
Topic: Internet security question

 
hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

posted 09-29-2004 19:58

I was talking to a friend the other day and he said that just by going to page and viewing it in your browser, the server can download programs onto your machine and run the programs.

The example he gave was those e-mail messages you get telling you that there is a problem with your bank account. He says that by clicking the link in the message and visiting the page (which doesn't belong to the bank, but to someone trying the steal personal information), even if you don't do anything but shut down the browser, it is possible for the site to download a program to your machine that will then keep track of all your key strokes which it can later e-mail to whoever set up the site.

I can almost see how this might work with IE and ActiveX, but I don't believe it would be possible in any of the Mozilla browsers.

Does this seem like a feasible way of infiltrating a machine? If it is, it's a huge security hole that I don't hear being discussed anywhere.

-- not necessarily stoned... just beautiful.

JKMabry
Maniac (V) Inmate

From: raht cheah
Insane since: Aug 2000

posted 09-30-2004 00:20

There are a lot of web page borne exploits that drop trojans, I think. Check out a virus library like Norton's or McAfee's etc. to read up on them.

The only browser exploit I recall for Mozilla/Firefox was a buffer overflow vulnerability in their handling of PNGs, similar to the recent IE JPEG problem.

tntcheats
Bipolar (III) Inmate

From: BC, Canada
Insane since: Jun 2004

posted 09-30-2004 00:27

Wasn't that gone within 12 hours, though?

The software that'll keep track of your key strokes is called a Key Logger, which is Spyware. If you use Internet Explorer expect to get hundreds of these nice little programs....

The banking one I believe is in reference to the emails which are faked as coming from Paypal.com whereas they say there's something wrong with the account, and you have to click the link and go to the page to log in, using the handy dandy form they have on a website which looks just like paypal.com (they even fake it as having paypal.com in the Address bar) and they basically just steal your username and password via this form.

-----------------------------------------------------
funny websites | funny signatures | funny jokes

Ozone Asylum KILLED my inner child.
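The address-bar trick tntcheats describes is hard to catch by eye, but the underlying mismatch (the link's visible text names one site, its href goes to another) is mechanically checkable before anyone clicks. The following is an added example, not code from this thread or from any product mentioned in it: it walks every anchor in an HTML mail body with Python's standard html.parser and flags links whose visible text names a host that differs from the href host, or whose href points at a bare IP address. The sample message, the IP address and the look-alike domain in it are all constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing body: visible text names paypal.com, targets do not.
SAMPLE_MAIL = """
<p>Dear customer, there is a problem with your account.</p>
<p>Please <a href="http://203.0.113.9/pp/login.php">log in at https://www.paypal.com/</a>
to verify your details.</p>
<p>Or use <a href="http://paypal.com.example.net/login">www.paypal.com</a> directly.</p>
<p><a href="https://www.paypal.com/help">Help centre</a></p>
"""

# Matches something that reads as a host name inside link text, e.g. "https://www.paypal.com/"
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' comparison; enough to catch the host substitution shown here."""
    return ".".join(host.lower().split(".")[-2:])


def is_ip(host):
    """True when the href host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return a list of (href, text, reason) for links that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if is_ip(host):
            findings.append((href, text, "href points at a bare IP address"))
            continue
        match = HOST_RE.search(text)
        if match and registrable(match.group(1)) != registrable(host):
            findings.append((href, text, f"text names {match.group(1)} but href goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_MAIL):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the constructed body, the two decoy links are reported and the genuine help link passes. The "last two labels" comparison is deliberately simple; a real mail gateway would use the public suffix list so that hosts under co.uk and similar are compared correctly.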

DmS
Maniac (V) Inmate

From: Sthlm, Sweden
Insane since: Oct 2000

posted 09-30-2004 16:50

Another beauty is one I've gotten a couple of times recently, as a domain owner they address me all businesslike on a failed mailer, then they attach a file named something like:

failedmail_dms@dmsproject.com

Now for all you out there, the Q of the month:
How much havoc can a .com file create on a windows platform...

Nifty & devious, I'm positive a lot of ppl fall in that trap.
/Dan

{cell 260} {Blog}
-{ "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." (Kristian Wilson, Nintendo, Inc, 1989.) }-

JKMabry
Maniac (V) Inmate

From: raht cheah
Insane since: Aug 2000

posted 09-30-2004 17:01

quote:
How much havoc can a .com file create on a windows platform...

Quite a lot, if I'm not mistaken. I think .com is a compiled program, essentially an executable.

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted 09-30-2004 17:22

Indeed a .com is an executable. And though it's not designed for WIN32, it's easy to make a .com executable create a ( win32 ) .exe and run it to do a lot of harm to the system.

However, with the DOS interruptions, you have access to the disk functions, and thus it's easy to write some garbage on random sectors of a harddrive, or format some sectors here and there ... you know that kind of funny stuff. Oh, and in assembly, you can freeze a computer with just 2 instructions ( taking 1 byte each ).



(Edited by poi on 09-30-2004 17:25)

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

posted 09-30-2004 17:47

Jason, you're right, a .com is a kind of executable from the old days of DOS. Not many people make them anymore since one of the requirements is that the size be less than 64k, but, you can still run a .com file in a command window. Quite a few of the DOS commands that come from Microsoft are .com files. For example, format, more, and command.

64k is a lot of space in an executable and if your only purpose is to steal information or create havoc, you don't need any kind of user interface so there is a lot of room in the file to do the things you want to do (speaking from a virus writer's viewpoint).

DmS, that is a new one. I had not seen it before. I tried to send myself a copy of more.com and my e-mail server responded that the attachment was potentially executable and would not send the message. The error message suggested that if I wanted to send an executable file I should zip it first. I assume the people sending out the messages you're talking about don't have this restriction on their server.

I assume if I could send myself an executable file, the system would ask me if I wanted to save or execute it. I can see where receiving an executable could be a very dangerous thing for people who don't stop to think about the possible collateral damage before executing the attachment.

My original question has to do with the following: I understand how someone could design a page that would tell the browser to download an executable. We do this all the time when we want to allow the user to download a shareware program. What I don't understand is how the page can cause the executable to run without first having some user intervention. Is that kind of thing possible in today's browsers?

-- not necessarily stoned... just beautiful.

liorean
Bipolar (III) Inmate

From: Umeå, Sweden
Insane since: Sep 2004

posted 09-30-2004 17:56

.COM is one of the DOS native executable file formats, but was also used for the same things DLLs are used today. A malicious .COM can wreck any type of havoc in DOS or any system built on top of DOS, such as Win9x or WinME. The simulated DOS that exists in NT based environments (WinNT, Win2k, WinXP, Win2k3) somewhat shields you (e.g. it gives no direct disk access IIRC), but it's still dangerous and nowhere near the safety of for example the java sandboxing. The .CMD format that is the NT equivalent of .COM has about the same capabilities. The .EXE format is larger and thus not as good for spreading viri, but has somewhat bigger capabilities. This is one reason why .COM and later .CMD files are so frequent in email viri attachments. In short, anything you can to on the system you can do with a .COM file, with more or less effort.

As for webpage spread viri, trojans and spyware, most of them use holes in either the Microsoft Java VM sandboxing, ActiveX holes (most of these go through holes in an already installed plugin like GoogleBar or Alexa), or rely on human engineering and the user's lack of knowledge and interest in security. Though I can see JPEG exploits appearing on the web soon enough...



Well, as for exploiting this in mozilla, I don't think you can use the same tricks. Mozilla plugins may introduce big holes, but those must be installed by the user or admin before the holes can be exploited. XPIs may do damage, but recent mozilla work has minimised the risk for spreading malicious XPIs by limiting the default locations from which XPIs may be downloaded to mozilla update. There's of course the breakage of the same domain policy, the possibility of protocol exploits and the library exploits, but those have proven to be hastily fixed so far. No, almost all exploits for mozilla will have to rely on the user actively activating them. They mostly have to rely on human engineering. Since mozilla doesn't have an "open file from remote location" choice in the downloader these are lessened as much as possible without treating the user like a baby who must be shielded from anything that is even potentially dangerous (such as any information transaction...). This is not to say that mozilla is entirely safe (nothing ever is) but it's far safer than IE.

--
var Liorean = {
prototype: ProgrammingTheoryGuru.prototype,
abode: "http://codingforums.com/",
profile: "http://codingforums.com/member.php?u=5798"};

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted 09-30-2004 18:05

Actually the pages I've seen downloading and executing a program without user interaction used some kind of ActiveX to fool Windows and make it believe the script was in the local zone and thus was considered as trusted. I don't remember the name of that sort of technique. I've seen a proof of concept several weeks ago that used several JavaScript encoded/escaped that were decoded/unescaped to bypass the security verifications of IE and run another similar script that finally loaded the content of a file and used an ActiveX to save and run it locally. Alas I don't remember if I've posted the URL on the Asylum, and I've re-installed my computer recently.

[edit] Yeepee, I found the proof of concept of the Ilookup Trojan. And the technique is called "cross zone access vulnerability". However it doesn't seem to work with IE6sp1 [/edit]




(Edited by poi on 09-30-2004 18:16)

DmS
Maniac (V) Inmate

From: Sthlm, Sweden
Insane since: Oct 2000

posted 09-30-2004 20:18

Nifty indeed poi.
As he said, respect for the knowledge, a serious ass kicking for the usage!

Indeed I know what a .com file can do, I've been actively around 'puters first since the Sinclair ZX81 and more seriously since win 3.x

However nifty the different cross zone/activeX exploits may be, the easiest way to get hold of a computer is still probably the human engineering part. Say you get the person to open the attachment, the first thing that happens is that IE pops up and goes to a professional url, perhaps even a real one, this while the .com installs whatever on the machine, thus creating an illusion of it being injected from the site.

Well, I just thought it was an interesting use of hiding a bad file in the open.

/Dan

{cell 260} {Blog}
-{ "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." (Kristian Wilson, Nintendo, Inc, 1989.) }-

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

posted 10-01-2004 21:12

poi: Thanks for the link. That answered a lot of the questions I have about this technique. I am going to have to go back to it when I have a couple of hours to sit and analyse how it works. It's a very interesting article.

DmS: I agree with you that naming the file name@name.com is a very interesting way of hiding the purpose of the file. Even those of us who have been around computers for a long time might miss that one. I know that if I'm browsing or doing e-mail and I see something named *.com I would assume that it is part of a url and might not think about the fact that it is also a suffix used by windows to denote an executable.

We all tend to compartmentalize our thinking and it is sometimes hard to remember that something will have more than one meaning depending on the compartment (context) we happen to be thinking in.

-- not necessarily stoned... just beautiful.
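DmS's attachment named like an e-mail address and hyperbole's point that a reader will parse ".com" as a domain rather than a DOS executable both come down to the same thing: Windows decides what a file is by its last extension, while a human reads the whole name. hyperbole's mail server rejected more.com for exactly that reason. The following is an added example, not code from this thread or from any mail product: it classifies attachment filenames the way a gateway filter would, by the true (last) extension, and additionally says why a name is deceptive. The sample filenames are constructed; .com, .cmd and .exe come from the thread, the remaining extensions in the set are the usual additions for Windows-executable types.

```python
import os
import re

# Extensions Windows runs directly. .com, .cmd and .exe are named in the thread;
# the rest are the customary additions a gateway filter blocks.
EXECUTABLE_EXTS = {".com", ".exe", ".cmd", ".bat", ".scr", ".pif", ".vbs", ".js", ".hta"}
# Document types commonly used as the "inner" extension of a double-extension name.
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".gif", ".zip", ".htm", ".html"}

# Name shapes that make an executable suffix read as something harmless.
EMAIL_LIKE = re.compile(r"^[^@\s]+@[^@\s]+$")
URL_LIKE = re.compile(r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

# Constructed sample attachment names (the first mirrors the one DmS received).
SAMPLE_ATTACHMENTS = [
    "failedmail_dms@dmsproject.com",
    "www.dmsproject.com",
    "invoice_2004.pdf.exe",
    "quarterly_report.pdf",
    "photo.JPG",
    "more.com",
]


def split_name(filename):
    """Return (stem, lowercase extension) using the last dot, which is what Windows does."""
    stem, ext = os.path.splitext(filename)
    return stem, ext.lower()


def classify_attachment(filename):
    """Describe an attachment name: true extension, whether it executes, and why it misleads."""
    stem, ext = split_name(filename)
    verdict = {
        "name": filename,
        "extension": ext,
        "executable": ext in EXECUTABLE_EXTS,
        "reasons": [],
    }
    if not verdict["executable"]:
        return verdict
    verdict["reasons"].append(f"{ext} runs directly on Windows")
    if EMAIL_LIKE.match(filename):
        verdict["reasons"].append("looks like an e-mail address, hiding the executable suffix")
    elif URL_LIKE.match(filename):
        verdict["reasons"].append("looks like a domain name, hiding the executable suffix")
    # invoice.pdf.exe: the part the eye settles on is the inner, harmless-looking extension.
    inner_ext = os.path.splitext(stem)[1].lower()
    if inner_ext in DOCUMENT_EXTS:
        verdict["reasons"].append(f"double extension: presented as {inner_ext}")
    return verdict


def triage(names):
    """Return the verdicts for every name that would execute if opened."""
    return [v for v in map(classify_attachment, names) if v["executable"]]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_ATTACHMENTS):
        print(verdict["name"], "->", "; ".join(verdict["reasons"]))
```

Note that the genuine DOS command more.com is flagged as looking like a domain name too: the ambiguity hyperbole describes is a property of the name, so a filter has to reject on the true extension rather than try to guess intent from the rest of the name.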
