Interview with an Adware Author

Discussion in 'other security issues & news' started by Pedro, Jan 14, 2009.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    http://philosecurity.org/2009/01/12/interview-with-an-adware-author

    Great interview if you ask me.
     
  2. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Thanks for the link, Pedro. Very good interview.
     
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    Pedro, excellent interview :thumb: especially the question: Can you tell me more about your strategies for persistence? If that section doesn't make people think twice about using IE, nothing will!
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks. It was a good interview.
     
  5. tlu

    tlu Guest

    Indeed. On the other hand even many forum members here (who should be aware of security issues) still use IE. And I guess many of them have ActiveX and BHO's still enabled. Considering this sad fact - why should anyone expect non-members change their habits? :D

    EDIT: A nice comment by Giorgio Maone on IE versus other browsers.
     
    Last edited by a moderator: Jan 15, 2009
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    But note also these:

    I know users of IE who would agree.

    ----
    rich
     
  7. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    tlu, I agree with you that many of our forum members will continue to use IE no matter what, however, indicative of their sigs, most have armed themselves with hardware and software that Joe Public might never use.

    My comment was/is directed at those who visit Wilders seeking knowledge (like I did many years ago) rather than persuading long time forum members. For as long as articles are posted, like Pedro did, there is a chance that we can motivate people to change their ways, even if it is only one person at a time . That's all we can hope for.
     
  8. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    Rmus, yes, it's very clever to use the accessibility.api, found in Adobe Reader, to infiltrate all browsers and most OSes with adware, but I'm glad you brought that up because a conflict with Reader was the main reason why I gave up on IE7 and went to Firefox.

    When IE7 first came out officially, not BETA, in 2006, I had a heck of a time with the browser crashing and so did many others as seen by the frequency of forums' postings in those days (even today, IE7 has crash issues with Adobe's Flash Player 10). Adobe Reader turned out to be the culprit, and with its inability to display a PDF page inside the IE7 browser then, made me look at Wilders for browser alternatives and that's when I discovered Firefox. I reverted back to IE6 and use it sparingly today.

    Will I ever go back to IE? Perhaps. Every thing I read about IE8 piques my interest, however, this time, I won't rush into it.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Please explain how this infiltration takes place.

    Just curious, why you display PDF files inside the browser rather than with the Reader.

    ----
    rich
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What is wrong with that?

    ----
    rich
     
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Alternative browser is a good advice for the average Joe, I install Firefox to all my friends. But people on Wilders can choose browser based on their needs. ;)
     
  12. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    Rmus, that I will not do, sorry. The article offers the gist of it; let's leave it at that.
    Ease of use. I code Web sites and have many programs open, at any given time, while working on projects. Don't need another window bugging me.
    Nothing at all; different strokes for different folks.
     
  13. tlu

    tlu Guest

    Rich, there are several reasons. Some arguments can be found in the link I provided above. Additional arguments are presented here.

    The point is: IE is tightly integrated in Windows. A couple of other system applications (like Help and Desktop) use IE. To make this possible Microsoft extended the abilities of Javascript by creating JScript. JScript is as powerful as VBS: via FileSystemObject it can open or delete files, start applications, communicate with other processes etc. Thus, it's obvious that a security flaw affects very often many other aspects of the OS. Javascript (as used in, e.g, Firefox) is much more limited as it doesn't have a FileSystemObject and therefore no direct access to your local files. And, of course, Firefox (or any other browser) is not used for other system applications - a security flaw consequently won't affect other functionalities of the OS.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Fair enough. I wouldn't want you to reveal any "secrets." I just thought you might clarify what you mean by "infiltration." BHO and Accessibility API were discussed under "Persistence," meaning, as I understand it, what takes place after the user agrees to install the Adware, and are not the initial infection method. Some readers might conclude wrongly.

    Regarding comments about IE: Because of the sensational news reports about IE and Windows, it is assumed that you live dangerously indeed if you use IE, for just opening even to a "legitimate" web site is cause for certain doom...

    I exaggerate, of course, but uninformed readers of this stuff do come away with that impression. In the past year, more analysts and researchers are looking a bit more closely at the statistics and the real world.

    From a recent Windows Secrets Newsletter:
    http://de.trendmicro.com/de/about/news/pr/article/20081216155324.html
    I have confirmed this with a local shop: most victims admit that they downloaded something and didn't realize it was infected.

    Social engineering (a polite way of describing user stupidity) is illustrated most recently by the flash_update.exe exploit,
    where the user is enticed to watch an alluring video:

    koobface.gif

    No browser, nor even operating system, will protect against this type of exploit, as illustrated in this comment in an analysis last year of an update trick which served up the MAC DNS changer exploit:

    Storm, one of the biggest botnets, ensnares its victims with a similar temptation:

    withlove.gif

    Returning to the exploitation of security flaws in products for a moment: the recent 7.7.7.0 Search Engine exploit showed how infection can occur by remote code execution (drive-by download) no matter the browser -- these comments from other forums:

    Later the filename changed to wdmaud.sys.

    This, of course, is not a browser exploit per se, but illustrates how malware authors are becoming more sophisticated in how they target their victims.

    It should be obvious to people that protection should not rely entirely on the browser or applications that may be vulnerable before a patch is released.

    All of the Remote Code Execution Exploits that download malware that I have seen analyzed, have in common what I put in bold above:

    executes first as a Trojan

    What better way to protect than to start with the foundation layer of securing with Software Restriction Policies and LUA.
    tlu's tutorials (which are worthy of publication, in my view) should be considered by all.

    I will quote again from the interview,

    Of course, even this will not protect against the topic of discussion, where the user agrees to download and run the setup.exe which installs the adware.


    ----
    rich
     
  15. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    Rmus, you are correct, I was speaking after the user has clicked on whatever it's presented on screen, enticing that person to go beyond. The usage of the word infiltration is due to my ex-military background and I should be more careful not to paint things in such dire terms.

    You are absolutely dead-on when you state user stupidity being the main reason why PCs get infected. I have clients who, no matter what you say to them, will click on an email link, open an attachment, download a screen saver, etc., then come pleading for help when their PCs turn into bricks. Yes, you switch them to Firefox and they still find a way to hurt themselves. You explain and have them try SRPs, LUAs and UACs, but some find them too restrictive and access the Administrator account to bypass it all. Well, I make money off of their misery but these people should not be allowed to own a computer. There ought to be a law against that!

    Mind you, personally, I did not switch browsers because I thought IE was less secure (I'm in the tlu camp: I block everything in the Internet zone but do allow only the most trusted sites in the Trusted zone plus Sandboxie is my friend), I found FF because of the stated problem with IE7. The addition of NoScript and AdBlock Plus add-ons was just icing on the cake and IE Tab allows me not to fire up IE at all. Yes, I know about the IE7 Pro add-on but FF has become a good tool. After IE8 is out for 6 months, I'll give it a look, but FF 3.1 is looking mighty good as well. ;)
     
  16. tlu

    tlu Guest

    Rich, I agree in general. However, it's not only a matter of your OS becoming infected but also about surfing-related risks like password stealing, XSS, clickjacking, Iframe injection etc. If the figures presented here are only roughly realistic these dangers should not underestimated. Having said this, blocking any active content by default makes a lot of sense. From my point of view the Firefox extension Noscript is not only the best protection against these threats on the client side (and even unique in many respects) but also the most user-friendly. The zones concept in IE is simply unusable. Even if IE isn't a less secure browser compared to Firefox if it comes to security leaks and speed of patching, it lacks usability since a strategy of blocking everything by default and easily whitelisting only trustworthy sites can hardly be implemented in IE.

    I won't disagree ;) but this doesn't protect against above mentioned surfing-related risks.

    You're exaggerating :oops: but thanks for the praise.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Thomas.

    This is not entirely connected with the Adware exploit, but does hint at awareness of exploits in general

    I don't see a break down in that article "70 Of Top 100 Web Sites Spread Malware," of specific risks, such as those you refer to. For example, the article also includes:

    So we don't know what %age of those sites that spread malware have the exploits you mention.

    In XSS exploits I think the biggest concerns with people are sites where they transact business -- especially their financial institutions

    I assume you mean the non-persistent type of XSS, since to permenantly embed an XSS script on a banking or other financial site would be quite a feat indeed. So, a successful exploit requires

    • injection by means of a spoofed link when the user clicks on a link to take her/him to the secure login page. That is certainly a NO-NO and violates what should be a firm policy of only connecting via your own bookmark. This is similar to another in the NO-NO category, that of following links to install an executable file -- most recently illustrated in the fake obama web sites.

    • a web site that is vulnerable to that type of code injection

    I haven't looked at Clickjacking in a while and I see that not much as been written on it since the disclosure of the vulnerability back in October. I have this in my notes:

    http://ha.ckers.org/blog/20081007/clickjacking-details/
    Nontheless, this is certainly something to watch for, to see if any exploits develop, and if the Browser vendors are working to plug this weakness. Meanwhile your suggestion of NoScript seems to be the best protection at the moment for those concerned.

    ----
    rich
     
  18. tlu

    tlu Guest

  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I'm just waiting for comments from Harry. Then it will be complete.
    All in all it is pretty scary. A 20k developement environment installed on a machine that is compromised. Now all pwned machines need is a text file update. Executables as threads, then threadless, WOW. Sounds like win32 over NT is an issue worse than any browser.

    Thanks Tom and Rich for the added info. Scary stuff.

    P.S. Do you guys sing any country music tunes?
     
Loading...
Thread Status:
Not open for further replies.