new pr0n trojan
Results 1 to 2 of 2

Thread: new pr0n trojan

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,049

    new pr0n trojan

    heres the latest trojan going about its a trojan that redirects you to pr0n site seems quite nasty
    report from security focus http://online.securityfocus.com/news/1350

    E-card Sneakware Delivers Web Porn

    A Trojan horse program created by an Internet adult entertainment company routes surfers to racy sites.
    By Kevin Poulsen, Oct 21 2002 12:08AM
    It's no coincidence that one of the most recent Trojan horse programs to enter the FBI's bi-weekly rogues gallery of malicious code is named after an Internet porn company.

    The program, dubbed "Cytron" by the bureau's National Infrastructure Protection Center (NIPC )and some anti-virus vendors, is a covert browser plug-in that gives Internet Explorer users something they probably don't want: more pop-up ads, promoting a slew of adult websites.

    Users are lured into accepting the program through a wholesome e-mail from egreetings@yahoo.com -- a forged return address. The mail looks convincingly like an electronic greeting card notification, with a cute smiley face background and the text "You have received an e-card" in squiggly block letters.

    Clicking on the graphic of a cartoon hand holding an envelope takes the recipient to surprisecards.net, where the surprise is an "e-card viewer plug-in" that they have to accept to read the card. If the user accepts the ActiveX control, which is signed with a credibility-boosting digital certificate, Internet Explorer will begin selectively feeding them racy full-sized pop-up ads for adult websites, mostly operated by Canada-based Cytron Communications Ltd. They never do get a greeting card.

    Small touches like the convincing domain name and the authentic digital certificate make the ruse smarter than the average covert adware delivery mechanism. "A lot of people see that it's an authentic certificate... and will just mindlessly click okay," says Jonathan Zdziarski, a Georgia software developer who was among the first to detect the spammy scam late last month after receiving one of the e-mails. "I can certainly see how your average doctor or oil change technician or anyone who's not in the technology field would fall for something like that."

    The e-card porn Trojan is the latest advancement in an industry known for pushing the envelope.

    "There some perfectly legitimate Internet porn operators, but it is a ruthlessly competitive industry that's constantly looking for new ways to get the click," says Jason Catlett, president of the anti-spam company Junkbusters. "They've always been at the leading edge of tactics, legitimate and illegitimate, for getting more traffic."

    Key Phrase Matching
    The Cytron program works by scanning the Web sites the victim views for key phrases like "hot sex" or "hard core," then serving up ads based on the matches. The technique seems designed to target only people in the market for porn, luring them away from Cytron competitors while catering to the user's particular sexual inclinations.

    But the covert phrase-matching software suffers from the same problem as keyword-based filtering programs: it's easily triggered by destinations that don't necessarily indicate a taste for adult content. In tests by SecurityFocus, browsing a USA Today story about the constitutionality of Internet porn spawned a window promoting the gay men's adult site "Tyler's Room," complete with thumbnail teaser photos of well-endowed models. Surfing to a Christian website selling the video "Porn: the Tragedy Exposed" exposed the front page of another Cytron site offering "The nets [sic] youngest women online," with a topless photo of one of them.

    Though Cytron is based in British Columbia, by luring U.S. netizens into installing the covert adware under false pretenses, the company may run afoul of U.S. computer crime laws and regulations prohibiting deceptive trade practices, says Catlett. "It's very ingenious... But if they're fooling people into downloading software, that's still going to be illegal under the Computer Fraud and Abuse act."

    The surprisecards.net site is served from a San Diego hosting company unrelated to Cytron, but the domain name is registered to Cytron president and CEO Richard Oliver.

    Reached by telephone Friday, Oliver didn't deny pulling the e-card scam. But Oliver says it's a jungle out there, pointing to the spyware and adware routinely bundled with popular file-swapping applications, without the average user knowing it.

    "I can name you about a hundred different companies, publicly traded companies, that are doing far worse than I am," said Oliver. "You've never heard of Kazaa, you've never heard of Morpheus, nobody's ever heard of any of these file-sharing companies that put all kinds of software on your computer?... Well, now you've heard of us."

    this is a link to what the email directs you to
    REMEMBER DO NOT DOWNLOAD THE PLUGIN
    http://www.surprisecards.net/viewcar...7&card=Pick+up

    this is a link for removal instructions
    http://and.doxdesk.com/parasite/Cytron.html


    Description

    Cytron is an Internet Explorer Browser Helper Object. It scans the content of pages being viewed for keywords and opens pop-up advertising when they are detected.
    Also known as

    POTD, after the filename and BHO name; Burnaby, the internal object name; TargetingSource, the name used to describe the control in Downloaded Program Files.
    Distribution

    Installed by ActiveX drive-by download on a page pointed to by mail claiming you have received an 'e-card'. The ActiveX control purports to be a viewer for e-cards.
    What it does
    Advertising

    Yes. When IE is started for the first time it attempts to connect to Cytron's servers to download a list of keywords to look for, and URLs of pop-ups to open.
    Privacy violation

    No.
    Security issues

    No.
    Stability problems

    None known.
    Removal

    There is no uninstall feature. However McAfee VirusScan can remove Cytron automatically.
    Manual removal

    First deregister the Cytron BHO. Open a DOS command prompt (Start->Programs->Accessories) and enter the following commands:
    cd "%WinDir%\System"
    regsvr32 /u "%WinDir%\Downloaded Program Files\potd.dll"

    You should then be able to delete the 'TargetingSource' entry in Downloaded Program Files (in the Windows folder), and the registry key HKEY_CURRENT_USER\Software\POTD (Start->Run->regedit).
    Links
    this is a link to mcaffee for info on this

    http://vil.nai.com/vil/content/v_99732.htm
    By the sacred **** of the sacred psychedelic tibetan yeti ....We\'ll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  2. #2
    Senior Member
    Join Date
    Mar 2002
    Posts
    153
    I think there is a good bout this virus. It will make ppl aware of porn site and think twice before they enter. So by than, may be there will be reducing of porn site. I think there is a lot of porn site and it still increasing. Well may be someday there is a hopefully there is a reducing of porn site. Never trust porn site.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •