InformAction Forums

Hmm, I thought that letting pdfs run in a browser was so last century - - and that better security practise is to disable any pdf handling plugins and open pdfs outside the browser?
/hijack.

therube wrote:I wasn't making sense out that site either.
What is a "Worth startup"?

I'm not sure if 'startup' is the correct jargon - maybe a 'new site' is better description
http://en.wikipedia.org/wiki/Worth1000
Highly moderated photoshop "communities".

Quoth therube

Once you have gone /noscript/ you never go back ;-)

Ah,I don't get around much, do I. ... if I had a brain I'd be dangerous :-)
The poor visitor using the default NS was somewhat disbelieving about my "just toggle NS if a page doesn't work" ha ha.

Something weird going on and I don't have a lot of time this evening to do a proper screenshot post, so will just link to the page with a quick description and see if anyone else can reproduce. In a clean profile, all NS defaults, go to http://safeweb.norton.com/dirtysites It goes to a noscript redi...

The "biter" I meant in luntrus' quote was banking trojan writers, not MS - - at least not this time :-)

a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A.

Quoth luntrus

Also MS flags it now since two days:n a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A.

Oh, how nicely ironic. The biters bit :-)
No AV exes made with Borland, I trust ;-)

Ah, I got sucked in there. I registered to test and found that uploading is filtered for new registrants. Looks like it's another Worth startup. Care to post screenshots of your upload procedure here? - - eh eh, we don't require longtime membership for that here :-) What messages in Tools|Error Cons...

Hi,
If you mean toggle "temporarily allow" the combo is CTRL SHFT backslash.
A user can't toggle NS itself on the fly. It has to be turned off in the Addons Manager dialog.

I strongly advise you to follow the advice from therube to use the Reset provided in the NS Options. It's been provided by Giorgio for just this kind of situation - - It looks like you have set Options|Advanced|HTTPS |Behaviour " Forbid active web content unless it comes from a secure (HTTPS)co...

Results of a session testing Silverlight plugin in Fx, wrt cookie storage and management. It compares more favourably than Flash cookie management, but is essentially the same process. In particular, the super-cookie (which MS calls "Isolated Storage") may have the same persistence potenti...

Oh, don't listen to me - I am clueless about AV detection methods. It's always seemed to be very much an art and quite resistant to any kind of logical analysis; results (the famous "heuristic") is paramount. Quoth Alan Baxter But although overly aggressive detection heuristics may find mo...

All run with placeholders here. But note the very squashed placeholders in the first example http://haignet.co.uk/object-image-map.htm linked to by therube http://farm4.static.flickr.com/3478/3834055190_b5fc0b272b_o.gif To post screenshots, I just upload to flickr and link to them. It's an old habit...

I didn't see it noted what the found malware was reported as? (Didn't read the PDF either. <I think there was a PDF, somewhere?>) There's the pdf http://jon.oberheide.org/files/woot09-polypack.pdf from the blog that luntrus linked to http://erratasec.blogspot.com/2009/08/astroturfing-av-when-wolves...

Maybe doesn't detect any enclosed in particular - but fudges and just correlates a particular packer with malware in general. Sort of a packer signature.
Or did this test single out the packed item by name?

Nobody gets the chance to be wrong for long around here ;-)
I enjoy the anarchy.
Would you like to consider moving this thread to Web?
It does have a couple of NS mentions but lots of web interest.