mysec
Premium Member
join:2005-11-29
2 edits
1 recommendation
mysec to MGD

Re: foxnews.com infected?

said by Comment by Anita in VA:

April 18th, 2009 at 6:52 am
Good morning fellow bloggers–

I have a quick question–have any of you experience, when first accessing the Greenroom Blog, a Windows Explorer popup windows, saying you need to run a virus scan on your computer?...

jimmy/all–yes, that was actually the FakeAlert Trojan–

other bloggers–if you also got that popup, run a REAL virus scan of your computer,

even if you X’d out of it. You’re probably now infected with the FakeAvAlert Trojan


This is just wrong since it's pretty much agreed that the user/victim has to click in the download box to get the trojan onto the system.

Am I interpreting her statement correctly? If so, how misleading and unnecessarily fear-provoking such a statement is for her readers.

This notion came up last year when new exploits of WinAntiVirus surfaced, and in a long thread, bcastner made it clear that this is not a drive-by download exploit.

Much has been written and commented on concerning the much feared drive-by download. From my viewpoint, these types of exploits are very easy to prevent when proper security is in place. Most of the time they need to bypass several security measures before achieving success.

By the way, the term "drive-by" limits the exploits to web sites. Notice that Microsoft uses the more comprehensive phrase, "Remote Code Execution:"

»www.microsoft.com/techne ··· 014.mspx
The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer

»www.microsoft.com/techne ··· 009.mspx
The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file.

In both cases, malicious code executes "remotely" - automatically.

PDF exploits in the wild fall into both categories:

• the one on the Fox News site is web-based

• others arrive by email where the user/victim decides to open the file.

The end result is the same: code in the PDF file calls out to a server hosting malware which is then downloaded to the user/victim's computer.

The Fox News PDF web-based exploit is a good example of remote code execution. In order for it to succeed, 4 requirements must be in place. I'll summarize from previous posts.

1) Scripting enabled. (Javascript, not Java).

If I disable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.

2) The PDF file must load into the browser. If the browser is configured to Prompt for a Download...

... the user is in the same position as with the WinAntiVirus exploit: to be victimized, the user must consent to download.

In both cases, the reaction should be: Hey, I didn't go looking for this. CANCEL. With the fake antivirus exploit, the suggestion is to close the browser process in Task Manager.

3) The 3rd requirement for the PDF exploit by remote code execution is that the Acrobat Reader must connect out to the internet to retrieve the malware. Outbound firewall monitoring will permit only those applications previously authorized by the user. The PDF Reader, of course, should not be given free access to the internet.

4) Finally, the trojan must be able to download/install without anything blocking it. The most secure protection for these types of exploits is some type of White Listing which blocks ALL unauthorized executable files that attempt to download/install:

File load.exe received on 04.17.2009 08:39:38 (CET)
Sunbelt 3.2.1858.2 2009.04.17 InfoStealer.Snifula.a (v)

Other solutions include running in a non-Administrator account and configuring Software Restriction Policies.

If this malicious PDF arrived by email and the user opened it, note that proper security at steps 3) and 4) would block the exploit from succeeding.

I hope you can see why Remote Code Execution Exploits should be the easiest to prevent. Look at all of the hurdles necessary to jump before the exploit is successful.

While something certainly needs to be done about stopping the occurrence of exploits on web pages, for people with proper security protection and policies in place they are an annoying nuisance rather than a threat.

----
rich
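The two host-side controls the post relies on at steps 3) and 4), a default-deny per-application outbound firewall and a default-deny executable allowlist, can be modelled in a few lines. The block below is an added example, not code from the thread or from any product mentioned in it; the firewall log format, the image names, the destination addresses and the "known good" hashes are all constructed for the demo, and a real personal firewall or Software Restriction Policy keys off signed publishers, paths or hashes rather than the toy byte strings used here.

```python
"""Added example (not from the dslreports thread): a minimal model of the
controls at steps 3) and 4) of the post: a default-deny per-application
outbound firewall and a default-deny executable allowlist.
Every log line, hash and path below is constructed for the demo."""
import hashlib
import re
from dataclasses import dataclass

# Constructed outbound-connection events in the style of a personal
# firewall log: timestamp, direction, image name, destination host:port.
FIREWALL_EVENTS = """\
2009-04-17 08:39:10 OUT firefox.exe 203.0.113.10:80
2009-04-17 08:39:31 OUT AcroRd32.exe 203.0.113.55:80
2009-04-17 08:39:38 OUT AcroRd32.exe 203.0.113.55:80
2009-04-17 08:40:02 OUT outlook.exe 198.51.100.7:993
"""

# Applications the user has previously authorized for outbound access.
# The PDF reader is deliberately absent, as the post recommends.
OUTBOUND_ALLOWLIST = {"firefox.exe", "opera.exe", "outlook.exe"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT (?P<image>\S+) (?P<host>[\d.]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Verdict:
    ts: str
    image: str
    dest: str
    allowed: bool


def evaluate_outbound(log: str, allowlist: set[str]) -> list[Verdict]:
    """Step 3: default-deny; only images on the allowlist may connect out."""
    allowed_images = {a.lower() for a in allowlist}
    verdicts = []
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than guessing
        image = m["image"].lower()
        verdicts.append(Verdict(m["ts"], image, f"{m['host']}:{m['port']}",
                                image in allowed_images))
    return verdicts


def blocked_images(log: str, allowlist: set[str]) -> set[str]:
    """Images that tried to connect out without prior authorization."""
    return {v.image for v in evaluate_outbound(log, allowlist) if not v.allowed}


# Step 4: executable allowlisting by content hash. A binary is identified
# by the SHA-256 of its bytes, so a renamed or freshly dropped file is
# refused regardless of what it is called.
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for binaries already installed on the machine.
KNOWN_GOOD = {sha256_hex(b"constructed bytes of firefox.exe"),
              sha256_hex(b"constructed bytes of AcroRd32.exe")}


def may_execute(file_bytes: bytes, allowlist: set[str]) -> bool:
    """Default-deny execution: run only if the file's hash is allowlisted."""
    return sha256_hex(file_bytes) in allowlist


def simulate_pdf_chain(reader_allowed_out: bool, payload_bytes: bytes) -> str:
    """Report where the post's 4-step chain stops under these two controls.
    Steps 1) and 2) (scripting, PDF loading in the browser) are assumed to
    have already succeeded so that the host-side controls are exercised."""
    if not reader_allowed_out:
        return "blocked at step 3: reader has no outbound permission"
    if not may_execute(payload_bytes, KNOWN_GOOD):
        return "blocked at step 4: payload not on the execution allowlist"
    return "chain completed"


if __name__ == "__main__":
    for v in evaluate_outbound(FIREWALL_EVENTS, OUTBOUND_ALLOWLIST):
        print(v.ts, v.image, v.dest, "ALLOW" if v.allowed else "DENY")
    print(simulate_pdf_chain(False, b"constructed bytes of load.exe"))
    print(simulate_pdf_chain(True, b"constructed bytes of load.exe"))
```

Run as a script it prints a verdict per log line, denying both AcroRd32.exe attempts, then shows the chain stopping at step 3 and, if the reader had been authorized, at step 4. The point the model makes is the one the post makes: each control is independent, so the exploit has to get past both, and neither depends on knowing the exploit in advance.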

planet
join:2001-11-05
Oz
Member
quote:
1) Scripting disabled. (Javascript, not Java).

If I enable Javascript in Firefox's Options and in Opera's Preferences, nothing happens: this exploit (and the WinAntiVirus exploit) fails at this point.
Wow, so in this case scripting is disabled. I thought javascript would be needed.

So, if the pdf loads in the browser window, then a software FW configured properly should request permission for adobe to access the net, is this correct?

And, what if you are using the latest adobe reader, 9.1, is this exploit still possible?
Sentinel
Premium Member
join:2001-02-07
Florida

I wonder if this could be another thing I am doing that blocks this behavior.

I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out.
mysec
Premium Member
join:2005-11-29
mysec to planet
said by planet:

quote:
1) Scripting disabled. (Javascript, not Java).
Wow, so in this case scripting is disabled. I thought javascript would be needed.

Ooops - a booboo - that should be reversed, of course! Thanks for noticing that!

Javascript is required, and with it disabled, none of those exploits at Foxnews work.

Sorry for the confusion. I changed that in my post.
said by planet:

So, if the pdf loads in the browser window, then a software FW configured properly should request permission for adobe to access the net, is this correct?

That is correct.
said by planet:

And, what if you are using the latest adobe reader, 9.1, is this exploit still possible?

No, nor are any of the exploits against IE possible if patched.

The problem, of course, is that many exploits go unpatched for a while after they are released in the wild. The recent PDF exploit, if you remember: it was several weeks before a patch was released.

Patching and updating are certainly preventative measures. Someone mentioned using a Hosts file. The important thing is that everyone understands what they are protecting against and ensures that their security setup provides appropriate preventative measures.

This is not always easy because often advisories about a new exploit don't give a lot of information, so you have to do some research.
said by Sentinel:

I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out.

This exploit works only against the PDF reader, so even if the PDF file loaded in the browser, nothing would happen without the Adobe Reader being installed.

You may remember the most recent PDF exploit used some type of image rendering engine in the Adobe Reader. Foxit also uses something similar and there was concern amongst Foxit readers that they might be vulnerable. Foxit support assured users on their forum that Foxit uses a different engine and was not susceptible to the current exploit.

----
rich