Slashdot Mirror
Corporate Servers Spreading IE Virus [Updated]
uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via
several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms." Update: 06/25 14:50 GMT by J : A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox. Update: 06/25 19:30 GMT by J : Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?
Opera also offeres a very decent alternative to both IE and Mozilla/Firefox.
I spent ages trying to think of sig, but never did
Since the article is very vague, what happens is that once they compromise the IIS server, they modify each site on the server to write a document footer to every page. The document footer calls a DLL placed in the %windir%\system32 directory. The DLL writes a line of JavaScript to each page which redirects the user to a remote server to download the malicious code.
You mean like CNN?
Great spirits have always encountered violent opposition from mediocre minds. Albert Einstein
US-CERT and Internet Storm Center. Less talk, more information.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
http://www.microsoft.com/security/incident/downloa d_ject.mspx
/.) that a patched PC is safe.
Linked to from their home page, has been for quite a few hours. Gives more information, including an inference that the server portion is self propogating, and that (contract to
Read reviews of shopping cart software
I think this is the one I caught at work.
x .html ;)
s tem32\Automove.exe
o ws\Curr entVersion\Run
No security restrictions in IE will stop it.
I caught it here:
http://www.yetanotherhomepage.com/j7xx/j7x
There's a reason that this one isn't a link.
I killed mine like this (Windows 2000):
Delete these:
C:\Winnt\System32\Swin32.dll
C:\Winnt\Sy
C:\Winnt\System32\Trans.exe
And this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wind
[Adstartup] C:\Winnt\System32\Automove.exe
Seek and destroy Swin32.dll in the registry
Take out all of the CLSIDs it occurs in.
It's never too late to have a happy childhood.
What You Should Know About Download.Ject
>> Well the simple solution is, unless you're into just microsoft bashing, is to PATCH YOUR SYSTEMS.
That would work, but the article states that there are no patches as of yet for these two secuirty holes...
From the article:
"The researchers believe that online organized crime groups are breaking into Web servers and surreptitiously inserting code that takes advantage of two flaws in Internet Explorer that Microsoft has not yet fixed."
NeoThermic
Use my link above, or to view my server, NeoThermic.com
In Real Browsers javascript is sandboxed and it cannot do anything harmful. This thingy uses javascript to perform IE-only exploit.
Once again it's UNPATCHED USERS who are having problems
Not sure what article you are reading (maybe it's changed?).
This one (from ZDNET, which is the one linked to in the story) states:
"This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch."
Beauty is in the eye of the beerholder.
I really wish I could switch to Mozilla (ok, Firefox). My co-workers are switching to Firefox. My users are switching to firefox. But I can't, because I have no idea how to implement my pet project as a mozilla-type plugin.
All it has to do is read in a dictionary file, then catch the 'new page loading' event, perform morphological analysis on the page, and edit the page as it loads to include ruby tags and/or something to display definitions in the toolbar. That's it! It's fairly computationally intensive and sometimes the right html to insert at a given point is a bit of a guessing game, but it's not rocket science. But HOW THE FORK DO I DO IT IN MOZILLA??
PS Yes I have rtfm and no I cannot implement the analysis algorithm usefully in javascript and yes I do have to insert ruby tags, as well as regular javascript that talks back to the plugin, into the page on the fly.
Considering the amount of research that seemed necessary to get it working in the minefield of IE, I expected that I would be quite capable of figuring it out in mozilla, but it just seems to be an order of magnitude harder.
I would be grateful for advice (eg a pointer to a similar project). Or failing that, remarks on the lines of 'if u cant use mozilla u r lame u lame wind0z3 lu20r hehe l8trz' would also be fine.
Whence? Hence. Whither? Thither.
I was infected by stratics.com They use a third party pop up ad services and one of the ads is what installed the malware. It installed Lycos and STI on my machine, plus other junk.
It ended up embedding itself everywhere in my registry. After an hour of deleting all registry entries and even uninstalling IE6 and then reinstalling it, My search section of IE was still Lycos and banner ads would show up in it.
The only option i had left was to format and reinstall micosux windcrap.
You can change the name of Firefox completely with Firesomething - although I use it primarily for the random comedy names.
Go, Mozilla Firebadger!
Tedious Bloggy Stuff - hooray?
http://www.f-secure.com/v-descs/padodorw.shtml
Seems like a nice keylogger. It also installs another trojan. Virus vendors seem to be getting on the ball. Also the site which distributes the payload is currently dying under the load. The virus is apparently bit too succesful for it's own good.
There's apparently a newly discovered exploit in IE that can compromise an IE user's machine THROUGH AN IMAGE ON A WEB PAGE.
So any server that allows posting of graphics (eBay, many discussion forums, etc) can be "infected". Even those running Linux. The only solution is to stop using IE and pray that Firefox, Mozilla, Opera, etc. exploits are few and far between. Article on graphics exploit here.
The Internet Storm Centre has good information about what will be on your box if you're already infected. I think they're in \winnt\system32\inetsrv
Sorry about the duped links but more fixes, less FUD please. Yes, evil empire blah blah blah, but how about we tell people how to fix the problem instead?
Google Toolbar:
http://googlebar.mozdev.org/
And please name a few sites that only work with IE.
AVG free edition sygate personal firewall and Spybot seach and destroy (site down) will complete your collection nicely. Might want to have a look at Hijack this and this tutorial as well.
Yes, this is a lot of work for the price of keeping windows running. Some people don't have a choice... Me, as soon as my favourite IDE gets ported to Linux, I'll swap ;-)
Seriously though, if there are any other tools you guys use to try and keep windows secure, please share.
Importing Favorites is easy.
;)
Either let it import them during installation (it will prompt you), or go to the File menu and click on Import...
I'll assume you're having just a bad day.
My problem is finding "Compose ONLY in plain text" in Thunderbird. If it's there, I can't find it.
It's never too late to have a happy childhood.
Honestly, I've not really made the switch myself. The main reason is actually kind of petty, hotkeys. I've become very used to things like shift-clicking a link to bring up extra pages or hitting ctrl-enter after typing in a word to add the http://www. and .com to it. I've been working with IE for long enough that it's second nature to use those keys. Yes, I'm sure that other browsers have ways to do these things, but one gets used to not having to think browsing the web, so learning new keys feels like a fair burden.
I wont comment on your other problems with switching. But you could at least try these things with FireFox. As it turns out both of those hotkeys do exactly the same thing as IE under FireFox. Just tried it with 0.9.
Javascript is sandboxed in IE, too. The problem is, the IE sandbox leaks...
I work at a bank. A lot of the applications used internally are web apps that require IE... Mozilla/Opera aren't an option because those apps require MSJVM (Microsoft Virtual Machine - no joke), Active X or other proprietary MS technology.
I'm not talking simple forms here, this for Foreign Exchange transactions.
Certificates, multiple passwords, encryption...all moot
- This has been debated to death by Mozilla fans. Just give it some time, or download another theme.
- Extensions will be included in 1.0, I think. But there's nothing really missing for someone switching from IE; most extensions are icing for power users.
- I find Firefox settings very nice for a beginner/someone switching from IE. If you need to dig into about:config, you're not a stereotypical user.
- Because they are not working right yet. Check bugzilla if you want to know the details.
- This, I agree with. I'd remove all the buttons immediately, but for people coming from IE, it would be useful.
- No idea, I have a keyword ('g') set up for google searching.
- Here, you're just wrong. The installer asks on install if you want to import settings from IE, and I believe there's also a menu item to do it later.
- That's because shift-click saves a page. Try ctrl-click.
- I find it is instantanious on my 900 MHz Athlon, but this depends a lot on your computer. For me, it's the opposite: IE draws the window borders, then sits there for a few seconds before I can do anything with it. And Firefox still speeds up with each release.
In short, you don't sound like a typical user; you're more likely a power user, and as a power user, you're expected to dig for a few options. Otherwise, the options dialog would be too overwhelming.ctrl+enter works in firefox. install mouse gestures, and you'll have 10x more functionality than you had with hotkeys. need a new page? middle-click! you can keep IE around for the occasional game, but believe me when i tell you that its worth it to switch.
Gentlemen, you can't fight in here! This is the War Room!
http://www.mozilla.org
Two things:
1. Don't use an account that has elevated priviledges.
2. Don't install the latest security patches for I.E. 6.0.
The article mentions that the exploit takes advantage of the recently announced vulnerability in I.E. that an advertising company was exploiting. My testing of this vulnerability revealed that it would be unsuccessful if you didn't use a priviledged account. And oddly, at least with the previous exploit, the code wouldn't run until I installed the latest security updates. A generic install of Windows XP or one with SP1 didn't appear to work. Odd.
Basically: create an XPCOM component in C++ (if JavaScript or Python are too slow for you) which performs the computation. Mark your XPCOM interface as scriptable, use the typelib compiler to expose it to javascript then pass in the browser DOM so it can be edited by your component. Then write an extension to catch "page loaded" and pass the DOM to the loaded XPCOM component. I think that should work.
http://www.google.com/search?q=%22217.107.218.147% 22&hl=en&lr=&ie=UTF-8&start=20&sa=N&filter =0
Personally I'd rather know the list so I don't get infected, but then again I use netscape so....
Believe me, if I started murdering people, there would be none of you left.
Maybe it's not as you want is, but a similar plugin already exist: http://moji.mozdev.org/
Studying this source might be useful for your own project.
I can't operate without the google toolbar, which has no complete mozilla equivalent.
Um, what exactly is the mozilla google toolbar (http://googlebar.mozdev.org/) missing that you can't do without?
Remember, it doesn't need popup blocking (Mozilla does that itself).
Base: An up to date host file. This can probably block 95% of web nasties, regardless of source, yet is overlooked by most people.
Second: Proxomitron. The second browser-independent tool, it's a relatively little-known local proxy that filters the crap (including more ads than virtually every other solution) from a webpage before feeding it to your browser. Also handily removes most of the ActiveX and Javascript that causes these exploits. I simply cannot recommend it enough. In addition, it's fully configurable, and there are plenty of people out there who will write custom filters to get rid of any sort of ad that slips through.
Third: Firefox. I hesitate to suggest Opera because I don't feel it's as high a quality a product, and is closed-source, meaning it could be almost as susceptible to this stuff as Internet Explorer, should the bad guys aim their sights on it.
Fourth: In-browser plugins such as Adblock, which probably won't do much to stop this particular problem, but are nice to have around regardless.
Mozilla Backup is what you need. It can be used to easily transfer a profile from one machine to another. (Supports Firefox, Thunderbird, and Mozilla)
regedit.exe
Open HKEY_CLASSES_ROOT\http\shell\open
Remove the "ddeexec" subkey (subfolder).
Go into the "command" subkey (subfolder).
Change the (Default) string to this value:
"C:\path\to\mozilla.exe" -nosplash -url "%1"
Make sure to use the full path to mozilla or firefox. Also, keep the quotes.
To test, go to the run menu and type in an http:// URL. It should pop up a new mozilla window to the webpage.
Do the same thing for HKEY_CLASSES_ROOT\https and HKEY_CLASSES_ROOT\ftp to get the HTTPS and FTP protocol handlers as well.
Mail (mailto: links) is a little trickier. Use this guide for assistance.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
If Firefox can easily import my passwords, can't every adware and such also "import" them and send them anywhere?
I would think so.
Here is the question to ask yourself. Does the program that stores your passwords require any input from you to retrieve them (such as a master password). If so, you may or may not be safe - depending on how the master password is implemented. If not, you are definitely NOT safe. The passwords may be encrypted, but the key is somewhere on the hard drive otherwise IE couldn't make use of them.
If there is a master password then it could be used to encrypt your password database, which would probably make it fairly safe if the crypto isn't broken. Then again, it could just be stored as a hash on the disk and the passwords could be stored in the clear.
Bottom line - if the computer doesn't need to ask you for a password to access data, then spyware potentially doesn't either. Sure, things like sandboxes can protect some data from malicious apps, but they generally aren't perfect. Strictly speaking, neither is a passphrase since it doesn't have all that much entropy.
If you really want to be secure, store your passwords encrypted using strong crypto, and store the key on a smartcard protected by a PIN. To defeat that requires the smartcard at the very least, and unless you can hack the hardware it requires the PIN as well. Most decent smartcards will delete their keys making them useless after so many failed PIN attempts.
If iButton support was a little more mature on linux I'd probably start using it. You should check out their Java ibuttons - sounds like a neat solution for these kinds of problems. And they're pretty cheap.