Proxomitron poses problem

Last week we delved into Proxomitron, an excellent (and free) HTTP proxy designed to automagicly edit incoming content on the fly to remove things such as pop-ups, pop-unders and nosey JavaScript. We discussed Proxomitron's search and replace specifications and how they are used, and this week we'll discuss how Proxomitron revealed other software doing things we could live without.

One of the neat features of Proxomitron is an HTTP message logger. This is launched from Proxomitron's main window, which is accessed from the system tray.

The logger displays the headers of HTTP requests and responses proxied by Proxomitron, and for each response lists the rules that are applied to the content. Oddly, we noticed that every few minutes, the Proxomitron logger would show HTTP exchanges between our PC and a couple of Web sites.

This is what we saw in the logger for a request to one of the mysterious sites:

GET /un?2130212 HTTP/1.0
Accept: */*
PEABODY-VER: 1.4
PEABODY-SWVER: 2.0
PEABODY-OS: WIN
PEABODY-OSVER: 4.10.1998
PEABODY-UID: E50486C2A46C11D5973300A0CC231387
PEABODY-LASTUPDATED: 11
PEABODY-UNINSTALL: 1
User-Agent: SpaceBison/0.01 [fu] (Win67; X; SK)
Host: ps1.streamingcash.com
Pragma: no-cache

In the above case, the target site is "ps1.streamingcash.com" and the GET request is "/un?2130212." (The User-Agent header string "SpaceBison" is the ID of Proxomitron and, no, we have no idea why.)
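The kind of triage described above can be automated. The following script is an added example, not code from the column or from Proxomitron: it parses raw request headers like the one shown, lists any header names a normal browser would not send (the PEABODY-* lines), and flags hosts that are contacted at regular intervals with such headers. The timestamps are constructed for the example; Proxomitron's logger shows headers but the timeline here is assumed.

```python
"""Flag beacon-like HTTP requests in a Proxomitron-style header log."""
from collections import defaultdict

# Request headers a normal browser sends; anything else is worth a second look.
STANDARD_HEADERS = {"accept", "accept-encoding", "accept-language", "host",
                    "user-agent", "pragma", "referer", "cookie", "connection"}

def parse_request(raw):
    """Split a raw HTTP request (request line plus headers) into a dict."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "host": headers.get("host", ""), "headers": headers}

def custom_headers(req):
    """Header names not on the standard list (e.g. the PEABODY-* tracking headers)."""
    return sorted(h for h in req["headers"] if h not in STANDARD_HEADERS)

def find_beacons(log, min_hits=3, jitter=0.25):
    """Hosts hit at (roughly) regular intervals by requests carrying custom headers.

    Returns {host: mean interval in seconds} for every host that qualifies."""
    times = defaultdict(list)
    for t, raw in log:
        req = parse_request(raw)
        if custom_headers(req):
            times[req["host"]].append(t)
    beacons = {}
    for host, ts in times.items():
        if len(ts) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= jitter * mean for g in gaps):
            beacons[host] = round(mean)
    return beacons

# The first request reproduces the one from the column; the second is a constructed, ordinary fetch.
PEABODY = ("GET /un?2130212 HTTP/1.0\nAccept: */*\nPEABODY-VER: 1.4\n"
           "PEABODY-UID: E50486C2A46C11D5973300A0CC231387\nPEABODY-UNINSTALL: 1\n"
           "User-Agent: SpaceBison/0.01 [fu] (Win67; X; SK)\n"
           "Host: ps1.streamingcash.com\nPragma: no-cache\n")
NORMAL = ("GET /index.html HTTP/1.0\nAccept: */*\n"
          "User-Agent: SpaceBison/0.01 [fu] (Win67; X; SK)\nHost: www.example.com\n")
# Constructed timeline in seconds: the spyware phones home about every five minutes, browsing is irregular.
SAMPLE_LOG = [(0, PEABODY), (47, NORMAL), (301, PEABODY), (333, NORMAL), (598, PEABODY), (902, PEABODY)]
```

Running `find_beacons(SAMPLE_LOG)` on the constructed log reports only ps1.streamingcash.com, at a roughly 300-second interval; the ordinary fetches carry no custom headers and are never counted.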

When we browsed the sites - ps1.streamingcash.com and bis.180solutions.com - we found nothing intelligible. The chase was on.

To make a long story short, it came down to spyware - a topic we discussed some weeks ago. The streamingcash.com access is the action of a piece of spyware called SVAPlayer from QuickFlicks. We installed this software when we were checking out another application called WeatherBug. SVAPlayer, which delivers headlines and other "stuff," was an installation option. Little did we realize that SVAPlayer would be so impolite.

The other Web site that was being deviously accessed - bis.180solutions.com - is the goal of a nasty piece of software called msbb.exe (which, despite what you might assume, has nothing to do with Microsoft - it is apparently from a company called Web3000).

Msbb.exe seems to live (at least on our system) in the subdirectory "c:/program files/n-case." We were gifted this piece of spyware by installing a screensaver called "Fireworks" that we downloaded from Galt Technology.

This swinish software records all the URLs you request for, we believe, the previous 24 hours and stores them in a file called "fiz1" which, we further believe, is regularly uploaded to the target server.

Worst of all, we are even further led to believe that msbb.exe will hang on to your PC with the tenacity of a terrier worrying a bone. Not only are there registry entries that try to start the program at bootup but we have also read that there is a helper application that attempts to replace msbb.exe and its registry entries if you should delete them. Any information you may have on this topic would be most welcome.

Anyway, it turns out that the Lavasoft Ad-Aware spyware blocking system (see column) rather disappointingly can't detect either of these versions of spyware. We finally got rid of SVAPlayer by deleting everything associated with it (interestingly, despite having deleted its companion, Weatherbug, there was still a registry entry to run one of Weatherbug's background processes that wasn't removed).

A similar exercise was required to get rid of msbb.exe. To find all of the registry entries that run the components of these vile pieces of software, we recommend an excellent, neat and free utility called Startup Control Panel by Mike Lin (and check out his StartupMonitor - a tool that monitors and manages applications that try to install themselves to run at startup).

So the moral is: start checking your networks now to see how much spyware is running and how it got installed. And let us know what you find - we will treat your revelations with the utmost secrecy.

Next week, we'll wrap up Proxomitron. Honest. Diversions to gearhead@gibbs.com.

RELATED LINKS

More on Proxomitron
Gearhead, 09/24/01.

Download Proxomitron

Spying on the flip side
A look at spyware. Gearhead, 05/14/01.

Getting rid of spyware
Some tips. Gearhead, 05/21/01.

Startup Control Panel

StartupMonitor

Copyright, 1994-2006 Network World, Inc. All rights reserved.