
Hidden files & really hidden files ...

Every win install I do I immediately uncheck the hidden files & suffixes.

The hidden files showing up in my ZA log were truly hidden - they were in the log as having accessed the Internet (with permission) but when I looked for them they were not in those locations.

I had deleted them but a day later they were back & I had *not* given any permission thru ZA to allow them net access.

My educated guess is that they were trojan modules planted as components of either Netscape, MSIE or Win services.

Anyway - I seem to have got rid of them with a clean install & by 'hardening & firewalling' every one of my computers. But I am being hit with 2 virus attachments in email, per day. I won't open email from people I don't know esp if they have attachments.

Cheers

Doug

could you forward a copy of the virus to me?
I would like to take a look under the hood.
woxley at tampabay dot rr dot com
thanx,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]

You think that you can trust the government to look after your rights? ask an Indian
"Opening" attachments
Doug wrote:

But I am being hit with 2 virus attachments in email, per day. I won't open email from people I don't know esp if they have attachments.

Back when I ran legacy Microsoft OSes, I found a 100% effective way to nullify the virus problem: Never run code you don't have reason to want to trust well enough to run. This, of course, implied ensuring that I knew about all occasions when I (or my machine on my behalf) ran code, and that it never happened without my approval.

Relevant to that, your quotation (above) indicates clearly where part of your problem lies: You talk about "opening" e-mail attachments. In Microsoft-speak, the verb to "open" sometimes means to execute, and sometimes means to view -- with the implication that the user has no idea which of the two he's doing. The implied mindset is part of what leads Microsoft's captive userbase to put up with misdesigned applications like MS-Outlook and MS-Outlook Express, whose three-pane view (at least in some versions) auto-executes code arriving as attachments without the user even selecting the attachment at all, let alone giving permission to run it.

The first step to asserting control (aside from probably rebuilding your system from trusted media) is to remove all executables that you don't regard as trustworthy. I.e., if you suspect that MS-Outlook Express runs executables without checking with you first, get rid of it. And does your MS-Word, MS-Excel, MS-Access, or WordPro run AutoOpen or AutoClose macros automatically without checking with you? (Are you sure? Did you create test documents with those macros and see if they ran without checking with you? If not, why not?)

From that point forward, never just "click on" or "open" files without knowing of a certainty whether that's going to run as code or not. And don't just install software without meaningfully checking its identity. (You downloaded it? OK, but are you sure the site you got it from was the real site? Are you trusting some dubious party's DNS?)

Unfortunately, keeping a legacy Microsoft OS non-compromised is always a bit stressful, because you know that a user-level error of judgement can compromise the whole system's security, and not just his own security. (This is largely true even on NT, which at least in theory supports multiple user contexts, although it's not genuinely multiuser.) You have much more of a safety cushion, in that respect, on Unix.

If you use Linux, you get your pick of [link|http://linuxmafia.com/~rick/linux-info/muas|105 e-mail clients], none of which has a "virus attachment" problem. No offence intended, but it's a bit pitiful to have to ignore e-mail from strangers: No competently designed system can be threatened by a mere e-mail.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
Edited by rickmoen Dec. 23, 2002, 12:14:22 AM EST
Obvious flaw
Doug wrote:

I won't open email from people I don't know esp if they have attachments.

Afterthought: How do you know which mail is genuinely from people you know? If you simply elect to believe the name in the From: header, then you're immediately at the mercy of malware-carrying SMTP worms like SirCam, which forge SMTP mail to make it appear to come from names and addresses familiar to you.

So, your protective measure not only suggests a serious problem with you using untrustworthy mail software, but also is ineffective.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
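The two points Rick makes above (that "opening" an attachment may mean executing it, and that the name in the From: header is whatever the sender chose to put there) can be turned into a small triage check a mail filter or a cautious user could run before anything is opened. This is an added example, not code from the thread or from any of the posters; the contact list, the message, and the list of extensions Windows treats as directly runnable are all constructed for illustration. The check trusts only the e-mail address, never the display name, and flags a message whose display name matches a known contact while its address does not, plus any attachment whose filename extension marks it as code rather than data.

```python
import email
import email.policy
from email.utils import parseaddr

# Constructed sample message (not a real capture): the display name matches a
# known contact, the address does not, and the attachment is a .pif with a
# decoy ".doc" in the middle of the name.
SAMPLE_MESSAGE = b"""From: "Alice Example" <alice@mail.example.net>
To: doug@example.org
Subject: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="invoice.doc.pif"
Content-Disposition: attachment; filename="invoice.doc.pif"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""

# Hypothetical address book: the address is the identity, the name is decoration.
KNOWN_CONTACTS = {"Alice Example": "alice@example.com"}

# Extensions that Windows runs as code when "opened" (assumed list for this example).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse", "wsf", "hta", "lnk",
}


def parse_message(raw: bytes):
    """Parse raw RFC 822 bytes into an EmailMessage (modern policy gives iter_attachments)."""
    return email.message_from_bytes(raw, policy=email.policy.default)


def check_sender(msg) -> str:
    """Classify the From: header by address, not by the sender-supplied display name.

    Returns "known" (address matches the contact on file), "spoofed-name"
    (display name matches a contact but the address does not), or "unknown".
    """
    header = msg["From"]
    if header is None:
        return "unknown"
    name, addr = parseaddr(str(header))
    expected = KNOWN_CONTACTS.get(name.strip())
    if expected is None:
        return "unknown"
    return "known" if expected.lower() == addr.lower() else "spoofed-name"


def executable_attachments(msg) -> list:
    """Return filenames of attachments whose final extension means 'run me'."""
    found = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        # Only the last extension matters to the OS; "invoice.doc.pif" is a .pif.
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in EXECUTABLE_EXTENSIONS:
            found.append(filename)
    return found


def triage(raw: bytes) -> dict:
    """Run both checks on a raw message and return the findings."""
    msg = parse_message(raw)
    return {"sender": check_sender(msg), "executables": executable_attachments(msg)}


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```

The sender check is deliberately narrow: it cannot prove a message is genuine (a worm can copy a real address as easily as a real name), it only catches the case Rick describes, where a familiar name is pasted over an unfamiliar address. The attachment check is the mechanical half of "know whether opening it runs code": it looks at what the file system will actually do with the name, not at what the sender called it.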