AV detection of malware during real-time web browsing (cache, Java, etc.)?

Thread starter: Virus Guy
Chas said:
A 10" to 12" live sucker works great!

I dunno. I think a 3 - 5# salmon on a shark hook is a bit better.
That'll bring up a nice, small halibut, say 100# or so. Good eating.
 
Offbreed said:
I dunno. I think a 3 - 5# salmon on a shark hook is a bit better.
That'll bring up a nice, small halibut, say 100# or so. Good eating.

A friend was fishing for salmon and halibut up in Alaska. He hooked into
a monster that took an hour and half to reel in. When he got it up to
the boat he discovered that he had hooked a 100 Lb. octopus!

About 40 years ago I discovered a pair of 3 foot muskies in a small
brook trout stream in Northern Pennsylvania. They were laying in a 30
foot long hole about 15 foot wide and 3 foot deep. The water was crystal
clear and they were silver green colored with reddish brown tails.
Someone told me they were eating well on brook trout.

I came back with a heavy duty casting rod. I caught a 6" brookie with a
fly rod in another hole. I rigged the brookie with a big hook on the
casting rod so that it could swim around and left the rod wedged in a
small tree (highly illegal).

I came back about an hour later. My rod was out in the middle of the
hole and the brookie was cleaned off. Later I heard that someone else
cleaned the muskies out with a 30-30.

Chas.
 
Art said:
Yesterday I tried for several hours using IE6 with "Medium" (default)
setting for Internet Zone, and KAV 6 Beta set as paranoid as possible
as my alerting tool. Tons of porn, cracks, warez, and virii download
sites and nothing!!

I have a few ideas on ways of obtaining blacklisted urls lists which I
plan to follow up on today. I've given up on trying to just troll for
bad sites since it's turning out to be just a big waste of time and
effort.

Art

Art, here's an example of a bad dead link. The original web URL is:

http://www.wilderssecurity.com/showthread.php?t=93155

The link is for SoftwareDiner.com

http://www.softwarediner.com/

It takes you to:

http://luckyluxorcasino.com/

Chas.
 
Art, here's an example of a bad dead link. The original web URL is:

http://www.wilderssecurity.com/showthread.php?t=93155

The link is for SoftwareDiner.com

http://www.softwarediner.com/

It takes you to:

http://luckyluxorcasino.com/

And what? No dingys there for me. Did NOD32 alert? Does it still
alert?

Thanks to Dave Lipman who sent me a couple of lists of possibilities,
I managed to snare a couple of real baddies. They are both porn sites,
and they both attempt various IE exploits. What's rather interesting
in these two cases is:

1. IE must be set to Medium (default) security or lower in order for
KAV 6 to alert. If IE is set to Maximum security, KAV 6 doesn't alert.
2. KAV 6 doesn't alert when using Firefox or Opera (latest versions)
with javascript enabled (I don't have Java installed).
3. Trying again this morning, the situation with both urls is
different. In one case, an apparently legit and harmless page has
been substituted. In the other case, the porn and porn links are
there but apparently not the exploit code. No alerts at all. So these
clowns are obviously trying to be clever and tricky.

#3 probably explains (partially) why I only found two baddies out of
maybe twenty or thirty on Dave's lists. The site owners make sure
the exploits aren't always there. In other cases, there seems to be
some sort of blocking in effect somewhere along the line. I just see
a Fedora Core Test Page. I don't know what's going on in those cases,
but there are a large number of them and I can't get through to any
alleged bad sites.

Anyway, the inconsistencies make it very difficult to do any kind of
study. Now you see it, now you don't. I had originally thought that
I might test the effectiveness of various realtime scanners using a
goat machine since it would likely get infested with malware whenever
a scanner failed to do its job. But the damn targets have to stay in
place long enough to run the tests. And I would need quite a number
of stable targets to make the test worthwhile and significant. Doesn't
look like this is going to happen.

Art
http://home.epix.net/~artnpeg
 
Art said:
I managed to snare a couple of real baddies.

In those examples, do the following provide any degree of protection
for an otherwise vulnerable IE configuration?

- current MVPS hosts file
- SpyBot S&D
- AdAware
- Spyware Blaster
Trying again this morning, the situation with both urls is
different.

Maybe they use cookies to feed you different content? Did you clear
your cookies? Do you allow them? (maybe you have to).

Maybe based on your IP address?
 
Art said:
I tried duplicating your result and haven't been able to. Maybe it's a
Java problem. I don't have Java installed. Try retracing your steps
with Java disabled and see what happens.

Went back, and with java and javascript enabled or disabled, did not get the
"IRC.Worm.gen" warning now... However, clicking on the "download this
virus" link, Symantec quarantines what it calls "Happy99" which has the name
"41wntrwr.exe" in my quarantine folder. The "IRC.Worm.gen" has the name
"6DAE1AADd01". I delete cookies after every session on the web. Also,
Firefox has been updated from 1.5.0.1 to 1.5.0.2 since my initial visit there
 
Chas said:
A friend was fishing for salmon and halibut up in Alaska. He hooked into
a monster that took an hour and half to reel in. When he got it up to
the boat he discovered that he had hooked a 100 Lb. octopus!

I came back with a heavy duty casting rod. I caught a 6" brookie with a
fly rod in another hole. I rigged the brookie with a big hook on the
casting rod so that it could swim around and left the rod wedged in a
small tree (highly illegal).

I came back about an hour later. My rod was out in the middle of the
hole and the brookie was cleaned off. Later I heard that someone else
cleaned the muskies out with a 30-30.

The most aggravation I ever had was this one alligator that kept taking
my bait whenever I fished this one gravel pit in Fla. That pit had the
biggest bluegill I ever saw, so I did not want to concede the field.
 
In those examples, do the following provide any degree of protection
for an otherwise vulnerable IE configuration?

- current MVPS hosts file

Looks like it. I just checked and the two urls are both included.
- SpyBot S&D
- AdAware
- Spyware Blaster

Didn't know AdAware has a realtime module. I hadn't planned to
include non-av scanners. Without having a large # of bad sites
it looks like I won't be trying too much more with this, as I said.
Maybe they use cookies to feed you different content? Did you clear
your cookies? Do you allow them? (maybe you have to).

Very good point. However, I was able to repeatedly go back to the
sites and get the same results without clearing cookies when I was
checking yesterday.

Oddly though, now that you brought it up, I cleared IE cookies,
history, and cache ... and went back to the two urls. One was
still benign as it was earlier this morning but the other was again
hotter than a pistol. Very peculiar and seemingly unpredictable
behaviour.

Art


http://home.epix.net/~artnpeg
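A hosts file only helps when the hostname in the URL is listed exactly: a redirect chain like the one Chas posted (softwarediner.com landing on luckyluxorcasino.com) is stopped only if every hop is present, and a page that pulls its payload by IP address is never matched at all. The following is an added example, not code from anyone in this thread or from the MVPS project; the hosts entries and URLs in it are constructed samples. It parses a hosts file the way the resolver reads it and reports, for a list of URLs, which ones such a blocklist would actually stop:

```python
"""Check which URLs a hosts-file blocklist would actually stop.

Added example for this thread, not code from any poster or from the MVPS
project. The hosts-file text and the URLs below are constructed samples.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the usual hosts-file layout (address, hostname,
# optional '#' comment). The real MVPS list is much longer.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS hosts file
127.0.0.1 localhost
0.0.0.0 ads.tracker-sample.test
0.0.0.0 www.badsite-sample.test   # exploit page (constructed sample)
0.0.0.0 casino.redirect-sample.test
"""


def parse_hosts(text):
    """Return the set of hostnames the file sinkholes to 0.0.0.0 or 127.0.0.1.

    The loopback entry for localhost itself is not a block rule, so it is
    skipped. Hostnames are normalised to lower case without a trailing dot,
    which is how the resolver compares them.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in ("localhost", "localhost.localdomain"):
                blocked.add(name)
    return blocked


def classify(url, blocked):
    """Say how a hosts file treats one URL.

    'blocked'     - hostname is listed, so it resolves to the sinkhole
    'ip-literal'  - URL addresses the server by IP; hosts files never match these
    'not-listed'  - hostname absent (a hosts file has no wildcards, so
                    'badsite-sample.test' is not covered by the 'www.' entry)
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    if host is None:
        return "not-listed"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    return "blocked" if host.lower().rstrip(".") in blocked else "not-listed"


def coverage_report(urls, blocked):
    """Map each URL to its classification. When a page redirects through
    several hosts, every hop must come back 'blocked' for the chain to stop."""
    return {u: classify(u, blocked) for u in urls}


if __name__ == "__main__":
    rules = parse_hosts(SAMPLE_HOSTS)
    sample_urls = [
        "http://www.badsite-sample.test/index.html",
        "http://badsite-sample.test/",
        "http://casino.redirect-sample.test/",
        "http://192.0.2.10/landing.html",
    ]
    for url, verdict in coverage_report(sample_urls, rules).items():
        print(f"{verdict:10s} {url}")
```

The two gaps the report makes visible, the bare domain without "www." and the IP-literal URL, are exactly where a hosts file gives no protection and a realtime scanner or a script blocker has to take over.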
 
Art said:
And what? No dingys there for me. Did NOD32 alert? Does it still
alert?

Thanks to Dave Lipman who sent me a couple of lists of possibilities,
I managed to snare a couple of real baddies. They are both porn sites,
and they both attempt various IE exploits. What's rather interesting
in these two cases is:

1. IE must be set to Medium (default) security or lower in order for
KAV 6 to alert. If IE is set to Maximum security, KAV 6 doesn't alert.
2. KAV 6 doesn't alert when using Firefox or Opera (latest versions)
with javascript enabled (I don't have Java installed).
3. Trying again this morning, the situation with both urls is
different. In one case, an apparently legit and harmless page has
been substituted. In the other case, the porn and porn links are
there but apparently not the exploit code. No alerts at all. So these
clowns are obviously trying to be clever and tricky.

#3 probably explains (partially) why I only found two baddies out of
maybe twenty or thirty on Dave's lists. The site owners make sure
the exploits aren't always there. In other cases, there seems to be
some sort of blocking in effect somewhere along the line. I just see
a Fedora Core Test Page. I don't know what's going on in those cases,
but there are a large number of them and I can't get through to any
alleged bad sites.

Anyway, the inconsistencies make it very difficult to do any kind of
study. Now you see it, now you don't. I had originally thought that
I might test the effectiveness of various realtime scanners using a
goat machine since it would likely get infested with malware whenever
a scanner failed to do its job. But the damn targets have to stay in
place long enough to run the tests. And I would need quite a number
of stable targets to make the test worthwhile and significant. Doesn't
look like this is going to happen.

Art

It seemed like the site was trying to DL a tool bar???

I didn't get any warning from NOD32 but I also run an old popup blocker
AdSubtract 2.55. I use it to stop ads, popups and unders. It's probably
not the best but it lets me easily clean out selected cookies and IE
temp files and it will block some trash.

Chas.
 