Text 14071, 84 rader
Skriven 2010-03-23 08:35:00 av WAYNE CHIRNSIDE (1:123/140)
     Kommentar till en text av MAURICE KINAL
Ärende: Re: do do do dou-dit
============================
-=> MAURICE KINAL wrote to WAYNE CHIRNSIDE <=-

 MK> Hey Wayne!

 > See my post to Tom Walker.

 MK> Read it just before replying to this.  For the record I was referring
 MK> to others around this neck of the woods who could prove it but don't
 MK> for whatever reason.

 > Oh and yeah, I got hit again

 MK> Yeah.  I witnessed something simular here except it was the neighbour's
 MK> eeepc and seamonkey.  He managed to kill it before it got anywhere.
 MK> Beats me what it could have done but he didn't seem too thrilled to let
 MK> it try.

 MK> Personally I don't like nor use GUI browsers so none of this really
 MK> matters to me but I still can't understand how a user based browser
 MK> could do any system damage.  I can see it stealing passwords and the
 MK> such might be storing in their browser caches but even that I am not
 MK> positive of since it has never happened given I don't ever do such
 MK> things in the first place.

 MK> If I even get an errorcode from a server it is usually something along
 MK> the line of them recommending a browser upgrade which will result in
 MK> better access to the system.  Yeah right.  Don't hold your breath.  :-)

 > I couldn't even drop to the command line to kill process nor
 > would it close now matter what I did.

 MK> A 'killall firefox' in an xterm should have worked.  

This was one smart malware, linux aware, f-prot aware and  would NOT allow
itself to be killed
as when done when you invoked the browser again back up it came.

Gotta love that javascript :-(

 MK> Are you allowing
 MK> firefox to use up the entire monitor real estate?  You shouldn't allow
 MK> anything to do a true fullscreen display as that can get in the way of
 MK> accessing anything else that potentially could save some grief.

That's the one thing it did allow, minimizing or reducing the screen.

 > Found out today it HAD caused some damage to my system

 MK> That sounds odd.  What damage?

Well not only was this site Linux aware but it also was aware of F-prot's
fpscan not allowing it to run to completion
but rather freezing the system along about 1/3rd of the way through its run.

Lots of referances to logging in  in /var just before fpscan froze.

Chkrootkit ran to completion without detecting anything but f-prot never made
the whole run.

In the end I ran dd if=/dev/zero of=/dev/hda.

That vaporized it along with everything else.

Pesky little bugger and not quite so easily dismissed as the moderator of Cyber
Danger reported to Jean Parrot.

I gave it some access through it's supposed I.Q. test, guess I flunked, as I've
seen these buggers before and they usually 
wind up being an ad for cellular phone contracts.

Not so this time, pure malicious malware of the worst sort.

In answer to the original question I'm not sure the exent of the damage but it
did corrupt files and being as I do 
online banking I elected not to follow the advice of the esteemed moderator of
Cyber Danger to Jean of "don't worry."

It was linked IIRC to a regular news site either domestic or overseas.

Could have been www.msnbc.msn.com or The Guardian in England or any of a number
of news sites I routinely visit.
 
--- MultiMail/Linux v0.49
 * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)