Need advice/info/ help related to specific malware issue.

Old 11-17-07, 11:12 PM
  #1  
DVD Talk Limited Edition
Thread Starter
 
Nefarious's Avatar
 
Join Date: Apr 2001
Location: In the Middle
Posts: 5,254
Received 3 Likes on 1 Post

A family member had a company laptop that got infected with malware. He turned the PC in to the company's IT shop to get it reformatted but didn't mention the malware. IT reformatted it but then got suspicious and did a restore/recovery on it (don't have full details so I'm unclear on exactly what and how). They found thumbnail-size pornographic images (location on drive wasn't disclosed nor were file names & dates). They have now accused him of willingly and knowingly accessing pornography with the company computer. He recalls that some of the pop-up windows he was getting had the word close on them, etc.

He is emphatically denying any willful or knowledge based intent to access pornography. The IT head (and apparently he consulted an outside company and they concurred) is stating that the images could only have been on the computer through willful intent. They are stating that spyware/malware/badware would not have resulted in the images being on the drive.

I have seen a similar situation myself. I worked on a computer for a co-worker once and she had gotten a pop-up saying porn was found and buy this software to fix the problem. It had downloaded images into a directory to support the claim but it was obviously malware.

I find plenty of documentation regarding "drive-by download" which support the assertion that malware can be installed unwittingly by the user. From Wikipedia: "Download of spyware, a computer virus or any kind of malware that happens without knowledge of the user. Drive-by downloads may happen by visiting a website, viewing an e-mail message or by clicking on a deceptive popup window: the user clicks on the window in the mistaken belief that, for instance, it is an error report from his own PC or that it is an innocuous advertisement popup; in such cases, the "supplier" may claim that the user "consented" to the download though he was completely unaware of having initiated a malicious software download."

What I'm having trouble finding any documentation to support, though, is the argument that malware will sometimes install/copy the pornographic images to the local computer.

What I'm hoping is that someone here knows of an article or something that would support the assertion. Or better yet if you know of a malware that does just that it would be perfect because it would prove the point.

Sorry for the long post but it's a very serious matter that could result in him being terminated & humiliated and having to take legal recourse at a considerable expense. I have found the articles about the Connecticut teacher but they don't prove the point I need.

Thanks in advance.
Old 11-17-07, 11:37 PM
  #2  
Senior Member
 
Join Date: Apr 2002
Posts: 628
Likes: 0
Received 0 Likes on 0 Posts
http://www.sophos.com/pressoffice/ne...orntrojan.html
Old 11-17-07, 11:44 PM
  #3  
Senior Member
 
Join Date: Apr 2002
Posts: 628
Likes: 0
Received 0 Likes on 0 Posts
You may also want to advise your relative to contact the EFF if he thinks he's in serious trouble. What the IT head said is, quite frankly, bullshit. If you can get malware on your machine -- something that would normally need the ability to write to privileged directories -- then there's absolutely no reason it couldn't store arbitrary files to any arbitrary location on the hard drive.

Any outside consultant who has a clue what they're talking about can tell you this; and the EFF has plenty of those people at their disposal. (The fact that an outside consultant supposedly agrees with the IT head means one of two things: the consultant is incompetent, or the IT head is lying about consulting someone.)

Last edited by GHackmann; 11-17-07 at 11:47 PM.
Old 11-18-07, 09:25 PM
  #4  
DVD Talk Limited Edition
Thread Starter
 
Nefarious's Avatar
 
Join Date: Apr 2001
Location: In the Middle
Posts: 5,254
Received 3 Likes on 1 Post
Thanks guys. I've passed the info. on. He told me today that he did tell them upfront about all the malware and everything my brother and I had done to try and get it removed (adaware, spybot, etc.) and what the logs showed.

What it boils down to is they are saying the malware came because he was accessing porn. I'm unclear if they are saying that the malware wouldn't be there unless he was accessing porn (which is obviously ridiculous) or that the images wouldn't be local if he hadn't been. Either way, they are clearly incorrect.
Old 11-19-07, 11:08 AM
  #5  
DVD Talk Legend
 
Join Date: Jan 2000
Posts: 16,173
Likes: 0
Received 0 Likes on 0 Posts
Nefarious

I too would be most concerned with how the specific malware first entered the machine.

If it was a worm, then your family member has no worries, worms propagate all on their own via security flaws in Windows or other applications.

If it was via some spam email, then again, the company is at fault and your family member is wrongly accused. The company email server should have safeguards against this type of thing.

If the malware was one of those that came from a certain porn website, then the family member may be in trouble.

Yes, it is possible to figure it out, but I would need the machine in hand to do so. I would also need to see the email server if the claim is that it came from spam email.

You more need legal assistance in this case than a PC guru. Where does the burden of proof fall? Is it on the company to prove beyond a doubt that your family member was doing something against company policy? or is it on your family member to prove that a malware infected his machine via NO ACTION of his own?

I am sorry, but I work in this situation daily and it always ends up being something the user clicked on that was non-work related that caused the problem. RARELY do these things infect machines all on their own, unless of course the proper security patches were not installed.

It clearly falls into the "need more information" category on this forum

Sure, anything is possible. Real life has taught me that users lie about EVERYTHING. Since I work someplace with a 0 tolerance porn policy, you bet we have fired all kinds of people for porn (senior execs you would think would be smarter) and each and every one of them claimed they had nothing to do with it and they don't know how it got there.
Old 11-19-07, 02:13 PM
  #6  
DVD Talk Limited Edition
Thread Starter
 
Nefarious's Avatar
 
Join Date: Apr 2001
Location: In the Middle
Posts: 5,254
Received 3 Likes on 1 Post
Clicking on something non-work related that causes a malware infection to occur is far from intent to access pornography. In addition, for a company to expect that a user doesn't access non-work related emails and/or websites using a laptop off site is a bit unrealistic.

Here's a YouTube video done by a British security firm that shows malware infections occurring simply by visitors going to www.mlb.com and www.nhl.com

http://www.youtube.com/watch?v=8lBUQqufZWc

There is a coalition that Google & Harvard are involved in: www.stopbadware.org which chronicles hundreds of thousands of websites that are non-pornographic in nature that end up serving as outlets for malware infestations because of applets they include for features like site visitor counters; calendars, etc.

There's extensive documentation that supports that malware can be installed without intent.

In addition, he has offered to take a polygraph on the matter. Obviously that's not something admissible in court (at least criminal) but if there was any chance of intent he wouldn't be offering.
Old 11-19-07, 02:52 PM
  #7  
DVD Talk Legend
 
Join Date: Jan 2000
Posts: 16,173
Likes: 0
Received 0 Likes on 0 Posts
- I am not arguing that. Sure websites and emails can load things on your machine without your knowledge.

I doubt mlb and nhl are loading porn on people's machines.

My point is that he had to be on some fairly shady website for it to load porn.

The most common that I can think of is a crack/hack/serial type site. Those are all infected with porn and the content of those sites is illegal for the most part anyway.

Sites that contain video game cheats are too.

You should not use company owned equipment for those kinds of things. Too much risk. If the company doesn't have a policy against it, then your guy wouldn't be in trouble now, would he? Obviously, the company has a problem with it or policy against it or they wouldn't care if he used a work machine to view those things.

I would be surprised to find a website in the same class as mlb.com or nhl.com or amazon.com or weather.com or something along those lines of web pages that MIGHT be ok to visit while on a work machine that will load porn on to your computer.

I still say you have a question of burden of proof.

No matter how you look at it, your guy is going to be tagged as the porn fiend in the IT department where he works
Old 11-19-07, 11:28 PM
  #8  
DVD Talk Special Edition
 
Join Date: Mar 2004
Location: Western PA, Central Florida
Posts: 1,930
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by 4KRG
I would be surprised to find a website in the same class as mlb.com or nhl.com or amazon.com or weather.com or something along those lines of web pages that MIGHT be ok to visit while on a work machine that will load porn on to your computer.

I still say you have a question of burden of proof.

No matter how you look at it, your guy is going to be tagged as the porn fiend in the IT department where he works
Having read this for a couple of days I am going to disagree based on events happening to me over the past couple of months.

Somehow a Trojan DNS changer got onto my system. I know I visited no porn sites but it could have come from YouTube however even that I cannot prove.

When I did innocent searches on Google, using Firefox, I was steered to other search sites. On more than one occasion I ended up on a porn site while not asking for one. Careful clicking allowed me to close the window but a wrong click would have taken me deeper.

Now, this being my personal system I could not care less if some porn shows up but I resented the DNS changer. Eventually, after being led on wild goose chases by helpful gurus I got rid of it using Norton SystemWorks.

Point being, it's difficult not to get some nasties onto systems these days and that guy's IT department, if they were as smart as they should be, should realize the guy did not have a habit of visiting porn sites (easily proven), clean the system and let life go on.

For someone's career to be busted regarding an issue like this should result in complaints and lawsuits. I recommend the guy hire a lawyer if the IT Department persists in accusing him.

Just my 2 cents!

Last edited by kayak99; 11-20-07 at 12:51 AM.
Old 11-20-07, 01:00 AM
  #9  
DVD Talk Legend
 
Join Date: Jan 2000
Posts: 16,173
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by kayak99
Having read this for a couple of days I am going to disagree based on events happening to me over the past couple of months.
So you feel websites that are of amazon.com caliber are loading porn pictures on your computer? cause that is what I am saying and you state you disagree.

wow...

Amazon does use tracking cookies and other 'spyware' type devices, but crossing the line into loading pornographic material on users' machines is a bit much IMO from this type of site.

Come down a level in class of website to one that provides warez/hacks and cracks, and yes, they will load porn images on your machine...
Old 11-20-07, 08:49 AM
  #10  
DVD Talk Special Edition
 
Join Date: Mar 2004
Location: Western PA, Central Florida
Posts: 1,930
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by 4KRG
So you feel websites that are of amazon.com caliber are loading porn pictures on your computer? cause that is what I am saying and you state you disagree.

wow...
Where did I say that?

What I said was: "When I did innocent searches on Google, using Firefox, I was steered to other search sites. On more than one occasion I ended up on a porn site while not asking for one. Careful clicking allowed me to close the window but a wrong click would have taken me deeper."

These days people can be redirected, and are. From those redirects unwanted images could land on a hard drive.

That is what I said.
Old 11-20-07, 09:32 AM
  #11  
DVD Talk Legend
 
Join Date: Jan 2000
Posts: 16,173
Likes: 0
Received 0 Likes on 0 Posts
Me

Originally Posted by 4KRG
would be surprised to find a website in the same class as mlb.com or nhl.com or amazon.com or weather.com or something along those lines of web pages that MIGHT be ok to visit while on a work machine that will load porn on to your computer.

I still say you have a question of burden of proof.

No matter how you look at it, your guy is going to be tagged as the porn fiend in the IT department where he works

You

Originally Posted by kayak99
Having read this for a couple of days I am going to disagree

Apparently you are not disagreeing with me then like you stated.
Old 11-20-07, 09:33 AM
  #12  
DVD Talk Limited Edition
Thread Starter
 
Nefarious's Avatar
 
Join Date: Apr 2001
Location: In the Middle
Posts: 5,254
Received 3 Likes on 1 Post
4KRG, I think what we are saying is that we don't completely agree with you that these malicious coders are benevolent in their actions to where they only put the "nasty" malware and worms on your system if you are visiting illicit sites (e.g. porn, warez, etc.). In addition, you are possibly misunderstanding how a legitimate site delivers it. They have no intent to be a delivery portal for the malware. They become targets because of their traffic & popularity and the hackers use advertisement plug-ins, etc. as a delivery method. Amazon isn't a prime example because it doesn't really resort to advertising out of site content. There is an excellent article about how the Miami Dolphins official site was specifically targeted shortly before the last Super Bowl which was held in Miami. The hackers delivered malware through the ads on the page with the intent to steal passwords to gambling sites & World of Warcraft accounts which could be lucratively sold on the black market. The audience visiting the Dolphins site was ideal to deliver those things (young males). I understand where you are coming from but just disagree that there is that level of righteousness amongst these low-lives that they don't target people not doing something wrong in the first place. Even Santa Claus' website was used due to its high volume.

kayak99, you actually are on the same track as my relative. He recalls the issues starting to occur after having gone to YouTube to look for a video referenced on a TV show.

I am finding documentation that others have had similar issues with YouTube being used as a delivery method for malicious malware, some of which is pornographic in nature.
Old 11-20-07, 10:19 AM
  #13  
DVD Talk Legend
 
Join Date: Jan 2000
Posts: 16,173
Likes: 0
Received 0 Likes on 0 Posts
YouTube would be one of those sites that is at risk IMO

Nefarious - I think you and Kayak are missing one distinction I am trying to make. Loading pornographic images on someone's computer is a step beyond a malware hijack. You two are equating the two actions, I am saying there is a difference between them, that is all.

Loading pornographic pictures on someone's machine is going beyond a minor hijack and malware infection, something that only more shady sites are going to be involved with.

Amazon vs YouTube is a perfect example of what I mean in class of website, the two are not the same caliber.

You would not care so much if the president of your company saw you buy a Christmas gift from amazon.com using a work computer during your lunch break. You should care if that same president of the company watches you play a YouTube video of some girl shak'in it in a mini skirt.

There are some things you should avoid doing with your work computer and some things that are not as much of an issue. You both seem to be making more of what I am saying. I have never denied that a machine can be hijacked. They can and are daily.

I am making a distinction that to be loaded with porn images that are actually saved on the hard drive of said computer, there had to be something more to it than the user simply doing some shopping at amazon on their lunch hour.

I guess it is just easier to assume that your family member is perfect and your IT department is clueless.

and I am going to repeat there are not enough details here to decide your case
Old 11-20-07, 10:39 AM
  #14  
DVD Talk Legend
 
Join Date: Jan 2000
Posts: 16,173
Likes: 0
Received 0 Likes on 0 Posts
Let me try from a different POV

Here is a fairly extensive list of identified Malwares

http://research.spysweeper.com/?id=H2-USEFUL_Links-TR

Please point out the ones that have been determined to auto install and then specifically download pornographic images to one's hard drive.

Many web sites charge for porn, if there are some malwares out there creating libraries of it on my hard drive for free, I WANT THEM!!!!
Old 11-20-07, 11:10 AM
  #15  
X
Administrator
 
X's Avatar
 
Join Date: Oct 1987
Location: AA-
Posts: 10,763
Likes: 0
Received 4 Likes on 3 Posts
While I agree that full pictures wouldn't get downloaded by malware, isn't it likely that the malware brought his browser to a porn site and thumbnails of the pics you're supposed to click on got cached?

That could be supported by what directory the thumbnails were found in.
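
The directory question raised in the post above, together with the file locations and dates the first post says were never disclosed, is the basis of a first-pass triage of recovered images. The sketch below is an added example, not code from any poster; the folder patterns assume Windows XP-era Internet Explorer and Firefox layouts, and every path and timestamp in it is constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Folders the browser fills by itself while rendering a page (assumed XP-era layouts).
CACHE_RE = re.compile(
    r"\\temporary internet files\\|\\mozilla\\firefox\\profiles\\[^\\]+\\cache\\",
    re.IGNORECASE,
)
# Folders a file normally reaches only through "Save As" or a manual copy.
USER_RE = re.compile(r"\\(my documents|desktop)\\", re.IGNORECASE)

# Constructed sample records: (recovered path, creation time). Not from the thread.
LS = r"C:\Documents and Settings\jdoe\Local Settings"
SAMPLE = [
    (LS + r"\Temporary Internet Files\Content.IE5\AB12CD34\t1[1].jpg", "2007-11-02 14:03:11"),
    (LS + r"\Temporary Internet Files\Content.IE5\AB12CD34\t2[1].jpg", "2007-11-02 14:03:11"),
    (LS + r"\Temporary Internet Files\Content.IE5\EF56GH78\t3[1].jpg", "2007-11-02 14:03:12"),
    (LS + r"\Application Data\Mozilla\Firefox\Profiles\x1.default\Cache\5A3B2C1Dd01",
     "2007-11-02 14:03:13"),
    (r"C:\Documents and Settings\jdoe\My Documents\pics\holiday.jpg", "2007-10-20 09:15:00"),
    (r"C:\WINDOWS\Temp\~tmp41.jpg", "2007-11-02 14:20:40"),
]

def classify(path):
    """Label one recovered path by the kind of folder it was found in."""
    if CACHE_RE.search(path):
        return "browser-cache"
    if USER_RE.search(path):
        return "user-location"
    return "other"

def largest_burst(records, gap=timedelta(seconds=2)):
    """Size of the longest run of files created no more than `gap` apart.

    A page load writes many cache entries within a second or two;
    files saved one at a time by hand are spread out.
    """
    times = sorted(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") for _, ts in records)
    best = run = 1 if times else 0
    for prev, cur in zip(times, times[1:]):
        run = run + 1 if cur - prev <= gap else 1
        best = max(best, run)
    return best

def summarize(records):
    """Count files per location class and measure burstiness of cached files."""
    by_location = Counter(classify(path) for path, _ in records)
    cached = [r for r in records if classify(r[0]) == "browser-cache"]
    return {
        "by_location": dict(by_location),
        "largest_cache_burst": largest_burst(cached),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A result dominated by cache folders with tight creation-time bursts shows that the browser wrote the files while loading a page; it does not by itself show what caused the browser to load that page.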
Old 11-20-07, 12:25 PM
  #16  
DVD Talk Legend
 
Join Date: Jan 2000
Posts: 16,173
Likes: 0
Received 0 Likes on 0 Posts
^^ X that is exactly what I mean when I say there is not enough information in the OP to determine what is going on.

An IT person SHOULD be able to tell a thumbnail image randomly downloaded in the temp internet files directory opposed to a porn worth getting in trouble over.

Since they have now opened the company up to a law suit, my guess is they were pretty confident.
Old 11-20-07, 12:47 PM
  #17  
X
Administrator
 
X's Avatar
 
Join Date: Oct 1987
Location: AA-
Posts: 10,763
Likes: 0
Received 4 Likes on 3 Posts
Originally Posted by 4KRG
An IT person SHOULD be able to tell a thumbnail image randomly downloaded in the temp internet files directory opposed to a porn worth getting in trouble over.

Since they have now opened the company up to a law suit, my guess is they were pretty confident.
You never know. There are some pretty hack IT departments and it's not like most upper management/HR would know enough to do this checking.
Old 11-20-07, 06:44 PM
  #18  
DVD Talk Limited Edition
Thread Starter
 
Nefarious's Avatar
 
Join Date: Apr 2001
Location: In the Middle
Posts: 5,254
Received 3 Likes on 1 Post
Do you feel there is a difference in class between Amazon and the official website for the Dolphins? Because I would say that stealing passwords for WoW accounts as happened via the infections delivered through the Dolphins site is pretty serious and don't see why you view it as a stretch that people who would steal info/money are above putting porn related malware on your PC.

Also I wasn't asking anyone to try his case. FYI. He was cleared of all allegations today by the forensic IT consultant.

Sorry for bad typing but not so good via iPhone.

Last edited by Nefarious; 11-20-07 at 06:46 PM.
Old 11-20-07, 07:25 PM
  #19  
DVD Talk Legend
 
Join Date: Jan 2000
Posts: 16,173
Likes: 0
Received 0 Likes on 0 Posts


That is good.

The first thing we do is make an EnCase image of the machine in question BEFORE anyone else touches it.

Seems like the IT department is full of idiots, also seems like a nice quick resolution.

Your family member should seek payment for the accusation.

Last edited by 4KRG; 11-20-07 at 07:27 PM.
