Intentional SpyWare Infection?

zagman asks: "I am doing some research on SpyWare / AdWare, and how to prevent/contain the problem, and am looking for some of those 'Bad Sites' - you know, the ones which take advantage of any of the known exploits and installs a whole bunch of software without your knowledge (or sometime with it). I am testing this on IE6 on an XP-SP1 box (no further patches) and also IE6.02 on a XP-SP2 box. Can anyone out there recommend some 'good' bad-sites for me to go? Benjamin Edelman did some similar work, and posted his results, but I also want to compare Mozilla and FireFox's response as well. Thanks out there!" Update: 11/24 4:05pm EDT by C : In case it hasn't been mentioned already, a considerable amount of infection can be obtained from a single website. Any other infectious goodies out there?

I've got one for you-

[Anonymous Coward]

Go to www.vcdquality.com [vcdquality.com] and leave your browser open overnight. I got about 18 different pieces of spyware that way through IE6. Now I use Firefox there and most everywhere else of course :)

Re:I've got one for you-

[jo42]

...and any of the sites hosting cracks, keys, serial #'s, etc.

http://windowsupdate.microsoft.com/

[jon787]

http://windowsupdate.microsoft.com/

lop.com

[the_maddman]

try out lop.com and see if you can clean that crap off.

Browse around less than reputable sites.

[comwiz56]

Just browse around some sites that might carry this stuff: warez, porn, probably some mp3 sites.

And google around, someone else has bound to have done this and have some links/tips.

Ironic timing...

[mikeage]

given that this [slashdot.org] article was just posted.

Re:Ironic timing...

[mikeage]

Are you an idiot?
Let's look at the definition you posted:
2: incongruity between what might be expected and what actually occurs

What might be expected -- person doesn't have any easy resources, so they Ask Slashdot
What actually occurs -- answer was just posted.

Now, since the submission was probably before the posting, you can say that this is not so true... but I still maintain that's not so clear.

another /. story that may help

[cliffyqs]

Thishttp://it.slashdot.org/article.pl?sid=04/11/23 /0331228&tid=172&tid=158&tid=201&tid=2 18 [slashdot.org] was also posted just recently here; he lists the sites he used.

Re:Another IE trash fest.

[Saeed al-Sahaf]

I love it. If you're not a sheep you're a troll. Ah, Slashdot! Got to love it!

Re:Another IE trash fest.

[sampowers]

You're either with us or against us, citizen!

Re:Another IE trash fest.

[Examancer2]

guess you couldn't be bothered to even read a whole paragraph. Look closely as the poster clearly indicates he wants to find sites that infect systems with Spyware and see how Firefox and Mozilla respond to the same sites, to see if they are as impervious as many claim. Also, at the beginning of the paragraph he says that he is doing this to find better ways to prevent and contain the problems with spyware/adware/malware, not to bash IE. Personally, I've already come across some Firefox/Mozilla SPECIFIC sp

when mentioning firefox

[Anonymous Coward]

as in here :"Firefox/Mozilla SPECIFIC" etc, it would be nice if the background OS was always mentioned as well. I'm seeing way too many stories and anecdotals in posts, etc talking about "firefox" like it's a totally complete operating system or something. Can't tell you how many times I've seen that, but it's quite a few lately. If it's a specific reference, than specify it.

It would be better to always say like "firefox/win" or "firefox/linux" if that makes a difference in the reference.

With that said, S

The easiest way...

[rritterson]

The easiest way is to download something like IESPYAD which puts a whole bunch of domains into the restricted sites zone in IE. Just open the data file and start browsing. You can download it here:

https://netfiles.uiuc.edu/ehowes/www/resource.htm# IESPYAD [uiuc.edu]

Another alternative is one of the many HOSTS files out there. Unfortunately, many of those also contain sites that serve ads, so you'll have to filter them yourself. Here are a few:

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
http://www.dozleng.com/hpguru/ [dozleng.com]

previous report with links

[WasteOfAmmo]

You may want to look at http://spywarewarrior.com/asw-test-guide.htm (see previous slashdot article [slashdot.org]. This not only gives a review of various anti-spyware programs but outlines the testing methodology that they used, lists the sites they went to in order to get infected, lists the critical "finger prints" of the infections, and also describes the setup they used.

Merlin.

pr0n

[Bastian]

I'm sure if you spend enough time visiting porn and warez sites, you'll get infected with all sorts of nasty spyware.

Re:pr0n

[kawika]

Warez yes, but pr0n not really. At least, not a pay pr0n site or a free site whose goal is to convert you to a paying customer. They already have a business model, selling you durty pictyers. You're more likely to see spyware in a P2P download that claims to be the full version of Adobe Photoshop.

kazaa

[noselasd]

uh, just installing kazaa should keep you busy for a while.

Re:kazaa

[Carnildo]

Grokster is even better.

Ugh!

[Anonymous Coward]

I hate those sites! The other day I was spending the afternoon looking at some midgets having sex with horses, when the website installed Bonzy Buddy on my coputer. What a bunch of sick bastards!

Re:Ugh!

[Yer Mom]

Whoa. Did they have to stand on stools, or something?

Lyrics sites

[kawika]

I've found that lyrics sites are very common offenders. Just Google some lyrics from a popular singer and you will quickly find an infinite [anysonglyrics.com] source [musicsonglyrics.com] of [songlyrics.com] spyware [songlyricscollection.com] and [elyrics.net] adware [asklyrics.com]. Now, they have ads for many different ineffective spyware removers [spywarewarrior.com] on those sites as well, so they are doing their best to screw their visitors twice.

VMware

[Kizzle]

I played around with spyware just for the fun of it on XP. Instead of going through the trouble of trashing a whole computer I installed XP to a virtual machine in VMware. With the original install backed up I was free to experiment as much as I wanted since I could reset it back to normal at any time. Backing up isn't done for you but it's easy enough to just keep a copy of the disk image it creates.

Re:VMware

[superpulpsicle]

Damn right vmware rulez. If there was any doubt about my activity trashing the system... up goes vmware. I have seen these virtual os take an absolute beating. It's even better when you just delete C-drive for fun to see what happens.

Re:VMware

[bakes]

Even better than copying the image file: take a snapshot. When you want to go back to the clean starting point, stop the VM (don't bother to shut down, just hit stop) and then hit the revert button. Start the VM, continue.

The Toronto Star

[mnmn]

The Toronto Star [thestar.ca] links to an obscene amount of ads, some of which tried to install software on my system. Visit the site several times, you'll find ads that cover 70% of the middle of the screen, and try to get you to install spyware. So much for the daily noose.

Some friends and I were just talking...

[hivemind_mvgc]

...about http://xpire.info/fa?d=get

I refuse to make it a link. If you really want to see it, you'll have to copy -> paste it yourself and cut your own throat.

ISC SANS just analyzed www.yahoogamez.com

[dapantzman]

Tom Listons Following the Bouncing Malware from ISC SANS has some amazing info. He did a complete analysis of www.yahoogamez.com. That site gave him some great infections.

FTBM - Part I -
http://isc.sans.org/diary.php?date=2004-07-23/ [sans.org]
FTBM - Part II -
http://isc.sans.org/diary.php?date=2004-08-23/ [sans.org]
FTBM - Part III -
http://isc.sans.org/diary.php?date=2004-11-04/ [sans.org]
FTBM - PART IV -
http://isc.sans.org/diary.php?date=2004-11-24/ [sans.org]