Security Incidents mailing list archives

Re: 030.com


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 09 Nov 2002 09:19:31 +1200

"Waitman C. Gobble" <waitman () emkdesign com> wrote:

<<snip>>
> I sent emails to the IP block owners of both 030.com and the ip in the
> hosts file, requesting that they investigate this matter and terminate
> the activity.
>
> I could care less if the owner of the site sends a friendly email
> instructing how to disable the thing. The hijacking should not have
> happened in the first place.

You almost certainly have two problems:

1.  You/your users use IE to browse the web.  Just say no.  Get any 
other buggy browser.  The minor inconveniences of having to 
occasionally do a shift-Reload to force a refresh because of local 
caching screwiness, or killing and occasionally restarting the 
browser because your system gets real slow and unresponsive and four 
web pages of basically plain text apparently require 92MB of RAM to 
render, etc, etc far outweigh all the crap you face due to the bug du 
jour mess you face with IE.  The point is, IE bugs are heinous _and_, 
because there are so many IE users, arseholes will exploit them for 
as "trivial" but annoying things as changing your home page, default 
browser search page and much worse.  Mozilla, Opera, etc, etc are 
probably no less buggy, but any security flaws they have that are 
half as bad as most of IE's are not known and thus are not being 
widely exploited.

2.  Most likely your IE users have default security zone settings.  
If you really "must" keep using IE (given its appalling security 
record no-one can really justify that, but I'll humour you and assume 
there is some extraordinarily wacky "business need" argument peculiar 
to your company that only the sheer idiocy of typical middle level 
management could possibly understand) then you have to disable all 
ActiveX (except supervisor-approved), all scripting and all anything 
else 'active' in the Internet zone then be very careful about which 
domains you put in the Trusted Sites zone.  Of course, you then 
should review the Trusted Sites security settings, as the default 
Internet zone settings are really more appropriate.  This will break 
a huge chunk of the Internet because far too much of it unnecessarily 
"requires" scripting, promptly returning us to the "have you 
considered using another browser?" option.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
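
The zone lockdown described in point 2 of the message above can be checked from a registry export; this is an added example, not part of the original post. It assumes the `.reg` export has already been decoded to text, uses a constructed sample, and relies on the documented IE URL action IDs (1001, 1004, 1200, 1201, 1400) and zone numbers (2 = Trusted Sites, 3 = Internet); the function names are hypothetical.

```python
import re

# Constructed sample .reg export of per-user IE zone settings (not from the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00010000
"1400"=dword:00000000
'''

TRUSTED, INTERNET = "2", "3"            # zone numbers under ...\Zones
ACTIONS = {                             # URL action IDs for the 'active' features
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked safe",
    "1400": "Active scripting",
}
ENABLE, DISABLE, ADMIN_APPROVED = 0x0, 0x3, 0x10000

def parse_zones(text):
    """Return {zone: {action_id: dword}} from .reg export text."""
    zones, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = re.search(r"\\Internet Settings\\Zones\\(\d+)\]$", line)
            current = zones.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            v = re.match(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$', line)
            if v:
                current[v.group(1).upper()] = int(v.group(2), 16)
    return zones

def audit(text):
    """List (zone, action, label, state) entries that need attention."""
    zones, findings = parse_zones(text), []
    for action, label in ACTIONS.items():
        inet = zones.get(INTERNET, {}).get(action)      # None: not in the export
        hardened = inet == DISABLE or (action == "1200" and inet == ADMIN_APPROVED)
        if not hardened:
            findings.append(("Internet", action, label, "unset" if inet is None else hex(inet)))
        if zones.get(TRUSTED, {}).get(action) == ENABLE:  # silently allowed: review it
            findings.append(("Trusted Sites", action, label, "0x0"))
    return findings
```

An "unset" state only means the value was absent from the export, so the effective setting (default or policy) still has to be confirmed on the machine.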
