HTML exploits and how to detect them?

Discussion in 'malware problems & news' started by tom772, Sep 6, 2005.

Thread Status:
Not open for further replies.
  1. tom772

    tom772 Guest

    Hi,

    I have asked some similar questions and read some different threads at Wilders such as the following:
    xxxx://www.wilderssecurity.com/showthread.php?t=45472&highlight=HTML+exploits

    If you have already been unlucky enough to be infected with a trojan, worm or even embedded HTML coding within the OS or security application, and your AV and AT are unable to reveal or remove it, and it is not showing up in HijackThis, etc., what steps could I take apart from disabling scripts on my PC using HTAStop?

    Thank you for any replies,

    regards

    T
     
  2. StevieO

    StevieO Guest

    Hi Tom,

    I'm not too sure about detecting them, but to help prevent them I've been using this for some time now. Amongst the various other things it can also do to help secure our PCs is what you are asking about.

    Please read the info about any possible side effects it may have, depending on which options you choose.

    These are all very quickly Enabled/Disabled on the fly.

    BugOff v1.10

    http://www.richardthelionhearted.com/?url=merijn.richardthelionhearted.com


    StevieO
     
  3. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I'm not sure how you can be infected by 'embedded HTML coding', because it is an exploit and exploit coding is harmless in itself, the thing you need to worry about is the Trojan or Spyware the exploit attempts to foist onto your machine. But if you are not vulnerable to the exploit, because you are patched against it or your AV catches the exploit in your TIFs before it can do any harm, then there is nothing to worry about.

    If your AV can't find any malware on your system what makes you think you've got any malware to find? Do you have any symptoms of infection?
     
  5. Tom772

    Tom772 Guest

    The reason I ask is that a few months ago I was online without proper firewall protection, due to various issues. I seem to have been infected with some HTML code that was either a worm or trojan, not sure what, but when I installed my new AV, it seemed to pick it up and remove it. But I have been left with some strange WMI logs that I have checked and, while they are normal when compared with my friend's logs, show some ports that I think have been accessed!

    regards T
     
  6. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Please note that trojans spread through exploits (through infected rotating ad servers) are usually 0-day trojans/variants and were written/modified to escape detection. Exploits can also crash your browser.
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It sounds like you think you may have been hacked. I don't see what that has to do with HTML Exploits, which are things you would encounter through your browser whilst surfing an unsafe site (even though it may not seem 'unsafe'!).

    Your FW ports will have nothing to do with that. It is true that some FWs do offer certain protection against these problems (eg Zone Alarm Pro has its 'Mobile Code' protection against embedded Active X, Java and Scripts) but this is not the prime function of a FW.

    An HTML Exploit, or indeed any other exploit, is not a trojan or a virus or a worm, though some AV vendors like to confuse the issue by referring to them as trojans. In fact all the exploit does is try to forcibly D/L malware on you, or redirect you to another site that will do a 'drive-by' D/L on you, or attempt to activate malware already on your machine. If you are not susceptible to the exploit it will be harmless.

    Hacking is a different matter altogether, you don't need to be at a website to be hacked, you just need to be connected to the internet. But if your AV is not finding anything and your FW is not displaying unusual activity, then, short of some kind of rootkit (which presumably would not be revealing itself in logs or open ports) I don't see you have a problem.

    You could, however, D/L 'Active Ports' and see what Ports are in a 'Listening' state with TCP protocol:-

    http://www.snapfiles.com/get/activeports.html

    Or simpler still, just click Start/Run, type cmd and click OK, then enter the command netstat -a and press enter. That will give you a list of listening ports. You would then need to work out which of your apps is using these ports - and be suspicious of one you cannot ascribe to a known prog.
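
The port check described in the post above, as an added example that is not part of the original thread: it parses Windows `netstat -ano` output (the `-n` and `-o` switches add numeric addresses and the owning PID to the `netstat -a` listing), keeps the TCP sockets in the LISTENING state, and reports those whose PID cannot be ascribed to a known program. The sample output and the PID-to-program map are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8123           0.0.0.0:0              LISTENING       2044
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1580
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     1720
  UDP    0.0.0.0:445            *:*                                    4
"""

# Hypothetical PID -> program map, e.g. filled in by hand from `tasklist` output.
KNOWN = {4: "System", 912: "svchost.exe", 1580: "alg.exe", 1720: "firefox.exe"}

# Proto, local address:port, foreign address, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def listening_tcp(netstat_text):
    """Return one dict per TCP socket in the LISTENING state."""
    rows = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP, or a non-listening connection
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        # A listener bound only to loopback is not reachable from the network.
        loopback = addr.startswith("127.") or addr == "[::1]"
        rows.append({"addr": addr, "port": port, "pid": pid,
                     "remote_reachable": not loopback})
    return rows

def unexplained(rows, known):
    """Listeners whose owning PID cannot be ascribed to a known program."""
    return [r for r in rows if r["pid"] not in known]

if __name__ == "__main__":
    for r in listening_tcp(SAMPLE):
        owner = KNOWN.get(r["pid"], "UNKNOWN - investigate")
        print(f'{r["addr"]}:{r["port"]:<6} pid={r["pid"]:<5} {owner}')
```
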
     