HOW TO PUNISH A SPYWARE DISTRIBUTER

[Ali 0]

Hey everyone

 

Here is the deal: My computer is infected with sort of a spyware/virus/torjan/something and it keeps installing different BHOs on my system (ie. changes the homepage and default page) and even worse, everytime that happens it downloads ton to Torjan hourses and other spyware into my system. I found the domain where the page is hosted (normally you don't see the domain, it shows as about:blank and you have "search for...") to be "(changing numbers and letters).D8T.BIZ". I used my DNS service provider to find the Whois information for the owner of the domain:

Created by Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM

 

there is a fake phone number (111111111 to be exact) and some yahoo mail.

Is there anything i could do according to law to stop these people from what they are doing?

anybody had any idea if there are any organizations who fight with such crimes? (is it FBI? who the hell is responsible for internet complaints? UN?)

 

any ideas?

 

[Sampson 0]

As has been pointed out before, many websites stash javacontrols into the temp files of both IE and Mozilla. One of the most common is clientsniffer.js and vb_sniffer.js . All the script does is determine what kind of browser you are using. Anantech, Sudhian, and even Cnet's download.com does it. But, once it is on your hard disk, it can be exploited. As far as I know no anti-virus detects it, nor does Spybot or Ad-aware. Bring up windows explorer and search for clients*.js or vb_*.js to see if you have it. It is not harmful and you can leave it on if you like. But, it can be exploited. This is not necessarily the control that Alec is speaking about, but it is something as innocuous as this that seems to causing concern.

In IE there is a hosts file. It seems that this gets re-written and one is sent to an address where you don't want to go. This exploit has occured before, but apparently it is more stealthy.

[jmmijo 1]

I have to say that I highly recommend people use the hosts file as you can also help weed out pop-up ads and other crap sites too

 

APK has a lovely one in his APK Toolset and a nice engine to sort them out

[adamvjackson 0]

Only problem with a HOSTS file is that you break DNS. DNS by design is supposed to handle dynamic changes as indicated by the TTL value passed from the DNS server(s).

 

(Most) Any government agency will either not do anything at best, or get agitated for you wasting their time at worst.

 

Learn to protect against the vulnerabilities before they become such an issue. An ounce of prevention...

[Davros 0]

This can help with the BHOs:

 

http://www.definitivesolutions.com/bhodemon.htm

 

And you can use CWShredder to help with the hijackers, Ad-Aware and Spybot for adware.

[adamvjackson 0]

Well APK, when you have a static IP/name resolution specified in the HOSTS file, and that IP changes, it's broken.

 

If you were using only DNS lookups, it wouldn't break.

 

That's why most upstream DNS providers have a TTL value of 1 hour, so that any IP/host changes are quickly propigated downstream.

 

BTW, good to see you posting again, and good to be back... ;-)

[adamvjackson 0]

About DNS server poisining, this is another good reason to run your own local DNS server, and forward lookups to one of the root servers.

 

Comprimise of the root servers is a lot less likely than your ISPs DNS server/cache.

[adamvjackson 0]

Well, about costs, direct and indirect...

 

Personally I value my time more than anything. Money can always be made, but time cannot.

 

So, bearing that in mind, once a DNS server is set up, it just runs. No user/admin intervention necessary.

 

Hosts on the other hand takes time to set up and update (constantly black-listing advertisers, malicious content, etc.).

 

Also, the root servers are far more secure then any downlevel DNS server, such as local ISP DNS servers.

 

[adamvjackson 0]

A quick google for "open source" "dns server" "win32" turned this up:

 

http://posadis.sourceforge.net

 

Note that I have never used it, but maybe someone has?