questioneverything Newbie
Joined: 02 Dec 2004 Last Visit: 14 Dec 2004 Posts: 2
Posted: Thu Dec 02, 2004 9:24 pm Post subject: Some insight on xblock_free.exe please - very suspicious
I downloaded xcleaner_free.exe from
http://www.xblock.com/cgi-bin/download.pl/-13232-/xcleaner_free.exe
After running the application and exiting from the interface I noticed it kept itself resident in memory. When I returned to the http://spywarewarrior.com/ forum my firewall flagged a remote machine from the spywarewarrior domain attempting to control my machine via port 1181.
Whenever I attempted to navigate through the forum, the firewall flagged xcleaner_free.exe attempting to connect to the spywarewarrior IP. If the connection was ever allowed, an immediate response to connect from the remote machine via 1181 was identified.
I find it awfully suspicious and a threat to this forum's credibility that xcleaner is placed as a sticky topic promoting the tool.
I have not had time to capture the packets or investigate further. Before I dig any deeper, would anyone like to share any insights?
OS: Windows 2000
Firewall: Sygate Pro
_________________
question everything!
3162 Honorary Site Admin
Joined: 31 Mar 2004 Last Visit: 04 May 2009 Posts: 4452
Posted: Sat Dec 04, 2004 4:42 pm Post subject:
Quote:
I find it awfully suspicious and a threat to this forum's credibility that xcleaner is placed as a sticky topic promoting the tool.
Which sticky, please?
_________________
Proud member of the Chest Zipper Club!
questioneverything Newbie
Joined: 02 Dec 2004 Last Visit: 14 Dec 2004 Posts: 2
Posted: Tue Dec 14, 2004 8:30 am Post subject: forum with title: Sticky: Quick Fix for Spyware Removal
Sticky: Quick Fix for Spyware Removal is peddling a trojan horse itself!
This online scanner was developed in partnership with XBlock, maker of X-Cleaner Spyware Remover. It scans for all supported "adwares" and many of the "spywares", keyloggers, and trojans that the downloadable freeware version <http://www.xblock.com/cgi-bin/download.pl/-13232-/xcleaner_free.exe> of X-Cleaner also targets.
This is the message contained within the sticky post.
I continue to investigate and this is really awful. This one act may destroy the hard work of so many committed to providing accurate information. Just think: the forum disguises itself as a support tool only to peddle trojan horses and malware itself. Is it possible? Sure it is - consider history itself. Now ask yourself, how come no one is answering or investigating the issue?
_________________
question everything!
suzi Site Admin
Joined: 27 Jul 2003 Last Visit: 21 May 2013 Posts: 10271 Location: sunny California
Posted: Tue Dec 14, 2004 9:24 am Post subject:
Could you please post a link to the sticky that you are referring to?
I'm not really clear on what you are saying here.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
xblocksys Malware Expert
Joined: 14 Dec 2004 Last Visit: 22 Aug 2006 Posts: 56
Posted: Tue Dec 14, 2004 10:00 am Post subject:
The forum you are referring to seems to be spywareinfo.com? Are you saying Mike Healan is peddling spyware? I find that hard to believe.
In no way, shape or form has Xblock ever downloaded a trojan horse on a person's hard drive or bundled rogue adware or spyware with our freeware. We have always been above board and have a long track record of this.
I will, however, have our tech team investigate the technical claims you make. Right off the bat I can tell you that X-cleaner freeware does NOT stay resident in memory. This is easily validated.
Can you provide the URL of the actual web page this was downloaded from, so we can eliminate the possibility of some rogue using link masking, e.g. using the front of a reputable company to install their own form of malware?
Quote:
When I returned to the http://spywarewarrior.com/ forum my firewall flagged a remote machine from the spywarewarrior domain attempting to control my machine via port 1181.
You are saying that SpywareWarrior is attempting to control your machine? Are you also insinuating that SpywareWarrior is also in on this trojan behavior? Again, I find that hard, if not impossible, to believe.
The only way to verify this claim is through analysis of the actual executable. Can you also send, and this is important, a copy of the actual executable that you downloaded to coder@xblock.com.
We will get to the bottom of it and post our findings once you send the executable. But I assert again that we have not and would never bundle a trojan horse with our software.
Not only is it illegal, it just makes no sense whatsoever.
Thanks in advance.
Xblock
CYBERCYNIC Warrior
Joined: 14 Dec 2004 Last Visit: 15 Jul 2008 Posts: 53 Location: Emerald City
Posted: Tue Dec 14, 2004 10:06 am Post subject:
I have a copy of X-cleaner free on my computer. It doesn't stay resident in memory, nor have I detected any suspicious internet activity.
LDH
xblock Malware Expert
Joined: 11 Oct 2004 Last Visit: 28 Jan 2009 Posts: 6
Posted: Tue Dec 14, 2004 10:56 am Post subject:
Since we are "questioning everything":
There are no known trojans using port 1181 according to this:
http://lists.sans.org/pipermail/list/2003-February/055710.html
Are you sure you are not running any P2P by any chance?
The only thing that I found using that port is "RapidAssist".
http://www.rapidassist.com/requirements.asp
This is a _commercially licensed_ remote assistance program. I very much doubt that a "hacker" would be using it, because:
- It needs to be licensed against a server
- It always requests authorisation from the user
- The user can always see what is going on.
MadameX Site Admin
Joined: 12 Jul 2004 Last Visit: 27 Apr 2008 Posts: 1438
Posted: Tue Dec 14, 2004 11:09 am Post subject:
After reading through this thread, I have to say, IMO, that this looks 'fishy' to me.
This person hasn't responded back to the post.
Did he/she ever send any of the requested info to you, xblocksys?
If not, I'm of the mind that someone is trying to start trouble here.
Deb
_________________
CARMA
Crap Wear Worrier Warrior Guru
Joined: 08 Dec 2004 Last Visit: 05 May 2009 Posts: 364 Location: Far end of nowhere
Posted: Tue Dec 14, 2004 11:11 am Post subject:
Funny, that's what I wondered.
xblock Malware Expert
Joined: 11 Oct 2004 Last Visit: 28 Jan 2009 Posts: 6
Posted: Tue Dec 14, 2004 11:30 am Post subject:
As of the time of this post, nobody at XBlock.com has received any further information on this, or any file.
I see the following scenarios as possible (no judgement implied):
- Poster is confused/has an unrelated infection on his machine
- Poster is doing a FUD campaign for a competitor
When/If we receive an actual file looking like "X-Cleaner", but with any of the alleged behaviour, then I will:
- Run yet another security check on our server
- Apologise to the poster for the initial scepticism
- Try to track down who pulled this one off, send a horde of hungry lawyers at them, and feed whatever remains to a canine at hand.
- Send a documented log of the analysis and a warning across the entire anti-spyware community
Side note:
We have thousands of downloads a day of X-Cleaner freeware (check the download.com stats), so if the X-Cleaner version on our site was hacked (or even if it was xblock that did it), I suspect there would be a hailstorm of complaints on the net.
What we _did_ see in the past is some spyware playing tricks with the HOST file or the browser to hinder people from downloading X-Cleaner. There is little we can do against that; you cannot remotely protect a user's PC BEFORE he downloads the software.
xblock Malware Expert
Joined: 11 Oct 2004 Last Visit: 28 Jan 2009 Posts: 6
Posted: Wed Feb 02, 2005 10:17 pm Post subject: Nothing received yet...
As of the date of this post, nobody at XBlock Systems has received any supplemental information on the initial claim, whether directly or indirectly.
So, I suggest we call it "a post caused by a misunderstanding", and close the thread?
3162 Honorary Site Admin
Joined: 31 Mar 2004 Last Visit: 04 May 2009 Posts: 4452
Posted: Thu Feb 03, 2005 5:17 am Post subject:
Good enough for me.
Topic Locked.
_________________
Proud member of the Chest Zipper Club!