I am very paranoid when it comes to browsing and computer use. Since I use my laptop a lot for online banking and other important accounts, I need to ensure that I don’t have any viruses, spyware or malware in my system. So I take the following precautions to keep my laptop safe:
- I bought a genuine copy of Windows 7 professional edition and I have put the system on full auto update mode. This means that whenever Microsoft patches a security vulnerability, my system automatically downloads and installs it.
- I have Microsoft Security Essentials anti-virus installed on my system. The virus definitions are also auto updated and hence my system is protected against all the nasty viruses that are newly released into the wild. Microsoft Security Essentials is so good that I think there is no future for paid anti-virus software.
- I don’t download anything from suspicious web sites. When I need to download something to try it out, I usually do that on a separate Windows virtual machine running on Virtualbox which I can discard later.
- Even when I download an executable from trusted sites, I always scan the executable using Microsoft Security Essentials to ensure that no compromised executable is run on the system.
- I have the auto play/auto run in Windows 7 disabled for all disks including pen drives. This saves me from accidental execution of viruses from infected pen drives.
- I have enabled User Account Control (located in Control Panel => User Accounts => Change User Account Control Settings) in Windows 7 and configured it to always notify me whenever programs try to make a change to the system or if any Windows settings are changed. This again prevents accidental execution of viruses.
- I use Google Chrome for all browsing needs. Chrome seems to be the safest browser and was the first browser to adopt silent auto updates keeping the browser secure.
- I run a "full virus scan" every week using Microsoft Security Essentials. This has been a lifesaver many times in the past!
All these precautions kept me free of viruses till last week when I got hit by the nasty Simda.A virus. Simda.A virus is a Trojan which provides backdoor access to the infected system. It also steals passwords and other system information. Usually in order to infect a system, the user of the system should run an infected executable. However I was very certain that I hadn’t run a suspicious executable file.
Viruses Exploiting Java Plugin Vulnerability
Last week I was browsing websites using the Chrome browser and I noticed a large rectangular advertisement on the bottom right of the browser. The reason why I noticed this was because the ads were appearing on sites which historically had no advertisements. Also, identical ads were appearing in almost all websites I accessed except for a few such as google.com. The browser status bar indicated that the ad was being served from the ib.adnxs.com domain. A quick search on Google indicated that this could be due to a virus.
I immediately ran a full virus scan using Microsoft Security Essentials. It found infection of the dangerous Simda.A virus (see screenshot below). The first entry in the list is about an Adware named OpenCandy bundled with Mirc and Free Download Manager. It is not as nasty as Simda.A, but it is better to stay away from Mirc and Free Download Manager.
What caught my attention was the infected file for Simda.A, which is a downloaded applet stored in Java’s temporary cache. Java applets run in a sandbox and hence have no ability to alter the system. But somehow this applet was able to bypass the sandbox and had altered my system and my browser behavior. The only way it can do that is by exploiting vulnerabilities in the Java browser plugin.
This seemed surprising to me since I was using the Chrome browser, which keeps itself auto updated, and hence the chances of a known vulnerability in the browser are extremely low. Then I realized that auto update may not be enabled for the Java plugin itself!
In Chrome it is possible to see all the installed plugins from Settings => Show Advanced Settings => Privacy(Content Settings) => Disable individual plug-ins. In my case, Chrome indicated that I have a vulnerable Java plugin installed (6.0.260.3) and Chrome even gave an option to update the plugin!
I think Google should modify Chrome to show this warning during browser startup or at least there should be an option to display this warning in the browser window itself.
I installed the critical update and noted that all the other plugins were up to date. I also changed the plugin execution property from "automatically run" to "click to play". This ensures that the Java plugin would be run only after explicit approval and hence I can deny Java applet execution when I visit "suspicious" websites.
Hosts File Attack (Pharming Attack)
This is how my machine was infected with the ad generating malware:
- I accessed a Web site which had a malicious Java applet hosted
- The Java applet used the compromised Java plugin to bypass the sandbox
- Applet made changes to the system so that ads are delivered in my browser whenever I accessed a Website
I was wondering what changes were made by the virus. Initially I thought the virus had changed the Chrome executable, however the advertisements were appearing even when I used Mozilla Firefox! Another interesting thing I noticed was that ads were NOT shown in ALL websites.
On Windows systems, the hosts file is usually located in the C:\Windows\System32\drivers\etc folder. I got another surprise when I found that the hosts file was missing in this folder. The file was marked as hidden and I had to enable the "show protected system files" and "show hidden files" options in Windows Explorer to access the file. When I initially opened the hosts file in Notepad, I couldn’t find any overriding lines in it. Then I noticed a scrollbar on the Notepad window and realized that the virus had created a lot of newlines before adding the additional entries! This way someone who casually inspects the hosts file won’t realize the domain hijacking! The following entries were added by the virus in the hosts file:
By hijacking the domain mapping, the virus effectively hijacked all the websites which used tracking code from Google Analytics, DoubleClick or StatCounter! This also explained why ads were not shown in some of the sites I accessed. It is a really cunning modus operandi:
- User accesses a Website which uses Google Analytics, DoubleClick or StatCounter for visitor tracking
I removed the spurious entries from the hosts file and tried to save it, but couldn’t save it because the file was marked as read only. When I tried to change the read only attribute, I got an access denied page. The virus was cunning enough to hide the hosts file, change it to a read only file and then remove permissions from all accounts! So restoring the hosts file required the following steps:
- Log in as administrator and then change the permissions of the file
- Uncheck the hidden and read only attributes
- Remove the nasty domain mapping lines and save the file
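As an added example (this is not the post's own code, nor a Microsoft tool), the following Python script implements the two checks this section describes for a Windows hosts file: it flags mapping lines whose address is not a loopback or unspecified "sink" address (the pharming redirect), reports the blank-line padding used to push those lines below the visible part of the file, and produces a cleaned copy that keeps comments and legitimate sink entries. The sample hosts contents, the 203.0.113.5 address (a documentation-range placeholder) and the generic tracking domain names are constructed for the example; the real hijacked entries are not reproduced here. The hidden/read-only attribute and permission changes still have to be undone with Windows tools, as described in the steps above, before a cleaned copy can be written back.

```python
import ipaddress

# Constructed sample modelled on the hijack described above: a long run of
# blank lines pushes the added entries below Notepad's visible window, and
# those entries point tracking domains at a third-party address.
# 203.0.113.5 is a documentation-range placeholder, not an indicator from
# the post; the domain names are generic stand-ins for the tracking hosts.
# The streamride.net line is the legitimate sink entry from the Afterword.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "#\n"
    "127.0.0.1 localhost\n"
    "127.0.0.1 streamride.net ui.streamride.net  # ISP ad server sink\n"
    + "\n" * 200 +
    "203.0.113.5 google-analytics.com\n"
    "203.0.113.5 doubleclick.net\n"
    "203.0.113.5 statcounter.com\n"
)


def is_sink_address(ip_text):
    """True if the address only swallows traffic (loopback or unspecified).

    Entries pointing at such addresses are the legitimate "block this host"
    use of the hosts file; anything else redirects the name elsewhere.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False          # malformed address: treat as not a sink
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Return (line_number, ip, [hostnames]) for every active mapping line."""
    entries = []
    for num, raw in enumerate(text.splitlines(), start=1):
        code = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not code:
            continue                          # blank or comment-only line
        parts = code.split()
        entries.append((num, parts[0], parts[1:]))
    return entries


def longest_blank_run(text):
    """Length of the longest run of consecutive blank lines (padding trick)."""
    longest = run = 0
    for raw in text.splitlines():
        if raw.strip() == "":
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def audit_hosts(text, max_blank_run=5):
    """Return (suspicious_entries, padding_detected).

    suspicious_entries lists mapping lines that redirect a name to a
    non-sink address; padding_detected is True when a run of blank lines
    longer than max_blank_run is present.
    """
    suspicious = [(num, ip, hosts) for num, ip, hosts in parse_hosts(text)
                  if not is_sink_address(ip)]
    padded = longest_blank_run(text) > max_blank_run
    return suspicious, padded


def sanitize_hosts(text):
    """Return a cleaned copy: redirect entries removed, blank runs collapsed."""
    kept = []
    for raw in text.splitlines():
        if raw.strip() == "":
            if kept and kept[-1].strip() == "":
                continue                      # collapse padding to one line
            kept.append("")
            continue
        code = raw.split("#", 1)[0].strip()
        if code and not is_sink_address(code.split()[0]):
            continue                          # drop the hijacking entry
        kept.append(raw)                      # comments and sink entries stay
    return "\n".join(kept).rstrip("\n") + "\n"


if __name__ == "__main__":
    suspicious, padded = audit_hosts(SAMPLE_HOSTS)
    print("blank-line padding detected:", padded,
          "(longest run: %d)" % longest_blank_run(SAMPLE_HOSTS))
    for num, ip, hosts in suspicious:
        print("line %d redirects %s -> %s" % (num, ", ".join(hosts), ip))
    print("--- cleaned copy ---")
    print(sanitize_hosts(SAMPLE_HOSTS), end="")
```

To run it against a real file, read `C:\Windows\System32\drivers\etc\hosts` into `text` and call `audit_hosts(text)` first; only write `sanitize_hosts(text)` back after reviewing the flagged lines, since an environment may legitimately map internal names to non-loopback addresses.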
I now realized that it is very important to keep browser plugins (Java, Flash etc.) up to date. Better still, you should change all the plugins to "click to run", so that you can explicitly run plugins when you are comfortable running them on the Web page you are accessing.
The Afterword – Asianet ISP Acting Like a Virus?
Suppose you call your friend over the phone and someone at the exchange snoops into your conversation and then talks to you in your friend’s voice? What Asianet is doing is very similar and should be illegal.
A temporary solution against Asianet ad injection is to modify the hosts file itself! Add the following line to your hosts file so that all requests to the ad server actually go nowhere.
127.0.0.1 streamride.net ui.streamride.net
The best solution would be to cancel your Asianet broadband account and switch to an alternate provider.
June 8, 2012 | Posted in Technology Tips | By Jayson Joseph