About "Clickjacking"

[Anti-Trend]

With all the hubbub about "Clickjacking" (gag, buzzwords!), I thought it would be valuable to write a brief post on the topic.

What it is
Details are still being suppressed at this point, but it appears to be an <IFRAME> manipulation used to effectively cover a normal web link with a trusted site that appears good and proper, with a bad one to an attacker site. This attack could conceivably be used for phishing or host exploitation.

Who it affects
Basically, any modern browser which supports IFRAMEs. This includes any reasonably current versions of IE, Firefox/Mozilla, Safari, Flock, Opera, etc. So, pretty much everybody. It doesn't include browsers which don't support IFRAMEs, such as lynx or elinks.

How to protect against it
Basically, the ultimate fix will involve a re-thinking of how we handle IFRAMEs. In the meantime, you can provide yourself at least a modicum of protection by using NoScript plugin.

1. Download and install Firefox
2. In Firefox, download and install the NoScript plugin
3. Navigate in Firefox to Tools --> Addons
4. Highlight NoScript and click Preferences
5. Click the Plugins tab and make sure "Forbid <IFRAME>" is checked

Or, you can view our brief video tutorial here.

 

[cro maat]

thanks so much for this. I immediately did as you instructed in the tutorial; thanks for the clear easy instructions.

I was "clickjacked" late Sunday night when I went onto a progressive news site and clicked on a picture of a war vet. :o(

I am still trying to figure out if my virus program stopped the virus from entering my computer or not. I did write the name of the virus and the path, and I'm no techie but did try to find it and if it's there it's hidden and no match for me.

The virus name or type is Exploit hap 1.cn
C:\programfiles\mozilla\firefox\firefox.exe

Any redirection to posts about this virus or info. about how it works and what it does would be helpful.
Also, I have a question: just earlier that day or the day before, I went onto youtube and it told me to download the latest version of flash so I could watch videos (comedy central and a lot of other sites have the same message, since my bandwidth isn't too fast).

I did that, and shortly after I was clickjacked! Should I remove shockwave flash from my computer and how to proceed? I realize I'm asking several questions here, ans sorry about that. Thanks so much for having this site. I plan to learn lots here to protect myself, and perhaps tell others about you. I got the link to here from the hackademix site; thank you for the great article and the links.

 

[Anti-Trend]

Looks like Firefox itself may be infected. If I were you, I'd download it with a different PC, burn to disc, and reinstall it on your infected PC.

 

[cro maat]

Thanks for your answer, which leads to many more questions, which I hope are OK to ask, since I'm a new geek in training!

If I do as you suggest and install firefox from an upload on another computer and delete all old firefox files, what about my bookmarks? Could the culprit malware also be hiding somewhere in them, since they are "live" links? I don't even want to think about the ramifications of that (shudder); I'll save that for the political rant thread!

I have not backed up my bookmarks for awhile and they are in my documents, and I have a ton of them. The latest ones (hundreds) are the results of hundreds of hours of research I did in the past 2 weeks. Like all "good" (ie dumb) Americans, I want to be told what I want to hear! ("your bookmarks are fine!")

Sadly, I am not big on backing up my data (extensive) on disks or CDs, nor have been in the past; this may be the hard lesson I needed to learn.

I thought maybe I could do a system restore to the point before I downloaded shockwave and was clickjacked, but that may not remove the virus if it is embedded in the bookmarks or some other sneaky place like my virus program (which might be possible due to some other things that have been happening with that).

Thanks in advance for any answers. If this isn't the place to be asking these questions, maybe there is a forum that deals with geeks in training who know little? Thanks for your patience and willingness to answer questions like mine.

 

[Anti-Trend]

Thanks for your answer, which leads to many more questions, which I hope are OK to ask, since I'm a new geek in training!

You don't need to ask if you can ask questions; that's just redundant, right? :)

If I do as you suggest and install firefox from an upload on another computer and delete all old firefox files, what about my bookmarks? Could the culprit malware also be hiding somewhere in them, since they are "live" links? I don't even want to think about the ramifications of that (shudder); I'll save that for the political rant thread!

The virus report you posted only mentioned the firefox binary, so I'm assuming it's a binary-level infection.

I have not backed up my bookmarks for awhile and they are in my documents, and I have a ton of them. The latest ones (hundreds) are the results of hundreds of hours of research I did in the past 2 weeks. Like all "good" (ie dumb) Americans, I want to be told what I want to hear! ("your bookmarks are fine!")

Firefox's bookmarks are stored in HTML format; not much there to "infect". To be painfully honest, Windows itself is the biggest security threat on your system. For example, why in the world is the Firefox binary writable by your user account in the first place? :confused:

I thought maybe I could do a system restore to the point before I downloaded shockwave and was clickjacked, but that may not remove the virus if it is embedded in the bookmarks or some other sneaky place like my virus program (which might be possible due to some other things that have been happening with that).

I think if you just install firefox, it will overwrite the troubled binaries in the process, leaving your profile (and subsequently bookmarks) intact.

Thanks in advance for any answers. If this isn't the place to be asking these questions, maybe there is a forum that deals with geeks in training who know little? Thanks for your patience and willingness to answer questions like mine.

No problem, that's why HWF exists in the first place, right? ;)

 

[cro maat]

Ok, I get it!http://www.hardwareforums.com/images/smilies/chk.gif
No more asking if I can ask questions!

I'm still wondering why I can't just download firefox from this computer but after what you said about windows, I may have a clue as to why not, even if I don't understand it. it's just that "need to know" thing in me.

With all the time i sit here trying to figure things out and surfing the net, maybe I should train for some freelance computer gig! Do you teach online classes?

 

[Anti-Trend]

I'm still wondering why I can't just download firefox from this computer but after what you said about windows, I may have a clue as to why not, even if I don't understand it. it's just that "need to know" thing in me.

If you can't trust your computer due to virus, how can you trust the integrity of your downloads? So, download Firefox on a system that's not compromised, and install it on the one it is, overwriting the virus-laden version that you have installed. It may or may not work, depending on the level of infection. The safest route is to reinstall Windows. :doh:

With all the time i sit here trying to figure things out and surfing the net, maybe I should train for some freelance computer gig! Do you teach online classes?

No, I'm a systems administrator ... I just help out here and there.

 

[sabashuali]

If you can't trust your computer due to virus, how can you trust the integrity of your downloads?

True pearls! From experience - after an infection, I tried to re-install the antivirus program and guess what - the installer I downloaded was infected.....

Cro Maat, can I ask how the virus showed itself? i.e. what were the symptoms?

Cheers!

 

[cro maat]

hi sabashuali;

The virus, or backdoor trojan or whatever it is....Well it/they happened to get onto my computer one of 2 ways. It is possible that I got it from a youtube site. Was watching lots of progressive videos and doing lots of political outreach, sending video links and links to progressive news articles to friends about election fraud and things like that. I kept having trouble the watching videos on you tube (and on vodpod), so on youtube an ad at the top with a logo of adobe macromedia said "you don't have the latest macromedia flash installed". Did I click on that and fall for it? I honestly can't remember, but I could have, and if so, the look-alike site which looked exactly like the legit one downloaded a trojan horse or some other godawful thing that I didn't know about. And then less than 24 hours later I was surfing on the net and went onto a progressive radio news website. Was reading stories, clicking on pictures to read more articles. I clicked on a picture and boom! My computer got hit so hard I am surprised it didn't catch fire. I have AVG internet security and keep it up to date, but didn't have a lot of settings turned on that I should have to make it more secure.

What the virus (the vibrating AVG web shield said it was a hap.1/ca) did was to keep hitting the webshield window and freezing it but you could see it kind of vibrating ; I think that was the thing hitting my virus program and installing a bunch of stuff and opening windows one after the other)and I kept trying to shut that vibrating window down (mouse didn't work at all, because about 200 windows opened within about one minute; partly because of my own panic. I kept keying Alt/F to try to shut the window(s), which only opened more windows to the task manager tand made it all 100 times worse! What a mess. Took me all night to get all the windows closed. That was late Sunday night.

Then the virus or worm (s) started slowly taking over little by little. Today it (they) ate one of my identity defense programs! It's gone off my computer completely, no trace! Who knows if the bugs are in my email or not? I only use web based email and am not using firefox, which is totally taken over, but I stopped emailing everybody a few days ago when it was obvious; I shudder to think what damage i may have possibly inadvertently done others with emailing. I tried installing other spyware removal programs (freeware, since I have no job these days or money to pay for the paid ones). Most were bogus and I deleted them, or did one test, showed 500 objects of high security, and wanted you to pay. Spybot s & d did pretty good as far as it could, but I think that it has now been compromised by the malware, plus it is having a problem of its own and is not scanning the core shell stuff at all (been reading their forum too; that just happened today on a big scale to lots of spybot s & d users ) and I can see the bugs are trying to break it down. Also today I went into windows and learned that windows itself has some holes in the system that have let bugs in too. They supposedly have a fix for it and a tool to remove the trojans, but I can't even be sure what site is legit anymore as far as msn goes. While in windows, I saw that my firewall was turned off and no updates; that was turned off too. These malware things are so smart.

Sorry this is so long; so much has happened to my computer and I've been working at it for days. My AVG virus program is now beefed up with the security settings adjusted much better (sure glad I have the paid version!), but I fear the viruses or worms have embedded themselves in my virus program files because weird things started happening there right away too, like my scheduled scan time changing when I didn't tell it to. I also think this virus overwrites files and then can hide and switch to something that looks legit when the virus protecion program tries to find it. Hopefully I can save my data, but realize I also may have some macro viruses in my word docs. Have purposely avoided going into my photos, just in case. I don't know how many programs the worms or whatever have gotten into, but it's deep in my registry and files. Arggggh.

What would be helpful would be to know some trusted sites and forums where a geek in training can learn how not to make things worse for herself! I have read lots on these forums so far, but with so many opinions about wha's good and what isn't in the way of software and what best protects a computer from malware, it's hard to know what would be best. :o)
I know how to customize settings on some things, but have definitely made things worse by not understanding some of the settings I changed or didn't set high enough, security-wise, so I've only got myself to blame for doing too much of what I didn't understand, and not enough of the rest.:doh:

Linux sounds like the way to go! I'm getting fed up with windows. Thanks for asking about the virus and for letting me know of your experience. Maybe my tale will help someone else do things smarter. I think the thing i kick myself over is that I did no data backups. My friend the tech says we can save my data, but I wonder how, if it is corrupted too; and how would one tell. I have over 4,000 pictures, many edited, that I'd really like to save. So the biggie lesson I learned is that any programs I have, always get updates or downloads from the interface of that program. and if in doubt, DON'T touch it! but what the hell, it's only a reformat. it's not the end of the world, even if I lose my data.

 

[sabashuali]

Linux sounds like the way to go! I'm getting fed up with windows. Thanks for asking about the virus and for letting me know of your experience. Maybe my tale will help someone else do things smarter. I think the thing i kick myself over is that I did no data backups. My friend the tech says we can save my data, but I wonder how, if it is corrupted too; and how would one tell. I have over 4,000 pictures, many edited, that I'd really like to save. So the biggie lesson I learned is that any programs I have, always get updates or downloads from the interface of that program. and if in doubt, DON'T touch it! but what the hell, it's only a reformat. it's not the end of the world, even if I lose my data.

Hey, sounds like you got it bad... :mad:
Linux is not "Fort Nox" and there are bastards out there targeting Unix type OS's as well. But safety wise it is built differently to Windows which makes it much harder to compromise. You will not find many users here who dislike Linux and you will do many who will be happy to help if you choose to use it. I am no expert on PC security but my infection experiences can be counted on three fingers, mainly because I use a lot of common sense and tightly control the use of the PC by the other users. Using Windows does not automatically mean getting infected at every turn... In you case I can not see any other way out but to format your disk(s) and starting again... As for your precious data, I think that your images are safe. I think viruses need a piece of code and I do not think pictures fall under that category. But again, I might be way off the mark. As for a safe backup... I am not sure, unless you use a live Linux CD of some description and try to pull the data off the PC that way.

Good luck and thanks for the detailed description... OUCH!

 

[Anti-Trend]

Hey, sounds like you got it bad... :mad:
Linux is not "Fort Nox" and there are bastards out there targeting Unix type OS's as well.

Most of the time, when Linux systems get compromised, it's because the admin who set it up did something wrong... like allowed the root user to login through SSH, with a root password of "qwerty" or something ridiculous like that. :doh: And that's not a virus per se, but a worm (an automated way of attacking an obvious weakness). Windows is also vulnerable to worms when misconfigured or unpatched, and vulnerable to viruses as well simply because it's poorly designed. A properly configured Linux box is a pretty hard target. So far, not a single Linux (or Unix) server I've admin'd has been compromised yet. This isn't a coincidence, but a result of common-sense hardening, as these boxes are attacked pretty much 24x7, like everything else on the internet.

Using Windows does not automatically mean getting infected at every turn...

For most people it does. Windows out of the box is a security nightmare, and any hardening you can do is a) relatively ineffectual overall, and b) causes the system to be virtually unusuable for an average user. So, it's not unfair to say "Windows is an insecure platform... Period!" :O

As for a safe backup... I am not sure, unless you use a live Linux CD of some description and try to pull the data off the PC that way.

I'd agree with that. Makes a lot of sense to burn a live Linux CD on an uninfected PC, then boot to it on your infected PC. Linux has no danger of being infected by these viruses, and you can safely copy your data someplace else. It's a good idea to use a tool like clamav to scan the data from Linux, so your next Windows installation won't be reinfected.

 

[cro maat]

Thanks sabashuali and Anti-trend for your help and support! Been offline for a few days, and am using a friend's computer. Whether I needed to or not, I changed all my passwords just in case.

Tomorrow or Tuesday I'll take the computer to a tech who is going to reformat the hard drive and reinstall windows. I wonder if he knows about Linux and how to do what you suggested? I will mention it to him.

I believe his plan is to test and extract what data he can from a computer that is clean (not sure if windows though) and dump what data he can't clean, then put it back onto the computer. I'm a little nervous, but what will be will be. He's the tech, I'm obviously not, LOL! Learned my lesson! I think next time I'd take the computer to someone right away rather than wait. Also learned a lot, thanks to reading this forum, and plan to keep reading.

So if I can get onto a computer to check this thread, Anti-trend, how would he do what you suggest regarding getting and burning a live linux Cd? Thanks in advance!

 

[cro maat]

Hi Anti-trend and others;

I wanted to follow up with the latest on my computer saga. I brought it to my tech friend on Monday and paid him what money I had, with the promise of more at the end of the month, and we agreed that he would "nuke" the hard drive and reformat windows and maybe the hard drive too, if needed, and save what data he could.

Yesterday, he told me that he didn't reformat Windows. He said that Windows didn't need to be reformatted, since he scanned my computer and it was fine. Instead of what we agreed on, he simply tested my computer from another computer with a windows OS, ran AVG and Norton scans on my Windows and program files, put my data on a removable drive and tested it from his extra computer (not linked to his network, thankfully), then reinstalled my data onto my computer.

I asked him how he knew that that worked, and how he knew the virus(es) and trojan(s) had not installed themselves on my hard drive as well as in my Windows OS, or corrupted his computer if it's also on windows. He said " that almost never happens", which still didn't answer my questions.

I don't have a good "gut" feeling about what he did being a solution or the end of my problem. I've been reading about system 32 viruses and how hard they can be to find and to eradicate, since they overwrite files and hide under the proper file names, add zeros to registry keys, and they are also good at fooling and even controlling virus programs to actually install more malware, which is what I think I saw happen to Spybot s&d. I know what I saw with my own eyes when I installed and tried to run Spybot s&d after my own AVG program got fooled and was not catching anything, yet spybot was showing viruses and trojan horses and registry glitches galore. Each time I ran Spybot, more malware showed, so I wonder if spybot was also being controlled at the end of it all, and was used to install even more malware. The last time I ran spybot, there were literally thousands of malware files getting in, files whose names I didn't recognize and were mostly executable and DLL with foul names that sounded evil.

So, am I just being totally paranoid? Maybe, but it wouldn't hurt to wipe my disk clean and reformat everything just to be sure. I watched the malware overwrite files in front of my eyes as AVG scanned them, and then the file names would change back to the innocent looking ones. I watched Spybot s&d almost get destroyed because there was so many of these things it couldn't contain them even while scanning and trying to stop them from getting in.

My friend the tech is the expert, I am not. He thinks I am being a pest for questioning his expertise and asking questions like, "if my computer has a hap 1.cn/ virus and a mabezat virus (since I saw the pharoah.exe file and others associated with this polymorphic virus, which hides in removable media files) and god knows what else in the way of viruses and trojans, wouldn't the virus(es) be in my actual hard drive CD/DVD files and burner files, and then wouldn't my computer hard drive files have to be reformatted as well as windows to make sure that windows is clean?"

I really thought he would go ahead and reformat windows and strip my hard drive and start over. I was shocked when he told me what he did instead, but there was no arguing with him. I was prepared to pay him to do the job we discussed, and am more than disappointed that he didn't, which means I am at square one again, less the money I spent to get my computer back exactly the way it was when I dropped it off to him. My next step may be to try for the linux live CD and go from there.

He said it would cost me a lot more money for him to reformat windows, but I understood that! I have done reformatted my hard drive in the past by myself, and it was time consuming but not hard at all. And I thought he understood what we agreed to do and that he would call me if he decided to do something different. I don't know how much more tech work I can afford, but I feel like getting a "second opinion" from another tech. I think my computer is a lot sicker than it appears to be.

Is there a good purely technical website or forum that I can ask these kind of questions, besides on a large and varied forum like this? Unfortunately, AVG doesn't have phone # for tech help, or I would have called them long before now. Meanwhile, I am reading what I can on the Microsoft and AVG sites; there is a lot of info. there on AVG about the exploit and mabezat viruses and others, whose file names I recognize as seeing on my computer, and some good tools like the one you mentioned, ClamAV.

I'll check within the next several days to see if I get any responses to this post. Meanwhile, I am not going to use my computer, especially for emailing, until I am sure it is malware free.

 

[Anti-Trend]

Hey again cro maat. Sorry nobody's replied in a while, but real life happens sometimes. :)

Back on track, I am going to give you an answer you probably won't like much. Windows is a closed-source operating system, meaning nobody really knows what goes on under the hood (except maybe Microsoft, anyway; but that doesn't do us much good). Further, they go out of their way to obfuscate certain aspects of their OS. Between that and plain old bad design plus lack of foresight, it is that much easier for malware to take hold than it reasonably should be. The nastiest and hardest to remove are rootkits, which are extremely challenging to detect from within the host OS. Worse, routine viruses have a good chance of going by undetected also, as even the best antivirus software has something like a 50% catch rate. Security is an arms race. There is a whole industry built up around the flaws in Windows, and they're decidedly losing the war if you ask me.

If you really care about security, you might consider running Linux instead. It is free, open source (meaning one can look at the underlying workings, nothing is obfuscated or hidden), and resists malware by design. Further, it's faster, more reliable and more efficient than Windows. If you're not completely married to some Windows-specific software, Linux will save you a lot of time and money -- in licensing, visits to the local tech, etc. -- not to mention sanity. ;)

That's my advice as a former "tech friend" myself. I won't even work on Windows anymore, as I don't feel I'm doing anybody any favors. I recommend Linux first, and if people resist (new things are scary!), I suggest buying a Mac instead. They are somewhat proprietary, and not nearly as cost-effective as Linux, not as fast, nor as secure. But in comparison to Windows, they are a polished marble bastion of reason.

As for me personally, I have 5 systems running Linux here in my home office, and I've never had a security breach. None of them run antivirus software. I also have a MacBook, courtesy of my employers. It doesn't run an AV either. Never had a security breach on that either. On the other hand, I don't believe I've ever touched a system running windows that didn't have at least a few pieces of spyware lurking on it... or worse. I think that says something.

-AT

 

[cro maat]

Thanks so much, Anti-trend. Of course life happens, and I hope you are having fun with it! I have no expectations here on my end, just gratitude for the help I have received.

Ha ha! I love that graphic about rootkits! I imagine there's a monster mash going on in the bowels and guts of my windows!
Your answer is sane to me, as I am drawing the same conclusions about windows. I like your answer better than taking my computer home as-is and the consequences of that. Linux is free?! That's music to my ears, since I am low income anyway. I don't even mind about the big learning curve, as I am naturally curious and I will have some great help here!:chk:

So, my first step is to look around at the Linux site while I have use of this computer. It doesn't have a burner or CD player, so I will have to have someone else burn the CD on theirs. Is it pretty straightforward what I will need to put on the CD once I go to the site?

I think I'd better burn an AVG rescue CD, since how will AVG check itself for viruses if it's been compromised, as I believe it has? What do you think of also having a backup program like Spybot S&D for when AVG doesn't work the way it should? I mostly need to go with freeware or trial versions of things, although I have AVG internet security for a year.

 

[cro maat]

oops, AT! I see I didn't read all the way down your post. No need to respond to that last part. Maybe I won't even need VP at all. big smile.

 

[Anti-Trend]

Thanks so much, Anti-trend. Of course life happens, and I hope you are having fun with it! I have no expectations here on my end, just gratitude for the help I have received.

Not a problem. :)

Ha ha! I love that graphic about rootkits! I imagine there's a monster mash going on in the bowels and guts of my windows!

It's possible. In fact, it's statistically probable. :(

Your answer is sane to me, as I am drawing the same conclusions about windows. I like your answer better than taking my computer home as-is and the consequences of that. Linux is free?! That's music to my ears, since I am low income anyway. I don't even mind about the big learning curve, as I am naturally curious and I will have some great help here!:chk:

Yeah, it's weird at first. I used MS products since the 1980's, so it was a big change for me. But after you get used to it, it's pretty unlikely you'll ever go back. Linux is extremely solid, and it's a very consistent user experience.

So, my first step is to look around at the Linux site while I have use of this computer. It doesn't have a burner or CD player, so I will have to have someone else burn the CD on theirs. Is it pretty straightforward what I will need to put on the CD once I go to the site?

Well, the most popular entry-level distribution of Linux right now is Ubuntu. Incidentally, they will ship you an install CD for free if you like. There are also methods to install Linux from a USB thumb drive if you wish. You could always purchase a CD-RW for around $30/USD and go that route. Your call, ultimately.

If you're especially brave, you can install Ubuntu's [more flexible, more challenging] ancestor Debian using only your broadband connection: Say goodbye to Microsoft. Now. ...no CD-RW required. :cool:

I think I'd better burn an AVG rescue CD, since how will AVG check itself for viruses if it's been compromised, as I believe it has? What do you think of also having a backup program like Spybot S&D for when AVG doesn't work the way it should? I mostly need to go with freeware or trial versions of things, although I have AVG internet security for a year.

Any anti-malware software has a far from perfect catch record. In most IT shops, when a Windows system is compromised, it's policy to simply reformat. :( But of course it is your PC, and you're welcome to do as you like. Who knows, maybe it will work?

 

[Anti-Trend]

oops, AT! I see I didn't read all the way down your post. No need to respond to that last part. Maybe I won't even need VP at all. big smile.

Yeah, I don't use any anti-malware software on my Linux systems. It's simply not susceptible to infection by merit of its architecture.