
Author Topic: email hijack security risks? (IT dudes!)  (Read 17578 times)

MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #45 on: May 08, 2010, 03:25:13 PM »
Sophos results

This $%&#er here

Area:   Windows registry
Description:   Hidden registry value
Location:   \HKEY_USERS\S-1-5-18\Control Panel\International\sShortTime
Removable:   No
Notes:   (type 1, length 16) "h : m m   t t   "

And this

Area:   Local hard drives
Description:   Unknown hidden file
Location:   C:\System Volume Information\SystemRestore\New-security.LOG1
Removable:   Yes (but clean up not recommended for this file)
Notes:   (no more detail available)

phlip

  • Featherweight
  • ***
  • Posts: 319
Re: email hijack security risks? (IT dudes!)
« Reply #46 on: May 08, 2010, 03:40:38 PM »
Sophos results

This $%&#er here

Area:   Windows registry
Description:   Hidden registry value
Location:   \HKEY_USERS\S-1-5-18\Control Panel\International\sShortTime
Removable:   No
Notes:   (type 1, length 16) "h : m m   t t   "

And this

Area:   Local hard drives
Description:   Unknown hidden file
Location:   C:\System Volume Information\SystemRestore\New-security.LOG1
Removable:   Yes (but clean up not recommended for this file)
Notes:   (no more detail available)

That's fairly standard results for a clean system; you do not have a rootkit on your system!


MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #47 on: May 08, 2010, 03:43:15 PM »
Sophos results

This $%&#er here

Area:   Windows registry
Description:   Hidden registry value
Location:   \HKEY_USERS\S-1-5-18\Control Panel\International\sShortTime
Removable:   No
Notes:   (type 1, length 16) "h : m m   t t   "

And this

Area:   Local hard drives
Description:   Unknown hidden file
Location:   C:\System Volume Information\SystemRestore\New-security.LOG1
Removable:   Yes (but clean up not recommended for this file)
Notes:   (no more detail available)

That's fairly standard results for a clean system; you do not have a rootkit on your system!



Kickass!

Don't mean to be a dick or anything, just checking source - I assume from your input in this thread that you're a pretty experienced IT dude?

phlip

  • Featherweight
  • ***
  • Posts: 319
Re: email hijack security risks? (IT dudes!)
« Reply #48 on: May 08, 2010, 03:47:27 PM »
Aherm http://m.zdnet.com/blog/security/hacker-exploits-ie8-on-windows-7-to-win-pwn2own/5855
I didn't read it in depth, but as with any operating system running any software out there, there are going to be holes, no matter how secure they claim to be :(


I never said it was impossible I said it was highly unlikely, which I stick by. The hack in the ZDNET link is very very difficult to do and requires a direct attack from someone with extreme skill against a system. Bypassing the DEP like he did would be almost impossible to automate.

Anyway, the Sophos results say, as expected, that MDV doesn't have a rootkit, so that's good news!

 :D

phlip

  • Featherweight
  • ***
  • Posts: 319
Re: email hijack security risks? (IT dudes!)
« Reply #49 on: May 08, 2010, 03:57:57 PM »

Kickass!

Don't mean to be a dick or anything, just checking source - I assume from your input in this thread that you're a pretty experienced IT dude?

No problem at all, the internet is full of 'experts!' and anyone in IT who claims to know everything and can't be wrong is to be avoided at all costs! I can be wrong, but 20 years in IT tells me you don't have a rootkit; there would be a whole ream of hidden reg keys and DLLs etc. if you did.
I would still try other anti-malware products to 100% ensure a clean system; however, Malwarebytes is well regarded and this has given you a clean bill of health.


This is one part of my job; I also look after university-wide management and deployment systems.
http://www.northumbria.ac.uk/sd/academic/sobe/bevc/bevcpeople/paitman/

I usually try to avoid giving internet IT advice; it's far too easy to come to a conclusion without access to all of the facts. The user can tell you what they can and believe to be relevant, but there's no full picture of issues without actual access to the system, either real or via a remote session.

MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #50 on: May 08, 2010, 04:15:49 PM »

Kickass!

Don't mean to be a dick or anything, just checking source - I assume from your input in this thread that you're a pretty experienced IT dude?

No problem at all, the internet is full of 'experts!' and anyone in IT who claims to know everything and can't be wrong is to be avoided at all costs! I can be wrong, but 20 years in IT tells me you don't have a rootkit; there would be a whole ream of hidden reg keys and DLLs etc. if you did.
I would still try other anti-malware products to 100% ensure a clean system; however, Malwarebytes is well regarded and this has given you a clean bill of health.


This is one part of my job; I also look after university-wide management and deployment systems.
http://www.northumbria.ac.uk/sd/academic/sobe/bevc/bevcpeople/paitman/

I usually try to avoid giving internet IT advice; it's far too easy to come to a conclusion without access to all of the facts. The user can tell you what they can and believe to be relevant, but there's no full picture of issues without actual access to the system, either real or via a remote session.


Sweet, exactly the experience and honesty (that you're not claiming to know for sure, just making the best call you can with the information you have) I hoped to see. Glad you're not offended, too :)

Thanks for your help!

Everyone else's too.

I think I'll hold off my Defcon Level 'Kill it with fire' plan of taking the hard drive out, burning it and putting in a spare I have sitting around!

phlip

  • Featherweight
  • ***
  • Posts: 319
Re: email hijack security risks? (IT dudes!)
« Reply #51 on: May 08, 2010, 04:30:56 PM »
Offended god no! I could have been a random 12 year old girl or 80 year old bloke ;)

I still stand by my comment that any emails people have received didn't originate from you but will have had your address as a faked sender; you will see non-delivery reports for bounces but no sent items. It's far too easy to fake the sender address or any other header. It doesn't even need any programming skills.
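Phlip's point above about a faked sender is something the bounced message's own headers let you check. The following is an added example, not from the thread: a small Python triage script that walks the Received chain of a bounced original and flags a message that carries your From address but entered the mail system from a host outside your own network. The message, addresses and IP ranges are constructed documentation values.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (documentation-range addresses, not real data): a message
# whose From header carries the account holder's address but which entered the
# mail system from 203.0.113.45, a host the account holder never used.
SPOOFED_MESSAGE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx.example.org with ESMTP; Sat, 08 May 2010 14:02:11 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
 by relay.example.net with SMTP; Sat, 08 May 2010 14:02:09 +0000
From: MDV <mdv@example.com>
To: friend@example.org
Subject: check this out

(body omitted)
"""

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def received_chain(raw):
    """IP of the handing-off host for each Received header, earliest hop first.
    Relays prepend Received headers, so the bottom-most one is nearest the origin.
    Caveat: a sender can forge Received lines below the ones added by relays you
    trust, so only the hops added by your own provider are fully reliable."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received") or []):
        match = IPV4.search(header)
        if match:
            hops.append(match.group(0))
    return hops


def sender_address(raw):
    """Bare address from the From header, display name stripped."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()


def assess(raw, own_address, own_networks):
    """Triage verdict for a bounced original that appears to come from you."""
    if sender_address(raw) != own_address.lower():
        return "not-our-address"
    hops = received_chain(raw)
    if not hops:
        return "no-received-headers"
    origin = ipaddress.ip_address(hops[0])
    if any(origin in ipaddress.ip_network(net) for net in own_networks):
        return "sent-from-own-network"
    return "spoofed-sender"
```

A "spoofed-sender" verdict matches the pattern described above: bounces arrive, nothing sits in Sent Items, and the originating host is not yours.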

MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #52 on: May 08, 2010, 04:47:01 PM »
Which is indeed exactly what I saw. I'm not 100% (how could I be; I ain't no IT dude - I know just enough about computers to know how much I don't know) but I can come to reasonable, high confidence, if uncertain conclusions with limited evidence (that is my job) and we have

- dodgy email from my account
- delivery failure notice not from my IP
- no sent message log
- It's JavaScript (did I use it right this time sho' ;) :lol:) webmail
- I rang them and they're having some trouble with it happening on other accounts
- 3 anti-malware programs on the machine and one across a network coming up clean
- rootkit sniffer program giving clean result
- I have since explained the significant drop in performance experienced last night - it's a bit of software I've used for years that suddenly decided to make my machine die, so I killed it instead

All of the above are consistent with what you would expect of a commandeering of my account using another computer and nothing ever having been on my machine; many are not consistent with hidden malware (or at least it's highly unlikely, like Yahoo having more widespread problems with it and the failure notice IPs not being mine) - doesn't prove that nothing's there, but I'm quite satisfied that this computer is clean. (edit - Occam's razor = your friend; simple webmail hijack or nefarious malware-hiding rootkit that's evaded several fully updated and quite effective scans?)

Again, thanks :D
« Last Edit: May 08, 2010, 04:54:49 PM by MDV »

JDC

  • Welterweight
  • ****
  • Posts: 1604
Re: email hijack security risks? (IT dudes!)
« Reply #53 on: May 09, 2010, 11:08:53 AM »
I didn't think it was a rootkit either but didn't want to speculate.

Could someone explain this webmail address book nicking in more detail? First I've ever heard of it. Would the JavaScript in the email be hosted on the webmail server or a 3rd party server? i.e. is Firefox with NoScript protecting me or not?

BigB

  • Welterweight
  • ****
  • Posts: 1429
  • Let's rock !
Re: email hijack security risks? (IT dudes!)
« Reply #54 on: May 09, 2010, 01:48:57 PM »
I didn't think it was a rootkit either but didn't want to speculate.

Could someone explain this webmail address book nicking in more detail? First I've ever heard of it. Would the JavaScript in the email be hosted on the webmail server or a 3rd party server? i.e. is Firefox with NoScript protecting me or not?

http://en.wikipedia.org/wiki/Cross-site_scripting

XSS being based on JavaScript code executed in the user's browser, disabling JavaScript in your browser should prevent the problem - theoretically at least.

Have: Crawlers, BGF 50/52s, Mules, ABomb, RiffRaff
Had : Slowhands (n&m), Trilogy (b)
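BigB's answer above concerns script inside a mail body running in the reader's browser. As an added example, not from the thread, here is the server-side counterpart a webmail provider applies before rendering a message: an allowlist sanitizer that keeps basic formatting and drops script, event-handler attributes and javascript: links, so the page the reader's browser receives contains no executable content from the sender. The hostile body and all helper names are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: anything not named here is dropped (a denylist would miss new tags).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._muted = 0  # >0 inside <script>/<style>: drop their text as well

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._muted += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its visible text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick, onerror, style, ... on every tag
            if name == "href" and urlparse(value or "").scheme not in ("http", "https"):
                continue  # drops javascript: and data: links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._muted = max(0, self._muted - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._muted:
            self.out.append(escape(data, quote=False))


def sanitize_email_html(body):
    """Return a rendering-safe version of an untrusted HTML mail body."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Constructed sample of a hostile mail body (illustrative, not a real payload).
HOSTILE_BODY = ('<p>Hi <b>there</b><script>run()</script>'
                '<a href="javascript:run()" onclick="run()">click</a><img src="x" onerror="run()"></p>')
```

Tags the sender leaves unclosed are passed through unclosed; a production sanitizer would also track nesting and rebalance the output.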

JDC

  • Welterweight
  • ****
  • Posts: 1604
Re: email hijack security risks? (IT dudes!)
« Reply #55 on: May 10, 2010, 02:40:18 AM »
Cheers! Didn't know cross-site scripting could nick address books; I thought it was just for inserting fake login boxes on legit sites (or was that SQL injection?)

NoScript will be protecting me :D

On my Google Chrome suggestion earlier, I think Firefox + NoScript is probably more secure, but it isn't for typical web users, more for control freak nerds.