El internet

F.B.I. Vs. Facebook
by Dan Reilly

Yes, there are more important matters to worry about than Facebook's recent redesign -- namely, an e-mail with a message that says "F.B.I. vs. Facebook," which includes the above picture and has a link to download the Storm Worm botnet, that nasty piece of malware that connects infected computers and uses them for identity theft and spam. Make sure not to open any e-mail with this subject and make sure to delete it immediately. If you do accidentally open this e-mail, don't click on any links within it and delete it immediately. Lastly, before you open another e-mail, make sure you have some sort of anti-virus software installed.

[img][/img]

October 8, 2008

Web Surfers Face Dangerous New Threat: 'Clickjacking'

Internet and Web browser security experts are sounding the alarm about a new type of malicious attack called "clickjacking," a technique that can be used to dupe Web surfers into revealing confidential information while clicking on seemingly innocuous Web pages. Among other things, a clickjacking attack can be used to take control of a computer's Webcam and microphone without the knowledge of the user.

Clickjacking has been identified as a vulnerability for the Adobe Flash player, as well as for every major browser, including Firefox, Internet Explorer, Opera, Safari and even the newly released Google Chrome.

"It is a very serious problem," said Giorgio Maone, the author of a widely praised free Firefox extension called NoScript, which blocks potentially malicious scripts from running in the Firefox browser.

"Clickjacking is a very simple attack to build, and now that the details are out, any script kid can try it successfully," Maone warned. "There's no estimate to the number of trap sites, and it's unlikely that we will see any credible report about the number of sites using this technique, because there are literally infinite ways to implement such an attack, therefore no signature-based scanning can detect it automatically."

Unauthorized Access to Information

The growing severity of the clickjacking problem was identified by Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security. The two were scheduled to speak publicly about their discovery last month at the Open Web Application Security Project NYC AppSec conference in New York, but postponed their talk in order to give Adobe and browser companies a chance to come up with a solution.

Reacting quickly to the announcement, Adobe released a security advisory Tuesday, describing the threat as "critical" and instructing users on how to turn off Flash access to cameras and microphones.

"We have just posted a Security Advisory for Flash Player," wrote David Lenoe, Adobe's security program manager, on the Adobe security blog, "in response to recently published reports of a 'clickjacking' issue in multiple Web browsers that could allow an attacker to lure a Web browser user into unknowingly clicking on a link or dialog. This potential 'clickjacking' browser issue affects Adobe Flash Player's microphone and camera access dialog." Lenoe said a patch for Flash would be ready by the end of October.

Unfortunately, as Hansen and other researchers have pointed out repeatedly, Flash clickjacking is only one of the variants of this problem. In a lengthy blog posting about the issue, Hansen said that "there are multiple variants of clickjacking. Some of it requires cross-domain access, some don't. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to preload data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

A Structural Problem of the Web

Hansen warned that it will be challenging to come up with a comprehensive solution to prevent the clickjack threat because of the nature of the code that underlies the Internet.

Maone agreed. "This problem comes from features which are integral to the modern Web as we know it," he said, "and especially from the ability of Web pages to embed arbitrary content from different sites, or to host little applications (applets) through plug-ins like Adobe Flash, Java or Microsoft Silverlight."

Maone predicted that a general browser fix won't be developed any time soon, since the real solution lies in developing a general consensus about changing existing Web standards in the various Internet standardization groups.

WOW..THIS IS REAL SERIOUS, THANK YOU MAMI.

Riskware

Riskware is a term used to describe legal programs (many of which have legitimate applications and which are freely available) which could be used for malicious purposes. The Riskware class includes such programs as legitimate remote administration utilities, IRC client programs, dialer programs, downloader programs, any type of activity monitor, password utilities, and many internet services such as FTP, Web, Proxy and Telnet. None of these programs are inherently malicious. However, their functionalities can be used with malicious intent.

One example is WinVNC. The manufacturer's official site describes this program in the following way:

VNC stands for Virtual Network Computing. It is remote control software which allows you to view and interact with one computer (the "server") using a simple program (the "viewer") on another computer anywhere on the Internet. The two computers don't even have to be the same type, so for example you can use VNC to view an office Linux machine on your Windows PC at home. VNC is freely and publicly available and is in widespread active use by millions throughout industry, academia and privately.

The description makes it clear that this program is entirely legitimate, freely available, and used by system administrators and other IT professionals.However, this program could be used with malicious intent. The Kaspersky Virus Lab has encountered cases where WinVNC was installed without the user's knowledge in order to gain total access to a remote machine.

Another example is the mIRC utility. This legitimate program is described in the following way on the product site:

mIRC is a shareware IRC client for Windows. It is developed and copyrighted by Khaled Mardam-Bey. mIRC is a highly configurable IRC client with all the goodies other clients on UNIX, Macintosh and even on windows offer, combined with a *nice* and clean user interface. mIRC offers full color text lines, DCC File Send and Get capabilities, programmable aliases, a remote commands and events handler, place sensitive popup menu's, a great Switchbar, World Wide Web and sound support, and... a lot more. mIRC is shareware but not crippled in any way...

mIRC's extended functionality can be used with malicious intent, and Kaspersky Lab virus analysts regularly encounter Trojan backdoors which utilize mIRC. Any IRC backdoor is capable of writing its own scripts to the mIRC configuration file without the knowledge or consent of the user. This enables the backdoor to deliver its malicious payload, and the user will be totally unaware that a Trojan is active on the system. Additionally, malicious programs may install mIRC to the victim machine. mIRC functionality may then be used in the future with malicious intent. In such cases, mIRC will usually be located in the Windows directory or subdirectories. If mIRC is found in this location, it almost certainly means that while the program itself is not malicious, the computer itself has been infected by a malicious program.