New Theory about Infections and Spyware

by the Courtesy of ASAP and Coyote-Tom

http://tomcoyote.org/Theory/

Inf.

 

So, IE might get infected through another browser, thereby effectively bypassing the security setting of IE...

 

apparently if you use IE as your mainbrowser at the moment you get hit, it won't infect you. it will hit you solely if you use ffx or moz and it uses some injecting techniques I guess to infect you through your secondary browser which is IE.

I guess even with FFX or Moz, it is still IE that is the prob and even if you use ffx or moz, you'll still get infected. but if you use IE as a main browser you won't get infected. kinda weird if you ask me.

Inf.

 

So, we better protect against code and process injection

 

I'm just a cluessnewbie but I don't think this "theory" is anything new.

When firefox started supporting direct installs of extensions via xpi last year, the very first "xpi malware" (if you allowed it and clicked yes) installed a IE homepage hijacker.

Even with the latest versions of firefox, giving permission to java applets is sufficient to get a downloader running and of course it can do whatever it wants including infecting IE.

Also it depends on the type of IE protection we are talking about, IE spyad obviously wouldnt work to prevent infection, but hosts files, registry monitors, BHO monitors etc will still continue to alert you of changes etc.

Just the opinion of a cluessless newbie.

 

so what you are saying is: uncheck the allow install from website and all is well?

I don't think so...I guess they allready tried that, off course they tried it, we aren't talking about newbies here but I'll try to find out more if I can.

Inf.

 

and no matter what, processguard would prevent it.

 

Moral of the story, use FF

 

only if you completely ditch IE it is usefull, if you still use IE as secondary browser, you'll still get infected, that is the whole discussion...you need to completely uninstall IE if not, no matter what you do you get infected...

 

I think what this theory amounts to is that some things can potentially still get through FF, which I agree with as I've seen computers infected that only use FF. It just stands to reason that if it comes in through FF, it's not going to be subject to IE's Internet Zone settings (including "safe" and "restricted" sites), and so it will be easier to make those changes.

I think the real moral of the story here is that even Firefox isn't 100%, always use a layered defense.

 

True, but not the point.

Infinity, you don't need to do anything, by default the site will not install anything unless you put it in the allowed list. You need to click no to Java as well.

Let's get one thing out of the way, the so called dangerous site will not infect you if you dont permission java. Other people have visited the site with no ill effects.

That's not the point.

I recommend you read the Original posting again. I was responding in particular to this part.

First note it's a theory.

A very trival observation.

Actually, if you read, Tom is saying to *NOT* use any alternative browser.

 

hi CluelessNewbie...

hmmm: title says: theory about malware install...

my answer to this topic:

true, exactly...that is basically my point what I was trying to say...

sorry if I didn't elaborate any better then I did.

sincerely

Inf.

 

Just about any of the behavior blockers (PG, Prevx, RegRun, MS Anti-Spyware, SpySweeper, WinPatrol or any good registry watcher) would have stopped this kind of attack, and most of the better AV/AT programs would have stopped it as well.

Fact is that once malware has gotten inside your system, there's a lot that it can do, especially if you're running as admin and not using the program files it's trying to modify.

EVERY browser is going to have it's problems, relying solely on your browser for your defense is not a good idea, and this story is a good example.

 

Just curious....when you speak of Java....are you speaking of Java\Active script or Java applet ?

It is also mentioned in that theroized thread about a...."js file that was called to". Unless I'm mistaken concerning the URL in question....the code that's shown in that thread is actually derived from script contained on the suspected site and not a js file. In any case....I want be jumping on this theroized wagon....yet

 

Bubba,

I'm talking about the Java applet. This page http://www.vitalsecurity.org/2005/03/firefox-spyware-infects-ie.html explains what I think is happening.

I'm don't see anything particularly evil about any inline javascript , though I havent checked the externally linked js file. But what do I know?

 

errr...
if someone understands all this...
mayB u shud drop a line to Kye-U...

He has this amazing Proxo filter set that blocks web nasties by the dozen.

It should be a good addition.

www.kye-u.com

 

We'll be trying netop firewall (corporate version). Looks like it might be a good defense as well ...