Maybe we should all report the malware.


As I posted, I had most of my installed and fully-updated protection
programmes fail to "detect or protect" me, regarding malware that has
been hanging around for a week.

Could we all _not_ ignore these posts, but instead make a concerted
effort to report them to our respective ISPs, their ISPs/abuse (under
an assumed email address), and the makers of our "protection".

Ignoring them simply allows the "signatures" not to be updated AFAICS.

Enough nuisance traffic may produce some results by ISPs etc.

One email a day for every one that appears here, from all of us, would
be a significant incentive to _somebody_ to act.

They seem to be coming thick and fast, and getting more so. They are more
than just a nuisance if you get one.
****************************************************
I went on a guided tour not long ago.The guide got
us lost. He was a non-compass mentor.........sorry
........no I'm not.

Re: Maybe we should all report the malware.

wrote:


I highly recommend Ad-Aware... it is free, is very frequently
updated... sometimes daily, and seems to do an excellent job of
deleting mal-ware and its less insidious cousins.....  Downloadable
at:

http://www.lavasoftusa.com/software/adaware/


Re: Maybe we should all report the malware.

On Sun, 18 Apr 2004 21:57:30 -0400, "Gene Kearns"
......and in reply I say!:
 remove ns from my header address to reply via email


Got it. Failed! It was one of them that let the thing through. That
day's update.

My points are:
    - every time somebody says "I got a virus" somebody else says "Try
UmptyDoo. Works for me" and then somebody else says
"Nah it's crap. Try BlahBlah"..........and they're both right
.....sometimes.
    - if we all think we have protection and simply trust it or ignore
the leeches, then this will never be fixed. It _will_ get worse. The
catcher software will fail to keep up.

With this meany, only one of two firewalls, and one of four checkers
found the problem. In the meantime I was mined. I ID'd the file myself
and disarmed it.

Metal content? We need to maintain these tools better, or they get
rusty.

Also, the _free_ Ad-Aware would have been useless to me in this case,
as it does not do real-time. All the time I was online, until I
checked, I would have been mined.


Re: Maybe we should all report the malware. ---LONGISH



... much snipped

... more snipped.

... even more snipped.

Nick,
What are the four checkers you used?  For some reason most anti-virus
vendors have not been checking for spyware.  By most accounts the
combination of Ad-Aware and Spybot Search and Destroy is as good as it
gets.  Beware of others however, at least one has been caught installing
spyware.
    All of these are for catching the fox after it's IN the hen house.  The
real question is how to keep it out of the hen house in the first place.
You certainly can cut down on these.  I just did a full scan of the system,
updating then scanning using both Spybot and Ad-Aware.  No spyware was
found, after not scanning for over a month.  This machine is on the
internet and is regularly used to browse sites, including some linked to in
news groups.  The only time that I have found malware on one of my systems
was after I lent a co-worker my laptop while his was out for repairs.
    What is my secret you ask?  First regularly run Windows Update.  Windows
out of the box has a huge list of ways for viruses and/or malware to get on
the system.  Windows Update will stop many of these but not all of them.
The second is somewhat more onerous.  Most of the spyware gets on the system
through the web browser.  The default installation of Internet Explorer
allows web sites no less than 3 ways to install and run software on your
computer without your permission.  The first and in my opinion the most
dangerous of these are ActiveX controls.  These are native software and
once installed have little to limit their damage.  The second is Java applets;
these programs are supposed to run in a sandbox that keeps them from
fouling things up but I don't trust them.  Microsoft calls the third active
scripting; this includes both JavaScript (not at all the same as Java
applets) and Visual Basic Scripting (VBScript).  Again this is supposed to
be contained but I really don't trust this one.  I don't know if the latest
updates leave the hole but I am told that VBScript can access the system
registry!  Stopping these three holes is not too difficult.  First bring up
Internet Explorer and open up the Internet Options dialog (Tools->Internet
Options).  Go to the General tab, press the Settings button in the Temporary
Internet Files section.  Then click the View Objects button.  Behold a list
of all of the ActiveX controls currently set up in your web browser with an
(overly) brief description.  You will want to leave PDF viewing and probably
Shockwave viewing.  Consider carefully what ActiveX controls you want web
sites to be able to run on your machine.  The steps you are about to take
keep them from installing any new ones.  Delete any you don't want.  Next
go to the Security tab.  Highlight the Internet zone and change the security
level to HIGH.  Now there are a couple of complications to what you have
just done.  First some business sites are really snooty and just plain
inaccessible with these settings.  When I find one of these sites I
reconsider doing business with them at all.  If I have no choice, such as all
of the hardware stores do it, I add them to the trusted site list.  Second, PDF
files and Flash animations will not show by default.  We can fix this by
selecting the Internet zone, hitting Custom Level and then changing the "Run
ActiveX controls and plug-ins" setting from Disable to Enable or Prompt.
Once you have done this your machine will not download ActiveX controls but
will run ones that are already installed, given that you leave the rest of
the ActiveX control settings the way that selecting High security set them.
While you are here you will want to also enable File Download.  Consider
enabling META REFRESH; it is used to redirect you to a new page
automatically, usually harmless but not necessarily so.  Click OK here.  Now
select Trusted Sites and click the Sites button; you will see a check
box down at the bottom saying "Require server verification (https:) for all
sites in this zone."  Uncheck this because it won't let you exempt most of
the sites that you trust if you don't.  OK out of this dialog then click
OK on the Internet Options dialog and enjoy safer web browsing.  I hope you
dislike pop-up/pop-under advertising because you won't be seeing them except
when visiting trusted sites... Just a convenient side effect of the
changes.
    Unfortunately this won't stop everything.  Trusted sites will abuse the
privilege, new bugs will be found, et cetera, et cetera.  Long term this
will require legislative action.  Let your elected representatives know that
you are holding them responsible for the legality of spyware at the polls.

Alan Wood



Re: Maybe we should all report the malware. ---LONGISH

All,
I should have written an outline for the prior post as I forgot a critical
step to locking down the system.  Fortunately it can be done at any time.
This step only applies if you are using Microsoft Outlook or Outlook
Express.  If so turn off the preview pane.  Some newer viruses, and probably
spyware too, can install from email if you read or even just preview the
infected mail.  To turn this off in Outlook Express bring it up, choose the
Layout item of the View menu, and then uncheck the Show Preview Pane check
box.  OK it and you are done with this step.  I don't have a reasonably
recent version of Outlook installed anywhere but you should be able to find
out how to disable the preview pane in its help system.  Just look up
preview pane.
    Now for the hard part: if it looks like spam or such don't open the
message.  This problem has led to jokes about SARS being the only virus
that can't propagate via Outlook.  It has also led some people to recommend
switching from Outlook/Outlook Express.  This viewpoint has considerable
justification in my opinion.
Alan Wood



Re: Maybe we should all report the malware. ---LONGISH


The latest version of Outlook Express has an option to only display pure
ASCII text, no HTML, no graphics, no music, no scripts, no malware
programming. If you choose that option, you can leave the preview pane
turned on.

I pester my email correspondents to only create messages using plain
ASCII text. That way we both see the same thing. I have filters set which
automatically quarantine any email that arrives containing HTML, graphics,
scripts, attachments, or binary executables. That cuts down on spam
wonderfully, and just about completely insulates me from viri and malware
attacks via email. (I run Norton Antivirus too, of course.)

You can lock down IE in similar fashion, but I've chosen to use Mozilla
Firebird as my default browser. That's much more resistant to the usual
types of malware attack, has a number of features I find appealing, and
has a built in pop up stopper too. I understand that the next release of
IE will also have a built in pop up stopper. Of course you can use Popup
Stopper, a free program, to do the same thing, but the integrated pop
up stopper in Firebird works better because it is integrated and knows
when you've clicked on a link requesting a pop up, and when the website
is trying to force a pop up on you. It allows the former while blocking the
latter. Popup Stopper requires you to hold down the control key while
clicking on a link which will generate a pop up you want to see. Bloody
nuisance.

Gary

Re: Maybe we should all report the malware. ---LONGISH

Gary,
Are you referring to the read all messages in plain text option?  I wonder
how well this works though I have it set.  Hm, sacrificial install on one of
my (too) many machines to find out maybe?
Alan Wood



Re: Maybe we should all report the malware. ---LONGISH


Yeah, that's it. It is safe, but you'll see lots of crap when it tries to display
messages that aren't sent in plain ASCII.

Gary

Re: Maybe we should all report the malware. ---LONGISH



I've wondered about how they get your computer to download the viruses; do
they use an <img src="thevirus"> tag or something more complicated?
Also, not on a virus but on a spam note: if you get spam that has
pictures and you click it, which then opens into preview, it sends a
request for the picture; then the spammers' systems know that the email
is alive.  So when checking out suspected spam, just unplug your modem;
it can't get the pictures, and it will still let you get a pretty good
idea of what's there, and whether or not you want pictures.

Re: Maybe we should all report the malware. ---LONGISH

a theory
......and in reply I say!:
 remove ns from my header address to reply via email



errrm, no. You open that attachment and if all it did was phone home,
you would be lucky. Usually it places a programme on your PC that
_keeps_ phoning home, and / or creates more programmes that do the
same thing, mines your PC for info or buggers it up with a virus,
updates itself to avoid detection etc.

Re: Maybe we should all report the malware. ---LONGISH



I meant the ones that don't require you to open the attachment.


Re: Maybe we should all report the malware. ---LONGISH


    [ ... ]


    [ ... ]


    Those usually use a trick with an <iframe> tag in the HTML,
which causes it to automatically "play" the included "x-wav" file, which
in reality has an executable extension like .exe, .scr, or similar.  The
system is dumb enough so it says "Hmm ... I don't need to feed an audio
file directly to the audio player -- I can depend on the system
recognizing the ".wav" extension if I try to "run" it, and thus feeding
it automatically.  But when the real extension is *not* ".wav", it
actually *does* run the program, thus infecting your system.  Note that
not everything does this -- but the Outlook Express (the default e-mail
program) which comes *with* the system has this behaviour enabled by
default in Windows.

    Another thing which makes the system even more vulnerable is the
"hide known extensions" option, which is *on* by default in Windows, so
if an e-mail comes in with an attachment called "symphony.wav.exe", you
will only be shown the "symphony.wav", and not be given a chance to
realize that this is really an executable program which could be a
virus, instead of a sound file.

    For reasons like this, I don't read e-mail with anything which
handles HTML, let alone with things that have javascript, java, or
active-x enabled.  I see usenet news articles and e-mail with HTML as
raw HTML (which is pretty ugly, BTW), and usually just send it to the
bit bucket.

    And, of course, virii targeted at Windows systems won't run on
my unix systems.  Yes -- it is possible to target the unix systems, but
there are so many different types that it is hard to focus on just one.
The most common would probably be some popular flavor of linux.  (So I
tend to use a much less popular version of BSD unix -- and one known for
a strong security stance to start with.  And I *don't* even use the
e-mail programs which come with the system, but rather others downloaded
from web sites of authors who are dedicated to security in the handling
of e-mail, so the most common possible holes just aren't there.)

    There are other ways to attack unix systems, and some versions
of unix are better at dealing with the attacks than others.  But there
are a lot more things which can be done with unix to *limit* the spread
of a virus, even if one *is* written for the system.  And mostly, unix
systems don't have the stupidity of auto-executing "features" built into
e-mail programs.  You are expected to know how to extract and run an
attachment if you need to -- and are also expected to know what kinds of
security doors you are opening by doing this, and to do it with an
account with minimum privileges, not as root (the superuser who can
change anything).

    A normal user has only permission to read and execute programs,
and to read and search the directories in which the programs live.  S/he
does *not* have the privileges to write anything there, so even if s/he
runs a virus, it can't change anything in the directories of programs
used by all the users.  The user may change programs in a private
directory of his/her own programs, so those could be infected -- but
those are not likely to be standard system programs, and normal practice
is to install even those with no write permissions, so it is more
difficult to change them in any harmful way.

    Of course, any user *can* do stupid things, and this includes
any unix administrator -- but the most common ways into the system are
turned off by default, so a user or an administrator has to be
particularly and wilfully stupid to turn such things on without knowing
what doors are being opened.

    Enjoy,
        DoN.

--
    (too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
           --- Black Holes are where God is dividing by zero ---
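The three mail-side risks raised in this thread can all be checked mechanically: Gary's filter that quarantines anything not sent as plain ASCII, the remote picture in HTML spam that tells the sender an address is alive, and DoN's description of an `<iframe>` auto-playing an "x-wav" attachment whose real (last) extension is executable while Explorer's "hide known extensions" shows only `symphony.wav`. The scanner below is an added example written for this page; it is not code from the thread or from any mailer mentioned here. It uses Python's standard `email` package; the extension lists, the regular expressions, the `example.invalid` addresses and the three sample messages are constructed assumptions, not captured mail.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows treats as programs: a file ending in one of these runs when
# "opened", whatever an earlier extension or the declared MIME type says (assumed set).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions Explorer hides under "hide known extensions" (assumed subset for the model).
KNOWN_EXTENSIONS = EXEC_EXTENSIONS | {".txt", ".wav", ".doc", ".jpg", ".gif", ".htm", ".html"}

IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b|\bjavascript:", re.IGNORECASE)
# An <img> fetched over the network: the "is this address alive?" beacon in spam.
REMOTE_IMG_RE = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']?(https?:)?//", re.IGNORECASE)


def extensions(filename):
    """All extensions of a filename, in order: 'symphony.wav.exe' -> ['.wav', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def displayed_name(filename):
    """Model of what Explorer shows with 'hide known extensions' on: the last known
    extension is dropped, so 'symphony.wav.exe' is displayed as 'symphony.wav'."""
    exts = extensions(filename)
    if exts and exts[-1] in KNOWN_EXTENSIONS:
        return filename[: -len(exts[-1])]
    return filename


def scan_message(raw):
    """Return the sorted list of risky constructs found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no content of their own
        ctype = part.get_content_type()
        filename = part.get_filename()
        if ctype == "text/html":
            findings.add("html-body")
            body = part.get_content()
            if IFRAME_RE.search(body):
                findings.add("iframe")
            if SCRIPT_RE.search(body):
                findings.add("script")
            if REMOTE_IMG_RE.search(body):
                findings.add("remote-image")
        elif ctype.startswith("image/"):
            findings.add("image")
        elif ctype in ("application/octet-stream", "application/x-msdownload"):
            findings.add("binary")
        if part.get_content_disposition() == "attachment":
            findings.add("attachment")
        if filename:
            exts = extensions(filename)
            if exts and exts[-1] in EXEC_EXTENSIONS:
                findings.add("executable-attachment")
                if len(exts) > 1:
                    findings.add("double-extension")
                if not ctype.startswith("application/"):
                    # declared as audio/image/text, but named as a program
                    findings.add("type-extension-mismatch")
    return sorted(findings)


def quarantine(raw):
    """Gary's rule: anything that is not plain text goes to quarantine."""
    return bool(scan_message(raw))


def build_sample(kind):
    """Constructed sample messages (not captured mail) for the three cases discussed."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "constructed sample: " + kind
    if kind == "plain":
        msg.set_content("Plain ASCII text only.\n")
    elif kind == "webbug":
        msg.set_content("See the picture.\n")
        msg.add_alternative('<html><body><img src="http://tracker.example.invalid/p.gif?id=42">'
                            "</body></html>", subtype="html")
    elif kind == "iframe_wav":
        msg.set_content("Your symphony is attached.\n")
        msg.add_alternative('<html><body><iframe src="cid:symphony"></iframe></body></html>',
                            subtype="html")
        # Declared as audio, but the real (last) extension is .exe; fake MZ header bytes.
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="audio", subtype="x-wav",
                           filename="symphony.wav.exe")
    else:
        raise ValueError(kind)
    return msg.as_bytes()


if __name__ == "__main__":
    for kind in ("plain", "webbug", "iframe_wav"):
        raw = build_sample(kind)
        print(kind, "->", scan_message(raw), "quarantine:", quarantine(raw))
    print("shown by Explorer as:", displayed_name("symphony.wav.exe"))
```

The scanner looks at the structure of the message rather than at any signature, which is the point of the plain-text filter: a new variant of the same trick still has an HTML part, an `<iframe>`, or a program-named attachment under an audio content type, so it is caught without a definitions update. `displayed_name` exists only to make the hidden-extension problem visible on the command line; the fix on a real machine is to turn the "hide known extensions" option off.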

Re: Maybe we should all report the malware. ---LONGISH

DoN. Nichols wrote:
 

The Polarbar mailer handles HTML e-mails (which, regrettably, are all too
common) rather nicely.  You see the text extracted from the HTML and an
icon in the lower left that lets you know it came from HTML.  If you
really want to, you can open the HTML in a browser either on line or
after you've disconnected.

Ted



Re: Maybe we should all report the malware. ---LONGISH

vaguely proposed a theory
......and in reply I say!:
 remove ns from my header address to reply via email


CA Antivirus, Ad-Aware, Spybot. All updated that day.


Yes, by me. NoAdware. I yelled loud about that one.


Well, I am fairly safe. I have everything set to read only ASCII.

I deliberately infected my machine. I did it with AV REAL TIME set up,
and firewall running. The Sygate Firewall has an apparent weakness
that allows a "Software proxy" to be set up by malware. This can
apparently make SPF ignore it.

However, my firewall(s) tell me that my system is being pinged about
every 10 seconds. I am told this is in preparation to trying to pry
into an open port, and get stuff onto my PC. I know that before I had
a firewall, I was becoming conscious of constant little bits of
traffic on my system, every few seconds, in both directions, when I
was doing nothing. These are all stopped as being suspicious now.


So had I. As I said Spybot and Ad-Aware completely failed to find the
problem. I found the problem. I _think_ the firewall helped, because
if I completely disabled all Net traffic, then it was partially ID'd.
I found an exe file that was really recent in windows/system, and
renamed it. Problem gone.

snip


Also, it can start to cripple certain stuff that is legit, IMO, and
make life that bit more difficult.

I have had very little, and none very harmful, until this one. It was
the worst I had had since I installed AV software, and it _was not
seen by anything_

Re: Maybe we should all report the malware. ---LONGISH

Nick, what was the name of the executable you found (before you renamed
it)?
Alan Wood



Re: Maybe we should all report the malware. ---LONGISH

vaguely proposed a theory
......and in reply I say!:
 remove ns from my header address to reply via email


Dunno if it helps, because probably each one will change, but it was
system2.exe in \windows\system (Win 98SE). It had...hmmmm sdbot.jbp
(??) in it.



Re: Maybe we should all report the malware. ---LONGISH



I am curious as to how that one arrived.  Pretty nasty from what I found on
the web.
Alan Wood



Re: Maybe we should all report the malware.


If you try to cross a lake of hot coffee on a sugar cube, you're going to
get wet.

There's really no point in complaining about incoming arrows when you
insist on walking around with a big red target painted on your chest.

If the viri and malware bother you so much, get rid of Windows. Run
Linux, or get a Mac. Problem solved.

Gary

Re: Maybe we should all report the malware.

vaguely proposed a theory
......and in reply I say!:
 remove ns from my header address to reply via email


Well that's the polite version <G>.

hmmm just for now give me the viruses....<G>


I have to disagree. I feel that if enough people do as you suggest,
apart from not being able to run half the apps I run now (afaik), as
soon as the target is big enough, the hackers will simply move... and
these guys can _move_ when they want to. And I very much doubt that a
system can be built that will stop them.

Re: Maybe we should all report the malware.

Put your computer out in the driveway and run over it a few times.

Problem solved.


