Toys for the boys

Wear thick glasses and a brace on your teeth when you visit http://online.securityfocus.com 'cos it's full of links to geeky toys.  

 

     ****ALERT***

     

      I was just at the above posted url..had been there in the past.....this time I was hit by a trojan....my virus scanner alerted...an I deleted it.

    of special note.....file downloading is dis-abled on my os in all zones....install on demand is also dis-abled....in essense..this trojan should not have had any chance...but it by-passed all settings......of further note...java is dis-abled on my os....the trojan was a java exploit.....

     this just happened....so will now scan my os...later


                     snowman


    p.s    the posted url is a very nice site.....been there several times.....never had this happen before.

 

Hi Snowman,

Could you give some more info, if possible?
Which Trojan?
It looks like I didn't get such an alert overthere....

Thanks, Jan.

 

     Jan

     as soon as my scanner alerted I deleted the file without noticing the id'ed file.....only that it was a java exploit......

    if I recall correctely....when hit I was on page seven(7) of "intrusion detection"......was just reading..not opening any pages..or dl'ing.........my download scanner is what caught it........one file was deleted........don't know if this was the one or not but my scanner showed the last file scanned was c:\windows\...\scoreit(5).htm
......of itself that may means nothing...however, there is a score rating at the site..........

     frankly it was an absolute surprise....thats a real good website.......never have heard of this happening there before......really surprised!     I did a complete scan of my os....its clean.........but just in case I installed an extra resident trojan scanner....will remove it in an hour......resources at 50%

      there were several odd factors here....my script detectors didn't alert...js is blocked several ways by other means........htm...html..is blocked......in short this sort of exploit simply wont work on my os....yet I got the alert and deleted a file.......strange!!

      if it were anything other than my download scanner that had alerted.....I would look for something in my os..not the website...but in fact I have scanned my os also......both for trojan and virus ...nothing!

      oh well.....don't think I'll go back to find out.  LOL

                            snowman

 

What scanner are you using? What caught this "trojan"?

Are you certain it isn't a false positive?

 

I went there with java enabled, with my invisible firewall and with TDS up and running and I didn't experience any issues.  

Nice site.

 

       Unicron

       McAfee caught it......nope it was no false positive...
I would like being able to offer more information..but I re-acted quickly....first thought to get rid of the darn thing......

       Unicron...I think this was the incident that will completely turn me off..from using the internet.   I have been thinking about this since it happened.......an came to the realization that its a hopeless cause....everywhere there is an exploit of some kind.......its endless.

       a local privacy group I belong too...(2800 members) has long ago stop using credit cards on the internet.........members give talks at schools all around the state..........churches etc..........word is spreading...

       its rather unfortunate that the "good guys" are the one's who suffer a lost of business.......some exceptional software will never be purchased by people who..like myself..will never...under no circumstances...at no future time...will purchase anything by way of the internet..............this is what these incidents cause.

      I've never been bothered by pro hackers.....thats never been a problem...sure it could be...except the pro's have a code of honor all their own.....no, its the tracking ..tracing....cross-siteing...info harvesting....cookie jamming.....crap...thats disgusting!

       so far this year...four computers that I would have purchased will not be purchased........the software that would have went on those computers will never be purchased....my business hasn't suffered one bit...in fact..I began using other means entirely......an most likely will never go back.        maybe its time the honest software vendors see first hand the money they lose because of some idiots behavior.......

        sorry for the rant.....no I am not upset..not pe'oed.....just facing reality.......from now on I surf for the heck of it...expecting the worse....an re-formating when it happens........its much less expensive.

                        snowman

 

       Zappa

       thanks for checking out the site...yes its a very good site...I used it many times.



      looking back at how I used the computer today.....I didn't use it very much.......I checked the anti-ad blocking website.......I also downloaded and briefly installed "MYIE" broswer......un-installed...checked the registry...files..etc..........thats it for the entire day....nothing happened until Iwent to that site.....


                     snowman

 

Snowman: This whole thing (the web) is still, believe it or not, in its infancy. It's trial and error with so many things.

I know the frustration, but hang in there. I posted last night about my consideration of the Mac. Trust me, Snowman, not NEAR the problems or exploits. The new OS X is basically nothing but Unix with a (very classy) new Mac face. Go read my post - it's at
http://www.security-pro.co.uk/yabb/YaBB.pl?board=osif;action=display;num=1021617021
(Is there a quicker/easier way to link to forum posts?)

As for credit cards on the net. It's so CONVENIENT! But, there ARE risks. Though, I argue LESS than using it at WalMart, where the clerk
1. Gets your card number
2. Gets your expiration date
3. Turns your card over and gets your 3 digit security number.
4. Your Name
5. Your Address and Phone
6. Some states still use ss#'s for dl #'s.

Everything they need to steal your identity or use your card for non-pos purchases. If Internet shopping bothers you, here is a fool-proof safe method:
https://www.netspend.com/public/
It costs $20 bucks and you pre-load the Mastercard with as much as you want. Everytime you want to use it on the net, you sign in to NetSpend and tell it you want to use the card, it spits out a one-time use number. You then go wherever you want to shop, use that number and it is forever history after your purchase. I should also mention - it's completely anonymous. They don't even ask you a name and address. An email address is all you need. You can load the card with a money order and be 100% anonymous. (You can give the merchant ANY name - it's the one-time number that matters when they run the card.). They encourage the privacy in fact. You will see on the site that they really play up the anonymity.

Hang in there! Go look at my Mac post if you get a chance.

John
Luv2BeSecure

 

     John

     I apreciate everything that you said....at this point there is no way..no circumstances....that I would ever even consider using a credit card on the internet.....it just wont ever happen!

     after this post I am going to do a system restore....it happens that I was trying out a new program...an will need to un-install it.....thats one program that will never be purchased......yes it was good....but I wont waste time re-downloading it again......nor will I purchase it over the internet as would be needed......its gone forever..............

     this begins a new era in my experience with the internet.

     but hey..thanks John....


                              snowman

 

good info John!

Snowman, I must be missing something here. Please correct me where I am wrong, I obviously have not gotten the full picture:

You got an alert with one particular anti-virus program "McAffe"  that a Trojan was being downloaded to your machine via Java. McAffe deleted it before you could get its name or submit it to McAffe or anyone else for analysis. None of your programs designed to manage Java noticed. An  anti-trojan program did a scan afterward and found nothing.

So we have (or rather don't have) a nameless, un-analyzed file that now no one can analyze. Several other board members have gone to this site and noticed nothing out of the ordinary. You are absolutely sure this is not a false positive even though you have no idea what the file type was.

I see no possible way to prove this was or wasn't a trojan. I am uncertain why you are so strongly convinced. McAfee isn't even that great at detecting trojans.

I will now go to this site while running ethereal, and capture EVERY LAST PACKET they send me. Ethereal comunicates directly with the network card and totally bypasses windows, so we can be reletively sure we won't miss anything. I'll also be running NOD32, TDS-3, Wormguard and about 50 other things


I will post back with info when I get it.

 

I had Java not enabled when I visited that page.
While visiting NAV and BOClean were running.
After visiting I did full system scan with NOD32 and TDS-3. Nothing was found.

 

      Unicron

       everything you stated is correct......absolutely no dis-agreement on my part......also,, as previously stated I deleted immediately....therefore..no file...only showing that file was deleted..........once before McAfee was first to catch a trogan......an buddy I am no McAfee fan by any means of the word.......I dislike the company.

       also, as stated..I've been to that website numerous times...like it alot........

       if you are suggesting that I would lie...obviously you don't know me very well..........an I prefer to keep it that way in the future.......no offense intended.


        to all other posters...I am happy that you were not hit by the exploit......I just spent the past hour completely cleaning my os as a pre-caution...did an entire restore....cleaned again.........I could have been doing alot better things than this......

       next time..if there is a next time..something like this happens I'll be certain not to mentioned it.....see  this time I cared enough to want to prevent others from having the same experience............

       now I'll bid everyone a goodnight


                        snowman

 

I am back.

After going to that site and clicking through all 14 pages of "Intrusion detection", I had captured 2500 packets!

My preliminary finding are that nothing harmfull was sent to me. Just a ton of HTML, javascript, and images.

One more thing however is CSS (cascading style sheets provide formatting information for an entire page or site in an external file that need only be downloaded once). This site, like many, makes use of them. A browser has to download them. No, the browser doesn't normally bother to tell you. They are harmless as far as I know.

Could this be considered a threat? I don't know what the level of knowledge is on this board for CSS but basically you can make up yout own tags and name them what you want, and have them do what you want.  

eg:

SMALL
{
   FONT-WEIGHT: normal;
   FONT-SIZE: x-small;
   COLOR: #efefef;
   FONT-FAMILY: Arial, 'Courier New', 'Times New Roman'
}


Here I make a class called "small" that is used like this:

<p class="small"> really small text </p>

What if this class was called "sub7" or "klez"

would a scanner such as McAfee that scans downloading  files pic up something like this?

I will have to back through my captured packets and look for stuff like this. Perhaps I will install McAfee trial as well to test.

 

Snowman, from reading your posts I know you've been around the block and I know I ain't telling you nothing you already don't know. I ain't preaching either.

In the Firewall Forum I started a post where I question the need for a firewall on my home PC.  I babbled about the net and the paranoia it creates.  I recently lost a few pounds of net paranoia.    

I work in mortgage banking and have seen many folks that have suffered from identity theft, fraudulent use of their credit cards etc.   I use a, as in one CC, when purchasing stuff on the net.  It has a low limit and I never use my real full first or last name and I purposefully spell my street name wrong.   If there is an 800 # to call I will use that before typing away.

My little effort to thwart identity theft.  Yea, the social is an issue and so I've contacted the repositories and instructed them not to issue any credit until contacting me by phone to verify it's really me.  Seems to be working so far.  knock on wood

I had a buddy who had his CC swiped by a slime-bag waiter at a restaurant with one of those little gizmo's they use that fits in their pocket that steals the numbers.  I had a buddy who was at a stop light sitting on his bitchen Harley waiting for green and a City of Santa Monica garbage truck ran him over.  Launched him across the 4 way.  Tough mofo as he is still alive yet very damaged and just went back to work after 3 years of rehab.

Ya gotta live bro.  Stuff happens.  I tell you what you can use my CC on the net then just send me a check!!!  LOL.   Just kidding.  

FanJ, come on man, enable java and go back and try again!!  LOL.   Go for it.  

Snowman, just read your post^.  Come on man, people just be checking out possible exploits.  Everyone's paid for security programs and want to take them out for a spin around the block type of deal.  Anyway please let me know of any possible sites with exploits as I am testing my new less paranoid net 'tude of surfing with  java enabled, active x enabled, no firewall and relying on the layers of security programs as protection and seeing if the bucks I spent are earning their keep.  It feels really good to surf this way for some reason.  LOL.  

I did a full backup of all drives just in case the new 'tude, not to mention the HD, takes a beating.

Cheers.

 

Snowman, the thought that you are lying had not crossed my mind. I am actually trying my best to sort this out with the small amount of information I have (next to none)

I can assure you if I thought you were lying I wouldn't have spent the last three hours wasting my time on your problem.

What puzzles me the most is why you are sure it isn't a false positive, will little or no evidence. You have yet to provide any explanation of this. You may have a good reason, I dunno, nor can I guess so I wait for you to tell me.

I am trying hard to figure this out because I too like that site and it would be a shame if they were lame. Hey that rhymed!

Anyhow, please don't feel like you are being scrutinized, because you are not. Currently I have this site under the microscope not you!

I will have more info tomorrow but it is getting late here as well. Packet reading isn't a great deal of fun by packet number 600.

 

Hi Snowman,

I didn't want to hurt you or any thing like that.
If I did so, I apologize !
I'm not saying you're lieing, sure not.
I only couldn't find an infection with my programs; but maybe I should have done it another way. I guess Uni is doing it much better his extensive way.

 

  Unicron

  without perhaps realizing it..you solved the mystery....without going into to along explanation of the hows and whats.....will just say that CSS on my os could well be taken as a trojan......its a project I have been working on for awhile........but no..I still can't explain why McAfee would detect it..unless it was seen as a hostil applet...then yes......CSS wont execute on my os...its blocked completely..........an yes there is a reason.

     an now.. a more personal note....Unicron I took an immediate liking to you.....I like the way you present yourself...an your honesty is exceptional.........an its because I like you that I took offense that you may imply that I would lie..........it was like having a really good friend suddenly accuse.......an that hit hard........an I am grateful to you for clearing that up.......see, thats why I like you....you are straight up........that means alot to me....more than you may realize.      As for me....I am most likely more honest than a Pastor......

    I apologise if I have offended you...or anyone else..an say this sincerely......not because I have to...but because thats me.


        Zappa.....FanJ

      its been a long day...twice I was hit by trojans...an my attitude is not the best....for this I also apologise.....
      I contacted the IP of the first attempt on my computer.....as was all but laughed at.....an its this sort of thing that doesn't sit well.......

     fortunately the so-called trojan at that website isn't an actual trojan...instead its CSS.......this is how CSS does not work on my os:


©2002 Microsoft Corporation.  

Why does this page look like this?  This page has been designed to work best with current browsers.  If you're seeing this message, you either have an older browser, or you have disabled CSS (Cascading Style Sheets) support in your browser.  You can continue using this browser

   
      that paste is from the <msn> homepage....


      thanks to everyone for being patient....and to you Unicron for your understanding.   I am truely sorry to have been such a burden......an a pain in the &%^


                         snowman

 

    Just thought to show you guys what happens if I tryed to access a web e mail account:



 Warning: Failed opening 'modules/Email/index.php' for inclusion (include_path='.:/php/includes:/usr/share/php')




        Like I said...my os is odd......LOL



                      snowman

 

Hey Snowman, no sweat. We all had fun and I got to wear my furry purple cowboy hat with pink polka-dots and a peacock feather stickin out of it.

I am sooooooo glad we figured this out before I examined 1900 more packets. That is if we are sure. I am not yet convinced it is CSS, but if no one else is havin this prob, we can let it go till next time.

If you are feeling brave snowman, can you go back there, stomp around abit until you get the file again, and send it to me? If it is a harmless CSS then no biggie, if not, I'd like it for testing. Some of the security guys will want it too. But after a full restore I won't blame you for not wanting to go back!

Have a good night Snowman, all is well that ends well.


my daughter explains it best here:
http://24.69.117.89/ipdefault/images/peace.jpg

 

    Unicron

    thank you for being so understanding....I am embrassed for being so rude......alittle self-guilt may do me some good...LOL        I also forgot to thank you for giving of your time......that was quite an effort you made.

    definitely I will return to the site.....no doubt if its still there I will capture it........but I've got that "other" problem.....as you may notice in previous post..I don't have e mail....I did until a couple of weeks ago...then puff...my blocks took it out.....an I don't know which one did it.
 
    perhaps others can see my frustration...our friend zappa may have had the best advice when saying "live alittle"    because right now I sure feel like droping all the security..an flying!    My lil niece needs a computer..maybe I'll re-format back to its normal os..an give it to her......


                    snowman
     

 

Snowman, if malware has driven you to cripple your machine for fear of infections, it has accomplished its goal. Virus writers attempt to disrupt and cripple machines. Either way that is not a victory for us.

I propose that protection from the risk of an infection is not worth no email and a barely functioning browser.

I would not pay $100 to protect and insure $100. Self defeating! I'd guess the firewall is the problem, but hard to say from here. Turn it off and test your mail. If it works, then you need to reconfigure your firewall. If that doesn't work, here is a suggestion:

1) remove all your protection while disconnected from the web

2) add anti-virus back on.

3) get email working

4) apply firewall - ENSURE EMAIL WORKS

5) incrementally apply the rest of the security tools one by one testing your browser capabilities and email after each one. You can email me to test each time if you like.

6) isolate the offending security app

7) post its name here, and we can try to configure it properly or get rid of it.

Once all that is done, turn your computer off, crack a Corona w/lime and  fire up the Barbi-Q.

 

Snowman, you're (easily) the most cautious person here.  That's not a criticism, not in any way!  I would like to suggest the following, specifically for you:

• Buy and fit a second hard drive, as big as your primary hard disk
• Make it (your new secondary disk) bootable
• Copy your primary to your secondary
• In your BIOS settings, disable your primary disk
• "Surf" using your Secondary disk

It's not quite as straightforward as it may seem, but when a hard disk is disabled in the BIOS, nothing whatsoever can touch it.  What I'm suggesting to you is that you can (effectively) have two computers in one.  You can clean out and restart the second one very easily, and you won't have to worry about reinstalling patches or upgrades.  You can visit the Net to your heart's content, and let 'em all infect you with their damn trojans, bugs, cookies, whatever - the second you disconnect and reinitialise your secondary, they're history!  They've wasted their time!

To be even more secure, your machine has two IDE channels, and each can have a primary and secondary HDD (hard disk drive).  You could even have:

• A personal, non-Internet computer
• A fast-backup, non-Internet computer
• A surfing computer

...all in one!  All you have to do is make a couple of BIOS settings whenever you power your box on!

I sincerely hope that helps, Snowman.  I'd hate to lose you here.


(Hey...I may even take my own advice!   )

 

       Unicron   and Checkout

       several months ago I began a personal project that has led to the results you now see happening on my computer.

      Unicron..I have an up-to-date-broswer...fully patched...an working.......it functions normally

      firewall working just fine....recently tested a couple of days ago....

       whats happened...has happened by choice...an can be reversed in less than thirtry miniutes...although it would take much time to re-config if I wanted to un-do the reverse,,,,,
       this didn't start out as seeking a way to prevent malware.......this was about proxy cache servers...those never spoken about servers that collect..store..and re-distribute information.........an unless you go well out of your way to do a real fine search of the subject then you wont locate very much information....
      as yet no one has seen the light...not the security community..not the public..... an I am not going to be the person to enlighten....nope, I'm just an average guy lacking the knowledge to explain properly......
      there are security tools for just about every exploit....an army of people in the security community working around the clock to stop that next virus or trojan......a wonderful job being doing
      Checkout....my friend its not caution on my part...its determination.....once I actually was able to see what was going on my goal was to find a way of preventing it.
      think about this (un-related)  M$ knows that CSS can be used to exploit...even agreed that its a threat...but don't wait for M$ to offer a solution...M$ is perhaps the largest user of CSS....
     the whole ballgame is just smoke and mirrors..there are people in the security community who knows this to be true.....an would be shouted down if they spoke openly.........right now I must appear as a complete idiot talking about this subject....yet that does not change the reality of the situation.  
     will I ever return my os to normal...yes!  I succeeded in reaching the goal that was set..the challange isn't there....thats all I wanted to achieve.  in fact I wont make any record of the events.
     as mentioned in other threads here...this is a changing time in my life...in recent weeks I have slowly been selling my holdings.....with the idea of returning to just a slow paced lifestyle....a cabin in the moutains for relaxing...an 8 hour job...an a few good friends...an just let the world do its thing.
      please excuse me for the long winded post...I have known a few members of this BB for years...an have grown fond of everyone....we share our up and down moments...as a family of friends.   No I am not ready just yet to give up the internet entirely.....but yes yesterday did begin a new day on how I access the internet...

                          snowman

 

Rough paraphrase of something someone said to me lately:

"We can't control everything - but wouldn't it be a pity if we all gave up on helping the people we do and can with the things that we can control and help them protect themselves from?"

snowman, I know you care about people - heck, if it was just all about us, I know we both would have been off the Internet a long time ago.

Helping people, when you can and as best you can, is a powerful calling - I think we both know that it's not as simple as walking away from the computer.

Just a thought or two of my own (and someone else's) on that. Pete