Re: Here's how easy it is



Lil' Abner wrote:

The first day after a clean installation of XP, one of my clients did a
Google search for "human arm anatomy". On the right side there was a
sponsored link...
http://www.ask.com/web?q=Lower+Arm+Muscle+Diagram&qsrc=6&o=10616&l=dir
OK, that one was safe but the very first link on the ask.com page which
appears to be "us dot alx dot linux-site dot net/uthitamadsun.html" brings
up the infamous Personal Antivirus warning seen at
http://mewnlite.com/PAV.gif (safe, just an image)
She got out of it fast and mbam found no trace of it so she was lucky.
I came home and duplicated her action on one of my own computers. Same
results except there was a WOT warning. The Personal Antivirus popup was
there too. I hit "cancel" and the phony scan came up in another browser.
Both of us were using Firefox.
The only advice I could offer was for her to stay away from sponsored
links, but it could have happened just as easily on a non-sponsored site.
My HOSTS file blocks most all of Google's sponsored sites. The example
above got past it though.

"except there was a WOT warning"
Sounds like you had WOT installed whereas your customer did not. I
tried it for a while. Found it outdated (but not as bad as SiteAdvisor)
plus less than 2% of all web sites have been ranked, so most of the time
the neutral rating was displayed, which is of no value.

Closing the web browser is an event that can be detected in Javascript
to perform a function. Malicious sites will use the event to reload
their web page and keep their dialog open, reopen it, reload their web
page, or keep you there, or ignore your close attempt and proceed with
whatever action they intended to take, like *pretending* to run a scan
on your host while issuing a bogus infection report. Their popup dialog
(asking you to select to run or cancel their proposed scan) is modal so
you cannot change focus back to the web browser's frame. When you
attempt to close the web browser during their fake scan, they script
their way out using the close event to keep you there.

You never mentioned what OS either you or your customer are using. If
it is a version of Windows and one that includes taskkill.exe then you
can create a shortcut in a toolbar in the Windows taskbar that will kill
ALL instances of the web browser. For IE, I use a shortcut that runs:

%windir%\system32\taskkill.exe /im iexplore.exe /f

Not only does this kill all current instances of IE but it also
eliminates the malicious sites that keep spawning new windows for IE in
an attempt to hang your host with fully consumed memory. The continual
spawning makes it impossible to get focus on any particular IE window
which prevents you from closing it; you'll never catch up trying to kill
iexplore.exe processes using Task Manager, but you can still click on
the taskkill shortcut.

I normally want scripting enabled in the web browser because far too
many sites would be useless or overly crippled without it. Not just
commercial sites but freeware and personal sites, too. When visiting
completely unknown or untrusted sites, I use a shortcut that disables
scripting in the web browser (and for any instances of it loaded
thereafter) while visiting the untrusted site. When I close my reminder
window (a DOS shell) which is after I exit the web browser, scripting
gets reenabled. The shortcut runs a batch file that runs IE with a
limited token (see below), in private mode, in no add-ons mode, and with
scripting disabled:

Batch file: curb_IE.bat

@echo off
cls

rem - Disable script support in Internet security zone.
rem - Zone 3 = Internet zone; value 1400 = Active scripting (3 = disable, 0 = enable).
echo __________________________________________________________________
echo.
echo DISABLE script support in Internet Explorer ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1400 /t reg_dword /d 3 /f

rem - Run IE with limited privileges, no add-ons, and in private mode.
echo.
echo __________________________________________________________________
echo.
echo Load Internet Explorer with no add-ons and in private mode ...
echo.
echo *** Do NOT terminate this batch file.
echo *** Exit the web browser to complete this batch file and
echo resume script support.
echo.
echo WARNING: ALL instances of the web browser will have scripting disabled
echo until this batch file completes execution.
C:\Tools\SysInternals\psexec.exe -l "%programfiles%\Internet Explorer\iexplore.exe" -extoff -private about:blank
echo.
echo __________________________________________________________________
echo.

rem - Enable script support in Internet security zone (reached only after the
rem - browser exits; this line is skipped if the batch file is terminated).
echo.
echo ENABLE script support in Internet Explorer ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1400 /t reg_dword /d 0 /f

When I run this batch file, a DOS shell window appears with the echoed
comments. I do the web browsing in private mode, with no add-ons, where
no scripts can execute, and under a limited user account to severely
reduce the privileges for the web browser process. Disabling add-ons
will make many sites unusable so you might want another batch file that
omits the -extoff parameter for a slightly less restrictive instance of
the web browser. The above batch file was tested on Windows XP Pro but
I doubt IE uses different registry keys and data values to identify that
the scripting option has been disabled. reg.exe simply makes the
changes to the registry rather than you having to manually wade through
the config screens in IE. I click the shortcut, the DOS window appears,
I use the web browser in its throttled state (and any instances of IE
opened thereafter may or may not have private or no-addons modes enabled
but they will still have scripting disabled), I close the web browser
(all windows for each instance), and the batch script continues its
execution in the DOS shell to re-instate scripting support and it
closes. In fact, for that shortcut, I configure its properties to open
the DOS shell minimized so all I see is the taskbar button for it. When
I exit the last window for IE, that taskbar button disappears (but I
could restore its window size to see the comments).

It has always been recommended to have users log under a Limited User
Account (LUA) which significantly reduces their permissions. Alas, many
users still log under an admin-level account and some of us can't do our
work unless logged in under an admin-level account. That doesn't
preclude running the web browser under a LUA token to reduce its
privileges. Vista, I believe with its UAC mode, helps to mitigate some
of the problems with the web browser having full privileges. In Windows
XP, I use SysInternals' psexec with its -l option to load a process
under a LUA token (I like it better than DropMyRights). If you use
OnlineArmor for your firewall (which also includes HIPS), it has its
RunSafer attribute you can assign to a program so when it loads it also
runs under a LUA token. GeSWall doesn't limit privileges but itself
enforces privileges on processes. OA and GeSWall have the advantage
that they are automatic and will limit any instance of the web browser,
including if it is started as the child of another process (malware will
often try to usurp an Internet-facing application to get their
connection). However, more security means more interference. It's good
for average or noob users but the educated can probably do without it
and eliminate the conflicts they cause (unless they're lazy and, of
course, all of us are to some degree since we want to use our computers
instead of waste time securing them). I eventually went simpler in my
security setup and now just use the shortcuts to determine how limited
the web browser is. I have an IE toolbar added to the Windows taskbar
with shortcuts to run IE as:

- Normal
- Private Mode (-private)
- Private Mode + No Addons Mode (-private -extoff)
- Private Mode + No Addons Mode + No Scripts (uses a batch file)
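An added example, not from the original post: a PowerShell version of the curb_IE.bat idea that records whatever value 1400 currently holds and restores it in a finally block, so a Ctrl+C during the session does not leave scripting disabled the way an interrupted batch file does. It assumes psexec.exe at the C:\Tools\SysInternals path used above.

```powershell
# Added example (not from the original post): PowerShell rewrite of curb_IE.bat.
# Saves the current Internet-zone "Active scripting" setting (value 1400 under
# Zones\3), sets it to 3 (disabled), runs IE under a limited token via psexec -l,
# and restores the saved value in a finally block, which also runs on Ctrl+C.
# Assumes psexec.exe at C:\Tools\SysInternals, as in the batch file above.

$zone3  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$psexec = 'C:\Tools\SysInternals\psexec.exe'
$ie     = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

function Get-ScriptingState {
    # Reads value 1400: 0 = enabled, 1 = prompt, 3 = disabled.
    $v = (Get-ItemProperty -Path $zone3 -Name '1400' -ErrorAction SilentlyContinue).'1400'
    switch ($v) {
        0       { 'enabled' }
        1       { 'prompt' }
        3       { 'disabled' }
        default { "unknown ($v)" }
    }
}

# Remember the previous setting instead of hard-coding 0 on the way out.
$saved = (Get-ItemProperty -Path $zone3 -Name '1400' -ErrorAction SilentlyContinue).'1400'
if ($null -eq $saved) { $saved = 0 }   # value absent means the zone default (enabled)

try {
    Set-ItemProperty -Path $zone3 -Name '1400' -Value 3 -Type DWord
    Write-Host "Internet zone scripting is now: $(Get-ScriptingState)"
    Write-Host 'Close every IE window (or press Ctrl+C) to restore the previous setting.'
    # -l = limited token; -extoff and -private are the same IE switches the batch uses.
    & $psexec -l $ie -extoff -private 'about:blank' | Out-Null
}
finally {
    Set-ItemProperty -Path $zone3 -Name '1400' -Value $saved -Type DWord
    Write-Host "Internet zone scripting restored to: $(Get-ScriptingState)"
}
```

Closing the console window with its X button still bypasses the finally block, so the taskbar button should be minimized rather than closed, as the post already suggests.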