
Re: 030 igetnet ignkeywords

From: Waitman C. Gobble <waitman(at)emkdesign.com>
Date: Tue Nov 12 2002 - 09:34:57 EST

Hello

Couple of things to note. The file is signed by IGetNet, LLC using a Verisign cert. I suppose that signed applications are always trustworthy?

I realize the obvious painful answer is that it was installed by clicking on a link on a web site, and allowing it to install HOWEVER - everyone I have heard from has NO recollection of doing such a thing.

IMO This thing behaves like a sticky virus, it mysteriously gets installed on the machine, and seems to be difficult to remove. Chris Wagner kindly posted a link on this ng to removal instructions that seem to work, however one person telephoned me last night and indicated that the conditions persist even after following the instructions.

I haven't heard anyone making the claim that the "browser upgrade" from IGetNet is useful, in fact everyone I have heard from is upset about it and wants it permanently removed from their system as quickly as possible.

It brings to my mind the term "viral marketing".

In my opinion IGetNet wants to come into the picture, apparently through the back door, as a replacement for RealNames. I am not sure that enough, if any, people would actually buy keywords from them. After losing close to $1200 US when RealNames got its plug pulled, I wouldn't touch IGetNet with a ten foot pole.


I have a hunch that this is coming in through a program that does unattended (or attended for that matter) automatic updates, or a program that routinely gets stuff off the Internet, like a music player.

Additionally, I imagine any day now the phone will start ringing off the hook from our clients that have mysteriously contracted the virus and seek removal.

My guess is that this is the tip of the iceberg - bigger better faster harder is certain to come.

Best,

Waitman Gobble
EMK Design
Buena Park, California
+1.7145222528

On Tue, 2002-11-12 at 02:39, J. Foobar wrote:

    I have recently detected a few internal machines being solicited to download a file called
    "Internet.Explorer.Browser.Security.Upgrade.exe"

    I perform a parse of proxy logs looking for .exe downloads by users in my enterprise periodically (maybe 3 times a week) and I have just noticed this for the first time a few days ago in the 3-4 months I have been doing this.


    I have a close look at the traffic of the one internal dolt stupid enough to actually download the file. He was surfing animatedgif.com, which is pop-up and cookie hell, and was probably solicited to download this by the IP 216.40.225.62, which serves some sort of "Keyword Tracking" function and is an IP assigned to Everyones Internet, Inc (ev1.net, Texas).

    I wonder if they are related, at least conceptually.

    I have not yet had a chance to examine the end user's machine and I do not yet know if he was silly enough to actually run the .exe.

    Regards,
    Justin          

  • "Waitman C. Gobble" <waitman@emkdesign.com> wrote:
    > Hello


    > This list is provided by the SecurityFocus ARIS
    > analyzer service.
    > For more information on this free incident handling,
    > management
    > and tracking system please see:
    > http://aris.securityfocus.com
    >



Received on Tue Nov 12 15:54:09 2002
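
The periodic proxy-log sweep for .exe downloads described in the quoted message could look like the following. This is an added example, not code from the thread or its participants; it assumes Squid's native access.log layout (the post does not name the proxy), and the log lines, client addresses and hostnames are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Squid native access.log layout (an assumption):
# time elapsed client action/status bytes method URL ident peer content-type
SAMPLE_LOG = """\
1037111001.120    310 10.1.4.21 TCP_MISS/200 48211 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1037111044.501   2210 10.1.4.21 TCP_MISS/200 184320 GET http://ads.example.net/dl/Internet.Explorer.Browser.Security.Upgrade.exe - DIRECT/192.0.2.77 application/octet-stream
1037111090.007    120 10.1.7.5 TCP_DENIED/403 1400 GET http://ads.example.net/dl/Internet.Explorer.Browser.Security.Upgrade.exe?id=7 - NONE/- text/html
1037111200.300    900 10.1.9.3 TCP_HIT/200 912000 GET http://updates.example.org/tools/Setup.EXE - NONE/- application/octet-stream
1037111300.000     80 10.1.9.3 TCP_MISS/200 5120 GET http://www.example.com/exe-faq.html - DIRECT/192.0.2.10 text/html
garbage line that does not parse
"""

def exe_downloads(log_text, known=frozenset()):
    """Group requests for .exe files by filename.

    `known` is a baseline of lowercase filenames already reviewed, so a
    recurring sweep only surfaces names not seen before. For each file the
    result separates clients that merely requested it from clients that
    received a 2xx response, i.e. actually pulled the binary.
    """
    hits = defaultdict(lambda: {"requested": set(), "fetched": set(), "hosts": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip truncated or malformed lines
            continue
        client, result, url = fields[2], fields[3], fields[6]
        parts = urlsplit(url)
        # Match on the URL path only, so query strings do not hide the
        # extension and pages like "exe-faq.html" are not flagged.
        name = unquote(parts.path).rsplit("/", 1)[-1]
        if not name.lower().endswith(".exe") or name.lower() in known:
            continue
        entry = hits[name]
        entry["requested"].add(client)
        entry["hosts"].add(parts.hostname)
        if result.partition("/")[2].startswith("2"):
            entry["fetched"].add(client)
    return dict(hits)

if __name__ == "__main__":
    for name, e in exe_downloads(SAMPLE_LOG, known={"setup.exe"}).items():
        print(name, "from", sorted(e["hosts"]))
        print("  requested by:", sorted(e["requested"]))
        print("  fetched by:  ", sorted(e["fetched"]))
```

The clients in the "fetched" set are the ones whose machines need a closer look, since a logged download does not show whether the file was run.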

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT

