Re: hi-jacked browser
From: Tom H (th54_at_hotmail.com)
Date: 01/29/05
- Next message: FrankV: "Re: Favorites Folder Empty"
- Previous message: Emrys Davies: "Re: IExplorer.exe error"
- In reply to: flintridgeparkenfarker vonkerschnauzerheiden: "hi-jacked browser"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 29 Jan 2005 12:54:05 -0800
I know, how can they make a software product that vulnerable? But they do
...
I find a layered defense to be effective. Have firewalls and stuff, but think, OK, if an attacker gets through what might happen? He might run a script --- so I've got a program called Script Sentry (check it out), it makes the default action for a script file to be examined instead of run, this way when bozo the scriptkiddy manages to sneak the vanguard of his exploit into your system (the vbs script disguised as whatever, that's supposed to make reg entries and download further ***) you get an alarm bell and a window pops up displaying the script instead of the script just silently running. I was amazed at how frequently scripts would have slid by if I didn't have this. Another thing they want to do is put entries in the reg where they start exe files or scripts on startup or reboot. TCMonitor is software that continually monitors certain reg keys like "runonce"; once again, it's just amazing how frequently this alarm goes off, having intercepted an attempt to slide a reg entry in there. Another area I have software always watching is the browser helper object cache. It's called BHO Demon, and it sets off an alarm bell and displays info whenever an object tries to insert itself. Again, you'd be surprised at how often web pages just try to go ahead and insert all this stuff.
Long story short --- yes, have firewalls, and AV stuff, but think, "OK, if they get by all of this, what will they try to do?", and have software monitor those sensitive areas:
- script interpreters,
- "runonce" type reg entries,
- browser helper objects
There's probably more, but I have ZoneAlarm, Script Sentry, BHODemon, TCMonitor, and the antivirus/antitrojan trialware du jour --- and since I've had this system (5 months) I have caught 8 or 9 serious, almost successful attempts to own my box where they got through a layer or two even, but caught them because I had a multilayer defense system.
Good luck!
"flintridgeparkenfarker vonkerschnauzerheiden" <no@spam.com> wrote in
message news:10vi2khcqilb480@corp.supernews.com...
> This is my first and I think I've gotten rid of it, but we'll see.
>
> Fortunately for me, I had taken a screenshot of my processes running just prior to this wicked infiltration so I had a great starting point. You know, the 3-fingered salute: CTRL-ALT-DELETE and click the "Processes" tab. It's good to view this once in a while to keep abreast of what is running normally. Hit the "print screen" button, open "Paint" or whatever, and paste it, or make a list of all the processes that normally are running. This is very valuable information.
>
> Anyway, I went to this website "here4search.com" (DON'T GO THERE!!) and I was immediately warned by XP's firewall that a possibility of malicious stuff was going on with port 443 [or something]. By the time I disconnected, the damage was done. Every time I got online IE got hi-jacked.
>
> So, I copied the URL of the site to which I was taken, did a registry search and changed all the entries that matched, back to my home page. (I know, very crude) I did this several times after re-booting only to find the entries back to the evil site's URL.
>
> I did the 3-fingered salute to see what processes were running. I found one with an ugly name that didn't belong there because it didn't match my picture taken just days before. I opened Windows Explorer, did a file search and I deleted it. I checked my internet connections folder and found that the *.exe file had created its own connection configuration, so I deleted that.
>
> I went to C:\Windows\System32 and sorted all the files by creation date. I couldn't believe it! I had files in there with the ".dll" extension concatenated about a dozen times on some of them so that some of the file names were extremely suspicious (5626kluujx5i.dll.dll.dll.dll.dll. [etc]) was one of them. Anyway, I tried to delete all the .dll files that were created between Jan 25 [the fateful day] and today since I know I didn't install any programs in that timeframe.
>
> I was denied access to several of these files because either IE or Explorer was using them (I guess) as an IE third party add-in (thank you very much M$). I noticed also that they (.dll files) were being re-created after I would delete them and restart my computer. (This may have taken place before I checked the processes running and deleted the .exe file, I'm not sure--probably though).
> So anyway, for the .dll's that wouldn't give me access for deletion, I closed Explorer and IE and opened a DOS window. I typed: del 5626kluujx5i.dll and was allowed to delete 2 more of the last 4. So now I had 2 left. I changed the filenames, rebooted, and then was allowed to delete the last 2 .dll files.
>
> I didn't do this methodically and/or scientifically. I was pissed and wanted results so the exact sequence of my actions cannot be verified; therefore, I'm not entirely sure if I got the executable file that was slipped into my backside so quickly, but I think I at least broke the chain needed to hi-jack my browser.
>
> At any rate, so far so good. I can't believe I had to spend that much time fixing my computer from simply visiting a web site, but then, maybe it wasn't the website. Maybe it was simply a derelict scanning the web for suckers with a vulnerable port like me. I can only blame myself. I actually expected the firewall to not only detect and warn me of malicious goings on, but to PREVENT the infiltration. Shows ya how much I know.
>
> For what it's worth, I don't know if I'm out of the woods yet, but maybe someone can get some useful tips out of what I've experienced. I don't like downloading bloated patches from M$. I like to know what's going on with this box as probably most of you do [excluding the seasoned, propeller-headed veterans--naturally]. Of course, I DON'T know what's going on, but I try. I'll probably have to eat my post later when I'm forced into using the dreaded, bloated, patch. I hope not. I've re-booted and gotten online several times now without being hi-jacked and no new .dll files have been created, so I think I got rid of it.
>
> Oh yeah, I'm not sure how much of a pain in the ass this is going to be, but I changed my Advanced Internet Options to not allow any third party add-ins. I don't know if this change will be effective for prevention.
>
> --
> joe
> /*------- A new survey of online daters found that
> 47% of people believe that their online date will
> go well... the other 53% are still missing. -------*/
>
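As an added example that is not part of either post: a PowerShell script that keeps a baseline of the areas the two posts say to watch (the Run/RunOnce keys, registered Browser Helper Objects, the running process list as in joe's "screenshot of my processes", and the default action for .vbs files that Script Sentry changes) and reports what has been added since. The baseline file location is an assumption; the registry paths are the standard Windows ones.

```powershell
# Added example, not from the thread: snapshot the areas both posts describe
# watching (Run/RunOnce keys, Browser Helper Objects, running processes, the
# default verb for .vbs files) and diff against a saved baseline. The baseline
# path is an assumption; the registry paths are the standard Windows ones.
$BaselinePath = "$env:USERPROFILE\startup-baseline.json"
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$BhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
function Get-StartupSnapshot {
    $run = foreach ($k in $RunKeys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            foreach ($name in ($p.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
                "$k\$name = $($p.$name)"   # one line per autostart value
            }
        }
    }
    $bho = if (Test-Path $BhoKey) { (Get-ChildItem $BhoKey).PSChildName } else { @() }
    # Default verb for .vbs: empty/'Open' runs the script on double-click, 'Edit' shows it instead
    $shell = Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\VBSFile\Shell' -ErrorAction SilentlyContinue
    $verb = if ($shell -and $shell.'(default)') { $shell.'(default)' } else { 'Open' }
    [pscustomobject]@{
        Run       = @($run)
        BHO       = @($bho)
        Processes = @(Get-Process | Select-Object -ExpandProperty Name -Unique | Sort-Object)
        VbsVerb   = $verb
    }
}
function Compare-Snapshot($Baseline, $Current) {
    foreach ($area in 'Run', 'BHO', 'Processes') {
        $known = @($Baseline.$area)
        foreach ($item in @($Current.$area)) {
            if ($known -notcontains $item) { "[NEW $area] $item" }
        }
    }
    if ($Current.VbsVerb -ne $Baseline.VbsVerb) { "[CHANGED .vbs verb] $($Baseline.VbsVerb) -> $($Current.VbsVerb)" }
}
$now = Get-StartupSnapshot
if (-not (Test-Path $BaselinePath)) {
    $now | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath; re-run after a reboot or suspicious browsing to diff."
} else {
    $base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $findings = @(Compare-Snapshot -Baseline $base -Current $now)
    if ($findings.Count) { $findings } else { "No new Run/RunOnce entries, BHOs or processes since baseline." }
}
```

Unlike the resident tools named in the reply, this only reports changes when it is run, so it complements rather than replaces them; review each reported entry before removing anything, since legitimate installs also add Run values and BHOs.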