Thursday, November 29, 2012

Click to Play: the next step for Firefox

Click to Play first appeared in Firefox 14, and it appeared in developer versions of Chrome back in 2010. I described the feature in a post last July. Click to Play disables all plugins by default on all pages. The user then has to explicitly click on a warning to let the plugin, Flash or Java for example, run. Chrome and Firefox both have Click to Play disabled by default. After trying to use Click to Play for a week in Firefox, I had to give up: too many websites were not working, and the warning was not always showing on the page.

Click to Play warning in Firefox 14

Firefox 17

Firefox 17 is the first browser to enable Click to Play by default, with a caveat: Click to Play is enabled only for plugins that are outdated and vulnerable. It is possible to enable Click to Play for all plugins, including up-to-date ones, by changing the property plugins.click_to_play to true in about:config. However, it is not possible to disable the feature for vulnerable plugins.

One of the problems in the previous implementation of Click to Play was that plugins could be used without any visual widget on the page, so no warning would be displayed to the user. In Firefox 17, there is an additional icon on the left of the URL bar that is visible when a plugin has been disabled on the page. You can click on the blue icon to choose what to do: enable the plugin once, always enable the plugin on the site, etc.

New icon to manage disabled plugins

More options to always disable or enable outdated plugins on a site

Plugin check

Firefox has also had a tool for a while to verify whether the installed plugins are up to date. However, this is a manual process: go to Tools - Add-ons - Plugins and click on Check to see if your plugins are up to date. This opens a new tab to the Firefox website with information about the installed plugins.

Information about my plugins

You will notice that four of my plugins are unknown to Mozilla. In this case, the page cannot tell me whether they are up to date or not.

Fortunately, Mozilla makes it clear when there's a difference between outdated versions, which simply lack new features, and unsafe versions:

Vulnerable Flash version

Outdated Flash version

Click to Play kicks in for vulnerable versions only, not for outdated versions of a plugin. This is better for companies that don't let users upgrade to the latest version (like Flash 11) but still install safe versions of older releases (Flash 9 in my example).

Not full security

First, Mozilla cannot manage all plugins. It is not always able to tell whether a particular version is safe or not. Because Mozilla chooses to enable Click to Play for outdated and vulnerable versions only, it would not have protected users against 0-day vulnerabilities, like the vulnerability that affected the latest version of the Java plugin, or the Flash 0-day exploit that circulated on the web.

Strangely, the feature stopped working for me after a while. I reinstalled Firefox, wiping out all my user settings, a couple of times, but the same thing happened: after using Firefox for about one hour, Click to Play was not kicking in anymore.

While it is not a silver bullet, this is a good step forward in making Firefox users safer. Mozilla has also made UI improvements since Firefox 14 that make the feature much more usable.

Friday, November 16, 2012

UPS Phishing page with malware

For some time now, attackers have been faking popular websites like YouTube to entice users into downloading and installing malicious software disguised as plugin updates or video codecs. I recently found a page that is using the same technique to distribute a malicious executable through a fake UPS page.

The page is located at hxxp:// It has been up for at least three weeks and is not yet blacklisted by Google Safe Browsing. At the top is a fake Firefox warning bar (the same type we analyzed earlier) for a missing plugin. It is interesting to note that the page shows the same fake bar to all browsers; it does not attempt to fake a browser-specific bar for, say, Internet Explorer or Chrome.

Fake UPS website
The page warns of a missing plugin. All links, buttons and images open a new popup to download JavaJREInstaller.exe. On 10/31, only 4 AV vendors were detecting the threat out of 43 vendors! Five days later, that count rose to 35 AV vendors. This illustrates how hard it is for AV to detect new threats.

A behavioral analysis of the executable shows that several executables are dropped into temporary folders:
  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\00442734.exe
  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\00445cfa.exe
  • C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msuuioeyi.exe
  • C:\Documents and Settings\All Users\Application Data\8CAFEE7F380FD13300008CAF61D8DA37\8CAFEE7F380FD13300008CAF61D8DA37.exe
The last executable is registered to run with every startup. This example is very representative of the threats we see on the Internet today - most of the attacker effort goes into hiding the malicious executable from the AV vendors, not into the way the payload is delivered to potential victims. This is true for many exploit kits such as the Blackhole exploit kit, where it is much easier to detect the page used to deliver the executables than the malicious executables themselves.
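The drop-and-persist pattern described above is easy to pick out of a behavioral (sandbox) report once the report is parsed. The following triage script is an added example written for this post, not a tool used in the analysis above. It assumes a simplified tab-separated event log format (FILE_CREATE and REG_SET events) that is made up for the example; the dropped file paths are the ones listed in the post, while the Run key and value name are assumptions. It flags executables written into staging directories (Temp, Application Data) and then checks whether any autostart entry points back at one of them.

```python
import re

# Constructed sample of a behavioral log in an assumed "EVENT<tab>details"
# format (not the output of any real sandbox). The file paths are the ones
# reported in the post; the Run key and the value name are assumptions.
SAMPLE_LOG = """\
FILE_CREATE\tC:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\00442734.exe
FILE_CREATE\tC:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\00445cfa.exe
FILE_CREATE\tC:\\DOCUME~1\\ALLUSE~1\\LOCALS~1\\Temp\\msuuioeyi.exe
FILE_CREATE\tC:\\Documents and Settings\\All Users\\Application Data\\8CAFEE7F380FD13300008CAF61D8DA37\\8CAFEE7F380FD13300008CAF61D8DA37.exe
FILE_CREATE\tC:\\Documents and Settings\\Administrator\\My Documents\\invoice.pdf
REG_SET\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\8CAFEE7F380FD13300008CAF61D8DA37\tC:\\Documents and Settings\\All Users\\Application Data\\8CAFEE7F380FD13300008CAF61D8DA37\\8CAFEE7F380FD13300008CAF61D8DA37.exe
"""

# Directories where droppers typically stage payloads (short 8.3 names such as
# LOCALS~1\Temp still contain the "\Temp\" component, so they match too).
STAGING_DIR = re.compile(r"\\(temp|application data|appdata)\\", re.IGNORECASE)
# Classic per-user / per-machine autostart keys.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(exe|dll|scr|com)$", re.IGNORECASE)


def parse_events(text):
    """Split the log into (event_type, [fields]) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        events.append((parts[0], parts[1:]))
    return events


def triage(text):
    """Return dropped executables, Run-key entries, and the Run-key entries
    whose target is one of the dropped executables."""
    dropped, persistence = [], []
    for kind, args in parse_events(text):
        if kind == "FILE_CREATE" and len(args) == 1:
            path = args[0]
            if EXECUTABLE.search(path) and STAGING_DIR.search(path):
                dropped.append(path)
        elif kind == "REG_SET" and len(args) == 2:
            key, value = args
            if RUN_KEY.search(key):
                persistence.append((key, value))
    dropped_lc = {d.lower() for d in dropped}
    linked = [(k, v) for k, v in persistence if v.lower() in dropped_lc]
    return {"dropped": dropped, "persistence": persistence, "autostart_dropped": linked}


def verdict(text):
    """One-line summary suitable for a triage queue."""
    report = triage(text)
    if report["autostart_dropped"]:
        return "suspicious: dropped executable registered for autostart"
    if report["dropped"]:
        return "suspicious: executables dropped into staging directories"
    return "no staging/persistence indicators"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path in result["dropped"]:
        print("dropped:", path)
    for key, value in result["autostart_dropped"]:
        print("autostart:", key, "->", value)
    print(verdict(SAMPLE_LOG))
```

The point of correlating the two event types is that a file write into Temp alone is noisy (installers do it constantly), whereas a freshly dropped executable that immediately becomes a Run-key target is a much stronger signal and is independent of whether any AV engine recognises the sample yet.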

Thursday, November 8, 2012

Evolution of the "Work from home" scam

The "Work at home mum makes $X,000/month" scam has been around forever. In fact it has been an integral part of various scam campaigns which we've detailed in the past. These scams even appear in the list of the top-20,000 most visited websites in the world.

It is interesting to follow the evolution of this scam. The scam site always looks like a newspaper website (NBC, News Daily, etc.) with a legitimate news article, but they keep making small "improvements". Earlier this year, the scammers "borrowed" Facebook Like buttons to make it appear as though they had many supporters.

In the past two weeks, thousands of WordPress websites have been hijacked to redirect to New pages are added inside the /wp-includes/ directory:
  • etc.
The file names seem to be random and unique. Some of the hijacked websites are blacklisted by Google Safe Browsing, but the majority are not flagged and some of the websites have been cleaned up.
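Because the injected pages are new files with random names inside a core directory, the simplest way for a site owner to spot this kind of hijack is to diff the install against a known-good manifest of wp-includes. The script below is an added example for this post, not part of the WordPress project; the baseline and the "observed" snapshot are constructed in memory with placeholder hashes and a made-up file name, and hash_tree() shows how the same snapshot would be taken from a real install.

```python
import hashlib
import os

# Constructed baseline: relative path -> md5 of the known-good core file.
# The digests are placeholders for this example, not real WordPress checksums.
BASELINE = {
    "wp-includes/version.php": "11111111111111111111111111111111",
    "wp-includes/functions.php": "22222222222222222222222222222222",
    "wp-includes/query.php": "33333333333333333333333333333333",
    "wp-includes/pluggable.php": "44444444444444444444444444444444",
}

# Constructed snapshot of a hijacked install: one core file altered and one
# unexpected PHP file added (the random-looking name is made up here).
OBSERVED = {
    "wp-includes/version.php": "11111111111111111111111111111111",
    "wp-includes/functions.php": "22222222222222222222222222222222",
    "wp-includes/query.php": "33333333333333333333333333333333",
    "wp-includes/pluggable.php": "deadbeefdeadbeefdeadbeefdeadbeef",  # modified
    "wp-includes/x7q2mz9k.php": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # added
}


def hash_tree(root, subdir="wp-includes"):
    """Walk root/subdir on disk and return {relative_path: md5} using forward
    slashes, so the result is directly comparable with a manifest."""
    result = {}
    base = os.path.join(root, subdir)
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest
    return result


def compare(baseline, observed):
    """Classify every path as added (not in the manifest), missing (in the
    manifest but gone) or modified (present but with a different digest)."""
    added = sorted(p for p in observed if p not in baseline)
    missing = sorted(p for p in baseline if p not in observed)
    modified = sorted(
        p for p in baseline if p in observed and observed[p] != baseline[p]
    )
    return {"added": added, "missing": missing, "modified": modified}


def suspicious_php(report):
    """PHP files that appeared or changed: the first things to inspect,
    since only executable server-side files can redirect visitors."""
    return [p for p in report["added"] + report["modified"]
            if p.lower().endswith(".php")]


if __name__ == "__main__":
    report = compare(BASELINE, OBSERVED)
    for kind in ("added", "modified", "missing"):
        for path in report[kind]:
            print(f"{kind}: {path}")
    print("inspect first:", suspicious_php(report))
```

On a real install the baseline would come from a clean copy of the same WordPress version (or from the core checksums that WordPress publishes per version and locale), and the "added" list is exactly where files like the ones described above show up; a cron job running compare() against a fresh hash_tree() snapshot catches the reinjection that follows an incomplete clean-up.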

"Work from home" scam

Above is a spoof of the CNBC website. The page is well designed, with fake ads for CNBC Pro, summaries of fake articles on the elections, etc. They even use geo-localization to modify the title of the article to include the local city name: "San Jose Mum...", "Atlanta Mum...".

JavaScript used for geo-localization

All the links redirect to (currently down). Neither nor are currently blacklisted by Google Safe Browsing, but some of the hijacked sites leading to them are blocked by Google.