Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protections against Recent Malware Threats (2-Mar-08)

Subscribe

Check Point Reference: CPAI-2008-033
Date Published:
Severity:
Source: http://www.spywareremove.com/removeHDTBar.html
http://www.fbmsoftware.com/spyware-net/application/Dealio_Toolbar/
http://www.spywareremove.com/removeEZTracks.html
http://www.spywareguide.com/product_show.php?id=3367
http://www.spywareremove.com/removeBaiduBar.html
http://www.emsisoft.com/en/malware/?Adware.Win32.Softomate.ag
http://research.sunbelt-software.com/threatdisplay.aspx?name=PeoplePal%20Toolbar&threatid=48411
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
  • NGX R65
InterSpect
  • NGX
Connectra
  • NGX R62
  • NGX R61
Who is Vulnerable?
Microsoft Windows clients
Vulnerability Description
Malware is a software designed to infiltrate or damage a computer system without the owner's informed consent. It is a general name for a variety of forms of hostile, intrusive, or annoying programs like Viruses, worms, Adware, Trojans, and spyware that exploit unprotected clients, using network access to intrude upon organizations, destroying or stealing data.

Spyware is computer software that is installed without the user's informed consent on a personal computer to intercept or take partial control over the user's interaction with the computer. Spyware programs can collect various types of personal information, install additional software, redirect Web browser activity, or divert advertising revenue to a third party.

Adware is an advertising-supported software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used.

A Trojan horse is a program that installs malicious software while under the guise of doing something else.  Trojans are known for installing backdoor programs which allow unauthorized non permissible remote access to the victim's machine by unwanted parties with malicious intentions.
Vulnerability Details
The update includes new protections against 7 recent malware threats:

Spyware: HDTBar - HDTBar is an adware spyware that installs an Internet Explorer toolbar and shows commercial advertisements. It can also change browser's settings and may download arbitrary files from the Internet. HDTBar can silently install itself into the computer while visiting some insecure web sites.

Toolbar: Dealio - Dealio toolbar is a free shopping comparison utility bar for the web browser that provides search results for paid advertisers. It hijacks the error page.

Toolbar: Ez-Tracks - Ez-Tracks is an adware Internet Explorer toolbar that changes the browser settings. It redirects searches to a different server, tracks user's activities and delivers annoying and unwanted advertisements.

Toolbar: Deepdo - Deepdo toolbar is a Chinese based toolbar for the web browser that provides search results for paid advertisers. It hijacks the error page and displays ads.

Toolbar: Baidu - Baidu Toolbar is an adware toolbar affiliated with a Chinese search engine. It redirects search engine results and monitors user's search queries and browsing. It builds a marketing profile, based on the user's browsing habits.

Toolbar: Sofa - Sofa Toolbar, also known as Chinese Softomate is a third party utility bar for the web browser. It redirects searches to its own server and adds other advertising icons to the browser.

Toolbar: PeoplePal - People Pal Toolbar is an adware program that displays pop-up ads based on the surfing behavior of the user.

Protection Overview
The update enables the Header Rejection protection and the HTTP Worm Catcher to detect and block the malware based on pre-defined header names and worm signatures.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > Header Rejection.
2. In the Header Rejection configuration pane, under Header Rejection Settings > Mode, check Active.
3. Enable the following protections:

Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

4. In the SmartDefense tab, click Web Intelligence > Malicious Code > General HTTP Worm Catcher.
5. In the General HTTP Worm Catcher configuration pane, under Settings > Mode, check Active.
6. Enable the following protections:

Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information:
Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

Attack Name: HTTP Worm Catcher
Attack Information:
Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Protocol Inspection > Header Rejection.
2. Enable the following protections:

Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

3. In the Web Intelligence tree , click Malicious Code > General HTTP Worm Catcher.
4. Enable the following protections:

Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

5. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information:
Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

Attack Name: HTTP Worm Catcher
Attack Information:
Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection and enable Peer to Peer.
2. Enable the following protections:

Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

3. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
4. Enable the following protections:

Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

5. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information:
Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

Attack Name: HTTP Worm Catcher
Attack Information:
Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

VPN-1 VSX NGX R65

How Can I Protect My Network?

1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > Header Rejection.
2. In the Header Rejection configuration pane, under Header Rejection Settings > Mode, check Active.
3. Enable the following protections:

Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

4. In the SmartDefense tab, click Web Intelligence > Malicious Code > General HTTP Worm Catcher.
5. In the General HTTP Worm Catcher configuration pane, under Settings > Mode, check Active.
6. Enable the following protections:

Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

7. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information:
Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

Attack Name: HTTP Worm Catcher
Attack Information:
Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

VPN-1 VSX NGX

How Can I Protect My Network?

1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection and enable Peer to Peer.
2. Enable the following protections:

Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

3. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
4. Enable the following protections:

Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

5. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information:
Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

Attack Name: HTTP Worm Catcher
Attack Information:
Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Protocol Inspection > Header Rejection.
3. Enable the following protections:

Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

4. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
5. Enable the following protections:

Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

6. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information:
Toolbar: Dealio
Toolbar: Ez-Tracks
Toolbar: Deepdo
Toolbar: Baidu
Toolbar: PeoplePal

Attack Name: HTTP Worm Catcher
Attack Information:
Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the navigation tree, click Security > Web Intelligence. In the Malicious Code Protection pane click General HTTP Worm Catcher.
2. Under Worm Patterns, enable the following protections:

Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
 Upon attack, the following entries will be logged:

Attack Name: HTTP Worm Catcher
Attack Information:
Spyware: HDTBar
Toolbar: Sofa 1
Toolbar: Sofa 2