Guest Yitzak
Posted December 17, 2008

Hi

I can understand how a virus can be spread/caught by the user invoking/running the code.

Cannot understand how your PC can be infected just by visiting a website.

I know web pages can contain client-side scripts (e.g. JavaScript) that run on your machine. But I thought the browser was a secure environment e.g. in that these scripts cannot access files locally - unless through user interaction (browse button).

I'm sure they showed some code on BBC "on-click" program - that showed the malware being loaded on the page_load event of the web page - i.e. before user even sees page.

Guest FromTheRafters
Posted December 17, 2008

inline

"Yitzak" <terryshamir@yahoo.co.uk> wrote in message news:0ca9ac6a-0067-4eee-986d-1af8fccb8297@s9g2000prg.googlegroups.com...
> Hi
>
> I can understand how a virus can be spread/caught by the user invoking/
> running the code.

The same could be said for trojans, so I assume you mean malware in general when you say "virus".

> Cannot understand how your PC can be infected just by visiting a
> website.
>
> I know web pages can contain client-side scripts (e.g. javascript)
> that run on your machine. But I thought the browser was a secure
> environment e.g. in that these scripts cannot access files locally -
> unless through user interaction (browse button).

That's the default behavior - if they're not broken. That is aside from the places that they are supposed to be able to access.

> I'm sure they showed some code on BBC "on-click" program - that showed
> the malware being loaded on the page_load event of the web page - i.e.
> before user even sees page.

Hmmm. This sounds like an exploit - typical of some worms and adware foisters.

Drive-by downloading.

http://en.wikipedia.org/wiki/Drive-by_download

Guest David H. Lipman
Posted December 17, 2008

From: "Yitzak" <terryshamir@yahoo.co.uk>

| Hi
| I can understand how a virus can be spread/caught by the user invoking/
| running the code.
| Cannot understand how your PC can be infected just by visiting a
| website.
| I know web pages can contain client-side scripts (e.g. javascript)
| that run on your machine. But I thought the browser was a secure
| environment e.g. in that these scripts cannot access files locally -
| unless through user interaction (browse button).
| I'm sure they showed some code on BBC "on-click" program - that showed
| the malware being loaded on the page_load event of the web page - i.e.
| before user even sees page.

Easy, using vulnerability/exploit vector.

You go to a website, it checks your system for software. It finds a vulnerability. It exploits the vulnerability and it causes a file to be downloaded and installed. It is that simple.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest ~BD~
Posted January 5, 2009

A real-life personal friend asked me recently what information about his computer he gave away when he visited a web site - any web site.

I suggested he visit this URL to find out:-
http://www.browserreport.com/

He was amazed (just as I was the first time I went there!)

This rather supports the post by Mr Lipman, doesn't it?

Dave

"Yitzak" <terryshamir@yahoo.co.uk> wrote in message news:0ca9ac6a-0067-4eee-986d-1af8fccb8297@s9g2000prg.googlegroups.com...
> Hi
>
> I can understand how a virus can be spread/caught by the user
> invoking/running the code.
>
> Cannot understand how your PC can be infected just by visiting a
> website.
>
> I know web pages can contain client-side scripts (e.g. javascript)
> that run on your machine. But I thought the browser was a secure
> environment e.g. in that these scripts cannot access files locally -
> unless through user interaction (browse button).
>
> I'm sure they showed some code on BBC "on-click" program - that showed
> the malware being loaded on the page_load event of the web page - i.e.
> before user even sees page.

Guest David H. Lipman
Posted January 5, 2009

From: "~BD~" <BoaterDave@hotmail.co.uk>

| A real-life personal friend asked me recently what information about his
| computer he gave away when he visited a web site - any web site.
| I suggested he visit this URL to find out:-
| http://www.browserreport.com/
| He was amazed (just as I was the first time I went there!)
| This rather supports the post by Mr Lipman, doesn't it?
| Dave

The information that is reported has NOTHING to do with how someone can get infected.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest ~BD~
Posted January 5, 2009

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23YM2HYybJHA.5092@TK2MSFTNGP02.phx.gbl...
> From: "~BD~" <BoaterDave@hotmail.co.uk>
>
> | A real-life personal friend asked me recently what information about his
> | computer he gave away when he visited a web site - any web site.
>
> | I suggested he visit this URL to find out:-
> | http://www.browserreport.com/
>
> | He was amazed (just as I was the first time I went there!)
>
> | This rather supports the post by Mr Lipman, doesn't it?
>
> | Dave
>
> The information that is reported has NOTHING to do with how someone
> can get infected.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

You said earlier, Mr Lipman:-

"Easy, using vulnerability/exploit vector.

You go to a website, it checks your system for software. It finds a vulnerability. It exploits the vulnerability and it causes a file to be downloaded and installed. It is that simple."

Are you now saying that the information - which I have pointed out is available to any URL which wishes to use/abuse it - is of no value at all to the bad guys?

Dave

Guest David H. Lipman
Posted January 5, 2009

From: "~BD~" <BoaterDave@hotmail.co.uk>

| You said earlier, Mr Lipman:-
| "Easy, using vulnerability/exploit vector.
| You go to a website, it checks your system for software. It finds a
| vulnerability. It exploits the vulnerability and it causes a file to be
| downloaded and installed. It is that simple."
| Are you now saying that the information - which I have pointed out is
| available to any URL which wishes to use/abuse it - is of no value at
| all to the bad guys?
| Dave

That information is generic and provides no information on any vulnerability.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest ~BD~
Posted January 10, 2009

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23SxYBf3bJHA.4380@TK2MSFTNGP02.phx.gbl...
> From: "~BD~" <BoaterDave@hotmail.co.uk>
>
> | You said earlier, Mr Lipman:-
>
> | "Easy, using vulnerability/exploit vector.
>
> | You go to a website, it checks your system for software. It finds a
> | vulnerability. It exploits the vulnerability and it causes a file to be
> | downloaded and installed. It is that simple."
>
> | Are you now saying that the information - which I have pointed out is
> | available to any URL which wishes to use/abuse it - is of no value at
> | all to the bad guys?
>
> | Dave
>
> That information is generic and provides no information on any
> vulnerability.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

You've suggested that I think about things more .......... so I have been pondering on what you said here.

When I've used http://www.browserreport.com/ it tells me whether I'm using Internet Explorer, Firefox or Google Chrome.

Most folk acknowledge that IE is more susceptible to attack than other browsers. Any 'attacker' might like to know exactly what they are up against and might simply move on if a host is NOT using IE. In other words, it seems to me that we do show our vulnerability to others.

Guest David H. Lipman
Posted January 11, 2009

From: "~BD~" <~BD~@nomail.Im.afraid>

| You've suggested that I think about things more .......... so I have been
| pondering on what you said here.
| When I've used http://www.browserreport.com/ it tells me whether I'm using
| Internet Explorer, Firefox or Google Chrome.
| Most folk acknowledge that IE is more susceptible to attack than other
| browsers. Any 'attacker' might like to know exactly what they are up against
| and might simply move on if a host is NOT using IE. In other words, it seems
| to me that we do show our vulnerability to others.

No, you are only showing you are using IE. Attackers don't really need "to know exactly what they are up against". If they want to exploit a browser they can and often do use a laundry list of exploits checking what browser is being used and apply an exploit against it.

During the past week I have seen several malware samples specifically targeting FireFox.

Here's one...

http://www.virustotal.com/analisis/d3b5b58...bd76bebc246b0ad

a-squared 4.0.0.73 2009.01.10 Virus.Win32.VB!IK
AntiVir 7.9.0.54 2009.01.10 SPR/PSW.FirePass.BD
Authentium 5.1.0.4 2009.01.10 W32/Backdoor2.DBIC
Avast 4.8.1281.0 2009.01.10 Win32:Trojan-gen {Other}
AVG 8.0.0.229 2009.01.09 Dropper.Generic.ABHE
BitDefender 7.2 2009.01.10 Trojan.Generic.712658
CAT-QuickHeal 10.00 2009.01.09 PSWTool.FirePass.bd (Not a Virus)
DrWeb 4.44.0.09170 2009.01.10 Trojan.PWS.Firefox.12
eSafe 7.0.17.0 2009.01.08 Suspicious File
F-Prot 4.4.4.56 2009.01.10 W32/Backdoor2.DBIC
F-Secure 8.0.14470.0 2009.01.10 Trojan-PSW.Win32.VB.aad
Fortinet 3.117.0.0 2009.01.10 PossibleThreat
GData 19 2009.01.10 Trojan.Generic.712658
Ikarus T3.1.1.45.0 2009.01.10 Virus.Win32.VB
K7AntiVirus 7.10.584 2009.01.09 not-a-virus:PSWTool.Win32.FirePass.bd
Kaspersky 7.0.0.125 2009.01.10 Trojan-PSW.Win32.VB.aad
McAfee+Artemis 5490 2009.01.09 Generic!Artemis
Microsoft 1.4205 2009.01.10 TrojanSpy:Win32/Vwealer.U
NOD32 3756 2009.01.10 probably a variant of Win32/PSW.VB
Norman 5.99.02 2009.01.09 W32/Smalldrp.AJVR
SecureWeb-Gateway 6.7.6 2009.01.10 Riskware.PSW.FirePass.BD
Sophos 4.37.0 2009.01.10 Sus/TinyDL-G
Symantec 10 2009.01.10 Hacktool
TheHacker 6.3.1.4.216 2009.01.10 Trojan/FirePass.bd
VBA32 3.12.8.10 2009.01.10 Trojan-PSW.Win32.VB.aad
ViRobot 2009.1.10.1553 2009.01.10 Trojan.Win32.PSWVB.461362
VirusBuster 4.5.11.0 2009.01.10 Trojan.PWS.VB.EHIS

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest ~BD~
Posted January 11, 2009

In line:-

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23UXytB4cJHA.5340@TK2MSFTNGP02.phx.gbl...
> From: "~BD~" <~BD~@nomail.Im.afraid>
>
> | You've suggested that I think about things more .......... so I have been
> | pondering on what you said here.
>
> | When I've used http://www.browserreport.com/ it tells me whether I'm using
> | Internet Explorer, Firefox or Google Chrome.
>
> | Most folk acknowledge that IE is more susceptible to attack than other
> | browsers. Any 'attacker' might like to know exactly what they are up against
> | and might simply move on if a host is NOT using IE. In other words, it seems
> | to me that we do show our vulnerability to others.
>
> No, you are only showing you are using IE. Attackers don't really need "to know
> exactly what they are up against". If they want to exploit a browser they can
> and often do use a laundry list of exploits checking what browser is being used
> and apply an exploit against it.

Perhaps I wasn't clear in what I'd meant to say. If so I apologise.

If I go to the 'browserreport' URL using IE7 - it tells me that I'm using IE7

If I go to the 'browserreport' URL using Firefox - it tells me I'm using Firefox

If I go to the 'browserreport' URL using Google Chrome - it tells me I'm using Google Chrome.

You are therefore mistaken when you said "No, you are only showing you are using IE."

> During the past week I have seen several malware samples specifically
> targeting FireFox.
>
> Here's one...
>
> http://www.virustotal.com/analisis/d3b5b58...bd76bebc246b0ad

It's good to see that all of those AV programmes found the malware!

How can one tell that such malware is targeting a specific browser?

Dave

Guest David H. Lipman
Posted January 11, 2009

From: "~BD~" <~BD~@nomail.Im.afraid>

| Perhaps I wasn't clear in what I'd meant to say. If so I apologise.
| If I go to the 'browserreport' URL using IE7 - it tells me that I'm using
| IE7
| If I go to the 'browserreport' URL using Firefox - it tells me I'm using
| Firefox
| If I go to the 'browserreport' URL using Google Chrome - it tells me I'm
| using Google Chrome.
| You are therefore mistaken when you said "No, you are only showing you are
| using IE."

No, I meant in respect to IE. It doesn't tell you IE is unpatched and vulnerable.

>> During the past week I have seen several malware samples specifically
>> targeting FireFox.

>> Here's one...

>> http://www.virustotal.com/analisis/d3b5b58...bd76bebc246b0ad

| It's good to see that all of those AV programmes found the malware!
| How can one tell that such malware is targeting a specific browser?
| Dave

The name is indicative of what it does.

FirePass -- FireFox passwords

DrWeb is more descriptive -- Trojan.PWS.Firefox.12

PWS - means password stealer.

Doing an analysis on binary gives even more clues.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

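An added illustration of the naming point in the post above (not part of the original thread): a small triage helper that tokenizes multi-engine detection labels and tallies the behaviour and target hints they carry. The sample labels are copied from the scan listing quoted earlier in the thread; the token tables are assumptions built from the post's own reading (PWS/PSW = password stealer, FirePass/Firefox = Firefox) plus two common category words.

```python
import re
from collections import Counter

# Labels copied from the scan listing quoted earlier in this thread.
SAMPLE_LABELS = {
    "AntiVir": "SPR/PSW.FirePass.BD",
    "DrWeb": "Trojan.PWS.Firefox.12",
    "Kaspersky": "Trojan-PSW.Win32.VB.aad",
    "Avast": "Win32:Trojan-gen {Other}",
    "AVG": "Dropper.Generic.ABHE",
    "McAfee+Artemis": "Generic!Artemis",
    "Sophos": "Sus/TinyDL-G",
    "TheHacker": "Trojan/FirePass.bd",
    "Microsoft": "TrojanSpy:Win32/Vwealer.U",
}

# Assumed token tables for this example, not any vendor's official scheme.
BEHAVIOUR_TOKENS = {
    "pws": "password-stealer",
    "psw": "password-stealer",
    "pswtool": "password-stealer",
    "trojanspy": "spyware",
    "dropper": "dropper",
}
TARGET_HINTS = {"firefox": "Firefox", "firepass": "Firefox"}


def tokens(label):
    """Split a detection label on every non-alphanumeric separator."""
    return [t for t in re.split(r"[^A-Za-z0-9]+", label.lower()) if t]


def classify(label):
    """Return (behaviours, targets) hinted at by one engine's label."""
    toks = tokens(label)
    behaviours = sorted({BEHAVIOUR_TOKENS[t] for t in toks if t in BEHAVIOUR_TOKENS})
    targets = sorted({TARGET_HINTS[t] for t in toks if t in TARGET_HINTS})
    return behaviours, targets


def summarise(labels):
    """Tally hints across engines; list engines whose label says nothing specific."""
    behaviour_votes, target_votes, uninformative = Counter(), Counter(), []
    for engine, label in labels.items():
        behaviours, targets = classify(label)
        behaviour_votes.update(behaviours)
        target_votes.update(targets)
        if not behaviours and not targets:
            uninformative.append(engine)
    return behaviour_votes, target_votes, sorted(uninformative)


if __name__ == "__main__":
    behaviours, targets, generic = summarise(SAMPLE_LABELS)
    print("behaviour hints:", dict(behaviours))
    print("target hints:   ", dict(targets))
    print("generic labels: ", generic)
```

Generic or heuristic labels contribute no hint at all, which is why the names are only a starting point and analysis of the binary gives more.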
Guest PA Bear [MS MVP]
Posted January 11, 2009

<plonk another one> [~BD~@nomail.Im.afraid]

~BD~ wrote:
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:%23SxYBf3bJHA.4380@TK2MSFTNGP02.phx.gbl...
>> From: "~BD~" <BoaterDave@hotmail.co.uk>
>>
>>> You said earlier, Mr Lipman:-
>>
>>> "Easy, using vulnerability/exploit vector.
>>
>>> You go to a website, it checks your system for software. It finds a
>>> vulnerability. It exploits the vulnerability and it causes a file to be
>>> downloaded and installed. It is that simple."
>>
>>> Are you now saying that the information - which I have pointed out is
>>> available to any URL which wishes to use/abuse it - is of no value at
>>> all to the bad guys?
>>
>>> Dave
>>
>> That information is generic and provides no information on any
>> vulnerability.
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
> You've suggested that I think about things more .......... so I have been
> pondering on what you said here.
>
> When I've used http://www.browserreport.com/ it tells me whether I'm using
> Internet Explorer, Firefox or Google Chrome.
>
> Most folk acknowledge that IE is more susceptible to attack than other
> browsers. Any 'attacker' might like to know exactly what they are up against
> and might simply move on if a host is NOT using IE. In other words, it seems
> to me that we do show our vulnerability to others.

Guest ~BD~
Posted January 11, 2009

"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message news:OTWNl%234cJHA.1860@TK2MSFTNGP04.phx.gbl...
> <plonk another one> [~BD~@nomail.Im.afraid]

Whilst my memory is fast fading, I'm almost certain that it was a PA Bear who explained to me more than three years ago that it is imprudent to use a real email address in newsgroups.

More interesting to me, and just possibly to others reading here, is just how it is you come to notice such subtle changes. Surely no 'normal' user/adviser in these groups checks Headers on every single post. Why on earth would they? It's the content of the post which is important - and that alone IMO.

So a question (for anyone).

Do sophisticated Newsreaders (outwith Outlook Express) carry out an automatic check of items from a Header so that the user knows instantly the 'vital statistics' of a poster? Perhaps they do; I have no idea.

Dave

PS The Hotmail address I use here IS live - quite deliberately.

Guest Leythos
Posted January 11, 2009

In article <OnXbaW8cJHA.5748@TK2MSFTNGP03.phx.gbl>, ~BD~@nomail.Im.afraid says...
> Do sophisticated Newsreaders (outwith Outlook Express) carry out an
> automatic check of items from a Header so that the user knows instantly the
> 'vital statistics' of a poster? Perhaps they do; I have no idea.

When one wants to verify the poster they check headers. Some real News Readers (which OE is not one) have the option of showing the header or parts of the header all the time.

I personally never see the poster's name in threads; when I believe the poster to be "someone" I always use the headers.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)