Re: Why did a visit to Google install netbios.dll in my windows system folder?

From: Duane Arnold (notme_at_notme.com)
Date: 07/04/03

    Date: Fri, 04 Jul 2003 15:33:21 GMT

    > Why did a visit to Google install netbios.dll in my windows system
    > folder?
    >
    > When "enable DLL authentication" is on I find new .dll files being
    > installed on my computer from Verio and then from Google, like the one
    > above. Anyone know if this is harmless?

    It's called a Website Drive By, whereas you access a Website and that
    Website starts sending dll's or other program elements like ocx, drv, vxd in
    the traffic and installs them on your machine without your knowledge and
    permission.

    It's not a good thing!

    > I can't be spending all day here trying to determine which ones to allow
    > or not and which ones to delete or not.

    The only way you should allow something like this is when you're installing
    an application yourself and it's laying down program elements during the
    install process.

    My solution to this issue is below. It's not 100% bulletproof, but it's
    better than nothing at all. My analysis of the was about IDS, which is
    being cut short on this posting.

    *********
    <snip>

    Malware test using Gator telling Gator to install from the Website:

    IE Security:

    IE stopped the download and I told it OK

    BlackIce:

    BlackIce Application control stopped the download reporting that
    *iegator.dll* wanted to use *iexplorer.exe* and I told it OK. BTW, I did an
    entire search of <C> looking for *iegator.dll* and it was not there, which
    means it was coming from the Website in the HTTP traffic.

    BlackIce Communication control detected that *iexplorer.exe* wanted access
    to the Internet, but of course it was *iegator.dll* who wanted access and I
    told it OK.

    BlackIce Application Control stopped *gatorsetup.exe* from executing and I
    told it OK. BTW, I searched for *gatorsetup.exe* on <C> and it was not
    there, which means it was coming from the Website in the HTTP traffic.

    BlackIce Communication control reported that *gatorsetup.exe* wanted access
    to the Internet and I told it OK.

    Sygate Pro:

    Sygate Pro after BlackIce detected everything upfront, indicated that Gain
    Setup was trying to connect to *gs.gator.com* using remote port 80 HTTP.

    My analysis of this is that BlackIce IDS is doing a detailed analysis of
    layer 7 (application) protocols such as HTTP, Telnet, etc and is looking at
    what is coming in the network traffic from a Website and stopping it. And
    BlackIce is checking its Application and Communication control database in
    real time based on its analysis of traffic in layer 7.

    Sygate is not doing an analysis of layer 7 and not stopping anything from
    coming from a Website. Sygate only knew to stop the outbound communications
    of *gatorsetup.exe*. Once Sygate has given approval of iexplorer.exe to
    communicate to the Internet, it doesn't have the means to stop a *dll*
    executing from a site using iexplorer.exe on its behalf.

    Conclusion is that BlackIce has better features with its IDS than Sygate Pro
    in controlling program execution and communication to the Internet and is
    better at stopping malware on the machine. Not only is BlackIce looking at
    dll's, it is looking at exe, com, sys, drv, ocx too and BlackIce can be made
    to look at more sub component program types. You see, an attack will not
    always come from a dll or exe trying to use IE, OE or Outlook, the host, to
    get out. Not only is BlackIce's IDS looking at what's executing and
    communicating at the machine level, but it is looking at the network traffic
    too.

    <snip>

    I like Sygate so don't get me wrong.

    But as far as what you're concerned with I don't think about it.

    HTH

    Duane :)

    -- 
    The protection of the machine is a process and is not a given!
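An added example, not from the post above and not the code of BlackIce, Sygate or any product it names: a small Python checker that does what the post attributes to BlackIce's layer-7 inspection, flagging an HTTP response that carries a program element (dll, exe, ocx, drv, ...) whatever its Content-Type claims. The HTTP response and the PE body are constructed for the example; `iegator.dll` appears only because the post mentions that filename.

```python
import re
import struct

# Program-element extensions the post says BlackIce watches for in HTTP traffic.
WATCHED_EXTENSIONS = {".dll", ".exe", ".com", ".sys", ".drv", ".ocx", ".vxd"}

def is_pe_image(body: bytes) -> bool:
    """True if body starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", body, 0x3C)  # e_lfanew field
    return body[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def inspect_http_response(raw: bytes, request_path: str) -> dict:
    """Split a raw HTTP response into headers/body and decide whether it delivers
    a program element. Returns the verdict and the reasons that triggered it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    reasons = []
    if is_pe_image(body):
        reasons.append("body is a PE image")
    # Check the advertised filename first, then the last path segment of the request.
    m = re.search(r'filename="?([^";]+)', headers.get("content-disposition", ""))
    names = ([m.group(1)] if m else []) + [request_path.rsplit("/", 1)[-1]]
    for name in names:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in WATCHED_EXTENSIONS:
            reasons.append(f"filename {name!r} has watched extension {ext}")
            break
    ctype = headers.get("content-type", "").lower()
    if reasons and ctype.startswith("text/"):     # binary delivered under a text label
        reasons.append(f"content-type {ctype!r} disguises a binary")
    return {"block": bool(reasons), "reasons": reasons}

def build_fake_pe() -> bytes:
    """Constructed stand-in for a downloaded DLL: MZ stub, e_lfanew=0x40, PE signature, no code."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 32

# Constructed sample traffic: a drive-by style response and an ordinary HTML page.
DRIVE_BY_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     b'Content-Disposition: attachment; filename="iegator.dll"\r\n\r\n'
                     + build_fake_pe())
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>"

if __name__ == "__main__":
    print(inspect_http_response(DRIVE_BY_RESPONSE, "/download/setup"))
    print(inspect_http_response(BENIGN_RESPONSE, "/index.html"))
```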
    

