[geeks] filtering out web base trojan?

Alois Hammer aloishammer at casearmour.net
Sun Mar 16 01:08:15 CDT 2008


There are lots of things you can do to filter trojans and the like, but
you need to identify the contagion and the vector-- and you need to
establish as fact that you're not leaving a reservoir of contagion
somewhere on the computer or on your local network that could be
reinfecting you.

Assuming that your network and your Windows machine are otherwise
secure, you could be falling prey to the ongoing IFRAME injection
attacks, which, if I understand correctly, may[1] successfully bypass
NoScript's trust system by using normally-trusted sites as springboards.

Check the full-disclosure March archives for more information:

http://seclists.org/fulldisclosure/2008/Mar/index.html

Or check this guy's posts:

http://ddanchev.blogspot.com/2008/03/wiredcom-and-historycom-getting-rbn-ed.html
http://ddanchev.blogspot.com/2008/03/more-cnet-sites-under-iframe-attack.html
http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html

Also, the outright bulk compromise of normally-trustworthy sites is
still going on, as far as I know.  That started about four to six weeks
ago, and, the last I heard, security researchers were having trouble
pinpointing affected sites, much less locking down contagion vectors. 
The attacks in question were (are?) delivering their payload(s) via
randomly-generated one-time URLs, making it difficult to analyze the
actual location of the malware on infected servers or the malware
itself.

Also, if you're relying on a Little Bloo Box for network security,
don't.  Compromise rates are skyrocketing, and one of the latest rounds
of attacks has been highly successful at injecting UPnP commands into
home routers *from Internet-side traffic*.  I'd be happy to pass on a
list of what routers with what firmware from what manufacturers are
vulnerable, but there's no such list that I know of.  Also, considering
how cavalierly UPnP was designed, and how much more cavalierly UPnP is
implemented, if your router's not on the notional list this week, it may
be next week.  If you have a Little Bloo Box, and it's been compromised
via UPnP, you could be repeatedly pulling down the trojan via malicious
DNS servers.  Have you checked recently to see if you're still using
your ISP's DNS servers, or at least known servers you trust?  (Rah rah
OpenDNS, etc.)

Since you haven't given me much information on the contagion, all I can
advise is that you start turning off anything you're not using or don't
absolutely need.  Download and install Secunia PSI to see if you have
out-of-date / known-vulnerable software on the Windows box.  Remove
Acrobat Reader and use something else (Foxit, SumatraPDF, xpdf) to read
your documents.  Remove Flash if at all possible (I have).  Remove
QuickTime and either replace it with QuickTime Alternative or don't
replace it at all.  If you do install QT Alt, don't install the browser
plugins.  If you're using Sun JRE, update to 1.6.0u5 or else remove it.
Turn off UPnP support in any software or device that implements it.

All of the above are just some of the more prominent hard-targeted
vulnerabilities that have been hit recently.  Adobe in particular has
been letting known, major compromise vectors go unpatched until well
after they're being exploited in the wild, and certainly months after
they're reported.  In my book, they're one step ahead of merging
"security" departments with Oracle.

And, as a last note: if you think you don't have a vulnerable version of
Flash on your Windows machine, you're probably wrong.  Microsoft and
Adobe are *both* still distributing vulnerable Flash -- in Adobe's case,
they're bundling older Flash with AIR.  (At least.)  I've proven to my
own satisfaction, several times, that installing a more recent version
of Flash does *not* reliably remove the 6.x-era flash that still ships
with all versions of Windows XP, including Service Pack 3 RC2 (up
through at least build 3311).  If you do have Flash 6.x installed, it's
probably under %SystemRoot%\system32\Macromed\Flash.  Check the version
of every .ocx.  If you do have a vulnerable version, unregister it with
regsvr32.exe and delete it.


---
[1] If I'm wrong about the IFRAME injection attacks being able to bypass
NoScript trust, please feel free to correct me.  Actually, I'd /like/ to
be wrong.

On Sun, 16 Mar 2008 04:34:32 +0200, "Geoffrey S. Mendelson"
<gsm at mendelson.com> said:
> I have a problem with a persistent web based trojan that infects one
> computer of mine. I can get rid of it once it infects the computer: my
> antivirus finds it, and HijackThis and Windows Defender catch any
> startup registry entries.
> 
> Occasionally it gets so bad I have to boot from a CD and remove the DLL
> it installs by hand.
> 
> This is getting tedious.
> 
> I'm using Firefox as my web browser with the NoScript add-on.
> 
> However, it still gets through. 
> 
> It's the one that randomly pops up a "your computer may be infected with
> spyware, click here to make sure it is" window. NoScript prevents the
> window from coming up, but it still tries.
> 
> Is there a way to filter it out via a web proxy? Possibly an add-on
> module for squid or apache? Something similar to Dan's Guardian? A
> better Firefox add-on?
> 
> While I would prefer something that stopped it, even a program that
> detected and logged it would do. Then I can block the sites if they are
> referred to, or simply no longer use the one that is infected.
> 
> I think that it comes in from a content/location based advertising
> service, so the site that tries to infect me may not even be aware
> that this is happening. 
> 
> 
> Thanks in advance,
> 
> Geoff.
>  
> -- 
> Geoffrey S. Mendelson, Jerusalem, Israel gsm at mendelson.com  N3OWJ/4X1GM
> _______________________________________________
> GEEKS:  http://www.sunhelp.org/mailman/listinfo/geeks
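As an added example, not part of Alois's reply or Geoff's question, here is
a PowerShell script that performs the two local checks recommended above:
it shows which DNS servers each adapter is actually using, and it lists
every Flash ActiveX control under %SystemRoot%\system32\Macromed\Flash with
its file version, flagging the 6.x-era controls that ship with XP.  It
assumes PowerShell 2.0 or later and an elevated prompt; the -Unregister
switch is defined by this script, not a built-in, and when given it runs
regsvr32 /u on each flagged control and deletes the file.

```powershell
# Added example (not from the original post): local checks for a Windows XP-era
# box. Run from an elevated PowerShell prompt; PowerShell 2.0+ is assumed.
#
#   1. Show which DNS servers each IP-enabled adapter is really using, so you
#      can compare them against your ISP's or OpenDNS's addresses.
#   2. List every Flash .ocx under %SystemRoot%\system32\Macromed\Flash with
#      its file version and flag the 6.x-era controls. With -Unregister (a
#      switch defined here, not a built-in) each flagged control is
#      unregistered with regsvr32 /u and deleted.

param([switch]$Unregister)

function Get-ConfiguredDnsServers {
    # Win32_NetworkAdapterConfiguration exposes the resolver list per adapter.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, DHCPEnabled,
            @{Name = 'DNSServers'; Expression = { $_.DNSServerSearchOrder -join ', ' }}
}

function Get-FlashControls {
    param([string]$FlashDir = (Join-Path $env:SystemRoot 'system32\Macromed\Flash'))

    if (-not (Test-Path $FlashDir)) { return @() }

    # VersionInfo is the FileVersionInfo PowerShell attaches to each FileInfo;
    # FileMajorPart is the first component of the file version (6 for Flash 6.x).
    # Files with no version resource report 0 and are flagged as well.
    Get-ChildItem -Path $FlashDir -Filter '*.ocx' |
        Select-Object FullName,
            @{Name = 'Version'; Expression = { $_.VersionInfo.FileVersion }},
            @{Name = 'Major';   Expression = { $_.VersionInfo.FileMajorPart }},
            @{Name = 'Suspect'; Expression = { $_.VersionInfo.FileMajorPart -le 6 }}
}

Write-Host '== DNS servers in use =='
Get-ConfiguredDnsServers | Format-Table -AutoSize

Write-Host '== Flash ActiveX controls =='
$controls = @(Get-FlashControls)
if ($controls.Count -eq 0) {
    Write-Host 'No Flash .ocx files found.'
}
$controls | Format-Table FullName, Version, Suspect -AutoSize

foreach ($c in ($controls | Where-Object { $_.Suspect })) {
    if ($Unregister) {
        Write-Host "Unregistering and deleting $($c.FullName)"
        # /u unregisters the control, /s suppresses the result dialog.
        & "$env:SystemRoot\system32\regsvr32.exe" /u /s $c.FullName
        Remove-Item -Path $c.FullName -Force
    } else {
        Write-Host "Old control: $($c.FullName) (version $($c.Version)); rerun with -Unregister to remove it."
    }
}
```

Close every browser before running with -Unregister: a control that is loaded
into a running process will fail to unregister or delete.  Read the Version
column rather than trusting the Suspect flag blindly, since a newer installer
normally leaves its current control in the same directory, and an .ocx with
no version resource at all is flagged too.  Entries in the DNSServers column
that are not your ISP's or a resolver you chose yourself are worth a closer
look at the router.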
