Re: Here's how easy it is
- From: Dustin Cook <bughunter.dustin@xxxxxxxxx>
- Date: Sat, 05 Sep 2009 03:08:01 GMT
"Lil' Abner" <blvstk@xxxxxxxxxxxx> wrote in news:Xns9C7AA3C4D4F71butter@wefb973cbe498:
VanguardLH <V@xxxxxxxxx> wrote in news:h7mfr2$264$1@xxxxxxxxxxxxxxxxx:
Lil' Abner wrote:
The first day after a clean installation of XP, one of my clients
did a Google search for "human arm anatomy". On the right side there
was a sponsored link...
http://www.ask.com/web?q=Lower+Arm+Muscle+Diagram&qsrc=6&o=10616&l=dir
OK, that one was safe but the very first link on the ask.com page
which appears to be "us dot alx dot linux-site dot
net/uthitamadsun.html" brings up the infamous Personal Antivirus
warning seen at http://mewnlite.com/PAV.gif (safe, just an image)
She got out of it fast and mbam found no trace of it so she was
lucky. I came home and duplicated her action on one of my own
computers. Same results except there was a WOT warning. The Personal
Antivirus popup was there too. I hit "cancel" and the phony scan
came up in another browser. Both of us were using Firefox.
The only advice I could offer was for her to stay away from
sponsored links, but it could have happened just as easily on a
non-sponsored site. My HOSTS file blocks most all of Google's
sponsored sites. The example above got past it though.
"except there was a WOT warning"
Sounds like you had WOT installed whereas your customer did not. I
tried it for a while. Found it outdated (but not as bad as
SiteAdvisor) plus less than 2% of all web sites have been ranked so
most of the time the neutral rating was displayed which is of no
value.
Closing the web browser is an event that can be detected in
Javascript to perform a function. Malicious sites will use the event
to reload their web page and keep their dialog open, reopen it,
reload their web page, or keep you there, or ignore your close
attempt and proceed with whatever action they intended to take, like
*pretending* to run a scan on your host while issuing a bogus infection
report. Their popup dialog (asking you to select to run or cancel
their proposed scan) is modal so you cannot change focus back to the
web browser's frame. When you attempt to close the web browser
during their fake scan, they script their way out using the close
event to keep you there.
You never mentioned what OS either you or your customer are using.
If it is a version of Windows and one that includes taskkill.exe then
you can create a shortcut in a toolbar in the Windows taskbar that
will kill ALL instances of the web browser. For IE, I use a shortcut
that runs:
%windir%\system32\taskkill.exe /im iexplore.exe /f
Not only does this kill all current instances of IE but it also
eliminates the malicious sites that keep spawning new windows for IE
in an attempt to hang your host with fully consumed memory. The
continual spawning makes it impossible to get focus on any particular
IE window, which prevents you from closing it; you'll never catch up
trying to kill iexplore.exe processes using Task Manager, but you can
still click on the taskkill shortcut.
I normally want scripting enabled in the web browser because far too
many sites would be useless or overly crippled without it. Not just
commercial sites but freeware and personal sites, too. When visiting
completely unknown or untrusted sites, I use a shortcut that disables
scripting in the web browser (and for any instances of it loaded
thereafter) while visiting the untrusted site. When I close my
reminder window (a DOS shell) which is after I exit the web browser,
scripting gets reenabled. The shortcut runs a batch file that runs
IE with a limited token (see below), in private mode, in no add-ons
mode, and with scripting disabled:
Batch file: curb_IE.bat

@echo off
cls
rem - Disable script support in Internet security zone.
echo __________________________________________________________________
echo.
echo DISABLE script support in Internet Explorer ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1400 /t reg_dword /d 3 /f
rem - Run IE with limited privileges, no add-ons, and in private mode.
echo.
echo __________________________________________________________________
echo.
echo Load Internet Explorer with no add-ons and in private mode ...
echo.
echo *** Do NOT terminate this batch file.
echo *** Exit the web browser to complete this batch file and
echo     resume script support.
echo.
echo WARNING: ALL instances of the web browser will have scripting disabled
echo          until this batch file completes execution.
C:\Tools\SysInternals\psexec.exe -l "%programfiles%\Internet Explorer\iexplore.exe" -extoff -private about:blank
echo.
echo __________________________________________________________________
echo.
rem - Enable script support in Internet security zone.
echo.
echo ENABLE script support in Internet Explorer ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1400 /t reg_dword /d 0 /f
When I run this batch file, a DOS shell window appears with the
echoed comments. I do the web browsing in private mode, with no
add-ons, where no scripts can execute, and under a limited user
account to severely reduce the privileges for the web browser
process. Disabling add-ons will make many sites unusable so you
might want another batch file that omits the -extoff parameter for a
slightly less restrictive instance of the web browser. The above
batch file was tested on Windows XP Pro but I doubt IE uses different
registry keys and data values to identify that the scripting option
has been disabled. reg.exe simply makes the changes to the registry
rather than you having to manually wade through the config screens in
IE. I click the shortcut, the DOS window appears, I use the web
browser in its throttled state (and any instances of IE opened
thereafter may or may not have private or no-addons modes enabled but
they will still have scripting disabled), I close the web browser
(all windows for each instance), and the batch script continues its
execution in the DOS shell to re-instate scripting support and it
closes. In fact, for that shortcut, I configure its properties to
open the DOS shell minimized so all I see is the taskbar button for
it. When I exit the last window for IE, that taskbar button
disappears (but I could restore its window size to see the comments).
It has always been recommended to have users log under a Limited User
Account (LUA) which significantly reduces their permissions. Alas,
many users still log under an admin-level account and some of us
can't do our work unless logged in under an admin-level account.
That doesn't preclude running the web browser under a LUA token to
reduce its privileges. Vista, I believe with its UAC mode, helps to
mitigate some of the problems with the web browser having full
privileges. In Windows XP, I use SysInternals' psexec with its -l
option to load a process under a LUA token (I like it better than
DropMyRights). If you use OnlineArmor for your firewall (which also
includes HIPS), it has its RunSafer attribute you can assign to a
program so when it loads it also runs under a LUA token. GeSWall
doesn't limit privileges but itself enforces privileges on processes.
OA and GeSWall have the advantage that they are automatic and will
limit any instance of the web browser, including if it is started as
the child of another process (malware will often try to usurp an
Internet-facing application to get their connection). However, more
security means more interference. It's good for average or noob
users but the educated can probably do without it and eliminate the
conflicts they cause (unless they're lazy and, of course, all of us are
to some degree since we want to use our computers instead of wasting
time securing them). I eventually went simpler in my security setup
and now just use the shortcuts to determine how limited the web
browser is. I have an IE toolbar added to the Windows taskbar with
shortcuts to run IE as:
- Normal
- Private Mode (-private)
- Private Mode + No Addons Mode (-private -extoff)
- Private Mode + No Addons Mode + No Scripts (uses a batch file)
That's some pretty useful stuff for those of us who understand it, but
I'm afraid the little old lady that was searching for "human arm
anatomy" wouldn't have a clue.
She's running XP Home SP3. I'm running XP Pro SP3. I also have Vista
and Win 7 RC on this machine and will try that URL just for kicks and
see how it acts in those OS's. I thought that it was amusing that the
URL of the offending site included "linux-site" in it.
As far as WOT goes, I do notice that it flags a lot of sites you
Google for. Perhaps the 2% you mentioned are mostly bad sites that
people have reported. Who is going to take the time to rate a *good*
site? Thanks a lot for your lengthy reply. There's a lot of stuff in
there that I can use.
For what it's worth, you might want to install SandBoxie on her
computer, and configure it by default to start her web browser inside a
sandbox. That way, no matter what she encounters, it won't pose any real
threat, nor give you a headache. :)
--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk
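An added example, not posted by anyone in this thread: a PowerShell counterpart to VanguardLH's curb_IE.bat. It records whatever the Active Scripting value (1400 in zone 3) was before disabling it and restores that value in a finally block, so the Internet zone is not left with scripting off if the console window is closed or the browser is killed with taskkill while the script is waiting. The psexec path and the IE path are assumptions, as is having PowerShell installed on the machine.

```powershell
# Added example (not from the thread): PowerShell version of curb_IE.bat that
# saves and restores the prior Active Scripting setting instead of hard-coding 0.
# Assumed paths: psexec at C:\Tools\SysInternals\psexec.exe, IE under %ProgramFiles%.

$zoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1400'   # Active Scripting in the Internet zone: 0 = enable, 1 = prompt, 3 = disable
$psexec    = 'C:\Tools\SysInternals\psexec.exe'
$iexplore  = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

# Read the current setting; a missing value means the zone default (enabled).
$previous = (Get-ItemProperty -Path $zoneKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $previous) { $previous = 0 }

try {
    Write-Host "DISABLE script support in the Internet zone (was $previous) ..."
    Set-ItemProperty -Path $zoneKey -Name $valueName -Value 3 -Type DWord

    Write-Host 'Loading Internet Explorer with a limited token, no add-ons, private mode ...'
    Write-Host '*** Exit the browser (all windows) to restore the scripting setting.'
    # psexec -l runs the child with a limited (non-admin) token, as in the batch file.
    & $psexec -l $iexplore -extoff -private 'about:blank'

    # psexec waits for the process it launched, but IE may hand off to another
    # iexplore.exe, so also wait until no iexplore.exe remains before restoring.
    while (Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
        Start-Sleep -Seconds 2
    }
}
finally {
    Write-Host "RESTORE script support in the Internet zone to $previous ..."
    Set-ItemProperty -Path $zoneKey -Name $valueName -Value $previous -Type DWord
}
```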