MowGreen: April 2007 Archives


April 25, 2007

Winfixer and ValueClick in bed together ?

From Winfixer and ValueClick – an oft appearing association, as blogged by MVP Sandi Hardmeier

My regular readers will remember my various articles about the Winfixer infiltration of the AOL and MSN advertising networks that happened not long ago. Winfixer infiltration of Web site advertising (as well as forum and comment spam) continues to be problematic, and one name that keeps on popping up over and over again is adfarm.mediaplex.com (Mediaplex is owned by ValueClick). The problem seems to be so endemic that any web site, forum or Web comment that utilises links that redirect to adfarm.mediaplex.com are potentially placing their visitors at risk of a Winfixer infection.

Over the past couple of months I have had in-person and telephone conferences with representatives and technical staff at MSN and AOL as a direct result of the Winfixer infiltrations of various advertising networks. They have learned a lot from the events of the past few months, as have I. I don't think any of us realised how widespread the problem was, or just how sophisticated the bad guys were getting, until we started taking a close look.

Mike Burgess and I have been having a close look at adfarm.mediaplex.com. I have tried to contact ValueClick regarding the adfarm.mediaplex.com problems using their “contact us” page on their Web site, but as of yet have received no response (and those of you that know me well know that a failure to respond is sure to intensify the attention that I pay to a problem advertisement network). I will be contacting them directly via an email address given to me by an associate as soon as this article goes live, and will report on their responses, if any.


WinFixer is known as a "Rogue Security Product". Microsoft's definition of "Rogue Security Products" is:
These products appear under a variety of names and produce a variety of results for the end user, ranging from limited or no detection capability, coupled with a fraudulent request to pay for a “full” version, to outright malicious behavior, such as installing malicious software without the user’s consent in order to give the product something to detect. In many cases, the people behind such software would attempt to get the infected individual to pay them for removal of purported infections using fraud and social engineering.

Please take the time to read Sandi's fine article and follow her valiant attempt to halt the disingenuous spread of the WinFixer plague.

April 16, 2007

The Infamous SVCHOST Issue

NOTE: New software controls will soon be installed for the V7 Windows/Microsoft Update sites. If you do not want to wait for them and are experiencing the SVCHOST issue, then:
1) Download the latest Windows Update Agent for x86 [Win2K, XP, Microsoft Windows Server 2003, Vista] or Windows Update Agent for x64 [XP, Microsoft Windows Server 2003, Vista]. Save it, do NOT run it.
2) Download and save KB927891. This is NOT FOR VISTA. When the downloads are complete, close the browser.
3) Run WindowsUpdateAgent30-xXX.exe.
4) Install KB927891. PLEASE NOTE that there are different download links on the KB927891 page: x86 | x64 for XP, an x86 version for Win 2K, and x86 | x64 | ia64 for Microsoft Windows Server 2003. Again, this is NOT FOR VISTA.
5) Restart the system.
From The WSUS Product Team Blog - Update on svchost/msi performance issue and 3.0 Client distribution plan


There are numerous threads in the Microsoft Windows Update Newsgroup that deal with the Infamous SVCHOST Issue.
MS states that it's caused by the Windows Installer, specifically msi.dll.
There are even 2 MSKB articles that offer a newer version of msi.dll.
KB916089 states that one should not even bother with it; instead, MS states that KB927891 supersedes KB916089.

Symptoms of the issue usually appear when a system first boots up, is awakened from Standby, Sleep, or Hibernation, and/or accesses the Windows or Microsoft Update sites.
When systems with the Automatic Updates service running do any of the above, SVCHOST will start to consume most of the CPU cycles while spawning the wuauclt.exe [Windows Automatic Update Client] process.
SVCHOST may even take all of the CPU cycles, effectively locking the system up temporarily until the detection scan has finished.
Other contributing factors in this issue may be disk fragmentation; data | log corruption; left-over files, binaries, or metadata in the SoftwareDistribution folder; and/or interference | file corruption by security software.

Temporary steps that will help mitigate this issue:
1) First, show hidden files, folders, and system files.
2) Using Windows Explorer, navigate to the WINDOWS\SoftwareDistribution\Download folder.
Delete the contents of this folder. Exit Windows Explorer.
Initiate a manual visit to the Windows | Microsoft Update site.
If that did not resolve the issue:
3) Go to Start > Run > type in net stop wuauserv
Click OK or press Enter.
Using Windows Explorer, navigate to the WINDOWS\SoftwareDistribution\DataStore folder.
Delete DataStore.edb
NOTE: This will remove the update history that one sees on the Windows | Microsoft Update sites.
4) Go to Start > Run > type in net start wuauserv
Click OK or press Enter.
Initiate a visit to the Windows | Microsoft Update site.
5) If the above does not resolve the issue, then stop the Automatic Updates service from either the Services console or by running the command previously given.
Then either rename the SoftwareDistribution folder to SoftwareDistribution.old or delete its contents, not the folder itself.
Now restart the Automatic Updates service.
The contents of SoftwareDistribution will be recreated the first time the system accesses the Windows | Microsoft Update sites or when the Windows Automatic Update Client is spawned.
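The following PowerShell script is an added example, not from the original post or from Microsoft, that performs steps 3 to 5 above in one go: it stops the Automatic Updates service (wuauserv), sets the SoftwareDistribution folder aside (rename by default, or empty it with -DeleteContents), and restarts the service so the folder is rebuilt on the next detection. It assumes an elevated PowerShell session on XP/2003 or later; the service name, folder path and the loss of update history come from the post, and the optional wuauclt /detectnow call at the end is a standard Windows Update Agent switch, not something the post mentions.

```powershell
# Added example (not part of the original post): automates steps 3 to 5 of the
# SVCHOST mitigation. Run from an elevated PowerShell prompt.
param(
    # By default the folder is renamed to SoftwareDistribution.old so its contents
    # can be inspected later; -DeleteContents empties it in place instead (step 5).
    [switch]$DeleteContents,
    # Kick off a detection cycle immediately instead of waiting for the next one.
    [switch]$DetectNow
)

$ErrorActionPreference = 'Stop'
$sdPath  = Join-Path $env:windir 'SoftwareDistribution'
$oldName = 'SoftwareDistribution.old'
$oldPath = Join-Path $env:windir $oldName

# Step 3: stop the Automatic Updates service (equivalent to "net stop wuauserv")
# and wait until it has really stopped before touching its files.
$svc = Get-Service -Name wuauserv
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name wuauserv
    $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
}

if (-not (Test-Path -Path $sdPath)) {
    Write-Warning "$sdPath does not exist; nothing to reset."
} elseif ($DeleteContents) {
    # Step 5, variant A: delete the contents but keep the folder itself.
    # NOTE: this removes DataStore.edb, i.e. the update history shown on the
    # Windows | Microsoft Update sites.
    Get-ChildItem -Path $sdPath -Force | Remove-Item -Recurse -Force
    Write-Host "Emptied $sdPath"
} else {
    # Step 5, variant B: rename the folder so the old DataStore and Download
    # content is still available for later inspection. A previous .old copy
    # is removed first so the rename cannot fail.
    if (Test-Path -Path $oldPath) { Remove-Item -Path $oldPath -Recurse -Force }
    Rename-Item -Path $sdPath -NewName $oldName
    Write-Host "Renamed $sdPath to $oldPath"
}

# Step 4: start the service again (equivalent to "net start wuauserv"); the
# SoftwareDistribution folder is recreated on the next contact with the update site.
Start-Service -Name wuauserv
(Get-Service -Name wuauserv).WaitForStatus('Running', (New-TimeSpan -Seconds 60))
Write-Host "wuauserv is running again"

if ($DetectNow) {
    # Optional: ask the Windows Update Agent to run a detection now, which is what
    # visiting the Windows | Microsoft Update site would otherwise trigger.
    & "$env:windir\system32\wuauclt.exe" /detectnow
}
```

Save the script as, for example, Reset-SoftwareDistribution.ps1 and run it without switches for the rename variant (the safer choice while you are still troubleshooting), or with -DeleteContents once you are sure the old data is not needed.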



The Hard Drive can be defragmented using either the native Windows utility or from a 3rd party tool.
Please consult the Help file from Start > Help and Support
Enter disk defragmentation in the Search field and then click the Green arrow.

Check the Help file of the installed antivirus software so that it can be configured to not scan the SoftwareDistribution folder during regularly scheduled system scans. At this time, there is no malware that uses that folder as an infecting vector.


UPDATE - Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP

Do not scan the following files and folders. These files are not at risk of infection. If you scan these files, serious performance problems may occur because of file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any one of these based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as the following files.
• Microsoft Windows Update or Automatic Update related files
  • The Windows Update or Automatic Update database file. This file is located in the following folder:
    %windir%\SoftwareDistribution\Datastore
    Exclude the Datastore.edb file.
  • The transaction log files. These files are located in the following folder:
    %windir%\SoftwareDistribution\Datastore\Logs
    Exclude the following files:
    • Edb*.log
      Note: The wildcard character indicates that there may be several files.
    • Res1.log
    • Res2.log
    • Edb.chk
    • Tmp.edb


And, above all, cross your fingers and toes that Service Pack 3 is in the works for XP :wink:

April 5, 2007

From Secunia.com
Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow


Secunia Advisory: SA24742

Release Date: 2007-04-04

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: Yahoo! Messenger 5.x
Yahoo! Messenger 6.x
Yahoo! Messenger 7.x
Yahoo! Messenger 8.x

Description:
A vulnerability has been reported in Yahoo! Messenger, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the AudioConf ActiveX control (yacscom.dll) component of Yahoo! Messenger. This can be exploited to cause a stack-based buffer overflow by setting the "socksHostname" and "hostName" properties to an overly large string and then calling the "createAndJoinConference()" method.

Successful exploitation allows execution of arbitrary code when a user visits a malicious web site.

The vulnerability is reported in version 8.x. Other versions may also be affected.

Solution:
Update to the latest version.

Alternatively, set the kill-bit on the affected ActiveX control so that Internet Explorer refuses to load it.

Get that YMessenger patched real fast, bunkies. ;)
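The advisory's second mitigation, setting the kill-bit, means writing the documented "Compatibility Flags" value 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The page names the DLL (yacscom.dll) but not the control's CLSID, so the added PowerShell below (my example, not code from Secunia, Yahoo! or Microsoft) first looks up which CLSIDs register that DLL as their in-process server on the local machine, then sets and verifies the kill-bit for each. It assumes an elevated session; the helper names are my own.

```powershell
# Added example (not from the advisory): kill-bit the ActiveX control(s) served
# by a given DLL. Run from an elevated PowerShell prompt.
$compatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KILL_BIT  = 0x400   # documented Compatibility Flags value: IE will not instantiate the control

function Find-ClsidByDll {
    # Return every CLSID whose InprocServer32 default value points at $DllName.
    # HKLM\SOFTWARE\Classes mirrors HKCR for machine-wide registrations.
    param([Parameter(Mandatory = $true)][string]$DllName)
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srvKey = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path -Path $srvKey) {
                $server = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
                if ($server) {
                    # Values may be quoted; strip quotes before taking the file name
                    $leaf = Split-Path -Leaf ($server.Trim().Trim('"'))
                    if ($leaf -ieq $DllName) { $_.PSChildName }
                }
            }
        }
}

function Set-ActiveXKillBit {
    # Create the per-CLSID compatibility key if needed and OR the kill-bit into
    # any flags that are already present, so other settings are preserved.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = Join-Path $compatKey $Clsid
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = ([int]$current) -bor $KILL_BIT
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-ActiveXKillBit {
    # True when the kill-bit is set for the CLSID, false otherwise.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = Join-Path $compatKey $Clsid
    if (-not (Test-Path -Path $key)) { return $false }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ((([int]$current) -band $KILL_BIT) -ne 0)
}

# Usage: yacscom.dll is the component named in the advisory.
$clsids = @(Find-ClsidByDll -DllName 'yacscom.dll')
if ($clsids.Count -eq 0) {
    Write-Warning 'yacscom.dll is not registered as a COM server on this machine; nothing to kill-bit.'
}
foreach ($id in $clsids) {
    Set-ActiveXKillBit -Clsid $id
    "{0} kill-bit set: {1}" -f $id, (Test-ActiveXKillBit -Clsid $id)
}
```

Setting the kill-bit only stops Internet Explorer (and other hosts that honour the flag) from loading the control; it does not remove the vulnerable DLL, so it is a stop-gap until the Yahoo! Messenger update is applied, and it can be reverted by deleting the per-CLSID key if the patched control still needs to work in the browser.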