Spyware Confidential

Spyware pushers cash in big on zero day exploit

By Suzi Turner | September 20, 2006, 9:24pm PDT

Summary

Nearly 50 malware threats are being installed through the VML zero day exploit, including familiar names like Virtumonde, BookedSpace, webHancer, SurfSideKick, Qoologic (also known as Qoolaid), Zenotecnico, TagAsaurus, with some trojan downloaders and a backdoor thrown in the mix. Many of these use affiliate programs where the affiliate gets paid per install, so somewhere affiliates of these adware/spyware companies are making a killing off this zero day exploit, trashing computers with their crapware.

I expect that most readers have already read about the latest zero day exploit, Microsoft Vector Graphics Rendering Library Buffer Overflow, discovered by Adam Thomas of the Sunbelt Software research team on Monday. I’m not going into detail on it — there is plenty of information about the exploit already, on ZDNet here, Secunia, US-Cert, SANS, and Microsoft Security Advisory (925568). George Ou has blogged that hardware enforced DEP stops the exploit from launching. A BleedingSnort signature has been created for the VML exploit.

SocketShield from Exploit Prevention Labs is said to block the exploit. SocketShield has a 30-day trial and the free Link Scanner on their website will check any URL for the exploit code. Sleazy porn sites are using this vulnerability to drop massive spyware on unsuspecting users. Roger Thompson of Exploit Prevention Labs called it a “massive malware run” with “drive-by attacks hosing infected machines with browser tool bars and spyware programs with stealth rootkit capabilities.”

SunbeltBLOG lists nearly 50 threats being installed through this exploit, including familiar names like Virtumonde, BookedSpace, webHancer, SurfSideKick, Qoologic (also known as Qoolaid), Zenotecnico, TagAsaurus, with some trojan downloaders and a backdoor thrown in the mix. Many of these use affiliate programs where the affiliate gets paid per install, so somewhere affiliates of these adware/spyware companies are making a killing off this zero day exploit, trashing computers with their crapware. I have not tested this exploit yet, but it sounds like the kind of payload that would render the machine nearly useless.

Biography

Suzi Turner is webmaster and owner of SpywareWarrior.com, a comprehensive site that includes a spyware help forum, spyware blog and reviews of anti-spyware software by noted spyware expert Eric L. Howes. Suzi became angry about spyware in 2002 after being infected by a drive-by-download of a browser hijacker and unwanted adware/spyware and decided to help others in the same predicament. In April 2005, Microsoft awarded Suzi its MVP (Most Valued Professional) Award in recognition of her work to help internet users protect their privacy by removing and preventing spyware. Suzi is also a nurse for a national disability management company.