Domain: netrn.net
Stories and comments across the archive that link to netrn.net.
Comments · 11
-
Re:Google is your friend
http://netrn.net/spywareblog/archives/2005/01/03/
m ore-on-adware-installed-though-windows-media-files /
http://www.edbott.com/weblog/archives/000340.html
"In an earlier post, I pointed to the fast-spreading but suspicious story alleging that a flaw in WMA files can plant spyware on your computer. This is a follow-up."
It looks like another reason to avoid WMA files entirely. -
Appears to be from Inhoster, known spyware source.
Looks like this is coming from a known source of spyware in Ukraine, "Inhoster.com".
"zcodec.com" is actually "85.255.117.106-xbox.dedi.inhoster.com", a dedicated server at a "nlayer.net" colocation site in San Francisco. The dedicated server appears to be associated with "atrivo".
Both "inhoster.com" and "atrivo" appear to be "psuedo-ISPs"; they have web sites that look like those of an ISP, but they don't really offer services for sale. Both have bad reputations: see "Spywarequake Scam on the Run. The previous attacks were based on phony anti-spyware programs. Now that people are wise to that one, the new frontier is apparently phony codecs.
The WHOIS information for "zcodec.net" appears to be bogus. It's given as "Abrahamen Biderman" at "5624 17th Ave, Brooklyn, New York" There is an "Abraham Biderman" with an office at 5624 17th Ave, Brooklyn, New York, and he's a political figure and investment banker, with a career running major financial institutions. Probably not behind some two-bit spyware scam.
-
Spyware down, but profit still there
Last I heard companies like claria are still making a mint.
Maybe the decline can be linked to the fact that now these companies are turning around and offering consulting for the problems they helped propogate? -
Re:This is getting ridiculous
-
It's not just the non-technical users
I downloaded my first program with BitTorrent a few weeks ago -- a TV show that my VCR failed to record. While doing that, I accidentally clicked on a certain part of the web page. Bingo slammo, my system was infected with spyware, this nasty Aurora and nail.exe
Being a technical guy, familar with the registry, COM, and how windows works, I went about trying to kill this pesky snake. A few hours later, after saying some words I won't repeat here, I decided to wipe the machine and start over (it was a lighly loaded box, so no major loss)
I could have gotten SoftIce and gone into kernal mode to trap this bastard, but it was way beyond my effort vs. reward tolerence level. Spyware has gotten so complicated and sneaky nowadays: to me it is worse of a threat than virsuses ever were.
Now I run double anti-spyware programs in addition to my A/V and firewall. I think that we technical people are also misunderestimating the danger posed by this junk to our own machines.
Run With the Bulls, Swim With the Sharks -
Yes, it's realAt least the information is accurate. www.spywarewarrior.com reported on this last week (An excellent malware blog/information site). http://netrn.net/spywareblog/archives/2005/07/01/
m icrosoft-antispyware-ignores-claria/Part of the article...
Sunbeltblog reports: A brief check of our database updates from Microsoft shows that Claria adware has been set to a default action of "Ignore" since at least early June (Claria continues to be listed in our database with a default action of "Quarantine").
You might recall that Microsoft acquired its antispyware application from GIANT, who had a close business relationship with Sunbelt Software. As part of the deal, Sunbelt continues to receive definitions from Microsoft until June 2007. Sunbelt, however, has its own research team and adds its own definitions to the database in addition to what they get from Microsoft.
In the current Spyware Weekly newsletter, Mike Healan of SpywareInfo.com comments:
I can't imagine what they are thinking at Microsoft. I would be hard pressed to think of a better way for Microsoft to alienate their users. I certainly hope that the opposition from within Microsoft prevails and that this deal dies on the negotiating table.
Ben Edelman has updated his write up to include the news of the changed detections.
This is exactly the kind of conflict of interest I worried about three paragraphs above--but I didn't anticipate how quickly this problem would come into effect!
Wayne Porter, blogging at ReveNews calls it Conflict of Interest 102 His site at SpywareGuide.com reports, interestingly enough, that Gator (Claria) is currently the top detection. See the site for full the top 10 list.
1 Gator 6.55% 2 MySearch 5.53% 3 CoolWebSearch 4.38% 4 180 Search Assistant 4.02%
-
Re:Does it really matter what ad-ware does?
Ad-Aware and other anti-spyware/adware software have recently (and quietly) removed WhenU software from their listings. Beware.
I checked this out, since I'm a happy Ad-Aware user -- it looks like more recently, they've put WhenU back in:
http://netrn.net/spywareblog/archives/2005/03/09/w henu-is-back-in-ad-awares-definitions-that-is/ -
Re:The issue...
From the page you link to:
Note that the latest version of Internet Explorer, as patched by Windows XP Service Pack 2, is not vulnerable to the installations shown in my video and discussed above.
Furthermore, the only reason the malware was able to install itself on the machine pre-sp2 was because IE was run as Administrator.
Run as Limited User, and back in July '04 the malware may have been able to execute it's code through the security hole, but XP's ACL's would have kicked in and no modifications would have been possible to program files, to your host file, or to any system directory.
Again, I'm not saying that vulnerabilities do not exist. IE is bug-ridden and I rather like running Firefox. You are not a looney (as far as I can tell :}). But XP is a solid OS. People who get infected practice unsafe habits (like running everything as administrator), and so this solidifies the original poster's point. Would you run your linux or your mac box as root all the time? Probably not!! -
Re:The issue...Sure. The first Google hit (just for kicks) is from Spyware Warrior and describes exactly what I'm talking about.
My work machine is an XPSP2 system and last year this IFRAME vulnerability was found in October and patched in December. I had tested in on my work machine (against the warnings of my coworkers) and sure enough, using the Secunia exploit example a web page was able to add items to my startup folder with no prompt whatsoever. And according to this story (from November, pre-patch) one of The Registers' advertisers used this very exploit to stealth install spyware.
So I'm not a crazy looney (well, I am but for other reasons entirely), this stuff does happen. And often.
-
Howdy folks, and some quick comments
Just noticed this thread -- was offline most of the day.
The interview was a nice little piece -- but as several comments above mentioned, it really was just a little email discussion I had with the Orange Crate admins. Personally, I wouldn't have thought it worthy of the honor of a Slashdot thread all its own... But then again sometimes the things I think are important still don't get Slashdot threads...
Meanwhile, here's something that almost everyone will agree is important: Spyware companies getting endorsed by supposedly-impartial associations of anti-spyware vendors. Such endorsements are particularly problematic when based on spyware companies' claims of improved practices, but where such practices have yet to be observed in the real world. (Companies' true practices remain outrageous -- installation via security holes, no notice and consent, etc.) I have a very specific example in mind: 180solutions' endorsement by COAST just yesterday. See coverage at Spyware Warrior.
Earlier today I observed 180 installed through a security hole, where the page invoking the security hole was a privacy policy at a web site. Read the privacy policy, get spyware. What a world! I expect to add the video and write-up to my site shortly.
Ben -
More fake programsI found a comment from this page very informative:
Rogue Anti-spyware Programs Part 3
Looks like this program isn't the only one.I mentioned some of these before, but this is a more inclusive list.
Spy Wiper
AdWare Remover Gold
BPS Spyware Remover
Online PC-Fix SpyFerret
SpyBan
SpyBlast
SpyGone
SpyHunter
SpyKiller
SpyKiller Pro
SpywareNuker
TZ Spyware-Adware Remover
xp-AntiSpy
SpyAssault
InternetAntiSpy
Virtual Bouncer
AdProtector
SpyFerret
SpyGone
SpyAssaultSources: Doxdesk.com: parasite, Tom Coyote Forums, Spywareinfo.com forums, safernetworking.org, home of Spybot Search & Destroy