zOMG SPYWAREZ (24)

1 Name: hotaru!hoTarufiRE!!Cizp3pu2 05/01/02(Sun)22:41 ID:kgh92aWB

www.lyricspy.com installs spyware (only on windows systems, AFAIK) without any user interaction in internet explorer or firefox... probably in opera, too, but i don't have opera on this computer to test it...

2 Post deleted by user.

3 Name: CYB3R H4XX0R G33K 05/01/03(Mon)01:41 ID:Heaven

how?

4 Name: CYB3R H4XX0R G33K 05/01/03(Mon)04:19 ID:Heaven

I just opened the page with a safe browser (Sam Spade 1.14) and I can't seem to find where it executes any javascript that may be malicious. All I've found is that the page was built originally as a Dreamweaver Template and they forgot to clean up the mess that it left behind, and some window resizing in the small amounts of javascript present.

Could >>1 please at least try to help source where this "spyware injection" occurs in the page's code?

5 Name: hotaru!hoTarufiRE!!Cizp3pu2 05/01/03(Mon)04:21 ID:FtK/Rjox

i don't know... i just know i clicked on a link to that site from google (and firefox was the only program i had running and that was the only thing open in it) and the yellow bar popped up in firefox saying firefox prevented the site from installing spyware and then some "TSA Installer" appeared in the system tray... and when i killed the process the machine blue-screened... it took me half an hour to get all the junk off that machine... and i know none of it was on there before because i just reinstalled windows the day before and the computer was not used at all until today...

6 Name: Albright!LC/IWhc3yc 05/01/03(Mon)05:37 ID:Heaven

Spyware? What is this... spyware... you speak of?

(And people wonder why Mac users are so devoted...)

7 Name: Sling!myL1/SLing 05/01/03(Mon)05:48 ID:V79ZzTd8

>>5
Another "TSA Installer" horror story:
http://www.dvd.reviewer.co.uk/forums/thread.asp?Forum=292&Thread=373560&Type=1&NewPosts=1

btw do you have a firewall?

8 Name: Sling!myL1/SLing 05/01/03(Mon)06:01 ID:V79ZzTd8

Was the name of the file tsa.exe?
If so it's a spyware that monitors browsing habits and distributes the data back to the author's servers for analysis.

9 Name: Jedi_Vader20!KxPtEJqYRA!!JGEbj+wR 05/01/03(Mon)06:39 ID:Heaven

I'm half tempted to have a look myself... But not on this machine of course.

10 Name: Jedi_Vader20!KxPtEJqYRA!!JGEbj+wR 05/01/03(Mon)06:42 ID:Heaven

The page loaded fine... I really fail to see the issue with it, maybe you already had this spyware from another site?

shrugs

11 Name: hotaru!hoTarufiRE!!Cizp3pu2 05/01/04(Tue)04:41 ID:xdOhWwpZ

>>8
the name of the file was "tsa_instaler.exe"

>>10
i reinstalled windows and then installed firefox and went straight to that site and it happened again...

12 Post deleted by user.

13 Name: Sling!myL1/SLing 05/01/04(Tue)07:10 ID:pfxrLh8s

firewall, firewall, do you have a firewall?

14 Name: !WAHa.06x36 05/01/04(Tue)13:34 ID:0koaxK2s

I did some testing, and I didn't seem to catch anything from going to the front page in either IE or Firefox, on XP or ME. However, these computers do sit behind quite a big firewall. Also, you said you followed a Google link - did this happen on a subpage or on the front page? I only viewed the front page.

15 Name: hotaru!hoTarufiRE!!Cizp3pu2 05/01/04(Tue)18:35 ID:BM9MwOAJ

>>13
no, i don't have a firewall

>>14
the first time it happened from a subpage, but then after i reinstalled windows and went to the site it happened on the front page.

16 Name: Sling!myL1/SLing 05/01/04(Tue)18:43 ID:x6GgmRhq

>no, i don't have a firewall

ok then that's one big vulnerability right there.
Install a firewall, for example ZoneAlarm.

Next question will be: what version of Windows do you use?

17 Name: hotaru!hoTarufiRE 05/01/04(Tue)22:47 ID:pT0N8Yq5

>>16
perhaps you can recommend a firewall that would be free for me to install on this machine? it's at the school where i work... and http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=nav_za says "ZoneAlarm is free for individual and not-for-profit charitable entity use (excluding governmental entities and educational institutions)."
also, i'm using windows 2000.

18 Name: Sling!myL1/SLing 05/01/05(Wed)00:53 ID:x6GgmRhq

>also, i'm using windows 2000.

Is it up-to-date on security patches against direct attack viruses like Blaster/Sasser?

19 Name: CYB3R H4XX0R G33K 05/01/05(Wed)01:24 ID:pT0N8Yq5

>>18
yes, it is up to date.

20 Post deleted by user.

21 Name: hotaru!hoTarufiRE 05/01/05(Wed)01:26 ID:pT0N8Yq5

>>19 is me, as you can see from the ID... for some reason the cookie didn't get set when i posted before...

22 Name: Sling!myL1/SLing 05/01/05(Wed)04:52 ID:x6GgmRhq

The next step would be to install a firewall.
I don't know any free firewall for non-personal use but if it's the school computer they should get/buy a firewall asap. Non-firewalled computers become zombie computers in no time nowadays.
Then if the attack still happens with the firewall in place, we can start looking for jpeg exploits and similar nasties. Though if you have your security patches up-to-date the jpeg exploit is less likely.
Oh wait... which version of Firefox are you using?

23 Name: hotaru!hoTarufiRE!!Cizp3pu2 05/01/05(Wed)06:12 ID:C0oG1NY0

firefox 1.0

24 Name: Sling!myL1/SLing 05/01/05(Wed)07:20 ID:x6GgmRhq

Ah. Then we are back to the firewall.