computerfreaker wrote: Did you go to Yahoo mail?
I know that we're at almost 250 posts here, and the thread is almost two months old, but to refresh memories, yes, very early on I had said that the only three sites visited when it first showed up were Yahoo mail, this forum (probably not a suspect) and Google, the latter being only for the sake of reproducing it. Once having done so, I then went to Ask and Bing, but only for reproduction: the infection was already there. So yes, I've included the possibility that someone slipped one in on Yahoo *for a relatively brief period of time*, else more Yahoo users would have reported it -- and I would have gotten it again in the next browsing session, with a clean sandbox, when I checked my mail the next day.
computerfreaker wrote: I was following that same line with Montagar, but that's off per his latest post...
Actually, his latest post makes it easier. Without NS, he could have picked it up from *any site he visited*, at any time in the last ... six months? Year? He wouldn't have discovered it until the first of the following: His next attempt to visit any of the affected targets, seeing the redirection; or his installation of NS, then attempting to visit the targets, and seeing NS block it. So the whole universe of Montagar's browsing is possible.
Given that, I don't think we need to give the black-hats that much credit. It's not the first time any major site has had an exploit, including Google and Yahoo, and it won't be the last. Hundreds of thousands, or millions, of sites were hit by 318x infection (Google it if you like; just don't click the links) recently.
This is why I believe in defense in depth. I *must* trust mail.yahoo to use it... but *any* trusted site can be hit. Hence the 100%-sandbox approach, as well.
computerfreaker wrote: I was wondering whether malicious JS could install - and execute - those files without exploiting a vuln. However, as I think about it, I'm not inclined to think JS could get away with that without exploiting a vuln...
The JS wouldn't have to execute the files. Since they posed as a legit Fx add-on, *Firefox* would execute them. Or they'd be self-executing. Merely writing them is good enough -- and as Giorgio points out, at any given moment, there are undisclosed vulns in the process of being patched, plus unknown (to Mozilla or MS or anyone else) vulns being discovered by the wrong people. This was why RSnake said "The browser (ALL browsers) is fundamentally broken" -- and why NS + other layers are needed.
Here's another overly-simplistic analogy: Give me five minutes alone at your keyboard -- say, while you make a pit stop. I write a simple but malicious batch script and drop it directly into your "startup" folder, then leave. When you come back, you have no reason to believe anything's been tampered with; no visible evidence; everything runs normally. But unless you're in the habit of checking your startup folder before every shutdown, the next time you boot, you're going to be badly hosed.
I know this works, because I use exactly such a startup batch script to clean the "fungus" (accumulated, useless log files, etc.) off my puter at each boot.
So all the JS has to do is get the files on the machine, not execute them. Crude analogy, but you get what I'm trying to say.
And now it's time to ask: Is it really worthwhile to continue to spend time trying to track down the source -- or hundreds of thousands of possible sources -- of this infection, when it's probably impossible (without some new sighting with more information)? We've all learned a lesson; SANS publicized it; and even if Giorgio Maone *could* track it, which he couldn't without a lot more information, I'd rather see him spending his time enhancing our future defenses rather than dissecting and tracking past malware. The bottom line is that *NS worked*. Wherever the infection came from, NS alerted the user and prevented it from executing. Scary, but no harm, no foul.
And I'll bet NoScript has made a lifelong user and advocate of Montagar.
Merry Christmas to all, and to this issue, good night?