internet forensicks

darkweb4 darkweb4 at gbronline.com
Fri May 21 15:27:22 CDT 2004


> I am needing a way to go through the source of an
> Internet session.  I am looking for how my web browser is
> being exploited and summarily disallow that method from a
> proxy ie squid.
> 
<snip>
> malicious JavaScript/ActiveX etc.   It appears that the
> virus problems I was running into were a DSO exploit
</snip>

I will assume then that you are talking about a Windows
machine.  On the assumption that you are using Windows (in an
environment where you are not restricted by admins, as in at
home), there are several things that you can use to find out
what is exploiting the machine.  Computercops.biz is a good
resource with a lot of forums dedicated to peoples' fights
with malware.  I ran the standard Adaware, Spybot Search &
Destroy, and Hijackthis! scans (make sure that they are
updated!) to remove most of the crap on my machines.  I also
found that installing Zonealarm and setting it to its
strictest settings helped as well.  Zonealarm made it easy
to see which programs were trying to access the internet,
and therefore which programs were possible malware "dialing
home."  Then after that I would do a Google on the named
program and their associated files to see if they were
malware or not (and if so, how to remove them safely).

> I am trying to find how the program that creates that file
> got on my computer and then use squid to eliminate that
> vulnerability  and any others that try similar tactics as
> CoolWebSearch

If you are trying to figure this out for educational
purposes, I don't know how to help you.  You might contact
the author of Hijackthis! and ask him for some pointers.
However, if you are just looking for a solution to the
problem, I would try running the above programs.  Also,
there are customized hosts files that are on the Internet. 
Most of these are updated frequently with sites that are
known to run browser hijacks.  This, AFAIK, would pretty
much eliminate the majority of your problems. (You should
also be able to disallow these sites by updating your squid
rules)  Also, turn activeX off unless you absolutely have to
run it to operate on a _known_ website.   You should think
about doing the same for Java.

If you're doing this just to figure out "how things work",
I don't have any good methods to suggest how to go about
this.  I have only been interested in the solutions in this
area, not the methods.  Again, try to email one or more
people who have authored anti-spyware software.  Maybe
sticking snort on a  machine between the Internet and the
subject machine would help you capture some information.

HTH,

Tim

PS.  If you're not already running an alternative browser
(i.e. Firefox/Mozilla/Opera), you ought to consider it.
Also, I am horrible at spelling.  I know that I've probably
committed many grammar mistakes in the above email.  However,
forensics does not contain a "k".  ;)

    /me leaps on the bandwagon for people who like to
correct kendrick's spelling mistakes
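
As an added example (not from the thread or any of its participants), the script below does what Tim's reply points at: it turns a downloaded hosts-style blocklist of hijack sites into the domain file and the two squid.conf lines for a Squid dstdomain deny rule. The sample blocklist, the ACL name and the file path are constructed for the example.

```python
"""Hosts-file blocklist -> Squid dstdomain ACL (added example). Assumes the
common hosts format ("0.0.0.0 bad.example"); sample data is constructed."""
import ipaddress
import re

SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 hijack.example.net   # browser hijack
0.0.0.0 ads.hijack.example.net
127.0.0.1 HIJACK.EXAMPLE.NET  # duplicate, differs only in case
0.0.0.0 www.example.com www.example.org
0.0.0.0 not_a_domain!
"""
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # RFC 1123 label


def is_valid_hostname(name):
    return len(name) <= 253 and "." in name and all(
        LABEL.match(lbl) for lbl in name.split("."))


def hosts_to_domains(text):
    """Parse hosts text; skip comments, local names and junk; dedupe, sort."""
    found = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip trailing comment
        try:
            ipaddress.ip_address(fields[0])         # first field: an address
        except (ValueError, IndexError):
            continue                                # blank or malformed line
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES and is_valid_hostname(name):
                found.add(name)
    return sorted(found)


def prune_subdomains(domains):
    """Drop names covered by a parent: Squid matches ".x" as x and *.x."""
    keep = []
    for d in sorted(domains, key=lambda s: s.count(".")):  # parents first
        if not any(d == p or d.endswith("." + p) for p in keep):
            keep.append(d)
    return sorted(keep)


def squid_acl(domains, acl="hijack_sites", path="/etc/squid/hijack_sites.txt"):
    """Return (squid.conf lines, domain-file contents); keep the deny line
    above any http_access allow lines in squid.conf."""
    entries = "\n".join("." + d for d in prune_subdomains(domains))
    conf = f'acl {acl} dstdomain "{path}"\nhttp_access deny {acl}\n'
    return conf, entries
```

Write `entries` to the path named in `conf`, add `conf` to squid.conf above the allow rules, and reload Squid whenever the blocklist is refreshed.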




More information about the Kclug mailing list