Free Republic
Browse · Search
News/Activism
Topics · Post Article


Question about Trojan Horse Worms (e.g. latest virus threat) and FreeRepublic URLs
08-13-2003 | brianbaldwin

Posted on 08/13/2003 7:31:34 AM PDT by Brian_Baldwin

I have a question about Free Republic's URLs, in relation to the various measures we are all using to protect our workstations/PCs/servers from Trojan horse/worm/virus threats. As you know, another major problem related to W32.Blaster.Worm happened across the US and Asia yesterday, and there are variations of this Trojan horse worm which write fake keys (e.g. "windows auto update") to the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" (*the RUN folder is key; this is where they put the stuff as a gateway to building a series of drop files which use mIRC-type tools to script access and place fake system files in non-standard folders such as the Fonts folder, files such as msblast.exe, lsass.exe, and an explorer.exe that isn't the actual one but a renamed expl32.exe IRC hacker tool, all of which start firing when you start the computer via RUN). We are all being very careful protecting our computer assets; I believe in part this is a terrorist threat, but I have a technical question in this regard:

I noticed something interesting while using the following configuration on one of my computers -

I have my BlackICE firewall software set to "PARANOID" for highest protection.
I have my Norton AntiVirus Realtime Protection enabled.
If I go to the URL "http://freerepublic.com", there are no problems, no errors, including my cookie logon to my ID so I am in "logged on" mode on Free Republic.
If I go to the URL "http://www.freerepublic.com", a File Download warning pops up: "Some files can harm your computer. If you do not trust the source, do not open or save this file, CANCEL. File name: freerepublic, File type: (this is blank), From: www.freerepublic.com, (OPEN) (SAVE) (CANCEL)" ... what is interesting is, if I open it, I can see via a Notepad session that it is simply the HTML of the Free Republic site. I assumed this had something to do with dropping the logon cookie to the site, but if I delete my cookie and thus have to re-logon and get it, and use the http://freerepublic.com URL, this warning doesn't happen and I am able to pass a logon ID and password to get the cookie as normal with no problem.

Thus, I do not believe this is a cookie issue in regards to the firewall. It is only an issue using www.freerepublic.com versus freerepublic.com.

Any insight on this? The behavior of incoming URL access to Free Republic differs depending on whether you use the "www" prefix or not on the network portion of the URL. This is not only a question about the browser client side (e.g. those visiting Free Republic), but also a question about the server side of Free Republic and whether there is some issue with the URL that a hateful hacker/leftist/Islamic extremist could exploit. Just F.Y.I. ... Everyone has to be very careful these days.

By the way, the whole Trojan horse thing is becoming very serious: the mIRC-type tools they are now dropping and using, such as expl32, enable them to do all kinds of things, and it is getting to the point where they can actually remote desktop to your host and watch every mouse/keyboard action you make on the computer. No, I am not joking about this; the IRC-type exploits, which are already dangerous, are becoming very sophisticated with new remote control tools and drop files. Cookie technology may not be enough protection for Free Republic. This stuff (Trojan horse crap) is in part coming from Red China; they are playing with it and spooking our machines all over the USA.


TOPICS: Miscellaneous; Technical; Your Opinion/Questions
KEYWORDS: blackice; firewall; nortonantivirus; trojanhorse

1 posted on 08/13/2003 7:31:34 AM PDT by Brian_Baldwin
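Post 1 describes Blaster's persistence mechanism: a value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that names a bare msblast.exe, plus decoy copies of system binaries dropped into folders like Fonts. The script below is an added example (not from the post or from Free Republic) of checking an exported Run key for exactly those patterns. The registry text is a constructed sample in `reg export` format; the "windows auto update" = msblast.exe value is the one Blaster wrote, the other values are made up, and the trusted-directory and decoy-name lists are assumptions to be adjusted per machine.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the format written by
#   reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
# The "windows auto update" -> msblast.exe entry is the autorun value the
# original Blaster worm wrote; the other values are made up for illustration.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"NvCplDaemon"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"windows auto update"="msblast.exe"
"explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"
"lsass"="C:\\WINDOWS\\Fonts\\lsass.exe"
'''

# Directories an autorun is normally allowed to live in (assumption; extend per host).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
# Names of real system binaries that droppers reuse for decoy copies (assumption).
DECOY_NAMES = {"explorer.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}
# Binary dropped by Blaster, as named in the post above.
KNOWN_BAD = {"msblast.exe"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_run_key(reg_text):
    """Return {value_name: command} for the first [key] block of a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            if in_key:
                break            # a second key block: stop after the first one
            in_key = True
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            # .reg escapes backslashes and quotes as \\ and \"
            values[m["name"]] = re.sub(r"\\(.)", r"\1", m["data"])
    return values


def executable_of(command):
    """Extract the program from a Run value the way CreateProcess does: a quoted
    path is taken verbatim; otherwise tokens are joined until one ends in .exe,
    so an unquoted path containing spaces is not cut at the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    parts = command.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(".exe"):
            return candidate
    return parts[0]


def classify(command):
    """Return the list of reasons an autorun entry looks suspicious ([] if none)."""
    path = PureWindowsPath(executable_of(command))
    base = path.name.lower()
    reasons = []
    if base in KNOWN_BAD:
        reasons.append(f"{base} is a known worm binary")
    if path.parent == PureWindowsPath("."):
        # Bare filename: Windows resolves it through the search path, which is
        # exactly how Blaster registered its dropped msblast.exe.
        reasons.append("no directory given, resolved through the search path")
    else:
        trusted = any(str(path).lower().startswith(d) for d in TRUSTED_DIRS)
        if not trusted:
            reasons.append(f"runs from non-standard folder {path.parent}")
            if base in DECOY_NAMES:
                reasons.append(f"system-file name {base} outside its normal location")
    return reasons


def audit(reg_text):
    """Map each suspicious Run value name to its list of reasons."""
    flagged = {}
    for name, cmd in parse_run_key(reg_text).items():
        reasons = classify(cmd)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_REG_EXPORT).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

Run it against a real export with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (the file is UTF-16; open it with `encoding="utf-16"` before passing the text in). The same check applies to the HKCU Run key and the RunOnce keys, which worms use for the same purpose.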

To: Brian_Baldwin
In the early summer (May-August) 2001, there were several email viruses circulating. One did not even require the user to open an executable file; one simply had to open and read the email and it planted a worm on the computer. (I got 2 different PC viruses that summer.)

I agree that the rash of PC viruses is probably terroristic in nature. They seem to be more prevalent just before major attacks somewhere in the world.

It only makes sense. If the terrorists are using physical means -- bombs, suicide bombers, etc. -- why would they not also use the internet to create additional havoc? One of their goals is to disrupt commerce/economies.

2 posted on 08/13/2003 7:47:56 AM PDT by TomGuy

To: Brian_Baldwin
Heck, I'm just trying to beat back gators....
3 posted on 08/13/2003 7:48:33 AM PDT by anniegetyourgun

To: Brian_Baldwin
Black Ice is probably not the best firewall. http://grc.com/ says it puts out false alarms, and recommends the free version of ZoneAlarm.
4 posted on 08/13/2003 7:53:37 AM PDT by js1138

To: Brian_Baldwin
Never had this issue. I use Norton Antivirus, Norton Firewall, Black Ice, and Zone Alarm (all set on highest security).

For some annoying reason though, none of these seem to block ActiveX controls properly, so you have to tell IE to do that yourself. I'm sure there are clever hackers that can get around even the best firewalls...
5 posted on 08/13/2003 7:54:03 AM PDT by Ex-Dem (Sic Semper Tyrannis)

To: Brian_Baldwin
It almost sounds like the firewall is altering the http headers and confusing your browser's mime type detection, making IE think that the content is not html. Try a different firewall package, as someone else recommended, or try a different browser temporarily, and see what happens.
6 posted on 08/13/2003 8:10:30 AM PDT by dwollmann

To: TomGuy
Did you have your e-mail program set to view graphics or html in the window pane?
7 posted on 08/13/2003 8:31:55 AM PDT by libravoter (Live from the People's Republic of Cambridge)

To: TomGuy
Microsoft, like many other IT companies, is using sweatshops in Asia and India to write the source code and add DLLs and API functions to the software, including interaction with the registry and more. For example, in the case of IBM, another biggie like Microsoft, basically all of the guts of DB2 v8 for Windows is written by sweatshop coders in India, and the interface for the authors consists of six different languages besides English, such as South Indian Dravidian-based languages/scripts.

When you rely on such foreign experts in Third World countries to write (and effectively manage) the guts of your code, they are also the best experts on how to exploit it.

They embed hidden code, one source calling another compiled and hidden source, which hardwires not only **job security** but anything, including purposeful fail points that can be triggered by passing an argument such as a ?arg from a URL that hits the application.

They live in Third World countries, for example in Hyderabad, India, in companies which, as everyone in India at least knows, have links to corruption or links to Muslim groups; low paid, they will also sell or even give away technology, code, and source for major operating systems and applications to others, especially to Communist China.

As US and UK corporations use offshore outsourcing to India and elsewhere, the "staff" of such offshore outsourcing is constantly changing; there is no accountability, and such "staff" build "fail points" into the code which they can trigger and then recover and say "see, here is the fix", or worse. They refer to these as "tala" (lock), and they are seen as long-term ways to force an argument or event by using embedded elements of the code to create a human response. It's like a sucker punch, only worse; they sell this to anyone, everyone.

Many of the worms, while some are domestic, are coming from Asia, such as the Philippines and India, and of course Red China is very, very serious about using such methods: buying it, exploiting it, testing it on us.

It is becoming worse by the day. The Islamic terrorists are trying right now.

In Hyderabad, a drought is killing the cattle and the people. The electricity goes on and off. In the sweatshops, electrical engineers write code at low pay. The money that pays them transfers via Bank of India in S.F., USA to their pay in India; in between, those involved in managing the money will have their accounts frozen because they are found to have terrorist links. The lights blink again at the sweatshop. The lights go out. It is very hot in the sweatshop, 102 in Hyderabad.

A man from "China" wants to talk with the guy in the dirty shirt who works in the sweatshop in Hyderabad.

8 posted on 08/13/2003 8:42:19 AM PDT by Brian_Baldwin

To: libravoter
I will check, thanks for the tip.
9 posted on 08/13/2003 8:43:39 AM PDT by Brian_Baldwin

To: js1138
Interesting, I will look into ZoneAlarm.
10 posted on 08/13/2003 8:45:37 AM PDT by Brian_Baldwin

To: Brian_Baldwin
I would also suggest looking into two little programs from Gibson Research, unplugandpray and shootthemessenger. These ensure that you have Windows Messenger and Windows plug and play access from outside turned off--and that you can turn them on temporarily if needed.
11 posted on 08/13/2003 8:54:00 AM PDT by Cicero (Marcus Tullius)

To: Brian_Baldwin; All
Has anyone investigated the Google toolbar? You get it from google.com. My son says it blocks popups. I haven't had time to investigate whether this is true, but it does seem to have an effect. Anyone know about this?
12 posted on 08/13/2003 8:57:14 AM PDT by js1138

To: libravoter
Did you have your e-mail program set to view graphics or html in the window pane?

Yes, I had it set to automatically open the preview pane.

Thereafter, I installed and checked out several pre-mailview programs. I settled on Mailwasher. Now, every email gets "processed" by Mailwasher first. I pre-view it for sender and, sometimes, contents. It keeps the mail on the server, rather than downloading it to my pc. I can delete it from the server. It also has built in "bouncing" so some mail I never even see if it is spam.
13 posted on 08/13/2003 8:57:44 AM PDT by TomGuy

To: js1138
GRC.com is an excellent resource. Have you seen his section about undoing network bindings? Definitely worth doing.
14 posted on 08/13/2003 9:00:07 AM PDT by BJungNan

To: Brian_Baldwin
.. I do not believe this is a cookie issue in regards to the firewall. It is only an issue using www.freerepublic.com versus freerepublic.com.

Any insight on this? The behavior of incoming URL access to Free Republic acts differently depending on if you use "www" prefix or not to the network portion of the URL.

I hope I can explain it. If you examine the two names in DNS, you'll see that they both point to the same IP address:

# host freerepublic.com
freerepublic.com has address 209.157.64.200

# host www.freerepublic.com
www.freerepublic.com has address 209.157.64.200

And if we examine that IP address, we'll see that it's in a block owned by Verio.

# whois 209.157.64.200@whois.arin.net
[whois.arin.net]

OrgName:    Verio, Inc.
OrgID:      VRIO
Address:    8005 South Chester Street
Address:    Suite 200
City:       Englewood
StateProv:  CO
PostalCode: 80112
Country:    US

ReferralServer: rwhois://rwhois.verio.net:4321/

NetRange:   209.157.0.0 - 209.157.255.255
CIDR:       209.157.0.0/16
NetName:    VRIO-209-157
NetHandle:  NET-209-157-0-0-1
Parent:     NET-209-0-0-0-0
NetType:    Direct Allocation

We can plug that same IP into Verio's WHOIS server and see that part of that block is assigned to JimRob.

# whois 209.157.64.200@rwhois.verio.net
[rwhois.verio.net]
Robinson-DeFehr Consulting (NETBLK-C053-209-157-64-192) C053-209-157-64-192
                                               209.157.64.192 - 209.157.64.255
Verio Data Centers - San Jose - Lundy (NETBLK-C053-209-157-064) C053-209-157-064
                                                 209.157.64.0 - 209.157.71.255
Verio Inc. (NETBLK-VRIO-209-157) VRIO-209-157    209.157.0.0 - 209.157.255.255

Now, it is possible for someone to hijack a name server and make a certain hostname point to another IP address. If you're concerned about this happening, you could bookmark the IP address to make sure you're always going to the right place.

.. also a question of the server-side of Free Republic and if there is some issue with the URL that a hateful hacker/leftist/Islamic extremist could exploit.

While that may be possible, there is another explanation for what is happening. Looking at Netcraft's analysis of freerepublic.com versus www.freerepublic.com, we see multiple servers in what appears to be a load-balancing arrangement. We also note a different number of servers and different versions of the Apache software in the list. This might lead us to believe that we'd interface with a different server (or set of servers) depending on which hostname we use. Indeed, the Apache software supports a virtual host function which can select a server based on which hostname a browser requests; there may be something in Verio's routers which does the same thing.

I'm guessing here, but since the newer versions are at freerepublic.com , Jim and John might be using that set of servers as a testbed before migrating the software to www.

So I don't think it's an indication of anything sinister going on. Good question, though.

15 posted on 08/13/2003 9:02:22 AM PDT by TechJunkYard (because... so much is riding on your wires)
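Posts 6 and 15 between them give the non-sinister explanation: both names resolve to the same IP, but the Host header the browser sends selects which Apache virtual host (or which pool behind the balancer) answers, and a blank-type "File Download" dialog for what is plainly HTML is what a browser shows when the response's Content-Type is not one it renders inline. The script below is an added example, not code from the thread or from Free Republic: it builds the two requests that differ only in Host, then compares two raw responses header by header and states what a browser would do with each. The responses are constructed samples, not captures of freerepublic.com; the Apache version strings, the `application/octet-stream` cause of the prompt, and the list of inline-rendered media types are assumptions (IE also sniffs content, which this check does not model).

```python
import hashlib

# Two constructed responses, one per hostname. They are illustrative, not
# captured from freerepublic.com; the differing Apache versions mirror the
# post's Netcraft observation, and application/octet-stream is the assumed
# cause of the blank-type "File Download" prompt described in post 1.
RESP_BARE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.28 (Unix)\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; path=/\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>Free Republic</title></head><body>...</body></html>"
)
RESP_WWW = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.26 (Unix)\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>Free Republic</title></head><body>...</body></html>"
)

# Media types a browser of the period renders inline (assumed list; IE also sniffs).
INLINE_TYPES = {"text/html", "text/plain", "text/xml", "image/gif", "image/jpeg", "image/png"}
# Headers worth diffing between the two hostnames.
COMPARE = ("server", "content-type", "content-disposition", "set-cookie")


def build_request(host, path="/"):
    """HTTP/1.1 request whose Host header is what an Apache name-based virtual
    host (or a load balancer keyed on hostname) uses to pick the backend. Send
    both variants to the same IP to reproduce the post's experiment."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: header-diff/0.1\r\nConnection: close\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into (status line, {lowercased name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # repeated headers such as several Set-Cookie lines are joined
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body


def browser_disposition(headers):
    """What the browser does with the body, judged from the headers alone."""
    if headers.get("content-disposition", "").lower().startswith("attachment"):
        return {"action": "download", "why": "Content-Disposition: attachment"}
    ctype = headers.get("content-type")
    if ctype is None:
        return {"action": "sniff", "why": "no Content-Type; browser guesses from the body"}
    media = ctype.split(";", 1)[0].strip().lower()
    if media in INLINE_TYPES:
        return {"action": "render", "why": f"{media} is rendered inline"}
    return {"action": "download",
            "why": f"{media} has no inline handler, so the browser offers a File Download dialog"}


def diagnose(raw_a, raw_b):
    """Compare two responses for the same path fetched under different hostnames."""
    _, ha, ba = parse_response(raw_a)
    _, hb, bb = parse_response(raw_b)
    differences = {k: (ha.get(k), hb.get(k)) for k in COMPARE if ha.get(k) != hb.get(k)}
    return {
        "a": browser_disposition(ha),
        "b": browser_disposition(hb),
        "differences": differences,
        # identical bodies under different headers point at server configuration
        # (virtual host / server pool), not at altered page content
        "same_body": hashlib.sha256(ba.encode()).digest() == hashlib.sha256(bb.encode()).digest(),
    }


if __name__ == "__main__":
    print(build_request("www.freerepublic.com").decode())
    report = diagnose(RESP_BARE, RESP_WWW)
    print("freerepublic.com    :", report["a"])
    print("www.freerepublic.com:", report["b"])
    for name, (a, b) in report["differences"].items():
        print(f"{name}: {a!r} vs {b!r}")
    print("same body:", report["same_body"])
```

To run the real experiment, open a socket to the resolved address, send `build_request("freerepublic.com")` and `build_request("www.freerepublic.com")` in turn, and feed the two replies to `diagnose`. A differing Server line with identical bodies is the virtual-host/pool split post 15 describes; a non-HTML Content-Type on one of them is the download prompt. A body that differs between the two is the case that would deserve a closer look.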

To: js1138
I wasn't aware that the google toolbar blocked pop-ups, but I can tell you what will: not using Internet Explorer (which the vast majority of ads are set to use.)

There are several nice browsers that have pop-up ad blocking built in, like Mozilla and, I think, Opera. Download the latest Mozilla, open preferences, click on the Privacy & Security tab, click on Pop-ups, and choose activate. You might need to choose any websites to be excluded if you want pop-ups to work on them (financial sites like banks often require certain info windows to be pop-ups.) And you should check the preset exclusion list to make sure there aren't any set to default as excluded.

Other than that, look ma, no pop-ups!
16 posted on 08/13/2003 9:04:05 AM PDT by libravoter (Live from the People's Republic of Cambridge)

To: TomGuy
Yes, I had it set to automatically open the preview pane.

Thanks. I'm in computer support and I spend an awful lot of time telling my users they can't get a virus through e-mail unless they open the attachment, and I'd hate to change that.

(I try to explain the whole "preview pane is bad" thing, but I don't know how many of them get it.)

17 posted on 08/13/2003 9:05:46 AM PDT by libravoter (Live from the People's Republic of Cambridge)

To: js1138
Has anyone investigated the google tool bar.[?]

I wouldn't. Google's Toolbar Privacy Policy says, in part:

We understand and respect that you are concerned about your privacy. That's why we want you to know that if you choose to enable the Google Toolbar's advanced features (e.g., viewing the PageRank of web pages), the URLs of the sites you visit will automatically be forwarded to Google.

Also see the FAQ.

18 posted on 08/13/2003 9:20:39 AM PDT by TechJunkYard (because... so much is riding on your wires)

To: js1138
"Black Ice is probably not the best firewall"

The govt seems to think it is pretty good.
19 posted on 08/13/2003 9:32:16 AM PDT by oldcomputerguy

To: TechJunkYard
I've been using the Google toolbar for a few weeks and love it. It does block pop-ups!

This is the beta that I installed. You do not have to install Page Rank and the bar has not sent out any information. I did hesitate using it until it was recommended by Kim Komando, she is very "security minded" warning NOT to use Gator, Hotbar etc!
20 posted on 08/13/2003 9:41:33 AM PDT by donnalee



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson