17

My mother's computer recently became infected with some sort of rootkit. It began when she received an email from a close friend asking her to check out some sort of webpage. I never saw it, but my mother said it was just a blog of some sort, nothing interesting.

A few days later, my mother signed in on the PayPal homepage. PayPal gave some sort of security notice which stated that to prevent fraud, they needed some additional personal information. Among some of the more normal information (name, address, etc.), they asked for her SSN and bank PIN! She refused to submit that information and complained to PayPal that they shouldn't ask for it.

PayPal said they would never ask for such information and that it wasn't their webpage. There was no such "security notice" when she logged in from a different computer, only from hers. It wasn't a phishing attempt or redirection of some sort; IE clearly showed an SSL connection to https://www.paypal.com/

She remembered that strange email and asked her friend about it - the friend never sent it!

Obviously, something on her computer was intercepting the PayPal homepage and that email was the only other strange thing to happen recently. She entrusted me to fix everything. I nuked the computer from orbit since it was the only way to be sure (i.e., reformatted her hard drive and did a clean install). That seemed to work fine.

But that got me wondering... my mother didn't download and run anything. There were no weird ActiveX controls running (she's not computer illiterate and knows not to install them), and she only uses webmail (i.e., no Outlook vulnerability). When I think webpages, I think content presentation - JavaScript, HTML, and maybe some Flash.

How could that possibly install and execute arbitrary software on your computer? It seems kinda weird/stupid that such vulnerabilities exist.

random
  • 15,201
Cybis
  • 123

6 Answers

7

If she's using an outdated version of IE (or Firefox) then there are well-known vulnerabilities in the browser itself. Yes, it's kinda weird/stupid, but writing perfect software is very very very very hard.

There are probably unknown/undisclosed vulnerabilities in the current versions of web browsers (as well as every other piece of software).

3

I'm pretty convinced Flash has some vulnerabilities. I've been infected by websites I've visited using Firefox and I am certain I did not install anything.

0

IE is by no means a secure browser, but a web page shouldn't be able to infect a computer, unless it is exploiting some pretty big security holes in plugins and/or add-on features of the browser.

To be as safe as possible, use a web browser (like Google Chrome) that displays web pages in a sandbox, a virtual environment that will stop malicious code from reaching your computer. Also, Chrome contacts a database of malicious websites and displays a warning before it loads them, just to be sure.

Writing plugins and add-ons for browsers will always involve a balance of power vs. security; someone just gave the plugin a little too much power. (I'm betting it's Java.)

0

Look at the Cross-site scripting (XSS) attacks -- Wikipedia ref.

It could also be a malware executable in a mail attachment that launched. But, since you describe going to a site, a browser exploit from the referred site is the likely culprit.

If she clicks on links in her mailbox while connected to the Internet, all her browser vulnerabilities are exposed to the sites she reaches. You should at least keep her machine patched (if the OS is still supported), and install an anti-virus (yeah, that will trip a large conversation here).

But, largely, it would be learning not to click on any unknown link or open unexpected attachments that will keep her system safer.

Shouldn't this question be migrated to SuperUser?

The Windows hosts file can be modified to make the system always divert (even after a reboot).
Here is a more evolved attack using these things -- How Malware Expands A Phishing Network.
If you use things like Spybot Search & Destroy, it will keep checking your hosts file for damage.

nik
  • 57,042
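The hosts-file check that the answer above describes in prose, written out as an added example (not code from the thread or from Spybot): it parses a hosts file and flags any name that is pointed somewhere other than loopback or a 0.0.0.0/:: sinkhole, which is exactly what a "divert" entry looks like. The hosts text and the 203.0.113.7 address are constructed sample data.

```python
"""Hosts-file hijack check (added example, not from the original thread)."""
import ipaddress
from typing import List, Tuple

Entry = Tuple[int, str, List[str]]  # (line number, address, hostnames)

# Constructed sample: two normal localhost lines and one diverted entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.paypal.com paypal.com   # constructed hijack line
"""


def parse_hosts(text: str) -> List[Entry]:
    """Return (lineno, address, hostnames) for every non-comment hosts line."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, keep the rest
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # no hostname on the line; nothing resolves from it
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def find_diversions(text: str) -> List[Entry]:
    """Flag entries that send a name to a real address.

    Loopback (127.x / ::1) is normal; 0.0.0.0 and :: are the ad-block
    sinkhole convention. Anything else, or an unparsable address, is a
    candidate diversion worth inspecting.
    """
    flagged: List[Entry] = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((lineno, addr, names))  # garbage address: inspect
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            flagged.append((lineno, addr, names))
    return flagged


if __name__ == "__main__":
    for lineno, addr, names in find_diversions(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} -> {', '.join(names)}")
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `find_diversions`; an empty result means no name is being redirected by the hosts file.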
0

This kind of exploit is only dangerous if you run your browser with admin rights.

Dentrasi
  • 11,325
-1

I am inclined to believe that what she experienced was a result of an outdated plugin like Flash or Java. Unless you have an actual need for Java on the system, remove it. And always try to stay up to date with the installers. Really, if security is such an issue, I'd tell them to use Linux. That has a much better updater. Alternatively, it could be that there is an exploit within the browser itself. IE8 is an old browser that is filled with security holes. Use Chrome, Opera or Firefox; they're all miles more modern and more secure. Also, the fact she's using XP means the system has absolutely no concept of permissions. There is no sudo & root, and no UAC. More modern Windows OSes like 7 and 8 have UAC, which, while not up to par with sudo + AppArmor/SELinux in Linux, is still a lot better than nothing at all.

Just to clean up a confusion, a site can infect your computer without plugins. Namely, JavaScript. Although modern browsers sandbox JavaScript so it can only do file operations in /tmp, JavaScript can still take advantage of actual vulnerabilities within the browser itself. In some cases, this can even be exploits in patched browsers (commonly known as the 0day exploit) although such incidents are rare.