Tom T wrote:... Web browsers are capable of running JavaScript outside of the sandbox, with the privileges necessary to, for example, create or delete files. Of course, such privileges aren't meant to be granted to code from the web. [[But it happens, right? (bold and italics are mine) -- T.T.]]
If you can create a file, you can create an executable file.computerfreaker wrote:What about execute privs? That's the bigger of the 2 steps...
Tom T wrote:... Web browsers are capable of running JavaScript outside of the sandbox, with the privileges necessary to, for example, create or delete files. Of course, such privileges aren't meant to be granted to code from the web. [[But it happens, right? (bold and italics are mine) -- T.T.]]
computerfreaker wrote:What about execute privs? That's the bigger of the 2 steps...
But can you install that file? Creating an exe and running an exe are two different things...Tom T. wrote:If you can create a file, you can create an executable file.
So... the innoshots malware must have come through a browser/plugin vuln, right?Giorgio Maone wrote:JavaScript can't install exes without user consent unless it exploits some browser and/or plugin vulnerability.
Unfortunately, this kind of beasts are far from uncommon (at this moment, for instance, there's an Adobe Reader 0day in the wild, while latest Fx update fixed 4 bugs exploitable for this purpose).
The worst of JavaScript is that if such a vulnerability can be exploited, it doesn't even need to install anything in order to compromise your system, since it's a programming language of itself.
Not either, for the same reason: NS will protect you from plugin vulnerabilities as long as the plugin content is not downloaded from a trusted source (or even in that case, if you've got the same configuration as me).computerfreaker wrote:EDIT: I doubt it would have been a Fx vuln as Tom was running NS... probably a plugin vuln.
computerfreaker wrote:EDIT: I doubt it would have been a Fx vuln as Tom was running NS... probably a plugin vuln.
Tom already ruled out warez, and IMHO a malicious e-mail attachment would be pretty obvious (i.e. surely, of the 3 people with the same infection, at least 1 would relate that to the e-mail attachment they just opened...)Giorgio Maone wrote:Not either, for the same reason: NS will protect you from plugin vulnerabilities as long as the plugin content is not downloaded from a trusted source (or even in that case, if you've got the same configuration as me).
So the most likely venue for infection here would be either a malicious email attachment or some warez.
I will run some Flash from YouTube (whitelist YouTube and yimg), but only in Sandboxie, so any malicious code should be dumped on closing the browser. Flash is blocked by default, and I allow only the desired video, by clicking the placeholder. I have 100% of Embeddings checked.Giorgio Maone wrote:Not either, for the same reason: NS will protect you from plugin vulnerabilities as long as the plugin content is not downloaded from a trusted source (or even in that case, if you've got the same configuration as me).computerfreaker wrote:EDIT: I doubt it would have been a Fx vuln as Tom was running NS... probably a plugin vuln.
Never opened an attachment from unknown sources, and generally scan even those from friends and business associates, although we've seen some surprising failures of AV-detection posted here lately.Giorgio Maone wrote:So the most likely venue for infection here would be either a malicious email attachment or some warez.
Actually, the ever-increasing script count at Yahoo Mail is up to 85 ATM. But Montagar doesn't use Yahoo mail, and I don't allow scripting from http://www.yahoo.com, only from mail.yahoo.com. I *think* that change was made before this incident, but there's a tiny possibility it might have been made in response to this issue. I'd have to dig through full-disk-image backups to see if I can pin down when I made that change. Montagar may have visited Yahoo or some sub-domain of it. Does he allow any scripting from Yahoo parent or subs?computerfreaker wrote:Tom said he had to allow 40 or so scripts so he could use Yahoo mail, and (IIRC) Monty had to allow scripts to run on Google. Because the scripts were allowed, NS would no longer offer protection... so at this point, we're looking at Google, Yahoo and Firefox getting hacked. Is that a possibility, or is that just too much hacking for someone to handle?
However, in this case, it *did* install something: a folder with several files, disguised as a Fx add-on, complete with "install.rdf" files and the <hidden> install tag. So I think computerfreaker's question was whether malicious JS could do that *without* exploiting a vuln -- which, as Giorgio points out, are common anyway.Giorgio Maone wrote:The worst of JavaScript is that if such a vulnerability can be exploited, it doesn't even need to install anything in order to compromise your system, since it's a programming language of itself.
Just to be clear, I did not have NS installed when I picked up this malware. I only found out that I had it after I installed NS.computerfreaker wrote:[snip]and (IIRC) Monty had to allow scripts to run on Google. Because the scripts were allowed, NS would no longer offer protection... so at this point, we're looking at Google, Yahoo and Firefox getting hacked. Is that a possibility, or is that just too much hacking for someone to handle?[/snip]
Giorgio Maone wrote:Not either, for the same reason: NS will protect you from plugin vulnerabilities as long as the plugin content is not downloaded from a trusted source (or even in that case, if you've got the same configuration as me).computerfreaker wrote:EDIT: I doubt it would have been a Fx vuln as Tom was running NS... probably a plugin vuln.
Did you go to Yahoo mail?Tom T. wrote:I will run some Flash from YouTube (whitelist YouTube and yimg), but only in Sandboxie, so any malicious code should be dumped on closing the browser. Flash is blocked by default, and I allow only the desired video, by clicking the placeholder. I have 100% of Embeddings checked.
I wouldn't have gone to YT, nor any other site with active plugin content allowed, during the time that I was able to reproduce the issue and was actively investigating it.
Which is the track I'm following right now - because it was written into the sandbox during a normal browsing session, you had to have picked it up during your normal browsing session. Since you have NS running, it had to have come from some allowed domain - like Yahoo Mail.Tom T. wrote:The fact that I run sandboxed 100% of the time implies a "live" infection, as nothing can write outside the sandbox except NS prefs, Adblock prefs, cookie prefs, bookmarks, etc. No file-creation or installation allowed, so it would have had to have been picked up at the time of investigation -- because it disappeared in the next session, i. e., once the browser had been closed and the sandbox emptied. So it was written into the sandbox.
computerfreaker wrote:Tom said he had to allow 40 or so scripts so he could use Yahoo mail, and (IIRC) Monty had to allow scripts to run on Google. Because the scripts were allowed, NS would no longer offer protection... so at this point, we're looking at Google, Yahoo and Firefox getting hacked. Is that a possibility, or is that just too much hacking for someone to handle?
I'm no longer at a loss.Tom T. wrote:Actually, the ever-increasing script count at Yahoo Mail is up to 85 ATM. But Montagar doesn't use Yahoo mail, and I don't allow scripting from http://www.yahoo.com, only from mail.yahoo.com. I *think* that change was made before this incident, but there's a tiny possibility it might have been made in response to this issue. I'd have to dig through full-disk-image backups to see if I can pin down when I made that change. Montagar may have visited Yahoo or some sub-domain of it. Does he allow any scripting from Yahoo parent or subs?
I don't allow scripting from Google.com -- it's Untrusted -- so I'm at a loss.
Giorgio Maone wrote:The worst of JavaScript is that if such a vulnerability can be exploited, it doesn't even need to install anything in order to compromise your system, since it's a programming language of itself.
I was wondering whether malicious JS could install - and execute - those files without exploiting a vuln. However, as I think about it, I'm not inclined to think JS could get away with that without exploiting a vuln...Tom T. wrote:However, in this case, it *did* install something: a folder with several files, disguised as a Fx add-on, complete with "install.rdf" files and the <hidden> install tag. So I think computerfreaker's question was whether malicious JS could do that *without* exploiting a vuln -- which, as Giorgio points out, are common anyway.
I know that we're at almost 250 posts here, and the thread is almost two months old, but to refresh memories, yes, very early on I had said that the only three sites visited when it first showed up were Yahoo mail, this forum (probably not a suspectcomputerfreaker wrote:Did you go to Yahoo mail?
) and Google, the latter being only for the sake of reproducing it. Once having done so, I then went to Ask and Bing, but only for reproduction: the infection was already there. So yes, I've included the possibility that someone slipped one in on Yahoo *for a relatively brief period of time*, else more Yahoo users would have reported it -- and I would have gotten it again in the next browsing session, with a clean sandbox, when I checked my mail the next day.
Actually, his latest post makes it easier. Without NS, he could have picked it up from *any site he visited*, at any time in the last ... six months? Year? He wouldn't have discovered it until the first of the following: His next attempt to visit any of the affected targets, seeing the redirection; or his installation of NS, then attempting to visit the targets, and seeing NS block it. So the whole universe of Montagar's browsing is possible.computerfreaker wrote:I was following that same line with Montagar, but that's off per his latest post...
The JS wouldn't have to execute the files. Since they posed as a legit Fx add-on, *Firefox* would execute them. Or they'd be self-executing. Merely writing them is good enough -- and as Giorgio points out, at any given moment, there are undisclosed vulns in the process of being patched, plus unknown (to Mozilla or MS or anyone else) vulns being discovered by the wrong people. This was why RSnake said "The browser (ALL browsers) is fundamentally broken" -- and why NS + other layers are needed.computerfreaker wrote:I was wondering whether malicious JS could install - and execute - those files without exploiting a vuln. However, as I think about it, I'm not inclined to think JS could get away with that without exploiting a vuln...
I know this works, because I use exactly such a startup batch script to clean the "fungus" (accumulated, useless log files, etc.) off my puter at each boot.
computerfreaker wrote:Did you go to Yahoo mail?
Probably Yahoo mail... I doubt they'll admit it though.Tom T. wrote:I know that we're at almost 250 posts here, and the thread is almost two months old, but to refresh memories, yes, very early on I had said that the only three sites visited when it first showed up were Yahoo mail, this forum (probably not a suspect
computerfreaker wrote:I was following that same line with Montagar, but that's off per his latest post...
That's why I figured that line was off with him - he wouldn't have any idea what site he got it from.Tom T. wrote:Actually, his latest post makes it easier. Without NS, he could have picked it up from *any site he visited*, at any time in the last ... six months? Year?
yup.Tom T. wrote:He wouldn't have discovered it until the first of the following: His next attempt to visit any of the affected targets, seeing the redirection; or his installation of NS, then attempting to visit the targets, and seeing NS block it. So the whole universe of Montagar's browsing is possible.
318x isn't too pretty... Gumblar was worse though IMHO. But I digress...Tom T. wrote:Given that, I don't think we need to give the black-hats that much credit. It's not the first time any major site has had an exploit, including Google and Yahoo, and it won't be the last. Hundreds of thousands, or millions, of sites were hit by 318x infection (Google it if you like; just don't click the links) recently.
computerfreaker wrote:I was wondering whether malicious JS could install - and execute - those files without exploiting a vuln. However, as I think about it, I'm not inclined to think JS could get away with that without exploiting a vuln...
yep, I get what you're saying. Not too pretty... then again, none of this has been.Tom T. wrote:The JS wouldn't have to execute the files. Since they posed as a legit Fx add-on, *Firefox* would execute them. Or they'd be self-executing. Merely writing them is good enough -- and as Giorgio points out, at any given moment, there are undisclosed vulns in the process of being patched, plus unknown (to Mozilla or MS or anyone else) vulns being discovered by the wrong people. This was why RSnake said "The browser (ALL browsers) is fundamentally broken" -- and why NS + other layers are needed.
Here's another overly-simplistic analogy: Give me five minutes alone at your keyboard -- say, while you make a pit stop. I write a simple but malicious batch script and drop it directly into your "startup" folder, then leave. When you come back, you have no reason to believe anything's been tampered with; no visible evidence; everything runs normally. But unless you're in the habit of checking your startup folder before every shutdown, the next time you boot, you're going to be badly hosed.
So all the JS has to do is get the files on the machine, not execute them. Crude analogy, buy you get what I'm trying to say.
You're right, there's nothing more we can do unless somebody else reports this.Tom T. wrote:And now it's time to ask: Is it really worthwhile to continue to spend time trying to track down the source -- or hundreds of thousands of possible sources -- of this infection, when it's probably impossible (without some new sighting with more information)? We've all learned a lesson; SANS publicized it; and even if Giorgio Maone *could* track it, which he couldn't without a lot more information, I'd rather see him spending his time enhancing our future defenses rather than dissecting and tracking past malware. The bottom line is that *NS worked*. Wherever the infection came from, NS alerted the user and prevented it from executing. Scary, but no harm, no foul.
"It's an ill wind that blows no good", eh?Tom T. wrote:And I'll bet NoScript has made a lifelong user and advocate of Montagar.
Agreed.Tom T. wrote:Merry Christmas to all, and to this issue, good night?
There's always something that can be learned from anything!computerfreaker wrote:"It's an ill wind that blows no good", eh?
Oh, definitely not locked. Just that Montagar, you, and I were the ones spending the most time on it; agreeing to let it go and concentrate on other things.computerfreaker wrote:Please don't lock this, though; perhaps we'll get a new report or two.
A) Merry Christmas!computerfreaker wrote:Merry Christmas!
Absolutely!Tom T. wrote:And I'll bet NoScript has made a lifelong user and advocate of Montagar.
Merry Christmas to all of you!Tom T. wrote:Merry Christmas to all, and to this issue, good night?