PDA

View Full Version : Phishing Virus Help


Snaquebite
05-05-2010, 13:49
At least that's what I think it is..

On occasion when I go to on-line banking or other accounts dealing with "money" when I try to log in a screen comes up asking me for ALL if the acct info. It wants PIN, ACCT NR, CVC, etc etc.

Since I have some SA I realize there is something wrong and usually can sign in through another portal or link.

I've run every spyware and mlware program I have but can't seem to stop this.

Any suggestons?

Irishsquid
05-05-2010, 13:54
Sounds almost like a "Man in the Middle," attack, or DNS poisoning. Check your SSL certificates...make sure they are valid, not expired, and issued by a reputable CA...and that they are the CORRECT certificates for the site you are trying to hit.

Also, try running a "netstat -a," from the DOS prompt. That'll show you all your open connections. Look for connections to an unfamiliar IP address, or for listening ports that shouldn't be listening. That can be a big clue for malware on your system.

Snaquebite
05-05-2010, 14:09
I understand what you are saying about certs, but how do recognize which ones are bad?
If I remove too many or the wrong ones what's the damage?

JJ_BPK
05-05-2010, 15:59
I understand what you are saying about certs, but how do recognize which ones are bad?
If I remove too many or the wrong ones what's the damage?

As I understand Certs, they are a bit like a cookie, If you clean them up. the next time you go to a site that your system questions the Cert, You can OK the Cert and get the latest level, or block access.

My SIL got me started using FireFox and I added several security add-ons. It now stops at just about every site and wants to block something. Bit of a pain, but I had problems with a virus in a java script,, it's worth the hassle..

BetterPrivacy
Java COnsole
NoScript
Targeted Advertising Cookie opt-out
SpellBound - no security, but helps

Snaquebite
05-05-2010, 16:16
Cleaned up some certs and things are better. I still have a ton of certs I have no idea what they are...Thinking of cleaning them all out and jusr re-cert when I need to.......

CommoNCO
05-05-2010, 16:25
Sir,

The scrubbing of certs, followed by re-verifying as needed is probably the best idea.

The Army Information Assurance Network is a great source for everyone with AKO access. This page is frequently updated, and is a great security resource.

https://www.us.army.mil/suite/grouppage/97390

badshot
05-05-2010, 17:58
Sir:

The scrubbing of certs, followed by re-verifying as needed is probably the best idea

Good advice


My SIL got me started using FireFox and I added several security add-ons.

Firefox is not a bad choice because fewer people use it and it does have some good free plugins. "Fewer", meaning fewer hacks try to subvert it. I mostly use it, but...

Technically Explorer 8 is safer because it uses things like "Address Space Layout Randomization" (ASLR) for things such as the Program Stack and other data. The Stack and other data areas have long been used to exploit Operating Systems and Programs to gain control of a system. Basically with ASLR your Stack and Data don't end up in the same place in RAM each time its run and/or changes over time, making such an attack very difficult.

Having the program Cache (web browser's) cleared each time you exit the program is a good idea as well. In Explorer it is under the Advanced Settings.

take care and remember to wear protection ;)

bs

Irishsquid
05-05-2010, 23:17
When you go to a "secure," site, "www(dot)yourbank(dot)com," you'll notice instead of http:// you will see https://

If you don't see that, run away.

Second, if you look next to the address bar (in internet explorer) or the bottom-right corner of the screen (firefox) you should see an icon which looks like a lock. If you double-click on it, the certificate information for the current site should come up. It should say: Issued to "www(dot)mybank(dot)com" and issued by "verisign," (or some other TRUSTED certificate authority. Also check the certificate revocation/expiration date. If ANYTHING is not on the up-and-up, call your bank, and tell them you think you are the victim of unauthorized electronic intrusion or browser redirection. Their fraud department should then jump in.

Cleaning out your cert cache periodically is never a bad idea.
There are thousands of other things to look for, but these are a good start.


I apologize if I'm being too "techie," but it's my civvie job. I'm an Intrusion Detection Analyst.

Slantwire
05-10-2010, 22:14
If you double-click on it, the certificate information for the current site should come up. It should say: Issued to "www(dot)mybank(dot)com" and issued by "verisign," (or some other TRUSTED certificate authority.

Any idea why all the DOD certificates, issued by "US Government," are always flagged as untrusted and have to be approved manually?

longrange1947
05-10-2010, 22:35
Any idea why all the DOD certificates, issued by "US Government," are always flagged as untrusted and have to be approved manually?

Hellooooo, US Government!


Man, sorry, I just could not resist.

Hell, half the time I can't get our mil net to accept other mil net certs. It is a bit weird and I too would like to know. :munchin

Irishsquid
05-10-2010, 23:28
Any idea why all the DOD certificates, issued by "US Government," are always flagged as untrusted and have to be approved manually?

DOD is not a trusted Certifying authority, except to the DOD. Microsoft doesn't recognize them. Firefox has the ability to permanently store exceptions, so it'll stop asking you every single time...but IE ha no such capability.

Basically, as many windows machines as the military runs, the VAST majority of windows boxes are in civilian hands...the government networks are completely unused by most civilians, so MS has just never bothered "recognizing," DOD as a trusted CA.

Your only recourse is to mount an aggressive letter-writing campaign to MS, asking them to certify DOD as a trusted CA, and I wouldn't hold your breath on that.

plato
05-11-2010, 13:30
The Obama administration does not furnish certificates. :D

CSB
05-11-2010, 13:49
The Obama administration does not furnish certificates.

Best zinger of the day ... thanks!

Snaquebite
05-25-2010, 16:10
After switching anti-virus programs and trying to install it (Webroot) found that I had an MBR virus. The virus that was removed is known as an MBR (Master Boot Record) infection. Seems to be a Java exploit.

JavaDl-v
Clsldr-X

Took 5 hours with an on-line tech but I'm finally clean.

CommoNCO
05-25-2010, 18:05
Snaquebite - I've been reading that this is something that is happening with .pdf files as well....Were you using Java 6?

dr. mabuse
05-25-2010, 19:00
*

Irishsquid
05-25-2010, 20:45
Nevermind.

Snaquebite
05-25-2010, 21:02
Snaquebite - I've been reading that this is something that is happening with .pdf files as well....Were you using Java 6?

Yes

Irishsquid
05-26-2010, 00:00
The PDF file problem is probably part of a massive "spear-phishing," campaign. Unfortunately, it has hit .mil networks pretty hard.

Snaquebite
05-26-2010, 00:04
Apparently they sneeked in through Java and or Flash

Irishsquid
05-26-2010, 00:45
Flash can be a big vulnerability. When you install flash, you probably also install a P2P application called Octoshape, which makes your computer act as a P2P server for streaming video, and reducing bandwidth use on servers. That much is seemingly harmless...but it can be used for some pretty nefarious purposes.

dmgedgoods
06-12-2010, 17:24
Java certification and PDF vulnerabilities are hard hitting, regardless of your browser. I have done testing on several systems using certain social engineering tactics, and have successfully compromised some of the most secure networks I have ever come across. The best fix for this is good old fashioned situational awareness. As was previously mentioned, periodically check your certifications, and make sure they are properly signed. There are several browser exploits that can put you back in the same place you were at, so migrating to something like Firefox or Chrome is not a bad idea either. Regardless of how omnipotent Microsoft may appear, they are the largest target for all sorts of system exploitations, and in many cases they make it too easy.
If you need more help understanding the threats, or preventing further problems, please feel free to PM me.

Over
06-13-2010, 21:02
Any idea why all the DOD certificates, issued by "US Government," are always flagged as untrusted and have to be approved manually?

For those of you who are having problems with the DoD Certificates, you can download them from DISA at http://dodpki.c3pki.chamb.disa.mil/rootca.html.

Once you download them (4 files currently), you'll need to double click on the file. Certmgr will load. Expand the folder on the left side of certmgr until you are in the "certificates" folder. On the right side, you will see the various certificates which are part of this file. Right click on the certificate, click open, then click "Install Certificate". Repeat for each of the other certs and remaining files.

This will stop 99% of your DoD certificate trust issues.