Closed Bug 455078 Opened 13 years ago Closed 12 years ago

Combat scareware with heuristics to detect fraudulent JavaScript popups/dialogs

Categories

(Toolkit :: Safe Browsing, enhancement)

x86
Linux
enhancement
Not set
normal


RESOLVED WONTFIX

People

(Reporter: thomas, Unassigned)

References

(Blocks 1 open bug)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1

I know most security conscious people browse with JavaScript turned off or with NoScript/FlashBlock etc., but I know several people who have fallen for this scam, on IE and on Firefox. The problem is as such:

 * User is visiting site.
 * Popup: 'Your computer is infected with a virus, click OK to install SuperDuperCoolAntivirus 2009'.

Some users click Cancel, but this still leads to a download page and a 'your computer is infected' web page.

What I am suggesting is on alerts which match a database of potentially fishy terms, add an info bar (or whatever they are called, the yellow/grey bar that drops down from the top of the browser and provides a message) alerting the user that 'This alert may be a scam, and may download a virus if OK or Cancel is clicked. Click [ Abort ] to stop the script running this alert and any potential download. ' - and have an Abort button which stops all scripts from running, or prevents at least all scripts from the domain the script originated from running. 

Would this be plausible? I don't know. It might reduce these drive-by downloads. Of course it would require proper implementation and a good database, and perhaps the scammers/virus writers would eventually make errors in the spelling to throw off the filter, but we could try our best to stop the majority of these downloads from getting through. We would need to keep a database of URLs as well.

Reproducible: Always
I think you hit the nail on the head with the plausibility question because that's really the heart of it.  Those popups, as you've anticipated, aren't "real" popups.  They are just more web-page artistry, meant to look like popups, and presented on top of the rest of the page.  This makes them incredibly difficult to detect since they can require almost no javascript, and can use hundreds of techniques to disguise their text.  Not just misspellings, they could sprinkle the letters all over the page, and then just use clever layout tricks to bring them all together at the appointed time.

What's worse, they don't even really need to look like popups at all - that's just a product of the attackers being uncreative.  They need the user to click to launch the operation, but they could get that click by looking like a web-game, or by offering free pictures of lascivious things... the possibilities are endless, and the ability for us to detect it at that level is nearly impossible - even worse than spam detection, really.

However, all is not lost.  As you mention, the popups are all just a device to trick you into going to a site that's serving the actual malware.  Rather than chasing the popup techniques, which I don't think is a battle we can win, I think our efforts are better spent on finding better ways to find these malware sites early and get them onto the appropriate lists, so that the site is prevented from loading in the first place.

You've probably seen the beginnings of this with the new malware protection in Firefox 3, but this is something we will continue to improve.  Obviously the kind of filtering there is only as good as the quality of the lists we receive, but Google, our current partner in building those lists, has done a great thing by making their list available, and we should look for new ways to improve detection there, and the kind of list you describe sounds like a good fit.

I don't know of any existing lists of drive-by sites that are updated in real time and have the scaling plans in place to deal with something the size of the Firefox user base, but if you do, please provide a link.  Maintaining that kind of list ourselves is a massive undertaking - especially given the aforementioned difficulty detecting them automatically.  You're right that it is a continuing problem though, and one our existing mechanisms could be extended to handle, if such a list were available.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → WONTFIX
A lot of sites use simple popup windows, and this cannot really be avoided too much. A blacklist here would be useful.

However, you come to the popups from things such as the alert() and confirm() functions in JavaScript. These are used to give a native feel - on Mac OS X, they look like Mac, on Windows they look like Windows, ... Firefox could easily scan the strings passed to these functions. Misspellings of course could be used, but this weakens their attack. Who is going to click OK to a message saying 'Your compuer my be infcted with viruse(s) and yok may surfer erradict errrs, data lossses and sprodatic shutodwns. C-lick O. K. to INSTAll SUper*ANti*VIrus 2009.'? Not many. 

Maybe use Thunderbird's text (I think this is what's used, or at least similar to?) 'Firefox thinks this dialog box may be a scam and acting on a button may cause a virus to be installed. Click Abort to stop any download of a virus. '
Status: RESOLVED → UNCONFIRMED
OS: All → Linux
Hardware: All → PC
Resolution: WONTFIX → ---
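As an added example (not Firefox/Toolkit code, and not written by anyone in this thread), the following toy scorer shows what "scanning the strings passed to alert()/confirm()" against a term database could look like, tolerating the kind of obfuscation the comment above illustrates (punctuation noise, doubled letters, typos, words split by symbols). The term list, the length-scaled edit-distance thresholds and the benign sample dialog are assumptions; the spoofed sample is the string quoted in the comment above.

```javascript
// Added example, not Firefox code. Heuristic scoring of alert()/confirm() text
// against a small scareware vocabulary. Terms and thresholds are assumptions.

// Letters only, lowercase, runs of the same letter collapsed ("lossses" -> "loses").
function collapseRepeats(word) {
  return word.toLowerCase().replace(/(.)\1+/g, "$1");
}

// Assumed vocabulary, stored normalized so it is compared like the dialog text.
const SCAREWARE_TERMS = ["virus", "infected", "antivirus", "install", "spyware",
  "computer", "malware"].map(collapseRepeats);

function tokenize(text) {
  return text.toLowerCase().split(/[^a-z]+/).filter(Boolean).map(collapseRepeats);
}

// Standard Levenshtein edit distance between two strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// A term "hits" when a token, or two adjacent tokens joined ("ANti*VIrus"),
// is within floor(len/4) edits of it. Flag when enough distinct terms hit.
function scoreDialogText(text, threshold = 3) {
  const tokens = tokenize(text);
  const candidates = tokens.filter((t) => t.length >= 3);
  for (let i = 0; i + 1 < tokens.length; i++) candidates.push(tokens[i] + tokens[i + 1]);
  const matched = SCAREWARE_TERMS.filter((term) =>
    candidates.some((c) => editDistance(c, term) <= Math.floor(term.length / 4))
  );
  return { matched, suspicious: matched.length >= threshold };
}

// Constructed samples: the obfuscated string quoted in this thread, and a benign dialog.
const SPOOF_SAMPLE = "Your compuer my be infcted with viruse(s) and yok may surfer erradict errrs, " +
  "data lossses and sprodatic shutodwns. C-lick O. K. to INSTAll SUper*ANti*VIrus 2009.";
const BENIGN_SAMPLE = "Your session will expire in 5 minutes. Click OK to stay signed in.";

console.log(scoreDialogText(SPOOF_SAMPLE));  // suspicious: true (5 terms hit)
console.log(scoreDialogText(BENIGN_SAMPLE)); // suspicious: false (0 terms hit)
```

Only text that actually reaches the alert()/confirm() hook is scored; a fake dialog drawn as ordinary page content, as the earlier comment describes, never passes through it, which is the limitation that comment points out.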
Can we get an update on this bug? It's been neglected for close to a year.
It's been two weeks with no response to my previous question. I'm moving this to closeme status as of 2 weeks from now. Triager, please move this bug to resolved: incomplete if there are no further comments in the bug by the date set in the whiteboard.
Whiteboard: closeme 8-14-09
The original suggestion seems more or less impossible.  Scanning alert text for specific words is fragile and difficult in all kinds of ways, and alerts aren't an essential part of scareware anyway.

What we *can* do to combat scareware:

* Show alert() as a page-modal lightbox rather than a dialog that is and appears to be modal.  Modality adds to the illusion that the dialogs are "from Firefox" rather than "from the web page", and makes it easy to trick users into clicking images for popup blocker bypass.

* Fix bug 186708, which is abused in a particularly nefarious dialog spoof.

* Disable popup windows completely, even in response to clicks.  Page asks for a small window, it gets a lightbox.  Page asks for a large window, it gets a tab.

* Make it super-duper clear what's going on at the point when you decide to install software (bug 249951).  This is tough because the scareware pusher gets the first shot at your state of mind.

* When a user is about to install software, show some measure of how trustworthy that the site or software signer is.

* Make real security dialogs less spoofable, based on when and where they appear.

* Stop inundating users with legitimate security-related requests.  For example, prefer updating Flash for users (bug 514327) over telling them to update Flash (bug 391433).

I don't like Johnath's suggestion of considering site-blacklisting to be a solution. Scareware can disperse itself across hacked boxen as well as any software exploit.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago → 12 years ago
Resolution: --- → WONTFIX
Summary: Alert the user to fraudulent JavaScript popups/dialogs → Combat scareware with heuristics to detect fraudulent JavaScript popups/dialogs
Whiteboard: closeme 8-14-09
Blocks: eviltraps
Product: Firefox → Toolkit