Best defense against trojans that use javascript to slip in when you open websites?

Discussion in 'other security issues & news' started by Hop A. Long, Aug 23, 2004.

Thread Status:
Not open for further replies.
  1. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    According to that eWeek article I quoted from, “most people don't understand the potential dangers”. Obviously you and other members are aware of the dangers of javascript, but what about the thousands of 'newbies' who find this forum each week--are you saying THEY shouldn’t be warned?

    Huh? What “continuous attacks”?? Could you be more specific? I was subjected to an unprovoked attack by a troll/shill and I merely defended myself one time. Or, are you characterizing my warnings about javascript exploits as “attacks” against javascript? If it’s the latter, that’s something difficult for me to comprehend, given the many thousands of Google entries for javascript exploits.

    Well, I’m glad you don’t consider it to be a problem, but I disagree with you 100% on this, for the reasons I’ll outline in my next post.

    If a trojan can masquerade as something that will fool javascript into believing it’s a legitimate feature of the web site, how is that the fault of the OS? To put it another way, since javascript has given the OS a green light to accept the trojan, why is it the responsibility of the OS to question javascript’s judgment? Logic dictates the responsibility should fall squarely on anti-trojan software rather than the OS.

    And I find it interesting that you deflect ALL of the blame from javascript directly to the OS, when the reality is that javascript is where the problem originates. Want proof? Disable javascript and see if a hacker site can load a trojan onto your hard drive. (Assuming you already have ActiveX and java applets disabled in your OS Internet control panel.)

    My position is that javascript should be able to distinguish between trojans and legitimate web site features. And since it can’t, then it’s up to the anti-trojan software to do the job, rather than the OS or browser.

    I don’t allow ANY downloads that require java or activex. And I only use javascript because webmasters force me to use it, in order to utilize basic features on their sites. And I stick with TV for my multimedia experiences, since I can’t get trojans from a TV.

    I don’t have time to send long vitriolic letters to trash cans--which is where they’d immediately be filed.

    Huh? o_O What are you referring to? o_O Quote me ONE post where I’ve “blamed antivirus/anti-trojan developers for not blocking all jscript completely”. If you want your javascript blocked completely, all you have to do is disable javascript in your browser preferences--you don’t need a security program for that. But again, if you block javascript completely, you may as well get off the Internet. As again, it's standard practice for webmasters to require you to have it enabled in order to use the basic features on their sites.
     
  2. Gary Who

    Gary Who Guest

    Re: Best defense against trojans that use javascript to slip in when you open website

    lol, are you sure!?
     
  3. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    The javascript exploits couldn't do anything but attempt to run a trojan or a virus, so your AV or AT - if you have chosen well - will handle it.
     
  4. Hop A. Long

    Hop A. Long Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    39
    Location:
    USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    FINAL POST

    Exposing the dangers of javascript is one of the purposes of this thread--since "most people don't understand the potential dangers", as confirmed in the eWeek article quoted on page 3. And such exposure is the best way to motivate software companies to incorporate the appropriate protective measures into their security programs.

    Because as long as "most people don't understand the potential dangers" of javascript, software companies will continue to focus on impressive sounding bells and whistles for their upgrades. As why waste their programmers' time developing protection against javascript exploits if it won't generate a lot of new sales?

    If you check their web sites, you’ll see that to date, not a single one of the industry leaders mentions ANYTHING about their security software being able to protect users from malicious javascript exploits. Despite the fact that gaping javascript security holes have been around for MANY years.

    As the only thing software companies understand is their bottom line--which equates to marketplace demand. They aren't going to gamble their resources on developing a new protection feature if there's inadequate demand for it. So it all boils down to the "squeaky wheel" syndrome--if you don't ask for the protection, then you won't get it.

    In other words, simple logic dictates that you DO have some control over the security features available to you. Because the simple reality is that the people behind the software companies work for YOU--since they get their paychecks from you. So if you’re not satisfied with the product your employees are producing for you, then LET THEM KNOW IT. Because they’re fully aware that if they ignore your requests, then you’ll fire them as soon as you can find some hungry new employees who ARE willing to produce what you want.

    Simply tell them that you’re not satisfied with a security program that allows marauding trojans free access to your computer merely by opening a web site. And that you’d like this unconscionable breach of your security fixed ASAP. Because you’re outraged that you have to wait until dangerous trojans are loose in your computer before their program stands a chance of detecting them.

    As there’s always a chance that a sophisticated new trojan could execute undetected in your computer, disguised as a legitimate system process. One company argues that it doesn't matter, since their particular program scans everything that executes, including system processes. But they also admit that it's possible for disguised and unknown trojans to evade every feature they currently utilize in their scanning process.

    To verify this, all you have to do is ask ANY anti-trojan company "if I buy your software, can you guarantee your scanner will detect every trojan"? So common sense dictates that the first line of defense for an EFFECTIVE anti-trojan program should be to keep trojans from getting into your computer in the first place. Instead of the ludicrous ‘open door policy’ that trojans are currently greeted with.

    As that’s like sleeping with the front door to your house wide open in an extremely high crime neighborhood, with just your dog to detect intruders. Suppose a cat burglar uses a box of fried chicken to make friends with your dog? Obviously, this security risk is eliminated if the burglar is prevented from getting in--because that'll make it impossible for him to fool the dog.

    Just like keeping trojans from getting into your computer makes it impossible for them to fool your computer's anti-trojan 'motion detector'. Because if trojans can't get in--they can't execute! In other words, anti-trojan software should consist of not only the interior 'motion detector', but a 'locked door' as well. That's just simple common sense! As again, it's a well known fact that the 'motion detector' can be circumvented--just like a real watchdog can be fooled!

    And you certainly can’t depend on your router or software firewall to keep web sites from sneaking trojans onto your hard drive--since they slip in disguised as legitimate browser activity. (Thanks to the deaf, dumb, and blind javascript.) So the burden falls squarely on anti-trojan programs to do the job they should have been doing all along. Which is to prevent trojans from gaining access to your computer in the first place, since javascript is obviously unable to distinguish the difference between trojans and legitimate web site processes.

    But by the same token, the burden also falls on the consumer to make sure the software companies know what they want. As they can't be expected to gamble costly resources on new features if there's no demand for them. And if only the hackers know about the javascript exploits, then there will be no demand for a feature to protect against it. Which is why "I'm preaching" about this, in order to inform the new visitors to this forum, since that eWeek article indicates that most of you are unaware of the problem.

    But not to worry, as this is my final "sermon" on the 'evils of javascript', since this pretty much sums it up, and any redundant posts on this aspect of the thread could LEGITIMATELY be characterized as "preaching" on my part. Besides--I'm outta here, as I have to leave for Iraq in the morning. So posters with hidden agendas (ties to security software companies, etc.) can distort what I've said all they want to, in order to mislead people who don't have time to do their own research. Have fun--but remember to keep the distortions "on topic". :)
     
  5. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Best defense against trojans that use javascript to slip in when you open website

    thank you big C, one of the questions solved ;)
     
  7. sandman8

    sandman8 Guest

    Re: Best defense against trojans that use javascript to slip in when you open website

    huh? all that on this page is about virus named
    JavaScript.kit it's just name of a virus
    nothing about protecting from getting trojans from javascript
     
  8. Justhelping

    Justhelping Guest

    Re: Best defense against trojans that use javascript to slip in when you open website

    And what happens if you decide to pick a fight with a moderator? You really crack me up.
     
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Give me a break, this is off topic and it seems you ain't helping nobody here. unlike you try us to say your name is.

    this is by no means even a reason to let yourself be known like this.

    have a nice evening to you all
     
  10. Radical

    Radical Guest

    Re: Best defense against trojans that use javascript to slip in when you open website

    What's up with this? A sophisticated new trojan?? BAAAHAHAHAHAHA! What a joke! It sure doesn't take a sophisticated new trojan to bypass the scanners! All it takes is UNsophisticated old trojans!!!!! If hop spent less time yapping and more time researching, he'd have seen the posts on TDS forum about their fancy named executive protection scanner missing trojans. TDS-3 is the best, and since the best can't do the job bring on the locked door like hop says! Keep those dang critters outta my dang puter, dangit!!!!!!!!!!!!!!!!!!!!!!!!!!!!! As I sure don't trust any of the scanners! Call me radical, but hop's too conservative because he should have been trying to organise people to file complaints with the govt. for the fraud perpetrated by the antitrojan companies. The govt. should make them put warning on the first screen of the installer saying THIS PROGRAM WILL NOT DETECT ALL TROJANS SO IT'S JUST A WASTE OF MONEY SINCE ALL IT TAKES IS ONE UNDETECTED TROJAN TO SCREW UP YOUR COMPUTER
    All you antitrojan companies should turn your tv's off and put out a product that works all the time and not just some of the time or you may one day be getting some criminal charges for ripping off the public with joke software!!!!!!!!!!!!!!!!! Sorry but that's just the way I feel!!!!
     
  11. Wondering

    Wondering Guest

    Re: Best defense against trojans that use javascript to slip in when you open website

    What question is solved? Are you guys seeing something on that link no one else can see? The only thing on big c's link is info. about a trojan that is named JavaScript.kit
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    At that time of writing, I was amused on how two human beings could take off like that.

    it seemed that they had a lot of questions :D

    seeing big c searching and trying to help here (to stay on topic) it felt OK to me. really.

    I thought this was one of the answers we were looking for in this whole discussion...

    it seems that there are members trying to help other members and there are other people, just waiting for someone to make a mistake and ...

    talking about real life here :blink:
     
  13. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Re: Best defense against trojans that use javascript to slip in when you open website

    As entertaining as this has been (no, not really) it's wandered so far off topic and remained there that I just can't live with myself if I allow this silly thing to live on. Off-topic thread with personal remarks closed.
     