Winfixer infiltrates AOL ads

Guest

Sandi - Microsoft MVP said:
The only clickable links in my article go to reputable sites. Unfortunately
any Web site using the compromised network is at risk, so if you are going to go
down that particular path, get ready to exclude pretty much all of "the
Internet" because virtually every major advertising network has been
compromised now.

It's not that I'm going down any path - rather it's that I saw all the
warnings, didn't understand what I might be letting myself in for, and simply
stopped.

During the course of the last few months I've made a really serious effort
to understand the problems involved. I am FAR more protected (and at least
partly educated) now than I was 6 months ago, and yet I'm also far more aware
of my vulnerability than I've ever been. It seems to me that pretty soon the
internet will be so compromised that only a security expert will be able to
use it safely at all.
 
Anonymous Bob

Sandi - Microsoft MVP said:
"That's a really kind offer Bob - thank you (though I'm not sure whether
you're in the UK, like me?) However, I'm now hoping to navigate a simpler
alternative. I'm currently investigating whether it would be more sensible
(given my limited expertise) to use Spybot's hosts file instead - which
requires no more than clicking a button, and which does, I understand,
include protection against this particular threat.

<reply interspersed>

Sandi,
Thank you for the kind words and for your update in the blog. I hope your
daughter is feeling better.

Alan,
If you're in the UK said:
For the benefit of anyone reading this who would like further helpful and
clear advice generally on this issue, see the comments in the following
thread in the Spybot forum:
http://forums.spybot.info/showthread.php?p=76321#post76321"

Alan again,
I see you've elected to use the Spybot hosts file. I'm certain you'll find
great support in the spybot forum.
If all you want is a protective HOSTS file, use this instead:
http://www.mvps.org/winhelp2002/hosts.htm

A good evening to all,
Bob Vanderveen
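The HOSTS-file approach that Alan and Bob weigh above works because the resolver consults the local HOSTS file before it asks DNS, so a name mapped to 0.0.0.0 or 127.0.0.1 never reaches the ad server. The following Python is an added example, not code from the thread, from the MVPS list or from Spybot: it parses a HOSTS file in the Windows format, reports which names are sinkholed, and flags the opposite pattern, a trusted name pointed at some other address, which is how malware abuses the very same file. The file contents, host names and the 203.0.113.7 address are constructed for the example.

```python
# Added example, not from the thread: parse and audit a HOSTS file of the
# kind discussed above.  The sample file and its host names are constructed
# for this demonstration; they are not real ad servers or real banks.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Addresses a protective HOSTS file uses to "black-hole" a name: the browser
# either fails to connect at all (0.0.0.0) or talks only to the local machine.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

SAMPLE_HOSTS = """\
# Constructed sample for the example; the names are placeholders.
127.0.0.1       localhost
# Blocking entries in the style of an ad-blocking HOSTS file:
0.0.0.0         ads.example.net
127.0.0.1       tracker.example.org   pixel.example.org
# The opposite pattern, which malware adds to hijack a trusted name
# (203.0.113.7 is a documentation address, not a real host):
203.0.113.7     secure-bank.example.com
not-an-ip       broken.example.com
"""


@dataclass
class HostsEntry:
    lineno: int
    address: str
    names: List[str]


@dataclass
class AuditResult:
    blocked: List[HostsEntry] = field(default_factory=list)     # sinkholed names
    suspicious: List[HostsEntry] = field(default_factory=list)  # names sent elsewhere
    malformed: List[Tuple[int, str]] = field(default_factory=list)


def parse_hosts(text: str) -> Tuple[List[HostsEntry], List[Tuple[int, str]]]:
    """Parse 'address name [alias ...] [# comment]' lines.

    Returns the valid entries in file order plus the lines that could not be
    parsed, so a damaged file is reported rather than silently ignored.
    """
    entries: List[HostsEntry] = []
    malformed: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            if len(fields) < 2:
                raise ValueError("missing host name")
            address = str(ipaddress.ip_address(fields[0]))  # rejects junk
        except ValueError:
            malformed.append((lineno, raw))
            continue
        entries.append(HostsEntry(lineno, address, [n.lower() for n in fields[1:]]))
    return entries, malformed


def audit_hosts(text: str) -> AuditResult:
    """Classify every entry as a block (sink address) or a suspicious redirect."""
    result = AuditResult()
    entries, result.malformed = parse_hosts(text)
    for entry in entries:
        names = [n for n in entry.names if n != "localhost"]
        if not names:
            continue  # the ordinary 'localhost' line is neither block nor hijack
        if entry.address in SINK_ADDRESSES:
            result.blocked.append(entry)
        else:
            result.suspicious.append(entry)
    return result


def lookup(name: str, text: str) -> Optional[str]:
    """Address the resolver would take from this file for `name` (first match wins)."""
    entries, _ = parse_hosts(text)
    wanted = name.lower()
    for entry in entries:
        if wanted in entry.names:
            return entry.address
    return None  # not in HOSTS; the query would go out to DNS


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for e in report.blocked:
        print(f"line {e.lineno}: blocked {', '.join(e.names)} -> {e.address}")
    for e in report.suspicious:
        print(f"line {e.lineno}: SUSPICIOUS {', '.join(e.names)} -> {e.address}")
    for lineno, raw in report.malformed:
        print(f"line {lineno}: could not parse {raw!r}")
```

Two caveats follow from the code. A HOSTS file only blocks names that are already on the list, so it does nothing against an ad server under a name the list has not caught up with, which is why Sandi's point about every major network having been hit matters. And because the file is trusted before DNS, it is worth re-running an audit like this after any infection: an entry that sends a familiar name to an unfamiliar address is a hijack, not protection.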
 
Guest

Sandi - Microsoft MVP said:
You know, your question may just inspire a new blog post about this
stuff - it seems there is some, if not misinformation, certainly
misunderstanding, out there.

I'm sure further clarification in the form of another blog would be helpful.
But the problem is not just about misinformation. There's also a great deal
of good information that is simply unintelligible to the typical user. I
never read a Microsoft KB yet that I could fully understand; most of them
make no concessions at all for the needs of the non-expert - which means
almost everyone.
 
Guest

Anonymous Bob said:
Sorry I can't help you on the last 2 questions, but it appears Alt/F4 is the
safest way to exit from the popup.

If you have a strong desire to use the hosts file but the desire is offset
by a strong fear of messing with your system, drop me an email at
BobV3(at)hotmail(dot)com with your phone number and I'll talk you through it
on the phone.

That's a really kind offer Bob - thank you (though I'm not sure whether
you're in the UK, like me?) However, I'm now hoping to navigate a simpler
alternative. I'm currently investigating whether it would be more sensible
(given my limited expertise) to use Spybot's hosts file instead - which
requires no more than clicking a button, and which does, I understand,
include protection against this particular threat.

For the benefit of anyone reading this who would like further helpful and
clear advice generally on this issue, see the comments in the following
thread in the Spybot forum:
http://forums.spybot.info/showthread.php?p=76321#post76321
 
Guest

Sandi - Microsoft MVP said:
As to your question about what is the best thing to do, what is the "safe"
and "best" thing to do has depended on what you are encountering. Is it a
standard popup or is it a chromeless window with a fake title bar?

Could some kind soul tell me what a 'chromeless' window is, please?
 
Dave M

....just 'cause I didn't know either ;o)

A modification of the pop-up window is the Chromeless window. Unlike a
regular pop-up where you still see the browser window's title bar, a
Chromeless window takes out all of the extraneous details that your
OS/browser leaves on, and it gives you more freedom to customize the
appearance of your window. The only glaring problem with this cool effect
is that you have to use Internet Explorer. Users with Netscape or Mozilla
browsers are out of luck.

from http://www.kirupa.com/developer/mx2004/chromeless.htm
 
Guest

Dave M said:
....just 'cause I didn't know either ;o)

A modification of the pop-up window is the Chromeless window. Unlike a
regular pop-up where you still see the browser window's title bar, a
Chromeless window takes out all of the extraneous details that your
OS/browser leaves on, and it gives you more freedom to customize the
appearance of your window. The only glaring problem with this cool effect
is that you have to use Internet Explorer. Users with Netscape or Mozilla
browsers are out of luck.

from http://www.kirupa.com/developer/mx2004/chromeless.htm

Thanks Dave! I still don't think I really understand the explanation though.
For instance - when I'm reading these newsgroups with IE, and click 'reply'
to a post like yours, a pop up reply panel appears which does not have all
the usual IE paraphernalia at the top of it. Is that a chromeless window,
then? I thought pretty well all pop-ups were like that (not that I've made an
intensive study of them).
 
Dave M

No, I don't think that's quite it. The popups you're referring to still have
the title bar and X, Max, Min buttons, which are controlled by IE itself, so
you're talking to Internet Explorer when you hit that X to close it. In
the chromeless examples I've seen, functions are controlled by code other
than IE (JavaScript, for instance), and hitting the X could tell java to
execute some function... which might not be close... depending on how the
programmer wrote that script. In other words he could fool you into
thinking you were communicating with a regular IE window, though in reality
you'd be interfacing with his code.
 
Guest

Dave M said:
In
the chromeless examples I've seen, functions are controlled by code other
than IE (JavaScript, for instance), and hitting the X could tell java to
execute some function... which might not be close... depending on how the
programmer wrote that script. In other words he could fool you into
thinking you were communicating with a regular IE window, though in reality
you'd be interfacing with his code.

So a chromeless window can be programmed to look like an IE window? Blimey.
The more I think about this, the more I feel that the best of all the
options is to disconnect from the internet..... Well, I shall hope that the
Spybot hosts file will shield me from any of these ghastly deceptive
apparitions!
 
Dave M

Correctomundo.... however there's some good news (perhaps), since we're all
running fully updated XP-SP1 or later right? And hopefully all holes and
tricks are patched out, but I'm not gonna take any bets on this one...

"The Chromeless Window script currently does NOT work in Windows XP from
SP1 (Service Pack 1) and thereon after. The problem is due to a changed
behavior in XP that prevents Chromeless Windows all together (security
update). We're still observing to see if this behavior will be changed
soon, though if not, may have to remove this script altogether. If you wish
to use Chromeless Windows, please make sure you understand the above -Oct
28th, 2002"

from http://www.dynamicdrive.com/dynamicindex8/chromeless.htm
 
Bill Sanderson MVP

Thus far, I believe that exploits which have seen broad public use--those
used in this AOL incident or earlier MSN/Live incidents, for example, have
been ones which have already been patched.

So--first order of business is keeping up to date with critical patches for
Windows, Office, and Internet Explorer.

Exploits for which patches have not yet been issued have been used in narrow
targeted ways in the last 3 months or so. In general, the way to avoid
those exploits has been to not be part of the target population, and to stay
away from some rather unsavory sites. Additionally, Microsoft has issued
guidance about workarounds to avoid the unpatched exploits until patches are
available.

It is highly likely that there are also unpatched exploits to various apps
which are available for a price. So--if you are a high value target, you
probably need to do more than just patching, firewall and patching.

I really wouldn't let the above get you down, though. I still bank and shop
online regularly. I believe that the risks of those behaviors are still
probably less than those involved in the "old" ways of doing the same
things.

--
 
Bill Sanderson MVP

As an example: There is now a zero-day exploit being exploited by, at
current count by one security vendor, 9 sites.

This is the Microsoft advisory:

http://www.microsoft.com/technet/security/advisory/935423.mspx

This one will infect with no user interaction, if you visit any of the
infected sites.

In general, the way Microsoft seems to handle this kind of thing is to
monitor for sites utilizing the exploit, provide their antivirus partners
with any malware being distributed via the vulnerability, and, of course,
work on a patch for the underlying issue.

In these cases your up-to-date and competent antivirus is what may well
catch what is happening first, if you go to the wrong place.

--
 
Bill Sanderson MVP

Additional information: There is conflicting information about whether
reading email in plain text using Microsoft email clients will protect
against this exploit, were it contained in an email message. Microsoft says
yes, SANS says no in the case of Outlook Express, yes in the case of Outlook
2003.

--
 
