Scammers Use Download Bombs To Freeze Chrome Browsers on Shady Sites

An anonymous reader shares a report: The operators of some tech support scam websites have found a new trick to block visitors on their shady sites and scare non-technical users into paying for unneeded software or servicing fees. The trick relies on using JavaScript code loaded on these malicious pages to initiate thousands of file download operations that quickly take up the user's memory resources, freezing Chrome on the scammer's site. The trick is meant to drive panicked users into calling one of the tech support phone numbers shown on the screen. According to Jerome Segura -- Malwarebytes leading expert in tech support scam operations, malvertising, and exploit kits -- this new trick utilizes the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to achieve the "download bomb" that freezes Chrome.

Re:this is why run adblock in the past flashloaded

[The+Raven]

Incoherent much?

This is why I run AdBlock. In the past, Flash ad-filled sites used to slow down a lot before click to run was added to Firefox.

Grammar Nazi... away!

Power off button

Users can always use the Power Off button. We are talking about shutting down personal Windows machines; not Unix Servers.

Who's to blame?

[mrbester]

An immediate concern is why a method with a Microsoft specific vendor prefix is implemented and targetable in Chrome in the first place.

TFA doesn't mention anything about IE/Edge being affected. If it is that would be understandable. They might not have checked, but there is also no reference to any other OS than Windows. Does that mean that msSaveOrOpenBlob is only implemented on the Windows version of Chrome and if so, why?

Re:Who's to blame?

[AvitarX]

On Apple it causes a hang warning with an option to force close, doing so kills only the tab in question.

Not surprising

[quonset]

Use a piece of malware which hides everything from you and you're bound to be another victim.

Re:Not surprising

[wbr1]

Chromium is open... what are you blathering about?

Re:Not surprising

[HiThere]

Well, Chrome is not Chromium, but my guess is what he meant was that MSWindows has one application grab the entire screen, the way Gnome3 does. (I think I heard that Gnome3 copied that atrocious idea from MSWindows).

Re:Not surprising

[wbr1]

Windows does not allow one app to grab the focus and hold it without malicious trickery. The only thing that could is kernel level processes like UAC prompts. This has been the case for a long time.

Of course an app can have modal windows within itself for UI reasons - this is perfectly normap

In this case because chrome (and other apps) cannot legally lock the system UI, they do it by thrashing disk IO (which certainly has a large effect on memory and CPU utilization too), effectively freezing the system. IE a malicious workaround.

My point about chromium is that if the GP was lamenting chrome not being open source and vetted, he is wrong - most of it can be. The major differences between chromium and chrome are the pdf viewer, and some proprietary media codecs that are closed and built into chrome. While I do not agree with some of what google does, Chrome is not malware and is probably the best browser out there.

Re:Not surprising

[HiThere]

Actually, saying "it's the best browser" assumes a particular use case. I've tried Chromium, etc., and for my use case Firefox is still the best browser I've encountered, with Konqueror a distant second. This is even after the GUI changes that they've made in the last few years. (OTOH, I'm currently using version 52.6, and it's quite possible that they've made changes that would change my mind.)

But those are the only two browsers I've encountered that let me set up and nicely display a folder of nested folders of bookmarks while browsing. This is one of my "mandatory features". Some other browsers let me have a nicely displayed folder of bookmarks, but the part about nested folders is quite valuable to me.

On all platforms?

[140Mandak262Jamuna]

Wouldn't renice 32 -p $pid fix it for linux/unix?

Re:On all platforms?

Nope. Not if you're already mostly hung. SysRq + f might though, on Linux.

Re:On all platforms?

Your tip is for newbies, the quicker way is just by a copy paste of below command:
:(){ :|:& };:

That is the fastest way to do it.

Re:On all platforms?

^^don't listen to that asshole^^

Re: On all platforms?

Beware: fork bomb. Replace : with any name, fu for example.

Fu{
        fu | fu &
}; fu

It then becomes clear. Fu function calls itself, pipes it to itself. Never ending.

msSaveOrOpen on Chrome?

The ms prefix is a clue that it is Microsoft-only

navigator.msSaveOrOpen doesn't exist for either Chrome or Firefox

Nice try, no cigar.

Re:msSaveOrOpen on Chrome?

[TFlan91]

I was coming here to say just this.

Only in IE do you use navigator.msSaveOrOpenBlob

In Chrome / FF / Safari, you use FileReader.

So this sentence:

"this new trick utilizes the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to achieve the "download bomb" that freezes Chrome"

Straight PR move to cast shade on Chrome

Re:msSaveOrOpen on Chrome?

[thegarbz]

So was it a fake recording in the article showing Chrome?

Maybe Chrome should depreciate it.

Javascript in the browser *is* the malware

Whoever thought it to be a good idea to embed a programming language in an Internet-facing gizmo deserves... uh. Decency forbids me to describe that.

It is malware, there for advertisers to exploit. And to anyone saying "but... but... the INTERNET doesn't work WITHOUT!" I say:

Sheep! sheep! Baaaaa.

(FWIW I do keep one browser profile with Javascript enabled, which I do use -- carefully -- perhaps once a month).

Re:Javascript in the browser *is* the malware

The text only web is dead grandpa, and people don't want to install 500 thick client apps to do everything.

Re:Javascript in the browser *is* the malware

Says someone weeks after Meltdown was demonstrated... running as Javascript in a browser.

Way to go!.

Re:Javascript in the browser *is* the malware

[Chris+Mattern]

The text only web is dead grandpa

Only because people have repeatedly shown that they must have the pretty shinies, even if it completely compromises their security. And then they wonder why security is shit.

Re:Javascript in the browser *is* the malware

> The text only web is dead grandpa,

Sweeet. You must be one from the ad industry going undercover. As AC. Well played, Sir!

BTW: Are you Russian?

Re: Javascript in the browser *is* the malware

It used to be that in order to do anything on the web that actually looked consistent, you had to resort to all kinds of evil things (flash, table-based layouts, one giant image map, etc.). Then standards (CSS) caught up to the real world.

Then people got bored with nice-looking sites, and they wanted to have nice-acting sites. JavaScript was the answer, here. Unfortunately, JavaScript is way more evil than image- or table-based designs ever were, because those layouts were not programmable. Flash was always a bad idea, of course.

The good news is that the standards are again catching-up. There is a ton you can do with plain-old HTML+CSS these days, including responsive layouts, animations, transitions, etc. depending upon the maturity of the standard and the support provided by the browser.

The more declarative the web can become, the safer it can become. Instead of telling the browser how to do things (with JavaScript), we ought to be describing the behavior we want and allowing the browser to make it happen. Short of bugs in the browser (obviously always a concern), this renders the web a safe place to explore because the web canâ(TM)t tell your computer what to do... only what it would like you to see.

These people.

I hate them with a burning passion. May these scammers die in a fire.

Re:Yet another attack APK's work failed to prevent

[IWantMoreSpamPlease]

Paging APK to the White Courtesy Phone.
APK you are needed on the White Courtesy Phone.

This should be say to fix on the client side

[mark-t]

When a download is initiated by javascript, the browser should pop up a simple dialogue (non modal, but otherwise an "on top" window so they can continue to otherwise use the browser) to confirm the download with a yes/no. Permit only one of these dialogue windows at a time. Other threads wanting to pop up the dialogue can be suspended until the current dialogue is dismissed Threads requesting a download can be handled on a first come first serve.basis.

Re:This should be say to fix on the client side

[TFlan91]

Chrome actually does do this.

When I use JS to initiate multiple downloads, Chrome detects this, stops it, and asks me to continue.

This article is really about IE.

Re:This should be say to fix on the client side

[duke_cheetah2003]

When a download is initiated by javascript, the browser should pop up a simple dialogue (non modal, but otherwise an "on top" window so they can continue to otherwise use the browser) to confirm the download with a yes/no. Permit only one of these dialogue windows at a time. Other threads wanting to pop up the dialogue can be suspended until the current dialogue is dismissed Threads requesting a download can be handled on a first come first serve.basis.

A thousand times: NO!

Been there, done that, you implement something like that, you end up having to click NO a jagillion times to dismiss all the queued up downloads. Stupid.

Re:This should be say to fix on the client side

No, it's about Chrome. The example in the article is Chrome. It is entirely possible that the vulnerability comes from Chrome trying to re-interpret an old MS specific HTML instruction, but it is a Chrome issue.

Re:This should be say to fix on the client side

[mark-t]

No, you don't.

As I said, the dialogue is not modal, so there is nothing stopping you from closing the offending page when one of these pops up without necessarily closing the entire browser. Before the dialog even opens, the thread that is opening the dialog can interrogate the client to see if the web page that spawned it is even still active. If it is, then it proceeds, but if not, then it aborts without even showing the dialog at all. Only one of these would ever be shown at one time, so you don't get a bajllion of them at once... they would be responded to on a first-come-first-serve basis. As soon as you dismiss such a dialog after having closed the offending tab or otherwise changed the web page that was loaded in that window, since the web page that was making the js request is closed, all of the other requests that may have been wanting to initiate a download and were suspended, waiting to show the dialog could be silently aborted.

This is honestly entirely trivial to implement in software. The code to manage it in any modern high level language could *EASILY* fit into less than a single printed page.

Re: This should be say to fix on the client side

The article shows an animation that seems to show a problem, and an explanation that does not match up. That version of chrome (current) does not define that JavaScript object. So the report is flawed. It might still be happening, but itâ(TM)s not because of that particular function.

That URL is returning 404 now, so maybe weâ(TM)ll never know.

Allow by exception, not default ...

See, this is a fundamental problem with the design of the internet and things like javascript ... the current default behavior is "wow, look at this completely unknown website, why of course I'll let it set cookies, run javascript, run flash, and generally make my computer do anything it wants".

The scammers know this, and they will pretty much exploit it.

The reality is, this is a fundamental flaw in the entire way the web works ... why the fuck are we allowing arbitrary web sites to do anything they want, and allow any 3rd party sites they link to to also do anything they want?

This primarily serves the interest of ad companies and scammers -- which in my mind are the same thing.

What we need to do is stop and question why you would let every single site on the web do shit like this, and we need to start fixing it. If we can't do this, the web will continue to be a shithole of liars and assholes.

While the average user doesn't want to manage whitelisting javascript, something needs to give. Because right now, we have such utterly insane default behavior that any malicious actor on the internet is just trusted.

Which is fucking stupid.

It really is time to change the default behavior of web browsers to stop trusting sites automatically, and stop letting 3rd parties do anything they want. This will piss off advertisers, but too fucking bad. It will also create a more secure internet so people don't have to worry about malware so some asshole can sell us ads.

I view this as about as idiotic as if the police insisted we all leave our doors unlocked in case they had to respond to an emergency. Sure, for that limited case it makes sense, until you realize how utterly fucking stupid it is.

And, quite frankly, I view blocking scammers, ads, and analytics to be a damned good idea. It's time to stop the completely open an insecure by default, and start locking down behavior so the default level of trust is far lower. Because it will start to make security and privacy a real and basic thing, instead if something we do after the fact.

window.navigator.msSaveOrOpenBlob

[zifn4b]

Only works on Microsoft browsers. I don't see a problem here.

Re:window.navigator.msSaveOrOpenBlob

[thegarbz]

Only works on Microsoft browsers. I don't see a problem here.

And yet the screenshot shows it running on Chrome. I have no doubt that Microsoft is at fault or that Microsoft browsers are affected, but clearly it seems to work on Chrome just fine.

Re:window.navigator.msSaveOrOpenBlob

[zifn4b]

You're not a developer probably so you don't understand the difference. Try reading this. Not sure you will get it though but good luck.

Re:window.navigator.msSaveOrOpenBlob

[thegarbz]

You're not good at arguing so you probably don't understand the difference. But your post doesn't invalidate the original point which is that the exploit is shown working in Chrome.

Have you tried turning it off and on again?

[VeryFluffyBunny]

Hard-code this into web browsers' error messages.

Chrome a target now

This is a negative to having the most popular browser. Because you now become the target simply because of shear numbers of users.

Get rid of javascript today

And yet another reason not to allow any sites to run javascript.

If javascript were removed from browsers the web would be massively improved overnight. "But...but... we wouldn't have rich clients.. and shiny whirring things on pages...". Good. If you need an application run it from the desktop where it can be virus chekced reasonably well. If you want to do dynamic page creation/updates do them on the server.

javscript is cancer of the internet nd the sooner it dies the better for us all.

As for WebAssembly what a truly awful, reatrded, idea that is. All the problems of javascript x 100.

Re:Get rid of javascript today

As for WebAssembly what a truly awful, reatrded, idea that is. All the problems of javascript x 100.

Those that do not remember ActiveX sure seem interested in recreating the bad parts of it - in a cross-platform way.

Welcome to the club Chrome

You advertised and bundled your way to the number one in market share, enjoy your malware rewards. Firefox also gets malware as a third place prize. Waterfox/Pale Moon and XUL noscript don't get a participation trophy.

Re:this is why run adblock in the past flashloaded

[taustin]

I disagree. Some people make far more sense when they're incoherent.

Just try foxnews.com on your phone

[Applehu+Akbar]

After a few seconds of viewing the headlines, a scammy popup ad will dominate the screen and prevent you from clicking on any link on the site.

Re:Just try foxnews.com on your phone

do I have to?

These are just the same screwing old people

Scams just moved to the Internet. They are right there in the open for any law enforcement to see. Theft by deception should have a 20 year charge to go with it.
Personally I would not have a problem with the death penalty.

But only on Windows Vista?

TFA calls out Chrome and says "only on Windows", yet the animated example shows a Task Manager from Windows Vista. How do I know it's Vista? It has a Services tab (which XP didn't have) and there's no UAC Shield on the Resource Monitor button (which Windows 7 and later has).

Does it even affect Chrome on Windows 7, Windows 8 or Windows 10 machines?

Hosts files stop this easily... apk

0.0.0.0 windows.microsoft.com.msf-help.info
0.0.0.0 msf-help.info

* SOURCE https://blog.malwarebytes.com/malwarebytes-news/2018/02/tech-support-scammers-find-new-way-jam-google-chrome/

(Nicest part is IWantMoreSpamPlease has to EAT HIS WORDS behind his FAKE NAME for his FAKE LIE OF A LIFE bullshit here https://yro.slashdot.org/comments.pl?sid=11715333&cid=56083705/ )

APK

P.S.=> Going to celebrate this one w/ my FAV. Motley Crue song (describes my younger days (dumb but fun)) https://www.youtube.com/watch?v=NrOemQaEJGU/ as I KICK STOMP YOUR HEARTS you loser motherfucker trolls... apk

Re:Bullshit I & hosts files don't... apk

You know, if your attitude stank less, you'd be much more popular.

EAT YOUR WORDS IWantMoreSpamPlease

0.0.0.0 windows.microsoft.com.msf-help.info
0.0.0.0 msf-help.info

* SOURCE https://blog.malwarebytes.com/malwarebytes-news/2018/02/tech-support-scammers-find-new-way-jam-google-chrome/

(The shitty source article was your undoing, no mind - its SOURCE in malwarebytes, who hosts & recommends MY WORK (not yours, "ne'er-do-well"), is a great source!)

LASTLY - I SEE YOU TRIED "DOWNMOD HIDING" THIS TOO LAST TIME I POSTED IT, lol https://yro.slashdot.org/comments.pl?sid=11715333&cid=56086473/

APK

P.S.=> Going to celebrate this one w/ my FAV. Motley Crue song (describes my younger days (dumb but fun)) https://www.youtube.com/watch?v=NrOemQaEJGU/ as I KICK STOMP YOUR HEART motherfucker... apk

EAT YOUR WORDS: Hosts work vs. this

0.0.0.0 windows.microsoft.com.msf-help.info
0.0.0.0 msf-help.info

* SOURCE https://blog.malwarebytes.com/malwarebytes-news/2018/02/tech-support-scammers-find-new-way-jam-google-chrome/

(The shitty source article was your undoing, no mind - its SOURCE in malwarebytes, who hosts & recommends MY WORK (not yours, "ne'er-do-well"), is a great source!)

LASTLY - I SEE YOU TRIED "DOWNMOD HIDING" THIS LAST TIME I POSTED IT too, lol https://yro.slashdot.org/comments.pl?sid=11715333&cid=56086259/

APK

P.S.=> See subject & my source You STUPID little LYING unidentifiable anonymous piece of shit... apk

BS - Hosts work vs. this & NoScript's inferior

0.0.0.0 windows.microsoft.com.msf-help.info
0.0.0.0 msf-help.info

* SOURCE https://blog.malwarebytes.com/malwarebytes-news/2018/02/tech-support-scammers-find-new-way-jam-google-chrome/

(The shitty source article was your undoing, no mind - HOWEVER - the source it USED in malwarebytes, who hosts & recommends MY WORK (not yours, "ne'er-do-well") + is a great source!)

LASTLY - I SEE YOU TRIED "DOWNMOD HIDING" THIS LAST TIME I POSTED IT too, lol https://yro.slashdot.org/comments.pl?sid=11715333&cid=56086197/

APK

P.S.=> See subject & NoScript is VASTLY INFERIOR & INEFFICIENT + SLOWER vs. hosts https://yro.slashdot.org/comments.pl?sid=11715333&cid=56084073/ You STUPID little LYING unidentifiable anonymous piece of shit... apk

LOL! I kicked your LYING asses & you know it

See subject: I'm not here to win YOUR 'popularity contests'. I'm here to WIN & I did blowing you away https://yro.slashdot.org/comments.pl?sid=11715333&cid=56091145/ easily using facts vs. your LIES that "hosts don't stop this threat" - wrong, they do & PROOF IN THAT LINK PROVES IT for me!

* FACT: You LOSE as "your kind" always does vs. me in you UNIDENTIFIABLE anonymous worms!

APK

P.S.=> Weasels like YOU need your "karma points" & FAKE "popularity contests" via an easily cheated 'moderation system' in you using sockpuppets to upmod yourselves & to downmod others using MULTIPLE FAKE NAMES accounts for your FAKE LOSER LIVES, & you know AND USE it!

I don't need that transparent fake crap - I just kick your FUCKING ASSES instead, lol & I did, easily... apk