Unwanted Toolbars

While I know this is old news and has been blogged/posted about a thousand times already - I still notice a lot of users having problems with an overload of toolbars they don't want/need.

More and more software (mainly free software) bundle their software package with a toolbar since it's an extra source of income.
While in some cases, a toolbar *can* be necessary or useful, always ask yourself if you really need/want this toolbar.

Additional Toolbars can slow down your browser since it takes longer to start them up, can interfere with certain webpages you want to view, can have compatibility issues with other toolbars/add-ons already installed or can even crash your entire browser.
Apart from a toolbar/BHO, some toolbars also add additional loading points (run key, service, appinit_dlls..) which may cause an extra slowdown of your computer in general.
Toolbars also take up extra space in your browser, leaving you with less content of the webpage you want to view.

Do you really want your browser to look like this?



If the answer is Yes, then I suggest you check with your eye specialist or stay away from computers and find another hobby.


Also, not all toolbars are as harmless as they look. Do you want them to monitor your browser activities? What sites you visit? Collect other info from your computer?
Do you want them to redirect searches? Change your startpage? Display Advertisements (targetted Ads)? If the answer is No, then uninstall them or don't install them in the first place.
In most cases, legit software with a toolbar bundled, offers the user the option to uncheck the toolbar during install. Too bad most have these toolbars pre-checked already, so many users who install the software just click through the installation screens (next) in a hurry and end up with toolbars they don't want or need.
And that's still the biggest mistake users make.

That's why it is always a good practice to read every part of the installation screens the software displays, so you don't miss the option where you can uncheck the toolbar or other junk during install.
Also, it's a good practice to always read the EULA/Privacy Policy when you want to install certain software.

Example:



Unfortunately, not every software bundled with a toolbar/other junk offers this option to uncheck during install. This is bad practice and such software should be avoided in the first place.

In case you have (accidentally) installed a toolbar you didn't want/need in the first place, use the Windows’ built-in "Add/Remove Programs" in the Control Panel ("Programs and Features" in Vista/Win7) and look if it's listed there so you can uninstall it.
Or, in case it's not listed there, you can disable or remove them them via your browser:
For Internet Explorer: http://technet.microsoft.com/en-us/magazine/dd364987.aspx or http://mintywhite.com/windows-7/7security/5-easy-ways-uninstall-toolbars-internet-explorer-8/
For Firefox: http://kb.mozillazine.org/Uninstalling_toolbars
For Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=en&answer=113907
For Opera: Click Tools > Preferences > Advanced Tab > Toolbars (listed on the left). There you can select and delete the toolbar.

In general, if you don't use/need toolbars, uninstall them or don't install them in the first place.

ABN AMRO Phishing mail

Another phishing mail I received today. Looks like my mailbox attracks phishing mails this week...
This certainly gives me a reason to blog more often again ;-)

This one is targeting Dutch ABN AMRO bank account users.



------

Geachte ABN-Amro klant,

® Op dit moment is ABN-Amro bezig met het vernieuwen van de systeembeveiligingen. Hierbij vragen wij u om uw persoonsgegevens opnieuw in te vullen door op de onderstaande link te klikken

Wij zullen de gegevens verifieren en als het nodig is de aanpassingen opnieuw in het systeem opnemen. Hierna wordt telefonisch contact met u opgenomen om de gegevens te beveiigen.


------

This one is sent from the spoofed mailaddress ABN AMRO NV customercare @ abnamro.nl
When you click the Log in button, it redirects you to a phishing page where it asks you to fill in your bank account and passnumber.





It looks like there are a lot of similar phishing mails going around lately to target ABN AMRO bank account users and I fear a lot of new ones will follow.
In case you have received a similar mail from ABN AMRO, please report it via their website:
https://www.abnamro.nl/nl/overabnamro/f_aanvragen.html

Beware Telenet.be users - Telenet.be phishing scam going around

First of all - WOW! It has been ages I have blogged here ! I really should start to blog more often again. Work & life has kept me real busy lately, so unfortunately there's not much extra free time left over anymore.
If only there were 36 hours in a day, so much I still want to do and learn...


Anyway, Just received the following in my mailbox today:


Dear 'pandora.be' E-mail User,

We are currrently upgrading our database and all account need to be verified.To complete your account activation with us, you are required to reply
to this message and enter your password in the space provided (********) you are required to do this before the next 48 hours of the receipt of this email or your database will be de-activated from our database.You are required to reply this message to telenet.be helpdesk database office on their email address: help-desk@email.com

Full Name:
username:
Password:
Thank you for using pandora.be.
Copyright 2011 © pandora.be web Team.


Stacy Williams
PANDORA.BE HELP DESK OFFICE
Hosting: Telenet Operaties N.V.
IP Address: 195.130.144.20





Telenet.be (Pandora.be is controlled by telenet.be) is one of the biggest ISPs here in Belgium
Above is a fake email and in no way associated with Telenet.be.
This mail is designed to steal your telenet.be credentials.
Telenet.be would never ask for your credentials via email, nor would any other company.
As a matter of fact, never ever give your passwords/credentials via mail, no matter who the company claims to be.

If you received this mail, delete it - certainly do not respond to it.
In case you have become a victim of this mail already and responded to it, change your password asap.
For telenet.be users, see here.

Rogue HDDDefragmenter

HDD Defragmenter is a rogue which appears quite easy to get rid of. That's not what I wanted to talk about. It's about how much Rogues have improved.

Once installed, you get the following message:



Your executables cannot launch. Clicking the 'Scan Hard Drives' button brings up the next image:



When scanning, it even has a FAKE safe mode. Desktop just goes black with the corners showing 'Safe Mode':




Next images show how convincing these rogues can be:







To get rid of it, scan with Malwarebytes or another Antivirus/Antispyware application.

Credits go to sUBs for screenshots and analysis

Fighting Trojan Horses is a Family thing

My cousin Jimmy also fights Trojan Horses, but in a slightly different way...



More info and Biography of Jimmy here:

http://www.ultimatemotorcycling.com/2010/red-bull-fmx-motocross-conquer-troy
http://espn.go.com/action/fmx/blog/_/post/3847313

IOBit Steals Malwarebytes’ Intellectual Property

Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an indepth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums (cached version since they deleted the thread - well, now the cached version got deleted as well. Glad I still have a screenshot, see below) that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes’ Anti-Malware software using the exact naming scheme we use to flag such keygens: Don’t.Steal.Our.Software.A.



Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes’ Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit’s theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This “malware” does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

We can’t publicly show all the evidence we found, because it is still our intellectual property: proprietary information about our database internals. But we don’t want you to have to take our word for it either, so we found a way to show you an example illustrating an indisputable pattern of theft.

Consider the file, dummy.exe. It is a harmless dummy executable that runs, displays a “Hello World” message box, and exits. You can see from third-party scans on VirusTotal, that no other security vendor flags this executable as malicious or even suspicious.

We created this dummy executable, then manipulated it slightly so that it matches one of the signatures in our database. We emphasize that it is still not malicious! — the signature is perfectly benign, when not in the context of actual malware, as you can see from the VirusTotal results.

We scanned the file with our own Malwarebytes’ Anti-Malware software and indeed it was flagged as “Don’t.Steal.Our.Software.A”. We scanned it with IOBit using their current build and database version and it was flagged as the same “Don’t.Steal.Our.Software.A”. We have included log file file and a screenshot of the detection. You can verify by yourself using the dummy executable and their most recent database.

We have attached two other such dummy executables to this post, so you can see for yourself. One of them, “rogue.exe”, matches our fake Rogue.AVCleanSweepPro (screenshot) definition, the other “fake.exe”, matches our Adware.NaviPromo definition (screenshot). VirusTotal results for “fake.exe” and “rogue.exe” so you can see they are benign. You can see a screenshot of our detections here.


During the course of our investigation, we uncovered additional evidence that IOBit may have stolen the proprietary databases of other security vendors as well. We are in the process of contacting these vendors.

Malwarebytes intends to pursue legal action against IOBit. We demand IOBit immediately remove all traces of Malwarebytes’ proprietary research and database from their software. We also demand IOBit be delisted from Download.com due to Terms of Service violations. This is criminal: it is theft, it is fraud, and we will not stand for it.

What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed.


Copy/paste of the original Article here


Update to this post: IOBit’s Denial of Theft Unconvincing

My New Toy... a HTC Magic

I finally decided to buy a Smartphone...: http://www.htc.com/www/product/magic/overview.html


Love at first sight!
Too many options and too much stuff to configure. This will certainly keep me busy for a while....

Searchengine Redirects? It could be a patched ws2_32.dll file...

I was helping someone yesterday (online support via forums) who was complaining about searchengine redirects. Redirections mainly went to mybig-portal.com, virus-detect-soft.com, edmonds.com, us.peeplo.com, directkitchenremodeling.com...

There are already many different infections responsible for searchengine redirections, I see several different ones every day.... so after a while, it's getting easier for me where to look/search.
The info is mainly gathered from logs (Registry loading points, Rootkit scans, etc).

However, this one was different. I just couldn't find the culprit. Same scenario as with the first Daonol/JsRedirect/Gumblar variant I discussed here last year (October 2008).
People who know me also know that I will search untill I find it, so I finally found the culprit - a patched ws2_32.dll file.
The ws2_32.dll is a legit Microsoft Windows file that contains the Windows Sockets API used by most Internet and network applications to handle network connections.
In this case, it was patched by malware. Its copies in the dllcache and ServicePackFiles\i386 folder were also affected. Reference thread here.
It wasn't detected by any scanner yet. Sophos Antivirus will now detect this one as Troj/WShack-B.

So if you encounter the same and just can't find the culprit of a searchengine Hijack after trying anything else - then it *may be a patched ws2_32.dll file. Don't delete that file if it's indeed patched/infected, but replace it with a clean copy.
If unsure/in doubt, post you issue in the forums.

In case you're wondering....

Yes, I'm still alive, just extremely busy lately.

It's now already a couple of months that MalwareBytes hired me as Malware researcher, so that's where most of my time goes nowadays.
I've decided I will only blog here once in a while - I hope at least once a month - but I cannot promise anything :-)

Also... Thank you for the nice mails I've received lately via this blog and sorry I didn't respond earlier. It looks like something went wrong with the "Contact Me" mailform, so a lot of delayed (2 months or so) mails arrived just today. Anyway, this should be fixed now.

In between message...

It's been a while that I've blogged and since I'm going through some major changes in my personal and professional life (maybe new job), I won't have the time and inspiration either to blog in the next couple of weeks.
In a meanwhile... Click the icon to play a little game, so you didn't come here for nothing. :-)

See you later!