Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: 030 igetnet ignkeywords

From: "Waitman C. Gobble" <waitman () emkdesign com>
Date: 12 Nov 2002 06:34:57 -0800
Hello

Couple of things to note. The file is signed by IGetNet, LLC using a
Verisign cert. I suppose that signed applications are always
trustworthy?

I realize the obvious painful answer is that it was installed by
clicking on a link on a web site, and allowing it to install HOWEVER -
everyone I have heard from has NO recollection of doing such a thing.

IMO This thing behaves like a sticky virus, it mysteriously gets
installed on the machine, and seems to be difficult to remove. Chris
Wagner kindly posted a link on this ng to removal instructions that seem
to work, however one person telephoned me last night and indicated that
the conditions persist even after following the instructions.

I haven't heard anyone making the claim that the "browser upgrade" from
IGetNet is useful, in fact everyone I have heard from is upset about it
and from wants it permanently removed from their system as quickly as
possible.

It brings to my mind the term "viral marketing".

In my opinion IGetNet wants to come into the picture, apparently through
the back door, as a replacement for RealNames. I am not sure that
enough, if any, people would actually buy keywords from them. After
losing close to $1200 US when RealNames got its plug pulled, I wouldn't
touch IGetNet with a ten foot pole.


I have a hunch that this is coming in through a program that does
unattended (or attended for that matter) automatic updates, or a program
that routinely gets stuff off the Internet, like a music player.

Additionally, I imagine any day now the phone will start ringing off the
hook from our clients that have mysteriously contracted the virus and
seek removal.

My guess is that this is the tip of the iceberg - bigger better faster
harder is certain to come.

Best,

Waitman Gobble
EMK Design
Buena Park, California
+1.7145222528


On Tue, 2002-11-12 at 02:39, J. Foobar wrote:
    I have recently detected a few internal machines being
    solicited to download a file called
    "Internet.Explorer.Browser.Security.Upgrade.exe"
    
    I perform a parse of proxy logs looking for .exe
    downloads by users in my enterprise periodically
    (maybe 3 times a week) and I have just noticed this
    for the first time a few days ago in the 3-4 months I
    have been doing this.
    
    I have a close look at the traffic of the one internal
    dolt stupid enough to actually download the file.  He
    was surfing animatedgif.com, which is pop-up and
    cookie hell, and was probably solicited to download
    this by the IP 216.40.225.62, which serves some sort
    of "Keyword Tracking" function and is an IP assigned
    to Everyones Internet, Inc (ev1.net, Texas). 
    
    I wonder if they are related, at least conceptually.
    
    I have not yet had a chance to examine the end user's
    machine and I do not yet know if he was silly enough
    to actually run the .exe.
    
    Regards,
    Justin  
    
    
    --- "Waitman C. Gobble" <waitman () emkdesign com> wrote:
    > Hello
    > 
    > I have found more information regarding my original
    > 030.com post.
    > 
    > The machine that is infected is running Windows XP
    > Professional with all
    > service packs and hotfixes.
    > 
    > Additionally, it is running Norton Antivirus 2003
    > with the latest
    > database, and the machine checks clean.
    > 
    > There is a file running on boot:
    > 
    > C:\WINDOWS\WinStart.exe (the date of this file is
    > November 11, 2002)
    > 
    > The file properties indicate that it originates from
    > IGetNet, LLC. The
    > whois information shows that this is the owner of
    > ignkeywords.com
    > 
    > Also, this file exists:
    > C:\WINDOWS\prefetch\WINSTART.EXE-2C11637C.pf.
    > 
    > It's date and time reflect the last time the machine
    > was booted. Please
    > note that I am not sure what this file is, but it
    > seems to relate.
    > 
    > The machine now seems to go to ignkeywords.com,
    > however sometimes it
    > goes to 030.com, which is what we originally
    > observed.
    > 
    > The WinStart file is labelled as a "Browser Upgrade"
    > in the file
    > properties thingy.
    > 
    > Thanks and Best
    > 
    > Waitman Gobble
    > EMK Design
    > Buena Park, California
    > +1.7145222528
    > 
    > 
    > 
    >
    ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS
    > analyzer service.
    > For more information on this free incident handling,
    > management 
    > and tracking system please see:
    > http://aris.securityfocus.com
    > 
    
    
    __________________________________________________
    Do you Yahoo!?
    U2 on LAUNCH - Exclusive greatest hits videos
http://launch.yahoo.com/u2
    
    


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: