Re: Malvertisement on MSNBC.com using clipboard (copy/paste) in Security

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Fri, 26 Sep 2008 15:13:59 EDT

said by swhx7 :

So is this now the correct thread for the clickjacking topic? I believe it is not the same as the original topic here, i.e. the clipboard exploit, but anyway.

It would probably better to start a new 'clickjacking' thread. This looks to be a serious and ongoing vuln that will continue for quite some time. So feel free...

Your info is very interesting. Thanks.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Fri, 26 Sep 2008 15:00:29 EDT

avd706 : The only solution is #5

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Fri, 26 Sep 2008 14:49:52 EDT

swhx7 : So is this now the correct thread for the clickjacking topic? I believe it is not the same as the original topic here, i.e. the clipboard exploit, but anyway.

The discoverers have been vague about just what the "clickjacking" involves. The reason of course is the same as in the recent Kaminsky/DNS thing, to give vendors time to patch. This has led to some anxiety about how site maintainers and surfers can be safe.

In looking around however, I found a clear explanation of at least one implementation of it: »lists.whatwg.org/pipermail/whatw···284.html

The above is already out there, so I'm not making it any worse by linking.

I favor Zalewski's #4, because it puts the user most in control.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Fri, 26 Sep 2008 00:44:03 EDT

SUMware : DF, thanks for posting this additional information.

From your link »blogs.zdnet.com/security/?p=1973 it's worth excerpting the following:

quote:
In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:
Hi Ryan,

I’ve seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].

I had access to detailed information about how this attack works and I can tell you the following:
1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the "Plugins|Forbid [IFRAME]" option..

Cheers,
Giorgio

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed “very, freaking scary” and “near impossible” to fix properly.

Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Thu, 25 Sep 2008 22:50:27 EDT

Doctor Four : Adobe says they are going to fix this, but there is now a much more serious threat involving clickjacking:

»blogs.zdnet.com/security/?p=1972

quote:
In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

Firefox and NoScript can give a degree of protection against this, according to an email the creator, Giorgio Maone, sent the ZDNet blogger.

»blogs.zdnet.com/security/?p=1973
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: To Be Fixed in Flash Player 10

Mon, 22 Sep 2008 03:00:43 EDT

antdude :

said by SUMware :

From ZDNet
September 19th, 2008 -

quote:
Adobe moves to nuke ‘clipboard hijack’ attacks

Adobe has announced plans to modify the next version of its Flash Player to use an “allow/deny” system to mitigate clipboard hijack attacks.

The change will be fitted into the final version of Flash Player 10 to demand user interaction when a Shockwave (.swf) file attempts to set data on a user’s clipboard. It follows news that malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

(See Aviv Raff’s proof-of-concept demo to show how easy it is to use Flash with ActionScript code to persistently load a malicious URL into a target clipboard).

Here’s the skinny on the Flash Player 10 changes:
In Flash Player 9, ActionScript could set data on the system Clipboard at any time. With Flash Player 10 beta, the System.setClipboard() method may be successfully called only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or using the keyboard. This user interaction requirement also applies to the new ActionScript 3.0 Clipboard.generalClipboard.setData() and Clipboard.generalClipboard.setDataHandler() methods.

This change can potentially affect any SWF file that makes use of the System.setClipboard() method. This change affects SWF files of all versions played in Flash Player 10 beta and later. This change affects all non-application content in Adobe AIR—however, AIR application content itself is unaffected.

Any existing content that sets data on the system Clipboard using the System.setClipboard() method outside of an event triggered by user interaction will need to be updated. Setting the Clipboard will now have to be invoked through a button, keyboard shortcut, or some other event initiated by the user.

Adobe already uses an allow/deny mechanism when a SWF file attempts to access a user’s camera or microphone using the Camera.get() or Microphone.get() methods.

Will it be fixed in newer Flash v9? Or do we have to update to v10? :(
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer

To Be Fixed in Flash Player 10

Sat, 20 Sep 2008 19:59:43 EDT

SUMware : From ZDNet
September 19th, 2008 -

quote:
Adobe moves to nuke ‘clipboard hijack’ attacks

Adobe has announced plans to modify the next version of its Flash Player to use an “allow/deny” system to mitigate clipboard hijack attacks.

The change will be fitted into the final version of Flash Player 10 to demand user interaction when a Shockwave (.swf) file attempts to set data on a user’s clipboard. It follows news that malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

(See Aviv Raff’s proof-of-concept demo to show how easy it is to use Flash with ActionScript code to persistently load a malicious URL into a target clipboard).

Here’s the skinny on the Flash Player 10 changes:
In Flash Player 9, ActionScript could set data on the system Clipboard at any time. With Flash Player 10 beta, the System.setClipboard() method may be successfully called only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or using the keyboard. This user interaction requirement also applies to the new ActionScript 3.0 Clipboard.generalClipboard.setData() and Clipboard.generalClipboard.setDataHandler() methods.

This change can potentially affect any SWF file that makes use of the System.setClipboard() method. This change affects SWF files of all versions played in Flash Player 10 beta and later. This change affects all non-application content in Adobe AIR—however, AIR application content itself is unaffected.

Any existing content that sets data on the system Clipboard using the System.setClipboard() method outside of an event triggered by user interaction will need to be updated. Setting the Clipboard will now have to be invoked through a button, keyboard shortcut, or some other event initiated by the user.

Adobe already uses an allow/deny mechanism when a SWF file attempts to access a user’s camera or microphone using the Camera.get() or Microphone.get() methods.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Fri, 12 Sep 2008 18:33:58 EDT

MeanPeepsSuk : Removed my response/question from last night as no longer relevant.

Just realized this was an old thread brought to the top again.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Fri, 12 Sep 2008 15:48:46 EDT

Jayhawk21 : I would just like to point out that this happened to me in Vista with Google Chrome today.

Damn!

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 20 Aug 2008 17:47:49 EDT

Doctor Four :

said by therube :

Using NoScript (& assuming that Flash is blocked) thwarts the exploit. And even if you were to Temporarily Allow the Flash, once you Revoke Temporary Persmissions, the exploit again ends.

So it looks like my earlier thoughts were partially correct. It does involve Flash & JavaScript, but it is not dependent upon IE or ActiveX.

Indeed it does thwart the hijacking. From the NoScript homepage: »noscript.net/?ver=1.7.9&prev=1.7···blocking

Looks like third party flash is blocked by default unless specifically allowed.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Adobe Product Security Incident Response Team (PSIRT)

Wed, 20 Aug 2008 15:14:00 EDT

SUMware : From Adobe August 19, 2008:

Clipboard attack
"We are aware of recent press reports about a potential “Clipboard attack” issue that involves Flash Player. Adobe is currently investigating potential solutions to this issue and will update customers as soon as we have more information to provide."

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 20 Aug 2008 11:47:17 EDT

therube : Ha! That is only too funny.

I'm trying to figure out why I can't get the testcase to work? It was not until I went to copy/paste a URL into another window that I see it DID work. Crafty.

If that happened to me out of the blue, it would be disconcerting to say the least.

Using NoScript (& assuming that Flash is blocked) thwarts the exploit. And even if you were to Temporarily Allow the Flash, once you Revoke Temporary Persmissions, the exploit again ends.

So it looks like my earlier thoughts were partially correct. It does involve Flash & JavaScript, but it is not dependent upon IE or ActiveX.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 20 Aug 2008 10:43:01 EDT

Doctor Four : I decided last night to see if I could duplicate this
hijack, so I did something dangerous, security-wse:
I disabled my hosts file temporarily.

I then went to several of the sites where the hijack was
being reported, while using IE and Fiddler, and not once
did I see it - no fraudware URLs showed up in Fiddler's
capture logs.

I'll try again tonight, but I have to wonder if the ad
network that was a vector for this hijack caught onto it
and got rid of it.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 20 Aug 2008 01:01:52 EDT

Bink : I swear, Flash is becoming the scourge of the Internet. If you use Internet Explorer, do yourself a favor and leave Flash disabled—»flash.melameth.com.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 20 Aug 2008 00:59:59 EDT

SUMware : Hijack demo prevented by NoScript and Proxo via Flash control (read about the demo at bottom of page here) .

NoScript
Proxomitron

Pwning the clipboard - latest trick in FakeAlert distribution

Wed, 20 Aug 2008 00:39:42 EDT

SUMware : »www.sophos.com/security/blog/200···from=rss

"The fact that victims report experiencing these issues after browsing legitimate, popular sites, suggests that malicious Flash is the culprit. The attackers are probably using the setClipboard() method within ActionScript embedded in Flash content. Maybe the attackers have poisoned some ad-stream as a way of hitting large volumes of users?

I guess we should be glad the Adobe folks were wise enough to not provide the corresponding getClipboard() method!"

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Tue, 19 Aug 2008 23:59:01 EDT

SUMware : Try setting Firefox's clipboard.autocopy to 'false' in about:config.

Also, check setting noscript.allowClipboard to see if it is set to 'false'.
NoScript Options > Advanced > Trusted tab - uncheck the 'Allow rich text copy and paste from external clipboard' preference.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Tue, 19 Aug 2008 23:16:17 EDT

Doctor Four : This is getting to be a hot topic, as Sandi notes. Also,
Firefox and NoScript do not block the clipboard
hijack. So far, the only ways to prevent it are either to
block flash, or close the browser when it occurs.

»msmvps.com/blogs/spywaresucks/ar···130.aspx

Seems having a hosts file does work, though. I have tried
several of the sites in question, and not once have I seen
this occur.

I did try Newsweek's site, and quantserve/quantcast showed
up again in the page's source. I didn't see it on either
MSN or MSNBC's home page, though.

Edit: I tested FF and NoScript on the proof-of-concept
site Sandi mentioned. It doesn't work unless you allow
the site in NoScript. Seems that would still be effective
at preventing the hijack as it is coming from a third party
(and one which is likely to be marked as untrusted).
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Mon, 18 Aug 2008 18:36:35 EDT

Doctor Four : More on this from Sandi:

»msmvps.com/blogs/spywaresucks/ar···914.aspx

Also, according some comments on The Register, this is
happening on Monster, as well as Digg and Facebook, which
were previously mentioned. And one reader got hit while
browsing Ars Technica.

Taking a look at several pages' source code, I believe I
might have found the vector for the clipboard hijack:
edge.quantserve.com. In each case, it is pulling a bit of
javascript. It might be time to temporarily disable the
hosts file, run Fiddler (an HTTP debugging utility) and
see if this can be confirmed.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Sun, 17 Aug 2008 15:07:55 EDT

swhx7 : At first I was sure this couldn't be done Javascript alone in Mozilla browsers. On following some links, I found one poster saying he did it with 20 lines of Javascript but only if a default was changed in about:config.

The only source for a claim that it happened on Firefox is this post ( »discussions.apple.com/thread.jsp···=7768848 ) on a Mac forum. As other posters suggested there, it probably relied on a plugin such as Java or Flash. Only Microsoft counts it as a positive "feature" that web pages can overwrite the clipboard. At least IE now has a more nearly explanatory label on the means to turn it off (it used to be "Allow paste operations via script").

Is it on by default in IE7 or 8?

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Sat, 16 Aug 2008 08:18:40 EDT

anon : Try disabling the "Clipbook" service and see if it works...

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Sat, 16 Aug 2008 01:50:07 EDT

mysec : Thanks for the link.

Meanwhile, a search around the internet reveals that various codes for this "feature" or "exploit" have been around for a long time.

As a "feature" people put code into their web pages with buttons to activate the copy/paste. Or to auto-copy text in a form.

As an "exploit" where you force something to be copied to the clipboard, here is one I found for IE5/6:

I tried it even with that feature disabled in Options as mentioned by therube or even if Scripting is disabled, but it works anyway. I might not be doing something right in Options -- I don't know IE that well.

As far as exploiting other browsers -- unfortunately no one in the Mac forum kept the URL for the offending page, and theories ranged from Java and Flash to Ajax as being able to write continuously to the clipboard, forcing the user to reboot to clear the clipboard.

By the way - what do you suppose was copied to the clipboard of the Mac user mentioned on the Apple forum? If you guessed the WinAntiVirus2009 freescan site URL, you win a prize!

EDIT:

Here is a site which tests IE for capturing your last clipboard entry. The code is different, and the paste fails if I have scripting disabled, or "Allow paste operations via script" disabled.

»www.sourcecodesworld.com/special···oard.asp

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Fri, 15 Aug 2008 21:29:07 EDT

Doctor Four : And it isn't just Windows/IE users that are being hit
by this. Here's a nail in the coffin for those who think
Apple and Firefox are more secure:
»msmvps.com/blogs/spywaresucks/ar···705.aspx

The incident Sandi describes involves a Mac user and the
Firefox browser.

Apparently this copy/paste malware is also hitting Facebook
and Digg users, as posters to Apple Discussions have noted.
I don't know about Facebook, but looking at the source of
Digg's home page indicates something might be in common with
MSN and MSNBC: Microsoft advertising.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 13 Aug 2008 23:34:58 EDT

mysec : Thanks for the information. Unfortunately, links from this site explaining the script code for cut, copy, paste, bring up "Content not found"

»msdn.microsoft.com/en-us/library···85).aspx

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 13 Aug 2008 10:45:53 EDT

therube : And it looks like we're coming back to ActiveX too. And IE. IE being a "trusted" application, of course.

Why might one have "Clipboard access" enabled? Well, because MS tells you to do so.

quote:
ActiveX controls are used for certain functionality in Microsoft Office Project Professional 2007 and in Microsoft Office Project Web Access. In order for the ActiveX controls to work properly, the Office Project Web Access Web site must be added to the list of trusted sites in Internet Explorer. There are additional security settings that can be configured, but they are optional.

»technet.microsoft.com/en-us/libr···703.aspx

Perhaps this cannot even be disabled in IE6?

Disable Allow This Webpage to Access Your Clipboard Pop-Up Warning Message in IE7

Picture here of what the prompt would look like, »msdn.microsoft.com/en-us/library···85).aspx

Appears you can disable this in IE6 too, »forums.spybot.info/archive/index···665.html.

That post includes a link to a site that retrieves your clipboard information, »www.sourcecodesworld.com/special···oard.asp.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 13 Aug 2008 10:37:03 EDT

therube :

quote:
This should be blocked by setting Internet Options, Security, Internet Zone, Scripting, "Allow programmatic Clipboard access" to Disable.

I would be curious if this setting failed to block this vector.

»msmvps.com/blogs/spywaresucks/ar···062.aspx

So it appears this would be a vector in IE that is being exploited? In my case (& I don't use IE) Clipboard access is set to "prompt". (Wonder what a prompt looks like or how I would respond to it if I were prompted?)

And then this, Rogue ads pushing malware -- how it works, describes simply Refreshing the MLB web page & the popups start appearing? Which kind of doesn't make sense?

So combine the two & perhaps Flash related? JavaScript related? JS being allowed to run in Flash?

And there must be some code somewhere on an infected web site that allows the clipboard overwrite to take place. Again perhaps via Flash & JavaScript?

(How can anyone say that using a Mozilla browser & NoScript does not have the potential to help is browsing safely.)

EDIT:
So perhaps MLB was injected with code, using a META tag to force malware page to open. Something like this:

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 13 Aug 2008 09:22:31 EDT

doppler :

said by avd706 :

said by doppler :

said by Doctor Four :

Windows - by default, the home page for IE 7 is MSN.

And this is the reason why I hate windows IE (pick any version)
The Default page should be about:blank. If the homepage
is taken over in some way, everybody is in danger. If I
wish to be dangerous. I don't need microsofts help.

I don't get it. Every browser has a home page. All you have to do is shut off your internet and you can change a bad home page without opening it. (You might have to clear your cache first though.)

What you don't realize is every new computer rolling off
the countless assembly lines. Has MSN website as the
default. Only .01% of users of computers these days
know enough about using them. Let alone using them
correctly. If it wasn't for the other 99.99% I would
not be in the nice side business of fixing microsofts
dumb marketing decisions.

Yes, the homepage default of MSN.COM is a marketing driven
decision. What better way to get eyes on your website
than to make the default page be yours.

Look at how many people ask for help. In fixing there hijacked
browsers. HIJACKTHIS, would not exsist if the browser
default was hard to change, from your preferred setting.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 13 Aug 2008 07:59:29 EDT

avd706 :

said by doppler :

said by Doctor Four :

Windows - by default, the home page for IE 7 is MSN.

I don't get it. Every browser has a home page. All you have to do is shut off your internet and you can change a bad home page without opening it. (You might have to clear your cache first though.)

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Wed, 13 Aug 2008 06:57:51 EDT

doppler :

said by Doctor Four :

Windows - by default, the home page for IE 7 is MSN.

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Tue, 12 Aug 2008 19:06:30 EDT

mysec :

said by Doctor Four :

Sandi Hardmeier, in her Spyware Sucks blog, is warning of a
new type of malvertisement that overwrites Windows' clipboard,

Has anyone seen the source code that shows how this is done?

Virus Warning

Tue, 12 Aug 2008 15:07:03 EDT

avd706 :

said by Doctor Four :

It appears to be hitting people who visit MSNBC.com:

»msmvps.com/blogs/spywaresucks/ar···062.aspx

The fraudware site is xp-vista-update.net, which is in the
MVPS hosts file (probably a recent addition as it is near
the bottom when I searched for it).

I hope you copied that link by hand... you didn't use cut/paste did you??

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Sun, 10 Aug 2008 11:43:01 EDT

Doctor Four : This could be happening with one of Microsoft's ad providers,
which means MSN might also have the malvertisement. This
could explain one of the forum posts Sandi linked that said
this kept coming back even after a reformat and reinstall of
Windows - by default, the home page for IE 7 is MSN.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Sun, 10 Aug 2008 06:57:31 EDT

Kayrac : PLEASE DO NOT CLICK THESE LINKS UNLESS YOU KNOW WHAT YOUR DOING
-----------------------------------------------------------

Okay so basically the website listed goes like so
(this is currently they could very easily change the redirects at any given time)

this variant has almost 0 detection btw

»www.virustotal.com/analisis/48bb···57e443d0

-Brian

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Sun, 10 Aug 2008 04:44:50 EDT

amysheehan : NOTE: Link in post at MSNBC has recently been edited and made viewable in post - I expect it to be removed soon.

-amy-
:)

Post has been recently edited

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Sun, 10 Aug 2008 03:15:33 EDT

amysheehan : Here's a screenshot of what happens when you try the link posted in the MSNBC forum.

Note: I notified MSNBC webmaster div contact about this post and added the URL to Sandi's warning and to your topic here as well.

Thanks for posting this info, too !!!
-amy-
:)
--
Proud Member of ASAP
DSLR Phishtracker

Norton alert

Malvertisement on MSNBC.com using clipboard (copy/paste)

Sat, 09 Aug 2008 15:26:45 EDT

Doctor Four : Sandi Hardmeier, in her Spyware Sucks blog, is warning of a
new type of malvertisement that overwrites Windows' clipboard,
hoping that its URL will be pasted into blog entries, email and
so on. It appears to be hitting people who visit MSNBC.com:

»msmvps.com/blogs/spywaresucks/ar···062.aspx

The fraudware site is xp-vista-update.net, which is in the
MVPS hosts file (probably a recent addition as it is near
the bottom when I searched for it).
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)