
Thread: cannot find spy

  1. #21
    Jay T. Blocksom Guest

    Re: cannot find spy

    On Tue, 12 Apr 2005 13:26:11 +0200, in <alt.privacy.spyware>, peter krom
    <jonhy@rook.com> wrote:
    >

    [snip]
    >
    > After searching through my system I Uninstalled Mozilla Firefox, this
    > was apparently the source of sending the syn to kelcos.. Now that firefox
    > is no longer installed, the Syn's aren't sent anymore.

    [snip]

    That was near-certainly unnecessary; and it makes little (if any) sense,
    particularly in light of your original article. Nowhere in it did you state
    that the SYNs were being sent *only* when Firefox was running. And besides,
    Firefox itself is *not* in any way malicious; nor is it particularly
    vulnerable to attack from malware (unlike, for a very pointed example, MSIE's
    susceptibility to "home page hijackers"). So why would it be "phoning home"
    to Kel Ellis? No, this just doesn't add up.

    I *strongly* urge you to re-examine your system *very* closely. The odds are
    overwhelming that either you did not tell the full and correct story
    initially, or you did *not* completely clean things up -- or both.

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet02[at]appropriate-tech.net

    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this domain is expressly prohibited under
    47 USC S227 and State Law. Violators are subject to prosecution.

  2. #22
    peter krom Guest

    Re: cannot find spy

    In article <5p4o5198n8r1s9d9hpkfs4a9q3i14kqhlf@news.speakeasy.net>,
    not.deliverable+usenet02@appropriate-tech.net says...
    > On Tue, 12 Apr 2005 13:26:11 +0200, in <alt.privacy.spyware>, peter krom
    > <jonhy@rook.com> wrote:
    > That was near-certainly unnecessary; and it makes little (if any) sense,
    > particularly in light of your original article. Nowhere in it did you state
    > that the SYNs were being sent *only* when Firefox was running. And besides,
    > Firefox itself is *not* in any way malicious; nor is it particularly
    > vulnerable to attack from malware (unlike, for a very pointed example, MSIE's
    > susceptibility to "home page hijackers"). So why would it be "phoning home"
    > to Kel Ellis? No, this just doesn't add up.
    > I *strongly* urge you to re-examine your system *very* closely. The odds are
    > overwhelming that either you did not tell the full and correct story
    > initially, or you did *not* completely clean things up -- or both.


    I do think that Firefox itself is a good browser, I uninstalled it
    reluctantly... When exiting firefox using ->file->exit a resident
    portion stayed in memory, I was able to remove it from memory using
    taskmanager and that is when I discovered the syn's were gone. I have
    been looking at all network related files installed and verified them by
    using the original install information and calculating crc's. All
    network-related files are in fact original. There was one file which did
    not have the same crc as the original and I replaced it. I am going to
    reinstall mozilla and see what happens....

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 13-4-2005 15:05:16
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  3. #23
    Paul Vader Guest

    Re: cannot find spy

    address@signature.blk writes:
    >On Fri, 8 Apr 2005 13:53:28 +0200, in <alt.privacy.spyware>, peter krom
    ><jonhy@rook.com> wrote:
    > >
    > > when running Netview I discovered that my Laptop sends a syn to a
    > > certain ip-address, which looked up to - kelcos5.dynu.com -
    > > at IP-address 81.215.160.197 every minute or so.


    It's not sending a syn by itself - more likely it's trying to open a socket,
    and you see 'SYN SENT' in netstat because the other end isn't up. Also note -
    the DNS address of kelcos5.dynu.com has changed since you posted that.
    Dynu.com is a dynamic DNS provider, like the more popular dyndns.org. I
    can't think of a GOOD reason why your PC would be going there without your
    knowledge. Spyware or a zombie trojan are possibilities.

    The IPs don't seem to respond, but I'm not doing a portscan for you. Go get
    some spyware software (on a different PC) and do a complete cleanup of the
    affected PC. Do not bring it back online until you've done so. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  4. #24
    Paul Vader Guest

    Re: cannot find spy

    peter krom <jonhy@rook.com> writes:
    >After searching through my system I Uninstalled Mozilla Firefox, this
    >was apparently the source of sending the syn to kelcos.. Now that firefox
    >is no longer installed, the Syn's aren't sent anymore. Furthermore All
    >registry-entries concerning Mozilla Firefox are deleted. Thanx for the


    If firefox itself is doing this I'll eat my hat. More likely, you had one
    of several extensions that phone home, if the removal and the disappearance
    of the connection attempts are in any way connected.

    Neither firefox or a snarky extension can be making connection attempts
    when firefox isn't running. If you see this only when you have a browser
    open, look at your extension list. I've seen at least one that I consider
    iffy - it, in exchange for some extra functionality in google, adds
    affiliate links to certain sites and tunnels back to a central server for
    some images. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.
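    As an added example (not code from the thread or from any poster), here is the check Paul Vader's two replies describe, written as a script: read repeated `netstat -ano` snapshots from the affected Windows machine, flag any remote endpoint that keeps reappearing in SYN_SENT from the same owning process, and estimate the repeat interval so a once-a-minute beacon stands out from an ordinary failed connection. The snapshots, the local address 192.168.1.5, the peer 203.0.113.10 and PID 1488 are constructed sample data; only 81.215.160.197 comes from the thread.

    ```python
    # Added example: detect a periodic "phone home" attempt in repeated `netstat -ano`
    # snapshots (Windows format; -o adds the owning PID). All sample data below is
    # constructed, except the peer address 81.215.160.197 quoted from the thread.
    import re
    from collections import defaultdict

    # (seconds since first snapshot, raw netstat -ano output). Constructed sample data.
    SNAPSHOTS = [
        (0,   "TCP    192.168.1.5:1041    81.215.160.197:80    SYN_SENT     1488\n"
              "TCP    192.168.1.5:1042    203.0.113.10:80      ESTABLISHED  1488\n"),
        (60,  "TCP    192.168.1.5:1047    81.215.160.197:80    SYN_SENT     1488\n"),
        (120, "TCP    192.168.1.5:1053    81.215.160.197:80    SYN_SENT     1488\n"
              "TCP    192.168.1.5:1055    203.0.113.10:80      TIME_WAIT    1488\n"),
        (180, "TCP    192.168.1.5:1060    81.215.160.197:80    SYN_SENT     1488\n"),
    ]

    # Proto, local addr, remote addr, state, PID (the -o column).
    LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.M)

    def parse_netstat(text):
        """Yield (local, remote, state, pid) for every TCP row in `netstat -ano` output."""
        for m in LINE.finditer(text):
            local, remote, state, pid = m.groups()
            yield local, remote, state, int(pid)

    def find_beacons(snapshots, min_hits=3):
        """Return {(remote, pid): [t, ...]} for peers stuck in SYN_SENT in at least
        min_hits snapshots. A socket opened to a peer that never answers, from the
        same process, over and over, is the repeating pattern described in the thread."""
        hits = defaultdict(list)
        for t, text in snapshots:
            seen = set()  # count each (peer, pid) once per snapshot
            for _local, remote, state, pid in parse_netstat(text):
                if state == "SYN_SENT" and (remote, pid) not in seen:
                    seen.add((remote, pid))
                    hits[(remote, pid)].append(t)
        return {k: v for k, v in hits.items() if len(v) >= min_hits}

    def mean_interval(times):
        """Average gap between sightings in seconds (0.0 if fewer than two)."""
        if len(times) < 2:
            return 0.0
        return (times[-1] - times[0]) / (len(times) - 1)

    if __name__ == "__main__":
        for (remote, pid), times in find_beacons(SNAPSHOTS).items():
            print(f"{remote}: SYN_SENT from PID {pid} in {len(times)} snapshots, "
                  f"about {mean_interval(times):.0f}s apart")
    ```

    On the sample data the only hit is 81.215.160.197:80 from PID 1488, seen four times about 60 seconds apart; the PID is what lets you tie the attempts to the browser (or whatever process is really making them) rather than guessing from what happens to be open.
    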

  5. #25
    Paul Vader Guest

    Re: cannot find spy

    peter krom <jonhy@rook.com> writes:
    >I used 2 plug-ins in Firefox, the first one is Autocopy and the second
    >one was Wizz RSS reader, both downloaded from the mozilla site btw. The


    The homepage for the Wizz reader really creeps me out. Every piece of
    supposed weirdness is apparently caused by bugs in firefox. I'd drop it and
    find something else. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  6. #26
    peter krom Guest

    Re: cannot find spy

    In article <115qebe4u0480ec@news.supernews.com>, pv+usenet@pobox.com
    says...
    > peter krom <jonhy@rook.com> writes:
    > >I used 2 plug-ins in Firefox, the first one is Autocopy and the second
    > >one was Wizz RSS reader, both downloaded from the mozilla site btw. The

    > The homepage for the Wizz reader really creeps me out. Every piece of
    > supposed weirdness is apparently caused by bugs in firefox. I'd drop it and
    > find something else. *


    I've read your 3 posts, I'll try to answer them in 1 msg:

    It is becoming clear now that one of the extensions was phoning home.
    Most likely it was the wizz rss-extension. I have done a portscan at the
    IP-address that this - let's say - piece of malicious software was
    attempting to connect to and no ports were open...there was simply
    nothing there. You can be sure... you don't have to eat your hat, I have
    reinstalled mozilla without any extensions and nothing happened in any
    of the previously discussed instances... I am glad to say that mozilla
    itself is safe but let it be known that this rss-reader is a no-go. To
    be able to read the rss-feeds I have made a small webpage on my server
    with javascript so I can read my rss-feeds again... Leaves me with the
    thought that everything is quiet on the western front and I am no longer
    a tool for malicious entities who make their money by bombarding people
    with unsolicited mail and other things that we so deeply hate.

    Thank you all for thinking with me (or against...) Now we have another
    application to put on the blacklist: the wizz rss-reader

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 14-4-2005 1:31:01
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  7. #27
    Dave Platt Guest

    Re: cannot find spy

    In article <MPG.1cc7c9fd3b5222a898968c@news.quicknet.nl>,
    peter krom <jonhy@rook.com> wrote:

    >I've read your 3 posts, I'll try to answer them in 1 msg:
    >
    >It is becoming clear now that one of the extensions was phoning home.
    >Most likely it was the wizz rss-extension. I have done a portscan at the
    >IP-address that this - let's say - piece of malicious software was
    >attempting to connect to and no ports were open...there was simply
    >nothing there.


    Unfortunately, it's truly not possible to say for certain that this
    was the case unless you've done a physical inspection of whatever
    hardware may be routed at that address. It's quite possible to write
    a malware server which would sit there, "see" the phone-home packets,
    and yet look for all the world as if:

    - There's no host there, and the net's router is responding with a
    "no such host" ICMP response, or

    - There's no host there, and the phone-home packets or ICMP responses
    simply vanish, or

    - There's a host there, but its ports are closed and are responding
    with "connection refused".

    You simply can't tell, from the outside, whether any particular "there
    ain't nobody here" reaction is legitimate or misleading.

    How one might write such a piece of spoofing server malware is left as
    an exercise for the reader... no sense making it easier for the bad
    guys.

    --
    Dave Platt <dplatt@radagast.org> AE6EO
    Hosting the Jade Warrior home page: http://www.radagast.org/jade-warrior
    I do _not_ wish to receive unsolicited commercial email, and I will
    boycott any company which has the gall to send me such ads!

  8. #28
    Steve Baker Guest

    Re: cannot find spy

    On Wed, 13 Apr 2005 15:02:01 -0000, pv+usenet@pobox.com (Paul Vader)
    wrote:

    >
    >It's not sending a syn by itself - more likely it's trying to open a socket,
    >and you see 'SYN SENT' in netstat because the other end isn't up.


    What's the difference between "sending a SYN" and "trying to open a
    socket"?

    Steve Baker


  9. #29
    Steve Baker Guest

    Re: cannot find spy

    On Wed, 13 Apr 2005 23:42:36 -0000, dplatt@radagast.org (Dave Platt)
    wrote:

    >- There's no host there, and the net's router is responding with a
    > "no such host" ICMP response, or


    How's that work, got a reference handy? I didn't know that routers
    commented on the state of Internet hosts.

    Steve Baker


  10. #30
    peter krom Guest

    Re: cannot find spy

    In article <115rbjcek6qmi32@corp.supernews.com>, dplatt@radagast.org
    says...
    > Unfortunately, it's truly not possible to say for certain that this
    > was the case unless you've done a physical inspection of whatever
    > hardware may be routed at that address. It's quite possible to write
    > a malware server which would sit there, "see" the phone-home packets,
    > and yet look for all the world as if:


    Yes you are right... My router discards all Ping's from WAN so thank you
    for clearing it up for me...

    > How one might write such a piece of spoofing server malware is left as
    > an exercise for the reader... no sense making it easier for the bad
    > guys.


    That's right... it is a shame though that these pieces of malware cost
    globally over hundreds of millions of dollars and people haven't even
    been asking for them....

    Peter



    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 14-4-2005 9:47:55
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com



