malware attack queries

Discussion in 'Security Software' started by Jo-Anne, Oct 29, 2010.

  1. Jo-Anne

    Jo-Anne Guest

    Today, a website I clicked on from Google in IE8 (WinXP computer) tried to
    download malware to my computer by claiming it had found a virus. I couldn't
    exit the warning or the page and finally resorted to CTRL-ALT-DEL, which
    seemed to work. I also then updated and ran Avira AntiVir, SuperAntiSpyware,
    and Malwarebytes. They all reported no infection.

    My questions:

    Is it likely that I avoided the infection? Nothing else I need to do to
    check?

    If this happens again, is there a best way to get out of the situation? (The
    website I clicked on was supposed to be for hardware used in
    closets--brackets and similar stuff, nothing I would have thought of as
    iffy.)

    Thank you!

    Jo-Anne
     
    Jo-Anne, Oct 29, 2010
    #1

  2. I don't think so.
    Something I've been trying to inform people of, it is *not* just the
    "iffy" sites that do this - it happens everywhere.

    As long as you didn't actually "open" or "run" the program they try to
    convince you to download, you should be okay. This is not always the
    case, because the same site (or an affiliate) can also run exploits
    against vulnerable software on your computer and "install" the malware
    that way. Since you already ran the three most recommended detection and
    removal tools out there, my guess is that you avoided infestation.

    You could disable scripting in your browser (except for trusted sites),
    but that might be considered 'over the top' these days. :o)

    When and if it happens again, you could try the ctrl+alt+del and right
    click to minimize or close the miscreant - but usually I find you have
    to terminate the browser session entirely.
     
    FromTheRafters, Oct 29, 2010
    #2

  3. Jo-Anne

    Mike Easter Guest

    Did IE8's SmartScreen Filter alert you? Did you have it enabled?

    http://www.microsoft.com/security/filters/smartscreen.aspx SmartScreen
    Filter is a feature in Internet Explorer 8 that helps you avoid socially
    engineered malware phishing Web sites and online fraud ...and other Web
    sites that contain malware. ... In Internet Explorer, click the Safety
    button. Point to SmartScreen Filter, and then click Turn On SmartScreen
    Filter.
     
    Mike Easter, Oct 29, 2010
    #3
  4. Jo-Anne

    Jo-Anne Guest

    Thank you! I'm relieved. I was in such a state when it happened that I
    didn't even think of right-clicking to minimize or close the page

    Jo-Anne
     
    Jo-Anne, Oct 30, 2010
    #4
  5. Jo-Anne

    Jo-Anne Guest


    Thank you, Mike! I don't have the safety button showing in IE8. However, I
    found SmartScreen Filter under Tools. It looks like it must be activated,
    given that my choices were Check This Website, Turn Off SmartScreen Filter,
    and Report Unsafe Website. Since IE appeared not to be doing anything, as
    far as I could tell, while I was at the infected site, I suppose I should
    have reported that site. But all I wanted to do was get away from it.

    Jo-Anne
     
    Jo-Anne, Oct 30, 2010
    #5
  6. Jo-Anne

    Mike Easter Guest

    Historically, IE has been much less secure than its contemporaries, with
    IE6 having been really terrible in spite of all of its patching, besides
    a number of other 'retarded'/backward conditions of IE6, but with the
    evolution to IE7 and IE8, the IE security has improved.

    The fact that the site was accessed from a google search result link
    suggests that the google system for Safe Browsing wasn't working -
    didn't have it listed - either. That safe browsing feature is built-into
    Chrome and Firefox, and it is supposed to prevent someone accessing a
    site like you did even before you get there.

    The design goal is for an attempt to access a site such as you described
    to give you this look http://www.mozilla.com/firefox/its-an-attack.html

    Then, if you click the button in that alert 'Why was this site blocked?'
    you get a page that has information arranged in this format, except that
    the example shown is a safe site instead of one with malware
    http://www.google.com/safebrowsing/diagnostic?site=http://searchengineland.com/

    Presumably MS's SafeScreen has a similar strategy behind it, but I'm
    sure that MS & Google aren't cooperating with each other in that regard
    of sharing black or whitelisting information.

    Do you recall what the site was that you had trouble with? It might be
    possible to determine what came of its condition.
     
    Mike Easter, Oct 30, 2010
    #6
  7. Jo-Anne

    Jo-Anne Guest


    Thank you for all the information, Mike! I wish I had kept the web address
    of the site; but all I wanted was to get out of it. I see three
    possibilities in my history folder, but I'm not sure. According to today's
    history, I visited hardware.hardwarestore.com, knapeandvogt.com, and
    77.78.247.165. I think I recognize all the other sites from today.

    Jo-Anne
     
    Jo-Anne, Oct 30, 2010
    #7
  8. Do you happen to see one with a http://something.cz.cc domain? The fake
    AV display comes from an obfuscated html file that references a script
    file and some small graphics (security shields etc...) to give it that
    *real* look. This is only one of many domains that they use.

    I have on occasion disconnected my internet access (shut off wireless)
    and allowed my computer to attempt to download the actual malware -
    after silently failing, it was possible to terminate the rogue webpage
    without losing the whole session. Then, my temp files directory has the
    whole 'fake stuff' stored.

    Sometimes, even then it is necessary to close the entire browsing
    session (and remember to *not* restore last session).
     
    FromTheRafters, Oct 30, 2010
    #8
  9. Jo-Anne

    Jo-Anne Guest

    Thank you, FromTheRafters! I didn't see anything with a cz.cc domain. I take
    it the one that showed up as a number was OK?

    I see what you can do now after disconnecting from internet access, but I'd
    be afraid to try it.

    I did get the message about restoring the last session and clicked no. The
    first thing that ran through my mind when I saw it was: Why would I want to
    go back to that page of malware?

    Jo-Anne
     
    Jo-Anne, Oct 30, 2010
    #9
  10. Forget about it.
    All those "tools", of course including AV scanners et al., are useless:
    they can only react, they can NEVER protect you from (yet) unknown malware
    or attacks.

    Fortunately there is help: just configure your PC appropriately, i.e.
    restrictively!

    Get rid of the administrative rights of your user account (in case you
    created it during Windows setup)!

    BUT: don't just remove your account from the "Administrators" group and
    join the "Normal users" group: ALL files you created under %SystemRoot%
    and %ProgramFiles% are owned by your account, you still have complete
    control over these files.
    You either have to create a NEW account and remove your old one, or you
    must change the owner of all those files to the "Administrators" group.

    Before you log off: turn on SAFER alias software restriction policies,
    set its default level to "Disabled", exempt "Administrators" (if you
    like), but include DLLs.
    You can use <http://home.arcor.de/skanthak/download/XP_SAFER.INF> to
    perform these steps, it works from XP Home up to Windows 7 64bit.

    Now log off and log on to your new account (or simply reboot).

    With SAFER in effect (and the rules defined in the *.INF from above) you
    can execute "programs" from %SystemRoot% and %ProgramFiles% only, i.e.
    places where only an administrator has write access to, but are denied
    execution in your own user profile, the TEMP directories and various
    other places you have write access to (it's the same as "data execution
    prevention" in RAM).
    So even if malware gets downloaded to your computer, you can't run it.

    This works against ALL malware, known and unknown. It works against
    Stuxnet and others which exploit errors in the OS too: the shellcode
    of those malware might still be run, but it can't execute its payload.

    Mission accomplished!

    Stefan
     
    Stefan Kanthak, Oct 30, 2010
    #10
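A small audit script for the SAFER configuration the post above describes (default level "Disallowed", DLLs included, administrators optionally exempt, execution allowed only from the system and program directories). This is an added example, not part of the thread and not Stefan Kanthak's XP_SAFER.INF; it assumes the policy lives in the standard HKLM SAFER registry location and only reads it.

```powershell
# Added example: report the machine's software restriction policy (SAFER) settings
# and flag the two weaknesses the post warns about (default not Disallowed, DLLs
# not covered). Assumes the standard machine-wide SAFER registry location.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level ids used by SAFER for DefaultLevel and for the per-level subkeys
$levelNames = @{ 0 = 'Disallowed'; 0x1000 = 'Untrusted'; 0x10000 = 'Constrained';
                 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

if (-not (Test-Path $base)) {
    Write-Output 'No software restriction policy is configured (SAFER key absent).'
    return
}
$cfg = Get-ItemProperty -Path $base

$level = [int]$cfg.DefaultLevel
Write-Output ("Default level : {0} (0x{1:X})" -f $levelNames[$level], $level)
# TransparentEnabled: 1 = executables only, 2 = all software files including DLLs
Write-Output ("DLLs covered  : {0}" -f ($cfg.TransparentEnabled -eq 2))
# PolicyScope: 0 = applies to all users, 1 = all users except local administrators
Write-Output ("Admins exempt : {0}" -f ($cfg.PolicyScope -eq 1))

# Path rules are stored as <level>\Paths\<GUID> with the path in ItemData;
# list every rule so the reader can check that only admin-writable locations
# (e.g. %SystemRoot%, %ProgramFiles%) are Unrestricted.
Get-ChildItem -Path $base | ForEach-Object {
    $lvl = [int]$_.PSChildName
    $paths = Join-Path $_.PSPath 'Paths'
    if (Test-Path $paths) {
        Get-ChildItem -Path $paths | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            Write-Output ("{0,-12} {1}" -f $levelNames[$lvl], $rule.ItemData)
        }
    }
}

# The two settings the post insists on: default Disallowed and DLLs included.
if ($level -ne 0) {
    Write-Warning 'Default level is not Disallowed: files downloaded to the profile or TEMP can still run.'
}
if ($cfg.TransparentEnabled -ne 2) {
    Write-Warning 'DLLs are not covered by the policy (TransparentEnabled should be 2).'
}
```

Run it from an elevated PowerShell prompt after applying the policy; the path list makes it easy to spot an Unrestricted rule pointing at a user-writable directory, which would defeat the whole scheme.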
  11. Not necessarily, but since you didn't download and execute the malware
    (only the "come-on") it probably doesn't matter anyway.
    Unless you wanted to investigate it further, or absolutely did not want
    to lose your current browsing session, there would be no need.

    It is aggravating to me to have to close all just because one is trying
    to lead me to malicious software.
    Exactly!
     
    FromTheRafters, Oct 30, 2010
    #11
  12. Definitely looks suspicious.
     
    FromTheRafters, Oct 30, 2010
    #12
  13. "Stefan Kanthak"
    <>
    wrote in message
    [...]
    Not *all* malware.
     
    FromTheRafters, Oct 30, 2010
    #13
  14. Jo-Anne

    Jo-Anne Guest

    Thank you again!

    Jo-Anne
     
    Jo-Anne, Oct 30, 2010
    #14
  15. Jo-Anne

    Jo-Anne Guest

    "Stefan Kanthak"
    Thank you, Stefan!

    Jo-Anne
     
    Jo-Anne, Oct 30, 2010
    #15
  16. Funny though that they seem to think all of that nefarious activity
    within 90 days (including today) isn't suspicious. :oD
     
    FromTheRafters, Oct 30, 2010
    #16
  17. Jo-Anne

    Mike Easter Guest

    I'm not a fan of IE8 or its features for security, my suggestion was
    based on her use of IE8.
    I agree that restricting the functions of browsers is a powerful way to
    defend, but it also comes at a cost of some functionality.
    If I understand these restrictions correctly, one would not be able to
    run any executables found on any websites, such as MS's.

    How would you counteract this limitation?
    Ah, so you are the site's Stefan Kanthak. Thanks for the useful site.
     
    Mike Easter, Oct 30, 2010
    #17
  18. From the top:

    "
    What is the current listing status for 77.78.247.0?

    This site is not currently listed as suspicious."
    They should do the best that they can. :oD
     
    FromTheRafters, Oct 31, 2010
    #18
  19. [...]
    You're welcome.

    (and congratulations)
     
    FromTheRafters, Oct 31, 2010
    #19
  20. As many as it takes?

    People forget why signature based scanners were developed in the first
    place in light of what malware has now become. Do whatever you like
    about the easy to avoid malware of today, but take care not to throw out
    the baby just because modern malware has dirtied the bathwater.

    All that Stefan said is true IMO - except that the user will still want
    to run new programs on his computer, and he will get them from what he
    considers trusted sources. Barring any evil trusted source, or an evil
    (insufficiently supervised) employee of same, purposefully planting
    malware in their programs - you will *still* have the worm/virus problem
    (although it won't be the lameware cesspool it is today).

    Viruses are a special case, and worms (true worms) imply software
    vulnerability exploits (they're always running) and worms can drop
    viruses.
     
    FromTheRafters, Oct 31, 2010
    #20