55,000 Web sites hacked

Discussion in 'malware problems & news' started by boonie, Aug 25, 2009.

  1. boonie

    boonie Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    238
    From ZDNET:

    55,000 Web sites hacked to serve up malware cocktail

     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The article doesn't mention that the i-frame connects to a site to load a JavaScript file which contains the exploits. This means that the first area of defense is proper configuration of scripts in the browser, to prevent the JavaScript file from executing and running the exploits.

    If you configure JavaScript per site, even if you have scripts enabled for the compromised site with the i-frame, once you are redirected to the site with the .js file, nothing will run.

    The URLs for the exploits are no longer working, but an earlier exploit using the same methods can illustrate the point. Here, the fileslist.js file attempts to load a fake WinAntivirus scanner:

    Code:
    <script src='fileslist.js'></script>
    With JavaScript disabled, nothing happens:

    [screenshot]

    Enabling JavaScript, the fake scanner loads:

    [screenshot]

    Check your browser configurations!

    ----
    rich
     
  3. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Question...

    Would the exploit work if i-frame loading by the browser is disabled, even if JS is on?
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, because disabling inline frames just prevents the content from being displayed in the browser.
    The code in the inline frame will still execute.

    This is easy to test. Here is a .js file I put on my web site:

    [image: frames-js.gif]

    Here is the code I put in a web page to run this .js file using an i-frame:

    Code:
    <iframe src="http://www.urs2.net/rsj/check.js"></iframe>
    With inline frames enabled, the .js file displays in the browser:

    [image: frames-opera1.gif]

    And here is the cached file:

    [image: frames-cache1.gif]


    Now, I'll disable inline frames:

    [screenshot]

    Then I delete the cached file and run the test page again. Opera does not display an inline frame:

    [image: frames-opera2.gif]

    However, the .js file did indeed cache again:

    [image: frames-cache2.gif]

    Re-enabling frames at this point displays the contents of the cached .js file as before.

    Many SQL injected pages use an inline frame to redirect the victim to a server which contains a .js file with the malicious code to download malware.

    EDIT: this is the behavior in Opera. I've not tested with other browsers.

    ----
    rich
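    The chain that the two posts above describe (compromised page, injected i-frame, a second host that serves the .js with the exploit) can be traced mechanically. The following is an added example written for this page, not code from the thread or from Rich's test site: a small Node.js script, with no dependencies, that scans a page's HTML for i-frames, flags the ones styled so the visitor never sees them, resolves the script the framed document pulls in, and then applies a per-site script allowlist of the kind Opera's site preferences or NoScript provide. The page markup, the hostnames (`www.shop-victim.example`, `js.attacker-host.invalid`) and the offline "fetch" are all constructed for the demo; the only thing taken from the thread is the `<script src='fileslist.js'>` line.

```javascript
// Added example (not from the thread): trace the injected <iframe> -> external .js
// chain on constructed documents and apply a per-site script allowlist.
// Runs under Node.js (v14+) with no dependencies. Hostnames below are made up.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const SCRIPT_RE = /<script\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute text of one tag into a lower-cased key/value object.
function parseAttrs(attrText) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// An iframe the visitor is not meant to notice: a 0/1-pixel box or hidden via style.
function isHiddenFrame(attrs) {
  const tiny = (v) => v !== undefined && parseInt(v, 10) <= 1;
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  return tiny(attrs.width) || tiny(attrs.height) ||
         style.includes("display:none") || style.includes("visibility:hidden");
}

// Every iframe in `html`, with its absolute src and whether it is hidden.
function findIframes(html, pageUrl) {
  const out = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;
    out.push({ src: new URL(attrs.src, pageUrl).href, hidden: isHiddenFrame(attrs) });
  }
  return out;
}

// Absolute URLs of every <script src=...> in `html` (relative srcs resolved
// against the document that contains them, as a browser would).
function findScriptSrcs(html, pageUrl) {
  const out = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = parseAttrs(m[1]);
    if (attrs.src) out.push(new URL(attrs.src, pageUrl).href);
  }
  return out;
}

// Per-site script policy: a script runs only if the host serving it is allowed.
function scriptWouldRun(scriptUrl, allowedHosts) {
  return allowedHosts.has(new URL(scriptUrl).hostname);
}

// Follow page -> iframe(s) -> the framed document's external scripts.
// `fetchHtml` is injected so the demo runs offline on constructed documents.
function traceChain(pageUrl, pageHtml, fetchHtml, allowedHosts) {
  const findings = [];
  for (const frame of findIframes(pageHtml, pageUrl)) {
    // The framed document is requested regardless of whether the browser
    // will render it (the Opera observation in the post above).
    const frameHtml = fetchHtml(frame.src);
    if (frameHtml === undefined) continue;
    for (const js of findScriptSrcs(frameHtml, frame.src)) {
      findings.push({ iframe: frame.src, hiddenFrame: frame.hidden,
                      script: js, runs: scriptWouldRun(js, allowedHosts) });
    }
  }
  return findings;
}

// --- constructed sample documents (not real sites) ---------------------------
const VICTIM_URL = "http://www.shop-victim.example/products.asp";
const VICTIM_HTML = `<html><body><h1>Products</h1>
<script src="/js/cart.js"></script>
<iframe src="http://js.attacker-host.invalid/in.php" width="0" height="0"
 style="visibility: hidden"></iframe>
</body></html>`;
const REDIRECT_HTML = `<html><body><script src='fileslist.js'></script></body></html>`;

const DOCS = { "http://js.attacker-host.invalid/in.php": REDIRECT_HTML };
const offlineFetch = (url) => DOCS[url];

// The visitor has scripts enabled for the shop only (per-site configuration),
// so the shop's own cart.js runs but fileslist.js from the second host does not.
function demo() {
  const allowed = new Set(["www.shop-victim.example"]);
  return traceChain(VICTIM_URL, VICTIM_HTML, offlineFetch, allowed);
}

for (const f of demo()) console.log(f);
```

    The single finding the demo returns is the hidden zero-size i-frame to `js.attacker-host.invalid`, resolving to `http://js.attacker-host.invalid/fileslist.js`, with `runs: false` because that host is not on the allowlist even though the compromised shop is. Swap the allowlist for one containing the second host (or for a global "enable JavaScript") and `runs` becomes `true`, which is the situation the original article's victims were in.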
     
  5. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Ahh, thanks for the clarification. Currently using Opera as well, and I do have i-frames disabled but JS enabled, although under the protection of Sandboxie with run and internet access restrictions.

    Another question if I may...

    Can such exploits circumvent default-deny SRP + LUA mechanisms?
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In the exploits I've seen, any security product with default-deny execution protection will block the exploit from running any malware. That would include SRP.

    Several users have tested SRP for me on a number of occasions. Here is one example I included with a SQL injection exploit from last year:

    http://www.urs2.net/rsj/computing/tests/sql

    ----
    rich
     
  7. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    So even if users have JavaScript on in their browsers, the browser may still cache the exploit or malware, but it will be benign since SRP blocks it from running. :thumb:

    Thanks again for the valuable insight Rich :)
     
  8. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Some sites now have a Java app install their own toolbar, even in Firefox, when you connect to certain web sites, without your permission.
     
  9. Aberrant

    Aberrant Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    5
    Location:
    Downunder
    How effective is the NoScript extension for Firefox against this exploit?

    What I tend to do is just disable all scripts from running, unless the site is trustworthy, such as Microsoft, then I would allow it.

    If anyone is that paranoid, you could always disable JavaScript from running via the about:config settings of Firefox, and simply settle for text. :D

    Interesting thread. Cheers for the info. :thumb:
     