Trojan-Downloader.Small - How'd I get it ?

[- Bob -]

How does this trojan get on your machine ?

I visited a (appeared to be reputable) web site the other day and
within a moment or two AVG started popping alerts. An instant later I
had a rogue c:\explorer.exe in addition to stuff in Temp Internet
files. All appears to be OK now after some clean up.

But, I am curious as to how this specific trojan made it on to my
machine? I understand the general principles involved, but what is the
specific exploit it used - and can I plug it?

Thanks,

 

[Art]

How does this trojan get on your machine ?

I visited a (appeared to be reputable) web site the other day and
within a moment or two AVG started popping alerts. An instant later I
had a rogue c:\explorer.exe in addition to stuff in Temp Internet
files. All appears to be OK now after some clean up.

But, I am curious as to how this specific trojan made it on to my
machine? I understand the general principles involved, but what is the
specific exploit it used - and can I plug it?

Assuming what you experienced was indeed due to a unpatched
vulnerability, it could have been any one of many possible. First,
what is the url of the web site you think was the cause? Next, what
browser was used, and what are its security settings (in detail)? What
version of Windows? Are all hotfixes for it installed? Latest service
packs and/or rollups? Are you sure the problem was really caused
by a web site? Maybe you have open shares or no firewall?

Art
http://home.epix.net/~artnpeg

 

[David H. Lipman]

From: "- Bob -" <[email protected]>

| How does this trojan get on your machine ?
|
| I visited a (appeared to be reputable) web site the other day and
| within a moment or two AVG started popping alerts. An instant later I
| had a rogue c:\explorer.exe in addition to stuff in Temp Internet
| files. All appears to be OK now after some clean up.
|
| But, I am curious as to how this specific trojan made it on to my
| machine? I understand the general principles involved, but what is the
| specific exploit it used - and can I plug it?
|
| Thanks,

How ?

By; explotation of vulnerabilities, Social Engineering. lack of installing needed security
updates, etc., etc...

 

[kurt wismer]

How does this trojan get on your machine ?

I visited a (appeared to be reputable) web site the other day and
within a moment or two AVG started popping alerts. An instant later I
had a rogue c:\explorer.exe in addition to stuff in Temp Internet
files. All appears to be OK now after some clean up.

But, I am curious as to how this specific trojan made it on to my
machine? I understand the general principles involved, but what is the
specific exploit it used - and can I plug it?

you are, unfortunately, asking a question that makes more sense for
viruses and worms than it does for trojans, especially something as
lowly as a downloader trojan...

trojans aren't self-spreading, so whatever means were used to get it
onto your machine are not part of the trojan itself - as such, telling
us which trojan it is doesn't really nail down the means by which it got
on your machine...

it could be an exploit as others have mentioned, or social engineering
(though you seem to be indicating it showed up just by you browsing to a
page)... have you disabled all active content except for known trusted
sites? that generally helps avoid drive-by-downloads...

 

[- Bob -]

it could be an exploit as others have mentioned, or social engineering
(though you seem to be indicating it showed up just by you browsing to a
page)... have you disabled all active content except for known trusted
sites? that generally helps avoid drive-by-downloads...

Ok... perhaps my post left two many question open. I'm not a newbie,
my system has the latest MS & AVG updates, spy-bot, adaware, I have
hardware and software firewalls, I don't say "yes" to active-x, I
don't knowingly visit less than reputable sites, my ports are closed
fairly well to the outside world. I do have JS turned on.

With all that in place and a cautious user at the keyboard, something
still snuck through. Are there known exploits in MSIE (6), or maybe
the MS Java module, or something else that allow for downloading
exploits?

The bottom line is that I am wondering if there is something else that
I can patch on my system to be better protected against this sort of
exploit.

 

[kurt wismer]

Ok... perhaps my post left two many question open. I'm not a newbie,
my system has the latest MS & AVG updates, spy-bot, adaware, I have
hardware and software firewalls, I don't say "yes" to active-x, I
don't knowingly visit less than reputable sites, my ports are closed
fairly well to the outside world. I do have JS turned on.

With all that in place and a cautious user at the keyboard, something
still snuck through. Are there known exploits in MSIE (6), or maybe
the MS Java module, or something else that allow for downloading
exploits?

yes, it's called javascript - that thing you say you've left turned on...

The bottom line is that I am wondering if there is something else that
I can patch on my system to be better protected against this sort of
exploit.

when i say disable all active content except for known trusted sites, i
mean *all* active content... for ie, customize your internet zone to be
as restrictive as you can and add sites you trust to your trusted sites
zone...

also, know that even with such measures things may still get through -
all preventative measures fail from time to time and whitelisting active
content is no exception when you consider things like cross site
scripting...

 

[Offbreed]

also, know that even with such measures things may still get through -
all preventative measures fail from time to time and whitelisting active
content is no exception when you consider things like cross site
scripting...

Yeah, one of my favorite web sites got hacked and tried to download
something to my computer. Norton blocked it. The website had a bunch of
dry, reference material in it, not the sort of site one would normally
expect to be targeted for hacking.

Need to watch everything on the net.