klikster Posted October 16, 2008
I usually surf pretty safely .. Zone Alarm, AVG updated daily .. "No Script" extension installed on FF3. Something apparently nailed me yesterday or the night before. It looked like Maxnet had just collapsed, so I didn't think too much. Then I started noticing odd symptoms.
1 - I could only open websites for a few minutes after a reboot, then no apparent bandwidth.
2 - Oddly, I could log on to gmail, which is usually a bit slow. I could also ftp.
3 - When I finally realized what was going on, I saw that I could open https pages, just not http.
Then I realized that Zone Alarm had been compromised. I guess it must be/have been a trojan. So I downloaded Comodo firewall and antivirus and scanned the heck out of my system. It seems to have worked. I even scanned with the Comodo online scanner and got 0 threats. Any recommendation for scanning for another trojan or rootkit?
Farma Posted October 16, 2008
Is it an attack or problems with the net? For the past 3 days Middle Eastern services have been unreliable to say the least. It's not restricted to the one supplier or service, be it dial up, satellite or broadband. Users of all ISPs have reported the same. Connections drop, at times you connect to the server but it remains dormant, impossible to sign into msn or hotmail, can't log into secure sites. The list goes on. For some reason Yahoo, Skype and Callserve work at the times when websites time out. In the past hour or so it appears to be returning to normal.
klikster (Author) Posted October 16, 2008
Quoting Farma: "Is it an attack or problems with the net? For the past 3 days Middle Eastern services have been unreliable to say the least. It's not restricted to the one supplier or service, be it dial up, satellite or broadband. Users of all ISPs have reported the same. Connections drop, at times you connect to the server but it remains dormant, impossible to sign into msn or hotmail, can't log into secure sites. The list goes on. For some reason Yahoo, Skype and Callserve work at the times when websites time out. In the past hour or so it appears to be returning to normal."
I think the most telling point is that https pages opened and http pages wouldn't.
TopDogger Posted October 16, 2008
& connection problems don't disable firewalls...
klikster (Author) Posted October 16, 2008
I'm wondering if it could have been one of those clickjacking scripts. 'Tis from the webmasterworld site:
"This was announced a few weeks ago, and the mainstream press has finally caught it for a second round on the internet. http://news.google.com/news?as_q=clickjack...mp;as_scoring=o There is no workaround (and thankfully no proof-of-concept) and noscript does not stop it from happening. It works without javascript. I cannot fathom how it possibly works. I hope the hackers have just as hard of a time. One thing that might help is FlashBlock (for firefox) which stops all flash except the scripts you press the "play button" on."
MKAsok Posted October 16, 2008
Did you not notice this on the Comodo website? I would strongly recommend it. Just yesterday it picked up something - literally within seconds after I installed a downloaded EXE - that Norton apparently remained entirely clueless about... mk
JetsetBkk Posted October 16, 2008
Quoting TopDogger: "& connection problems don't disable firewalls..."
I noticed about 5 days ago that my Comodo wasn't running - it was unchecked in the Startup tab of the System Configuration Utility. So I wrote a simple command file for the startup folder that checks that certain important tasks are running: Avast antivirus, Comodo firewall, BOClean anti-malware, Windows Defender, Spybot S&D and Ad-Aware. If any isn't running, it displays a message.
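A PowerShell version of the kind of startup check JetsetBkk describes, added here as an illustration and not his actual command file: it compares the tools he lists against the running processes, logs the result, and pops a message for anything missing. The process names are assumptions for illustration; confirm the real image names on your own machine before relying on it.

```powershell
# Added example: a startup watchdog in the spirit of the command file described above.
# Maps each tool to the process name it is expected to show under in Get-Process.
# These names are ASSUMED for illustration; verify them with Get-Process / Task Manager.
$ExpectedTools = [ordered]@{
    'Avast antivirus'  = 'AvastSvc'    # assumed
    'Comodo firewall'  = 'cmdagent'    # assumed
    'BOClean'          = 'BOC4'        # assumed
    'Windows Defender' = 'MsMpEng'     # assumed
    'Spybot S&D'       = 'TeaTimer'    # assumed (resident protection component)
    'Ad-Aware'         = 'AAWService'  # assumed
}

function Get-MissingSecurityTools {
    param([System.Collections.IDictionary]$Expected)
    # ProcessName carries no .exe suffix; -notcontains is case-insensitive by default.
    $running = @(Get-Process | Select-Object -ExpandProperty ProcessName)
    $missing = @()
    foreach ($tool in $Expected.Keys) {
        if ($running -notcontains $Expected[$tool]) { $missing += $tool }
    }
    return ,$missing   # leading comma keeps an empty result as an array
}

$missing = Get-MissingSecurityTools -Expected $ExpectedTools
$logPath = Join-Path $env:USERPROFILE 'security-watchdog.log'   # assumed log location
if ($missing.Count -gt 0) {
    $msg = 'Not running: ' + ($missing -join ', ')
    # Write a timestamped record first: a popup can be dismissed, a log line survives,
    # which is what lets you notice a tool that was quietly unticked from startup.
    Add-Content -Path $logPath -Value ("{0} {1}" -f (Get-Date -Format s), $msg)
    Add-Type -AssemblyName System.Windows.Forms
    [void][System.Windows.Forms.MessageBox]::Show($msg, 'Security watchdog')
} else {
    Add-Content -Path $logPath -Value ("{0} all expected tools running" -f (Get-Date -Format s))
}
```

Drop a shortcut to the script into the Startup folder (or a logon task) so it runs on every boot, the same place the original command file lived.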
klikster (Author) Posted October 17, 2008
Quoting MKAsok: "Did you not notice this on the Comodo website? I would strongly recommend it. Just yesterday it picked up something - literally within seconds after I installed a downloaded EXE - that Norton apparently remained entirely clueless about... mk"
Yes, I downloaded BOClean and it found several tracking cookies, but nothing that looked like a trojan. I have this nervous feeling that the trojan(?) is still on my machine, and only the firewall is keeping it from doing whatever it is designed to do. I guess with the way the 'net is so rife with malware, paranoia is a healthy state.
TopDogger Posted October 17, 2008
Quoting klikster: "I usually surf pretty safely .. Zone Alarm, AVG updated daily .. "No Script" extension installed on FF3."
So how have you picked this virus up? It must be from either warez or porn?
JetsetBkk Posted October 17, 2008
Quoting klikster: "Yes, I downloaded BOClean and it found several tracking cookies, but nothing that looked like a trojan. I have this nervous feeling that the trojan(?) is still on my machine, and only the firewall is keeping it from doing whatever it is designed to do. I guess with the way the 'net is so rife with malware, paranoia is a healthy state."
Try this one: http://www.kaspersky.co.uk/virusscanner - Kaspersky online virus scanner.
Jiu-Jitsu Posted October 17, 2008
Download, install, update and run a Quick Scan with Malwarebytes' AntiMalware. Once completed, make sure all of the entries are ticked. Then choose Remove Selected. Reboot.
klikster (Author) Posted October 17, 2008
Quoting TopDogger: "It must be from either warez or porn?"
Why must it be? Why not read the entire post and take special notice of the "clickjacking" article. I have already said I have used different virus scanners. Stupid and insulting comment, TopDogger.
Jiu-Jitsu Posted October 17, 2008
Quoting klikster: "It must be from either warez or porn? Why must it be? Why not read the entire post and take special notice of the "clickjacking" article. I have already said I have used different virus scanners. Stupid and insulting comment, TopDogger."
Have you followed my instructions?
klikster (Author) Posted October 17, 2008
@jetsblue - did the Kaspersky online check .. all 54 hours. It did find a "trojan" (js.downloader), but it was in a folder for some freeware I downloaded months ago and never got around to installing. So I don't think that caused my problem. @jj - downloaded and ran Malwarebytes' AntiMalware on a complete system scan .. 1 hour .. nothing found. Thanks to both of you for your help. My system "seems" okay, but .. ?
MKAsok Posted October 17, 2008
Don't think there's much more you can do realistically beyond a HD format, which would seem a little excessive. Change all your passwords to be on the safe side. Good luck... mk
JetsetBkk Posted October 17, 2008
Quoting klikster: "It must be from either warez or porn? Why must it be? Why not read the entire post and take special notice of the "clickjacking" article. I have already said I have used different virus scanners. Stupid and insulting comment, TopDogger."
Ignore him - he's just "having a laugh".
Quoting klikster: "@jetsblue - did the Kaspersky online check .. all 54 hours. It did find a "trojan" (js.downloader), but it was in a folder for some freeware I downloaded months ago and never got around to installing. So I don't think that caused my problem...."
Wow! How long?? I usually only scan my C: drive - just did it again, in fact, and it took just over an hour and only found the programs I know aren't viruses - cmdow.exe and some SysInternals stuff. Of course, if I had scanned the 940 GB of external data on the 1.2 TB of drives, it would've taken a little longer. I think I'll give that MalwareBytes stuff a go now...
klikster (Author) Posted October 18, 2008
Quoting MKAsok: "Don't think there's much more you can do realistically beyond a HD format, which would seem a little excessive. Change all your passwords to be on the safe side. Good luck... mk"
Actually, everything "seems" fine now that I removed ZoneAlarm and installed Comodo's firewall.
JetsetBkk Posted October 18, 2008
Quoting klikster: "Actually, everything "seems" fine now that I removed ZoneAlarm and installed Comodo's firewall."
Maybe Zone Alarm got its knickers in a twist. I use Comodo - it takes a while for it to "learn" what to do, but once that period is over, it's usually pretty quiet and gets on with its job. I did the Malware Bytes scan - no problems.
MKAsok Posted October 18, 2008
Quoting klikster: "So I downloaded Comodo firewall and antivirus and scanned the heck out of my system. It seems to have worked."
Just out of interest, after you did this, did Comodo actually pick up anything specific?
klikster (Author) Posted October 19, 2008
Quoting MKAsok: "Just out of interest, after you did this, did Comodo actually pick up anything specific?"
To tell you the truth, I'm not sure. That sounds silly, but I had so much stuff going on in my old noggin that nothing jumped out at me. BOClean found some stuff, but since nothing was actually called "trojan", it didn't register. I spent most of the afternoon changing passwords on ftp clients, and web server panels and accounts.
MKAsok Posted October 19, 2008
Quoting klikster: "To tell you the truth, I'm not sure."
I think Jetset may have been right when he said "Maybe Zone Alarm got its knickers in a twist." Sounds like it may have got corrupted or something and you might not have had any malware at all. I don't think it's great software to be honest. Anyway, you did all the right things. Better safe than potentially extremely sorry...
klikster (Author) Posted October 19, 2008
Quoting MKAsok: "I think Jetset may have been right when he said "Maybe Zone Alarm got its knickers in a twist." Sounds like it may have got corrupted or something and you might not have had any malware at all. I don't think it's great software to be honest. Anyway, you did all the right things. Better safe than potentially extremely sorry..."
I hope he was right. I'm continually frustrated by the "No Script" extension that I have installed on FF .. so many times I have to give temporary permissions, reload pages, wait, etc. But I'm sure I would be a lot more frustrated if my hosting company had to format the drives and reinstall everything on my VPS and dedicated server .. and hope the backups are not corrupt.
JetsetBkk Posted October 19, 2008
Quoting klikster: "...I'm continually frustrated by the "No Script" extension that I have installed on FF .. so many times I have to give temporary permissions, reload pages, wait, etc. But I'm sure I would be a lot more frustrated if my hosting company had to format the drives and reinstall everything on my VPS and dedicated server .. and hope the backups are not corrupt."
I have the NoScript icon on the FF status bar at the bottom of the screen and regularly click on the "Allow ......." option if I trust the web page. This means I don't need to allow it again in the future. I sometimes click on the "Temporarily allow ....." option, but not usually.
klikster (Author) Posted October 20, 2008
Quoting JetsetBkk: "I have the NoScript icon on the FF status bar at the bottom of the screen and regularly click on the "Allow ......." option if I trust the web page. This means I don't need to allow it again in the future. I sometimes click on the "Temporarily allow ....." option, but not usually."
Well, I'm very wary of iframe attacks. I guess I could assume "once okay, always okay", but I was the victim of an iframe exploit on my server a few years ago. The exploit inserted an iframe into a number of HTML pages on every site, as well as HTML pages on Apache. I spent about 30 hours removing the code and reloading pages. The exploit didn't appear to do anything, but it directed traffic to a specific URI. But the worst part was that Googlebot picked it up and placed a site-by-site warning in the search results. Needless to say, traffic dropped off considerably for the webmasters who didn't realize the code was there. Estimates that I heard claimed that 200,000 sites had been affected.
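Added example, not code from the thread or from any of the posters: a PowerShell sweep for the kind of injected iframes klikster describes, finding every iframe under a web root, flagging the hidden ones, and tallying files per src, since one src turning up across many pages and sites is the tell. It runs here over two constructed HTML files in a temp folder; the folder layout and markup are assumptions, and `$WebRoot` would point at a real document root in use.

```powershell
# Added example: find <iframe> tags across a web root, flag hidden ones, group by src.
function Find-Iframes {
    param([string]$Root)
    $src    = '<iframe[^>]*\bsrc\s*=\s*["'']?([^"''\s>]+)'
    $hidden = 'width\s*=\s*["'']?0\b|height\s*=\s*["'']?0\b|display\s*:\s*none|visibility\s*:\s*hidden'
    Get-ChildItem -Path $Root -Recurse -Include *.html,*.htm,*.php -File |
        Select-String -Pattern $src -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                [pscustomobject]@{
                    File   = $_.Path
                    Line   = $_.LineNumber
                    Src    = $m.Groups[1].Value
                    Hidden = [bool]($_.Line -match $hidden)   # zero-size or display:none
                }
            }
        }
}

# Constructed sample web root for the demonstration (assumed layout, not a real site).
$WebRoot = Join-Path $env:TEMP 'iframe-scan-demo'
New-Item -ItemType Directory -Path "$WebRoot\site1", "$WebRoot\site2" -Force | Out-Null
@'
<html><body><h1>Clean page</h1>
<iframe src="https://maps.example/embed" width="400" height="300"></iframe>
</body></html>
'@ | Set-Content "$WebRoot\site1\index.html"
@'
<html><body><h1>Injected page</h1></body></html>
<iframe src="http://bad.example.invalid/in.cgi" width="0" height="0" style="display:none"></iframe>
'@ | Set-Content "$WebRoot\site2\index.html"

$hits = Find-Iframes -Root $WebRoot
# Hidden iframes first (the injected one), then the per-src tally; the legitimate embed
# shows once and visible, whereas an injection shows the same src in file after file.
$hits | Where-Object Hidden | Format-Table File, Line, Src -AutoSize
$hits | Group-Object Src | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Files'; e = { @($_.Group.File | Select-Object -Unique).Count } } |
    Format-Table -AutoSize
```

On a real server, compare the src tally against the iframes each site is supposed to carry and keep the file list: it is also the list of pages to request re-crawling for once they are clean.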