#11
R. McCarty wrote:
> I wasn't taking exception to your analysis - just that these jackasses
> are always looking for new ways to get a toe hold on a computer.
> Build the wall higher and they dig under it. Make it thicker and they
> use a software trampoline to jump over. I agree that most Malware
> gets on from bad browsing or download habits. The best Security
> software in the world can't stop the "This is dangerous !" and they
> go right ahead and Click into - Poker, Porno and "Freebies". Trying
> to keep a PC "Safe-&-Secure" takes as much time as you spend
> actually using the thing. You can teach a PC, unfortunately the user
> is quite as quick a learner.
>

We're pretty much in complete agreement, then. I guess I just misunderstood the intentions of your reply to me. And, thanks to your reminder, I do reckon it's time to upgrade my emphasis of that particular danger.

--
Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH
#12
On that special day, Todd H., (comphelp@toddh.net) said...
> I'm trying to figure out which unpatched application is the
> vulnerability by which this nasty manages to installed by a user of
> the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
> platform.

http://www.f-secure.com/weblog/archi....html#00000752

This *might* have been how it happened.

Gabriele Neukam
Gabriele.Spamfighter.Neukam@t-online.de

--
Ah, Information. A property, too valuable these days, to give it away, just so, at no cost.
#13
Todd H. wrote:
> I appreciate the responses thus far, and the posters who've taken the
> time to make them. If possible though, I'd like to refocus the
> question:
>
> What are examples of specific web sites with specific exploits in
> place that endeavor to install Spy Sheriff?
>
> I'm trying to figure out which unpatched application is the
> vulnerability by which this nasty manages to installed by a user of
> the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
> platform.
>
> In short, has anyone out there done a full malware analysis of the
> Spyware Sheriff installer, and where it's found out there in the wild.
>
> I realize this may be a tall order, but this particular bit of a
> spyware is particularly intriguing to me because it's so pernicious.
>
>
> Best Regards,

I have seen it on three customers' computers in the last three days. They were all up to date with Windows updates, running an antivirus, one was running MS AntiSpyware. As near as I can tell they all came in via the .wmf exploit. One was in a spam email. They had the preview pane open and viewing the email installed the malware. Two were while surfing the net. Both times they clicked on a link in a google search and they were immediately infected. See the following link for details of the exploit.

http://www.microsoft.com/technet/sec...ry/912840.mspx

The only effective workaround right now is to enable hardware DEP for all programs (software DEP won't stop it) or disable the Windows picture and fax viewer. Both workarounds can cause problems. Hardware DEP may break some drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be the best workaround but it may cause some minor problems with html email and some web sites.

Kerry
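Kerry's post ties the infections to the WMF flaw covered by Microsoft advisory 912840 and lists host-side workarounds (hardware DEP, unregistering shimgvw.dll). A complementary content-side check, useful at a mail gateway or on a quarantine share, is to scan incoming .wmf files for the record shape that flaw abused: a WMF Escape record whose escape function is SETABORTPROC. The scanner below is an added example written for this thread, not code from any poster, from Microsoft or from Ilfak's patch; the record layout follows the public WMF file format, and the SETABORTPROC detail comes from the public analysis of that flaw rather than from anything written here. The two sample files it builds are constructed fixtures that contain a single Escape record with an empty payload, so they exercise the parser without being exploit files.

```python
"""Flag WMF files carrying an Escape/SETABORTPROC record, the record shape
abused by the GDI flaw in Microsoft advisory 912840.  Detection only: it
reports offsets and never renders the file.  Added example, not thread code."""
import struct
import sys
from typing import List, Tuple

META_EOF = 0x0000
META_ESCAPE = 0x0626          # RecordFunction value of a WMF Escape record
SETABORTPROC = 0x0009         # escape function the flawed GDI code honoured
NEWFRAME = 0x0001             # harmless printer escape, used for the benign fixture
PLACEABLE_KEY = 0x9AC6CDD7    # magic of the optional 22-byte Aldus placeable header
HEADER_LEN = 18               # META_HEADER is 9 WORDs


def _strip_placeable(data: bytes) -> bytes:
    """Drop the Aldus placeable header if the file starts with one."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def scan_wmf(data: bytes) -> List[Tuple[int, str]]:
    """Walk the record list and return (file offset, message) findings.

    Findings cover Escape/SETABORTPROC records plus structural damage
    (truncation, impossible record sizes) that a lenient renderer might
    still try to process.  An empty list means nothing suspicious was seen."""
    body = _strip_placeable(data)
    base = len(data) - len(body)          # offset of META_HEADER in the original file
    findings: List[Tuple[int, str]] = []
    if len(body) < HEADER_LEN:
        return [(base, "truncated: no META_HEADER")]
    mt_type, header_words, _version = struct.unpack_from("<HHH", body, 0)
    if mt_type not in (1, 2) or header_words != 9:
        findings.append((base, f"odd META_HEADER (type={mt_type}, size={header_words} words)"))

    off = HEADER_LEN
    while off + 6 <= len(body):
        rec_words, func = struct.unpack_from("<IH", body, off)
        if rec_words < 3:                 # size includes the 3 WORDs of size + function
            findings.append((base + off, f"impossible record size {rec_words} words"))
            return findings
        if func == META_EOF:
            return findings
        if func == META_ESCAPE:
            if off + 10 > len(body):
                findings.append((base + off, "truncated Escape record"))
                return findings
            esc_func, byte_count = struct.unpack_from("<HH", body, off + 6)
            if esc_func == SETABORTPROC:
                findings.append((base + off, f"Escape/SETABORTPROC record, {byte_count} data bytes"))
        off += rec_words * 2
    findings.append((base + off, "no META_EOF before end of data"))
    return findings


def _record(func: int, params: bytes) -> bytes:
    """Encode one record: RecordSize (in WORDs), RecordFunction, parameters."""
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_fixture(escape_func: int) -> bytes:
    """Constructed test file: META_HEADER, one Escape record with an empty
    payload, then META_EOF.  There is no payload, so it is not an exploit."""
    records = _record(META_ESCAPE, struct.pack("<HH", escape_func, 0)) + _record(META_EOF, b"")
    size_words = (HEADER_LEN + len(records)) // 2
    # fields: Type=2 (disk), HeaderSize=9, Version=0x300, Size, NumberOfObjects,
    # MaxRecord (largest record, 5 WORDs here), NumberOfMembers
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, size_words, 0, 5, 0)
    return header + records


if __name__ == "__main__":
    # With no arguments, scan the two constructed fixtures; otherwise scan the named files.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("fixture-setabortproc.wmf", build_fixture(SETABORTPROC)),
        ("fixture-newframe.wmf", build_fixture(NEWFRAME)),
    ]
    for name, blob in targets:
        hits = scan_wmf(blob)
        print(f"{name}: {'CLEAN' if not hits else 'SUSPICIOUS'}")
        for offset, msg in hits:
            print(f"  @0x{offset:04x} {msg}")
```

Run it with no arguments to see the two fixtures classified, or pass file paths to scan real samples. Because the check is on the record structure rather than on a byte signature, it also catches files that smuggle the record behind a placeable header or pad it with other records; a match is a strong indicator but should be confirmed by a full WMF parser before an automated block, since SETABORTPROC is a legitimate (if rarely used) printer escape.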
#14
Gabriele Neukam <Gabriele.Spamfighter.Neukam@t-online.de> writes:
> On that special day, Todd H., (comphelp@toddh.net) said...
>
> > I'm trying to figure out which unpatched application is the
> > vulnerability by which this nasty manages to installed by a user of
> > the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
> > platform.
>
> http://www.f-secure.com/weblog/archi....html#00000752
>
> this *might* have been, how it happened.

That is a huge vulnerability I agree--I expect to see lots of computers cross my desk to repair the fallout of that huge hole. These spy sheriff infections predated the release of the wmf exploit by a month or so though. :-\

--
Todd H.
http://www.toddh.net/
#15
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> writes:
> Todd H. wrote:
> > I appreciate the responses thus far, and the posters who've taken the
> > time to make them. If possible though, I'd like to refocus the
> > question:
> >
> > What are examples of specific web sites with specific exploits in
> > place that endeavor to install Spy Sheriff?
> >
> > I'm trying to figure out which unpatched application is the
> > vulnerability by which this nasty manages to installed by a user of
> > the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
> > platform.
> >
> > In short, has anyone out there done a full malware analysis of the
> > Spyware Sheriff installer, and where it's found out there in the wild.
> >
> > I realize this may be a tall order, but this particular bit of a
> > spyware is particularly intriguing to me because it's so pernicious.
> >
> >
> > Best Regards,
>
> I have seen it on three customers' computers in the last three days. They
> were all up to date with Windows updates, running an antivirus, one was
> running MS AntiSpyware. As near as I can tell they all came in via the .wmf
> exploit. One was in a spam email. They had the preview pane open and viewing
> the email installed the malware. Two were while surfing the net. Both times
> they clicked on a link in a google search and they were immediately
> infected. See the following link for details of the exploit.
>
> http://www.microsoft.com/technet/sec...ry/912840.mspx
>
> The only effective workaround right now is to enable hardware DEP for all
> programs (software DEP won't stop it) or disable the Windows picture and fax
> viewer. Both workarounds can cause problems. Hardware DEP may break some
> drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be
> the best workaround but it may cause some minor problems with html email and
> some web sites.

Hi Kerry,

Thanks for sharing your experience.

There seems to be mounting evidence that these Spy Sheriff bastards might be leveraging multiple vulnerabilities out there, and evolving with the state of patches.

One machine I cleaned up was about 3 weeks ago, and the friend involved had an up to date XP2 box, and he said that the computer had been that way for a week or more prior to my arrival. I think this predates the WMF issue's release. That user, however, is fairly novice and isn't terribly careful, so god knows where he could've gotten it. He was using a very old version of Mozilla on that box.

The second Spy Sheriff infected machine I just cleaned up was an XP sp2 machine with its updates, but the user reported that manual symantec liveupdates haven't worked for a while, and he also had a Mozilla version that was a couple revs old (1.7.8). I think his infection of spy sheriff was probably in the timeline for the WMF exploit. Then again Spy sheriff as it turns out was only one of a long list of infections it managed to contract.

Thanks to all for their experiences with this one. This malware is getting extremely crafty, and financial profit seems to be creeping up the list of motivations for the black hats. I hope a few attorneys general hit the Spy Sheriff weasels hard. In the mean time, if you know anyone who was social engineered into paying to register spy sheriff, have them dispute that credit card charge and at least hit them in credit card admin fees. Visa/MC might get fed up enough to revoke their merchant id.

Best Regards,

--
Todd H.
http://www.toddh.net/
#16
On Mon, 2 Jan 2006 09:04:08 -0800, "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote:
> I have seen it on three customers' computers in the last three days. They
> were all up to date with Windows updates, running an antivirus, one was
> running MS AntiSpyware. As near as I can tell they all came in via the .wmf
> exploit. One was in a spam email. They had the preview pane open and viewing
> the email installed the malware. Two were while surfing the net. Both times
> they clicked on a link in a google search and they were immediately
> infected. See the following link for details of the exploit.
>
> http://www.microsoft.com/technet/sec...ry/912840.mspx
>
> The only effective workaround right now is to enable hardware DEP for all
> programs (software DEP won't stop it) or disable the Windows picture and fax
> viewer. Both workarounds can cause problems. Hardware DEP may break some
> drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be
> the best workaround but it may cause some minor problems with html email and
> some web sites.

According to some experts, the best workaround is Ilfak's fix here:

http://www.hexblog.com/2005/12/wmf_vuln.html

Art
http://home.epix.net/~artnpeg
#17
Bruce Chambers wrote:
> Todd H. wrote:
>
>> "Where/how are people getting this?"
>>
>
> Neither adware nor spyware, collectively known as scumware,
> magically install themselves on anyone's computer. They are almost
> always deliberately installed by the computer's user, as part of some
> allegedly "free" service or product.

No, that is not the case. There is hardly a byte on my PC that I don't know about but nevertheless I still get a few minor trojans from time to time, usually in the Cookies, which last as long as it takes me to run ad-aware, spybot etc or clean the cookies by hand, which I do every day or couple of days. Of course lots of people do click on any old link and so deserve what they get but that is not the only way to be infected.
#18
On that special day, Todd H., (comphelp@toddh.net) said...
> These spy sheriff infections predated the release of the wmf exploit
> by a month or so though. :-\

If there is a new and easy way to infect even updated machines without having to lure the user into a "click me" dialog box, a criminal like that spy sheriff distributor will gladly adopt it, for sure.

There are a lot of worming bots out in the net, which use all kinds of vulnerabilities, the numbers of their variants being in the hundreds, if not thousands... why should it be different with this kind of - shall we call it foistware?

Gabriele Neukam
Gabriele.Spamfighter.Neukam@t-online.de

--
Ah, Information. A property, too valuable these days, to give it away, just so, at no cost.
#19
In article <u$2#028DGHA.1816@TK2MSFTNGP11.phx.gbl>, ilovepcbutts1@withapassion.com says...
> From: "Leythos" <ilovepcbutts1@withapassion.com>
> References: <847j9j17qe.fsf@ripco.com> <xn0egqrrl2fujd2001@news-server.neo.rr.com> <847j9j58k5.fsf@ripco.com> <dpbj38$bod$03$1@news.t-online.com> <84ek3qsg1z.fsf@ripco.com>
> Subject: Re: Spy Sheriff - so how do people get infected w/ this thing?
> Date: Mon, 2 Jan 2006 10:52:31 -0800
> Lines: 39
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
> X-RFC2646: Format=Flowed; Original
> Message-ID: <u$2#028DGHA.1816@TK2MSFTNGP11.phx.gbl>
> Newsgroups: comp.os.ms-windows.misc,microsoft.public.windowsxp.general,alt.comp.anti-virus,comp.security.misc
> NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net 69.237.53.123
> Path: news-wrt-01.ohiordc.rr.com!news-server.columbus.rr.com!hwmnpeer01.lga!hwmedia!newshub.sdsu.edu!msrtrans!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
> Xref: news-wrt-01.ohiordc.rr.com comp.os.ms-windows.misc:201080 microsoft.public.windowsxp.general:1413638 alt.comp.anti-virus:93309 comp.security.misc:110153

NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net 69.237.53.123

Please note that PCBUTTS1 is the poster of the above message using my NickName "Leythos". He posts from the above host, which you can validate in the Usenet headers, since Microsoft deletes his posts from their servers due to his lack of ethics, his theft of others code, and his violations of their Usenet standards.

As a "formal" request, for documentation reasons, I request that you stop using my name to forge posts. You have been warned now.

--
spam999free@rrohio.com
remove 999 in order to email me
#20
In article <e7uwQI9DGHA.2292@tk2msftngp13.phx.gbl>, ilovepcbutts1@withapassion.com says...
> Subject: Re: Spy Sheriff - so how do people get infected w/ this thing?
> From: Leythos <ilovepcbutts1@withapassion.com>
> Newsgroups: comp.os.ms-windows.misc, microsoft.public.windowsxp.general, alt.comp.anti-virus, comp.security.misc
>
> NO! prove to me that you own the name "Leythos" and I will stop using it.
> Stop Stalking me and I will stop using it. Hehe forging your name you must
> be crazy, That's the funniest thing I've heard all year. Got lost stalker.

NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net 69.237.53.123

Please note that PCBUTTS1 is the poster of the above message using my NickName "Leythos". He posts from the above host, which you can validate in the Usenet headers, since Microsoft deletes his posts from their servers due to his lack of ethics, his theft of others code, and his violations of their Usenet standards.

As a "formal" request, for documentation reason, I request that you stop using my name to forge posts. You have been warned now.

--
spam999free@rrohio.com
remove 999 in order to email me