From: gufus on 4 Apr 2010 14:28 Hello, ~BD~! You wrote on Sun, 04 Apr 2010 18:55:23 +0100: | I'm unsure of the point you were making, but it's good to meet you! ;) What I was doing was teasing David Kaye, <evil grin>.. Nice to meet you too! have a /SUPER/ Easter. :-) -- With best regards, gufus. E-mail: stop.nospam.gbbsg(a)shaw.ca
From: gufus on 4 Apr 2010 14:34 Hello, David! You wrote on Sat, 3 Apr 2010 20:13:30 -0400: | The two are drinking the same K00laide. Wobblypop's | -- With best regards, gufus. E-mail: stop.nospam.gbbsg(a)shaw.ca
From: Ant on 4 Apr 2010 14:41 "David Kaye" wrote: > "Ant" wrote: >>You didn't say which browser was involved. Is it up-to-date? What >>plugins and other applicatiuons are used as helpers to view embedded >>content and are they sercurely configured and up-to-date? Think about >>Java (not javascript), PDF and Flash viewers, ActiveX components and >>other media players. Do you allow them to run automatically? > > Again, this particular computer is set up to imitate real world scenarios as > are present in my customers' computers. So that would be insecurely and typically lacking the latest (or any) third party software updates or patches for bug fixes. They might be a little better protected with Vista or Win7 if they haven't disabled the nags. > Prior to the infection I had visited > several websites from Google links. I did not click on anything within those > web pages. I don't recall if there was a pdf among the stuff I looked at or > not. My machine is set up top warn about ActiveX, but not Java, Flash, or > pdfs. However, downloading of exe and dll files should be triggering > *something* to warn me. You still haven't stated which browser and you don't need to click to be infected. In the last few days there have been updates for IE6 & 7, Firefox, Quicktime & Itunes and Foxit PDF reader. All of them correct exploitable vulnerabilities. Take a look at http://isc.sans.org/ To convince yourself to not allow PDF files to display automatically see the article "PDF Arbitrary Code Execution - vulnerable by design" at isc.sans.org. Foxit have corrected it but Adobe Acrobat is probably still vulnerable. In fact malicious PDFs, which are frequently used, often don't display at all but just run code. If you want some warning it's best to to have the appropriate OS security policies and logging in place. Firewalls are usually only concerned with network connections, not what you allow to run. The only way you can find out what causes a problem like this is to do an immediate investigation of all the recent HTTP (and perhaps other protocol) requests and examine any cached pages, scripts, Java .jar and .class files, etc when it happens so you can track down the bad site and what exploit was used. > As someone suggested, perhaps something else is being renamed as an exe. An executable named temp.tmp, for example, is easily run without being renamed by using the right API magic. > I did notice one thing that may be a clue. I couldn't run exe files any > longer until I entered the exe extension in the filetypes section to replace > what had been there. This was after the registry rollback, so I'm not sure > where the exe reference was being pulled from. It should have reverted just > like all other registry entries. That depends how you backup/restore the registry. File associations are stored in HKLM\software\Classes which is in the software hive in [win]\system32\config. Then there's the individual hives (ntuser.dat) in each user profile directory. It may be that exe association can be overrridden from those. Once malware is running with administrator rights it can do anything it wants, including elevating itself to have NT authority\system privilege. Thus it has full access to protected areas of the registry, the hard disk and the ability to load drivers. > So, indeed it could well be that ave.exe is really something non-exe that got > renamed and thus wasn't detected by Windows as being bogus. I have not saved > the ave.exe file to look at it. Perhaps I should have, but I had to use this > particular computer and just wanted to get rid of the malware. More important is to find the vulnerable software component that allowed it to run.
From: gufus on 4 Apr 2010 14:53 Hello, David! You wrote on Sun, 4 Apr 2010 09:21:52 -0400: | All Usenet is based on GMT therefore your clock may be correct bu the | wrong time zone. Yes, a person just has to set their "TZ" environment variable -- With best regards, gufus. E-mail: stop.nospam.gbbsg(a)shaw.ca
From: gufus on 4 Apr 2010 15:09
Hello, David! You wrote on Sat, 3 Apr 2010 20:12:09 -0400: | | Yes. In fact a web site can offer up different MD5 valued files for | something as different as the User-Agent. | Vsoup the User-Agent for my saver's gateway need's TZ set to work proper. -- With best regards, gufus. E-mail: stop.nospam.gbbsg(a)shaw.ca |