15

I have seen these a lot lately. You click the link, and instant trojan. No need to download or anything.

How is this possible? Is there a way I can scan the links before visiting to make sure I won't be infected?

2
  • Possible duplicate: superuser.com/questions/13507/…
    – Hello71
    Commented Aug 31, 2010 at 14:46
  • It is possible because web browsers (like Internet Explorer) are extremely complex pieces of software, and despite being well-written, there are flaws the hackers discover which can be utilized to run a program of their choice on your machine, such as a trojan.
    – unixman83
    Commented Mar 9, 2012 at 3:52

3 Answers

13

To answer how it's possible:

The site has some script that gets executed as you load the page. This is what infects your Windows PC - I'm not 100% sure of the details though, whether it downloads the code or just runs it. This page has an example of how it was done in one case. A vulnerable browser is also required, and virtually any popular browser is a vulnerable one as something running on a lot of computers is worth targeting.

It will be Windows PCs for the most part that get infected, as people run as admins rather than restricted users. The reasons for this are many and varied. As Roger points out in his comment, it's popularity rather than any intrinsic weakness that's the main factor here:

Windows is targeted more because it is more popular. Some say that Windows is less secure than alternatives too, but I have to say that in the way you highlight, it's not. I run Linux at home and if a trojan could run under my user account it could still do quite a lot of damage to files that I care about quite a bit, it just couldn't take over the system.

By running as a restricted-rights user you can limit the damage, though not necessarily eliminate it.

With Vista and now 7 having tighter control over what gets run as admin you might start to see a drop in these sorts of sites - though it will only be when the majority are running the newer OSes.

11
  • Thanks. I just find it hard to believe that it can automatically make your browser download and run it though. What sort of script would that be? JavaScript?
    – Rob
    Commented Feb 9, 2010 at 20:27
  • @Rob - Yes it'll be JavaScript, and it does require a vulnerable browser and the user being an admin.
    – ChrisF
    Commented Feb 9, 2010 at 20:28
  • It managed to install itself through Firefox. So much for the safest web browser. fml
    – Rob
    Commented Feb 9, 2010 at 20:30
  • @Rob - Firefox hasn't been the safest browser for a while. As soon as it hit a decent market share the virus and trojan writers started looking for exploits as it became worth their while. If you want "safe" browsing pick the browser with the lowest market share ;)
    – ChrisF
    Commented Feb 9, 2010 at 20:33
  • 1
    Unfortunately I'm afraid of change. I'll stick with Firefox, as it has a ton of addons I use on a daily basis. FML again. Now I just need to know if it's possible to accept two answers on one question?
    – Rob
    Commented Feb 9, 2010 at 20:35
8

Well, when you open a website, the website can direct the browser to do all kinds of things on its behalf. In the simplest case, it will just send text and pictures to be displayed, but it can also send small programs that the browser will run (in JavaScript, which browsers have built-in, or using a browser plugin such as Java or Flash).

In principle, getting infected just from visiting a website should be impossible:

While browsers will execute programs on behalf of websites you visit, these programs are carefully restricted so they can only do "harmless" things. From JavaScript, you can for example alter the page that the JavaScript belongs to (since both come from the same website, there can be no harm), but JavaScript may not change a page from a different website (so a sleazy site cannot alter your home banking display), and it may not directly access files on your computer.

Similar restrictions exist for most plugins (at least for Java and Flash). This is commonly referred to as sandboxing, as the code is essentially in a box of its own, isolated from the computer it runs on. In particular, it cannot read files on your hard disk, or start programs for you, like "regular" programs running on your computer can.

Now, the thing is: while in principle you're safe, in practice you may not be. The reason is that the sandbox system, like all programs, has bugs. Sometimes these bugs allow a program to "break" the sandbox and trick the browser or plugins to do things it should not be allowed to do. These tricks can be quite elaborate.

Examples:

  • Like regular programs, the implementation of the browser or plugin can have buffer overflows, which can allow a website to run specially crafted code by sending it to the browser as input.
  • There was a vulnerability in old versions of Sun's Java plugin with respect to the sandbox. The sandbox disallowed (and still disallows) access to all Java functions which could allow a program to do damage, such as reading or deleting local files. However, while the sandbox did correctly block access to these functions from a Java applet, browsers also allowed indirect access to these functions from JavaScript (via a technique called "reflection"). This "backdoor" had not been sufficiently considered by developers, and allowed the sandbox restrictions to be bypassed, breaking the sandbox. See https://klikki.fi/adv/javaplugin.html for details.

Unfortunately, there have been several vulnerabilities in the sandboxes of JavaScript, of Java and of Flash, just to name a few. It's still a kind of race between malicious hackers who detect these vulnerabilities to exploit them, and good hackers and developers who detect and fix them. Usually, they are fixed quickly, but there is sometimes a window of vulnerability.

BTW: The sandbox is the reason some Java applets pop up a "Do you trust this applet" warning on launch: These applets ask you to let them out of their sandbox and to give them access to your computer. This is sometimes necessary, but should only be granted with good reasons.

P.S.: The reason that ActiveX (at least early versions) was so horribly insecure is that ActiveX did not use a sandbox. Any ActiveX code from a web page had full access to your system. To be fair, this was (partially) rectified in later versions.
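The answer above says JavaScript may alter its own page but not one from "a different website". What browsers actually compare is the origin tuple (scheme, host, port). The following is an added example, not code from the answer or from any browser, that models that same-origin decision over constructed sample URLs (the `bank.example` and `sleazy.example` names are made up):

```javascript
// Added example: a model of the browser's same-origin check. Real browsers
// make this decision internally; this reimplements the (scheme, host, port)
// comparison so the rule in the answer can be seen on concrete URLs.

// Ports the browser fills in when the URL leaves them out.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to the tuple the same-origin policy compares.
function originTuple(urlString) {
  const u = new URL(urlString);
  // URL.port is '' for an omitted or default port, so normalise it.
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// True when script loaded from `scriptPage` may read or modify the DOM of
// `targetPage`. Path and query never matter; scheme, host and port all do.
function sameOrigin(scriptPage, targetPage) {
  const a = originTuple(scriptPage);
  const b = originTuple(targetPage);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Simulated cross-document access as the browser would enforce it.
function accessDocument(scriptPage, targetPage) {
  if (!sameOrigin(scriptPage, targetPage)) {
    return { allowed: false, reason: 'blocked by same-origin policy' };
  }
  return { allowed: true, reason: 'same origin' };
}

// Constructed sample pairs (hypothetical hosts) illustrating the answer's
// point: a sleazy site cannot touch the bank page, but the bank page may
// touch itself. The last three show how narrow "same website" really is.
const SAMPLE_PAIRS = [
  ['http://sleazy.example/ad.html', 'https://bank.example/accounts'],
  ['https://bank.example/login', 'https://bank.example/accounts'],
  ['https://bank.example:443/login', 'https://bank.example/accounts'], // explicit default port
  ['https://bank.example/login', 'https://www.bank.example/accounts'], // subdomain differs
  ['http://bank.example/login', 'https://bank.example/accounts'],      // scheme differs
  ['https://bank.example/login', 'https://bank.example:8443/accounts'], // port differs
];

function evaluateSamples() {
  return SAMPLE_PAIRS.map(([from, to]) => ({ from, to, ...accessDocument(from, to) }));
}

for (const r of evaluateSamples()) {
  console.log(r.allowed ? 'ALLOW' : 'BLOCK', r.from, '->', r.to);
}
```

Only the second and third pairs are allowed; every other pair is blocked even though the hosts look alike, which is why a sandbox escape has to come from a browser bug rather than from the policy itself.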

2

I mention this to answer your last question about preemptive actions. One not-so-common option is to use a virtual machine (well, it is common among security circles). There are a few free ones available. Install your OS, browser, and add-ins in the virtual machine and save the state. You can then browse to any site. When finished, you revert to that saved state and anything that happened in the virtual machine after that point is discarded. It's very simple once you get into it, but may pose a slight learning curve.

Note: Reverting state will literally discard any changes to the virtual machine, including browser history, cookies, updates, etc. In this case, you could revert to that state, apply updates, and save a new state. The same can be done for anything else you wish to keep. None of this affects your actual computer, only the virtual machine.

4
  • This is not really practical. Noscript with firefox is MUCH better.
    – unixman83
    Commented Mar 9, 2012 at 3:50
  • 1
    Actually, it's very practical from a security standpoint, which is what was asked. NoScript simply disables loading JavaScript by default, except for sites you allow; there are other attack vectors. Without help, that can be tedious and frustrating to get right. The VM acts like a sandbox, allows regular/full browsing and provides a means of easy/quick recovery. No need to use the VM for trusted/known sites if your desktop is locked down, just for new/questionable ones. This thread is also 2 years old...
    – Ioan
    Commented Mar 9, 2012 at 16:10
  • Only 5% of real-world attack vectors are successful with scripts off and plugins disabled, i.e. with NoScript. Many sites work without scripts turned on.
    – unixman83
    Commented Mar 10, 2012 at 22:45
  • 1
    That's fine, I mentioned it wasn't commonly used and takes getting used to. Downvoting because you like another solution is incorrect. The answer isn't wrong. You would be better off adding your own answer or upvoting another which you may prefer. At least, that's how I understand the voting system to work.
    – Ioan
    Commented Mar 12, 2012 at 12:37
