Largely just for Windows XP according to the article
Author | Content |
---|---|
bigg Oct 12, 2010 12:47 PM EDT | It seems that it would not affect most Linux users according to this. Quoting: "The manipulation works on all platforms on which the Trojan has the rights to modify the nsLoginManagerPrompter.js file. In tests this worked on Windows XP, Windows 7 and Ubuntu 10.04. However on Windows 7 and Ubuntu the user is usually working with limited privileges by default and under these circumstances the malware is unable to manipulate the file." |
herzeleid Oct 12, 2010 3:42 PM EDT | How did it affect "ubuntu 10.04" but not "ubuntu" - methinks there was something fishy about the test. |
caitlyn Oct 12, 2010 4:02 PM EDT | It just reinforces what most of us know: don't log in as root routinely. Log in as an unprivileged user. Don't use a single-user Linux distro that is always logged in as root. |
herzeleid Oct 12, 2010 5:17 PM EDT | None of the main Linux distros encourage doing day-to-day computing tasks (web browsing, email etc.) as root. I'm sure there might be one out there though. Now that I mention it, there was a distro a while back that targeted Windows converts; the name escapes me, but it was a Debian derivative with a convenient, dumbed-down interface and had the user running as root to ensure there would be no permissions issues. I'm sure someone here will remember. |
bigg Oct 12, 2010 5:39 PM EDT | > How did it affect "ubuntu 10.04" but not "ubuntu" - methinks there was something fishy about the test. — My impression is that it would have an effect only if you were running as root. @Caitlyn: Your favorite distro, Puppy, runs as root. |
tuppp Oct 12, 2010 6:03 PM EDT | herzeleid: "Now that I mention it, there was a distro awhile back that targeted windows converts, the name escapes me but it was a debian derivative with a convenient, dumbed down interface and had the user running as root to ensure there would be no permissions issues." Are you referring to Lindows/Linspire? |
caitlyn Oct 12, 2010 6:51 PM EDT | @bigg: I know. The community around that distro is so incredibly hostile to any criticism, no matter how slight, and the way it lashes out guaranteed I'd never even look at that distro. The fact that it ignores even the most basic security principles is why nobody else should either. |
tracyanne Oct 12, 2010 8:26 PM EDT | On Ubuntu and Ubuntu derivatives, the nsLoginManagerPrompter.js file requires root privileges to edit it; I'm sure that is the case for almost all Linux distributions, so unless some noddy is running their Ubuntu distro as root, the file is secure and the Trojan can't work. A question I have is: how does the Trojan install and run on Linux? |
herzeleid Oct 12, 2010 8:42 PM EDT | Caitlyn said: Quoting: "The community around that distro is so incredibly hostile to any criticism, no matter how slight, and the way it lashes out guaranteed I'd never even look at that distro. The fact that it ignores even the most basic security principles is why nobody else should either." LOL, what distro is that? Puppy, Ubuntu or Linspire? In any case, those are pretty harsh words. |
herzeleid Oct 12, 2010 8:42 PM EDT | @tuppp - yep, that was it, Linspire. |
jdixon Oct 12, 2010 9:35 PM EDT | > LOL, what distro is that? — Puppy. As I recall things went as far as death threats at one time. |
jdixon Oct 12, 2010 9:38 PM EDT | > I'm sure that is the case for almost all Linux distributions... — It is for Slackware. |
tracyanne Oct 12, 2010 10:15 PM EDT | Here are the details of the trojan: http://blog.webroot.com/2010/10/06/patchy-phisher-forces-fir... Quoting: "The keylogging Trojan copies itself to the system32 directory with the filename Kernel.exe; drops and registers an old, benign, deprecated ActiveX control called the Microsoft Internet Transfer Control DLL, or msinet.ocx (MD5: 7BEC181A21753498B6BD001C42A42722), which it uses to communicate with its command and control server; then it creates a new user account (username: Maestro) on the infected system." |
hkwint Oct 12, 2010 11:27 PM EDT | Thanks, TA, sounds like I don't have to worry. On the other hand, I'm a bit concerned: all my 'website passwords' are in Firefox's memory, and I heard it wasn't really secure once. Nonetheless, disabling JavaScript by default on all websites (with NoScript) seems a bit too restrictive in my opinion. |
tracyanne Oct 13, 2010 12:11 AM EDT | What I'm wondering is how the bloke at The H could possibly have tested this Trojan on any version of Ubuntu, let alone 10.04, as he claims. |
caitlyn Oct 13, 2010 12:50 AM EDT | ta: Seems unlikely, doesn't it? |
JaseP Oct 13, 2010 5:30 PM EDT | So it's an *.exe file?!?! That means unless you are running Linux on top of Windoze (to which I'd ask,... WHY!?!?),... or running Firefox for Win as a Wine service or virtualized,... there would be essentially no chance of the trojan taking over??? Is that what I'm essentially getting, here??? So once again, it's a Windoze threat, only... |
tracyanne Oct 13, 2010 5:51 PM EDT | Quoting: "or running firefox for Win as a wine service" And probably not even then. |
gus3 Oct 13, 2010 10:07 PM EDT | It could be a problem for someone running as root. It could also be a problem for someone running their own installation of Firefox, in their own home directory, with the necessary $PATH and $LD_LIBRARY_PATH. As the owner of the files, that user can run a program with rights to modify nsLoginManagerPrompter.js. |
tracyanne Oct 13, 2010 11:38 PM EDT | @gus, I'm beginning to doubt even that, as the details of the Trojan make it unlikely to be installable on a Linux system. |
gus3 Oct 13, 2010 11:54 PM EDT | @tracyanne, take a look at the last 50 lines of Firefox's run-mozilla.sh. That's enough env vars to find it. Notice in the first comment's quote: Quoting: "In tests this worked on Windows XP, Windows 7 and Ubuntu 10.04." |
tracyanne Oct 14, 2010 12:21 AM EDT | @gus, so how did Mr The H manage to install the Trojan on Ubuntu? |
gus3 Oct 14, 2010 2:47 AM EDT | I'm not talking about the binary-executable keylogger; I'm only talking about the danger posed to the nsLoginManagerPrompter.js file. Being root isn't the only way to hit that Firefox file. |
tracyanne Oct 14, 2010 3:48 AM EDT | Quoting: "I'm not talking about the binary-executable keylogger." You might not be, but Mr The H is. Quoting: "The manipulation works on all platforms on which the Trojan has the rights to modify the nsLoginManagerPrompter.js file. In tests this worked on Windows XP, Windows 7 and Ubuntu 10.04." So my question remains: how did Mr The H manage to install the Trojan on Ubuntu? Quoting: "Being root isn't the only way to hit that Firefox file." No, of course not... if you are silly enough to install and run Firefox from your home directory, then yes, it may well be possible for someone to edit that script without your knowledge. |
gus3 Oct 14, 2010 4:17 AM EDT | Quoting: "You might not be, but Mr The H is" No, they aren't. They are talking specifically about the ability to modify nsLoginManagerPrompter.js. The trojan can accomplish it on Windows, with privileges, and Quoting: "the H's associates at heise Security were able to reproduce the effect of the [trojan's] manipulations..." My edit does not change the meaning of the quote. The topic at hand is, what can the trojan accomplish? It can modify a critical Firefox file, with sufficient privileges. My point is that it does not need root privileges, when the file in question is owned by a non-root user running Firefox. This attack is a code injection exploit, pure and simple. What's worse, being JavaScript, the injected code is platform-neutral, and will run on any platform that supports Firefox. After the code is injected, it doesn't really matter what platform it's on; it can tailor its further actions as necessary. That includes downloading a custom binary for the platform, to carry out further attacks against the Firefox browser, or simply installing a huge JavaScript file that gets included into nsLoginManagerPrompter.js the next time FF launches. If The H releases their Linux-based proof-of-concept code to modify nsLoginManagerPrompter.js to the public, I will join you in calling them stupid. Otherwise, don't expect ever to see it. Only the Firefox security team should ever see this code. In the meantime, I'm not willing to brand The H's team a pack of liars. |
tracyanne Oct 14, 2010 4:31 AM EDT | Quoting: "I'm not willing to brand The H's team a pack of liars." I am. |
hkwint Oct 14, 2010 9:51 AM EDT | Then mail them and ask them. Not giving them the opportunity to defend themselves against such accusations isn't neat. |
phsolide Oct 14, 2010 4:09 PM EDT | I have Slackware 12.1 and Arch (current as of Sunday last). The nsLoginManagerPrompter.js file is only writable by "root" on those two distros. I've only run Ubuntu 7.04 off a Live CD, so I can't speak for Ubuntu of any sort, but for Arch or Slackware, it looks like *if* you surfed as "root", you could have that file modified. Could "The H" be running Firefox as "root" to get the file modification to work? |
herzeleid Oct 14, 2010 6:54 PM EDT | I'm running Ubuntu 10.04 on my work desktop and I can verify that every instance of that file (one each for firefox, seamonkey, xulrunner and thunderbird) is owned by root, and writable only by root. Q.E.D. |
tracyanne Oct 15, 2010 4:39 AM EDT | OK, here's the drum. I've been talking on email with someone from The H. Basically the nsLoginManagerPrompter.js file is as safe and secure on Linux as it ever was. The only known way for an external attacker to exploit that file is to first get someone local to change the permissions on the file, so that it becomes possible for a script running with local user privileges to modify it. That boils down to someone malicious having direct access to the computer, or social engineering. Of course Mozilla do need to fix a few security issues related to how Firefox handles JavaScript code. But that's a slightly different issue. |
hkwint Oct 18, 2010 8:09 AM EDT | Interesting, TA, glad to hear you asked! There are two other ways one could have the mentioned file with user permissions (as I found three of them on my system): 1) if you have a version in Wine (but there's not much point in running Firefox through Wine), 2) if you're running a beta / development version of Firefox which you unzipped as a normal user, and not as root. My conclusion is I shouldn't do 2), and instead chown those files to root. |
bigg Oct 18, 2010 9:21 AM EDT | > there's not much point in running Firefox through wine — Not true - some websites still require you to pretend to be running Windows to work correctly. I think it's fixed now, but it used to be that if you wanted access to all of the Thomas and Friends website, you needed to run Windows Firefox and Flash through Wine. Surely you cannot get through the day without Thomas videos. There are others, but no specific examples are coming to mind at the moment. There may be a bank website in that category (not that I would do such a thing). |