Malware-Laced Banner Ads At MySpace, Excite

Discussion in 'malware problems & news' started by ronjor, Jan 3, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,199
    Location:
    Texas
    Brian Krebs
     
  2. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Guess that means no go to Excite for at least another month. :eek:
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    How will you know when it's safe?

    I'm not trying to be facetious. Excite.com could be Google or any other site that could inadvertently host malicious banner ads.

    In the last line of the article we learn that these are javascript exploits. In fact they aren't even drive-by exploits, rather, enticements to download, and the user has to respond to download:

    [attached screenshots: performopt_1.gif, performopt_2.gif]

    Rather than beginning by tooting his horn, the author could have replaced the scare language in the second paragraph with statements of the exploits, leading directly into preventative solutions including those he mentions in his last paragraph.

    Knowing that from the beginning, would you still be hesitant in going to excite.com?

    Suppose a family next door asked for your assistance: they want to let their children use MySpace, but have heard "terrible" things about getting viruses. They ask you for suggestions for safe surfing for their kids.

    What would you (or anyone here) advise?


    ----
    rich
     
  4. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    You'd hope that blacklisting programs would catch it. Otherwise what about a sandbox? These are the least intrusive.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    At what point in the exploit do you expect a blacklisting program to catch it?

    Warning about the web page itself?

    This is rarely feasible any more, since the banner ads change regularly. As has been pointed out, this is a problem that has to be dealt with by the hosting site - to monitor more carefully their ads.

    Flagging a malicious .swf file?

    (this was mentioned in another link from the article ronjor posted) Unless the file is actually analyzed itself, the changing nature of these .swf files makes this practically impossible, since they are hosted on a different server (imageshack is one).

    For a discussion on how .swf files trigger downloads, see http://isc.sans.org/diary.html?storyid=3060
    about 2/3 into the article, "Decompiling a flash component"

    Blocking the trojan file as it's being downloaded?

    Upon submitting the file to VirusTotal, 1 out of 32 vendors had a signature for it. The problem here is that the file changes regularly. I ran the exploit twice in a five-minute span and received another variant the second time.

    So, blacklist programs are not the answer in this case.


    From what I've read, this would isolate all browser activity.

    Could you set this up and explain how to use it in the family situation I've used as an example?


    ----
    rich
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ultimately, to make sure all is well when I'm not present, AE, or freeware SSM (with all modules disabled perhaps, to be easier), or Prevx2 depending on preferences/needs. Sandboxes are yet another possibility: GeSWall, DefenseWall, SandboxIE.
    DEP in AlwaysOn.
    I'd try LUA, if it works ok, if not it's not the end of the world.

    With SSM, disconnect UI and block IE in it, allow Firefox with NoScript / Opera.
     
    Last edited: Jan 4, 2008
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, you weren't exactly very specific.

    The thing about sandboxes is that they require little to no setup. Just install it and run the browser sandboxed, that's it; or maybe you can do some tweaking to tell the sandbox to allow read/write access to the Favorites and/or downloads folder so the people using it don't wonder where their downloaded file went.

    The thing about sandboxes is also that it's very easy to sabotage yourself. Some sandboxes allow you to force specified programs to execute within the sandbox, others don't; why this can be a problem should be obvious. Also, if you download a file yourself, move it out of the sandbox and execute it, there goes your protection. A sandbox is quite useless against social engineering tricks.

    Which is the main problem here. There are very few defenses that can effectively guard the uneducated user against social engineering attacks. Unless you somehow have the authority to enforce security policies on their computer (which I doubt, since it doesn't belong to you), there really isn't much you can do to protect them by using software.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Pedro,

    This would be my first suggestion. Letting the kids have their own account is a good way to teach them yet let them have *some* control over their own settings, etc.

    Here, you really insure that those exploits mentioned don't get in.

    Basic to all of this, of course, is to teach how to recognize the enticements to download unnecessary stuff. In the examples in the article (and links) it *should* be a no-brainer.

    By the way, one point I make to people is that in case of a banner-ad exploit where a window pops up, to close the window, use CTRL + F4 or File|Close Window. Clicking "No" or "Cancel" or trying to close by clicking the "X" at the top just puts the window-open into a loop.

    With proper precautions in place, it's not necessary to be afraid of using social network sites. It's what kids like to do these days, after all!


    ----
    rich
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, solcroft,

    Your point about sandboxes is well taken, which is why I wouldn't use one in this case.

    My interest is with families, where often they are not so up-to-date on these types of exploits.

    I've found that they can become quickly aware of social engineering techniques and how to deal with them. This solves most of the problems. Combined with default-deny approaches, I've not seen any occurrences of being victimized in the types of situations referred to in this article, and certainly don't have to worry, as stated in the article, that


    ----
    rich
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The biggest problem with sandboxes is overcoming social engineering. If that problem is already dealt with, then sandboxes are certainly a more user-friendly and less intrusive approach than a default-deny policy. They're also capable of stopping more types of attacks than default-deny, such as ActiveX plugins, exploits using data files such as wmf and ani, and buffer overflow attacks using shellcoded HTML files (all of which do not involve executables, meaning there's nothing to deny).

    SafeSpace and GeSWall are two free sandboxes that allow specified programs to be automatically isolated whenever they execute. I think they're very well worth a try.
     
  11. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    I have encountered this type of thing on another site just today, a property site, shown on the screen.
     

    [attached file: screenshot, not reproduced]

  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'll give them a look-see, thanks.

    Regarding exploits you mention,

    These are IE specific, and still require a click-to install, if I'm not mistaken

    IE specific, and patched.

    Patched, and none ever surfaced, other than PoC, to my knowledge, that didn't attempt an executable download

    Do you know of recent examples in the wild?

    I confess to not having kept up with this type of exploit, since javascript-XSS has been so prevalent lately.



    ----
    rich
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Did you click to optimize?!

    By the way, the "error detected" message at the bottom of your screen is an interesting piece of social engineering. This is loaded from one of the cached HTML pages, and would attempt to make the user think that there is in fact an error.


    ----
    rich
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The real value of a sandbox would be nullifying all such exploits (which use data files, and are not stopped by default-deny) regardless of which browser you use without having to wait for a security patch, should such similar exploits crop up again in future. Patches, as we know, fix the problem only after the problem has been discovered, and possibly exploited. The same reason why the use of a firewall is still recommended even if no known vulnerable services are running.

    Also, the ani exploit isn't IE-specific IIRC, it's a Windows vulnerability. I remember the unpleasant experience of explorer.exe being repeatedly terminated by DEP and re-executed by winlogon.exe in a never-ending loop just by having a copy of the exploit file placed on the desktop.

    Not at the moment, unfortunately. But again, only IE was vulnerable to such shellcoded exploit files, and it has been long since patched.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That's correct; however, I could never get any of them to run in Opera. Firefox also seemed immune until earlier last year, now since patched, I assume.

    http://blogs.zdnet.com/Ou/?p=461

    A colleague experienced a similar occurrence testing a known site with an exploit. She uses Deep Freeze, so just rebooted to discard it.


    ----
    rich
     
  16. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    :D No mate, my system is as optimised as it needs to be. Once upon a time I would have, 'cause I'd have thought "Oh no, better get that fixed," but fortunately I've come a long way since that, thanks in part to websites like Wilders.
    Yes, basically what happens is that when you click the image in the e-mail (this is a legit e-mail which I have been subscribed to since August), a new window opens up for the property site, as it should, all normal so far, but during the load of that page there seems to be a redirect and the IE window shrinks to what you see at the bottom, and you are also presented with the popup box in the center.
     
  17. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    AVs and blacklisting work by targeting the malware itself. Some AVs have an HTTP scanner and all have a read/write scan. Hopefully the heuristics and signatures are able to catch these.

    If the AV misses it, having the sandbox should isolate the malware. If we are looking specifically at drive-by downloads then there shouldn't be any issues with social engineering, as the user won't even know that malware is downloaded, and it should clear everything when s/he deletes the sandbox.

    The other thing would be to be kept up to date. I use PSI to ensure all my programs are properly patched.
     
  18. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Cheers Rich, useful info, since although I may have come a long way I didn't know that; I ended up killing it via Process Explorer.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Drive-by downloads on MySpace aren't as common as Click-to-install, but here is a recent one:

    [attached screenshot: myspace.gif]

    While a sandbox would clear any downloaded malware, I would rather prevent it from downloading in the first place.


    ----
    rich
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Rich: how does AE know it's an executable before download? By extension only?

    In the picture it looks like it's already in temp folder.

    TIA!
     
  21. controler

    controler Guest

  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    NOT by extension, I think.

    The only software that analyzes something else (code?) rather than just the file extension. Even if you change .exe to .gif, AE will catch it. I haven't seen any other software able to do that. Very impressive. :thumb: :thumb:
     
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Thank you aigle, but what I ask is if it blocks the download and how. If it blocks after download and before execution, I know it doesn't check for extensions.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Rmus can tell you better. I think, as he tested with a spoofed .gif file, the executable was downloaded to disk but immediately removed and blocked.
     
    Last edited: Jan 7, 2008
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ah, that makes sense. Thank you aigle!
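    The exchange in the last few posts (how a tool can tell that a download is a Windows executable without trusting the file extension) comes down to inspecting the file's own header. Below is an added illustration of that idea, written for this thread; it is not Anti-Executable's code and does not claim to reproduce how AE works. It checks the two marks every native Windows PE image carries regardless of what it is called: the "MZ" DOS header and the "PE\0\0" signature found at the offset stored in the e_lfanew field at 0x3C. The sample bytes and the verdict strings are constructed for the example.

```python
"""Content-based executable detection (added example; not Anti-Executable's code)."""
import struct

# Extensions Windows normally treats as native executable images (illustrative list).
EXEC_EXTENSIONS = {"exe", "dll", "scr", "sys", "cpl", "ocx", "drv"}


def looks_like_pe(data: bytes) -> bool:
    """Return True if the bytes carry a Windows PE image header, whatever the file name.

    Layout checked: IMAGE_DOS_HEADER begins with the 'MZ' magic; the 32-bit
    little-endian e_lfanew field at offset 0x3C gives the offset of the
    'PE\\0\\0' signature that starts the NT headers.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The NT signature must sit past the DOS header and inside the buffer.
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_of(name: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(name: str, data: bytes) -> str:
    """Verdict for one download, based on content first and extension second."""
    ext = extension_of(name)
    is_pe = looks_like_pe(data)
    if is_pe and ext not in EXEC_EXTENSIONS:
        # The case discussed in the thread: a renamed .exe posing as an image.
        return f"block: PE executable disguised as .{ext or '(none)'}"
    if is_pe:
        return "block: PE executable"
    if ext in EXEC_EXTENSIONS:
        # Named like a program but not a PE image; worth a look, not a native exe.
        return f"review: .{ext} extension but no PE header"
    return "allow: non-executable content"


def scan_downloads(downloads: dict) -> dict:
    """Map each file name in a {name: bytes} dict to its verdict."""
    return {name: classify(name, data) for name, data in downloads.items()}


def build_minimal_pe() -> bytes:
    """Constructed sample: only the bytes needed for a valid DOS stub + PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20   # zeroed COFF header follows


# Constructed sample inputs mirroring the thread's scenario.
SAMPLE_DOWNLOADS = {
    "performopt.gif": build_minimal_pe(),            # executable renamed to look like an image
    "setup.exe": build_minimal_pe(),                 # executable with an honest name
    "photo.gif": b"GIF89a" + b"\x00" * 64,           # a real (tiny) GIF header
    "odd.exe": b"GIF89a" * 20,                       # image bytes with an .exe name
}

if __name__ == "__main__":
    for name, verdict in scan_downloads(SAMPLE_DOWNLOADS).items():
        print(f"{name:16} {verdict}")
```

    The point the example makes is the one aigle raises: the decision is driven by what the bytes are, so renaming a program to .gif changes nothing. In a real tool this check would run on the temp file as it lands on disk, which matches Pedro's reading of the screenshot.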
     