Social Engineering
Friday 15th September, 2006 10:04 Comments: 6
I've come across the "you need to install this codec to watch the video" trick before, and cleverly avoided it, but it seems they're now combining this tactic with rootkits and writing the installer so that it doesn't drop the rootkit when it detects it's running in a virtual machine (since that probably means it's being analysed). Interesting reading (if you're a geek). The summary is this: if you have to install a codec to watch a video... the video is probably not worth it.
While reading the blog, I noticed that there might be another IE 0-day (another bug was found in a fully patched copy of IE6). It'll be interesting to know if it applies to IE7 (as typically these bugs don't seem to work on the new browser). I'd strongly recommend installing IE7 RC1 anyway, because it's cool. The phishing filter is nice too. Useful when there are more than 14,000 phishing sites (the highest number in APWG's history, up from 10,000 sites in June and 12,000 in May). The average time a phishing site stays up before being taken down is 4.8 days, and the longest time online within the period is 31 days. This is why phishing filters need to be updated constantly, which Microsoft is doing.
Yamahito - Friday 15th September, 2006 13:18
//if you have to install a codec to watch a video... the video is probably not worth it.//
Bit too much of a generalisation IMO - how many of the 'virgin' out of the box operating systems can play back divx/xvid content for instance? If you have to install a codec that's not downloadable from a (reputable) third party... would be better, but then that would probably just confuse the everyman... >sigh
True, they don't tend to play all of them out of the box, but that's why websites usually go with codecs (e.g. WMV) that will (or use Flash)! How much DivX/XviD content do you see embedded in web pages?
One of the first things I do when I install an OS is install DivX followed by XviD. I also go to Windows Update for all the latest updates and simultaneously allow all Microsoft ActiveX controls to work automatically. I install the latest version of Flash (how YouTube and Google do their videos), and if I'm feeling nice I sometimes install QuickTime (and, very rarely, RealPlayer). Once you've done them, the only prompts you generally see in the browser are for naughty things that I know I needn't install. I also tend to install PowerDVD for MPEG2 playback, but you don't typically see that on the web.
The thing about the "codec" is that the one I saw was done in a clever way that naive users will generally fall for. The message is a link on the webpage to an executable that you have to run (and most users are Administrators or Power Users so it can do all sorts of mischief). The "Media Player" you see on the page isn't even trying to play a video, it's just a normal link in a webpage that appears within the "Media Player" embedded in the webpage and looks like a real error message, so once the "codec" is installed it's still not going to play the video as there isn't one to see. I saw this ages ago, I presume the "codec" program would send an email to everyone on your MSN contact list (IIRC it looked like it was done in small batches to make it look realistic) telling them to see your new video at this website. Anyone that went would see a pretty page and the link to the "codec", anyone that fell for it would end up emailing everyone else. I don't know what else it did, but it probably wasn't very nice.
Trying to educate users is tough, which is why telling them it's "probably not worth it" is easier to get across. Sure, they might miss out on the odd video, but I'd rather that than watch them get infected with a nasty rootkit. It's that dancing pigs problem again: http://en.wikipedia.org/wiki/Dancing_pigs_(computer_security)
If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet, he's going to choose dancing pigs over computer security any day. If the computer prompts him with a warning screen like: "The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life's savings, and impair your ability to have children," he'll click OK without even reading it. Thirty seconds later he won't even remember that the warning screen even existed.
Ooh, it looks like I was right, IE7 RC1 is fine:
http://msmvps.com/blogs/spywaresucks/archive/2006/09/15/128475.aspx
http://www.microsoft.com/technet/security/advisory/925444.mspx
//How much DivX/XviD content do you see embedded in web pages?//
True, not much, but the user education point remains valid - will they be able to tell the difference between a codec they need to install to watch films they download from bit-torrent and a rootkit masquerading as a codec?
//One of the first things I do when I install an OS is install DivX followed by XviD//
I have to admit, I normally use FFDShow to handle playback and only install XviD if/when I need to encode anything. Also RealplayerAlternative/QuicktimeAlternative (although it's a shame QTA doesn't do a lot of the Quicktime panorama stuff, last I looked).
If they can work out where to get a decent BitTorrent client (e.g. uTorrent or Azureus) and which websites to visit for torrents of said films (there are a few listed at Slyck's website), I'm sure they can also work out where to get the right codec from. I believe some torrents even contain VLC and the right codecs in order to help dumb users. You'd be surprised (actually, you wouldn't, you know what most users are like) by how many people appear to download "Some.Movie.DVDScr.exe" and try to run it in order to see the movie; I'm sure I read that on Slyck's forum somewhere.
I think I've done encoding on pretty much every system I've had my hands on, even if it were just to give the system a stress test (as MPEG-4 encoding gets the CPU nice and hot/makes them keel over). I've also got ffdshow on a couple of my machines (in order to watch x264 content, for example) but it's not really necessary for most people. Most encoding is still done with XviD, so any (decent) MPEG-4 compatible decoder should do. I've always liked DivX because it's had good post processing options and had better SMP support, and it was guaranteed to play on my DivX DVD player although XviD seems to have caught up now (I quite like 1.2, my own build from CVS seems pretty quick too) and an unofficial firmware has solved the XviD problems with my DVD player.
I tend to stick clear of Apple/Real simply because they're proprietary and the software isn't user friendly. I used to like Real's codec years ago, but since MPEG-4 and broadband came along, it's lost its usefulness.
I've just noticed there's a 2005 comparison up at Doom9 that looks interesting: http://www.doom9.org/codecs-final-105-1.htm
IE7 is definitely safe from the latest 0-day
http://blogs.msdn.com/ie/archive/2006/09/15/756736.aspx
IE7 is safe against this attack and many of the other recent attacks on IE6. The input of the security community had a deep impact on the security strategy for IE7. As we worked with researchers to strengthen the core of the IE7 codebase against threats, we also eliminated threats on the periphery by reducing the attack surface that we expose to malicious websites. Most notably, IE7 reduces attack surface by disabling most ActiveX controls on the system by default. We actually went a step further with Direct Animation control and effectively remove it when you install IE7.