Interview with an Adware Author

Discussion in 'other security issues & news' started by Pedro, Jan 14, 2009.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    http://philosecurity.org/2009/01/12/interview-with-an-adware-author

    Great interview if you ask me.
     
  2. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    Thanks for the link, Pedro. Very good interview.
     
  3. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,353
    Location:
    U.S.A.
    Pedro, excellent interview :thumb: especially the question: Can you tell me more about your strategies for persistence? If that section doesn't make people think twice about using IE, nothing will!
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks. It was a good interview.
     
  5. tlu

    tlu Guest

    Indeed. On the other hand even many forum members here (who should be aware of security issues) still use IE. And I guess many of them have ActiveX and BHO's still enabled. Considering this sad fact - why should anyone expect non-members change their habits? :D

    EDIT: A nice comment by Giorgio Maone on IE versus other browsers.
     
    Last edited by a moderator: Jan 15, 2009
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    But note also these:

    I know users of IE who would agree.

    ----
    rich
     
  7. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,353
    Location:
    U.S.A.
    tlu, I agree with you that many of our forum members will continue to use IE no matter what, however, indicative of their sigs, most have armed themselves with hardware and software that Joe Public might never use.

    My comment was/is directed at those who visit Wilders seeking knowledge (like I did many years ago) rather than persuading long time forum members. For as long as articles are posted, like Pedro did, there is a chance that we can motivate people to change their ways, even if it is only one person at a time. That's all we can hope for.
     
  8. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,353
    Location:
    U.S.A.
    Rmus, yes, it's very clever to use the accessibility.api, found in Adobe Reader, to infiltrate all browsers and most OSes with adware, but I'm glad you brought that up because a conflict with Reader was the main reason why I gave up on IE7 and went to Firefox.

    When IE7 first came out officially, not BETA, in 2006, I had a heck of a time with the browser crashing and so did many others as seen by the frequency of forums' postings in those days (even today, IE7 has crash issues with Adobe's Flash Player 10). Adobe Reader turned out to be the culprit, and with its inability to display a PDF page inside the IE7 browser then, made me look at Wilders for browser alternatives and that's when I discovered Firefox. I reverted back to IE6 and use it sparingly today.

    Will I ever go back to IE? Perhaps. Every thing I read about IE8 piques my interest, however, this time, I won't rush into it.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Please explain how this infiltration takes place.

    Just curious, why you display PDF files inside the browser rather than with the Reader.

    ----
    rich
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What is wrong with that?

    ----
    rich
     
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,445
    Location:
    Slovakia
    An alternative browser is good advice for the average Joe; I install Firefox for all my friends. But people on Wilders can choose a browser based on their needs. ;)
     
  12. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,353
    Location:
    U.S.A.
    Rmus, that I will not do, sorry. The article offers the gist of it; let's leave it at that.
    Ease of use. I code Web sites and have many programs open, at any given time, while working on projects. Don't need another window bugging me.
    Nothing at all; different strokes for different folks.
     
  13. tlu

    tlu Guest

    Rich, there are several reasons. Some arguments can be found in the link I provided above. Additional arguments are presented here.

    The point is: IE is tightly integrated in Windows. A couple of other system applications (like Help and Desktop) use IE. To make this possible Microsoft extended the abilities of Javascript by creating JScript. JScript is as powerful as VBS: via FileSystemObject it can open or delete files, start applications, communicate with other processes etc. Thus, it's obvious that a security flaw very often affects many other aspects of the OS. Javascript (as used in, e.g., Firefox) is much more limited as it doesn't have a FileSystemObject and therefore no direct access to your local files. And, of course, Firefox (or any other browser) is not used for other system applications - a security flaw consequently won't affect other functionalities of the OS.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Fair enough. I wouldn't want you to reveal any "secrets." I just thought you might clarify what you mean by "infiltration." BHO and Accessibility API were discussed under "Persistence," meaning, as I understand it, what takes place after the user agrees to install the Adware, and are not the initial infection method. Some readers might conclude wrongly.

    Regarding comments about IE: Because of the sensational news reports about IE and Windows, it is assumed that you live dangerously indeed if you use IE, for just opening even to a "legitimate" web site is cause for certain doom...

    I exaggerate, of course, but uninformed readers of this stuff do come away with that impression. In the past year, more analysts and researchers are looking a bit more closely at the statistics and the real world.

    From a recent Windows Secrets Newsletter:
    http://de.trendmicro.com/de/about/news/pr/article/20081216155324.html
    I have confirmed this with a local shop: most victims admit that they downloaded something and didn't realize it was infected.

    Social engineering (a polite way of describing user stupidity) is illustrated most recently by the flash_update.exe exploit,
    where the user is enticed to watch an alluring video:

    [attached image: koobface.gif]

    No browser, nor even operating system, will protect against this type of exploit, as illustrated in this comment in an analysis last year of an update trick which served up the MAC DNS changer exploit:

    Storm, one of the biggest botnets, ensnares its victims with a similar temptation:

    [attached image: withlove.gif]

    Returning to the exploitation of security flaws in products for a moment: the recent 7.7.7.0 Search Engine exploit showed how infection can occur by remote code execution (drive-by download) no matter the browser -- these comments from other forums:

    Later the filename changed to wdmaud.sys.

    This, of course, is not a browser exploit per se, but illustrates how malware authors are becoming more sophisticated in how they target their victims.

    It should be obvious to people that protection should not rely entirely on the browser or applications that may be vulnerable before a patch is released.

    All of the Remote Code Execution Exploits that download malware that I have seen analyzed, have in common what I put in bold above:

    executes first as a Trojan

    What better way to protect than to start with the foundation layer of securing with Software Restriction Policies and LUA.
    tlu's tutorials (which are worthy of publication, in my view) should be considered by all.

    I will quote again from the interview,

    Of course, even this will not protect against the topic of discussion, where the user agrees to download and run the setup.exe which installs the adware.


    ----
    rich
     
  15. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,353
    Location:
    U.S.A.
    Rmus, you are correct, I was speaking after the user has clicked on whatever it's presented on screen, enticing that person to go beyond. The usage of the word infiltration is due to my ex-military background and I should be more careful not to paint things in such dire terms.

    You are absolutely dead-on when you state user stupidity being the main reason why PCs get infected. I have clients who, no matter what you say to them, will click on an email link, open an attachment, download a screen saver, etc., then come pleading for help when their PCs turn into bricks. Yes, you switch them to Firefox and they still find a way to hurt themselves. You explain and have them try SRPs, LUAs and UACs, but some find them too restrictive and access the Administrator account to bypass it all. Well, I make money off of their misery but these people should not be allowed to own a computer. There ought to be a law against that!

    Mind you, personally, I did not switch browsers because I thought IE was less secure (I'm in the tlu camp: I block everything in the Internet zone but do allow only the most trusted sites in the Trusted zone plus Sandboxie is my friend), I found FF because of the stated problem with IE7. The addition of NoScript and AdBlock Plus add-ons was just icing on the cake and IE Tab allows me not to fire up IE at all. Yes, I know about the IE7 Pro add-on but FF has become a good tool. After IE8 is out for 6 months, I'll give it a look, but FF 3.1 is looking mighty good as well. ;)
     
  16. tlu

    tlu Guest

    Rich, I agree in general. However, it's not only a matter of your OS becoming infected but also about surfing-related risks like password stealing, XSS, clickjacking, Iframe injection etc. If the figures presented here are only roughly realistic, these dangers should not be underestimated. Having said this, blocking any active content by default makes a lot of sense. From my point of view the Firefox extension Noscript is not only the best protection against these threats on the client side (and even unique in many respects) but also the most user-friendly. The zones concept in IE is simply unusable. Even if IE isn't a less secure browser compared to Firefox when it comes to security leaks and speed of patching, it lacks usability, since a strategy of blocking everything by default and easily whitelisting only trustworthy sites can hardly be implemented in IE.

    I won't disagree ;) but this doesn't protect against above mentioned surfing-related risks.

    You're exaggerating :oops: but thanks for the praise.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, Thomas.

    This is not entirely connected with the Adware exploit, but does hint at awareness of exploits in general.

    I don't see a break down in that article "70 Of Top 100 Web Sites Spread Malware," of specific risks, such as those you refer to. For example, the article also includes:

    So we don't know what %age of those sites that spread malware have the exploits you mention.

    In XSS exploits I think the biggest concerns for people are sites where they transact business -- especially their financial institutions.

    I assume you mean the non-persistent type of XSS, since to permanently embed an XSS script on a banking or other financial site would be quite a feat indeed. So, a successful exploit requires

    • injection by means of a spoofed link when the user clicks on a link to take her/him to the secure login page. That is certainly a NO-NO and violates what should be a firm policy of only connecting via your own bookmark. This is similar to another in the NO-NO category, that of following links to install an executable file -- most recently illustrated in the fake Obama web sites.

    • a web site that is vulnerable to that type of code injection

    I haven't looked at Clickjacking in a while and I see that not much has been written on it since the disclosure of the vulnerability back in October. I have this in my notes:

    http://ha.ckers.org/blog/20081007/clickjacking-details/
    Nonetheless, this is certainly something to watch for, to see if any exploits develop, and if the Browser vendors are working to plug this weakness. Meanwhile your suggestion of NoScript seems to be the best protection at the moment for those concerned.

    ----
    rich
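    The two conditions Rmus lists for a non-persistent XSS exploit (a spoofed link carrying the payload, and a page that echoes it unescaped) can be shown side by side. The following is an added example written for this thread, not code from the interview or from any poster; the page templates, the `escapeHtml` helper and the sample link to `bank.example` are all constructed here for illustration.

```javascript
// Added example: a reflected (non-persistent) XSS sink beside its hardened form.
// Both render functions build the HTML a site might echo back when it shows the
// visitor's own search term. Names and sample data are constructed for this post.

// HTML-escape a string so it is inert inside element content or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the query parameter is copied straight into the page (condition 2).
function renderVulnerable(query) {
  return `<p>No results for ${query}</p>`;
}

// Hardened: the same template, but the untrusted value is escaped before insertion.
function renderHardened(query) {
  return `<p>No results for ${escapeHtml(query)}</p>`;
}

// Recover the "q" parameter exactly as the browser would after following a link
// (condition 1: the payload arrives inside a URL the user clicked on).
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Detection check: did a script element appear that the template never contained?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample link of the kind a spoofed message might carry.
const SAMPLE_LINK = 'https://bank.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// Run both renderers on the same input and report whether each one would execute it.
function demo(link = SAMPLE_LINK) {
  const q = queryFromUrl(link);
  const vulnerable = renderVulnerable(q);
  const hardened = renderHardened(q);
  return {
    vulnerable,
    hardened,
    vulnerableExecutes: containsScriptTag(vulnerable), // true
    hardenedExecutes: containsScriptTag(hardened),     // false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

    The point of the pair is that the link alone is harmless against the hardened page: removing either of the two conditions defeats the attack, which is why server-side escaping and the user-side "bookmark only" habit are complementary rather than alternatives.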
     
  18. tlu

    tlu Guest

  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I'm just waiting for comments from Harry. Then it will be complete.
    All in all it is pretty scary. A 20k development environment installed on a machine that is compromised. Now all pwned machines need is a text file update. Executables as threads, then threadless, WOW. Sounds like win32 over NT is an issue worse than any browser.

    Thanks Tom and Rich for the added info. Scary stuff.

    P.S. Do you guys sing any country music tunes?
     