Google searchers could end up with a new type of bug

[snopes]

Cybercrooks are manipulating the computer code used to put the pizazz in millions of websites in hopes of taking over unsuspecting consumers' PCs.

The vulnerability occurs when someone does a Google search, then clicks on a result that has been secretly tainted by hackers. They will usually be taken to the Web page they expect. But at the same time, they are invisibly redirected to a computer server that installs a hidden program.

http://www.usatoday.com/money/indust...-hackers_N.htm

[BluesScale]

Actually, not related to which search engine you use.

They generally work using a poisoned iFrame. Reports at http://www.computerworld.com/action/...ce=rss_topic85

Blues

[Troberg]

Is this a new technology? Isn't it more or less a variant of an ordinary invisible redirect thingy?

[BluesScale]

Yes, it is just a variant. You redirect the user to a site with malicious content. Easiest way is to buy advertising space on a service which sells it. Slightly harder way is to hack the site to add an iFrame that links to a malicious site or hack the ISP cache - not, you understand, that I am recommending either.

But yes, it is really more of the same

Mark

[Troberg]

Quote:

hack the ISP cache

Hmm, I havn't thought about that. You don't even have to hack it, all you have to do is to spoof an address to a popular site so that you can download a fake page. That will put the site in the cache, and someone else who downloads the same site from the real address will get your page instead.

I doubt it will work nowadays, though, as I don't think the ISP's cache anymore. It's not worth the trouble, as bandwidth is cheap and support is expensive. It also opens them up to lawsuits, both from security exploits and from the risk of people setting up warez sites on the cache by using similar techniques (which has happened at least once to my knowledge). At least, I'm pretty sure that no Swedish ISP does it, not even the crappy ones. When high performance connections are all over the globe and the average user is on a 10 Mbit or better, cache becomes less of an issue.

[BluesScale]

Quote:

Originally Posted by Troberg

I doubt it will work nowadays, though, as I don't think the ISP's cache anymore.

I can't give you details of who and when (well, not and keep my job) but, yes, this does work and yes, this does happen.

Blues

[Troberg]

Quote:

I can't give you details of who and when (well, not and keep my job) but, yes, this does work and yes, this does happen.

I wouldn't have guessed. I thought cache on the ISPs died as collateral damage in the big hulabaloo when it was discovered that some ISPs used traffic shapers to limit/prioritize some traffic. It caused an uproar, and pretty much all obstructions/manipulations of bandwidth disappeared. Maybe that ruckus never went outside Sweden?

[stalker]

Quote:

Originally Posted by Troberg

Hmm, I havn't thought about that. You don't even have to hack it, all you have to do is to spoof an address to a popular site so that you can download a fake page. That will put the site in the cache, and someone else who downloads the same site from the real address will get your page instead.

That's really bad if they did cache by domain name.

In a company I worked at, if anyone left their PC unlocked, they were fair game for pranks (as it's a big security flaw if they're logged into production systems, etc, and it hopefully teaches them to be more careful). One that we would do was spoof the domain of our own website to the IP address of a porn site. That would not have been good for the company if that page ended up cached by our ISP!

I find it weird that it would be that simple though, wouldn't they cache by IP and domain? If that was the case, this wouldn't work.

[James G]

What could this actually achive though, outside injecting exploits onto a trustworthy site?

I was under the impression that most of the cross-site scripting problems had been closed, would this also be true for code inserted via an IFrame? That is, if someone managed to insert an Iframe into an eBay search page, or even an auction could it say intercept any login details that I typed onto the eBay main page? (Ignoring for the moment that eBay won't let you login from a search results/auction page)

[quiltsbypam]

So how does the average user protect him/herself online? Or is it enough to have a firewall, and run virus protection and anti-spyware checkers every so often?

[BluesScale]

Quote:

Originally Posted by James G

What could this actually achive though, outside injecting exploits onto a trustworthy site?

I was under the impression that most of the cross-site scripting problems had been closed, would this also be true for code inserted via an IFrame?

There are 2 types of attack typically used.

The first is the type that you mention - malicious code which uses an exploit. While IE is heavily patched these days and we are not aware of any active remote code exploits against the current builds, many users do not patch. Quite a lot of users refuse to patch because they are concerned that MS will use the information in some harmful way or because they believe that the patches contain malicious code - neither of which is true, scouts honour. A lot of home users don't know about patching in any case - although with XP SP2 and Vista, it is on by default. There are also other browsers that still have issues - Apple have been... well, let us say "unfortunate" with regard to the number of remote code execution vulnerabilities in Safari and in my personal opinion, it isn't quite ready for prime time yet. It is accordingly unfortunate that they are pushing it on iTunes users.

The second is good old social engineering. If you ask most users to install a component, they will. People are in the habit of saying "yes" to any dialogue that pops up. Some more savvy users will consider who is making the request. so, if they browse to (for example) CNN and it askes them to install a video codec, most people will agree to do this because CNN are regarded as reputable. With a poisoned iFrame, it is actually some malicious site in Solvenia that is making the request and the component will typically be a trojan dropper. I had a site which did exactly that shut down on Thursday.

77% of malware is installed because a user clicked "yes". The later versions of the Storm botnet don't even try to use any exploits and rely wholly on social engineering.

Hope that this explanation helps

Blues

[Troberg]

Quote:

I had a site which did exactly that shut down on Thursday.

Why? If the user agrees by answering yes to an install, he's fair game.

[BluesScale]

Quote:

Originally Posted by Troberg

Why? If the user agrees by answering yes to an install, he's fair game.

Because the link installed software that added the computer to a botnet that was being used for criminal purposes. Because the customer did not consent to installing a backdoor remote admin tool. He agreed to install a video codec.

Tricking someone into agreeing to take part in a crime doesn't make it less of a crime :-)

Blues

[Troberg]

Quote:

Tricking someone into agreeing to take part in a crime doesn't make it less of a crime :-)

Perhaps, but it can make the tricked party part of the crime. If you buy stolen goods without checking that it's legit, you will be breaking the law. Going after the botnet owners without going after the participants is extremely one-eyed.

[BluesScale]

I see. So, you would like us to try to prosecute users who get infected with malware by, as in this case, using a compromised search engine.

Ummmm. No. Sorry. Not part of our remit.

Blues

[Troberg]

Quote:

I see. So, you would like us to try to prosecute users who get infected with malware by, as in this case, using a compromised search engine.

As I see it, it's more or less the same as if you don't keep your weapons in the back seat of your unlocked car and leave the keys in the ignition, then someone steals it and robs a bank. You will get some of the blame.

By not taking proper precautions, they are helping the scammers. Ignorance is very seldom a defense that holds water in a court of law.

This is the reason I strike back at anyone trying to hack my servers, regardless if they are doing it actively or are just letting someone else use their hardware to do it.

[BluesScale]

But that way lies madness.

Crime is impossible without a victim. If I do not acquire things, the thief can not steal from me. If I do not go into unsafe places, he can not attack me.

While I agree that there is a reasonable duty of care, does every user have a duty to make their system safe from attack; to learn enough to protect themselves? That may have been true in the 1980 but computers are now a mass consumer item. People think about their computer in the same way that they think of their TV.

Shall we prosecute all victims of crime for not taking enough care? You didn't put bars on the window and were robbed. The money was used to buy drugs. So, that makes you guilty of robbery and buying illegal drugs. Hey, it was your money used. She went out in a short skirt - asking for trouble. Should we prosecute the both victim and her attacker for rape?

We see very different worlds, you and I. In your world, people should be able to fix bugs in the operating system. Computers are for the elite. In my world, they are for the masses and we must make them usable for the great unwashed. They give voice to the silent - and, admittedly, what they mostly say is nonsense but they have the right to say it.

I disagree completely with your allocation of blame in this instance.

Blues

[James G]

Quote:

Originally Posted by BluesScale

We see very different worlds, you and I. In your world, people should be able to fix bugs in the operating system. Computers are for the elite. In my world, they are for the masses and we must make them usable for the great unwashed. They give voice to the silent - and, admittedly, what they mostly say is nonsense but they have the right to say it.

Don't forget though, Troberg lives in a world where most people have fifteen or more computers, have installed Linux on their PS3, PC and digital audio player. A world where most people encode in OGG, rather then MP3 (or more likely whatever their media player rips to by default, be it AAC or WMA). A world where everyone patches their system hourly, and there is no such thing as a zero day exploit. Which raises the question of where he lives exactly, my money is on hiding under the tables at a Linux convention.*

And yes, I have Linux installed on my laptop (my desktop is XP based as I use it for gaming), I have a Linux based handheld, and have installed Rockbox on my iRiver. However I realise that these are things that stick me firmly in a minority, and although I love the flexibility anf outright tinkering that these options give me, I don't for a moment pretend that its something suitable, or desirable, for everyone.

* And sorry to get at you here Troberg, but you repetedly seem to have an unrealistic perception of most peoples technical skills, interests and understanding. Perhaps Sweeden in indeed different in this respect, but it is certainly far removed from most of the world's experience.

[Troberg]

Quote:

While I agree that there is a reasonable duty of care, does every user have a duty to make their system safe from attack; to learn enough to protect themselves?

Why not? We require people to have the proper training and knowledge when using a car, is this so different?

Quote:

Shall we prosecute all victims of crime for not taking enough care?

If you through negligence cause damage to a third party by providing the means for a malevolent person to misuse your equipment, yes. Not if you take reasonable care and still becomes a victim, nor if no one else is hurt.

Quote:

We see very different worlds, you and I. In your world, people should be able to fix bugs in the operating system. Computers are for the elite. In my world, they are for the masses and we must make them usable for the great unwashed.

You misunderstand my vision. If people are able to fix bugs and plug security flaws, not all will have the knowledge to do so, but enough will do it to provide the solutions for the rest of them. You don't have to fix every bug yourself, it's enough that someone does it, and many eyes makes all bugs shallow.

I sure knows that my two eyes are not enough to see all bugs, I lost around 30 GB zip files due to a really stupid bug in one of my own programs this weekend. It should have scanned a directory structure recursively, unpacked all archives encountered, and if no problem is encountered, delete the archive. Well, it worked nicely for RAR, 7Z and ACE, but I forgot one line of code when I made the ZIP extraction, so it never actually extracted anything, then deleted the file. I didn't notice it in the tests, as I seldom use ZIP. Annoying, but luckily, I had the files indexed, so I could find them and download them again...

It's about using the competent (in software design/development) part of the population to make computing aviable for everybody. Software by the people, for the people, with no goal other than making the software as good as possible. No profit demands, no market share strategies, no customer lock in, no format wars, no competition between products, just pure quality and nothing else.

This reminds me about a quote someone said on a programming group when someone there suggested starting a Christian programming group. Of course, this quickly descended into comments like "I thought Christians were a programmed group" and "Will you make macros to replace 'Begin Method' with 'Begin Gospel' and 'End' with 'Amen'?", but out of that flood, one comment stuck with me: "There is no god, only the purity of the code".

[Troberg]

Quote:

And sorry to get at you here Troberg, but you repetedly seem to have an unrealistic perception of most peoples technical skills, interests and understanding.

I work closely with customers, so I have a good idea about their competence. I know quite a few would eff up badly if given a chance, but I also think that we shouldn't hold back the entire class just because some pupils need to be held back a grade.

Just saying "I don't care about what's going on under the hood, it should just work!" is not realistic, and possibly dangerous to others. We don't accept that when driving a car, and neither should we accept it when using a computer. It is a complex machine, it is important for most people (we have a lot of important stuff on it), but it has certain limitations and we must be aware of them, for our sake and for others. Just like we can't make a perfectly safe car, we can't make a perfectly safe computer, and the operator needs to be aware of this and how to minimize the risk. If not, I say: throw them on the altar of Darwinism. Technical solutions only go that far, at some point, the operator has to assume responsibility.