AV detection of malware during real-time web browsing (cache, java,etc)?


Virus Guy

Has anyone ever had the experience that their AV software has alerted
them to *something*, in real time, as you were accessing a web site
(ie surfing the net)? Perhaps the *something* was found in the
browser or java cache, or a malicious plug-in (direct-x, etc)?

I'm talking real-time here, not something that was detected as a
result of a scheduled or manual scan.

I'm not talking about a browser re-direct, pop-up, or a screwy/invalid
certificate, or a cookie. I'm talking bona-fide browser exploit,
virus, trojan, worm, jpeg/wmf thing, etc, that results in code
download/execution, privilege elevation, etc.
 
Has anyone ever had the experience that their AV software has alerted
them to *something*, in real time, as you were accessing a web site
(ie surfing the net)? Perhaps the *something* was found in the
browser or java cache, or a malicious plug-in (direct-x, etc)?

I'm talking real-time here, not something that was detected as a
result of a scheduled or manual scan.

I'm not talking about a browser re-direct, pop-up, or a screwy/invalid
certificate, or a cookie. I'm talking bona-fide browser exploit,
virus, trojan, worm, jpeg/wmf thing, etc, that results in code
download/execution, privilege elevation, etc.
Yes, several times. Because of the work I do I have to go quite often to
very dubious sites. Several times Avast! asked permission to cut a
connection because some site tried to install some trojan, without
clicking on anything, just by visiting the site. These were (of course)
mainly pornsites of the worst kind.

Peter
 
From: "Virus Guy" <[email protected]>

|
| Has anyone ever had the experience that their AV software has alerted
| them to *something*, in real time, as you were accessing a web site
| (ie surfing the net)? Perhaps the *something* was found in the
| browser or java cache, or a malicious plug-in (direct-x, etc)?
|
| I'm talking real-time here, not something that was detected as a
| result of a scheduled or manual scan.
|
| I'm not talking about a browser re-direct, pop-up, or a screwy/invalid
| certificate, or a cookie. I'm talking bona-fide browser exploit,
| virus, trojan, worm, jpeg/wmf thing, etc, that results in code
| download/execution, privilege elevation, etc.

Yes.

Here are 2 log snippets of going to malicious web sites...

9/25/2005 8:19:54 AM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet
Files\Content.IE5\WCZFECUD\index[1].htm Downloader-AEH
9/25/2005 8:19:56 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\WCZFECUD\ysb_regular[1].cab\YSB_REGULAR[1].CAB Adware-ISTbar
9/25/2005 8:20:04 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\FZ4HCZOS\pcs_0002[1].exe\PCS_0002[1].EXE Downloader-AAI


9/26/2005 1:27:28 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet
Files\Content.IE5\WCZFECUD\you[1].htm JS/Spawn
9/26/2005 1:27:28 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\WCZFECUD\you[1].js JS/Winbomb
 
From: "Virus Guy" <[email protected]>

|
| Has anyone ever had the experience that their AV software has alerted
| them to *something*, in real time, as you were accessing a web site
| (ie surfing the net)? Perhaps the *something* was found in the
| browser or java cache, or a malicious plug-in (direct-x, etc)?
|
| I'm talking real-time here, not something that was detected as a
| result of a scheduled or manual scan.
|
| I'm not talking about a browser re-direct, pop-up, or a screwy/invalid
| certificate, or a cookie. I'm talking bona-fide browser exploit,
| virus, trojan, worm, jpeg/wmf thing, etc, that results in code
| download/execution, privilege elevation, etc.

Yes.

Here are 2 log snippets of going to malicious web sites...

9/25/2005 8:19:54 AM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet
Files\Content.IE5\WCZFECUD\index[1].htm Downloader-AEH
9/25/2005 8:19:56 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\WCZFECUD\ysb_regular[1].cab\YSB_REGULAR[1].CAB Adware-ISTbar
9/25/2005 8:20:04 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\FZ4HCZOS\pcs_0002[1].exe\PCS_0002[1].EXE Downloader-AAI


9/26/2005 1:27:28 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet
Files\Content.IE5\WCZFECUD\you[1].htm JS/Spawn
9/26/2005 1:27:28 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\WCZFECUD\you[1].js JS/Winbomb

What happens when you don't use IE, or disable scripting and ActiveX
in IE? Do you still get the alerts?

Art
http://home.epix.net/~artnpeg
 
Yes, several times. Because of the work I do I have to go quite often to
very dubious sites. Several times Avast! asked permission to cut a
connection because some site tried to install some trojan, without
clicking on anything, just by visiting the site. These were (of course)
mainly pornsites of the worst kind.

I'll ask you the same question I just asked David. Is this just with
IE, and with what IE security settings?

Art
http://home.epix.net/~artnpeg
 
From: "Art" <[email protected]>

| On Wed, 12 Apr 2006 14:29:54 GMT, "David H. Lipman"
| said:
|> Has anyone ever had the experience that their AV software has alerted
|> them to *something*, in real time, as you were accessing a web site
|> (ie surfing the net)? Perhaps the *something* was found in the
|> browser or java cache, or a malicious plug-in (direct-x, etc)?
|>
|> I'm talking real-time here, not something that was detected as a
|> result of a scheduled or manual scan.
|>
|> I'm not talking about a browser re-direct, pop-up, or a screwy/invalid
|> certificate, or a cookie. I'm talking bona-fide browser exploit,
|> virus, trojan, worm, jpeg/wmf thing, etc, that results in code
|> download/execution, privilege elevation, etc.
Yes.

Here are 2 log snippets of going to malicious web sites...

9/25/2005 8:19:54 AM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet
Files\Content.IE5\WCZFECUD\index[1].htm Downloader-AEH
9/25/2005 8:19:56 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\WCZFECUD\ysb_regular[1].cab\YSB_REGULAR[1].CAB Adware-ISTbar
9/25/2005 8:20:04 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\FZ4HCZOS\pcs_0002[1].exe\PCS_0002[1].EXE Downloader-AAI

9/26/2005 1:27:28 PM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet
Files\Content.IE5\WCZFECUD\you[1].htm JS/Spawn
9/26/2005 1:27:28 PM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\WCZFECUD\you[1].js JS/Winbomb
|
| What happens when you don't use IE, or disable scripting and ActiveX
| in IE? Do you still get the alerts?
|
| Art
| http://home.epix.net/~artnpeg

It would go in the FireFox or Opera cache...

11/10/2005 9:18:00 PM Deleted DLIPMAN-1\lipman C:\Program
Files\Opera\profile\cache4\opr000G1.jar Exploit-ByteVerify
 
| What happens when you don't use IE, or disable scripting and ActiveX
| in IE? Do you still get the alerts?
|
| Art
| http://home.epix.net/~artnpeg

It would go in the FireFox or Opera cache...

11/10/2005 9:18:00 PM Deleted DLIPMAN-1\lipman C:\Program
Files\Opera\profile\cache4\opr000G1.jar Exploit-ByteVerify

I know that. I'm wondering if your av (McAfee?) alerts when you use
an alternate browser. It will probably alert on the copying of the file
to the cache. But residing in cache in itself is harmless. So you need
the alert in that case like you need a hole in the head :) I don't use
a browser h.d. cache with broadband, and I suspect that whenever
I try a realtime av and poke around bad sites, the reason I never get
any alerts is due to the lack of a cache to copy to.

I'm kinda curious about KAV 6 in this regard since it monitors ports
such as 80 and 8080. It might alert regardless of browser or cache.
And most alerts when I use FF or Opera might be useless alerts ...
sort of much ado over nothing. Not entirely, of course, but just most.

Art

http://home.epix.net/~artnpeg
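Added example, not from any poster in this thread: a small Python parser for the on-access log records David posted, which also illustrates Art's point that a file-based scanner only has something to flag once the object is written to a browser's disk cache. It assumes the column layout visible in those lines (date, time, action, DOMAIN\user, path, detection name), that `Content.IE5` and `Opera\profile\cache` identify the two browsers' caches, and that `.cab`/`.jar`/`.zip`/`.exe` path components are containers the scanner descended into.

```python
import re
from collections import Counter

# Sample input: the records David posted, kept with the newsgroup line wrapping.
SAMPLE_LOG = r"""
9/25/2005 8:19:54 AM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet
Files\Content.IE5\WCZFECUD\index[1].htm Downloader-AEH
9/25/2005 8:19:56 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\WCZFECUD\ysb_regular[1].cab\YSB_REGULAR[1].CAB Adware-ISTbar
9/25/2005 8:20:04 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary
Internet Files\Content.IE5\FZ4HCZOS\pcs_0002[1].exe\PCS_0002[1].EXE Downloader-AAI
11/10/2005 9:18:00 PM Deleted DLIPMAN-1\lipman C:\Program
Files\Opera\profile\cache4\opr000G1.jar Exploit-ByteVerify
"""

DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} ")
# date, time, action, DOMAIN\user, path, detection: action and path may hold spaces.
RECORD_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<action>.+?) "
    r"(?P<user>[^\s\\]+\\[^\s\\]+) (?P<path>[A-Za-z]:\\.+) (?P<detection>\S+)$")
# Assumption: container types the scanner descends into and logs as container\member.
ARCHIVE_EXTS = (".cab", ".jar", ".zip", ".exe")


def join_wrapped(text):
    """Re-join records that the mailer wrapped; every record starts with a date."""
    records = []
    for line in text.splitlines():
        if DATE_RE.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def browser_cache(path):
    """Which browser's disk cache the object landed in (path markers are assumptions)."""
    p = path.lower()
    if "\\content.ie5\\" in p:
        return "ie"
    if "\\opera\\profile\\cache" in p:
        return "opera"
    return "other"


def parse_record(line):
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("unrecognised record: %r" % line)
    rec = m.groupdict()
    parts = rec["path"].split("\\")
    containers = [c for c in parts[:-1] if c.lower().endswith(ARCHIVE_EXTS)]
    rec["container"] = containers[0] if containers else None
    rec["object"] = parts[-1]
    rec["cache"] = browser_cache(rec["path"])
    # "Delete failed" means the cached copy is still on disk and needs clearing by hand.
    rec["removed"] = rec["action"] == "Deleted"
    return rec


def summarize(text):
    """Group hits by browser cache and list the objects the scanner could not remove."""
    recs = [parse_record(r) for r in join_wrapped(text)]
    return {"records": recs, "by_cache": dict(Counter(r["cache"] for r in recs)),
            "left_behind": [r["object"] for r in recs if not r["removed"]]}
```

Every hit here is a cache write, not evidence that anything executed; the "left_behind" list is the part that actually needs follow-up, since those copies survived the scanner's clean attempt.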
 
Virus said:
Has anyone ever had the experience that their AV software has alerted
them to *something*, in real time, as you were accessing a web site
(ie surfing the net)? Perhaps the *something* was found in the
browser or java cache, or a malicious plug-in (direct-x, etc)?

I'm talking real-time here, not something that was detected as a
result of a scheduled or manual scan.

I'm not talking about a browser re-direct, pop-up, or a screwy/invalid
certificate, or a cookie. I'm talking bona-fide browser exploit,
virus, trojan, worm, jpeg/wmf thing, etc, that results in code
download/execution, privilege elevation, etc.

Yes. A "reported" malicious script, using firefox.
 
Virus Guy said:
Has anyone ever had the experience that their AV software has alerted
them to *something*, in real time, as you were accessing a web site
(ie surfing the net)? Perhaps the *something* was found in the
browser or java cache, or a malicious plug-in (direct-x, etc)?

I'm talking real-time here, not something that was detected as a
result of a scheduled or manual scan.

I'm not talking about a browser re-direct, pop-up, or a screwy/invalid
certificate, or a cookie. I'm talking bona-fide browser exploit,
virus, trojan, worm, jpeg/wmf thing, etc, that results in code
download/execution, privilege elevation, etc.

Yes, IMON the internet monitor in NOD32 will inform me that such and
such web site is trying to DL an infected file.

I do a lot of online research about manufacturing materials from
plastics to ceramics and metals. For example the other day I had to look
up A572. That's all I had to go on. It's a type of steel used in bridges
and buildings. Other examples are TIVAR or WHMW or Kovar. I usually have
someone online waiting for answers, so I don't have a lot of time
to practice safe hex. The malware usually comes from hitting a bad link.

There was a lot of materials research done at East Bloc universities
during the 1980's and 90's and they are frequently good sources for me.
Most of the malware hits that I run into come from web sites in Hungary,
Romania or Russia.

Most of the time NOD32 will pop up a warning asking if I want to block
the site or file. Occasionally a file has been DL to the browser cache
and it asks if I want to quarantine, clean or delete the file.

I run Firefox when I can but I need to use IE with ActiveX and Java
features running to access the info that I need at many sites that I
visit.

Chas.
 
Yes, IMON the internet monitor in NOD32 will inform me that such and
such web site is trying to DL an infected file.

I do a lot of online research about manufacturing materials from
plastics to ceramics and metals. For example the other day I had to look
up A572. That's all I had to go on. It's a type of steel used in bridges
and buildings. Other examples are TIVAR or WHMW or Kovar. I usually have
someone online waiting for answers, so I don't have a lot of time
to practice safe hex. The malware usually comes from hitting a bad link.

There was a lot of materials research done at East Bloc universities
during the 1980's and 90's and they are frequently good sources for me.
Most of the malware hits that I run into come from web sites in Hungary,
Romania or Russia.

Most of the time NOD32 will pop up a warning asking if I want to block
the site or file. Occasionally a file has been DL to the browser cache
and it asks if I want to quarantine, clean or delete the file.

I run Firefox when I can but I need to use IE with ActiveX and Java
features running to access the info that I need at many sites that I
visit.

I want to start a study of malicious web sites and realtime av scanner
reactions. I'd appreciate it if you and anyone else would send me the
urls. My email addy is artsown at epix dot net.

Art
http://home.epix.net/~artnpeg
 
Art said:
I want to start a study of malicious web sites and realtime av scanner
reactions. I'd appreciate it if you and anyone else would send me the
urls. My email addy is artsown at epix dot net.

Art

Hi Art,

I was going to put a little note to you in my message to the effect
that I would send you URL and malware info the next time I run across
some garbage. ;-)

Two ways that I run into these situations are usually due to dead links
that kick over to the malware sites:

A dead link in a valid web site and a dead link in a Google or other
search engine.

Chas.
 
Hi Art,

I was going to put a little note to you in my message to the effect
that I would send you URL and malware info the next time I run across
some garbage. ;-)
Thanks!

Two ways that I run into these situations are usually due to dead links
that kick over to the malware sites:

A dead link in a valid web site and a dead link in a Google or other
search engine.

I suppose I could set IE as a honeypot in order to find some sites. I
haven't been able to find any using FF with no h.d. cache and an old
version of KAV realtime to alert me. As I had mentioned, it might be
that without a h.d. cache and thus nothing to copy to, the old version
of KAV won't alert ... which is ok of course, but it defeats my
search-for-bad-sites work. I'm thinking I might d/l KAV 6 Beta once
again since it monitors the ports. You would think that, as such, it
would "go dingy" on most malicious sites and perhaps make for a
useful search tool for what I want to do.

Art

http://home.epix.net/~artnpeg
 
I suppose I could set IE as a honeypot in order to find some sites. I
haven't been able to find any using FF with no h.d. cache and an old
version of KAV realtime to alert me. As I had mentioned, it might be
that without a h.d. cache and thus nothing to copy to, the old version
of KAV won't alert ... which is ok of course, but it defeats my
search-for-bad-sites work. I'm thinking I might d/l KAV 6 Beta once
again since it monitors the ports. You would think that, as such, it
would "go dingy" on most malicious sites and perhaps make for a
useful search tool for what I want to do.

Art

It's sort of like muskie fishing..... you just need to keep trolling!

If you troll through some porn sites you'll probably find something
pronto! ;-)

Chas.
 
From: "* * Chas" <[email protected]>


| It's sort of like muskie fishing..... you just need to keep trolling!
|
| If you troll through some porn sites you'll probably find something
| pronto! ;-)
|
| Chas.
|

Gee, and I thought they liked spoons and live lined minnows.
 
It's sort of like muskie fishing..... you just need to keep trolling!

If you troll through some porn sites you'll probably find something
pronto! ;-)

Yesterday I tried for several hours using IE6 with "Medium" (default)
setting for Internet Zone, and KAV 6 Beta set as paranoid as possible
as my alerting tool. Tons of porn, cracks, warez, and virii download
sites and nothing!!

I have a few ideas on ways of obtaining blacklisted urls lists which I
plan to follow up on today. I've given up on trying to just troll for
bad sites since it's turning out to be just a big waste of time and
effort.

Art

http://home.epix.net/~artnpeg
 
Art said:
I have a few ideas on ways of obtaining blacklisted urls lists which I
plan to follow up on today. I've given up on trying to just troll for
bad sites since it's turning out to be just a big waste of time and
effort.

My co workers find them with no trouble at all, and they were looking at
the sort of thing normal, polite, good girls look at: baby pictures,
clothes, "My space" type stuff.

You should have heard the IT guy <G>.

In addition, CNET had an article yesterday about people using typo
versions of regular sites for this sort of thing: ...soem_site.com
instead of ...some_site.com as examples.
 
Art said:
Yesterday I tried for several hours using IE6 with "Medium" (default)
setting for Internet Zone, and KAV 6 Beta set as paranoid as possible
as my alerting tool. Tons of porn, cracks, warez, and virii download
sites and nothing!!

I have a few ideas on ways of obtaining blacklisted urls lists which I
plan to follow up on today. I've given up on trying to just troll for
bad sites since it's turning out to be just a big waste of time and
effort.

Art

A 10" to 12" live sucker works great!

Chas.
 
[snip]
Yesterday I tried for several hours using IE6 with "Medium" (default)
setting for Internet Zone, and KAV 6 Beta set as paranoid as possible
as my alerting tool. Tons of porn, cracks, warez, and virii download
sites and nothing!!
I have a few ideas on ways of obtaining blacklisted urls lists which I
plan to follow up on today. I've given up on trying to just troll for
bad sites since it's turning out to be just a big waste of time and
effort.

I ran across an interesting find the other day, using Firefox (with Java and
javascript turned on). My Symantec Corp Edition jumped up and quarantined
what it identified as "IRC.Worm.gen". I have the latest Sun java version.
It was in my FF cache...
www.sciencedaily.com/directory/Computers/Security/Malicious_Software/Viruses/Happy99/
- 47k - *in Google cache*, has link: "All You Need to Know about the
Happy99 Virus - Information and removal procedure for the Happy99 virus.
(Martynas Trimonis)", which has this link: "download this virus" (claiming to
be Happy99). Actual site is:
hxxp://www1.omnitel.net/martynas/virus/e-mail/happy99/

Identified by Symantec as IRC.Worm.gen which they say is a Zoo Worm

-jen
 
jen said:
[snip]
Yesterday I tried for several hours using IE6 with "Medium" (default)
setting for Internet Zone, and KAV 6 Beta set as paranoid as possible
as my alerting tool. Tons of porn, cracks, warez, and virii download
sites and nothing!!
I have a few ideas on ways of obtaining blacklisted urls lists which I
plan to follow up on today. I've given up on trying to just troll for
bad sites since it's turning out to be just a big waste of time and
effort.

I ran across an interesting find the other day, using Firefox (with Java
and javascript turned on). My Symantec Corp Edition jumped up and
quarantined what it identified as "IRC.Worm.gen". I have the latest Sun
java version. It was in my FF cache...
www.sciencedaily.com/directory/Computers/Security/Malicious_Software/Viruses/Happy99/
- 47k - *in Google cache*, has link: "All You Need to Know about the
Happy99 Virus - Information and removal procedure for the Happy99 virus.
(Martynas Trimonis)", which has this link: "download this virus" (claiming
to be Happy99). Actual site is:
hxxp://www1.omnitel.net/martynas/virus/e-mail/happy99/

Identified by Symantec as IRC.Worm.gen which they say is a Zoo Worm

-jen

Here is the Google cache link:
http://72.14.203.104/search?q=cache...9/+&hl=en&gl=us&ct=clnk&cd=1&client=firefox-a
 
I ran across an interesting find the other day, using Firefox (with Java and
javascript turned on). My Symantec Corp Edition jumped up and quarantined
what it identified as "IRC.Worm.gen". I have the latest Sun java version.
It was in my FF cache...

I tried duplicating your result and haven't been able to. Maybe it's a
Java problem. I don't have Java installed. Try retracing your steps
with Java disabled and see what happens.

Art
http://home.epix.net/~artnpeg
 