Posted on 03/03/2005 1:39:36 PM PST by holymoly
Security experts issued a warning this morning after detecting infections caused by Searchmeup, the first adware to use the Exploit/LoadImage vulnerability which downloads itself onto computers without the user's permission.
Panda Software's PandaLabs warned that the pages from which Searchmeup is downloaded also contain a series of exploits to download other malware onto the computer, such as the Tofger.AT Trojan, which steals banking passwords, Dialer.BB and Dialer.NO, and adware called Adware/TopConvert.
Searchmeup is downloaded onto the computer when the user visits maliciously coded web pages. Once installed it changes the home page to that of a search engine that displays pop-ups every time it loads with the aim of installing spyware and diallers on infected computers.
Searchmeup affects computers running Windows 2003, XP, 2000, NT, Me and 98, and allows arbitrary code to be run.
It could be exploited by an attacker hosting a specially crafted cursor or icon on a malicious web page or HTML email. Microsoft has released a patch to correct this problem, and users are advised to install it immediately.
The web pages from which Searchmeup is downloaded also drop Tofger.AT onto computers, a Trojan which runs every time Internet Explorer is opened.
Tofger.AT keeps track of the user's internet activity, logging passwords for secure 'https' connections which are often used for connections with online banks. Once it has collected this information, Tofger.AT sends it to a remote server.
Searchmeup can also generate an error in the 'services.exe' file, informing users that the computer will be restarted in one minute.
After the restart, the computer operates perfectly. On some occasions Searchmeup can also display blue screen errors, and Tofger.AT can actually update itself to a new version.
"The Exploit/LoadImage vulnerability can be used on web pages or HTML email by crafting a special icon or image file that causes a buffer overflow that in turn can be used to take control of the user's computer," said Patrick Hinojosa, chief technology officer at Panda Software US.
"This can be very serious as the user does not have to do anything unusual like opening a suspicious attachment. This is what is sometimes referred to as a 'drive by' attack."
Luis Corrons, director of PandaLabs, added: "The appearance of Searchmeup is a sign of the continuous evolution of malware, and of spyware and adware in particular.
"The first stage was that adware reached computers as a component of a freeware application, then web pages appeared that installed adware on users' computers using ActiveX.
"Now they have gone a step further, as Searchmeup exploits a vulnerability that even virus creators had not used until now."
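As an added, defender-side example (not from the article or from Panda Software): a sanity check for the icon/cursor container format that flags directory entries whose declared sizes and offsets do not fit the file, the kind of header fields a decoder might otherwise trust. The checks illustrate the format's self-consistency rules in general and do not reproduce the specific LoadImage flaw; `build_icon` and its placeholder payload are constructed sample data.

```python
import struct

# ICO/CUR container layout (public format): a 6-byte ICONDIR followed by one
# 16-byte ICONDIRENTRY per image, each pointing at an image blob later in the file.
ICONDIR = struct.Struct("<HHH")      # reserved (must be 0), type (1=icon, 2=cursor), image count
ENTRY = struct.Struct("<BBBBHHII")   # width, height, colours, reserved, planes/hotspot-x,
                                     # bpp/hotspot-y, bytes_in_res, image_offset

def check_icon_directory(data: bytes) -> list:
    """Return the inconsistencies found in an .ico/.cur blob; an empty list means
    the directory is self-consistent. This is a front-door check to run before the
    file reaches a real decoder; it does not decode the image data itself."""
    if len(data) < ICONDIR.size:
        return ["file shorter than the 6-byte ICONDIR header"]
    reserved, rtype, count = ICONDIR.unpack_from(data, 0)
    problems = []
    if reserved != 0:
        problems.append("ICONDIR reserved field is not zero")
    if rtype not in (1, 2):
        problems.append("unknown resource type %d" % rtype)
    if count == 0:
        problems.append("directory declares zero images")
    table_end = ICONDIR.size + count * ENTRY.size
    if len(data) < table_end:
        return problems + ["directory declares %d entries but the file is too short to hold them" % count]
    for i in range(count):
        size, offset = ENTRY.unpack_from(data, ICONDIR.size + i * ENTRY.size)[6:8]
        if size == 0:
            problems.append("entry %d: zero-length image" % i)
        if offset < table_end:
            problems.append("entry %d: image offset %d overlaps the directory" % (i, offset))
        if offset + size > len(data):
            problems.append("entry %d: claims %d bytes at offset %d, past end of file (%d bytes)"
                            % (i, size, offset, len(data)))
    return problems

def build_icon(bytes_in_res: int, payload: bytes = b"\x00" * 48) -> bytes:
    """Constructed sample (not a real icon): one-entry file whose bytes_in_res field
    is chosen by the caller. The payload is placeholder image bytes; only the
    directory fields are under test."""
    offset = ICONDIR.size + ENTRY.size
    entry = ENTRY.pack(1, 1, 0, 0, 1, 32, bytes_in_res, offset)
    return ICONDIR.pack(0, 1, 1) + entry + payload

if __name__ == "__main__":
    print("consistent:", check_icon_directory(build_icon(48)))
    print("oversized: ", check_icon_directory(build_icon(0x7FFFFFFF)))
    print("truncated: ", check_icon_directory(ICONDIR.pack(0, 2, 3) + b"\x00" * ENTRY.size))
```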
That is a fantastic site. Thank you very much. A wealth of information.
Couldn't they just hack the dll file and change the pointers ?
If you knew what I knew about the net you wouldn't be so sarcastic. Anything is possible. The whole internet is based on zeros (0) and ones (1).
The top entries are for Internet Explorer- check these boxes:
temporary internet files
delete index.dat files
Be sure cookies are unchecked if you wish to keep them, likewise typed URLs (they appear in the address box in IE when you poke the bar on its right. They can be useful, but if you check and see a large number you don't use, you can check the box and be rid of them). Autocomplete form history may be worth saving, too, so be sure it is unchecked.
Next is Windows Explorer (this is not IE; it's the part of the system that lets you look at and delete files, copy, etc.).
I recommend checking all the boxes there.
Next is system- again, check all the boxes there.
The last category is Advanced- be sure all are unchecked-- don't check a one.
Then, poke "run cleaner" at lower right, and the right pane will fill with all the junk your PC has acquired. It will be a lot, the first time- then simply "exit."
Who's being sarcastic?
If you ever worked with a programming language such as assembler, you would realize it doesn't matter what software you use; it's just a matter of reverse engineering a file and changing the pointers.
But, I am tired of hearing from the IE crowd, "Just wait until they target you...".
I suppose.
But in order for someone to hack your AV dll, wouldn't they already need access to your system, via a trojan, etc.?
Perhaps you could limit/reduce the possibility by creating a firewall rule (or rules) which would restrict your AV/Updater to the IP (or range of IPs) of your AV update server(s).
I personally run a fairly restrictive firewall. For instance, I limit my email client to a single IP address - that of my mail server - and ports 110 & 25.
Live whatever way you can then... before they getcha.
I don't think he was being sarcastic. He's just a little jaded about freeware. ;)
~she~ And you're otherwise right. :~D
Cool, I was half right. That should improve my average significantly. ;)
When you become a target you have to be careful. :-)
Got it. I'll give it a try. If you don't see me again.....BYE BYE. And thanks.
I assume it also executed the Trojans, or put them somewhere on your filesystem (path, etc) where they would be executed? Which Trojans were they, and how much trouble did you have fixing their effects?
Ping for info
See how dumb I am at computers. It took me this long. I got rid of 64.5MB......is that a lot?
"I got rid of 64.5MB......is that a lot?"
Based on 2 home machines and the wife's lobby computer, that's about average.
Just for informational purposes, look here:
There are folders on your computer that Microsoft has tried hard to keep secret.
http://www.fuckmicrosoft.com/content/ms-hidden-files.shtml
These files are part of a detailed series of articles on system maintenance in the LangaList newsletters-
http://www.langa.com/cleanall_bat.htm
Scary bump!
Thanks for the info.