Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Please treat content from adservdb.com with extreme caution

August 28th 2008

Malicious destination URL: security-scan-pc.com
Malicious campaign URL: adservdb.com/ads/?id=d3
The id=d3 URL completes various checks (browser version mostly) and then redirects to this URL: adservdb.com/tmp01.asp
The tmp01.asp URL sets a cookie, and completes various checks (Year, Month, Date, Hours, Minutes, Milliseconds, browser version) and, if the PC passes the test, we are redirected to this URL: […]


IE8 Beta 2 has been released…

August 27th 2008

Enjoy: http://www.microsoft.com/windows/internet-explorer/beta/
Upgrading notes: PLEASE READ THE RELEASE NOTES!!!
Compatibility issues: HP Smart Web Printing (some versions); Google Toolbar (some versions); DriveLetterAccess (Roxio) (some versions); Skype add-in (some versions); Visual Studio .NET Version 7; Real Player 11; Windows Live Mail; Netflix; VB6.0 ActiveX Controls; Window-Eyes; Hotmail log-off – details are in the Release Notes, but […]


ALERT: please treat all content from admarketcenter.com with extreme caution

August 26th 2008

admarketcenter.com has been implicated in the distribution of malvertizements.
AdMarketCenter.com – IP: 216.195.62.169
Registrar: Godaddy.com
Date created: 15 November 2006
WHOIS registrant, admin and technical contact: bert_205@hotmail.com
Hostnames sharing IP with A-records: excursionglobe.com, mypussyworld.com
Sharing mailserver IP: Nil
Sharing name server: lots
Excursionglobe.com is a known bad actor. See this blog entry: http://msmvps.com/blogs/spywaresucks/archive/2008/01/13/1459605.aspx
Note that the script mentioned in that […]


winningsurveys advertisement – potential malvertizement

August 25th 2008

Created using Fuse.


mediamate malvertizements – several samples

August 25th 2008

I received three separate samples of a mediamate malvertizement today, all with different names.
First sample
This time it hit googiesindication.com – IP: 217.150.254.47
Registrar: TLDS, LLC DBA SRSPLUS
Creation date – 26 November 2007
Registrant, administrative and billing contact: Jon Lod (mail@googiesindication.com)
Domains sharing nameservers (there are some old names here – all known […]


Totally off topic!!

August 23rd 2008

How cute is my little nephew?  He is reading THE most important section of the newspaper – Cars for Sale – he’s going to be a car fan, just like his daddy (no, that’s not his daddy in the picture, that’s one of his uncles).  He’s the only almost-3-year-old I know who, when asked what […]


Anatomy of a malware scam – The evil genius of XP Antivirus 2008

August 22nd 2008

Love the title Jesper! http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/ Jesper’s article includes a description of a browser hijack intended to dump its victim at a fraudware site. It also takes a close look at the fraudware itself – its installation, its behavior after install, and how it tries to convince victims to part with their hard-earned cash by […]


Another potential malvertizement – so new, it’s still warm from the oven….

August 22nd 2008

Not confirmed, but suspicious – generated using Fuse:


Your questions answered: fraudware infection vectors

August 22nd 2008

I received this email a few days ago: Dale’s email is certainly worth answering; I’ll do my best ;o) Fraudware such as XP Antivirus 2009 (or 2008) and its myriad stablemates does not come in strictly via the Clipbook vector. On the contrary, my opinion is that the clipboard trick is one of their […]


Successfully detected malvertizing samples are flooding in…

August 22nd 2008

Featuring…
Careerbuilder.com (hits newstat.net, profitabill.com and adverdaemon.com)
Skype (hits statsgroup.net, profitabill.com and adverdaemon.com)
mediaman (hits statsgroup.net, profitabill.com and adverdaemon.com as well as stats.sellmosoft.net and stats2.reliablestats.com)
nielsen and bighip
