Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 03, 2016, 11:59:35 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Drive by malware ... ouch  (Read 4858 times)

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member
Drive by malware ... ouch
« on: September 26, 2008, 06:20:14 PM »
I have just spent a day and a half trying to figure out why one machine on my network couldn't access websites that were accessible to other machines on the same network.

The main symptom was that since late yesterday evening every time I tried to log onto this forum I got an error saying that www.donationcoder.com doesn't exist. I panicked and in the end emailed Mouser to ask if there was anything I could do to help since the server seemed to be broken (memories of last years website hack sprang to mind). Having established that it was at my end and that my other computers actually did access donationcoder.com I set about searching for an answer. Now that I think of it i it does seem obvious to use another computer to check but given that my house is currently strewn with the remains of dead computers I had to cobble one together again to check the connection.

Having looked at the TCP/IP settings I noticed the DNS server had shifted from the automatic settings to fixed values (one of which was 85.255.115.51)

Everytime I tried to reset my DNS values or enter an IP for my Router it seemed to work except when Ioned the settings again they had been reset back to the bogus values.

I did a search on the IP causing the issue and found the following article:

http://forums.spybot...hlight=85.255.115.51

This seems to be what happened to my system and having gone through the steps outlined my system is running normally again.

I really don't know how I managed to acquire this annoyance. I didn't download anything and run it yesterday evening so I can only assume it must have been a drive by problem on a site. If my experience can help anyone else it will have been a useful experience.

As it happens I haven't been spending money online today (so that is a relief) but do I now assume that all my passwords are compromised for sites that I visited - even though most of those sites are accessed via cookies?

VideoInPicture

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 467
    • View Profile
    • Circle Dock
    • Donate to Member
Re: Drive by malware ... ouch
« Reply #1 on: September 26, 2008, 06:59:41 PM »
Drive by malware is the worst because it's so easy to be redirected to bad sites. What browser are you using on that computer?

It makes it seem sensible to run all web browsers in a virtual machine that gets wiped out every time you close the browser and prevents any file downloads.
Author of Circle Dock: http://circledock.wikidot.com
Author of Video In Picture: http://videoinpicture.wikidot.com
Author of Webcam Signature: http://webcamsignature.wikidot.com
Author of Easy Unicode Paster: http://easyunicodepaster.wikidot.com

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,096
    • View Profile
    • Donate to Member
Re: Drive by malware ... ouch
« Reply #2 on: September 26, 2008, 07:03:45 PM »
Cookies are small text files as far as I know, so it shouldn't take too much effort to read their content. What I would do is boot from a linux live CD (or when you feel adventurous, create a Bart's PE bootdisk using your Windows installation CD) and access the websites you need for changing the passwords.

Just to be on the safe (and/or paranoid) side...

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member
Re: Drive by malware ... ouch
« Reply #3 on: September 26, 2008, 08:42:06 PM »
My system seems clean now (I have done multiple scans with umpteen scanners).

I have changed all my domain passwords 'cos I spent the day getting frustrated trying to FTP stuff.

I will try to remember what I actually accessed today and change my passwords! Not easy and part of the cleanup removed all cached data/history and cookies so there is no easy way to make sure I know where I have visited!

Why can't someone castrate the b******s - preferably with a blunt stick slowly.

Cloq

  • Charter Member
  • Joined in 2006
  • ***
  • default avatar
  • Posts: 268
    • View Profile
    • Donate to Member
Re: Drive by malware ... ouch
« Reply #4 on: September 27, 2008, 10:31:47 AM »
@Carol Haynes - I think you have something similar to what one of my family members had last year, in her case, it was anytime she would click on a web link (usually the first four) it would redirect her browser to some porn site. Spybot and lavasoft didn't detect/remove anything.

I ended up using PC Tools (free 1 year sub) and that worked like a charm. It found the issues and the evil program that kept changing its name and fixed them all. After that, I installed admuncher and a hostsfile, never heard about spyware/malware problems since.


A lot of these drive by malware usually come from various web ads (scripted typically).

Ad Muncher and good a Hostsfile would help prevent 99% of these type of issues.

Admuncher - www.admuncher.com
Hostsfile - www.bluetack.co.uk/forums/index.php?act=dscriptca&CODE=viewcat&cat_id=3
« Last Edit: September 27, 2008, 10:41:15 AM by Cloq »

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member
Re: Drive by malware ... ouch
« Reply #5 on: September 27, 2008, 11:25:48 AM »
Yep - I was running AdMuncher.

I may have just had an odd experience with it but years ago I tried using BISS Host file (and still get update emails from them) but I ended up uninstalling it as was just too aggressive and there were many benign websites (at least to my mind) that just didn't work properly with it installed.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Drive by malware ... ouch
« Reply #6 on: September 27, 2008, 12:22:04 PM »
FireFox3 + AdBlockPlus + NoScript + DropMyRights (or a limited user account)... that ought to keep you safe.

I wouldn't use a thing like "hostfile", a thing like that just can't get updated fast enough to be really efficient, and considering how often the hostfile is consulted... I don't want it having a zillion entries.
- carpe noctem

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,666
    • View Profile
    • App's Apps
    • Read more about this member.
    • Donate to Member
Re: Drive by malware ... ouch
« Reply #7 on: October 10, 2008, 02:01:44 AM »
I would also make sure your Java (JRE) is up to date and uninstall older versions.

There is malware that exploits a vulnerability in an older version to get on your machine (through flash based ads on sites). That's how most people end up with Winfixer/Virtumundo (and that can be nasty to remove).

And if you are using Firefox, use Flashblock! And don't activate a flash file unless you know what it is and know it's safe.