Bofra Worm Spreads by Banner Ads

Martin

Bofra Worm Spreads by Banner Ads

Attacks exploit an IE flaw and allow an attacker to gain complete control of your PC.

Laura Rohde, IDG News Service
Monday, November 22, 2004


Web site visitors who clicked on banner ads on a number of popular European Web sites this weekend could have infected their computers with variants of the Bofra worm, experts warn.

The attacks take advantage of an unpatched buffer overflow flaw in the way Internet Explorer 6 handles the IFrame tag, and the exploit has been confirmed on PCs running Windows XP with Service Pack 1 and Windows 2000, according to a warning posted Sunday on the SANS (SysAdmin, Audit, Network, Security) Institute Web site. Windows XP Service Pack 2 (SP2) is not vulnerable, it said.

The vulnerability allows attackers to gain complete control of a user's computer.

Also on Sunday, U.K. technology news Web site The Register reported that its third party ad serving company Falk became infected with the Bofra/IFrame exploit, forcing the Web site to suspend its ads from Falk.

"If you may have visited the Register between 6 a.m. and 12.30 p.m. GMT on Saturday, November 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date antivirus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue," The Register said on its Web site.


Additional Reports
According to SANS, there were also reports of sites in Sweden and the Netherlands being compromised by the malicious code.

In the Netherlands, the country's biggest news site, NU.nl, with over 450,000 unique visitors per month, was infected through the ad system of Falk and served the code to its visitors. Additionally, the other sites of Ilse Media, including one of the largest Dutch sites Startpagina, distributed the Trojan horse as well.

Adserver tags and link addresses were manipulated in order to install and execute the malware. User requests were redirected from Falk's servers to the URL "search.comedycentral.com" (199.107.184.146), from where the malicious code was delivered, Falk says in a statement.

Falk's competitor Adtech released its own statement saying that its adserving system Helios was not affected by the problem.

Microsoft has yet to issue a patch for the IE IFrame hole for users who have not installed SP2. However, some "unofficial" patches have been released, including one from a German security researcher at the Web site, cherryware.de.

Wilbert de Vries of WebWereld Netherlands contributed to this report.



http://www.pcworld.com/resource/printable/article/0,aid,118687,00.asp
 
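An added example, not from the article, SANS or Falk: the incident above is an ad network serving a creative that redirects to a host it does not own and carries an IFRAME built to overflow IE6. Both properties can be checked on the server side before a creative is trafficked. The script below parses ad markup and flags frame-like tags that load from a host outside the ad network's own, or that carry an attribute value far longer than any real banner tag needs (the public exploits for this bug used attribute values several kilobytes long). The allowlisted host, the 1024-byte threshold and the two sample creatives are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed for this example: the only host a banner slot is expected to load
# from, and an attribute-length limit. A genuine ad tag's src/name attributes are
# at most a few hundred characters; the exploit payloads were several KB.
EXPECTED_AD_HOSTS = {"ads.example-adserver.test"}
MAX_ATTR_LEN = 1024


class IframeAuditor(HTMLParser):
    """Collect (tag, attribute, reason, detail) findings for frame-like tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame", "embed", "object"):
            return
        for name, value in attrs:
            value = value or ""          # bare attributes arrive as None
            if len(value) > MAX_ATTR_LEN:
                self.findings.append((tag, name, "oversized", len(value)))
            if name in ("src", "data"):
                m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", value, re.I)
                if m and m.group(1).lower() not in EXPECTED_AD_HOSTS:
                    self.findings.append((tag, name, "unexpected host", m.group(1).lower()))


def audit_ad_markup(html):
    """Return the findings for one creative; an empty list means nothing suspicious."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample creatives, not captured traffic.
BENIGN_AD = ('<iframe src="http://ads.example-adserver.test/banner?slot=468x60" '
             'width="468" height="60" frameborder="0"></iframe>')
HOSTILE_AD = ('<iframe src="http://203.0.113.9/x.html" name="' + "A" * 3000 +
              '" width="1" height="1"></iframe>')

if __name__ == "__main__":
    for label, creative in (("benign", BENIGN_AD), ("hostile", HOSTILE_AD)):
        print(label, audit_ad_markup(creative))
```

The host check is the one that would have caught the Falk incident as described (creatives were redirected off Falk's servers); the length check is the generic guard against this class of parser overflow and is cheap enough to apply to every tag attribute, not only IFRAME.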

Prairie Lady

I use IE, but I use a lot of third-party helps too. Here are a few things I've done to assist in securing my Win98/IE6 SP1 PC.

In the Restricted sites zone, EVERYTHING is set to Disabled. From IE: Tools>Internet Options>Security.
Click on Restricted sites, then click on Custom. Set all options to Disabled. Click OK.

From the same panel you entered restricted sites, click on internet then custom.

Keep the following Disabled:

Download unsigned ActiveX controls
Initialize and script ActiveX controls not marked safe
Access data sources across domains
Allow META REFRESH
Display mixed content
Don't prompt for client certificate selection...
Install desktop items
IFRAME
Sub-frames
Userdata persistence

Set to Prompt:
Download signed ActiveX controls
Run ActiveX controls and plug-ins
Font download

To make IE act a little more like Netscape's fancy version (Firefox), disable Java. I like mine at High safety because I like to use the chats at forums like TB's.

The rest can be set to Enable or Prompt as your heart desires.

In the Advanced tab, set the defaults but then UNCHECK the following:
Enable Install On Demand (Internet Explorer)
Enable Install On Demand (Other)
Enable synchronizing on a schedule
Enable third-party browser extensions
Use inline AutoComplete for Web addresses

Set the rest as you desire if you think the features are ones you want.

Download and install a HOSTS file. This is a good one.
http://www.mvps.org/winhelp2002/hosts.htm

Read and follow the instructions for downloading and installing the file. It's very simple. Then look at the HOSTS file, because this one will tell you certain entries to add to the Restricted sites list. Just copy/paste those entries. This prevents some things from being able to run on malicious pages if you should happen to encounter them. It will also reduce some ads :) as well as some cookies. You can always add to the file using a HOSTS file editor, following the format shown in the HOSTS file.

Download and install IE-SPYAD.
This adds entries to the Restricted sites zone, thereby helping to block the install of malicious cookies and programs. The listing may be very different from the entries you copied and pasted from the HOSTS file, so it increases the protection even more. Read all the documentation that comes with the file and follow their directions. This file has no effect on Opera, Mozilla, or Netscape.
Get it here: https://netfiles.uiuc.edu/ehowes/www/resource.htm

Download and install Ad-Aware SE Personal from LAVASOFT. There are many look-alikes out there, so make sure the one you get comes from LAVASOFT only! Update and run it. Gets rid of some nasty crap.

Download and install SpywareBlaster.
http://www.javacoolsoftware.com/supportforums.html
Like IE-SPYAD, this adds entries to the Restricted sites zone to help prevent the crap from getting in in the first place, but it does a few other things for you too.

Update it and enable the protections. This program comes with some tools that are very handy. It can take a snapshot of your system, so if something hijacks it you can restore your browser configs and get back online.
Your Tools area has several tabs across the top. The first one, Browser Pages, lets YOU decide what and where your browser goes. You decide your home pages, your search pages and several others. In Hosts Safe you can back up and encrypt your HOSTS file. Some malicious files add their junk to the file to redirect you to their sites. You can keep a copy of the original to protect and restore a damaged HOSTS file.

Misc IE: you can prevent another PC user at your house from changing your home page settings. You can change the titles in the windows too.

Flash killer. I personally hate flash because so many ads use it and you can't shut them off. I don't consider it a safe program either so I shut that off. I only keep flash on the pc at all because some of my program installations depend on it, otherwise, it would be off my pc altogether.

Custom Blocking allows you to block ActiveX controls. I think this is a fine-tuning so that you can enable ActiveX at "safe" websites. Not having ActiveX enabled can make pages act funny: like when you click on Post, the page posts and returns you to the posted page... well, with ActiveX disabled you sometimes have to click that "click here" line if you don't get redirected. I'm not as familiar with the Custom Blocking page, so I'll defer this part to those who can teach us all.

Obtain and install HijackThis.

merijn@spywareinfo.com
http://www.merijn.org/files/hijackthis.zip
http://www.merijn.org/index.html

This handy-dandy tool lets you know what's starting up and what's using your browser. Many a trojan/virus/worm/malware/spyware has been nailed with this tool.
This tool also contains a HOSTS file manager, so you don't have to have a special stand-alone program for editing your HOSTS file.

Some malware can't be gotten rid of any other way. Sometimes only parts of malware get removed by things like Ad-Aware, so HijackThis gives you a little more fine-tuning control to get rid of excess junk.

Get a trojan scanner. I just got the one from a² (a-squared). It's free.
http://www.emsisoft.com/en/

Free trojan scanners are hard to come by these days. There is a paid for version available with more controls too.

Get a virus scanner.

Get a Firewall. I really am happy with the Sygate Personal (free) firewall. I was a dedicated Zone Alarm user for years and it was hard to pry that program from my pc, but I did and I like the sygate. It's easy to use.
www.sygate.com

In all of this what have you done?
You have told your computer that it can't download just any old thing that comes its way. You have restricted the behaviors of malicious programs just by closing all the unsafe open defaults in IE. You've tightened it up, closed a few gaps.

You've installed programs that help to block some popups and blocked some malicious ads/banners. You put some sites in the Restricted zone so that stuff just can't run well even if it did get in. You put programs in to detect and get rid of some bad stuff.

You've put in some "layered protections". You tried to block its entry, tried to cut short its ability to function if it got in at all, detect it and get rid of it. You should have a LOT fewer problems with malicious ware of any kind now IF..... IF you adjust just a few other habits/behaviors.

If you are using Outlook Express you need to reset a few things. One, get rid of the preview pane. Click on View>Layout. Uncheck Preview Pane.

In Tools>Options>Security, click the radio button for the Restricted sites zone. Remember how you disabled EVERYTHING in the Restricted zone????? If your email operates from there, then if a virus gets in, it's harder for it to operate. Check the other two options in the virus protection area also. One is "warn if someone tries to send mail as me" and the other forbids the opening of attachments.
Those are the most important ones in Outlook Express, although there are others.

I picked up a little file from RMbox called Close 139. It's a little batch file that closes the NetBIOS sharing ports 137, 138, and 139. No sense in letting the holes hang open if you don't need to. This is another layering. You have a firewall hiding the ports, but that's like putting a bush in front of your front door. Close the door.
http://home.earthlink.net/~rmbox/Reticulated/Toys.html

You will find a nice little toybox here with a few handy tools that don't consume resources, and are free.

I use another handy-dandy little freebie I got from Fred Langa years ago that lets me clean out the temp files, index files and temporary index files from DOS. You actually get them cleaned out that way. The PC runs better :) There are a few files you can use from Fred. They are called Cleanup.bat, Clean9x.bat, or Clean.bat.
Some are much more aggressive than others, so the thing to do is go to Fred's site to learn how to use them properly. It's not difficult, but I'd rather he told you about his files, what they do and how to use them. This is one of my most trusted, needed, absolutely-would-not-ever-be-without-it files of all. It's in the top 3 of my priorities.
www.langa.com/cleanup_bat.htm

Ok, now...
It's up to you. IE can be a very good browser if you use a little bit of good sense. I really gave FireFox a go, and the best thing I can say about it is....It's 'ok'. I like the functionality of ie and while my suggestions (gathered from very wise and able people all over the best sites on the web) may not prevent 100% of all problems, you can still reduce those problems by 99% .

But what's in YOUR hands now is learning 3 very important things. If you refuse to learn them, if you refuse to implement them, then the onus is on YOU and i have ZERO sympathy for you if you get ruined.

1) Implement the above suggestions. LEARN!!!!!!!!!!!!!! The info above can save you thousands of dollars, and hundreds of hours of headaches and loss.

2) Don't open attachments!!!!!!!!! If you know it's a very important and expected file, save it to disk and scan it with a virus scanner before opening it. But screw curiosity, because it will kill your PC. Jokes aren't that funny!

3) Don't EVER, and I do mean EVER, leave your email address online.

Get a junk mail address and use that. But don't use your personal email address on websites. Even this one. Email Dennis if you have to, but don't leave your personal email address anywhere. Work something out with him if need be, but don't leave your email address lying around the internet. You can be guaranteed TONS of junk mail if you leave it so much as once. It will be sold over and over and over again.
I've not had junk mail in my personal email box for years. But my junk mail box fills to the tune of 500 or more a week. If a program wants my email address so it can send me an activation code or verification code, redirect to log in, whatever... I use my junk mail address. My home address is for friends and family ONLY.

There is still more that a person can do such as hardware firewalls/routers etc but I leave those to those who use them and need them. I am on a dial up connection with a win98 machine that I just love. I've had excellent results with the methods above. Now and then something new comes along but for the most part I visit certain security forums either daily or several times a week in order to be aware, and that's helped tons too.

It's up to you. Your pc can be the zombie that wrecks the net for everyone or it can be a nice fast, clean, lean machine that performs well for you, but it's up to you. I've just spent the better part of over an hour putting this info together, PLEASE heed?

pl
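An added example, not part of Prairie Lady's post, that automates the step she describes of copying the blackholed hosts from a HOSTS file into the Restricted sites zone (the same thing IE-SPYAD and SpywareBlaster do in bulk). It parses a HOSTS file, keeps the names mapped to 0.0.0.0 or 127.0.0.1, and writes a REGEDIT4 file that assigns each one to IE zone 4 under the ZoneMap\Domains key IE itself uses for the Restricted sites list. The sample HOSTS lines are constructed for the example, not taken from the MVPS file, and the domain/subdomain split assumes the registrable domain is the last two labels (wrong for suffixes such as co.uk).

```python
# Constructed blackhole HOSTS entries for the example (not the MVPS file).
HOSTS_SAMPLE = """\
# constructed sample entries
127.0.0.1 localhost
0.0.0.0 ads.tracker.test          # banner network
0.0.0.0 malware-drop.test www.malware-drop.test
127.0.0.1 popups.tracker.test cdn.tracker.test
"""

BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1"}
RESTRICTED_SITES = 4   # IE zone ids: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")


def hosts_blackholed(text):
    """Host names the file sends to a blackhole address, in file order, minus localhost."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        addr, *hosts = line.split()
        if addr not in BLACKHOLE_ADDRS:
            continue
        for host in hosts:
            host = host.lower()
            if host in ("localhost", "localhost.localdomain") or host in names:
                continue
            names.append(host)
    return names


def zone_key(host):
    """Split a host the way IE stores it: Domains\\<domain>\\<subdomain>.
    Assumption: the registrable domain is the last two labels. That is wrong for
    public suffixes like co.uk, which would need a suffix list to handle."""
    labels = host.split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def restricted_sites_reg(hosts):
    """Build a REGEDIT4 file putting every host (all schemes, value "*") in zone 4.
    REGEDIT4 is the Win9x header and is still accepted by later regedit versions."""
    lines = ["REGEDIT4", ""]
    seen = set()
    for host in hosts:
        domain, sub = zone_key(host)
        key = ZONEMAP + "\\" + domain + ("\\" + sub if sub else "")
        if key in seen:
            continue
        seen.add(key)
        lines += ["[" + key + "]", '"*"=dword:%08x' % RESTRICTED_SITES, ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(restricted_sites_reg(hosts_blackholed(HOSTS_SAMPLE)))
```

Import the output with regedit (or double-click the .reg file) and the hosts show up under Restricted sites in Tools>Internet Options>Security. The HOSTS file and the zone entry are independent layers: the HOSTS file stops the name resolving at all, while the zone entry applies the locked-down Restricted settings if the page is reached anyway, for instance by IP address.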