How Much Harm Can One Web Site Do?

← Back to Stories (view on slashdot.org)

How Much Harm Can One Web Site Do?

Posted by timothy on Wednesday November 24, 2004 @05:58AM from the depends-on-what-os-you're-running dept.

Ben Edelman has written extensively on issues including censorship and spyware. He's got a very interesting piece on his site now about who profits from spyware, and how much spyware can be installed on a Windows XP machine when the user simply visits a single Web site using Internet Explorer.

14 of 501 comments (clear)

Min score:

Reason:

Sort:

not much... by domenic+v1.0 · 2004-11-24 06:03 · Score: 5, Informative

if you use another browser like Firefox?
1. Re:not much... by Moridineas · 2004-11-24 06:05 · Score: 3, Informative
  
  not much, if you are decently patched (he mentions at the very end the exploit installs don't work if you are running SP2)
2. Re:not much... by narcc · 2004-11-24 06:08 · Score: 3, Informative
  
  Not all of us can run SP2 -- It just breaks too many things.
  
  --
  Required reading for internet skeptics
3. Re:not much... by aetherspoon · 2004-11-24 07:06 · Score: 3, Informative
  
  Then.... clean the machine?
  
  It isn't a real hard thing to do most times as long as you know what you are looking for and the machine doesn't touch any form of a network during cleaning.
  
  Yes, it takes awhile. Then again, would you upgrade an OS on a virus infested machine? Of course not!
  
  --
  --- Ãther SPOON!
4. Re:not much... by sadler121 · 2004-11-24 07:46 · Score: 4, Informative
  
  Not all of us can run SP2 -- It just breaks too many things.
  
  I'm running SP2 and nothing has broken thus far. Normally when people complain about SP2 breaking stuff (like a game that will not play online after patching to SP2) it has to do with the upgraded firewall. Tweaking the firewall is all that is needed to get your game (and 9 times out of 10 X app)running agian.
  
  All in all, I think Microsoft did a good job with SP2. The security center is something that should have been in the control panel to begin with. Its good to have some centralized location.
  
  But yeah, SP2 fixed a lot of things in Windows and it really didn't *break* things, it just tighten some bolts that then required the user to go and loosen what he/she wanted to use. (instead of leaving the whole damn computer open)
5. Re:not much... by deaddeng · 2004-11-24 08:24 · Score: 4, Informative
  
  There are at least two other IE exploits out there that MS has not patched, and SP2 won't protect you. see: http://isc.sans.org/diary.php?date=2004-11-20 Quote: Two More IE Vulnerabilities Exploit code has been released for two more Internet Explorer vulnerabilities that were released on Wednesday (Nov. 17). This code would enable an attacker to trick users into executing malware. These vulnerabilities affect Microsoft Internet Explorer 6.0 SP2 and are not prevented by Windows XP SP2. The original advisory is here: http://secunia.com/advisories/13203/ The proof of concept exploit: http://www.k-otik.com/exploits/2041119.IESP2disclo sure.php While on the topic, it is interesting to note some statistics that Secunia has been compiling about Internet Explorer vulnerabilities: IE 5.01 - 42 advisories (7 unpatched) http://secunia.com/product/9/ IE 5.5 - 55 advisories (8 unpatched) http://secunia.com/product/10/ IE 6.0 - 69 advisories (18 unpatched) http://secunia.com/product/11/ If you still think SP2 has mystical properties: http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatch ed/
  
  --
  --- .085 as cool; proving that a little knowledge is dangerous
6. Re:not much... by narcc · 2004-11-24 11:38 · Score: 3, Informative
  
  didja get rid of spyware trojans and viruses first? or bother to read the readme? No, you were too busy recompiling the kernel and whining about Microsoft to RTFM.
  
  Wow, you really don't have a clue, do you?
  http://www.newsfactor.com/story.xhtml?story_id=263 44
  
  http://news.com.com/Microsoft+lists+SP2+conflicts/ 2100-1016_3-5311280.html?tag=nl
  
  http://news.com.com/Microsoft+tackles+AMD+conflict +in+SP2/2100-1016_3-5326707.html
  From this article: Microsoft had advised AMD users to remove SP2 altogether.
  
  There are pleanty of others.
  And lets not forget problems with legacy applications. (Which many people need.)
  
  --
  Required reading for internet skeptics
In Case It Gets Slashdotted... by Anonymous Coward · 2004-11-24 06:05 · Score: 5, Informative

From the site.

I've written before about unwanted software installed on users' computers via security holes. For example, in July I mentioned that 180solutions software was being installed through Internet Explorer vulnerabilities. (See also 1, 2, 3) More recently, researchers Andrew Clover and Eric Howes (among others: 1, 2) have described increasing amounts of unwanted software being installed through security holes.

How bad is this problem? How much junk can get installed on a user's PC by merely visiting a single site? I set out to see for myself -- by visiting a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP), and by recording what programs that site caused to be installed on my PC. In the course of my testing, my test PC was brought to a virtual stand-still -- with at least 16 distinct programs installed. I was not shown licenses or other installation prompts for any of these programs, and I certainly didn't consent to their installation on my PC.

In my testing, at least the following programs were installed through the security hole exploit: 180solutions, BlazeFind, BookedSpace, CashBack by BargainBuddy, ClickSpring, CoolWebSearch, DyFuca, Hoost, IBIS Toolbar, ISTbar, Power Scan, SideFind, TIB Browser, WebRebates (a TopMoxie distributor), WinAD, and WindUpdates. (All programs are as detected by Ad-Aware.)

See a video of the installations (WindowsMedia format, view in full screen mode when prompted). The partial screen-shot at left shows some of the new directories created by the security exploit.

Other symptoms of the infection included unwanted toolbars, new desktop icons (including sexually-explicit icons), replacement desktop wallpaper ("warning! you're in danger! all you do with computer is stored forever in your hard disk ... still there and could broke your life!" (s.i.c.)), extra popup ads, nonstandard error pages upon host-not-found and page-not-found error conditions, unrequested additions to my HOSTS file, a new browser home page, and sites added to my browser's Trusted Sites zone.

I've been running similar tests on a daily basis for some time. Not shown in the video and screen-shot above, but installed in some of my other tests: Ebates Moe Money Maker, EliteToolBar, XXXtoolbar, and Your Site Bar.

Installation of 180solutions software through security holes is particularly notable because 180 specifically denies that such installations occur. 180's "privacy pledge" claims that 180 software is "permission based" and is "programs are only downloaded with user consent and opt-in." These claims are false as to the installation occuring in the video linked above, and as to other installations I have personally observed. Furthermore, 180's separate claim of "no hiding" is false when 180 software is installed into nonstandard directories (i.e. into C:\Windows rather than a designated folder within Program Files) and when 180 software is installed with a nonstandard name (i.e. sais.exe) rather than a name pertaining to 180's corporate name or product names.

What's particularly remarkable about these exploits is that the bad actors here aren't working for free. Quite the contrary, they're clearly expecting payment from the makers of the software installed, payments usually calculated on a per-install basis. (For example, see a 2003 message from 180solutions staff offering $0.07 per installation.) By reviewing my network logs, I can see the specific "partner" IDs associated with the installations. If the installers want to get paid, they must have provided accurate payment details (address, bank account number, etc.) to the makers of the programs listed above. So it should be unusually straightforward to track down who's behind the exploits -- just follow the money trail. I'm working on passing on this information to suitable authorities.

Note that the latest version of Internet Explorer, as patched by Windows XP Service Pack 2, is not vulnerable to the installations shown in my video and discussed above.
Re:What was the actual web page? by crimoid · 2004-11-24 06:22 · Score: 5, Informative

He used xpire.info/fa?d=get which then redirects to a series of other pages on the same site, eventually landing at www.sp2fucked.biz/user28/2DimensionOfExploitsEnc.p hp which in turn prompts him with an error and a dialoge box asking if he wants to continue executing scripts, to which he clicks "yes" after which all hell breaks loose.
Regarding the Video... by Anonymous Coward · 2004-11-24 06:35 · Score: 3, Informative

...may I point out that it is NOT worksafe? Thanks, Ben! Appreciate that.

Glad I didn't have the boss watch it with me in an attempt to convince her of the need to take better anti-spyware measures.
Another good write-up here: by Saint+Aardvark · 2004-11-24 06:37 · Score: 5, Informative
The "Follow the Bouncing Malware" series at ISC's Internet Storm Center has been quite good, too; it looks at what happened to Ordinary Joe's Windows computer when he surfs:
- Part 1
- Part 2
- Part 3
Part 4 is coming Real Soon Now (tm). The ISC handler's diary is required daily reading; always a lot of good stuff to be found. (And every now and then, there's a tale that'll make your blood run cold...)
--
Carousel is a lie!
Re:You could always use a Mac. by rainman_bc · 2004-11-24 07:18 · Score: 4, Informative

IE runs under a user with administrator privileges

No, IE runs under whatever user you are logged in as. One should definately learn to manage users. No argument there.

, but I am of the opinion that users have every right to be stupid,

Yet we all own cars... If you are too stupid to add oil to your car and you burn out your engine... It's not the manufacturers fault. There's a certain level of responsibility the users should bear as well. Users have a right to be stupid, but should pay up when they screw their computers up the same way car owners should pay if they don't maintain their vehicle or use it correctly.

. If XP needs all of these security patches just to keep going, where a mac or linux box could stand like a column of basalt for years

Again, Bullshit! There's security holes in Linux and FreeBSD. That's why we have utilities in Fedora like up2date, portupgrade, etc. So you can automate the patching of those security holes.

--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re:My e-mail to the TwainTec Legal Dept by clohman · 2004-11-24 07:32 · Score: 3, Informative

regsvr32 /u C:\DIRECTORY\twaintec.dll
How people get infected by bedelman · 2004-11-24 13:15 · Score: 3, Informative

Howdy folks. Sorry to take so long to respond -- was in airports and planes all afternoon. Day before Thanksgiving...

Browsing to the site I showed in my video is one way to get infected. But that's not the most typical infection method. Instead, other sites can and do point to this site (and other similar sites), typically via IFRAMES. I was recently looking at a post in a web-based threaded messaging site, which used a 1x1 pixel IFRAME (basically, hidden) to reference the site shown in my video. When a user loads the infected post in the threaded messaging site, the user's PC will be infected via the exploits shown (if the user's PC is vulnerable to such exploits), and the user will receive spyware like that shown in the video.

As to video format: I apologize for the WMV format. There's a lot to be said for this format, from the reliable free creator to the wide deployment of the player software (present in all W2K and WXP systems). But clearly it's an imperfect solution, and not great for viewers on other platforms. I'm working on finding a better alternative and/or offering the same content in other formats.