Nine Ball

Discussion in 'The Lounge' started by KathyM, Jun 20, 2009.

  1. KathyM

    KathyM Master Sergeant

  2. joey off the street

    joey off the street Lounge Lizard No.1

    Yeah, where you been? You got a proper life or something? :-D

    Re: ZoneAlarm. Hmmmm, the threat could be real, but do you suppose this is a ploy by ZoneAlarm to panic folk into buying the upgraded version of their security system?
    Is there any way to defend against this malware without upgrading? Will our free anti malware programmes protect us against Nine Ball? I hope so, cos it's all I've got. :confused
     
  3. Eezak

    Eezak Staff Sergeant

    I've just received an email from ZoneAlarm about "Nine Ball" malware (I use the ZA free firewall). The ZA email includes this statement:

    "If you are running ZoneAlarm Free Firewall or ZoneAlarm Pro as your exclusive PC security software, you are at risk."

    No doubt this will panic some people into buying one of the ZA security suites, but if read carefully it appears to me that what the statement above means is "If you only have the ZoneAlarm Free Firewall or ZoneAlarm Pro (which does not include anti-virus protection) and do not also have a good real time anti-virus program running on your computer, you are at risk."

    Of course, this doesn't mean that all real time anti-virus programs will necessarily provide protection against "Nine Ball" as no anti-virus will prevent all infections or be able to clean all of them that it can detect as already present. So probably the best thing to do, assuming you have good anti-virus software already, would be to check at the respective AV's website to see if there is a clear indication that your AV can detect and prevent infection by "Nine Ball" or at least detect and remove it if your computer is already infected.

    On the ZA web link posted by the OP there is this statement near the bottom of the page:

    "NOTE: ZoneAlarm Pro and ZoneAlarm Free Firewall customers are not protected. These products do not include anti-virus or ForceField's browser security."

    I think the meaning is the same as the quote from the email I received. It would have been clearer though if the statement read "...are not protected by these ZoneAlarm products."

    It would be even better if it then included a sentence saying something like "If you do not have a good real time anti-virus program that is capable of detecting and preventing 'Nine Ball' from infecting your system your computer is at risk from this malware."

    I'm going to check out my (free) AV software (AVG 8.5) re: Nine Ball protection and see what I can find out and will post back later.

    Others who are concerned about this threat, which is apparently genuine, might want to do the same for their AV. If you don't have any real time AV protection you probably are at risk.
     
    Last edited: Jun 20, 2009
  4. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    My Avira, that I'm used to seeing on top of things like these, doesn't mention Nine Ball at all... which makes me think that this is just another one of those "buy our antivirus before teh EVUL ONES eat you!" marketing emails that ZoneAlarm used to send me so often that they eventually drove me to uninstall their firewall just to get rid of the emails.

    I find this type of scare tactic just to increase their own sales a bit... despicable, I think is the best word. I don't for a moment doubt that Nine Ball is a legitimate threat/virus, but I also don't think that anyone who has adequate protection on their PC already needs to be afraid of it.
     
  5. Eezak

    Eezak Staff Sergeant

    Not sure what constitutes adequate protection in this particular case. I did a search in the virus library at AVG's website and got no hits for "nine ball" (or "nine ball trojan") nor when using a generic description. I did a web search and what I read wasn't reassuring as this particular trojan (as well as several recent similar ones) apparently is not easily detected. But, as is often the case, the exploit depends on finding some unpatched vulnerabilities, some known as far back as 2006 and others newer -- but patches are available for all of them.

    This particular trojan has managed to infect 40,000 legit websites (though not, apparently, sites associated with major products/companies) with software which, when visited, then redirects (in the background) the visitor to multiple sites before they end up at the "home" malware site where they are actually infected with a trojan horse that has the potential to log keystrokes and/or commandeer the infected computer as a "spam" zombie. You can read a description of how "Nine ball" works on these two links below:

    http://www.pcadvisor.co.uk/news/index.cfm?newsid=117561&

    http://www.securecomputing.net.au/N...injection-attack-compromises-40000-sites.aspx

    As for ZoneAlarm's warning, I agree with you Mimsy. As I stated in my previous post in this thread, their description/warning of this problem seems to suggest that unless you have their software you are not protected. No mention of patching the vulnerable programs as protection nor that other anti-virus/anti-malware programs may provide protection.

    I've already done a full scan of my system with AVG (came up clean) and am going to run another scan with my Spyware Dr to see if I find anything related to "Nine ball".

    Has anyone been able to clearly establish that their particular anti-virus or anti-spyware program (whether free or paid for) can detect and prevent or detect after infection and remove "Nine ball"?

    Also, should this discussion be moved to the software or malware forum?
     
  6. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I did make an effort to find information about this particular malware via Google, and most of what I found indicated that in order for any real damage to be done, the file has to be manually installed, i.e. a "plug-in" for Twitter, Facebook, or similar social network site has to be downloaded and manually installed by double-clicking on the file.

    If that is true, I have nothing to worry about. I never install anything a website tells me to install, and I am of the firm belief that no one else should either. :)
     
  7. jerandichat

    jerandichat Private E-2

    Same problem here... malware problem. Someone help me with how to solve it. The Avast anti-virus can't open my blog site.

    ___________________
    9 Ball Challenge
     
  8. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    Here you go.
     
