Infection via Website

Posted by Dennis on May 1, 2007, 4:50 pm
There's a website I know of... as soon as you visit it, your anti-
virus (AVG in my case) starts setting off warnings. The site is
clearly trying to install spyware/viruses (apparently it is well
known for doing this).

As someone studying to become an MCSE I am curious about the specifics of
how the site is trying to infect computers, i.e.: is it using Java to do
this? ActiveX? Applets? Scripts? I know it manages to get a few
files onto my hard drive (the files being on my hard drive are what
actually trigger the AVG warnings). How does it activate those files
and get them running in memory/startup? Can ActiveX/Java/etc./etc. make
changes to your registry? Do you fully need to turn off these IE
settings to be truly safe? etc., etc.

If anyone could give me some very basic info, or point me to some good
(brief & to the point) links, it would be much appreciated.

Thanks in advance


Posted by David H. Lipman on May 1, 2007, 5:34 pm

| There's a website I know of... as soon as you visit it, your anti-
| virus (AVG in my case) starts setting off warnings. The site is
| clearly trying to install spyware/viruses (apparently it is well
| known for doing this).
|
| As someone studying to become an MCSE I am curious about the specifics of
| how the site is trying to infect computers, i.e.: is it using Java to do
| this? ActiveX? Applets? Scripts? I know it manages to get a few
| files onto my hard drive (the files being on my hard drive are what
| actually trigger the AVG warnings). How does it activate those files
| and get them running in memory/startup? Can ActiveX/Java/etc./etc. make
| changes to your registry? Do you fully need to turn off these IE
| settings to be truly safe? etc., etc.
|
| If anyone could give me some very basic info, or point me to some good
| (brief & to the point) links, it would be much appreciated.
|
| Thanks in advance

Insufficient information.

How about posting AVG log excerpts so we can see what files in the IE cache were
seen, as well as what AVG was reporting.

Chances are many of the events were for exploit code.
The current "hot" exploit is the ANI exploit.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Dennis on May 1, 2007, 6:26 pm
> How about posting AVG log excerpts so we can see what files in the IE cache
> were seen, as well as what AVG was reporting.

My question was more about security in general.... how many different
ways are there for a website to infect a computer without the user's
interaction? etc

But in the case of this one specific site I know of, here's what AVG
records as soon as you visit:

- Resident Shield reports Virus identified VBS/Psyme.N in Temporary
Internet Files\newad[1].htm
- Resident Shield reports Trojan horse Downloader.Small.58.AW in
Temporary Internet Files\Image[1].htm

So... somehow the website got two .htm files onto my hard drive (how
exactly?). I assume they're not really .htm files, just .exe or some
other kind of executable that has been renamed? But that alone is
harmless unless I somehow activate them. So how does it activate itself
and go about getting itself into memory and wreaking havoc? etc., etc.

I just want a basic understanding... any info is appreciated.






Posted by David H. Lipman on May 1, 2007, 6:42 pm

>> How about posting AVG log excerpts so we can see what files in the IE cache
>> were seen, as well as what AVG was reporting.
|
| My question was more about security in general.... how many different
| ways are there for a website to infect a computer without the user's
| interaction? etc
|
| But in the case of this one specific site I know of, here's what AVG
| records as soon as you visit:
|
| - Resident Shield reports Virus identified VBS/Psyme.N in Temporary
| Internet Files\newad[1].htm
| - Resident Shield reports Trojan horse Downloader.Small.58.AW in
| Temporary Internet Files\Image[1].htm
|
| So... somehow the website got two .htm files onto my hard drive (how
| exactly?). I assume they're not really .htm files, just .exe or some
| other kind of executable that has been renamed? But that alone is
| harmless unless I somehow activate them. So how does it activate itself
| and go about getting itself into memory and wreaking havoc? etc., etc.
|
| I just want a basic understanding... any info is appreciated.
|

They are too numerous to enumerate, based upon the many ways to exploit
vulnerabilities.
This can be QuickTime, Sun Java, RealAudio, GDI, ANI, MS Office, etc., etc.

Then there is cleverly crafted and encoded JavaScript in HTML files, which is
most likely what AVG called "VBS/Psyme.N".

In the case above, the HTML file has binary information in it that has been
encoded with the script. The code is decrypted and executed; the binary is
extracted, saved and executed.

Many exploits work through what is called "elevation of privileges". This
occurs when a buffer overflow condition is exploited and the process creates
an elevation of privileges where the code can be executed even in a limited
user account that doesn't have admin rights.

The problem is this is a public News Group and I don't want to go too deep
because I may instruct you as well as teach miscreants ways to do bad things
to others.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
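A defender-side triage script for cached pages like the two AVG flagged above (an .htm that carries an encoded blob plus a script that decodes and runs it), written here as an added example; it is not code from the thread, from AVG or from any vendor, and the sample HTML, file names and thresholds are constructed for illustration.

```python
import os
import re
from urllib.parse import unquote

# Constructed samples. The "suspicious" one mimics the shape Dave describes:
# a long %XX-escaped string handed to unescape() and then eval(). The payload
# is a harmless document.write so the heuristics can be exercised offline.
BENIGN_SAMPLE = '<html><body><h1>Hello</h1><script>var x = 1 + 2;</script></body></html>'
ENCODED_PAYLOAD = "".join("%%%02X" % b for b in b'document.write("decoded")')
SUSPICIOUS_SAMPLE = (
    '<html><body><script>'
    'var s = unescape("' + ENCODED_PAYLOAD + '"); eval(s);'
    '</script></body></html>'
)

# Heuristics: decoder/executor calls, and runs of 16+ consecutive escaped bytes.
DECODE_EXEC = re.compile(r'\b(eval|unescape|execScript|fromCharCode)\s*\(', re.I)
ESCAPED_RUN = re.compile(r'(?:%[0-9A-Fa-f]{2}){16,}')

def score_html(html: str) -> dict:
    """Static triage of one cached .htm file. Nothing is executed; escaped
    runs are only decoded as text so an analyst can preview what they hold."""
    decode_calls = [m.group(1).lower() for m in DECODE_EXEC.finditer(html)]
    runs = ESCAPED_RUN.findall(html)
    encoded_bytes = sum(len(r) // 3 for r in runs)
    # Share of the file taken up by escaped bytes; an ad or image page is
    # not normally mostly blob.
    ratio = (3 * encoded_bytes) / max(len(html), 1)
    decoded_preview = unquote(runs[0])[:40] if runs else ""
    suspicious = bool(decode_calls) and (encoded_bytes >= 16 or ratio > 0.3)
    return {
        "decode_calls": sorted(set(decode_calls)),
        "encoded_bytes": encoded_bytes,
        "encoded_ratio": round(ratio, 2),
        "decoded_preview": decoded_preview,
        "suspicious": suspicious,
    }

def triage_files(files: dict) -> list:
    """Score a {name: html} mapping and return the names flagged suspicious."""
    return [name for name, html in files.items() if score_html(html)["suspicious"]]

def triage_cache_dir(path: str) -> list:
    """Walk a directory (e.g. a copy of Temporary Internet Files) and score
    every .htm/.html file; returns the flagged paths."""
    found = {}
    for root, _dirs, names in os.walk(path):
        for name in names:
            if name.lower().endswith((".htm", ".html")):
                full = os.path.join(root, name)
                with open(full, "r", encoding="latin-1", errors="ignore") as fh:
                    found[full] = fh.read()
    return triage_files(found)
```

Point it at an offline copy of the cache, never at the live site; flagged files are candidates for sandbox analysis, not proof of infection.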



Posted by Dennis on May 1, 2007, 9:17 pm
> They are too numerous to enumerate, based upon the many ways to exploit
> vulnerabilities.
> This can be QuickTime, Sun Java, RealAudio, GDI, ANI, MS Office, etc., etc.
>
> Then there is cleverly crafted and encoded JavaScript in HTML files, which is
> most likely what AVG called "VBS/Psyme.N".
>
> In the case above, the HTML file has binary information in it that has been
> encoded with the script. The code is decrypted and executed; the binary is
> extracted, saved and executed.
>
> Many exploits work through what is called "elevation of privileges". This
> occurs when a buffer overflow condition is exploited and the process creates
> an elevation of privileges where the code can be executed even in a limited
> user account that doesn't have admin rights.
>
> The problem is this is a public News Group and I don't want to go too deep
> because I may instruct you as well as teach miscreants ways to do bad things
> to others.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

Good info, thanks for the reply Dave. A few more questions if you
don't mind:

Regarding the above example of a sleazy website, which setting(s) would
I need to adjust in IE to have it protect me from these .htm files it
put in my temporary folder? Poking around in IE settings I notice a
bunch about enabling/disabling/prompting for ActiveX but none regarding
Java. I see one called "Binary and Script Behaviours"; would this be
it? What do you personally do when surfing the net? Do you use trusted
zones?




