Hackers Exploiting Facebook, MySpace Plug-ins

If you use Internet Explorer (versions 6 or 7) to browse the Web, listen up: Criminals have begun exploiting security holes in several widely installed IE plug-ins to plant malicious software on the PCs of users who are lured or tricked into visiting one of several Web sites.

In an alert posted Friday evening, security software vendor Symantec said it is seeing malicious Web sites pop up that try to exploit vulnerabilities in a set of ActiveX controls produced by Aurigma, a technology company whose image-transfer browser plug-in is licensed and distributed by a number of major Web sites to let IE users upload pictures. Facebook.com and MySpace.com are currently among the biggest distributors of this ActiveX plug-in, but they are hardly the only ones.

Symantec warns that if a visitor doesn't have the Aurigma plug-ins installed, the sites probe for other vulnerable IE plug-ins, including two recently discovered flaws in plug-ins from Yahoo! and one in QuickTime (the latter attacks a vulnerability Apple patched just last month). The sites also throw in an exploit for a six-month-old IE flaw.

The malicious Web sites identified by Symantec redirect visitors to a fake MySpace.com login page in an attempt to steal MySpace credentials, all while quietly trying the various plug-in exploits in the background. The URL used by this site would probably fool all but the most vigilant (see the included screenshot).

The sites download a series of executable programs, including some that Symantec said appear to be placeholders for whatever the attackers want to stuff in there later. The company said it is still analyzing the programs to see what they do, but it's doubtful they will turn out to be harmless.

If you haven't checked out the free, easy-to-use fix-it tool released by incident handlers at the SANS Internet Storm Center, please do so now. The simple, graphical program sets the "kill bit" for each of the vulnerable ActiveX controls in the Windows registry, so that even if those components are installed, Internet Explorer will refuse to load or activate them and no Web page can invoke them. The controls themselves stay on the disk; the kill bit only stops the browser from using them.

To use the tool, double-click the .exe file you download from SANS (you will need to run it from an account with administrator rights). In the program window that pops up, place check marks in all of the boxes, then hit the "set" button. The notation next to each entry should now read "CLSID Exists." Click the "x" in the upper right corner of the window. You're done. If you ever want to undo any part of what you just did, run the tool again, uncheck the relevant boxes and hit "set."

By Brian Krebs  |  February 23, 2008; 10:00 AM ET
Categories:  Latest Warnings  

Comments

Brian, I downloaded this file half a dozen times, from my administrative accounts in both Firefox and Internet Explorer 7. I could not get it to work. When I clicked on the file, a black screen popped up momentarily and then disappeared.

I've still got the file on my computer, but danged if I can figure out how to use it.

Posted by: John | February 23, 2008 10:44 AM | Report abuse

Brian,
What is it about the URL for the fake MySpace login page that a vigilant user would spot?
I use Safari on a Mac. Do I need to do anything? Thanks!

Posted by: William | February 23, 2008 11:50 AM | Report abuse

@william: The URL is fashioned so that it appears to be myspace.com.

Here is a neutered version of the link:
hxxp://profile.myspace.com.index.cfm.fuseaction.user.viewprofile.friend.51872x.cn

Posted by: Bk | February 23, 2008 12:13 PM | Report abuse
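The point Bk makes above, shown in code: only the right-most labels of a host name decide where the browser actually goes, and in the neutered link those are 51872x.cn, not myspace.com. This is an added example, not code from the article or from any commenter. It feeds the neutered link from the comment (with hxxp changed back to http so that .NET's Uri class will parse it) and a constructed benign MySpace URL into a small check; the "last two labels" rule it uses for the registrable domain is a deliberate simplification.

```powershell
# Added example, not from the article or its comments.
# Shows which part of a host name decides where the browser goes: the
# right-most labels, not the familiar-looking left-most ones.
# The "last two labels" rule below is naive: it is wrong for suffixes such
# as .co.uk or .com.cn; a real check needs the Public Suffix List.

function Get-RegistrableDomain {
    param([Parameter(Mandatory)][string]$Url)
    $hostName = ([System.Uri]$Url).Host.ToLower().TrimEnd('.')
    $labels = $hostName.Split('.')
    if ($labels.Count -lt 2) { return $hostName }
    return ($labels[-2..-1] -join '.')
}

function Test-LookalikeHost {
    param(
        [Parameter(Mandatory)][string]$Url,
        # Brands to watch for; both are named in the article.
        [string[]]$Brands = @('myspace.com', 'facebook.com')
    )
    $hostName = ([System.Uri]$Url).Host.ToLower().TrimEnd('.')
    $real = Get-RegistrableDomain $Url
    foreach ($b in $Brands) {
        $legit = ($hostName -eq $b) -or $hostName.EndsWith(".$b")
        # Brand string is present in the host but the host is not under it.
        if (-not $legit -and $hostName.Contains($b)) {
            return [pscustomobject]@{
                Host          = $hostName
                LooksLike     = $b
                ActuallyUnder = $real
                Suspicious    = $true
            }
        }
    }
    return [pscustomobject]@{
        Host          = $hostName
        LooksLike     = $null
        ActuallyUnder = $real
        Suspicious    = $false
    }
}

# The neutered link from the comment above, with hxxp restored to http so
# System.Uri will parse it, and a constructed benign URL for comparison.
$bad  = 'http://profile.myspace.com.index.cfm.fuseaction.user.viewprofile.friend.51872x.cn'
$good = 'http://profile.myspace.com/index.cfm'
Test-LookalikeHost $bad
Test-LookalikeHost $good
```

For the neutered link the check reports the registrable domain as 51872x.cn and flags it as suspicious; for the benign URL it reports myspace.com and does not. Every dot before the registrable domain is just a label the registrant of 51872x.cn was free to choose, which is why "profile.myspace.com" can appear at the start of a host that has nothing to do with MySpace.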

@John -- I can't seem to win either way. Last time I wrote about this I linked directly to the tool itself, and people complained saying that I should have linked to the page rather than right to the executable file.

There are two versions of the program on that page linked to in the article above. My suspicion is you downloaded the command line version, not the one with the graphical user interface pictured above. Here is the direct link to the version you want:

http://handlers.sans.org/tliston/KillBitGui-Feb08.exe

Posted by: Bk | February 23, 2008 12:17 PM | Report abuse

Brian, worked like a charm.
Even though I use IE only when only it will work, and never go to Myspace or Facebook, it cannot hurt. :-)

Posted by: GSG | February 23, 2008 2:31 PM | Report abuse

Who in the world would ever to to a .cn domain?

Posted by: Andrew | February 23, 2008 9:50 PM | Report abuse

errr.... go to a .cn domain....

Posted by: Andrew | February 23, 2008 9:51 PM | Report abuse

Fellows, aren't these targeted items installed by my choice, not automatically? If so, then I shouldn't have them on my machine, since I never installed them. Can't I just go to manage add-ons and look to see if I have any of these installed, and if they are not installed, then why do I want to add another "exe" to my system if it's not needed, even if I can do/undo the settings anytime? I like a lean, clean machine, with the less the better. Who's to say this SANS program won't be targeted, if it can be, at some time in the future?

Posted by: M in CT | February 25, 2008 12:31 PM | Report abuse

Can you use the "power of the press" to put pressure on MySpace and Facebook to make available a formal statement and recommendation for its users. I'm getting conflicting information about whether this is fixed and the fact that neither MySpace or Facebook are warning their users is utterly irresponsible as they are the ones that made the software available to their users.

Posted by: gary | February 25, 2008 2:07 PM | Report abuse

Brian, Thanks for the article and the link to the utility. I've been commenting recently that someone should develop a tool like this to make it easier for people who might not have the knowledge/confidence to alter the registry themselves.
This is great for these *specific* vulnerabilities, and Tom Liston deserves thanks, but because these situations arise frequently where the temporary workaround requires setting a killbit, what would be really useful is a utility/GUI where *any* CLSID could be entered to set/unset whatever killbit needed to be used. Then when the next ActiveX issue shows up with no patch immediately available (as it surely will) folks could use that (along with something like ERUNT to back the Registry up beforehand) and/or just set a System Restore point in case something went wrong. I'm sure you've noticed how many people are deathly afraid of "The Registry", and don't dare altering it in any way. Something like a simple GUI-utility to make it easy for them would really help. And in the end, that makes us all safer right?

On another point, it's interesting observing the differing levels of knowledge people have, as evidenced by some of the comments here. That's one of the biggest issues when it comes to overall security, for the Internet and for security vendors. It's a bit like letting anyone who buys a car drive it on the highway whether they know how to drive [or not].

Posted by: TR Daggett | February 25, 2008 10:54 PM | Report abuse
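The article's instructions for the SANS tool and the request in the comment above for a set/unset utility that takes any CLSID both come down to the same registry change. The script below is an added example, not code from the article, from SANS (Tom Liston's KillBitGui) or from Aurigma: it sets, clears and queries the kill bit for a control given its CLSID, using the documented location (HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, value "Compatibility Flags", bit 0x400; Microsoft KB 240797). The CLSID used in the usage lines is a placeholder, not the Aurigma control's real identifier; take the real CLSIDs from the vendor or SANS advisory.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article, SANS or Aurigma.
# Sets, clears and queries the Internet Explorer "kill bit" for an ActiveX
# control by CLSID. Location and flag value per Microsoft KB 240797:
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   "Compatibility Flags" = REG_DWORD with bit 0x400 set
# With the bit set, IE refuses to instantiate the control even though the
# DLL stays installed. Other bits already in the value are preserved.

$script:KillBit   = 0x400
$script:ValueName = 'Compatibility Flags'

function Get-KillBitPath {
    param([Parameter(Mandatory)][string]$Clsid)
    # Key name is the braced, upper-case GUID; [guid] rejects malformed input.
    $key = ([guid]$Clsid).ToString('B').ToUpper()
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$key")
    # On 64-bit Windows, 32-bit IE reads the WOW64 view, so cover both.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$key"
    }
    return $paths
}

function Get-CompatFlags {
    param([Parameter(Mandatory)][string]$Path)
    # Missing key or missing value both mean "no flags set".
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # True only if every applicable registry view has the bit set.
    foreach ($p in Get-KillBitPath $Clsid) {
        if (((Get-CompatFlags $p) -band $KillBit) -eq 0) { return $false }
    }
    return $true
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in Get-KillBitPath $Clsid) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $flags = (Get-CompatFlags $p) -bor $KillBit
        Set-ItemProperty -Path $p -Name $ValueName -Value $flags -Type DWord
    }
}

function Clear-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in Get-KillBitPath $Clsid) {
        if (Test-Path $p) {
            $flags = (Get-CompatFlags $p) -band (-bnot $KillBit)
            Set-ItemProperty -Path $p -Name $ValueName -Value $flags -Type DWord
        }
    }
}

# Usage with a PLACEHOLDER CLSID (not the Aurigma control's real identifier;
# take real CLSIDs from the vendor or SANS advisory).
$example = '{00000000-0000-0000-0000-000000000000}'
Set-KillBit $example
"Kill bit set for ${example}: $(Test-KillBit $example)"
# Clear-KillBit $example    # undo, equivalent to unchecking a box in the SANS tool
```

Two things worth knowing before relying on this. First, the kill bit is keyed on the CLSID, so it keeps working even if the control is later reinstalled or updated under the same identifier, and it must be set again for any new CLSID a patched control ships with. Second, export the "ActiveX Compatibility" key with reg export before running it on a production machine, which gives the same rollback the comment above asks for without a third-party registry backup tool.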

Buy a mac. Use Firefox. :)

Posted by: Ian | February 26, 2008 5:36 PM | Report abuse

This is a Windows only thing right? Macs are safe?

Posted by: Bill | February 27, 2008 2:08 AM | Report abuse


© 2010 The Washington Post Company