NIS 2008 - Dear Friend Email

Are you certain that it was generated directly from your local computer?

Is it in your "sent" folder or was it returned to you as "undeliverable"?

Phil

At first glance, it looks like you are infected with some malware and made part of a zombie botnet.

See this Wikipedia article for details:

http://en.wikipedia.org/wiki/Botnet

Could you try one of these free anti-bot solutions?

  1. Norton Anti-Bot (download from: http://www.download.com/Norton-AntiBot/3000-8022_4-10698973.html )
  2. Trend Micro RUBotted (http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted )

Hope this helped.
Message Edited by vijayn on 07-19-2008 06:37 AM

The reason I asked about the mail being in your sent folder or being sent back to you was to determine if someone is "spoofing" your email address or if you are infected.

However, vijayn presents a good initial analysis.

In addition to running the anti-bot solutions he suggested, might I also suggest running Malwarebytes.

It is a free utility, does not run as a process until called upon and has performed well for me. Be sure to click the "update" tab once you have installed it.

Please keep us posted.

I would recommend running Antibot. Let's see what it can find.

Hello, I’ve downloaded Norton Antibot and it says it is up and running and checking stuff but hasn’t found anything.  I’ve also tried Malwarebytes and that has done a full system scan and hasn’t found anything.  I’ve reloaded my Open office and it seems to be ok now.  I’m at a loss how something got in, sent something and went out without being spotted, I’m also not convinced that it won’t happen again.  Cheers anyway!

If both Antibot and Malwarebytes don't find anything you are safe.

Out of curiosity, how did you discover that your email account sent something out?

Hi evelynjohnson86, nice to see that things appear normal. I would advise you to have either Norton AntiBot (free for 15 days, then you have to pay $29.99) or Trend Micro RUBotted (free) for some time.

Since malware is becoming increasingly intelligent, many such programs realise that you are installing detection software, so they become dormant for a while. After that they'll again try and connect with their master computer. That is the time they can be caught.

I too was infected by such a botnet attack; I must say they are very sophisticated.

In case you see or feel anything fishy, try HijackThis (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/). It's a tool which will scan your computer and create a detailed report only. By analysis of the report, I am sure experts at Symantec would be able to point out if you have been infected.

Message Edited by vijayn on 07-19-2008 09:22 PM

Hi,

Evelynjohnson86, sorry to hear about what happened. Did you manage to save any email headers? These may be able to help you track backwards & identify who sent them (see below). It's relatively common for a friend / family member / work colleague to be 'infected'. Perhaps your email address was leeched off a website by a search spider... you may never know. Always an optimist, I'd be surprised if the email header contained any useful info. Most are spoofed (fake entries).

Our language is looking a lot like the way we speak about human infectious processes in epidemiology (population health studies). So too, perhaps, is our behaviour?

Has anyone noticed a rapid increase in drive-by download sites over the last few weeks?

While doing some basic research for this post (Google searches), I was hit plenty of times - it gave me a fright.

Many of the criminal sites pose as (often free) 'legitimate' antivirus programs / services. There is no such thing as a free lunch. Some search results redirect you to a "sting" site. NIS2008 blocked them in FF 3 but not always as well as I'd like: one site fired up an IE-looking window (see below). According to NIS (View History - Norton Protection Center) I was always safe - different German / Russian sites tried to install hacking tools, info stealers, intrusion attempts ... on four occasions while I've been typing here.

These crooks shed domains and IPs as we shed dandruff. Many are involved in organised crime.

Most use powerful visual and behavioural techniques to force unwary people to open up their computers to the crooks. How would you react if confronted by some of the images shown here? Many people think by clicking at these 'windows' they are stopping a malware attack ... wrong.

Without protection from something like NIS2008, the game is over for most people before their eyes ever see the webpage.

More power to those who push free AV solutions ... wonder how many realise their solutions are the problems? I was tempted a long time ago to go dark side and yes, there are hack sites which give newbs tips on how to get in the front door. Most are behavioural - like offers of free AV software. All go straight for the most effective AV products and try to shut them down: all went after Symantec.

Most vulnerable? - kids, older adults, average people and me. I've been caught out and I know better. While your eyes (and attention) are drawn to whatever is on your screen, has it occurred to you that the crooks are trying a number of tricks to walk in your 'internet' door: internet sleight of hand. They get your attention on a pretty screen so they can work undisturbed at getting into your system.

The site shown in the above graphic has a nice sting - it runs java applets as you try to get away. NIS works well and I've been protected (touch wood). If I did not have the product installed, I'd not be any wiser and my PC might well be happily churning out spam for some dude in Hong Kong.

PLEASE DON'T LAND ON THIS SITE: http://getmyvideonow.cXm/exclusive5/id/3913044/5/black/white/0/Video/ (changed link to www.www.www) it will try to install a program onto your PC without your permission. The story is familiar. Russian - site based in Germany ... tries to install hack tools (backdoors, keyloggers, identity kits, etc) as your eyes are distracted by the nasty images. I can't recall how I landed on that site - don't recall doing anything that would need a video player - probably a redirection from a security site I wanted to review.

Oh yeah, free porn movies etc? Sure - open your PC to the world. These are the front offices for child porn, spammers, scammers and all things criminal - organised crime especially.

Yep - and this gem - located via a google search on security and AV methods as research for this post:

http://www.online-xpcleaner.cXm/2/_freescan.php?aid=880253 (changed to www.www.www). These crooks make it look as if FF has shut down (it's squeezed into a tight window out of sight). The warning (below) is perfectly capable of trapping most people - certainly most children. It looks like it is a legitimate Windows warning.

This crook is based in Hong Kong. Using SmartWhoIs I was able to track down the IP block they use. Using VisualRoute I noticed they have an alternate domain 58.65.XX.106-myrdns.com ... same contact info / ISP.

TIPS:

No security system (hardware / software) will protect you if you engage in high risk internet behaviour: surfing porn sites (especially kiddy porn - burn in hell you scum!); pirate software / pirate movies / pirate music; hacker sites - do you really believe criminal hackers are going to play nicely with you just because you want to go darkside?

We (users - our kids etc) are the weakest link in our security. Reduce our risk exposure through frank discussion, education and behaviour modification. Yes, it can be a challenge for a mother to have a chat with their adolescent son / daughter about internet porn. Better to have the discussion ... trust me on this.

No, a very attractive (male / female) that you 'met' on the internet will not fall madly in love with you because you are a nice person ... :) These are scammers (some sophisticated - some not) who then trade your details for criminal activities. Some earn well over $100K a month - it's organised and they are good at what they do. A gorgeous woman? Sorry - more likely an ugly Russian criminal or some dude from various third world countries.

Never ever use free AV solutions unless you KNOW the owner of the software personally. Sorry - how many of you can tell the difference between a real AV program and a hacking tool dressed up to behave like one?

RUN full system scans at least once a week.

NIS2008 is technically very very good. Yes, there are intermittent problems with subscriptions etc but the product works brilliantly - there is no way that I would access the internet without NIS2008. And yes, these attacks took place as I sat behind a hardware firewall and other security measures.

Determined criminals will find a way to bypass most security systems. Make it difficult for them by updating your subscriptions and software (OS patches, virus definitions etc).

We see a number of users who have been caught out by infected files on old CDs / drives. Treat everything as a potential risk.

Never use any option presented to you by these sites: all roads lead to hell (press any button / control and you will infect your system). Better to shut things down via task manager. NIS was triggered but not always. I was using FF - an unwary person might be fooled into believing some of the screens were legitimate Windows warning messages.

Actually - use task manager (or the better alternatives like Essential Net Tools etc) to close down any applications that you aren't sure about. Programmers know how to hide their applications from task manager - that's why other tools tend to show you a lot more.

Use well known and well regarded security sites like: WhatIsMyIPAddress. This site used my own IP address and found the suburb in which I live - that's so cool. There are plenty of tools to use here. In particular, you can analyse an email header and from there, find the sender's IP and on occasion - the name of their PC too (just the sloppy ones :)

How do you report drive-by sites like the few that I've just listed? Join community watch (NIS2008) and share your experiences with everyone. Use the technology to help protect all of us.

Symantec tech folk, correct me if I am wrong, the data we provide is aggregated (pooled) and you can't identify us individually? Just asking ...

NIS2008 and other security software will protect you quite well - but cannot protect anyone from being silly.

Never give out any personal info.

Never respond to emails from your bank asking you to confirm ....

------

Other useful Resources:

Symantec Spybot.

Antispam software: Mail Washer Pro - proven record of success.

Use products like Benign to strip out all unnecessary code / objects / links to external servers / background sounds / meta tags / CSS style sheets from external servers / scripts / applets and embedding / internal frames and layers / blinking text etc.

As for behavioural techniques - our email addresses are worth money. Scammers use web spiders to sift through newsgroups and less secured servers. Others use on-line dating sites - universities and social networking (ICQ, FaceBook, Yahoo etc). Males (any age) are apparently consistently easy targets - responding to stock photos of attractive women. Women are similarly targeted through on-line dating services. If you happen to be an older average looking guy and a drop dead gorgeous woman appears out of nowhere all interested in you ... it's probably some old guy in a third world country working to a script in a room full of PCs. Big business - people die.

Hope this info helps someone avoid nasty surprises ... this thread is worth watching.

[edit: further broke the bad links, changed .com to .cXm, some configurations/browser extensions could have repaired the broken links. Also fixed good links, to not be relative.]

Message Edited by Allen_K on 07-20-2008 01:42 PM
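The post above twice suggests working backwards through an email's headers to find where a message really came from, while warning that most of what you find there is spoofed. The script below is an added illustration of that header analysis; it is not code from the thread or from any of the tools mentioned. It walks the Received: chain of a constructed sample message (all names, addresses and IPs are made up, and example.net is assumed to be the recipient's own mail provider) and separates the hops written by servers you trust from the ones written by the sender's side, which can say anything at all.

```python
import email
import re

# Constructed sample message, not a real capture. The two top Received:
# headers were added by the recipient's provider (assumed to be example.net).
# The bottom one is the sort of entry a spammer forges so that the mail
# appears to have left a friend's PC.
SAMPLE_RAW_EMAIL = """\
Return-Path: <bulk@mailer.invalid>
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mailstore.example.net with ESMTP id AAA111
\tfor <you@example.net>; Sat, 19 Jul 2008 06:37:00 +0000
Received: from relay.mailer.invalid (relay.mailer.invalid [203.0.113.77])
\tby mx1.example.net with ESMTP id BBB222
\tfor <you@example.net>; Sat, 19 Jul 2008 06:36:58 +0000
Received: from friendpc.example.org (friendpc.example.org [198.51.100.5])
\tby relay.mailer.invalid with SMTP id CCC333; Sat, 19 Jul 2008 06:36:50 +0000
From: "A Friend" <friend@example.org>
To: you@example.net
Subject: Dear Friend

hello
"""

# Common shape of one hop: "from <helo> (<reverse-dns> [<ip>]) by <server>".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s()]+\s+)?\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hops(raw_email):
    """Return the Received: hops in chronological order (oldest first).

    Each relay prepends its own header, so the first header in the message
    is the most recent hop; reversing the list gives the path the mail took.
    """
    msg = email.message_from_string(raw_email)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        hops.append({
            "helo": m.group("helo") if m else None,
            "ip": m.group("ip") if m else None,
            "by": m.group("by") if m else None,
            "raw": flat,
        })
    return hops


def entry_hop(hops, trusted_suffix):
    """First hop received *by* one of our own servers.

    That header was written by a server we trust, so its 'from' IP is the
    last address we can vouch for. Every earlier hop was written by the
    sender's side and may simply be invented.
    """
    for hop in hops:
        if hop["by"] and hop["by"].lower().endswith(trusted_suffix.lower()):
            return hop
    return None


def analyse(raw_email, trusted_suffix):
    """Summarise what the headers can and cannot tell us about the origin."""
    msg = email.message_from_string(raw_email)
    hops = parse_hops(raw_email)
    entry = entry_hop(hops, trusted_suffix)
    return {
        "from_header": msg["From"],
        "return_path": msg["Return-Path"],
        "hops": hops,
        "entry_ip": entry["ip"] if entry else None,
        "entry_helo": entry["helo"] if entry else None,
        # Hops below the entry point were written by the other side.
        "unverifiable_hops": hops[: hops.index(entry)] if entry else hops,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_RAW_EMAIL, "example.net")
    print("From: header claims     :", result["from_header"])
    print("Mail entered our MX from:", result["entry_ip"], "HELO", result["entry_helo"])
    for hop in result["unverifiable_hops"]:
        print("unverifiable hop        :", hop["raw"])
```

For the sample message the From: line and the lowest hop both point at a friend's machine, but the only hop our own server wrote says the mail arrived from 203.0.113.77, and that address is the one worth looking up. Real messages from a compromised account will of course carry different relay names, and a provider that adds more internal hops just moves the entry point further up the list.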

Phil_D wrote:
Out of curiosity, how did you discover that your email account sent something out?

Great question ...

One of the best things I love with ZAPRO was that it put up its hand if it detected a rush of emails being sent out at the same time. (At least, I'm pretty sure it was ZAPRO - you could adjust the number of emails it allowed before it made a fuss.)

Zonelabs have been busy.. this caught my eye:

Virtual Browsing

Each time you surf the Internet with ForceField, we create a clone of your browser. Every time you visit a website, open a new page, or download a file, everything that could attack you or your PC goes to that clone. That way, if any threats do penetrate your defenses, only the temporary clone is infected. Not your computer.

You and your PC remain protected, immune to attacks.

It's a technique we call "Virtual Browsing." We believe it is an absolutely essential piece of Internet security software, and only ZoneAlarm has it.

Hmmm ... sounds like a plan. Makes sense if it works.

Wonder if NIS2009 has anything along those lines - have there been any press releases about product features? Just curious ...

Surely NIS has always monitored outgoing messages? Some say it's useless but I don't agree. Since I've been fortunate so far I don't know what happens if it spots one or more that it is suspicious of.

Be interesting to see what Norton say about this for NIS in general and for NIS2009.

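The "rush of emails" check the post above remembers from ZAPRO is easy to sketch. The Python below is an added illustration, not ZoneAlarm's, Norton's or anyone else's actual code: it slides a time window over outbound mail log lines and flags any sender whose count inside the window exceeds a threshold (the adjustable number the post mentions). The log format and every address and timestamp are constructed for the example; a real MTA or mail-client log would need its own line parser.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed outbound-mail log in an assumed "<ISO time> <sender> -> <recipient>"
# format. A few normal sends, then a burst of 12 messages in 12 seconds from
# one account, which is roughly what a spam bot on that PC would look like.
SAMPLE_LOG_LINES = [
    "2008-07-19T06:30:01 evelyn@example.net -> alice@example.org",
    "2008-07-19T06:45:10 evelyn@example.net -> bob@example.org",
    "2008-07-19T06:50:00 phil@example.net -> carol@example.org",
    "2008-07-19T06:50:30 phil@example.net -> dave@example.org",
    "2008-07-19T06:51:00 phil@example.net -> erin@example.org",
] + [
    f"2008-07-19T07:02:{s:02d} evelyn@example.net -> victim{s}@example.org"
    for s in range(12)
]


def parse_line(line):
    """Split one constructed log line into (timestamp, sender, recipient)."""
    ts, sender, _arrow, recipient = line.split()
    return datetime.fromisoformat(ts), sender, recipient


def detect_bursts(lines, max_msgs, window_seconds):
    """Flag senders that exceed max_msgs within any window_seconds span.

    Keeps, per sender, a deque of send times still inside the window and
    raises one alert per sender the first time its count crosses the limit.
    """
    window = timedelta(seconds=window_seconds)
    recent = {}      # sender -> deque of timestamps inside the window
    flagged = set()  # senders already reported
    alerts = []
    for ts, sender, _recipient in sorted(parse_line(l) for l in lines):
        q = recent.setdefault(sender, deque())
        q.append(ts)
        while q and ts - q[0] > window:  # drop sends that have aged out
            q.popleft()
        if len(q) > max_msgs and sender not in flagged:
            flagged.add(sender)
            alerts.append({
                "sender": sender,
                "count": len(q),
                "window_start": q[0],
                "window_end": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG_LINES, max_msgs=10, window_seconds=60):
        print(f"ALERT {alert['sender']}: {alert['count']} messages between "
              f"{alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S}")
```

With a limit of 10 messages per minute the burst from the constructed evelyn account trips the alert on its eleventh message while the slower sender stays quiet; raising the limit to 20 clears it. The threshold is the part worth tuning for real traffic, since a mailing-list owner legitimately sends bursts a personal account never would.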
<< The site shown in the above graphic has a nice sting - it runs java applets as you try to get away. >>

It requires self discipline not to click on that [X] .... I've seen it said that using ALT + F4 is a safe way to close down rogues like these without doing what they want you to do: clicking anywhere triggers the malware.

I keep Status Bar visible on my IE windows so when I hold the mouse over an object -- very useful in incoming emails -- it shows me if it is a link and very often the whole "text" of an email is in fact an image and so a potential trigger.

FWIW -- thanks for the excellent analysis.

huwyngr wrote:

<< The site shown in the above graphic has a nice sting - it runs java applets as you try to get away. >>

It requires self discipline not to click on that [X] .... I've seen it said that using ALT + F4 is a safe way to close down rogues like these without doing what they want you to do: clicking anywhere triggers the malware.

I keep Status Bar visible on my IE windows so when I hold the mouse over an object -- very useful in incoming emails -- it shows me if it is a link and very often the whole "text" of an email is in fact an image and so a potential trigger.

FWIW -- thanks for the excellent analysis.

Thanks huwyngr,

Self discipline? Absolutely ... so why is it I get caught more often than not <g> Sigh.

Thanks for the feedback ... I *know* most regular contributors probably have their own resources / tools on almost any subject raised here.

I'm just trying to share ... These piccies might be the first time that some users have seen their friendly security software in action. Until you actually see such a thing (computer virus / bot / rootkit / name your plague ...) it's all theoretical.

Cheers.

Thanks more to you for sharing and including images -- if only the system here did not make it so complicated to achieve.

I know from my time in Compuserve how a picture is worth a thousand words -- even the most stalwart text only sysops now say "Can you post a screen image of that?"

I got a “unable to deliver” message bounce into my inbox and when I checked my sent box, there it was.

Do your “hotmail” messages stay on the web server or do you bring them into a mail program on your computer?


evelynjohnson86 wrote:
I got a "unable to deliver" message bounce into my inbox and when I checked my sent box, there it was.

Phil_D wrote:
Do your "hotmail" messages stay on the web server or do you bring them into a mail program on your computer?

Hi Evelynjohnson86 and Phil_D,

The last two posts from both of you don't make much sense - they are out of context and neither of you mentions another post / forum user.

Would you mind editing them ... just greasing the wheels.

Phil_D: Hotmail is accessible both via Web and also via desktop using Outlook Express and Windows Live Mail programs.

Hope that answers your doubt.

Thanks for the info, vijayn.

I was trying to determine how evelynjohnson86's email account had been compromised: through an infection on her computer or through someone hacking into her web-based email account, as mcullet had mentioned earlier. Since she noted that she found a copy of the message in her sent box, that's more than someone just spoofing her address.

That is why I wanted to know whether she used web-based mail or if she used an onboard mail program.

Message Edited by Phil_D on 07-21-2008 07:27 AM