Kitz ADSL Broadband Information
Author Topic: Warning - DSLzone site compromised  (Read 36576 times)

silversurfer44

  • Kitizen
  • ****
  • Posts: 4421
  • Lord Muck
    • Ben Novice Weather
Re: Warning - DSLzone site compromised
« Reply #75 on: March 26, 2010, 09:25:40 AM »

My greatest sympathies are with anyone who catches one of these nasties. I just wonder though, how many users are running their computer in administrator mode. I have yet to meet a Windows user who runs their computer with a restricted account. One that requires a strong administrator password to allow the installation of applications/executables etc. I frequent a couple of Linux forums, as that is my system choice, and I am amazed how many Windows users want to compromise their Linux system by running it in Root User mode. One can live in the strongest well-protected castle going but if the front door has the key left in it then the protection is useless. I know the only sure-fire way of not getting infected is to never switch the machine on, but why not cut the risks and make a user account on the computer? One without administrator privileges.
Logged
Colin II : It's no good being a pessimist, it wouldn't work anyway.

CurlyWhirly

  • Reg Member
  • ***
  • Posts: 370
Re: Warning - DSLzone site compromised
« Reply #76 on: March 26, 2010, 10:33:35 AM »

I've seen quite a few systems in recent weeks with any/all of the "symptoms" you listed, there's been quite a rash of them.
And in most cases once the defences are breached a whole horde of nasties flood in behind.

The worrying thing is that in most cases the users are cautious people with proper protection in place and have no recollection of doing anything risky at all.
That's what got to me. I don't visit dodgy websites or bother with P2P and yet something definitely was up, and I only visited a forum!
Logged
Mike

CurlyWhirly

  • Reg Member
  • ***
  • Posts: 370
Re: Warning - DSLzone site compromised
« Reply #77 on: March 26, 2010, 10:36:33 AM »

>> My greatest sympathies are with anyone who catches one of these nasties. I just wonder though, how many users are running their computer in administrator mode. I have yet to meet a Windows user who runs their computer with a restricted account. One that requires a strong administrator password to allow the installation of applications/executables etc. I frequent a couple of Linux forums, as that is my system choice, and I am amazed how many Windows users want to compromise their Linux system by running it in Root User mode. One can live in the strongest well-protected castle going but if the front door has the key left in it then the protection is useless. I know the only sure-fire way of not getting infected is to never switch the machine on, but why not cut the risks and make a user account on the computer? One without administrator privileges.

This latest episode has made me think twice about running my Windows installation in Administrator mode (I have always run it in this mode as it's the default option and I've never bothered to change it  :-[ )

In general everyday use is it a lot of hassle?

I'm running Vista on both my PCs and I found the constant UAC warnings a pain  ???
Logged
Mike

silversurfer44

  • Kitizen
  • ****
  • Posts: 4421
  • Lord Muck
    • Ben Novice Weather
Re: Warning - DSLzone site compromised
« Reply #78 on: March 26, 2010, 10:48:45 AM »

Not wishing to go off topic here, but Mike you are spot on when you say the administrator mode is the default option. That is purely the fault of Microsoft. They do not put any emphasis on running in administrator mode. They could change it if they wish and make it a lot harder for the vagabonds. Unfortunately it may put a few anti-virus companies out of business as well ::)
Logged
Colin II : It's no good being a pessimist, it wouldn't work anyway.

CurlyWhirly

  • Reg Member
  • ***
  • Posts: 370
Re: Warning - DSLzone site compromised
« Reply #79 on: March 26, 2010, 11:06:37 AM »

>> Not wishing to go off topic here, but Mike you are spot on when you say the administrator mode is the default option. That is purely the fault of Microsoft. They do not put any emphasis on running in administrator mode. They could change it if they wish and make it a lot harder for the vagabonds. Unfortunately it may put a few anti-virus companies out of business as well ::)

I didn't know that!

In hindsight it's a wonder that Microsoft have not been hassled by the EU for their own AV solution, mind you that's the subject for another debate!
Logged
Mike

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7411
  • VM Gig1 - AAISP CF
Re: Warning - DSLzone site compromised
« Reply #80 on: March 27, 2010, 10:27:01 PM »

>> Can you name the website...

Yes I can
- I still even have a copy of part of the code which was injected into the forum index page using javascript.

However I don't think it's wise putting the URL up, in case anyone goes clicking or looking at the site...   other than to say it starts with gold.

------

btw - those PHP errors being seen were a result of the hackers changing the header in one of the phpBB files when they inserted their own script

Please, if you don't mind, PM me this information.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7411
  • VM Gig1 - AAISP CF
Re: Warning - DSLzone site compromised
« Reply #81 on: March 27, 2010, 10:32:31 PM »


Stresses that the above did NOT come from the dslzone attack..  and it's NOT the same thing that you guys are seeing.

The point being that new variants of viruses are being released all the time and that's why we need to make sure our AV is kept up to date and patched.
I've been online now for about 13/14 yrs and iirc the only time I've ever suffered from such like is back in 2002/2003 on the very night that SQL Slammer was released into the wild.   It got me about 30 mins after it was released... but it was so new that none of the AVs could offer any protection against it.  It was a few days before M$ released a patch for MSDE SQL and even longer before the AVs started offering protection.
:'(

None of us should be too complacent either, because I know of several forums which have been attacked through brand new security issues that have come to light. Luckily these were more minor stuff such as spam-bot types and not malicious stuff...  but in the world of computing we all have to be constantly alert :/

What would likely have worked is using a 'proper' limited account alongside software restriction policy.  However it is a bit of hassle setting it up.  That alone is more powerful than any A/V can ever be.

The problem with A/V is it's a game of cat and mouse: the trojan coder only needs to change a few bytes and suddenly the virus database can't pick it up, and then the A/V relies on heuristics, which is always hit and miss.  There will always be 0day viruses that are not detected and this situation will never change.

I am very curious to see the infection code as well as the well-known trojan site you refer to in PM.  I will then put NOD32 on max hardcore settings on a spare PC to see how that handles it; after that test I will then deploy an SRP + limited account setup and see if it can infect me.

Finally was this virus able to infect via all browsers or just specific ones?
« Last Edit: March 27, 2010, 10:34:41 PM by Chrysalis »
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7411
  • VM Gig1 - AAISP CF
Re: Warning - DSLzone site compromised
« Reply #82 on: March 27, 2010, 10:39:58 PM »

>> Not wishing to go off topic here, but Mike you are spot on when you say the administrator mode is the default option. That is purely the fault of Microsoft. They do not put any emphasis on running in administrator mode. They could change it if they wish and make it a lot harder for the vagabonds. Unfortunately it may put a few anti-virus companies out of business as well ::)

Windows 8 will very likely change this.

After XP Microsoft (finally) realised using admin accounts is a bad thing to do for general use; admin accounts should only be used for maintenance tasks.  So they deployed UAC in Vista. The problem they had was they could not just change the default to limited accounts, since virtually all software was designed to work with admin privileges.  UAC is there to make software developers change their behaviour.  It is a stop-gap measure.  The end game is to have limited accounts as the default, which I am hoping will be the case in Windows 8.  Saying that though, I expect most software nowadays will work in limited accounts.

Software restriction policies are a fairly little-known option. What they do is restrict what paths programs can be executed from, e.g. just Program Files and the Windows folder can be set.  Since a limited user cannot write to those folders, you then have a nightmare scenario for trojans: the limited user cannot execute programs from a folder they can write to.  So at worst the payload would be able to get itself onto the end user's HDD in a writeable folder via a browser exploit etc., however it will not be able to run due to SRP.
Logged
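The SRP setup described in the post above, written out as an added example that is not part of the thread and not code from any poster: a PowerShell script, assumed to be run from an elevated prompt on a machine where the everyday account is a standard (non-administrator) user, that writes the local-machine Software Restriction Policy directly to the registry keys Group Policy uses. Default level Disallowed, Unrestricted path rules for %ProgramFiles%, %ProgramFiles(x86)% and %SystemRoot%, and an explicit Disallowed rule for %SystemRoot%\Temp, which standard users can write to. The folder list, the rule descriptions and the file-type list are assumptions for the example.

```powershell
# Added example, not code from the thread. Local-machine Software Restriction
# Policy written to the registry keys Group Policy uses. Run from an elevated
# PowerShell on a spare machine first; the policy applies at next logon.
$ErrorActionPreference = 'Stop'
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Safer security levels (SAFER_LEVELID_* constants).
$Disallowed   = 0
$Unrestricted = 0x40000   # 262144

New-Item -Path $base -Force | Out-Null

# Everything is blocked unless a rule allows it. PolicyScope 0 applies the
# policy to all users including administrators; TransparentEnabled 1 covers
# executables but not DLLs (2 would include DLLs, at a noticeable cost).
Set-ItemProperty -Path $base -Name DefaultLevel        -Type DWord -Value $Disallowed
Set-ItemProperty -Path $base -Name TransparentEnabled  -Type DWord -Value 1
Set-ItemProperty -Path $base -Name PolicyScope         -Type DWord -Value 0
Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Type DWord -Value 0
# File types treated as executable by SRP (assumed list for the example).
Set-ItemProperty -Path $base -Name ExecutableTypes     -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
    'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
    'PIF','REG','SCR','SHS','URL','VB','WSC')

function Add-SrpPathRule {
    # Each path rule lives under <level>\Paths\{GUID}; ItemData holds the
    # path (environment variables expanded at evaluation), SaferFlags is 0.
    param([int]$Level, [string]$Path, [string]$Description)
    $ruleKey = "$base\$Level\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Type ExpandString -Value $Path
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description -Type String       -Value $Description
}

# Allowed: the folders a limited user cannot write to (assumed list).
Add-SrpPathRule $Unrestricted '%ProgramFiles%'      'Installed programs'
Add-SrpPathRule $Unrestricted '%ProgramFiles(x86)%' 'Installed 32-bit programs'
Add-SrpPathRule $Unrestricted '%SystemRoot%'        'Windows itself'

# Carve-out: a more specific path rule takes precedence over a less specific
# one, and %SystemRoot%\Temp is writable by standard users, so deny it.
Add-SrpPathRule $Disallowed '%SystemRoot%\Temp' 'User-writable folder under Windows'

Write-Host "SRP written to $base; it takes effect at the next logon."
```

With this in place a standard user can still launch anything installed under Program Files or Windows, while a file saved into the profile folder, %TEMP% or a download directory is refused with the "blocked by group policy" message, which is exactly the outcome the post describes. Two practical checks: sign out and back in before testing, since the policy is read at logon, and look for any other subfolders of %SystemRoot% that grant write access to the Users group, adding a Disallowed rule for each, because an Unrestricted rule on the parent would otherwise cover them.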

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Warning - DSLzone site compromised
« Reply #83 on: March 28, 2010, 04:34:18 AM »

>> please if you dont mind pm me this information

Done
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

CurlyWhirly

  • Reg Member
  • ***
  • Posts: 370
Re: Warning - DSLzone site compromised
« Reply #84 on: March 28, 2010, 06:17:03 PM »

>> I am very curious to see the infection code as well as the well-known trojan site you refer to in PM.  I will then put NOD32 on max hardcore settings on a spare PC to see how that handles it; after that test I will then deploy an SRP + limited account setup and see if it can infect me.

You're braver than me  ???

I would only attempt something like this in a sandbox environment!
Logged
Mike

postie

  • Member
  • **
  • Posts: 28
Re: Warning - DSLzone site compromised
« Reply #85 on: April 10, 2010, 02:30:20 PM »

Site still playing up and James hasn't been back on the site since 22nd March when he sorted it out then :(  He has had messages sent to him on adsl24 but nothing, and it's April 10th now. :no:
Logged

UncleUB

  • Helpful
  • Senior Kitizen
  • *
  • Posts: 29543
Re: Warning - DSLzone site compromised
« Reply #86 on: April 10, 2010, 02:52:24 PM »

>> Site still playing up and James hasn't been back on the site since 22nd March when he sorted it out then :(  He has had messages sent to him on adsl24 but nothing, and it's April 10th now. :no:

I, like many others, have not been back and have removed it from my bookmarks and into the old dustbin. It's a shame because the site could have been really good if run and maintained properly.
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Warning - DSLzone site compromised
« Reply #87 on: April 10, 2010, 05:04:58 PM »

I noticed several days ago that the forums seemed to have vanished.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Browni

  • Reg Member
  • ***
  • Posts: 137
Re: Warning - DSLzone site compromised
« Reply #88 on: April 11, 2010, 12:55:46 PM »

The forum is still there; it seems that the home page is broken.

My link to the forum is http://www.dslzoneuk.net/forum/search.php?search_id=newposts

EDIT: Sod's law! As soon as I post that link it goes down :)
« Last Edit: April 11, 2010, 01:05:14 PM by Browni »
Logged

tuftedduck

  • Senior Kitizen
  • ******
  • Posts: 29658
  • Router Luvvin Duck
Re: Warning - DSLzone site compromised
« Reply #89 on: April 11, 2010, 01:42:29 PM »

Your link opens fine for me, Browni  :)
Logged