All articles licensed under a Creative Commons License.


Wednesday, November 08, 2006

Presenting: Zangozones

...yes, I just made "Zangozones" up but it does fit with the latest Zango related finding (in that Zango is involved, and the infection file is related to the LowZones Trojan). LowZones lowers your Internet Explorer security settings, assuming you were wondering (and I know you were). Just in case you missed the last few writeups, here's a brief timeline first to set the scene:

November 3rd, 2006: The FTC lay down a 3 million dollar - sorry, THREE MILLLLLION DOLLAR fine (God bless you, Dr Evil) on Zango for all their past Internet based silliness. Zango recant on their deathbed or whatever, and blame it all on those affiliates. Naughty affiliates. It's okay though, because the great Zango affiliate cleanup has begun. No, really. It has. Check it out:

November 4th, 2006: I pull a writeup out of the Ether regarding Zango installer prompts in a particularly nasty variant of the Licat Worm. Besides randomly dumping up to 500MB of individual Ad/Spy/Malware onto the PC, it'll quite often blue screen it and unless you know what you're doing, at that point your PC is completely screwed. Great piece of affiliate watching there.

November 5th, 2006: A few months back, Zango staggered into a minefield of Biblical proportions when I spilled the beans on their Myspace related antics. Claim and counterclaim issued forth from the Zango camp, and I proceeded to slice through them like a large angry man with a choppy sword thing. For anyone that wants a cheap laugh, check out the complete spiritual destruction of the affiliate at the center of this fiasco here. You'd think they wouldn't go near Myspace ever again - well, check out their latest profile on Myspace, courtesy of what looks like a Zango employee. Awesome.

November 6th, 2006: An amazingly dodgy Trojan not only hits you with Zango porn popups (which presumably make a tidy sum for the webmaster affiliate pushing the Zango videos), but puts an icon on your Start Menu which opens up a website with about six zillion Zango movies on it too! Oh, then there's the nosebleed inducing Toolbar, the endless popups and the wonderfully scammy search engine which is forever trying to get you to install things. More sexy affiliate policing, I guess.

November 7th, 2006: The kickass guys over at Websense stagger into the jungle that is Myspace, and come away with completely fake "Youtube" movies that actually try to install the Zangocash Toolbar. Is it just me, or is there a subtle theme of THESE AFFILIATES ALL SUCK playing out here?

...at any rate, here comes the November 8th find! One of the sites closely related to the Trojan hijack from the November 6th writeup was pushing some interesting wares. So interesting, that running it through Virustotal hit me with a big pile of information relating to the Trojan LowZones (as you've already seen from the first screenshot).

If this particular file runs on the target PC, you'll see the rather odd little box appear in the above screenshot (click to enlarge, you crazy fools! Do it!) For those that can't be bothered, the text says "Trusted Site Security Settings were Successful".

....but what does that mean, exactly? Well, go fire up Internet Explorer, click on some random stuff until you get up - you guessed it, the Trusted Zones box and....

.....a bunch of Zango domains have been inserted into your Trusted Zone. Nice!

In this case, the domains are content.licenceaquisition.org, cds.zangocash.com and static.zangocash.com.

To give you an idea of why someone would want to bother sticking anything in your trusted zone - think clean thoughts, please - check out the following notable quotable from this website:

Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone.

.....hooray!
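
To check a machine for this kind of change, the sketch below (an added example, not part of the original writeup) walks the standard Internet Explorer ZoneMap registry key, lists every domain mapped to the Trusted sites zone (zone value 2) and flags the three domains named above. The function name `Get-TrustedZoneEntry` is a hypothetical helper, not a built-in cmdlet.

```powershell
# Added example: audit Internet Explorer Trusted sites (zone 2) mappings.
# Domains named in this writeup; anything else listed needs its own review.
$reported = 'content.licenceaquisition.org', 'cds.zangocash.com', 'static.zangocash.com'

# Standard per-user / per-machine location of site-to-zone mappings.
$zoneMap = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-TrustedZoneEntry {   # hypothetical helper name
    param([string[]]$Hive = @('HKCU:', 'HKLM:'))

    foreach ($h in $Hive) {
        $root = "$h\$zoneMap"
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Length of the root key name, used to get each subkey's relative path.
        $prefix = (Get-Item -LiteralPath $root).Name.Length + 1

        Get-ChildItem -LiteralPath $root -Recurse | ForEach-Object {
            $key = $_
            # Keys are stored as Domains\<domain>\<subdomain>, so reverse the
            # path segments to rebuild the host name (zangocash.com\cds -> cds.zangocash.com).
            [string[]]$parts = $key.Name.Substring($prefix) -split '\\'
            [array]::Reverse($parts)
            $name = $parts -join '.'

            # Each value name is a protocol (http, https, *); its data is the zone number.
            foreach ($proto in $key.GetValueNames()) {
                if ($key.GetValue($proto) -eq 2) {
                    [pscustomobject]@{
                        Hive     = $h
                        Domain   = $name
                        Protocol = $proto
                        Reported = $reported -contains $name
                    }
                }
            }
        }
    }
}

Get-TrustedZoneEntry | Sort-Object Reported -Descending | Format-Table -AutoSize
```

Rows with `Reported` set to `True` match the domains listed in this post; other rows may be legitimate entries added by the user or by an administrator, so compare them against your own list of expected sites.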

At this point, I'm inclined to think I'll be doing a Zango writeup every day this week. Maybe a freakish high tide has washed all these suckers ashore or something, but remember this - there's more Zango stuff on the way from Ben Edelman. I'd write more about it, but I'm currently holding my little finger up to my mouth, Dr Evil style so we'll have to end this latest Zangofest right here.

I'm sure it won't be long before we're back for the encore.


All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.