Re: foxnews.com infected?

MGD (MVM) to Florida Dan

said by Florida Dan:

said by Sentinel:

...I use a hosts file to block ads as well.
Methinks that's the ticket.
That may be one of several reasons why some users were never exposed, nor triggered any other alerts. I spent some time checking the ad rotations and noticed that several of the domains showed up as blocked in several hosts files. As a first line of defense, that may have prevented many AV and script blockers from barking.

Foxnews.com offers a comprehensive list of advertiser options: »advertise.foxnews.com/cr ··· e-specs/ and also the following Approved Third Party Vendors:

Atlas
Doubleclick
Eyeblaster
Eyewonder
Klipmart
Pointroll
Unicast
Zedo

Ref: »advertise.foxnews.com/cr ··· vendors/

I spent several hours reviewing the top banner ads; many are Flash, but not all. One issue that I noted is that there were several complaints of infection attempts while on blogs.foxnews.com, which appears to have fewer ads than the other pages.

For example, posters on "FOX News Blogs » Alisyn in the Greenroom" noted the following on 04/18
quote:
Comment by Anita in VA
April 18th, 2009 at 6:52 am
Good morning fellow bloggers–

I have a quick question–have any of you experience, when first accessing the Greenroom Blog, a Windows Explorer popup windows, saying you need to run a virus scan on your computer?

I had it happened last saturday, when on work travel, from my work computer, and then again this morning, from my home computer.

Comment by Jimmy
April 18th, 2009 at 6:54 am
yes Anita…..it a shame…ran my program…no infections….they bother you to try to get you to buy their program….do not load the program

Comment by Anita in VA
April 18th, 2009 at 6:59 am
jimmy/all–yes, that was actually the FakeAlert Trojan–

other bloggers–if you also got that popup, run a REAL virus scan of your computer, even if you X’d out of it. You’re probably now infected with the FakeAvAlert Trojan

Alisyn/Foxnews–
Please scan your website pages, it was definitely a link/ad on your pages that produced the popup that infects with the FakeAVAlert Trojan.

Ref: »greenroom.blogs.foxnews. ··· ning-15/

I hope that Fox comes forward and informs the public of its findings. I believe it is important that the exploit vector is made public so that everyone can be aware of the methods that are used.

This epidemic has affected many high traffic sites, irrespective of the content. Cybercriminals are not selective. However, the compromising of such a high value target warrants some disclosure of the facts, in order to mitigate additional potential targets, and address issues with third party advertisers.

Fox's own stats list:

13.5 Million Unique users per month

615 Million Page views per month

That is a significant potential exposure. One can debate how many visitors come from fully patched updated systems, and are savvy enough to weave through the fake screens if exposed.

One interesting side note: while vetting the top banner ads last night, a non-Flash advertisement came up for E*TRADE. There was absolutely no nefarious activity associated with it. However, it was impossible to perform any vetting of the source. The properties of the ad appeared to link to a subdirectory of Lorentrio.com, which is hosted in Holland on a Leaseweb IP 94.75.216.152

The initial concern was the entire anonymity of the set up.

There are 10 domains hosted on IP 94.75.216.152:

01. Alitasis.com
02. Idatrinity.com
03. Junstring.com
04. Kemerlane.com
05. Lacoste-ads.com
06. Lorentrio.com
07. Mosdao.com
08. Namlean.com
09. Nokia-corp.com
10. Tornadomb.com

One would assume that "Nokia" could be a copyright issue. The eyebrow raiser is that all of these domains were registered within the last month or so. All appeared to be registered using ICANN Registrar:

DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A
PUBLICDOMAINREGISTRY.COM

In addition, they were all registered using a cloaking service PrivacyProtect.org:

Such as:
quote:
Registration Service Provided By: REGISTER SERVICES
Contact: +001.8882106539

Domain Name: LORENTRIO.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 29-Mar-2009
Expiration Date: 29-Mar-2010

Again, nothing appeared wrong with the ad; however, in most other circumstances the above criteria would be cause for concern. Though not necessarily unusual in these circumstances, all the domains contain a "deny all" robots.txt file. Who are these people??

As Cometcom1 noted to me, and I believe it was also mentioned in Dancho Danchev's blog, Google's safe browsing diagnostic of foxnews.com notes the site as not suspicious. It is somewhat ambiguous as they do note that:
quote:
"Malicious software is hosted on 3 domain(s), including 2mdn.net/, s3.wordpress.com/, llnwd.net/."


»www.google.com/safebrows ··· news.com
Snapped 2009-04-21 00:45:11


If you check Google's analysis of one of the above three:
s3.wordpress.com, it shows:
quote:
Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1 domain(s), including foxnews.com/.


»www.google.com/safebrows ··· ess.com/
Snapped 2009-04-21 00:44:54


I hope the focus can remain on the current stage of this epidemic and systemic organized cyber crime, and not on what the content of the infested high traffic website du-jour is. This problem will continue to invade the entire internet until concerted efforts are made to go after the money, and the commercial and financial systems that are utilized to support it.

MGD
mysec (Premium Member)

said by Anita in VA (blog comment):

April 18th, 2009 at 6:52 am
Good morning fellow bloggers–

I have a quick question–have any of you experience, when first accessing the Greenroom Blog, a Windows Explorer popup windows, saying you need to run a virus scan on your computer?...

jimmy/all–yes, that was actually the FakeAlert Trojan–

other bloggers–if you also got that popup, run a REAL virus scan of your computer,

even if you X’d out of it. You’re probably now infected with the FakeAvAlert Trojan


This is just wrong since it's pretty much agreed that the user/victim has to click in the download box to get the trojan onto the system.

Am I interpreting correctly her statement? If so, how misleading and unnecessarily fear-provoking such a statement is for her readers.

This notion came up last year when new exploits of WinAntiVirus surfaced, and in a long thread, bcastner made it clear that this is not a drive-by download exploit.

Much has been written and commented on concerning the much feared drive-by download. From my viewpoint, these types of exploits are very easy to prevent when proper security is in place. Most of the time they need to bypass several security measures before achieving success.

By the way, the term "drive-by" limits the exploits to web sites. Notice that Microsoft uses the more comprehensive phrase, "Remote Code Execution:"

»www.microsoft.com/techne ··· 014.mspx
The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer

»www.microsoft.com/techne ··· 009.mspx
The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file.

In both cases, malicious code executes "remotely" - automatically.

PDF exploits in the wild fall into both categories:
• the one on the Fox News site is web-based
• others arrive by email where the user/victim decides to open the file.

The end result is the same: code in the PDF file calls out to a server hosting malware which is then downloaded to the user/victim's computer.

The Fox News PDF web-based exploit is a good example of remote code execution. In order for it to succeed, 4 requirements must be in place. I'll summarize from previous posts.

1) Scripting enabled. (Javascript, not Java).

If I disable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.

2) The PDF file must load into the browser. If the browser is configured to Prompt for a Download...

... the user is in the same position as with the WinAntiVirus exploit: to be victimized, the user must consent to download.

In both cases, the reaction should be: Hey, I didn't go looking for this. CANCEL. With the fake antivirus exploit, the suggestion is to close the browser process in Task Manager.

3) The 3rd requirement for the PDF exploit by remote code execution is that the Acrobat Reader must connect out to the internet to retrieve the malware. Outbound firewall monitoring will permit only those applications previously authorized by the user. The PDF Reader, of course, should not be given free access to the internet.

4) Finally, the trojan must be able to download/install without anything blocking it. The most secure protection for these types of exploits is some type of White Listing which blocks ALL unauthorized executable files that attempt to download/install:

File load.exe received on 04.17.2009 08:39:38 (CET)
Sunbelt 3.2.1858.2 2009.04.17 InfoStealer.Snifula.a (v)

Other solutions include running in a non-Administrator account; configuring Software Restriction Policies.

If this malicious PDF arrived by email and the user opened it, note that proper security at steps 3) and 4) would block the exploit from succeeding.

I hope you can see why Remote Code Execution Exploits should be the easiest to prevent. Look at all of the hurdles necessary to jump before the exploit is successful.

While something certainly needs to be done about stopping the occurrence of exploits on web pages, nonetheless for people with proper security protection and policies in place, they are an annoying nuisance rather than a threat.

----
rich
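As an added example (not code from the thread or from any poster), here is the kind of triage check a defender would run against a PDF to see whether step 1 above even applies: does the file carry JavaScript, and is it wired to run on open without a click? PDF names may be hex-escaped, so the check normalizes them first, the way triage tools such as pdfid do. The sample PDF bytes are constructed and only pop a harmless alert.

```python
import re

# Name objects a PDF triage tool counts; the first four are the ones that
# matter for "JavaScript required" (/JavaScript, /JS) and "runs on open"
# (/OpenAction, /AA = additional actions).
SUSPICIOUS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/URI", "/EmbeddedFile")

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count each suspicious name token in the normalized PDF bytes."""
    norm = normalize_names(data)
    counts = {}
    for kw in SUSPICIOUS:
        # The lookahead stops /JS from also matching a longer name such as /JSx.
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        counts[kw] = len(re.findall(pattern, norm))
    return counts

def is_suspicious(counts: dict) -> bool:
    """Flag a file that carries JavaScript and a trigger that fires without a click."""
    has_js = counts["/JavaScript"] + counts["/JS"] > 0
    auto_trigger = counts["/OpenAction"] + counts["/AA"] > 0
    return has_js and auto_trigger

# Constructed sample: a minimal PDF whose catalog runs a harmless alert on open,
# with the action name hex-escaped (an assumption, to exercise the normalizer).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    c = scan_pdf(SAMPLE_PDF)
    print(c, "suspicious" if is_suspicious(c) else "clean")
```

A hit here is a reason to treat the file the way mysec describes (cancel the download, keep the reader off the network), not proof of an exploit; many legitimate forms also carry JavaScript.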

planet (Member, Oz)

quote:
1) Scripting disabled. (Javascript, not Java).

If I enable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.
Wow, so in this case scripting is disabled. I thought javascript would be needed.

So, if the pdf loads in the browser window, then a software FW configured properly should request permission for adobe to access the net, is this correct?

And, what if you are using the latest adobe reader, 9.1, is this exploit still possible?
Sentinel (Premium Member, Florida)

I wonder if this could be another thing I am doing that blocks this behavior.

I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out.
mysec (Premium Member) to planet
said by planet:

quote:
1) Scripting disabled. (Javascript, not Java).
Wow, so in this case scripting is disabled. I thought javascript would be needed.

Ooops - a booboo - that should be reversed, of course! Thanks for noticing that!

Javascript is required, and with it disabled, none of those exploits at Foxnews work.

Sorry for the confusion. I changed that in my post.
said by planet:

So, if the pdf loads in the browser window, then a software FW configured properly should request permission for adobe to access the net, is this correct?

That is correct.
said by planet:

And, what if you are using the latest adobe reader, 9.1, is this exploit still possible?

No, nor are any of the exploits against IE possible if patched.

The problem, of course, is that many exploits go unpatched for a while after they are released in the wild. The recent PDF exploit, if you remember: it was several weeks before a patch was released.

Patching and updating are certainly preventative measures. Someone mentioned using a Hosts file. The important thing is that everyone understand what they are protecting against and ensure that their security setup provides appropriate preventative measures.

This is not always easy because often advisories about a new exploit don't give a lot of information, so you have to do some research.
said by Sentinel:

I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out.

This exploit works only against the PDF reader, so even if the PDF file loaded in the browser, nothing would happen without the Adobe Reader being installed.

You may remember the most recent PDF exploit used some type of image rendering engine in the Adobe Reader. Foxit also uses something similar and there was concern amongst Foxit readers that they might be vulnerable. Foxit support assured users on their forum that Foxit uses a different engine and was not susceptible to the current exploit.

----
rich
Graycode (Member) to MGD
said by MGD:

Foxnews.com offers a comprehensive list of advertiser options: »advertise.foxnews.com/cr ··· e-specs/ and also the following Approved Third Party Vendors:

Atlas
Doubleclick
Eyeblaster
Eyewonder
Klipmart
Pointroll
Unicast
Zedo

Ref: »advertise.foxnews.com/cr ··· vendors/
Why no mention of adsonar.com? The foxnews pages are splattered with scripting for them. Their script www.foxnews.com/js/adsonar.js is one that injects iframes into the pages being viewed. Foxnews also includes script hxxp://js.adsonar.com/js/adsonar.js and references ads.adsonar.com

I happen to block things from adsonar.com and they're also included in MVPS and HP_HOSTS.
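Hosts-file blocking, mentioned by Sentinel, MGD and Graycode above, matches exact hostnames only: an entry for adsonar.com does nothing for js.adsonar.com. The following is an added example (not code from the thread or from the MVPS or HP_HOSTS projects) that parses a hosts file and reports, for each third-party hostname seen on a page, whether it is blocked, only has a parent domain listed, or is not covered at all. The hosts content and the hostname list are constructed; s0.2mdn.net is an assumed subdomain of the 2mdn.net domain Google names above.

```python
import ipaddress

# Addresses that a blocking hosts file points names at.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

def parse_hosts(text: str) -> dict:
    """Map hostname -> address for every well-formed, non-comment hosts entry."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)           # skip malformed lines
        except ValueError:
            continue
        for name in names:
            entries[name.lower()] = addr
    return entries

def coverage(hosts: dict, hostnames) -> dict:
    """Classify each hostname as blocked, parent-only (a parent domain is
    listed, which does NOT block the subdomain), or unblocked."""
    result = {}
    for host in hostnames:
        h = host.lower().rstrip(".")
        if hosts.get(h) in BLOCK_TARGETS:
            result[h] = "blocked"
            continue
        labels = h.split(".")
        parents = [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
        if any(hosts.get(p) in BLOCK_TARGETS for p in parents):
            result[h] = "parent-only"
        else:
            result[h] = "unblocked"
    return result

# Constructed sample hosts file in the style of the MVPS / HP_HOSTS lists.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
0.0.0.0 adsonar.com
0.0.0.0 ads.adsonar.com
0.0.0.0 ad.doubleclick.net   # trailing comment
bogus line here
"""
# Constructed list of hostnames a page was observed loading from.
SEEN_ON_PAGE = ["ads.adsonar.com", "js.adsonar.com", "ad.doubleclick.net", "s0.2mdn.net"]

if __name__ == "__main__":
    for name, status in coverage(parse_hosts(SAMPLE_HOSTS), SEEN_ON_PAGE).items():
        print(f"{name:22} {status}")
```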
MGD (MVM)

said by Graycode:

..Why no mention of adsonar.com ? The foxnews pages are splattered with scripting for them. Their script www.foxnews.com/js/adsonar.js is one that injects iframes into the pages being viewed. Foxnews also includes script hxxp://js.adsonar.com/js/adsonar.js and references ads.adsonar.com

I happen to block things from adsonar.com and they're also included in MVPS and HP_HOSTS.
Indeed, adsonar references are all over the fox pages.

adsonar lists Foxnews.com as one of the locations they have access to advertise on (adsonar, aka quigo.com). Maybe the relationship is something other than a third party vendor.

MGD