Jump to content
Compatible Support Forums
Sign in to follow this  
Ali

HOW TO PUNISH A SPYWARE DISTRIBUTER

Recommended Posts

Hey everyone

 

Here is the deal: My computer is infected with sort of a spyware/virus/torjan/something and it keeps installing different BHOs on my system (ie. changes the homepage and default page) and even worse, everytime that happens it downloads ton to Torjan hourses and other spyware into my system. I found the domain where the page is hosted (normally you don't see the domain, it shows as about:blank and you have "search for...") to be "(changing numbers and letters).D8T.BIZ". I used my DNS service provider to find the Whois information for the owner of the domain:

Created by Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM

 

there is a fake phone number (111111111 to be exact) and some yahoo mail.

Is there anything i could do according to law to stop these people from what they are doing?

anybody had any idea if there are any organizations who fight with such crimes? (is it FBI? who the hell is responsible for internet complaints? UN?)

 

any ideas?

 

Share this post


Link to post

As has been pointed out before, many websites stash javacontrols into the temp files of both IE and Mozilla. One of the most common is clientsniffer.js and vb_sniffer.js . All the script does is determine what kind of browser you are using. Anantech, Sudhian, and even Cnet's download.com does it. But, once it is on your hard disk, it can be exploited. As far as I know no anti-virus detects it, nor does Spybot or Ad-aware. Bring up windows explorer and search for clients*.js or vb_*.js to see if you have it. It is not harmful and you can leave it on if you like. But, it can be exploited. This is not necessarily the control that Alec is speaking about, but it is something as innocuous as this that seems to causing concern.

In IE there is a hosts file. It seems that this gets re-written and one is sent to an address where you don't want to go. This exploit has occured before, but apparently it is more stealthy.

Share this post


Link to post

I have to say that I highly recommend people use the hosts file as you can also help weed out pop-up ads and other crap sites too wink

 

APK has a lovely one in his APK Toolset and a nice engine to sort them out laugh

Share this post


Link to post

Only problem with a HOSTS file is that you break DNS. DNS by design is supposed to handle dynamic changes as indicated by the TTL value passed from the DNS server(s).

 

(Most) Any government agency will either not do anything at best, or get agitated for you wasting their time at worst.

 

Learn to protect against the vulnerabilities before they become such an issue. An ounce of prevention...

Share this post


Link to post

Well APK, when you have a static IP/name resolution specified in the HOSTS file, and that IP changes, it's broken.

 

If you were using only DNS lookups, it wouldn't break.

 

That's why most upstream DNS providers have a TTL value of 1 hour, so that any IP/host changes are quickly propigated downstream.

 

BTW, good to see you posting again, and good to be back... ;-)

Share this post


Link to post

About DNS server poisining, this is another good reason to run your own local DNS server, and forward lookups to one of the root servers.

 

Comprimise of the root servers is a lot less likely than your ISPs DNS server/cache.

Share this post


Link to post

Well, about costs, direct and indirect...

 

Personally I value my time more than anything. Money can always be made, but time cannot.

 

So, bearing that in mind, once a DNS server is set up, it just runs. No user/admin intervention necessary.

 

Hosts on the other hand takes time to set up and update (constantly black-listing advertisers, malicious content, etc.).

 

Also, the root servers are far more secure then any downlevel DNS server, such as local ISP DNS servers.

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×