How to navigate away from quicksand domains which hold your browser captive until you install their software?

[hummingbird]

On Mon, 14 Jul 2008 12:05:55 -0400 'Beauregard T. Shagnasty'
wrote this on alt.comp.freeware:

>hummingbird wrote:
>
>> 'Beauregard T. Shagnasty' wrote:
>>> hummingbird wrote:
>>>> [HEALTH WARNING]
>>>> If you switch off all your security s/w and surf to this website,
>>>> see what happens: xxx.pricelessware.org
>>
>>> Ok, I did. I see a ~1995-coding-style web site with many lists of
>>> free Windows software. What was supposed to happen?
>>
>> Well, several months ago, if you had no security running that website
>> was discreetly transferring you to a URL based in HK and downloading
>> a trojan onto your system and running it to take you over. A recent
>> poster reported a similar problem only a coupla days ago on ACF. I
>> believe a malicious a-frame was installed by hackers. Much debate
>> here about it on ACF at the time.


>So that was a Windows trojan then?

The one in question is called "trojan.systemposer".

>Ok, I understand. To become
>infected, you probably needed to be using a Windows OS,

I use XP-Pro. I have no idea if *nix suffers the same problems.
Some people say it's more secure, but that's probably because
the hackers focus on MS s/w.

>probably Internet Explorer,

I use an IE clone (Avant).

>probably allowing ActiveX, probably don't have
>patches to stop malicious iframe redirection (which is quite common on
>hacked sites). [I guess you meant iframe, rather than a-frame.]

Sorry, yes I meant i-frame.

The problem with banning Active-X across the board in IE browsers
is that some websites simply don't display correctly without it.


>> After I got hit by it, I added the URL into my HOSTS file to prevent
>> myself ever going there again in error.
>
>If you got hit by this trojan, then which of the above were you not
>securing yourself from? Windows/IE/ActiveX/patches/iframes ?

All, but I took immediate to kill it and recovered within an hour.
I might add that that was the first time ever I got hit, and that
is without running AV s/w and not having a lot of browser patches,
although my browsing security is quite tight.

I read in the thread that you don't use Windows, so you probably
don't have all these problems. But my earlier point was about them
affecting a majority of users using Windows.


--
"All truth passes through three stages.
First, it is ridiculed, second it is violently opposed,
and third, it is accepted as self-evident"
(Arthur Schopenhauer)

[Beauregard T. Shagnasty]

hummingbird wrote:

> 'Beauregard T. Shagnasty' wrote:
<snippage>
>> So that was a Windows trojan then?
>
> The one in question is called "trojan.systemposer".

That is a nasty one. It's a rootkit as well, and - depending on what
else it downloaded and installed - nearly impossible to get rid of.
Experts suggest you flatten and reinstall to be totally sure you are rid
of everything.

>> Ok, I understand. To become infected, you probably needed to be using
>> a Windows OS,
>
> I use XP-Pro. I have no idea if *nix suffers the same problems. Some
> people say it's more secure, but that's probably because the hackers
> focus on MS s/w.

Linux is not affected. And not because hackers focus on Windows, it's
because they won't be successful targeting Linux. In order to install
anything, my Linux operating system will ask me for my root password.
When that occurs, everything else on the desktop is frozen. All I have
to do is answer [ Cancel ] - if it would ever occur in the first place.
There are no Linux viruses/trojans in the wild, simply because they
can't be reproduced outside a lab.

In order to successfully compromise a Linux PC, you have to be sitting
in front of it.

>> probably Internet Explorer,
>
> I use an IE clone (Avant).

That's an IE shell rather than a clone, so you are still using IE
beneath that shell, with much of the same security issue.

>> probably allowing ActiveX, probably don't have patches to stop
>> malicious iframe redirection (which is quite common on hacked
>> sites). [I guess you meant iframe, rather than a-frame.]
>
> Sorry, yes I meant i-frame.

http://htmlhelp.com/reference/html40...al/iframe.html

> The problem with banning Active-X across the board in IE browsers is
> that some websites simply don't display correctly without it.

There are so few of those sites anymore, and in most cases, you can find
alternative sites for the same information. You could also use Firefox
with the 'simulate ActiveX' extension, which would probably work but be
a lot more secure.

>>> After I got hit by it, I added the URL into my HOSTS file to prevent
>>> myself ever going there again in error.
>>
>> If you got hit by this trojan, then which of the above were you not
>> securing yourself from? Windows/IE/ActiveX/patches/iframes ?
>
> All, but I took immediate to kill it and recovered within an hour.

Some sites about that trojan indicate that an hour might not be long
enough. <g>

> I might add that that was the first time ever I got hit, and that
> is without running AV s/w and not having a lot of browser patches,
> although my browsing security is quite tight.
>
> I read in the thread that you don't use Windows, so you probably
> don't have all these problems. But my earlier point was about them
> affecting a majority of users using Windows.

Sure, almost everyone uses Windows. And the hackers love it because of
all the holes in it. ;-)

--
-bts
-Friends don't let friends drive Windows

[hummingbird]

On Mon, 14 Jul 2008 14:33:18 -0400 'Beauregard T. Shagnasty'
wrote this on alt.comp.freeware:

>hummingbird wrote:
>
>> 'Beauregard T. Shagnasty' wrote:
><snippage>
>>> So that was a Windows trojan then?
>>
>> The one in question is called "trojan.systemposer".
>
>That is a nasty one. It's a rootkit as well, and - depending on what
>else it downloaded and installed - nearly impossible to get rid of.
>Experts suggest you flatten and reinstall to be totally sure you are rid
>of everything.

Interesting.
I researched at the time but found conflicting descriptions.

Anyway, I noticed what was happening at the time and shut down
the browser and ADSL connection within about 10secs.

I found 7-8 small programs on my system and wrapped them in
a zipfile for safety (later sent to SuperAntiSpyware guys for
analysis).

I then spent 2-3 hours running every piece of anti-malware s/w
I have, including several root kit programs. All came up clear.

Since then, I've seen no abnormal activity on my system using
packet sniffers and monitoring ports etc. My guess is that I
killed it before it had hardly got started doing its evil work.


>>> Ok, I understand. To become infected, you probably needed to be using
>>> a Windows OS,
>>
>> I use XP-Pro. I have no idea if *nix suffers the same problems. Some
>> people say it's more secure, but that's probably because the hackers
>> focus on MS s/w.
>
>Linux is not affected. And not because hackers focus on Windows, it's
>because they won't be successful targeting Linux. In order to install
>anything, my Linux operating system will ask me for my root password.
>When that occurs, everything else on the desktop is frozen. All I have
>to do is answer [ Cancel ] - if it would ever occur in the first place.
>There are no Linux viruses/trojans in the wild, simply because they
>can't be reproduced outside a lab.
>
>In order to successfully compromise a Linux PC, you have to be sitting
>in front of it.

I believe you, thousands wouldn't ;-)

>>> probably Internet Explorer,
>>
>> I use an IE clone (Avant).
>
>That's an IE shell rather than a clone, so you are still using IE
>beneath that shell, with much of the same security issue.

Indeed.

>>> probably allowing ActiveX, probably don't have patches to stop
>>> malicious iframe redirection (which is quite common on hacked
>>> sites). [I guess you meant iframe, rather than a-frame.]
>>
>> Sorry, yes I meant i-frame.
>
>http://htmlhelp.com/reference/html40...al/iframe.html

Thanks, I'll take a look at that.
I presume it's easy to imbed a malware URL into one of those.


>> The problem with banning Active-X across the board in IE browsers is
>> that some websites simply don't display correctly without it.
>
>There are so few of those sites anymore, and in most cases, you can find
>alternative sites for the same information. You could also use Firefox
>with the 'simulate ActiveX' extension, which would probably work but be
>a lot more secure.

A site I read a bit is the UK Telegraph newspaper which requires
Active-X. But I now have my browser set to prompt for Active-X
use.

>>>> After I got hit by it, I added the URL into my HOSTS file to prevent
>>>> myself ever going there again in error.
>>>
>>> If you got hit by this trojan, then which of the above were you not
>>> securing yourself from? Windows/IE/ActiveX/patches/iframes ?
>>
>> All, but I took immediate to kill it and recovered within an hour.
>
>Some sites about that trojan indicate that an hour might not be long
>enough. <g>

see above. I jumped into action like greased lightning!

>> I might add that that was the first time ever I got hit, and that
>> is without running AV s/w and not having a lot of browser patches,
>> although my browsing security is quite tight.
>>
>> I read in the thread that you don't use Windows, so you probably
>> don't have all these problems. But my earlier point was about them
>> affecting a majority of users using Windows.
>
>Sure, almost everyone uses Windows. And the hackers love it because of
>all the holes in it. ;-)

When I build my next system, I hope to install a version of *nix
as well as XP-Pro-SP3, probably using VMPC.


--
"All truth passes through three stages.
First, it is ridiculed, second it is violently opposed,
and third, it is accepted as self-evident"
(Arthur Schopenhauer)

[Beauregard T. Shagnasty]

hummingbird wrote:
<snippage>
["trojan.systemposer"]
> Anyway, I noticed what was happening at the time and shut down
> the browser and ADSL connection within about 10secs.
>
> I found 7-8 small programs on my system and wrapped them in
> a zipfile for safety (later sent to SuperAntiSpyware guys for
> analysis).
>
> I then spent 2-3 hours running every piece of anti-malware s/w
> I have, including several root kit programs. All came up clear.
>
> Since then, I've seen no abnormal activity on my system using
> packet sniffers and monitoring ports etc. My guess is that I
> killed it before it had hardly got started doing its evil work.

Maybe you got lucky. Maybe it wasn't activated by its owner prior to
your shutting off your connection.

You do have a router and firewall, correct?

>> Sure, almost everyone uses Windows. And the hackers love it because
>> of all the holes in it. ;-)
>
> When I build my next system, I hope to install a version of *nix as
> well as XP-Pro-SP3, probably using VMPC.

Try Ubuntu. You can also install it from within Windows using Wubi. For
testing and playing. I wouldn't recommend using any virtual machine for
a working installation, though.

--
-bts
-Friends don't let friends drive Windows

[hummingbird]

On Mon, 14 Jul 2008 16:45:26 -0400 'Beauregard T. Shagnasty'
wrote this on alt.comp.freeware:

>hummingbird wrote:
><snippage>
>["trojan.systemposer"]
>> Anyway, I noticed what was happening at the time and shut down
>> the browser and ADSL connection within about 10secs.
>>
>> I found 7-8 small programs on my system and wrapped them in
>> a zipfile for safety (later sent to SuperAntiSpyware guys for
>> analysis).
>>
>> I then spent 2-3 hours running every piece of anti-malware s/w
>> I have, including several root kit programs. All came up clear.
>>
>> Since then, I've seen no abnormal activity on my system using
>> packet sniffers and monitoring ports etc. My guess is that I
>> killed it before it had hardly got started doing its evil work.
>
>Maybe you got lucky. Maybe it wasn't activated by its owner prior to
>your shutting off your connection.
>
>You do have a router and firewall, correct?

s/w firewall = yes, router = no.

A router is for my next system in a few months.

>>> Sure, almost everyone uses Windows. And the hackers love it because
>>> of all the holes in it. ;-)
>>
>> When I build my next system, I hope to install a version of *nix as
>> well as XP-Pro-SP3, probably using VMPC.
>
>Try Ubuntu. You can also install it from within Windows using Wubi. For
>testing and playing. I wouldn't recommend using any virtual machine for
>a working installation, though.

Yep ok. Ubuntu is currently top of my list :-)
We have one or two folks here on ACF who know about that and
there's always the other groups WHEN (not if) I get stuck ;-)

Thanks for the suggestion...


--
"All truth passes through three stages.
First, it is ridiculed, second it is violently opposed,
and third, it is accepted as self-evident"
(Arthur Schopenhauer)

[hummingbird]

On Mon, 14 Jul 2008 22:40:23 +0100, hummingbird wrote in <g5gkko.lg.1
@localhost.127.0.0.1>:
>
> On Mon, 14 Jul 2008 16:45:26 -0400 'Beauregard T. Shagnasty'
> wrote this on alt.comp.freeware:
>
> >hummingbird wrote:
> ><snippage>
> >["trojan.systemposer"]
> >> Anyway, I noticed what was happening at the time and shut down
> >> the browser and ADSL connection within about 10secs.
> >>
> >> I found 7-8 small programs on my system and wrapped them in
> >> a zipfile for safety (later sent to SuperAntiSpyware guys for
> >> analysis).
> >>
> >> I then spent 2-3 hours running every piece of anti-malware s/w
> >> I have, including several root kit programs. All came up clear.
> >>
> >> Since then, I've seen no abnormal activity on my system using
> >> packet sniffers and monitoring ports etc. My guess is that I
> >> killed it before it had hardly got started doing its evil work.
> >
> >Maybe you got lucky. Maybe it wasn't activated by its owner prior to
> >your shutting off your connection.
> >
> >You do have a router and firewall, correct?
>
> s/w firewall = yes, router = no.
>
> A router is for my next system in a few months.
>
> >>> Sure, almost everyone uses Windows. And the hackers love it because
> >>> of all the holes in it. ;-)
> >>
> >> When I build my next system, I hope to install a version of *nix as
> >> well as XP-Pro-SP3, probably using VMPC.
> >
> >Try Ubuntu. You can also install it from within Windows using Wubi. For
> >testing and playing. I wouldn't recommend using any virtual machine for
> >a working installation, though.
>
> Yep ok. Ubuntu is currently top of my list :-)
> We have one or two folks here on ACF who know about that and
> there's always the other groups WHEN (not if) I get stuck ;-)
>
> Thanks for the suggestion...
>

------FORGERY---------

--
"All truth passes through three stages.
First, it is ridiculed, second it is violently opposed,
and third, it is accepted as self-evident"
(Arthur Schopenhauer)
--
....of all the things i've lost in my life ... i miss my mind the most

[hummingbird]

On Mon, 14 Jul 2008 20:51:20 +0100, hummingbird wrote in <g5ge89.1ts.1
@localhost.127.0.0.1>:
>
> On Mon, 14 Jul 2008 14:33:18 -0400 'Beauregard T. Shagnasty'
> wrote this on alt.comp.freeware:
>
> >hummingbird wrote:
> >
> >> 'Beauregard T. Shagnasty' wrote:
> ><snippage>
> >>> So that was a Windows trojan then?
> >>
> >> The one in question is called "trojan.systemposer".
> >
> >That is a nasty one. It's a rootkit as well, and - depending on what
> >else it downloaded and installed - nearly impossible to get rid of.
> >Experts suggest you flatten and reinstall to be totally sure you are rid
> >of everything.
>
> Interesting.
> I researched at the time but found conflicting descriptions.
>
> Anyway, I noticed what was happening at the time and shut down
> the browser and ADSL connection within about 10secs.
>
> I found 7-8 small programs on my system and wrapped them in
> a zipfile for safety (later sent to SuperAntiSpyware guys for
> analysis).
>
> I then spent 2-3 hours running every piece of anti-malware s/w
> I have, including several root kit programs. All came up clear.
>
> Since then, I've seen no abnormal activity on my system using
> packet sniffers and monitoring ports etc. My guess is that I
> killed it before it had hardly got started doing its evil work.
>
>
> When I build my next system, I hope to install a version of *nix
> as well as XP-Pro-SP3, probably using VMPC.
>

------FORGERY---------

hb

--
....of all the things i've lost in my life ... i miss my mind the most

[hummingbird]

On Mon, 14 Jul 2008 17:58:02 +0100, hummingbird wrote in <g5g43a.8o.1
@localhost.127.0.0.1>:
>
> On Mon, 14 Jul 2008 12:05:55 -0400 'Beauregard T. Shagnasty'
> wrote this on alt.comp.freeware:
>
> >hummingbird wrote:
> >
> >> 'Beauregard T. Shagnasty' wrote:
> >>> hummingbird wrote:
> >>>> [HEALTH WARNING]
> >>>> If you switch off all your security s/w and surf to this website,
> >>>> see what happens: xxx.pricelessware.org
> >>
> >>> Ok, I did. I see a ~1995-coding-style web site with many lists of
> >>> free Windows software. What was supposed to happen?
> >>
> >> Well, several months ago, if you had no security running that website
> >> was discreetly transferring you to a URL based in HK and downloading
> >> a trojan onto your system and running it to take you over. A recent
> >> poster reported a similar problem only a coupla days ago on ACF. I
> >> believe a malicious a-frame was installed by hackers. Much debate
> >> here about it on ACF at the time.
>
>
> >So that was a Windows trojan then?
>
> The one in question is called "trojan.systemposer".
>
> >Ok, I understand. To become
> >infected, you probably needed to be using a Windows OS,
>
> I use XP-Pro. I have no idea if *nix suffers the same problems.
> Some people say it's more secure, but that's probably because
> the hackers focus on MS s/w.
>
> >probably Internet Explorer,
>
> I use an IE clone (Avant).
>
> >probably allowing ActiveX, probably don't have
> >patches to stop malicious iframe redirection (which is quite common on
> >hacked sites). [I guess you meant iframe, rather than a-frame.]
>
> Sorry, yes I meant i-frame.
>
> The problem with banning Active-X across the board in IE browsers
> is that some websites simply don't display correctly without it.
>
>
> >> After I got hit by it, I added the URL into my HOSTS file to prevent
> >> myself ever going there again in error.
> >
> >If you got hit by this trojan, then which of the above were you not
> >securing yourself from? Windows/IE/ActiveX/patches/iframes ?
>
> All, but I took immediate to kill it and recovered within an hour.
> I might add that that was the first time ever I got hit, and that
> is without running AV s/w and not having a lot of browser patches,
> although my browsing security is quite tight.
>
> I read in the thread that you don't use Windows, so you probably
> don't have all these problems. But my earlier point was about them
> affecting a majority of users using Windows.
>


------FORGERY---------

--
"All truth passes through three stages.
First, it is ridiculed, second it is violently opposed,
and third, it is accepted as self-evident"
(Arthur Schopenhauer)

[hummingbird]

On Mon, 14 Jul 2008 23:31:26 +0100
**THE FORGER*** wrote this on alt.comp.freeware:






>On Mon, 14 Jul 2008 22:40:23 +0100, hummingbird wrote in <g5gkko.lg.1
>@localhost.127.0.0.1>:
>>
>> On Mon, 14 Jul 2008 16:45:26 -0400 'Beauregard T. Shagnasty'
>> wrote this on alt.comp.freeware:
>>
>> >hummingbird wrote:
>> ><snippage>
>> >["trojan.systemposer"]
>> >> Anyway, I noticed what was happening at the time and shut down
>> >> the browser and ADSL connection within about 10secs.
>> >>
>> >> I found 7-8 small programs on my system and wrapped them in
>> >> a zipfile for safety (later sent to SuperAntiSpyware guys for
>> >> analysis).
>> >>
>> >> I then spent 2-3 hours running every piece of anti-malware s/w
>> >> I have, including several root kit programs. All came up clear.
>> >>
>> >> Since then, I've seen no abnormal activity on my system using
>> >> packet sniffers and monitoring ports etc. My guess is that I
>> >> killed it before it had hardly got started doing its evil work.
>> >
>> >Maybe you got lucky. Maybe it wasn't activated by its owner prior to
>> >your shutting off your connection.
>> >
>> >You do have a router and firewall, correct?
>>
>> s/w firewall = yes, router = no.
>>
>> A router is for my next system in a few months.
>>
>> >>> Sure, almost everyone uses Windows. And the hackers love it because
>> >>> of all the holes in it. ;-)
>> >>
>> >> When I build my next system, I hope to install a version of *nix as
>> >> well as XP-Pro-SP3, probably using VMPC.
>> >
>> >Try Ubuntu. You can also install it from within Windows using Wubi. For
>> >testing and playing. I wouldn't recommend using any virtual machine for
>> >a working installation, though.
>>
>> Yep ok. Ubuntu is currently top of my list :-)
>> We have one or two folks here on ACF who know about that and
>> there's always the other groups WHEN (not if) I get stuck ;-)
>>
>> Thanks for the suggestion...
>>
>
>------FORGERY---------


You are the forgery, moron.


--
"All truth passes through three stages.
First, it is ridiculed, second it is violently opposed,
and third, it is accepted as self-evident"
(Arthur Schopenhauer)

[DrumStick]

It happens that Alfred Einstein formulated :
> "Ed Mullen" <ed@edmullen.net> wrote in message
> newsIGdnTP_78JRXufVnZ2dnUVZ_uydnZ2d@comcast.com...
>> Tom wrote:
>>> On Sun, 13 Jul 2008 14:52:18 -0400, Ed Mullen wrote:
>>>
>>>> Why are you jumping through all these hoops? The Windows "hosts" file is
>>>> a plain text file you can edit in Notepad.
>>>
>>> I know, I know. Microsoft put the c:\windows\system32\drivers\etc\hosts
>>> file in the most
>>> ridiculous non-intuitive spot it could possibly find, deep in muck, deep
>>> under large directories that take a while to load, and without a decent
>>> extension so you have to grope for your text editor (mine is vim
>>> freeware).
>>>
>>> So, rather than "jump thru hoops" each time just to edit the hosts file, I
>>> add a one-time-only registry key "hosts" which opens up the TEXT file (so
>>> that I have a backup if I need it). When I type "Start -> Run -> hosts",
>>> vim opens up that
>>> c:\windows\system32\drivers\etc\hosts.txt text file, where I edit and save
>>> to "hosts" which it saves in the current directory (i.e.,
>>> c:\windows\system32\drivers\etc\hosts).
>>>
>>> That's a LOT easier than navigating deep into the windows hierarchy into
>>> the least logical place MS could have placed the hosts file and then
>>> fumbling around to get notepad to edit the file with no extension.
>>
>> Nonsense!
>>
>> You have detailed a process that does not work in my standard install of
>> WXP-SP3. You have further created a questionable process involving editing
>> the Windows Registry which is, at best, a questionable process in and of
>> itself, and hardly something to be posting to a newsgroup.
>>
>> Further, you have not answered satisfactorily any questions of the links
>> you posted. And, your bizarre approach to a HOSTS file is ...
>> mind-blowingly stupid.
>>
>> I deem this entire thread bogus at best, threatening at worst. I encourage
>> no one to do anything that "Tom" has recommended until he demonstrates that
>> he actually knows what he's doing by citing authoritative references.
>>
>> That HOSTS file and registry stuff is total nonsense and the product of (at
>> best) someone who has not a clue and who has been surfing and copied
>> suspect references.

> Nonsense. This is a fine solution (though I can think of simpler ones ...
> like just creating a shortcut to vim-edit the hosts file).

Agreed, or you can use Hostman to manage the HOSTS.

Drumstick