 eburger68 Premium,MVM join:2001-04-28
Anatomy of a Drive-by-Install
Hi All:
Wayne Porter and Jan Hertens of XBlock have just posted a fascinating analysis of a collection of drive-by-installs of spyware and adware that occur at a dubious web site:
Anatomy of a Drive-By Install- Even on Firefox »www.spywareguide.com/articles/an···_72.html
Included in their write-up are videos, packet logs, and an extended traffic analysis of the site itself. Although this write-up is more than a little technical, it's well worth your time to have a look, as it offers real insight into how this kind of unethical, deceptive installation practice occurs.
It should be noted that Wayne and Jan are analyzing the same site that Suzi of Spyware Warrior did in her recent blog entry on 180solutions & CDT, Inc.:
Oh, What A Tangled Web We Weave... »netrn.net/spywareblog/archives/2···e-weave/
Like Wayne and Jan, Suzi also has videos (look at the end of the blog entry for the second). Where Wayne and Jan devote most of their attention to the underlying mechanics of the drive-by-installs, though, Suzi focuses on the behavior of the 180search Assistant from 180solutions, which is one of the adware programs installed by the site.
Moreover, where Suzi was testing primarily on Mozilla 1.7, Wayne and Jan test on Firefox and Internet Explorer. The site in question serves up different install packages based on the browser being used to visit the site.
Once you're finished reading these new articles from Wayne, Jan, and Suzi, you also ought to have a look at Ben Edelman's new series of articles on unethical installation methods being employed to install adware and spyware:
New Series on Spyware Installation Methods »www.benedelman.org/news/041105-1.html
Spyware Installation Methods (table) »www.benedelman.org/spyware/installations/
3D Desktop's Misleading Installation Methods (write-up) »www.benedelman.org/spyware/insta···ensaver/
There's some overlap between all these new articles, which complement each other very well. Each offers some unique insight into the problem of spyware, adware, and how these unwanted software programs are pushed on unsuspecting consumers, despite the profuse professions of innocence by the companies involved.
For those desiring still more reading on the same subject, you might take a look at one of my submissions to the FTC from last year (right about this time, in fact):
The Anatomy of a Drive-by-Download »https://netfiles.uiuc.edu/ehowes/www/dbd-anatomy.htm
In any case, happy reading.
All the best,
Eric L. Howes
 B Premium,MVM join:2000-10-28
The Porter/Hertens article seems to omit a rather important little detail -- what does the user have to do, if anything, in order to allow the spyware to install?
They show what the users SEE under each browser, but don't seem to discuss what the user would do or click next, or what he or she could do at that point to avoid the infections...?
-- B -- In a realm outside causality and function
  metrodust Hey Thats Mine
join:1999-12-10 Seattle, WA
said by B:
The Porter/Hertens article seems to omit a rather important little detail -- what does the user have to do, if anything, in order to allow the spyware to install? They show what the users SEE under each browser, but don't seem to discuss what the user would do or click next, or what he or she could do at that point to avoid the infections...? -- B
The simple answer to avoid infection would be to not click OK on the box that has the big yellow signs and the words INVALID and NOT TRUSTED all over it. -- When you are leaving.. heaven is a distance not a place. --Carissas Weird
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to eburger68
I'd love to read the article, but the webmaster needs to fix that site. It sprawls so badly that I have a horizontal scroll bar there and cannot see the article without long horizontal scrolling of each line. If I make the zoom below 100% then the horizontal scroll bar disappears but I can't read the tiny print. This is on Firefox and usually 100% to 120% text zoom is what I use on sites, but that site needs 150% or higher text zoom to be comfortably readable.
On IE, with the text set to "medium" I get an even WORSE horizontal scroll bar! So, that site really needs to fix things. Do they expect everyone to use "smallest" font size on IE? That is the only one that doesn't produce the horizontal scroll bar. I have a 19" flat panel LCD at 1280x1024. I think that site is designed for 800x600. Maybe I can read it without the horizontal scroll bar appearing if I used my 17" Trinitron connected to my older computer.
I suppose I can copy the article to Word when I have time and read it that way. -- The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789
 eburger68 Premium,MVM join:2001-04-28
reply to metrodust
metrodust:
said by metrodust:
The simple answer to avoid infection would be to not click OK on the box that has the big yellow signs and the words INVALID and NOT TRUSTED all over it.
It's purely a convenient coincidence that Integrated Search Technologies happens to be using an expired certificate from a CA not yet "trusted" by users (most of whom won't understand what it would take to "trust" a CA/issuer in the first place).
The fact that the user has not elected to trust the CA has NOTHING to do with the trustworthiness of the Java applet itself. IST could have just as easily used a cert from Thawte/Verisign, which would be trusted by default through the user's browser.
In fact, we see this all the time with ActiveX controls installed by spyware/adware through Internet Explorer, almost all of which are signed with certs issued by Thawte/Verisign. The fact that the ActiveX control has been signed with a cert issued by a trusted CA says absolutely *nothing* about the trustworthiness of the ActiveX control itself, because Thawte/Verisign will issue certs to just about anyone under any name. See Ben Edelman's recent discussion of this problem for more information:
»www.benedelman.org/news/020305-1.html
And what if IST were to get a new signing cert from Thawte/Verisign? Would you then advise users that the app was "trustworthy"?
Of course not, because the real problem lies elsewhere. The real problem with the Java applet Warning box is that it provides no useful information whatsoever to the user. None. Most users aren't going to be familiar with "Integrated Search Technologies," which sounds like an innocuous enough company. Still worse, there's not even a link, such as the much maligned ActiveX Security Warning box provides, for the user to get more information or read the EULA associated with the program.
And given that users will encounter these Java applet Warning boxes (or similar looking ones) frequently in their surfing around the Net, it's a serious problem that they don't have any useful method for distinguishing between trustworthy and non-trustworthy Java applets. The same holds true for ActiveX controls, though at least users can get to a EULA of some sort and Microsoft has implemented some changes in XP SP2 to take those Security Warning boxes out of users' faces.
It is a myth that the spyware/adware problem has been driven primarily by installations through security exploits. Always has been. In fact, those kinds of exploit-based installations really only took off in the last year or so. Since the beginning in 2000, the spyware/adware problem has largely been the depressing story of users getting bamboozled by adware vendors into "consenting" to the installation of unwanted software through a combination of trickery, poor information, and still poorer installation processes.
Eric L. Howes
  novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
reply to eburger68
Hmm, I downloaded the url.zip and looked at the URL list. My god, there's lots of them in there.
Not too long ago I was fortunate enough (unfortunately for Cool Web Search) to be able to log in to and delete the entire contents of an FTP site of theirs. Maybe they should have had the installer delete the .cmd file after install. I deleted approx. 18 gigs from the FTP: images, ads, links, HTML, and on the way out I changed the password. Of course the domain it was on was probably going to disappear in a couple of days anyhow, like the one in the .cmd file from a week earlier. -- DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel. Open source DNS server for *nix and Windows »powerdns.com
 bpm3k
join:2004-08-15 Simi Valley, CA
Deleted.
 TeMerc
join:2004-01-22 Phoenix, AZ
reply to eburger68
Thanks for the great reading Eric, I had already read and linked Ben's article the other night on my site; this of course expands things quite a bit.
said by eburger68:
Moreover, where Suzi was testing primarily on Mozilla 1.7, Wayne and Jan test on Firefox and Internet Explorer. The site in question serves up different install packages based on the browser being used to visit the site.
I guess it was just a matter of time before these lowlifes started writing dual coding to infect whichever browser you're running at the time. Just goes to show, no matter which browser you're running, you're always at risk. -- Remember............You can NEVER be OVERPROTECTED!! »temerc.com/
 inTulsa Premium join:2002-02-24
reply to eburger68
Caution - referenced malware scripts are EXECUTING in browsers viewing that spywareguide.com page!
Fortunately I block those domains ... but others won't be so lucky.
The earlier problem has been fixed.
eburger68 Premium,MVM join:2001-04-28
reply to eburger68
inTulsa:
Please direct your comments to the correct parties. I am not affiliated with XBlock nor do I control those pages.
Eric L. Howes
inTulsa Premium join:2002-02-24
Eric - My sincere apologies.
  redxii too big to fail Premium,Mod join:2001-02-26 Texas
reply to eburger68
said by eburger68:
It is a myth that the spyware/adware problem has been driven primarily by installations through security exploits .... depressing story of users getting bamboozled by adware vendors into "consenting" to the installation of unwanted software through a combination of trickery, poor information, and still poorer installation processes.
I posted this in an earlier thread, about ActiveX and IST: »Re: 180Solutions Buying Legitimacy? .. Don't know if you've seen it yet. I believe it supports your claim that it is a myth.
That is the Internet Explorer equivalent of the Java/Mozilla exploit. What I posted is found on exactly the same pages where the Java/Mozilla exploits are, only when viewed in IE.
Also, I should mention the click_run_to_remove_virus.exe was unable to execute under a limited account. -- Asus A7N8X-X, Athlon XP 2400+ @ 2.0GHz, 1024MB DDR RAM (@ PC2100), GeForce FX 5600Ultra 128MB, Samsung SD-616T 16x DVD-ROM and Sony CRX215E1 48x24x48 CD-RW, 40GB & 120GB HDD. Y I Hate L-i-n-u-x
  metrodust Hey Thats Mine
join:1999-12-10 Seattle, WA
reply to eburger68
The bottom line is still lack of education on the end-user's part.
 eburger68 Premium,MVM join:2001-04-28
reply to eburger68
metrodust:
Education of users is important. But it's even more important that we not let adware vendors off the hook by making excuses for their substandard, deceptive installation practices.
We can do both: educate users and insist on better behavior from adware vendors.
Eric L. Howes
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
reply to inTulsa
I noticed that as well. I didn't get hit by any of the parasites being profiled due to the use of the MVPS hosts file on my system, but others could very well have gotten infected. I wonder if anyone's contacted XBlock yet about it - the javascripts are very much active, and just visiting the page results in HTTP GET commands in my ad blocker (it logs all headers) for static.windupdates.com, ct4download.com, and xxxtoolbar.com, the host URLs for the parasites being profiled. -- "Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. To RIAA/MPAA - You can sue but you can't catch everyone!
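The check Doctor Four's hosts file and header-logging ad blocker are performing, as an added Python illustration that is not code from the thread, XBlock or MVPS: parse a hosts-file style blocklist and flag logged outbound requests whose host, or a parent domain of it, is listed. The blocklist excerpt and log lines are constructed; the three domains are the ones named in the post above.

```python
# Added illustration, not code from the thread, XBlock or MVPS: parse a
# hosts-file style blocklist and flag logged requests to listed hosts.
# Blocklist excerpt and log lines are constructed; the three domains are
# the ones named in the post above.
from urllib.parse import urlsplit

SAMPLE_HOSTS = """\
# constructed blocklist excerpt in MVPS hosts-file format
127.0.0.1 localhost
0.0.0.0 static.windupdates.com
0.0.0.0 ct4download.com
0.0.0.0 xxxtoolbar.com
"""

# Constructed ad-blocker log lines: "<time> <method> <url>".
SAMPLE_LOG = """\
10:01:02 GET http://www.spywareguide.com/articles/anatomy.html
10:01:03 GET http://static.windupdates.com/inst.js
10:01:03 GET http://cdn.ct4download.com/load.cab?v=2
10:01:04 GET http://example.com/xxxtoolbar.com.html
10:01:05 GET http://XXXTOOLBAR.COM:8080/tb.exe
"""


def parse_hosts(text):
    """Blocked domains from hosts text; comments and localhost skipped."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[1].lower() != "localhost":
            blocked.add(parts[1].lower().rstrip("."))
    return blocked


def is_blocked(host, blocked):
    """True if host or any parent domain is listed (subdomains count)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def flag_requests(log_text, blocked):
    """Return (timestamp, host) for each logged request to a blocked host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        host = urlsplit(parts[2]).hostname  # drops scheme, port, path
        if host and is_blocked(host, blocked):
            hits.append((parts[0], host))
    return hits
```

Note that the fourth log line is not flagged: the blocked name appears only in the path, and matching is done on the host alone, while the uppercase host with a port on the last line still matches.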
 Kiwi Premium join:2003-05-26 USA
reply to eburger68
I was reading this and wondered, are people still using ActiveX & Java? Mine have always been disabled even though I maintain current updates, except for MS critical updates and the rather rare speed test on DSLR.
Using buffer overflow vulnerabilities, or if you like 'Exploits' can be minimised by third party software & surfing habits. I personally hate certificate verification, serves no purpose to the end user at all and wish companies would quit using it!
{Edit}BTW -Your first link to 'Home' seems to have been DoSd & framed to avoid backing out.
Good articles though, Eric.
Cheers -- 2.66g/533fsb Intel CPU @ 3.48g 512meg Twinmos PC3700~466 DDR @ 2.8v -PCpower&Cooling 512. ATI 9500 Pro @ 9700 Pro @1.6v -- AMD ASUS A7N8X-E ~ 2500+ @3200 ATI 9500 Pro, Corsair 512LL.-- Aristotle.net
 inTulsa Premium join:2002-02-24
reply to Doctor Four
said by Doctor Four:
I wonder if anyone's contacted XBlock yet about it - the javascripts are very much active, ...
Email was sent, a "ticket" on the issue has been opened.
eburger68 Premium,MVM join:2001-04-28
reply to eburger68
inTulsa:
Wayne Porter tells me that the problem will be corrected shortly.
Eric L. Howes
 xblock
join:2004-12-16 Willoughby, OH
reply to inTulsa
On the live javascript problem. (I'll get to other comments later) It appears that was my goof. We have an internal article system, but since numerous people worked on this we used dreamweaver to collaborate on the report and took the raw HTML from DW. Because of this we could not use our normal web-based article software so the article was "hard coded" into our database. At that time all scripts were double-checked to make sure they were "dead".
Long story short I saw a typo on the report and used our internal editing system to fix the typo and that somehow made the scripts active again.
I have Jan working on fixing it ASAP and thanks for calling this to my attention!
regards, Wayne
 garys_2k
join:2004-05-07 Farmington, MI
reply to eburger68
Never mind...