Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Javascript (http://www.velocityreviews.com/forums/f68-javascript.html)
-   -   Malicious JavaScript code, (http://www.velocityreviews.com/forums/t922649-malicious-javascript-code.html)

Noone Here 01-27-2006 10:35 PM

Malicious JavaScript code,
 
AIUI, it was not all that long ago when the threat to personal users,
was attachments that when executed compromised machines with keyloggers,
trojans, etc.

Now it seems that the big problem is reading a webpage or an HTML e-mail
and getting affected through the scripting. My understanding is that
the script downloads the malicious program from the web and sets it to
run on start up through the start-up folder or in the registry.

I don't know much about this; can someone suggest a good web site to
start learning a bit more about these threats. I have googled, but I am
not quire sure of the best search terms, and since there is so much
information out there, a site that experienced people endorse would be a
lot of help.

In particular, it seems as if JavaScript dowloading a trojran without
the user clicking an attachment is a big problem.

Thanks.

cwdjrxyz 01-27-2006 11:05 PM

Re: Malicious JavaScript code,
 

Noone Here wrote:
> AIUI, it was not all that long ago when the threat to personal users,
> was attachments that when executed compromised machines with keyloggers,
> trojans, etc.
>
> Now it seems that the big problem is reading a webpage or an HTML e-mail
> and getting affected through the scripting. My understanding is that
> the script downloads the malicious program from the web and sets it to
> run on start up through the start-up folder or in the registry.
>
> I don't know much about this; can someone suggest a good web site to
> start learning a bit more about these threats. I have googled, but I am
> not quire sure of the best search terms, and since there is so much
> information out there, a site that experienced people endorse would be a
> lot of help.
>
> In particular, it seems as if JavaScript dowloading a trojran without
> the user clicking an attachment is a big problem.


Using javascript is just one of many ways of writing codes that will
cause computers serious problems. Others include ActiveX, and just
corrupted images with bad code hidden in them. At one time you could
avoid bad sites and not open unknown email, and you usually would not
get infected.For some time now there have been bugs that will infect
you just if you sign onto the web. Especially if you have a Windows OS,
you must take all Microsoft critical updates, have good virus
protection, have a good firewall, and keep them all updated. Else you
most likely will be infected soon. Some of the anti virus programs have
links that will allow you to find what new bugs are out there and will
describe an old bug for which you have found a name.


Hywel Jenkins 01-28-2006 01:26 AM

Re: Malicious JavaScript code,
 
In article <1138403155.617666.275360@z14g2000cwz.googlegroups .com>,
spamtrap1@cwdjr.info says...
>
> Noone Here wrote:
> > AIUI, it was not all that long ago when the threat to personal users,
> > was attachments that when executed compromised machines with keyloggers,
> > trojans, etc.
> >
> > Now it seems that the big problem is reading a webpage or an HTML e-mail
> > and getting affected through the scripting. My understanding is that
> > the script downloads the malicious program from the web and sets it to
> > run on start up through the start-up folder or in the registry.
> >
> > I don't know much about this; can someone suggest a good web site to
> > start learning a bit more about these threats. I have googled, but I am
> > not quire sure of the best search terms, and since there is so much
> > information out there, a site that experienced people endorse would be a
> > lot of help.
> >
> > In particular, it seems as if JavaScript dowloading a trojran without
> > the user clicking an attachment is a big problem.

>
> Using javascript is just one of many ways of writing codes that will
> cause computers serious problems. Others include ActiveX, and just
> corrupted images with bad code hidden in them. At one time you could
> avoid bad sites and not open unknown email, and you usually would not
> get infected.For some time now there have been bugs that will infect
> you just if you sign onto the web. Especially if you have a Windows OS,
> you must take all Microsoft critical updates, have good virus
> protection, have a good firewall, and keep them all updated. Else you
> most likely will be infected soon. Some of the anti virus programs have
> links that will allow you to find what new bugs are out there and will
> describe an old bug for which you have found a name.


Feel free to go in to some detail about how JavaScript "will cause
serious problems". Also give some detail on how "just sign[ing] onto
the web" will cause infection.

--

Hywel
http://kibo.org.uk/

Randy Webb 01-28-2006 02:02 AM

Re: Malicious JavaScript code,
 
cwdjrxyz said the following on 1/27/2006 6:05 PM:
> Noone Here wrote:
>> AIUI, it was not all that long ago when the threat to personal users,
>> was attachments that when executed compromised machines with keyloggers,
>> trojans, etc.
>>
>> Now it seems that the big problem is reading a webpage or an HTML e-mail
>> and getting affected through the scripting. My understanding is that
>> the script downloads the malicious program from the web and sets it to
>> run on start up through the start-up folder or in the registry.
>>
>> I don't know much about this; can someone suggest a good web site to
>> start learning a bit more about these threats. I have googled, but I am
>> not quire sure of the best search terms, and since there is so much
>> information out there, a site that experienced people endorse would be a
>> lot of help.
>>
>> In particular, it seems as if JavaScript dowloading a trojran without
>> the user clicking an attachment is a big problem.

>
> Using javascript is just one of many ways of writing codes that will
> cause computers serious problems. Others include ActiveX, and just
> corrupted images with bad code hidden in them. At one time you could
> avoid bad sites and not open unknown email, and you usually would not
> get infected.For some time now there have been bugs that will infect
> you just if you sign onto the web.


I am like Hywel on this one. I would like to see some examples, or an
explanation, of your claims that JS "will cause" (not "can" cause)
serious problems. And as well as "just signing onto the web" can infect
my PC.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

cwdjrxyz 01-28-2006 02:29 AM

Re: Malicious JavaScript code,
 

Hywel Jenkins wrote:

> Feel free to go in to some detail about how JavaScript "will cause
> serious problems".


A very early JS exploit used script to open the Netscape home page in
windows without limit. It also wrote "Crashing" in the status bar, and
the computer crashed. This is a very simple bug by today's standards.
Rather than playing child-like pranks such as the above, the modern
hacker may not want you to know your computer is infected. He or she
may be more interested in making your computer a zombie to send out
spam email or to obtain your personal information such as various
account numbers.

> Also give some detail on how "just sign[ing] onto
> the web" will cause infection.


McAfee features a different bug on their security center home page
every few days. Here is one of their descriptions:

"W32/IRCbot.worm! is a medium risk worm for home users. You can be
infected simply by going online. Once infected, your computer may
restart continuously."

If you follow a McAfee link to a more detailed description of the worm,
you find in part:

"This threat scans for MS05-039 exploitable systems. When a vulnerable
system is found, it uses a buffer overflow to write the worm file to
that machine via a TFTP upload on port 8594. Blocking this port via
McAfee Desktop Firewall or McAfee Personal Firewall will prevent
infection even if the buffer overflow is not prevented."

Few of us have the time or interest to keep up with the details of the
several new important bugs discovered nearly every week. If there were
no more bugs, likely hundreds of people working at security companies
and Microsoft would be looking for new jobs. I have both my security
programs and Microsoft update set to update automatically so that I do
not have to check for new updates very often. You also need to pay
attention to the security program icon on your desktop. For example
mine is red if it is working and black if it is not.


Thomas 'PointedEars' Lahn 01-28-2006 04:38 AM

Re: Malicious JavaScript code,
 
cwdjrxyz wrote:

> Using javascript is just one of many ways of writing codes that will
> cause computers serious problems. Others include ActiveX, and just
> corrupted images with bad code hidden in them.


ActiveX does not run in my Mozilla/Firefox, neither in Linux nor in
Windows. And on Linux, ActiveX does not run in any other UA, too.

> At one time you could avoid bad sites and not open unknown email, and
> you usually would not get infected. For some time now there have been
> bugs that will infect you just if you sign onto the web.


Probably you mean security leaks exploited to infect computers that have
merely established an Internet connection, which is not the same.

> Especially if you have a Windows OS, you must take all Microsoft critical
> updates, have good virus protection,


The (sad) truth is that no virus protection can be good enough. Vendors of
anti-virus software cannot be faster than the thousands of malicious people
writing malicious software. You could be the one that discovers your
system being infected with the brand-new virus nobody knows about. Of
course vendors of anti-virus software do not tell you this, they want to
make money. Your money.

> have a good firewall,


Utter nonsense. A firewall, may it be just snake-oil software ("desktop
firewall") or a real one (that is, a security concept including a network
packet filter), cannot protect you from yourself, allowing your system to
be compromised by running inherently insecure software and clicking on
everything that cannot fight back. Of course vendors of so-called "desktop
firewalls" do not tell you this, they want to make (your) money one way
(you buying their snake oil and feeling protected while you are not at all)
or the other (you providing them with potentially valuable information
without knowing it).

<URL:http://www.interhack.net/pubs/fwfaq/>

Again, what is the right thing to do is not to use inherently insecure
software (that includes inherently insecure operating systems), or
configure the system as secure as possible if the former is not
possible, and to develop a common sense for secure use of computers.

<URL:http://www.ntsvcfg.de/linkblock_eng.html>


HTH

PointedEars

cwdjrxyz 01-28-2006 06:50 AM

Re: Malicious JavaScript code,
 

cwdjrxyz wrote:

> Using javascript is just one of many ways of writing codes that will
> cause computers serious problems. Others include ActiveX, and just
> corrupted images with bad code hidden in them. At one time you could
> avoid bad sites and not open unknown email, and you usually would not
> get infected.For some time now there have been bugs that will infect
> you just if you sign onto the web. Especially if you have a Windows OS,
> you must take all Microsoft critical updates, have good virus
> protection, have a good firewall, and keep them all updated. Else you
> most likely will be infected soon. Some of the anti virus programs have
> links that will allow you to find what new bugs are out there and will
> describe an old bug for which you have found a name.


You can of course reduce your chances for infection by using one of the
lesser used OSs rather than Windows. Many of these are more difficult
to hack than the XP, but also the XP is a favorite target of hackers
because they can infect a larger number of of computers that way.
Unfortunately many of us must use a Windows OS, because many important
media and other programs do not have versions for other OSs. If you are
working with professional media programs, fortunately many of these
have Mac as well as Windows versions. Many of the media professionals
love Mac for their work. Macs have been hacked, but not nearly as much
as Windows.

I should mention that ActiveX usually is found only on Microsoft OSs,
browsers, and their close relatives such as MSN9. However there have
been downloads available for Firefox, Mozilla, and Netscape to support
ActiveX for the Windows Media Player only. The reason is that some
write media pages using only ActiveX support. This limited use of
ActiveX for the WMP only is likely much safer than full ActiveX
support. Opera seems to have found some indirect way to support media
for the WMP written using ActiveX code only. I have no idea how they do
this, but it is extremely unlikely that they use ActiveX for anything
on their browser. Of course, if one wishes to live dangerously, you can
locate full ActiveX plugins for many browsers.

I should add that spyware, malware, scumware, or whatever you choose to
call it has become a big problem. If you have a Windows OS, you can
download a spyware protection program for free.But they check your
computer to make sure you have an official Windows OS, and if not you
get no download.

Of course it still pays to be careful. Stay away from doubtful sites,
use an email service or agent that scans for problems, etc. I have
never used Outlook/Outlook Express. I use the Yahoo mail service
provided by my isp SBC/Yahoo DSL, but free Yahoo mail is available to
everyone. They will not open any attachment for you until it is scanned
for a virus. I open all of my domain mail at Yahoo mail as pop mail. As
in most things in life, nothing is certain. You could be the first on
the block to get a new bug before updates for it are available in
protection programs. However, especially if you use a Windows OS, you
can greatly reduce the odds if you have good protection programs as
well as use caution about what you view or open.

Even on a Windows OS browser, you likely can reduce your chances for
infection by using a browser other than IE when online. I usually use
Opera or Firefox, but you still have to use IE to view some sites
properly. I have Opera set for very high security and use it for
questionable sites. It asks for you to accept or refuse all cookies of
any type a site my try to plant on your computer. I have seen sites for
which you have to refuse cookies 20 times, and some sites will not let
you in without cookies.


Lee 01-28-2006 07:19 AM

Re: Malicious JavaScript code,
 
cwdjrxyz said:
>
>
>Hywel Jenkins wrote:
>
>> Feel free to go in to some detail about how JavaScript "will cause
>> serious problems".

>
>A very early JS exploit used script to open the Netscape home page in
>windows without limit.


Very early. What does that have to do with how Javascript "will cause
serious problems"?


Randy Webb 01-28-2006 08:51 AM

Re: Malicious JavaScript code,
 
cwdjrxyz said the following on 1/27/2006 9:29 PM:
> Hywel Jenkins wrote:
>
>> Feel free to go in to some detail about how JavaScript "will cause
>> serious problems".

>
> A very early JS exploit used script to open the Netscape home page in
> windows without limit.


Trivial to do actually even now without a pop up blocker and considering
that even IE comes with one by default (enabled no less) its not a
concern anymore. But for kicks and giggles, you can disable yours and
execute this script for fun:

<script type="text/javascript">
while (1){window.open('www.netscape.com')}
</script>

And anybody that surfs the web without a pop up blocker deserves what
that script snippet will do.


> It also wrote "Crashing" in the status bar, and the computer crashed.


Repeatedly opening new windows causes that to happen......

> This is a very simple bug by today's standards.


It wasn't a "bug" then and it's not a "bug" now. It was an exploitation
of user's ignorance about pop ups and the lack of a decent pop up blocker.



> Rather than playing child-like pranks such as the above, the modern
> hacker may not want you to know your computer is infected.


And I will ask *again*. Post some JavaScript code that will "infect" my
computer. I want to see it.


> He or she may be more interested in making your computer a zombie to send out
> spam email or to obtain your personal information such as various account numbers.


Again, post some code. And, post code that will cause *my* PC to
repeatedly send out emails. Go on, try it.

>
>> Also give some detail on how "just sign[ing] onto
>> the web" will cause infection.

>
> McAfee features a different bug on their security center home page
> every few days. Here is one of their descriptions:


Anybody dumb enough to buy into McAfee's marketing hype deserves to pay
for the product that McAfee is selling. Do you actually expect to open a
website that sells an anti-virus product and not read how you should
have it?

> "W32/IRCbot.worm! is a medium risk worm for home users. You can be
> infected simply by going online. Once infected, your computer may
> restart continuously."


Thats ignorance on the users part.

> If you follow a McAfee link to a more detailed description of the worm,
> you find in part:
>
> "This threat scans for MS05-039 exploitable systems. When a vulnerable
> system is found, it uses a buffer overflow to write the worm file to
> that machine via a TFTP upload on port 8594. Blocking this port via
> McAfee Desktop Firewall or McAfee Personal Firewall will prevent
> infection even if the buffer overflow is not prevented."


The only thing being exploited there is peoples fear. And the ones doing
the exploiting are McAfee.

> Few of us have the time or interest to keep up with the details of the
> several new important bugs discovered nearly every week.


And some of us, myself being the first one to say so, don't care about
the details of new "important bugs" discovered. When MS updates the OS,
I update it. I have no need to try to track it myself.

> If there were no more bugs, likely hundreds of people working at
> security companies and Microsoft would be looking for new jobs.


And as long as that stays true, there will always be people trying to
keep a job by telling you to buy the product they are selling.

> I have both my security programs and Microsoft update set to update
> automatically so that I do not have to check for new updates very often.


Smart move.

>You also need to pay attention to the security program icon on your desktop.


What "security icon"? You mean the one I told the day I got WinXP to
shut up and let me handle my own PC? I disabled that piece of crap long ago.

> For example mine is red if it is working and black if it is not.


Then it should stay black all the time......

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

cwdjrxyz 01-28-2006 08:58 AM

Re: Malicious JavaScript code,
 

Lee wrote:
> cwdjrxyz said:
> >
> >
> >Hywel Jenkins wrote:
> >
> >> Feel free to go in to some detail about how JavaScript "will cause
> >> serious problems".

> >
> >A very early JS exploit used script to open the Netscape home page in
> >windows without limit.

>
> Very early. What does that have to do with how Javascript "will cause
> serious problems"?


A virus that crashes a computer is a serious problem to me, but
everyone may have a different threshold for what is serious. Of course
this virus is seldom met anymore. I gave it as an example of a pure JS
virus rather than a modern one that often mixes several types of code.
However someone at a software company put it in a code for a free html
editor, apparently a former employee, as a prank. The software company
did not bother to remove it for years. Thus many people had their
antivirus program detect it when they downloaded the program. I believe
the virus was put in the program in a form that would do no harm,
except set off virus detection programs. This subject kept coming up in
NGs for many years.

Many modern viruses and worms use a combination of various codes, of
which javascript often is a part, and the problems caused by some of
these can be quite severe. You can find a huge number of references to
these on Google at
http://www.google.com/search?as_q=ja...s=&safe=images

. If this very long URL fails, just use advanced search, require virus
or worm, and require javascript. Javascript is very much alive and well
in many recent bugs.



All times are GMT. The time now is 06:48 AM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.