Watch the hits come in on virus web bug


P. Thompson

The fine folks at esthost/atrivo are hosting a web site which distributes
a variation of the W32/Apher.AE69-tr trojan at
hxxp://24-7-search.com/12.hta then same URL cmdexe.exe.

Anyway, the author thoughtfully included a web bug in the hta file so that
he, and consequently we, can watch the hits come in on his lovely little
baby.

Judging by the hits on the last 20 days table, he popped this festering
sore onto the world somewhere around 08 Feb, 2005.

So watch and enjoy:

http://extremetracking.com/open;unique?login=sw2005
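A small script to go with the post above, added here as an example and not something the poster wrote: it inventories the remote resources an HTA/HTML file fetches as soon as it renders and flags the ones that look like a hit counter, which is exactly the kind of web bug that let the thread watch the author's stats. The sample HTA, the tracker host, the image path and the "login" value in it are all constructed for the example; the thread only says the real 12.hta carried an extremetracking counter and pulled cmdexe.exe from the same site.

```python
"""Inventory the remote resources an HTA/HTML file fetches on render and flag
the ones that look like web bugs (hit counters).

Added example, not code from the thread. The HTA below is constructed for
illustration: the tracker host, the image path and the "login" value are all
assumed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Tag/attribute pairs that make the renderer (a browser, or mshta.exe for an
# .hta file) fetch a remote resource without any click from the victim.
# That unattended fetch is what a web bug relies on.
FETCH_ATTRS = {
    "img": "src",
    "script": "src",
    "iframe": "src",
    "object": "data",
    "embed": "src",
    "link": "href",
}

# Constructed sample (assumption): a one-pixel counter image plus a loader
# script. The relative image and the <a> link must not be reported, since
# neither registers a hit on a third-party host by itself.
SAMPLE_HTA = """
<html><head><title>search</title>
<HTA:APPLICATION id="app" windowstate="minimize" showintaskbar="no">
</head><body>
<img src="logo.gif" alt="">
<a href="http://dropsite.example.invalid/">search</a>
<img src="http://counter.example.invalid/i.gif?login=sw2005" width="1" height="1">
<script src="http://dropsite.example.invalid/loader.js"></script>
</body></html>
"""


class RemoteFetches(HTMLParser):
    """Collect every (tag, url, attrs) that points at an http(s) resource."""

    def __init__(self):
        super().__init__()
        self.fetches = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        url = attrs.get(attr) if attr else None
        if url and urlsplit(url).scheme in ("http", "https"):
            self.fetches.append((tag, url, attrs))


def is_web_bug(tag, url, attrs):
    """Heuristic: an image nobody is meant to see, or an image whose URL
    carries an identifier in its query string, is a counter, not content."""
    if tag != "img":
        return False
    size = (attrs.get("width"), attrs.get("height"))
    style = attrs.get("style", "").replace(" ", "").lower()
    invisible = size in (("0", "0"), ("1", "1")) or "display:none" in style
    tagged = bool(parse_qs(urlsplit(url).query))
    return invisible or tagged


def analyze(markup):
    """Return every remote fetch with its host and a web_bug flag."""
    parser = RemoteFetches()
    parser.feed(markup)
    return [
        {
            "tag": tag,
            "url": url,
            "host": urlsplit(url).hostname,
            "web_bug": is_web_bug(tag, url, attrs),
        }
        for tag, url, attrs in parser.fetches
    ]


def tracker_hosts(markup):
    """Hosts that get a hit every time the file is rendered. Sinkholing
    these at the proxy cuts off the author's telemetry and gives you a log
    line per victim instead."""
    return sorted({r["host"] for r in analyze(markup) if r["web_bug"]})


if __name__ == "__main__":
    for r in analyze(SAMPLE_HTA):
        print(("WEB BUG " if r["web_bug"] else "fetch   ") + r["url"])
```

Run it against a captured .hta (after refanging the URLs if you stored them defanged) and you get the tracker host separately from the payload host; the former is where the author reads his stats, the latter is what goes in the abuse complaint.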
 

When you look at the number of hits and the percentage using MSIE,
it's not surprising that this newsgroup has become so popular. ;-)
http://extremetracking.com/open;sys?login=sw2005
 
Bart Bailey says...

> I just switched to Firefox v1.01 from MSIE v6. Am I less vulnerable to
> this crap running Firefox?

Firefox is generally safer, until the market shifts to the point that more
malware authors target Firefox. I don't doubt the Firefox code gets
better attention paid to security issues by its programmers since it has
not been idling in maintenance mode like IE has been since it vanquished
all opposition and took over the world.

I notice that the hits on the web bug have dropped way off perhaps because
now antivirus software is targeting that trojan. 12.hta was still there,
last I checked.
 

The mythology behind your comment is that MSIE is more exploited than
other browsers because of its popularity, when in fact, it's all the
built-in vulnerabilities that allow such exploitation that other
browsers do not have, regardless of how much attention gets paid them.
 
In Message-ID:<[email protected]>
posted on Sun, 27 Feb 2005 02:45:21 GMT, P. Thompson wrote: Begin

The mythology behind your comment is that MSIE is more exploited than
other browsers because of its popularity, when in fact, it's all the
built-in vulnerabilities that allow such exploitation that other
browsers do not have, regardless of how much attention gets paid them.

Don't read too much in between the lines of what I said:

I do think market share is a component. I also think that more usage of
firefox will equal more scrutiny which will equal more exploits. I would
not bet money that it would ever get as bad as IE.
 
Beauregard T. Shagnasty says...
Smoke2much said:
I just switched to Firefox v1.01 from MSIE v6. Am I less
vulnerable to this crap running Firefox?

Extremely so.

Get the PrefBar extension with Firefox, so you can toggle off
JavaScript and other bits as well.
http://prefbar.mozdev.org/
...and here it is on mine, with the Customize dialog open:
http://home.rochester.rr.com/bshagnasty/images/prefbar.png
It's the toolbar that begins with [ ] Colors.

I've been using the PrefBar extension as you suggested for a couple of
weeks now. It's awesome! Thanks very much for the tip!

regards,

Smoke
 

Glad you like it. Enjoy!
 
Hello,

We have contacted EstHost regarding the abusive client. They will have
48 hours to take action against the client themselves. If they fail to
take action, we will take all necessary measures to terminate the abuse
from happening further.

In future abuse complaints (if any), please use: (e-mail address removed) for a
faster response to your claim(s).

Thank you for taking the time to make a complaint. Have a great day.

Sincerely,
Russell Mitchell - Russ[at]Atrivo.com
Atrivo Technologies
http://www.atrivo.com
925-550-3947

P.S.: When reporting abuse(s) regarding clients on our network via these
newsgroups or the abuse[at]atrivo.com email, please forward any logs or
information that can be used as collateral for our investigation. If
you provide no proof of the abuse(s) we will not have any grounds for
investigation of the client's system.
 

There is a veritable treasure trove of AUP violations about halfway
down the thread here:

http://support.drweb.com/forums/viewtopic.php?t=1066

and AUP violators here

http://webhelper4u.com/CWS/cwsal_atrivo_ips.html

that I'm sure you'll just want to get to right away.
 
Hello,

The hosts found on the first listing located at:
http://support.drweb.com/forums/viewtopic.php?t=1066 is currently
pending removal.

As for the second list, I am not too sure what you expect me to do with
this one. It's a large listing of IP addresses and domains which are
apparently a part of the "CoolWebSearch" party. It states things like
domain names and "Runs Exploits". This page contains nothing for me to
work with. If you can provide me with actual abuses located on the IPs
from that list I will "get right to it". There's nothing for me to work
with on that listing.

Thank you for your time in advising us of the AUP violations @
drweb.com. Have a great day.

Sincerely,
Russell Mitchell - Russ[at]Atrivo.com
Atrivo Technologies
http://www.atrivo.com
925-550-3947
 
Are ALL of the virus infected files in that listing ALL Atrivo hosts?

I'm gathering up all the IPs and I'll terminate the ones still active.
Not all are atrivo and not all are still active.

I am getting all prepared to be impressed if a reduction actually occurs
in atrivo related virus traffic.
If there are any other lists such as this or any other abuses you would like to
report, Please let me know and I'll take care of them.

Oh, OK. Bored on a Friday are you:

hxxp://69.50.166.213/users/bond/web/winxp/classload.jar
hxxp://69.50.191.68/eb/or/index.html
hxxp://69.50.191.68/eb/be/zaebal0000.exe
hxxp://69.50.191.66/test/ii.chm
hxxp://69.50.166.213/users/bond/web/counter.php
hxxp://69.50.166.213/users/bond/web/winxp/EXPLOIT.CHM
hxxp://69.50.166.213/users/bond/web/win9x/classload.jar
(hxxp://69.50.166.213/users/bond/web/*)

hxxp://69.50.168.117/sf/bntc/exp_10/w9x_ie.php
hxxp://69.50.168.117/sf/bntc/exp_3/index.php
(sf/bntc/exp_*/* essentially)

hxxp://2hmr.biz/sf/bntc/exp_3/loader.exe
hxxp://69.50.166.204/555.ani
hxxp://69.50.191.68/eb/be/ass.html
hxxp://69.50.191.68/eb/rr/x.html

hxxp://hotoffers.info/v185/dropper.chm
hxxp://hotoffers.info/v185/wow.html
hxxp://69.50.161.13/users/paul/web/chkntfsfat.exe
hxxp://69.50.161.13/users/paul/web/dosxpd.exe
hxxp://69.50.161.13/users/paul/web/diantzpt.exe
hxxp://69.50.190.131/?to=nbss&from=in
hxxp://69.50.161.142/inc/nbss.html
hxxp://justload.com/1008/load/menu.jr
hxxp://justload.com/1008/load/indexsp2.html
hxxp://justload.com/1008/load/indexold.html
hxxp://justload.com/1008/load/index.chm
hxxp://justload.com/1008/load/hta.txt
hxxp://justload.com/1008/load/server.exe

hxxp://justload.com/1008/load/start.html
(this one is mostly not working now)
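Russell's point earlier in the thread was that a bare list of IPs gives an abuse desk nothing to work with. Here is an added example (not code from anyone in the thread) that turns a defanged list like the one just posted into a per-host summary, with the executables and exploit containers listed first and the IP-hosted entries grouped by /24 so one complaint can go to each netblock. The sample text is a subset of the hxxp:// lines above copied verbatim; the parenthetical wildcard notes from the post are skipped on purpose because they are not fetchable URLs, and the list of "payload" extensions is the example's own assumption drawn from the file types that appear in the list.

```python
"""Turn a defanged URL list into a per-host abuse summary.

Added example, not code from the thread. SAMPLE_LIST is a subset of the
lines posted above; PAYLOAD_EXTS is an assumption based on the file types
that appear in that list.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LIST = """\
hxxp://69.50.166.213/users/bond/web/winxp/classload.jar
hxxp://69.50.191.68/eb/or/index.html
hxxp://69.50.191.68/eb/be/zaebal0000.exe
hxxp://69.50.166.213/users/bond/web/winxp/EXPLOIT.CHM
(hxxp://69.50.166.213/users/bond/web/*)
hxxp://69.50.168.117/sf/bntc/exp_10/w9x_ie.php
hxxp://2hmr.biz/sf/bntc/exp_3/loader.exe
hxxp://69.50.166.204/555.ani
hxxp://hotoffers.info/v185/dropper.chm
hxxp://justload.com/1008/load/hta.txt
hxxp://justload.com/1008/load/server.exe
"""

# Extensions that in a drive-by kit of this era mean "payload or exploit
# container" rather than an ordinary landing page (assumption).
PAYLOAD_EXTS = {".exe", ".chm", ".jar", ".ani", ".hta", ".cab"}

DEFANGED = re.compile(r"hxxps?://[^\s)]+")


def refang(url):
    """Turn hxxp:// back into http:// for lookup tooling. Do this only inside
    the analysis pipeline, never in anything that renders or auto-fetches."""
    return re.sub(r"^hxxp", "http", url, count=1)


def parse_list(text):
    """Extract each URL, skipping wildcard notes like (hxxp://host/path/*)."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith("("):
            continue
        for m in DEFANGED.finditer(line):
            url = refang(m.group(0))
            parts = urlsplit(url)
            host = parts.hostname or ""
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                ip = None  # a domain, needs a DNS/whois lookup elsewhere
            seg = parts.path.rsplit("/", 1)[-1]
            ext = seg[seg.rfind("."):].lower() if "." in seg else ""
            entries.append({"url": url, "host": host, "ip": ip,
                            "path": parts.path, "ext": ext,
                            "payload": ext in PAYLOAD_EXTS})
    return entries


def by_host(entries):
    """Host -> entries, payload files first so the executable evidence is
    seen before the landing pages."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["host"]].append(e)
    return {h: sorted(es, key=lambda e: (not e["payload"], e["path"]))
            for h, es in groups.items()}


def by_network(entries, prefixlen=24):
    """Netblock -> sorted IP hosts, one complaint per block owner."""
    nets = defaultdict(set)
    for e in entries:
        if e["ip"] is not None:
            net = ipaddress.ip_network(f"{e['ip']}/{prefixlen}", strict=False)
            nets[str(net)].add(str(e["ip"]))
    return {n: sorted(hs) for n, hs in nets.items()}


def abuse_report(text):
    """Plain-text summary: host, then each URL with a PAYLOAD marker."""
    lines = []
    for host, es in sorted(by_host(parse_list(text)).items()):
        lines.append(host)
        for e in es:
            mark = "PAYLOAD " if e["payload"] else "        "
            lines.append(f"  {mark}{e['url']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(SAMPLE_LIST))
    print(by_network(parse_list(SAMPLE_LIST)))
```

Attach the report to the complaint together with the fetch logs or a hash of each payload; the by_network output tells you which block owner gets which slice, and the domain-hosted entries still need a whois before they can be routed.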
 