using the "Open a new tab" ... I love the "Open a new tab" function of firefox too much not to use it.

So I guess I just have to keep checking the disable/enable Java and Java Script from the Tools > Options > Web features on Firefox.

 

Re: Best defense against trojans that use javascript to slip in when you open website

here is one link, describing one of the most famous java trojans
http://java.com/en/download/help/cache_virus.jsp

almost every day there is a poster asking for help concerning this trojan at various hijack forums

 

Re: Best defense against trojans that use javascript to slip in when you open website

I was answering in the context of the quote from slashdot, where someone dished Mozilla by pointing out that secure exploits exist.

My point is It's like asking will any antivirus product protect you from all viruses, the answer is obviously no.

In any case, I'm not aware of any exploit that automatically causes a trojan to be downloaded and executed on firefox without any user interaction. Not that there can't be any, but I believe currently no such method is known.

If you can prove otherwise, I'm sure many people will be very interested.

XPI roughly speaking is the system used by Firefox to add extensions. Hopefully you know what extensions are. You visit a certain site, find a extension you like, click on it, it prompts you to install you click yes. Then it's installed. In short it's just a mechanism used to install programs, much like Activex but much more secure.

The mozilla people are aware of the possible dangers of XPI , and have created a host of measures to protect users. Even the newbies, on top of the whitelist , current versions of firefox 0.9 have a built in prompt that forces the dialog box prompt to be displayed for 3 seconds. They have also considered vulnerabliities where users are tricked to click "yes".

That is why I say you should read always read claims on slashdot with a pinch of salt. The kicker is with regards to that XPI "spyware" referenced even if you did install it, all it did was to hijack IE

Would be interesting if you reported such a site to mozillazine.

I would venture a guess that the firewall is able to intercept and intercept such http streams before they even reach your browser.

 

Re: Best defense against trojans that use javascript to slip in when you open website

I'm currently aware of 2 other methods besides prefbar to do what you want.

One is toolbar enhancements

Another is prefbutton

They might be Mozilla Firefox only (as opposed to Mozilla suite) though .

I wouldn't be suprised if there are other ways.

 

Re: Best defense against trojans that use javascript to slip in when you open website

Given that at one point in time MS gave up bundling MS JAVA and began bundling SUN Java might be a big clue I also remember at one point they mentioned dropping support totally for upgrading MS JAVA but i *think* later
they reversed themselves. I'm sure someone can fill you in with the glory details about the agreement

LOL. When was the last time you spotted a Java update from MS? In any case, I disagree with those who think Sun java is a bigger security problem than javascript. That might be the case maybe 1 year ago, where bugs in java was found that bypassed the sandbox, but I believe that this hasn't happened in a while. As for javascript being a lesser danger just browse secunia or any security exploit site, with javascript off, java (SUN or MS) on, notice how 99% of them suddenly isn't a problem? Repeat it with java (SUN or MS) off but javascript on, and compare

The problem is javascript than, NOT Java. If you really believed your argument just turn off javascript and turn on Java.

Huh? Java is just a very small aspect of the net. There are dozens of ways to get infected without using Java. When people say SUn Java is secure compared to MS Java they refer to the fact that MS Java is more likely (no 100% guarantees!) to be exploited than Sun Java

No one is saying you don't need to care about trojans

I did find the following on google:

As i said before, most java problems you find will be old outdated ones.

And as always, nothing can protect the computer from user stupidity.

 

Umm... that's a very misleading and revisionist version of events. What actually happened is that Microsoft provided a Java VM that was widely recognized as the most advanced in the industry. However, Microsoft's JVM did not support:

1. the Java Native Interface (JNI) API, but instead utilized their own native function calling protocol called J/Direct; and
2. the Remote Method Invocation (RMI) API, which was an optional part of the Java specification that detailed how Java could interract with other Java code on remote machines/devices.

As a result, Sun sued Microsoft over non-compliance with the Java specification. There are tons of arguments back and forth over all of this. For example, J/Direct is actually more efficient than JNI on a Windows platform and since both techniques are all about how one goes about calling platform native functionality, the support, or lack thereof, of this protocol had little impact on the "write once, run anywhere" goal that Sun supposedly was championing. Anyway, the upshot of all of the above was that Microsoft and Sun settled this lawsuit out-of-court and one of the provisions was that Microsoft agreed to no longer ship a JVM with any of its products after a certain date. Moreover, Microsoft agreed to no longer advance the development of any of its Java Runtime Environment code including the JVM (other than bug/security fixes on code that was already out there).

Of course, about a year later, once Sun came to its senses and realized that Java support was going to rapidly errode if they just let Microsoft drop Java like a hot potato... Sun once again sued Microsoft, this time claiming that Microsoft would have to ship Sun's version of the Java VM. This lawsuit was also settled out-of-court, I believe, and that's why Microsoft did what they did. NOT, as you imply, because they believed Sun's JVM was in any, way, shape, or form a better, more advanced, or more secure product. Sun's JVM is more advanced now, of course, because Microsoft stopped all development per legal agreement about 4 years ago. I would hope that Sun's present day code would be better than 4 year old code.

 

Regarding the actual topic at hand, I'm not an expert on every possible avenue of attack via Javascript, but I do think that a few points need to be made. First and foremost, as most of you know but some seem to perhaps not know, is that Java and Javascript are completely different animals. They just share a similar sounding name is pretty much it. In fact, on IE, it's not even really properly called Javascript, it's called JScript or ECMAScript. In fact, I believe that ECMAScript is the only true open-standard scripting language for use on the web.

Anyway, I believe that much of the confusion about Javascript (or whatever you want to call it) is that on its own it is a fairly limited and secure language. Primarily it is just a specification of syntax for conditional execution, branching, looping, etc. on an interpreted platform. That is, it is mostly just what I would call "coding glue". The power behind Javascript is in what "objects" are provided to it for its use. This is where I believe the complexity comes in since there are various "objects" that are provided. For example, Internet Explorer supports the Document Object Model (DOM), which is also often referred to Dynamic HTML or DHTML. The DOM is an open standard means of allowing script to control a web page. That is, DOM provides all sorts of objects for your Javascript to manipulate to affect the rendering of the web page. Additionally, on Internet Explorer, the scripting engine runtime itself provides certain objects that can be utilized by Javascript. Moreover, you have objects that can be explicitly instantiated instances of ActiveX/COM components that reside on the machine or elsewhere. You can have objects that are explicitly instantiated instances of Java applets that reside on the machine or elsewhere.

So, when one talks about the security of Javascript, is one talking about the security of the syntax itself or all of the possible interactions it can cause with all of these other DOM/ActiveX/Java objects? Javascript, on its own, I think is considered to be fairly harmless. It's what you add to it that presents the security problems. If any of the objecs themselves present any vulnerabilities or avenues for attack, then Javascript can be used to exploit these weaknesses in the underlying objects. Thus, the complexity in pinning down the concept of Javascript security. Can anyone vouch for all of the possible uses and permutations of objects and how they might be used? I think that is the issue.

 

Re: Best defense against trojans that use javascript to slip in when you open website

Question: Is there a way of preventing Javascript or similar scripting languages from accessing DOM objects or similar type ActiveX/Jave objects? Thanks.

Rich