Ten-fold rise in malicious ads bedevils publishers, consumers

.....that raises the question.....could RSS Feeds be an possible breach in security?

As RSS Feeds communication with the Browser are next to impossible to disable completely.


HKEY1952

 

This should make it perfectly clear that the "common sense" approach, eg "don't visiting questionable sites" is no longer sufficient.

 

i think the common sense approach these days should be to have your browser sandboxed and not install the malware yourself.
an AV, either real-time or on-demand is a must.

of course, the Joe and Jane Average of this world will have to be babysitted to be secure.

 

Malvertisements haven't been seen too much in the news for a while, and it seems they have really proliferated!

For those who don't know how malvertisements specifically work, the article mentions two things worth looking at further.

1) Blackhole Exploit Kit

REFERENCES

malvertisement (malicious advertisement or malvertising)
http://searchsecurity.techtarget.co...ement-malicious-advertisement-or-malvertising

Malvertising: The Use of Malicious Ads to Install Malware
https://www.infosecisland.com/blogv...-Use-of-Malicious-Ads-to-Install-Malware.html

___________________________________________________________________________________________​

2) Security Sphere 2012 [fake security program]

Again, from the article:

REFERENCES

Malvertising lifecycle case study 1--OpenX compromise on speedtest.net, spreading Security Sphere 2012 fake antivirus
http://blog.armorize.com/2011/10/malvertising-lifecycle-case-study-openx.html

speedtest.net spreading Security Sphere 2012
https://www.wilderssecurity.com/showthread.php?t=309608

Security Sphere 2012 Attack on Popular Torrent Site
http://news.yahoo.com/security-sphere-2012-attack-popular-torrent-160500397.html

Scareware Spread From Popular Torrent Site via 'Malvertizing'
http://www.pcworld.com/article/2420...om_popular_torrent_site_via_malvertizing.html

Malvertisements also use social engineering tricks.

REFERENCE

What is Security Sphere 2012?
http://www.2-viruses.com/remove-security-sphere-2012

Finally, preventative measures advice:

REFERENCES

Security Sphere 2012 - Sneaky Malware That Rips Users Off
http://www.212articles.com/security-sphere-2012-sneaky-malware-that-rips-users-off/

malvertisement (malicious advertisement or malvertising)
http://searchsecurity.techtarget.co...ement-malicious-advertisement-or-malvertising

----
rich

 

That is becoming a royal pain in itself, especially when they're Facebook addicts. I've got a PC sitting here that I've cleaned before that I'm not looking forward to, black screened.

Which most users will find completely unacceptable.

 

White-listing applications isn't that big of a deal, if you can find something that can do it without a lot of convoluted setup. If you're like me, you don't have all the security policy stuff that higher versions of Windows gives you. Therefore, you have to rely on 3rd party methods...which includes HIPS...that is far too difficult to deal with for most people, things like Anti-Executable...which is 50 freaking bucks, and so on.

Being able to say that only the installed programs you have right now on your disk can run, is a great boon to security...if you follow it through. The problem is, most programs also want you to white list the services and half a billion Windows files as well, which kills any average users' interest right on the spot.

Of course, you also still have to deal with those approved apps getting owned..Java and Flash, anyone? I'm not sure such a policy would prevent such things. The closest thing I have seen to such a policy, while maintaining a simple setup/use, is Returnil with its "trust only what is on disk" option.

 

Anti-executable, which you mention, does something similar.

Anti-Executable doesn't care what approved applications do, as long as any executable file they attempt to launch is whitelisted (already on disk).

Thus, for Java.exe which is whitelisted, it can execute its normal functions, but in this exploit triggered from a Blackhole web site, Java.exe is blocked from attempting to launch a non-whitelisted (not already on disk) java archive executable file, jar_cache####.tmp



From what you describe, Returnil's "trust only what is on disk" option would seem to do the same thing.


----
rich

 

Thanks, Rmus So it would prevent malicious takeovers after all. Yes, from what I have read of the newer Returnil versions, that trust option does exactly that. Seeing as that is the case, I'd actually be tempted to recommend Returnil over Sandboxie to some people. I completely believe in and trust Sandboxie, but, with the anti-executable being a mere check-mark away, instead of lots of "Start/Run/Internet" configuring, and the fact that needed files are just as easily saved via the "virtual disk" provided, Returnil seems to be a simpler solution. You also have the benefit of the entire system sandboxed, rather than on an application basis.

 

Is it really sandboxed?

That word is used rather loosely these days.

My understanding of a sandbox is that it contains stuff that has been executed, and can later be disposed of by emptying the sandbox.

Doesn't Returnil's Anti-execution protection prevent the execution of anything not whitelisted?

Correct me if I'm in error. It might be wise to clarify the terminology so that people coming here for information have a clear understanding of how the various products work.


----
rich

 

You're right, actually. I tend to find myself using the terms virtual system and sandbox interchangeably, and they're completely different. I should have stated that Returnil makes a virtual copy of your entire system, where Sandboxie does it on an application. Both default installs of Sandboxie and Returnil allow everything to execute, however, and both can "dump" it all. Of course the method of dumping is different.

In my opinion, Returnil, when used properly and with some thought, has the upper hand both in safety and useability. The reason being that the protection is more thorough and there is really no configuring to be done, outside of setting up the virtual disk. Reboot software is, admittedly, an issue, but both are outstanding tools, and should be used by anyone wishing to "K.I.S.S" security and not be terribly inconvenienced.

 

All sandboxing means is that there are restrictions applied. Virtualization isn't necessary.

 

It's the configuring and setting up that makes a world of difference to most users, though. I don't wish to knock Sandboxie, as I myself use it. But, if handed a really new user who knew nothing of security, let alone tools used, I'd pick Returnil over it. Simply because of ease of use and setup.

 

If I could configure Sandboxie myself for the user I'd prefer it.

 

In computing, a "sandbox" is simply an environment where something can run isolated from the real system. The difference is in where that takes place and how large the fantasy world created needs to be...

With something like SBIE, there are a number of complexities that require it to simulate real responses from the OS to create the environment that allows the program to run in a small, isolated portion of the OS. In the case of RVS/RSS, the "sandbox" is actually the disk where Windows itself is the child in the sandbox rather than the toy in the sandbox and anything it does is pure fantasy until it is released from said sandbox.

Where some confusion comes in, is in the fact that many different technologies can be considered a sandbox which makes it a general term rather than something specific like say describing birds generally and Crows specifically.

Yes, but it depends on the settings level. In the moderate configuration (known services), executables CAN run even if they are not specifically white listed. It is in the most restrictive setting that the executables themselves are blocked from running if unknown.

Please let me know if this makes it clearer...

Mike

 

Either way, if we could manage to convince most people to run either one, it would be of great benefit to all.

@Coldmoon: I neglected to mention there were different anti-executable settings (and forgot myself), thank you I too feel that Sandboxie is more complex to get "perfected", shall we say. For me, it wouldn't make much difference, as I'm used to tinkering with settings. But, for people like my family (who are very much your "average user", Sandboxie and any other security that requires attention, would just end up getting ignored or tossed.

 

Yes, thanks!

Back to the topic of malvertising, it seems there are a number of solutions that would prevent a user from being infected by the remote code execution components of a malvertising attack.

My favorite quote from one of the articles:

----
rich

 

Between blocking ads and having anti-execution in place (along with updated software), I don't see these malicious ads as a threat. Heck, an ad-blocker alone goes a long way towards it. Just another threat easily avoided with some proper care and attending to.

 

Sadly some still wouldn't get it if all the world leaders got in a room together (that would be fun to watch) and beamed the news via satellite, mandating that every newsroom in the world had to broadcast it. I know that sounds a little out there that it's that bad now, but it sure seems to be. Interrupt Facebook, web games/streams and all the other toys that are so hot now, and people have epileptic seizures.

They want vendors to protect them, which is the first problem, and they want that protection whilst staying out of their way, which is the other problem. The only software I know of that does that is a simple, no frills AV..and we all know how those are working out these days.

 

That's where it becomes unacceptable. The average user wants to install games, toys, screen savers, or gets coerced by some offer, voiding the base policy of only installed apps can run. Users who will accept a policy of "only installed apps are allowed" would be happy with Live CDs.

A default-deny policy that includes tight control over parent-child dependencies can prevent the compromised app from installing or launching a malicious executable. As with many things, the amount of integration for convenience of use will determine how effective the attack would be. If all of these are allowed in the browser, and the browser is IE6, it's probably "game over". If the content can be saved and run in its own free standing application, its access to the rest of the system and the internet can be severely restricted, leaving it little chance of properly, if it can run at all. Each user has to decide on the right security/convenience balance for themselves. Definitely not something I can imagine the average user doing or even thinking about.

 

Seamless integration and the "user experience" are being touted as virtues but can end up being portals to all sorts of things.