Help! My Interweb is burning!
Well, here's a crazy one and no mistake. After a tip-off from Jay Loden, I decided to have a play with some of the latest IM installers out there, and I can honestly say - they suck. You knew that, right? But what you may not know is that there are now a bunch of Arabic sites being popped open in the install process. What is it with these slightly "off the wall" sites and the IM bundles? Last time, it was the US Immigration site - this time round...well, you'll have to read on, won't you? These latest infections follow the link pops up / click link / pray for death pattern of old. However, there are a few new features and (to top it off) something I've never seen before. I have absolutely no idea what it does yet, but I'm sure it'll be fun finding out.
I won't bore you with the details of the install, because if you've seen one of these things, you've seen them all. We're talking the same old bundle with a few things added, a few things taken out. But now we get to the juicy parts - step up, ysbweb.com! In a lovely example of total and utter rubbishness, check out the screenshot to the left (click to make it go bigger, ooer and all that). When the install begins, the "Security Update" page opens up on the desktop, some crazy black boxes fill the screen and every piece of software known to man begins to install itself, including Powerscan, 180 SA, Internet Optimizer and all that other stuff.
Taking a quick look at the source for the security update page, we can see the zany code that kicks it all off. And in an extremely thoughtful touch, the install is crafted in such a way that, if you reboot, the security update page loads at startup so you don't lose your ysbweb goodies. Hooray! Not that you'd actually want to remove such a thing from your desktop. Perish the thought.
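The post doesn't say how the "Security Update" page gets itself reloaded at startup, and the screenshot isn't reproduced here, so the following is an added example rather than anything taken from the install or from the author's logs. It assumes the commonest trick for this kind of bundle, an entry under the per-user Run key that hands a URL or a local .html/.hta file to the browser, and shows how you'd spot one in a `reg export` dump. The registry text below is constructed sample data (the key path is the real Run key; the value names, paths and `example.invalid` URL are made up for illustration). The Startup folder is the other usual place and is not covered by this script.

```python
"""Flag autorun entries that would open a web page at logon.

Added example, not code from the original post. It parses a `reg export`
style dump and reports Run / RunOnce values whose command line contains a
URL or points at an .html/.hta file, which is how a bundle can bring a
"security update" page back on every reboot.
"""
import re

# Constructed sample dump in the format `reg export` writes. The key path is
# the genuine per-user Run key; every value below is made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SecurityUpdate"="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://example.invalid/update.html"
"Optimizer"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\upd.hta"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

# A .reg file escapes backslash and double quote inside string data.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_RUN_KEY = re.compile(r'\\currentversion\\run(once)?$', re.IGNORECASE)
_PAGE_LAUNCH = re.compile(r'https?://|\.html?\b|\.hta\b', re.IGNORECASE)


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values.

    Non-string data (hex:, dword:) and the file header are ignored, which is
    all we need for autorun command lines.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, data = (_unescape(part) for part in m.groups())
            entries[current][name] = data
    return entries


def flag_page_launchers(entries):
    """Return (key, value_name, command) for Run entries that open a page."""
    hits = []
    for key, values in entries.items():
        if not _RUN_KEY.search(key):
            continue
        for name, data in values.items():
            if _PAGE_LAUNCH.search(data):
                hits.append((key, name, data))
    return hits


if __name__ == '__main__':
    for key, name, command in flag_page_launchers(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'{key}\n  {name} = {command}')
```

On a real box you'd feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent) instead of the embedded sample; anything it flags that you didn't put there yourself is worth a look before the next reboot.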
Moving swiftly on, we come to the next stage of the process. After most of the software has downloaded itself to the end-user's PC, this website pops up on your desktop urging you to vote for about a million different websites. It also has a habit of opening itself multiple times, just to keep you busy with Alt+F4! I haven't seen this website mentioned anywhere so I imagine this is hot off the presses. I'll be checking out where some of the links lead to as well. Should be interesting(!)
And now, we approach end-game (get ready to click that image, picture-clicking fans!). When this small-box thing appeared on the desktop, I frankly had no clue what it was doing, and I still don't. Haven't seen this before - it seems to be waiting for something (hover over it and an egg-timer appears) but so far, nothing. If my screen should explode and the Interweb switch itself off, I wouldn't be surprised in the slightest. Rubbish gags aside, there's some rather odd information in the logs produced by these installs. So much so, that I'm going to do some more digging and, if all goes well, put another detailed buttkicking together on Spywareguide.com (It's great over there. They let me use orange font and everything). It may be something, it may be nothing, but there seems to be some "odd" activity here regarding Verisign certificates.
Stay tuned...
Note to Ginza: Move 'em out...