RE: IE Malware / Spyware Control Methods

From: Dave Dennis (dmd_at_speakeasy.org)
Date: 01/07/05

  • Next message: Harlan Carvey: "Re: IE Malware / Spyware Control Methods"
    Date: Fri, 7 Jan 2005 10:54:06 -0800 (PST)
    To: "Paris E. Stone" <pstone@alhurra.com>
    
    

    Run a firewall.

    Hardware firewall preferably. If its Windows and its not firewalled, its
    going to be owned.

    Any Windows box is going to have unpatched potential open vulnerabilities.
    the '20 minutes windows' concept applies. (an unpatched Windows host
    takes 20 minutes to be infected on a broadband connection, and it takes longer
    than that to download/patch a new Windows install)

    If they're on broadband, and they are running Windows, they have to have a
    firewall; hardware preferably, service pack 2 if possible, close all unnecessary
    ports that Windows often ships with open still (135 Messenger, 137, 139, 445).

    Otherwise running any A/V will still miss some things, A/V is essential, but A/V
    without firewalling still gets infected sooner or later, and the browser/toolbar
    ideas are great too, but only to prevent vectors introduced by the browser,
    not to prevent being infected by drive-by portscanning, which is rampant
    nowadays.

    +-------------------------
    + Dave Dennis
    + Seattle, WA
    + dmd@speakeasy.org
    + http://www.dmdennis.com
    +-------------------------

    On Fri, 7 Jan 2005, Paris E. Stone wrote:

    > Use Mozilla.
    >
    > If IE is a must, get the yahoo toolbar with anti-spy.
    > &
    > Spybot, have it immunize the system and block all bad pages & use the
    > TeaTimer component.
    >
    > ~~~~~
    > Paris E. Stone, "Linux Zealot"
    > CISSP, CCNP, CNE, MCSE
    > ~~~~~
    > The only thing necessary for the triumph of evil,
    > is for good men to do nothing.
    > - Edmund Burke
    >
    >
    > -----Original Message-----
    > From: Illuminatus Master [mailto:illuminatus.master@gmail.com]
    > Sent: Friday, January 07, 2005 12:37 PM
    > To: incidents@securityfocus.com
    > Subject: IE Malware / Spyware Control Methods
    >
    > Hello List,
    > I'm sure you all realize the growing threat of malware and spyware to
    > Internet Explorer. It has been my experience that the initial
    > infection and/or removel of an infection by anti-spyware products can
    > permanently damage a windows workstation. This damage occurs in many
    > forms and often leads too the workstation being reformatted and
    > rebuilt before going back into service.
    >
    > A recent example is earlier this week, in spite of content filtering,
    > a workstation was infected with "wintools", "mysearchtoolbar" etc. The
    > tough part of this is that such malware has multiple instances/threads
    > and renames system files like msconfig to resist removal. Often
    > IE/Windows is so damaged it's more time effiecient to just replace the
    > box and rebuild the infected one.
    >
    > My question is this, I'm batting around the idea of using Group Policy
    > in our Active Directory to try and choke IE down to the point where
    > such Malware has trouble installing itself. Has anyone here ever tried
    > such as this with any degree of success?
    >
    > Other than Group Policy I'm also considering deploying an alternate
    > web browser that isnt subject to malware infection but doing so
    > complicates my patching/reporting routine for our security audits.
    >
    > I look forward to your comments and idea's.
    >
    > Thanks,
    > massa
    >
    >
    >


  • Next message: Harlan Carvey: "Re: IE Malware / Spyware Control Methods"

    Relevant Pages

    • Re: Guide to secure installtion of IIS 5
      ... don't forget a well-configured firewall. ... Do not put the computer onto the network or the Internet until after the ... Follow the instructions for hardening Windows and IIS at ... Install all service packs and security fixes from Microsoft and otherwise ...
      (microsoft.public.inetserver.iis.security)
    • Re: Is secedit.exe left by a hacker?
      ... > tested on port 445. ... > I have a Linksys router that I use as a firewall to my ... Secedit.exe is the name of a legitimate Windows file, ... investigate the files on your computer - antivirus with the latest updates ...
      (microsoft.public.win2000.security)
    • Re: Is secedit.exe left by a hacker?
      ... >> tested on port 445. ... >> I have a Linksys router that I use as a firewall to my ... >investigate the files on your computer - antivirus with ... >windows and everything else. ...
      (microsoft.public.win2000.security)
    • Re: How to Maintain an IIS Server?
      ... > server running on a Windows 2000 server. ... before a firewall and antivirus have been installed]. ... open ports; however, this will not identify which program is using the port. ...
      (microsoft.public.inetserver.iis.security)
    • Re: Security? What security?
      ... >> of that i get come through Internet Explorer, a Windows Browser if I'm not ... the rest of the time i use Netscape. ... assertion that these malware really did enter through IE. ... >You have no reputable firewall. ...
      (microsoft.public.windowsxp.security_admin)