Free Republic
Auto download adware carries vicious payload
vnunet.com ^ | 03 Mar 2005 | Robert Jaques

Posted on 03/03/2005 1:39:36 PM PST by holymoly

Security experts issued a warning this morning after detecting infections caused by Searchmeup, the first adware to use the Exploit/LoadImage vulnerability, which lets it download itself onto computers without the user's permission.

Panda Software's PandaLabs warned that the pages from which Searchmeup is downloaded also contain a series of exploits that download other malware onto the computer, such as the Tofger.AT Trojan, which steals banking passwords, Dialer.BB and Dialer.NO, and adware called Adware/TopConvert.

Searchmeup is downloaded onto the computer when the user visits maliciously coded web pages. Once installed, it changes the home page to that of a search engine that displays pop-ups every time it loads, with the aim of installing spyware and diallers on infected computers.

Searchmeup affects computers running Windows 2003, XP, 2000, NT, Me and 98. The vulnerability it exploits allows arbitrary code to be run: an attacker can trigger it by hosting a specially crafted cursor or icon on a malicious web page or in an HTML email. Microsoft has released a patch to correct this problem, and users are advised to install it immediately.

The web pages from which Searchmeup is downloaded also drop Tofger.AT onto computers, a Trojan which runs every time Internet Explorer is opened.

Tofger.AT keeps track of the user's internet activity, logging passwords entered over secure 'https' connections, which are often used for connections with online banks. Once it has collected this information, Tofger.AT sends it to a remote server.

Searchmeup can also trigger an error in 'services.exe', with a message informing users that the computer will be restarted in one minute.

After the restart, the computer operates perfectly. On some occasions Searchmeup can also display blue screen errors, and Tofger.AT can actually update itself to a new version.

"The Exploit/LoadImage vulnerability can be used on web pages or HTML email by crafting a special icon or image file that causes a buffer overflow that in turn can be used to take control of the user's computer," said Patrick Hinojosa, chief technology officer at Panda Software US.

"This can be very serious as the user does not have to do anything unusual like opening a suspicious attachment. This is what is sometimes referred to as a 'drive by' attack."

Luis Corrons, director of PandaLabs, added: "The appearance of Searchmeup is a sign of the continuous evolution of malware, and of spyware and adware in particular.

"The first stage was that adware reached computers as a component of a freeware application, then web pages appeared that installed adware on users' computers using ActiveX.

"Now they have gone a step further, as Searchmeup exploits a vulnerability that even virus creators had not used until now."


TOPICS: News/Current Events
KEYWORDS: adware; autoinstall; browser; dialer; driveby; hijack; malware; spyware; trojan
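The "specially crafted cursor or icon" the article describes is an image file whose header fields the loader trusted. As an added example, not part of the article, of Panda's analysis or of any Microsoft code, the following Python validator parses the standard ICO/CUR directory layout and applies the consistency checks a safe loader needs before it allocates or copies anything: a bounded entry count, a directory that fits inside the file, and per-entry offset and size fields that lie inside the file without integer wrap-around. The sample icons are constructed inline, and the checks illustrate the general class of defect (trusting declared sizes in an image header) rather than describing the specific Windows bug; `MAX_ENTRIES` is a policy cap chosen for the example.

```python
import struct

# Layout of the on-disk ICO/CUR directory (little-endian), per the
# standard Windows icon resource format:
#   ICONDIR:      reserved(u16) type(u16: 1=icon, 2=cursor) count(u16)
#   ICONDIRENTRY: width(u8) height(u8) colors(u8) reserved(u8)
#                 planes/hotspot-x(u16) bpp/hotspot-y(u16)
#                 bytes_in_res(u32) image_offset(u32)
ICONDIR_FMT = "<HHH"
ICONDIRENTRY_FMT = "<BBBBHHII"
ICONDIR_SIZE = struct.calcsize(ICONDIR_FMT)            # 6 bytes
ICONDIRENTRY_SIZE = struct.calcsize(ICONDIRENTRY_FMT)  # 16 bytes
MAX_ENTRIES = 64  # policy cap chosen for this example; real icons carry a handful


def validate_icon(data: bytes) -> list:
    """Return the list of header inconsistencies found; an empty list means
    every declared offset and size lies inside the file."""
    problems = []
    size = len(data)
    if size < ICONDIR_SIZE:
        return ["file shorter than the ICONDIR header"]

    reserved, res_type, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0:
        problems.append("reserved field is non-zero")
    if res_type not in (1, 2):
        problems.append("unknown resource type %d" % res_type)
    if count == 0:
        problems.append("directory declares zero entries")
    if count > MAX_ENTRIES:
        # Refuse before doing any count-driven allocation or looping.
        problems.append("directory count %d exceeds cap %d" % (count, MAX_ENTRIES))
        return problems

    dir_end = ICONDIR_SIZE + count * ICONDIRENTRY_SIZE
    if dir_end > size:
        problems.append("directory declares %d entries but the file is only %d bytes" % (count, size))
        return problems

    for i in range(count):
        off = ICONDIR_SIZE + i * ICONDIRENTRY_SIZE
        (_w, _h, _colors, _rsv, _planes, _bpp,
         bytes_in_res, image_offset) = struct.unpack_from(ICONDIRENTRY_FMT, data, off)
        if bytes_in_res == 0:
            problems.append("entry %d: zero-length image" % i)
        if image_offset < dir_end:
            problems.append("entry %d: image offset %d overlaps the directory" % (i, image_offset))
        # Written so that it stays correct in fixed-width arithmetic: compare
        # the size against the space remaining, never compute offset + size,
        # which can wrap around in a 32-bit loader and pass a naive bounds test.
        if image_offset > size or bytes_in_res > size - image_offset:
            problems.append("entry %d: declared image region (offset %d, %d bytes) exceeds file size %d"
                            % (i, image_offset, bytes_in_res, size))
    return problems


def make_sample(bytes_in_res_override=None, count_override=None) -> bytes:
    """Constructed one-entry icon; the overrides let a caller corrupt a header field."""
    payload = b"\x00" * 40  # constructed stand-in for the bitmap data
    image_offset = ICONDIR_SIZE + ICONDIRENTRY_SIZE
    bytes_in_res = len(payload) if bytes_in_res_override is None else bytes_in_res_override
    count = 1 if count_override is None else count_override
    header = struct.pack(ICONDIR_FMT, 0, 1, count)
    entry = struct.pack(ICONDIRENTRY_FMT, 1, 1, 0, 0, 1, 32, bytes_in_res, image_offset)
    return header + entry + payload


GOOD_ICON = make_sample()                                       # consistent header
OVERSIZED_ICON = make_sample(bytes_in_res_override=0xFFFFFFFF)  # size field points past EOF
HUGE_DIR_ICON = make_sample(count_override=0xFFFF)              # count far beyond the file

if __name__ == "__main__":
    for name, blob in (("good", GOOD_ICON), ("oversized", OVERSIZED_ICON), ("huge-dir", HUGE_DIR_ICON)):
        print(name, validate_icon(blob) or "ok")
```

The two rejected samples show the two ways a header can lie: a per-entry size that runs past the end of the file, and a directory count that would drive a loop or allocation far beyond the data actually present. A loader that validates this way never has to trust the declared size when sizing a buffer.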
More information about Exploit/LoadImage
1 posted on 03/03/2005 1:39:38 PM PST by holymoly

To: holymoly

freeware is ruined.


2 posted on 03/03/2005 1:42:07 PM PST by Huck (I only type LOL when I'm really LOL.)

To: holymoly
a Trojan which runs every time Internet Explorer is opened.

I just love Firefox!


3 posted on 03/03/2005 1:43:26 PM PST by frogjerk

To: Huck

Anyone caught intentionally pushing malware on PCs should be shot, I mean it. This has ramifications for the economy.


4 posted on 03/03/2005 1:44:45 PM PST by dfwgator (It's sad that the news media treats Michael Jackson better than our military.)

To: ShadowAce

Ping.


5 posted on 03/03/2005 1:47:29 PM PST by bkwells (GO NAVY! BEAT ARMY!)

To: holymoly

Good information...

Important to stay up to date on everything... browsers, antivirus... and now this spyware adware stuff. I am using MS AntiSpyware Beta, even though I've never had any spyware or adware to speak of.


6 posted on 03/03/2005 1:47:33 PM PST by HairOfTheDog (It is no bad thing to celebrate a simple life!)

To: dfwgator

Wrong! They should be tortured first, then hanged, then drawn and quartered...then shot.


7 posted on 03/03/2005 1:47:55 PM PST by Snardius

To: holymoly

Ping for later


8 posted on 03/03/2005 1:48:03 PM PST by AAABEST (Kyrie eleison - Christe eleison )

To: frogjerk

Bless your smug heart... the buggers will hassle you soon enough. ;~D


9 posted on 03/03/2005 1:48:55 PM PST by HairOfTheDog (It is no bad thing to celebrate a simple life!)

To: dfwgator
"Anyone caught intentionally pushing malware on PCs should be shot, I mean it. This has ramifications for the economy."

I don't know. The problem is if they can do it, Red China can do it. I want the systems secure. Nobody should be able to do it.

10 posted on 03/03/2005 1:49:54 PM PST by DannyTN

To: holymoly

Way to be posting stuff from January 11th.

This has been patched since then and if you've simply had the autoupdate on, it hasn't affected you since then. It's what, March 3rd today?

PS. Firefox dl'd four trojans on me last week. IE was bulletproof on the same sites. FYI


11 posted on 03/03/2005 1:51:46 PM PST by Republicanus_Tyrannus

To: HairOfTheDog
Important to stay up to date on everything... browsers, antivirus... and now this spyware adware stuff.

Which reminds me...

PC security-related links. All software is freeware/open source.

Last Update: 02/18/2005

Anti-Virus:

Antidote SuperLite
On-demand virus checker

AntiVir® Personal Edition

AVG Anti-Virus

F-Prot Antivirus
The MS-DOS version is free

McAfee Stinger
On-demand scanner. Detects & cleans a small number of virii/trojans (around 50).

MicroWorld
On-demand AntiVirus Utility

Alternatives to MSIE, Outlook & Outlook Express:

Mozilla.org
Mozilla Suite (browser, email & usenet client), Firefox browser, Thunderbird E-mail client

Off By One
The world's smallest and fastest web browser

Popcorn E-Mail
E-Mail client

Xnews
Usenet client

Anti-Adware/Spyware:

Ad-Aware SE
On-demand scanner

Spybot - Search and Destroy
Offers on-demand scanning and full-time protection

Firewall:

Tiny Personal Firewall 2
(Last freeware version)

ZoneAlarm Free Download

Technical Help:

CastleCops Security Forums

Cyber Tech Help Support Forum

SpywareWarrior.com Forum

VirtualDr Forums

How To Ask Questions The Smart Way
This guide will teach you how to ask questions in a way that is likely to get you a satisfactory answer.

How-to and Tutorial:

PCWorld: How to Install a Firewall

Using Ad-Aware SE

Using Spybot - Search and Destroy

Useful sites, articles, etc.:

Firewall Test, Security Test and Security Scan

Leak Test
Test your firewall against internal extrusions (leaks)

Shields Up
Firewall Test

Spyware/Adware/Malware FAQ and Removal Guide

SpywareWarrior.com
Waging the war against spyware

U.S. Computer Emergency Readiness Team

Miscellaneous:

Mozilla Plugin Support on Microsoft Windows

Netscape Browser Archive

OldVersion.com
Because newer is not always better

Ping Plotter
Internet diagnostic tool

TinyApps.Org

WinPatrol
Combats adware, spyware, trojans, etc.

12 posted on 03/03/2005 1:52:00 PM PST by holymoly ("A lot" is TWO words.)

To: dfwgator
Anyone caught intentionally pushing malware on PCs should be shot, I mean it.
I agree. Virus writers/Adware developers/Spyware authors are the absolute scum of the earth, and should be tied up and beaten with Louisville sluggers until only a bloody stump remains where their heads once existed.
13 posted on 03/03/2005 1:52:16 PM PST by bikepacker67 ("Donovan McNabb... I can't HEAR YOU" < / Who's your Mommy>)

To: holymoly

Thanks!


14 posted on 03/03/2005 1:52:49 PM PST by P.O.E.

To: holymoly

In addition to Spybot S&D and AdAware, I use HiJack This! It is a program that takes care of browser hijacking by malware after it happens.


15 posted on 03/03/2005 1:52:58 PM PST by peyton randolph (CAIR supports TROP terrorists)

To: holymoly

I don't see TDS3 or a2 personal in there, maybe add them?


16 posted on 03/03/2005 1:53:29 PM PST by RedBloodedAmerican

To: dfwgator

I agree, and their body parts should be sold.
I have had many hours stolen from me the last 7 days fighting what sounds like the same thing.

I have beaten the stuff back, but my computer is going to have to have the hard drive replaced because of this garbage and I make my living from my computer.


17 posted on 03/03/2005 1:54:55 PM PST by HereInTheHeartland

if you have XP service pack 2, you don't need the fix


18 posted on 03/03/2005 1:55:24 PM PST by KneelBeforeZod ( I'm going to open Cobra Kai dojos all over this valley!)

To: Snardius

Don't forget to do the same to the spammers and virus writers.


19 posted on 03/03/2005 1:55:27 PM PST by Kozak (Anti Shahada: " There is no God named Allah, and Muhammed is his False Prophet")

To: HairOfTheDog
Bless your smug heart... the buggers will hassle you soon enough. ;~D

He he he he...

20 posted on 03/03/2005 1:55:33 PM PST by frogjerk

To: holymoly

That's a lot of links... my Microsoft life seems a lot simpler to me... and the people writing the code actually have jobs ;~D


21 posted on 03/03/2005 1:55:36 PM PST by HairOfTheDog (It is no bad thing to celebrate a simple life!)

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

Security ping


22 posted on 03/03/2005 1:55:37 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: All
Little illiterate computer tapper me is so confused. I'm about ready to sit this thing on the burn pile and blast it with my 12 ga.
23 posted on 03/03/2005 1:55:41 PM PST by processing please hold (Islam and Christianity do not mix ----9-11 taught us that)

To: RedBloodedAmerican
What's TDS3? a2 is the anti-trojan, correct?

I only list freeware/open source, btw.
24 posted on 03/03/2005 1:55:42 PM PST by holymoly ("A lot" is TWO words.)

To: holymoly

Kerio has a free version of their firewall program here: http://www.kerio.com/us/kpf_download.html


25 posted on 03/03/2005 1:56:08 PM PST by Disambiguator (Encouraging heteronormativity wherever I go!)

To: peyton randolph

IMO HiJack this is a bit powerful for the average user. Most of the time, when the automated tools don't work for someone, I steer them towards the SpywareWarrior.com forum, where they can find out more about HiJack this, and post their logs for expert help. (Better safe than sorry.)


26 posted on 03/03/2005 1:57:31 PM PST by holymoly ("A lot" is TWO words.)

To: pbrown

Speaking of blasting computers with shotguns, http://www.homestarrunner.com/sbemail118.html
A little comic relief from one of the strangest sites out there.


27 posted on 03/03/2005 1:58:04 PM PST by Disambiguator (Encouraging heteronormativity wherever I go!)

To: holymoly

Anti trojan. Free trial.

http://tds.diamondcs.com.au/


28 posted on 03/03/2005 1:59:38 PM PST by RedBloodedAmerican

To: holymoly

This is the reason I no longer visit Drudge's page. He should change the name of his page to the Popup and Spyware Report. Who knows what measures he is taking to make sure the pop ads he accepts are clean. And if you clear out your adware, then visit his site and check again, you can see he has dropped three to five spyware programs on your computer.

I'll wait until someone posts on FR what is on Drudge to see what he has to say. Too risky going to his page.


29 posted on 03/03/2005 2:03:54 PM PST by BJungNan (Junk mail is killing email. Don't buy from spam emails!!!)

To: ShadowAce

Thanks!


30 posted on 03/03/2005 2:05:42 PM PST by Ernest_at_the_Beach (This tagline no longer operative....floated away in the flood of 2005 ,)

To: holymoly
Microsoft has released a patch to correct this problem

Yes, nearly two months ago. Anyone with automatic updates turned on should already have this.

31 posted on 03/03/2005 2:06:24 PM PST by kevkrom (If people are free to do as they wish, they are almost certain not to do as Utopian planners wish)

To: frogjerk

I'm not as cocky about Firefox as I used to be, since we're starting to see malware and Trojans coded for it. It's still generally safer than IE, and better too IMO (tabbed browsing, among other things), but now that it's getting notice and market share, the script kiddies are starting to find its holes. No software is perfect.

}:-)4


32 posted on 03/03/2005 2:08:42 PM PST by Moose4 (So how long will it take Hunter S. Thompson to figure out he's dead and not on an acid trip?)

To: Disambiguator
LOLOL. Just what I needed. Thanks. Put a hole in it huh? With a 12 ga.......'I can't relate'.

Thanks again.

33 posted on 03/03/2005 2:08:47 PM PST by processing please hold (Islam and Christianity do not mix ----9-11 taught us that)

To: backhoe

fyi


34 posted on 03/03/2005 2:09:06 PM PST by Ernest_at_the_Beach (This tagline no longer operative....floated away in the flood of 2005 ,)

This link has a great step by step procedure for removing spyware:

http://forums.majorgeeks.com/showthread.php?t=35407

Sometimes it requires more than just installing Ad-Aware and Spybot.

35 posted on 03/03/2005 2:09:11 PM PST by faq

To: Ernest_at_the_Beach

Thanks- I'll inform friends and relatives.


36 posted on 03/03/2005 2:10:28 PM PST by backhoe (-30-)

To: BJungNan
If you go to the Mozilla FTP site, you can download a ZIP of Firefox, which does not install in the common sense, as does the Windows EXE installer. (No registry changes, etc.)

It unzips to a "firefox" directory with all needed files. IIRC, when you launch it the first time, it will create a "firefox" subdirectory under Windows\Application Data.

If you decide you don't like it, just delete the two "firefox" folders and that's it.

http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/
37 posted on 03/03/2005 2:10:47 PM PST by holymoly ("A lot" is TWO words.)

To: Republicanus_Tyrannus
Way to be posting stuff from January 11th.

The article is dated March 3. You don't like it, tough.
38 posted on 03/03/2005 2:12:56 PM PST by holymoly ("A lot" is TWO words.)

To: kevkrom; All

I rec'd an email from MSFT today which said that there will be no new security updates for the month of March.


39 posted on 03/03/2005 2:17:23 PM PST by hsmomx3 (Steelers in '06)

To: dfwgator
Anyone caught intentionally pushing malware on PCs should be shot, I mean it.

Them and whatever idiot invented blister packs for medications.
40 posted on 03/03/2005 2:17:41 PM PST by TomGuy (America: Best friend or worst enemy. Choose wisely.)

To: TomGuy
Anyone caught intentionally pushing malware on PCs should be shot, I mean it. Them and whatever idiot invented blister packs for medications.

And that clear plastic packaging that is so impossible to get into.

41 posted on 03/03/2005 2:24:04 PM PST by HairOfTheDog (It is no bad thing to celebrate a simple life!)

To: Republicanus_Tyrannus

BS.

42 posted on 03/03/2005 2:25:03 PM PST by Nick Danger (The only way out is through)

To: Moose4

Note that IE doesn't need to be running to be vulnerable; that's just one of the many benefits derived from tight OS/browser integration.


43 posted on 03/03/2005 2:27:48 PM PST by larryw408

To: RedBloodedAmerican
Is this scanner for trojans, worms and bugs good?
44 posted on 03/03/2005 2:37:57 PM PST by Prophet in the wilderness (PSALM 53 : 1 The ( FOOL ) hath said in his heart , There is no GOD .)

To: dfwgator
"Anyone caught intentionally pushing malware on PCs should be shot...

Maybe using a variation of Internet goat hunting, but with a robotic boxer we can take turns controlling? After sentencing, of course.

45 posted on 03/03/2005 2:38:33 PM PST by polymuser

To: holymoly
Really appreciate the link. I'll check it out. But it seems like a bit of trouble to go through just so I can check out Drudge's site.

Are there any other advantages to firefox? I've found the best protection is simply to surf safe. Perhaps impossible completely but it amazes me how many people will let their computer sleep with any other computer that asks.

Abstinence!
46 posted on 03/03/2005 2:42:00 PM PST by BJungNan (Junk mail is killing email. Don't buy from spam emails!!!)

To: holymoly

bttt


47 posted on 03/03/2005 2:46:35 PM PST by aberaussie

To: BJungNan

Mozilla and Firefox have two features which I value.

The first is cookie management, which allows you to prohibit the sites you choose from placing cookies on your system.

The second, of course, is tabbed browsing, where you may have any number of sites open within the browser.

There are probably others I'm forgetting.



48 posted on 03/03/2005 2:54:02 PM PST by holymoly ("A lot" is TWO words.)

To: holymoly

I have nearly 300 cookies, is that bad?


49 posted on 03/03/2005 3:03:42 PM PST by processing please hold (Islam and Christianity do not mix ----9-11 taught us that)

To: Nick Danger

Whatever. Fact is that Firefox Downloaded 4, not 1, not 2, not 3, but FOUR trojans.

Fact is that with Norton, the same sites failed to penetrate IE. But I see this kind of blind fanboyism all the time online by hyped pseudo 'experts'. Excuse me whilst I roll my eyes at you.

There.

Your opinion doesn't change my log files, nor the fact that Firefox was wide open. I call BS on your assertion - because where I'm from facts speak louder than fanboyism.
If you aren't able to secure IE then I suggest that you don't have the backing of your so ineloquent and sophomoric barb.


50 posted on 03/03/2005 3:04:58 PM PST by Republicanus_Tyrannus

