Sunday, March 26, 2006

Spyware Quake Update

Some new files found with this infection:
%SYSDIR%\dxmpp.dll
%SYSDIR%\ginuerep.dll
%SYSDIR%\dfrgsrv.exe

And the aforementioned stickrep.dll has been found to have a brother, with a different MD5. There is also an installer being analyzed as we speak.


This fix
is fully automated, no need for users to manually delete any files.

Friday, March 24, 2006

Possible New Rogue: SpywareQuake

UPDATE MAR 25-1:25MST:

There has been a fix created over at Bleeping Computing. Spyware Quake Fix

********************************

OK, it appears the culprit dll in this variant is: stickrep.dll

It will be located in the system32 folder. Deleting that along with the Spyware Quake related folder and SpywareQuake.exe may remove the infection entirely. Still waiting for more reports, first one in seems to have worked. Unsure if running the SmithRem fix is absolutely needed at this time, seeing as it can't be included in the database as yet. See here

******************

There are 4-6 of these in a few forums. And all are exhibiting the same types of symptoms as SpyFalcon\SpywareStrike\AlphaCleaner and all the other variants. More to come soon.

Thursday, March 23, 2006

180Solutions Loses 3 Contracts Over CDT Report

Gotta love this. As its clients discover the oh-so-shady business practices of 180, they drop 'em like hot potatoes. Read More Here

Wednesday, March 22, 2006

180Solutions Responds To CDT Report

180Soloutions posts some great propaganda over at their blog in reply to the CDT report. Read: 180Solutions Fires Back At CDT

Tuesday, March 21, 2006

Adware Reports Posted

Both the CDT & StopBadware.org have released their respective reports. Read CDT & STopBadware.org Adware Reports Now Listed

Claria Leaving Adware Biz

Abandons current practices to concentrate on new adware tactics, 'web portals'. See: Claria Leaving Adware Biz............Kinda

Exposing Botnets

Great write-up by Brian Krebs of Security Fix on how volunteers keep track of botnets. Read More Here

Monday, March 20, 2006

Adware Reports This Week

CDT & StopBadware.org to release adware reports this week. They will name names and give details on how and why adware proliferates. Following closely behind that Ben Edelman provides major vendors supporting 180Solutions.

Sunday, March 19, 2006

Winfixer\Blackworm

Well for the last week or so there has been a semi-new variant of Winfixer purporting to users they are infected with the 'Blackworm virus'. Note that this has been around for a little while, but just recently has begun to really get around.

The good news is that the infection it carries with it, is actually Vundo\Virtuamondo (Blackworm), and is easily removed with this fix from Atribune.

As usual, I always like to get users who are infected with it to post a HijackThis! logfile into our forum so we can help with removal and look for any other nasties which may be present.

Thursday, March 16, 2006

Why Anti-Spyware Apps Fail With Keyloggers

In this article, Brian Krebs of Security Fix talks about the inherent flaws in which anti-spyware apps use to detect keyloggers and has some good info from a couple of researchers. Read More Here

Instant Messagings E-Commerce Exploits:PART II

In this part, PG interviews the guy who gave him the inside info about these botnets. Very cool reading for sure. Read More Here

Wednesday, March 15, 2006

Spam Moderation Now Enacted

Well I got my first bit of blog spam today, and it will be the last. Moderation is now on and will stay on. Screw you greedy scumbags who do this and turn blogging into a money making venture. Don't be so F-ing cheap, go buy advertising, you cheap bastards.

Instant Messaging E-Commerce Exploits

Paperghost and SpywareGuide once again have sunken deep undercover into the Dark Side of the Net and uncover a botnet comprised of nearly 150,000 boxes!! And just how did many of these machines get taken over? You guessed it, via IM.

Unsuspecting users who click on links sent by other compromised machines can have files installed which search their machines to get critical information to access all sorts of sensitive data. The botmasters even install special script to look for exploits in many of the e-cart applications such as CCBill, Comersus Cart and CactuShop.

If these couple of articles and their follow ups don't prevent you from clicking links all the time, I don't know what will. Read More Here

Monday, March 13, 2006

Direct Revenue Settle Lawsuit

Direct Revenue make unprecedented concessions, yet still are not required to keep an eye on the ever present, all powerful, excuse invoking affiliates. Read More Here

Paperghost On Infection Analysis

Paperghost on why it's important to consider nearly every angle of an infection. From what it is, to what it does to who made it and why they made it. Not to mention what they have done in the past. As
Webhelper says: "
One must know the past in order to understand the future, if one is to change the future" Read More Here

Saturday, March 11, 2006

Aluria\Earthlink\WhenU Connection

CatleCops has another article recapping the Aluria\WhenU 'whitewash' and subsequent missteps taken by one of Aluria's outgoing executives. Seems in this Spyware Warrior thread he was caught giving false reviews (called astro turfing) to the Aluria product at download.com. There is also more info in the CastleCops Forum Newsletter

BraveSentry Install Documented

Blogger documents a BraveSentry unauthorized install. Nicely done with screenshots and everything. Found via Sunbelt Blog. NetSato Blog

Zone Alarm Suite Vulnerability

Some white hat researchers have found a vulnerability in the popular system suite. Zone Labs was informed in December and has yet to reply to the info provided. More Here

Friday, March 10, 2006

Rogue\Suspect Anti-Spyware Updates

In the last 24 hours, 7 new rogues have been added to the Rogue\Suspect Anti-spyware list. Be sure and check it out via the link to the right.

New SpySherriff Clone:Pest Wiper

Another day another rogue. This time it's a SpySherriff clone: PestWiper. Hosted on the same servers as other rogues and blacklisted by everyone. Read More Here

Wednesday, March 08, 2006

Viewpoint: Spyware or Not?

Viewpoint media player called spyware by one journalist, he tells users how to prevent its installation. Viewpoint didn't like it. Read More

UPDATE on Aluria\WhenU Whitewashing

This thread is now over at Spyware Warriors and it's not a pretty sight for Aluria, they ignore obvious lies and refuse to answer questions put forth. Read Here

New Rogue: Brave Sentry

New rogue found, pushing two anti-spyware apps on users. Found by Sunbelt Software researchers. Read More

Saturday, March 04, 2006

New Vundo Variant, Tool Updated

New variant of Vundo found, tool created by Atribune updated and working.

Friday, March 03, 2006

New SpyFalcon .dll

A new file has been found in the SpyFalcon infection:

ginuerep.dll

Located in the C\WINNT\system32 folder.

The fix at Bleeping Computing has been updated to include its removal.

Aluria & WhenU on Digg

Now posted on digg, in security section, go digg it!!

Thursday, March 02, 2006

Anti-Spyware Vendor Caught Erasing History

Aluria software vendor is trying to remove traces of its scandal from back in October 2004 which involved their reclassification of WhenU software.

It appears all references of press releases are disappearing from their website at an alarming rate. And it seems there is a new classification in the anti-spyware business: 'consumer ware' which is what they now call WhenU. Oh, and what else is listed as this new found section of consumer ware? 180Solutions. More to read here

Wednesday, March 01, 2006