What’s a Web drive-by attack?
Editor’s Note: Our certified security expert Steve Hardwick reported on an insidious style of hacker attack, one that can infect Macs as well as the Windows world where he works every day. Here at Bites HQ we use the Intego Software suite (NetBarrier and VirusBarrier) for anti-virus protection. Intego just rolled out X6 versions to protect against newer-style attacks. We’ll see once we complete our testing what’s been added.
Meantime, be careful where you browse in the course of your business. Steve got attacked while shopping for business travel at Expedia. You should always look extra closely at any dialog box on the Mac that advises you to update for security reasons. Apple’s software will never use this language; it will just advise you of an available software update.
By Steve Hardwick, CCISP
Should you be worried about a Web drive-by attack? First off, what is it?
Most Internet users are not familiar with the concept of a Web drive-by attack. The one I recently encountered was scary because of its simplicity and how it preys on security fears. It also underlines how easy it is to create attacks that are targeted to specific operating systems. Mine took place in Windows, but it would be easy enough to target the Mac OS, too.
To be able to infect a computer in a drive-by, the hacker has to trick the end user into loading a piece of malicious code. In the past this was done using e-mail attachments and other applications that were used for file transfer. However, there is a growing threat where your Web browser (Firefox, Safari) is used to trick you into downloading and running the virus code. Here is a walkthrough of what I recently encountered, as it gives a good understanding of this type of attack. (For anyone who wants a much more in-depth explanation, Virus List is a great site to visit.)
I was going to various sites, trusted sites that I have used in the past without any problems. As I arrived at Expedia.com, one of my favorite travel sites to look at air fares, the following screen popped up. When I saw it, my first thought was that I had a virus on my system.
The screen displayed on top of the browser looked identical to the Microsoft Forefront Client Security interface, which is the antivirus software (A/V) installed on my PC. Even the progress bars moved on the display and the virus list was populated. To all intents and purposes it looked and felt like I had a bad case of several viruses on my system. After the virus list had been completed I got two more screens.
Fortunately I am well-versed in security products. As soon as I was asked to run a program outside of my A/V application the alarm bells started to ring. I also noticed that the file had been downloaded to my PC from a Web site I did not recognize. This is not usual behavior for an anti-virus program. So I decided to hit cancel. When I tried to close any screen I saw the screen above.
Now I was definitely concerned.
I took a quick look at my process monitor and I saw there were three browser windows open. Each one of these two new “Windows” screens was a Web page. Plus the warning message was also a Web page. This told me that my antivirus was not sending these messages. They were specially-constructed Web pages. I looked at the “Forefront” page and got the source URL. Then I took a quick visit to www.samspade.org and found out that this was a site out in France and not a site that I knew to be good. So I now knew it had nothing to do with the travel site I had gone to, or Microsoft Forefront. To stop this whole chain of events I had to shut down the browser application using my process monitor. (On the Mac, you’d do a Force Quit from the Apple menu, and you should.)
So how did this happen? Some technical details follow.
First the hacker constructed a simple set of Web pages to emulate Forefront and trick the user into downloading a virus program. The virus program was automatically downloaded as soon as the “Forefront” page came up. Once the user clicks OK to run the bogus “clean up” file the virus is installed and the hacker is in business.
The next thing is to load the Web pages and the virus on a Web site. In this case it was n6-scanner.com. It would take some skill to bypass the Web site security and load it, but on the whole this can be relatively easy to do. Web sites can be a very fertile ground for unpatched operating systems. (Ed. note: A very good reason to update the Mac OS with Security Updates — if only Apple would supply them sooner.) The hacker’s last step, the hard part, is to get you to go to a second Web site to load the code to direct the end user to the target site. This can be a simple HTML redirect, or a more sophisticated script line of code. The attack works best if this is a well-visited site, which is why it is harder. Once this last step is completed the hacker’s work is done. Just wait for the virus to distribute and take effect.
Why is this a very dangerous attack?
Well, the first reason is that it is relying on end user behavior. As soon as the user sees that there is a virus reported on their machine their first instinct is to get rid of it. The thought that the screen they are seeing is not the antivirus software is not immediately obvious. Most Windows users are now used to seeing virus attacks and want to get them off their system as soon as possible. Consequently many would click straight through these bogus screens without a second thought.
Next, the attack had bypassed the antivirus system. Hopefully, the A/V would have flagged something after the viral payload was executed, but it may not have. The effectiveness of the A/V is only as good as the last update. So if it is a recent virus, and the user had not updated their A/V definitions, then anything could happen.
The Web pages can be tailored to specific operating systems. In my case I saw a Windows-based application. Your machine will send a lot of information back to the Web server about what you are using. If you want to see what you are sending out, go to Shields Up on https://www.grc.com and run the Browser Headers check. You may also want to run some of the other tests just to see how secure you are. So it would be fairly easy to construct an attack that was designed to attack a Mac-based system — that is, to switch the screen the user viewed and the downloaded payload. This is what came back on my system:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.33 Safari/532.0
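To make concrete how much the header above tells a server, here is an added example (not from the article) that parses a User-Agent string into the OS, OS version, browser and language a Web server can read from it. The Windows string is the one quoted above; the Mac string is a constructed sample of the same era added for comparison.

```python
import re

# Constructed samples: the first is the User-Agent quoted in the article,
# the second is a hypothetical Mac/Safari string for comparison.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.33 Safari/532.0",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9",
]

# Windows NT kernel versions mapped to the marketing names a server would key on.
WINDOWS_NT_NAMES = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7"}


def parse_user_agent(ua: str) -> dict:
    """Extract the platform details a server can learn from one User-Agent header."""
    info = {"os": "unknown", "os_version": None, "browser": "unknown",
            "browser_version": None, "language": None}
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        info["os"] = "Windows"
        info["os_version"] = WINDOWS_NT_NAMES.get(m.group(1), "Windows NT " + m.group(1))
    m = re.search(r"Mac OS X (\d+[._]\d+(?:[._]\d+)?)", ua)
    if m:
        info["os"] = "Mac OS X"
        info["os_version"] = m.group(1).replace("_", ".")  # 10_6_1 -> 10.6.1
    m = re.search(r"\b([a-z]{2}-[A-Z]{2})\b", ua)  # locale token such as en-US
    if m:
        info["language"] = m.group(1)
    # Chrome also carries a trailing "Safari/..." token, so test for Chrome first;
    # plain Safari reports its real version in "Version/x.y".
    m = re.search(r"Chrome/([\d.]+)", ua)
    if m:
        info["browser"], info["browser_version"] = "Chrome", m.group(1)
    elif "Safari/" in ua:
        m = re.search(r"Version/([\d.]+)", ua)
        info["browser"] = "Safari"
        info["browser_version"] = m.group(1) if m else None
    return info


def describe(ua: str) -> str:
    """One-line summary of what the header exposes, e.g. 'Windows XP / Chrome 3.0.195.33 (en-US)'."""
    i = parse_user_agent(ua)
    platform = i["os_version"] if i["os"] == "Windows" else " ".join(filter(None, (i["os"], i["os_version"])))
    return f"{platform} / {i['browser']} {i['browser_version']} ({i['language']})"


if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        print(describe(ua))
```

Running it prints one line per sample showing exactly the OS and browser a malicious page could key on to decide which fake “antivirus” screen to serve.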
Finally, the Web pages and the launching script can be placed on multiple Web sites. The attack code can be put on different sites too – it does not need to be co-located on one site. The launch code can be added to multiple Web pages on a single site. So a Web page on a trusted site can get infected. One day the site is safe, the next it is infected.
What you can do to protect against this type of attack
Many users are not familiar with their antivirus software. Take a quick look at your software’s manual (I know, that sounds unpleasant).
• Find out what your A/V software does should it hit a virus: what messages it displays and what operations it will take to quarantine and remove any viruses it finds.
• Take a careful look at ANY program that is launched on your system from a Web visit. Make sure you know where it came from. If in doubt, do a quick Web search on the file name. In many cases this kind of program contains a virus payload. In some cases, especially a drive-by, the file name may be automatically generated. You will have to rely on looking up the URL of the source site. Sam Spade is a great site to get information on who owns the Web site.
• A great fundamental protection is to add another user account on your system, even if you’re the only user of your Mac. Your first is an administrative account and the other is a user account with no administrative rights. The second account is the one that you use most of the time. It does not have rights to install new programs. This may block this type of attack and stop the program load. The administrative account would be used when you want to load a safe application.
• Lastly, you can activate a security scanner in your browser to detect dangerous sites. Firefox checks for these, working from a list of known dirty sites. Google’s Chrome, when it is released for the Mac, will have this capability, too.
Steve Hardwick has over 10 years of information security experience. He has worked with different environments from military customers, financial institutions, healthcare organizations and Fortune 1000 companies, as well as conducting security assessments for large and small corporations. He is currently Partner Manager at Mobile Armor Inc. providing cost effective solutions for securing and protecting mobile data.
