turetzsr Posted February 17, 2004

Hi, Wazoo!

> Issue with file names. Microsoft, in the effort not to confuse the user, defaults Windows Explorer to NOT show file extensions (and even further, actually hide a lot of files from being seen). So this leads to a problem when the user even takes the time to look at the file name before giving it the "do it" click ... example:
> user sees: lookatthis.txt
> real file name: lookatthis.txt .com ... *GASP*

That explains why so many otherwise computer-savvy people get caught by virii sent to them via e-mail. It hadn't occurred to me that anyone could find that default option of use! ...Thanks!
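The padded-name trick quoted above, turned into a check a mail gateway or a cautious user could run before clicking. This is an added example, not code from anyone in this thread, and the two extension lists in it are constructed for the illustration. It reports what Explorer would show with extensions hidden, what Windows would actually execute, and whether a decoy extension and a run of whitespace sit in between.

```python
import re
from typing import List, Tuple

# Constructed lists for this example; neither is exhaustive.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "wsf", "hta"}
DECOY_EXTENSIONS = {"txt", "doc", "pdf", "jpg", "jpeg", "gif", "png", "htm", "html", "zip"}


def split_name(name: str) -> Tuple[str, str]:
    """Split a filename into (what Explorer shows with extensions hidden, real extension).

    Windows drops trailing spaces and dots from a filename, so they are stripped
    before the last '.' is located; the real extension is whatever follows that
    last dot, however much padding sits in front of it.
    """
    name = name.rstrip(" .")
    if "." not in name:
        return name, ""
    stem, ext = name.rsplit(".", 1)
    return stem, ext.lower()


def analyse_attachment_name(name: str) -> List[str]:
    """Return human-readable findings for one attachment name (empty if nothing is odd)."""
    displayed, real_ext = split_name(name)
    findings: List[str] = []
    if real_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"real extension '.{real_ext}' is executable")
        # A decoy extension sitting just before the padding, as in 'lookatthis.txt     .com'
        decoy = re.search(r"\.([A-Za-z0-9]{1,5})\s*$", displayed)
        if decoy and decoy.group(1).lower() in DECOY_EXTENSIONS:
            findings.append(
                f"with extensions hidden the name reads '{displayed.rstrip()}'; "
                f"the '.{decoy.group(1)}' is a decoy in front of the real '.{real_ext}'"
            )
        if re.search(r"\s{2,}", displayed):
            findings.append("a run of whitespace pushes the real extension out of view")
    return findings


if __name__ == "__main__":
    # Constructed sample attachment names
    for sample in ("report.pdf", "setup.exe", "lookatthis.txt" + " " * 40 + ".com"):
        print(repr(sample), "->", analyse_attachment_name(sample) or "nothing unusual")
```

A plain `setup.exe` gets only the first finding, which is the honest case; the padded name gets all three, and the second finding is exactly the string a user with hidden extensions would have seen.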
Wazoo Posted February 17, 2004

Hey, thank you turetzsr! .... I was beginning to wonder there if I was doing the right thing by continuing on (and on and on .. <g>)

The quote helped also .. I wasn't thinking about the "white space" being dropped when I typed that example in ... glad the "quote" you did picked it up and displayed it as I had intended it to appear.

No idea how far back it goes, but my "standards" have always been .. if you think you need to send me an attachment, there better be something really exciting in the included text that lets me know just why "you" think it's exciting, and even then, don't have your heart set on me actually "handling" it.
Bri (Author) Posted February 17, 2004

> You'll still get to the web-site, but at that web-site, in the logs of who's been here, there's going to be an entry that says "you" came to this page, your computer's IP Address was [insert your IP here], and it's going to have that "tracking code" (whatever was after the "?" in the above link example)

This quote is what catches my eye first. I am truly doubting I was set up for a marketeering scam for my own reasons but I will concede the point to make it simple.

Shortly after I accessed the http (and the link after, a link which did not exist 24 hours later) I had an odd IE message concerning an error in....forgive me, I would have to search for the exact error, I have seen a copy on norton of the error message but I am going to go from memory for the moment..... an error in IRC and required me to restart my computer....sigh....which I did. The computer was only a couple weeks old and had no firewall (I know! I know! but it is way too late to beat on me, it was 5 months ago). I had NEVER! downloaded an attachment on the computer and the hard drive was destroyed within a week of the access of the HTTP and website.

Now this could be coincidence, but I sure have seen a whole lot of coincidences the last few months. I am going to add your mention of the rippling lake and snow that you mentioned to my list of coincidences; no, I have never seen those in an email but I have seen them in my travels.

Can a virus/worm be placed on a computer other than through a downloaded file in email?
Wazoo Posted February 17, 2004

In contrast to my last post ..... yes
WB8TYW Posted February 17, 2004

> The computer was only a couple weeks old and had no firewall (I know! I know! but it is way too late to beat on me, it was 5 months ago).

I am glad that you have learned that. Without a firewall, a Microsoft operating system is vulnerable to many exploits on a live internet connection.

There used to be two live sites on the internet that would acquire your login username and password if your system was not properly protected, which would give it access to your hard drive. As an added feature, it would attempt to decrypt the password, even though decryption was not needed for the application to have full access to the computer. And all you had to do was visit a web site. It was amazing how many people logged into the site with Administrator on vulnerable machines.

These sites were supposedly white hat demonstrations, and there were no reports of any malware taking advantage of this exploit. The only known defense against this exploit is to have a firewall. But this was at least 8 years before the winpop-up spam, or the blaster worm, both of which are blocked by a firewall.

> problem being that all those spaces moved the real file extension off the screen, so the user thinking that it's only a "text" file and "knows" that this means it's not a virus, goes on ahead and "opens" it up to read the expected words. Some dirty dogs are even nice to actually have their executable ".com" file really put some text up on the screen .. but the real work is going on in the background ...

It is actually worse than that, especially if you do not have the current security patches. Microsoft uses two methods to decide how to open a file. The first method is to look at the extension, and then the application is launched. After the application is launched, it will sometimes ask Windows to launch an applet to do the actual open. This open uses the first few bytes of the file instead of the extension.

So the trick was to put an executable in a multimedia file, and since a multimedia file was supposed to be harmless, that application was opened, but since it was not sure which multimedia format was actually used, it calls Windows to open it. Windows discovers that it really is a script or an executable, and runs it. This was fixed in the current security patches, and I am not aware of any real exploits.

> Can a virus/worm be placed on a computer other than through a downloaded file in email?

Yes. If you are using a Microsoft based operating system connected to the internet without a firewall it is possible. If you have file sharing enabled, it is more likely. A Texas ISP was virtually shut down by a worm that was spreading through the file sharing protocol that Microsoft uses, until that ISP blocked that type of file sharing. This was about 5 years ago. Any ISP or Network that is leaving the Microsoft file sharing ports open has not learned from the mishaps of others.

But it is not a Microsoft specific issue. No LAN (Local Area Network) protocols should ever be allowed to reach the public Internet regardless of the platform. The difference with Microsoft is that for most of their operating systems, an add-on firewall is needed to shut them off from the network port.

A downloaded file from a web site, or a newsgroup can contain a worm. The people investigating one of the recent worms said that it was originally downloaded hidden in a porn picture, and then a later unknown program (presumably another virus) extracted it and executed it.

A virus scanner can only detect known viruses, and is not a substitute for practicing safe computing. It can take over 8 hours for a virus scanner to learn to detect a new virus.

-John
Personal Opinion Only
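John's two methods, the extension the shell uses and the first bytes the opening applet uses, can disagree, and a defender can compare them before anything is opened. This is an added example, not code from the thread; the magic-byte table and the extension families below are constructed and deliberately short.

```python
import os
from typing import Optional

# Constructed table of leading bytes ("magic numbers") for a few common types; not exhaustive.
# The html entries are matched case-insensitively, the rest exactly.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),        # DOS/Windows executable header
    (b"<html", "html"),
    (b"<script", "html"),  # a script body dressed up as a document
]

# Extensions that legitimately carry each sniffed type.
FAMILY = {
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
    "gif": {"gif"},
    "pdf": {"pdf"},
    "zip": {"zip"},
    "exe": {"exe", "dll", "scr"},
    "html": {"htm", "html"},
}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify content from its first bytes, the way the second-stage applet does."""
    head = data[:16]
    for magic, kind in MAGIC:
        candidate = head.lower() if kind == "html" else head
        if candidate.startswith(magic):
            return kind
    return None


def declared_extension(filename: str) -> str:
    """Extension the shell uses to pick an application, with trailing padding removed."""
    return os.path.splitext(filename.rstrip(" ."))[1].lstrip(".").lower()


def check_declared_type(filename: str, data: bytes) -> str:
    """Compare what the name promises with what the bytes say."""
    ext = declared_extension(filename)
    sniffed = sniff_type(data)
    if sniffed is None:
        return "unknown content"
    if ext in FAMILY[sniffed]:
        return "match"
    return f"mismatch: named .{ext} but content starts like {sniffed}"


if __name__ == "__main__":
    # Constructed sample files: name -> first bytes
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8,
        "holiday2.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,
        "readme.txt": b"Nothing to see here\n",
        "clip.mpg": b"<HTML><body>not a movie</body></html>",
    }
    for name, head in samples.items():
        print(f"{name:14} {check_declared_type(name, head)}")
```

"unknown content" is a deliberate third answer: a plain text file has no magic number, and the check should say so rather than call it safe or unsafe.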
Wazoo Posted February 17, 2004

> I am glad that you have learned that. Without a firewall, a Microsoft operating system is vulnerable to many exploits on a live internet connection.

Sorry, but in all fairness, any operating system exposed to the outside world 'can' be vulnerable.

> There used to be two live sites on the internet that would acquire your login username and password if your system was not properly protected, which would give it access to your hard drive.

I also recall a number of sites that gave the appearance of accessing your hard drive, but it was only a URL that pointed to drive, basically calling up a "dir" command and offering "proof" that they could then go on and manipulate the contents ... wasn't true, but it sure scared ton loads of folks ...

> As an added feature, it would attempt to decrypt the password, even though decryption was not needed for the application to have full access to the computer. And all you had to do is visit a web site.

Seems odd ... why "decrypt" a password you said had already been asked for on the web page?

> It was amazing how many people logged into the site with Administrator on vulnerable machines.

why? so few users even know that there are different types of accounts on their systems to begin with ... heck even those choice developers don't seem to know that one can set systems up with different levels of users/capabilities ....

> These sites were supposedly white hat demonstrations, and there were no reports of any malware taking advantage of this exploit. The only known defense against this exploit is to have a firewall.

Though obviously talking different exploits, those that I recall weren't exploits at all, just a simple HTTP:// string. So a firewall wouldn't be involved if the user / system already had web access.

> But this was at least 8 years before the winpop-up spam, or the blaster worm, both of which are blocked by a firewall.

Ouch ... only if the firewall is configured to block it ... just one of those little details ....

> problem being that all those spaces moved the real file extension off the screen, so the user thinking that it's only a "text" file and "knows" that this means it's not a virus, goes on ahead and "opens" it up to read the expected words. Some dirty dogs are even nice to actually have their executable ".com" file really put some text up on the screen .. but the real work is going on in the background ...
> It is actually worse than that, especially if you do not have the current security patches. Microsoft uses two methods to decide how to open a file.

Yes, but I didn't want to go too heavy into my answer (especially after having spent so much time on my previous post to answer the last of her questions <g>). I was thinking of going ahead and defining the word "Ports" and "Services", but again, didn't want to throw that much at her all at once.

> Can a virus/worm be placed on a computer other than through a downloaded file in email?
> Yes. If you are using a Microsoft based operating system connected to the internet without a firewall it is possible. If you have file sharing enabled, it is more likely.

and again, firewalls weren't developed just for Windows .. see your next quote <g>

> But it is not a Microsoft specific issue. No LAN (Local Area Network) protocols should ever be allowed to reach the public Internet regardless of the platform. The difference with Microsoft is that for most of their operating systems, an add-on firewall is needed to shut them off from the network port.

In defense of Microsoft (and this isn't necessarily a normal stance for me <g>) their environment concept was (maybe still is?) that the OS would either be used on a stand-alone basis or in a work environment that had "professionals" at work to keep the network secured. Thus the issue of securing the desktop wasn't all that high on the list.

Maybe you're not old enough, but I can recall Gates believing that the "day of the Internet" was years off, then hearing about this Andreson fellow getting rich off of same dang thing called Netscape ... thus began the crash development (and free distribution) of a thing called Internet Explorer <g> It's only been a bit after the release of XP (just a time-frame reference) that actually building security in has been a focus point, and even that is one of those items where the court decisions about their monolithic behaviour has them at a stumbling block as to how far to go ....
Bri (Author) Posted February 19, 2004

Thanks so much for the info, I have found many things useful in the posts you all have kindly sent. I am not very good at forums and have finally realized I have probably been posting in the wrong spot, very nice of you all to bear with me. I also have no clue on how to quote more than one thing at a time so I will have to paste what is relevant, I promise I have been searching for a topic somewhere on this!

<<I also recall a number of sites that gave the appearance of accessing your hard drive, but it was only a URL that pointed to drive, basically calling up a "dir" command and offering "proof" that they could then go on and manipulate the contents ... wasn't true, but it sure scared ton loads of folks ...>>

I have only noticed 1 very odd message on any of my computers in nearly 7 years and it happened last fall.

<<why? so few users even know that there are different types of accounts on their systems to begin with ... heck even those choice developers don't seem to know that one can set systems up with different levels of users/capabilities ....>>

I fixed this problem last night, had absolutely no clue and thank you.....

<<Ouch ... only if the firewall is configured to block it ... just one of those little details ....>>

What is the proper configuration please?

<<It is actually worse than that, especially if you do not have the current security patches. Microsoft uses two methods to decide how to open a file.>>

I have always kept my software up to date, I wish more people knew this one myself.

<<I was thinking of going ahead and defining the word "Ports" and "Services", but again, didn't want to throw that much at>>

I have a decent grounding on this subject but ALL lectures are welcomed, please assume I know nothing and start from there, tis very helpful in the long run

<<Maybe you're not old enough, but I can recall Gates believing that the "day of the Internet" was years off, then hearing about this Andreson fellow getting rich off of same dang thing called Netscape ... thus began the crash development (and free distribution) of a thing called Internet Explorer>>

I am old enough to remember also

From what I have read so far I am still at my original conclusions on what I think happened but I am still unclear on one point. Can a Jpg be sent with a "hidden" attachment (assuming the Jpeg is sent as an attached Jpg file opened in Yahoo not using OE)? I have always thought no, but having already learned things can be rewritten so I am no longer sure and have been unable to find the answer so far.

and what does <g> mean
WB8TYW Posted February 19, 2004

> I am glad that you have learned that. Without a firewall, a Microsoft operating system is vulnerable to many exploits on a live internet connection.
> Sorry, but in all fairness, any operating system exposed to the outside world 'can' be vulnerable.

Yes. However all but the recent Microsoft operating systems do not have the ability to block the vulnerable ports without either a software or hardware firewall added on. And I did point out that it was mainly an issue of keeping LAN network data separate from the Internet. And that is elementary networking 101. But when the ISPs finally blocked the LANMAN ports to slow down the blaster worm, it was surprising how many people were cut off from their company mail server because their company's network was not secure.

> There used to be two live sites on the internet that would acquire your login username and password if your system was not properly protected, which would give it access to your hard drive.
> I also recall a number of sites that gave the appearance of accessing your hard drive, but it was only a URL that pointed to drive, basically calling up a "dir" command and offering "proof" that they could then go on and manipulate the contents ... wasn't true, but it sure scared ton loads of folks ...

Not the same thing. In this exploit, access to the vulnerable system's hard drive was possible, but not done as part of the exploit. Without going into too much detail, the demonstration site would request the user's logged in name and password silently, and when a Microsoft system has the LANMAN ports open to the Internet, it would give them to the site. At which point, that site could if it wanted to access the system's hard drive.

> As an added feature, it would attempt to decrypt the password, even though decryption was not needed for the application to have full access to the computer. And all you had to do is visit a web site.
> Seems odd ... why "decrypt" a password you said had already been asked for on the web page?

The password had not been manually entered in by the user at the web page, the user's computer was giving it out to everyone that asked for it. If the web site was able to decode the password, it displayed the first few characters back to the user. Many users use the same password for everything, so while decrypting the password is not needed for the attacking site to access the hard drive, it could allow someone access to other things.

> In defense of Microsoft (and this isn't necessarily a normal stance for me <g>) their environment concept was (maybe still is?) that the OS would either be used on a stand-alone basis or in a work environment that had "professionals" at work to keep the network secured.

Most likely, and the early dialup internet access did not give an application full access to all internet capabilities. Those did not get added until later.

> Though obviously talking different exploits, those that I recall weren't exploits at all, just a simple HTTP:// string. So a firewall wouldn't be involved if the user / system already had web access.

I only saw this web site information published IIRC by "The Register". The explanation of the demonstrated exploit was written in an overview using technical terms that a programmer would understand, but did not give out any code. Someone wanting to duplicate it would actually have to have more skill than a script kiddie. At the time the first site was live, there were few residential broadband connections, so the actual use was minimal. There really was not much content that a computer newbie could use other than to see their password displayed. At the time, the only systems that had "Administrator" accounts were Windows NT 3.51.

The www.grc.com tests will expose the same vulnerabilities, and provide a better explanation. GRC.COM does not explain all the possible exploits though.

At the time, also most networks were expensive, and usually were put in by someone who knew to block the LAN data from the internet, so the site faded into obscurity. A live mirror was put up, but that also was taken down.

-John
Personal Opinion Only
WB8TYW Posted February 19, 2004

> I also have no clue on how to quote more than one thing at a time so I will have to paste what is relevant

There are two ways of doing it, quoting the entire previous post is automated by clicking on a quote button before you click on REPLY. After you start the reply, you can click on the QUOTE button, paste in the text, and click on the quote button again. And then you can also just type in the text that the buttons add to your reply window. One of the annoyances of this editor is that it always puts the inserted tags at the bottom of the window, and not at your cursor position. And then it seems to scroll the window back up, so that it may look like your click did not work.

> Ouch ... only if the firewall is configured to block it ... just one of those little details ....
> What is the proper configuration please?

For most users, you can go to http://www.grc.com and run their Shields Up test, and afterwards it will tell you if it found any ports open that should not be. Note that your ISP may be blocking some of the ports that GRC is testing, and this may result in your system appearing more secure than it is. GRC cannot tell if your ISP is blocking the ports to internal users or just external users, or if you are blocking the ports. I have no experience with GRC.COM's products and have no opinion on them.

The default configuration of every hardware firewall that I have seen is also set up. I use a hardware firewall to isolate my internal LAN from the Internet.

> From what I have read so far I am still at my original conclusions on what I think happened but I am still unclear on one point. Can a Jpg be sent with a "hidden" attachment

Not as an attachment, but hidden content can be present. The people dissecting one of the current worms think that it was hidden in a porn picture for its original spread. But just downloading the picture did not cause it to be activated. They know that something else needed to extract and activate it, but the last time I looked, they had not determined what. They suspect that the virus was sent in two parts this way, with a second yet unidentified program that extracted and activated the worm.

> and what does <g> mean

Usually a grin.

-John
Personal Opinion Only
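John's point that hidden content can ride along inside a picture without being an "attachment", as an added example that is not code from the thread: a walker over the JPEG marker structure that reports how many bytes follow the End-Of-Image marker. Appending data after the image is the crudest way of stuffing something into a picture and the one a scanner can measure directly; the sample image below is constructed, not a real photo, and the routine says nothing about data hidden in the pixel values themselves.

```python
RST_MARKERS = set(range(0xD0, 0xD8))       # RSTn markers, legal inside entropy-coded data
STANDALONE_MARKERS = RST_MARKERS | {0x01}  # markers that carry no length field

# Constructed payload; it contains an FF D9 pair to show why a plain search is not enough
SAMPLE_TRAILER = b"MZ\x90\x00 constructed fake payload \xff\xd9 tail"


def jpeg_trailing_bytes(data: bytes) -> int:
    """Return how many bytes follow the End-Of-Image marker (0 for a clean file).

    The marker segments are walked instead of searching for FF D9, because
    appended data may itself contain those two bytes.
    """
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        # Any number of 0xFF fill bytes may precede a marker
        while pos + 1 < len(data) and data[pos] == 0xFF and data[pos + 1] == 0xFF:
            pos += 1
        if pos + 2 > len(data):
            break
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                     # EOI: everything after it is extra
            return len(data) - (pos + 2)
        if marker in STANDALONE_MARKERS:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                     # SOS: entropy-coded scan data follows
            # Inside the scan, 0xFF is always followed by 0x00 (byte stuffing) or an
            # RSTn marker, so the first 0xFF followed by anything else is a real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in RST_MARKERS:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")


def describe_image(data: bytes) -> str:
    """One-line verdict suitable for a mail gateway log."""
    try:
        extra = jpeg_trailing_bytes(data)
    except ValueError as exc:
        return str(exc)
    return "clean JPEG" if extra == 0 else f"{extra} bytes appended after EOI"


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Construct a structurally valid (not viewable) JPEG skeleton, optionally with data appended."""
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # includes a stuffed FF 00 and an RST0 marker
    eoi = b"\xff\xd9"
    return soi + app0 + sos + scan + eoi + trailer


if __name__ == "__main__":
    print("clean   :", describe_image(build_sample_jpeg()))
    print("tainted :", describe_image(build_sample_jpeg(SAMPLE_TRAILER)))
    print("not jpeg:", describe_image(b"MZ\x90\x00"))
```

A few trailing bytes are common in files written by careless tools, so a gateway would normally log the count and quarantine only above a threshold; a trailer that begins with an executable header is the case worth a closer look.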
Wazoo Posted February 19, 2004

> Thanks so much for the info, I have found many things useful in the posts you all have kindly sent. I am not very good at forums and have finally realized I have probably been posting in the wrong spot, very nice of you all to bear with me. I also have no clue on how to quote more than one thing at a time so I will have to paste what is relevant, I promise I have been searching for a topic somewhere on this!

If you look closely, this whole Forum thing is new to a lot of folks, and as the ins and outs of each of them are different, learning this one is also a shared effort <g>

> I have only noticed 1 very odd message on any of my computers in nearly 7 years and it happened last fall.

I wish I could say something similar, but I get them all the time ..

(different account types ....) ...

> I fixed this problem last night, had absolutely no clue and thank you.....

Thank you for letting "us" know that all this extra stuff getting thrown at you has been a good thing <g>

> <<Ouch ... only if the firewall is configured to block it ... just one of those little details ....>> What is the proper configuration please?

That's the easy one to dance around <g> Simply put, you'd want no internal stuff to get out, no external stuff to get in, other than what you want / need to make the transition .... nothing to it <g>

> <<I was thinking of going ahead and defining the word "Ports" and "Services", but again, didn't want to throw that much at>> I have a decent grounding on this subject but ALL lectures are welcomed, please assume I know nothing and start from there, tis very helpful in the long run

This is where the firewall and system configuration comes together. In dealing with the "net" there are over 65 thousand ports on your system to play with. Some have evolved into "standards", others have "suggested" uses, and others are still "free" .... to make a port useful, there must be some kind of service running that will notice a specific kind of traffic happening there that it should be interested in. Example, a computer running a web page server would have this application / service monitoring Port 80, looking for traffic that looked like a web browser request for a data transfer of the data on that web page. The same web browser request coming on Port 119 would normally be ignored, as Port 119 does not have a web server "service" running to answer the call. On the flip side, some foolish person could intentionally set up a system that would answer an HTTP request at that port on that computer .... but only people in the know could get to it, as they would have to intentionally set their systems up to make that non-standard outgoing connection.

Then we run into issues like the current version of MSN/Windows Messenger. To take full advantage of all the "features" of this application, one must open up dang near the full range of ports to the outside world. Funnily enough, this was done to "solve" the firewall issues, they say.

Now you've got dumb firewalls, so you can only open and close ports ... and now you've got "smart" firewalls (maybe I should start adding in routers at this point ... dang it) that not only can you open and close specific ports, but you can also define exactly what kind of traffic they will allow. For example, if you want to lock down your e-mail app, then you'd only allow outgoing e-mail type traffic to port 25, incoming to port 110 ("standards" for POP and SMTP) ... not allowing your e-mail app to play games with port 80 stops the traffic that allows the embedded HTTP links to go out and download pictures ....

> From what I have read so far I am still at my original conclusions on what I think happened but I am still unclear on one point. Can a Jpg be sent with a "hidden" attachment (assuming the Jpeg is sent as an attached Jpg file opened in Yahoo not using OE)? I have always thought no, but having already learned things can be rewritten so I am no longer sure and have been unable to find the answer so far.

As asked, the answer is no. A Jpg doesn't have the capability to have yet another file "attached" .. but that's not to say that it couldn't have something embedded into it. Certain types of encryption techniques are (allegedly) used to do just this, hide the "good" stuff within a picture, for instance ... but it takes yet another specialized app to install and extract the "good" stuff. From your end of it, the worst thing you'd normally notice is when stuffing the "good" stuff into the picture, something bad happens and you end up with what looks like a corrupted file.

> and what does <g> mean

an ancient shorthand mode of showing that I'm "grinning" when I wrote that ... I date back a bit .. computers that only had switches and lights on the front panel, running a BBS on an Apple II clone with a 300 baud modem ... you know, the good old days <g>
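The "smart" firewall policy Wazoo describes, one allow rule per application plus the LAN sharing ports John wants kept off the Internet, as an added example that is not code from the thread. The rule set, the log format and the log lines are all constructed for the illustration; the check just runs the policy over the sample and lists what an administrator would be asked to look at.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One allow rule of an application-aware ("smart") firewall policy."""
    direction: str            # "out" or "in"
    app: str                  # process name the rule applies to, "*" for any
    ports: FrozenSet[int]     # destination ports permitted


# Constructed policy: each application gets only the ports it needs; everything else is denied.
ALLOW_RULES = [
    Rule("out", "outlook.exe", frozenset({25, 110})),   # SMTP to send, POP3 to fetch
    Rule("out", "iexplore.exe", frozenset({80, 443})),  # the browser may talk HTTP/HTTPS
]

# LAN file-and-printer-sharing ports; traffic to these from the public Internet is never legitimate.
LAN_ONLY_PORTS = {135, 137, 138, 139, 445}

# Made-up log format for the example
LOG_RE = re.compile(
    r"(?P<dir>IN|OUT) app=(?P<app>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)"
)

# Constructed connection-log lines
SAMPLE_LOG = [
    "2004-02-19 10:01:02 OUT app=outlook.exe src=192.168.1.10 dst=mail.example.net dport=110",
    "2004-02-19 10:01:05 OUT app=outlook.exe src=192.168.1.10 dst=mail.example.net dport=25",
    "2004-02-19 10:01:09 OUT app=outlook.exe src=192.168.1.10 dst=203.0.113.44 dport=80",
    "2004-02-19 10:02:11 OUT app=iexplore.exe src=192.168.1.10 dst=www.example.com dport=443",
    "2004-02-19 10:03:30 IN app=system src=198.51.100.7 dst=192.168.1.10 dport=445",
    "2004-02-19 10:04:00 IN app=system src=198.51.100.9 dst=192.168.1.10 dport=3389",
]


def evaluate(line: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one log line under the policy above."""
    m = LOG_RE.search(line)
    if not m:
        return "unparsed", line
    direction, app, port = m["dir"].lower(), m["app"], int(m["port"])
    if direction == "in" and port in LAN_ONLY_PORTS:
        return "deny", f"LAN sharing port {port} reached from {m['src']}"
    for rule in ALLOW_RULES:
        if rule.direction == direction and rule.app in (app, "*") and port in rule.ports:
            return "allow", f"{app} {direction} to port {port} permitted"
    return "deny", f"{app} {direction} to port {port} is not in the policy"


def violations(lines: List[str]) -> List[str]:
    """Reasons for every denied line, the list an administrator would review."""
    return [reason for verdict, reason in map(evaluate, lines) if verdict == "deny"]


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        verdict, reason = evaluate(entry)
        print(f"{verdict:5}  {reason}")
```

The third log line is the case from the post: the mail client reaching for port 80 to fetch a remote picture is denied not because port 80 is closed (the browser may use it) but because that application has no business there. A "dumb" port-only firewall cannot express that distinction.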
ob1db Posted February 23, 2004

> OK, had you had "HTML allowed" set in your Yahoo preferences, (no guarantee here, but please play along with me <g>), instead of all the scripting you posted, you would have seen the "pretty picture" or "important text" that the script would have normally accomplished. Now to be honest, the spammer probably made the assumption that you'd have actually "opened up the e-mail within Outlook or Outlook Express on "your" computer, assuming that your configurations let these scripts run wild. That you are actually "reading" this e-mail on the Yahoo server via a web browser with the already mentioned security settings (as I'm doubting that Yahoo would even attempt to run a java script file, but this just confuses the issue right now) messes up the spammer's plan. So Yahoo showed you the "text" portion of the spam, but also gave you the indicators that there was a file attachment. <snip> whew! hope there's something in here you can use <g>

Ya know, you can be really brilliant when you post like this. Bravo!
This topic is now archived and is closed to further replies.