Warning to those using Sun Java on their systems.

  • Thread starter: John Corliss

John Corliss

There is a server side based spyware out there named "Redsheriff".
Neither Adaware nor Spybot caught it. I found it on my system and as a
result, I uninstalled both it and Java until more info becomes
available. To read about this villain in their own words, go here:

http://www.redsheriff.com/us/content/home.html

Also, check this out:

http://lists.lab.net/archive/ip-exploder/2003-March/005158.html

From what I can tell, this is not a new threat apparently, but it has
kinda slipped in under the wire and not too many seem to know about it.

What to do with freeware? Java is freeware. Using it puts you at risk
to this spyware. On my system, the file was:

c:\WINDOWS\.plugin141_03.trace

and it creates "reports" that it sends in. There may be other files
involved as well.

Anybody else know any more about it?
 
John said:
There is a server side based spyware out there named "Redsheriff".
Neither Adaware nor Spybot caught it. I found it on my system and as a
result, I uninstalled both it and Java until more info becomes available.
To read about this villain in their own words, go here:

http://www.redsheriff.com/us/content/home.html

Also, check this out:

http://lists.lab.net/archive/ip-exploder/2003-March/005158.html

From what I can tell, this is not a new threat apparently, but it has
kinda slipped in under the wire and not too many seem to know about it.

What to do with freeware? Java is freeware. Using it puts you at risk to
this spyware. On my system, the file was:

c:\WINDOWS\.plugin141_03.trace

and it creates "reports" that it sends in. There may be other files
involved as well.

Anybody else know any more about it?
By the way, check this link out too:

http://www.altavista.com/web/results?q=+Redsheriff++spyware&kgs=0&kls=1&avkw=aapt

(may wrap)
 
Anybody else know any more about it?
</snip>

John, you might want to mention this in alt.privacy.spyware as well.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
 
John Corliss said:
There is a server side based spyware out there named "Redsheriff".
Neither Adaware nor Spybot caught it. I found it on my system and as a
result, I uninstalled both it and Java until more info becomes
available. To read about this villain in their own words, go here:

http://www.redsheriff.com/us/content/home.html

Also, check this out:

http://lists.lab.net/archive/ip-exploder/2003-March/005158.html

From what I can tell, this is not a new threat apparently, but it has
kinda slipped in under the wire and not too many seem to know about it.

What to do with freeware? Java is freeware. Using it puts you at risk
to this spyware. On my system, the file was:

c:\WINDOWS\.plugin141_03.trace

and it creates "reports" that it sends in. There may be other files
involved as well.

Anybody else know any more about it?

--
Regards from John Corliss
No adware, cdware, commercial software, crippleware, demoware,
nagware, shareware, spyware, time-limited software, trialware, viruses
or warez please.
My version of AdAware caught Redsheriff recently. I'm using Version 6, Build
6.181. What version do you use? Maybe you need to upgrade.
Badger
 
Hey everyone.... Johnny Moron gave you a link to the site that *installs*
the tracker on your pc... without your consent. Also, this numbnuts putz
thinks you can opt out on the site? Good luck.


This is the file to watch out for: measure.class
 
"MAMEngineer" <[email protected]> pawed at the keyboard to
spell out:

<<<SNIP>>> <<<SNIP>>> <<<SNIP>>>

Why don't you take your little bucket of vindictiveness and go play in
the middle of the street?? Your rancid mutterings are real tedious,
so it is with great relish that I do this:

**PLONK** **PLONK** **PLONK**

Ahhhhhhhhhhh, that's better!
 
John Corliss wrote on 14-1-2004 :
There is a server side based spyware out there named "Redsheriff". Neither
Adaware nor Spybot caught it. I found it on my system and as a result, I
uninstalled both it and Java until more info becomes available. To read about
this villain in their own words, go here:

http://www.redsheriff.com/us/content/home.html

Also, check this out:

http://lists.lab.net/archive/ip-exploder/2003-March/005158.html

From what I can tell, this is not a new threat apparently, but it has kinda
slipped in under the wire and not too many seem to know about it.

What to do with freeware? Java is freeware. Using it puts you at risk to this
spyware. On my system, the file was:

c:\WINDOWS\.plugin141_03.trace

and it creates "reports" that it sends in. There may be other files involved
as well.

Anybody else know any more about it?

I haven't found a 'plugin141_03.trace', a 'measure.class' or something
that 'looks' like Redsheriff on my system, but I have Java installed.
Does this mean that I'm safe???

With kind regards,

--
Henk de Jong
The Netherlands
(e-mail address removed) (Remove _NO_SPAM_)
'Links to Freeware'
http://www.linkstofreeware.vze.com/
http://home.hccnet.nl/hmdejong/
 
While strolling through alt.comp.freeware, Seabat was overheard
plotting:
"MAMEngineer" <[email protected]> pawed at the keyboard to
spell out:

<<<SNIP>>> <<<SNIP>>> <<<SNIP>>>

Why don't you take your little bucket of vindictiveness and go
play in the middle of the street?? Your rancid mutterings are
real tedious, so it is with great relish that I do this:

**PLONK** **PLONK** **PLONK**

Ahhhhhhhhhhh, that's better!

You advertising the PLONK is just as bad as what you just chastised him
for. Do it silently, no one cares who's in your killfilter but you.
 
**PLONK** **PLONK** **PLONK**

Cool. So then you don't need to know that it's all a hoax....
 
FWIW I've got a

c:\WINDOWS\.plugin142_03.trace

also from Sunsystems. But don't I need it as the MS js doesn't comply (they
tell me) - I know it often didn't work, that's why I put Sun js in.

mike r
 
My version of AdAware caught Redsheriff recently. I'm using
Version 6, Build 6.181. What version do you use? Maybe you need to
upgrade.

It's also listed as a hijacker in SpyBot.
 
You advertising the PLONK is just as bad as what you just chastised him
for. Do it silently, no one cares who's in your killfilter but you.

Doesn't do a damn bit of good trying to reason with these people David...
the intelligent folks understand what they are.
 
There is a server side based spyware out there named "Redsheriff".

Posts relative to this are here:
http://forums.spywareinfo.com/index.php?s=4dcaed0193f52ec7413d62b68c50b6cf&showtopic=2239&st=0

URL may wrap (and I don't know how to use the "tinyurl" thingies yet).

There are posts there about using Proxomitron and DNS Kong to block it
as well as the HOSTS file entries below.

This HOSTS file list will block their current servers, if not any new
ones they might use.

I seem to have most of these in my current HOSTS files, so if you use
one that is relatively recent, see if you already have all of these.
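
An added example, not part of the original post: a small auditor for the check suggested above, reporting which wanted hostnames a HOSTS file really sinkholes, which are mapped to a live address, and which are missing. The hostnames ending in `.example` and the sample file are constructed, and first-match-wins resolver behaviour is an assumption.

```python
import ipaddress

# Constructed sample HOSTS content (not taken from a real machine).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   redsheriff.com www.redsheriff.com   # two names on one line
0.0.0.0     tracker.example
192.0.2.10  stats.example                       # real address: not a block
"""

def parse_hosts(text):
    """Map each hostname to the address on its first matching line."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comment, split columns
        if len(fields) < 2:
            continue                            # blank or malformed line
        for name in fields[1:]:
            # Assumption: the resolver honours the first entry for a name.
            table.setdefault(name.lower().rstrip("."), fields[0])
    return table

def is_sinkhole(addr):
    """True when the address sends traffic nowhere (loopback or 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit(hosts_text, wanted):
    """Sort wanted hostnames into blocked / not_sinkholed / missing."""
    table = parse_hosts(hosts_text)
    report = {"blocked": [], "not_sinkholed": [], "missing": []}
    for name in wanted:
        key = name.lower().rstrip(".")
        if key not in table:
            report["missing"].append(key)       # no wildcard matching in HOSTS
        elif is_sinkhole(table[key]):
            report["blocked"].append(key)
        else:
            report["not_sinkholed"].append(key)
    return report

if __name__ == "__main__":
    wanted = ["redsheriff.com", "WWW.redsheriff.com", "tracker.example",
              "stats.example", "new.tracker.example"]
    for status, names in audit(SAMPLE_HOSTS, wanted).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

The `missing` bucket shows the limit the post mentions: an entry for one name does not cover a new subdomain, so every server has to be listed individually.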
 
It says it's an applet (if it is true). Just disable/block Java applets
in your browser.

Actually, according to some articles I've just read, they just use a Java
applet, and if that fails, JavaScript, and if that fails a "web bug".

Apparently the company is more of a Web traffic analysis firm than a
particularly sleazy spyware firm. They were acquired by NetRatings, a
part of Nielsen, apparently.

Apparently this applet doesn't do much but capture your time spent on
Web pages and the like and passes it back for traffic analysis.

Technically spyware but apparently nothing to be overwhelmed about.

Unless of course they changed it since 2002 which wouldn't surprise me
either.
 
Alastair said:
users of kerio personal firewall can block this by using filters from
Sponge's site

www.geocities.com/yosponge

From http://www.geocities.com/yosponge/blockips.txt,
add these to the restricted/blocked zone of your firewall (if you have that
option):

Network          Mask             Description
203.89.243.0     255.255.255.0    RedSheriff
203.166.18.0     255.255.255.0    RedSheriff
210.81.223.192   255.255.255.224  RedSheriff
212.187.205.0    255.255.255.240  RedSheriff
195.165.248.144  255.255.255.240  RedSheriff
206.112.99.96    255.255.255.224  RedSheriff
 
MAMEngineer said:
Hey everyone.... Johnny Moron gave you a link to the site that *installs*
the tracker on your pc... without your consent. Also, this numbnuts putz
thinks you can opt out on the site? Good luck.

Using sock puppets to avoid my filter, eh? Now we all know you're a
troll. And a very juvenile one at that. Grow up.
 