UPDATE:  30 October 2006 - Spyware Beware! is back up.

Imagine my surprise when I get an email from Danny aka dknoppix from HijackThisAid.org that the Alliance of Security Analysis Professionals (ASAP) domain Spyware Beware! has expired.

This is a major development, as Spyware Beware! is an excellent resource in the fight against Malware. Hopefully maddoktor can get this sorted out in short order.

In the meantime all you ASAP members need to correct or remove the link to the ASAP page in your signatures.

You can use this image, if needed:
[img]http://dknoppix.com/Pictures/Site%20Pics/asap.jpg[/img]

and you can point the link in your signature, if needed, to:
http://securitycadets.com/asap

or

http://www.malwareteks.com/page.php?1

More information will be forth coming as it is available.

Source US-CERT

We are aware of proof-of-concept code for a denial-of-service vulnerability in Microsoft Internet Explorer. By persuading a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), Internet Explorer may crash when processing a specific method in the ‘ADODB.Connection’ ActiveX Object. It is not clear at this point whether an attacker may be able to execute arbitrary code with this vulnerability.

More information about this vulnerability can be found in the following:

• Vulnerability Note VU#589272 - ADODB.Connection ActiveX control unspecified vulnerability

Until an official update, patch, or more information becomes available, we recommend the following actions to help mitigate the security risks:

• Disable the ADODB.Connection ActiveX control in Internet Explorer as specified in the Microsoft Support Document 240797.
• Disable ActiveX as specified in the Securing Your Web Browser document and the Malicious Web Scripts FAQ.
• Do not follow unsolicited links.
• Review the steps described in Microsoft’s document to improve the safety of your browser.

US-CERT Vulnerability Note VU#58927

Mozilla Releases Major Update to Firefox and Raises the Bar for Online Experience

Enhancements to usability, security and customization make Firefox 2 a must-have upgrade for all Web users

MOUNTAIN VIEW, CALIF. – Oct. 24, 2006 – - Mozilla today released Firefox® 2, a major update to its popular and acclaimed free, open source Web browser. Firefox is developed by an international community of contributors working together under the umbrella of the Mozilla Foundation, a non-profit, public-benefit organization dedicated to improving the Internet experience for people everywhere.

In less than two years, tens of millions of people worldwide have discovered the easier, faster and safer online experience that Firefox provides. Translated into more than 35 languages at its release, Firefox 2 is available in a native language version for more people around the world than any other Web browser.

Firefox 2 is immediately available for Windows, Mac or Linux operating systems as a free download from www.getfirefox.com.

“Firefox 2 delivers the best possible online experience for people today,” said Mitchell Baker, CEO, Mozilla. “The improvements Mozilla has made to the ease of use, performance, and security in Firefox 2 reflect our ongoing, singular focus on meeting the needs of Web users all over the world.”

What’s New in Firefox 2

Improvements to the user interface, security tools and options for customization, combine to deliver a rich, engaging, safer and more productive Web browsing experience for all.

Tabbed browsing. Firefox popularized tabbed browsing, enabling multiple Web sites to be viewed as separate tabs contained within a single browser window, and improving people’s efficiency by helping them better organize their desktops. In Firefox 2, tabbed browsing has been further improved with the addition of individual close buttons on each tab, enhanced tab navigation features, and a session restore system that automatically restores previously-open windows and tabs when a new browsing session is started.

Spell checking. Modern Web sites are increasingly complex with the rollout of new, rich Internet applications, such as word processors, spreadsheets and blogging tools. Inline spell checking in Firefox 2 automatically checks for spelling errors and suggests corrections as users interact with Web sites, bringing a common desktop feature to the Web.

Search. Search is one of the most frequently used features of the Web. With Firefox 2, Mozilla improves the browser’s integrated search capabilities, making it even easier for users to find the information they are looking for. The new Search Suggestions feature dynamically updates a drop-down list of suggested search terms as users enter text into the search bar for Google, Yahoo! or Answers.com search engines.

Web feeds. Firefox users can now take better advantage of the frequently updated content offered by Web sites, with increased options for handling Web feeds. Users now see a preview of the content being offered and are given the option to subscribe to a feed as a Live Bookmark, using a Web service such as Bloglines, My Yahoo!, or Google Reader, or with a desktop application.

Identity theft protection. In addition to its award-winning safeguards for blocking drive-by installation of spyware and unwanted pop-up windows, Firefox 2 helps protect users from identity theft by quickly informing them when they surf to a questionable Web site. To protect users’ privacy, Phishing Protection is active by default with a local blacklist that updates hourly, rather than sending information to an external online service. An enhanced mode is available where users may optionally elect to have Firefox check the validity of Web sites with a third-party Web service, such as Google, prior to loading the site. Phishing Protection provides warnings, advice and guidance when Firefox encounters a Web site that appears to be fraudulent or malicious.

Proven security model. Mozilla’s open and transparent community-driven security model helps ensure Firefox provides the safest possible online experience. Thousands of security experts and technical contributors from around the world examine and analyze the Firefox source code, uncover potential threats and vulnerabilities, and work together to quickly identify and address emerging threats. This open, distributed, innovative approach to security puts people’s interests first and delivers the safest Web experience possible.

Customization. No other browser can be customized like Firefox 2. With thousands of add-ons that enhance the browser’s functionality and features, Firefox lets users personalize their Web browsers to fit their interests and style.

For more information on Mozilla Firefox 2 and how it delivers an easier, faster and safer online experience, visit www.mozilla.com/firefox/features.html.

Mozilla Firefox 2 is available now as a free download from www.getfirefox.com

Doing my daily Blog reading, what do I find? AntiVermins.

OK, what is AntiVermins?

Antivermins is one of the most hi-tech, visible achievements on development of the software of protection all over the world, which guarantee to you safe use of the Internet resources and just any information which can be infected with Spyware. Its popularity is known almost all large companies and home’s users in many countries. Just remember: you not safe from Spyware if you have only Anti-virus and FireWall programs. You are still being unprotected without special Anti-Spyware program, the most dangerous online threat.

Wait a minute, that has got to be some of the worst English; I have ever seen. That would probably be because English is not the native language of the writer. Good chance that Russian is their native tongue. Russian? How would I know that? The registration data for the domain:

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ANTIVERMINS.COM

Registrant:
N/A
Alex Konchekov (alex.konchekov@gmail.com)
Russia, 119334, Vernadskogo pr, 16-67
Moscow
Moskovskaya oblast,119334
RU
Tel. +007.3100240

Creation Date: 02-May-2006
Expiration Date: 02-May-2007

Domain servers in listed order:
ns2.antivermins.com
ns1.antivermins.com

AntiVermins IP address: 85.255.119.66

Alex Konchekov from Moscow, Russia; cool. Probably not his real name anyway.

Familiar hosting company at that:

Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
Abuse notifications to: abuse@inhoster.com

Many ‘Rogue” applications are coming from the ESTDOMAINS hosted on Inhoster servers.

I paided a vist to the AntiVermins Website, and had a look at several pages on the site and here is some of the information I found.

What is AntiVermins

Antivermins is one of the most hi-tech, visible achievements on development of the software of protection all over the world. Its basic applicability is to relieve you of dangerous programs, which destroy your system.

Ah, OK. Let’s see if I can decipher that statement. I’m not really sure what they are trying to communincate with that first sentence, but with the second; they are obviously stating that this program is supposed to rid your system of dangerous programs that can destroy your system.

Considering that this program affords no protection, what so ever; I fail to see how it could possibly rid your system of “dangerous” programs.

About 92% of all PC are infected by viruses which can’t be identifying by your antiviral program.

92%? I have no idea where they came up with that, but the rest of the statement is true.

Nobody safe today! Who may say his PC is not infected?

Pure FUD (Fear, Uncertainty and Doubt). Well, maybe not complete FUD. If one has the appropriate protections in place and excercises safe computer habits, there is a reasonable expectation that the system is not infected. There is no 100% guarantee that a system will be infection free, when one takes the appropriate measures to protect their system. See Protect Yourself From Malware: Tools And Tips.

I think I am going to stop quoting the site at this point, the poor command of the English language and trying to decipher what they mean is giving me a headache; and I received a “Classical” education which included being taught Oxford English.

I lied, one more quote:

These viruses get to inexperienced user through “free-of-charge” software products more often.

Too funny, considering that their piece of garbage will cost you $49.95 USD. It doesn’t have to be “Free” to infect your system.

Here’s a screenshot of what the program looks like:

If you have fallen victim to this type of scam. Start a new thread in the Malware Removal Forum of this site.

(You must Register before posting anywhere on this board. Registering is 100% FREE)

We ask that you first complete all the steps outlined in our Malware Cleaning Guide before starting a thread in the Malware Removal Forum.

Before considering or installing an Anti-Spyware product, please check out this excellent resource: Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites

I’m a little slow on the up take with this one; but I was reading the SunbeltBLOG last Sunday. When I came across this item of interest; New new security scam hijacker sites. So, I decided to visit one of the sites listed in the SunbeltBLOG article.

Why, would I do such a thing? The blog article says these are scam sites pushing “Rogue” Anti-Spyware applications. Those who work in the world of PC security and Malware Removal, know exactly why I would do such a thing. To find out exactly what is being pushed onto the unsuspecting, uninformed Internet traveler.

So, I paid a visit to uptodateprotection(dot)com; and this is what I found. Upon the page opening I was immediately greeted by a pop-up, see figure 1, warning me about the W32.Myzor.FK@yf virus. Which, I suspect is meant to lead one to believe that their system is infected by this little nasty.

What is W32.Myzor.FK@yf?

W32.Myzor.Fk is a threat detected by rogue antispyware program. It displays a warning: “W32.Myzor.FK@yf. is a virus that infects files with .exe extensions.”

It also hijacks your Browser and redirects the webpage.

Of particular note is the Systems Affected by this Trojan. It doesn’t say Windows 2000 (all service packs) is affected. That’s interesting since 2000 is an NT based OS. If all versions of NT are affected and every Windows version after 2000 is affected then it stands to reason that Windows 2000 would also be affected.

Make a note of the Systems Not Affected. I will revisit that item a little later in the article.

In the Technical Details it tells you that W32.Myzor.FK@yf creates files in the %Windir%\ directory. Which, by default is C:\Windows. %Windir% is the system variable for the Windows directory. Which can be C:\Windows or C:\Winnt. It depends on which OS is installed.

Adds values to the Registry Key: HKEY_LOCAL_MNACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

This is not a valid Windows Registry Key. The correct Registry Key would be: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

Recommendations: Click “OK” to download officially approved security software. Always keep your patch level up-to-date.” ‘Officially approved’ by who? Microsoft? I don’t think so. The last part of that statement is actually good advice; always keep your OS and software updated

Clicking “OK” on the pop-up redirects to a new page, see figure 2.

Getting back to the information displayed about my system. The browser type detected is: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060915 CentOS/1.0.5-0.1.el4.centos4 SeaMonkey/1.0.5. Looks a little cryptic, but really isn’t. The browser used during this session is Mozilla Sea Monkey 1.0.5 and my language setting is English (US). Now this is were it gets a little interesting. The site was not able to properly detect my OS. Well that information was transmitted by my browser; and if you look back at the information about my browser, you will see the OS. Which, in this case is Linux i686; specifically CentOS.

Let’s go back to the pop-up when I first opened the site. Do you remember which, OS’ were not affected by the W32.Myzor.FK@yf virus? Just so that you don’t have to scroll all the way back to the beginning of the article; I’ll list them here again. Systems Not Affected: DOS, EPOC, Linux, Macintosh, Novell Netwear, OS/2.

That’s funny, my OS is listed as VULNERABLE; but I’m running Linux. So, the author’s of this want me to believe my system is infected with a virus that will only execute on Windows; and that an intruder can gain access to:

- \Windows\System32
- \Program Files\Internet Explorer
- \My Documents
- Drive C:\ files

Files and Folders.

In all seriousness, I am running Linux on this system; but the vast majority of PC users are using Windows. Be it 98, ME, or XP; but it is Windows and is vulnerable to exactly this type of attack.

The people who create these sites and programs rely on “Social Engineering” to get you to click on one of the many links on this type of page and install a program that will not perform as advertised. These programs will install several Trojans on your system.

If you have fallen victim to this type of scam. Start a new thread in the Malware Removal Forum of this site.

(You must Register before posting anywhere on this board. Registering is 100% FREE)

We ask that you first complete all the steps outlined in our Malware Cleaning Guide before starting a thread in the Malware Removal Forum.

It is highly recommended that you read the article, Protect Yourself From Malware: Tools And Tips, and adjust your practices, software, and settings as necessary.

Before considering or installing an Anti-Spyware product, please check out this excellent resource: Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites