Quoting a comment by Anita in VA, April 18th, 2009 at 6:52 am:
Good morning fellow bloggers
I have a quick question... have any of you experienced, when first accessing the Greenroom Blog, a Windows Explorer popup window saying you need to run a virus scan on your computer?...
jimmy/all... yes, that was actually the FakeAlert Trojan.
Other bloggers... if you also got that popup, run a REAL virus scan of your computer, even if you X'd out of it. You're probably now infected with the FakeAvAlert Trojan.
This is just wrong, since it's pretty much agreed that the user/victim has to click in the download box to get the trojan onto the system.
Am I interpreting her statement correctly? If so, how misleading and unnecessarily fear-provoking such a statement is for her readers.
This notion came up last year when new exploits of WinAntiVirus surfaced, and in a long thread bcastner made it clear that this is not a drive-by download exploit.
Much has been written and commented on concerning the much feared drive-by download. From my viewpoint, these types of exploits are very easy to prevent when proper security is in place. Most of the time they need to bypass several security measures before achieving success.
By the way, the term "drive-by" limits the exploits to web sites. Notice that Microsoft uses the more comprehensive phrase "Remote Code Execution":
The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer
The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file.
In both cases, malicious code executes "remotely" - automatically.
PDF exploits in the wild fall into both categories:
• the one on the Fox News site is web-based
• others arrive by email, where the user/victim decides to open the file.
The end result is the same: code in the PDF file calls out to a server hosting malware which is then downloaded to the user/victim's computer.
The Fox News PDF web-based exploit is a good example of remote code execution. In order for it to succeed, 4 requirements must be in place. I'll summarize from previous posts.
1) The PDF file must load into the browser. If the browser is configured to Prompt for a Download...
... the user is in the same position as with the WinAntiVirus exploit: to be victimized, the user must consent to download.
In both cases, the reaction should be: Hey, I didn't go looking for this. CANCEL. With the fake antivirus exploit, the suggestion is to close the browser process in Task Manager.
3) The 3rd requirement for the PDF exploit by remote code execution is that the Acrobat Reader must connect out to the internet to retrieve the malware. Outbound firewall monitoring will permit only those applications previously authorized by the user. The PDF Reader, of course, should not be given free access to the internet:
Finally, the trojan must be able to download/install without anything blocking it. The most secure protection for these types of exploits is some type of White Listing which blocks ALL unauthorized executable files that attempt to download/install:
File load.exe received on 04.17.2009 08:39:38 (CET)
Sunbelt 3.2.1858.2 2009.04.17 InfoStealer.Snifula.a (v)
Other solutions include running in a non-Administrator account and configuring Software Restriction Policies.
If this malicious PDF arrived by email and the user opened it, note that proper security at steps 3) would block the exploit from succeeding.
I hope you can see why Remote Code Execution Exploits should be the easiest to prevent. Look at all of the hurdles necessary to jump before the exploit is successful.
While something certainly needs to be done about stopping the occurrence of exploits on web pages, for people with proper security protection and policies in place they are an annoying nuisance rather than a threat.