Best defense against trojans that use javascript to slip in when you open websites?

Discussion in 'other security issues & news' started by Hop A. Long, Aug 23, 2004.

Thread Status:
Not open for further replies.
  1. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    Beware of what you rely on when doing research on javascript security, because a lot of what you'll find is outdated, misleading, or written by shills promoting javascript for the businesses that profit from it. In addition, some of it is written by people who like to portray themselves as experts, but they really haven't done their homework.

    Thus, they're actually guessing about a lot of the things they represent as being facts. In other words, they're saying things which they merely 'believe' are factual. In addition, security holes that didn't exist at the time the article was written could have been discovered a week later. As clever hackers are finding new ways to exploit javascript on a regular basis.

    Why do hackers place so much emphasis on cracking javascript? Because in their infinite 'wisdom', millions of webmasters have effectively disabled crucial parts of their web sites for security conscious people who like to keep their javascript disabled. Their attitude seems to be "if you don't want to take a chance on me sneaking a trojan onto your hard drive--then click your clicker".

    In fact, hackers who specialize in javascript exploits have web sites that are designed to 'force' you to enable your javascript. Otherwise, you won't be able to access ANY of the 'goodies' they've used to lure you to their spider web.

    This is just an educated guess on my part, but I believe it's technically impossible for ANY application to "defang" javascript. As common sense dictates that if it was possible, the developers of javascript would do it themselves.

    And I got a trojan while using Firefox's daddy--see the post I started this thread with, as well as the screenshot I just posted. The bottom line is that javascript is currently being utilized to sneak altered and "unknown" trojans into the computers of people who click on malicious or compromised web sites--and NO browser that has javascript enabled is immune from this exploit.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,933
    Location:
    Texas
    Re: Best defense against trojans that use javascript to slip in when you open website

    The good news is antivirus vendors are starting to deal with these types of exploits.
     
  3. streetwalk

    streetwalk Guest

    Re: Best defense against trojans that use javascript to slip in when you open website

    The new home edition of Prevx looks very tidy and once out of beta may be good for that extra security such as you are talking about.
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Rich,

    If the browser is configurable enough, like FF, some of the exploits can be countered with settings (like Justhelping pointed out in post 37).
    You could of course disable Javascript, ActiveX, and Java in the browser.
    But where's the fun in that? I wouldn't mind blocking ActiveX and Java, but I would like to keep the more benign Javascript like image swaps and maybe form validation.

    There are also filtering programs like Proxomitron that hold great promise for this type of threat. The problem with filtering is that the bad guys are able to use escape sequences to alter the way the code looks to bypass the filter and yet still run. I don't know if Proxo or any other program could handle this trick. The filter would have to convert the escape sequences first and then filter the Javascript (removing the bad parts).

    I think a combination of good browser settings and a good filter (maybe Proxomitron) would work for this problem.
    Like Ronjor said, maybe antivirus HTTP filtering would be able to handle it.
    Or maybe someone could make a JavaScript Crippler program that would either remove the dangerous parts from WSH (altering it) or replace it with a more benign one.
     
    Last edited: Aug 27, 2004
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Hop A. Long,
    I disagree. Just as any security measure the good guys make the bad guys can counter, so the good guys can counter any exploit the bad guys use. It is just a matter of identifying WHAT the exploit is and how much TIME it will take to counter it. Nothing is impossible in this regard. Just my opinion though.

    I read the post and in it you mentioned:
    I don't have Mozilla, but I think you need to disable java within Mozilla itself.
    Did you have Java disabled within Mozilla?
    Also, from the screenshot, it appears that the trojan was in your browser cache not actually executed and running in memory.
    AV are able to regularly check the cache and alert if there is something bad there.
    So it appears that (if Java was disabled) the malicious website was able to use Javascript in Mozilla to drop a trojan into your cache, but not execute it.

    What needs to be done is determine specifically what javascript methods and functions are being used for this and then filter them out.
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Best defense against trojans that use javascript to slip in when you open website

    Thanks Devinco for the helpful reply.

    Regards,
    Rich
     
  7. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    I agree with your disagree. :) I should have been more specific, as what I meant was 'permanent' defangment. Sure they can patch specific security holes as they're discovered, but with code as complex as javascript, there will always be holes that remain undetected for a prolonged period of time. And it wouldn't surprise me if there are holes which lazy programmers have known about for years, but have simply blown off because no one has reported them yet.

    And as far as the trojan I got via Mozilla, I'm not sure, but I believe that's a common javascript exploit that programmers know about, but haven't been able to fix yet. Either that, or they just haven't got around to it. From what I understand though, there are currently a number of different javascript exploits available to hackers who want to slip you trojans via web sites.

    In regards to that Russian hacking incident which was in the news not long ago, do you know if javascript was utilized in that exploit? All I remember is that they were able to infect some high traffic legitimate web sites with a small graphic file that contained just one short line of code. And when victims opened the web site, that line of code was planted in their computer (probably when the graphic file was transferred to their browser cache). Then the line of code 'phoned home' and was able to retrieve a keylogger trojan by disguising the traffic as browser activity, in order to slip through routers and software firewalls. (Only I.E. browsers were vulnerable to this exploit.)


    When you say "java", do you mean javascript? As those are two different types of software (java is more risky). But you are correct, in that javascript would have to be disabled in the browser preferences.

    Mozilla doesn't use java in the latest version, which is what I have. If you're referring to "javascript", I had it enabled.

    My belief is that the hacker piggybacked the trojan into the browser cache with a graphic file, when the web site loaded. And it subsequently used javascript to automatically execute itself. Which was when Kaspersky detected it via its non-signature based methods.

    Mozilla doesn't have many options when it comes to javascript--see the screen shot I've included.
     

    Last edited: Aug 28, 2004
  8. Hmm

    Hmm Guest

    Re: Best defense against trojans that use javascript to slip in when you open website

    This is dead wrong, among other things you have posted already. Mozilla can use Sun Java and many people do use it.


    I just seen your screenshot it's unclear if it's being executed or if KAV just picked it up on a routine scan of your cache.

    Again wrong.

    There are ways to disable what JS can do [DOM model] in Mozilla beyond what is available in the GUI. See earlier posts on this thread.

    Try reading what some of the people here are writing instead of blindly googling up old outdated articles that you don't really understand just to debate.

    Very true. Also very funny given what you say here

    And you have been peppering this whole thread with quotes you found on google, slashdot comments by people who don't know what they are talking about....Among others


    Anyone who has been misled by outdated information into believing you can't get a trojan via javascript, read this article: http://www.pcflank.com/news020704.htm

    Also, the below is a quote from this site: http://www.freelabs.com/~whitis/security/nojava.html

    "It can infect HTML files by embedding malicious javascript in those files. As a result, you are likely to unknowingly visit malicious pages on legitimate sites.

    You caution people about outdated information then promply quote an old article that cautions of a IE only bug which is patched anyway.

    Thanks, very informative article. Here's another good one for people who may still believe javascript security holes don't apply to them:

    JavaScript Problems I've Reported
    ... (April 2002) A Short Retrospective It's been over 6 years since I first wrote
    this page. JavaScript exploits continue to plague all browsers. ...
    www.schooner.com/~loverso/javascript/

    Ditto, another old 2002 article. Referring to an old bug back when Firefox wasn't even a glimmer.

    Most of the articles you refer to are old and/or refer only to IE. Firefox while not being perfect has generally a clean record with regards to JS because of tough restrictions built into it. I know you are probably going to google and promptly whip out what you think is a devasting case against this statement (and no, annoymous comments by slashdotters muttering about XPI spyware don't count) but I stand by my statement.

    All you have is some dubious case of what you think is infection and from there you are convinced that the sky is falling.


    I already challenged you to give us the url of the site that you say caused auto-execution of the malware for Firefox, but you have not replied.


    In any case if you want 100% security against javascript exploits, the answer is simple don't use it. And then you are still vulnerable to various exploits. Like the phishing exploit I read yesterday that doesn't use javascript.
     
  9. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    "Many people"... GIVE ME A BREAK. Excuse me for not being a software engineer. All I know is that the preference file in Mozilla lists "javascript" as the only option, as indicated in my above screen shot. And you make an issue out of me not knowing that a small percentage of people have figured out how to use java in place of javascript?

    And I stand by my statement as being factually correct--"Mozilla doesn't use java in the latest version". Because it doesn't do it by default. Again, just look at the screen shot--that's the configuration which the vast majority of Mozilla folks are using. I'm sure you can rig ANYTHING up to do something it wasn't designed for. That's like me saying XYZ cars use aluminum engines, and you pop up saying "that's dead wrong, many people use steel engines in XYZ cars", totally ignoring the fact that the cars come standard with aluminum engines, and you have to obtain the steel engine from a second company.

    And your point is? Do you really think the hacker would go to the trouble of installing a trojan if he had no way of executing it?

    And hmm, "I just seen" is WRONG grammar. For someone who likes to find every possible excuse to accuse people of being wrong, you seem to be wrong yourself about a lot of things.

    "There are ways to disable what JS can do"... GIVE ME A BREAK. Excuse me for not being a computer scientist. All I know is that the preference file in Mozilla lists very few options for javascript, as indicated in the above screen shot. And you make an issue out of me not knowing that a small percentage of people have figured out a way to create additional options?

    And you must be new to Internet forums. Try reading what this thread is about before blindly criticizing me for not reading everything that anyone writes. To do that, go to the first post--which was mine. If you read it, you'll see this thread pertains to detecting known and UNKNOWN trojans that sneak in via javascript when you click on malicious (or compromised) websites. And that my objective is to find a program that has the best reputation for instantly detecting/stopping trojans that utilize javascript.

    Note that there was no mention of "[DOM model] in Mozilla beyond what is available in the GUI." Why? Because I have zero confidence in ANY browser being able to 'defang' javascript. So if a post in this thread doesn't pertain to DETECTING trojans as they sneak in from websites, or preventing them from entering in the first place, then I'm not really interested.

    As no matter what javascript tasks FireFox can supposedly restrict, I think it's a fairy tale to expect it to be able to stop trojans. Because as long as it's supplying enough javascript code to enable web pages to carry out their basic functions, that's all the trojans need to sneak through. Haven't you figured out yet that the trojans are probably written to blend in with the activity that javascript is programmed to expect from the web pages?

    Hmm, at least I HAVE some articles to quote. What did YOU bring to the table to support your position? BTW, what IS your position, other than to attempt to undermine the credibility of someone who is trying to warn people about the vulnerabilities of javascript? Perhaps you have a HIDDEN agenda that you're not willing to disclose? You make these rambling accusations about me being "DEAD WRONG", and criticize me for doing Google research, yet you don't present ANY research to back up your position--whatever it is. And again, your grammar is "DEAD WRONG".

    You make the blanket statement that the guy I quoted from the slashdot forum doesn't know what he's talking about, but this just ruins your credibility even more. As who are you to judge anyone else? What facts or evidence do you have to support your statement that "he doesn't know what he's talking about"? Do you expect anyone to take anything you say seriously, when you can't present ANYTHING to back it up?

    Hmm, but I disclosed that I just spent two seconds doing the research, and common sense dictates that isn't sufficient time to thoroughly study all of the search results. :) My objective was to simply illustrate examples of what you can find on the subject during quick searches--to encourage people to do their own research. I don't need to do any more research on the subject myself, as I already know how vulnerable javascript is. If you'll try reading some of the posts here, you'll also see that I described the problem about much of Google's search results being outdated. (Often, you can't even find a date when you open the web sites you're researching.)

    And your spelling is "DEAD WRONG". The correct spelling is promptly, not “promply”.

    And you expect anyone to take this statement SERIOUSLY, just because you SAY it? Hmm, you have 50 trillion articles available to you on Google, but yet you're unable to find a SINGLE web site that could even remotely back up your assertions. Are you going to use this thread to try and sell a bridge next? :)

    That won't be necessary since you've already made a "devastating case" against it yourself, by being unable to produce a single source for your "clean record" claims.

    And again, your spelling is "DEAD WRONG". The correct spelling is devastating, not “devasting”.

    Hmm, isn't that like "the pot calling the kettle black"? You're an anonymous wilderssecuritydotter muttering about FireFox, and your comments DO count?

    And once again, your spelling is "DEAD WRONG". The correct spelling is anonymous, not “annoymous ”.

    You just gave yourself away dude. You're one of those FireFox fanatics who has some kind of connection with the Mozilla project. And when you people aren't trolling the forums looking for posts critical of your baby FireFox, you're submitting (phony) positive reviews to the FireFox site on download.com, in order to offset the (genuine) 70 negative reviews. Let's see... 559,521 downloads of FireFox to date, but yet a whopping 1,591 positive reviews have been submitted. Now compare that with the popular "Ad-Aware" program... over 64 MILLION downloads to date, but yet only 211 people have taken the time to submit votes.

    The 'math' just doesn't add up, and you can tell at a glance that most of the positive reviews for FireFox reflect the writing styles, personalities, and vocabularies of just a small number of people. And a large percentage of them sound like sales pitches written by professional copywriters, rather than the general public.

    You must be referring to some other thread you're attacking, as I don't use FireFox--I think it sucks due to the way it crashes when I have more than 100 websites open. (But I'll try it again in about a year, to see if it's any more stable--as I think it's basically a good program.) And there's no posts from any "Hmm's" asking for the site address--which is further evidence you're a FireFox shill, as you can't even remember which thread you're attacking at any given time. The site I was on when I got the trojan via Mozilla was http://astalavista.com/

    Again, try reading some of the posts in this thread before making nonsensical suggestions. Because if you do, you'll see why permanently disabling javascript is not an option. And I never implied that I expected "100% security".

    You can't just troll around looking for people to attack who say something negative about FireFox--you have to familiarize yourself with the threads first, to avoid making your hidden agenda so transparent. Also, please confine your flames to Usenet newsgroups, because web based forums don't put up with shills or trolls who have nothing constructive to add to a thread. In other words, don't look forward to wasting the time of forum members with more off topic, petty attacks--as I'm sure a moderator will disappoint you.
     
    Last edited: Aug 29, 2004
  10. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Gentlemen, gentlemen let's all be civil. :)
    If we focus on content, rather than presentation, we (or at least I) can learn a lot from this thread. If this thread degenerates into petty bickering, the mods will close it, we will not learn, and the only ones who gain are the malware authors who can maintain their secrets about Javascript exploitation for dropping and executing trojans. Let's all keep it on topic. There are still a lot of unknowns about this topic.
     
  11. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    I concur, and have taped a "Do not feed shills" sign to my monitor. Attacks are off topic and will be forwarded to a moderator from now on.
     
    Last edited: Aug 28, 2004
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Where can I learn about the Javascript specifics of these common exploits?
    Not just the general overview of the exploit, but specifics on how it is accomplished. The specifics have to be determined first, then we can take counter-measures.

    I would also like to know the Javascript specifics of this exploit. I read in one of the articles linked to from this thread about embedding Javascript in a picture's ALT tag.

    I cannot confirm this because I don't use Mozilla. It just seems unlikely that you would visit a website with java and it wouldn't work. Mozilla was implementing java in its browsers before MS (I think). There should be an option somewhere to turn java on and off in Mozilla. Could someone familiar with Mozilla please confirm this? Does Mozilla not use Java? Does Mozilla have no option to turn java on or off? This is important to determine whether java was on or off at the time of infection in order to rule it out as a possibility.

    This may be possible. But it may also be that the javascript implementation in Mozilla permitted the trojan to be dropped, but not executed.
    Perhaps someone knowledgeable with KAV could look at your screen capture in post 1 and determine if that is a warning for a trojan running in memory, or that it is just residing in the browser cache. Also does the resident part of KAV regularly scan the browser cache?

    True. But from your screen capture in post #57, I see two options that could be used to protect against a common javascript exploit.
    Uncheck Hide the status bar and Change status bar text
    Using javascript, a web page can hide the status bar and alter its text. This is an easy way for the site to spoof a link. You hover over the link and check the status bar to see where it will lead. If you uncheck these two options, the status bar cannot be altered.

    Also, Mozilla may have the ability to use about:config for more options. I don't know if it works in Mozilla, but you can type about:config in the URL address box and a configuration page with lots of options will come up.
     
  13. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    FYI:

    I also have another thread that pertains to javascript based security breaches. The title of it is "How hackers can use your browser's javascript to disable your anti-virus software", and the address is: https://www.wilderssecurity.com/showthread.php?p=243415#post243415 (It's located in the "Other Anti-Virus Software" forum.)

    The following is the letter I wrote for that thread:

    It's an established fact that malicious and compromised websites can use your browser's javascript to sneak trojans onto your hard drive. I know, because I got one in this manner while using the latest version of the Mozilla browser--which is supposed to be one of the safest. The simple reality is that NO browser is immune from javascript based trojan exploits. And permanently disabling javascript isn't a practical solution, since a large percentage of web sites require it in order for various features to function. For more information about the vulnerabilities of javascript, as well as possible solutions--see my thread at https://www.wilderssecurity.com/showthread.php?t=45472

    The title of the below web page is "Hacking With Javascript", and I found it after just five minutes of searching on Google. (I believe the search term I used was "javascript exploits".) Imagine what you could find if you spent TEN minutes searching! :) The part of the site quoted below pertains to the targeting of specific individuals with custom made trojans that are designed to get past their particular security programs. I thought this information was appropriate for this forum since it emphasizes the importance of taking precautions when using javascript, and also serves as a reminder of why effective trojan detection software is so crucial.

    Hopefully, it will motivate irate readers to pressure software companies into giving extra attention to javascript exploits in their security programs. Not only by being the proverbial "squeaky wheel", but also by giving their business to the companies who are the first to address these unconscionable security holes. Because I find it OUTRAGEOUS that you can't even open a web site in 2004 without having to risk getting an unknown or altered trojan, despite having a dozen security programs 'protecting' your computer! A trojan that can then be used to open a back door into your hard drive, and allow a devious stranger to sneak your confidential files past your firewall disguised as legitimate browser traffic.

    Note: If the below link is not sufficient evidence to convince you of how javascript can be used to circumvent your security, then simply spend ten minutes doing some Google searches. Because with Google, you have a WORLD of evidence at your fingertips. (Hint--make "javascript hacks" your first search.)
     
    Last edited: Aug 29, 2004
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,933
    Location:
    Texas
    Re: Best defense against trojans that use javascript to slip in when you open website

    Eset is working on the very topics being discussed in this thread.
    It's here today.
     

  15. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    This is in response to people who think that disabling their javascript on a permanent basis is a viable option, and who haven't been following this thread very closely:

    Basically, you don't have much of a choice as to whether you use javascript. As some web sites won't even open if you have your javascript disabled--you'll just be staring at a blank screen wondering why the site won't load. In addition, many features, such as drop-down menus for example, simply wouldn't work on web sites that rely on javascript.

    And of course, hackers are well aware of the necessity for having javascript enabled, and they silently thank the millions of webmasters on a daily basis for making everyone a sitting duck for them. That is, after they finish praising the javascript programmers for making the program too complex to avoid a never-ending series of gaping security holes.
     
    Last edited: Aug 29, 2004
  16. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    Hi Ron,
    I did a search on the NOD32 forums using the search term "javascript", but I didn't find anything relevant. I also didn't see anything on their site that jumped out at me. Where did you hear about it, and what do you mean "It's here today"?

    Thanks,
    HC
     
  17. Hmm

    Hmm Guest

    Re: Best defense against trojans that use javascript to slip in when you open website

     
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Best defense against trojans that use javascript to slip in when you open website

    I think it would be better to stop here and just chill. No one is now at the moment giving more info regarding the starting post.

    This is way beyond off topic;

    it is a pity.
     
  19. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Okay back on track then.

    Thanks Ronjor.

    I forgot about the HTTP IMON scanning in NOD32. That would be great if it would work against the known common javascript exploits.
    From your screen shot, I can see that IMON is scanning an external Javascript file. (Note: an external JS file is used by web designers to store all the JS functions in an external file as opposed to embedding the code inline in the HTML. The external JS file simplifies code reuse and speeds downloads.)
    It would be nice to know if IMON handles JS that is embedded inline in the HTML as well.
    I also wonder if IMON is easily fooled with the Hacker tricks used to bypass filters:

    By using hex characters to bypass filters. Example (extra spaces added to allow me to post it):
    Code:
    <& #115;cript type="java& #115;cript">"
    Or by concatenating:
    Code:
    document.write('<'+'k'+'e'+'t'+'a'+'g'+'>')
    Or by URLencoding:
    Code:
    http://goodwebsite.com/site/dir/helpdesk.asp@1234567890%1F%11%4E%23%76%31%7F [insert nasty javascript url encoded here]
    note: the above link does not go anywhere, it is just an example.

    These appear to be just some of the common ways that hackers are able to bypass filters and conceal their javascript code.
    What is needed to counter this is a pre-filter that would replace all these concealment methods with normal code that NOD32 or Proxomitron or other filter could process.

    Are there any safe (as in not hacker sites) vulnerability tests that use the same javascript exploits that the bad guys are using for dropping trojans and such?

    I really don't like trolling around hacker sites, but it seems to be the only way to learn about the specifics of what the common javascript exploits are.
    It still needs more research.
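
The pre-filter idea Devinco raises in posts 4 and 19 (decode the concealment first, then hand the result to the real filter) can be sketched as below; this is an added example, not code from any poster or from NOD32, Proxomitron or any other product. It goes slightly beyond the three tricks quoted by also undoing JavaScript `\xNN`/`\uNNNN` escapes and repeated (nested) encoding. The `SCRIPT_TAG` rule, the function names and every sample string are constructed assumptions.

```python
"""Decode-then-match pre-filter sketch (added example, not code from the thread)."""
import html
import re
from urllib.parse import unquote

# Assumption: one constructed rule stands in for the downstream filter
# (Proxomitron, an AV HTTP scanner, ...). Real products use their own rules.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

# JavaScript string escapes of the form \xNN and \uNNNN.
JS_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")

# Two quoted literals joined by '+'. Heuristic only: literals that contain
# quotes or backslashes are skipped; a production filter would tokenise.
CONCAT = re.compile(r"""(['"])([^'"\\\n]*)\1\s*\+\s*(['"])([^'"\\\n]*)\3""")

MAX_ROUNDS = 8  # deeper nesting than this is treated as hostile


def fold_concat(js):
    """Merge 'a'+'b'+'c' into 'abc', repeating until nothing changes."""
    prev = None
    while prev != js:
        prev, js = js, CONCAT.sub(r"\1\2\4\1", js)
    return js


def decode_once(text):
    """Peel one layer of each concealment method mentioned in the thread."""
    text = unquote(text)        # %3C -> <
    text = html.unescape(text)  # &#115; / &#x73; / &lt; -> character
    text = JS_ESCAPE.sub(
        lambda m: chr(int(m.group(1) or m.group(2), 16)), text)
    return fold_concat(text)


def normalize(text, max_rounds=MAX_ROUNDS):
    """Decode to a fixed point. Returns (canonical_text, rounds, exhausted).

    exhausted=True means the input was still changing when the round limit
    was reached, so the canonical form is not trustworthy.
    """
    for rounds in range(max_rounds):
        decoded = decode_once(text)
        if decoded == text:
            return text, rounds, False
        text = decoded
    return text, max_rounds, True


def scan(raw):
    """Compare matching on the raw bytes with matching on the canonical form."""
    canonical, rounds, exhausted = normalize(raw)
    naive_hit = bool(SCRIPT_TAG.search(raw))
    normalized_hit = bool(SCRIPT_TAG.search(canonical))
    return {
        "naive_hit": naive_hit,
        "normalized_hit": normalized_hit,
        "rounds": rounds,
        "exhausted": exhausted,
        "canonical": canonical,
        # Fail closed: input that will not settle is blocked unseen.
        "verdict": "block" if (normalized_hit or exhausted) else "allow",
    }


# Constructed samples modelled on the concealment styles listed in post 19.
SAMPLES = {
    "char_reference": '<&#115;cript type="java&#115;cript">',
    "concatenation": "document.write('<'+'scr'+'ipt'+'>')",
    "double_urlencoded": "http://goodwebsite.example/helpdesk.asp?q=%253Cscript%253E",
    "js_hex_escape": 'document.write("\\x3Cscript\\x3E")',
    "benign_markup": '<img src="a.gif" alt="50% off">',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = scan(raw)
        print(f"{name:18} naive={r['naive_hit']!s:5} "
              f"normalized={r['normalized_hit']!s:5} "
              f"rounds={r['rounds']} verdict={r['verdict']}")
```

Static decoding of this kind only recovers strings that are fully present in the page text; values assembled at run time from variables or fetched data still need a filter that sits at the point of execution.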
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,933
    Location:
    Texas
    Re: Best defense against trojans that use javascript to slip in when you open website

    I didn't intend to hijack this thread. Just wanted to show that antivirus companies are changing their posture in regards to what is considered a threat.

    I don't imagine we will get much info out of the antivirus companies as to the methods they use to discover particular threats.

    As thorough as you are Devinco, we will expect a full report on your findings. :D
     
  21. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Sorry Ronjor,

    I did not mean that you are hijacking this thread at all.
    In fact, your posts here are directly on topic.
    I was referring to previous posts that were just starting to go off topic.
    My statement: Okay back on track then.
    It was not intended for you and was not placed in the right context.

    Sorry. :)

    P.S. I will post info that I find, although I doubt it will be thorough. :)
     
  22. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Re: Best defense against trojans that use javascript to slip in when you open website

    I hope no one minds if i jump in with some of my own thoughts on this issue.

    From what i have read, i am still rather confused to what others feel is the threat that javascript poses. Is it in reference as an entry way to ones computer for virii, trojans etc? Like others have mentioned, by using an alternative browser, I imagine it is much safer against this threat than IE. Now I am not saying this because I know the inner workings of browsers like Firefox or Opera (so take what I say with a grain of salt). But what i am saying is that these browsers are not integrated with the OS like IE is. Which i assume would make it harder for the actual execution of malware (if the malware only depended on the functions that the browser is capable of). Also many of these browsers are much faster at addressing these very same vulnerabilities (that we speak of in this thread) than MS would. How many times have we seen vulnerabilities in IE that they ignore or pass off as not being critical? MS in fact has much more to consider in terms of the functionality of IE and end users (as still a large percentage of internet users are still using IE) than many other third party browsers do. Security can sometimes get compromised in this manner.

    Filters have also been mentioned in this thread. Filters like proxo. To me, I do not see them as being the end-all solution to the "dangers of javascript." Many times they are far too restrictive. And a lot of legitimate activity gets filtered as well. So what do people like me do? Turn off the filter, and then begin to wonder what is the reason I had it in place at all. Configuration is a big part of using filters (that I will not deny), but this can be difficult at times as well. Especially not knowing the means of how websites use javascript on their pages. And then there are times when dangerous use of javascript and legitimate use of javascript overlap. I am sure they work for a lot of people and I am not saying to not use them at all. But being this is more of a decision for end users to make, I do not think it will be fair to label it as a solution at this time.

    ronjor mentioned that some AVs are taking a larger role in detecting such malicious javascript activity. In this thread we have already seen KAV and NOD32. But many others also have detection for Javascript trojan downloaders and sorts (even if they are generic signatures). Because they can detect them through signatures, I would say they are more accurate than using a web content filter. At this time a lot of these Javascript exploits seem rather simple in nature and probably do not require a lot of attention for detection. Usually the virus/trojan downloaded are much more dangerous, in which case I do not see why one's AV and AT cannot detect it and remove it. After all, this is their job, no matter how "obscure" the means of entry is. Even if javascript "malware" became more advanced it would probably be recognized by Sun or MS (maybe even third party browsers), in which they would probably take some action in restricting or patching their products. In the meantime it also seems very likely that AVs/ATs/ or Anti spyware programs (or all 3) will add detection for such an event. Other programs like SpyBot and Spywareblaster seem to already have taken an active role to prevent malicious ActiveX controls. And many spyware programs now have resident protection as well.

    I know I am probably overgeneralizing a lot of points, but to me that is personally how I view this threat.

    Edit: With Sun Java one also has the option to disable caching, which in and of itself might prevent some of these nasties from being saved on one's computer.
     
  23. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    Since up to 97% of people still use I.E., I'm assuming that percentage includes the readers of this thread--so here's a CURRENT article by a reputable organization regarding javascript security problems, etc., that pertain to I.E.

    http://www.eweek.com/article2/0,1759,1624089,00.asp

    A few quotes from the article:

    "recent announcements against IE from [the Department of] Homeland Security recommending [Mozilla's] Firefox over IE."

    "One recent attack uses a flaw in IE to download a malicious piece of JavaScript code onto users' PCs, and that code is then used to run further nefarious operations."

    "For years, client-side active scripting tools such as ActiveX, VBScript and JavaScript have drawn the ire of security experts who see them as unnecessary at best and inherently dangerous at worst. Although users can disable any or all of these technologies in IE, most people—especially inexperienced home users—don't understand the potential dangers"
     
  24. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: Best defense against trojans that use javascript to slip in when you open website

    Hop a long

    You are preaching to the converted here and, in the process, with your continuous attacks, turning people off from your point of view.

    The problem isn't with any security system to prevent the javascript trojans getting on but with the operating system having security holes that allow these problems.

    SP2 for XP has gone a long way to plugging the holes, but if you want the benefits that javascript, java, activeX etc bring to a multimedia surfing experience then you have to take some responsibility yourself and not allow a lot of the downloads yourself.

    You would be far better served by sending long vitriolic letters to M$ & the other op system developers telling them to tighten up their systems rather than blaming antivirus/anti-trojan developers for not blocking all jscript completely even where it might be useful or wanted.
     
  25. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since the thread subject matter is more conducive to Security issues in general and not anti-trojan software....we'll continue the discussion in this Forum....if indeed there's any discussion left.
     