
How do drive-by viruses arbitrarily execute code on my machine?

Status
Not open for further replies.

1DMF

Programmer
Jan 18, 2005
8,795
GB
I'm curious how it seems websites are able to infect your machine via drive-by viruses, yet I, as a webmaster and web developer, am not able to gain access to the local machine, file system or registry with my websites / web apps?

I thought browsers ran websites in a sandbox that separates the website / browser session from the local machine.

I see countless threads in the scripting forums about "how do I access the client machine file system" etc., and the answer always seems to be "You can't".

So can you or can't you?

If the drive-by viruses can do it then anyone can, can't they?

I'm a little confused by this, so clarification of what is or isn't possible when writing web apps, without the need for the user to accept, download or install additional plugins / ActiveX components, is appreciated.

Thanks,
1DMF



"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"

MIME::Lite TLS Email Encryption - Perl v0.02 beta
 
It is (best I recall) all done via scripts. A script HAS to run in order to infect a machine, regardless of how it runs.

Sometimes, a website pop-up or pop-under will make it past pop-up blockers, and then LOOK like it's infected the machine when it actually has not. So it's easy then for the user to panic, and click the wrong button to close the pop-up, which is basically saying "I accept, go ahead and run your script", and the script gets run.

What scripts can run depends upon the individual browser, what settings are in place, and what add-ons/plug-ins/enhancements are in place for protecting against scripts and such... as well as what security software is installed on the PC, and how it is configured. [spineyes]

"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57
 
The only other possibility I can even fathom, which I cannot verify personally, is whether there are any possibilities within HTML natively. Perhaps the latest HTML5? Since HTML5 can play audio and video files, for instance, without Flash or Java, then I suppose it would be just as well possible that it could launch applications or scripts directly as well, rather than being required to call a script via the normal <script> references... ??

Have you looked into that possible scenario? Do you have much experience with HTML5 coding to date? I've not done more than read up on it a little, really, myself.

 
I appreciate the bogus popups, and I personally never click the 'close', 'cancel' or even [x]; I kill the browser process via Task Manager immediately, even at the expense of all other browser sessions / windows dying also.

The only thing with that at the moment is IE9 tries to restore all previous sessions...NOOOOOOO stupid MS!!!!!!!

But ATEOTD that still requires a user to accept something, even if done via stealth.

No, I've not looked into HTML 5. I code X/HTML 1.0 Strict, which does all I need, and as not all browsers support HTML5, I haven't even looked into it.

Why do you need Flash or JS to play an audio file? I use Media Player and it's worked fine for years that way.

Even when I used to use Winamp or RealPlayer, it still played audio without the need for HTML5. Am I missing something?

It's not like I'm trying to actually do any of this, I'm just curious, as on another thread someone posted stating that drive-by viruses can infect your computer purely by visiting them and nothing else.

I didn't think that was possible and hence the question.

 
Programs like Flash and SilverLight were designed to "make life easier" for everybody by running scripts automatically with amazing video and/or audio effects. The problem, esp. w/ Flash, is this allows miscreant scripts to run without user control. That's one of the reasons that Apple doesn't like Adobe (according to public reports). HTML5 is supposed to be designed differently and may not run scripts like Flash will. Several developers that I know are dropping Flash and SilverLight in favor of HTML5. Time will tell if holes will be found in that, too.


James P. Cottingham
I'm number 1,229!
 
Thanks for the article.

I can see how applications that take input can be vulnerable, but how is my browser accepting input to a buffer that would overflow and so allow insertion of executable code?

The return from a webserver (webpage) can be theoretically infinitely long, so how is the browser buffer overloaded?

To overload your browser's buffer, wouldn't the return from a webserver have to be ridiculously long and be very slow?

Isn't the definition of a "drive-by" short and fast?

 
This is another example that exploits a vulnerability in Safari and win32k.sys. By creating a web page containing an IFRAME with an overly large height attribute, hackers may execute arbitrary code with kernel-mode privileges.


James P. Cottingham
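The questions above ask how a single attribute in a page can overflow a browser buffer when the page itself is not enormous. The answer is that the parser only needs one field longer than the fixed buffer it was written for, or a value outside the range it assumed. The following toy attribute parser is an added illustration written for this thread, not code from any browser or from the posters; the attribute name, buffer size and range cap are all assumed for the example. It shows the unsafe copy-into-fixed-buffer pattern beside a bounded, range-checked version that a defender would want.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer for an attribute value such as height="...".
   The size is assumed for this example; the point is that it is fixed. */
#define ATTR_BUF 16
#define MAX_HEIGHT 32767   /* assumed sane upper bound for a pixel height */

/* Vulnerable pattern: copies whatever the page supplied into a fixed stack
   buffer with no length check. A value of ATTR_BUF bytes or more overruns
   the buffer and corrupts neighbouring stack memory; the numeric result is
   also never range-checked. Shown for contrast only; not called on bad input. */
int parse_height_unsafe(const char *value) {
    char buf[ATTR_BUF];
    strcpy(buf, value);      /* no bound on the copy */
    return atoi(buf);        /* no range check on the result */
}

/* Hardened version: bound the length before touching the buffer, accept
   digits only, and cap the numeric range. Returns 0 on success and stores
   the height in *out; returns -1 if the value is rejected. */
int parse_height_safe(const char *value, long *out) {
    size_t len = strlen(value);
    if (len == 0 || len >= ATTR_BUF) return -1;      /* would not fit */
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)value[i])) return -1;
    char *end;
    errno = 0;
    long h = strtol(value, &end, 10);
    if (errno == ERANGE || *end != '\0' || h < 0 || h > MAX_HEIGHT) return -1;
    *out = h;
    return 0;
}

int main(void) {
    /* Constructed sample values: one benign, one overlong, one out of range. */
    const char *samples[] = {"480", "99999999999999999999999999", "100000"};
    for (size_t i = 0; i < 3; i++) {
        long h;
        if (parse_height_safe(samples[i], &h) == 0)
            printf("accepted height %ld\n", h);
        else
            printf("rejected value of %zu bytes\n", strlen(samples[i]));
    }
    printf("unsafe parser on benign input: %d\n", parse_height_unsafe("480"));
    return 0;
}
```

The overlong value is shorter than a typical page, which is why a drive-by does not need a slow, enormous response: one malformed field in an otherwise ordinary document is enough if the parser copies it unchecked.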
 
That's crazy! Attributes of objects in the DOM open up holes for arbitrary code execution!

Though why anyone would be using Safari on a windows 7 machine is puzzling?

But still, getting access to the OS or kernel to execute code via your browser should never, ever happen regardless of the object in the DOM!

OK, unless a deliberate installation of some component is made to perform a particular task, but not a basic webpage!

Frightening to say the least, though many on that post comment that it could be scaremongering and MS have yet to confirm anything.

Well, at least your AV monitors things like this, so as long as any attempted attack has a known signature, with any luck it will be blocked.

 
Wouldn't the best attack method be to have a link to a CAB?
 
I suppose, if you're going ram raiding, but the final bill might be a bit steep ;-)

 
As everyone knows, browsers are programs designed by people, and people do make mistakes... taking advantage of these mistakes is called an exploit...

Online Threats - Browser exploits

Malware Analysis Walking Tour

More specifically, BEPs are used in conjunction with botnets to exploit victim browsers through drive-by download attacks in order to successfully load the malware binary on the victim machine. Browser exploit packs such as Fragus, Fiesta, Yes, Crimepack, Phoenix, Red Dice, MPack, SPack, Bleeding Life etc. have demonstrated this kind of notorious behaviour.
source: Virus Bulletin: VB2011 - Browser exploit packs - exploitation paradigm

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Though why anyone would be using Safari on a windows 7 machine is puzzling?
Because it's pretty. [thumbsup2]
That's all I can figure.

I've used it on occasion just to see what it's about, but I definitely do not use that one as my default browser on any machine.

 
Beauty is in the eye of the beholder!
