Security Incidents mailing list archives
RE: 030.com
From: "Lombardi, Chris" <Chris.Lombardi () qwest com>
Date: Mon, 11 Nov 2002 13:59:00 -0700
Pest Patrol v4.0 is also a pretty good adware/spyware detector/blocker, and will also detect some of the more insidious programs, such as keystroke loggers. A corporate evaluation copy can be downloaded at www.pestpatrol.com/downloads/eval/DownloadCorpEval.asp. Regards, Chris Lombardi Manager, Qwest National Network Element Security 303/992-7474 "The best security practices in the world can't outwit stupidity." Only the named recipient(s) should read this e-mail and/or it's attachments. It may contain privileged or confidential information. If you are not a named recipient or you received this e-mail by mistake, please notify me immediately by reply e-mail and delete this message. -----Original Message----- From: DonaldB () ecar org [mailto:DonaldB () ecar org] Sent: Friday, November 08, 2002 9:42 AM To: waitman () emkdesign com Cc: incidents () securityfocus com Subject: RE: 030.com Google returned the following link regarding 030.com: http://boards.cexx.org/spyware/messages/2052.html I strongly recommend using AdAware (with the most current signature file) from www.lavasoftusa.com My $0.02, DB -----Original Message----- From: Waitman C. Gobble [mailto:waitman () emkdesign com] Sent: Friday, November 08, 2002 10:56 AM To: incidents () securityfocus com Subject: 030.com Hello We realized earlier today that one of our Windows machines was attacked. Doing a keyword search from the address bar in Internet Explorer would send us to http://www.030.com. Modifying the system configuration and registry had no effect. After initial analysis it appears that the host file is tampered with, and an entry is made to trick Internet Explorer into sending you to the 030.com web site. Fixing the host file worked fine until this afternoon, when it was hijacked again. It really seems like it is an application on the machine, ie not coming from the Internet. It also appears that the host file is modified again, either after reboot or while running a particular application. Sending an email to the support contact at info () 030 com received a reply instructing me to go to their web site and click on a link that is supposed to remove the spyware. I sent emails to the IP block owners of both 030.com and the ip in the hosts file, requesting that they investigate this matter and terminate the activity. I could care less if the owner of the site sends a friendly email instructing how to disable the thing. The hijacking should not have happened in the first place. If anyone has the same problem with 030.com please contact me at your convenience. Thanks and Best, Waitman Gobble EMK Design 5681 Beach Blvd Ste 101 Buena Park California, 90621 Toll Free in the US 877-290-2768 +1.7145222528 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- 030.com Waitman C. Gobble (Nov 08)
- Re: 030.com Nick FitzGerald (Nov 11)
- <Possible follow-ups>
- RE: 030.com DonaldB (Nov 08)
- RE: 030.com Arnold, Jamie (Nov 11)
- RE: 030.com Lombardi, Chris (Nov 12)