[Full-Disclosure] Re: block all popups [google knockoff]

From: sh0rtie (this.is_at_gmail.com)
Date: 08/26/04

    To: Jeremy Heslop <vector@ezy.net>
    Date: Thu, 26 Aug 2004 22:06:38 +0100
    
    

    it's spyware
    a quick peek inside the installer reveals links to toolbarshopper.com
    so definitely not google (although the toolbar does have links to use
    google as well as the usual affiliate links to other sites (using
    linksynergy))

    the site at ipaddress where the installer is located has links selling
    an ebook, following the money (purchase) leads to a site
    called moreinfo4you.net, a whois of this site reveals

    domain: moreinfo4you.net
    status: production
    organization: CSI
    owner: James Real jackson
    email: domainalias@yahoo.com
    address: 23244 Avenida Pico
    city: San Clemente
    state: CA
    postal-code: 92654
    country: US
    admin-c: domainalias@yahoo.com#0
    tech-c: domainalias@yahoo.com#0
    billing-c: domainalias@yahoo.com#0
    nserver: ns.dnsfree.biz
    nserver: ns2.dnsfree.biz
    registrar: JORE-1
    created: 2004-08-22 19:53:30 UTC JORE-1
    modified: 2004-08-22 22:25:43 UTC JORE-1
    expires: 2005-08-22 15:53:28 UTC
    source: joker.com
    db-updated: 2004-08-26 20:40:16 UTC

    fake details and joker.com is a public dns service often used by
    scammers because they can change domain ipaddresses (where the domain
    points to) quickly

    the ipaddress where the exe is located is based in korea (probably a
    compromised adsl machine)

    inetnum: 61.248.0.0 - 61.255.255.255
    netname: KRNIC-KR
    descr: KRNIC
    descr: Korea Network Information Center
    country: KR
    admin-c: HM127-AP
    tech-c: HM127-AP
    remarks: ******************************************
    remarks: KRNIC is the National Internet Registry
    remarks: in Korea under APNIC. If you would like to
    remarks: find assignment information in detail
    remarks: please refer to the KRNIC Whois DB
    remarks: http://whois.nic.or.kr/english/index.html
    remarks: ******************************************
    mnt-by: APNIC-HM
    mnt-lower: MNT-KRNIC-AP
    changed: hostmaster@apnic.net 20010321
    changed: hostmaster@apnic.net 20010606
    status: ALLOCATED PORTABLE
    source: APNIC

    person: Host Master
    address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
    address: Seoul, Korea, 137-857
    country: KR
    phone: +82-2-2186-4500
    fax-no: +82-2-2186-4496
    e-mail: hostmaster@nic.or.kr
    nic-hdl: HM127-AP
    mnt-by: MNT-KRNIC-AP
    changed: hostmaster@nic.or.kr 20020507
    source: APNIC

    regards

    On Tue, 24 Aug 2004 21:49:41 -0400, Jeremy Heslop <vector@ezy.net> wrote:
    > Not sure who this should go to, but I received an email the other day
    > and it is advertising the google toolbar. It installs a toolbar, but not
    > Google's. Looks sketchy to me and similar to other phishing attempts. URL
    > to valuebar_setup.exe was in email.
    >
    > Jeremy
    >
    > Html email here: http://footon.jheslop.com/block%20all%20popups.html
    > txt email here: http://footon.jheslop.com/block%20all%20popups.txt
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
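
    The whois triage described in the message above, as an added example that is not part of the original post: it parses the key: value record format quoted there and flags a domain that was only days old when looked up and whose contacts all share one free-webmail address. The function names, the FREE_MAIL list and the 30-day YOUNG_DAYS threshold are assumptions made for this example.

```python
from datetime import datetime, timezone

# Subset of the joker.com whois record quoted in the post above.
RECORD = """\
domain: moreinfo4you.net
email: domainalias@yahoo.com
admin-c: domainalias@yahoo.com#0
tech-c: domainalias@yahoo.com#0
billing-c: domainalias@yahoo.com#0
created: 2004-08-22 19:53:30 UTC JORE-1
db-updated: 2004-08-26 20:40:16 UTC
"""

FREE_MAIL = {"yahoo.com", "hotmail.com", "gmail.com"}  # assumed list, not from the post
YOUNG_DAYS = 30  # assumed threshold, not from the post


def parse_whois(text):
    """Parse 'key: value' lines; repeated keys accumulate in a list."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def parse_ts(value):
    """Read 'YYYY-MM-DD HH:MM:SS UTC', ignoring a trailing registrar tag."""
    date, time = value.split()[:2]
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def triage(fields):
    """Return (age_in_days_at_lookup, list_of_flags) for a parsed record."""
    flags = []
    age = (parse_ts(fields["db-updated"][0]) - parse_ts(fields["created"][0])).days
    if age < YOUNG_DAYS:
        flags.append("young-domain")
    # Contact handles look like 'user@host#0'; strip the '#n' suffix before comparing.
    contacts = {fields[k][0].split("#")[0].lower()
                for k in ("email", "admin-c", "tech-c", "billing-c") if k in fields}
    if len(contacts) == 1:
        flags.append("single-contact")
    if any(c.rpartition("@")[2] in FREE_MAIL for c in contacts):
        flags.append("free-webmail-contact")
    return age, flags


print(triage(parse_whois(RECORD)))
```

    The flags are triage hints for an analyst, not proof that registration details are false.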

