Stopping CWS Dead in its Tracks


4 replies to this topic

#1 shoreg

    Member

  • Full Member
  • 10 posts

Posted 25 December 2004 - 11:51 AM

I think this is my first post to this forum, but not my first post to Spywareinfo.

Since this site is dedicated to stopping and preventing CWS, I thought I’d pass along some experiences I have had with it in the last 6 months.

There are about 6 people involved, with varying degrees of computer skills. We all have been visiting sites that are known to hijack IE. Security ranges from multi layered defenses to none at all. The only security measure common to all individuals is that all computers access the internet from a limited account on an XP platform.

I run the box with no security software installed. It is a straight out of the box install that does not have any patches. All ports that are installed open have been left open. All security settings for IE are set to low and everything is allowed. This box has been up and running every day for 16 months. The basic monitoring software I use is Regmon for NT and Filemon for NT. There is further monitoring after each test.

A while back, Tom Liston from the Internet Storm Center posted an account of the average Joe user – “Follow the bouncing malware”. He monitored and logged what happens when the account has administrator privileges from a basic install. I believe they are up to 4 posts following the exploits that happen on this computer.

http://isc.sans.org/...date=2004-07-23

I followed along with my test box and visited the first site mentioned and monitored the events. My outcome was very different from Mr. Liston’s. I never got any farther than the first site; nothing was able to install on my box. The system remained clean. The logs clearly showed what the site was trying to do, but it was never able to install even one program. I decided that I should monitor the site while in the admin account to see if I could duplicate what was happening in his article. I had a very different experience once again. The site always brought my system to its knees every time I tried to monitor what was going on. I gave it three tries and could never log what was happening. The exploits probably used up more resources than this system can handle when it is running the monitoring software, and the system chokes and dies. Monitoring such events after a reboot reveals that software was indeed installed.

I have repeated this over and over for different types of exploits on many different sites that I come across here and on other forums. It’s not hard to find someone asking for help with a new CWS infection. Once in a while I will get a site from their HijackThis log that turns out to be a good one. I think one of the best sites I ever logged was from the malware help forum on this site. Logging CWS exploits has proved to be a difficult task. They are a sneaky bunch.

No one in this group of testers has ever had a CWS or any other hijack. The time frame has been long enough and the sites visited are active enough to indicate that there is merit to running NT platforms with limited privileges. This is a very proactive step that can be taken with little investment on the part of the user.

Which brings me to a question I have for anyone who teaches in the boot camp forum. I seldom read the HijackThis logs other than browsing for sites. But I always read the advice given on how to regain control or fix such problems. The fixes on this site are always the best you can get from any forum. Now I don’t know if it is just me, but I can always tell when a poster is lacking in knowledge about computers. When I encounter such individuals in real life I always put them in a limited account when I have their machine in working order. It saves me from having to fix the same problem again at a later time. I’ve had very good success with this approach. However, I seldom see such advice on this or any security forum I visit. I can only surmise from the posts in the malware forums that this is not something that is discussed in any detail in boot camp. By the nature of the posts that come into this forum it has to be a reactive focus, but it seems that adding a simple proactive approach at the end would benefit both the guide and student. This is just an observation from one individual of what seems to be an oversight by most security experts. I often wonder why. My personal feeling is that they don't operate their box that way, and what you don't do you don't advise.

May everyone have a merry holiday season.

Gary

#2 Paranoid

    Forum Deity

  • Full Member
  • 533 posts

Posted 27 December 2004 - 08:26 AM

Quote (shoreg):

    I think this is my first post to this forum, but not my first post to Spywareinfo.

    There are about 6 people involved, with varying degrees of computer skills. We all have been visiting sites that are known to hijack IE. Security ranges from multi layered defenses to none at all. The only security measure common to all individuals is that all computers access the internet from a limited account on an XP platform.

    Which brings me to a question I have for anyone who teaches in the boot camp forum. I seldom read the HijackThis logs other than browsing for sites. But I always read the advice given on how to regain control or fix such problems. The fixes on this site are always the best you can get from any forum. Now I don’t know if it is just me, but I can always tell when a poster is lacking in knowledge about computers. When I encounter such individuals in real life I always put them in a limited account when I have their machine in working order.

    Gary


Hmm, I just joined Bootcamp. As far as I can see so far, there is talk about "canned" prevention speeches, but these involve using Spybot, SpywareBlaster etc.

I suspect most helpers run with full admin privileges anyway :)

I suppose another reason why I would be wary about advising newbies to run with limited accounts is that it would be too drastic a change to recommend to some newbie user who you have just met only on the net. It might lead to further problems in the future when the user needs admin rights.

I wonder though if running the web browser with a restricted account via this method http://msdn.microsof...ure11152004.asp is sufficient?

Please note that the software I recommend above is entirely based only on my own experience and testing. In no way should my comments, opinions and endorsements be construed as an endorsement by the forum, nor do they reflect the advice or recommendations of the experts or helpers at spywareinfo.


#3 shoreg

    Member

  • Full Member
  • 10 posts

Posted 27 December 2004 - 01:31 PM

I can only speak from my personal experience. Setting a new user up in a limited account has always been an advantage for me. When it comes time to install some software, a new user will usually end up asking me how and if this software is OK to install. I find that it takes less time to find out about the software and tell them how to install it than it does trying to spend hours or days fixing a compromised machine. I can tell them how to install through email, whereas trying to explain how to fix a compromised box I have no patience for.

I’ve heard about DropMyRights, but have never used it on my test box. Connecting to the internet with a virgin install results in an lsass.exe exploit in very short order. So until I change my setup I’ll leave that one for others to report on. Maybe one of the other testers I work with will give it a try.

Good luck in boot camp. I’m always amazed that there are people that have the patience to learn to read a HijackThis log and then spend the time it takes to undo what has been done. My hat’s off to all of you. Although it does seem like a never-ending arms race.

Gary

Edit: Connecting from an administrator account leads to an lsass exploit is what I should have said.

Edited by shoreg, 27 December 2004 - 01:41 PM.


#4 Paranoid

    Forum Deity

  • Full Member
  • 533 posts

Posted 28 December 2004 - 06:11 AM

Quote (shoreg):

    I can only speak from my personal experience. Setting a new user up in a limited account has always been an advantage for me. When it comes time to install some software, a new user will usually end up asking me how and if this software is OK to install. I find that it takes less time to find out about the software and tell them how to install it than it does trying to spend hours or days fixing a compromised machine. I can tell them how to install through email, whereas trying to explain how to fix a compromised box I have no patience for.


Seems to me you already have a pre-established relationship with these users you are helping.

For the helpers at any forum to do this would be to take on an impossible burden. As it is, the helpers are struggling with handling HJT logs. Imagine how much more traffic we would have if every user started asking us how to install this new software or carry out any other admin task :)

The more skilled users will know how to handle this of course with canned instructions, but they probably need less protection anyway.

So basically it comes down to reading the short post in the HJT log, assessing the ability of the user based on that, and if he is not too clueless (too clueless and your advice is likely to generate even more future support requests), tell him how to set up a limited account? :)


#5 shoreg

    Member

  • Full Member
  • 10 posts

Posted 28 December 2004 - 11:21 PM

It is true that most people I deal with I have a personal relationship with. However, not all that I deal with are in person. Some of them I deal with long distance through email. Most people that will ask for help with installing new software will usually only need to be walked through it once to master such a skill. I am usually more concerned about what they want to install, and I like the fact that most will ask about such and such software before they install it. The reality is that most new users who need to be taught how to create a limited account rarely install anything. Most just want to surf the net and read and send email.

So whether or not it would dramatically increase questions to the malware forum I don’t know. I could see an FAQ that could be pointed to for such questions. As for how to set up a limited account, I have a standard reply that I use for anyone that I communicate with through email.

Go to “Start” and select “Control Panel” and look for “User Accounts”. Once there you will have the option to create a new account. Choose any name you want for this account. When you come to the window that says “create account” there are two radio buttons at the top. One is “administrator”, the other “limited”. Choose the limited one. Log off the Owner account and you will see the welcome window with both the Owner account and your newly created account. Use this new account for email and surfing the internet.

As for the more skilled users knowing how to protect themselves, I’m not so sure. I’ve seen many a user on this and other forums that have a good understanding of how to use their computer, but end up in this and other forums needing help with CWS and the like.

Your last question was what I was trying to point out in my first post. It seems that after going to all the trouble to correct the user’s problem, at the end you would want to put them in a limited account as a proactive step. I personally think this is better protection than any software protection.

This type of account will stop more than just browser hijacks. I’ve tested most of the major viruses, worms, trojans, keyloggers and just about anything I’ve been able to download off the net. Most just don’t work. I have found one trojan and one email virus that will install in a limited account. Both are contained within the limited account and are easy to deal with. Nothing has ever been able to compromise the system files. This also includes Blaster, Sasser, and Korgo. So many people have trouble with this when they reinstall their OS and then go out and try to update their system and AV, only to find that they have been infected in the amount of time it takes to update. If they would just create a limited account first and then go download what they want from this account, they would bypass such problems.

Gary
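The Control Panel steps Gary gives above, and the "what about when the user needs admin rights" concern raised earlier in the thread, can both be handled from an Administrator command prompt on XP. This is an added example, not text from any poster; the account name "surfer" is an assumed placeholder, and "Owner" is the admin account name used in the thread.

```batch
@echo off
REM Added example (not from the thread): create a Limited account from an
REM Administrator command prompt on XP and verify it really is limited.
REM "surfer" is an assumed placeholder account name; you are prompted for a password.
setlocal
set ACCT=surfer

REM 1. Create the account. "net user /add" places it only in the local Users
REM    group, which is what the User Accounts applet calls a "Limited" account.
net user %ACCT% * /add
if errorlevel 1 goto :fail

REM 2. Make sure it is NOT an administrator (harmless if it was never a member).
net localgroup Administrators %ACCT% /delete >nul 2>&1

REM 3. Verify: the membership line should show *Users, and the account must
REM    not appear in the Administrators group listing.
net user %ACCT% | findstr /i "Local Group Memberships"
net localgroup Administrators | findstr /i /c:"%ACCT%" >nul && (
  echo %ACCT% is still in Administrators & goto :fail
)
echo %ACCT% is a limited account. Log on with it for web and e-mail.

REM 4. When the limited user does need to install something, run only that
REM    installer with admin rights instead of logging on as Owner for the whole
REM    session (runas prompts for the Owner password). Shown here, not executed.
echo When needed:  runas /user:Owner "msiexec /i C:\setup.msi"
exit /b 0

:fail
echo Limited account setup did not complete.
exit /b 1
```

Step 4 keeps the browser and mail client in the limited account even on the days something has to be installed, which is the case the thread worries about.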
