05-05-2010, 11:49  #1
Area Commander
Join Date: May 2006
Location: Raeford, NC
Posts: 3,374
Phishing Virus Help
At least that's what I think it is...
On occasion when I go to on-line banking or other accounts dealing with "money," when I try to log in a screen comes up asking me for ALL of the acct info. It wants PIN, ACCT NR, CVC, etc. etc.
Since I have some SA I realize there is something wrong and usually can sign in through another portal or link.
I've run every spyware and malware program I have but can't seem to stop this.
Any suggestions?
__________________
D-3129 Life
"If one day you decide to know yourself...you'll have to choose the warrior path...You'll reach the darkness of your spirit.... Then, if you overcome your fears....You will know who you are."
"De Oppresso Liber"
Posted by Snaquebite
05-05-2010, 11:54  #2
Guerrilla
Join Date: Apr 2006
Location: Phoenix, AZ
Posts: 312
Sounds almost like a "Man in the Middle" attack, or DNS poisoning. Check your SSL certificates... make sure they are valid, not expired, and issued by a reputable CA... and that they are the CORRECT certificates for the site you are trying to hit.
Also, try running "netstat -a" from the DOS prompt. That'll show you all your open connections. Look for connections to an unfamiliar IP address, or for listening ports that shouldn't be listening. That can be a big clue for malware on your system.
Last edited by Irishsquid; 05-05-2010 at 11:58.
Posted by Irishsquid
05-05-2010, 12:09  #3
Area Commander
Join Date: May 2006
Location: Raeford, NC
Posts: 3,374
I understand what you are saying about certs, but how do I recognize which ones are bad?
If I remove too many or the wrong ones what's the damage?
__________________
D-3129 Life
"If one day you decide to know yourself...you'll have to choose the warrior path...You'll reach the darkness of your spirit.... Then, if you overcome your fears....You will know who you are."
"De Oppresso Liber"
Posted by Snaquebite
05-05-2010, 13:59  #4
Quiet Professional
Join Date: Apr 2008
Location: 18 yrs upstate NY, 30 yrs South Florida, 20 yrs Conch Republic, now chasing G-Kids in NOVA & UK
Posts: 11,901
Quote:
Originally Posted by Snaquebite
I understand what you are saying about certs, but how do I recognize which ones are bad?
If I remove too many or the wrong ones what's the damage?
As I understand Certs, they are a bit like a cookie. If you clean them up, the next time you go to a site where your system questions the Cert, you can OK the Cert and get the latest level, or block access.
My SIL got me started using FireFox and I added several security add-ons. It now stops at just about every site and wants to block something. Bit of a pain, but I had problems with a virus in a JavaScript, so it's worth the hassle...
BetterPrivacy
Java Console
NoScript
Targeted Advertising Cookie opt-out
SpellBound - no security, but helps
__________________
Go raibh tú leathuair ar Neamh sula mbeadh a fhios ag an diabhal go bhfuil tú marbh
"May you be a half hour in heaven before the devil knows you’re dead"
Posted by JJ_BPK
05-05-2010, 14:16  #5
Area Commander
Join Date: May 2006
Location: Raeford, NC
Posts: 3,374
Cleaned up some certs and things are better. I still have a ton of certs I have no idea what they are... Thinking of cleaning them all out and just re-certing when I need to...
__________________
D-3129 Life
"If one day you decide to know yourself...you'll have to choose the warrior path...You'll reach the darkness of your spirit.... Then, if you overcome your fears....You will know who you are."
"De Oppresso Liber"
Posted by Snaquebite
05-05-2010, 14:25  #6
Asset
Join Date: Mar 2010
Location: FT Bragg, SWA
Posts: 11
Sir,
The scrubbing of certs, followed by re-verifying as needed is probably the best idea.
The Army Information Assurance Network is a great source for everyone with AKO access. This page is frequently updated, and is a great security resource.
https://www.us.army.mil/suite/grouppage/97390
Posted by CommoNCO
05-05-2010, 15:58  #7
Guerrilla Chief
Join Date: Apr 2010
Location: Southern Arizona
Posts: 590
Sir:
Quote:
The scrubbing of certs, followed by re-verifying as needed is probably the best idea.
Good advice
Quote:
My SIL got me started using FireFox and I added several security add-ons.
Firefox is not a bad choice because fewer people use it and it does have some good free plugins. "Fewer," meaning fewer hacks try to subvert it. I mostly use it, but...
Technically Explorer 8 is safer because it uses things like "Address Space Layout Randomization" (ASLR) for things such as the Program Stack and other data. The Stack and other data areas have long been used to exploit Operating Systems and Programs to gain control of a system. Basically, with ASLR your Stack and Data don't end up in the same place in RAM each time it's run and/or change over time, making such an attack very difficult.
Having the program cache (the web browser's) cleared each time you exit the program is a good idea as well. In Explorer it is under the Advanced Settings.
take care and remember to wear protection
bs
__________________
I am not worthy of the cross of Jesus, Andreas
Denial and inactivity prepare people well for roles of victim and corpse
Last edited by badshot; 05-05-2010 at 16:01.
Posted by badshot
05-05-2010, 21:17  #8
Guerrilla
Join Date: Apr 2006
Location: Phoenix, AZ
Posts: 312
When you go to a "secure" site, "www(dot)yourbank(dot)com," you'll notice that instead of http:// you will see https://
If you don't see that, run away.
Second, if you look next to the address bar (in Internet Explorer) or the bottom-right corner of the screen (Firefox) you should see an icon which looks like a lock. If you double-click on it, the certificate information for the current site should come up. It should say: Issued to "www(dot)mybank(dot)com" and issued by "VeriSign" (or some other TRUSTED certificate authority). Also check the certificate revocation/expiration date. If ANYTHING is not on the up-and-up, call your bank, and tell them you think you are the victim of unauthorized electronic intrusion or browser redirection. Their fraud department should then jump in.
Cleaning out your cert cache periodically is never a bad idea.
There are thousands of other things to look for, but these are a good start.
I apologize if I'm being too "techie," but it's my civvie job. I'm an Intrusion Detection Analyst.
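The three certificate checks this post describes (issued to the right host, issued by a trusted CA, not expired or not yet valid), written out as example code that is not from the original post: it runs over a constructed dict in the shape Python's ssl getpeercert() returns. The trusted-issuer list and the "mybank.example" hostname are assumptions, and a real browser additionally validates the full chain against its trust store and checks revocation, which this check does not.

```python
import ssl
import time

# Constructed cert dict in the shape ssl.SSLSocket.getpeercert() returns;
# "mybank.example" is a placeholder, not a real bank.
GOOD_CERT = {
    "subject": ((("commonName", "www.mybank.example"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
    "subjectAltName": (("DNS", "www.mybank.example"), ("DNS", "mybank.example")),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
}

# Assumption: issuers the user accepts (the post says "VeriSign or some other
# TRUSTED certificate authority"); a browser uses its trust store instead.
TRUSTED_ISSUERS = {"VeriSign, Inc."}

def _attr(rdns, key):
    """Collect every value for `key` from a getpeercert()-style RDN tuple."""
    return [v for rdn in rdns for k, v in rdn if k == key]

def check_cert(cert, hostname, now=None):
    """Return a list of problems; an empty list means all three checks passed."""
    now = time.time() if now is None else now
    problems = []
    # 1. Issued to: the hostname must appear in the CN or a DNS SAN entry.
    names = set(_attr(cert.get("subject", ()), "commonName"))
    names.update(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")
    if hostname not in names:
        problems.append(f"issued to {sorted(names)}, not {hostname}")
    # 2. Issued by: the issuer organisation must be one the user trusts.
    issuers = set(_attr(cert.get("issuer", ()), "organizationName"))
    if not issuers & TRUSTED_ISSUERS:
        problems.append(f"issuer {sorted(issuers)} is not a trusted CA")
    # 3. Validity window, compared as UTC epoch seconds.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems

# Evaluate as of the thread date (constructed), not the clock of whoever runs this.
THREAD_TIME = ssl.cert_time_to_seconds("May  5 12:00:00 2010 GMT")
```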
Posted by Irishsquid
05-10-2010, 20:14  #9
Quiet Professional
Join Date: Mar 2006
Posts: 407
Quote:
Originally Posted by Irishsquid
If you double-click on it, the certificate information for the current site should come up. It should say: Issued to "www(dot)mybank(dot)com" and issued by "VeriSign" (or some other TRUSTED certificate authority).
Any idea why all the DOD certificates, issued by "US Government," are always flagged as untrusted and have to be approved manually?
__________________
..-. .. -. .- .-.. .-.. -.-- | .- -. | . -.-. .... --- | .-.-.
Posted by Slantwire
05-10-2010, 20:35  #10
Quiet Professional
Join Date: Jan 2004
Location: Fayetteville NC
Posts: 3,533
Quote:
Originally Posted by Pinhead
Any idea why all the DOD certificates, issued by "US Government," are always flagged as untrusted and have to be approved manually?
Hellooooo, US Government!
Man, sorry, I just could not resist.
Hell, half the time I can't get our mil net to accept other mil net certs. It is a bit weird and I too would like to know.
__________________
Hold Hard guys
Rick B.
Knowledge is knowing a tomato is a fruit.
Wisdom is knowing it is great on a hamburger but not so great sticking one up your ass.
Author - Richard.
Experience is what you get right after you need it.
Author unknown.
Posted by longrange1947
05-10-2010, 21:28  #11
Guerrilla
Join Date: Apr 2006
Location: Phoenix, AZ
Posts: 312
It's just Microsoft being stupid...
Quote:
Originally Posted by Pinhead
Any idea why all the DOD certificates, issued by "US Government," are always flagged as untrusted and have to be approved manually?
DOD is not a trusted Certifying Authority, except to the DOD. Microsoft doesn't recognize them. Firefox has the ability to permanently store exceptions, so it'll stop asking you every single time... but IE has no such capability.
Basically, as many Windows machines as the military runs, the VAST majority of Windows boxes are in civilian hands... the government networks are completely unused by most civilians, so MS has just never bothered "recognizing" DOD as a trusted CA.
Your only recourse is to mount an aggressive letter-writing campaign to MS, asking them to certify DOD as a trusted CA, and I wouldn't hold your breath on that.
Posted by Irishsquid
05-11-2010, 11:30  #12
Guerrilla
Join Date: Mar 2006
Location: Currently based in the US
Posts: 414
The Obama administration does not furnish certificates.
__________________
The Govt is not my Mommy, The Govt is not my Daddy. I am My Govt.
Posted by plato
05-11-2010, 11:49  #13
Quiet Professional
Join Date: Feb 2004
Location: Clarksville, TN
Posts: 1,164
Quote:
The Obama administration does not furnish certificates.
Best zinger of the day ... thanks!
Posted by CSB
05-25-2010, 14:10  #14
Area Commander
Join Date: May 2006
Location: Raeford, NC
Posts: 3,374
Problem Resolved
After switching anti-virus programs and trying to install it (Webroot), I found that I had an MBR virus. The virus that was removed is known as an MBR (Master Boot Record) infection. Seems to be a Java exploit.
JavaDl-v
Clsldr-X
Took 5 hours with an on-line tech but I'm finally clean.
__________________
D-3129 Life
"If one day you decide to know yourself...you'll have to choose the warrior path...You'll reach the darkness of your spirit.... Then, if you overcome your fears....You will know who you are."
"De Oppresso Liber"
Posted by Snaquebite
05-25-2010, 16:05  #15
Asset
Join Date: Mar 2010
Location: FT Bragg, SWA
Posts: 11
Snaquebite - I've been reading that this is something that is happening with .pdf files as well... Were you using Java 6?
Posted by CommoNCO