-
December 7th, 2004, 08:03 AM
#1
Corporate owned worm?
I was investigating an AIM worm today, that linked back to:
http://www.funbuddyicons.com
http://www.funwebproducts.com
http://bar.mywebsearch.com
to install various toolbars. I am not done reviewing it, but supposedly it also injects ads into sent instant messages. I don't have a default installation to work on now, but I will soon to get the specifics.
Some interesting things though...
whois:funwebproducts.com
Administrative, Technical Contact:
Focus Interactive, Inc. (7K8J76EVN)
One Bridge Street Suite 42
Irvington, NY 10533
United States
Phone: 914-591-2000 Fax: 914-591-2000
whois:askjeeves.com
Ask Jeeves, Inc.
DNS Administrator
5858 Horton Street, Suite 350
Emeryville, CA 94608
US
both are addresses listed here:
http://sp.ask.com/docs/jeevesinc/a5.html
I found that connection, so I looked for anything public and found this:
http://www.infoworld.com/article/04/...20APPLICATIONS
Ask Jeeves Inc. will buy the privately owned Interactive Search Holdings Inc. (ISH) for about $343 million in a move that the Emeryville, California, company expects will double its search market share, it announced Thursday.
ISH properties and brands include My Way, My Search, My Web Search, Excite, iWon, the advertising network ********* and Focus Interactive. Berkowitz said that ISH currently employs about 200 people, and that while it has international visitors, it has no international presence. In December, ISH's Web properties reached 17 percent of U.S. Internet users, Berkowitz said.
Now I am not 100% positive on the AIM worm going around now, but so far it looks like it gets installed in the JavaScript runaround on the domains listed above and is installed w/o permission. Which is illegal, but I am not positive that is how it is done yet.
What I am very interested in is if anyone here has any proof that one of the products listed above was installed on a box through illegal means (exploit or whatever) at all in the past.
It is just surprising to me that the crap I have been removing the past 2 years has been linked to a familiar name like askjeeves.com. They could get nailed, class action style. It's not some shady basement-run industry, it might be askjeeves?
-
December 7th, 2004, 03:29 PM
#2
Interesting conclusion. I know a lot of our users use AskJeeves and a lot have My Search crap on them. Hmmmm.
"You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn
-
December 7th, 2004, 10:54 PM
#3
Update:
If you receive buddies.funbuddyicons.com in an instant message and click on it, you will be directed to a site that will ask to install a buddy icon software. If you agree, your homepage is changed (not hijacked forever, idk yet) and, more importantly, there are new tools installed in your instant messenger. When you send messages, an advertisement for buddies.funbuddyicons.com is appended and the sender cannot see it being appended. If it exploited the user this would be a corporate worm, but it doesn't exploit anything.
However, in the EULA:
http://www.funwebproducts.com/eula_1104/
It mentions nothing of this way of advertising through AIM message injections. So in a sense, is there a form of exploitation going on? I'm no lawyer, but could someone look over that with me and see where it gives the software permission to alter your outgoing messages?
Although someone agrees to the installation, this part of the software is not outlined in the EULA.
I ran all this on a virtual install of a default installation of Windows. There was an uninstall listing in Add/Remove Programs, but when I did it, it broke my internet connection on the next reboot. I used this tool:
http://www.spychecker.com/program/winsockxpfix.html
, removed a .cab in HJT, and a reboot fixed it. I don't know for sure yet if a second reboot fixed it, the .cab, or the winsock tool fixed it. I will be messing around more to see.
As for now, I think Focus Interactive broke their license agreement. Could others please have a look at it with me? It's a pretty intimidating document...
Thanks!
-
December 8th, 2004, 04:03 AM
#4
Well it seems they have changed the URL that infects the clicker... Now it sends them through a description of what they are downloading...
I still don't like knowing that the software is still out there... being advertised through invisible IMs.
Where's a ghost smiley when you need one.