Author Topic: llama callllllllllll!  (Read 355 times)

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9913
llama callllllllllll!
« on: March 30, 2008, 07:55:06 PM »
Told you so :D

http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html

Quote
The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants:

USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu.

Offline llama

  • Silver Member
  • ****
  • Posts: 819
      • http://www.warrenernst.com/
Re: llama callllllllllll!
« Reply #1 on: March 30, 2008, 11:04:10 PM »
Ah Vulcan,

I was wondering when I would hear from you on this. ;-)

Now then, as I recall my original argument, many many months ago, was that AVG was sufficient antivirus protection if you used an alternative browser and didn't surf porn and warez sites.

Your argument was, as I recall, that any mainstream site can infect you these days.

My response was that these attacks were almost always against unpatched, older browsers, and relatively uncommon, so I stood by my statement.

That was then.

As recently as a month ago, I was going on and on about how AVG is now basically totally worthless under any condition. I said that it was worse than nothing, because at least "nothing" doesn't give a false sense of security, which is what AVG gives you and which is worse than no security at all. I said that AV software was vitally important, and I told the original poster "you need it." I still stand by this.

My change in opinion was based on a number of things, most of which involve either the testing I do for the magazine, or cleaning up my clients' computers and asking them their surfing habits. WITHOUT EXCEPTION, all the users of owned PCs admitted to me they went to warez or porn sites within two days of the problem that required my attention. Every. Single. Service call.

It was not based on increased IFRAME attacks, and it still isn't. Even the article you linked to says the following:

"What has changed since the last time? The number and importance of the sites has increased..."

In other words, the last round of IFRAME attacks were more focused on marginal sites than the mainstream sites now being attacked. That sounds like what I said.

Frustratingly, the article and the links within it don't talk about what the vulnerability is specifically, and what browsers are affected, so I can't comment on the relative age and patch level of the affected browsers. I could guess though...

If you have a link, please post. I need to see it and learn from it. Thanks.

-Llama


Interesting server at 69.12.181.171

Offline humble

  • Platinum Member
  • ******
  • Posts: 6434
Re: llama callllllllllll!
« Reply #2 on: March 31, 2008, 01:14:38 AM »
Sigh,

This is absolutely in no way AVG related at all. I'm totally surprised at both of you....

AVG Free is not a malware program and it's not going to cover this type of attack. Neither are almost any of the commercial products similar to AVG. Some of the top of the line commercial suites will....and some won't. A layered defense of some type is a fundamental requirement. You're calling out a program by name for a type of attack that is totally outside the scope of its coverage.

All of the sites infected are major sites with tremendous resources. Do you think any of them are using AVG of any flavor? The simple reality is that all of them are accepting 3rd party content which is infected...so it's getting by their own security. What's happening is that malware is embedded in codecs that are then being downloaded and executed. This has nothing to do with outdated browsers or what flavor of anti-virus you're using.

If you're unfortunate enough to be a "zero day" victim then you're relying on the quality of that segment of your protection package. If you're running a sandbox for your browser (or a virtual device) you're fine. If you're running ThreatFire you're fine. If you're running BitDefender or NOD32 (suite) you're fine...

Better yet, if you don't view anything that requires a codec you're fine.

Quote
The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names

Quote
all the users of owned PCs admitted to me they went to warez or porn sites within two days of the problem that required my attention

You were clueless a month ago and you still are in my opinion. No AV program is 100% effective....not one. The difference between AVG Free and the best program is normally about 1%. Now if the same program was always the best then it would be easy...but it's not. Even the best commercial programs fluctuate over time. So the window of risk is there....period. Now AVG Free does not include either a malware or intelligent detection component (of any value)...it relies entirely on its definitions for known threats. Within that limitation it's an outstanding program (as good or better than many commercial alternatives). I repeatedly went out of my way to make sure that everyone realizes that a layered defense up (or down) to user education is required. The simple reality today, last month and next year is that a layered defense of "free" products combined with a good backup/recovery program, a HijackThis log and sound user practice is as good as most commercial products and way better than McChunky for sure.

If you're going to a warez site you're literally running a "hack me" sign out the door; porn sites aren't much better either. Anytime you view a video on YouTube or elsewhere or download an mp3 or other audio file you're taking a risk. Not one AV program on the market will override a user executed file...the most they will do is ask/warn you. If you're so hot and bothered you need to avoid paying for software or are dying to watch Debbie Does Whatever then you're gonna eventually get hammered. Now this poisoned content is going mainstream...

And millions of people are being infected....duh...well since something like 80% of the planet has one of 2 major AV programs installed just who do you think is getting hammered :rofl :rofl. The only worse thing than having a false sense of security from a "free" program is getting shelled when you have the "best" program. Unless you're paying for NOD32 or BitDefender or maybe 1 or 2 more, then you're paying for marketing hype...just because you paid for it doesn't mean you're any better off.

"The beauty of the second amendment is that it will not be needed until they try to take it."-Pres. Thomas Jefferson

Offline humble

  • Platinum Member
  • ******
  • Posts: 6434
Re: llama callllllllllll!
« Reply #3 on: March 31, 2008, 01:37:18 AM »
I think a bit more information is required here...

1st, an IFRAME attack is directed at content servers NOT an end user. So the initial problem is security at the content level. These sites all use very, very sophisticated products (mainstream ones above) which highlights the problems regardless of what flavor of software you use.

So your CNN flavor site got hacked...what does that mean to you...

Automatically not a thing. An infected IFRAME isn't going to automatically get you...PERIOD.

So how do they work...

Uses social engineering to entice the user to download a malicious Trojan onto his PC (for example masking it as a plug-in that is needed to view the content). Again in this case the download of the Trojan is usually masked as a plug-in from a reputable vendor (for example Microsoft), the plug-in that supposedly is necessary for viewing the hacked site. Some gullible users accept such an invitation.

Try to use a series of web browser exploits to break into a PC with unpatched IE6 or Firefox.

There is an old vulnerability covered in Microsoft Security Bulletin MS04-040 HTML Elements Vulnerability - CAN-2004-1050: The remote code execution vulnerability exists in unpatched Internet Explorer that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a malicious Web Page that could potentially allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Possibly uses other more subtle attack vectors.

Inserting invalid information into the viewstate field with the objective of causing the application to throw an exception and to log the exception. If, however, you open the error log file via a browser and the application's error log viewer, some of what the attacker has inserted into the viewstate may be rendered as HTML. If the attacker has put in an iframe with a reference to a live webpage, you would in effect be forced to run the webpage. This would not be dissimilar to you visiting a website with hostile scripting code.

So to be infected either you need to have an outdated browser or you need to execute a codec...end of story. You can not simply log on to a site and get tagged. This type of hyperbole isn't called for here....period.

By all means go spend money on a good security suite like NOD32 or BitDefender, but DO NOT expect it to bail you out from stupid choices you make yourself. But before you go buy an inferior product hyped by a magazine or website that relies on income from the venue it "reviews", realize that many of the commercial products are no more effective than what's available for free and often in combination they (free) are roughly equal to the best products on the market.

This is the reality. If you have an updated browser (any flavor) and do not download a codec you cannot be infected by an IFRAME attack other than through a form of social engineering attack that coerces you to download and execute a file of some type. End of story...

"The beauty of the second amendment is that it will not be needed until they try to take it."-Pres. Thomas Jefferson
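One defensive check this post's description points to: an added example (not from the post, the thread, or the article it quotes) that a site operator could run over their own pages to spot injected off-site iframes that are hidden or collapsed to nothing, which is how the injected frames described here typically avoid notice. The trusted-host list, sample HTML and hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes (helper written for this example)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    # width="0", height="1px" etc.: a frame the visitor is never meant to see
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def suspicious_iframes(html, trusted_hosts):
    """Return the src of each iframe that points off-site AND is hidden,
    collapsed to 0/1 px, or pushed off-screen. Same-site and visible
    third-party frames (ads, embeds) are left alone."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or ""
        offsite = bool(host) and not any(
            host == t or host.endswith("." + t) for t in trusted_hosts)
        style = frame.get("style", "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or _is_tiny(frame.get("width")) or _is_tiny(frame.get("height"))
                  or re.search(r"(left|top):-\d{3,}", style) is not None)
        if offsite and hidden:
            findings.append(src)
    return findings


TRUSTED = ["example-news.test"]  # constructed: the site's own hostnames
SAMPLE_PAGE = """<html><body>
<iframe src="http://www.example-news.test/weather" width="300" height="200"></iframe>
<iframe src="http://ads.partner.invalid/banner" width="468" height="60"></iframe>
<iframe src="http://codec-update.invalid/in.php" width="0" height="0"></iframe>
<iframe src="http://codec-update.invalid/in.php" style="display: none"></iframe>
<iframe src="/local/frame.html" style="display:none"></iframe>
</body></html>"""  # constructed sample: one visible ad frame, two injected hidden frames
```

Run over a crawl of your own site, the visible ad frame and the same-site hidden frame pass, and only the two hidden off-site frames come back for review.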

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9913
Re: llama callllllllllll!
« Reply #4 on: March 31, 2008, 04:56:47 AM »
Quote
I think a bit more information is required here...

1st, an IFRAME attack is directed at content servers NOT an end user. So the initial problem is security at the content level. These sites all use very, very sophisticated products (mainstream ones above) which highlights the problems regardless of what flavor of software you use.

Errr no they don't actually.