malware bypasses zonealarm

Discussion in 'Security and Privacy' started by mr.mark, 2003/03/27.

Thread Status:
Not open for further replies.
  1. 2003/03/27
    mr.mark

    mr.mark Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    491
    Likes Received:
    0
    from Patrick Kolla on the Spybot site ...

    "Normally I don't spend time writing a news article for detection updates, but this time I want to notify you about an addition. ClientMan is a new Malware target; first reported as suspicious, it became clear soon that it will pass the ZoneAlarm firewall without user consent. When it tries to connect to the Internet, and ZoneAlarm displays its dialog whether the program should be allowed to connect or not, ClientMan will auto-click the 'Yes' button after checking the 'Always' checkbox. This way, it grants itself Internet Access without the user even noticing more than a short flash of the ZA dialog."

    new Spybot detections are available today.

    :)

    mark
     
  2. 2003/03/27
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    mr.mark--I presume you are saying that Clientman gets in attached to some other file/software and then ZoneAlarm can not stop it from dialing out. Do you know if the latest updates to SpywareBlaster can stop it getting in or whether Spybot and/or Ad-Aware can detect it when a scan is run?
     

  4. 2003/03/27
    mr.mark

    mr.mark Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    491
    Likes Received:
    0
    small point of clarification here... the above words belong to patrick kolla, the Spybot author. he is the one i quoted.

    but yes, that appears to be what patrick is saying.

    i haven't determined if spywareblaster or ad-aware list clientman in their database, but yes, spybot detects it. spybot is the one bringing it to everyone's attention. <g>

    also read on grc.com that this is only impacting the free version of za, in that za pro and plus have password protected access rights. that alone, imo, given this recently disclosed malware exploit, seems like a good enough reason to spring for the dough to go from zaf to zap.

    :)

    mark
     
  5. 2003/03/27
    mr.mark

    mr.mark Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    491
    Likes Received:
    0
    i just found clientman in the latest spywareblaster database
     
  6. 2003/03/27
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    mr.mark--Thanks for your further info.
    "also read on grc.com that this is only impacting the free version of za, in that za pro and plus have password protected access rights"
    Now that's a little scary depending how cynical one is. Seems like ZAP benefits from this new threat.
    Wonder how Agnitum's Outpost handles "password protection".
    I meant to ask another question. Any idea how one gets Clientman? (With what program it piggybacks?)
     
  7. 2003/03/27
    mr.mark

    mr.mark Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    491
    Likes Received:
    0
    you're welcome, jim. <g>
    i know exactly what you mean, the thought crossed my mind too. and who really knows? certainly not you or me! <g> but i choose to take a less cynical approach... for example, would it be correct to conclude that security alarm companies are the ones committing burglaries merely because they benefit from them?

    i doubt that firewall vendors create exploits to sell product, but i admit that a degree of good faith is involved in formulating that opinion.

    i don't know, i haven't researched it, jim. Spybot calls it ClientMan (aka iPend), so maybe that will give you a leg up on further identifying what this spyware does or how it arrives. sorry i can't be of further help, but i'd love to hear more if anyone does know.

    :)

    mark
     
  8. 2003/03/28
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    mr.mark--I guess I was a little hard on ZoneAlarm :D
    And now that I read Patrick Kolla's paragraph on Clientman, I see he says Agnitum's Outlook does not seem similarly affected.
    I ran searches on Clientman and iPend on both Google and AlltheWeb and came up with nothing too suspicious.
    MSN Companion involves a file called Clientman
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q274256
    but Uncle Bill would not do spyware, would he??
    :rolleyes:
     