Best defense against trojans that use javascript to slip in when you open websites?

Discussion in 'other security issues & news' started by Hop A. Long, Aug 23, 2004.

Thread Status:
Not open for further replies.
  1. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    I got a trojan just by visiting a website, but Kaspersky alerted me to it and allowed me to delete it. The name of it was "Trojan.PSW.Sagic.14".

    Since I had ActiveX and the java applet feature disabled in my XP Internet control panel, I have to assume the hacker used my browser's javascript to slip me the trojan. (I use the latest version of Mozilla.) This is very disturbing to me, since it feeds my paranoia by proving I can get trojans just by clicking on websites. And disabling javascript isn't much of an option, since having it enabled is mandatory in order to utilize important features on a large percentage of websites.

    However, I don't want to rely on an anti-virus program to detect trojans, as I believe a specialized program is the only sensible protection against trojans. And for me, the most important feature in a trojan detection program is the ability to detect known and UNKNOWN trojans that sneak in via javascript when you click on malicious (or compromised) websites.

    So my quest is to find the program that has the best reputation for instantly detecting/stopping trojans that utilize javascript. And I would appreciate it if someone could point me in the right direction, as far as their personal experience, reviews that pertain to javascript trojans, etc.

    Thanks in advance,
    Cassidy
     

    Attached Files:

    Last edited: Aug 27, 2004
  2. controler

    controler Guest

    Re: Best defense against trojans that use javascript to slip in when you open website

    Hey cassidy


    Would one of these work? and or are you maybe talking the HTA problem?

    WormGuard, HTAStop, ScriptSentry, ScripTrap
    you may also like to check on more reading including IFRAME

    http://www.anti-keyloggers.com/spy_v_antispy.html

    Bruce
     
    Last edited by a moderator: Aug 24, 2004
  3. Justhelping

    Justhelping Guest

    Re: Best defense against trojans that use javascript to slip in when you open website

    Ditching IE for another browser is another solution
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Good question.
    How do you de-fang javascript?
    FireFox has just a few options for controlling javascript (like stopping status bar modification for spoofing link URLs).
    But does FF block by default the really harmful javascript activities that would allow trojanous activity?
    What are the dangerous Javascript functions that should be removed or restricted?
    The benign Javascript functions should still be preserved (like image swapping).
    Maybe there is a way to control this within FF (about:config) ?

    Is there a way to de-fang javascript externally say with Proxomitron?
     
  5. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Hop A. Long, I may be wrong about this but I don't believe there's such a thing as a "script trojan". I mean a script can be used to install a trojan but then that would be the script's only purpose. In which case the Script Sentry program Controler was talking about would do the job for you. Also, I believe that you can protect yourself against trojans by closing ports on your computer (or hiding them with a firewall) and you should be ok no matter what browser you use (I use IE, no problems yet!).
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Script Sentry seems to block HTA exploits like WormGuard.
    But does the web browser's Javascript even use WSH?
    Isn't the WSH only used when you run a script outside of the browser?
    My concern is the same as Hop A. Long, getting a trojan (or other malware) dropped on you via Javascript exploits.
    What is the most effective way to remove this type of threat without disabling the benign javascripts (like image swaps)?
     
    Last edited: Aug 24, 2004
  7. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    Hi Bruce

    I'll check those programs out, thanks. What is the "HTA problem"?

    IFRAME is evil! The remote scripting it allows just makes javascript that much more of a security risk--and it will only get worse.

    Cassidy
     
  8. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    I was using Mozilla when it happened.
     
  9. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    You guys will have to excuse me I don't seem to be hip on the "lingo" :p . I'm talking about such abbreviations as IMO, HTA and WSH. If someone could clear that up for me that'd be great. Also, I've heard about the HTA problem but can't find any info can someone please provide a link? I also have an experience I'd like to share...

    I was at my friend's house helping him speed up his internet so we went to pcpitstop.com. The site said there was a simple registry change that may help so we clicked on the link. Apperantly his firewall had script blocking capabilities cuz it intercepted the script. We allowed it to run, rebooted and we were done. I believe Script Sentry should do this for you too. BTW Devinco, your post says "Script Defender" when you're actually linking to Script Sentry.
     
  10. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    No browser allows you to defang javascript--your only option to avoid trojans that utilize it is to disable it 100%. (As not even TDS-3 can stop all trojans.) This is probably because it CAN'T be defanged, since the good stuff needs the same poison the bad stuff uses.

    Hmm, a service like Proxomitron may be a solution--certantly worth some research.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Re: Best defense against trojans that use javascript to slip in when you open website

    Proxomitron is ready!
     

    Attached Files:

  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Thanks Ronjor!

    That is just too cool! :cool:
    Yet another reason for Proxomitron.

    Besides Proxo, isn't there something that can be done within FF besides the Tools/Options/Web Features/Advanced?
    Is there anything in about:config or maybe there is some kind of javascript:config?
    FF is so configurable. Is there such a thing within it?
     
  13. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    The research I've done indicates that your browser's javascript can definitely allow a malicious website to sneak a trojan onto your PC, simply by opening the website. Which is why I'm sure that's how I got the trojan described above, particularly since I was on a hacker oriented website at the time (doing research to make my computer more secure).

    As far as ports are concerned, my firewall has them all invisible to hackers, according to independent testing I've done. (I'm currently using the Norton firewall, but will be switching to Sygate Pro.)

    Script Sentry was designed for 98/NT/ME/2000 and merely allows you to control which scripts are executed--so I don't think it's a practical solution. As what good are constant pop-ups asking me if I want to allow a javascript to execute, since I have no way of knowing whether a website will use it to sneak in a trojan. :'(
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Re: Best defense against trojans that use javascript to slip in when you open website

    Ashamed to say I don't know. Somewhere on the Firefox forum is a link to about:config and options. I've seen it but, would have to search to find it.

    Proxomitron seems to take care of whatever you throw at it. I guess that is why I haven't looked for more answers.
     
  15. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Re: Best defense against trojans that use javascript to slip in when you open website

    Ronjor

    I have FF too. But could you tell me which version of Proxomitron should I download.

    I read somewhere on this forum that Proxomitro might not be compatible with some programmes? Is that right?

    Will it give conflict to McAfee, Ad-aware, Javacools programmes: SpywareBlaster, SpywareGuard, MRU Blaster, ShootTheMessenger and SpySweeper etc., any conflict with other softwares? Also other firewalls?

    Cheers

    Chew

    P/s: I thought Proxomitron was for IE only ?
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Re: Best defense against trojans that use javascript to slip in when you open website

    Proxomitron is a proxy. Any program you set up to go throught port 8080 will go through Proxomitron first.
    You don't have to set it up so that every program goes through it. Just try your browser. Most programs can find a proxy if you are using one and set themselves to use it if need be.

    I have the 4.5 (6-1-2003) version. Found here.
     
  17. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Re: Best defense against trojans that use javascript to slip in when you open website

    Everyone,

    Sorry for the slight hijack of the thread here.

    Thanks Ronjor for the info.

    Will read and check it out soon.

    Cheers

    Chew
     
  18. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    I sifted through the Firefox about:config for anything Javascript related and here is what I found. Note DOM (Document Object Model) is used a lot by Javascript so I included it here.
    Does anything here look like a Javascript liability (ie exploitable for trojan dropping)?
    If there is another Javasript related configuration file for FF that would have some options, please post.
    Of course Proxomitron is a great solution, but beginners may shy away from it.
     

    Attached Files:

  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Re: Best defense against trojans that use javascript to slip in when you open website

    Add http: to the link below and paste in your url locator bar.

    //kb.mozillazine.org/index.phtml?title=Firefox_:_FAQs_:_About:config_Entries
     
  20. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  21. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  22. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    How will Proxomitron allow you to use javascript and avoid trojans at the same time?
     
  23. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Thanks Ronjor and iceni60.

    I am going through the linked articles now.

    But I am at a loss. I have beginning Javascript knowledge, but I don't know what the bad guys are exploiting in Javascript.
    We need to find out specifically what needs to be blocked first.
    How can this be determined?

    I will read through the articles and see if anything that appears "dangerous" jumps out at me.
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
  25. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Re: Best defense against trojans that use javascript to slip in when you open website

    Thanks Ronjor. Good ones.

    From the first article:
    So, can Javascript control Firefox Extensions(plugins) which are then made to drop a trojan?
    If yes, then one solution would be to not have any extensions installed.
    Another solution would be to find out what in Javascript allows it to control (or interact with) an extension and block it.
    Where can I find what is needed to block it, if at all?

    From the second article:
    Java is usually more dangerous than Javascript so I keep it disabled.
    This confirms that it can interact with plugins, but Firefox Extensions too?

    So is this JavaScript ability to execute some "other action" already removed from Firefox?
    Maybe the developers already thought of all this and defanged Javascript within Firefox.
     
Loading...
Thread Status:
Not open for further replies.