orufet 10-16-2001, 08:21 PM Scary? Oh yeah. What if you're surfin the net, go to a site that seems innocent....For the moment, let's say it looks like a VB help site. But, behind your back, it searches your computer for a trojan. If it finds one, it notifies the webmaster. Wow, would you ever be in trouble that you didn't know about. Well, if they wanted to, MS could do this....And they (almost) do.
(Wow, I can sure make an innocent site sound horrible, can't I?)
I have MSN Messenger (although I hate it, I use it), so I decided to try an experiment. I was going to keep it closed all day. But, I noticed it kept opening itself. Then I noticed it opened itself as soon as I go to http://lc2.law5.hotmail.passport.com/cgi-bin/login. I was fiddling with this, and I realized that if there is a MSN cookie on my hard drive, MSN Messenger will be shelled. If there's no cookie, nothing happens.
Now, my question. Without uninstalling Messenger, without disabling Active Scripting in IE, without using Netscape, is there a way to prevent this? (And no, there are no options like this in MSN Messenger.)
Volte 10-17-2001, 08:13 PM Well, you can probably get software to filter out certain cookies, so that it would never get added in the first place... ZoneAlarm may be what you are looking for?
I also have MSN Instant Messenger, and if I keep the program open, but stay signed off, it doesn't seem to connect by itself.
orufet 10-17-2001, 09:12 PM I've got Zone Alarm, but it doesn't seem to help.....Thanks for the reply, though
Keltus 10-18-2001, 08:04 PM I don't think that this is THAT bad. You have a program installed and it could just as easily look to see if you're on a certain site. If you are, it opens itself. It's not really shelling a program from a website since you already have the program running. Maybe I'm wrong, but it's my two cents :)
orufet 10-18-2001, 08:23 PM Sorry if I wasn't clear....This happens even if I'm only running Explorer, SysTray, and IE. MSN Messenger still opens. I don't mind a whole lot, I just want to know how to stop it, if possible. If not, no big deal, I'll just uninstall MSN Messenger.... ;)
ChiefRedBull 10-19-2001, 05:25 AM I'm not sure - but in IE6 you can choose to block cookies. That might do it.
I'm intrigued - when you say it pops up - is it in the systray to start with, or completely unloaded?
Chief
orufet 10-19-2001, 11:19 AM Completely unloaded. I'm not sure if you can recreate the problem or not, but here's what to do (if you have MSN Messenger).
1.) If Messenger is open, close it.
2.) Go to hotmail.com and sign in.
3.) Watch your systray.
Robby 10-20-2001, 10:51 PM Scary Stuff.
Yup, same thing happens with me, except that my MSN appears in the sys tray but does not log on. Probably my settings. I guess that you already know that the same thing happens with Outlook Express if you check your http accounts with it.
I think that with enough effort anyone can run any script to invade your PC as you surf the web, even sites that seem like harmless HTML.
ChiefRedBull 10-21-2001, 05:50 AM Yeh - I found a WELL scary site a few days back. It would read your hard drive, display the contents of a given file in a textbox, which of course could then be automatically emailed off to the webmaster, or whoever else wanted a copy.
This was all done via some DHTML scripting object.
Eeek.
Chief
Keltus 10-21-2001, 03:36 PM I thought that you couldn't get infected by just surfing the web. Is this out of date information now? Or does it ask for a prompt first?
Robby 10-21-2001, 10:16 PM It depends on your settings in Internet Options and the amount of security you have on your system. But the more you secure, the more you are prompted or some pages will not be available to you. So it's pretty much a balancing act.
orufet 10-21-2001, 10:52 PM Ok, I discovered what it was. I changed my security settings and discovered that there was an ActiveX control accessing my hard drive. I've now asked it to prompt me. :) I'm much happier now, thanks!
ChiefRedBull 10-22-2001, 05:31 AM It appears to be a balancing act - but the new code red could infect you just by you viewing the infected server's pages (or so I heard...)
However, I did read somewhere else that you can have stuff uploaded merely by viewing a page, and it WON'T prompt you. Surfing is becoming more and more dangerous, and the need for high security settings and a decent firewall is more evident.
Not that I'm trying to scare anyone..... heh heh ;)
Chief
KesleyK 10-22-2001, 01:52 PM Same with P. Nimda, which would infect server and thus those that viewed pages hosted off that server.
Keltus 10-22-2001, 02:25 PM Well, I've heard of the ones where it works through ActiveX, which is set to 'prompt' by default, so I'm not too worried about that, but I don't believe in the other stuff unless someone can point me to a reliable site that says so.
orufet 10-22-2001, 02:30 PM In reply to:
"When infecting, it appends .ASP, .HTM, and .HTML documents, and files named INDEX, MAIN, and DEFAULT, with javascript code which contains instructions to open a new browser window containing the infectious email message itself (taken from the dropped file README.EML). Thus when this infected web page is accessed (locally or remotely) the machine viewing the page is infected. In other words, simply visiting a web site that is compromised can infect your computer. WinNT/2K systems cannot be infected by accessing an infected .ASP, .HTM, or .HTML document."
Taken from: http://vil.mcafee.com/dispVirus.asp?virus_k=99209&
Happy?
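A defender-side check for the page modification described in the quoted advisory, as an added example that is not part of the original thread: it flags web documents containing a script that opens a .eml file in a new window, and marks whether that script sits after the page's closing </html> tag. The function names, the regular expressions and the sample file contents are assumptions constructed for illustration.

```python
import re

# File types and base names the quoted advisory says get modified.
WEB_EXTENSIONS = (".asp", ".htm", ".html")
WEB_STEMS = ("index", "main", "default")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
EML_OPEN_RE = re.compile(r"window\.open\s*\(\s*[\"']([^\"']+\.eml)[\"']", re.I)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.I)


def is_target(path):
    """True for documents of the kinds listed in the advisory."""
    name = path.lower().rsplit("/", 1)[-1]
    return name.endswith(WEB_EXTENSIONS) or name.split(".", 1)[0] in WEB_STEMS


def find_eml_openers(text):
    """Return (offset, eml_name, appended) for each script opening a .eml file.

    appended is True when the script starts after the first closing </html>
    tag, i.e. it was tacked onto the end of an already complete page.
    """
    close = HTML_CLOSE_RE.search(text)
    hits = []
    for script in SCRIPT_RE.finditer(text):
        opener = EML_OPEN_RE.search(script.group(1))
        if opener:
            appended = close is not None and script.start() >= close.end()
            hits.append((script.start(), opener.group(1), appended))
    return hits


def scan_files(files):
    """files maps path -> content; returns {path: hits} for flagged documents."""
    report = {}
    for path, content in files.items():
        hits = find_eml_openers(content) if is_target(path) else []
        if hits:
            report[path] = hits
    return report


# Constructed sample content for illustration, not taken from a real infection.
SAMPLE_FILES = {
    "wwwroot/index.html": "<html><body>Welcome</body></html>\n"
    '<html><script language="JavaScript">window.open("readme.eml")</script></html>',
    "wwwroot/about.htm": "<html><body>About us</body></html>",
    "wwwroot/notes.txt": "<script>window.open('readme.eml')</script>",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
```
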
KesleyK 10-22-2001, 02:31 PM This (http://www.ida.net) site infected MANY of their clients. Though they've probably reinstated the site content, for about 2 weeks they had a strictly text version telling people why they had taken that server off-line.
Here (http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A) is information on one Nimda variant...
In reply to:
"The worm uses the Microsoft IE MIME Header Attachment Execution Vulnerability to drop emails. For an explanation and to download the patch please visit Microsoft's Web site.
The worm also uses the Microsoft Web Server Folder Traversal vulnerability. An explanation and patch is available at Microsoft's Web site."
This is only one of the variants, check out the others for more information.
KesleyK 10-22-2001, 02:33 PM btw -- using that same vulnerability, one of the other variants doesn't require you to open an e-mail attachment (when using IE-based e-mail) to be infected by the attachment.
ChiefRedBull 10-23-2001, 09:34 AM Micro$oft really need to sort out their security......
Chief
Banjo 10-23-2001, 09:44 AM So what's new. I don't think they've ever released a secure product.
KesleyK 10-23-2001, 10:33 AM No, and it's really amazing the comments their security "experts" make when a concerned user makes an attempt at pointing out possible vulnerabilities. I've read several articles of this type of scenario, it's really sad.
burningodzilla 10-24-2001, 02:13 PM now this is the type of "hacking/hackish" discussion that should be encouraged....not to mention discussions of these specific exploits (perhaps in a less public area?).
solution to M$ security problems? LINUX ;)
KesleyK 10-24-2001, 02:44 PM Fortunately, by the time the exploits have been publicised enough for most network administrators to worry about it, there is a fix. At least MS is decent at reactively fixing problems once they recognize them, although I would much rather them proactively do so.