Is it possible for a computer to catch spyware/malware/virus/trojan just by viewing or scrolling a compromised webpage even if no clicking no pressing yes on any popup is involved?
February 25, 2006 6:20 PM   Subscribe

Absolutely, you can be infected with malware of all sorts through simple browsing. It's happened to me, it's happened to my clients, it's happened to my friends. (I'm the lucky guy they call to help them out.) How does it happen? I don't know the nitty gritty — though I'm sure somebody here does — but it has something to do with security holes in Microsoft Internet Explorer, and especially ActiveX.

Does a different platform make a difference? You bet. I've been browsing anything and everything for the past three years with Safari on a Mac: porn sites, gambling sites, warez sites, you name it. Have I ever had even a hint of malware? Nope. (Note: this is not meant as a "Macs are better than PCs" statement; it's merely meant to point out that in this instance the default Mac setup is far more secure than the default PC setup for browsing the web.)

Just last weekend I had a friend call me in because her PC had become infected with some nasty batch of stuff (that kept downloading more stuff). What had she been doing? Looking for photos of some movie star or other. Whatever site she found screwed her royally. IE on a PC: don't do it. If you're on a PC, use Firefox or something else. Perhaps the new version of Windows and the new version of IE will make things better, but I'm not holding my breath...
posted by jdroth at 6:36 PM on February 25, 2006

(p.s. The worst infection of spyware/malware I ever got on a PC happened when I was searching for cheat codes to Jedi Knight II: Jedi Outcast. I followed links from google. The second the site loaded, I knew I was fucked. I tried to close everything, but I just wasn't fast enough. That installation was toast, which was too bad, because it was a nice setup. Even after all the re-installs, I couldn't get it back to the smooth machine it had been before.)
posted by jdroth at 6:37 PM on February 25, 2006

I haven't used star downloader, but I really doubt you can depend on your download manager to catch anything. certainly you're not going to see anything as blatant as an exe. I believe the last one was capable of hiding in a jpg.
posted by juv3nal at 6:50 PM on February 25, 2006

Countermeasures:

Run antivirus software (AVG Free is good, and free) and keep it up to date.

Download Lavasoft Ad-Aware and Spybot Search & Destroy and use them to scan your system periodically for anything the antivirus software doesn't catch.

Keep Windows up to date with the latest patches.

Use any browser but Internet Explorer.
posted by hades at 7:11 PM on February 25, 2006

(Disclaimer: I use Mac OS X, Linux and OpenBSD, so I haven't ever gotten a virus or other malware myself. But I do desktop support for PCs at work occasionally, and my previous advice is a distillation of what I'd tell any of my clients with the same question.)
posted by hades at 7:16 PM on February 25, 2006

Studentguru, there are two ways to get infected while simply browsing web pages on windows.

1. Allow a page to allow a malicious activeX control.
2. Browse to a page that uses an unpatched browser or OS vulnerability to execute arbitrary code on your system.

#2 is also possible on MacOS and Linux, though other factors make it less likely you'll get hit.

If you want to keep yourself as safe as possible there are a few things you can do, preferably in combination.

1. Create a user with limited rights and use it for your daily computer use. Save the admin user for installing software and other system maintainance.

Unfortunately, a lot of software needs admin rights to run properly. If you use that sort of software regularly, you should still create an account with limited rights. Then right click to get the properties on the shortcut you use to run your preferred webbrowser, click the advanced button on the shortcut tab, and check the "run with different credentials box." Next, use the limited account when prompted when you start your browser next time.

2. Keep your operating system up to date with microsoft patches by turning on automatic updates. These days, most exploits are discovered by security researchers before they become widespread in the wild.

3. Don't install unsigned ActiveX controls, and be extremely circumspect about installing signed controls (microsoft confers some degree of legitimacy upon the author of the control).

4. Consider using a browser other than IE, like Firefox. Because it's less popular, malware writers are still less likely to target it's unique flaws. Also, it doesn't support activeX controls, which sidesteps that issue, but it has its own extensions, which you should also be skeptical of.

jdroth, it isn't simply a matter of the default mac setup (user defaults to limited privileges) being more secure than the default windows setup (user defaults to having admin privileges), it also helps that malware writers are less likely to target macs because there are fewer of them. The default of limited privileges certainly helps though.
posted by Good Brain at 7:21 PM on February 25, 2006

I would also add a firewall to this list of necessary programs. Windows security center includes one these days, or you could try sygate/netbouy, which have worked well for me in the past. If you are behind a hardware router, disregard this, as nearly all hardware routers have built in firewalls.

Most important though is Firefox, Sybot S&D, AdAware and up-to-date Windows.
posted by sophist at 7:41 PM on February 25, 2006

There is a section under Internet Options, Security, Settings called "ActiveX Controls and Plug-Ins". It has five choices which can be set to Disable, Enable, or Prompt. What is the best collection of settings.? How impaired would browsing be if each one was set to "Disable"?
posted by yclipse at 7:51 PM on February 25, 2006

yclipse - it depends on whether or not you run programs that legitimately rely on such things.

Prompt is the safest bet - use your personal judgement.

Software firewalls are primarily for keeping your computer from sending outbound connections. ZoneAlarm is a decent product. If in doubt, deny the request for an outbound connection (leaving the "remember this setting" box unticked). If everything still works and the message comes up again, feel free to click the box.

studentguru - FireFox/Mozilla is "better" in that if you tell it (using properties/settings) to query you before it does anything (or accept any cookies) then you can make the judgement call whether to let something happen or not.

But since WinXP is extremely prevalent, and not particularly configured as securely as it could be out-of-the-box, it's targetted by malicious entities.

Anyway, use your own discretion. Learn from your mistakes. "Free" stuff (that you can't verify as being legitimate - ie., from sourceforge or has a community folowing) is usually too good to be true, and thus, well, is.
posted by PurplePorpoise at 8:13 PM on February 25, 2006

I know that cookies may be automatically and surreptitiously

I think it's little unfair to say "surreptitiously" here. Cookies are behaving just as they ought to. If you don't like them, you can turn them off or take steps to approve each cookie as it is set. I used to do this but found it to be much more trouble than it was worth.
posted by grouse at 2:20 AM on February 26, 2006

Oh, you can absolutely get hosed by following a link. In all my surfing though, it's only happened the once -

I got toasted by a video file link - something to do with a magician and a celebrities Mercedes - from a well known website (Attu).

I had the basics in place, but this was nuclear and there I was wearing body armour, so to speak.

Search & Destroy was very useful, as was Hijack This for showing what was where and so on - bit of an eye opener that one - as well as AdAware, MS Spyware, and Norton AV.
Service Filter is also useful for post infection evaluation, and I suggest reading the forums around this URL ("One Wrong Link And I Was Hijacked")

The problem is, you don't go finding out about this stuff until it happens to you at least once; then you suddenly become aware of the tools and the process through searches - but it's a little late, when sometimes you have to do a new install to try and get control back! Best resource IMHO is Castle Cops.

You can't abandon IE as Windows update needs it, but for most everything else, Firefox, Opera et al are winners; Opera gets my vote, especially as it recently became free.


1. Install all the stuff mentioned above.
2. Run it all and ensure all is fine on your system
6. MAKE A BACKUP - use Ghost, or whatever you will, but MAKE ONE
3. Have a read on Castle Cops through the case files to get a rough idea of what is what
4. Use Opera for 99.9% of your surfing
5. Set default scans for all items in (1) on a nightly basis.
6. Resolve some form of regular backup operation
posted by DrtyBlvd at 7:06 AM on February 26, 2006

The absolutely most dangerous combination of browser and platform is Internet Explorer on Windows.

Not because IE or Windows are badly-written, I hasten to add -- all software has bugs and vulnerabilities. Simply because:

a) there are many more windows installations out there, so it's a more appealing target for writers of malware. I'm not looking forward to the day when we mac users get bitten by a real virus: it hasn't happened yet, but it's sure to someday.

b) IE is tightly integrated with the operating system, which means it's that much easier for what might otherwise be a relatively harmless vulnerability in the web browser to become an open door to the rest of the machine. (I'm oversimplifying, but in general a bug or vulnerability in firefox can only affect firefox; the same vulnerability in IE can affect anything.)

(For the same reason I won't use Safari on the mac. Most mac users would probably view this as overcautious superstition, but I've already seen some unexpected crossover between apple's own web browser and the OSX system -- safari cookies can be read by dashboard widgets, for example -- that makes me uncomfortable. Safari isn't nearly as tightly coupled to OSX as IE is to windows, so the vulnerabilities aren't nearly as dangerous, but I worry it's headed in that direction.)

Finally; as grouse says, you shouldn't worry about cookies. They got a bad rap early on, because people misunderstood what they are (teeny-tiny non-executable text files) and what they can do (not much, beyond allowing a website you've visited before to remember that you've visited before).
posted by ook at 8:41 AM on February 26, 2006

Second Good Brain's advice about using a limited account for day-to-day stuff.

Software that fails when run in a limited account can usually be persuaded to work by adding Modify permissions for the Users security group to whatever folder the software was installed in. This can be done from the command prompt under all versions of Windows XP. For example, if the software in question was installed under C:\Program Files\BoogerWare, you could add the needed security permissions by running the following command:

CACLS "C:\Program Files\BoogerWare" /T /E /P Users:C

You can do it from the GUI as well, but you often have to fiddle about to make the required facilities available.

If you don't want to fool around with security permissions, you can uninstall the software concerned and reinstall it in a subfolder of Shared Documents instead of under Program Files.

Some software (QuickBooks, for example) wants write permission to its own registry subkey under HKEY_LOCAL_MACHINE\SOFTWARE as well as to its installed folder. It's sometimes a little tricky to figure out which registry subkey's involved (for QuickBooks, it's HKEY_LOCAL_MACHINE\SOFTWARE\Intuit).

I keep hearing rumours that Windows Vista is going to make user accounts limited by default, and simply refuse to play nice with software that doesn't like that. Hopefully, more software vendors will see the writing on that wall, and release limited-account-compatible versions of their stuff for XP as well. The sooner limited accounts get established as the norm in the Windows world, the sooner the malware plague will die back.

Also: many drive-by malware installs (notably the CoolWWWSearch family) have exploited security holes in Microsoft's Java virtual machine. While I'm not aware of any current holes in an up-to-date Microsoft VM, AFAIK there have not been similar exploits for Sun's VM. Installing Sun Java on your Windows box is a good idea.
posted by flabdablet at 7:32 AM on February 27, 2006

This thread is closed to new comments.