Re: Here's how easy it is

VanguardLH <V@xxxxxxxxx> wrote in news:h7mfr2$264$1@xxxxxxxxxxxxxxxxx:

Lil' Abner wrote:

The first day after a clean installation of XP, one of my clients did
a Google search for "human arm anatomy". On the right side there was
a sponsored link...
http://www.ask.com/web?q=Lower+Arm+Muscle+Diagram&qsrc=6&o=10616&l=dir
OK, that one was safe, but the very first link on the ask.com page,
which appears to be "us dot alx dot linux-site dot
net/uthitamadsun.html", brings up the infamous Personal Antivirus
warning seen at http://mewnlite.com/PAV.gif (safe, just an image).
She got out of it fast and mbam found no trace of it, so she was
lucky. I came home and duplicated her action on one of my own
computers. Same results, except there was a WOT warning. The Personal
Antivirus popup was there too. I hit "cancel" and the phony scan came
up in another browser. Both of us were using Firefox.
The only advice I could offer was for her to stay away from sponsored
links, but it could have happened just as easily on a non-sponsored
site. My HOSTS file blocks most all of Google's sponsored sites. The
example above got past it though.

"except there was a WOT warning"
Sounds like you had WOT installed whereas your customer did not. I
tried it for awhile. Found it outdated (but not as bad as
SiteAdvisor) plus less than 2% of all web sites have been ranked so
most of the time the neutral rating was displayed which is of no
value.

Closing the web browser is an event that can be detected in JavaScript
to perform a function. Malicious sites will use the event to reload
their web page and keep their dialog open, reopen it, reload their web
page, or keep you there, or ignore your close attempt and proceed with
whatever action they intended to take, like *pretending* to run a scan
on your host while issuing a bogus infection report. Their popup dialog
(asking you to select to run or cancel their proposed scan) is modal,
so you cannot change focus back to the web browser's frame. When you
attempt to close the web browser during their fake scan, they script
their way out using the close event to keep you there.

You never mentioned what OS either you or your customer are using. If
it is a version of Windows and one that includes taskkill.exe then you
can create a shortcut in a toolbar in the Windows taskbar that will
kill ALL instances of the web browser. For IE, I use a shortcut that
runs:

%windir%\system32\taskkill.exe /im iexplore.exe /f

Not only does this kill all current instances of IE, but it also
eliminates the malicious sites that keep spawning new windows for IE
in an attempt to hang your host with fully consumed memory. The
continual spawning makes it impossible to get focus on any particular
IE window, which prevents you from closing it; you'll never catch up
trying to kill iexplore.exe processes using Task Manager, but you can
still click on the taskkill shortcut.

I normally want scripting enabled in the web browser because far too
many sites would be useless or overly crippled without it. Not just
commercial sites but freeware and personal sites, too. When visiting
completely unknown or untrusted sites, I use a shortcut that disables
scripting in the web browser (and for any instances of it loaded
thereafter) while visiting the untrusted site. When I close my
reminder window (a DOS shell) which is after I exit the web browser,
scripting gets reenabled. The shortcut runs a batch file that runs IE
with a limited token (see below), in private mode, in no add-ons mode,
and with scripting disabled:

Batch file: curb_IE.bat

@echo off
cls

rem - Disable script support in Internet security zone.
rem   Zone 3 is the Internet zone; value 1400 is "Active scripting"
rem   (0 = enable, 1 = prompt, 3 = disable).
echo __________________________________________________________________
echo.
echo DISABLE script support in Internet Explorer ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1400 /t reg_dword /d 3 /f

rem - Run IE with limited privileges, no add-ons, and in private mode.
rem   psexec -l runs the program under a limited (LUA) token; the batch
rem   file blocks here until the last IE window is closed.
echo.
echo __________________________________________________________________
echo.
echo Load Internet Explorer with no add-ons and in private mode ...
echo.
echo *** Do NOT terminate this batch file.
echo *** Exit the web browser to complete this batch file and
echo     resume script support.
echo.
echo WARNING: ALL instances of the web browser will have scripting disabled
echo          until this batch file completes execution.
C:\Tools\SysInternals\psexec.exe -l "%programfiles%\Internet Explorer\iexplore.exe" -extoff -private about:blank
echo.
echo __________________________________________________________________
echo.

rem - Enable script support in Internet security zone.
echo.
echo ENABLE script support in Internet Explorer ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1400 /t reg_dword /d 0 /f

When I run this batch file, a DOS shell window appears with the echoed
comments. I do the web browsing in private mode, with no add-ons,
where no scripts can execute, and under a limited user account to
severely reduce the privileges for the web browser process. Disabling
add-ons will make many sites unusable so you might want another batch
file that omits the -extoff parameter for a slightly less restrictive
instance of the web browser. The above batch file was tested on
Windows XP Pro but I doubt IE uses different registry keys and data
values to identify that the scripting option has been disabled.
reg.exe simply makes the changes to the registry rather than you
having to manually wade through the config screens in IE. I click the
shortcut, the DOS window appears, I use the web browser in its
throttled state (and any instances of IE opened thereafter may or may
not have private or no-addons modes enabled but they will still have
scripting disabled), I close the web browser (all windows for each
instance), and the batch script continues its execution in the DOS
shell to re-instate scripting support and it closes. In fact, for
that shortcut, I configure its properties to open the DOS shell
minimized so all I see is the taskbar button for it. When I exit the
last window for IE, that taskbar button disappears (but I could
restore its window size to see the comments).

It has always been recommended to have users log under a Limited User
Account (LUA) which significantly reduces their permissions. Alas,
many users still log under an admin-level account and some of us can't
do our work unless logged in under an admin-level account. That
doesn't preclude running the web browser under a LUA token to reduce
its privileges. Vista, I believe with its UAC mode, helps to mitigate
some of the problems with the web browser having full privileges. In
Windows XP, I use SysInternals' psexec with its -l option to load a
process under a LUA token (I like it better than DropMyRights). If
you use OnlineArmor for your firewall (which also includes HIPS), it
has its RunSafer attribute you can assign to a program so when it
loads it also runs under a LUA token. GeSWall doesn't limit
privileges but itself enforces privileges on processes. OA and
GeSWall have the advantage that they are automatic and will limit any
instance of the web browser, including if it is started as the child
of another process (malware will often try to usurp an Internet-facing
application to get their connection). However, more security means
more interference. It's good for average or noob users but the
educated can probably do without it and eliminate the conflicts they
cause (unless they're lazy and, of course, all of us are to some degree
since we want to use our computers instead of wasting time securing
them). I eventually went simpler in my security setup and now just
use the shortcuts to determine how limited the web browser is. I have
an IE toolbar added to the Windows taskbar with shortcuts to run IE as:

- Normal
- Private Mode (-private)
- Private Mode + No Addons Mode (-private -extoff)
- Private Mode + No Addons Mode + No Scripts (uses a batch file)

That's some pretty useful stuff for those of us who understand it, but
I'm afraid the little old lady that was searching for "human arm
anatomy" wouldn't have a clue.

She's running XP Home SP3. I'm running XP Pro SP3. I also have Vista and
Win 7 RC on this machine and will try that URL just for kicks and see how
it acts in those OS's. I thought that it was amusing that the URL of the
offending site included "linux-site" in it.

As far as WOT goes, I do notice that it flags a lot of sites you Google
for. Perhaps the 2% you mentioned are mostly bad sites that people have
reported. Who is going to take the time to rate a *good* site?

Thanks a lot for your lengthy reply. There's a lot of stuff in there that
I can use.

--
--- Everybody has a right to my opinion. ---
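The disable/launch/restore sequence from VanguardLH's curb_IE.bat, rewritten here as an added PowerShell example (it is not code from either poster). It differs from the batch file in two ways a practitioner would want: it reads the data value 1400 held before the session and restores that, rather than always writing 0 (so a user who had the zone set to "prompt" gets "prompt" back), and the restore sits in a finally block so a session stopped with Ctrl-C still re-enables scripting. The registry location (HKCU ...\Zones\3, Internet zone) and the meaning of value 1400 (0 = enable, 1 = prompt, 3 = disable) are the ones the batch file relies on; the function name Get-ZoneScripting, the IE path and the use of Start-Process instead of psexec's limited token are this example's own assumptions.

```powershell
# Added example, not part of the original thread.
# Assumed: Internet zone = Zones\3, value 1400 = Active scripting
# (0 = enable, 1 = prompt, 3 = disable). IE path is an assumption.
$zonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1400'
$ieExe     = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

# Report the current setting so the state can be verified before and after.
function Get-ZoneScripting {
    $item = Get-ItemProperty -Path $zonePath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: IE uses its default
    return $item.$valueName
}

$original = Get-ZoneScripting
if ($null -eq $original) { $original = 0 }  # treat "absent" as enabled (IE default)
Write-Host "Internet zone scripting (1400) before: $original"

try {
    # Disable scripting for the Internet zone; this affects every IE
    # instance started while the value is 3, not only the one launched here.
    Set-ItemProperty -Path $zonePath -Name $valueName -Type DWord -Value 3
    Write-Host 'Scripting DISABLED in the Internet zone until this window finishes.'

    # Private mode, no add-ons, blank start page (same switches as the batch file).
    $proc = Start-Process -FilePath $ieExe -ArgumentList '-private', '-extoff', 'about:blank' -PassThru
    $proc | Wait-Process

    # Do not restore while any iexplore.exe remains: IE may have handed the
    # browsing session to another process after the launcher exited.
    while (Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
        Start-Sleep -Seconds 2
    }
}
finally {
    # Runs on normal exit and on Ctrl-C; restores the previous data, not a fixed 0.
    Set-ItemProperty -Path $zonePath -Name $valueName -Type DWord -Value $original
    Write-Host "Internet zone scripting (1400) restored to: $(Get-ZoneScripting)"
}
```

Run it from a taskbar shortcut as powershell.exe -File curb_IE.ps1. Closing the console window with its close button (rather than Ctrl-C) kills the host before finally runs, so after an abnormal end, call Get-ZoneScripting (or open the zone settings in IE) to confirm the value is back to what you expect.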