From: FromTheRafters on 30 Nov 2009 07:34

"Leythos" <spam999free(a)rrohio.com> wrote in message
news:MPG.257d77cb5932f61b989fe2(a)us.news.astraweb.com...
> In article <4b1485c0.988859(a)EBCDIC>, me(a)privacy.net says...
>>
>> Leythos wrote:
>> >In all my decades of
>> >experience I have never...
>>
>> ...learned how to configure a safe web interface (browser) such that
>> one could surf without fear, regardless of the site.
>
> You seem to have missed the article like Butts did - it was a
> sacrificial machine with the sole purpose of downloading files.

It is well known that downloading program files from the web can potentially lead to malware problems. What interests me more (and from a detection point of view) is how the initial lure gets to be displayed to a user. Obfuscated HTML and/or script (I'm sure scripting was also enabled and unrestricted) can be detected as suspicious (Avira may show a heuristic detection of these) and 'nipped in the bud'. This is *not* the same as detecting the actual (various) malware being served up. Does your goat log these lure attempts, and did the endpoint protection slip up, or was it a new obfuscation technique it wasn't yet equipped to handle? Are your downloads unattended, or is the user required to say "yes" to whatever oddball rogue requests a click from them?

I assume this was a goat network rather than a regular network that you set up on "opposite day". :o)
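The heuristic detection of obfuscated lure HTML/script that the post above asks about, as an added worked example (not code posted by anyone in this thread): a scorer that sums assumed indicator weights (eval/unescape/fromCharCode, long %XX or \xNN escape runs, zero-size iframes, code passed to setTimeout as a string) and adds a high-entropy long-string-literal check so a packed payload that uses none of the tell-tale API names is still caught. The indicator list, weights and thresholds are my assumptions, and the three pages it scores are constructed inline; nothing is fetched from the network.

```python
"""Heuristic triage of a fetched HTML page for drive-by lure obfuscation.

Added example for this thread, not code posted by any participant. The
indicator list, weights and thresholds are assumptions; the three sample
pages are constructed below and nothing is fetched from the network.
"""
import base64
import math
import re
from collections import Counter

# Assumed indicator weights. Each is a common building block of obfuscated
# lure pages; none is proof on its own, which is why they are summed.
INDICATORS = {
    r"\beval\s*\(": 3,
    r"\bunescape\s*\(": 3,
    r"String\.fromCharCode": 3,
    r"document\.write\s*\(": 1,
    r"(?:%[0-9a-fA-F]{2}){8,}": 2,                        # run of %XX escapes
    r"(?:\\x[0-9a-fA-F]{2}){8,}": 2,                      # run of \xNN escapes
    r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b": 3,  # zero-size iframe
    r"setTimeout\s*\(\s*[\"']": 1,                        # code passed as a string
}
HIGH_ENTROPY_MIN_LEN = 200   # assumed: shorter literals are ignored
HIGH_ENTROPY_BITS = 4.5      # assumed: English/JS ~4 bits per char, base64 of random data ~6
HIGH_ENTROPY_WEIGHT = 5
SUSPICIOUS_SCORE = 5         # assumed triage threshold

# JS string literals, single- or double-quoted, with backslash escapes.
STRING_LITERAL = re.compile(r'"((?:\\.|[^"\\])*)"' + r"|'((?:\\.|[^'\\])*)'", re.S)


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_literal(source: str) -> str:
    """Longest quoted string in `source`, skipping inline data: URIs (images, fonts)."""
    best = ""
    for m in STRING_LITERAL.finditer(source):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if not lit.startswith("data:") and len(lit) > len(best):
            best = lit
    return best


def score_page(html: str) -> dict:
    """Sum indicator weights over `html`; return score, what fired, and the verdict."""
    hits, score = [], 0
    for pattern, weight in INDICATORS.items():
        n = len(re.findall(pattern, html))
        if n:
            hits.append((pattern, n))
            score += weight * min(n, 3)   # cap so one repeated indicator cannot dominate
    lit = longest_literal(html)
    if len(lit) >= HIGH_ENTROPY_MIN_LEN and shannon_entropy(lit) > HIGH_ENTROPY_BITS:
        hits.append(("high-entropy literal", len(lit)))
        score += HIGH_ENTROPY_WEIGHT
    return {"score": score, "hits": hits, "suspicious": score >= SUSPICIOUS_SCORE}


# ---- constructed sample pages ------------------------------------------------
BENIGN_PAGE = """<html><head><title>Downloads</title>
<script>
  function showNote() { document.getElementById('note').textContent = 'Saved'; }
</script></head>
<body><a href="/files/setup.exe" onclick="showNote()">Download</a>
<p id="note"></p></body></html>"""

# Classic lure: hidden iframe plus %XX-escaped script fed through unescape/eval.
CLASSIC_LURE = """<html><body>
<iframe src="http://lure.example.invalid/x.php" width=0 height=0 frameborder=0></iframe>
<script>
var p="%3C%73%63%72%69%70%74%3E%76%61%72%20%61%3D%6E%65%77%20%41%72%72%61%79%28%29%3B";
document.write(unescape(p));
eval(String.fromCharCode(118,97,114,32,98,61,49,59));
</script></body></html>"""

# Packed lure: no tell-tale API names, only a long high-entropy blob and a
# custom decoder. The blob is base64 of bytes 0..255 so the sample is offline.
_BLOB = base64.b64encode(bytes(range(256))).decode()
PACKED_LURE = f"""<html><body><script>
function d(s){{return s;}}
var k="{_BLOB}";
window.onload=function(){{ var z=d(k); }};
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("classic", CLASSIC_LURE), ("packed", PACKED_LURE)):
        print(name, score_page(page))
```

This is triage, not a verdict: minified libraries and packers used by legitimate sites will push the score up, which is why inline data: URIs are skipped and why the post's distinction matters, since flagging the lure page says nothing about whether the payload it serves is detected.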
From: Leythos on 30 Nov 2009 08:21

In article <hf0e3t$3fl$1(a)news.eternal-september.org>, erratic(a)nomail.afraid.org says...
>
> "Leythos" <spam999free(a)rrohio.com> wrote in message
> news:MPG.257d77cb5932f61b989fe2(a)us.news.astraweb.com...
> > In article <4b1485c0.988859(a)EBCDIC>, me(a)privacy.net says...
> >>
> >> Leythos wrote:
> >> >In all my decades of
> >> >experience I have never...
> >>
> >> ...learned how to configure a safe web interface (browser) such that
> >> one could surf without fear, regardless of the site.
> >
> > You seem to have missed the article like Butts did - it was a
> > sacrificial machine with the sole purpose of downloading files.
>
> It is well known that downloading program files from the web can
> potentially lead to malware problems. What interests me more (and from a
> detection point of view) is how the initial lure gets to be displayed to
> a user. Obfuscated HTML and/or script (I'm sure scripting was also
> enabled and unrestricted) can be detected as suspicious (Avira may show
> a heuristic detection of these) and 'nipped in the bud'. This is
> *not* the same as detecting the actual (various) malware being served
> up. Does your goat log these lure attempts, and did the endpoint
> protection slip up, or was it a new obfuscation technique it wasn't yet
> equipped to handle? Are your downloads unattended, or is the user
> required to say "yes" to whatever oddball rogue requests a click from
> them?
>
> I assume this was a goat network rather than a regular network that you
> set up on "opposite day". :o)

We have one machine we set up to download from the net; it's a machine that has no access to our other machines, by network connection and firewall rules. The purpose is to download files. It's not a honeypot, it's just a safe way of doing downloads.

In this case I was attempting to browse to a MS site and entered the address incorrectly and was taken to a non-MS site and immediately redirected to the malicious site.

SEPP didn't show anything at the time of entry or during the additional items the malware downloaded, and the firewall was not set up to monitor intrusions on that network/machine.

In this case there was no manual anything; as soon as the page started to load the tattle-tale DOS box appeared and then closed, doing this several times in a few seconds, as each new malware was loaded.

The reason I posted the events/information was to make people aware of just how easy it is to get compromised by accident, even if you're using a NAT router, using all updates/patches, using commercial antimalware tools, etc. In all my years I've never had that happen, but we don't normally allow that level of access on our networks or customers' networks - this machine was isolated and for good reason.

The point was that with a few simple protection methods, based on how I believe the infection entered, it could have been prevented, something that most people are not willing to do because of the limits it puts on them while using their computers.

-- 
You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)
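The mistyped-address path described in the post above (meaning to reach an MS site, landing on a non-MS one, then being redirected) is the typosquatting lure. As an added example that is not from the thread, here is a checker that flags hostnames one or two edits, or one homoglyph swap, away from the domains the download box is meant to reach. The intended-domain list, the homoglyph table and the hostnames in main() are constructed assumptions, and the "last two labels" registrable-domain rule is an assumption that ignores multi-label public suffixes such as co.uk.

```python
"""Flag hostnames that are a typo or look-alike of a domain you meant to visit.

Added example for this thread, not code posted by any participant. The
intended-domain list, the homoglyph table and the hostnames in main() are
constructed; the "last two labels" rule for the registrable domain is an
assumption that ignores multi-label public suffixes such as co.uk.
"""

# Assumed: the sites the isolated download box is meant to reach.
INTENDED_DOMAINS = {"microsoft.com", "windowsupdate.com", "mozilla.org"}

# Assumed: character sequences that read as another character in common fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

MAX_DISTANCE = 2   # assumed: edits beyond this are treated as unrelated


def registrable(host: str) -> str:
    """Lower-cased last two labels of `host` (assumption: single-label public suffix)."""
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Collapse look-alike sequences so 'rnicrosoft.com' compares as 'microsoft.com'."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def dl_distance(a: str, b: str) -> int:
    """Optimal-string-alignment Damerau-Levenshtein distance: insertion, deletion,
    substitution and adjacent transposition each cost 1, so 'microsfot' is 1 from 'microsoft'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_host(host: str, intended=frozenset(INTENDED_DOMAINS), max_distance: int = MAX_DISTANCE) -> dict:
    """Classify `host` as 'intended', 'lookalike' (with the closest target) or 'unrelated'."""
    dom = registrable(host)
    if dom in intended:
        return {"host": host, "domain": dom, "verdict": "intended"}
    best = None
    for target in sorted(intended):
        if normalize(dom) == target:
            dist, reason = 0, "homoglyph"
        else:
            dist, reason = dl_distance(dom, target), "typo"
        if best is None or dist < best[0]:
            best = (dist, target, reason)
    dist, target, reason = best
    if dist <= max_distance:
        return {"host": host, "domain": dom, "verdict": "lookalike",
                "lookalike_of": target, "distance": dist, "reason": reason}
    return {"host": host, "domain": dom, "verdict": "unrelated"}


if __name__ == "__main__":
    # Constructed hostnames: one genuine, three look-alikes, one unrelated.
    for h in ("www.microsoft.com", "microsfot.com", "rnicrosoft.com", "microsoft.co", "example.com"):
        print(check_host(h))
```

A check like this belongs where the request leaves the box (proxy, DNS resolver, or a browser hook), because the first hop is the only one the user typed; the redirect target after it is whatever the squatter chooses, which is why outbound logging on the isolated network matters as much as the check itself.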
From: FromTheRafters on 30 Nov 2009 08:59

"Leythos" <spam999free(a)rrohio.com> wrote in message
news:MPG.257d90f2f0d8adb1989fe4(a)us.news.astraweb.com...
> In article <hf0e3t$3fl$1(a)news.eternal-september.org>,
> erratic(a)nomail.afraid.org says...
>>
>> "Leythos" <spam999free(a)rrohio.com> wrote in message
>> news:MPG.257d77cb5932f61b989fe2(a)us.news.astraweb.com...
>> > In article <4b1485c0.988859(a)EBCDIC>, me(a)privacy.net says...
>> >>
>> >> Leythos wrote:
>> >> >In all my decades of
>> >> >experience I have never...
>> >>
>> >> ...learned how to configure a safe web interface (browser) such that
>> >> one could surf without fear, regardless of the site.
>> >
>> > You seem to have missed the article like Butts did - it was a
>> > sacrificial machine with the sole purpose of downloading files.
>>
>> It is well known that downloading program files from the web can
>> potentially lead to malware problems. What interests me more (and from a
>> detection point of view) is how the initial lure gets to be displayed to
>> a user. Obfuscated HTML and/or script (I'm sure scripting was also
>> enabled and unrestricted) can be detected as suspicious (Avira may show
>> a heuristic detection of these) and 'nipped in the bud'. This is
>> *not* the same as detecting the actual (various) malware being served
>> up. Does your goat log these lure attempts, and did the endpoint
>> protection slip up, or was it a new obfuscation technique it wasn't yet
>> equipped to handle? Are your downloads unattended, or is the user
>> required to say "yes" to whatever oddball rogue requests a click from
>> them?
>>
>> I assume this was a goat network rather than a regular network that you
>> set up on "opposite day". :o)
>
> We have one machine we setup to download from the net, it's a machine
> that has no access to our other machines by network connection and
> firewall rules - the purpose is to download files, it's not a honeypot,
> it's just a safe way of doing downloads.
>
> In this case I was attempting to browse to a MS site and entered the
> address incorrectly and was taken to a non-MS site and immediately
> redirected to the malicious site.

Common typosquatters!

> SEPP didn't show anything at the time of entry or during the additional
> items the malware downloaded, and the firewall was not setup to monitor
> intrusions on that network/machine.

Browser exploit webpage must have had something that worked on your setup.

> In this case there was no manual anything, as soon as the page started
> to load the tattle-tale DOS box appeared and then closed, doing this
> several times in a few seconds - as each new malware was loaded.

Why do you run this special isolated machine as admin?

> The reason I posted the events/information was to make people aware of
> just how easy, even if you're using a NAT router, it is to get
> compromised by accident, using all updates/patches, using commercial
> antimalware tools, etc.... In all my years I've never had that happen,
> but we don't normally allow that level of access on our networks or
> customers networks - this machine was isolated and for good reason.

Compartmentalization is the essence of what the term "firewall" used to be all about.

> The point was that with a few simple protection methods, based on how I
> believe the infection entered, it could have been prevented, something
> that most people are not willing to do because of the limits it puts on
> them while using their computers.

You mean - like not running as admin when you don't need to?
From: tommy on 30 Nov 2009 09:03

Leythos wrote:
> In article <hf0e3t$3fl$1(a)news.eternal-september.org>,
> erratic(a)nomail.afraid.org says...
>>
>> "Leythos" <spam999free(a)rrohio.com> wrote in message
>> news:MPG.257d77cb5932f61b989fe2(a)us.news.astraweb.com...
>>> In article <4b1485c0.988859(a)EBCDIC>, me(a)privacy.net says...
>>>>
>>>> Leythos wrote:
>>>>> In all my decades of
>>>>> experience I have never...
>>>>
>>>> ...learned how to configure a safe web interface (browser) such
>>>> that one could surf without fear, regardless of the site.
>>>
>>> You seem to have missed the article like Butts did - it was a
>>> sacrificial machine with the sole purpose of downloading files.
>>
>> It is well known that downloading program files from the web can
>> potentially lead to malware problems. What interests me more (and
>> from a detection point of view) is how the initial lure gets to be
>> displayed to a user. Obfuscated HTML and/or script (I'm sure
>> scripting was also enabled and unrestricted) can be detected as
>> suspicious (Avira may show a heuristic detection of these) and
>> 'nipped in the bud'. This is *not* the same as detecting the
>> actual (various) malware being served up. Does your goat log these
>> lure attempts, and did the endpoint protection slip up, or was it a
>> new obfuscation technique it wasn't yet equipped to handle? Are your
>> downloads unattended, or is the user required to say "yes" to
>> whatever oddball rogue requests a click from them?
>>
>> I assume this was a goat network rather than a regular network that
>> you set up on "opposite day". :o)
>
> We have one machine we setup to download from the net, it's a machine
> that has no access to our other machines by network connection and
> firewall rules - the purpose is to download files, it's not a
> honeypot, it's just a safe way of doing downloads.
>
> In this case I was attempting to browse to a MS site and entered the
> address incorrectly and was taken to a non-MS site and immediately
> redirected to the malicious site.
>
> SEPP didn't show anything at the time of entry or during the
> additional items the malware downloaded, and the firewall was not
> setup to monitor intrusions on that network/machine.
>
> In this case there was no manual anything, as soon as the page started
> to load the tattle-tale DOS box appeared and then closed, doing this
> several times in a few seconds - as each new malware was loaded.
>
> The reason I posted the events/information was to make people aware of
> just how easy, even if you're using a NAT router, it is to get
> compromised by accident, using all updates/patches, using commercial
> antimalware tools, etc.... In all my years I've never had that happen,
> but we don't normally allow that level of access on our networks or
> customers networks - this machine was isolated and for good reason.
>
> The point was that with a few simple protection methods, based on how
> I believe the infection entered, it could have been prevented,
> something that most people are not willing to do because of the
> limits it puts on them while using their computers.

Seems like Firefox with NoScript might have prevented that. [It's happened to me before, that's why I use FF.]

-- 
Tommy
From: FromTheRafters on 30 Nov 2009 10:04

"tommy" <tommylee9_2000(a)removeyahoo.dropcom> wrote in message
news:hf0jbr$sme$1(a)news.eternal-september.org...
> seems like firefox with noscript might have prevented that. [ its
> happened to me before, thats why i use ff ]

A malicious website can host a wide variety of exploits covering many different clients. The way to get the user to visit the site varies (some using script), but this was just a misstep that landed Leythos in a bad place (with the keys to the machine dangling out of his pocket). Sometimes the user's choice of client only changes the website's choice of exploit(s).