CastleCops, Internet Crime Fighters
Spyware: Sunbelt updates Counterspy to thwart the vicious keylogger
Sunbelt Software Counterspy
Sunbelt's Patrick Jordan in an earlier article discovered a heinous CoolWebSearch ID Theft Ring. Today, Alex Eckelberry updates netizens with more details. The keylogger, coined "Srv.SSA-KeyLogger", is a backdoor program that, among other things, secretly steals data from users' internet sessions, including logins and passwords from online banking sessions, eBay, PayPal, and other programs that use HTML forms to collect personal information. It is a new variant of a family of existing trojans generally known as Dumaru or Nibu.

So far, the earliest known infected HijackThis log is from Dec 20, 2004. See this post with winldra.exe. More information can be found in this startup entry (with references to Symantec and Sophos).

Quote: "It runs under Internet Explorer (IE), so it is generally undetectable by a software or hardware firewall." So much for my ranting about the need to run a software firewall.

A typical practice with Zone Alarm is to set a Prompt flag on Internet Explorer (and other browsers) when it tries to access the Net. There have been malware applications in the past that would launch a new instance of Internet Explorer, under its own process ID, which would gain outside access because users typically "trust" IE in their firewall. With Zone Alarm, setting it to Prompt on new IE instances will prevent that from occurring without gaining the user's permission first. No more transparent net access riding on a new IE process ID. We do not know at this time if that is the case with winldra.exe, or if somehow winldra.exe is gaining entry to an existing IE process connection which already has authorized external access.
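One host-side check for the first of the two cases above (a fresh IE instance launched by something other than the user's shell), as an added example that is not from the CastleCops post or from Sunbelt; the process snapshot and the expected-parent list are constructed assumptions for illustration:

```python
"""Flag Internet Explorer processes that were not started by the desktop shell.

Added example (not from the CastleCops post or Sunbelt). The post notes that
malware has launched its own instance of a 'trusted' browser to inherit the
firewall permission users grant IE. Walking a process snapshot and flagging
iexplore.exe whose parent is not the shell (or another IE) surfaces that.
The snapshot below is constructed sample data, not a real capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Parents from which an interactive IE launch is expected (assumption for this example).
EXPECTED_IE_PARENTS = {"explorer.exe", "iexplore.exe"}


def suspicious_ie_launches(snapshot):
    """Return (child, parent) pairs where iexplore.exe has an unexpected parent.

    A parent missing from the snapshot (already exited) is reported as None,
    since a dropper often exits right after spawning the browser."""
    by_pid = {p.pid: p for p in snapshot}
    hits = []
    for p in snapshot:
        if p.name.lower() != "iexplore.exe":
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or parent.name.lower() not in EXPECTED_IE_PARENTS:
            hits.append((p, parent))
    return hits


# Constructed snapshot: one IE launched by the shell, one spawned by a process
# using the file name from the post's infected HijackThis log, one orphaned.
SAMPLE_SNAPSHOT = [
    Proc(4, 0, "System"),
    Proc(1234, 4, "winlogon.exe"),
    Proc(1500, 1234, "explorer.exe"),
    Proc(2000, 1500, "iexplore.exe"),
    Proc(2100, 1500, "winldra.exe"),
    Proc(2200, 2100, "iexplore.exe"),
    Proc(2300, 9999, "iexplore.exe"),  # parent already gone
]

if __name__ == "__main__":
    for child, parent in suspicious_ie_launches(SAMPLE_SNAPSHOT):
        who = parent.name if parent else "<exited>"
        print(f"pid {child.pid} iexplore.exe spawned by {who} (ppid {child.ppid})")
```

This only covers a separately spawned IE; code injected into an already-authorized IE process, the second possibility the post raises, shows a normal parent and needs a different check.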

Alex continues in his blog:

Protecting yourself against this keylogger: On Thursday, Sunbelt will be offering a free detection and removal tool on its website specifically targeted at this keylogger.

As an alternative, users can immediately download the two week trial version of CounterSpy, which provides free scanning and remediation for this keylogger and a large number of other spyware threats.


Visit the official Counterspy forums for details.

Note: As the story unfolds and more information is made available, Sunbelt quote: "This keylogger is not CoolWebSearch. It was discovered during a CoolWebSearch (CWS) infestation, but it actually is its own sophisticated criminal little trojan that's independent of CWS."
Posted on Wednesday, 10 August 2005 @ 17:35:10 UTC by Paul (2229 reads)
Re: Sunbelt updates Counterspy to thwart the vicious keylogger (Score: 1)
by Toker  on Saturday, 13 August 2005 @ 13:18:00 UTC
CWS is part of GammaCash and hasn't been pushing the XXXtoolbar for a while. Nor are they dumb enough to add that to a toolbar, as they have too big a company to risk. If you want I could give you the URL for the XXXtoolbar (CWS) affiliate help forum...

I would love to see the URL for what Sunbelt used. Toolbars like CWS are adware, so to speak, and not spyware. Not even Hooper, who wrote iSearch and loads it into all downloads from iDownload.com, is stupid enough to add spyware to a toolbar, which makes surfing hell and can't be overlooked.

Most of the actual spyware is written in Java JARs and can be found in the jpi-cache/Jar/1.0 folder. Most people don't even know they have it and that it's sending info to a URL to be collected. But spyware is quiet and doesn't want to let anyone know it's there. The biggest percentage of spyware is pushed by Russians or webmasters from that part of the world, and the domains are registered at ESTdomains.

Also, almost all the actual spyware info is sent to just a few URLs and would be easy to stop..

Might surprise you to know MIT in Boston writes some of it..

And how does DoubleClick still get away with collecting info when they've been taken to Federal Court and fined in the past? Bet ya have a cookie from doubleclick.net..