
OT: (sorta) -- Malware protection for Firefox


blue2blue

  • Members

UPDATE: the type of browser hijack outlined below has just started popping up here on Harmony Central!

 

 

Since we've been talking about the malware attacks that have popped up at popular sites like Yahoo, All Music Guide, CNN, MySpace, and other popular sites I've received reports from others of such browser-hijack attempts.

 

If malware takes over/locks up your Windows based browser -- I've had it happen in Firefox and Safari for Windows, locking up the browsers seemingly completely -- use the ctrl-alt-delete 'three finger salute' to bring up the Windows Task Manager and at the very least, shut down all instances of the afflicted browser.

 

DO NOT try to control the browser, even with something as "safe" as the Alt-F4 window closing shortcut -- you'll likely be taken to the bad guys site where an unpatched browser could be automatically infected, or a patched browser will display socially engineered "come ons" of the "download free video codec" or "your computer is running slow and may be infected" type. Again, the only safe recourse is to use the Win Task Manager to shut it down (and maybe shut down your whole session).

 

If such a malware exploit starts downloading/installing, close down any way you can (I once pulled the plug when a careless keystroke started a malware install). Then do a thorough scan using up-to-date malware/antivirus scanning software (I use the free online scans from Trend Micro's Housecall or Bitdefender) to find and remove any partially downloaded bits.

 

I've also used Ad-Aware and Spybot Search and Destroy in addition to remove exploitable tracking cookies and other potential threats.

 

 

Now -- PREVENTIVE ACTION -- on recommendations from others, I installed the "noscript" Firefox add in. (You can search the Firefox add-ins for it.)

 

It seems to work well, taking only a small bit of overhead, and lets you set permission levels on the fly for sites you visit (it blocks javascript by default unless you tell it to let it run). You can also temporarily allow script on a site. It also protects against the frequently exploited "cross-server scripting" used by some legit services but also used to infect the unsuspecting with malware/spyware. (The target with much of this is credit card and password collection, but all kinds of nasty things can happen once a back door is installed on your machine. New meaning to the word, "owned.")

 

 

Internet Explorer users -- it's very important to keep your browser patched. The latest version of IE (IE7) has similar anti-malware scripting built in -- but you may need to tinker with your user preferences/security settings to get the level of aggressive protection that the current level of attacks warrants. (When activated, the scripting protection asks you if you want to run various forms of javascript or Active X scripting at different sites -- so you can allow it for, say, your bank, but disallow it for, you know, those Russian porn sites you love. (Just kidding. I know you're way too savvy to go straight into the devil's den... porn sites, warez sites -- even some lyrics sites -- a lot of stuff in the gray area -- are common infection vectors for malware.)

 

 

 

And, Mac users, don't start feeling too smug, they're now targeting you with similar socially-engineered exploits, trying to entice you to voluntarily install malware under the guise of video codecs, helper programs, utilities, etc.

 

 

Sorry to go off topic on this again -- but it's become a serious issue and the attempts are becoming more frequent. This post, in fact, was inspired by one of our regulars who was apparently attacked -- his Firefox browser was the subject of an attempted hijack, locking it up on a malware "invitation" -- while visiting his Yahoo Mail page.

 

Sigh.


  • Members

Good idea posting this. And I agree, to my fellow Mac users, don't think you're all cool for not getting malware. We haven't seen much in the wild yet, but you still need to be careful.

 

One note, though I wanted to sort of...oppose on blue2blue's point is the allowance of using Internet Explorer. It is the most insecure browser I know of, even fully patched, and therefore, I'm of the opinion that you should not run it. If you absolutely must run it, disable Javascript and ActiveX. There are more buffer overrun exploits than I can think of, and almost every one of them requires IE 6 or 7 with ActiveX and Javascript turned on. Firefox is a great alternative, but there's also Flock (Mozilla-based) and even Safari (though that has security issues on Windows as well). The point is, don't run IE, no matter what. It's a liability.

 

If you're enough of a geek, do what I do and run Linux part time. I prefer Ubuntu Studio, but there are other options. It might be overkill, but it's probably the closest to an indestructible operating system there is.


  • Members

I got hit this morning with a popup while having Yahoo Mail and the HC board up. I used Windows Task Manager to kill firefox immediately. Around the same time there were postings by others here on HC reporting similar popups.

 

I've just tried the noscript add-on blue2blue mentions above and it seems to do the trick. I've tested it in a couple of places (including here, trying to post a reply) and it's great being able to be specific about which scripts to allow or disallow.


  • Members

You bet! IE7 is better protected than previous versions (and at times FF actually has more unfixed security flaws if you read the security press) -- but Internet Explorer, by virtue of its 900 pound gorilla adoption status, is the most targeted browser.

 

And one of the reasons for that is because it is the general perception that the most naive users (on Windows) have IE -- because it is the default browser. And these are the folks who the bad guys count on to not patch their browsers (which is why Windows Automatic Update is very important for such users).

 

 

I was quite skeptical about Firefox when I first started using it for testing websites but it has continued to grow and improve -- and the third party support for it (in the form of add-ons [which I ONLY get initially through the Firefox/Mozilla site]) is really wonderful.

 

I've really integrated Firefox into my web life. It is now indispensable to me. My FTP client runs inside of Firefox. I far prefer the text-resizing in FF to IE7's graphic "zoom." The noscript add-in for FF seems to me to be more flexible and much superior to the similar protection built into IE -- and -- though it's not a security issue and is really more one of the things that drives web developers and designers just plain nuts -- but Firefox (and Safari, for that matter, to some extent) is MUCH more compliant with web standards for various code and design implementations (the increasingly important CSS comes to mind first, since IE has just been abysmal with buggy, inconsistent, ever-changing CSS implementations).


  • Members

but Firefox (and Safari, for that matter, to some extent) is MUCH more compliant with web standards for various code and design implementations (the increasingly important CSS comes to mind first, since IE has just been abysmal with buggy, inconsistent, ever-changing CSS implementations).

 

Well yeah, actually Safari and a few linux only browsers I've seen are the only ones 100% web compliant as far as I know. Firefox still has a fair amount of weird stuff in it. I remember version 1 didn't even pass the Acid test for a while (was a test page that let you know if the browser was standards compliant enough). I agree, though, Firefox is probably the best browser available now, and if you keep it patched, it will probably never fail you. Actually, from a web developer's standpoint, IE needs to be shot anyway, because I always have to allow concessions to IE in my CSS...:mad:

 

If you really need a secure browser, just use something text based like Lynx. It doesn't display images or anything, but as far as I know it's impossible to buffer overrun it :p

(that's a joke, BTW, I don't really mean that :p)


  • Members

 

That said --- I'm guessing that Opera, like Safari and Firefox with javascript turned on, will be subject to some of these exploits

 

 

I stumbled upon such a malicious ad on a blog site yesterday. Opera didn't help indeed, but as I understood it no browser can avert evil JS being executed when JS is turned on. In Opera you can turn off Java/JS globally, then turn it on for trusted sites via "site preferences". Neat feature, but it doesn't help if your favourite and trusted site is infected. But my antivirus software alerted me in time and it turned out to be no false positive after submitting the file to the experts at that company.


  • Members

I'm happy to report that -- so far -- Firefox with the noscript add-in has seemed to be keeping me hijack-attempt free even as many others here on HC have reported hijack attempts.

 

Knock on wood.

 

 

But, like you say, if the malware is served up from your favorite site's own servers, as these exploits were from CNN, Yahoo, MySpace, and other sites (I don't know about the HC exploit attempts yet), basic cross-site scripting protection may not be enough.

 

I have noscript set to allow HC scripting only -- but I'm watching very carefully.

 

HC uses Akamai to serve up cached content and I'm not allowing that, on general principle.

 

So far, so good. When I had javascript turned all the way off, it broke the Firefox WYSIWYG editor -- and, man, I'm addicted to that... so I'm proceeding with caution.


  • Members

yeah, that's the problem. There's one exploit I wrote an article on recently where an ad simply has to LOAD an image to execute (again) a buffer overrun. Once you disable Javascript, however, the ad ceases to exist because it relies on Javascript based ad-tracking. It's really sad how one bad ad server can spoil your favorite site.


  • Members

Haha, the only unwanted infection I ever got was last year, with the similar "WMF-exploit" thingie. It was only 2 days in the wild.

 

Update: After telling the admin of the aforementioned site what's going on in all needed detail yesterday, I checked it again (with Java/JS turned off) today. I was rewarded for that stupidity by another attempt to launch malicious code, this time another variant embedded elsewhere. Apparently, it even managed to generate 4 "run" entries (for each user) for CTFMON.exe in the registry, which were not there yesterday. I have no idea for what purpose and how it did that and if it's really related to that code. But it teaches me that turning off Java is no reliable solution to this kind of problem. :confused:

 

BTW, SamuraiBSD, I've got a Johnson Strat clone, too and I love it! :thu::)


  • Members

I just visited All Music Guide and they have a notice up on their front page, saying they're aware of the malware problem and giving a link to this eweek article: http://www.eweek.com/article2/0,1895,2215734,00.asp

 

 

And, of course, you've probably seen the system-wide announcement (top of the forum listings) from Craig Anderton telling us to beware of pop-ups.

 

(UPDATE: Not that I actually read it myself until just now, so I didn't know it was quoting my own tentative and hopefully properly qualified advice in this or another forum. I'm like the Ted Koppel of the Zero Day Exploit Crisis... I can see it, tomorrow: "Day two of the Zero Day Crisis dawns on a tense Harmony Central, as turkey-induced L-Tryptophan hangovers are jarred by dire warnings on favorite forums. Maybe, this Black Friday would be a good time to join the wife and kids for a trip to the mall, after all...")


  • Members

As your generation (or maybe the one just before yours) so eloquently put it: Mean people suck.

 

 

But they always have... as long as I've been around (and that seems like a very long time, even to me) there have just been some people who want to take and some people who want to destroy.

 

And even when the bad guys aren't out to get you, stuff happens.

 

In this world, it's best to keep a positive mental attitude -- and sleep with one eye open.

 

;)


  • Members

I should take this time to note that hackers aren't the bad people... CRACKERS are the bad people. Hackers modify software/hardware for good; crackers do it for bad. You could also put it as white hat and black hat (although black hat does sound cooler, doesn't it?)


  • Members

This is very bothersome, and I'm wondering if it has anything at all to do with my recent problem with Google. Whenever I search for things, I click on the result I want to go to, but often I get redirected to an ad page or another search page. After 1 or 2 retries I'll get to where I want but it's really annoying and worrisome. I'm hoping that something hasn't already gotten through without my knowledge, because I've seen no suspicious processes, gotten no antivirus warnings, and as far as I know no spyware either. I'm going to, in light of these events, purge my computer of everything tonight. Time to break out the big guns. I'll probably have to do multiple full virus and spyware scans overnight =[


  • Members

It sounds all too much like the symptoms of a "toolbar" infection. These are typically the result of "socially engineered" exploits ("click here to install the cool FogItAll Super Duper Toolbar") but can also be the result of a "drive by" attack on an unpatched (or otherwise vulnerable) browser.

 

Sounds like a full a-v scan and possibly separate Ad-Aware and Spybot S&D scans, as well. (Why is it we need the multiple scans? I dunno, but it always seems like we do!)


  • Members

They appear to have scrubbed the server of the piggybacked ads. But you will likely have to clear your browser cache to get rid of the residual bits that can act as a conduit for the malware ads.

 

You can catch up on the latest in the system-wide announcement listed at the very top of all HC forum listings.
