A New Era of Internet Threats

Thanks Ronjor,

Good article.

Is there anywhere I can learn more about these SSL vulnerabilites and how to protect against them?
It explained a little bit here, but could Proxomitron be set up to do something similar?

 

Ronjor,

I just found a helpful post by Paranoid2000 on The dangers of HTTPS. It also answers the question about Proxomitron: yes it can filter HTTPS with a special plugin.

The SurfinGuard Pro looks interesting, kind of like a combo of SSM and Proxomitron? But I wonder, since it is external to the browser, is it able to see into the encrypted HTTPS?

 

Thanks for the link Ronjor.

Nice tests. I saw no real difference between the SSL and non-SSL tests in practice though. The exploits that work in SSL work just as well non-SSL.
I tried them all with both FF 0.92 (will upgrade soon) and IE6.
This was with no Proxomitron or other prefiltering.
FF fared better even with tight IE settings.
The scrap object demo was pretty sneaky, but I was alerted by both Wormguard and Word.
One interesting thing is that IE allows you to disable downloads (thwarting the direct download test) while FF does not.

 

On the article..

Itzy Sabo from Finjan Software is trying to sell you a bill of goods with these comments and the scare tactics Jack M. Germain entertwined in his article with some of these statements.


"The Scob worm is the first attack in which hackers use a mix of mobile application techniques -- including VBScript, JavaScript and ActiveX -- to create a blended Web-based attack that can manifest across standard Web protocols like HTTP.

The attack is based on the execution of a series of mobile code scripts that infect Web servers and spread by way of users who visit those servers. Visitors to the Web site unknowingly download the Scob virus and thus participate in the propagation.
This is a very complex attack that none of the traditional security products were easily able to detect and combat. The virus operated as a VBScript utility, which targeted Microsoft IIS servers and appends a malicious JavaScript to Web pages in the compromised Web server"

And then the solution they both present..

In fact it is all lazy webmaster who did not take advantage of the fix on their side which was availble 3 months prior..and then users who did not have their system locked down using IE>



Microsoft Security Bulletin MS04-025
http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx


On June 24, 2004, a flaw in Microsoft IIS servers led to compromised webservers that redirected visitors to a malicious website hosted in Russia. That site exploited additional flaws in Internet Explorer to force downloads of Trojans onto the hijacked visitor's system. The malware residing on the impacted IIS servers was dubbed Download.Ject, JS.Scob.Trojan, JS.Toofeer, and the Scob Trojan depending on the antivirus vendor.

The Trojan downloaded after visitors were redirected to the Russian website has been identified as BackDoor-AXJ.dll by antivirus vendor Network Associates and Padodor.W by antivirus vendor F-Secure. According to Network Associates, the Trojan provides remote access to the infected system, creates a web proxy, and can automatically download other malicious files. According to F-Secure, the Trojan is used to steal passwords and credit card numbers from infected systems.

Microsoft released a patch for the IIS vulnerabilities in April 2004. The patch, MS04-011, would have prevented the webservers from being penetrated. Without it, the attackers were able to append exploit code to various files on the webserver. That code then forced users to another site exploiting MS04-013, a flaw that has routinely been used to deliver Trojans via email links that lead to booby-trapped websites. (See Scam emails deliver Trojaned goods). A second, as yet unpatched, flaw in Internet Explorer was also exploited in the Scob attacks.

Though the Scob attacks received widespread media attention, they were quite short-lived. The Russian site dishing up the Trojan was shutdown on the same date - June 24, 2004 - the attacks began. However, similar attacks via email remain quite prevalent. The websites used in those attacks vary. Similar to a phishing scam, the miscreant email attempts to lure the user into visiting a particular site. Unlike a phishing scam, however, instead of soliciting financial details, the site surreptitiously infects the visitor's system with Trojans used for remote-access, keylogging, or downloading further malicious files.


Research analysis firm Gartner says although Internet-based code attack, called Scob or Tropher, that exploits unpatched security flaws in Microsoft's Internet Explorer has been dealt with, "copycat" attacks are highly likely, according to a recent report posted on the company's website.

The firm has recommended users make more investments to protect themselves against virus attacks and give themselves more time to patch and update their systems.

Referring to the latest Scob attack, the firm said "many enterprises have already implemented technologies for Web filtering and content monitoring that can help protect against such attacks."

Scob is a three-stage attack: The user visits a website that has either been defaced with malicious code or established to infect systems; a malicious script on the site is executed, infecting the user's PC and downloading exploit code; finally, the code on the infected system sends information to an external site.

The original sites hosting Scob have been shut down, but "copycat" attacks - including spam and phishing attacks - are highly likely, it says.

Web and content filters can help with such attacks, but they remain reactive and often require that blacklists be developed after a malicious site is detected. "Proactive detection and filtering of potentially malicious code offers a better defence against Scob-type attacks, as well as other spyware and malware threats," says the research. Gartner also recommends filtering vendors expand these capabilities in their products as soon as possible.

Also, it advises users to:




Use installed Web filtering applications to block known infected sites and sources of malicious code.

Block scripting code at the gateway until Microsoft releases a patch for the Internet Explorer flaws.

Filter Internet Traffic to Stop 'Scob Copycat' Attacks

http://www4.gartner.com/DisplayDocument?doc_cd=121672



Harden Your Windows Servers Against Internet Explorer Flaw


http://www4.gartner.com/DisplayDocument?doc_cd=121587

Qwik-Fix™ provides another layer of essential security

http://www.qwik-fix.net/



c't-IEController 2.0
http://www.heise.de/ct/ftp/projekte/iecontroller/

'Zero-Day' Internet Explorer Flaw Detected

http://www.eeye.com/html/research/alerts/AL20040610.html


Prevention:
Disable Active Scripting, except for trusted web sites. Alternative browsers such as Mozilla, Opera or Netscape are not subject to this attack.

Additionally, as a public service to the network security community, eEye Digital Security has developed utilities to assist with the remediation of the flaws these attacks are leveraging. To download these tools please visit:

http://www.eeye.com/html/research/tools/IESecurityRegFixer.zip

Update: These issues have now been updated by Microsoft and a patch is available.


So who has active scripting enabled ??