New Theory about Infections and Spyware

Discussion in 'other security issues & news' started by Infinity, Mar 9, 2005.

Thread Status:
Not open for further replies.
  1. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    by the Courtesy of ASAP and Coyote-Tom

    http://tomcoyote.org/Theory/

    Inf.
     
  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    So, IE might get infected through another browser, thereby effectively bypassing the security setting of IE...
     
  3. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    apparently if you use IE as your main browser at the moment you get hit, it won't infect you. it will hit you solely if you use ffx or moz and it uses some injecting techniques I guess to infect you through your secondary browser which is IE.

    I guess even with FFX or Moz, it is still IE that is the prob and even if you use ffx or moz, you'll still get infected. but if you use IE as a main browser you won't get infected. kinda weird if you ask me.

    Inf.
     
  4. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    So, we better protect against code and process injection :)
     
  5. cluessnewbie

    cluessnewbie Guest

    I'm just a cluessnewbie but I don't think this "theory" is anything new.

    When firefox started supporting direct installs of extensions via xpi last year, the very first "xpi malware" (if you allowed it and clicked yes) installed an IE homepage hijacker.

    Even with the latest versions of firefox, giving permission to java applets is sufficient to get a downloader running and of course it can do whatever it wants including infecting IE.

    Also it depends on the type of IE protection we are talking about, IE spyad obviously wouldn't work to prevent infection, but hosts files, registry monitors, BHO monitors etc will still continue to alert you of changes etc.

    Just the opinion of a clueless newbie.
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    so what you are saying is: uncheck the allow install from website and all is well?

    I don't think so...I guess they already tried that, of course they tried it, we aren't talking about newbies here :) but I'll try to find out more if I can.

    Inf.
     
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    and no matter what, processguard would prevent it.
     
  8. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Moral of the story, use FF :p
     
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    only if you completely ditch IE it is useful, if you still use IE as secondary browser, you'll still get infected, that is the whole discussion...you need to completely uninstall IE if not, no matter what you do you get infected...
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I think what this theory amounts to is that some things can potentially still get through FF, which I agree with as I've seen computers infected that only use FF. It just stands to reason that if it comes in through FF, it's not going to be subject to IE's Internet Zone settings (including "safe" and "restricted" sites), and so it will be easier to make those changes.

    I think the real moral of the story here is that even Firefox isn't 100%, always use a layered defense.
     
  11. True, but not the point.

    Infinity, you don't need to do anything, by default the site will not install anything unless you put it in the allowed list. You need to click no to Java as well.

    Let's get one thing out of the way, the so called dangerous site will not infect you if you don't permission java. Other people have visited the site with no ill effects.

    That's not the point.

    I recommend you read the Original posting again. I was responding in particular to this part.

    First note it's a theory.

    A very trivial observation.

    Actually, if you read, Tom is saying to *NOT* use any alternative browser.
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    hi CluelessNewbie... :D

    hmmm: title says: theory about malware install...

    my answer to this topic:

    true, exactly...that is basically my point what I was trying to say...

    sorry if I didn't elaborate any better then I did.

    sincerely

    Inf.
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Just about any of the behavior blockers (PG, Prevx, RegRun, MS Anti-Spyware, SpySweeper, WinPatrol or any good registry watcher) would have stopped this kind of attack, and most of the better AV/AT programs would have stopped it as well.

    Fact is that once malware has gotten inside your system, there's a lot that it can do, especially if you're running as admin and not using the program files it's trying to modify.

    EVERY browser is going to have its problems, relying solely on your browser for your defense is not a good idea, and this story is a good example.
     
    Last edited: Mar 10, 2005
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Just curious....when you speak of Java....are you speaking of Java\Active script or Java applet ?

    It is also mentioned in that theorized thread about a...."js file that was called to". Unless I'm mistaken concerning the URL in question....the code that's shown in that thread is actually derived from script contained on the suspected site and not a js file. In any case....I won't be jumping on this theorized wagon....yet :doubt:
     
  15. Cluessnewbie

    Cluessnewbie Guest

  16. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    errr...
    if someone understands all this...
    maybe you should drop a line to Kye-U...

    He has this amazing Proxo filter set that blocks web nasties by the dozen.

    It should be a good addition.

    www.kye-u.com
     
  17. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    We'll be trying netop firewall (corporate version). Looks like it might be a good defense as well ...
     