Guest guest Posted April 27, 2002

Can you explain to me how this JS/Exploit Back CSS virus works? I know it is activated by using the back button. It was a first for me and I was really upset with McAfee that it didn't catch it. Is that being a little too naive on my part, or is that where I screwed up by not keeping my firewall in place?

From what I gathered it just comes from web sites and I just happened to look at one that was infected, so when I hit my back button it set into those files. I did go through and clean out cookies yesterday also, besides cleaning out my 10 temporary files where it was attached. Something I should do more often, I'm sure. I couldn't believe how many were there for things I don't use anymore and sites I had looked at maybe one time.

What is your opinion, my noble computer buddy? I tried to pull my brother's chain for help but I guess the Good Lord must have him busy redesigning the computer set-up for the Pearly Gates right now. No luck, my long distance call wouldn't reach quite far enough either!! Since a big part of his work was security, I know he would have given me an earful and kidded me about not running on Linux like he always tried to get me to do.

Sally

Guest guest Posted April 27, 2002

Greetings Sally!

Let's see what I can do to answer your questions (and some extra thoughts tossed in for good measure!)

> Can you explain to me how this JS/Exploit Back CSS
> virus works? I know it is activated by using the
> back button.

Okay, briefly, let's see if I can explain some of this. First of all, when you press the back button, what you are really doing is telling Internet Explorer or Netscape to run a small hunk of code that reloads the previous page. Normally that is (by default) a small routine in these products. But sometimes the web page designer can create a small script (using JavaScript normally .. that's the JS part of the name) to do some of the work. This is how some websites force you to move forward rather than using the back button. Banks or surveys might require this type of control.

Once the 'back button' JS routine starts, it pulls code that was buried in the CSS file. (For the life of me, I can't remember what CSS stands for, but it is used to control the formatting of text on the screen.) Well, this virus pulls the code from the CSS file for the pages, and voila ... you've got it, too. Isn't it nice to share?

> I was really upset with McAfee that it didn't catch it...

Norton would not have caught it either. Not when it's a new bug. Even having a firewall would not stop this particular type of attack. It's typically called a "Trojan Horse". Can you guess why? And no, it doesn't have anything to do with a drug store!

Oh, and McAfee and Norton were probably busy trying to characterize this new threat to the Internet. It takes time and a lot of work. There are very few people that really do this (less than 1,000) compared to the sickos that send and develop these viruses. Sometimes they definitely stay busy.

There are two ways this type of attack can be corrected. First, the industry needs to decide that this type of attack is unacceptable and correct it. If the software manufacturers all coded with security in mind at the outset, this would not happen. The software I work on was rated as uncool at a hacking convention ... REALLY ... because the security could not be broken. It didn't happen by accident. It took tens or hundreds of thousands of man hours to make it that way. But Microsoft has only recently said it's their priority number one. Yeah, right. Then they continue to pour out buggy software on the public.

The only other way for folken such as ourselves to avoid this is to be very paranoid about our settings in Internet Explorer (or Navigator). Go to Internet Explorer .. Tools .. Security [tab] .. then with Internet highlighted, click on 'custom level...'. Take time to learn about this. But when possible, ask for a prompt. If not, and the help on it appears to imply it is very powerful (running ActiveX scripts as an example), then 'Disable' might be a good choice. But remember what you changed. Some sites you know and trust might break (banks and such). You can move them into the 'Trusted sites' to avoid that level of security.

Wow. A long answer to a (seemingly) simple answer.

> No Luck, my long distance call wouldn't reach quite
> far enough either!! ...

Oh, it reached. But the 'Call Waiting' time is set to an eternal clock! You'll get that answer soon enough (at least for your brother).

Regards,
=jbf= B. Fisher