oh dear, michael will not be happy

hardwaregeeks.com blocked by Haute Secure


Published Sun, Jul 15 2007 13:30 by sandi

Comments

# re: oh dear, michael will not be happy

Sunday, July 15, 2007 7:55 PM by Mike

You know -- it'd be great if haute secure actually posted the behavior that caused the ban.

-Mike

# re: oh dear, michael will not be happy

Monday, July 16, 2007 11:22 AM by Frank Swiderski

Moderator note: post edited to remove live links. 

(Mike, you can get a copy of an ethereal capture either by messaging me privately on the HS forums, or by emailing Sandi.  I sent her a copy when we became aware of this post.)

According to Haute Secure’s current blocking policy, if navigating to a URL causes an infection without further user interaction, then that URL will be blocked.  The Hardware Geeks site results in an infection due to malicious advertisements served as a result of navigating to the URL below.

The specific Hardware Geeks URL in question is:

http : / / www . hardwaregeeks . com/comments.php?catid=4&id=3046

This URL will still (as of 15-July) result in an infection on an unpatched system.  Relevant bits:

1. Initial request to Hardware Geeks:

GET /comments.php?catid=4&id=3046 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: www.hardwaregeeks.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 16 Jul 2007 00:05:59 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.4.2
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 16 Jul 2007 00:05:59GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: theme_4=5; expires=Tue, 15 Jul 2008 00:05:59 GMT; path=/; domain=.hardwaregeeks.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

2. Response contains the following IFRAME:

<iframe id='a8bb3077' name='a8bb3077' src='www.geekadverts.com/.../adframe.php' framespacing='0' frameborder='no' scrolling='no' width='728' height='90'><a href='www.geekadverts.com/.../adclick.php' target='_blank'><img src='www.geekadverts.com/.../adview.php' border='0' alt=''></a></iframe>

3. That IFRAME retrieves content from http: / / ad.ad-flow.com / st?ad_type=iframe&ad_size=728x90&section=15849

4. Returned content pulls more content from http: / / ad.yieldmanager.com / iframe3?KbIAAOk9AAAkXQYAl0gCAAIAAAAAAP8AAAABEQAABgN9VgAA8loAAL-dAwAAAAAAAAAAAAAAAAAAAAAAAAAAAGZmZmZmZsY.ZmZmZmZmxj9mZmZmZmbWP2ZmZmZmZtY.AAAAAAAA4D8AAAAAAADgPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmUGuP1GX4wItWGMASKf8D.YhR2H-YTmtaXWaLQAAAAA=,,www.geekadverts.com/.../adframe.php

5. Returned content pulls more content from http: / / mod.adsview.net / adserve/view/7483-265214909-9010/

6. Mod.adsview.net returns a 302, pointing at http: / / 80.93.48.74 /oiewupqoidasqw/

7. Host 80.93.48.74 eventually serves the exploit code + malware.
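The chain Frank lays out above (page, iframe, iframe, iframe, 302, bare-IP host) is the kind of thing a publisher can reconstruct for themselves rather than waiting for a blocklist vendor to explain a ban. The script below is an added example, not code from this thread or from Haute Secure: it walks auto-loading elements and 3xx redirects from a starting URL and reports the hop where the chain leaves the ad networks the publisher actually signed up with, or lands on an IP-literal host. The responses are constructed stand-ins (reserved `.example` names and an RFC 5737 documentation address, hypothetical `EXPECTED_HOSTS` allowlist), not captured traffic; `fetch_offline` can be swapped for a real fetcher that returns the same (status, headers, body) tuple.

```python
"""Reconstruct an ad-serving redirect chain and flag the hop that leaves it.

Added example, not code from this thread or from Haute Secure. It walks
the same shape of chain Frank lists above (page -> iframe -> iframe ->
302 -> bare-IP host) over a constructed, offline set of responses.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in responses: url -> (status, headers, body).
# Hostnames are reserved example names and an RFC 5737 documentation
# address, not the real hosts from the capture.
RESPONSES = {
    "http://publisher.example/comments.php?catid=4&id=3046": (200, {},
        "<html><body><p>article</p>"
        "<iframe id='a8bb3077' src='//ads1.example/adframe.php' "
        "width='728' height='90'></iframe></body></html>"),
    "http://ads1.example/adframe.php": (200, {},
        "<iframe src='http://ads2.example/st?ad_type=iframe&amp;ad_size=728x90'>"
        "</iframe>"),
    "http://ads2.example/st?ad_type=iframe&ad_size=728x90": (200, {},
        "<iframe src='http://ads3.example/adserve/view/7483/'></iframe>"),
    "http://ads3.example/adserve/view/7483/": (302,
        {"Location": "http://203.0.113.10/oiewupqoidasqw/"}, ""),
    "http://203.0.113.10/oiewupqoidasqw/": (200, {},
        "<html><script>/* payload would load here */</script></html>"),
}

# Hosts the publisher expects in its ad chain (hypothetical allowlist).
EXPECTED_HOSTS = {"publisher.example", "ads1.example",
                  "ads2.example", "ads3.example"}


def fetch_offline(url):
    """Stand-in for an HTTP fetch; unknown URLs return 404."""
    return RESPONSES.get(url, (404, {}, ""))


class AutoLoadCollector(HTMLParser):
    """Collect src attributes of elements the browser loads with no click."""
    AUTO_LOAD = {"iframe", "frame", "script", "embed"}

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in self.AUTO_LOAD:
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def walk_chain(start_url, fetch=fetch_offline, max_hops=25):
    """Breadth-first walk: follow 3xx Location headers and auto-loading
    src attributes from start_url. Returns one dict per hop."""
    hops, queue, seen = [], [(start_url, "start")], set()
    while queue and len(hops) < max_hops:
        url, via = queue.pop(0)
        if url in seen:          # guard against redirect loops
            continue
        seen.add(url)
        status, headers, body = fetch(url)
        host = urlsplit(url).hostname or ""
        hops.append({"url": url, "host": host, "status": status, "via": via,
                     "ip_literal": is_ip_literal(host)})
        if 300 <= status < 400 and "Location" in headers:
            queue.append((urljoin(url, headers["Location"]), "redirect"))
        elif body:
            collector = AutoLoadCollector()
            collector.feed(body)
            # urljoin resolves scheme-relative and relative srcs as a browser would
            queue.extend((urljoin(url, s), "auto-load") for s in collector.srcs)
    return hops


def suspicious_hops(hops, expected_hosts=EXPECTED_HOSTS):
    """Hops reached via redirect/auto-load whose host is off the allowlist
    or a bare IP: the point where the ad chain leaves known networks."""
    return [h for h in hops
            if h["via"] != "start"
            and (h["ip_literal"] or h["host"] not in expected_hosts)]


if __name__ == "__main__":
    chain = walk_chain("http://publisher.example/comments.php?catid=4&id=3046")
    for h in chain:
        print(f'{h["status"]} {h["via"]:9} {h["url"]}')
    for h in suspicious_hops(chain):
        print("SUSPICIOUS:", h["url"])
```

The allowlist matters more than the IP-literal check: a compromised ad network can just as easily redirect to a registered domain, and an unexpected hostname is the signal either way. Against a live capture, feed the walker the recorded responses rather than re-fetching, since exploit hosts routinely serve clean content on the second visit from the same address.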

# re: oh dear, michael will not be happy

Monday, July 16, 2007 7:13 PM by sandi

I suspect that it is your banner advertisement that is triggering the block.  Flash banner advertisements have become notorious for being used as a conduit to infect systems with malware - look at the outbreak that affected the Windows Live Messenger contact pane banner ad as a high profile example.