We are constantly installing new software and add-ons, but how do we know if this software is safe to use? In this video, you’ll learn about add-ons and attachments, and I’ll give you some real-world examples of malicious add-ons.
<< Previous Video: Locally Shared Objects and Flash CookiesNext: Arbitrary and Remote Code Execution >>
One of our larger security concerns is not the things that are already on our computer, but the things we interactively add to our computer ourselves. We manually decide to add new software to our computer, and unfortunately, sometimes that software has vulnerabilities, it has threats inside of it, that then create problems for our system.
One common way to do this is with attachments. Email attachments are still being sent. There are a very, very common way to get a bad piece of data, a bad program on your computer, and infect you with malware or spyware or some kind of virus. That’s because so many people have email, and there are so many different kinds of threats and vulnerabilities out there.
They’re called attachments because they’re attached to the email, and you just double click it, and you’re able to run it on your computer. The bad guy’s trying to force you to run that, to encourage you with social engineering, so that you’ll be able to do that.
Almost always, attachments should always be considered a security risk. Even if you recognize who sent this to you, even if you recognize the file, even if you’ve already talked to the person about them sending the file to you, you should still consider that attachment a security problem, because you don’t know if the other user might be infected with something that’s latching on to the attachment and coming over to your computer.
You really have no way to know what’s in there. So you want to be sure before you run anything that is an attachment that you know about it, you understand what’s in there, you perhaps have scanned it with one or more antivirus or anti-malware packages, to make sure that it’s absolutely safe.
Another way to get information onto your computer is through add-on’s. Very good examples, with Firefox or Internet Explorer are browsers that we use every day. We can make them easier to use. We can add additional functionality just by adding some add-ons onto our systems, onto our browsers, makes it very, very simple to extend the functionality of our applications.
The problem, of course, is the bad guys know that we are going to install these add-ons, and very often we just assume the add-ons should be completely trusted. It’s something that is in a big list of things. Obviously other people are downloading this and installing it. It’s from a relatively trusted source. So why not just add on to our browser without even considering that the add-on itself might be a problem?
Here’s the way these add-ons work in something like Firefox. This is my Firefox view. And under My Tools, you see I have a lot of add-ons that are already here, because you can see a lot of things in icons here that are not normal in a stock configuration of this.
If you go to the add-ons option here, brings up a completely different set of menus. I’m running Firefox 4.0, so mine looks a little bit different than previous versions, but look at this huge library of different add-ons. And I can search for any type of add-on here. I’m going to type, just for security a very generic name, and look at all of the different security add-ons I could put on my system. These all sound great. I’ll load all of them up.
I’ll put anything I’d like onto my computer. It’s a relatively easy process to do this. If you would like to add, I don’t even know what some of these, I’ll just click install. And here’s a good example of how it’s quickly downloaded. I just clicked my mouse to get it there. I click Restart now, and now the add-on is installed in my Firefox.
And you can see under My Tools pull down menu, I can go, well, the add-ons has already come right back here, and now click here for more info about the websites. Now the add-on has already kicked in. It’s already started gathering more information for me about that particular site. There’s a new button that’s appeared that gives me a reputation rating for that.
I don’t know if this reputation pull down is something legitimate or not. I just clicked an add-on, and now it’s in my browser. It looks legitimate, but you have no way of knowing. I may have put myself at risk just by adding that into my system.
So there’s our trade off. We have a certain amount of trust we have to put in these add-ons, but they’re obviously a situation where this could be risky to our computer. These worries are not completely unfounded. In February the 4th 2010, Mozilla, the developer of Firefox, found Trojans in two separate Firefox add-ons, and it’s ones that you could just do exactly what we just did. Go out to the add-on site, click a button, and now it’s installed on our computer.
Inside of that was malware. It was a Trojan. It was trying to get you to install that so it could put that on there. Nearly 5,000 downloads across two different Trojans. They weren’t even the same Trojan. They were two different ones that they came across.
Now obviously they removed the add-on from the main library, so people could not download it anymore, but even if I went back to the add-ons inside of my browser and chose to uninstall that add-on, it was too late. The malware was already on my computer. Just by uninstalling the add-on meant nothing.
It did not remove the malware from our system. So obviously, these people that installed this particular add-on may have been infected, and most likely were infected, a number of them, by this particular problem.
This happened earlier as well. This was not the only time this occurred. There was a Vietnamese language pack that also had a Trojan inside of it that installed malware, bad piece of system of software onto the system, so this is something that happened before. So obviously, you have to think about these add-ons before you install them.
The problem in this particular case is that Mozilla was only using a single anti-malware engine to scan these add-ons. They were using ClamAV. So something they mentioned after the fact, after they had decided, you know what, we should probably scan this with more than one engine. So today they are doing multiple scans to multiple engines just to be able to be sure that when they put something inside of the library that it’s something that is protected, that does not have something vulnerable inside of it.
But as you probably recognize as a security professional, just because you scan it with anti-malware, doesn’t necessarily mean there isn’t any malware inside. It could be a piece of malware that those AV or anti-malware systems knew nothing about.
So you just have to be very careful about what you’re downloading, get a level of trust associated with it, and maybe after you’ve installed it also do your own scans and make sure your system is up to date with the latest patches and up to date with your latest antivirus and anti-malware signatures.