Malware-Laced Banner Ads At MySpace, Excite

Discussion in 'malware problems & news' started by ronjor, Jan 3, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Brian Krebs
     
  2. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Guess that means no go to Excite for at least another month. :eek:
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    How will you know when it's safe?

    I'm not trying to be facetious. Excite.com could be google or any other site that could inadvertantly host malicious banner ads.

    In the last line of the article we learn that these are javascript exploits. In fact they aren't even drive-by exploits, rather, enticements to download, and the user has to respond to download:

    performopt_1.gif
    _________________________________________________________________________________

    performopt_2.gif
    _________________________________________________________________________________

    Rather than beginning by tooting his horn, the author could have replaced the scare language in the second paragraph with statements of the exploits, leading directly into preventative solutions including those he mentions in his last paragraph.

    Knowing that from the beginning, would you still be hesitant in going to excite.com?

    Suppose a family next door asked for your assistance: they want to let their children use MySpace, but have heard "terrible" things about getting viruses. They ask you for suggestions for safe surfing for their kids.

    What would you (or anyone here) advise?


    ----
    rich
     
  4. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    You'd hope that blacklisting programs would catch it. Otherwise what about a sandbox? These are the least intrusive.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    At what point in the exploit do you expect a blacklisting program to catch it?

    Warning about the web page itself?

    This is rarely feasible any more, since the banner ads change regularly. As has been pointed out, this is a problem that has to be dealt with by the hosting site - to monitor more carefully their ads.

    Flagging a malicious .swf file?

    (this was mentioned in another link from the article ronjor posted) Unless the file is actually analyzed itself, the changing nature of these .swf files makes this practically impossible, since they are hosted on a different server (imageshack is one).

    For a discussion on how .swf files trigger downloads, see http://isc.sans.org/diary.html?storyid=3060
    about 2/3 into the article, "Decompiling a flash component"

    Blocking the trojan file as it's being downloaded?

    Upon submitting the file to VirusTotal, 1 out of 32 vendors had a signature for it. The problem here is that the file changes regularly. I ran the exploit twice in a five-minute span and received another variant the second time.

    So, blacklist programs are not the answer in this case.


    From what I've read, this would isolate all browser activity.

    Could you set this up and explain how to use in the family situation I've used as an example?


    ----
    rich
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ultimately, to make sure all is well when i'm not present, AE, or freeware SSM (with all modules disabled perhaps, to be easier), or Prevx2 depending on preferences/needs. Sandboxes are yet another possibility, GeSWall, DefenseWall, SandboxIE.
    DEP in AlwaysOn.
    I'd try LUA, if it works ok, if not it's not the end of the world.

    With SSM, disconnect UI and block IE in it, allow Firefox with NoScript / Opera.
     
    Last edited: Jan 4, 2008
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, you weren't exactly very specific.

    The thing about sandboxes is that they require little to no setup. Just install it and run the browser sandboxed, that's it; or maybe you can do some tweaking to tell the sandbox to allow read/write access to the Favorites and/or downloads folder so the people using it don't wonder where their downloaded file went.

    The thing about sandboxes is also that it's very easy to sabotage yourself. Some sandboxes allow you to force specified programs to execute within the sandbox, others don't, why is can be a problem should be obvious. Also, if you download a file yourself, move it out of the sandbox and execute it, there goes your protection. A sandbox is quite useless against social engineering tricks.

    Which is the main problem here. There are very few defenses that can effectively guard the uneducated user against social engineering attacks. Unless you somehow have the authority to enforce security policies on their computer (which I doubt, since it doesn't belong to you), there really isn't much you can do to protect them by using software.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Pedro,

    This would be my first suggestion. Letting the kids have their own account is a good way to teach them yet let them have *some* control over their own settings, etc.

    Here, you really insure that those exploits mentioned don't get in.

    Basic to all of this, of course, is to teach how to recognize the enticements to download unnecessary stuff. In the examples in the article (and links) it *should* be a no-brainer.

    By the way, one point I make to people is that in case of a banner-ad exploit where a window pops up, to close the window, use CTRL + F4 or File|Close Window. Clicking "No" or "Cancel" or trying to close by clicking the "X" at the top just puts the window-open into a loop.

    With proper precautions in place, it's not necessary to be afraid of using social network sites. It's what kids like to do these days, after all!


    ----
    rich
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, solcroft,

    Your point about sandboxes is well taken, which is why I wouldn't use one in this case.

    My interests is with families, where often they are not so up-to-date on these types of explolits.

    I've found that they can become quickly aware of social engineering techniques and how to deal with them. This solves most of the problems. Combined with default-deny approaches, I've not seen any occurrences of being victimized in the types of situations referred to in this article, and certainly don't have to worry, as stated in the article, that


    ----
    rich
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The biggest problem with sandboxes is overcoming social engineering. If that problem is already dealt with, then sandboxes are certainly a more user-friendly and less intrusive approach than a default-deny policy. They're also capable of stopping more types of attacks than default-deny, such as ActiveX plugins, exploits using data files such as wmf and ani, and buffer overflow attacks using shellcoded HTML files (all of which do not involve executables, meaning there's nothing to deny).

    SafeSpace and GeSWall are two free sandboxes that allow specified programs to be automatically isolated whenever they execute. I think they're very well worth a try.
     
  11. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    I have encountered this type of thing on another site just today a property site shown on the screen.
     

    Attached Files:

  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'll give them a look-see, thanks.

    Regarding exploits you mention,

    These are IE specific, and still require a click-to install, if I'm not mistaken

    IE specific, and patched.

    Patched, and none ever surfaced, other than PoC, to my knowledge, that didn't attempt an executable download

    Do you know of recent examples in the wild?

    I confess to not having kept up with this type of exploit, since javascript-XSS has been so prevalent lately.



    ----
    rich
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Did you click to optimize?!

    By the way, the "error detected" message at the bottom of your screen is an interesting piece of social engineering. This is loaded from one of the cached HTML pages, and would attempt to make the user think that there is in fact an error.


    ----
    rich
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The real value of a sandbox would be nullifying all such exploits (which use data files, and are not stopped by default-deny) regardless of which browser you use without having to wait for a security patch, should such similar exploits crop up again in future. Patches, as we know, fix the problem only after the problem has been discovered, and possibly exploited. The same reason why the use of a firewall is still recommended even if no known vulnerable services are running.

    Also, the ani exploit isn't IE-specific IIRC, it's a Windows vulnerability. I remember the unpleasant experience of explorer.exe being repeatedly terminated by DEP and re-executed by winlogon.exe in a never-ending loop just by having a copy of the exploit file placed on the desktop.

    Not at the moment, unfortunately. But again, only IE was vulnerable to such shellcoded exploit files, and it has been long since patched.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That's correct, however, I could never get any of them to run in Opera. FireFox also seemed immune until earlier last year, now since patched, I assume.

    http://blogs.zdnet.com/Ou/?p=461

    A colleague experienced a similar occurrence testing known site with an exploit. She uses Deep Freeze, so just rebooted to discard it.


    ----
    rich
     
  16. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    :D No mate, mysystem is as optimised as it needs to be. Once upon a time I would have, cause I'd have thought "Oh no, better get that fixed." but fortunately I've come a long way since that, thanx in part to websites like Wilders.
    Yes, basically what happens, is when you click the image in the e-mail, (this is a legit e-mail which I have been subscribed to since August) a new window opens up for the property site, as it should, all normal so far, but during the load of that page there seems to be a redirect and the IE window shrinks to what you see at the bottom and you are also presented with the popup box in the center.
     
  17. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    AVs and blacklisting by targeting the malware itself. Some AV's have a http scanner and all have a read/write scan. Hopefully the heuristics and signatures are able to catch these.

    If the AV misses it, having the sandbox should isolate the malware. If we are looking specifically at drive by downloads then there shouldnt be any issues with social engineering as the user wont even know that malware is downloaded and should clear everything when s/he deletes the sandbox.

    The other thing would be to be kept up to date. I use PSI to ensure all my programs are properly patched.
     
  18. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Cheers Rich, usefull info, since although I may have come a long way I didn't know that, I ended up killing via process explorer.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Drive-by downloads on MySpace aren't as common as Click-to-install, but here is a recent one:

    myspace.gif
    ________________________________________________________________________

    While a sandbox would clear any downloaded malware, I would rather prevent it from downloading in the first place.


    ----
    rich
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Rich: how does AE know it's an executable before download? By extension only?

    In the picture it looks like it's already in temp folder.

    TIA!
     
  21. controler

    controler Guest

  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    NOT by extension i think.

    Only software that analyzes something else( code?) than just file extension. Even u change .exe to .gif and AE will catch it. I havn,t seen any other software able to do that. Very impressive. :thumb: :thumb:
     
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Thank you aigle, but what i ask is if it blocks the download and how. If it blocks after download and before execution, i know it doesn't check for extensions.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Rmus can tel u better. I think as he tested with a spofed .gif file, the executable was downloaded to disk but immediately removed and blocked.
     
    Last edited: Jan 7, 2008
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ah, that makes sense. Thank you aigle!
     
Loading...
Thread Status:
Not open for further replies.