Spy Sheriff - so how do people get infected w/ this thing?

  • Thread starter Thread starter Todd H.
  • Start date Start date
T

Todd H.

I've now had two friends get nailed with this Spy Sheriff rogue
anti-spyware app. While I've managed to clean up the infections (and
there are several resources on that out there on the net to help with
that) for these folks, but what I'm most interested in is:

"Where/how are people getting this?"

Both are XP SP2 users. What's concerning is that this second buddy of
mine is a person that's generally careful and does all the stuff yer
supposed to do to use windows semi safely (not use IE or OE, he uses
Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
enabled, knows not to click on things in emails, keep the antivirus
scanner updated religiously, periodically scan with ad aware se, etc),
yet he STILL got infected. The only thing he does that I don't
recommend is that he does have an AOL account and runs their stuff
periodically to connect to them. Software is AOL 9.0 AOL
16.4184.5300.

So does anyone happen to know the vulnerability/sites where folks are
picking this up?

For those who haven't seen it, it's a tricky friggin program
apparently. It somehow gets installed, and then pops up telling you
it's detected all sorts of malware and offers to clean it up, but then
stonewalls the (typical) user from doing anything else with their
computer until they register the software and pony up their money.

As in:
http://elamb.blogharbor.com/hacked/removespysheriff.htm

Helpful in cleanup:
http://www.bullguard.com/forum/12/Spy-Sheriff-got-me-Please-help_25398.html


Best Regards,
 
Todd H. said:
I've now had two friends get nailed with this Spy Sheriff rogue
anti-spyware app. While I've managed to clean up the infections (and
there are several resources on that out there on the net to help with
that) for these folks, but what I'm most interested in is:

"Where/how are people getting this?"

Both are XP SP2 users. What's concerning is that this second buddy of
mine is a person that's generally careful and does all the stuff yer
supposed to do to use windows semi safely (not use IE or OE, he uses
Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
enabled, knows not to click on things in emails, keep the antivirus
scanner updated religiously, periodically scan with ad aware se, etc),
yet he STILL got infected. The only thing he does that I don't
recommend is that he does have an AOL account and runs their stuff
periodically to connect to them. Software is AOL 9.0 AOL
16.4184.5300.

So does anyone happen to know the vulnerability/sites where folks are
picking this up?
Click to expand...


Your friend could run System Restore and look at the checkpoints saved
therein. If it triggered due to an install, it lists what triggered it. He
might see whatever he installed for awhile back. Your friend should also
get accustomed to saving a checkpoint before performing an install and
noting why he created the checkpoint. Your friend probably got it from
something else he installed; i.e., it was bundled in something else. Your
friend should also reconfigure their browser to prompt for ActiveX downloads
so he/she knows when some site is trying to pushing one onto their computer.
AX is another method of delivery for this rogueware.
 
(e-mail address removed) AKA Todd H. on 1/2/2006 in
I've now had two friends get nailed with this Spy Sheriff rogue
anti-spyware app. While I've managed to clean up the infections (and
there are several resources on that out there on the net to help with
that) for these folks, but what I'm most interested in is:

"Where/how are people getting this?"

Both are XP SP2 users. What's concerning is that this second buddy of
mine is a person that's generally careful and does all the stuff yer
supposed to do to use windows semi safely (not use IE or OE, he uses
Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
enabled, knows not to click on things in emails, keep the antivirus
scanner updated religiously, periodically scan with ad aware se, etc),
yet he STILL got infected. The only thing he does that I don't
recommend is that he does have an AOL account and runs their stuff
periodically to connect to them. Software is AOL 9.0 AOL
16.4184.5300.

So does anyone happen to know the vulnerability/sites where folks are
picking this up?

For those who haven't seen it, it's a tricky friggin program
apparently. It somehow gets installed, and then pops up telling you
it's detected all sorts of malware and offers to clean it up, but then
stonewalls the (typical) user from doing anything else with their
computer until they register the software and pony up their money.

As in:
http://elamb.blogharbor.com/hacked/removespysheriff.htm

Helpful in cleanup:
http://www.bullguard.com/forum/12/Spy-Sheriff-got-me-Please-help_25398
.html


Best Regards,
Click to expand...
******************Reply Separator*************************
You did not mention any real-time scanning, anti-spyware programs that
your friend uses.
I have written some pages to help you.

Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs:
http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html

max
 
I appreciate the responses thus far, and the posters who've taken the
time to make them. If possible though, I'd like to refocus the
question:

What are examples of specific web sites with specific exploits in
place that endeavor to install Spy Sheriff?

I'm trying to figure out which unpatched application is the
vulnerability by which this nasty manages to installed by a user of
the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
platform.

In short, has anyone out there done a full malware analysis of the
Spyware Sheriff installer, and where it's found out there in the wild.

I realize this may be a tall order, but this particular bit of a
spyware is particularly intriguing to me because it's so pernicious.


Best Regards,
 
(e-mail address removed) (Todd H.) wrote:

|>
|>I appreciate the responses thus far, and the posters who've taken the
|>time to make them. If possible though, I'd like to refocus the
|>question:
|>
|> What are examples of specific web sites with specific exploits in
|> place that endeavor to install Spy Sheriff?

Anything download'd (link'd) from this site http://www.astalavista.us/
will come with in a Zip file a file called START.EXE which is whatever
the flavor of the month is.

I want'd to test for this post; I link'd to a site from there:
http://www.XXXXXXandr.net/sn/?l=n&pn=8
This tries the WMF exploit (remove X's to test)

Other links hit me with worms, virus's and other malware, I got so
tired of dodging attacks I never did download a zip file.

|>I'm trying to figure out which unpatched application is the
|>vulnerability by which this nasty manages to installed by a user of
|>the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
|>platform.
|>
|>In short, has anyone out there done a full malware analysis of the
|>Spyware Sheriff installer, and where it's found out there in the wild.
|>
|>I realize this may be a tall order, but this particular bit of a
|>spyware is particularly intriguing to me because it's so pernicious.
|>
|>
|>Best Regards,
 
Todd said:
"Where/how are people getting this?"
Click to expand...



Neither adware nor spyware, collectively known as scumware,
magically install themselves on anyone's computer. They are almost
always deliberately installed by the computer's user, as part of some
allegedly "free" service or product.

While there are some unscrupulous malware distributors out there,
who do attempt to install and exploit malware without consent, the
majority of them simply rely upon the intellectual laziness and
gullibility of the average consumer, counting on them to quickly click
past the EULA in his/her haste to get the latest in "free" cutesy
cursors, screensavers, "utilities," and/or wallpapers.

If you were to read the EULAs that accompany, and to which the
computer user must agree before the download/installation of the
"screensaver" continues, most adware and spyware, you'll find that
they _do_ have the consumer's permission to do exactly what they're
doing. In the overwhelming majority of cases, computer users have no
one to blame but themselves.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
R. McCarty said:
What about the latest Wmf exposure with IE ? - If I understand it
correctly, it requires only the visiting of an infected web site.
Here's an interesting FAQ on it:
http://isc.sans.org/diary.php?rss&storyid=994
Click to expand...

I never claimed that the danger didn't exist, only that it was a
relatively rare, compared to the malware distributors who rely upon the
uninformed or lazy consumer.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
I wasn't taking exception to your analysis - just that these jackasses
are always looking for new ways to get a toe hold on a computer.
Build the wall higher and they dig under it. Make it thicker and they
use a software trampoline to jump over. I agree that most Malware
gets on from bad browsing or download habits. The best Security
software in the world can't stop the "This is dangerous !" and they
go right ahead and Click into - Poker, Porno and "Freebies". Trying
to keep a PC "Safe-&-Secure" takes as much time as you spend
actually using the thing. You can teach a PC, unfortunately the user
is quite as quick a learner.
 
R. McCarty said:
I wasn't taking exception to your analysis - just that these jackasses
are always looking for new ways to get a toe hold on a computer.
Build the wall higher and they dig under it. Make it thicker and they
use a software trampoline to jump over. I agree that most Malware
gets on from bad browsing or download habits. The best Security
software in the world can't stop the "This is dangerous !" and they
go right ahead and Click into - Poker, Porno and "Freebies". Trying
to keep a PC "Safe-&-Secure" takes as much time as you spend
actually using the thing. You can teach a PC, unfortunately the user
is quite as quick a learner.
Click to expand...


We're pretty much in complete agreement, then. I guess I just
misunderstood the intentions of your reply to me. And, thanks to your
reminder, I do reckon it's time to upgrade my emphasis of that
particular danger.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Todd said:
I appreciate the responses thus far, and the posters who've taken the
time to make them. If possible though, I'd like to refocus the
question:

What are examples of specific web sites with specific exploits in
place that endeavor to install Spy Sheriff?

I'm trying to figure out which unpatched application is the
vulnerability by which this nasty manages to installed by a user of
the Mozilla (suite) browser or AOL web browsers under a WinXP SP2
platform.

In short, has anyone out there done a full malware analysis of the
Spyware Sheriff installer, and where it's found out there in the wild.

I realize this may be a tall order, but this particular bit of a
spyware is particularly intriguing to me because it's so pernicious.


Best Regards,
Click to expand...

I have seen it on three customer's computers in the last three days. They
were all up to date with Windows updates, running an antivirus, one was
running MS AntiSpyware. As near as I can tell they all came in via the .wmf
exploit. One was in a spam email. They had the preview pane open and viewing
the email installed the malware. Two were while surfing the net. Both times
they clicked on a link in a google search and they were immediately
infected. See the following link for details of the exploit.

http://www.microsoft.com/technet/security/advisory/912840.mspx

The only effective workaround right now is to enable hardware DEP for all
programs (software DEP won't stop it) or disable the Windows picture and fax
viewer. Both workarounds can cause problems. Hardware DEP may break some
drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be
the best workaround but it may cause some minor problems with html email and
some web sites.

Kerry
 
Kerry Brown said:
I have seen it on three customer's computers in the last three days. They
were all up to date with Windows updates, running an antivirus, one was
running MS AntiSpyware. As near as I can tell they all came in via the .wmf
exploit. One was in a spam email. They had the preview pane open and viewing
the email installed the malware. Two were while surfing the net. Both times
they clicked on a link in a google search and they were immediately
infected. See the following link for details of the exploit.

http://www.microsoft.com/technet/security/advisory/912840.mspx

The only effective workaround right now is to enable hardware DEP for all
programs (software DEP won't stop it) or disable the Windows picture and fax
viewer. Both workarounds can cause problems. Hardware DEP may break some
drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be
the best workaround but it may cause some minor problems with html email and
some web sites.
Click to expand...

Hi Kerry,

Thanks for sharing your experience.

There seems to be mounting evidence that these Spy Sheriff bastards
mihgt be leveraging multiple vulnerabilities out there, and evolving
with the state of patches.

One machine I cleaned up was about 3 weeks ago, and the friend
involved had an up to date XP2 box, and he said that the computer had
beenthat way for a week or more prior to my arrival. I think this
predates the WMF issue's release. That user, however, is fairly
novice and isn't terribly careful, so god knows where he could've
gotten it. He was using a very old version of Mozilla on that box.


The second Spy Sheriff infected machine I just cleaned up was an XP
sp2 machine with its updates, but the user reported that manual
symantec liveupdates haven't worked for a while, and he also had a
Mozilla version that was a couple revs old (1.7.8). I think his
infection of spy sheriff was probably in the timeline for the WMF
exploit. Then again Spy sheriff as it turns out was only one of a
long list of infections it managed to contract.

Thanks to all for their experiences with this one. This malware is
getting extremely crafty, and financial profit seems to be creeping up
the list of motivations for the black hats. I hope a few attorneys
general hit the Spy Sheriff weasels hard. In the mean time, if you
know anyone who was social engineered into paying to register spy
sheriff, have them dispute that credit card charge and at least hit
them in credit card admin fees. Visa/MC might get fed up enough to
revoke their merchant id.

Best Regards,
 
I have seen it on three customer's computers in the last three days. They
were all up to date with Windows updates, running an antivirus, one was
running MS AntiSpyware. As near as I can tell they all came in via the .wmf
exploit. One was in a spam email. They had the preview pane open and viewing
the email installed the malware. Two were while surfing the net. Both times
they clicked on a link in a google search and they were immediately
infected. See the following link for details of the exploit.

http://www.microsoft.com/technet/security/advisory/912840.mspx

The only effective workaround right now is to enable hardware DEP for all
programs (software DEP won't stop it) or disable the Windows picture and fax
viewer. Both workarounds can cause problems. Hardware DEP may break some
drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be
the best workaround but it may cause some minor problems with html email and
some web sites.
Click to expand...

According to some experts, the best workaround is Ilfak's fix here:

http://www.hexblog.com/2005/12/wmf_vuln.html

Art

http://home.epix.net/~artnpeg
 
Bruce said:
Neither adware nor spyware, collectively known as scumware,
magically install themselves on anyone's computer. They are almost
always deliberately installed by the computer's user, as part of some
allegedly "free" service or product.
Click to expand...

No, that is not the case. There is hardly a byte on my PC that I don't
know about but nevertheless I still get a few minor trojans from time to
time, usually in the Cookies, which last as long as it takes me to run
ad-aware, spybot etc or clean the cookies by hand, which I do every day
or couple of days. Of course lots of people do click on any old link
and so deserve what they get but that is not the only way to be
infected.
 
On that special day, Todd H., ([email protected]) said...
These spy sheriff infections predated the release of the wmf exploit
by a month or so though. :-\
Click to expand...

If there is a new and easy way to infect even updated machines without
having the user to lure into a "click me" dialog box, a criminal like
that spy sherriff distributor will gladly adopt it, for sure.

There are a lot of worming bots out in the net, which use all kinds of
vulnerabilities, the numbers of their variants being in the hundreds,
if not thousands... why should it be different with this kind of -
shall we call it foistware?


Gabriele Neukam

(e-mail address removed)
 
You've got it backwards. Spysheriff does use that vulnerability. That
vulnerability was always there it did not just appear, it was just recently
discovered probably because of spysheriff like malware.

--


(e-mail address removed)
remove 999 in order to email me
 
ilovepcbutts1 said:
From: "Leythos" <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]>
Subject: Re: Spy Sheriff - so how do people get infected w/ this thing?
Date: Mon, 2 Jan 2006 10:52:31 -0800
Lines: 39
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
X-RFC2646: Format=Flowed; Original
Message-ID: <u$2#[email protected]>
Newsgroups: comp.os.ms-windows.misc,microsoft.public.windowsxp.general,alt.comp.anti-virus,comp.security.misc
NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net 69.237.53.123
Path: news-wrt-01.ohiordc.rr.com!news-server.columbus.rr.com!hwmnpeer01.lga!hwmedia!newshub.sdsu.edu!msrtrans!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: news-wrt-01.ohiordc.rr.com comp.os.ms-windows.misc:201080 microsoft.public.windowsxp.general:1413638 alt.comp.anti-virus:93309 comp.security.misc:110153
Click to expand...

NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
69.237.53.123

Please note that PCBUTTS1 is the poster of the above message using my
NickName "Leythos". He posts from the above host, which you can validate
in the Usenet headers, since Microsoft deletes his posts from their
servers due to his lack of ethics, his theft of others code, and his
violations of their Usenet standards.

As a "formal" request, for documentation reasons, I request that you
stop using my name to forge posts. You have been warned now.
 
Back
Top