win32.pinfi - Page 3



Re: win32.pinfi

Sorry, I must have misunderstood your reasoning for running the subject
computer in such a pants down bent over state on the internet.

Re: win32.pinfi

erratic@nomail.afraid.org says...

We've had a computer in that role for years, this was the first time it
had been compromised in all that time, running under that same
methodology. If I had given it enough time the IDS in the firewall would
have locked it to the network it was in and not let it have Internet
access, so there was no real danger of spewing crap on the net for very
long.

This was a sacrificial computer, we keep a ghost image of it on a USB
drive so that we can restore it as needed - it's not like the machine is
used by people that can't spot the signs....

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.  
Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)

Re: win32.pinfi

Leythos wrote:

seems like firefox with noscript might have prevented that. [ it's happened
to me before, that's why i use ff ]
--
Tommy



Re: win32.pinfi

A malicious website can host a wide variety of exploits covering many
different clients. The way to get the user to visit the site varies
(some using script), but this was just a misstep that landed Leythos in
a bad place (with the keys to the machine dangling out of his pocket).

Sometimes the user's choice of client only changes the website's choice
of exploit(s).



Re: win32.pinfi

FromTheRafters wrote:

So scripts aren't the only way to infect somebody's pc from a website.
Got any cool links for that type of thing?
--
Tommy



Re: win32.pinfi

http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf



Re: win32.pinfi

FromTheRafters wrote:
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf

excellent, thanks

--
Tommy



Re: win32.pinfi

FromTheRafters wrote:

That link merely describes the theoretical nature of browsing dangers
affecting grossly under-protected systems or extremely careless users.
I wonder if there's any real danger out there to a hardened system?
I'm still waiting on someone to put up a link that my system can't handle.

Re: win32.pinfi

I assumed the poster only wanted information. The fact is that the
browser itself acts as a window for other programs that also consume
data from a webpage, so even if the browser itself isn't attacked (or
abused in the case of scripting or media extensions) it still
participates in the attack vector. Exploits on webpages aren't entirely
limited to scripting exploits - although that is probably the lion's
share.


Probably not, but there's always new stuff coming all the time. I used
to be able to send a metarefresh to the con/con bug in an e-mail, just
because that is no longer possible does not mean something else like it
won't be possible in the future. Even security programs (parsing the
HTML prior to the browser getting it) could conceivably be attacked if
they mishandle the data.

I always had scripting disabled in earlier Windows versions (I
considered scripting to be extending programming rights on my machine to
unknown parties), now I just take my chances with the timeliness of
patches for zero-day exploits.



Re: win32.pinfi

FromTheRafters wrote:

Only participates to the degree allowed by one's config.


AFAIK the browser is the first app that sees anything online,
after the innate windows firewall.
Is there anything that can overwhelm a simple allow/ignore IDS?

Re: win32.pinfi

Indeed! That's the problem.


Remember "Proxomitron"? I'm thinking that some of these browse-safe
"security" programs work similarly.


Overwhelm? No. Circumvent? Probably. It lies in what is allowed to be
consumed by what.



Re: win32.pinfi

FromTheRafters wrote:

Later became Proximodo, or was it vice versa,
in any case I don't have any of those illusions of privacy here.

Re: win32.pinfi

It would be, at the least, irresponsible for anybody in antimalware to place
any link that could harm your computer intentionally. Some things, you will
have to locate on your own; if that's really your wish.


--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Re: win32.pinfi

Dustin Cook wrote:

I'm not looking to harm my system, but merely offering a bluff for someone so
inclined to call it, and I suspect you well understand the sarcastic smart ass
nature of such.
To be simplistic, I could do more damage with readily available hand tools
than any set of code could ever hope to. I'm a retired electronic tech that
has spent enough time online to adopt the arrogance of today's youth. ;-)

Re: win32.pinfi

I just had an image of you sitting there all smug with a text-only
browser - just daring anyone to post a malicious link. :oD

There was a site some time ago that hosted every exploit they knew to
crash the visitor's machine - a test site that explained what was being
tested for and allowed the user to decline if so desired. Also, another
site on that domain that did the same thing only not so nicely. Having
never used a text only browser, I wouldn't know how affected it would be
by the malformed or oversized font file exploits.

Still, your computer consumes data, and that data can be maliciously
crafted.



Re: win32.pinfi

FromTheRafters wrote:

It's not limited to text only, but actually plays javascript and a bunch of
other crap as well, just doesn't swallow everything it tastes.


I think there was a netfarmers or, something like that, site
that would wreak havoc on early browsers.


Maybe a better or more accurately defined 'consumption' would be in order.
Just utilizing such data doesn't necessarily have to be destructive regardless
of how it's crafted. Like why welders have such thick gloves, to exert
influence, yet not be too influenced, by a rivet.

Opera v10.10 (latest freebie)
Sandboxie v3.40 (didn't like v3.42)
Foxit v3.1.1.0928 (latest freebie)
...and just in case
OB1 v3.5d (really bullet proof since 2006)

Re: win32.pinfi

Data destined by the consumer program's design to be translated and
interpreted as program code (a browser extension that runs scripts, for
example) is the most obvious consumption. Such code can do something
undesired by using or abusing functions. Data destined by design to be
consumed as data only can influence program flow in undesired ways as
well, especially if there are flaws in the consuming program that allow
the data to be interpreted as code. Even if the data isn't interpreted
as code, it can be used by the consuming program as input (for address
arithmetic, for example), which can result in DoS conditions like hanging
or crashing the program or the OS by memory corruption.

Data crafted as a simple DoS attack, while unsophisticated, would still
be exploit based malware.


No, it doesn't have to be. The thing is that data coming in often gets
consumed by more than just the program that the user thinks is consuming
it. There are often many opportunities to mishandle data.
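An added illustration of the "address arithmetic on input" point in the post above. This is not code from the thread or from any poster: the container format ("TBL1" magic, a u32 offset and a u32 length followed by body bytes), the field values and the function names are all constructed for this example. It shows a bounds check written the way a consumer often writes it, where the offset and length are added in 32-bit arithmetic and a large offset wraps the sum back into range, next to a hardened check arranged so that no arithmetic on the untrusted fields can overflow. The naive version only models the decision; it does not perform the copy that would follow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy container format, constructed for this example (not a real file
 * format): 4-byte magic "TBL1", little-endian u32 table offset, little-endian
 * u32 table length, then body bytes. The consumer copies the table into a
 * fixed-size buffer, i.e. it does address arithmetic on untrusted input. */
#define HDR_SIZE 12
#define TABLE_MAX 64

static uint32_t rd_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Builds a 20-byte blob with the given header fields and a constant
 * 8-byte body; returns the blob length. dst must hold HDR_SIZE + 8 bytes. */
size_t build_blob(uint8_t *dst, uint32_t off, uint32_t len)
{
    memcpy(dst, "TBL1", 4);
    wr_u32(dst + 4, off);
    wr_u32(dst + 8, len);
    memcpy(dst + HDR_SIZE, "ABCDEFGH", 8);
    return HDR_SIZE + 8;
}

/* The naive bounds check. off + len is computed in uint32_t, so an offset
 * near 2^32 wraps the sum back below blob_len and the table looks in bounds
 * although it is not. Only the decision is modelled here; the out-of-bounds
 * copy that would follow is deliberately not performed.
 * Returns 1 if this check would accept the blob, 0 otherwise. */
int naive_check_passes(const uint8_t *blob, size_t blob_len)
{
    if (blob_len < HDR_SIZE || memcmp(blob, "TBL1", 4) != 0)
        return 0;
    uint32_t off = rd_u32(blob + 4);
    uint32_t len = rd_u32(blob + 8);
    uint32_t end = off + len;                 /* may wrap modulo 2^32 */
    return end <= blob_len && len <= TABLE_MAX;
}

/* Hardened consumer: each comparison is ordered so that nothing derived
 * from the untrusted fields can overflow, and the copy is bounded by the
 * destination capacity as well as by the blob.
 * Returns 0 on success and -1 if the blob is rejected. */
int parse_table(const uint8_t *blob, size_t blob_len,
                uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (blob_len < HDR_SIZE || memcmp(blob, "TBL1", 4) != 0)
        return -1;
    uint32_t off = rd_u32(blob + 4);
    uint32_t len = rd_u32(blob + 8);
    if (off < HDR_SIZE || off > blob_len)     /* table must start in the body */
        return -1;
    if (len > blob_len - off)                 /* cannot wrap: off <= blob_len */
        return -1;
    if (len > out_cap)                        /* and must fit the destination */
        return -1;
    memcpy(out, blob + off, len);
    *out_len = len;
    return 0;
}

int main(void)
{
    uint8_t blob[HDR_SIZE + 8], out[TABLE_MAX];
    size_t n = 0;

    size_t bl = build_blob(blob, HDR_SIZE, 4);           /* well-formed */
    printf("good: naive=%d hardened=%d\n",
           naive_check_passes(blob, bl),
           parse_table(blob, bl, out, sizeof out, &n));

    bl = build_blob(blob, 0xFFFFFFF0u, 0x20);            /* wrapping offset */
    printf("bad:  naive=%d hardened=%d\n",
           naive_check_passes(blob, bl),
           parse_table(blob, bl, out, sizeof out, &n));
    return 0;
}
```

The hardened version never forms `off + len`: it first pins `off` inside the buffer and then compares `len` against the remaining space, so the subtraction cannot wrap, and it checks the destination size separately from the source size. Both checks accept the well-formed blob; only the naive one accepts the blob whose offset wraps.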



Re: win32.pinfi

The trick is what's done with the data. Is it treated as data only, or
can specific instructions be included? That's where it gets
interesting...


--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org

Re: win32.pinfi

Like when it is assumed that the data will only be treated as data (as
designed) but vulnerabilities exist (malicious font files), or it is
misunderstood that an assumed data filetype has the ability to execute
code by design (WMF).

Sites that host exploit based malware could have a detrimental effect on
a system where the user thinks he can go anywhere and click on anything
because he uses a "secure" browser. Exploits such as the one discussed
here http://seclists.org/bugtraq/2009/Jul/91 could still ruin your day.



Re: win32.pinfi

FromTheRafters wrote:

Ruin whose day?
Went and checked,
yep,
sure enough,
they're talking about MSIE.
Now, kindly show me the way to an actual threat to a 'secure' browser.
I'm not saying none exist,
just would like to know the limits to my system
so I can tweak my config if needed.
