A story of irresponsibility and one vulnerability

I hasten to note that this article has nothing to do with Opera's move to WebKit. I just want to draw attention, with one simple example, to a problem that has dogged me in Opera for many years.

Foreword

My acquaintance with the Opera browser began in the late 90s. That was when I had the luck to buy a disc from an unfamiliar bearded man at a market stall covered in January snow. It was called, oddly enough, something like Golden Software, and its cover carried a list of programs and a catchy "100% no viruses!" sticker. That disc began my friendship with the then shareware Opera. A multiple-document interface, the ability to turn off images: what else did Russian dial-up need?

That is why, even though in recent years I have repeatedly run into the fact that Opera "by default" condones the silent download of malware, I still do not want to leave it.

Outset

Every incident begins sadly and unexpectedly. Nothing foreshadows trouble. Ordinary web surfing, firewall on, antivirus sitting cheerfully in the tray, looking for some information, clicking links, file-sharing services, and suddenly a firewall prompt pops up: "Application fghtdhdffsdhr.exe requests access to the registry. Allow?" (The name "fghtdhdffsdhr.exe" is made up, but it reflects the general naming pattern of such files.) A calm panic sets in. In your thoughts you are always afraid of the worst: running into a crypto-ransomware virus and losing years of accumulated documents and source code. A glance at the disk activity LEDs, a listen: they are silent, which means the virus has frozen while it waits for the registry access request to be answered. And while it waits, the investigation begins.
It quickly turns out that the virus was launched from the user's directory (or the Temporary Internet Files folder), that its process was started by java.exe, and that the java.exe process in turn was launched by opera.exe. The virus process is killed and its file destroyed.

About antivirus in this story

The valiant popular antivirus, by the way, was often silent. Or it analyzed the file and then let it go. Understandable: I had downloaded the latest, freshest build of the Trojan straight from the attacker's server. Meanwhile this file had already been added to autostart, downloaded assorted nastiness from the network, created Task Scheduler tasks, tried to replace various system libraries, run cmd.exe, wanted to inject itself into explorer.exe, and planned to do much more. I, true to patriotic feelings, checked the file on virustotal.com, then with the online scanner on the antivirus vendor's site, and then sent it, in an archive, to the vendor's virus analysts. I should note that some of the samples I sent really were recognized as viruses; the analysts even gave them new names. Otherwise they wrote to me that there were no viruses. The first time I was told there were no viruses I was so outraged that I contacted one of the company's managers and complained that their "virus experts" were incompetent. A couple of hours later a letter arrived: yes, comrade, you were right, we looked into it, there is a virus. But I no longer want to swear at them, and now, when I am told there are no viruses, I shrug: for some reason other programs find viruses, but the "virus experts" do not. In any case, these specimens always ended up in the collection of "my" antivirus. But apparently not from me. So my attitude to the antivirus has not changed after this story. There are no perfect things.

I took no further action in such cases. It bothered me a little. And I did not want to disable the Java plug-in, which, by the way, is enabled in Opera by default. The firewall license was renewed regularly, I also reinstalled the operating system periodically, and there was plenty to do even without fighting Opera. Though I did not forget to update both it and Java, secretly hoping that one day they would be updated to the point where they solved this problem.

Climax

2012 came. And passed surprisingly calmly. Nothing dangerous happened, which relaxed me completely; I decided that the malicious Opera + Java tandem had finally solved its problem of executing arbitrary code on a remote machine. I hoped in vain.

In autumn 2012, while downloading some terribly rare book from a horribly nasty file-sharing service, the old story began again. And it got to me: somebody at least ought to tell the Opera company so they could deal with such a vulnerability. I began to think: suppose I was seeing this file-sharing service for the first time and will never see it again. But this had happened before on popular resources, the same trackers, overloaded with advertising but still valuing their users. Are the administrators of these sites so corrupt that they allow Java applets from unknown developers to run, with disastrous consequences for the victims? Doubtful.

Armed with a virtual machine, an HTTP debugger, a network activity monitor and the Sysinternals process-monitoring utility, I began the experiment. Going to the file-sharing site, to the same file, produced nothing. Refreshing the page, too. Opera was in no hurry to spawn a java.exe process; the only binary files that came down were images: ads, ads, ads.

The very first thought, which later proved correct, was simple: the site distributing the Trojan hands out no more than one file per person. Or rather, per IP. I changed my external IP and went back to the file-sharing site. No reaction.

The second thought, which also proved correct, was again simple: the site distributing the virus hands out no more than one file per person. Rather, it serves only those who do not carry its cookie. We destroy all received cookies from all sites, change IP, go to the site. A second later the Task Manager registers the launch of java.exe, then the next "fghtdhdffsdhr.exe", which I, not without pleasure, destroy after it has made, in my opinion, quite enough of a mess.

Analysis began with the log files. The virus showed typical activity. That was not interesting; what was interesting was how it got there. That it was originally loaded by a Java applet I understood, but I really wanted to understand how the file-sharing administrators had allowed this. It all turned out very simple, although confusing because of the abundance of redirects and advertising. One of the "advertisements" requested a page counter as a *.swf file from a third-party site. It was a counter, I think, because the site was named accordingly. And it was in the .ru domain, by the way. But this file redirected the browser to another counter site, a *.com one. And that one almost always returned a blank page with a hint that, yes, the user had been counted. But if the user was loading the counter for the first time, the browser was redirected to a page with the Java applet, which was processed by java.exe, downloaded the executable file to the user's computer and launched it. Java.exe was launched by Opera with a number of parameters, including, as far as I understood, the name of the named pipe through which Opera hands over the applet. There was no time for a more thorough investigation.

Of course, I filed a bug report on opera.com describing the sequence of events. Quite predictably, I was told that this is a Java problem, the browser works correctly, write to Oracle. I did not write to Oracle: from my point of view, Java also works correctly. It executes code, downloads files, runs programs; what is there to complain about? The problem was that Opera allows Java to execute unknown code from unknown sources. In fairness, I note that Chrome and Firefox by default do not let the Java plugin run, precisely because of its security problems. The second problem, of course, lies with the webmasters of popular resources who, chasing impressions and traffic, place ads on their sites from questionable sources: ads that may work as intended, or may, posing as quite harmless, do evil.

Denouement

The impetus for this article was another manifestation of this outrage, which is already quite frightening, on the site of a very popular supermarket. On certain pages of that site, Opera once again launched unknown files through Java! But there everything turned out to be much simpler: in the page's code, at the very bottom, even after the closing </html> tag, there was a call to a JS script from a third-party server which, after a series of redirects, loaded the applet. It fired on the onmousemove event and loaded into a tiny iframe. And, as always, repeated visits to the store's pages did not download the virus: the malicious server sets a cookie and remembers the IP address. For such a familiar combination the site returned a 404 code instead of the virus. It is because of this ability that a virus and malicious code on a page can remain undetected for a very long time. The site administrator, having once picked up the cookie, will never see this problem. And if only the site's content is updated, the next review of the code may be a very long way off, during which the attackers can update both their approaches and the Trojans they hook up.

The method of infection is also simple: most likely, the administrator's password for the store site's FTP account was stolen. Perhaps by the same Trojan. And then a <script></script> tag was automatically appended to all *.html files, or to files containing HTML code. No wonder it sits even after the </html> tag.
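As an added example (not the article's own code), here is a small Python scan a site owner could run over a web root to flag exactly the pattern described above: script tags placed after the closing </html> tag, or loading from a host outside an allowlist. The sample page and the trusted host name are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: a clean page body followed by an injected external
# <script> after the closing </html> tag, as described in the article.
SAMPLE_PAGE = """<html>
<head><title>Shop</title></head>
<body>
<script src="/static/app.js"></script>
<p>Catalogue</p>
</body>
</html>
<script src="http://example-third-party.invalid/counter.js"></script>
"""

# Hosts this site legitimately loads scripts from (an assumption for the example).
TRUSTED_SCRIPT_HOSTS = {"example-shop.invalid"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.IGNORECASE)


def find_suspicious_scripts(html: str) -> List[Dict[str, object]]:
    """Return script tags that sit after </html> or load from a host not in
    TRUSTED_SCRIPT_HOSTS. Relative src values (no scheme/host) count as local."""
    findings = []
    close_pos = html.lower().rfind("</html>")
    for m in SCRIPT_RE.finditer(html):
        tag = m.group(0)
        after_close = close_pos != -1 and m.start() > close_pos
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else None
        host_m = HOST_RE.match(src) if src else None
        host = host_m.group(1).lower() if host_m else None
        external = host is not None and host not in TRUSTED_SCRIPT_HOSTS
        if after_close or external:
            findings.append({"offset": m.start(), "src": src,
                             "after_html_close": after_close, "external": external})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Wrapper for walking a web root; tolerates odd encodings in old pages."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_scripts(fh.read())


if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_PAGE):
        print(finding)
```

Run it over every *.html file on the server after a suspected FTP compromise; a hit after `</html>` is a strong sign of automated injection rather than a developer's edit.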

I cannot contact the site administrator; the site's contacts point only to the press office. Knowing how long my request would take to work its way through the corporate bureaucracy, and realizing that it might get "accidentally" lost, I do not want to apply to them "officially". Besides, the site administrator, having read the letter, will eliminate all the problems in a couple of minutes and continue his blissful existence, without changing, perhaps, even the password for access to the site. Through a friend of mine in the store's IT department I will go straight to the site administrators and explain the essence of the problem.

Afterword

I hope this has turned out to be an instructive story from which a number of conclusions can be drawn:

PS I do not rule out that this "problem" is present in older versions of other browsers as well.

UPD: In view of the questions, I will highlight the main idea of the article: Opera, unlike other popular browsers, does not warn the user "by default" about potential Java security problems. The second moral is that exploitation of such a "vulnerability" (yes, the word should have been put in quotes in the title as well) is possible because of the irresponsibility of various categories of people (examples in the article).

Source: https://habr.com/ru/post/169497/
