How to block Auto-Download?

Discussion in 'other security issues & news' started by aigle, Mar 18, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    There are some sites where, if you visit them, you can get some auto-downloads without any action by you (there is some special term for it; I don't remember it currently!!). As far as I know you can tweak IE settings to block this phenomenon. I want to know how to do it. (A product, Hitman Pro, does it automatically, but I don't want to install it and would like to do it manually.)
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Do you have a particular link where Hitman Pro is doing this automatically ?
     
  3. metallicakid15

    metallicakid15 Registered Member

    Joined:
    Dec 6, 2005
    Posts:
    454
  4. spindoctor

    spindoctor Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    83
  5. crackman

    crackman Registered Member

    Joined:
    Jul 6, 2005
    Posts:
    24
    Location:
    Southern California
    I noticed that someone has posted just as I prepare this reply. Follow the link; it covers "Drive-By Download" countermeasures soon to be seen in Internet Explorer 7.

    You mentioned "IE settings" and thus presumably want IE preventative measures. I can speak only for IE6 within Windows XP/SP2; some SP2 features do not exist in earlier, more-vulnerable versions. Tell you in advance, someone will post saying, "Switch to Firefox." That having been said, this IE user will say, "Not necessary in this day and age." Browser wars are fought elsewhere in this forum; for an example, see https://www.wilderssecurity.com/showthread.php?t=122606 .

    Your single best preventative measures, regardless of browser, are to keep your software up to date and to surf the Internet as a Limited User. The former neutralizes known exploits; the latter minimizes the damage. Vulnerabilities in Microsoft's Java VM, malformed URL links, and buffer overflows have been used in the past to trigger exploits; these get patched when discovered. Outside of an actual exploit, Internet Explorer is subject to drive-by ActiveX downloads only if you have the settings "Download signed ActiveX controls" and/or "Download unsigned ActiveX controls" enabled. Needless to say, these settings are not recommended. Common-sense settings for ActiveX are, in order of the TOOLS - INTERNET SETTINGS - SECURITY menu:

    Automatic prompting for ActiveX controls: Disable
    Binary and script behaviors (fairly benign): Enable
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disable
    Initialize and script ActiveX controls not marked as safe: Disable
    Run ActiveX controls and plug-ins: Enable or Admin-Approved
    Script ActiveX controls marked safe for scripting: Enable
    Automatic prompting for file downloads: Disable

    "Run ActiveX controls and plug-ins" is the "master switch" for all other ActiveX activity; if disabled, nothing else matters. If your computer is clean, installed ActiveX controls that are marked safe for initialization and scripting are generally safe; however, an Admin-Approved list amounts to a "whitelist" that will prevent other controls from being downloaded and installed. Trouble is, if you do want a new control, you will need to change this setting or move the Internet site that offers the control into your Trusted Zone. You will need to do a bit of research to find out just what you might want. It can be as simple as Flash, Adobe Reader, and perhaps a media player, or it can be quite large. I have about 30 items in my somewhat permissive, but (I feel) safe list. Note that if you have certain controls that you want just trusted sites to use, then move those sites to the Trusted Zone. As an example, my antivirus provider has several ActiveX controls that I don't want to be exposed to the general public (see http://secunia.com/advisories/18169/ for a reason why). They are a trusted user and thus run in that zone. Their controls are not in the Admin list.

    Another nearly-silent drive-by method, requiring just a mouse click, involves the "Execute-by Hyperlink" capability that is documented at http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q232077 . Be certain that the setting "Launching programs and files in an IFRAME" is disabled or prompted.

    CrackMan
    XP/SP2; IE6/SP2; fully-patched
     
    Last edited: Mar 18, 2006
  6. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi

    As well as playing with IE's settings to prevent drive-by ActiveX installs, you can also employ an ActiveX block list. This will add a large list of entries to the registry of programs that aren't allowed to install on your computer, and should they try, they will automatically be rejected.

    You could also install IE-SPYAD. This will further enhance your security by adding a large list of bad sites to IE's Restricted zone, preventing them from misbehaving on your system.
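    The "block list" Bethrezen refers to works by setting IE's per-control "kill bit" in the registry. The following PowerShell is an added example, not code from the thread or from any of the block-list packages mentioned; it audits which controls are currently blocked and can set the bit for one CLSID. The key location and the 0x400 flag follow Microsoft's documented kill-bit mechanism (KB 240797); the sample CLSID is the Java Plug-in redirector control quoted later in this thread and is used here only as a lookup example, not as something that should be blocked.

```powershell
# Added example (not from the thread): inspect and set IE's ActiveX "kill bit".
# Key location and flag value follow Microsoft KB 240797. On 64-bit Windows the 32-bit
# IE also consults the Wow6432Node mirror of this key, which this example does not touch.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # bit in "Compatibility Flags" that stops IE from loading the control

function Test-ActiveXKillBit {
    # Returns $true if the given CLSID currently has the kill bit set.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]([int]$flags -band $KillBitFlag)
}

function Get-ActiveXKillBitList {
    # Enumerates every CLSID with the kill bit set, i.e. the machine's effective block list.
    Get-ChildItem -Path $KillBitRoot -ErrorAction SilentlyContinue |
        Where-Object { ([int](Get-ItemProperty $_.PSPath).'Compatibility Flags' -band $KillBitFlag) -ne 0 } |
        ForEach-Object { $_.PSChildName }
}

function Set-ActiveXKillBit {
    # Sets the kill bit for one CLSID (needs an elevated prompt); -WhatIf previews the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if ($PSCmdlet.ShouldProcess($key, 'set Compatibility Flags kill bit')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = [int](Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($existing -bor $KillBitFlag) -Type DWord
    }
}

# Sample CLSID taken from CrackMan's later post (Java Plug-in redirector control), lookup only.
$SampleClsid = '{08B0E5C0-4FCB-11CF-AAA5-00401C608501}'
"Kill bit set for $SampleClsid : $(Test-ActiveXKillBit $SampleClsid)"
"Controls currently blocked: $((Get-ActiveXKillBitList | Measure-Object).Count)"
# Set-ActiveXKillBit -Clsid $SampleClsid -WhatIf   # preview only; do not run against a control you rely on
```

    Run the audit as a normal user; only Set-ActiveXKillBit needs an administrator prompt. Comparing the output of Get-ActiveXKillBitList before and after installing a block-list package is a quick way to see exactly what it changed.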
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    The link is there in post 3. Thanks metallicaKid.
     
  9. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    I don't get a drive-by download when going to that official site. o_O
    You still need to download Hitman Pro by pressing the button. :)
     
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That is indeed a link to Hitman Pro but the question was do you have a link to "where Hitman Pro is doing this automatically".

    If I place Internet Explorer to Low....no code on that page causes a plugin to download and install Hitman Pro :doubt:
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Originally Posted by spindoctor
    Do you mean a drive-by download?
    While browser security is helpful, it's been demonstrated too many times that one needs something behind the browser to catch the unexpected. With the various HIPS and anti-execution products available today, there is no need for one to be vulnerable to a drive-by download.

    Driveby download example
     
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Correct me if I am wrong, but the unexpected you are attempting to show would have been a non-issue if Active Scripting in IE was disabled?
     
  13. crackman

    crackman Registered Member

    Joined:
    Jul 6, 2005
    Posts:
    24
    Location:
    Southern California
    Appears so, but the same link can be followed via an obfuscated Close button in a popup, many of which have the entire window be the link.

    HIPS and anti-execution software will indeed make one safer. I guess the questions are those that I have seen bandied about repeatedly: How much is enough, and at what cost to performance and compatibility? Antivirus programs have a tough enough time fitting into every system.

    The vast majority of spyware installations occur with the aid of a different kind of exploit -- mainly, "social engineering". This leverages user laziness, inattention, complicity, naïveté, or sometimes, sorry to say, outright stupidity into a download or hijack. The best defenses are inborn (a healthy suspicion) and acquired (via education). I'm just another of the millions of Windows users lacking extra time and desire to fortify my system against every conceivable attack. Antivirus, firewall, and somewhat tighter than "medium" security, along with being a Limited User, are this machine's main defenses. SpywareBlaster is a just-in-case extra along with Spybot/Adaware for passive end-of-day scans. Past computers have been less secure. But just Klez (inattentive e-mail click) and some harmless DOS beast in the early 90's (was it called "Boing" or something like that?) are the acquired ailments over many years. XP/SP2 and antivirus have blocked a few others.

    Much of the "unexpected" these days comes in the form of buffer overflows, leveraging programmer laziness, inattention, etc., into a download or hijack. Virtually all of these attacks come from the "slums" of the Internet. Yes, a few of them are visited via clicking "dead ends" on Google, but most of the visitors to the slums go there voluntarily. Like those who travel to the third world, they are more likely to pick up exotic ailments. Antivirus companies are much better than American doctors; they have "antibodies" (signature file updates) with a day or two. Microsoft takes more time, but they are relatively quick to fix the OS, compared to the old days.

    What is being discussed, and done, with HIPS is great and should continue. But don't expect quick public acceptance; this stuff is too "techie" for your average user.

    CrackMan
    XP/SP2; IE6/SP2; McAfee VirusScan 10 & Firewall

    P.S. Visited the link hxxp: //certified-safe-downloads.com/adserver/RegClean_W0.exe shown at the referenced drive-by example. XP won't allow direct execution. While I didn't click the RUN option, I know that XP will require unblocking the file before it can be executed. Two fences to jump.
     
    Last edited by a moderator: Mar 18, 2006
  14. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Rmus exaggerates. He's talking about buffer overflows and whatnot.

    I mean we guys here are hyper sensitive about such things so it seems like there are a lot. But really there isn't.

    But even then, truly potent exploits that attack patched browsers and allow autodownloads without user interaction are extremely rare, as Crackman points out. And if you use Firefox or Opera this is even less likely.

    TNT I think even claims that he went looking for malware with unpatched IE and couldn't find any. ;)
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, that is true.
     
  16. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    About turning off active scripting in IE and protection from unexpected events..

    That's not entirely true.....
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, I'll retract that since I didn't test myself - a friend looked at the script and said with Active scripting disabled, it would not have run.

    edit: correct terminology
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan

    I think there is a bit of confusion regarding my post. I said in my first post,

    As far as I know you can tweak IE settings to block this phenomenon. I want to know how to do it. (A product, Hitman Pro, does it automatically, but I don't want to install it and would like to do it manually.)

    I don't mean that Hitman Pro is causing drive-by downloads. All I mean is that Hitman changes your IE/system settings etc. to block drive-by downloads so you are protected against this. (When I run Hitman, after scanning it showed a message saying something like "....disabling drive-by downloads..."). That was the reason that made me think that there must be some system settings that Hitman is changing to do this job, and I wanted to do it manually instead of installing Hitman (I have uninstalled it now).

    I hope I am able to clear my point.
     
  19. crackman

    crackman Registered Member

    Joined:
    Jul 6, 2005
    Posts:
    24
    Location:
    Southern California
    D.A. is correct here. Not quite true indeed, although Active Scripting is the major catalyst behind the trickery employed in drive-by downloads. Even without any active content via script, ActiveX, Java, or Binary Behaviors, a newly-discovered buffer-overflow exploit can do damage. This is true regardless of browser. The stack does not respect Firefox, and Firefox has had buffer issues in the past.

    Note that it is possible to run ActiveX controls without scripting simply by using an <OBJECT> tag, although of course one can only initialize the control, not script it. Many instances of Flash simply load the SWF file via an <OBJECT> tag. For an example of a web page employing Flash without any script on the page, see the jobseeker site http://www.volt.com.

    You can also run a binary behavior without script, although in general, outside of such things as ClientCaps, not much functionality can be realized. The built-in binary behaviors are themselves safe; the only exploit that I remember was the one involving anchorClick, drag-and-drop, and a very gullible user to inject files into the Local machine Zone; that was patched long ago. Behaviors are semi-independent of ActiveX, but their download rules are the same (no need to worry about drive-by Behavior downloads). Note the following examples from my various notes:

    • An Analog Clock using VML with scripting of the VML control. The clock runs even with ActiveX disabled, although that will give an ActiveX warning because the Microsoft Scriptlet Component will be disabled. And it does not need "Script ActiveX" permission (1405) to script VML (the VML control -- yes, it is also possible to instantiate it as ActiveX -- is marked safe for initialization and scripting). http://webfx.eae.net/dhtml/VMLClock/clock.html

    Finally, the <APPLET> tag will run without ActiveX being enabled (i.e., with "Run ActiveX controls and plug-ins" disabled) if Java itself is enabled. The Java Plug-in 1.5.0_05 redirector control {08B0E5C0-4FCB-11CF-AAA5-00401C608501} is executed under these circumstances.

    Still, I feel that Active Scripting has the greatest potential for mischief because of the virtual infinity of possibilities that it presents. By enabling script, you give the world a chance to play programmer on your machine. Unfortunately, virtually every site in the world uses it since script is what gives DHTML its power. Nobody wants to go back to the 90's and the bland, static pages characteristic of that era. By comparison to scripting, installed ActiveX controls and Binary Behaviors on your machine are fixed in function and do a predefined set of tasks. Downloaded ones, of course, are a different animal; that's why one should download only from trusted sources.

    CrackMan
    XP/SP2; IE6/SP2; McAfee VirusScan 10 & Firewall
     
  20. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    CrackMan

    Hi,

    Nice details etc.

    I went to all those links you listed, and nothing happened !

    I'm using IE with amongst other things, ActiveX/Scripting/Java disabled.


    StevieO
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I understand what you are saying, but in my original post I was referring to this specific script:

    _________________________________________________
    script sClickUrl = 'hxxp:/ /certified-safe-downloads.com/adserver/RegClean_W0.exe
    sTrackingUrl = 'hxxp: / /certified-safe-downloads.com/
    _________________________________________________

    After Bubba's comment in post #12, I phoned a friend to look at it and she said that if scripting were turned off, then it would not run.

    After DA's comment in post #16, I retracted my statement since I did not test myself, and no longer have the original page with this script that connected to the download site.

    The point I made in my first post is that no matter how safe we may feel with our browser security, there is something waiting to find another vulnerability, as has been repeatedly demonstrated with the various recent zero-day exploits, and that it's wise to have other security measures in place.

    eg:

    New Zero Day IE Exploit In The Wild
     
    Last edited: Mar 19, 2006
  22. crackman

    crackman Registered Member

    Joined:
    Jul 6, 2005
    Posts:
    24
    Location:
    Southern California
    Sorry, there was no intent to say someone was right or wrong; it's easy to lose someone's present stance in a long thread of cryptic posts. My point in the entire article was that active content can run without having Active Scripting enabled or even existing, and you can run Binary Behaviors -- a kind of ActiveX -- without having ActiveX enabled. If there is bad active content other than script (i.e., bad ActiveX, Binary Behaviors, or Java VM), then bad results can occur.

    Yes, thanks for pointing that out. Incidentally, my antivirus provider already has a signature for it. Various posts that I have read here and elsewhere say antivirus isn't necessary, but this threat was neutralized by McAfee before I ever heard of it.

    Well, nothing will happen with all these disabled. Starting from a baseline of having all active content disabled (i.e., no Active Scripting, no ActiveX, no Binary/Script Behaviors, and no Java), you will need to enable the following for the referenced web pages. Registry value names are provided if you find hacking that to be simpler; 0 = enable; 3 = disable; be sure to revert to disabled after each test. You also need to launch a new instance of IE for each test. Don't do the CTRL-N trick for each test; it "remembers" Registry settings for each window, and thus any "on-the-fly" changes will not take effect in that window or group of windows belonging to the single instance of IE. Launch from your QuickLaunch button or Start menu and then copy the shortcut to the Address Bar:

    http://www.volt.com/ - Run ActiveX controls and plug-ins - 1200
    http://msdn.microsoft.com/workshop/samples/author/behaviors/timespline_7.htm - Binary Behaviors - 2000
    http://msdn.microsoft.com/workshop/samples/author/behaviors/testspline_6.htm - Active Scripting & Binary Behaviors - 1400/2000
    http://webfx.eae.net/dhtml/VMLClock/clock.html - Active Scripting & Binary Behaviors - 1400/2000

    One can indeed be more secure by disabling active content, but then one cannot experience much on the Internet. I went through a long spell of attempting to surf with all active content disabled, then went through a brief period of wading through endless "Do you want..." questions by using the PROMPT option for the Active Scripting and ActiveX Run/Script settings. I even considered e-mailing various webmasters with the (justified) complaint that script was overused in their pages. Then I looked back at my aforementioned virus history (two in 15 years), evaluated my acquired knowledge over that period (all three micrograms of it), reviewed the purpose and options of various security features and packages, and then decided that I don't need to live in a fenced security compound if I am not living in the slums. There are better things to do with my 24 hours in a day than check out every possible site for malicious intent. This statement is not directed toward any individual in this forum, but rather toward the heightened sense of security that seems to prevail among those who know what a hijacking could do. I repeat and condense what I said earlier, "The vast majority of spyware installations occur with the aid [of the user]."

    I do use a bit of a non-standard security setup with a whitelist/graylist/blacklist concept. Standard IE "Medium" security is a little too loose. But the "graylist" (default internet) does have Active Scripting, a limited set of ActiveX and Binary Behaviors, and Sun Java. Most errors that I see are, surprisingly, due to the fact that hoi polloi do not have cookies. That seems to break some pages, for reasons that I generally don't bother to debug. If the site is trustworthy, I whitelist it.

    CrackMan
    XP/SP2; IE6/SP2; McAfee VirusScan 10 & Firewall
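    CrackMan's recommended settings in post 5 and the registry value names he gives in this post (1200, 1400, 2000, and 1405 earlier) describe the same per-zone registry key. The PowerShell below is an added example, not code from the thread, that audits the Internet zone against that list and can apply it. The value names beyond the four quoted in the thread (1001, 1004, 1201, 1804, 2200, 2201) and the Admin-approved encoding (0x10000) come from Microsoft's published zone-settings list (KB 182569) as I know it; confirm them against your IE version before relying on them. It reads the per-user key; if the "Security_HKLM_only" policy is in force the HKLM copy of the key governs instead, which this example does not handle.

```powershell
# Added example (not from the thread): audit and set IE Internet-zone ActiveX/scripting
# settings. Zone 3 = Internet. Data: 0 = Enable, 1 = Prompt, 3 = Disable,
# 65536 (0x10000) = Administrator approved (only meaningful for 1200).
# Value names other than 1200/1400/2000/1405 are taken from Microsoft KB 182569 (assumption).

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended data following the list in post 5 (Prompt for signed ActiveX, Disable the rest,
# Enable run/script for installed controls and behaviors, Disable automatic prompting).
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                         Want = 0 }  # 65536 = Admin-approved also acceptable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1400' = @{ Name = 'Active scripting';                                          Want = 0 }
    '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting';         Want = 0 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 3 }
    '2000' = @{ Name = 'Binary and script behaviors';                               Want = 0 }
    '2200' = @{ Name = 'Automatic prompting for file downloads';                    Want = 3 }
    '2201' = @{ Name = 'Automatic prompting for ActiveX controls';                  Want = 3 }
}

function ConvertTo-ZoneState([int]$Value) {
    # Translates the numeric data into the label shown in the Internet Options dialog.
    switch ($Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        65536   { 'Admin-approved' }
        default { "Unknown($Value)" }
    }
}

function Get-IeZoneAudit {
    # Returns one object per setting: current state, recommended state, and whether they match.
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($id in $Recommended.Keys) {
        $current = $props.$id
        if ($null -eq $current) { $state = 'not set' } else { $state = ConvertTo-ZoneState $current }
        $ok = ($current -eq $Recommended[$id].Want) -or ($id -eq '1200' -and $current -eq 65536)
        [pscustomobject]@{
            Id      = $id
            Setting = $Recommended[$id].Name
            Current = $state
            Wanted  = ConvertTo-ZoneState $Recommended[$id].Want
            Ok      = $ok
        }
    }
}

function Set-IeZoneRecommended {
    # Writes the recommended data; -WhatIf previews without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($id in $Recommended.Keys) {
        $want = $Recommended[$id].Want
        if ($PSCmdlet.ShouldProcess("$ZoneKey\$id ($($Recommended[$id].Name))", "set to $want")) {
            Set-ItemProperty -Path $ZoneKey -Name $id -Value $want -Type DWord
        }
    }
}

Get-IeZoneAudit | Format-Table -AutoSize
# Set-IeZoneRecommended -WhatIf   # preview; drop -WhatIf to apply, then open a new IE instance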
     
  23. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Of course, this one is one of those things that currently only does DoS, that people are trying to change into a remote code execution thingie; it might not actually pan out, as several in the past haven't either.

    Not particularly relevant in the context of this thread of course.

    Zero days of all sorts are found daily, and most are not too dangerous.

    Ditto. :)

    And also this.

    Yes

    But remember, as always, there is a big difference between saying something is possible and saying it is likely enough to worry and obsess about it. That, if anything, has always been, I felt, a major problem with many inhabitants of this forum.

    For all intents and purposes turning off Java, ActiveX and Active Scripting will be sufficient, barring the rare buffer overflow attacks that actually amount to anything.

    In particular for the security freaks, they will probably read about such attacks before your AV actually gets a semi working patch working anyway :)
     