Fake Security Malware question

hellosky

I am dealing with a machine that had the Win 7 Home Security 2011 malware come in and trash the machine.

I am confused, however: all users that had access to the machine had restricted accounts (no admin level) and had an updated AV (Symantec Endpoint), yet it still managed to infect the whole machine and drop rogue files into the c:\windows\system32\config\systemprofile folder.

Does anyone know which exploit this malware uses, and what I should do to lock it down further?
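A triage check for the folder named in the post above, added here as an example and not code from the thread: it lists recently modified files under the systemprofile directory and shows which identities the folder's ACL allows to write there, so you can tell whether a limited account could have dropped files itself or whether a process running as SYSTEM did. It assumes an elevated PowerShell prompt and a 7-day cutoff.

```powershell
# Added example (not from the thread). Triage the folder named in the original post:
# list recently changed files and report which identities the ACL lets write there.
# Run from an elevated PowerShell prompt. The 7-day window is an assumed cutoff.
$Target = 'C:\Windows\System32\config\systemprofile'
$Cutoff = (Get-Date).AddDays(-7)

Write-Host "== Files modified since $Cutoff under $Target =="
Get-ChildItem -Path $Target -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { (-not $_.PSIsContainer) -and ($_.LastWriteTime -ge $Cutoff) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName |
    Format-Table -AutoSize

# Rights that allow creating or changing files in the folder
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl

Write-Host "== Identities allowed to write to $Target =="
$acl = Get-Acl -Path $Target
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band [int]$WriteMask) -ne 0)
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Normally only SYSTEM and Administrators hold write rights here. A write-capable
# entry for Users, Everyone or Authenticated Users means a limited account could
# have dropped the files directly; if there is none, look for what ran as SYSTEM
# (services, scheduled tasks) rather than at the user accounts.
```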
 
Browsers today are very insecure. Even Firefox unfortunately. Without noscript or any other script blocking techniques, you can land on a malicious page, it will execute something right on the PC under administrator or system or w/e and pretty much trash the whole machine, without the user's consent. Most of these have a popup of some sort to say you've been infected but they can easily choose to not code that in their malware. You can very well go to a website and have a keylogger or other malicious program installed and not even know it.

I think it's JS but could be Flash, Java, etc. All I know is that it's pretty sad that it's this easy. To me, there is zero reason a browser should write to anything but its own cache, or a designated download directory. It should block all disk/registry writes outside those areas. Would not be all that hard to do; they have to code in JS and make it so when it sees a certain line of code, it does something, so just ensure to cover all possibilities of disk writing and restrict them.

With noscript you are pretty safe but it is kinda annoying as pretty much every site now uses some form of js so you can easily enable it and only realize after that you landed on a bad site.
 
Without noscript or any other script blocking techniques, you can land on a malicious page, it will execute something right on the PC under administrator or system or w/e and pretty much trash the whole machine, without the user's consent.
[H] forums got hit with that not so long ago and I got infected several times. A real PITA. I had always used IE out of habit, didn't really care much for FF, but switched to it with NoScript installed after all the hours I spent dealing with the problem.

But you're right, it does cripple some pages. I only use IE now on trusted sites.

The problem is not so much end users going to questionable sites (though I grant that probably happens a lot) but sites that are not so secure where hackers can go in and inject their scripts, thus infecting anyone who visits the site without any further interaction. Heck, I got hit after googling for ukulele tabs for a piece and ending up on someone's personal blog.

Pop-ups can be deceptive. Clicking "No" can mean "Yes". When I got hit here, I took a screen shot without taking any action at all, and I still got infected before I could crop/save the SS. :mad:
 
Without noscript or any other script blocking techniques, you can land on a malicious page, it will execute something right on the PC under administrator or system or w/e and pretty much trash the whole machine, without the user's consent.

How can it do that if the account has limited access and UAC elevation is blocked (note: UAC is not disabled)?
 