Friday
Feb062004
Web-jacked?
Friday, February 6, 2004 at 05:59PM
TIP OF THE DAY
Web-jacked?
Help! I've Been Web-Jacked
http://www.pcworld.com/news/article/0,aid,114440,tk,dn012604X,00.asp
Spyware is becoming more common, and getting harder to fight.
Deborah Radcliff, Network World
Monday, January 26, 2004
On December 22, an Internet investigator got a tip that child pornography was being housed on an adult Web site. When he visited the site to verify the information, he didn't find any illegal images. But what he did find was a Trojan horse that disabled the ActiveX security controls on his browser and took control of it.
"I heard my hard drive churning and clicked on my task manager and saw three executable programs were installing themselves," says Chris Brandon of Brandon Internet Services. "I knew I was in trouble when I couldn't get my task manager to cancel the programs."
By the time he checked his registry, the Trojan had installed dozens of programs that replaced the default Web page with its own, and loaded its own IP addresses in his favorite places, short cuts and safe zones. When he tried to erase the programs and reboot the machine, the virus reinstalled.
Spyware Spreads
This program is a perfect example of spyware gone amok.
It installed itself by taking advantage of a vulnerability in Internet Explorer 4.x and 5.x that lets an unsigned applet to create and use ActiveX controls. Then it hijacked Brandon's browser, a term called "Web-jacking." But it could have been worse. Some variants evoke dialers to call up 1-900 numbers if the victim is using telephone dialup for Internet access.
"We're seeing more of this type of virus activity in recent months," says Ken Dunham, director of malicious code for IDefense, a security intelligence firm in Reston, Virginia. "Trojans promote going to certain pornography sites and other sites they affiliate with because they get money for the clicks from advertisers. They terminate regedit.exe [registry editor], and they can be very difficult to remove."
Anti-spyware vendor PestPatrolreports staggering growth over the past few months of the virus that Symantec dubbed Trojan.Norio. And at least 24 variants of the virus now exist in the wild, according to the anti-spyware site Spywareinfo.com.
Each variant is designed to do something different. One variant changes your customized search settings to allhyperlinks.com, for example. Another variant redirects all searches through a bogus site called Coolwebsearch.com. Another redirects Verisign's Site Finder to a fraudulent Site Finder site. Another evokes the auto-dialer. And so on.
What Lies Ahead
Expect these types of Trojan viruses to be used for even more malicious purposes, such as the culling of credit cards and passwords, Dunham says.
"In the case of the Norio Trojan, it changes the registry and the host file," he says. "You type in a name like Microsoft.com, it will redirect you to a site they want you to go to. You could make it redirect you to a fake Citibank.com Web site and get you to fill in sensitive information."
THE SOLUTION
SPY-Bothttp://www.safer-networking.org/index.php?page=mirrors
It's free. And it works. Download and install. Click on the Settings Tab on the left side, then click on settings, and click on the following settings so that the program will run automatically in the background without user intervention:
Under Main Settings, everything should be clicked except the last two which begin with the word "Display," make sure those are NOT.
Under Scan Priority, set to "lowest"
Under Automation, Program Start, check 1 & 2, 4 & 5, and the last one.
None of the other settings matter.
Now, you can manually run Spybot any time you want to check for Hijack programs, or put it on a schedule through Scheduled Tasks. You don't need to run it more than once a week. When you run it, it will automatically update its files to find the latest worms and hijack programs, and will run a sweep for any new ones.
After these settings are checked, click on Spybot S&D on the left side. Click on Immunize on the left side tab. In the main window, click on the Immunize and Install buttons.
Now reboot, and the program will run once before starting Windows and clean out your system. The immunize feature will also protect you from acquiring most worms and hijackers again. I run this on all computers in our Firm. Unintentionally loading a hijacking program (which I had done on several occasions prior to learning about Spybot) is a tremendous hassle. Running Spybot is worth the small investment of time of installing and configuring it.
Miguel M. de la O | Comments Off |