  1. #1
    Donuts (Lite On The Do, Heavy On The Nuts)
    Join Date: January 18th, 2005
    Location: Winter Park, FL
    Posts: 6,930
    Microsoft's HoneyMonkey Patrols the Web
    Sunbelt, the makers of an anti-spyware tool called CounterSpy, send out a newsletter. Here's a piece from their latest one about a new project by Microsoft called HoneyMonkey... where MS has set up machines to act as honey pots / honey traps to find badly behaving websites...

    Sunbelt's text from their emailed newsletter dated Aug 20, 2005:
    "Microsoft's HoneyMonkey Patrols the Web
    Microsoft has been testing a project called HoneyMonkey that functions as an automated Web patrol program using multiple WinXP computers to hunt down Web-based security exploits. Now they've officially launched the project, and it identified 752 URLs containing exploits that are infecting XP computers in its first month. You can read more about it here:
    http://www.wxpnews.com/rd/rd.cfm?id=...TI-HoneyMonkey "

    I couldn't find a link to the newsletter on Sunbelt's site... but here's another confirming article - from Microsoft:
    http://research.microsoft.com/HoneyMonkey/

  2. #2
    Internet Cowboy
    Join Date: January 18th, 2005
    Posts: 4,662
    MS seems to be the only real player in networks that is against the bad things going on, or at least they are the only one who seems to be doing anything about it.


  3. #3
    ecomcity (2005 Linkshare Golden Link Award Winner)
    Join Date: January 18th, 2005
    Location: St Clair Shores MI.
    Posts: 17,328
    Great application jointly developed by MS and the various Federal CyberCrime, FTC and Can-Spam projects. Bet Microsoft is throwing fear into the BHO infestation games and this one really targets the "zombie spam" and DDoS exploiters also stuffing Spyware/Adware through those backdoors. Gates hates spammers and security hole exploiters. He'd save money by hiring 3rd world assassins to whack the perps as they exit their houses and run related news stories on MSNBC.... or Fox News...LOL.

    If you think the networks, monetizing these cybercriminals through their various affiliate channels, aren't under the microscope ...think again! Forwarding web pages that OUT the perps and tickle the CyberCrime units' radars will lead to law suits and perp walks.

    Example: http://www.kephyr.com/spywarescanner...com-2005-08-17 as that one is a treasure trove for MS, The FBI's snoop app, and the likes of Ms.B and Ben needing some targets.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  4. #4
    ecomcity (2005 Linkshare Golden Link Award Winner)
    Join Date: January 18th, 2005
    Location: St Clair Shores MI.
    Posts: 17,328
    "Internet attacks that use Web servers to exploit browser vulnerabilities to install spyware programs are a serious emerging threat. In this paper, we introduce the concept of Automated Web Patrol, which aims at significantly reducing the cost for monitoring malicious Web sites to protect Internet users. We describe the implementation of the Strider HoneyMonkey Exploit Detection System (who says MS has no humor?), which consists of a network of monkey programs running on virtual machines with different patch levels and constantly patrolling the Web to hunt for Web sites that exploit browser vulnerabilities.

    Within the first month of utilizing this new system, we identified 752 unique URLs hosted on 287 Web sites that can successfully exploit unpatched WinXP machines. The system automatically constructs topology graphs that capture the connections between the exploit sites based on traffic redirection, which leads to the identification of several major players who are responsible for a large number of exploit pages and appear to be building a business model based on such attacks. By monitoring the 752 exploit URLs on a daily basis, we were able to find a malicious Web site that was performing zero-day exploits of the unpatched javaprxy.dll vulnerability at that time. It was confirmed to be the first in-the-wild, zero-day exploit URL of the vulnerability reported to the Microsoft Security Response Center."
    http://www.usenix.org/events/sec05/wips/wang.pdf

    Funny how this wank is getting blips on the Cybercrime radar... http://www.google.com/search?sourcei...iscloth+INC%2E

    Bariscloth INC.
    P.O. Box 82532
    Tampa, Florida 33682
    United States

    Registered through: GoDaddy.com
    Domain Name: AIMFACE.COM
    Created on: 22-Dec-01
    Expires on: 22-Dec-05
    Last Updated on: 22-Nov-04

    Administrative Contact:
    Bariscloth INC., Bariscloth INC. dcwesley1@msn.com
    Bariscloth INC.
    P.O. Box 82532
    Tampa, Florida 33682
    United States
    8134760332 Fax --

    Potentially unwanted software installation practices

    Over the last few years new types of software have appeared; some show advertisements, monitor the web sites you visit, change the browser's search settings, change the browser's results, redirect you to a new site when you mistype a URL, etc. They are generally advertised with wording such as "enhance your online experience", "assist you when you reach a non-existing page", and "improve your internet searches", while many end users call them "adware", "hijackers" and "spyware".

    Aimface.com - 05 Aug 2005
    In April 2005 I visited a site called aimface.com which opened up a download dialog for a program called ChangeYourIcon.exe. When starting this .exe file a large number of additional software components were installed, without giving proper notice.

    Today I visited aimface.com once again. ChangeYourIcon.exe is still available and installs "AdDestroyer", "Internet Optimizer", "ISTsvc", "Media-motor", "Search Assistant" (from 180Solutions), "SideFind", "The ABI Network - A Division of Direct Revenue", "The BullsEye Network", "Virtual Bouncer" and "YourSiteBar", which appear in the Add/Remove Programs dialog. ChangeYourIcon.exe still does not give any notice that it installs roughly 20 MB of additional software.

    Update 2005-08-13: Josh has kindly assisted me with some testing and it appears that US based systems get more unwanted software than I get on my machine. For the full details, please examine the HijackThis log before running ChangeYourIcon, the log after installing and the Microsoft Antispyware log.


    195.95.218.84 - 30 Jun 2005
    The 195.95.218.84 video shows how software is installed without user consent by exploiting a security hole. "The ABI Network - A division of Direct Revenue" and "WareOut" appear in the Add/Remove programs dialog, but additional software is also installed which only appears in the logs generated with HijackThis (1, 2).


    IOWrestling.com Part I - 30 Jun 2005
    The iowrestling.com part I video shows the installation practices used by two Panamanian corporations.

    The first application is developed by a company called "much media", according to the EULA available at http://newsh.com/terms.html. Much media's custom installation dialog (01:39) is launched by exploiting a security hole and uses the misleading text "Close this Window, Continue" on the button that should be clicked if you accept the software. The standard close button in the upper right corner does not close the window. Furthermore, no entry is available to remove the software from the "Add/Remove programs" dialog (05:20).

    The second application named "Browser Enhancer Tools software" from "KVM Media" opens an ActiveX dialog (03:03), with the misleading message "IE Browser update available. Your browser is not fully upgraded". If you choose to install it, no entry will be available in the "Add/Remove programs" dialog (05:20) to remove the software. "Browser Enhancer Tools" may also download third party software, some of them are named and have their EULAs attached. The following products names, company names, web sites and EULA links can be found in http://icannnews.com/eula.html.
    NewtonKnows, Virtumundo, Inc, http://privacy.virtumundo.com/optout/
    MEDIATICKETS, MEDIATICKETS, LLC, http://www.mediatickets.net/terms.php
    Surf Sidekick ad serving software, BTS
    Best Offers ad targeting software, Best Offers, LLC,
    eXact Advertising, LLC, CashBack by Bargain Buddy, Bullseye and NaviSearch
    Search Request Toolbar, also called DownloadsManager, http://206.58.237.248/remove/.
    BetterInternet, LLC, Ceres,
    404SEARCH SOFTWARE, 404Search Inc,
    Zango, 180solutions, Inc
    MainStreamDollars Affiliate Program, 617577 B.C. Ltd. D/b/a MainStreamDollars,
    Cash4Toolbar Affiliate Program, Cash4Toolbar.com
    TargetSaver, Inc
    BOOKEDSPACE PLUG-IN, BookedSpace.com
    Some of these will also install additional third party software.

    In your opinion, are Much Media's and KVM Media's installation practices acceptable?
    For your reference I've created logs with HijackThis (1, 2, 3), generated a list of all files and registry entries which were added, deleted or modified during the installation, md5 and sha1 hashes for some of the files created during the installation and a network log.

    The following are the new entries that appear in the HijackThis logs:
    C:\DOCUME~1\Roger\LOKALA~1\Temp\nsh_115.exe
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\sgftpub.dll
    O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\stmpsnap.dll

    Vitalsecurity.org has documented a similar installation at IOWrestling.


    Crazy-toolbar.com Part II - 29 Jun 2005
    Warning! Do not visit crazy-toolbar.com! The Crazy-toolbar.com part II video shows how unwanted applications are installed without consent, by exploiting a security hole. "Content Devlivery Module", "Internet Optimizer", "RichEditor", "Spy Sheriff", "The ABI Network - A division of Direct Revenue", "The BullsEye Network", "TSA", "UCMore - The Search Accelerator" and "WeirdOnTheWeb" appear in the Add/Remove programs dialog, but additional software is also installed which only appears in the logs generated with HijackThis (1, 2, 3, 4, 5).

    For your reference I've also created a list of all files and registry entries which were added, deleted or modified during the installation, md5 and sha1 hashes for some of the files created during the installation and a network log.

    See also "Crazy-toolbar.com Part I".



    FasterXP.com - 08 Jun 2005
    Fasterxp.com by Optisoft offers a program that according to the developer will boost your hard drive's speed, increase your connection speed by up to 200%, decrease your HDD's access time and fragmentation, block IE pop-up and pop-under ads, enhance your system, make it more effective, improve the reaction time of the Start menu, launch Internet Explorer much faster, search the web without loading search engines and promises to be 100% spyware free. The download page states that it is 100% free from virus, spyware and trojans.
    What is not that clearly disclosed is that the FasterXP program bundles additional software such as "My Search Bar", "Search Assistant - My Search", and "The ABI Network - A Division of Direct Revenue" (all identified by the names in the "Add/Remove programs" list) as shown by the FasterXP installation video (sorry for the low update rate). In order to find out that FasterXP bundles additional software you have to click a tiny link at the fasterxp.com web page, scroll down to the end of the FasterXP license where a link to BetterInternet's EULA appears, followed by the MySearch and TopReβates EULA.

    FasterXP bundles MySearch, TopReβates and software from BetterInternet. Do you think FasterXP's disclosure of the third party software is clear enough?
    For your reference I have created a log with Microsoft Antispyware and three HijackThis logs (1, 2, 3), where the first is generated before installing FasterXP. Microsoft Antispyware reports "Transponder.ABetterInternet.Aurora Spyware", "Transponder.ABetterInternet.Ceres Spyware", "My Search Bar Browser Plug-in" and "My Way Speedbar Browser Plug-in". Other observations from the videos:
    1) Internet Explorer's homepage changed to fasterhomepage.com. (I am not able to find where this is disclosed in the FasterXP EULA, can you? The EULA is available at http://198.87.3.82/fasterxp/eula.html.)
    2) fasterhomepage.com does not offer any help how to change the homepage.
    3) fasterhomepage.com is reported to violate Google's terms of service.
    4) Entering a non-existing domain name redirects the browser to ms126.mysearch.com

    Other observations:
    1) ArcaVir reports "Trojan.Downloader.Multi.M30", Fortinet reports "W32/AGENT.OO-tr" and Kaspersky Anti-Virus reports "Trojan-Downloader.Win32.Agent.oo" when scanning fasterxp.exe with Jotti's malware scan.
    2) OptiSoft S.L. Madrid is the owner of the Blubster P2P software.
    3) fasterhomepage.com registrant: Alfredo J. Bravo C. Pavones 34B 4B Madrid 28032 Spain.
    4) fasterhomepage.com administrative contact: Soto, Pablo pablo@pioletBLOCKED.com Av. Mediterraneo 24 Madrid 28007 Spain 915011239 Fax.
    5) You may redistribute the unmodified FasterXP software, as stated in the FasterXP EULA: "USER MAY NOT, UNDER ANY CIRCUMSTANCES, REDISTRIBUTE SOFTWARE, UNLESS THE SOFTWARE IS IN ORIGINAL UNMODIFIED FORM AS DOWNLOADED FROM THE Optisoft WEBSITE. .." Can OptiSoft, BetterInternet, My Search and Top Reβates make sure that the EULA is displayed if someone else redistributes FasterXP?
    6) FasterXP appears to have file-sharing capabilities, according to the FasterXP EULA: "FasterXP OR Optisoft DO NOT OWN OR CONTROL ANY FILE SHARED USING THIS SOFTWARE. FasterXP IS ONLY THE SOFTWARE THAT ALLOWS YOU TO CONNECT TO OTHER USERS. WE DO NOT HAVE ANY CONTROL OVER THE CONTENT OF USERS OR THE ACTIONS OF OTHER USERS, AND WE ARE NOT ALLOWED TO EXAMINE THE INFORMATION THAT YOU CAN TRANSFER WITH THE SOFTWARE. THE GATEWAYS AND NODE CACHES THAT THE FasterXP SOFTWARE USES DO NOT INDEX ANY FILE LISTINGS, NOR DO THEY ENABLE FasterXP OR Optisoft TO CONTROL OR MONITOR THE ACTIONS OF ANY USER..".
    7) The seaWDurlIE.exe file mentions "Piolet" as the company name. According to Wikipedia "Piolet is a MANOLITO servent developed by Pablo Soto. Piolet shares the same codebase as Blubster; the name change is a result of concerns from Pablo Soto's employer, Optisoft."


    ImBuddy.net - 13 Apr 2005
    ImBuddy.net has a large archive of buddy icons and away messages for instant messaging clients. When visiting some of the icons' web pages at imbuddy.net a download dialog will appear asking you to download a file called "ChangeYourIcon.exe". I scroll down the page looking for links named "EULA", "License", "Terms", "Terms of Use", etc., something that would give more details about ChangeYourIcon.exe. None of these links appear, so I hope that the ChangeYourIcon.exe file will launch a standard install wizard that gives me more details of the functionality. Unfortunately, the installation starts immediately without showing any additional information and adds a large number of software components to my system, failing to show any end user license agreements, failing to show a general description of the bundled software, even failing to inform the user that additional software will be installed.

    (ImBuddy.net documents the fact that additional software might be installed by the software provided from their website; however, you must either 1) scroll to the bottom of the web page, click "Privacy Policy" and scroll down to "VIII. Third Party Advertising", which mentions the same products and links to the same end user license agreements as the installation documented at aimface.com 2005-04-12, or 2) scroll down to the bottom of the web page and click "Uninstall", which mentions the following "Add/Remove" entries: ShopAtHomeSelect Agent, 180search Assistant, Bullseye Network, WebSearch Tools, WinTools, WebSearch Toolbar, e2giveSoftware and Surf Sidekick. This list of products does not match the software products that are installed.)

    The installation is documented with a video captured of ImBuddy.net. There are also logs from Microsoft AntiSpyware, Adaware and HijackThis available for reference of what was added to the system during the installation.

    Microsoft antispyware reports the following threats:
    ShopAtHome Spyware
    Xrenoder Browser Plug-in
    WindUpdates Browser Plug-in
    CoolWebSearch Browser Modifier
    AvenueMedia.DyFuCA Browser Plug-in
    IST.ISTbar Browser Modifier
    MoneyTree Dialer
    NCase Browser Modifier
    Twain Tech Adware
    IST.XXXToolbar Toolbar
    IST.SideFind Adware
    YourSiteBar Spyware
    TargetSaver Trojan Downloader
    Unclassified.Spyware.47
    WindUpdates.MediaAccess Adware
    Unclassified.Spyware.57
    AdDestroyer Adware
    IST.SlotchBar Toolbar
    IEPlugin Spyware
    Virtual Bouncer Adware
    180search Assistant Adware
    AdAware reports the following references:
    180Solutions
    AdDestroyer
    DyFuCA
    istbar
    MediaMotor
    Possible Browser Hijack
    SahAgent
    SideFind
    WindUpdates
    VirtualBouncer
    YourSiteBar

    Aimface.com - 12 Apr 2005
    AimFace.com offers a large collection of buddy icons and away messages for AOL Instant Messenger. When visiting some of the icons' web pages at aimface.com a download dialog will appear asking you to download a file called "ChangeYourIcon.exe". Instead of immediately running this file, I decide to look for some sort of description of what the ChangeYourIcon program does. The name of the file and the web site indicate that it will modify the icons in my AIM client; however, I would not take it for granted, so I scroll down the page looking for links named "EULA", "License", "Terms", "Terms of Use", etc., something that would give more details about ChangeYourIcon.exe. Since none of these links appear, I hope that the ChangeYourIcon.exe file will launch a standard install wizard that gives me more details of the functionality. Unfortunately, the installation starts immediately without showing any additional information and adds a large number of software components to my system, failing to show any end user license agreements, failing to show a general description of the bundled software, even failing to inform the user that additional software will be installed.

    There is a video captured during the install process where you can study the installation procedure in more detail. I wanted to show the "Add/Remove programs" list, but it had become inaccessible after the bundled software was installed, so there is also another video captured after restarting the machine where the "Add/Remove list" is displayed showing some of the bundled software products. The following software was installed, identified by the names in the "Add/Remove Programs" dialog: "Ad Destroyer", "Internet Optimizer", "ISTSvc", "Media Access", "Media-motor", "OfferAgent", "ShopAtHomeSelect Cash Back", "SideFind", "Uninstall 180search Assistant", "Virtual Bouncer" and "YourSiteBar".

    A scan with Adaware reports 397 critical objects, summarized as :
    180Solutions
    AdDestroyer
    CoolWebSearch
    DyFuCA
    istbar
    MediaMotor
    Possible Browser Hijack attempt
    SahAgent
    SideFind
    WindUpdates
    VirtualBouncer
    VX2
    YourSiteBar
    Microsoft Antispyware reports the following threats:
    ShopAtHome Spyware
    Xrenoder Browser Plug-in
    WindUpdates Browser Plug-in
    AproposMedia Browser Modifier
    Transponder.DLMax Spyware
    CoolWebSearch Browser Modifier
    AvenueMedia.DyFuCA Browser Plug-in
    IST.ISTbar Browser Modifier
    MoneyTree Dialer
    NCase Browser Modifier
    Roings Search Browser Modifier
    Twain Tech Adware
    VX2.ABetterInternet Adware
    IST.XXXToolbar Toolbar
    IST.SideFind Adware
    MediaMotor Trojan Downloader
    YourSiteBar Spyware
    Popuppers Trojan Downloader
    Virtumondo Adware
    Transponder.ABetterInternet.Ceres Spyware
    iSearch.DesktopSearch Spyware
    Unclassified.Spyware.47
    Transponder.Pynix Spyware
    WindUpdates.MediaAccess Adware
    Network1.Popups Adware
    Unclassified.Spyware.57
    AdDestroyer Adware
    IST.SlotchBar Toolbar
    EUniverse Updater Browser Modifier
    IEPlugin Spyware
    IST.PowerScan Adware
    Transponder.Farmmext Adware
    OfferAgent Adware
    Virtual Bouncer Adware
    180search Assistant Adware

    Now ain't that a load of crapware!!
    Last edited by ecomcity; August 22nd, 2005 at 10:52 AM.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"
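The HoneyMonkey approach quoted in the post above boils down to three mechanical steps: a monkey visits a URL without clicking anything, the VM's file and registry state is diffed afterwards for executables and autostart entries the browser had no business creating, and the redirect chains are folded into a topology that exposes the hosts many sites funnel traffic into. The script below is an added example of those steps, not code from Microsoft's paper, from the forum posters or from kephyr.com. The browser cache folders, the autostart key list, the HijackThis line patterns, the placeholder hashes and the `.test` hosts are all my own constructed assumptions; two of the sample HijackThis lines and two file names repeat entries shown in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Folders the browser itself legitimately writes to during a visit (assumed
# layout of the monkey VM's profile); anything executable landing elsewhere
# is treated as a drive-by install, because the monkey never clicks a dialog.
BROWSER_DIRS = (
    "c:/documents and settings/monkey/local settings/temporary internet files/",
    "c:/documents and settings/monkey/cookies/",
)
EXEC_SUFFIXES = (".exe", ".dll", ".ocx", ".sys", ".scr")

# Registry locations where a new entry means code runs at logon or inside IE
# (the entries HijackThis reports as O2/O4/O20); assumed list, not exhaustive.
AUTOSTART_PREFIXES = (
    "hklm/software/microsoft/windows nt/currentversion/winlogon/notify/",
    "hklm/software/microsoft/windows/currentversion/run/",
    "hkcu/software/microsoft/windows/currentversion/run/",
    "hklm/software/microsoft/windows/currentversion/explorer/browser helper objects/",
)

def _norm(path):
    """Case-fold and use '/' so snapshots taken with different tools compare."""
    return path.lower().replace("\\", "/")

def diff_state(before, after):
    """Keys created or changed between two snapshots (key -> hash/value maps)."""
    return sorted(k for k, v in after.items() if before.get(k) != v)

def classify_visit(files_before, files_after, reg_before, reg_after):
    """Black-box verdict for one monkey visit: ('exploit' | 'clean', evidence)."""
    fb, fa = ({_norm(k): v for k, v in d.items()} for d in (files_before, files_after))
    rb, ra = ({_norm(k): v for k, v in d.items()} for d in (reg_before, reg_after))
    evidence = []
    for path in diff_state(fb, fa):
        if path.endswith(EXEC_SUFFIXES) and not path.startswith(BROWSER_DIRS):
            evidence.append(("file", path))
    for key in diff_state(rb, ra):
        if key.startswith(AUTOSTART_PREFIXES):
            evidence.append(("registry", key))
    return ("exploit" if evidence else "clean"), evidence

# HijackThis line shapes as they appear in the logs quoted above (O16 = ActiveX
# download, O20 = Winlogon Notify DLL); the regexes are mine.
HJT_O16 = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]{36})\} \((.*?)\) - (\S+)$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")

def parse_hijackthis(lines):
    """Extract the ActiveX controls and Winlogon Notify DLLs from a HijackThis log."""
    found = []
    for line in lines:
        line = line.strip()
        if m := HJT_O16.match(line):
            found.append({"type": "O16", "clsid": m.group(1).upper(), "url": m.group(3)})
        elif m := HJT_O20.match(line):
            found.append({"type": "O20", "name": m.group(1), "dll": m.group(2)})
    return found

def build_topology(visits):
    """visits: (start_url, [redirect hops...], verdict). Maps each final exploit
    host to the set of hosts that funnelled traffic into it."""
    feeders = defaultdict(set)
    for start, chain, verdict in visits:
        if verdict != "exploit" or not chain:
            continue
        hosts = [urlparse(u).hostname for u in [start, *chain]]
        feeders[hosts[-1]].update(h for h in hosts[:-1] if h != hosts[-1])
    return feeders

def rank_providers(feeders):
    """Hosts fed by the most distinct sites first: the paper's 'major players'."""
    return sorted(feeders, key=lambda host: (-len(feeders[host]), host))

# --- constructed sample data (hashes are placeholders) ---------------------
FILES_BEFORE = {"C:/WINDOWS/system32/kernel32.dll": "h0"}
FILES_AFTER = {
    "C:/WINDOWS/system32/kernel32.dll": "h0",
    "C:/Documents and Settings/monkey/Local Settings/Temporary Internet Files/ad.gif": "h1",
    "C:/WINDOWS/system32/stmpsnap.dll": "h2",              # name taken from the log above
    "C:/DOCUME~1/monkey/LOKALA~1/Temp/nsh_115.exe": "h3",  # likewise
}
REG_BEFORE = {}
REG_AFTER = {r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls\DllName": "stmpsnap.dll"}
SAMPLE_HJT = [
    "O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx",
    "O20 - Winlogon Notify: Nls - C:\\WINDOWS\\system32\\stmpsnap.dll",
]
SAMPLE_VISITS = [  # .test hosts are fictitious
    ("http://icons.test/a.html", ["http://redir.test/r", "http://provider.test/x"], "exploit"),
    ("http://wrestle.test/", ["http://provider.test/y"], "exploit"),
    ("http://clean.test/", [], "clean"),
]

if __name__ == "__main__":
    print(classify_visit(FILES_BEFORE, FILES_AFTER, REG_BEFORE, REG_AFTER))
    print(parse_hijackthis(SAMPLE_HJT))
    print(rank_providers(build_topology(SAMPLE_VISITS)))
```

The verdict rule is deliberately crude: with no user interaction, a new DLL in `system32` or a new Winlogon Notify key after a page load is enough to call the URL an exploit, which is why the paper can run this unattended across VMs at different patch levels and use the fully patched VM's verdict as the zero-day signal. In a real deployment the snapshots would come from a filesystem and registry walk rather than hand-built dictionaries, and the provider ranking would be computed over thousands of visits, but the data shapes are the same.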
