
How Much Harm Can One Web Site Do?

Ben Edelman has written extensively on issues including censorship and spyware. He's got a very interesting piece on his site now about who profits from spyware, and how much spyware can be installed on a Windows XP machine when the user simply visits a single Web site using Internet Explorer.

  • not much... (Score:5, Informative)

    by domenic v1.0 ( 610623 ) on Wednesday November 24, 2004 @02:03PM (#10910620)
    if you use another browser like Firefox?
  • Re:not much... (Score:4, Informative)

    by Moridineas ( 213502 ) on Wednesday November 24, 2004 @02:05PM (#10910636) Journal
    not much, if you are decently patched (he mentions at the very end the exploit installs don't work if you are running SP2)
  • by Anonymous Coward on Wednesday November 24, 2004 @02:05PM (#10910646)
    From the site.

    I've written before about unwanted software installed on users' computers via security holes. For example, in July I mentioned that 180solutions software was being installed through Internet Explorer vulnerabilities. (See also 1, 2, 3) More recently, researchers Andrew Clover and Eric Howes (among others: 1, 2) have described increasing amounts of unwanted software being installed through security holes.


    How bad is this problem? How much junk can get installed on a user's PC by merely visiting a single site? I set out to see for myself -- by visiting a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP), and by recording what programs that site caused to be installed on my PC. In the course of my testing, my test PC was brought to a virtual stand-still -- with at least 16 distinct programs installed. I was not shown licenses or other installation prompts for any of these programs, and I certainly didn't consent to their installation on my PC.

    In my testing, at least the following programs were installed through the security hole exploit: 180solutions, BlazeFind, BookedSpace, CashBack by BargainBuddy, ClickSpring, CoolWebSearch, DyFuca, Hoost, IBIS Toolbar, ISTbar, Power Scan, SideFind, TIB Browser, WebRebates (a TopMoxie distributor), WinAD, and WindUpdates. (All programs are as detected by Ad-Aware.)

    See a video of the installations (WindowsMedia format, view in full screen mode when prompted). The partial screen-shot at left shows some of the new directories created by the security exploit.

    Other symptoms of the infection included unwanted toolbars, new desktop icons (including sexually-explicit icons), replacement desktop wallpaper ("warning! you're in danger! all you do with computer is stored forever in your hard disk ... still there and could broke your life!" (s.i.c.)), extra popup ads, nonstandard error pages upon host-not-found and page-not-found error conditions, unrequested additions to my HOSTS file, a new browser home page, and sites added to my browser's Trusted Sites zone.

    I've been running similar tests on a daily basis for some time. Not shown in the video and screen-shot above, but installed in some of my other tests: Ebates Moe Money Maker, EliteToolBar, XXXtoolbar, and Your Site Bar.

    Installation of 180solutions software through security holes is particularly notable because 180 specifically denies that such installations occur. 180's "privacy pledge" claims that 180 software is "permission based" and is "programs are only downloaded with user consent and opt-in." These claims are false as to the installation occurring in the video linked above, and as to other installations I have personally observed. Furthermore, 180's separate claim of "no hiding" is false when 180 software is installed into nonstandard directories (i.e. into C:\Windows rather than a designated folder within Program Files) and when 180 software is installed with a nonstandard name (i.e. sais.exe) rather than a name pertaining to 180's corporate name or product names.

    What's particularly remarkable about these exploits is that the bad actors here aren't working for free. Quite the contrary, they're clearly expecting payment from the makers of the software installed, payments usually calculated on a per-install basis. (For example, see a 2003 message from 180solutions staff offering $0.07 per installation.) By reviewing my network logs, I can see the specific "partner" IDs associated with the installations. If the installers want to get paid, they must have provided accurate payment details (address, bank account number, etc.) to the makers of the programs listed above. So it should be unusually straightforward to track down who's behind the exploits -- just follow the money trail. I'm working on passing on this information to suitable authorities.

    Note that the latest version of Internet Explorer, as patched by Windows XP Service Pack 2, is not vulnerable to the installations shown in my video and discussed above.
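
The quoted post lists the artifacts left behind by the installs: unrequested HOSTS entries, sites added to the Trusted Sites zone, a replaced start page, and binaries dropped into C:\Windows under names like sais.exe. The following is an added example, not code from Edelman's site or from the thread, that audits a machine's state for exactly those indicators. All inputs are constructed sample data (the .test hostnames are placeholders, the directory listing is hypothetical); the check functions could be fed real HOSTS text, registry ZoneMap values and a directory listing instead.

```python
"""
Offline audit for the post-infection indicators listed in the quoted post:
unrequested HOSTS entries, domains added to IE's Trusted Sites zone, a
changed start page, and executables dropped straight into C:\\Windows under
non-descriptive names. Every input below is constructed sample data
(hostnames ending in .test are placeholders), not a real capture.
"""

# --- constructed inputs ------------------------------------------------------

# A HOSTS file with two additions after the stock localhost line. Mapping a
# vendor's update site to 127.0.0.1 blocks it; mapping a search host to a
# remote address redirects it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-antispyware.test   # added without consent
10.0.0.5        search.example-portal.test
"""

# Trusted Sites data as it would be read from
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
# modelled as {domain: {scheme: zone}}; zone 2 is Trusted Sites, 4 is Restricted.
SAMPLE_ZONEMAP = {
    "intranet.example-corp.test": {"http": 2},   # in the admin's baseline
    "ads.example-tracker.test":   {"*": 2},      # not in the baseline: report it
    "bad.example-blocked.test":   {"*": 4},      # Restricted Sites, not Trusted
}
BASELINE_TRUSTED = {"intranet.example-corp.test"}

# Hypothetical directory listing of C:\Windows; sais.exe and twaintec.dll are
# the file names mentioned in the thread.
SAMPLE_WINDOWS_ROOT = ["explorer.exe", "notepad.exe", "regedit.exe",
                       "sais.exe", "twaintec.dll", "win.ini"]
KNOWN_WINDOWS_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe"}

# --- checks ------------------------------------------------------------------

def suspicious_hosts_entries(hosts_text):
    """Return (address, hostname) pairs other than the stock localhost line.

    Comments (after '#') are stripped; any name that is not 'localhost' on a
    loopback address is reported, whether it blocks or redirects.
    """
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            stock = address.startswith("127.") and name.lower() == "localhost"
            if not stock:
                findings.append((address, name))
    return findings


def new_trusted_sites(zonemap, baseline):
    """Domains with any scheme assigned to zone 2 that are not in the baseline."""
    return sorted(d for d, schemes in zonemap.items()
                  if 2 in schemes.values() and d not in baseline)


def unexpected_root_binaries(listing, known):
    """Executables or DLLs in the Windows root that are not on the known list."""
    return sorted(f for f in listing
                  if f.lower().endswith((".exe", ".dll")) and f.lower() not in known)


def audit(hosts_text, zonemap, baseline_trusted, listing, known_root,
          start_page, baseline_start_page):
    """Run every check and return only the indicators that fired."""
    report = {}
    hosts = suspicious_hosts_entries(hosts_text)
    if hosts:
        report["hosts"] = hosts
    trusted = new_trusted_sites(zonemap, baseline_trusted)
    if trusted:
        report["trusted_sites"] = trusted
    binaries = unexpected_root_binaries(listing, known_root)
    if binaries:
        report["windows_root"] = binaries
    if start_page != baseline_start_page:
        report["start_page"] = start_page
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_HOSTS, SAMPLE_ZONEMAP, BASELINE_TRUSTED,
                   SAMPLE_WINDOWS_ROOT, KNOWN_WINDOWS_ROOT,
                   "http://search.example-portal.test/", "about:blank")
    for indicator, detail in result.items():
        print(f"{indicator}: {detail}")
```

The baseline sets are the important design choice: a Trusted Sites entry or a C:\Windows binary is only an indicator relative to what the administrator knows was there before, so the script reports differences from a recorded baseline rather than trying to judge names on their own.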
  • Re:not much... (Score:3, Informative)

    by narcc ( 412956 ) on Wednesday November 24, 2004 @02:08PM (#10910686) Journal
    Not all of us can run SP2 -- It just breaks too many things.
  • by AnotherScratchMonkey ( 592037 ) on Wednesday November 24, 2004 @02:12PM (#10910733) Homepage
    Here's what he types into the browser:
    http://xpire.info/fa/?d=get [xpire.info] Entering this in Mozilla 1.8a4 gives me an authentication dialog. Hitting Cancel pops up a Moz file save dialog for a file containing an authentication error message.
  • by crimoid ( 27373 ) on Wednesday November 24, 2004 @02:22PM (#10910821)
    He used xpire.info/fa?d=get which then redirects to a series of other pages on the same site, eventually landing at www.sp2fucked.biz/user28/2DimensionOfExploitsEnc.php which in turn prompts him with an error and a dialogue box asking if he wants to continue executing scripts, to which he clicks "yes" after which all hell breaks loose.
  • Re:not much... (Score:2, Informative)

    by cob666 ( 656740 ) on Wednesday November 24, 2004 @02:29PM (#10910892)
    But you now have a neat little feature for all the network connections called repair which pretty much does the same thing but behind the scenes.

    I know it's a pain to have to click on the icon tray and then select 'Repair' but it's a small price to pay. Also, I don't usually switch my network connection more than once if I move my laptop.
  • Re:No surpises here. (Score:1, Informative)

    by cybersaga ( 451046 ) on Wednesday November 24, 2004 @02:34PM (#10910959) Homepage
    Why not use something like Ad-Watch [lavasoftusa.com], which comes bundled in the Plus and Professional versions of Ad-Aware? That would certainly save a lot of heartache.

    I don't use it on my machine only because when windows pop up out of nowhere telling me I absolutely need to download something, I know I don't. But I wouldn't trust hundreds to thousands of employees of a company to know the same.
  • by terraformer ( 617565 ) <tpb@pervici.com> on Wednesday November 24, 2004 @02:35PM (#10910967) Journal
    I'm sure many people can't view it

    You're right. If you did download the video you likely would not have been able to play it. It uses a non-standard codec and every player I have, including MS Media Player for Mac, could not play it...

  • by Anonymous Coward on Wednesday November 24, 2004 @02:35PM (#10910970)
    ...may I point out that it is NOT worksafe? Thanks, Ben! Appreciate that.

    Glad I didn't have the boss watch it with me in an attempt to convince her of the need to take better anti-spyware measures.
  • by Jucius Maximus ( 229128 ) on Wednesday November 24, 2004 @02:36PM (#10910981) Journal
    " He probably didn't say because there are a lot of people who will just click any random URL they see. (goatse link)"

    Silly AC, the goatse site just displays a domain registry TOS page now.

    wait...

  • by Saint Aardvark ( 159009 ) * on Wednesday November 24, 2004 @02:37PM (#10910985) Homepage Journal
    The "Follow the Bouncing Malware" series at ISC's Internet Storm Center [sans.org] has been quite good, too; it looks at what happened to Ordinary Joe's Windows computer when he surfs:

    Part 4 is coming Real Soon Now (tm). The ISC handler's diary is required daily reading; always a lot of good stuff to be found. (And every now and then, there's a tale that'll make your blood run cold [sans.org]...)
  • Anti-anti-MS zealots (Score:2, Informative)

    by crimson30 ( 172250 ) on Wednesday November 24, 2004 @02:51PM (#10911111) Homepage
    Before you start whining about how the machine was unpatched, and going on about how we're picking on MS, realize that just maybe, Microsoft isn't the target here. If you would read the fucking article, you would see that Ben is attacking propagators of spyware; not MS.

  • Re:Now... (Score:2, Informative)

    by digrieze ( 519725 ) on Wednesday November 24, 2004 @02:51PM (#10911113)
    Oh, probably the same reason I have to, all the corporate web sites that won't work with Firefox (still, yes, I have the updates). When Firefox gets plugins down we'll be able to nix IE, but till then we're stuck.
  • Re:not much... (Score:4, Informative)

    by aetherspoon ( 72997 ) on Wednesday November 24, 2004 @03:06PM (#10911225) Homepage
    Then.... clean the machine?

    It isn't a real hard thing to do most times as long as you know what you are looking for and the machine doesn't touch any form of a network during cleaning.

    Yes, it takes awhile. Then again, would you upgrade an OS on a virus infested machine? Of course not!
  • by rainman_bc ( 735332 ) on Wednesday November 24, 2004 @03:18PM (#10911352)
    IE runs under a user with administrator privileges

    No, IE runs under whatever user you are logged in as. One should definitely learn to manage users. No argument there.

    , but I am of the opinion that users have every right to be stupid,

    Yet we all own cars... If you are too stupid to add oil to your car and you burn out your engine... It's not the manufacturers fault. There's a certain level of responsibility the users should bear as well. Users have a right to be stupid, but should pay up when they screw their computers up the same way car owners should pay if they don't maintain their vehicle or use it correctly.

    . If XP needs all of these security patches just to keep going, where a mac or linux box could stand like a column of basalt for years

    Again, Bullshit! There's security holes in Linux and FreeBSD. That's why we have utilities in Fedora like up2date, portupgrade, etc. So you can automate the patching of those security holes.
  • by Serveert ( 102805 ) on Wednesday November 24, 2004 @03:25PM (#10911424)
    I spent about an hour trying to figure out all the hacks that website was doing but after all was said and done it was frightening the lengths people go to in order to hack your browser, set your home page then get ad impressions and make revenue.... embedded java code with encrypted javascript with encrypted java code which printed out encrypted HTML which when decrypted had the browser load java code that used a browser helper object to set your homepage.
  • Re:Umm... (Score:3, Informative)

    by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Wednesday November 24, 2004 @03:32PM (#10911495) Homepage Journal
    You do not get it. Sic is something an author inserts into a quote when the quote is incorrect in some way. Here, the author says "s.i.c" instead of "sic". This is the error. This error has nothing to do with the grammar error in the wallpaper.

    Here's what's happening:

    Wallpaper: Your computer is broked.

    Author: The wallpaper says, "Your computer is broked." [s.i.c.]

    The author should have written: "Your computer is broked [sic]"

    See the difference and where the mistake is?
  • by clohman ( 592703 ) on Wednesday November 24, 2004 @03:32PM (#10911499) Homepage
    regsvr32 /u C:\DIRECTORY\twaintec.dll
  • Re:not much... (Score:2, Informative)

    by edxwelch ( 600979 ) on Wednesday November 24, 2004 @03:35PM (#10911528)
    If you're running Windows 2000 there is no patch available for the latest iframe exploit.
    See here:
    http://search.linuxsecurity.com/articles/hackscracks_article-10204.html

    I'm not sure if sp2 fixes this problem
  • Re:not much... (Score:5, Informative)

    by sadler121 ( 735320 ) <msadler@gmail.com> on Wednesday November 24, 2004 @03:46PM (#10911629) Homepage
    Not all of us can run SP2 -- It just breaks too many things.

    I'm running SP2 and nothing has broken thus far. Normally when people complain about SP2 breaking stuff (like a game that will not play online after patching to SP2) it has to do with the upgraded firewall. Tweaking the firewall is all that is needed to get your game (and 9 times out of 10 X app) running again.

    All in all, I think Microsoft did a good job with SP2. The security center is something that should have been in the control panel to begin with. It's good to have some centralized location.

    But yeah, SP2 fixed a lot of things in Windows and it really didn't *break* things, it just tightened some bolts that then required the user to go and loosen what he/she wanted to use. (instead of leaving the whole damn computer open)
  • Re:SP2 is immune (Score:3, Informative)

    by FuzzyBad-Mofo ( 184327 ) <fuzzybad@nOSPAm.gmail.com> on Wednesday November 24, 2004 @04:08PM (#10911906)

    Outdated products like Windows 2000 Professional?

    Microsoft's own product lifecycle chart [microsoft.com] indicates "Mainstream Support" through June 30, 2005, and "Extended Support" through June 30, 2010.

  • Re:not much... (Score:3, Informative)

    by crawling_chaos ( 23007 ) on Wednesday November 24, 2004 @04:08PM (#10911910) Homepage
    Um, Microsoft's own CRM program breaks under SP2 as does at least one version of Great Plains Dynamics. There are registry hacks that re-enable the software, but they undo some of the protections provided by SP2.

    That said, we'll be going to SP2 where I work when all of the testing is finished, but there are non-game business critical software packages that do break under SP2. I recommend it for home users, but I'm far more hesitant in the business environment, particularly if some custom or very old software is being used.

  • Re:s.i.c. -actually. (Score:1, Informative)

    by Anonymous Coward on Wednesday November 24, 2004 @04:13PM (#10911960)
    Wouldn't that be "in the world of grammer [sic]"?

    The word is spelled 'grammar'. Also, check the MLA Handbook (you do know what that is, Mr. English Major?), and you will see that you are wrong about 'sic' being an acronym.

    I suppose it's a good thing you changed majors. Remember that spelling and grammar are helpful in computer languages also.
  • Re:not much... (Score:5, Informative)

    by deaddeng ( 63515 ) on Wednesday November 24, 2004 @04:24PM (#10912083) Homepage
    There are at least two other IE exploits out there that MS has not patched, and SP2 won't protect you. see: http://isc.sans.org/diary.php?date=2004-11-20 [sans.org]

    Quote:

    Two More IE Vulnerabilities

    Exploit code has been released for two more Internet Explorer vulnerabilities that were released on Wednesday (Nov. 17). This code would enable an attacker to trick users into executing malware. These vulnerabilities affect Microsoft Internet Explorer 6.0 SP2 and are not prevented by Windows XP SP2.

    The original advisory is here: http://secunia.com/advisories/13203/ [secunia.com]

    The proof of concept exploit: http://www.k-otik.com/exploits/2041119.IESP2disclosure.php [k-otik.com]

    While on the topic, it is interesting to note some statistics that Secunia has been compiling about Internet Explorer vulnerabilities:

    IE 5.01 - 42 advisories (7 unpatched) http://secunia.com/product/9/ [secunia.com]
    IE 5.5 - 55 advisories (8 unpatched) http://secunia.com/product/10/ [secunia.com]
    IE 6.0 - 69 advisories (18 unpatched) http://secunia.com/product/11/ [secunia.com]

    If you still think SP2 has mystical properties: http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/ [safecenter.net]
  • by neko9 ( 743554 ) on Wednesday November 24, 2004 @04:59PM (#10912488)
    just saw it... the best video in ages... i cried... i laughed... never seen anything so funny and scary... maybe because i don't use window$ and ie for net anymore :-)

    btw video stream is Windows Media Video 9 Screen
    and audio is Windows Media Audio 9
  • Re:not much... (Score:3, Informative)

    by narcc ( 412956 ) on Wednesday November 24, 2004 @07:38PM (#10914093) Journal
    didja get rid of spyware trojans and viruses first? or bother to read the readme? No, you were too busy recompiling the kernel and whining about Microsoft to RTFM.

    Wow, you really don't have a clue, do you?
    http://www.newsfactor.com/story.xhtml?story_id=26344 [newsfactor.com]

    http://news.com.com/Microsoft+lists+SP2+conflicts/2100-1016_3-5311280.html?tag=nl [com.com]

    http://news.com.com/Microsoft+tackles+AMD+conflict+in+SP2/2100-1016_3-5326707.html [com.com]
    From this article: Microsoft had advised AMD users to remove SP2 altogether.

    There are plenty of others.
    And let's not forget problems with legacy applications. (Which many people need.)
  • by bedelman ( 42523 ) on Wednesday November 24, 2004 @09:15PM (#10914754) Homepage
    Howdy folks. Sorry to take so long to respond -- was in airports and planes all afternoon. Day before Thanksgiving...

    Browsing to the site I showed in my video is one way to get infected. But that's not the most typical infection method. Instead, other sites can and do point to this site (and other similar sites), typically via IFRAMES. I was recently looking at a post in a web-based threaded messaging site, which used a 1x1 pixel IFRAME (basically, hidden) to reference the site shown in my video. When a user loads the infected post in the threaded messaging site, the user's PC will be infected via the exploits shown (if the user's PC is vulnerable to such exploits), and the user will receive spyware like that shown in the video.

    As to video format: I apologize for the WMV format. There's a lot to be said for this format, from the reliable free creator to the wide deployment of the player software (present in all W2K and WXP systems). But clearly it's an imperfect solution, and not great for viewers on other platforms. I'm working on finding a better alternative and/or offering the same content in other formats.
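
Edelman's reply describes the usual delivery route: a post on an otherwise legitimate site carrying a 1x1-pixel IFRAME that loads the exploit page. The following is an added example, not code from Edelman or from the thread, showing the check a forum or message board could run over user-submitted HTML before publishing it: it flags any IFRAME that is effectively invisible (1x1 or zero-sized, or hidden with CSS, which goes slightly beyond the 1x1 case in the reply) and whose src points at a host other than the site's own. The sample post and every hostname in it are constructed placeholders.

```python
"""
Scan user-submitted HTML for IFRAMEs that are hidden (1x1, zero-sized or
CSS-hidden) and point off-site, the embedding pattern described in the reply
above. The sample post and every hostname in it are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed forum post: a visible image, a hidden 1x1 off-site frame,
# a visible same-site frame, and a CSS-hidden off-site frame.
SAMPLE_POST = """
<div class="post">
  <p>Check out my new setup!</p>
  <img src="http://img.example-forum.test/setup.jpg" width="400" height="300">
  <iframe src="http://drop.example-dropper.test/loader" width="1" height="1"
          frameborder="0"></iframe>
  <iframe src="/embed/poll.html" width="300" height="200"></iframe>
  <iframe src="http://video.example-cdn.test/clip" style="display: none"></iframe>
</div>
"""
PAGE_HOST = "forum.example-forum.test"   # the site's own host (placeholder)


def _dimension(value):
    """Parse a width/height attribute ('1', '1px', ' 0 '); None if not numeric."""
    if value is None:
        return None
    digits = value.strip().lower().removesuffix("px")
    return int(digits) if digits.isdigit() else None


def hidden_reason(attrs):
    """Why this frame would be invisible to the reader, or None if it is visible."""
    for axis in ("width", "height"):
        size = _dimension(attrs.get(axis))
        if size is not None and size <= 1:
            return f"{axis}={size}"
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return "css-hidden"
    return None


def is_offsite(src, page_host):
    """True when src names a host other than the page's own (relative URLs are on-site)."""
    host = urlparse(src).netloc.lower()
    return bool(host) and host != page_host.lower()


class HiddenFrameFinder(HTMLParser):
    """Collects (src, reason) for every hidden off-site iframe, in document order."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)              # bare attributes map to None
        src = attrs.get("src") or ""
        reason = hidden_reason(attrs)
        if reason and is_offsite(src, self.page_host):
            self.findings.append((src, reason))


def find_hidden_offsite_frames(html, page_host):
    """Return [(src, reason), ...] for frames a moderator or filter should block."""
    finder = HiddenFrameFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for src, reason in find_hidden_offsite_frames(SAMPLE_POST, PAGE_HOST):
        print(f"hidden off-site frame ({reason}): {src}")
```

The same-site poll frame passes because a relative src has no host, and a visible off-site frame would pass too; the filter only combines the two properties that together make the pattern in the reply (invisible to the reader, content from elsewhere), which keeps false positives low on a site that legitimately embeds frames.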
