[Hidden-tech] Beware the Facebook thingy-dingy redux

Michael Billingsley michaelb at sover.net
Fri Jan 1 00:57:03 EST 2010


Just for clarification, I was using a Safari browser from a pre-Intel
Mac Powerbook running OS 10.4.11.  My browser is the absolutely
latest version of 4.

I think, if you've read through all the quotes I've provided from  
Dark Reading and the professional security people, you will read them  
say that the page's hidden content loads whether you request anything  
or not.  Just going to the page starts a routine that can include  
loading or "updating" software in your computer.  After determining  
your OS (in my case Mac 10) it presumes the ubiquity of RealPlayer  
and loads a RealPlayer "update" by causing a permission path to occur  
whether you like it or not.

Remember to (cautiously) visit the website for RemoteViewer.com if  
you have doubts about what its programmers claim it can do.

They absolutely promise the operator of their software the ability to  
probe, enter, load and then remote-control from a distant console any  
hijacked ("slaved") computer with or without the computer-owner's  
permission, and with or without the presence of resistive firewalls.   
I would not recommend testing the validity of their claim by visiting  
the Chilean, Polish or Romanian server that they are feeding the  
remote operations from.  I'm not a computer-security professional, so  
I can't answer your objections about what ought to be, or what ought  
not to be, possible.

The professionals are saying that existing browsers are all  
vulnerable, that the click-jacking is platform-independent (works  
against ALL) and that only when the basic underpinning design of  
browsers is radically altered will attacks and servitude of this kind  
be thwarted.   Not very uplifting news, I know.  Meanwhile, since  
writing the list earlier, I've received yet another Facebook mimic  
from the same people encouraging me to visit (and to get my computer  
"loaded-into" and enslaved... again).

This new server is in Cmolas, Poland and if you choose to test the
integrity of your browser, the server is 89.171.46.6.  I wouldn't
try it if I were you.
The actual "link" if you were to click on the button in the email, is
to (in my case) AND DON'T TRY THIS AT HOME –
  http://www.facebook.com.pitjiilil.com.pl/usersdirectory/LoginFacebook.php?ref=134531713131695466698480437872&email=michaelb at sover.net

DON'T ANYONE CLICK ON THE ABOVE LIVE URL LINE, please.

Although this email came, unsolicited, directly "to my door" I should  
point out that the included ".pitjiilil.com.pl" address is exactly  
the same domain set that was used for the direct click-jack attack on  
Facebook over last weekend, so I think this adds proof to the  
possibility that this is an all-out attempt to scoop up personal  
computers in advance of some near-future DDoS attack.

I've received iterations of this trojan attempt on 30 October, 8  
December and 30 December from servers (as I said) respectively in  
Romania, Chile and Poland.

The "latest" Safari doesn't address the problem. The latest Firefox  
doesn't address the problem.  The latest IE doesn't and can't address  
the problem, and the problem's been around more than seven weeks.

The title of each of these emails is "Facebook Account Update" and in
each instance the sender is "Facebook".

Michael


On  31 December 09, at 8:57 AM, R. David Murray wrote:

> On Wed, 30 Dec 2009 21:40:19 -0500, Michael Billingsley  
> <michaelb at sover.net> wrote:
>> The original posting - which under my signature tells Facebook's
>> experience with "clickjacking" gives some of the details.  It depends
>> upon the browser, and according to security experts, all browser apps
>> including Firefox are vulnerable if you land on the wrong page or
>> click on the wrong (deceptive) button.  Security people fault web
>> browser developers for being entirely in a defensive/responsive mode
>> instead of evolving a completely reworked approach to browser page
>> viewing.
>
> Yes, I understood that.
>
>> On  30 December 09, at 4:07 PM, R. David Murray wrote:
>>> How can just going to a web page install software on your machine?
>
> What I meant by this question is, even if the clickjack or web page load
> initiated a request to install software, (a) you should be prompted for
> confirmation before any install is done in a way that isn't clickjackable,
> (b) it should not be *possible* for any software other than firefox
> add-ons to get installed without you entering the root or admin password.
> Even if a bug in firefox lets an add-on install without a confirmation
> prompt, cleaning up your firefox addons registry would be much simpler
> than cleaning up the results of an equivalent hack on a Windows box,
> where the infestation could go beyond just firefox because many Windows
> users run as admin (because not doing so is so much of a pain; though
> it is better these days than it used to be).
>
> Well, technically non-firefox-add-on software could get installed in the
> non-admin user account on either OS X or Windows (or linux, for that
> matter) such that it would get run by that user, but again that's a *lot*
> easier to fix than an admin level infestation.  (Well, it's still
> painful on Windows, unfortunately.)
>
> So I'm wondering how you got infected, and if it represents a serious
> vulnerability in OS X or Firefox or Safari.  Thinking about what you
> described, I'm guessing you were dealing with a firefox add-on?  Or the
> Safari equivalent?  Which makes me wonder if there is a bug in the way
> the install-confirmation popup or the add-on update hooks are handled
> that the malicious web site was able to exploit.
>
> Well, I guess the main lesson is to always make sure your web browser
> is up to date with the latest security fixes, since it is the most
> vulnerable part of any Internet connected workstation, and then
> to always be cautious anyway when browsing the web.
>
> --
> R. David Murray                                      www.bitdance.com
> Business Process Automation - Network/Server Management - Routers/Firewalls
