Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Any Advice Trojan.BHO
From: binarynomad at gmail.com (Brian H)
Date: Fri, 24 Apr 2009 18:03:41 -0700

Also, if they are willing to deal with the added maintenance and cost,  
you can opt to install Sandboxie (http://www.sandboxie.com/) to help  
reduce the attack surface from both FF and IE exploits.

----
Brian

On Apr 24, 2009, at 12:54 PM, Mad Marv wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IF they are serious and are willing to put up with the  
inconvenience, I
recommend installing the NoScript and Flashblock Firefox extensions.
These should prevent any drive by malware installations.  NoScript  
also
has some XSS prevention too.  The downside is that web browsing starts
to break down when scripts are blocked across the board.  The user can
approve scripts one by one, or white list scripts from entire domains.
But training NoScript to do so is a chore.

On the plus side, blocking scripts makes browsing super fast.  And  
those
annoying flash banner ads never bother you.

Oh, and setup OpenDNS too.  Create a profile and block parked  
domains in
addition to the default phishing / adware blacklists.  I've been
noticing that some parked domains should be classified as phish but  
are
not.  And, nobody will really miss a parked domain.  Use DNS-o-matic  
to
register and auto-update your client's IP address w/ OpenDNS.

Marv

Shaun Curry wrote:
Hello again everyone:

I have a client that recent was hacked.  We learned of this when an
email notification was sent from the bank stating that a "bill pay"  
had
been sent, but the client didn't setup any bill pay.  The money has  
been
refunded and the bank is contacting the FBI to prosecute.  I have
learned that they were infected by trojan.bho which as I understand  
is a
browser helper object that looks for SSL traffic and then keylogs  
user
names and passwords.  Once an SSL session is detected a ping is  
sent to
the attacker alerting them that SSL is being used and the somehow it
sends the keylogger info via ICMP. We have removed the BHO and they  
have
reset all passwords.

I am curious if there is anything else I can do to prevent this  
attack
from happening again?  I installed and instructed the user to use
Firefox and not IE and updated all windows updates along with the
antivirus.  They are using Symantec Corporate Edition v. 10.  Is  
there a
better antivirus to use?  They have a PIX for a firewall....  and  
thats
about all I can think of right now...

Any ideas?

thanx
-Shaun


------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ8hjekOgHKNOb0dERAnWSAJ9CEqdCtBZfJezxVOARhnhH8n76FACgjx/q
oEXVH1Uvuc7gvqCKVdmQBKE=
=PwGo
-----END PGP SIGNATURE-----
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]