
SmartBrowser has a smart EULA

Spywareguide reported on a site that entices an end-user to install something they think they need, only to pull the rug out from under them and reveal that, in actual fact, it was this program over here that they needed all along. The site is a typical free movies / webcam website. It displays numerous videos for you to watch, with the words “live now” next to a play button. Pressing the button does not launch a video (as one would reasonably assume), but instead opens a download prompt.

The name of the executable continues the baiting strategy: “open for instant access”. At this stage the end-user still reasonably believes that running this software is essential to viewing the videos on the front page. When you install it, however, IE opens automatically on a page of Zango videos, where you have to install various pieces of Zango adware in order to acquire the license to watch the video. These are not the “videos” mentioned on the front page; in fact, those don’t seem to exist at all. As far as “watching the videos on the front page” goes, installing Smart Browser serves no purpose whatsoever.

SmartBrowser is controlled by smart-browser.com. In our tests it changes the default home page and opens pop-up pornographic advertising. Examples included extremelybabes.com and extremelyamateurs.com, and it redirects attempted access to other pornographic sites to these sites instead. (Caution: these sites may attempt to load premium-rate dialers.)

The EULA analysis reveals some notable and alarming security risks; the user agrees to the following (quoted as written, typos included):

- “YOU AGREE THAT UPON ENTERING ANY SITES UNDER THE CATEGORY THAT FEETS OUR PUBLISHERS CATEGORIES ,AN ADVERISEMENT MATCHING THAT CATEGORY WOULD POP UP, AND”

- “YOU AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO OUR SERVER FOR ANY UPDATES OR ADDINS. AND”

- “YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO SEND EMAILS (PUBLISHMENT & FILES) TO YOUR FRIENDS (USING YOUR LOCAL USER DATABASE) AND TO OUR LISTS .AND YOU ASSURE US THAT YOU WON’T CONSIDER THAT A VIOLATIONS OF YOUR PRIVACY OR ANY OTHER RIGHT. AND”

- “YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO CHATS IRC, YAHOO ,MSN ,ETC IN ORDER TO PUBLISH OUR PRODUCTS.”

What we have here is a clear example of bait and switch: luring you in with one offer, denying you the desired item, and presenting a “substitute” at the last moment. The difference here is that the webmaster also gets to install Smart Browser onto the PC in the process; I suppose you could call it two for the price of one, or a “bonus”. Even if the end-user doesn’t choose to download any Zango videos, they’ll still receive pop-ups (and possibly premium-rate dialers) via Smart Browser.

July 27, 2006, 9:51 am | In Adware


Exploits for new Microsoft vulnerabilities available

The Internet Storm Center reported that exploit code is available for MS06-034, MS06-035, and MS06-036. If you haven’t already patched these vulnerabilities you should take immediate action.

MS06-034 – unchecked buffer vulnerability in IIS when processing ASP files

This patch fixes what appears to be a buffer overflow in IIS, exploitable when IIS processes ASP files.

In other words, to exploit this vulnerability an attacker has to be able to upload ASP files to the target server running IIS (versions 5.0, 5.1 and 6.0 are affected). Normally a user has to authenticate before they can upload files to the server, which is why the vulnerability is rated moderate/important rather than critical.

If you do allow people to upload ASP files to your IIS server, it would be wise to apply the patch as soon as possible, although we don’t yet know of any public exploit for this particular bulletin.

MS06-035 (CVE-2006-1314)

The vulnerability can be exploited remotely against the “Server” service, so this is definitely something that could be used for widespread compromise with no user interaction, or by a worm.

Windows 2000 SP4 looks vulnerable by default. Windows XP SP2 and Server 2003 don’t appear to be vulnerable in a default installation unless services are listening on Mailslots. At this point it is unclear exactly what software would enable Mailslots and create a vulnerable condition.

MS06-036 – unchecked buffer vulnerability in the DHCP Client service could allow remote code execution (914388)

Microsoft says the systems “primarily” at risk are Windows 2000, Windows XP and Windows Server 2003. From the bulletin’s FAQ:

“How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by answering a client’s DHCP request on the local subnet with malformed packets.”

“Could the vulnerability be exploited over the Internet?
An attacker could try to exploit this vulnerability over the Internet.”

“Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical on them.”
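The attack the bulletin describes, a rogue server on the local subnet answering a client’s DHCP request with malformed packets, comes down to the client trusting length fields inside the reply. The following is an added example, not code from this post or from Microsoft, and it does not reproduce the actual MS06-036 bug (the bulletin does not say which field is affected). It shows the DHCP options layout (RFC 2132 TLV encoding after the fixed BOOTP header) and the bounds check a client must make before copying option data; the two sample replies are constructed, not captured traffic.

```python
"""Bounds-checked parser for the DHCP options field (RFC 2132 TLV layout).

Added example; the hypothetical rogue reply below only illustrates the
malformed-packet failure mode, not the specific MS06-036 defect.
"""
import struct

BOOTP_HEADER_LEN = 236          # op..file fixed fields before the magic cookie
MAGIC_COOKIE = b"\x63\x82\x53\x63"


class MalformedDHCP(ValueError):
    pass


def parse_options(packet: bytes) -> dict:
    """Return {option_code: value} from a DHCP message, refusing to read past
    the end of the packet. Raises MalformedDHCP instead of overrunning."""
    if len(packet) < BOOTP_HEADER_LEN + 4:
        raise MalformedDHCP("packet shorter than BOOTP header + cookie")
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise MalformedDHCP("bad magic cookie")
    opts = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            return opts
        if i + 1 >= len(packet):
            raise MalformedDHCP(f"option {code} has no length byte")
        length = packet[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(packet):    # the check a vulnerable client omits
            raise MalformedDHCP(
                f"option {code} length {length} overruns packet by {end - len(packet)} bytes")
        opts[code] = packet[start:end]
        i = end
    raise MalformedDHCP("no end option (255)")


def build_offer(options, truncate: int = 0) -> bytes:
    """Build a minimal DHCPOFFER carrying the given (code, value) options.
    truncate drops that many trailing bytes, so the last option's length byte
    points past the end of the packet, as a malicious server's reply might."""
    header = struct.pack("!BBBB", 2, 1, 6, 0)          # op=BOOTREPLY, htype=Ethernet, hlen=6
    header += b"\x00" * (BOOTP_HEADER_LEN - 4)         # xid, addresses, sname, file all zero
    body = b"".join(bytes([code, len(val)]) + val for code, val in options) + b"\xff"
    pkt = header + MAGIC_COOKIE + body
    return pkt[:len(pkt) - truncate] if truncate else pkt


# Constructed sample replies (not captured traffic).
GOOD_OFFER = build_offer([(53, b"\x02"),                       # message type: OFFER
                          (54, bytes([192, 168, 1, 1])),        # server identifier
                          (51, struct.pack("!I", 3600))])        # lease time
# Option 15 (domain name) claims 40 bytes, but the packet is cut off after 6 of them.
BAD_OFFER = build_offer([(53, b"\x02"), (15, b"x" * 40)], truncate=35)


def check(packet: bytes) -> str:
    """Summarise what a bounds-checked client does with a reply."""
    try:
        opts = parse_options(packet)
        return f"ok: {sorted(opts)}"
    except MalformedDHCP as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print(check(GOOD_OFFER))
    print(check(BAD_OFFER))
```

The point of the comparison is that the only difference between the two replies is a single length byte; a client that copies `length` bytes into a fixed buffer without comparing it to the bytes actually remaining in the datagram is the pattern behind this class of bug, and the rogue server needs nothing more than a position on the same subnet to deliver it.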

July 24, 2006, 7:01 pm | In Critical patch, Exploits & Vulnerabilities


How to protect against the PowerPoint 0-day vulnerability?

A few days ago a 0-day vulnerability was found in Microsoft PowerPoint.

An unspecified vulnerability in mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows remote user-assisted attackers to execute arbitrary commands via a crafted PPT file that causes a “memory corruption error”; it is being exploited in the wild by Trojan.PPDropper.B.

To protect your PC, follow these instructions:

  • Don’t use an account with administrator rights for browsing the Internet and checking mail, or use DropRights (see: How to drop rights for safe surfing).
  • Don’t open or save unknown attachments; cancel them.
  • Don’t visit unknown sites.
  • Use PowerPoint Viewer 2003 to open and view files. PowerPoint Viewer 2003 does not contain the vulnerable code and is not susceptible to this attack. You can download PowerPoint Viewer 2003 for free.
  • If you can, apply strict filtering of PPT files (at least quarantine them so they can be scanned and reviewed later). Users should be extra careful when opening PowerPoint files until Microsoft releases a patch or a workaround becomes available.
  • It is a good idea to turn on memory-based security mechanisms (Data Execution Prevention).
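A gateway filter that keys on the .ppt extension is defeated the moment the attacker renames the attachment, and Trojan.PPDropper.B arrives as an e-mail attachment. The following is an added example, not code from this post, of the “quarantine PPT files” step done by content instead of by name: a PowerPoint 2000–2003 file is an OLE2 compound document, so the filter inspects the container header. It cannot tell a .ppt from a .doc or .xls without walking the OLE directory (which it does not do), so it holds every OLE2 container for the later scan the post recommends. The sample attachments are constructed, and the policy choices (hold any OLE2 file; hold a .ppt name with a non-OLE payload) are this example’s assumptions.

```python
"""Content-based quarantine check for Office attachments (added example)."""
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OFFICE_EXTENSIONS = {".ppt", ".pps", ".pot"}       # PowerPoint 97-2003 names


def is_ole2_container(data: bytes) -> bool:
    """True if data carries a plausible OLE2 compound-file header: the magic,
    the little-endian marker 0xFFFE and a sector size of 512 or 4096 bytes."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return False
    byte_order, sector_shift = struct.unpack_from("<HH", data, 0x1C)
    return byte_order == 0xFFFE and sector_shift in (9, 12)


def extension_filter(filename: str) -> str:
    """The naive policy: decide by file name only."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "quarantine" if ext in OFFICE_EXTENSIONS else "deliver"


def content_filter(filename: str, data: bytes) -> str:
    """Decide by content; the name only adds a second reason to hold the file."""
    if is_ole2_container(data):
        return "quarantine"       # any OLE2 container is held for scanning
    if extension_filter(filename) == "quarantine":
        return "quarantine"       # PowerPoint name on a non-OLE payload: still suspicious
    return "deliver"


def make_ole2(sector_shift: int = 9) -> bytes:
    """Construct a minimal, empty OLE2 header block for the samples below."""
    hdr = bytearray(512)
    hdr[:8] = OLE2_MAGIC
    struct.pack_into("<HH", hdr, 0x1C, 0xFFFE, sector_shift)
    return bytes(hdr) + b"\x00" * 512


# Constructed samples, not real attachments.
SAMPLES = {
    "deck.ppt": make_ole2(),
    "notes.txt": make_ole2(),          # a .ppt renamed to slip past an extension rule
    "readme.txt": b"plain text\n",
    "slides.ppt": b"plain text\n",     # PowerPoint name, no OLE2 container inside
}


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (extension-only verdict, content verdict)."""
    return {name: (extension_filter(name), content_filter(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12} extension={verdicts[0]:10} content={verdicts[1]}")
```

The renamed file is the case that matters: the extension rule delivers it, the content rule holds it. A file that merely begins with the eight magic bytes but has a nonsense header is not treated as OLE2, which keeps random binaries from clogging the quarantine.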

July 18, 2006, 8:31 am | In Tips, Tutorials - HowTo


Wanna free anti-spyware? Get adware.

Adware comes in all forms, and this time it comes under the false pretense of being Webroot’s Spy Sweeper 5. To be specific, there is a torrent for Spy Sweeper 5 that comes with a “keygen” to bypass registration, but when executed the keygen is actually adware: a 180solutions installer. It immediately connects to the net and then installs the Aquarium screensaver.

The link is here: www(dot)torrentspy(dot)com/torrent/793200/Spy_Sweeper_5_Final

As a result, check twice before downloading anything from torrent or eDonkey networks.

Thanks, Sunbeltblog.

July 18, 2006, 8:10 am | In Tips


Browsezilla – next Internet generation – a web browser that contains malware

PandaLabs has discovered that Browsezilla, a free web browser available from several web pages, infects computers with the adware PicsPlace without users’ knowledge. This adware, which activates whenever the infected PC starts up, opens a series of adult web pages that are not visible to the user. The tactic is aimed at artificially increasing visits to those pages.

Browsezilla is an application similar in appearance to the widely-used Mozilla browser, and also uses a dinosaur as a logo, no doubt to encourage users to trust the application. Ironically, the creators claim that Browsezilla offers safer Internet use than other browsers, as it supposedly does not store the history of pages visited or favorites lists. To encourage users to install it, the official page offers an Internet search service. However, the search always results in a page advising that it is necessary to download the browser in order to obtain the requested information.

Browsezilla is detected as adware due to the following reasons:

  • It is automatically downloaded to the computer when a search is carried out through its site, without asking for user permission.
  • It installs itself without the user’s explicit permission and knowledge.
  • It does not display an EULA (End User License Agreement) during its installation.
  • One of its components automatically downloads and runs a file without asking for user permission.
  • It offers links to adult content without clearly asking for user consent.

Browsezilla can be voluntarily downloaded when visiting certain websites for adults, and from the website belonging to the company that has developed it.

Note: although a former version of Browsezilla downloaded a copy of the adware PicsPlace to the affected computer, a newer version has been released, which does not carry out this action.

July 12, 2006, 4:59 pm | In Adware


New way – exploiting over distance

An ISC reader pointed out this relatively new exploit vector. At the upcoming BlackHat conference, a duo is going to demonstrate hacking WiFi device drivers to assume control of a target machine.

The two researchers used an open-source 802.11 hacking tool called LORCON (Loss of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorized software when they are bombarded with unexpected data.

Using tools like LORCON, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).

The combination of device drivers (which sit close to the kernel) and wireless technology makes this vector uniquely possible. Most device drivers can’t safely be attacked because the devices are attached to the actual hardware, but wireless is meant to work over a distance. The vector is still limited by range to those close enough to some transmitter, but with the growing prevalence of free wireless hotspots it is easy to find places where enough laptops congregate to get good results (say a conference or an airport terminal).
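What “throwing an extremely large number of wireless packets at different cards” looks like at the frame level, as an added example that is not LORCON and not the researchers’ code (the post does not name the driver bug, and this assumes nothing about it): a generator that takes a well-formed 802.11 beacon and produces variants whose information-element (IE) length bytes disagree with the frame, and the bounds checks a driver must apply when it parses those IEs. `ssid_copy_unchecked` models the bug class the fuzzing is looking for, a driver that trusts the IE length and copies the SSID into a fixed 32-byte buffer; it is a hypothetical model, not a real driver. Everything is built and parsed in memory; nothing is transmitted.

```python
"""802.11 beacon IE fuzzing, generator and driver-side checks (added example)."""
import struct

IE_SSID, IE_RATES, IE_CHANNEL = 0, 1, 3
MAX_SSID_LEN = 32                   # 802.11 SSID limit; the fixed buffer size in the model
MGMT_HDR_LEN, BEACON_FIXED_LEN = 24, 12


class MalformedFrame(ValueError):
    pass


def build_beacon(ies, bssid=b"\x02\x00\x00\x00\x00\x01") -> bytes:
    """Beacon = 24-byte management header + timestamp/interval/capabilities + IEs."""
    fc = 0x0080                                         # type=management, subtype=beacon
    hdr = struct.pack("<HH6s6s6sH", fc, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0401)         # timestamp, beacon interval, ESS+short preamble
    body = b"".join(bytes([ie_id, len(val)]) + val for ie_id, val in ies)
    return hdr + fixed + body


def mutate_ie_lengths(frame: bytes) -> list:
    """Variants of frame in which one IE length byte at a time is replaced by an
    out-of-range value; this walks the original (well-formed) frame to find IEs."""
    variants = []
    i = MGMT_HDR_LEN + BEACON_FIXED_LEN
    while i + 2 <= len(frame):
        ie_len = frame[i + 1]
        for bad in (0xFF, ie_len + 1, (ie_len + 200) & 0xFF):
            if bad != ie_len:
                v = bytearray(frame)
                v[i + 1] = bad
                variants.append(bytes(v))
        i += 2 + ie_len
    return variants


def parse_ies_checked(frame: bytes) -> dict:
    """Driver-side parse with the checks that prevent an overrun."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        raise MalformedFrame("truncated header")
    ies, i = {}, MGMT_HDR_LEN + BEACON_FIXED_LEN
    while i < len(frame):
        if i + 2 > len(frame):
            raise MalformedFrame("IE header runs past frame end")
        ie_id, ie_len = frame[i], frame[i + 1]
        remaining = len(frame) - i - 2
        if ie_len > remaining:                           # length vs. bytes actually present
            raise MalformedFrame(f"IE {ie_id} length {ie_len} exceeds remaining {remaining} bytes")
        if ie_id == IE_SSID and ie_len > MAX_SSID_LEN:   # length vs. the destination buffer
            raise MalformedFrame(f"SSID length {ie_len} > {MAX_SSID_LEN}")
        ies[ie_id] = frame[i + 2:i + 2 + ie_len]
        i += 2 + ie_len
    return ies


def ssid_copy_unchecked(frame: bytes) -> int:
    """Hypothetical model of the bug class: trust the SSID length byte and copy
    into a 32-byte buffer. Returns how many bytes would land past the buffer."""
    ie_len = frame[MGMT_HDR_LEN + BEACON_FIXED_LEN + 1]  # assumes SSID is the first IE, as in beacons
    return max(0, ie_len - MAX_SSID_LEN)


def fuzz_report(ies=None) -> dict:
    """Run every mutant through both parsers and count the outcomes."""
    ies = ies or [(IE_SSID, b"lab-wifi"), (IE_RATES, b"\x82\x84\x8b\x96"), (IE_CHANNEL, b"\x06")]
    base = build_beacon(ies)
    variants = mutate_ie_lengths(base)
    rejected = overflowed = 0
    for v in variants:
        try:
            parse_ies_checked(v)
        except MalformedFrame:
            rejected += 1
        if ssid_copy_unchecked(v):
            overflowed += 1
    return {"variants": len(variants), "rejected": rejected,
            "unchecked_overflows": overflowed,
            "base_ok": parse_ies_checked(base)[IE_SSID] == b"lab-wifi"}


if __name__ == "__main__":
    print(fuzz_report())
```

Two things the report makes visible: every mutant is caught by the checked parser, but only because it tests the length against both the bytes remaining in the frame and the size of the buffer it copies into; and the mutants that defeat the unchecked model are exactly the ones with a large SSID length byte, which is why a fuzzer does not need to know the bug in advance, only to vary the fields a driver is likely to trust.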

July 10, 2006, 9:15 am | In Exploits & Vulnerabilities


Found new rogue antispyware – SpyHeal

Sunbeltblog reported on a new rogue antispyware, SpyHeal. This is probably the replacement for Spyware Quake (SpywareQuake).


Sysprotectionpage(dot)com lists spyheal(dot)com as one of its new partner sites, along with some other rogue anti-spyware apps.

After opening Sysprotectionpage(dot)com, I got this message:

Warning!
W32.Myzor.FK@yf is a virus that infects files with .exe extensions. It attempts to steal passwords and private information from the infected computer.
Type: Virus Infection
Length: 138,293 bytes
Systems Affected: Windows 95, 98, ME, NT (all versions), 2003, Windows XP (all service packs)
Systems Not Affected: DOS, EPOC, Linux, Macintosh, Novell Netware, OS/2, UNIX
Technical details: 1. Creates files in %Windir% directory. By default, this is C:\Windows. 2. Adds values to registry keys:
HKEY_LOCAL_MNACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. Scans the hard drive for .exe files and infects any executable files.
Searches for passwords/information, which it may send to a remote attacker. Recomendations: Click “OK” to download officially approved security software. Always keep your patch levels up-to-date.

How strange :), I opened this page in Linux, a “Not Affected System”, but still got the fake message!

To protect your PC, add these sites to your blocklist: Sysprotectionpage(dot)com, spyheal(dot)com
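The domains above are written defanged (“(dot)” for “.”) so they are not clickable, and a blocklist that is fed that form silently fails to match anything. The following is an added example, not code from this post, of turning such indicators into a usable blocklist: it normalises the common defanging styles, matches subdomains too (rogue sites rotate hostnames under one registered domain), and emits hosts-file lines. The “hxxp://…” indicator and the choice of 0.0.0.0 as the sinkhole address are this example’s assumptions.

```python
"""Defanged indicators to a working blocklist (added example)."""
import re
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Normalise a defanged domain or URL to a lower-case hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"\s*[\(\[]\s*dot\s*[\)\]]\s*", ".", s)   # "(dot)" / "[dot]" -> "."
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://", "http://", s)              # hxxp:// -> http://
    if "://" in s:
        s = urlsplit(s).hostname or ""
    return s.strip(".")


def build_blocklist(indicators) -> set:
    return {h for h in (refang(i) for i in indicators) if h}


def is_blocked(url_or_host: str, blocklist) -> bool:
    """True if the host, or any parent domain of it, is on the blocklist.
    The bare TLD is never consulted, so 'com' on the list cannot block everything."""
    parts = refang(url_or_host).split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts) - 1))


def hosts_file_lines(blocklist) -> list:
    """Hosts-file entries. The hosts file has no wildcards, so sinkhole both the
    bare and the www form; resolver-level blocking is needed for other subdomains."""
    lines = []
    for host in sorted(blocklist):
        lines.append(f"0.0.0.0 {host}")
        if not host.startswith("www."):
            lines.append(f"0.0.0.0 www.{host}")
    return lines


# The two indicators from this post as written, plus a constructed hxxp:// form.
INDICATORS = ["Sysprotectionpage(dot)com", "spyheal(dot)com", "hxxp://www.spyheal[.]com/download"]


if __name__ == "__main__":
    bl = build_blocklist(INDICATORS)
    print("\n".join(hosts_file_lines(bl)))
    print(is_blocked("http://download.SpyHeal.com/setup.exe", bl))
```

The hosts file is the cheapest place to put these entries on a single PC, but it only covers names you list explicitly; `is_blocked` shows the subdomain matching a proxy or DNS filter should do instead.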

July 9, 2006, 6:39 am | In Rogue Anti Spyware



My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.