From: Leythos on
In article <cdWdnZdjHOWkUiTWnZ2dnUVZ8qCdnZ2d(a)bt.com>,
BoaterDave(a)hotmail.co.uk says...
> God sure moves in mysterious ways!
>

My guess is that he would ask you to take the off-topic things to email
or some group where it fits - this is a anti-malware group.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)
From: Beauregard T. Shagnasty on
~BD~ wrote:
>> <snip>

Asked and answered.

Why don't you agree to meet your new chum PCButts for dinner this
evening?

--
-bts
From: Ant on
"David Kaye" wrote:

> What I'm getting at is that I use the best of off the shelf freebie programs
> my customers would tend to download. As for updates, typically when I first
> see them they have default Windows services turned on, so that they are up to
> date on Windows updates,

What about non-MS updates?

> I'm using IE8 Version 8.0.6001.18702.

That should be reasonably safe, hence the importance of checking 3rd
party (non-MS) plugins and helper apps.

> I know you mean well, but believe me, I already know about this stuff.

I appreciate you have some clue and that's why I'm interested in how
you got infected. If all your software was fully updated this drive-by
infection should not have happened. If it was a new vulnerability, AKA
a zero-day exploit, then I'm particularly interested in knowing what
it was.

When executable code runs via an exploit like a buffer overflow and
code injection there's no guarantee that an otherwise securely
configured OS can spot it. DEP (data execution prevention) can help
prevent this kind of attack if available for the machine.

> I noted the file date/time and have looked back on this.

As I said, you need to examine the cached files to have any hope of
finding the exploit. Of course, you will need to have an understanding
of file formats and know what to look for.

> The exploit appears
> to have come from foxnews, officedepot, or officemax -- the time stamps are
> within a few seconds of each other and show up right before the time stamp
> that was written to the temp directory in my documents and settings tree.

You see, my probing has caused you to give more information which then
prompted someone else to reply with a link to a forum about the Faux
News site infection. Although that discussion is a year old, the
problem of legitimate sites serving up malware through adverts or
hacked servers is still a real one. It appears those exploits were via
buggy ActiveX controls which have all now been patched.

>>More important is to find the vulnerable software component that
>>allowed it to run.
>
> Yes. Also, since I was able to get this infection I suspect that I'll be
> getting frantic calls this coming week from others. I'm getting tempted to
> set people up as limited users, even though that creates headaches in itself
> (such as the inability to run QuickBooks properly, which I mentioned before).

You should at least disallow the automatic running of PDFs, look at
tightening browser security settings, and perhaps change the browser
to Firefox or Opera if they are not using IE 8. XP's default settings
are no longer sufficient.


From: Ant on
"~BD~" wrote:

> David Lipman *has*
> emailed me with evidence of 'catching out' hidden passwords in code used
> by TRT/BCButts. I also had an email from TRT asking me to tell him/her
> what DHL had said.
>
> My problem remains, though, in that there is no way I can be *100%* sure
> which is telling the truth!

You either accept what respected posters here (ACAV) say or you
analyse the files yourself. I can say that I've also found evidence
in butts' files that they were copied and altered by him in an attempt
to conceal the real authors.


From: ~BD~ on
Beauregard T. Shagnasty wrote:
> ~BD~ wrote:
>>> <snip>
>
> Asked and answered.
>
> Why don't you agree to meet your new chum PCButts for dinner this
> evening?
>

That was a very juvenile response, Bts.

Which part of this did you fail to comprehend? :-

If you are quite certain of your facts then I believe you have a public
*duty* - maybe in conjunction with all those who are in agreement with
you - to bring about a prosecution of the offending individual.

I cannot believe that help in not available to you in Obama's USA.

"Put your money where your mouth is" comes to mind.

As they say in the navy "Make it so!"

--
Dave