Noscript ftw!
Yet another attack that's preventable with noscript. If everyone used it properly (e.g. not turning on scripts every time they see a blocked one), cyberspace would be a safer place.
A nasty infection that attempts to install a potent malware cocktail on the machines of end users has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday. The infection sneaks malicious javascript onto the front page of websites, most likely by exploiting a …
NoScript only provides safety in the same way that turning your computer off provides safety. If you want to do anything which involves script type objects then you have to start allowing them. That means you have to start making judgement calls on what is safe to allow. The whole point of this is that you may have already made that call in order to have usable functionality from a trusted site. That trusted site may now be serving up this malware. NoScript is very useful but ultimately the user has to walk a line between risky objects and usable sites, and for the most part has no clear direction for where that line is.
I'm sure the intended target for the "potent malware cocktail" is Windows though.....
or perhaps it's scanning for GNU/Linux users who have unpatched vulns that are remote exploits & then trying to get them to install a (GNU/Linux) package containing "anti-virus" software. What do you think, Apocalypse Later?
NoScript is great if you don't want to do that much on the 'web.
Sadly almost any website where you want or need to do anything interactive on it (I'm thinking shopping, online banking, library catalogues, you name it) requires scripts. So fuck it you either keep safe but fail to do what you need to, or you take a gamble and tentatively enable one of the domains blocked until you get enough functionality working to complete what you need to.
We either need a new way of doing 'useful stuff' on websites that doesn't use scripts, or give up and go back to the old way of going to shops and banks, or calling them up using the phone :-\
There are some easy choices that allow noscript to remain fairly effective. Even if you allowed a script from a trusted site because it was obvious the functionality of the site was missing without it, once you were redirected to the other site you have no reason to allow scripting there, no reason to allow scripting from another 3rd party site, nor a reason to install rogue anti-virus software from a popup window.
C'mon, hasn't everyone seen Sandboxie yet? www.sandboxie.com
I can browse any website with impunity. If something happens I don't like, I can terminate every process spawned by the browser and delete everything it's done since the last time I decided to empty the sandbox. Why would you risk exposing your whole computer to the world every time you open a webpage.. sheesh!
Luba kok antud lehel ?
Yeah right !!!!!!!
If this is familiar to anyone using No Script, perhaps they can translate it for the benefit of my teenage daughters and me.
It could be ........... Serbian (?) Russian (?)
Thanks No Script.
I still use it every day, even though I don't know what it says.
ALF
"NoScript only provides safety in the same way that turning your computer off provides safety"
I agree. I've used NoScript several times in the past and I found it a pain in the ass.
Maybe you NoScripters visit the same selection of sites all the time but I visit new sites on a daily basis. Configuring NoScript every time in an attempt to make each new site half usable turned surfing the web into an ordeal. Did NoScript even stop me getting infected? I doubt it as I never got infected via my web browser before using NoScript. It was, therefore, a massive waste of time.
Now I've switched to Linux and all I need to be secure is my common sense. You NoScripters really need to give it a try sometime if you actually care about security but I suspect many of you only use NoScript because you want the illusion of security.
"I can browse any website with impunity."
Such complacency will eventually see you picking up malware, the authors of which are already working on ways to modify behaviour when detected running in a virtual environment. You will hit exactly the same problem that NoScript users have - do I allow (or recover from sandbox) or not. Eventually you will recover something which appeared benign and it will get onto your main system. That's if increased vulnerability attacks on the likes of Sandboxie, and other virtualised environments, don't pick you off first.
@ Lionel Baden: good solution, let's wait until somebody steals our bank details or makes us part of a DDoSing botnet and *then* we'll start cleaning it up. Never heard the phrase "prevention is better than cure"?
@ John Smith: you probably just fell for an old trick where your browser reflects your system environment variables back at you, and nobody else would see those details. That trick's been around since Windows 95 and has great shock value, but little else.
@ NoScript haters: yes, it's not perfect, but neither is configuring a firewall to allow apps in/out every time I have a new app. Shall we just bother with firewalls either, because they're inconvenient? Oh god, heaven forbid we have a little bit of good old fashioned effort combined with a little bit of good old fashioned common sense, that would surely be too much. Let's just stick with one-click-idiot-level-simple and nice shiny websites that look pretty and deliver malware, than have to make even the slightest, most basic bit of effort. I, too, hated NoScript when I first used it. I've reinstalled it since and taken a little bit of time to figure out how it all works, and now I love it. Grow up and stop viewing the internet in terms of black and white.
Blocking google analytics won't help because it's not being served by analytics, just something that looks like it.
Noscript probably _will_ work because even if the initial render is being served by the trusted website it's still referencing external javascript, which will not be trusted by default by NoScript even if the rendering site is.
If my wife can handle NoScript, I don't see why any reasonably computer literate person shouldn't be able to.
The number of sites which absolutely require javascript is decreasing. Nowadays it is much easier to argue for a scriptless fallback to every bit of javascript functionality with clients and pointy-haired bosses, due in part to the rise of NoScript. Which in turn makes it more likely people will use NoScript, confident that sites they're using will still actually work.
Half a million downloads per week is not to be sniffed at (although that probably only translates to about half a million active users, as it is very frequently updated).
Also, I haven't studied this particular attack, but it would be unusual if the script is hosted on the same domain as the site, as that would require two separate modifications to the site's code. In which case the most common NoScript habit of only allowing scripts from the same domain would prevent it from running, assuming the site is in the user's whitelist or actually requires scripts to be enabled. IMO NoScript is "good enough" protection against script-borne attacks. Shame it requires a certain level of knowledge to use effectively.
This is interesting in light of Saturday's other article on El Reg about the M$/Asus puff-piece/FUD website www.itsbetterwithwindows.com for netbooks (http://www.theregister.co.uk/2009/05/30/its_better_with_windows/).
Netbooks with Linux are one of the IT industry's best efforts at producing secure on-line appliances for Jo/Jill Public to use with relative confidence that they won't be pWn3d. All the more so with so many legit websites compromised in this way. Just a shame to see a decent company like Asus get muscled into M$'s monopolistic attempts to crush all that is Open Source.
While it may be "cock waving" a little it's also a nice reminder to use said product. NoScript _seems_ to have prevented the malware downloading onto my PC so it's worth installing.
One of the sites that host the code seems to be m-analytics.net -- theirs is the only other domain wanting to run scripts on my machine on a website I know to be infected.
Awful plugin, just turn off JavaScript in FF under:
Edit->Preferences->Untick Enable Javascript
If you don't want to use JavaScript.
Though JavaScript is hardly ever the problem, normally an ActiveX object or Flash is at the end of it, and JavaScript if used is actually more likely to break the chain of compromise.
"you probably just fell for an old trick where your browser reflects your system environment variables back at you"
That sounds about right. However my usual response is *never* to click on something offered as a "Solution." Just dump the page. On the up side from the article the attack failed to find any of the silent gaps it would have used otherwise.