Virus from web surfing

[FromTheRafters]

Edward Diener wrote:
[...]

I think you are nitpicking but "malware" is fine with me also.

It's better. For a thing to be a virus, it *must* not kill its host too
soon. Other malware might have just that intention and no other.

[...]

I also continue to believe that malware will not generally be able to
infect someone's computer by just surfing web sites as opposed to
downoading/executing programs or opening e-mail attachments etc.

There, you may be mistaken. Generally, these malware program's servers
use exploits of various software vulnerabilities to automate
drive-by-download and execution of the offered malware.

I can understand taking advantage of a browser's vulnerability, but I
can not understand how malware can infect a client system otherwise
unless, of course, the end-user helps it too by foolishly opening or
executing the files some web site offers.

It can't. It is not a design feature. To do so they must exploit
something. Much care is indeed taken to assure that allowing websites
some limited programming rights will not result in unwanted behavior.

Unless one is going outside the realm of the very popular browsers, ie.
IE, Firefox, Opera, Safari, it is hard to imagine using a browser which
is itself malware.

Some would argue that IE fits that bill, but that's not what I meant, I
wasn't clear. The "exploit" code itself is "malware" (not implying that
the browser is malware)- the code it (perhaps a remote code execution
exploit) runs can then download and execute *other* malware (keylogger,
spambot, dDoS engine, etc...). The web based exploit is *one* malware
instance (a beachhead), that in turn brings more instances of malware
onboard.

[...]

 

[FromTheRafters]

Edward Diener wrote:
[...]

I understand about scripts being downloaded and running on the client
side and I understand that if Javascript does something on the client
side as it runs it can theoretically change something on the client
computer. But as a programmer myself I have never heard or seen of any
ability which Javascript has to actually access the client computer's
hardware or file system. While some Javascript release in a browser
could have a bug in it which allowed such intrusion I would strongly
imagine that this would have been fixed and that every browser one uses,
if one keeps the browser up-to-date, will pick up such a fix. Of course
my friend could have been using an old version of a browser running some
early version of Javascript which allowed a hacker to subvert his
system. But my gut feeling is that Javascript has been gone over by so
many people down through the years to stop such an intrusion that is it
unlikely that some virus occurred from running it on the client side.
However, I am willing to listen to those who tell me otherwise.

It only takes minutes for your browser version to become *old* in this
sense.

Agreed. But the major browsers all must have a pretty good security team
involved with their development so that any possible exploits are
carefully examined with each release.

Javascript should be "well behaved" by now, but can be used maliciously.
I'm only mentioning misbehaving software.

http://www.microsoft.com/technet/security/advisory/2488013.mspx

Good link. Thanks !

I am aware that there are web sites out there which may have malware
trying to infect an end-user's computer through a browser vulnerability,
else one would not see updates from the major browsers to close possible
security holes. I admit I am probably naive in not realizing the effort
that can be made by such sites to exploit such vulnerabilities.

I guess I was skeptical that this happened to my friend because,
although I do not know the exact web site he went to which Webroot
warned him against, I was told by him that other people he knew said
they had surfed that sight without problems of their own. I also react
pretty quickly on my own if I ever see a web site that suggests it is
trying to convince me that something is wrong with my computer with
ridiculous displays of so-called scans of my files and other attempts to
scare me.

Some of these 'bad website detectors' are alerting to the scareware crap
that you just mentioned (it is malware after all). I sometimes download
the executable and submit it to the online file submission scanners just
in case it is new and may need to be exposed to the anti-malware
community. You can visit such a site, get an alert, then visit it later
and not detect anything (because 'this time' there is no malware there).
It's kind of a hit or miss situation.

Too bad the drive failed, you could see if Webroot logged the event
otherwise.

 

[FromTheRafters]

JS.loop

Annoying, and it is considered malware although it is rather tame.

Yanking the power like that is more dangerous than JS.Loop.

More dangerous to the computer that is...

If security is marching you out on the street for that, you worked for
the wrong company IMO. Any idiot can set up a website which plays
something loud and displays images on your screen which might offend
other people, but that is no reason why you should suffer from it just
because you accidentally surf such a site.

Indeed!

 

[(PeteCresswell)]

Per FromTheRafters:

Yanking the power like that is more dangerous than JS.Loop.


More dangerous to the computer that is...

-)