
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-12-31



A Look Inside a Dirty Computer

Published: 2006-12-31
Last Updated: 2007-01-01 02:52:00 UTC
by Deborah Hale (Version: 1)
0 comment(s)

Once again this week I had the opportunity to look at a computer that had been visited by the world of NEWdotNET.

The initial complaint from the computer's owner was that they couldn't connect to the Internet anymore.  The error they were getting was "An error occurred while renewing interface Local Area Connection: the requested service provider could not be loaded or initialized.", along with various protocol errors.  Another error indicated that there was a socket error.  Upon initial investigation I found that NEWdotNET was installed on the computer.

This is not the first time that I have dealt with a computer that had been lured in by NEWdotNET, so I headed to NEWdotNET's website to check the removal instructions.  Of course, I could not find removal instructions easily, so I searched the web to see what removal instructions I could find.  There in the search I did find NEWdotNET's webpage with removal instructions.  Following the instructions on the NEWdotNET removal website proved to once again leave me less than satisfied with their removal procedures.  In researching the removal of the "garbage" installed by NEWdotNET, I discovered that they are now altering the Winsock and TCP/IP stack with their own code.  Of course, when you then attempt to remove the programs and settings made by their installs, you are left with a computer that can no longer connect and lots of socket errors.  In spite of the claims on their website that following the removal procedures will remove the software, I found that it does not.

Off to the Microsoft Knowledge Base to find out what can be done to return the computer to the settings that Microsoft intended XP to have.  I came across a knowledge base article that has the steps needed to diagnose and repair Winsock corruption.  So step by step I made my way through the process to recover Winsock and repair the corruption.

http://support.microsoft.com/kb/811259/en-us

OK, now Winsock is reset.  What about TCP/IP?  I found another article in Microsoft's Knowledge Base that dealt with the TCP/IP stack and the need to reset it after a Winsock error.  So now, step by step, I repaired the TCP/IP stack as well.

http://support.microsoft.com/kb/299357/en-us
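The diary does not reproduce the steps from the two KB articles, so here is an added example of the same diagnosis-and-repair sequence as a script; it is not code from the diary or from Microsoft. It assumes Windows PowerShell 2.0 or later run from an elevated prompt, and that `netsh winsock reset` is available (XP SP2 or later; the pre-SP2 path in KB811259 is manual registry removal and a TCP/IP reinstall). The background it relies on, which the diary only hints at through the "service provider could not be loaded" error, is that NEWdotNET registered itself as a Winsock service provider: an entry in the Winsock2 catalog pointing at its own DLL. The inventory half reads that catalog from the registry and flags any provider whose DLL sits outside the system directory or no longer exists, which is the state a half-finished uninstall leaves behind; the `-Repair` switch then runs the two resets.

```powershell
# Added example, not code from the diary or from Microsoft: inventory the
# Winsock2 provider catalog and, with -Repair, run the resets described in
# KB811259 (Winsock) and KB299357 (TCP/IP). Assumes Windows PowerShell 2.0+
# in an elevated prompt; 'netsh winsock reset' needs XP SP2 or later.
[CmdletBinding()]
param(
    [switch]$Repair   # inventory only unless this switch is given
)

$catalog   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
$systemDir = [System.Environment]::SystemDirectory   # e.g. C:\WINDOWS\system32

# Decode the provider DLL path from a PackedCatalogItem value: the first
# MAX_PATH (260) bytes hold a NUL-terminated ANSI path, and the
# WSAPROTOCOL_INFO structure follows it.
function Get-ProviderPath {
    param([byte[]]$Packed)
    $len = [Math]::Min(260, $Packed.Length)
    $end = 0
    while ($end -lt $len -and $Packed[$end] -ne 0) { $end++ }
    $raw = [System.Text.Encoding]::Default.GetString($Packed, 0, $end)
    return [System.Environment]::ExpandEnvironmentVariables($raw)
}

$findings = foreach ($entry in Get-ChildItem -Path $catalog) {
    $packed = (Get-ItemProperty -Path $entry.PSPath -Name PackedCatalogItem).PackedCatalogItem
    $path   = Get-ProviderPath -Packed $packed
    New-Object PSObject -Property @{
        Entry        = $entry.PSChildName
        ProviderPath = $path
        # Microsoft's own providers (mswsock.dll, rsvpsp.dll, ...) live in the system directory.
        InSystemDir  = $path.StartsWith($systemDir, [System.StringComparison]::OrdinalIgnoreCase)
        # A catalog entry whose DLL is gone is what produces
        # "the requested service provider could not be loaded or initialized".
        DllPresent   = ($path -ne '') -and (Test-Path -LiteralPath $path)
    }
}

$findings | Select-Object Entry, ProviderPath, InSystemDir, DllPresent | Format-Table -AutoSize

$suspect = @($findings | Where-Object { -not $_.InSystemDir -or -not $_.DllPresent })
if ($suspect.Count -eq 0) {
    Write-Host 'Winsock catalog looks clean: every provider is a present DLL under the system directory.'
} else {
    Write-Host ("{0} catalog entries point outside the system directory or at a missing DLL; investigate before repairing." -f $suspect.Count)
}

if ($Repair) {
    # KB811259: rebuild the Winsock catalog to its install-time state.
    netsh winsock reset
    # KB299357: reset TCP/IP, logging the changes to resetlog.txt in the current directory.
    netsh int ip reset resetlog.txt
    Write-Host 'Reboot to finish the reset, then re-run this script to confirm the catalog is clean.'
}
```

Run it once without `-Repair` and read the table before resetting anything: a provider outside the system directory is a lead, not a verdict, because some legitimate security products also install Winsock providers. On 64-bit Windows the 64-bit providers live under a sibling `Catalog_Entries64` key, so point `$catalog` there as well if that is the platform in front of you. Both resets take effect only after a reboot, which is why the script asks for one.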

All is well; the computer is once again running.  All of the NEWdotNET leftovers have been removed.

So what is NEWdotNET?  As far as I can tell they are a DNS provider. From their website "NEW.NET seeks to become the world's leading domain name registry by introducing and selling domain names with new extensions that offer greater relevance and meaning than current Web site addresses ending in .com, .net, and other existing top-level domains. We are making this possible initially by encouraging millions of users to activate their Internet browsers to recognize NEW.NET domain names and partnering with leading Internet Service Providers to activate our domain names automatically at the network level."

Sounds innocent enough; however, in order for me to see those web pages that have the other extensions, I have to have their software installed.  Their software is a plug-in to the browser that you are using.  According to the Counter Exploitation site:

http://www.cexx.org/newnet.htm

"The NewDotNet software is what we like to call Foistware: it's something that you probably didn't ask for, and never felt a need for, but it came along anyway with an unrelated program you downloaded. NEWdotNET accomplishes this by compensating the authors of unrelated third-party software, which has ranged from media players to peer-to-peer file sharing programs, for "bundling" the browser plugin with their program. At one time, NEWdotNET advertised a 5 cent commission for each system the plugin was successfully installed on; however, we are unable to find current published figures for compensation."

It appears that NEWdotNET is not happy about the adverse publicity that their software has received over the years.  They claim that their software is not being installed without the permission of the owner of the computer.  I really take issue with this.  Of the computers that I have worked on that have had the software installed, I cannot find one person who confirmed that they knew that NEWdotNET was being installed and agreed to the installation.

On their website, they themselves claim to have 174,661,619 enabled users.  My question is how many of the nearly 175 million users even know that the software is installed?  How many agreed to the installation?  How many realize that the software leaves the computer open so that NEWdotNET can update the software whenever an update comes along (and, by the way, doesn't inform the user that an update is being done)?

(I would really like to know how many people actually remember being asked to install the NEWdotNET software.)

This computer may well have been the biggest challenge that I dealt with in 2006.  Some of you are probably saying, "Man, why don't you just format and reinstall?"  Sometimes I do, but if I didn't go through these types of exercises I would never know how this stuff works, I would not understand what to look for next time, and I would not be able to help people understand the importance of things like anti-virus software, anti-spyware software and firewalls.

I encourage each of our readers to take a look at what programs are running on your computers.  Make sure that the computers in your home, especially community computers, are free from spyware, viruses and the like.  Make a resolution for 2007 to clean up your computers, check out the programs that are running on them and make sure that you understand what they are.  Make sure that your anti-virus and anti-spyware software are up-to-date and that you have a good firewall in place.

With that I wish each and every one of you a Happy New Year and a safe and prosperous 2007.




Windows Defender expires today

Published: 2006-12-31
Last Updated: 2006-12-31 15:57:11 UTC
by Deborah Hale (Version: 1)
For those of you using Windows Defender, I just wanted to remind you that the old version expires today.  Microsoft has a new version available for download at Windows Defender Update.

We have received a report from one of our readers that his Windows Defender install just stopped working, with no warning other than a service failing to start.  Thanks for reporting this to us, Karl.  Is anyone else seeing this behaviour?

If you are running Windows Defender you may want to do the update today. 


Update:  It has been brought to our attention that Microsoft Windows Defender is no longer installable or supported on Windows 2000.  Microsoft states that W2K is out of its lifecycle and is no longer supported.  So those of you running Windows Defender on Windows 2000 will need to look for another program.




Update on Postcard virus emails

Published: 2006-12-31
Last Updated: 2006-12-31 14:27:41 UTC
by Deborah Hale (Version: 1)
One of our readers made an interesting observation, one which I have confirmed with the headers of the emails that I have received with the Nuwar virus.  All of the emails have a common user agent:  Thunderbird 1.5.0.9 (Windows/20061207).  I am not sure of the significance of this, but it is an interesting observation.

Thanks, Karl, for the information.
