Malicious SWFs, hacked websites, denial of service attacks.. where will it end?


Basically, it won't end.  I'm going to cover a few different things in this blog entry.

1. The malicious 1-800-petmeds SWF

Ok, so I've had a look at the 1-800-petmeds SWF and it's the same old, same old.  The SWF contains a reference to the malicious URL iexplorer-security.org/?id=324400102.
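An added triage example (my own code, not from the original post or from any tool the author used): it reads the SWF header, inflates a zlib-compressed CWS body, and lists URL-like strings, which is how a reference like the one above can be pulled out of a file without opening it in a player. The sample SWF built in the block and the host malware-host.example are constructed for the demonstration; ActionScript package names (flash.display.Loader and the like) look like hostnames and are filtered so they do not show up as false positives.

```python
"""Triage helper for a suspicious SWF: read the header, inflate a CWS body
and pull out URL-like strings so an analyst can see where the file points
without running it in a player.  Example code, not the blog's own tooling."""
import re
import struct
import zlib

# scheme optional, then a dotted host ending in an alphabetic TLD, then an optional path
URL_RE = re.compile(rb"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[!-~]*)?", re.IGNORECASE)
# ActionScript package names (flash.display.Loader, mx.core.*) look like hostnames; drop them
AS_PACKAGE_PREFIXES = (b"flash.", b"mx.", b"fl.")


def parse_swf(data):
    """Return header fields and the (decompressed) body of a SWF."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature = data[:3]
    version = data[3]
    declared_length = struct.unpack("<I", data[4:8])[0]  # uncompressed size incl. 8-byte header
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])  # everything after the header is one zlib stream
    elif signature == b"ZWS":
        raise ValueError("LZMA-compressed (ZWS) SWF not handled by this helper")
    else:
        raise ValueError("not a SWF: bad signature %r" % signature)
    return {
        "signature": signature.decode("ascii"),
        "version": version,
        "declared_length": declared_length,
        "actual_length": 8 + len(body),  # mismatch suggests truncation or tampering
        "body": body,
    }


def extract_urls(data):
    """Unique URL-like strings found in the SWF body, in order of appearance."""
    body = parse_swf(data)["body"]
    found = []
    for match in URL_RE.finditer(body):
        candidate = match.group(0)
        if candidate.lower().startswith(AS_PACKAGE_PREFIXES):
            continue  # package name, not a network reference
        text = candidate.decode("ascii", "replace")
        if text not in found:
            found.append(text)
    return found


def build_sample_swf(body, compress):
    """Constructed test file: a valid FWS/CWS header in front of an arbitrary body."""
    header = (b"CWS" if compress else b"FWS") + bytes([9]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


# Constructed body: a few header-ish bytes, a package name that must NOT be
# reported, and a null-terminated URL of the kind the post describes.
SAMPLE_BODY = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x00\x18\x01\x00"
               b"flash.display.Loader\x00"
               b"http://malware-host.example/?id=1\x00"
               b"\x00\x00")

if __name__ == "__main__":
    for compress in (True, False):
        sample = build_sample_swf(SAMPLE_BODY, compress)
        info = parse_swf(sample)
        print(info["signature"], "v%d" % info["version"],
              "length ok" if info["declared_length"] == info["actual_length"] else "LENGTH MISMATCH",
              extract_urls(sample))
```

Run it against a real file with `extract_urls(open(path, "rb").read())`; anything it reports is a lead for the analyst to check, not proof of malice, since legitimate SWFs also carry URLs.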

2. Hacked web sites

Of equal if not greater importance, at the moment, is the ongoing hacking of many web sites and the injection of malicious code that tries to infect visitors via various exploits, the latest being MSNBC Sports.

There's no way we can predict which site will be hit next, but we can do all we can to make ourselves as safe as possible.  With sites such as TrendMicro's virus encyclopedia, McAfee's site, MSNBC Sports, ZDNET, Archive.org, Wired.com, History.com and myriad other sites being compromised, we really do have to assume that any site may be a risk.

That being said, it is not all doom and gloom - we can fight back, or at least minimize the risk of exposure.

Remember - the criminals are trying to take advantage of known exploits, many of which have been patched - e.g. MS06-014, MS07-004, MS06-067 and MS06-057 - and let me tell you, there are some pretty old exploits in that list.  I can only hope that all of my readers are long since patched and safe from such exploits. If you are not ***WHY THE HELL NOT???***

The criminals are also trying to take advantage of exploits affecting many different web applications and ActiveX controls, therefore it is no longer enough to simply run the latest web browser and update Windows.  *All* web applications (Flash, Java, QuickTime, RealPlayer and anything else you can think of) must be updated regularly, and all toolbars, add-ons and ActiveX controls must be treated as potential security risks.

IE7 and IE8 have a "Manage Add-Ons" feature.  Use it.  Check everything that has been installed. If you don't need it, or don't know if you need it, disable it.  If you need it, check for an update.

BTW, IE8 makes it easy to research and identify entries in the Manage Add-Ons window. Simply highlight an add-on, then click on "Search for this add-on via default search provider".


What about Firefox?

Users of Firefox, Flock, SeaMonkey and other Mozilla-based browsers are often advised to install NoScript (http://noscript.net/) BUT (there is always a but) I am concerned when I see NoScript being held out as a panacea - it is certainly an excellent improvement, but it is no cure.  Why? Because of the risks introduced by normal human behaviour and social engineering.

At noscript.net it says "you can enable javascript, java and plugin execution for sites you trust with a simple left click on the noscript status bar icon, or using the contextual menu".  My question is this... how do you know which sites to trust and what happens if a site you trust is hacked? 

For example, do you trust MSNBC Sports? ZDNET? TrendMicro? McAfee? forum.avast.com? Computer Associates? Monster.com? The official United Nations web site? spreadfirefox.com? Circuitcity? Audi Taiwan? Asus Taiwan? Yahoo India? Neowin? *All* of those sites have been compromised.

For what it's worth, I say the same thing to people who advocate locking down Internet Explorer's Internet Zone by setting very high security levels, thereby forcing their users to add myriad sites to IE's trusted zone so that they will work properly - again, what happens when a "trusted" site is compromised?

3. Denial of service attacks

I'm sure we all remember how CastleCops suffered under a sustained DDoS.  Tonight I read that DSLreports.com is being attacked.

You can see their alert here:
http://www.dslreports.com/front/shutdown.html

And, more interestingly, a list of the IP addresses of the attacking computers here:
http://docs.google.com/Doc?id=dpbj3qz_10s6p5z4dn

Screenshots

Manage Add-Ons in IE7 (btw, the reason there are only two controls in the IE7 screenshot is because it is a screenshot taken from an almost-bare-metal machine image which I use for testing malicious banner advertisements).

Manage Add-Ons IE8 - note how several that I do not have a current use for are disabled.

Published Wed, Mar 19 2008 23:26 by sandi

Comments

# re: Malicious SWFs, hacked websites, denial of service attacks.. where will it end?

Wednesday, March 19, 2008 9:03 AM by Barry

Certainly you don't want to be too trusting of any web application, whether it's IE, Firefox, etc.  But I think your concerns about Noscript are larger than what reality reflects.  Malicious scripts are pretty much never hosted on the primary content URL for a website, and the actual exploitative scripts eventually try to direct the user to another website wholly different from the legitimate one.  Noscript's redirect blocking, plugin blocking, IFRAME blocking, and XSS protection help tremendously with preventing these exploits from working.  Almost all exploits these days are SQL-based, meaning that the actual malware has to be hosted somewhere else, and that's where Noscript's strengths lie.

The reason that Noscript isn't a panacea isn't because it's not powerful enough to keep a savvy surfer safe (hehe).  Used properly, it defeats virtually all of the exploits out there.  The problem is that for novice users, it breaks their Intarweb, and the learning curve may be steep enough to make it an unsuitable option for many people, because (a) some important sites such as online banking become unusable if the user can't figure out what permissions to grant, and (b) if the user grants permission to the wrong site, the protection can fail.

# re: Malicious SWFs, hacked websites, denial of service attacks.. where will it end?

Wednesday, March 19, 2008 4:24 PM by Giorgio Maone

"For example, do you trust MSNBC Sports? ZDNET? TrendMicro? McAfee? forum.avast.com? Computer Associates? Monster.com? The official United Nations web site? spreadfirefox.com? Circuitcity? Audi Taiwan? Asus Taiwan? Yahoo India? Neowin? *All* of those sites have been compromised."

You should also notice that *all* of those sites have been compromised through various kinds of automatic injections (IFrame, Object, Script elements and the like) linking to *external* resources, sometimes through multiple redirections.

Therefore in *all* of those cases NoScript prevents the attack from being successful because third-party resources are blocked unless explicitly allowed, no matter if the top-level site (the one you suggest most users trust) is whitelisted or not.

On a side note, most of those attacks were drive-by downloads which would have failed anyway on Firefox because they exploited IE-specific vulnerabilities, but that's another story ;)
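An added example (my own code, not from the post, from NoScript or from either commenter) that illustrates both the post's worry about whitelisting a whole site and the point made in the comment above: it scans a page for script, iframe, object and embed elements fetched from other sites, flags the hidden ones, and then evaluates the same injected page under a "trust the top-level site and everything it embeds" model and a "each resource's own source must be allowed" model as described in the comment. The page URL, the hosts and the HTML are constructed; the two-label "registrable domain" helper is a simplification of the Public Suffix List logic a real tool would use.

```python
"""Scan an HTML page for resources pulled in from other sites and compare
two whitelisting models against a 'trusted' page that has had a hidden
IFRAME injected.  Example code, not part of the post or of NoScript."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> attribute that names the remote resource
EMBED_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


def registrable(host):
    """Crude site identity: the last two DNS labels.  A real tool should use
    the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    if not host:
        return None
    return ".".join(host.lower().split(".")[-2:])


class EmbedCollector(HTMLParser):
    """Collects every external-resource element together with its source host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = registrable(urlparse(page_url).hostname)
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        attr_name = EMBED_TAGS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        target = attrs.get(attr_name)
        if not target:
            return  # inline <script> bodies need a different (content) analysis
        url = urljoin(self.page_url, target)  # resolve relative references
        host = urlparse(url).hostname
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.embeds.append({
            "tag": tag, "url": url, "host": host,
            "third_party": registrable(host) != self.page_site,
            "hidden": hidden,
        })


def find_embeds(html, page_url):
    parser = EmbedCollector(page_url)
    parser.feed(html)
    parser.close()
    return parser.embeds


def suspicious_embeds(embeds):
    """Hidden elements fetched from another site: the footprint of the
    injections the post and the comment describe."""
    return [e for e in embeds if e["third_party"] and e["hidden"]]


def decide_per_page(embeds, page_url, allowed_sites):
    """Model A (the post's concern): trusting the top-level site enables
    everything that site happens to embed, injected content included."""
    trusted = registrable(urlparse(page_url).hostname) in allowed_sites
    return {e["url"]: trusted for e in embeds}


def decide_per_source(embeds, allowed_sites):
    """Model B (as described in the comment): each embedded resource is
    allowed only if its *own* site is on the list."""
    return {e["url"]: registrable(e["host"]) in allowed_sites for e in embeds}


# Constructed sample: a legitimate-looking page on a site the user trusts,
# with an injected hidden IFRAME pointing at an external host.
SAMPLE_PAGE_URL = "http://trusted-news.example/sports/index.html"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.trusted-news.example/lib.js"></script>
</head><body>
<h1>Scores</h1>
<iframe src="http://attacker-host.example/inject.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    embeds = find_embeds(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for e in suspicious_embeds(embeds):
        print("suspicious:", e["tag"], e["url"])
    allowed = {"trusted-news.example"}
    print("per-page  :", decide_per_page(embeds, SAMPLE_PAGE_URL, allowed))
    print("per-source:", decide_per_source(embeds, allowed))
```

Under model A the injected frame loads because the page itself is whitelisted; under model B the two same-site scripts load and the frame from attacker-host.example stays blocked. The scanner half is also usable on its own as a site-integrity check: run it over your own pages and review anything it reports as third-party and hidden.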