Here's how easy it is



The first day after a clean installation of XP, one of my clients did a
Google search for "human arm anatomy". On the right side there was a
sponsored link...
http://www.ask.com/web?q=Lower+Arm+Muscle+Diagram&qsrc=6&o=10616&l=dir
OK, that one was safe but the very first link on the ask.com page which
appears to be "us dot alx dot linux-site dot net/uthitamadsun.html" brings
up the infamous Personal Antivirus warning seen at
http://mewnlite.com/PAV.gif (safe, just an image)
She got out of it fast and mbam found no trace of it so she was lucky.
I came home and duplicated her action on one of my own computers. Same
results except there was a WOT warning. The Personal Antivirus popup was
there too. I hit "cancel" and the phony scan came up in another browser.
Both of us were using Firefox.
The only advice I could offer was for her to stay away from sponsored
links, but it could have happened just as easily on a non-sponsored site.
My HOSTS file blocks most all of Google's sponsored sites. The example
above got past it though.

--
        --- Everybody has a right to my opinion. ---

Re: Here's how easy it is



Lil' Abner wrote:
Quoted text here. Click to load it
For any window that has the focus, you can type ALT+F4 and send a
"Close Windows" instruction to the command queue.  I never trust the
Close or Exit button on something that just appears.

hth,

mike

Re: Here's how easy it is



mike wrote:
Quoted text here. Click to load it
Tiny correction, "Close Window", singular.

Re: Here's how easy it is



Lil' Abner wrote:

Quoted text here. Click to load it

"except there was a WOT warning"
Sounds like you had WOT installed whereas your customer did not.  I
tried it for a while.  Found it outdated (but not as bad as SiteAdvisor)
plus less than 2% of all web sites have been ranked so most of the time
the neutral rating was displayed which is of no value.

Closing the web browser is an event that can be detected in Javascript
to perform a function.  Malicious sites will use the event to reload
their web page and keep their dialog open, reopen it, reload their web
page, or keep you there, or ignore your close attempt and proceed with
whatever action they intended to take, like *pretending* to run a scan
on your host while issuing a bogus infection report.  Their popup dialog
(asking you to select to run or cancel their proposed scan) is modal so
you cannot change focus back to the web browser's frame.  When you
attempt to close the web browser during their fake scan, they script
their way out using the close event to keep you there.

You never mentioned what OS either you or your customer are using.  If
it is a version of Windows and one that includes taskkill.exe then you
can create a shortcut in a toolbar in the Windows taskbar that will kill
ALL instances of the web browser.  For IE, I use a shortcut that runs:

  %windir%\system32\taskkill.exe /im iexplore.exe /f

Not only does this kill all current instances of IE but it also
eliminates the malicious sites that keep spawning new windows for IE in
an attempt to hang your host with fully consumed memory.  The continual
spawning makes it impossible to get focus on any particular IE window
which prevents you from closing it, you'll never catch up trying to kill
iexplore.exe processes using Task Manager, but you can still click on
the taskkill shortcut.

I normally want scripting enabled in the web browser because far too
many sites would be useless or overly crippled without it.  Not just
commercial sites but freeware and personal sites, too.  When visiting
completely unknown or untrusted sites, I use a shortcut that disables
scripting in the web browser (and for any instances of it loaded
thereafter) while visiting the untrusted site.  When I close my reminder
window (a DOS shell) which is after I exit the web browser, scripting
gets reenabled.  The shortcut runs a batch file that runs IE with a
limited token (see below), in private mode, in no add-ons mode, and with
scripting disabled:

Batch file: curb_IE.bat

@echo off
cls

rem - Disable script support in the Internet security zone.
rem   Zone 3 = Internet; value 1400 = Active scripting (0 = enable, 1 = prompt,
rem   3 = disable).  The zone number subkey ("\3") is required; writing 1400
rem   directly under "Zones" changes nothing.
echo __________________________________________________________________
echo.
echo DISABLE script support in Internet Explorer ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1400 /t REG_DWORD /d 3 /f

rem - Run IE with limited privileges (psexec -l), no add-ons, and in private mode.
rem   psexec waits for the browser to exit before the batch file continues.
echo.
echo __________________________________________________________________
echo.
echo Load Internet Explorer with no add-ons and in private mode ...
echo.
echo *** Do NOT terminate this batch file.
echo *** Exit the web browser to complete this batch file and
echo     resume script support.
echo.
echo WARNING: ALL instances of the web browser will have scripting disabled
echo          until this batch file completes execution.
C:\Tools\SysInternals\psexec.exe -l "%programfiles%\Internet Explorer\iexplore.exe" -extoff -private about:blank
echo.
echo __________________________________________________________________
echo.

rem - Enable script support in the Internet security zone.
echo.
echo ENABLE script support in Internet Explorer ...
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1400 /t REG_DWORD /d 0 /f

When I run this batch file, a DOS shell window appears with the echoed
comments.  I do the web browsing in private mode, with no add-ons, where
no scripts can execute, and under a limited user account to severely
reduce the privileges for the web browser process.  Disabling add-ons
will make many sites unusable so you might want another batch file that
omits the -extoff parameter for a slightly less restrictive instance of
the web browser.  The above batch file was tested on Windows XP Pro but
I doubt IE uses different registry keys and data values to identify that
the scripting option has been disabled.  reg.exe simply makes the
changes to the registry rather than you having to manually wade through
the config screens in IE.  I click the shortcut, the DOS window appears,
I use the web browser in its throttled state (and any instances of IE
opened thereafter may or may not have private or no-addons modes enabled
but they will still have scripting disabled), I close the web browser
(all windows for each instance), and the batch script continues its
execution in the DOS shell to re-instate scripting support and it
closes.  In fact, for that shortcut, I configure its properties to open
the DOS shell minimized so all I see is the taskbar button for it.  When
I exit the last window for IE, that taskbar button disappears (but I
could restore its window size to see the comments).

It has always been recommended to have users log under a Limited User
Account (LUA) which significantly reduces their permissions.  Alas, many
users still log under an admin-level account and some of us can't do our
work unless logged in under an admin-level account.  That doesn't
preclude running the web browser under a LUA token to reduce its
privileges.  Vista, I believe, with its UAC mode helps to mitigate some
of the problems with the web browser having full privileges.  In Windows
XP, I use SysInternals' psexec with its -l option to load a process
under a LUA token (I like it better than DropMyRights).  If you use
OnlineArmor for your firewall (which also includes HIPS), it has its
RunSafer attribute you can assign to a program so when it loads it also
runs under a LUA token.  GeSWall doesn't limit privileges but itself
enforces privileges on processes.  OA and GeSWall have the advantage
that they are automatic and will limit any instance of the web browser,
including if it is started as the child of another process (malware will
often try to usurp an Internet-facing application to get their
connection).  However, more security means more interference.  It's good
for average or noob users but the educated can probably do without it
and eliminate the conflicts they cause (unless they're lazy and, of
course, all of us are to some degree since we want to use our computers
instead of waste time securing them).  I eventually went simpler in my
security setup and now just use the shortcuts to determine how limited
is the web browser.  I have an IE toolbar added to the Windows taskbar
with shortcuts to run IE as:

- Normal
- Private Mode (-private)
- Private Mode + No Addons Mode (-private -extoff)
- Private Mode + No Addons Mode + No Scripts (uses a batch file)
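The same "disable scripting, browse, re-enable" toggle from the batch file above, rewritten here as an added PowerShell example (not the poster's own script): it reads back the registry value after each write and restores the previous setting in a finally block, so scripting is re-enabled even if the browser fails to launch or the window is interrupted. It assumes the standard Internet-zone key (Zones\3, value 1400) and the default IE path; the limited-token step (psexec -l) from the post is left out.

```powershell
# Added example: hardened version of the curb_IE.bat idea. Assumes the
# standard IE zone key and value; psexec -l (limited token) is not included.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ie   = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

function Get-ActiveScripting {
    # Value 1400 = "Active scripting": 0 = enable, 1 = prompt, 3 = disable.
    # If the value is absent the zone default applies; treat that as enabled.
    $item = Get-ItemProperty -Path $zone -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'1400'
}

function Set-ActiveScripting([int]$Value) {
    Set-ItemProperty -Path $zone -Name '1400' -Value $Value -Type DWord
    # Read back and fail loudly rather than browse with scripting still enabled.
    if ((Get-ActiveScripting) -ne $Value) {
        throw "Zone 3 value 1400 is not $Value after the write; aborting."
    }
}

$previous = Get-ActiveScripting
try {
    Set-ActiveScripting 3
    Write-Host "Active scripting DISABLED in the Internet zone (was $previous)."
    Write-Host "Close all browser windows to restore the previous setting."
    # -extoff = no add-ons, -private = InPrivate; -Wait blocks until IE exits.
    Start-Process -FilePath $ie -ArgumentList '-extoff', '-private', 'about:blank' -Wait
}
finally {
    # Runs on normal exit, on a failed launch, and when the script is stopped with Ctrl+C.
    Set-ActiveScripting $previous
    Write-Host "Active scripting restored to $previous."
}
```

As with the batch file, the setting is per user (HKCU) and applies to every browser instance started while the script is running.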

Re: Here's how easy it is




Quoted text here. Click to load it

That's some pretty useful stuff for those of us who understand it, but
I'm afraid the little old lady that was searching for "human arm
anatomy" wouldn't have a clue.
She's running XP Home SP3. I'm running XP Pro SP3. I also have Vista and
Win 7 RC on this machine and will try that URL just for kicks and see how
it acts in those OS's. I thought that it was amusing that the URL of the
offending site included "linux-site" in it.
As far as WOT goes, I do notice that it flags a lot of sites you Google
for. Perhaps the 2% you mentioned are mostly bad sites that people have
reported. Who is going to take the time to rate a *good* site?
Thanks a lot for your lengthy reply. There's a lot of stuff in there that
I can use.

--
        --- Everybody has a right to my opinion. ---

Re: Here's how easy it is - Thanks Dustin!




Quoted text here. Click to load it

Firefox in Windows 7 did nothing to block it, but Microsoft blocked it in
IE8. So I went back to XP to see if IE blocked it there, but MalwareBytes
now has the IP blocked. It won't let Firefox in there either. Way to go!
You don't suppose Dustin Cook was reading this thread and fixed it? :-)



--
        --- Everybody has a right to my opinion. ---

Re: Here's how easy it is - Thanks Dustin!

Lil' Abner wrote:

Quoted text here. Click to load it

I've only twice tested the free version of MalwareBytes (which doesn't
have any real-time protection).  I don't see how it could block anything
unless it is just another anti-malware scanner.  If IE was blocking
without the use of MalwareBytes then I'd suspect that the phishing list
got updated for IE and that the phishing filter was enabled in IE.  

Re: Here's how easy it is - Thanks Dustin!


Quoted text here. Click to load it

I have the paid version  of MalwareBytes. One of the features is real time
IP protection. It stops either browser before the page can open.
Interestingly, the top link on the Ask page has changed to something else
now, but it is also a rogue site and mbam has it blocked as well.

http://mewnlite.com/mbamIP.gif

--
        --- Everybody has a right to my opinion. ---

Re: Here's how easy it is - Thanks Dustin!




Quoted text here. Click to load it

The paid version has an IP blocker which was introduced in version v1.40;
v1.41 promises several fixes for reported issues since its introduction.
If you're seriously interested in testing our IP technology, I can arrange
for a license for your time as a beta tester.


--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Re: Here's how easy it is - Thanks Dustin!

Dustin Cook wrote:

Quoted text here. Click to load it

Is there a trial version of a released version instead?  If I'm going to
schedule time to see what features are in a product, I'd prefer to do so
on a non-beta version.  Will MB run inside a VM (for testing)?

Re: Here's how easy it is - Thanks Dustin!


Quoted text here. Click to load it

I'm not sure what you mean by trial version. We have either the FREE or
PRO versions; with the only difference being resident protection module,
IP blocking and scheduling. We do not offer "trial" keys or anything, and
the key unlocks the program for life; it's not tied to the unreleased
beta specifically. This has been our policy since day one...




--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Re: Here's how easy it is - Thanks Dustin!

Quoted text here. Click to load it

He thinks that having offered him a "license for [his] time as a beta
tester," you expect him to use a beta version of the product, so he is
asking if there is some way he can try out the release version for a limited
time for free (i.e., trial version).

So if you were to explain to him that what he understood is not what you
meant, you should both be on the same page.

(The irony of my inserting myself into the discussion is that I like him
even less than I like you.)

--
Rhonda Lea Kirk Fries

The right to be heard does not automatically include
the right to be taken seriously. Hubert H. Humphrey



Re: Here's how easy it is - Thanks Dustin!


Quoted text here. Click to load it

I see. I suppose I wasn't clear then. I'm willing to provide him a
license if he doesn't mind beta testing v1.41 when it's available to
outside beta testing. For the time being however, he could take advantage
of the registered features of v1.40 and let us know of any bugs/issues he
has with the registered features which can be addressed in future
releases. I have a limited amount of beta testers I am authorized to
acquire, so he should take advantage of this offer soon via email if he
is interested.

 
Quoted text here. Click to load it

Thanks. Hopefully the above clears up any misunderstanding.
 
Quoted text here. Click to load it

That is true irony. I expected a special place in your enemies list, all
by myself for my act of treason against you.
 



--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Re: Here's how easy it is - Thanks Dustin!



Dustin Cook wrote:

Quoted text here. Click to load it

Yes, after visiting your site, I see there are no trial versions (of
released versions) available to let users evaluate the software before
purchasing it.  I don't want to appear to be worming a freebie version
out of you, especially if I can't be fair in allocating the time to
perform faithful testing to produce reasonable and usable analysis.  

This month is not promising.  My buddy needs my help to repair and
improve his sister's house.  I'm still repairing and cleaning up after a
burglary.  Need to get the house and yard stuff done before it gets
dismal outside.  I asked about trials so I could QA the product later
since it is unlikely that I'll get time to test a beta version now.
Thanks for the offer, though.  It was tempting.  

Re: Here's how easy it is - Thanks Dustin!


Quoted text here. Click to load it

Don't bother. It is an annoying PITA (the IP Protection is).
I turn it off and it turns itself back on.
I have disabled the 'Protection Module' to get rid of the IP Protection
permanently.
Paid my money and now can only use the free side of it.
Guess this is another program that is going to turn into a load of
bloatware.

Re: Here's how easy it is - Thanks Dustin!


Quoted text here. Click to load it

It will turn itself back on if you reboot/relogin to windows, yes.
However, there is a registry key based workaround that will disable it
entirely.

Quoted text here. Click to load it

That's not necessary. Please visit our forum for assistance.

Quoted text here. Click to load it

If you are in any way unhappy or unsatisfied with our software, Please
visit the site at http://www.malwarebytes.org and acquire yourself a
support ticket; We'll see what can be done about issuing you a refund. We
clearly don't want you feeling cheated or otherwise unhappy with our
program.

 



--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Re: Here's how easy it is - Thanks Dustin!

On Tue, 29 Sep 2009 01:09:02 GMT, Dustin Cook

Quoted text here. Click to load it

I found the link and had used it before you posted. Thanks anyway.
I had already put in a support ticket but the person who responded
seemed to be a bit useless.

He reckons he provided me with a link and his email trail quite clearly
shows he did not.
And he had the gall to accuse me of not reading the information
provided. Cheeky git!

Reply one from support:
--------------
"Hello and welcome to the Malwarebytes helpdesk. Thank you for choosing
Malwarebytes' Anti-Malware as your malware security solution, my name is
<name deleted to protect the useless> and I'll be assisting you today.

If you'd like to disable this feature, Right-click the Protection Module
icon located in the system tray and UNcheck 'IP Protection'. "
--------------

Note, this was after my initial query advising I was doing this and this
is not working as a permanent solution, which is what I wanted.

I replied that I was not completely stupid and this did not work.

Reply two from support (12 minutes after the first):
--------------
Nothing to do with you being stupid or not. People don't read the info
provided.

See the link already provided to totally disable it via registry.
--------------

So will I use your support option again? No!

Re: Here's how easy it is - Thanks Dustin!

On Tue, 29 Sep 2009 06:48:18 +0100, Paul Jones

Quoted text here. Click to load it

I should add I found the forum yesterday and found the registry key to
change and it is now working how I wanted (Permanently disabled!). Shame
support could not have just provided this link instead of being.....

Re: Here's how easy it is - Thanks Dustin!

On Tue, 29 Sep 2009 06:48:18 +0100, Paul Jones

Quoted text here. Click to load it

The support person has now emailed me back:
----------------
"You're right, for some odd reason instead of replying with the usual
reply I did not, so apologies from me."
----------------

The end of the matter for me.

Re: Here's how easy it is - Thanks Dustin!


Quoted text here. Click to load it

I am very sorry you had such a lousy experience with our technical
support staff. They aren't normally such a... fun lot.

Quoted text here. Click to load it

I really can't blame you, from the post it wasn't a good experience at
all. I have passed this information along to the persons in charge, so
this will hopefully not happen to anyone else.

I am glad you found the information tho. In the future, I think I'll just
post the links for persons such as yourself, so you don't have to jump
thru hoops to get your question answered.

Have a good day!
 



--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk
