Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!
Neil Diamond and Firefox infection

p2pnet.net News Feature:- “What if there was an infection out there that could bypass Firefox and still get its grubby little paws on IE, and from there, the heart of your OS?” – asks paperghost on Vital Security.org.

“What if that same infection could get past not only FF, but a whole raft of other (supposedly more secure) browsers too? What if, of all people, Neil Diamond was indirectly involved in this craziness?

“Unfortunately, this has now become a reality and woe betide anyone looking for lyrics from Neil’s latest hit. You’re more likely to end up with a nasty case of browseritis.”


Firefox Spyware infects IE?
By paperghost, Vital Security.org

After hearing rumours of a Firefox Adware bundle from this thread, I thought I’d go check it out. The results were, as they say, a right kick in the pants.

But how could this happen?

The answer is that some sneaky coding is being used to get around your browser of choice. Upon visiting the target website, nothing happens. Nothing, that is, unless you have the Sun Java Runtime Environment installed on the host machine. And seeing how everyone is being urged to turn away from Microsoft's Java in favour of Sun's version, this could spell problems for the browsers currently lording it over IE.

Think you're safe because you're not actually using IE? Think you're safe because you have IE locked down tight with a HOSTS file, SpywareBlaster and the built-in security settings cranked up to the max? Wrong. This is a shot of IE with the infection domain already added to the "Restricted Sites" zone in Internet Options. Note the "ironic" affiliate banner for Firefox.

So far, so good. Using IE, nothing is getting through. And using Firefox to browse will keep me totally secure, yes?…

…well, not exactly. Visit the same page in FF and, with the JRE up and running, the below happens:

Being a curious soul, I agreed to the install – and quickly wished I hadn’t! In a flurry of remote downloads, numerous changes to the registry took place and a sizeable amount of IE specific installs began downloading. Amongst the assortment was DyFuCA, Internet Optimizer, ISTsvc, Kapabout, sais (180 Solutions), SideFind, Avenue Media and something called djtopr1150.exe lurking in the Temp folder.

Imagine my surprise when, unannounced, IE then suddenly opened up without me doing anything and looked like this:

Congratulations! Your PC is boned!

It goes without saying that, apart from Webrebates opening up adverts in the bottom right hand corner, whole swathes of entries in my favourites advertising “Adware removers” that also sell popup blockers (with popups!), Powerscan which loads at startup, yelling “DON’T GET CAUGHT WITH PORN ON YOUR PC!”, a Sidefind bar that doesn’t actually do very much and an MTV toolbar to keep the kids quiet, there was my jaw being slowly scraped off the floor as I realised in that instant that for all Firefox’s bravado, it had been cut down dead in an instant by what would normally be a bunch of rather average Adware installs.

The problem is, IE shouldn’t have been hit in this way – especially as it was locked down so tightly, and wasn’t even being used at the time. Vaguely worried by this, I tried some other browsers…the results aren’t exactly fantastic reading for the Mozilla Foundation.

  • Firefox – The install works.
  • Mozilla – The install works.
  • Avant browser – The install works.
  • Netscape 7.2 – The damn thing kept crashing, but eventually I was able to discover that the install works.
  • NetCaptor – The install is blocked.
  • Opera – The install is blocked.

Only two out of six had the good sense to steer clear of even asking the user if they wanted to install the applet. Not exactly a dazzling result.

(And it’s since been confirmed by Daniel Veditz, owner of the Security Group over at the Mozilla Foundation, that this will indeed work in Opera with the right permissions enabled…and will most likely work in NetCaptor as long as it has Java support).

So how is this happening? The developers of this install are using the Java Runtime Environment: the initial installer takes the form of a Java applet rather than an ActiveX control, which only IE supports. Because the applet runs inside the JRE rather than under the browser's own security settings, it doesn't seem to matter which browser you use, or (more worryingly) how tight your IE security is: any browser that can recognise and load the applet presents the install prompt, and once the user accepts it, the applet is free to change the registry and pull down the IE-specific components. And for those of you at the back, here's the .jar file in all its cached glory (you'll have to put up with a clickable link for this one, it wouldn't fit on the page!). I should also point out that deleting the .jar file from the cache using the Java console will not remove the numerous IE spyware and system infections now loaded onto your PC; it only removes the initial installer.

Does this mean the Emperor’s new clothes syndrome has hit Firefox? Possibly not, though it doesn’t take a genius to work out that if “The Browser you Can Trust” now has to keep one eye on its older, slightly clumsier brother as well as watch its own back then there’s a very good chance its tail could be getting ready for the mother of all burnings.
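The mechanism described above turns on one thing: the installer arrives as a cached .jar, and the Java plug-in asks the user to accept it. As an added example (not code from the post or from Vital Security), here is a Python triage script of the kind you would run against a .jar pulled from the Java cache: it reports whether the archive is signed (a signed applet, once the user accepts the prompt, runs with full user privileges in any browser that has the JRE plug-in), checks the manifest digests for tampering, and flags bundled native payloads. The sample JAR it builds is constructed inline; the entry names Loader.class and bin/dropper.exe are invented, and the signature files hold placeholder bytes because only their presence is inspected, not the certificate chain.

```python
"""Triage a cached applet JAR: signed or not, manifest digests intact, native payloads present.
Added example, not code from the post.  The sample JAR below is constructed; Loader.class
and bin/dropper.exe are invented names, the .SF/.RSA contents are placeholders."""
import base64
import hashlib
import io
import sys
import zipfile

SIG_BLOCK_EXT = (".RSA", ".DSA")               # signature blocks written by jarsigner
NATIVE_EXT = (".exe", ".dll", ".bat", ".cmd")  # things an applet has no business carrying
MANIFEST = "META-INF/MANIFEST.MF"


def _sha1_b64(data: bytes) -> str:
    # JAR manifests of this era record per-entry digests as base64-encoded SHA-1
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def _stem(name: str) -> str:
    # "META-INF/SIGNER.SF" -> "SIGNER"; used to pair X.SF with X.RSA / X.DSA
    return name.rsplit("/", 1)[1].rsplit(".", 1)[0]


def build_sample_jar(signed: bool, tamper_class: bool = False) -> bytes:
    """Constructed sample: one class, one bundled .exe, optional signature files."""
    cls = b"\xca\xfe\xba\xbe" + b"\x00" * 12   # class-file magic plus padding
    manifest = ("Manifest-Version: 1.0\r\nCreated-By: 1.4.2 (Sun Microsystems Inc.)\r\n\r\n"
                f"Name: Loader.class\r\nSHA1-Digest: {_sha1_b64(cls)}\r\n\r\n")
    if tamper_class:
        cls += b"\x01"                          # content no longer matches the recorded digest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(MANIFEST, manifest)
        z.writestr("Loader.class", cls)
        z.writestr("bin/dropper.exe", b"MZ" + b"\x00" * 62)   # MZ header only, placeholder
        if signed:
            z.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")
            z.writestr("META-INF/SIGNER.RSA", b"\x30\x82\x00\x10" + b"\x00" * 16)  # placeholder DER
    return buf.getvalue()


def parse_manifest(text: str) -> list:
    """Split a manifest into sections (dicts). Lines over 72 bytes wrap onto a
    continuation line that starts with a single space; rejoin those first."""
    joined = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]
        else:
            joined.append(line)
    sections, cur = [], {}
    for line in joined:
        if not line:
            if cur:
                sections.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        sections.append(cur)
    return sections


def triage_jar(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        sf = {_stem(n) for n in meta if n.upper().endswith(".SF")}
        blocks = {_stem(n) for n in meta if n.upper().endswith(SIG_BLOCK_EXT)}
        signers = sorted(sf & blocks)          # a signature needs both halves of the pair
        tampered = []
        manifest = parse_manifest(z.read(MANIFEST).decode("utf-8")) if MANIFEST in names else []
        for section in manifest:
            name, digest = section.get("Name"), section.get("SHA1-Digest")
            if name and digest and name in names and _sha1_b64(z.read(name)) != digest:
                tampered.append(name)
    return {
        "signed": bool(signers),
        "signers": signers,
        "classes": [n for n in names if n.endswith(".class")],
        "native_payloads": [n for n in names if n.lower().endswith(NATIVE_EXT)],
        "tampered_entries": tampered,
        # Signed and accepted by the user means AllPermission, i.e. the applet has the
        # user's full rights on the box. Unsigned code stays in the sandbox unless it
        # exploits a JRE bug, which this check cannot see.
        "full_privileges_if_accepted": bool(signers),
    }


if __name__ == "__main__":
    # Pass cached .jar paths on the command line; with none, triage the constructed sample.
    targets = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample_jar(signed=True)]
    for blob in targets:
        print(triage_jar(blob))
```

Run it with the path of a cached .jar as the argument, or with no argument to triage the constructed sample. A "signed" verdict only means the archive carries a signature pair; the certificate behind it may be self-signed or issued by nobody your browser trusts, which is exactly what the Java security warning is telling you when it says the publisher cannot be verified.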


7 Responses to “Neil Diamond and Firefox infection”

  1. Reader's Write Says:

    c’mon, if you agree to install something unknown (and ignoring a security warning), no browser can keep you from getting in trouble.

  2. Reader's Write Says:

    The clue for the user should have been the Warning Security Window!!!
    Normally Java applets (programs that are embedded in webpages) can only play a sound, connect to the computer they were downloaded from, display information and very little else. Java prevents most applets from storing files on your computer and such. If an applet needs to have additional power, then it needs to be signed. A signed applet can do anything that any program residing on your computer can do, such as change the registry, read files, delete files, write files, change files, send spam, and much more. BE VERY CAREFUL BEFORE ACCEPTING ANY SIGNED APPLET.

    If the window says "Publisher authenticity cannot be verified", it means that the applet was not signed by a certificate that your browser recognizes. If it says that the security certificate was issued by a company that is not trusted, that means that the party that signed the applet did not set up verification with a certificate company that your browser trusts.

    Even accepting a signed applet by a trusted company does not mean that you are safe. It only means that someone paid a certificate issuing company (that is trusted by your browser) money to be allowed to use a code signing certificate issued by them.

    A good rule of thumb is, “If you don’t trust the website operator to have access to your computer, don’t accept the signed applet!”

  3. Reader's Write Says:

    I have to agree. But at least Firefox has clearer warning messages. IE warnings are all the same: at first you didn't know whether it was a JavaScript error or whether you had just installed an ActiveX control from manyspywares.com.

    Either way, a few warnings are much better than an important page that doesn't work (your bank's homepage, for example).

    Security is not the main reason, I think, that most people would prefer Firefox. Internet security always has to depend on the user. You can't make a much more secure browser than Firefox or IE. If you're afraid of these things you can still use Lynx.

  4. Reader's Write Says:

    I have Sun’s Java 2 (v 1.5.0 – build 1.5.0_01-b08 – ) & Firefox 1.0.1 installed here, and yet it took me a *great* deal of effort before I came to see the ‘Security Warning’.

    And how, pray tell, did I find myself in this near “lockdown” condition? I habitually & usually run Firefox without allowing Java & Javascript run-permission[s], plus I use “Proxomitron” (v 4.5J) as a local web-proxy. In order to see the above-mentioned “Warning”, I had to enable both Java/Javascript, then disable Proxomitron (reloading the desired website after each action).

    Running Firefox as I usually do, I would *never* have seen the aforementioned *undesirable* popup/window. In my humble opinion, Firefox is *more* than safe enough. Then again, "Stupidity knows *no* season", re users who enable their browsers to run "Everything, ALL the time."

  5. Reader's Write Says:

    Well using a nice product called RegDefend (from Ghost Security) the installs could have been blocked from making their registry changes

    Admittedly not many people will have heard of the application but it is quite useful

    http://www.ghostsecurity.com

  6. Reader's Write Says:

    The common culprit is Java... how does that make Firefox guilty? I mean, how many browsers did the same?

    Sounds more like anti Firefox rant than anything else. As the rest of the people here said, nothing is 100% secure….at the very end is in the users hands.

    I once built a machine for a friend…..once every month I had to clean up over 4000 whatever-ware files, so I installed Firefox on it. Next month was the same, and the next.

    I ended up installing 2 Antivirus (Zone Alarm Suite and F-Prot32), 3 anti spyware tools (Ad Aware, Spybot and MS own), had the 2 firewalls enabled, enabled ALL the features of pop up blocking, ad block in ZA, added site restriction and even parental restrictions in both ZA and IE. I scheduled all the tools for auto update and to have all of those tools scan the machine once a day, Auto protection was on, etc etc etc.

    Guess what? Next month I had to clean up over 4000 files again... I got tired and told him I was going to treat him like a client and not a friend and charge him for the clean-ups... no more spyware.

  7. Reader's Write Says:

    I can’t use FireFox; it is chock full of infections and adware.

    Welcome to becoming mainstream — now you people have to deal with success too.
