From: David Kaye on
Geoff <geoff(a)invalid.invalid> wrote:

>I don't know of one off-hand but do you really want to trust the
>content of your restricted sites list to another anonymous program?

That's why I asked for a script. I want to look it over first.

From: MEB on
On 03/01/2010 12:29 AM, David Kaye wrote:
> Geoff <geoff(a)invalid.invalid> wrote:
>
>> I don't know of one off-hand but do you really want to trust the
>> content of your restricted sites list to another anonymous program?
>
> That's why I asked for a script. I want to look it over first.
>

If I may:

I'm not sure of what you hope to achieve with such a script, as
anything you might find and attempt to place may change at any time.
This would appear to not address or ignore the methodology being
employed within these types of attacks. Any given entry found and placed
may not be viable within a matter of hours at the whim of the
controllers, or as pre-defined, or due to a take-over of a legitimate
site, or other common deployment methods.

Examples/References:

http://blog.threatexpert.com/2008/11/srizbis-domain-calculator.html

https://st.icann.org/reg-abuse-wg/index.cgi?malware_botnet_control

http://blog.threatfire.com/

Moreover, it would appear what you desire would require something more
in-line with advanced intrusion detection services/applications used *in
conjunction with* other methods.

http://www.google.com/search?&q=advanced+intrusion+detection+in+Windows&btnG=Search

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
From: MEB on
Addendum:

On 02/27/2010 03:54 PM, MEB wrote:
> On 02/27/2010 06:34 AM, james wrote:
>> I was using IE on a web site "wordtwist.org" playing a game while all of
>> a sudden the browser disappeared (closed?), replaced by a dialog saying
>> there's some suspicious activity on my PC and I needed a scan, etc. I
>> did not touch that dialog.
>
> Presuming that did not come from your installed AV/anti-malware or some
> other protection:
>
> You *may* have run across [as you apparently indicate] one of the
> standard methods for malware deployment - fake dialogs/displays to get
> you to INSTALL/ALLOW the malicious activity. Forcing a close of a
> browser is a relatively simple task, though the below seems to indicate
> you may have experienced a "lost focus" and close "window" "hidden"
> instance.
>
> What was the EXACT displayed message shown?
>
>>
>> I disconnected from the internet, then I killed the IE process with task
>> manager. Everything seemed ok after that.
>
> That does not necessarily mean you have successfully avoided the
> potential hack/malware. The hack and/or its injection stub/exploit may
> still exist in your system.
>
>>
>> My question is where did this pop-up come from? Is it from
>> wordtwist.org? It doesn't seem like a malicious site and I have been
>> using it for weeks without any problem until today. And if it is from
>> wordtwist.org, how is it able to close my browser window?
>>
>> Is there a way to prevent this type of pop-up?
>
> http://www.UnmaskParasites.com/security-report/?page=www.wordtwist.org
> You must enable JAVA, cookies, and allow the Google api to run.
> Check through the entire listed sites linked.
>
> http://www.google.com/safebrowsing/diagnostic?site=www.wordtwist.org
>
>
> * Does finding that there are no apparent issues reflect that any given
> site is clean?
>
> NO/not necessarily.
> It means that the methods used to check the site/page were able to
> check the ALLOWED or *seemingly* OFFERED activities/aspects within the
> site/page.
> Malicious activity has included the ability to avoid most detection
> using methods such as by hiding the activity using: SSI; probe/site/IP
> checking tools/methods and identification of that activity; reliance on
> other methods such as pre-fetch and cross-site activities; JAVA and
> Flash exploits; timed and/or extended interaction injection; Service
> Pack and/or update probing; specific OS and browser related exploits;
> and other continually modified methods now being deployed to avoid
> detection and produce successful injection/hack.
> Check through any of the most prevalent found malware and botnet [in
> particular] related activities and you will stumble across the
> particular methodologies for deployment PRESENTLY known. The key word is
> "presently" [hence why it is capped] as these malicious activities are
> constantly being modified.
>
>
> * What might have caused your issue?
>
> Your issue may involve contacts with other pages PRIOR to that site
> {e.g., sites which used JAVA and/or Flash, or opened PDFs, or other
> similar}, cached materials from other sites, tabs to other sites opened
> in the browser, and/or malicious activity from some method as has been
> previously indicated or inferred.
>
>
> * What should you do?
>
> Scan your computer with your present AV/anti-malware tools AND download
> and use another for cross-check. Usual recommendation is to (preferably
> using another computer) download a Live/bootable image with single or
> multiple AV/anti-malware checking programs and burn and use that to
> check the problem/target computer. And/OR scanning from another computer
> in your local network [though that may already be part of the problem or
> may potentially infect those other computers], and/OR using one of the
> online scanner services.
>
> IF an infection or malware is found, please post back with that exact
> information, including: specific malware identified; file(s) found and
> location; AV/anti-malware which is available and which was used to
> detect and cross check, as many may not be fully detected or be removed
> without further review.
>
>
> * How to avoid or mitigate some of this potential activity?
>
> Check your present settings for DEP and other related within your
> system and increase whatever protections are available.
> For examples see:
>
> Improve the safety of your browsing and e-mail activities
> http://www.microsoft.com/uk/athome/security/online/browsing_safety.mspx
>
> How to reduce the risk of online fraud
> http://www.microsoft.com/protect/fraud/phishing/reduce.aspx
>
> A detailed description of the Data Execution Prevention (DEP) feature in
> Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and
> Windows Server 2003
> http://support.microsoft.com/kb/875352
>
> Change Data Execution Prevention settings
> http://windows.microsoft.com/en-US/windows-vista/Change-Data-Execution-Prevention-settings
>
> Data Execution Prevention: frequently asked questions
> http://windows.microsoft.com/en-US/windows-vista/Data-Execution-Prevention-frequently-asked-questions
>
> How to Configure Memory Protection in Windows XP SP2
> http://technet.microsoft.com/en-us/library/cc700810.aspx
>
> Change Internet Explorer Security settings
> http://windows.microsoft.com/en-US/windows-vista/Change-Internet-Explorer-Security-settings
>
> Internet Explorer security zones registry entries for advanced users
> http://support.microsoft.com/kb/182569
>
> How to strengthen the security settings for the Local Machine zone in
> Internet Explorer
> http://support.microsoft.com/kb/833633
>
> Security Tools
> http://technet.microsoft.com/en-us/security/cc297183.aspx
>
> Microsoft Baseline Security Analyzer
> http://technet.microsoft.com/en-us/security/cc184924.aspx
>
> -- * further
>
> Adjust your Internet usage habits to avoid some of the simpler methods
> of attacks, such as:
>
> Never use tabbed browser abilities when going to interactive sites and
> services and never use instances of browsers where you may have
> contacted other sites previously, i.e., use fresh instances. Make sure
> you limit stored pages, and remove/delete temporary files from previous
> instances of Internet activity.
>
> Make sure you keep updated on/in ALL of your installed applications
> INCLUDING your browser, AV/anti-malware, and OS.
>
> Make sure that ActiveX controls and killbits are properly installed/set
> correctly.
>
> Make sure to set JAVA and Flash restrictions. Check periodically as
> there are methods to reset these via malware.
>
> Limit or remove search bars, and other like browser "enhancements" to
> avoid whatever exploitable aspects they might have or bring.
>
> Install, if possible, browser plug-ins which limit and deny JAVA,
> Flash, and other scripting activities pending your approval.
>
> Set your browser zone settings to HIGH and further restrict JAVA,
> Flash, iframe, redirects, and other activities using your system and
> browser management tools.
>
> Avoid, if possible, having an instant message, video, or other similar
> applications/instances open when using other interactive services. Make
> sure you have done everything possible to restrict activity within those
> as well.
>
> Since the above general recommendations aren't likely to be used as
> they are not the way most people interact on the Internet today, at
> least use SOME of the suggestions and make an effort to set some of the
> restrictions. And NEVER use an administrator's account when contacting
> the Internet.
>
> NOTE: These should really only be your STARTING points to online
> protection and local system security.
>

I had hoped something like this wouldn't be released [though the
potentials were discussed in several places]; it has, as of today.
Consider this as an additional Warning, of which you should be aware.

Internet Exploiter 2 - bypassing DEP
http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/
"I am releasing this because I feel it helps explain why ASLR+DEP are
not a mitigation to put a lot of faith in, especially on x86 platforms.
32-bits does not provide sufficient address space to randomize memory to
the point where guessing addresses becomes impractical, considering heap
spraying can allow an attacker to allocate memory across a considerable
chunk of the address space and in a highly predictable location."

Make sure you understand the ramifications, and make sure to look for
ways to help mitigate the issues involved. Be forewarned that this exploit
vector will likely be used far more than before...

http://www.google.com/search?hl=en&q=ASLR+and+DEP+vulnerability&btnG=Search

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
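The "check your present settings for DEP" step in the quoted post can be done from a prompt. The script below is an added example, not something from this thread or from any of the linked Microsoft pages. It assumes PowerShell 2.0 or later; the Win32_OperatingSystem DEP properties it reads are documented for Vista/Server 2008 and later, so on XP SP2/Server 2003 it falls back to the /noexecute switch in boot.ini that KB 875352 describes.

```powershell
# Added example (not from the thread): report the system-wide DEP policy.
# Assumes PowerShell 2.0+. Win32_OperatingSystem exposes the DEP properties on
# Vista/2008 and later; on XP SP2/2003 the policy comes from boot.ini instead.

$policyNames = @{
    0 = 'AlwaysOff - DEP disabled for every process'
    1 = 'AlwaysOn  - DEP enforced for every process, no exceptions'
    2 = 'OptIn     - only Windows binaries and programs that opt in (client default)'
    3 = 'OptOut    - every program except those on the exception list'
}

function Get-DepStatus {
    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $policy = $os.DataExecutionPrevention_SupportPolicy   # $null where the class lacks it

    if ($policy -ne $null) {
        return New-Object PSObject -Property @{
            Source               = 'WMI Win32_OperatingSystem'
            HardwareDepAvailable = $os.DataExecutionPrevention_Available
            Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
            Policy               = $policyNames[[int]$policy]
        }
    }

    # Older systems: read the boot loader switch (/noexecute=OptIn|OptOut|AlwaysOn|AlwaysOff).
    $bootIni = Join-Path $env:SystemDrive 'boot.ini'
    $hits = @(Get-Content $bootIni -ErrorAction SilentlyContinue |
              Select-String -Pattern 'noexecute=(\w+)')
    $mode = if ($hits.Count -gt 0) { $hits[0].Matches[0].Groups[1].Value } else { 'not set (SP2 defaults to OptIn)' }

    New-Object PSObject -Property @{
        Source = $bootIni
        Policy = $mode
    }
}

Get-DepStatus | Format-List
```

OptIn is the client default and leaves most third-party programs (including older browser plug-ins) outside DEP; OptOut or AlwaysOn is what the linked "Change Data Execution Prevention settings" page walks through, and is the setting worth confirming after the skypher.com post above.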
From: Geoff on
On Mon, 01 Mar 2010 14:14:12 -0500, MEB <MEB-not-here(a)hotmail.com>
wrote:

>
>On 03/01/2010 12:29 AM, David Kaye wrote:
>> Geoff <geoff(a)invalid.invalid> wrote:
>>
>>> I don't know of one off-hand but do you really want to trust the
>>> content of your restricted sites list to another anonymous program?
>>
>> That's why I asked for a script. I want to look it over first.
>>
>
> If I may:
>
> I'm not sure of what you hope to achieve with such a script, as
>anything you might find and attempt to place may change at any time.
> This would appear to not address or ignore the methodology being
>employed within these types of attacks. Any given entry found and placed
>may not be viable within a matter of hours at the whim of the
>controllers, or as pre-defined, or due to a take-over of a legitimate
>site, or other common deployment methods.
>
>Examples/References:
>
>http://blog.threatexpert.com/2008/11/srizbis-domain-calculator.html
>
>https://st.icann.org/reg-abuse-wg/index.cgi?malware_botnet_control
>
>http://blog.threatfire.com/
>
> Moreover, it would appear what you desire would require something more
>in-line with advanced intrusion detection services/applications used *in
>conjunction with* other methods.
>
>http://www.google.com/search?&q=advanced+intrusion+detection+in+Windows&btnG=Search

I agree, they love to obfuscate their addresses and domains and they
have demonstrated agility at retargeting their links as needed.

This is part of the problem with direct IP addresses as you (David)
found with your popup. If the IP is globally black-holed they simply
compromise another host and redirect their traffic to it.

FWIW, IE8 stores the security ranges in the registry:
HKEY_USERS\S-1-5-21-**********-*********-**********-****\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges

If you want an automated method of preventing access to known bad
sites then you should consider SpyBot S&D, it's still reactive and you
have to do updates manually but it can help against known active
malware sites. Believe it knows how to manipulate these keys.
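Since David wanted a script he could read before trusting it, here is an added example (not code from this thread, from Spybot, or from Microsoft) that lists what the current user's IE zone map actually contains, using the registry location Geoff gives with HKCU: standing in for HKEY_USERS\<SID>. It assumes PowerShell 2.0 or later and the key layout described in KB 182569 (linked earlier in the thread): Domains\<domain>[\<host>] keys with values named by scheme ("http", "https", "*") holding the zone id, and Ranges\Range<N> keys holding an IP or range in a ":Range" value plus the same scheme values. The function, task name and placeholder domain are mine.

```powershell
# Added example, not from the thread: enumerate the IE zone map for the current user so
# the Restricted (zone 4) and Trusted (zone 2) lists can be reviewed by hand.
# Assumes PowerShell 2.0+ and the ZoneMap layout documented in KB 182569.

$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Read-ZoneValues {
    # Emit one record per scheme value under a Domains or Ranges key.
    param($Key, [string]$Site)
    foreach ($valueName in $Key.GetValueNames()) {
        if ($valueName -eq ':Range') { continue }          # metadata, not a scheme
        $zone = [int]$Key.GetValue($valueName)
        New-Object PSObject -Property @{
            Site   = $Site
            Scheme = $valueName
            Zone   = $(if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "unknown ($zone)" })
        }
    }
}

function Get-ZoneEntries {
    # Domains\example.com\www  ->  www.example.com
    foreach ($domKey in @(Get-ChildItem "$zoneMap\Domains" -ErrorAction SilentlyContinue)) {
        Read-ZoneValues -Key $domKey -Site $domKey.PSChildName
        foreach ($hostKey in @(Get-ChildItem $domKey.PSPath)) {
            Read-ZoneValues -Key $hostKey -Site ('{0}.{1}' -f $hostKey.PSChildName, $domKey.PSChildName)
        }
    }
    # Ranges\RangeN  ->  the IP address or range stored in ":Range"
    foreach ($rangeKey in @(Get-ChildItem "$zoneMap\Ranges" -ErrorAction SilentlyContinue)) {
        $range = (Get-ItemProperty -Path $rangeKey.PSPath).':Range'
        Read-ZoneValues -Key $rangeKey -Site $range
    }
}

function Add-RestrictedSite {
    # Place a domain in zone 4 for every scheme. Only call it for an entry you have
    # reviewed yourself; the domain in the commented usage line is a constructed placeholder.
    param([string]$Domain)
    $path = Join-Path "$zoneMap\Domains" $Domain
    if (-not (Test-Path $path)) { New-Item -Path $path | Out-Null }
    New-ItemProperty -Path $path -Name '*' -Value 4 -PropertyType DWord -Force | Out-Null
}

Get-ZoneEntries | Sort-Object Zone, Site | Format-Table Zone, Site, Scheme -AutoSize
# Add-RestrictedSite -Domain 'example.invalid'    # review first, then uncomment
```

Run it before and after installing anything that claims to manage the Restricted sites list and diff the two listings; that shows exactly what was added, and the "Trusted sites" rows are worth a look as well, since an entry placed there matters more than one missing from zone 4. If the "Use only machine settings" policy is in force, the same keys live under HKLM rather than HKCU.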
From: David H. Lipman on
From: "Geoff" <geoff(a)invalid.invalid>

< snip >

| If you want an automated method of preventing access to known bad
| sites then you should consider SpyBot S&D, it's still reactive and you
| have to do updates manually but it can help against known active
| malware sites. Believe it knows how to manipulate these keys.

No need to manually update SpyBot S&D. Just create a .JOB in the Task Scheduler using the
following command line...

"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoupdate /autoclose


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
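Dave's command line can be registered with schtasks.exe rather than by hand in the Task Scheduler GUI. The following is an added example, not from this thread or from Spybot's documentation; it assumes PowerShell 2.0 or later and schtasks.exe (present on XP Professional and later). The task name, the daily 03:00 schedule and the SYSTEM account are my assumptions; the executable path and the /autoupdate /autoclose switches are the ones Dave gives.

```powershell
# Added example, not from the thread: schedule the Spybot S&D update command line.
# Assumes PowerShell 2.0+ and schtasks.exe. Task name, time and account are assumptions.
$spybot   = 'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe'
$taskName = 'Spybot autoupdate'     # assumed name

if (-not (Test-Path $spybot)) { throw "Spybot not found at $spybot" }

# The path contains spaces, so it must stay quoted inside the /tr argument. Writing the
# embedded quotes as \" lets them survive PowerShell's own quoting of native-command args.
$taskRun = '\"' + $spybot + '\" /autoupdate /autoclose'

# /st HH:mm is the Vista/7 form; XP's schtasks expects HH:MM:SS (03:00:00).
# /ru SYSTEM needs no password and can write under Program Files, where the updater stores
# its files; a less privileged account works only if it has write access there.
& schtasks.exe /create /tn $taskName /tr $taskRun /sc DAILY /st 03:00 /ru SYSTEM
if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }

# Confirm what was registered; the verbose listing shows the exact "Task To Run" string,
# which is where a lost pair of quotes around the path would show up.
& schtasks.exe /query /tn $taskName /v /fo LIST
```

The /query step matters: if the quoting is wrong, the task is created anyway and fails silently at 03:00 with a "file not found" for C:\Program, which is easy to miss in an unattended update job.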