Chapter 4. Downloading Machine Code with ActiveX and Plug-Ins

One of the most dangerous things that you can do with a computer that is connected to the Internet is to download a program and run it. That’s because most personal computer operating systems place no limits on what a program can do once it starts running. When you download a program and run it, you are placing yourself entirely in the hands of the program’s author.

Most programs that you download will behave as expected. But they don’t have to. Many programs have bugs in them: running them will cause your computer to crash. But some programs are malicious: they might erase all of the information on your computer’s disk. Or the program might seek out confidential information stored on your computer and transmit it to a secret location on the Internet. The program might even send threats to the president of the United States and the U.S. Congress, possibly granting you a visit from the Secret Service.

When Good Browsers Go Bad

The goal of an attacker is to be able to run a program of his choice on your computer without your knowledge. Once this ability is gained, any other attack is possible.

The easiest way for an attacker to accomplish this goal is to give or download a program to you for your computer to run. One would think that an easy way to defend against this attack would be to inspect all downloaded programs to see if they contain malicious code. Unfortunately, it’s theoretically impossible to determine what a computer program will do without running it. What’s possibly even more frightening is the fact that it’s frequently impossible to determine what a program is doing even after you have run it: programs have many ways of hiding their operations.

Even secure operating systems with memory protection and other security mechanisms, such as Windows NT and UNIX, offer users no real security against programs that they download and run. That’s because once the program is running, it inherits all of the privileges and access rights of the user who invoked it. No commercially available operating system allows users to create a “sandbox” in which to run suspicious code.

Internet users have been taught to download programs and run them without question. Web browsers like Netscape Navigator and Internet Explorer are distributed by downloads. And systems that extend the capabilities of these web browsers, such as the RealAudio player and the Adobe Acrobat Reader, are distributed by downloads as well.

Already, users have lost thousands of dollars by the actions of hostile programs that they have downloaded and run on their computers. These losses are likely to mount as technologies for downloading executable code become more widespread.

Card Shark

In January 1996, First Virtual Holdings demonstrated a program designed to show how easy it is to compromise a computer system. Affectionately called “Card Shark,” the program appeared to be a screensaver. Normally, the program would run silently in the background of your computer. If you didn’t type on your computer’s keyboard for a while, the screen would blank. You could make the screen reappear by typing a few characters.

Card Shark’s real purpose was to demonstrate the danger of typing credit card numbers into a computer system. While Card Shark was running, the program waited in the background on a PC or Mac, silently scanning the computer’s keyboard and waiting for a user to type a credit card number.[22] When the user typed a credit card number, Card Shark played ominous music, displayed a window on the screen, and informed the user that he or she had been sharked.

The program’s designers at First Virtual said that while Card Shark made its intention clear, an attacker interested in capturing credit card numbers wouldn’t need to do so. Instead, an attacker could have a similar sharking program store captured credit card numbers. When the program detected that the user’s computer was reconnected to the Internet, the sharking program could quietly post the credit card numbers on Usenet, enciphering the numbers in some way so as not to arouse suspicion. An attack carried out in this manner would be almost impossible to trace.

The Sexy Girls Pornography Viewer

In January 1997, a scam surfaced involving long distance telephone calls, pornography, and the Internet. The scam involved a web site, called sexygirls.com, which promised subscribers free pornography. In order to view the pornography, a computer user first had to download a special “viewer” program.

When the viewer program was downloaded and run, the program disconnected the user’s computer from its local Internet service provider, turned off the modem’s speaker, and placed an international telephone call to Moldova. Once connected overseas, the user’s computer was reconnected to the Internet and the pornography was seen.[23]

It turns out that the “free” pornography was actually paid for by long distance telephone charges, charges that were split between the American telephone company, the Moldovan phone company, and the web site. As this book was going to press, a spokesperson from AT&T was quoted as saying that the telephone charges would have to be paid, because the calls had in fact been placed. Meanwhile, the Federal Trade Commission was conducting an investigation of its own. One could argue that AT&T and the Bell operating companies introduced this security hole by deploying a purchasing and billing system that did not have adequate controls.



[22] Because of their structure, credit card numbers are exceedingly easy to recognize. For information about this structure, see Section 16.1.3.1 in Chapter 16.

[23] Netscape’s Eric Greenberg notes that this kind of attack does not require the Internet. A fairly common telephone scam in 1996 was for companies operating phone sex services in the Caribbean to call 800 numbers associated with digital pagers, in an attempt to get the pagers’ owners to return calls to the telephone number on the islands. These islands are part of the North American Numbering Plan, so they have regular area codes, just like telephone numbers in the United States and Canada. But calling these numbers costs many dollars per minute—a charge that is shared between the telephone company and the phone sex operator.

Get Web Security and Commerce now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.