5

Everyone know's that some sites can harm your computer just by looking at them, or some emails can send mail to all of your friends or collect information about you just by reading them.

How is this possible? Every site is just plain HTML, CSS and JS , that can't make any permanent changes on the computer (except cookies, but that can't harm you, can it?) so how could I get a virus?

If i click an ad, How do I get a virus? downloading link for autorun program?

How are these things done? what programming language?

thmas
  • 142
  • 12
7890
  • 91
  • 1
  • 6
  • Possible duplicate of http://stackoverflow.com/questions/1562145/how-viruses-get-through-browser-to-pc-as-javascript-do-not-have-much-privileges – Raedwald Jan 02 '15 at 22:09
  • See also http://stackoverflow.com/questions/9675941/how-can-a-virus-exist-in-an-image – Raedwald Jan 02 '15 at 22:11

2 Answers2

8

In general, the way these vectors work is by exploiting flaws in the software used to read/render the HTML, CSS, and JavaScript. In a perfect world with perfectly secure browsers/email programs with perfect sandboxes, then you'd be right that just viewing a page or an email couldn't load a virus on your computer. But we don't live in that perfect world.

One example is the "buffer overrun" vulnerability: The attacker spends a huge amount of time and effort to find that a particular program loads some resource (a CSS cursor, for instance) into a buffer failing to check that the resource is small enough to fit in the buffer. So the program writes bytes beyond the end of the buffer. Buffers are frequently on the stack, and so overwriting them can overwrite things like the return addresses for function calls. If you craft the data just right, you can make a return address jump to instructions in the data of the resource you're loading. At that point, all bets are off, the attacker can run arbitrary machine code embedded in that resource.

Other vectors involve vulnerabilities in the sandbox in which the JavaScript on the page runs.

T.J. Crowder
  • 1,031,962
  • 187
  • 1,923
  • 1,875
  • and just by that the attacker can make my pc get a virus ?! – 7890 Aug 04 '13 at 11:34
  • @7890: Once they can execute arbitrary machine code, they can do just about anything, including downloading and installing a virus. On Windows, this is harder now than it once was, because modern versions of Windows don't always run the user with admin rights, but it's still possible. (It was essentially always that hard on \*nix, because on \*nix, normally you're not running as root.) – T.J. Crowder Aug 04 '13 at 11:35
  • and that is how they can hack emails too? – 7890 Aug 04 '13 at 12:11
  • @7890: There are a large set of vectors for attacks. Most of them involve seeing and exploiting a vulnerability in something -- the email program, the email provider, etc., etc. – T.J. Crowder Aug 04 '13 at 12:50
0

Most users install plugins such as Adobe Acrobat, Shockwave Flash and Java in their browsers. If the plugins are out-of-date and the user visit a malicious site with code that target certain vulnerabilities, the attacker may be able to execute of arbitary code, gain privileged access to the system, install virus (join a botnet, for example), etc.

Luckily nowadays modern browsers sandbox the plugins and organizations like Google check for malicious code while crawling.

microtony
  • 192
  • 7
  • 1
    What I want to know is HOW EXACTLY are these viruses made. Do you have an example? – 7890 Aug 05 '13 at 09:55