Q: ITSBar malware vulnerability exploited? ( Answered 4 out of 5 stars,   1 Comment )
Question  
Subject: ITSBar malware vulnerability exploited?
Category: Computers > Security
Asked by: goofer-ga
List Price: $3.00
Posted: 30 Apr 2004 05:30 PDT
Expires: 30 May 2004 05:30 PDT
Question ID: 338755
I'd like to know what browser vulnerability is used by the ITSBar
malware (virus) to hijack your browser and customize it with a toolbar
for porn sites, casinos, etc.

Request for Question Clarification by antivirus-ga on 03 May 2004 07:00 PDT
Is there a chance you are referring to ISTBar and not to ITSBar?

Can you clarify, please.

Thanks!

antivirus-ga

Clarification of Question by goofer-ga on 03 May 2004 18:35 PDT
Yep, my fault. It's ISTBar, not ITSBar. Thanks.

To the poster who pointed me to removal instructions, that's not an
issue any more, I wiped the computer. But I'm very concerned that my
company's default browser security settings are low enough that I
could get stung, and without doing anything silly like clicking
through a "would you like to install" message. So I'm really
interested in the specific browser vulnerability that was exploited so
I can close the hole on my computer and in our default config.

Thx,
- RBW
Answer  
Subject: Re: ITSBar malware vulnerability exploited?
Answered By: antivirus-ga on 03 May 2004 20:27 PDT
Rated:4 out of 5 stars
 
Hi goofer-ga,

Thanks for the clarification. ISTbar is closely tied to TinyBar, which
is a helper sometimes used to display ISTBar. TinyBar has been known
to exploit a vulnerability in the Microsoft Java virtual machine. The
applicable patch is MS00-075 and can be found at:

http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx

TinyBar has also been implicated in iframes cross-frame scripting
exploits. The applicable patch is MS02-066 and can be found at:

http://www.microsoft.com/technet/security/bulletin/MS02-066.mspx

A good resource for information on known TinyBar variants can be found at:
http://www.doxdesk.com/parasite/TinyBar.html

A good resource for information on known ISTBar variants can be found at:
http://www.doxdesk.com/parasite/ISTbar.html

Quite often, no vulnerability is involved; rather, the system is
affected by what is often referred to as a drive-by download. The
process starts with a miscreant ActiveX control. To avoid this, make
sure you've got
Internet Explorer configured properly. Mike Healan of Spywareinfo.com
has put together an excellent resource describing the necessary
settings:

http://www.spywareinfo.com/articles/hijacked/prevent.php

Though ISTBar is accused of being porn-related, insinuating that the
victim may have received it while visiting a porn site, this is a
rather common misconception. While a component of ISTBar is
porn-related, i.e. it launches pop-ups affiliated with porn sites,
ISTBar itself is not directly related to porn sites and the porn is a
side effect of the infection, not the cause.

So many of these hijackers are driven by affiliate ad programs.
Websites that sign up for such ad programs generally have no control
over what is advertised through them. The folks that do have control
seldom seem to bother checking out the types of ads that are pushed
through. Thus it is fairly easy to impact a wide range of victims and
often difficult to trace the source.

I hope this helps!

Regards,
antivirus-ga
goofer-ga rated this answer:4 out of 5 stars and gave an additional tip of: $1.00
Thanks--pointed me to just the right info!
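
Editor's added example (not part of the original answer or of any linked resource): a PowerShell audit of the Internet zone's ActiveX URL actions, the settings that decide whether a drive-by ActiveX install can proceed without a meaningful prompt. The action IDs and value meanings are Internet Explorer's documented zone settings; the baseline thresholds, function names and sample input are assumptions made for illustration.

```powershell
# Added example: audit ActiveX-related settings of IE's Internet zone (zone 3).
# Value meanings: 0 = enable, 1 = prompt, 3 = disable (higher is stricter).
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Assumed baseline for illustration: the loosest value accepted per URL action.
$Baseline = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';          Min = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';        Min = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';         Min = 1 }
    '1201' = @{ Name = 'Init/script ActiveX not marked as safe';    Min = 3 }
}

function Test-ZoneActiveX {
    # Compare a table of URL-action values against the baseline above.
    param([hashtable]$Settings)
    foreach ($id in $Baseline.Keys) {
        $rule  = $Baseline[$id]
        $value = $Settings[$id]
        $status = if ($null -eq $value) { 'MISSING' } elseif ($value -lt $rule.Min) { 'WEAK' } else { 'OK' }
        [pscustomobject]@{
            Action   = $id
            Setting  = $rule.Name
            Value    = $value
            Required = ">= $($rule.Min)"
            Status   = $status
        }
    }
}

function Get-ZoneSettings {
    # Read the current user's zone values from the registry (Windows only).
    param([string]$Path = $ZoneKey)
    $props  = Get-ItemProperty -Path $Path -ErrorAction Stop
    $result = @{}
    foreach ($id in $Baseline.Keys) {
        if ($null -ne $props.$id) { $result[$id] = [int]$props.$id }
    }
    $result
}

# Constructed sample: a permissive zone where ActiveX installs without prompting.
$sample = @{ '1001' = 0; '1004' = 0; '1200' = 0; '1201' = 1 }
Test-ZoneActiveX -Settings $sample | Format-Table -AutoSize

# On a Windows machine, audit the live per-user settings as well.
if (Get-PSDrive -Name HKCU -ErrorAction SilentlyContinue) {
    Test-ZoneActiveX -Settings (Get-ZoneSettings) | Format-Table -AutoSize
}
```

Values set through Group Policy live under the corresponding `Software\Policies` key and take precedence, so a company-wide default should be checked there as well.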

Comments  
Subject: Re: ITSBar malware vulnerability exploited?
From: grinler-ga on 30 Apr 2004 10:02 PDT
 
Do you mean ISTBar?

If you are referring to that malware, it is placed on your computer in
one of two ways.  The first is from installing programs that are
affiliated with Integrated Search Technologies/CDT Inc.  These
affiliates are generally pornographic in nature.

The second way is that Internet Explorer's security settings are
improperly configured.

If you would like more information or to contact me directly, you can reach me at:

http://www.bleepingcomputer.com

--
Grinler
http://www.bleepingcomputer.com
Source for Free Tech Support, Original Content and Tutorials for the
beginning computer user.
