Spyware via Firefox? It’s true.

Last weekend I passed along sketchy details of a news report that claimed spyware purveyors have found a way to get to Windows users even when they use Firefox as their primary browser. I’ve now had a chance to test this claim and I can report that it’s true.

The original article included enough details to help me track down the seemingly legitimate Web site that’s distributing this stuff. Like so many of these sites, it offers content designed to attract young people – in this case, a library of song lyrics. I visited the site using both Internet Explorer and Firefox. The results were surprising.

For my first visit, I used Internet Explorer on a computer running Windows XP SP2. As expected, the site tried to install a downloader packaged as an ActiveX control. The page also contained a script to pop up two dialog boxes that deceptively claimed I needed to click Yes to continue.

[Image: Ff_spy_1]

Of course, this dialog box makes no sense on a computer running Windows XP with SP2. There’s no Yes button to click, because the Information Bar blocks the ActiveX dialog box. So, for its next bit of social engineering, the page included instructions designed to walk me, the unsuspecting user, through the process of bypassing the SP2 security controls and installing this Trojan on my computer. But it wasn’t able to put an Install button in my face.

[Image: Ff_spy_2]

“But I’m safe,” you say. “I use Firefox, so I don’t have to worry about this stuff.”

Think again. You’re about to get slammed by a crapware vendor who has figured out how to sucker-punch Firefox users. In fact, to add insult to injury, the center of the page includes this ad, complete with affiliate code, to help you install Firefox.

[Image: Ff_spy_3]

So what happens when you visit this page with Firefox?

On my test computer, I had a fresh installation of Firefox, so I was prompted to install Java. The Firefox Information bar (which closely resembles the equivalent feature in Internet Explorer) displayed the message “Additional plugins are required to display all the media on this page.” I clicked the Install Missing Plugins button, and the Firefox “Plugin Finder Service” displayed a dialog box that offered to install the Java Runtime Environment. This certainly looked safe, so I clicked Next and allowed Firefox to download and install the code for me. It popped up this license agreement along the way and generally behaved just like any other program.

[Image: Ff_spy_4]

This installation was completely safe. The Java program is useful and, in fact, is required for a number of popular sites. It did nothing out of the ordinary or suspicious. So, after restarting my computer, I returned to the Web page where I began, and this time I was greeted with a Security dialog box.

[Image: Ff_spy_6]

This is confusing. As an unsuspecting user, I’m not really sure what a “security certificate” is. The dialog box is different, but I just installed another program with a complicated dialog box and it seemed safe enough, so I guess it’s probably OK to install this one too. Hmmm, maybe I should click the More Details button first, just to see what’s there.

[Image: Ff_spy_7]

That’s not very helpful, is it? Oh well, might as well install it. How much harm could it do? After all, the Get Firefox page has a big bold quote from USA Today that says “Beware of spyware. If you can, use the Firefox browser.” And the Get Firefox page itself says “Built with your security in mind, Firefox keeps your computer safe from malicious spyware…”

So I clicked Yes. And then … nothing. A single line of text appeared in the lower left corner of the Firefox window, alerting me that the Installer Applet was running. But I saw no dialog boxes, no pop-ups, no obvious signs of anything untoward happening. Much ado about nothing? Not exactly.

After closing the browser window, I installed the Microsoft Anti-Spyware beta (which I had downloaded earlier). After updating to the latest signature files, I let it do a scan. And look what turned up.

[Image: Ff_spy_scan]

Three nasty-sounding programs are now running on this computer. One of them has already begun serving up large X-rated pop-ups. And worst of all, the original Trojan horse program, which downloaded those three programs, is still there. Presumably it will begin downloading additional software shortly.

Lessons learned:

  • Spyware dealers are sneaky. Their goal is to put a dialog box in your face and convince you to click Yes. They’re successful way too often.
  • Antivirus software can protect you. Trend Micro’s PC-Cillin correctly identified the original Trojan and blocked it on a computer in my lab. F-Secure detects this Trojan as Java.OpenStream.T and blocks it as well.
  • Even an expert can be fooled. Alex Eckelberry of Sunbelt Software, a maker of anti-spyware software, says, “[O]ur own researcher working on this project (no stranger to spyware) inadvertently loaded a piece of 180 Solutions adware… This is the real problem with spyware. People click on things and that lands them into trouble.”
  • Simply being careful isn’t enough. You can land on a site offering this sort of crap by typing a URL wrong or clicking on a perfectly normal link in a page full of Google search results.
  • Simply switching browsers isn’t enough. This all happened through Firefox, remember?
  • It could happen on a Mac or Linux computer. As F-Secure notes: “The trojan works just because the trojan author did not use any Microsoft specific code. Thus making the trojan portable to other platforms. And yes, the trojan will most likely also work under Linux, but it won’t do really anything there as it tries to download and execute Win32 EXE trojan.” For now, that is. Consider this a proof of concept – this code could easily be modified to run on a Mac and download a Mac-specific Trojan or dialer.
  • Novices can be overwhelmed by permission dialog boxes. Remember the Java dialog box that I showed earlier? Here’s an example of what you’ll see when you’re prompted to load a legitimate Java program. Go ask a non-techie friend or neighbor if they can tell the difference.

[Image: Trusted_java]

Was I stupid to click Yes? Perhaps. But as Alex Eckelberry correctly notes: “People click on things.” Even after they’ve been told to be careful. Even when the wording should make them suspicious. In fact, most untrained computer users have a hard time distinguishing between good and bad software. If they’re burned often enough, they eventually start clicking No to everything – including security patches. Which only makes the problem worse.

21 thoughts on “Spyware via Firefox? It’s true.”

  1. Excellent analysis and write up, Ed. Yours write up is quite a contrast with this newsletter from Spywareinfo.com.

    I’d be interested in your comments regarding the editor’s article on Firefox and spyware.

  2. The one point I would make is that you were using Java 5 Update 1. Sun have just released Update 2 so you might want to see if they have made the security warning dialog more intuitive. I didn’t see it in the changelog though, and you are right in saying that the security warning’s message is too obscure for most users. And that More Details dialog is just scary.

  3. Well, the Java 5 Update 1 code was what I was offered by Firefox. After it was installed, Java’s Auto-Update module offered me Update 2.

    And I just tested it – the security dialog box is exactly the same in Update 2.

  4. …But the Spywareinfo.com author’s question still stands: Why target Firefox? It’s a problem for all browsers.

  5. The developers of this exploit are clearly attempting to target Firefox, which has had 25 million downloads since last November and has gained a substantial amount of market share. The applet doesn’t run on Internet Explorer. It might run on Opera (I don’t have Opera installed here to test it), but Opera has minuscule share. The target is clearly Firefox, and this exploit was developed precisely because Firefox has been successful and because the formerly reliable ActiveX-based methods of installing spyware don’t work with it.

  6. The applet doesn’t run on Internet Explorer.
    Let’s keep this clear. Applets run on Java VM
    IE also uses Sun’s Java and practically all XP users have Sun Java installed on their computer.

    Applet itself runs nicely also with IE and Sun’s Java.

    It is just that Lyricspy site has JavaScript launcher which decides installation method.
    if (IE) use activeX installer
    if (Netscape/Mozilla) use Java installer

    The point is that there is nothing that prevents malicious sites using this applet approach with IE too instead of ActiveX or in cases where ActiveX installation fails.

  7. Right, Priva. That was my point all along. There is nothing that prevents IE from running this as well. That’s not news. But there is nothing that prevents Firefox from running this, and that IS news.

  8. Ed, Thanks for posting this analysis. I came to the same conclusions that you did after first hearing about this exploit. I think it is a very serious security flaw and find it appalling that an applet can execute arbitrary code from a temp directory. The implications of this are that NO target platform or application is immune from this exploit given enough time and energy by the malware authors.

  9. Thank you for the information and the testing. Spyware vendors are looking for all the open doors eh? :^)

    More important at this point is this. Does the installer work under limited user accounts? Is it able to install enough junk to infect IE or is this only able to happen to power users and above?

  10. This is a Java problem. If you do not trust yourself not to click on things (or to clean up after yourself when you do) then you can disable this function.

    Open the Java Control Panel; choose the “Advanced” tab; expand the “Security” option; clear all of the checkboxes labeled “Allow user to grant…”. Make double sure you clear the second such box.

  11. Thank you Brad, this is the sort of information I’m looking for. Do you know if these settings are stored as registry settings or are kept in some file in each user’s profile? I’ve scanned through the registry trying to find where they’re set, nsl. If Firefox is going to be deployed with Java for some of our network functions, I need some way to limit this stuff. You cannot depend on users to not click on stuff. ;^) A point missed by most of the discussion about whether it is a Firefox or Java problem.

  12. this info is all great but what is the friggen solution. I’ve browsed this problem all over the net but no one gives solution. Should I uninstall firefox? I use ie6 mainly and am getting the certificate thing all of the sudden on pages I need to access and can’t unless I say yes. this is bad. Please help????????????

    Chris

  13. RE: Brad and the “Allow User to Grant…” checkboxes

    It gets a little long winded and frustrating to have to open each user’s login and change the checkboxes. And then when you add a new user, the default is with the boxes checked. Sun Java central management to the rescue!!

    This will allow you to make all the security settings to Java from one central location so every user on the computer has the same security settings applied.

    Files needed to do this are contained in the %windir%\Sun\Java\Deployment directory where %windir% is the C:\WINDOWS directory.

    Two files are needed: deployment.config deployment.properties

    Contents of deployment.config:
    #deployment.config
    # Use a URL with forward slashes: backslashes are escape characters in Java properties files
    deployment.system.config=file:///C:/WINDOWS/Sun/Java/Deployment/deployment.properties
    deployment.system.config.mandatory=true

    Contents of deployment.properties:
    #deployment.properties
    deployment.security.askgrantdialog.show=false
    deployment.security.askgrantdialog.notinca=false
    deployment.browser.vm.mozilla=true
    deployment.browser.vm.iexplorer=true

    The next time each user starts Java the above settings will be installed in their user profile.

  14. As a further amendment on the deployment.properties file:

    The %windir%\Sun\Java\Deployment directory doesn’t always get created on a java install, you might have to create it yourself.

    If you have dumb users who are smart enough to fill the checkboxes and leave them that way, you can lock them out permanently with the following.

    #deployment.properties
    deployment.security.askgrantdialog.show=false
    deployment.security.askgrantdialog.show.locked
    deployment.security.askgrantdialog.notinca=false
    deployment.security.askgrantdialog.notinca.locked
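As an added example (not code from the post or from any of the commenters), the following Python script reads a deployment.config and deployment.properties pair the way java.util.Properties does, then reports whether the two “Allow user to grant…” dialogs are disabled and locked and whether the system config path survives escape processing. The file contents and the file:/// path to the shared properties file are constructed samples; adjust the path to where the file actually lives.

```python
"""Audit a Java deployment.config / deployment.properties pair.

Added example, not from the blog post or its commenters. It applies the
java.util.Properties reading rules (comments, key/value separators,
backslash escapes, bare keys) so that a Windows path typed with backslashes
shows up mangled, and it checks the 'askgrantdialog' keys described above.
"""

_SIMPLE_ESCAPES = {'t': '\t', 'n': '\n', 'r': '\r', 'f': '\f'}


def _unescape(s):
    """Backslash handling as in java.util.Properties (\\uXXXX omitted)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            # '\W' becomes a plain 'W': this is what mangles C:\WINDOWS\...
            out.append(_SIMPLE_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def _split_key_value(line):
    """Key ends at the first unescaped '=', ':' or whitespace."""
    i = 0
    while i < len(line):
        if line[i] == '\\':
            i += 2
            continue
        if line[i] in '=: \t':
            break
        i += 1
    key, rest = line[:i], line[i:].lstrip(' \t')
    if rest[:1] in ('=', ':'):
        rest = rest[1:].lstrip(' \t')
    return key, rest


def parse_java_properties(text):
    """Return {key: value}; a bare key such as 'x.locked' maps to ''."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.lstrip()
        if pending is not None:
            line = pending + line          # trailing-backslash continuation
            pending = None
        elif not line or line[0] in '#!':
            continue                       # blank line or comment
        if (len(line) - len(line.rstrip('\\'))) % 2 == 1:
            pending = line[:-1]
            continue
        key, value = _split_key_value(line)
        props[_unescape(key)] = _unescape(value)
    return props


# Assumed location of the shared properties file (constructed for this example).
EXPECTED_SYSTEM_CONFIG = 'file:///C:/WINDOWS/Sun/Java/Deployment/deployment.properties'

# The two dialog settings an administrator wants set to false and locked.
GRANT_DIALOG_KEYS = ('deployment.security.askgrantdialog.show',
                     'deployment.security.askgrantdialog.notinca')


def resolved_system_config(config_text):
    """The path Java will actually try to open, after escape processing."""
    return parse_java_properties(config_text).get('deployment.system.config')


def audit_deployment(config_text, properties_text, expected=EXPECTED_SYSTEM_CONFIG):
    """Return {check_name: bool}; every value True means the setup holds."""
    cfg = parse_java_properties(config_text)
    props = parse_java_properties(properties_text)
    findings = {
        'system_config_path_ok': cfg.get('deployment.system.config') == expected,
        'system_config_mandatory': cfg.get('deployment.system.config.mandatory') == 'true',
    }
    for key in GRANT_DIALOG_KEYS:
        findings[key] = props.get(key) == 'false'              # dialog disabled
        findings[key + '.locked'] = (key + '.locked') in props  # user cannot re-enable
    return findings


# Constructed samples: a config with the path typed with backslashes,
# the same config as a forward-slash URL, and two properties files.
CONFIG_AS_POSTED = """#deployment.config
deployment.system.config=file:C:\\WINDOWS\\Sun\\Java\\Deployment\\deployment.properties
deployment.system.config.mandatory=true
"""
CONFIG_FIXED = """#deployment.config
deployment.system.config=file:///C:/WINDOWS/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true
"""
PROPERTIES_LOCKED = """#deployment.properties
deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.show.locked
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
"""
PROPERTIES_WEAK = """#deployment.properties
deployment.security.askgrantdialog.show=true
deployment.security.askgrantdialog.notinca=false
"""

if __name__ == '__main__':
    print('backslash path resolves to:', resolved_system_config(CONFIG_AS_POSTED))
    for name, cfg, props in (('posted config + locked', CONFIG_AS_POSTED, PROPERTIES_LOCKED),
                             ('fixed config + locked', CONFIG_FIXED, PROPERTIES_LOCKED),
                             ('fixed config + weak', CONFIG_FIXED, PROPERTIES_WEAK)):
        failed = [k for k, ok in audit_deployment(cfg, props).items() if not ok]
        print(name + ':', 'OK' if not failed else 'FAIL ' + ', '.join(failed))
```

Because the Properties reader treats a backslash as an escape, a value such as file:C:\WINDOWS\Sun\Java\Deployment\deployment.properties collapses to file:C:WINDOWSSunJavaDeploymentdeployment.properties, and the mandatory system file is silently never found, which is one way to end up with Java still reading per-user settings. A key written with the .locked suffix and no value is what marks a setting as not user-changeable, so the audit checks for the key’s presence rather than its value.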

  15. ok i just recently installed foxfire and after my next restart, i notice my browser is much slower than before including my download speed also. Is foxfire doing all this? thanks

  16. On a related issue, I’ve tried using the deployment.config with the mandatory setting and with the appropriate deployment.properties file. It’s not working, though — still pulling my user settings.

    With the mandatory setting, isn’t it supposed not to use my user settings? Did I miss something to enable this?

    Thanks.
    Rick

  17. I don’t think anyone who understands how malware works would argue that firefox solves the problem in general. I do think IE is MUCH more prone to be a problem, whether by poor programming or just being the biggest in the market doesn’t really matter to the poor users. I guess we’ll find out if Firefox ever equals its market share — let’s all try it!

    It is interesting that the Sun site claims that this was only possible using the Microsoft VM — was the author using that VM? It wouldn’t likely have come with Firefox, so I guess it would have had to be on his machine already.

    I, for one, am more in favor of user education than trying to disable anything that might be a problem. After all, phishing scams and email attachments are STILL there, we can’t plug all the holes if the users insist on “just clicking on things”.

    Disclaimer: I’m a 30-year veteran of the programming industry, and just got caught by a usenet message purporting to hold the group’s new charter in an HTML file that turned out to automatically download an EXE, so I just got done running a 2-hour scan on the machine to see if it got anything on here. And found this trojan-loader on the machine in places where it’s already been! Fortunately I refuse to run MS’s so-called Java VM, so that may have saved me. I refuse to run IE, also.

    rc

Comments are closed.