
Do you know what is in your temp files? Maybe you ought to?


vop (Technical User, joined Mar 30, 2001, CA)
Do you know what is in your temp files? Maybe you ought to? There might potentially be a new sneaky form of spyware and monitoring vulnerabilities happening there?

I certainly have been getting this indication as I monitor the contents of my *.TMP files. Some of those temp files may initially appear as hex files - I use the shareware tool ‘ULTRAEDIT’ to display all readable and converted contents (H button). I have been finding:

- Very selective content excerpts of my HOSTS file (twelve items at a time – only one file at a time - with occasional recurring duplication) [~df*.tmp],
- Excerpts/logs re: anti-virus checking and updates carried out [~df*.tmp],
- Contents of security alert related matters that I have been made aware of [sofe*.tmp],
- Recurring monitoring information on only very very selective spyware related links that I have gone to (all seemingly favicon related?) [www*.tmp]:
    Dealing with Unwanted Spyware and Parasites
    Can you go too far to protect your Windows PC?
    Script Sentry - block potentially malicious scripts
    Potential relationship between favicons and spyware?
    Recurring (registry-like) filename entries in the temp files directory
- Many of these such files immediately get recreated at the next boot or user profile change regardless of whether they have been deleted or not.
- A potentially related issue is that seemingly is both a source of favicon icons and a source of spyware. I have noticed a recurring pattern. In each case a favicon (a very distinctive icon) has appeared only to soon thereafter be replaced by the standard IE icon.

Who or what processes are behind this? Which temp files have a legitimate or necessary purpose, and which are just simply vulnerably invasive? Potentially, such content could be sent out over the Internet without challenge from a firewall (through open port 80). Such information, in the wrong hands, might provide the capability to:

- Identify, for replacement, browser filter blocks that are in place (127.0.0.1) in the HOSTS file,
- Flag the status of my anti-virus updates,
- Monitor security alerts that I have been made aware of via email,
- Selectively monitor spyware related links that I have gone to and am aware of (information that might contribute to the protection of my system).

Can anyone report similar happenings – especially the occurrences of files? I have not been able to find the same occurrences on any other machines for which I am responsible. How does one neutralize such suspect behaviours? Any suggestions?
 
Why are the contents of my HOSTS file being (selectively) probed and recorded in temp files – to what purpose? Who and what is behind this? Why, when such a file is deleted, will that exact same content often reappear for at least a number of successive occasions?

[4 instances]
127.0.0.1 adserv3-404-sjc2.radiate.com
127.0.0.1 adserv3-405-sjc2.radiate.com
127.0.0.1 adserv3-406-sjc2.radiate.com
127.0.0.1 adserv3-407-sjc2.radiate.com
127.0.0.1 adserv3-408-sjc2.radiate.com
127.0.0.1 adsoftware.com
127.0.0.1 aim.adsoftware.com
127.0.0.1 aim.aureate.com
127.0.0.1 aim1.adsoftware.com
127.0.0.1 aim1.aureate.com
127.0.0.1 aim2.adsoftware.com
127.0.0.1 aim2.aureate.com
127.0.0.1 aim3.adsoftware

[2 instances]
127.0.0.1 host192.247media.com
127.0.0.1 host193.247media.com
127.0.0.1 host194.247media.com
127.0.0.1 host195.247media.com
127.0.0.1 host196.247media.com
127.0.0.1 host197.247media.com
127.0.0.1 host198.247media.com
127.0.0.1 host199.247media.com
127.0.0.1 host20.247media.com
127.0.0.1 host200.247media.com
127.0.0.1 host201.247media.com
127.0.0.1 host202.247media.com
127.0.0.1 host203.247media.com
 
content examples (*** = number of times observed):



[DEFAULT]*********
BASEURL=http://www.webattack.com/get/scriptsentry.shtml

[InternetShortcut]
URL=http://www.webattack.com/get/scriptsentry.shtml
Modified=403294D1C21CC4017A
IconFile=IconIndex=1



[DEFAULT]**********
BASEURL=http://aroundcny.com/technofile/texts/bit092502.html

[InternetShortcut]
URL=http://aroundcny.com/technofile/texts/bit092502.html
Modified=203C7D8CC11CC40107
IconFile=IconIndex=1



[DEFAULT]********
BASEURL=http://www.google.ca/search?q=favicon+spyware&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search&meta=

[InternetShortcut]
URL=http://www.google.ca/search?q=favicon+spyware&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search&meta=
Modified=E0645D51EA1FC401C0
IconFile=IconIndex=1
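The three kinds of content quoted in this thread (HOSTS excerpts in ~df*.tmp, InternetShortcut records in www*.tmp, mail headers in sofe*.tmp) are easy to tell apart mechanically, which is the first step before asking which process writes them. The script below is an added example, not part of the original posts or any tool named in them. Its samples are constructed from the excerpts above (the IconFile/IconIndex pair is written as two lines, as a .url file stores them); the folder walker assumes a readable directory path. The decoding of the Modified field as a little-endian FILETIME in its first 8 bytes is this example's own reading of the format, supported by the fact that the quoted value lands in April 2004; the ninth byte is left undecoded.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed samples, modelled on the excerpts quoted in this thread.
URL_SAMPLE = """[DEFAULT]
BASEURL=http://www.webattack.com/get/scriptsentry.shtml

[InternetShortcut]
URL=http://www.webattack.com/get/scriptsentry.shtml
Modified=403294D1C21CC4017A
IconFile=
IconIndex=1
"""
HOSTS_SAMPLE = """127.0.0.1 adserv3-404-sjc2.radiate.com
127.0.0.1 adsoftware.com
127.0.0.1 aim.aureate.com
127.0.0.1 host192.247media.com
"""
MAIL_SAMPLE = """Received: from smtp2.zd-swx.com ([204.92.158.15])
        by simmts3-srv.bellnexxia.net
From: Inside PC Magazine Online <PCM_Insider@eletters.pcmag.com>
To: xxx@xxx.ca
Subject: New IE Hole Could Leave You Vulnerable
Message-Id: 20040416141103.383BA7145C111@smtp2.zd-swx.com
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_url_shortcut(text):
    """Parse the INI-style InternetShortcut (.url) content seen in www*.tmp.

    Returns {'url', 'modified'} or None if there is no [InternetShortcut] URL=.
    'Modified' is 18 hex digits (9 bytes); the first 8 are read here as a
    little-endian FILETIME (assumption: the quoted value decodes to April 2004).
    The ninth byte is left undecoded.
    """
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif '=' in line and section == 'internetshortcut':
            key, value = line.split('=', 1)
            fields[key.strip().lower()] = value.strip()
    if 'url' not in fields:
        return None
    modified, stamp = None, fields.get('modified', '')
    if re.fullmatch(r'[0-9A-Fa-f]{18}', stamp):
        ft = struct.unpack('<Q', bytes.fromhex(stamp)[:8])[0]
        modified = filetime_to_datetime(ft)
    return {'url': fields['url'], 'modified': modified}


HOSTS_LINE = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([^\s#]+)')
MAIL_HEADER = re.compile(r'^(Received|From|To|Subject|Date|Message-Id|MIME-Version):',
                         re.IGNORECASE | re.MULTILINE)


def parse_hosts_lines(text):
    """(ip, hostname) for every line shaped like a HOSTS entry."""
    return [m.groups() for m in map(HOSTS_LINE.match, text.splitlines()) if m]


def classify_content(text):
    """Label text as 'url-shortcut', 'hosts-excerpt', 'mail-headers' or 'other'."""
    if parse_url_shortcut(text):
        return 'url-shortcut'
    nonblank = [l for l in text.splitlines() if l.strip()]
    hosts = parse_hosts_lines(text)
    if hosts and 2 * len(hosts) >= len(nonblank):      # mostly HOSTS-shaped lines
        return 'hosts-excerpt'
    if len(MAIL_HEADER.findall(text)) >= 3:
        return 'mail-headers'
    return 'other'


def decode_bytes(data):
    """Files that 'look like hex' in an editor are often UTF-16; else treat as UTF-8."""
    if data.count(b'\x00') > len(data) // 4:
        try:
            return data.decode('utf-16')
        except UnicodeDecodeError:
            pass
    return data.decode('utf-8', errors='replace')


def triage_directory(directory, pattern='*.tmp'):
    """Map each matching file name in `directory` to its content label."""
    return {p.name: classify_content(decode_bytes(p.read_bytes()))
            for p in sorted(Path(directory).glob(pattern)) if p.is_file()}
```

Run `triage_directory(r'C:\Documents and Settings\<user>\Local Settings\Temp')` (or whatever %TEMP% points at) to get a name-to-label map, and `parse_url_shortcut()` on any www*.tmp to recover the URL and the time the shortcut record was written, which is the timestamp to line up against browser history and the favicon replacements described above.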
 
One further example of weird TEMP FOLDER content behavior:



Pattern: sofe*.tmp

[2 instances of the same content both at the same time – redundancy is normally an indication of importance. Why might such duplication be so important in a temp file?]

Received: from smtp2.zd-swx.com ([204.92.158.15])
by simmts3-srv.bellnexxia.net
(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
id <20040416143951.TKJA6896.simmts3-srv.bellnexxia.net@smtp2.zd-swx.com>
for <xxx@xxx.ca>; Fri, 16 Apr 2004 10:39:51 -0400
Received: from smtp2.zd-swx.com (unknown [127.0.0.1])
by smtp2.zd-swx.com (Postfix) with ESMTP id 383BA7145C111
for <xxx@xxx.ca>; Fri, 16 Apr 2004 10:11:03 -0400 (EDT)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_10821246633808550"
MIME-Version: 1.0
X-Mailer: MIME::Lite 2.117 (F2.6)
Date: Fri, 16 Apr 2004 14:11:03 UT
To: xxx@xxx.ca
From: Inside PC Magazine Online <PCM_Insider@eletters.pcmag.com>
Reply-To: PCM_Insider@eletters.pcmag.com
Subject: Mini Digital Camcorders Arrive; New IE Hole Could Leave You Vulnerable; DVD Video on A Cell Phone?; Time to Get Some Basic Mail Etiquette; Know Who is Doing What Online
X-Campid: cid=81-uid=9556A122-C81E-4A65-BC64-2B3C42E1F31E-mid=667-pid=1--
X-Eid: xxx@xxx.ca
Message-Id: 20040416141103.383BA7145C111@smtp2.zd-swx.com


I hope that the preceding examples show the kind of weird content that can appear in your TEMP FOLDER. Vigilance over the nature of such content certainly seems to be in order here.
 
(vop) Why are the contents of my HOSTS file being (selectively) probed and recorded in temp files

Radiate, Adsoft, and Aureate are spyware hosts. Most likely they are looking for places you visit that are in your hosts file. They may be looking for more places to spy on, or for common places you visit so they can send you ads. Some of these also modify your hosts file to force you to their sites. It wouldn't surprise me that one of them is altering your hosts file, then another sees it has changed and alters it again, then another does the same, and on and on and on.

I'm not familiar with 247media but it may do the same. Have you run Ad-aware and Spybot?

James P. Cottingham

There's no place like 127.0.0.1.
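The reply above says some of this software alters the HOSTS file itself. The only way to know is to keep a baseline copy and diff the live file against it. The snippet below is an added example, not from the thread or from any of the tools mentioned in it. Both HOSTS texts are constructed: the baseline reuses names quoted earlier, and the "current" copy plants three hypothetical changes, using the documentation address 192.0.2.10 and the reserved name www.example.com as placeholders. The Windows path in the last function's docstring is the standard location of the file.

```python
import hashlib

# Constructed HOSTS texts (not real files from the thread).
BASELINE = """# ad/spyware blocks (constructed)
127.0.0.1 localhost
127.0.0.1 adserv3-404-sjc2.radiate.com
127.0.0.1 adsoftware.com aim.adsoftware.com
127.0.0.1 aim.aureate.com
127.0.0.1 host192.247media.com
"""
CURRENT = """# same file after hypothetical tampering (constructed)
127.0.0.1 localhost
127.0.0.1 adserv3-404-sjc2.radiate.com
192.0.2.10 adsoftware.com
127.0.0.1 aim.adsoftware.com
127.0.0.1 host192.247media.com
192.0.2.10 www.example.com
"""


def parse_hosts(text):
    """{hostname: ip}; comments and blank lines skipped, several names per line
    allowed, and only the first mapping of a name kept (first match wins)."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def fingerprint(text):
    """Whole-file hash: the cheapest 'has anything changed at all' check."""
    return hashlib.sha256(text.encode('utf-8')).hexdigest()


def diff_hosts(baseline_text, current_text, sink='127.0.0.1'):
    """Compare two HOSTS texts and single out the changes that matter here:
    blocks that no longer sink to loopback, and new names sent elsewhere."""
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    added = {h: cur[h] for h in cur if h not in base}
    removed = {h: base[h] for h in base if h not in cur}
    retargeted = {h: (base[h], cur[h]) for h in base if h in cur and base[h] != cur[h]}
    # A block is gone if its entry was deleted or now points away from the sink.
    unblocked = sorted({h for h, ip in removed.items() if ip == sink} |
                       {h for h, (old, _new) in retargeted.items() if old == sink})
    # A new name mapped to anything but the sink is a candidate redirection.
    redirected = {h: ip for h, ip in added.items() if ip != sink}
    return {'changed': fingerprint(baseline_text) != fingerprint(current_text),
            'added': added, 'removed': removed, 'retargeted': retargeted,
            'unblocked': unblocked, 'redirected': redirected}


def check_hosts_file(path, baseline_text):
    """Read the live file (on Windows: C:\\Windows\\System32\\drivers\\etc\\hosts)
    and diff it against a saved baseline copy."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return diff_hosts(baseline_text, fh.read())
```

Save the baseline right after you have cleaned and verified the file, and run `check_hosts_file()` on a schedule or after each suspect event; a non-empty `unblocked` or `redirected` result is the signal that something rewrote the file, and the timestamp of that run bounds when it happened.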
 
2ffat:

I use SpyBlocker. Nothing can be added or removed from the HOSTS file unless it is disabled. The HOSTS file can also be locked by SpyBOT S&D. I also run all the standard sanitization tools when it comes to spyware detection and prevention. I am and have been seemingly spyware free for the most part. The only content in my HOSTS file are blocked url entries - all attempts at access to those urls goes to 127.0.0.1 (i.e. nowhere via loopback process).

I am not concerned about any specific list that ends up in a TEMP file. I am sure I have seen over 50 unique lists over the last few weeks - always small snippets of information. I/we should be concerned by the fact that they are or could be generated in the first place. If the causal agent can be determined, it should be removed as would be the case under any spyware detection and removal tool.

These snapshots are being gathered for a purpose. If that purpose is to get aggregate statistics, this may assist them in knowing when to add new urls (some urls have hundreds of blocked domain variations in my HOSTS file). Or such snooping may be to find unblocked urls from the hundreds that they have at their disposal (for redirection/ substitution purposes).

Spyware is a very lucrative and dirty business. Look at the recent DDOS attacks at SpywareInfo and other spyware help sites. They have been having a horrible time defending themselves against the impacts of such attacks (operationally and financially in bandwidth consequences). These terrorists will do everything to protect their (pay-per-click/view financial) interests. When they fight back - we need to fight back by removing any and all possible source of intelligence and access points that they are seeking.
 
The latest version of Black Ice also does a good job keeping spyware out. But it often asks you to okay any program you want to run.



 
Update:

The duplicate SOF*.TMP entries appear to be a legitimate process associated with email (OUTLOOK). They are a pair of open session files that remain on disk until the email client is closed. It appears to be the scratchpad area for incoming emails. If ten (10) emails come in, only the contents of the last email received can be found in those 2 files.

I have been able to significantly reduce the extent of 'questionable' temp file content appearing in *.TMP files. Starting from a clean slate for *.TMP files and for all (non-spyware flagged) cookies, I have kept a File>Find>*.TMP window open to monitor what TEMP files are being added, and examine the content or nature of each and every new entry.

It is not enough to find such content after the fact and to delete it. It is important to link cause and effect to thereby prevent, in the first place, such invasive trackable content where possible.

Furthermore, I did stumble across a very troubling situation in Internet Explorer - Internet Options>Content>Publishers. There I found and removed a Trusted Publisher entry for ‘Worldwinner.com’. Software that has been published by a publisher in this list can be installed (updated?) without your explicit approval. That sounded very dangerous to me (also being the only such entry). What else might they be doing besides gaming apps - spyware perhaps?

See the following link for more information:
Unfortunately, I did not separate the cookie removal step from the above step to be able to know exactly why things have seemingly improved dramatically.
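The procedure in the update (baseline the TEMP folder, then watch what gets added and link each new file to its cause) can be scripted, and a script also catches the pattern from the first post of a file that is deleted and comes back with identical content. The monitor below is an added example, not from the thread; it hashes file contents so a recreated file is recognised even under a new name. The demo run is constructed in a throw-away folder with made-up file names.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(directory, pattern='*.tmp'):
    """{file name: sha256 of content} for every file matching pattern."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(directory).glob(pattern) if p.is_file()}


class TempMonitor:
    """Baseline a folder, then report per poll what was added, what was removed,
    and which new files carry content this monitor has already seen before
    (a deleted file coming back unchanged, or the same content under a second name)."""

    def __init__(self, directory, pattern='*.tmp'):
        self.directory, self.pattern = directory, pattern
        self.current = snapshot(directory, pattern)
        self.first_seen = {}            # content hash -> name it first appeared under
        for name, digest in sorted(self.current.items()):
            self.first_seen.setdefault(digest, name)

    def poll(self):
        latest = snapshot(self.directory, self.pattern)
        added = {n: d for n, d in latest.items() if self.current.get(n) != d}   # new or rewritten
        removed = sorted(n for n in self.current if n not in latest)
        recurring = {n: self.first_seen[d] for n, d in added.items() if d in self.first_seen}
        for name, digest in sorted(added.items()):
            self.first_seen.setdefault(digest, name)
        self.current = latest
        return {'added': sorted(added), 'removed': removed, 'recurring': recurring}


def demo():
    """Constructed run in a throw-away folder, replaying the pattern from the thread."""
    folder = Path(tempfile.mkdtemp(prefix='tmpwatch-'))
    hosts_excerpt = '127.0.0.1 aim.aureate.com\n'
    (folder / '~df1.tmp').write_text(hosts_excerpt)
    monitor = TempMonitor(folder)                       # baseline: ~df1.tmp present
    (folder / '~df1.tmp').unlink()                      # user deletes it
    after_delete = monitor.poll()
    (folder / '~df1.tmp').write_text(hosts_excerpt)     # it comes back, byte for byte
    after_recreate = monitor.poll()
    (folder / '~df2.tmp').write_text(hosts_excerpt)     # same content, second name
    (folder / 'www1.tmp').write_text('[InternetShortcut]\nURL=http://www.example.com/\n')
    after_more = monitor.poll()
    return after_delete, after_recreate, after_more
```

Point `TempMonitor` at %TEMP% and call `poll()` on a timer; a file reported in `recurring` right after you deleted it is the "reappears after deletion" case, and that is the moment to open Sysinternals Process Explorer (Find > Find Handle or DLL) with the file name, which names the process holding it and answers the "who or what is behind this" question the script alone cannot.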
 