
Re: Need NoScript like never before....

Posted: Sun May 24, 2009 6:12 am
by Alan Baxter
Tom T. wrote: Plus I don't download dancing bunnies. If I need to see them, they stay in the BunnyHutch (sandbox).
Yes! Thanks to Sandboxie, I can safely watch dancing bunnies. Yippee!

Re: Need NoScript like never before....

Posted: Sun May 24, 2009 10:35 am
by Tom T.
Alan, what terrible thing did I ever do to you? :shock:

(j/k)

Re: Need NoScript like never before....

Posted: Sun May 24, 2009 8:54 pm
by GµårÐïåñ
You two remind me of my cousins. They love the hell out of each other but never skip the opportunity to slip in a little banter. :lol: Gotta love it.

Re: Need NoScript like never before....

Posted: Sun Jun 07, 2009 8:57 pm
by luntrus
So another reason to keep the NoScript visors up, and another reason to thank Giorgio Maone for developing this Firefox extension.

The number of websites that have been hacked in the "Beladen" attack
re: http://securitylabs.websense.com/conten ... /3408.aspx &
http://blog.scansafe.com/journal/2009/6 ... et-qa.html
has now risen from 20.000 to 40.000.

This according to security vendor Websense.
More than likely attackers found access to websites through stolen FTP passwords;
SQL-injected brute-force attacks on web servers are also an option, re:
http://bt.uptime.cz/apache/apache_attack_EN.pdf
According to Websense's Carl Leonard, mainly vulnerabilities in both Internet Explorer and
Firefox browsers were being exploited, but attacks against Adobe Reader, QuickTime and WinZip are also being launched, re:
http://www.computerworld.com/action/art ... src=kc_top
Despite the recent growing number, the Beladen attacks are rather small compared to the ongoing Gumblar attacks. According to ScanSafe the number of Beladen-hacked sites would only total a couple of thousand sites:
http://www.scmagazineuk.com/Claims-made ... le/137904/

Re: '"Beladen" new attack on the block'
« Reply #7 on: June 04, 2009, 01:07:23 PM »

Here is some further info:
block *.beladen.net

Mass compromises are certainly nothing new. They regularly take place,
because attackers commonly use server-side vulnerabilities in an automated way
to infiltrate legitimate Web sites and inject them with malicious code.
The challenge in these kinds of attacks, from a security firm perspective,
is to recognize malicious patterns in legitimate Web sites (they're usually obfuscated),
and then research the exploit sites those attacks lead to. Read more here:

Beladen.net is full of various attacks and after a successful exploitation,
a malicious file will be run on the infected computer.

The exploit also uses the ‘typo-squatter’ domain with a similar name to
the legitimate Google Analytics domain (google-analytics.com),
redirecting users to beladen.net.

Beladen also had a low anti-virus detection rate.
At the time the attack was first reported,
only four out of 40 anti-virus vendors had reported the threat.
Also known now as Cruzer.D

He also said that if an exploit didn't work on a machine,
the attack would also try to download rogue anti-virus software,
in order to dupe users into downloading a trojan.

securitylabs.websense.com/content/Blogs/3408.aspx
Due to some manipulation of the DNS process, beladen.net creates
new subdomains and referral DNS servers every time.
Trying to block each of them can't be done.

So look at these examples and just block anything connected to it
[EDITED by luntrus for security reasons]:
when the problem comes up you're redirected to 7914421.beladen.n*t
and after that you're redirected to hxtp://scan4top.com/22/?uid=keyin that disguises itself like ...
wxw.vbulletin.com/forum/showthread.php?p=1735111 - 97k -

I spotted this last night, e.g.: h x t p://0e6047.beladen.net/t/m1002z188371.html
appeared down left and redirecting to h x t p://scan4note.com/22/?uid= ...
wxw.hondenforum.nl/phpBB2/viewtopic.php?p=3378096&sid=

Break-in attempt on my computer made by tzvx.beladen.n*t
Tried to connect to my computer etc.:
(91.207.61.40,80) 30.04.2009 00:08:16 zostala zablokowana. ... (was blocked)
f*lieton102.bloog.pl/kat,0,m,4,r,2009,index.html

luntrus
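A defender-side check for the two things the quoted reports describe, the injected hidden iframes on compromised sites and the "block *.beladen.net" wildcard rule, as an added example that is not code from the forum posts or from NoScript: it parses a constructed HTML page, flags iframes that are hidden and load from another host, and matches their host against the wildcard blocklist. The page host "forum.example", the blocklist contents and the sample HTML are assumptions.

```python
# Added example, not from the forum thread: audit HTML for hidden off-site
# iframes and match their hosts against a wildcard blocklist ("*.beladen.net").
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKLIST = ["*.beladen.net"]  # the "block *.beladen.net" rule quoted in the thread

def host_blocked(host, patterns=BLOCKLIST):
    """True if host equals a pattern, or is a subdomain of a '*.' pattern."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            base = pat[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == pat:
            return True
    return False

class IframeAuditor(HTMLParser):
    # Collects iframes that are visually hidden and load from another host.
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host == self.page_host:
            return  # relative or same-host frames are not what we look for
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        hidden = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", a.get("style", ""), re.I)
        if tiny or hidden:
            self.findings.append({"host": host, "src": a["src"],
                                  "blocklisted": host_blocked(host)})

def audit_html(html, page_host):
    """Return hidden off-site iframes found in html as a list of dicts."""
    p = IframeAuditor(page_host)
    p.feed(html)
    return p.findings

# Constructed sample: one legitimate frame and one injected 0x0 hidden frame.
SAMPLE = """<html><body><h1>Forum</h1>
<iframe src="/embed/stats" width="300" height="200"></iframe>
<iframe src="http://7914421.beladen.net/t/x.html" width="0" height="0"
        style="visibility:hidden"></iframe></body></html>"""
```

Run `audit_html(SAMPLE, "forum.example")` to see the injected frame reported with its host and blocklist status; the wildcard match catches the ever-changing subdomains the post complains about without listing each one.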

Re: Need NoScript like never before....

Posted: Wed Jun 10, 2009 5:07 am
by Tom T.
Hi luntrus,

It's interesting (but not surprising) that in the latest June monthly edition of the Microsoft Malicious SW Removal Tool, there is nothing in the detection list with a name anywhere close to "beladen" or "cruzer". I realize that they acknowledge that it is not a substitute for AV, and that it covers only some of the most prevalent malware, but if this is infecting *sites*, you'd think maybe they'd add it... perhaps you could try to clue them in? GL! :mrgreen:

btw, if the *site* were infected, and it infected a user, would the name of the infection be different on the user's machine?

FWIW, I notice that my machine with Avast has four variants of Cruzer in the detection list, while Avira did not have it as of yesterday. Shame on Avira! Good work, Avast (and luntrus)!

Re: Need NoScript like never before....

Posted: Wed Jun 10, 2009 9:39 pm
by luntrus
Hi Tom T,

More interesting news about gumblar, this seems to have subsided a bit now, can be found here:
http://garwarner.blogspot.com/2009/06/g ... mains.html
Another one of these grand-scale attacks, this time on a lesser scale compared to gumblar, is beladen.
And we know now that Conficker is also in an exploring-SQL-vulnerabilities scanning phase, and we do not know what the botnet will do as it starts to wake up.
How can we protect ourselves foolproof when we run the NoScript extension in our Firefox/Flock browser:
1. Go to the NoScript icon, right click it,
2. Go to options and open it up,
3. Go to Plugins,
4. In there tag all additional restrictions, and also tag Apply these restrictions to trusted sites too,
Now you're completely secure against gumblar malcode and other mass trusted-website infections.
Where this is hampering your browser experience, and what concessions you are willing to make towards that goal, is completely up to you (and your SafeHex browser habits), but with the settings as sketched above you cannot be infected by gumblar, beladen and whatever may be in the pipeline for us from CyberCrime & Co in the future.

Besides, as an avast AV user I can always have the additional Shield protection as a last resort to disconnect from
trusted sites that try to redirect you to a silent malware download site.
It is a pity that most pre-link scanners, and specifically reputation scanners, do not do you much good in predicting whether a reputable trusted site has fallen victim to these exploits; you can expect this to come from everywhere now, so non-real-time link scanners belong to the past and are no longer a valid protection option,

Be safe and secure, is the wish of,

luntrus

Re: Need NoScript like never before....

Posted: Wed Jun 10, 2009 9:59 pm
by AlphaCentauri
luntrus wrote: It is a pity that most pre-link scanners and specifically reputation scanners do not do you much good in predicting whether a reputable trusted site has been fallen victim to these exploits
I don't know of any actual cases, but someone pointed out that as infrequently as McAfee revisits sites for SiteAdvisor ratings, a bad guy could easily put up innocuous content on a new domain, get rated green, then change to downloading malware with SiteAdvisor's imprimatur.

Re: Need NoScript like never before....

Posted: Wed Jun 10, 2009 10:31 pm
by luntrus
Hi AlphaCentauri,

In this respect McAfee SiteAdvisor & WOT are slightly indicative scanners, no more than that, and only as good as the reports the scanners receive. It does not reflect the actual situation (the reputable site could just have fallen victim to a fresh hidden Iframe exploit and be redirecting to a silent malware-download site). Finjan is real-time scanning but can miss things; DrWeb's AV link pre-scanning extension sometimes does not scan deep enough and only checks the main domain, and when the malcode is not there it does not flag it.
This is a good scanner here: http://www.blacklistdoctor.com/bld/diagnose.php
this also: http://www.unmaskparasites.com/security-report/ Again they do not catch all,
So what is left is something that works all of the time, and that is a rightly configured NoScript extension together with RequestPolicy, as I see it foolproof and full-time in-browser protection,

luntrus

Re: Need NoScript like never before....

Posted: Wed Jun 10, 2009 10:41 pm
by GµårÐïåñ
With the way I have configured my NS and RP, I can walk into the lion's den and not get a single scratch. :twisted: Once more for the benefits of proactive security. :ugeek:

Re: Need NoScript like never before....

Posted: Thu Jun 11, 2009 2:26 am
by Tom T.
@luntrus:
3. Go to Plugins,
4. In there tag all additional restrictions, and also tag Apply these restrictions to trusted sites too,
This has been my standard setting from Day 1. I call it "100% lockdown" (or "full lockdown") mode. Exceptions only as absolutely needed and trusted, and most TA only -- *very* short whitelist. (35, mostly banks and other institutions, including multiple domains for the same site, so the number of sites is actually less.)

@AlphaCentauri and luntrus:
This is why I was not totally supportive of integrating WOT with NS, although I understand that it was in response to user demand. You are still trusting a third party that can be manipulated, injected, ballot-stuffed, and the things AC pointed out. The idea behind NS was "user control", and I'm still with that. If you don't need it, don't allow it. If you can't find out enough about it to feel comfortable with it, don't run it.

Also, ditto what Guardian said.

Re: Need NoScript like never before....

Posted: Thu Jun 11, 2009 1:15 pm
by luntrus
Hi TomT,

I agree with this: the basic line of defense is NS and RP. A combination of a basic reputation scanner and a blocking device does not seem very logical,

luntrus

Re: Need NoScript like never before....

Posted: Thu Jun 11, 2009 1:35 pm
by Giorgio Maone
I actually advocate reputation scanners (and WOT in particular, because SiteAdvisor's implementation is a mess) even though I don't use them, because some people may have a hard time figuring out if a site is trustworthy even though basic search skills and possibly a whois query may suffice (notice my social rather than technical definition of "trust", which doesn't imply a trustworthy site can't be compromised).

Re: Need NoScript like never before....

Posted: Thu Jun 11, 2009 8:55 pm
by luntrus
Hi Giorgio Maone,

That was the basic concept with WOT, and this goes for the search engine at www.scandoo.com also (I like to recommend that as a search page search engine in Fx) in the days where bad reputation meant compromised sites and redirects to malcode downloads; more or less the same story with Finjan SecureBrowsing (real-time scanner) and DrWeb's av-link scanner extension for Fx or Flock, so newbies had an indication as to where not to go and what was considerably safe to click (pre-scanning links). There were safe browser practices, certain sites you would not go to in order to avoid infection vectors lurking there, similar to where and why in real life one would shun a dark alley, because one could run the risk of being clubbed over the head.
Now with the new mass website infections (and it really concerns thousands and thousands of reputable trusted sites, folks) with vulnerable software on them, log-ins ready to be compromised through holes, SQL and PHP vulnerabilities, hidden Iframes redirecting to malware download sites probing browsers for known vulnerabilities or third party software also (Adobe etc.) to force fake av installers, trojans, botcode and other malcode onto a machine. With gumblar and beladen we do not know if the site infected is bad, good or ugly, and to say freely after Led Zeppelin in this case "crying won't help you, scanning will do you no good", but as an alternative you can do just a couple of things.
* - Always have the latest version of the browser and see to it that your browser is fully patched,
* - the same goes for your operating system, all critical Service Packs, updates and patches,
* - also all third party software that can be exploited, by checking through Secunia PSI, and
* - on top of that use normal browser rights instead of full admin rights (when you do not need this - updates, installing certain software), because on the Windows platform 92% of malware can do less harm to your operating system etc.: what you cannot do as a user, your operating system cannot perform either.
* - Now top these basic security measures off with using Fx or Flock with NS and RP in the right settings and configuration and there is not much that can go wrong there. That is how I stayed malware free over the last couple of years. Security, my friends, is more of an attitude; if you know how to perform safe practices it will become second nature,

luntrus

Re: Need NoScript like never before....

Posted: Fri Jun 12, 2009 5:43 am
by Tom T.
Giorgio Maone wrote: I actually advocate reputation scanners (and WOT in particular, because SiteAdvisor's implementation is a mess) even though I don't use them, because some people may have a hard time figuring out if a site is trustworthy even though basic search skills and possibly a whois query may suffice (notice my social rather than technical definition of "trust", which doesn't imply a trustworthy site can't be compromised).
I agree with Giorgio in that novices don't know what to do, and some decent advice is better than none or "globally allow", which many give up and do. As in my previous post, I understood that user demand motivated this, while those of us who have the knowledge can be more discerning. Hence "not totally supportive" in my previous post -- but not greatly opposed, either. We had too many support posts asking "How can I know if X is safe..." Giorgio is striking a very fine balance in attempting to help novice users, and increase their low retention rate of NS, while not harming your or my security at all.

If our most trusted sites are compromised, your best fall-back is virtualization or other containment of some type. I would not go to the sites that some of our users ask us to check if it were not for Sandboxie. That has worked for me, while others may find other solutions like VMware, Parallels, etc. I think that ultimately, virtualization will become standard. Presumably, Windows 7 has a virtual XP in it, though the degree of isolation has been questioned. (Guardian, are you there? Calling Guardian, the extensive beta-tester of Win7).

Re: Need NoScript like never before....

Posted: Thu Jun 18, 2009 8:10 pm
by luntrus
Hi forum friends,

There is another threat out there, urging you to keep up the NoScript visors:

After the Gumblar & Beladen attacks researchers discovered yet another big attack of which at least 40.000 websites became victims. The so-called "Nine-Ball" attack, named after the site where all attacked sites redirect to, functions in a similar way as the Gumblar & Beladen attacks, re:
http://securitylabs.websense.com/conten ... /3421.aspx
Websites are being hacked, obfuscated code is loaded there trying to infect visitors through unpatched leaks. The attackers also check whether visitors have visited the hacked site before.

If not, they get an exploit for a Windows hole (MS06-014), AOL SuperBuddy, Acrobat Reader or QuickTime. If they are known, they are redirected to another page. Via the mentioned exploits a Trojan is being installed that steals private data. Out of 41 av-solutions only 7 recognized the trojan as malware and only 3 detected the PDF exploit.

The security firm Websense has been tracking Nine Ball for a week and a half, and said compromised websites, loaded with malware, will first try to identify a web visitor by IP address to discover if it’s a repeat visitor. To evade security researchers and investigators who would likely be among any repeat visitors, the web page will dump a repeat visitor onto the search engine site Ask.com.

“Ask.com is nothing malicious, you’re just sent there if they’ve seen you before,” says Stephan Chenette, manager of security research at Websense. This type of inspection and re-direction is becoming commonplace in web attacks as a way to evade investigation, he points out.

If a web visitor is new, the victim is pushed through a few more re-directions to land at the site http://www.nine2rack.in, which may sound like a site in India, but is in Ukraine, Websense believes. The URL inspired Websense to name the attack method Nine Ball.

Isn't it time for webmasters and web admins to wake up to this situation, and why the slackness in patch routine (this is also the case with the larger majority of web browser users),