Do you trust Google?

Everyone is scared about malware and hacking on the web. There is nothing wrong with this and there really is a genuine threat out there. People need to make sure that their browsing is as safe as possible. For most people, unless you are running a high-volume internet banking transaction server, this can be done simply by getting a good anti-virus (AVG Free is cost effective) and a firewall (Windows' own, Zone Alarm or one on your router).

Despite this a lot of online organisations feel the need to join in and help out. Most modern browsers have built in “phishing filters” and will try to alert you when you click on what it thinks is an untoward link. This is all well and good and there are only minimal privacy implications.

Equally, search engines are doing the same thing now. When you google a search term, you get links with any potentially harmful ones highlighted. Just in case you ignore Google's advice, they have a blocking page pretty much ensuring you can't click through to malware from Google. Again, this may seem all well and good, but there are even more issues. For a start, it is down to Google to decide what is, or isn't, malware. They may be correct 99% of the time, but what about the other 1%? It becomes the responsibility of the website owner to discover they have been flagged as "malware" by Google and then jump through Google's hoops to clear their name. This is wrong.

More importantly, who is responsible when there is a problem with Google? A sensible hacker could target Google's servers and create the illusion that certain companies are full of malware. It would take a brave person to ignore the warnings and keep going through to a site that is so heavily flagged on the search page.

Do you think this is unrealistic? Here are the results of a search I did today on www.google.co.uk – imaginatively, I searched for "Google":

[Image: Google Search results in Google Chrome]

The whole internet is infected with malware. Every link is flagged with the dire warning that it may harm your computer. I am not alone in discovering this… (PCPlus simply suggests using another search engine for the afternoon; Neowin is more informative.) Google isn't hacked (this time), it's just broken. The effect is the same though. Any attempt to search meets with this warning, and Google's intervention means you can't ignore it and click on. Well done Google – you have borked searching… Amazing.

This is (IMHO of course) the problem with allowing web services to have more and more control over our daily lives. It is bad enough that the most popular search engine on the internet suffers a glitch like this, but imagine if you were using Google to host your remote office systems – an outage can be crippling. Cloud computing may be in vogue, but it is fundamentally a bad idea. You cannot delegate your responsibilities to unaccountable groups – you are responsible for making sure no malware gets on your PC, so why does Google feel the need to intervene?

A big “d’oh,” maybe

It seems like only last week that I was whining that browsers were disintegrating like so many smashed plates at a Greek wedding. Oh yes, it was only last week.

Well it looks as if some of this may not be a unique personal experience but is caused by a vulnerability in IE. Microsoft’s Security Advisory describes the flaw they’ve just found. The way it seems to operate sounds uncannily like what’s happened to my browser in IE.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable. (from Microsoft’s Technet)

“invalid pointer reference in the data binding function.” I understand all the words individually but I got lost as soon as I tried to understand them when they are linked together.

But, causing IE to "exit unexpectedly". That sounds like what IE has been doing randomly for weeks, often failing to release the memory that it was using – which I don't find out until too late. I didn't really consider that it might be a new form of browser attack. How naive is that? D'oh.
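The bug class in Microsoft's description (an object released while the array that indexes it still counts it as live) is easy to see in a few lines of C. The block below is an added illustration, not IE code or anything from Microsoft's advisory: the type and function names (binding_t, binding_table_t, table_release_buggy, table_release_fixed) are hypothetical, and the three "bindings" are constructed test data. The defective release frees the object without touching the count, so the next walk over the table reaches a dangling pointer; the corrected release frees, closes the gap and shrinks the count in one step.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a data-binding object; not an IE internal. */
typedef struct {
    int id;
    char name[32];
} binding_t;

/* Hypothetical table of owned pointers; items[0..count) is the "live" range. */
typedef struct {
    binding_t **items;
    size_t count;
    size_t capacity;
} binding_table_t;

int table_init(binding_table_t *t, size_t capacity) {
    t->items = calloc(capacity, sizeof *t->items);
    if (!t->items) return -1;
    t->count = 0;
    t->capacity = capacity;
    return 0;
}

int table_add(binding_table_t *t, int id, const char *name) {
    if (t->count == t->capacity) return -1;
    binding_t *b = malloc(sizeof *b);
    if (!b) return -1;
    b->id = id;
    snprintf(b->name, sizeof b->name, "%s", name);
    t->items[t->count++] = b;
    return 0;
}

/* Defective release: the object is freed but count is left unchanged, so
 * items[i] is now a dangling pointer that still sits inside the live range.
 * Any later walk over [0, count) (see table_sum_ids) reads freed memory. */
void table_release_buggy(binding_table_t *t, size_t i) {
    if (i >= t->count) return;
    free(t->items[i]);
}

/* Corrected release: free, close the gap and shrink count together, so a
 * dangling pointer never remains inside the live range. */
void table_release_fixed(binding_table_t *t, size_t i) {
    if (i >= t->count) return;
    free(t->items[i]);
    memmove(&t->items[i], &t->items[i + 1],
            (t->count - i - 1) * sizeof *t->items);
    t->count--;
    t->items[t->count] = NULL;   /* scrub the slot that is no longer in use */
}

/* Walks the live range; only safe when count is accurate. */
long table_sum_ids(const binding_table_t *t) {
    long sum = 0;
    for (size_t i = 0; i < t->count; i++)
        sum += t->items[i]->id;
    return sum;
}

void table_destroy(binding_table_t *t) {
    for (size_t i = 0; i < t->count; i++) free(t->items[i]);
    free(t->items);
    t->items = NULL;
    t->count = t->capacity = 0;
}

/* Constructed data: three bindings, release the middle one correctly,
 * then walk the table. Returns the id sum of the survivors (1 + 3). */
long demo_fixed(void) {
    binding_table_t t;
    if (table_init(&t, 4) != 0) return -1;
    table_add(&t, 1, "alpha");
    table_add(&t, 2, "beta");
    table_add(&t, 3, "gamma");
    table_release_fixed(&t, 1);
    long sum = table_sum_ids(&t);   /* touches only live objects */
    table_destroy(&t);
    return sum;
}

/* Same data with the defective release. Returns the stale count (still 3)
 * without dereferencing the freed slot, which is what a real caller would
 * unknowingly do next. */
size_t demo_buggy_count(void) {
    binding_table_t t;
    if (table_init(&t, 4) != 0) return 0;
    table_add(&t, 1, "alpha");
    table_add(&t, 2, "beta");
    table_add(&t, 3, "gamma");
    table_release_buggy(&t, 1);
    size_t stale = t.count;
    /* table_sum_ids/table_destroy would walk through the freed items[1],
     * so release the two survivors by hand instead. */
    free(t.items[0]);
    free(t.items[2]);
    free(t.items);
    return stale;
}

int main(void) {
    printf("fixed release: survivor id sum %ld\n", demo_fixed());
    printf("buggy release: count still %zu after freeing one entry\n",
           demo_buggy_count());
    return 0;
}
```

The mitigation side is simply the invariant the fixed release enforces: ownership changes and the length that advertises them are one atomic step, and the slot left behind is scrubbed rather than left pointing at memory the allocator may hand out again.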

Not that that's any excuse for Firefox. But I'm not convinced that FF is so magically free from being affected by the same attack attempts that it won't crash and die when it bumps into them, even if it doesn't let an intruder in. In any case, I only ever use IE when Firefox has decided to commit suicide a few times.

I know that using Linux would mean that attacks like this would never work, but it's not completely intrusion-proof. This PC is pretty well on its last legs, as it is. It's a few more bad reads away from hard disk failure, anyway. (And that's in the not-completely "legacy" disk drive, not the really old disks that are also still in it.) The graphics card should be in the "Museum of graphics cards that were state of the art in 2003". If I change its OS, my software won't work, I'll lose all my passwords, the cable connections will have to be reset and so on. When I'm forced to get a new PC, it will use Linux, but until then, no.

The Microsoft Technet page warns site owners that SQL injection attacks might turn their sites into unwitting distributors for the malcode and directs worried site owners to Scrawlr, a free HP tool that is supposed to check your site for SQL injection code. Every site that uses something like PHP is fair game for that.

So it sounds like a plan, and the Scrawlr page has a good cartoon. But I end up far from convinced there's any value in downloading Scrawlr, after reading the comments. Like this one from leon:

The comic is xkcd.
The tool is useless; Scrawlr is entirely unable to detect even the simplest vulnerabilities. I went as far as pasting an example injection into the URL bar and it okayed that!!! I also have an intentionally vulnerable site with local-only access that we are using to configure our new IDS and it didn't find a thing… Seriously, if you take anything away from this, let it be the comic.

(That link is to the comic, in general. The Scrawlr page has the relevant cartoon.)

MarkH says:

Doesn't support POST forms or Javascript. In other words, this demo tool can't actually test anything that any web developer would have written since, oh, say 2001.
Epic fail.

Doesn't let you check POST forms? 🙂 I think I'll pass, then.

A report on the BBC's tech page had a "security expert" saying "don't use IE" and Microsoft – unsurprisingly – warning against that particular course of action. 🙂

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.
“What we’ve seen from the exploit so far is it stealing game passwords, but it’s inevitable that it will be adapted by criminals,” he said. “It’s just a question of modifying the payload the trojan installs.” (from the BBC)

As soon as "security experts" start talking up threats, I tend not to believe them. 10,000 websites sounds as unconvincing as the UK government's "30 terror plots." And so far the exploit has stolen game passwords. Hmm. Hardly a cause to panic about your eBay sales or your online banking, then. Do you care if you find yourself playing World of Warcraft alongside an unaccredited troll?

Still, Microsoft’s idea of advice doesn’t inspire much confidence, either.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

How exactly am I supposed to be vigilant? I could try to check every invalid pointer reference in the data binding function, could I? Even if this wasn’t so far over my head that I could call it an “umbrella”, IE would have to become Open Source before I could even hope to identify the databinding function.

I thought I'd already pushed the intrusion detection boat out by running Ethereal and Snort whenever I feel mildly obsessive. (And they piss me off because half the transactions that my computer indulges in can't be fathomed anyway. So I stick to using them for purposes like getting my passwords off the traffic stream, in plain text, which is surprisingly helpful when I've forgotten them but annoys me all the same. Why on earth have passwords that are hidden from the bloody user by asterisks but easily readable by anyone with a packet-sniffer? Cue another rant.)

This “data-binding function” of IE needs a whole new set of skills that I really don’t believe would hold much entertainment value. So I don’t intend to get them. And “invalid pointers”? Can Microsoft or someone direct me to the Girl’s Big Book of Valid Pointers so I can be properly “vigilant”?

Redirected Mail

Here's another good reason for not reading the Daily Mail (if one were ever needed). According to the Register:

Malware authors play Mario on Daily Mail website
Cue the outrage
An advertising network used by the Daily Mail website is being used to serve up malware. (John Leyden, The Register)

Basically, one of its ad networks serves up redirection scripts, using Mario worm code.

Code injected into an advertising stream is being used to serve up content for a malware-harbouring website located in Russia (which we won't name in case people are tempted to visit it). This site uses vulnerabilities in browser software to download malicious code onto unpatched Windows PCs, a classic drive-by-download attack.

I would be really laughing at this, were it not for the fact that this intrepid blog often looks at the online Mail, partly for amusement and partly to see what “information” so many people are getting fed. So the mocking laughter (a Nelsonesque “Ha Haa”) has got to be tempered by a self-recriminating “D’oh.” Then again, almost nothing would ever induce me to click on one of its ads, so I reckon it’s OK.

In any case, it’s quite hard to imagine a digital virus that could be anything like as devastating as the impact on British brain function that could be caused by reading the print version.

Deutsche malware

A Nelson-esque “Ha Ha” if you thought that other EC countries might be havens where the seemingly outdated Euro-values (justice, tolerance, protection under the law, presumption of innocence, free speech) are still observed.

The government of Germany (that’s the combined former East & West Germanies. Remember East Germany? That’s the one with the Stasi and a population that was so avid for freedom 20 years ago) has approved what the Register calls a Plod-spyware law.

This handy law will give the German government the “anti-terror” powers to monitor private homes, phones and computers. Don’t you just love the TWAT? Any government in the world can now take any powers they fancy just by invoking its name.

Instead of tapping phones, they would be able to use video surveillance and even spy software to collect evidence. Physically tampering with suspects' computers would still not be allowed, but police could send anonymous e-mails containing trojans and hope the suspects infect their own computers. (from the Register story)

Wow, government spam that carries malware! Did I put enough exclamation marks there? Here are more!!!!!!!

These powers will only be used in exceptional cases, yada, yada, usw. Oh yeah?

There have already been several recent scandals about over-the-top surveillance in Germany (Lidl, Deutsche Telekom, usw). Although, unlike the UK, at least the Germans don't yet seem to lose personal data on a biblical scale. But, if the Lidl surveillance is any guide, they see information on the dates of surveillees' menstruation as worth gathering.

XanderG made a beautifully phrased comment on a WhyDontYou post a couple of weeks ago.

I've never understood how we're supposed to find a needle in a haystack by chucking in more hay. So many of these measures simply add dead-ends and wild goose chases to an already massive monitoring system. How are we going to catch anybody with real malicious plans? (XanderG)

If a government REALLY cares about preventing terrorism, it is blatantly illogical to collect massive amounts of information on the general public. It’s well nigh inconceivable how much information is flying around in a noughts-and-ones format.

For instance, almost every person I passed in a half-hour walk was having a mobile phone conversation – including three dog-walkers and two cyclists. (Cycling, in traffic, ffs. Unselfish people, trying to cull themselves for the good of the gene pool.) Pretty well every house in my low-income street has a relatively fast broadband connection. There are enough traffic cameras and public CCTV installations in a 500-yard radius to provide a year's 24-hour broadcast reality TV on every known channel.

Scale this level of data traffic up to the population of the UK and Germany. Unless half the population is engaged in monitoring this hurricane of electronic noise – using the most advanced pattern recognition and cryptographic algorithms known to science – anyone who is gathering this data might as well not bother.

Well not if they care about detecting real social threats anyway. It might come in very handy for finding people who are spoofing their address to get their kid into a school slightly out of their area. Or it might catch someone who hasn’t paid their car tax or is claiming invalidity benefit while working (as the threatening TV and billboard ads keep telling us).

It might not seem to make sense but I have finally figured it out, with the help of the Matrix and the Church of Scientology.

Clearly, the earth is threatened by a monstrous alien intelligence that eats human data. It can only be kept at bay by feeding it gargantuan stores of bytes. Earth rulers are doing us a favour by collecting all our data and recycling it as xenofood to stuff in the gaping maw of the evil extraterrestrial overlord Zarg. They can’t tell us the truth because there would be a global panic.

A question for the lawyers out there – Sending malware in spam may not be a crime if the German police are doing it. But would installing this malware become a crime if the recipient of a German-police email were to forward the spam to, say, a member of the German government? The government of another country? A major corporation? At what point?