Solved

Keylogger Problem?  DSO Exploit

Posted on 2004-10-05
Last Modified: 2013-11-16
I am playing an on-line game out of Germany called Tibia.  There is another thread about it here.  There are a lot of hackers playing this game and visiting any of the fan-sites is likely to lead to some kind of infection.  I don't go to them.

I have two accounts.  I logged into the Tibia home site on account 1 using Mozilla Firefox and was doing some account maintenance when a pop-up window appeared and invited me to change my password for account 2.  This appeared several times.   I logged out and ran Spybot and found DSO Exploit and removed it.  My operating system is Windows 2000 Personal Edition.  I am pretty sure it is at the correct patch level.

I don't know that the IE exploit DSO is anyhow related to my experience using Firefox but I have some evidence that there is a problem.  I also have Norton Firewall, Norton Anti-Virus, Adaware, and Hijack This on this machine but haven't run scans with these latter yet.  

What's going on?  Where do I start?  I am not looking for an exhaustive list of all possible removal tools but analyze the problem if you can, provide a solution or further troubleshooting steps.
Question by:DonFreeman
 
LVL 6

Accepted Solution

by:
knoxj81 earned 250 total points
ID: 12229589
DonFreeman,

First off, I wouldn't worry about the DSO exploit. Spybot finds that on almost every computer. As far as having to worry about little script kiddies trying to infect your system, if you follow this advice today, those problems and worries will end. Security is only as good as the user, so educating yourself about the latest threats, exploits, tools to use to protect yourself will pay off greatly. I'm going to list some great programs along with a few sites to use for research.

Antivirus:
Kaspersky Antivirus 5.0 (new version) http://www.kaspersky.com/personal
This program is the best by far. It updates every 3 hours, scans web browser scripts also.
I've tested many other virus scanners through the years and this is by far the best.

AVG is also a great virus scanner (more for home user) not to mention they have a wonderful FREE edition.
http://www.grisoft.com/us/us_dwnl_free.php

Firewall:
Sygate Personal Firewall Pro - Compared to ZoneAlarm or Norton's, which both have tons of exploits to drop their service like a fly, Sygate is the choice for a software firewall.

Sygate has a home edition for free as well.  www.sygate.com

Spyware/Adware/Malware/Dataware:
AD-AWARE - www.lavasoftusa.com
If you can afford it, buy the PRO version. The extra feature AD-WATCH is well worth it, for it monitors your registry and notifies you of any changes made, allowing you to ALLOW or REJECT the request on the fly.

RegistryProt 2.0 - http://www.diamondcs.com.au/index.php?page=regprot
This is a free program to monitor all changes to the registry. This is a must in security for your Windows machine. Big help in eliminating spyware, Trojans, backdoors, etc.

BHO Demon - www.majorgeeks.com/download3550.html  (mirrored)
This is a must nowadays if you're running Internet Explorer! BHO is used in a lot of the recent IE exploits as well as keyloggers. Windows XP SP2 offers something along these lines, but why trust M$?

IDS ( Intrusion Detection System ): - snort.org
I was reading my Windows & .NET Magazine, and it has a great article on SNORT. Setting it up and everything. Page 51! Or you can buy the book SNORT 2.1 Second Edition. This program is absolutely promising; this is for extreme paranoid users & advanced users.

References:
http://isc.sans.org/index.php?off=diary -Everyday info on the latest exploits/virus/security issues.
http://eeye.com - perfect for advisories and the best security software.
www.majorgeeks.com - Every program a nerd could think of!!
www.sygate.com – Great Software firewall.
www.kaspersky.com – Best AV on the market.
www.lavasoftusa.com – Best spyware removal program.
http://www.grisoft.com – Wonderful FREE AV.


Let me know if you have any questions or need any further assistance.

Jorden



0
 
LVL 29

Expert Comment

by:blue_zee
ID: 12229900

The DSO exploits flagged by Spybot S&D are caused by a bug in its current release.

This will be sorted in the next release.

Latest news on this:

>>Please note the current beta release of the application (v 1.3.1b) corrects the DSO bug. If you are not comfortable with installing the beta ignore the DSO items until the final is released. Again, please note it is an application update and not an includes update that fixes this bug<<

From:

http://forums.net-integration.net/index.php?showtopic=17159

Zee
0
 
LVL 1

Author Comment

by:DonFreeman
ID: 12230093
What I want to do is figure out what is happening in the case.  I have been reviewing the products listed by knoxj81 and see some stuff I am going to install.  However, I want to know what is on my machine now.   It seems to know when I log into the Tibia home site and then spoof the password change interface.  How does it do that?  I want to see what's in the process list when it happens.  What should I be looking for?  

Spybot didn't find it and I want to run the other programs when I get off of work.  Obviously, if nothing finds it then I need to work with Adaware or Spybot support to figure out what it is.

0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12230144
It's not going to be in your processes. Most likely it's just a popup from the website. If in fact it is a program running on your PC, all you have to do is run an Adaware scan and an updated virus scan, and anything of that nature would be removed. I would install the programs I listed, then I would update them all.

Also: If you're using Mozilla, I would recommend uninstalling your current version and updating to their latest release, to patch for the found exploits.
http://www.majorgeeks.com/download2248.html - This version of Mozilla Firefox was released yesterday.

Let me know if you have any further concerns,

Jorden
0

 
LVL 29

Expert Comment

by:blue_zee
ID: 12231518

I wonder if that pop-up isn't Firefox save password feature, because as you probably know Firefox can store several auto logon passwords for the same site.

Try this:

Tools > Options > Privacy > Saved Passwords

Click the "Clear" button to delete all stored passwords.

When logging on to the Tibia site, and asked to save, click "Never for this site" (or similar wording). I suspect this will end the pop-ups, but you will need to retype the name and password every time you want to log on to that site.

Interesting will be Process Explorer:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Download, install and run.

This will show you All processes running and their details.

Maybe you can find something suspicious there...??

Post back if you have any doubts.

Good luck,

Zee
0
 
LVL 1

Author Comment

by:DonFreeman
ID: 12237206
knoxj81, When I get home I'll try what you are suggesting. I did run Adaware last night and it didn't find anything significant either.  I logged onto the site again this morning and it very reliably invites me to change the password for my second account.  I can't imagine that this thing is a feature of the Tibia Cipsoft home.  The dialog box isn't inviting me to SAVE the password, it's inviting me to CHANGE the password.  I figure once I do that and put in my old password I'm toast.  I'm too chicken to select yes and see what comes next.
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 12237642

I agree with your "chicken" decision, but that is also the wise decision.

Maybe worth a try:

Logon with your second account and change password from within the Tibia interface.

Save and check if the problem persists.

That popup could also be, and there are some sites that do that, a reminder for old passwords that should be periodically changed, as a safety precaution.

But, I'm only guessing, of course.

Zee
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12242374
Regardless of whether it's locally or remotely, if you have the right tools, this doesn't have to be a concern.

If it was a keylogger, you wouldn't have to be asked to enter your password. They would see you login and that would be that.

Either way: You need to run the best security tools, fully updated.

Good Luck,

Jorden
0
