Today, trusted Web sites can no longer be trusted. Those of us who collectively click on the billions of hyperlinks generated each day by search engines, blogs and e-mail are playing Russian roulette with our computers.
Can the search results of Google, Yahoo, MSN and Technorati really be so hazardous to our computers' health? Sadly, the answer is yes.
So why do we click on hyperlinks with such wild abandon? The answer is that most of us have been taught that as long as we're not accessing pornography or illegal file-sharing sites, and as long as we keep our antivirus and anti-spyware updated, we're safe.
It's time for a reality check.
Cybercriminals continue to invent new and diabolical ways of delivering their crimeware payloads. Recently they've moved into the Web development tooling business: they give away components that well-meaning site owners paste into otherwise trustworthy Web sites, and those sites then unwittingly deliver a malicious software payload to every visitor.
Last month, while conducting my ongoing crimeware research, I stumbled into a new Web site in the U.K. operated by a self-employed plasterer. The plasterer, apparently hoping to promote his business online, had recently created a Web site using--as many of us do--free Web development tools.
Unbeknownst to the plasterer, however, one of the freeware tools he downloaded, which allowed him to place a Web counter on his site, was now inadvertently exposing his visitors to malicious crimeware.
My analysis revealed that the free Web counter had hidden functions. When someone visited the plasterer's site, the Web counter contacted a Web server in Slovakia, which in turn pulled a drive-by download from a server in Colorado; that download was then silently installed on the unsuspecting visitor's computer.
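The first thing a site owner or responder wants to know about a pasted-in widget is what it actually makes the browser load. The script below is an added example, not code from the article or from Exploit Prevention Labs: it inventories every external resource a page references and flags frames that are sized or styled to be invisible, the usual carrier of a drive-by download. The sample page, the counter URL and the hidden frame are constructed for the example; the article does not say by what mechanism the counter reached the Slovakian server.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes through which a page pulls in remote content, by tag.
LOADING_ATTRS = {
    "script": "src", "iframe": "src", "frame": "src", "img": "src",
    "embed": "src", "object": "data", "link": "href",
}


class ResourceCollector(HTMLParser):
    """Collects every URL the page asks the browser to fetch, with its tag and attributes."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []          # (tag, absolute_url, attrs dict)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = LOADING_ATTRS.get(tag)
        if attr is None or not attrs.get(attr):
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        self.resources.append((tag, urljoin(self.base_url, attrs[attr]), attrs))


def _is_hidden(attrs):
    """Zero- or one-pixel frames and display:none are how drive-by frames stay out of sight."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    zero = {"0", "0px", "1", "1px"}
    return (attrs.get("width") in zero or attrs.get("height") in zero
            or "display:none" in style or "visibility:hidden" in style)


def audit_page(html, page_url):
    """Return the external loads a page makes: [(tag, host, url, flags)] in page order."""
    site = urlparse(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    report = []
    for tag, url, attrs in collector.resources:
        host = urlparse(url).hostname
        if host is None or host == site:
            continue                 # same-origin loads are the owner's own content
        flags = []
        if tag in ("iframe", "frame", "embed", "object"):
            flags.append("active-content")
        if tag in ("iframe", "frame") and _is_hidden(attrs):
            flags.append("hidden-frame")
        report.append((tag, host, url, flags))
    return report


# Constructed page, not the plasterer's real site: a business page that pastes in a
# free "counter" the way the article describes. The counter host and the hidden frame
# are assumptions about the mechanism, not details taken from the article.
SAMPLE_PAGE = """
<html><head><link rel="stylesheet" href="/style.css"></head>
<body>
<h1>Plastering and rendering, free quotes</h1>
<img src="/images/van.jpg" alt="van">
<!-- "free web counter" snippet copied from the counter vendor's page -->
<script src="http://counter.example.net/count.js"></script>
<iframe src="http://stats.example.sk/c.php" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for entry in audit_page(SAMPLE_PAGE, "http://plasterer.example.co.uk/index.html"):
        print(entry)
```

Run against the constructed page, the audit lists only the two third-party loads: the counter script, and a zero-size frame from a second host flagged as both active content and hidden. Anything in that second category on a small business site deserves a look, whatever the widget's documentation says it does.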
In this age of open-source and free software, the plasterer is not alone among Web site owners who utilize free Web development tools. The cybercriminals understand that people expect the Web to be free, which is why they're building tools to exploit that idea.
This plasterer's particular drive-by download took advantage of a security vulnerability in the Windows operating system's handling of Windows Metafile (WMF) images, a graphics format the OS renders on behalf of any application that displays it.
It typically takes Microsoft weeks or months to issue a patch for each newly discovered vulnerability. In fairness, patches cannot be rushed: each must be thoroughly tested to ensure it doesn't break other applications or introduce new vulnerabilities of its own.
So until a patch ships, users are exposed to the exploit and to whatever it delivers via drive-by download, commonly a rootkit or other malicious software. And the sad reality is that even after patches are released, many users never install them.
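The WMF flaw lay in how the Windows graphics engine played back a metafile's escape records: a META_ESCAPE record selecting the SETABORTPROC sub-function made GDI treat bytes from the file as an abort-procedure callback, so an image could carry its own code. Until a patch is installed, the practical defence is to recognise that record shape before the image is rendered. The parser below is an added example, not code from the article or from Exploit Prevention Labs. It walks the WMF record stream, flags any SETABORTPROC escape, and stops on a record whose size field is smaller than the record header (a malformed shape that well-formed files never have and that exploit samples of the period did). The sample files are constructed in the block, with filler bytes where a real payload would carry shellcode.

```python
import struct

# Record function numbers and constants from the WMF format specification.
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape sub-function abused by the WMF exploit
PLACEABLE_KEY = 0x9AC6CDD7     # magic of the optional 22-byte "placeable" header
HEADER_SIZE = 18               # standard METAHEADER is 9 words


def parse_records(data):
    """Yield (offset, function, params) for each record in a WMF blob.

    Stops at META_EOF, or yields params=None and stops when a record claims a
    size below 3 words (it cannot even hold its own size and function fields)."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + HEADER_SIZE:
        raise ValueError("too short for a WMF header")
    _file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if header_words != 9:
        raise ValueError("unexpected METAHEADER size")
    off += HEADER_SIZE
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            yield off, func, None
            return
        params = data[off + 6: off + size_words * 2]
        yield off, func, params
        if func == META_EOF:
            return
        off += size_words * 2


def scan_wmf(data):
    """Return the findings a practitioner would treat as exploit indicators."""
    findings = []
    for off, func, params in parse_records(data):
        if params is None:
            findings.append({"offset": off, "reason": "malformed record size"})
            break
        if func == META_ESCAPE and len(params) >= 4:
            escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                findings.append({"offset": off, "reason": "SETABORTPROC escape",
                                 "payload_bytes": byte_count})
    return findings


# --- constructed samples (not real malware) ---------------------------------

def wmf_record(func, params=b""):
    """Serialise one record: size in 16-bit words, function number, parameters."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Prefix a METAHEADER (memory metafile, version 3.0) onto the given records."""
    body = b"".join(records)
    total_words = (HEADER_SIZE + len(body)) // 2
    max_words = max(len(r) // 2 for r in records)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0) + body


BENIGN_WMF = build_wmf([wmf_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
                        wmf_record(META_EOF)])

# Same shape as the drive-by payload: an escape record selecting SETABORTPROC,
# followed by bytes that in a real sample would be shellcode. Here: 0xCC filler.
SUSPECT_WMF = build_wmf([wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"\xcc" * 16),
                         wmf_record(META_EOF)])

# A record claiming a size of one word: the parser must stop rather than loop.
MALFORMED_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 1, 0) + struct.pack("<IH", 1, META_ESCAPE)

# The benign file again, behind a placeable header (key plus 18 bytes of fields).
PLACEABLE_BENIGN_WMF = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + BENIGN_WMF

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("malformed", MALFORMED_WMF), ("placeable", PLACEABLE_BENIGN_WMF)):
        print(name, scan_wmf(blob))
```

Because the flaw was in the OS renderer rather than in one browser, the same check belongs wherever WMF content can arrive: mail attachments and proxy responses as much as Web pages, and regardless of the file's extension, since GDI identifies a metafile by its header, not its name.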
Virus writers in the 1990s were like cybergraffiti artists--their goal was to wreak havoc by tagging as many people as possible. But by the late 1990s, shadier elements had realized the profit potential of adware and spyware. They, too, focused their efforts on infecting as many users as possible.
Today, this shady element has evolved into fully fledged organized cybercrime gangs that buy, sell and distribute exploits for profit. And unlike the early virus writers, who often sought to make the presence of their virus known, crimeware distributors are stealthier and more calculating in their attacks.
If you knew there was a guillotine behind the front door of a certain percentage of businesses in your neighborhood, would you visit those businesses? The same holds true for Internet business.
How will Internet users respond if they begin to suffer hyperlink insecurity? What will become of the multibillion-dollar search engine business, and more importantly, what will happen to the millions of businesses of all sizes who rely upon search engines to guide customers to their front door?
It's enough to make you nostalgic for the days when we only needed to worry about viruses. Well, almost.
Biography
Roger Thompson has been researching malicious software for 20 years. He's chief technology officer and co-founder of Exploit Prevention Labs, a developer of antiexploit software.
See more CNET content tagged:
cybercriminal, hyperlink, malicious software, Web development, patch management
Please, in future, before using passages like "world in grave danger", mention that the problem is M$ Windows & Internet Explorer specific.
Not all of us are using Wind0ze. And more and more Windows users come to their senses and install Firefox or Opera.
Does the Windows Metafile vulnerability allow the installation of a rootkit when the web browser (which browser?) is run without system administrator permissions?
First, the WMF exploit specifically targets a vulnerability in Microsoft Internet Explorer. Other browsers, such as Firefox and Opera, are not as vulnerable.
Please keep in mind that exploits are not what we call well-behaved programs. They don't have to play by standard rules. By their very nature, they succeed by blowing up some application (IE in this case) and using it to poke a hole in the OS so that they can do whatever they want.
Hadaso is correct: it is _always_ best to surf the Internet with a lower privilege account. There is little on the down side, except that you may not always be able to easily install software that you _do_ want to install.
In the case of the WMF exploit, being logged in on a lower privilege account probably stops the install because the _common_ payload is just a downloader - but there are others. If the payload were a rootkit, or if the exploit payload involved privilege escalation, anything would be possible, including unwanted installations - even when those privileges aren't expressly allowed by your account.
The best defense, in our estimation, is to never let the exploit into the machine at all, thus keeping computers completely safe from this kind of harm.
Joe Chiarella
Product Manager, Exploit Prevention Labs
with additional insight from Roger Thompson, CTO
Oh, sorry, those were two separate sentences. ;)
Although Mac is hardly free in either sense of the word, it's still built to be more secure than Windows.
And it's a good thing I have Firefox on all my platforms (I'm actually on an MS Windows desktop right now).
When you were doing your testing of how easy it is to be infected, were you running under these conditions? Or were you using a more secure method, like Firefox, Windows fully updated, and a limited user account?
I understand the WMF exploit you mentioned could have bypassed many of these security practices.
Interesting article. A great shot of paranoia keeps everyone in the IT security field going in the morning. Thanks! :-)
In response
by jdgill June 2, 2006 7:13 AM PDT
To my knowledge the WMF exploit bypassed any permissions and security software (antivirus/antimalware) and caused code to be executed as a high-level user (administrator). There are methods of embedding exploit code into a "harmless" JPEG image on a website. The viewing of this JPEG image under any browser compromised the system without the user's input. No AV warnings, no certificates, no asking of permission to execute.