<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Anatomy of a Drive-by-Install in Security</title>
<link>http://www.dslreports.com/forum/r13144000</link>
<description></description>
<language>en</language>
<pubDate>Wed, 09 Dec 2009 10:58:06 EDT</pubDate>
<lastBuildDate>Wed, 09 Dec 2009 10:58:06 EDT</lastBuildDate>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13211810</link>
<description><![CDATA[<A HREF="/useremail/u/817075"><b>Kiwi</b></A> : Strange really, in some respects -I use IE, but as noted no ActiveX or Java unless needed. Firefox has become a popular hunting ground, so it's moot whether one uses IE or Firefox!<br><br>The Java disable noted by <A HREF="/useremail/u/972855">ElJay</A> is most important, JavaSun is great if one knows how to configure the latest updates;) <br><br>Of course safe hex is the answer to most problems people suffer :) Few 'Surfers' realize the value of the 'electronic condom' ;)<br><br>Cheers<br><SMALL>--<br>2.66g/533fsb Intel CPU @ 3.48g<br>512meg Twinmos PC3700~466 DDR @ 2.8v -PCpower&Cooling 512.<br>ATI 9500 Pro @ 9700 Pro @1.6v<br>--<br>AMD ASUS A7N8X-E ~<br>2500+ @3200 ATI 9500 Pro, Corsair 512LL.-- Aristotle.net</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13211810</guid>
<pubDate>Tue, 19 Apr 2005 19:39:05 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13207759</link>
<description><![CDATA[<A HREF="/useremail/u/628749"><b>PavTheMan</b></A> : <div class="bquote"><SMALL>said by <A HREF="/useremail/u/1163957">Shriyash</A>:</SMALL><br><br>plus i have an online TV app. which needs java to run.<br>oh and not to mention pr0n.<br>java is indispensable.<br> </DIV>:D  Well you shouldn't need Java to see pr0n, er......  apparently. :D  <br><br>I just avoid any site that won't show me pics or vid clips without Java.  There are plenty of free ones that will.<br><br>Besides, P2P-ing for pr0n is, IMHO, a lot safer and more fruitful than those websites.  Just run it as a limited account and lock it down.<br><br>:)<br><SMALL>--<br>No Thanks <A HREF="http://www.againsttcpa.com/">Fritz</A>, I'll Decide Who To Trust</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13207759</guid>
<pubDate>Tue, 19 Apr 2005 12:02:39 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13198132</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : Yes, I'm seeing it upside down. I played it more than once hoping it would right itself but no luck. Maybe I don't have the right codec for it. Ahhh...I didn't think about this sooner but I suppose I could flip the screen with nVidia and invert it and then it would be right side up. Of course the Winamp controls would be upside down but that might not matter. I'll try that tomorrow.<br><br>I didn't realize you need Java for online TV. I avoid Yahoo but yeah if you like launchcast and pron! :D then I suppose you do need Java. ;)<br><SMALL>--<br>The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13198132</guid>
<pubDate>Mon, 18 Apr 2005 08:18:55 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13198001</link>
<description><![CDATA[<A HREF="/useremail/u/1163957"><b>Shriyash</b></A> : you are seeing the video upside down? <br>i viewed it again in winamp and windows media player{10}, and it plays fine here.<br>one of my favourite sites is launch.yahoo.com, and you need java to play launchcast.<br>plus i have an online TV app. which needs java to run.<br>oh and not to mention pr0n.<br>java is indispensable.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13198001</guid>
<pubDate>Mon, 18 Apr 2005 07:35:45 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13197571</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : That video plays upside down! Can't watch that. <br><br>I see Spazbox no longer exists? I guess all this publicity drove the site off?<br><br>I still can't believe anyone would click through the expired certificates warning or would install that very suspicious ActiveX on IE or any of those things. If you are that ignorant then you have no business owning a computer. Plus what sites are people going to where they see a lot of Java Applets? I NEVER see Java applets except when I go to the Speakeasy sites to speed test. I don't even have Java for Fx which I use 90% of the time. I don't need Java so I sure wonder what kinds of sites people are visiting that use so many Java applets.<br><SMALL>--<br>The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13197571</guid>
<pubDate>Mon, 18 Apr 2005 03:22:29 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13197510</link>
<description><![CDATA[<A HREF="/useremail/u/911165"><b>diver196</b></A> : Really great info.  Just remember, in most cases the user does have to let the spyware onto his/her machine by giving consent, even if not informed.<br><SMALL>--<br>Only those defenses are good, certain and durable, which depend on yourself alone and your own ability.  The Prince, by Niccolo Machiavelli.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13197510</guid>
<pubDate>Mon, 18 Apr 2005 02:48:09 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13196245</link>
<description><![CDATA[<A HREF="/useremail/u/1163957"><b>Shriyash</b></A> : oh my god!<br>u guys have to see this video for yourself, it's a short clip, 1.2 MB, but it's an 'experience' watching it. whew!<br>here's the link again:<br>&raquo;<A HREF="http://netrn.net/spywareblog/archives/2005/04/09/oh-what-a-tangled-web-we-weave/" >netrn.net/spywareblog/archives/2&middot;&middot;&middot;e-weave/</A><br><br>just click on the "spazbox video" on the above link, and see for yourself.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13196245</guid>
<pubDate>Sun, 17 Apr 2005 22:45:38 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13195955</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : I'm surprised nobody has sued these companies' butts off into total submission.. if I had a business computer, and had it trashed by these guys, I would OWN 180search assistant, and burn all the crap they use to create this stuff, then I'd wipe my *** with any piece of life, money, or dignity these guys had left]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13195955</guid>
<pubDate>Sun, 17 Apr 2005 22:07:38 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13166184</link>
<description><![CDATA[<A HREF="/useremail/u/1188447"><b>paperghost</b></A> : Thanks B - though as it's turned out from new discoveries, the .Xpi is (in yet another strange twist) possibly the least of our worries. How about a potential 30,000 strong botnet through IRC? I've discovered that in all likelihood, this is where Spazbox.net's huge traffic is coming from despite not being listed well (if at all) in search engines. However, it just raises more and more questions...!<br><br>&raquo;<A HREF="http://www.revenews.com/wayneporter/archives/000594.html#more" >www.revenews.com/wayneporter/arc&middot;&middot;&middot;tml#more</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13166184</guid>
<pubDate>Thu, 14 Apr 2005 01:24:49 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13164698</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : Thanks, Paperghost.<br><br>Unfortunately, as with most things Mozilla, I don't trust them to implement Java whitelisting with any diligence.  (The "whitelisted" XPI sites, for example, is an empty list and is disabled by default in the Moz suite, and the Fireweasel has but a single whitelisted site.  This is nearly useless.)<br><br>Your update addendum was new to me though:<br><br><div class="bquote">In my original tests, I found that disabling software installs in Firefox would send the page into a tailspin - and I couldn't figure out why. Someone from a Firefox forum suggested that this behaviour only happens when a Firefox specific install (in other words - an XPI) is attempted. Check out the below, lifted from the JavaScript installer served from ysbweb.com:<br><br>if (InstallTrigger.updateEnabled()) {<br>InstallTrigger.install({'Content Access Plugin 1.01' : ''});<br>} else { location.replace(''); }<br><br>The code above tries to load in a piece of rogue Firefox .xpi. This is a rather crude .xpi installer to load xxx toolbar into IE - it's currently being examined by some of our "file curious" members.<br><br>By chance, I happened to stumble upon a bunch of other sites that (last year) tried similar .xpi installs, which Mozilla put out a fix for, rather quickly. Upon revisiting these sites - they now all use the Java applet alongside the .xpi install, and it's possible the .Xpi's have been updated, which is why they're now currently being looked at (to see how they work alongside the Java).<br><br>So after all the chaos and "browser warring" that erupted over this whole thing, it actually turns out there was "Firefox spyware" buried away in the code</DIV>Interesting stuff.<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13164698</guid>
<pubDate>Wed, 13 Apr 2005 22:17:27 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13163675</link>
<description><![CDATA[<A HREF="/useremail/u/1172151"><b>johnpro</b></A> : It's purely a convenient coincidence that Integrated Search Technologies happens to be using an expired certificate from a CA not yet "trusted" by users (most of whom won't understand what it would take to "trust" a CA/issuer in the first place).<br><br>*************<br><br>I have never trusted "trust us certification" for a number of reasons.<br><br>Trust is built up over time. Anyone can claim they are trustworthy. <br><br>Look at Truste certification for example. This company certifies that giants such as Microsoft and Intel are trustworthy. I happen to agree with them.<br><br>However they also certify that dubiates such as idownload and Lycos are also trustworthy.<br><br>As one scribe recently wrote ...can truste be trusted!<br><br>My emails to truste were just ignored when I asked them to clarify their position of certification on many of the bad guys in the industry.<br><br>Verisign et al also have difficulties. Most players do not know the significance of these certificates anyway.<br><br>jp]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13163675</guid>
<pubDate>Wed, 13 Apr 2005 20:26:45 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13163470</link>
<description><![CDATA[<A HREF="/useremail/u/827318"><b>Bobby_Peru</b></A> : <A HREF="/useremail/u/229804">B</A>, in addition to <A HREF="/useremail/u/972855">ElJay</A>'s Java Control Panel configuration pointer, putting the Java Toggle on the toolbar (from one of those button extensions, Pref Buttons, or ToolBar Enhancements?), with strict instructions to keep it deselected, and to inquire if a page/task fails, but not to select it without first checking, has worked for me, and the somewhat clueless newbies.<br><br>For my own installs, I keep the JavaScript (Per Tab) Toggle right next to it, as well.<br><SMALL>--<br>**~~<A HREF="/faq/8428">Infected/Hijacked? FAQ</A>~~~<A HREF="/faq/8463">Protect/Secure Your Box/Data FAQ</A>~~~<A HREF="/faq/security">Security Forum FAQs</A>~~**</SMALL><br>(Screenshot: Weasel Java Toggle)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13163470</guid>
<pubDate>Wed, 13 Apr 2005 20:04:25 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13163104</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : Thank you. The video codec worked and I viewed both movies. The IE one is so obvious that no one would install that! It shows you the EULA. Why would anyone accept that? It clearly indicates it is advertising.<br><br>The Fx one is even more suspicious. Why, if I did not have Sun Java, would I agree to install something so OBVIOUSLY WRONG? The install is not for Runtime Environment 5.0 but for some weird something called "update 1". Red flag, red flag! Geez, I'd be outta there in a second! Secondly, the certificate is OBVIOUSLY BAD. Again, no one would trust that! <br><br>There is nothing confusing about install on either browser. If users are so ignorant that they can't see all the red flags here then they better either get rid of their computers or learn something about their computer. I was ignorant when I got my first computer but I started learning immediately and have never stopped. If you want to have a computer you have to be willing to learn continuously.<br><br>The one bad thing I do see is that install on IE 6SP1 (which I use) is HIGHLY DECEPTIVE since nothing happens and it is all silent. But since this uses Sun Java to install, the safe thing for SP1 users is to just use MSJVM and avoid Sun Java if you use IE. Or if you must install Sun Java to use the new dslr speed test applet because your ISP leases it then just don't use IE for anything else or disable Sun Java after running a speed test and continue to use IE with JVM. Of course, I would just have shrugged my shoulders if I ran across a site demanding that I install Sun Java. I detest Sun Java so I would just forget about that site.<br><SMALL>--<br>The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13163104</guid>
<pubDate>Wed, 13 Apr 2005 19:20:11 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13159500</link>
<description><![CDATA[<A HREF="/useremail/u/972855"><b>ElJay</b></A> : <div class="bquote"><SMALL>said by <A HREF="/useremail/u/403861">Mele20</A>:</SMALL><BR><BR>Winamp won't play the movies. Plus, they won't play in the version of WMP I have. Why can't they be played in Real Player? I have the latest version of it.</DIV>Try downloading the video codec from &raquo;<A HREF="http://www.techsmith.com/products/studio/codecdownload.asp" >www.techsmith.com/products/studi&middot;&middot;&middot;load.asp</A> (169kb)<br><br><div class="bquote"><SMALL>said by <A HREF="/useremail/u/403861">Mele20</A>:</SMALL><BR><BR>I don't have Sun Java. Does this vulnerability also exist for MSJVM? It wouldn't matter probably for me since I only use JVM for speed tests and that is one of the rare times I use IE instead of Fx.</DIV>I wonder if the Microsoft VM would even ask you before running this nasty installer. Or perhaps the Microsoft VM is so old that it won't be able to run this applet.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13159500</guid>
<pubDate>Wed, 13 Apr 2005 12:18:26 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13157152</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : "I realize it's not Mozilla's issue per se; perhaps Sun can address this."<br><br>Hi B - I covered this type of install a while back (March 9th) and off the back of this initial investigation, Mozilla said they would look to "whitelist" applets with Sun, and a developer for Opera said they would look to change the way "accept" is highlighted as a default. More <A HREF="http://www.vitalsecurity.org/2005/03/firefox-spyware-infects-ie.html">here</A>.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13157152</guid>
<pubDate>Wed, 13 Apr 2005 01:47:34 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13156248</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : &raquo;<A HREF="http://www.spywareguide.com/articles/anatomy_of_a_drive_by_install__72.html" >www.spywareguide.com/articles/an&middot;&middot;&middot;_72.html</A><br><br>Winamp won't play the movies. Plus, they won't play in the version of WMP I have. Why can't they be played in Real Player? I have the latest version of it. So, I can't read the article (I tried copying it to Word and it still produces a horizontal scroll bar) or play the files. :(<br><br>I don't have Sun Java. Does this vulnerability also exist for MSJVM? It wouldn't matter probably for me since I only use JVM for speed tests and that is one of the rare times I use IE instead of Fx.<br><SMALL>--<br>The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13156248</guid>
<pubDate>Tue, 12 Apr 2005 23:28:21 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13154880</link>
<description><![CDATA[<A HREF="/useremail/u/326716"><b>redxii</b></A> : <div class="bquote"><SMALL>said by <A HREF="/useremail/u/972855">ElJay</A>:</SMALL><br><br>Would this help save a Mozilla/Firefox user from this "drive-by?"<br> </DIV>I'm glad you asked:<br><br>With the second option unchecked, I was still given options Yes No and Cancel. With the first one unchecked, it went away, but applets using the "&lt;applet=""&gt;" code still worked on other (legit) websites. <br><br>For some reason I can't get 3 sites to give me a popup anymore... trying to undo what I did but they may have taken it down and left the flash one in IE up. I'll restore a fresh image and see what happens...<br><SMALL>--<br>Asus A7N8X-X, Athlon XP 2400+ @ 2.0GHz, 1024MB DDR RAM (@ PC2100), GeForce FX 5600Ultra 128MB, Samsung SD-616T 16x DVD-ROM and Sony CRX215E1 48x24x48 CD-RW, 40GB & 120GB HDD. <br><A HREF="http://www.tuxfiles.org/antihelp/altview.html">Y I Hate L-i-n-u-x</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13154880</guid>
<pubDate>Tue, 12 Apr 2005 21:10:00 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13150564</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Good find; I don't know.<br><br>The Java 1.4.2 control panel I have doesn't offer anything like that tab...<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13150564</guid>
<pubDate>Tue, 12 Apr 2005 12:35:40 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13150431</link>
<description><![CDATA[<A HREF="/useremail/u/972855"><b>ElJay</b></A> : I noticed in the latest Java VM (1.5.0/"5.0 Update 2") there's an option to disallow granting "permissions to content from an untrusted authority." I can't remember if this option was available in the 1.4.x version.<br><br>Would this help save a Mozilla/Firefox user from this "drive-by?"<br>(Screenshot: Java Control Panel Security Settings)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13150431</guid>
<pubDate>Tue, 12 Apr 2005 12:15:24 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13150185</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>It's really unfortunate.  It seems that the only way to properly secure clueless newbie browsing under Mozilla is to disable Java entirely?<br><br>I realize it's not Mozilla's issue per se; perhaps Sun can address this.  I believe I've said before in a different thread here -- the Java plug-in really shouldn't even be capable, by default, of breaking the sandbox with a single real-time "drive-by" style query.<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13150185</guid>
<pubDate>Tue, 12 Apr 2005 11:43:04 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13146388</link>
<description><![CDATA[<A HREF="/useremail/u/1125256"><b>xblock</b></A> : B.<br><br>"The Porter/Hertens article seems to omit a rather important little detail -- what does the user have to do, if anything, in order to allow the spyware to install?"<br><br>In the case of IE SP1- they have to do nothing. Just hit the web page which appears blank. I posed this question to my son (a 7 year old) and asked him what happened when he hit the web page on the IE SP1 page. He said "nothing happens Dad". Obviously if you look at the packet log a lot of things happen.<br><br>In the case of IE SP2- The user will see an elaborate movie explaining how to accept the installation. But there is  reference to what is being installed, why it is being installed, or from where it is being installed. The only information they receive from the little movie, aside from install instructions, is a large sign that says THEY MUST INSTALL it.<br><br>In Firefox the user is presented with a Java prompt which asks them to install, but the key factor here is again no EULA is presented.<br><br>Much more analysis is planned on that piece- we worked on it over the weekend to get some dialogue started. It was like digging into a hole and finding a pool of water, the further we swam into the water the more stuff we found until we realized it wasn't water we were wading through but more like a high-stream sewer. So we took one aspect of the problem and focused on it. There are a myriad of things that can be studied and learned from that page.<br><br>The idea for this piece was taken from watching how my son (an eight year old) interacted with a web page and a discussion with my wife (a teacher) about how kids interact with web pages in her lab.<br><br>So naturally prevention is important, if not the cornerstone of the problem, but we wanted to focus on what the user sees versus what is actually happening and how the entire installation is mixed up with inadequate disclosure, confusing prompts, and no real attempt to tell the user what is going to happen.<br><br>regards,<br>Wayne]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13146388</guid>
<pubDate>Mon, 11 Apr 2005 21:41:21 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13146336</link>
<description><![CDATA[<A HREF="/useremail/u/817075"><b>Kiwi</b></A> : I'm a wee bit lost, to whom were the replies directed? I see the link works now.<br><br>Cheers]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13146336</guid>
<pubDate>Mon, 11 Apr 2005 21:37:03 EDT</pubDate>
</item>


<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13146178</link>
<description><![CDATA[<A HREF="/useremail/u/1125256"><b>xblock</b></A> : The problem has been corrected and I apologize to any and all who were affected. We have put in an extra layer of controls to ensure that doesn't happen again. As punishment I was told that Jan was going to strike me with the nearest blunt object next time he sees me. <br><br>regards,<br>Wayne]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13146178</guid>
<pubDate>Mon, 11 Apr 2005 21:20:16 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13146055</link>
<description><![CDATA[<A HREF="/useremail/u/1003137"><b>garys_2k</b></A> : Never mind, part II.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13146055</guid>
<pubDate>Mon, 11 Apr 2005 21:08:36 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13146033</link>
<description><![CDATA[<A HREF="/useremail/u/1003137"><b>garys_2k</b></A> : Never mind...]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13146033</guid>
<pubDate>Mon, 11 Apr 2005 21:05:47 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145915</link>
<description><![CDATA[<A HREF="/useremail/u/1125256"><b>xblock</b></A> : <br>On the live JavaScript problem. (I'll get to other comments later) It appears that was my goof. We have an internal article system, but since numerous people worked on this we used Dreamweaver to collaborate on the report and took the raw HTML from DW. Because of this we could not use our normal web-based article software so the article was "hard coded" into our database. At that time all scripts were double-checked to make sure they were "dead".<br><br>Long story short I saw a typo on the report and used our internal editing system to fix the typo and that somehow made the scripts active again.<br><br>I have Jan working on fixing it ASAP and thanks for calling this to my attention!<br><br>regards,<br>Wayne]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145915</guid>
<pubDate>Mon, 11 Apr 2005 20:53:01 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145865</link>
<description><![CDATA[<A HREF="/useremail/u/378696"><b>eburger68</b></A> : inTulsa:<br><br>Wayne Porter tells me that the problem will be corrected shortly.<br><br>Eric L. Howes]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145865</guid>
<pubDate>Mon, 11 Apr 2005 20:47:43 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145650</link>
<description><![CDATA[<A HREF="/useremail/u/590777"><b>inTulsa</b></A> : <div class="bquote"><SMALL>said by <A HREF="/useremail/u/197199">Doctor Four</A>:</SMALL><BR><BR>I wonder if anyone's contacted XBlock yet about it - the javascripts are very much active, ...<br> </DIV>Email was sent, a "ticket" on the issue has been opened.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145650</guid>
<pubDate>Mon, 11 Apr 2005 20:23:10 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145628</link>
<description><![CDATA[<A HREF="/useremail/u/817075"><b>Kiwi</b></A> : I was reading this and wondered, are people still using ActiveX & Java? Mine have always been disabled even though I maintain current updates, except for MS critical updates and the rather rare speed test on DSLR. <br><br>Using buffer overflow vulnerabilities, or if you like 'Exploits', can be minimised by third party software & surfing habits. I personally hate certificate verification; it serves no purpose to the end user at all and I wish companies would quit using it!<br><br>{Edit}BTW -Your first link to 'Home' seems to have been DoSd & framed to avoid backing out.<br><br>Good articles though, Eric.<br><br>Cheers<br><SMALL>--<br>2.66g/533fsb Intel CPU @ 3.48g<br>512meg Twinmos PC3700~466 DDR @ 2.8v -PCpower&Cooling 512.<br>ATI 9500 Pro @ 9700 Pro @1.6v<br>--<br>AMD ASUS A7N8X-E ~<br>2500+ @3200 ATI 9500 Pro, Corsair 512LL.-- Aristotle.net</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145628</guid>
<pubDate>Mon, 11 Apr 2005 20:21:09 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145577</link>
<description><![CDATA[<A HREF="/useremail/u/197199"><b>Doctor Four</b></A> : I noticed that as well. I didn't get hit by any of the parasites being profiled due to the use of the MVPS hosts file on my system, but others could very well have gotten infected. I wonder if anyone's contacted XBlock yet about it - the javascripts are very much active, and just visiting the page results in HTTP GET commands in my ad blocker (it logs all headers) for static.windupdates.com, ct4download.com, and xxxtoolbar.com, the host URLs for the parasites being profiled.<br><SMALL>--<br>"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.<br>To RIAA/MPAA - You can sue but you can't catch everyone!</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145577</guid>
<pubDate>Mon, 11 Apr 2005 20:13:57 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145560</link>
<description><![CDATA[<A HREF="/useremail/u/378696"><b>eburger68</b></A> : metrodust:<br><br>Education of users is important. But it's even more important that we not let adware vendors off the hook by making excuses for their substandard, deceptive installation practices.<br><br>We can do both: educate users and insist on better behavior from adware vendors.<br><br>Eric L. Howes]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145560</guid>
<pubDate>Mon, 11 Apr 2005 20:11:49 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145526</link>
<description><![CDATA[<A HREF="/useremail/u/121311"><b>metrodust</b></A> : the bottom line is still lack of education on the end-user's part.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145526</guid>
<pubDate>Mon, 11 Apr 2005 20:09:03 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145481</link>
<description><![CDATA[<A HREF="/useremail/u/326716"><b>redxii</b></A> : <div class="bquote"><SMALL>said by  eburger68 <A HREF="/useremail/u/378696"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><br><br>It is a myth that the spyware/adware problem has been driven primarily by installations through security exploits .... depressing story of users getting bamboozled by adware vendors into "consenting" to the installation of unwanted software through a combination of trickery, poor information, and still poorer installation processes.</DIV>I posted this in an earlier thread, about ActiveX and IST: &raquo;<A HREF="/forum/remark,13135936">Re: 180Solutions Buying Legitimacy?</A> .. Don't know if you've seen it yet. I believe it supports your claim that it is a myth.<br><br>That is the Internet Explorer equivalent of the Java/Mozilla exploit. What I posted is found on exactly the same pages where the Java/Mozilla exploit is, only when viewed in IE.<br><br>Also, I should mention the click_run_to_remove_virus.exe was unable to execute under a limited account.<br><SMALL>--<br>Asus A7N8X-X, Athlon XP 2400+ @ 2.0GHz, 1024MB DDR RAM (@ PC2100), GeForce FX 5600Ultra 128MB, Samsung SD-616T 16x DVD-ROM and Sony CRX215E1 48x24x48 CD-RW, 40GB & 120GB HDD. <br><A HREF="http://www.tuxfiles.org/antihelp/altview.html">Y I Hate L-i-n-u-x</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145481</guid>
<pubDate>Mon, 11 Apr 2005 20:04:49 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145465</link>
<description><![CDATA[<A HREF="/useremail/u/590777"><b>inTulsa</b></A> : Eric - My sincere apologies.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145465</guid>
<pubDate>Mon, 11 Apr 2005 20:02:47 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145403</link>
<description><![CDATA[<A HREF="/useremail/u/378696"><b>eburger68</b></A> : inTulsa:<br><br>Please direct your comments to the correct parties. I am not affiliated with XBlock nor do I control those pages.<br><br>Eric L. Howes]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145403</guid>
<pubDate>Mon, 11 Apr 2005 19:57:24 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13145357</link>
<description><![CDATA[<A HREF="/useremail/u/590777"><b>inTulsa</b></A> : <div class="bquote"><SMALL>said by  eburger68 <A HREF="/useremail/u/378696"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><BR><BR>Anatomy of a Drive-By Install- Even on Firefox<br>&raquo;<A HREF="http://www.spywareguide.com/articles/anatomy_of_a_drive_by_install__72.html" >www.spywareguide.com/articles/an&middot;&middot;&middot;_72.html</A><br> </DIV><STRIKE>Caution - referenced malware scripts are EXECUTING in browsers viewing that spywareguide.com page!<br><br>Fortunately I block those domains ... but others won't be so lucky.</STRIKE><br><br>The earlier problem has been fixed.<br><br>(Attached screenshots: spaz_1.gif, spaz_2.gif, spaz_3.gif)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13145357</guid>
<pubDate>Mon, 11 Apr 2005 19:53:22 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13144918</link>
<description><![CDATA[<A HREF="/useremail/u/937383"><b>TeMerc</b></A> : Thanks for the great reading Eric, I had already read and linked Ben's article the other night on my site; this of course expands things quite a bit.<br><br><I>Moreover, where Suzi was testing primarily on Mozilla 1.7, Wayne and Jan test on Firefox and Internet Explorer. The site in question serves up different install packages based on the browser being used to visit the site.</I><br><br>I guess it was just a matter of time before these lowlifes started writing dual coding to infect whichever browser you're running at the time. Just goes to show, no matter which browser you're running, you're always at risk. :huh:<br><SMALL>--<br>Remember............You can NEVER be OVERPROTECTED!!&raquo;<A HREF="http://temerc.com/" >temerc.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13144918</guid>
<pubDate>Mon, 11 Apr 2005 18:57:23 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13144686</link>
<description><![CDATA[<A HREF="/useremail/u/1058588"><b>bpm3k</b></A> : Deleted.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13144686</guid>
<pubDate>Mon, 11 Apr 2005 18:28:45 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13144621</link>
<description><![CDATA[<A HREF="/useremail/u/570051"><b>novaflare</b></A> : Hmm, I downloaded the url.zip and looked at the URL list; my god, there's lots of them in there. <br><br>Not too long ago I was fortunate enough (unfortunately for CoolWebSearch) to be able to log in to and delete the entire contents of an FTP site of theirs. Maybe they should have had the installer delete the .cmd file after install. I deleted approx. 18 gigs from the FTP: images, ads, links, HTML, and on the way out I changed the password. 'Course the domain it was on was probably going to disappear in a couple of days anyhow, like the one in the .cmd file from a week earlier.<br><SMALL>--<br>DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel.<br>Open source DNS server for *nix and Windows &raquo;<A HREF="http://powerdns.com" >powerdns.com</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13144621</guid>
<pubDate>Mon, 11 Apr 2005 18:19:50 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13144438</link>
<description><![CDATA[<A HREF="/useremail/u/378696"><b>eburger68</b></A> : metrodust:<br><br><div class="bquote"><SMALL>said by  metrodust <A HREF="/useremail/u/121311"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><BR><BR>the simple answer to avoid infection would be to not click OK on the box that has the big yellow signs and the words INVALID and NOT TRUSTED all over it. </DIV>It's purely a convenient coincidence that Integrated Search Technologies happens to be using an expired certificate from a CA not yet "trusted" by users (most of whom won't understand what it would take to "trust" a CA/issuer in the first place). <br><br>The fact that the user has not elected to trust the CA has NOTHING to do with the trustworthiness of the Java applet itself. IST could have just as easily used a cert from Thawte/Verisign, which would be trusted by default through the user's browser. <br><br>In fact, we see this all the time with ActiveX controls installed by spyware/adware through Internet Explorer, almost all of which are signed with certs issued by Thawte/Verisign. The fact that the ActiveX control has been signed with a cert issued by a trusted CA says absolutely *nothing* about the trustworthiness of the ActiveX control itself, because Thawte/Verisign will issue certs to just about anyone under any name. See Ben Edelman's recent discussion of this problem for more information:<br><br>&raquo;<A HREF="http://www.benedelman.org/news/020305-1.html" >www.benedelman.org/news/020305-1.html</A><br><br>And what if IST were to get a new signing cert from Thawte/Verisign? Would you then advise users that the app was "trustworthy"?<br><br>Of course not, because the real problem lies elsewhere. The real problem with the Java applet Warning box is that it provides no useful information whatsoever to the user. None. 
Most users aren't going to be familiar with "Integrated Search Technologies," which sounds like an innocuous enough company. Still worse, there's not even a link, such as the much maligned ActiveX Security Warning box provides, for the user to get more information or read the EULA associated with the program. <br><br>And given that users will encounter these Java applet Warning boxes (or similar looking ones) frequently in their surfing around the Net, it's a serious problem that they don't have any useful method for distinguishing between trustworthy and non-trustworthy Java applets. The same holds true for ActiveX controls, though at least users can get to a EULA of some sort and Microsoft has implemented some changes in XP SP2 to take those Security Warning boxes out of users' faces.<br><br>It is a myth that the spyware/adware problem has been driven primarily by installations through security exploits. Always has been. In fact, those kinds of exploit-based installations really only took off in the last year or so. Since the beginning in 2000, the spyware/adware problem has largely been the depressing story of users getting bamboozled by adware vendors into "consenting" to the installation of unwanted software through a combination of trickery, poor information, and still poorer installation processes.<br><br>Eric L. Howes]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13144438</guid>
<pubDate>Mon, 11 Apr 2005 17:55:57 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13144320</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : I'd love to read the article, but the webmaster needs to fix that site. It sprawls so badly that I have a horizontal scroll bar there and cannot see the article without long horizontal scrolling of each line. If I make the zoom below 100% then the horizontal scroll bar disappears but I can't read the tiny print. This is on Firefox and usually 100% to 120% text zoom is what I use on sites, but that site needs 150% or higher text zoom to be comfortably readable. <br><br>On IE, with the text set to "medium" I get an even WORSE horizontal scroll bar! So, that site really needs to fix things. Do they expect everyone to use "smallest" font size on IE? That is the only one that doesn't produce the horizontal scroll bar. I have a 19" flat panel LCD at 1280x1024. I think that site is designed for 800x600. Maybe I can read it without the horizontal scroll bar appearing if I used my 17" Trinitron connected to my older computer.<br><br>I suppose I can copy the article to Word when I have time and read it that way. <br><SMALL>--<br>The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13144320</guid>
<pubDate>Mon, 11 Apr 2005 17:41:39 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13144227</link>
<description><![CDATA[<A HREF="/useremail/u/121311"><b>metrodust</b></A> : <div class="bquote"><SMALL>said by  B <A HREF="/useremail/u/229804"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><br><br>The Porter/Hertens article seems to omit a rather important little detail -- what does the user have to <B>do</B>, if anything, in order to allow the spyware to install?<br><br>They show what the users SEE under each browser, but don't seem to discuss what the user would do or click next, or what he or she could do at that point to <B>avoid</B> the infections...?<br><br>-- B<br> </DIV>the simple answer to avoid infection would be to not click OK on the box that has the big yellow signs and the words INVALID and NOT TRUSTED all over it. <br><SMALL>--<br>When you are leaving.. heaven is a distance not a place. --Carissas Weird</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13144227</guid>
<pubDate>Mon, 11 Apr 2005 17:29:18 EDT</pubDate>
</item>

<item>
<title>Re: Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13144087</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>The Porter/Hertens article seems to omit a rather important little detail -- what does the user have to <B>do</B>, if anything, in order to allow the spyware to install?<br><br>They show what the users SEE under each browser, but don't seem to discuss what the user would do or click next, or what he or she could do at that point to <B>avoid</B> the infections...?<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13144087</guid>
<pubDate>Mon, 11 Apr 2005 17:15:05 EDT</pubDate>
</item>

<item>
<title>Anatomy of a Drive-by-Install</title>
<link>http://www.dslreports.com/forum/remark,13144000</link>
<description><![CDATA[<A HREF="/useremail/u/378696"><b>eburger68</b></A> : Hi All:<br><br>Wayne Porter and Jan Hertens of XBlock have just posted a fascinating analysis of a collection of drive-by-installs of spyware and adware that occur at a dubious web site:<br><br>Anatomy of a Drive-By Install- Even on Firefox<br>&raquo;<A HREF="http://www.spywareguide.com/articles/anatomy_of_a_drive_by_install__72.html" >www.spywareguide.com/articles/an&middot;&middot;&middot;_72.html</A><br><br>Included in their write-up are videos, packet logs, and an extended traffic analysis of the site itself. Although this write-up is more than a little technical, it's well worth your time to have a look, as it offers real insight into how this kind of unethical, deceptive installation practice occurs.<br><br>It should be noted that Wayne and Jan are analyzing the same site that Suzi of Spyware Warrior did in her recent blog entry on 180solutions & CDT, Inc.:<br><br>Oh, What A Tangled Web We Weave...<br>&raquo;<A HREF="http://netrn.net/spywareblog/archives/2005/04/09/oh-what-a-tangled-web-we-weave/" >netrn.net/spywareblog/archives/2&middot;&middot;&middot;e-weave/</A><br><br>Like Wayne and Jan, Suzi also has videos (look at the end of the blog entry for the second). Where Wayne and Jan devote most of their attention to the underlying mechanics of the drive-by-installs, though, Suzi focuses on the behavior of the 180search Assistant from 180solutions, which is one of the adware programs installed by the site.<br><br>Moreover, where Suzi was testing primarily on Mozilla 1.7, Wayne and Jan test on Firefox and Internet Explorer. 
The site in question serves up different install packages based on the browser being used to visit the site.<br><br>Once you're finished reading these new articles from Wayne, Jan, and Suzi, you also ought to have a look at Ben Edelman's new series of articles on unethical installation methods being employed to install adware and spyware:<br><br>New Series on Spyware Installation Methods<br>&raquo;<A HREF="http://www.benedelman.org/news/041105-1.html" >www.benedelman.org/news/041105-1.html</A><br><br>Spyware Installation Methods (table)<br>&raquo;<A HREF="http://www.benedelman.org/spyware/installations/" >www.benedelman.org/spyware/installations/</A><br><br>3D Desktop's Misleading Installation Methods (write-up)<br>&raquo;<A HREF="http://www.benedelman.org/spyware/installations/3d-screensaver/" >www.benedelman.org/spyware/insta&middot;&middot;&middot;ensaver/</A><br><br>There's some overlap between all these new articles, which complement each other very well. Each offers some unique insight into the problem of spyware, adware, and how these unwanted software programs are pushed on unsuspecting consumers, despite the profuse professions of innocence by the companies involved.<br><br>For those desiring still more reading on the same subject, you might take a look at one of my submissions to the FTC from last year (right about this time, in fact):<br><br>The Anatomy of a Drive-by-Download<br>&raquo;<small>https</small>://<A HREF="https://netfiles.uiuc.edu/ehowes/www/dbd-anatomy.htm">netfiles.uiuc.edu/ehowes/www/dbd-anatomy.htm</A><br><br>In any case, happy reading.<br><br>All the best,<br><br>Eric L. Howes]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13144000</guid>
<pubDate>Mon, 11 Apr 2005 17:03:56 EDT</pubDate>
</item>

</channel>
</rss>
