Browser attacks are those which take place as a result of one's surfing the web. On rare occasion, an intruder will gain entrance into a system by other means and use the system's browser to further his intentions. In the more frequent scenario, however, the sites that users visit, sometimes by accident or even without their knowledge, host malicious content capable of carrying out the attack. Browser attacks are successful because 1) everyone has a browser and 2) no one can live without one; just like anyone with a lymphatic system is vulnerable to cancer.
Welcome to the World Wide Web ER, where we share these stories with you and hope to install (but not without your permission) some awareness into your surfing habits. Some samples are in-depth and technical at times, but I make every attempt to explain things in easy to understand terminology. So if that is an issue, hopefully it won't be by the time you're done reading. Enjoy.
Note: a lot of the evidence in these articles consists of snippets from the real exploits and can cause exceptional damage to your computer. For that reason, all of the HTML tags have been converted to square brackets instead. That way when you read my articles you really end up reading my articles rather than entertaining an iFrame or downloading a Java archive from the malicious sites documented here.
Although browsers are not red-headed stepchildren, sometimes they are treated as such. It's a bit ironic, but although this event involves the 0-day WMF exploit, and the compromised system behaved in a manner consistent with the reported symptoms, it was not that vulnerability which led to the initial infection. The machine was exploited through a vulnerability in either Sun's or Microsoft's JVM.
View the report: (Red Headed Browsers and WMF).
This is simply another case of a widespread spyware distribution cloud and improper use of search engine technology. In another report we will discuss the controversy over poor filtering of query results by search engines and their perceived necessity to return even pages that guarantee an infection if the user clicks them. This event is a classic tri-mode attack that was unsuccessful thanks to the use of Firefox and patched workstations.
View the report: (Classic Tri-mode Browser Exploits).
This attack starts out with a strange combination of servers in the .com, .name, and .pl TLDs. The browser is smacked around through a tunnel of spyware-infested servers and ends up downloading a .jar file which exploits the Java VM and breaks out into an executable .com file. This program downloads a .jpg from a domain registered to the Cocos Islands (.cc), does some processing on it, and writes the output to a randomly named .dll, which is then plugged into Internet Explorer's list of BHOs.
View the report: (MS JVMs ByteVerify Trojan).
View the report: (Trimode Browser Exploits).
This incident is classified as a browser attack, although it did not originate from the browser realm; rather, it came from AOL Instant Messenger. Internet Explorer was only launched to grab the code that a link on AOL IM provided. After that, a mean screen saver executed, unpacked, and left a whole lot of evidence.
View the report: (Bestfriends and Sdbot Rootkit).
View the report: (XSS, Triple-encoded Exploit).
This shows how the telnet:// protocol handler in Internet Explorer can be exploited to allow execution of arbitrary code. Don't confuse this with a buffer overflow or something that spills bytes into RAM for execution; in this case telnet itself is the arbitrary code.
View the report: (telnet:// used in IE Exploit).
In the midst of browsing the web, a user noticed the Windows command prompt flash on the screen and initiate an FTP transfer. We trace this attack back to the original source and show the technique used to recover the username and password for the hacker's toolkit (so the files could be fetched for analysis). It was all due to a vulnerability in Internet Explorer.
View the report: (Investigating CHM Exploits).
This is the same old story of compressed Windows help documents exploiting browsers into downloading arbitrary executables. In particular, the so-called Netwin instance was one of the very first I encountered in the wild. It explains the basic concept of the attack and shows how the malicious code overwrites Windows Media Player and immediately begins updating remote systems with spyware information.
View the report: (Investigating Netwin Malware).