From the monthly archives:

August 2006

US Attorney sends Botnet master to jail for three years

by certifiedbug on August 26, 2006

in News

David Bowermaster, Seattle Times reports that Botnet Master Christopher Maxwell was sentenced to three years in prison by Judge Marsha Pechman, federal court in Seattle.

Maxwell pleaded guilty in May to one count of conspiracy to intentionally damage a protected computer and one count of intentional computer damage that interferes with medical treatment.

He must pay restitution of $114,000 to Northwest Hospital and restitution of $138,000 to the Department of Defense.

According to investigators, over a two-week period in February 2005, Maxwell’s botnet attacked more than 441,000 computers. Ouch.

Gromozon Rootkit

by certifiedbug on August 24, 2006

in Security

Wilders Security Forum topic:
Marco Giuliani has written about this malware, which emerged from a domain called Gromozon, from which the rootkit received its name.

Most people need guidance as to whether or not to attempt to remove such infections or reformat, so consider going to a security site and receiving assistance from volunteer malware fighters if you believe your PC has been compromised.

There are too many to name here, but a short list can be found in the right side panel here under Security Forums.

On a related note, Sophos has released a free anti-rootkit tool which joins others already offered by F-Secure, Grisoft, BitDefender, and Sysinternals among others.
List of available products at AntiRootkit.com

09-01-06

Update

Prevx has released a standalone Removal Tool

Internet Explorer ‘Crash’ is Exploitable

by certifiedbug on August 23, 2006

in Browser, Microsoft

SANS-Internet Storm Center
More MS06-042 woes

August 22nd 2006
Handler’s Diary

The hotfix for MS06-042, which was supposed to be released today, has been delayed. Worse: It turns out that MS06-042 introduced a new security problem. The crashes everyone is having so much fun with are just the tip of the iceberg. The issue can also be used to execute arbitrary code.

eEye
MS06-042 Related Internet Explorer ‘Crash’ is Exploitable

Date: August 22, 2006
Security Alerts | AL20060822

Severity: Critical

Systems Affected:
Windows 2000 with IE6 SP1 and MS06-042 hotfix installed
Windows XP SP1 with IE6 SP1 and MS06-042 hotfix installed

Overview:
On August 8th Microsoft released MS06-042, which was a cumulative update for Internet Explorer. Over the course of a few days after the release of this patch, various Internet Explorer users and businesses started to experience Internet Explorer crashing problems when viewing certain websites.

Because of the widespread discussions and the number of people experiencing the Internet Explorer crash, various security researchers, including eEye, decided to investigate, as a lot of times crashes can be exploitable.

Microsoft Security Bulletin MS06-042
Cumulative Security Update for Internet Explorer (918899)

Published: August 8, 2006 | Updated: August 22, 2006

Caveats: For some Internet Explorer 6.0 Service Pack 1 users, Internet Explorer may exit unexpectedly while attempting to access Web Sites using both the HTTP 1.1 protocol and compression. A hotfix and workaround for this issue is available, please see Knowledge Base Article 923762 for more information. On August 15, 2006 Microsoft announced that it would be re-releasing MS06-042 Tuesday, August 22, 2006 to address an issue affecting Internet Explorer 6 Service Pack 1 customers discussed in Microsoft Knowledge Base Article 923762. Due to an issue discovered in final testing, Microsoft will not be re-releasing MS06-042 on August 22nd, 2006. This update will be re-released for Internet Explorer 6 Service Pack 1 when it meets an appropriate level of quality for broad distribution.

AOL CTO leaves, two workers fired

by certifiedbug on August 22, 2006

in News, Security

In the aftermath of a privacy breach, AOL’s chief technology officer has left the company.

In a memo sent to staff, AOL Chief Executive Jonathan Miller said the company was taking steps to prevent such an incident from happening again.

The Electronic Frontier Foundation (EFF) has filed a complaint with the Federal Trade Commission accusing AOL of breaking a promise to protect its subscribers’ privacy.

Seattle Times Article

VirusRescue added to Rogue Anti-Spyware List

by certifiedbug on August 21, 2006

in Rogue

VirusRescue has been noticed by the security community and has gained itself a spot on the Rogue/Suspect Anti-Spyware Products & Web Sites list.

Most recent additions: AntiSpyware Soldier (8-21-06), VirusRescue (8-21-06), VirusBlast (8-1-06), Spyware Removal Wizard (8-1-06), Easy SpyRemover (8-1-06), 1-2-3 Spyware Free (8-1-06), AdwareFinder (7-8-06), SpyHeal (7-8-06), Xmembytes AntiSpyware (6-13-06), TitanShield AntiSpyware (6-13-06), Trust Cleaner (6-13-06), KillAndClean (6-13-06), RemoveIT Pro (5-24-06), SpywareBot (5-14-06), SpyOnThis (5-7-06), Spyware Sheriff (5-7-06), Spyware Scrapper (5-7-06)

At Security Cadets someone using the name ‘VirusRescue’ posted refuting the information AndyAtHull had posted.

VirusRescue is not a Trojan and is not rogue software. VirusRescue really removes all the infections from your PC and has one of the best scanning & detection engines in the industry and is supported by daily database updates. It removes everything including the mentioned SpywareQuake. VirusRescue has nothing to do with Spyheal and SpywareQuake.

suzi responded:

    To VirusRescue: VirusRescue qualifies as rogue software based on its distribution methods regardless of its ability to clean spyware/viruses. Your program is being *PROMOTED* by malware — the fake codecs that are Zlob variants.

If you have this pest on your computer, you can go to one of the Security Forums listed here in the right side panel for advice on its removal and to see if any other undesirables are lurking.

Nick at Security Ticker did a writeup with screenshots on Thursday, August 10, 2006

VirusRescue Appears to be New Trojan

McAfee Site Advisor gives the green to porn domains

by certifiedbug on August 17, 2006

in Security

First a little background:

August 16, 2006
Posted by Shane Keats at 09:30 AM
Time Magazine Picks McAfee SiteAdvisor for “50 Coolest Websites”

According to Time, McAfee SiteAdvisor:
…aims to keep you out of trouble — or, to be precise, stop you from clicking through to websites where spyware, worms, and other cyber threats lurk…Why would you need this? Because simply clicking through to a suspect site can wreak havoc on a PC, and risky sites comprise a growing portion of search returns.

At http://www.siteadvisor.com/ I used "Look up a site report:" for 'sriaus.com' rather than downloading the SiteAdvisor program.

Result:

Online affiliations for sriaus.com:

Links to green sites:

Most of this site’s links are to sites which are safe or which have only minor safety/annoyance issues.

Are they serious? Those are links to PoRN.

One of the domains in the sriaus.com ‘Green’ tree is iron-dignity.com

Sounds pretty normal compared to the other explicitly named URLs.

Clicking on the iron-dignity.com box takes one to another SiteAdvisor page here:
http://www.siteadvisor.com/sites/iron-dignity.com/summary/

Another green tree of porn URLs... and so on and so forth.

Practice safe hex. ;)

09-01-06
Update

I took a screen shot of the ‘green trees’ the day I originally posted and did not show it here because the content could have been found offensive.

The URL for iron-dignity.com no longer links to seven of the porn URLs formerly in its green tree, showing how quickly things can change. One URL is now red.

Please note:
SiteAdvisor’s FAQ and support site:
Why don’t you rate Adult content?
How do you rate pornographic or adult Web sites?

SiteAdvisor’s key statement:

“Our goal is to help you stay safe online by testing everything on the web and reporting our test results on our Web site and through our software. We are testing primarily for safety, security, and online nuisances, not for potentially offensive content. So please don’t misconstrue our ‘green’ safety ratings as an endorsement of a Web site’s specific content or general subject matter, or as a general quality rating of the Web site. In particular, this means that many adult sites, which some people may find to have objectionable content, will receive green ratings if they pass our safety tests.”

Fair enough.

One lingering question is a 'what if' scenario regarding possible redirects, given the speed of change...

It boils down to the end user having to take responsibility for practicing safe surfing habits.

No matter what it is labeled, surfing for free porn is the source of countless computer infections.

Keywords redirect to Zango porn

by certifiedbug on August 15, 2006

in Security

Those who, intentionally or otherwise, search for potentially illegal content might find themselves redirected to disturbing videos.

Watch Zango porn and have Zango spyware installed on your PC?

Sunbelt reports on it here, and paperghost blogs his research here.

AOL Woes

by certifiedbug on August 9, 2006

in News, Security

After the discovery of AOL’s data release on 20 million searches performed by its customers, consumer complaints are mounting.

consumeraffairs.com
AOL Takes More Hits In Press, On Internet
August 7, 2006

AOL’s PR staff was working overtime this weekend, as the Internet Service Provider got some bad press in both old and new media for practices that are hardly news to those who’ve followed the company for years.

ST. LOUIS POST-DISPATCH
Even dead people can’t escape AOL
By David Sheets
08/04/2006

Gauthier even offered to send a copy of her father’s obituary as proof he truly was dead. AOL was unmoved.

“An AOL service guy told me to stop complaining and learn to use a computer,” she said. “Then he hung up.”

AOL bills the deceased, what’s up with that?
Article and Links

Google to continue storing search requests despite AOL gaffe
MICHAEL LIEDTKE
Associated Press
Posted on Wed, Aug. 09, 2006

SAN JOSE, Calif. - Although he was alarmed by AOL’s haphazard release of its subscribers’ online search requests, Google Inc. CEO Eric Schmidt said Wednesday the privacy concerns raised by that breach won’t change his company’s practice of storing the inquiries made by its users.

“We are reasonably satisfied … that this sort of thing would not happen at Google, although you can never say never,” Schmidt said during an appearance at a major search engine conference in San Jose.

Hardly a reassuring statement.

Release Date: August 2, 2006

Release Notes
Firefox 1.5.0.6 is a stability update that is part of our ongoing program to provide a safe Internet experience for our customers. We recommend that all users upgrade to this latest version.

  • Fixed an issue with playing Windows Media content

Downloading Firefox 1.5.0.6

Harry Waldron’s MVP Blog
Some tips on FIREFOX AUTOUPDATE SETTINGS

Microsoft TechNet
August 3, 2006

On 8 August 2006 Microsoft is planning to release:

Security Updates

  • Ten Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.

  • Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

Microsoft Windows Malicious Software Removal Tool

  • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

  • Microsoft will not release any NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).

  • Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.