From: james on 27 Feb 2010 06:34

I was using IE on a web site "wordtwist.org" playing a game while all of a sudden the browser disappeared (closed?), replaced by a dialog saying there's some suspicious activity on my PC and I needed a scan, etc. I did not touch that dialog.

I disconnected from the internet, then I killed the IE process with task manager. Everything seemed ok after that.

My question is where did this pop-up come from? Is it from wordtwist.org? It doesn't seem like a malicious site and I have been using it for weeks without any problem until today. And if it is from wordtwist.org, how is it able to close my browser window?

Is there a way to prevent this type of pop-up?

From: MEB on 27 Feb 2010 15:54

On 02/27/2010 06:34 AM, james wrote:
> I was using IE on a web site "wordtwist.org" playing a game while all of
> a sudden the browser disappeared (closed?), replaced by a dialog saying
> there's some suspicious activity on my PC and I needed a scan, etc. I
> did not touch that dialog.

Presuming that did not come from your installed AV/anti-malware or some other protection:

You *may* have run across [as you apparently indicate] one of the standard methods for malware deployment - fake dialogs/displays to get you to INSTALL/ALLOW the malicious activity. Forcing a close of a browser is a relatively simple task, though the below seems to indicate you may have experienced a "lost focus" and close "window" "hidden" instance.

What was the EXACT displayed message shown?

>
> I disconnected from the internet, then I killed the IE process with task
> manager. Everything seemed ok after that.

That does not necessarily mean you have successfully avoided the potential hack/malware. The hack and/or its injection stub/exploit may still exist in your system.

>
> My question is where did this pop-up come from? Is it from
> wordtwist.org? It doesn't seem like a malicious site and I have been
> using it for weeks without any problem until today. And if it is from
> wordtwist.org, how is it able to close my browser window?
>
> Is there a way to prevent this type of pop-up?

http://www.UnmaskParasites.com/security-report/?page=www.wordtwist.org
You must enable JAVA, cookies, and allow the Google api to run. Check through the entire listed sites linked.

http://www.google.com/safebrowsing/diagnostic?site=www.wordtwist.org

* Does finding that there are no apparent issues reflect that any given site is clean?

NO/not necessarily. It means that the methods used to check the site/page were able to check the ALLOWED or *seemingly* OFFERED activities/aspects within the site/page.

Malicious activity has included the ability to avoid most detection using methods such as by hiding the activity using: SSI; probe/site/IP checking tools/methods and identification of that activity; reliance on other methods such as pre-fetch and cross-site activities; JAVA and Flash exploits; timed and/or extended interaction injection; Service Pack and/or update probing; specific OS and browser related exploits; and other continually modified methods now being deployed to avoid detection and produce successful injection/hack.

Check through any of the most prevalent found malware and botnet [in particular] related activities and you will stumble across the particular methodologies for deployment PRESENTLY known. The key word is "presently" [hence why it is capped] as these malicious activities are constantly being modified.

* What might have caused your issue?

Your issue may involve contacts with other pages PRIOR to that site {e.g., sites which used JAVA and/or Flash, or opened PDFs, or other similar}, cached materials from other sites, tabs to other sites opened in the browser, and/or malicious activity from some method as has been previously indicated or inferred.

* What should you do?

Scan your computer with your present AV/anti-malware tools AND download and use another for cross-check.

Usual recommendation is to (preferably using another computer) download a Live/bootable image with single or multiple AV/anti-malware checking programs and burn and use that to check the problem/target computer. And/OR scanning from another computer in your local network [though that may already be part of the problem or may potentially infect those other computers], and/OR using one of the online scanner services.

IF an infection or malware is found, please post back with that exact information, including: specific malware identified; file(s) found and location; AV/anti-malware which is available and which was used to detect and cross check, as many may not be fully detected or be removed without further review.

* How to avoid or mitigate some of this potential activity?

Check your present settings for DEP and other related within your system and increase whatever protections are available.

For examples see:

Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/uk/athome/security/online/browsing_safety.mspx

How to reduce the risk of online fraud
http://www.microsoft.com/protect/fraud/phishing/reduce.aspx

A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003
http://support.microsoft.com/kb/875352

Change Data Execution Prevention settings
http://windows.microsoft.com/en-US/windows-vista/Change-Data-Execution-Prevention-settings

Data Execution Prevention: frequently asked questions
http://windows.microsoft.com/en-US/windows-vista/Data-Execution-Prevention-frequently-asked-questions

How to Configure Memory Protection in Windows XP SP2
http://technet.microsoft.com/en-us/library/cc700810.aspx

Change Internet Explorer Security settings
http://windows.microsoft.com/en-US/windows-vista/Change-Internet-Explorer-Security-settings

Internet Explorer security zones registry entries for advanced users
http://support.microsoft.com/kb/182569

How to strengthen the security settings for the Local Machine zone in Internet Explorer
http://support.microsoft.com/kb/833633

Security Tools
http://technet.microsoft.com/en-us/security/cc297183.aspx

Microsoft Baseline Security Analyzer
http://technet.microsoft.com/en-us/security/cc184924.aspx

--

* further

Adjust your Internet usage habits to avoid some of the simpler methods of attacks, such as:

Never use tabbed browser abilities when going to interactive sites and services and never use instances of browsers where you may have contacted other sites previously, i.e., use fresh instances.

Make sure you limit stored pages, and remove/delete temporary files from previous instances of Internet activity.

Make sure you keep updated on/in ALL of your installed applications INCLUDING your browser, AV/anti-malware, and OS.

Make sure that ActiveX controls and killbits are properly installed/set correctly.

Make sure to set JAVA and Flash restrictions. Check periodically as there are methods to reset these via malware.

Limit or remove search bars, and other like browser "enhancements" to avoid whatever exploitable aspects they might have or bring.

Install, if possible, browser plug-ins which limit and deny JAVA, Flash, and other scripting activities pending your approval.

Set your browser zone settings to HIGH and further restrict JAVA, Flash, iframe, redirects, and other activities using your system and browser management tools.

Avoid, if possible, having an instant message, video, or other similar applications/instances open when using other interactive services. Make sure you have done everything possible to restrict activity within those as well.

Since the above general recommendations aren't likely to be used as they are not the way most people interact on the Internet today, at least use SOME of the suggestions and make an effort to set some of the restrictions.

And NEVER use an administrator's account when contacting the Internet.

NOTE: These should really only be your STARTING points to online protection and local system security.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

From: "FromTheRafters" erratic on 27 Feb 2010 16:31

"james" <nospam(a)nospam.com> wrote in message news:ut3MlD6tKHA.732(a)TK2MSFTNGP06.phx.gbl...
> I was using IE on a web site "wordtwist.org" playing a game while all
> of a sudden the browser disappeared (closed?), replaced by a dialog
> saying there's some suspicious activity on my PC and I needed a scan,
> etc. I did not touch that dialog.
>
> I disconnected from the internet, then I killed the IE process with
> task manager. Everything seemed ok after that.
>
> My question is where did this pop-up come from? Is it from
> wordtwist.org? It doesn't seem like a malicious site and I have been
> using it for weeks without any problem until today. And if it is from
> wordtwist.org, how is it able to close my browser window?
>
> Is there a way to prevent this type of pop-up?

If it is the one that I am thinking of, it might be coming through an advertisement on the legitimate site. Often, it is not repeatable (when you revisit, maybe a different ad is being served?). Sometimes you can use taskman to maximize the "alert" and see the address bar, which gives you a numerical IP for further investigation. Clicking anywhere on the displayed 'window' sends you to the site.

In my case the target was one of the fake AV scan scam sites. I'm guessing it is scripting.

From: David Kaye on 27 Feb 2010 16:43

"FromTheRafters" <erratic @nomail.afraid.org> wrote:
> Sometimes you can
> use taskman to maximize the "alert" and see the address bar, which gives
> you a numerical IP for further investigation. Clicking anywhere on the
> displayed 'window' sends you to the site.

Does anybody know if there's a tool out there that can list the processes which are displaying icons in the taskbar? Most often there is a taskbar icon for some malware and there appears to be no way to isolate it down to which process is causing the program to run. This would be extremely helpful to have.

Also, some tool that would display which process has called the Windows system notification bubble would also be really good to have.

So far I've been unable to find any handy tools that do either of these.

Back to the "scan" website: Sometimes Google indexes malware sites along with legit sites. I think I may have mentioned there a site that had a Shaun White photo on it. Within about 2 seconds of going to the webpage and seeing the photo, it was replaced by another page allegedly "scanning" my hard drive for non-existent malware.

My experience has been to click the "go away" button in the upper right of the window IMMEDIATELY to get rid of it without infection. If there is no go-away button, then press Alt-F4 to close the window via the keyboard, and then close the browser.

From: james on 28 Feb 2010 01:47

>> Is there a way to prevent this type of pop-up?
>
> If it is the one that I am thinking of, it might be coming through an
> advertisement on the legitimate site. Often, it is not repeatable (when
> you revisit, maybe a different ad is being served?). Sometimes you can use
> taskman to maximize the "alert" and see the address bar, which gives you a
> numerical IP for further investigation. Clicking anywhere on the displayed
> 'window' sends you to the site.
>
> In my case the target was one of the fake AV scan scam sites. I'm guessing
> it is scripting.

I ran into the same pop up again, on a separate PC running a different OS (vista) while visiting a different web site (gizmag.com). This time I found the warning dialog covering a small IE8 window with the title "My Computer Online Scan" and the URL in this IE8 is 217.23.5.233/index.html. It is hosted in the neverland.

I brought this up in a different newsgroup but for the curious, here is the exact text in the dialog:

window title: Message From webpage

Warning! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! System Security will perform a quick and free scanning of your PC for viruses and malicious programs.

OK Cancel

Perhaps it's a double click ad that is targeting me based on my internet searches. That's why I ran into it twice on two different PCs.

I wish there were a way to block IP addresses by country, since I browse usa web sites most of the time. Unfortunately, a country may have hundreds or thousands of non-contiguous blocks of IP assigned. Whoever is assigning IP addresses is doing a poor job.
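
Added example, not part of any post in this thread: a sketch of how a block list made of many non-contiguous address ranges, the obstacle raised in the last post, is usually handled by merging the ranges once and binary-searching them per lookup. The CIDR blocks are constructed sample data, not real registry allocations, and the function names are hypothetical.

```python
import bisect
import ipaddress
from urllib.parse import urlsplit

# Constructed sample ranges, NOT real registry allocation data. They stand in
# for one country's scattered assignments; the first is built to contain the
# address quoted in the thread.
SAMPLE_BLOCKS = [
    "217.23.0.0/20",
    "198.51.100.0/25",
    "198.51.100.128/25",  # adjacent to the block above: the two merge into a /24
    "203.0.113.64/26",
]

def build_index(cidrs):
    """Merge overlapping/adjacent IPv4 blocks into sorted (first, last) integer ranges."""
    merged = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    ranges = [(int(n.network_address), int(n.broadcast_address)) for n in merged]
    return [r[0] for r in ranges], ranges

def is_blocked(index, addr):
    """Binary-search the merged ranges: O(log n) however scattered the blocks are."""
    starts, ranges = index
    ip = int(ipaddress.ip_address(addr))
    i = bisect.bisect_right(starts, ip) - 1  # last range starting at or below ip
    return i >= 0 and ip <= ranges[i][1]

def url_blocked(index, url):
    """True/False for a URL whose host is a literal IP; None for a hostname (needs DNS first)."""
    host = urlsplit(url if "//" in url else "//" + url).hostname
    try:
        return is_blocked(index, host)
    except ValueError:
        return None

if __name__ == "__main__":
    idx = build_index(SAMPLE_BLOCKS)
    for u in ("217.23.5.233/index.html", "http://203.0.113.10/", "wordtwist.org"):
        print(u, "->", url_blocked(idx, u))
```

A real deployment would load the ranges from a maintained source and resolve hostnames before the lookup; both steps are outside this sketch.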