July 2006 - Posts

"My neighbours are stealing my wireless internet access"
http://www.ex-parrot.com/~pete/upside-down-ternet.html

Ok, so why isn't he securing his network?  While he's having fun with flip and -blur, his neighbours could be using his account to download kiddy p**n.  Guess what, the authorities ain't gonna be breaking down his neighbours' door.

taking your first-born for his first driving lesson, especially in a big car

We went to a large shopping centre car park which, being a Sunday, was empty and away we went.  He didn't do too bad and we didn't hit anything apart from a few kerbs when going around corners.

I think it's great he wants to get a manual licence (which I think Americans call a stick shift?) instead of taking the easy way out and getting an automatic-only licence

Having seen this guy in action, and appreciated his insights and blog posts for a long time, I can say I'm gonna miss him.  I hope it all works out for him at amazon.com

http://blogs.technet.com/jesper_johansson/archive/2006/07/28/443888.aspx

Thanks Susan.. I have rolled out Acronis at home and at work and appreciate the heads up:
http://msmvps.com/blogs/bradley/archive/2006/07/27/106033.aspx

The company behind Kazaa has signed on the dotted line and will pay $115 million to music companies and some movie studios to finally settle the epic battle between it and the RIAA:

http://www.computerworld.com.au/index.php/id;779551434;fp;16;fpid;0

I'm not sure how much this will help Kazaa in Australia.  Kazaa's assets in Australia were frozen after the Federal Court ruled against it last September.

As part of the settlement Kazaa has agreed to use "all reasonable means" to discourage online piracy, including building into its software a "robust and secure" way to prevent computer users from finding and downloading copyrighted music and movies.   Get ready for the arguments about what is "reasonable".

I see rumour and innuendo and downright falsehoods muddying the waters around Internet Explorer 7.  It's as if some are trying to scare people away from the Web browser, which is sad.  IE7 is going to make a *big* difference to the safety and security of internet users.  How many recent exploits have affected IE7?

Am I an IE apologist?  I like to think I am not.  For years I have recommended Opera for its download manager, and I used to recommend Deepnet for its RSS integration and high security (before it screwed up my file type association settings one too many times).  I've even referred users to Kopassa for its fun thumbnail views and specialised research slant.

If we are going to put users first, we have to be balanced... that means no more "MS is the evil empire".. no more "be secure run Linux"... no more "be safe run Firefox" ... um, guys, if a user cannot stay safe on Windows there is no *way* he is going to be safe running Linux.  And as for Firefox... the bad guys are starting to focus on it now ... and if Firefox is going to truly be as safe or safer than IE, then Firefox is going to have to ramp up its patching protocols... IE has the advantage of being covered by Windows, Microsoft and Automatic Updates - if something real bad comes out there is always the option of an out of band update.  Firefox users, on the other hand, have to wait for a new build to be released.

Ok, end of that rant.  I am seeing some silly FUD and allegations about what will or will not happen when IE7 is released so here are some reality checks about what will happen when IE7 is installed:

  1. IE7 will *NOT* take over as default browser when installed.
  2. IE7 will *NOT* change your default search engine.
  3. IE7 will *NOT* change your home page (although it will display a runonce page to make it easy for users to enable the Phishing Filter, and check regional settings).
  4. If you do not use Automatic Update, Microsoft Update or Windows Update, you will not be offered IE7.
  5. IE7 will be offered as a "high priority" update, not a critical update.
  6. I acknowledge that making IE7 "high priority" means that users who automatically accept all options in that section will download IE7, but I truly believe that the security improvements warrant the status of high priority and anyway, even as a "high priority" update, the user would have to be pretty inattentive to install IE7 and not realise it.
  7. Even if you select "express install" in AU, WU or MU, which normally installs *all* updates that have been downloaded with no further user interaction required, IE7 will *STILL* not install unless and until the user accepts the installation outside of AU, MU or WU.
  8. An opening screen for the IE7 install will appear which will say something along the lines of  "An upgrade to Internet Explorer is ready to be installed".  The user will have three choices "Install", "Don't install" or "Ask me later" (note: the finalised text may change, but the intention - making sure that the user knows what is happening and has a choice, won't change).  It will be very very hard for anybody to install IE7 by accident.
  9. Some are saying that even *more* stop-gaps and intermediary screens are needed.  I say, get real guys!  If the user is not going to feel it when they're hit with a hammer, they're not going to feel being stroked with a feather.  To quote Fduch's comment in the IE blog... "You can "prevent this from being downloaded and installed" IF  1) You have eyes 2) You have brains 3) You can read 4) You can use computer.

    If a big blue screen is not enough to help people realise that they are about to install IE7, then typing "I agree" won't make any difference.  If they don't understand the blue screen, they're not going to understand what they are agreeing to.
  10. If the user chooses to install IE7, the installer will remove any previous builds of IE7 that have been installed.
  11. If your organisation uses WSUS or System Management Server 2003 you do not need to install the blocker.  The blocker is to stop IE7 being offered via Automatic Update, Windows Update and Microsoft Update.  The blocker will *NOT* expire.


As we know, the gang behind Firefox don't release security updates, they release entire new builds of their Web browser.

A new build has been released - 1.5.0.5 which addresses numerous vulnerabilities - 7 of which are classed as "critical":
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.5

You can download the new build here:
http://www.mozilla.com/firefox/

Microsoft will distribute Internet Explorer 7 as a high-priority update via Automatic Updates soon after the final version is released for Windows XP, planned for the fourth quarter of 2006. Sorry... when it comes to precise dates, those who know will not say, and those who say cannot know ;-)

Some important notes... firstly, although IE7 will be offered via Automatic Updates, Automatic Updates will first notify users when Internet Explorer 7 is ready to install and then show a welcome screen that presents key features and the choices to “Install”, “Don’t Install” or “Ask Me Later”. In short, you won't be forced to install it, it won't be a silent install, it won't be a hidden install.

Secondly, I will have another gem to share with you regarding the installation, but can't tell you what that is without permission.. suffice to say the team has been reading the IE groups, and has been taking on board what is being said, and has addressed a pretty important issue.... there are a lot of people who are going to be awfully pleased. 

Thirdly, Microsoft will provide a free Internet Explorer 7 Blocker Toolkit for enterprise customers who may want to block automatic delivery of Internet Explorer 7 in their organization. The Blocker Toolkit will *not* expire and will include a Group Policy template and an executable script. The Blocker Toolkit will be/is available from the Microsoft Download Center to provide ample lead time for deployment. Additional information for IT administrators will be/is at the Windows Update/Microsoft Update site on TechNet.

The installer will automatically remove any beta versions of IE7 that are already on the machine.

More info and screenshots are available on the IE blog:
http://blogs.msdn.com/ie/archive/2006/07/26/678149.aspx


Yep, that target on Firefox and Apple's backside is getting bigger by the day - pull up a seat and buckle in tight guys - the easy ride that comes from not being a primary target of the bad guys may be over soon...

Full report here:
http://www.viruslist.com/en/analysis?pubid=191968025

I think the final two paragraphs of the report say it quite well:

"In the past, most authors of malicious code were seeking a place in the headlines. Today, they are looking for financial gain. Apple’s small share of the global personal computer market has, until now, protected Macs from the unwanted attention of malware authors. However, as Apple systems become more popular, this will change; once critical mass is reached, more malware will undoubtedly start to appear. Even though malware like IM-Worm.OSX.Leap.a and Worm.OSX.Inqtana.A and exploits like Exploit.OSX.Safari.a and Exploit.OSX.Script-Ex were all proof of concept code, and had no obvious malicious payload, these proof of concept programs showed that Mac OS X does contain security flaws, and that these can be used to compromise the system.

Whether the proof of concept code covered in this article will be used for financial gain in the near future remains to be seen. History, however, shows that once vulnerabilities are identified, malware writers are never far behind."


Found at The Hive, an online forum of which IE-VISTA is a Featured Sponsor.

http://windowscoding.com/blogs/blake/archive/2006/07/25/Convert-your-firefox-favorites-and-feeds-into-IE7-with-_2200_Firefox-To-IE7_2200_.aspx

Still a work in progress, and worth keeping an eye on.  Unfortunately the only download on the site at time of writing is in RAR format, meaning you will need a special programme to access it.  RAR is not a format that is natively supported in Windows.

Edit (22.42 GMT+8): The file is now apparently available for download in Zip format

From Harry's blog
http://msmvps.com/blogs/harrywaldron/archive/2006/07/25/105724.aspx

"FormSpy (aka FireSpy) is a new spyware program designed to integrate into the Mozilla browser environment.  It is being spread by spam email spoofed to appear as a billing issue from Walwart.  It was launched on July 24th. The attachment contains a downloader malware agent that can install FormSpy as a Firefox plugin.  This new threat can be avoided easily by users avoiding spam email and attachments."

We knew that it (Firefox being directly targeted) would start happening sooner or later, and this attack is quite dangerous.

http://www.avertlabs.com/research/blog/?p=62
"Upon successful execution, FormSpy hooks mouse and keyboard events in the Mozilla Firefox web browser. It can then forwards [sic] information such as credit card numbers, passwords and URLs typed in the browser to a malicious website hosted at IP address 81.95.xx.xx

Typically, Mozilla Firefox components are installed via .xpi files where users are prompted to confirm the installation. FormSpy writes and modifies Mozilla configuration files directly which bypasses this confirmation process."
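The AvertLabs write-up says FormSpy edits Mozilla configuration files directly rather than going through the .xpi install prompt. One cheap defensive check for that class of tampering is a hash baseline of the profile directory, recorded after a known-good install and re-compared later: any file that changed when you did not install anything yourself deserves a look. The script below is an added example, not code from this blog or from AvertLabs; the profile layout, file names and pref names it creates are constructed for the demo, and a real profile would live under the user's Mozilla profile folder.

```python
"""Baseline-and-diff integrity check for a browser profile directory (added example)."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Build a constructed fake profile, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as profile:
        os.makedirs(os.path.join(profile, "chrome"))
        with open(os.path.join(profile, "prefs.js"), "w") as f:
            f.write('user_pref("browser.startup.homepage", "about:blank");\n')
        with open(os.path.join(profile, "chrome", "userChrome.css"), "w") as f:
            f.write("/* constructed sample */\n")
        baseline = hash_tree(profile)

        # Simulate what the post describes: config edited directly, no install prompt.
        # The pref name and the dropped file are constructed, not real FormSpy artefacts.
        with open(os.path.join(profile, "prefs.js"), "a") as f:
            f.write('user_pref("example.constructed.tampered", true);\n')
        with open(os.path.join(profile, "chrome", "overlay.js"), "w") as f:
            f.write("// constructed: unexpected new file\n")

        return diff_baseline(baseline, hash_tree(profile))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

In practice you would store the baseline (for example as JSON) right after installing or updating the browser, and run the comparison from a separate, privileged account so the same malware cannot rewrite the baseline along with the profile.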

Can anybody reproduce this?

Click on any pre-existing favorite to visit the site (note the address in the tooltip) - screenshot taken before site loaded:


The site has now loaded.

Now click on any link on that page that takes you to a different URL on that same site - I chose one to take me to information about Port 6000... but look what has happened to my favorite - the URL has changed!!! (check out the tooltip - the Favorites URL now matches the new page being viewed).  Yes, if I click on the Favorite now or check its properties, it confirms the Favorites URL really has been changed


I try another hyperlink on that page.. it happens again...


And again...

This is happening with every Favorite that I have tested so far - it is possible that my favorites folder or its contents have corrupted (despite this laptop having been reformatted only a couple of weeks ago), or that the favorites archive that I exported before reformatting, and later imported into this clean install, was corrupted somehow, and I'm still trying to work out how to reliably rule out that possibility.  I'll be interested in hearing if anybody can reproduce the problem.

Shortly after midnight a definition update was released (599) that flagged C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE as Troj_Generic.

The false positive was fixed by update 601 pushed out at 02:43am.

Thankfully, no damage was done (apart from Trend filling my inbox with 391 alarm-bell emails, and my Trend Console logs with close to 1500 virus alarms).  Trend was unable to delete WINVNC4.EXE - if the programme had succeeded in deleting the file I would have been real grumpy.

McAfee's Site Advisor has competition, strong competition, from LinkScanner, a new (free) offering by security startup Exploit Prevention Labs.  LinkScanner claims to be a real time exploit scanner, unlike McAfee's Site Advisor which it describes as "not immediate and not empirical".
cite: http://www.itnews.com.au/newsstory.aspx?CIaNID=35171

LinkScanner is the brainchild of Bob Bales, Greg Mosher, Chris Weltzien and Roger Thompson, three of whom have former ties with Pest Patrol, which was sold to Computer Associates in 2004.

LinkScanner will "visit the URL in a controlled environment on our servers. LinkScanner will inspect it in real-time for whether it is hiding any exploit code and, if so, what exploit."
cite: http://www.explabs.com/linkscanner/

Point one in LinkScanner's favour - it's not owned by McAfee

Point two in LinkScanner's favour - it seems to do the job

Point three in LinkScanner's favour - it scans in real time and can report on any accessible URL, unlike SiteAdvisor which does not offer 100% coverage.

The fact that LinkScanner is real time gives it a major advantage over SiteAdvisor (assuming that those behind LinkScanner stay up to date with the latest exploits in use, and add detection of same).

IMPORTANT: Please do not visit the malware sites mentioned below - www.ie-vista.com and inetexplorer.mvps.org are, of course, safe to visit.

SiteAdvisor and LinkScanner sometimes give conflicting advice.  For example, SiteAdvisor's report on errorsafe.com states:

To me this says that the site is only dangerous insofar as it "links" to winfixer.com.  It does not make me believe that it is a site that should be avoided completely.  LinkScanner, on the other hand, reported the existence of malicious code:

I then tested a known site that uses exploits to try and infect PCs with malware.  Site Advisor reported:


LinkScanner, on the other hand, reported:

Just to be sure, I also tested some known "friendly" sites


Regular readers will remember the various reports about Leo Shyster (oops Stoller), the guy who tried to claim ownership of the word "Castle".
http://msmvps.com/blogs/spywaresucks/archive/2006/06/28/103057.aspx

It seems the USPTO has finally run out of patience with Mr Stoller:
http://www.shapeblog.com/Order%207-14-06.pdf

Some choice quotes:

"... your filing of more than 1100 requests for extension of time to oppose within the few months preceding the date of the show cause order suggested a serious violation of your responsibilities as a party before the USPTO.

...the exhibits from your website do not demonstrate your offering for sale any goods or services, other than the “rental” of the marks themselves, nor do the website exhibits demonstrate the use of any of the asserted terms as trademarks. These excerpts from your website, rather than evidencing support of any purported claim for damage, reinforce the conclusion that you are holding up thousands of applications in an attempt to coerce applicants to license, i.e., “rent,” trademarks to which you have not demonstrated any proprietary right.

...Your filing of an extraordinary number of requests for extension of time to oppose, particularly in light of your past behavior before the TTAB and the courts, constitutes a violation of your responsibilities under Patent and Trademark Rule 10.18(b).

...it is determined that you have not made a showing that you have a colorable claim of damage justifying the extension requests filed during the period in question and have failed to establish good cause for filing such requests. It is determined, further, that you filed the extension requests for improper purposes, namely, to harass the applicants to pay you to avoid litigation or to license one of the marks in which you assert a baseless claim of rights.

...The approval of each request for extension of time to oppose that you have filed since November 2005 is hereby vacated.

...You are hereby prohibited for a period of TWO YEARS from the date of this order from filing, on your own behalf or as an officer, director, or partner of any entity you control, any request for extension of time to oppose under Trademark Rule 2.102. This two-year prohibition applies whether or not you are represented by an attorney.

...You are PERMANENTLY prohibited from appearing before the USPTO on your own behalf or as an officer, director, or partner of any entity you control for the purpose of filing any request to extend time to file a notice of opposition or any paper associated therewith. Any such future request must be filed by an attorney, who will be bound to act in accordance with USPTO Rule 10.18(b).

Finally, you requested “direction” in how to proceed before the TTAB. As a frequent party to proceedings before the TTAB during the past ten years, you have been informed repeatedly about how the TTAB expects proceedings to be conducted. In the past, you have often ignored the direction given you by the TTAB, in the form of information or reprimand, or have found a way to side step such direction with improper or bad faith conduct.

Consequently, the TTAB’s “direction” to you will remain the same that it has been for many years and the same as that given to other litigants representing themselves: engage an experienced trademark lawyer. Failing that, read and follow the applicable statute, rules, and cases and consult the TBMP for guidance."

Castlecops are, of course, pleased at the decision of the TTAB:
http://sunbeltblog.blogspot.com/2006/07/stoller-pwned.html

My only comment to Castlecops... don't gloat *too* much... it may come back to bite you and only increase Stoller's determination to fight for his "rights".

Leo, being the type of guy that seems to like sticking his hand in a hornet's nest, has appealed:
http://thettablog.blogspot.com/2006/07/ttab-sanctions-leo-stoller-vacates-all.html

FIX: A child window may open in the full width of the screen when you use the Window.Open method and you specify a window width that is larger than the width of the screen in Internet Explorer 6 SP1
http://support.microsoft.com/default.aspx?scid=kb;en-us;915113

Why don't people patch their machines??  Over one million visitors to various myspace.com pages have been infected via the WMF exploit that was patched back in JANUARY.

myspace_ad_served_adware_to_mo.html

This scares me.. Microsoft can only do so much to protect users from themselves.  The use of this exploit has been such an amazing success for the bad guys that you can bet it is going to continue to happen.  We can't depend on site owners to spot the bad guys when they try dirty tricks like this.

I see from the article that Webshots was also targeted.. another immensely popular Web site.

The days are gone when we could say that we don't have to worry about patching or antivirus protection because we only go to "safe" sites.  These past six months or so have seen Web sites hacked and used to infect visitors, exploits being pushed out via pop-up advertisements and embedded ads, and hardware driver updates being infected with viruses.

Basically, any site that shows advertisements, whether it be via pop-up advertisements (unless generated in-house) or embedded advertisements is a potential source of infection, so what do we do?

We can use a protective HOSTS file, such as that available at http://www.mvps.org/winhelp2002/hosts.htm, but the sites that serve up the bad stuff change from day to day.  This may not protect you from cutting edge stuff.
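The limitation described above is structural: a HOSTS file is an exact-match list, so a hostname that was not in the list when you downloaded it is not blocked. The following added example (not code from this blog or from the mvps.org project) parses the standard HOSTS format, reports whether a given hostname is sinkholed, and lists which of a set of ad-server names would slip through. The sample file and every hostname in it are constructed placeholders, not real ad or malware domains.

```python
"""Parse a HOSTS file and check which hostnames it actually blocks (added example)."""
import ipaddress

# Addresses commonly used by blocklist-style HOSTS files to sinkhole a name.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately map to loopback and must not be reported as "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample; the blocked names are placeholders under the reserved .test TLD.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
0.0.0.0 ads.example-blocked.test        # placeholder ad server
0.0.0.0 evil.example-blocked.test evil2.example-blocked.test
127.0.0.1   tracker.example-blocked.test  # older lists use 127.0.0.1
not-an-ip broken.example-blocked.test    # malformed line, should be ignored
"""


def parse_hosts(text):
    """Return {hostname (lowercase, no trailing dot): ip} for every name in the file."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])  # first field must be an IPv4/IPv6 literal
        except ValueError:
            continue  # malformed line: skip rather than fail the whole file
        for name in fields[1:]:
            table[name.lower().rstrip(".")] = fields[0]
    return table


def is_blocked(table, hostname):
    """True if this exact hostname is mapped to a sinkhole address.

    Matching is exact: blocking ads.example-blocked.test does nothing for
    cdn.ads.example-blocked.test, which is why a HOSTS list lags behind
    attackers who simply register or rotate to a new hostname.
    """
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return False
    return table.get(name) in SINKHOLES


def unblocked(table, hostnames):
    """Return the hostnames from the list that the HOSTS file would NOT block."""
    return [h for h in hostnames if not is_blocked(table, h)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    served_from = [
        "ads.example-blocked.test",
        "cdn.ads.example-blocked.test",   # subdomain: not covered
        "brandnew.example-blocked.test",  # appeared after the list was downloaded
    ]
    print("not blocked:", unblocked(hosts, served_from))
```

Running the same check against the real mvps.org file and the hostnames seen in your proxy or firewall logs shows how much of today's ad traffic the list you downloaded last week still covers.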

We can use antivirus and antispyware, but such products are simply not detecting everything that is out there:
http://msmvps.com/blogs/spywaresucks/archive/2006/07/20/105331.aspx

It is imperative that computers are patched as quickly as possible after a security update is released.  The time between an exploit becoming public, and it being used by the bad guys, is getting shorter and shorter.

Update to Internet Explorer 7 to reduce the attack surface available to the bad guys.

Another protective step is to block all advertisements.  My firewall, for example, has an "HTML ad string blocking" option.  If you don't see the banner ads, they can't infect you.

Use a pop-up blocker for the same reason.

To give you an idea of how widespread this problem is becoming, remembering that I hear about only a tiny portion of the attacks that are happening out there, here are some historical entries warning of various compromised sites and downloads...

Circuitcity:
http://msmvps.com/blogs/spywaresucks/archive/2006/06/02/98941.aspx

spreadfirefox:
http://msmvps.com/blogs/spywaresucks/archive/2005/07/24/59438.aspx

Capital City Bank, Wakulla Bank and Premier Bank
http://msmvps.com/blogs/spywaresucks/archive/2006/03/30/88498.aspx

Myspace again:
http://msmvps.com/blogs/spywaresucks/archive/2006/07/18/105039.aspx

Msblog:
http://www.msblog.org/?p=921

Debian:
http://msmvps.com/blogs/spywaresucks/archive/2006/07/13/104655.aspx

Messenger Plus! sponsor advertising sponsors serving malware:
http://msmvps.com/blogs/spywaresucks/archive/2006/06/30/103407.aspx

HP files infected with virus:
http://msmvps.com/blogs/spywaresucks/archive/2006/06/02/98682.aspx

Consider the following scenario. You use Microsoft Internet Explorer 6 to visit a Web site that contains a link to a document. You click the link to the document, and then click Open to open the document.

For example, you connect to a Microsoft Windows SharePoint Services Web site, and then you click a link to open a document that is located in a document library.
The document opens as expected. Then, you click Back in Internet Explorer. When you click the link to the document again, you receive the following error message:

The page cannot be displayed.

You cannot open the document again.
http://support.microsoft.com/default.aspx?scid=kb;en-us;918692

Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows Server 2003 Service Pack 1 (SP1) add a new feature to Microsoft Internet Explorer 6: the information bar. The information bar is a gold bar that appears just under the address bar. The information bar provides information about downloads, blocked pop-up windows, potential security risks, and other activities. The information bar feature includes the ActiveX control auto-blocking feature. This feature uses the information bar to ask you whether you want to install an ActiveX control. Under certain conditions, an ActiveX control may be downloaded two times when you visit a Web page that includes the control.
http://support.microsoft.com/default.aspx?scid=kb;en-us;922659

Ok, so tell me something I *don't* know:
http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm

The time is long past that I have depended on any antivirus or antispyware product to clean a system properly, or detect all malware files.  Instead I depend on products such as Process Explorer, GMER, Killbox, various rootkit analysers, packet sniffers and anything else that helps me analyse a system and search for, then analyse, then kill, aberrant processes and files.

At best, antivirus and antimalware products will reduce the signal to noise ratio by getting rid of the high profile, obvious, easy to remove stuff.  They may get rid of the files and services with big "shoot me" targets on their backsides, but the real important stuff is too often missed.  I have blogged several times about my work cleaning up malware infested PCs and servers and how the commercial products simply didn't pick up everything that is installed, even missing the primary re-infector.. the file/files that are instrumental to reinfection of a system. 

It doesn't do any damn good to get rid of the files with "shoot me" painted on their butts if the primary re-infector is left untouched.  I have seen HijackThis logs with *dozens* of entries pointing to randomly named malware files... each new entry being evidence of a failed attempt to remove malware by an antivirus or anti spyware application.  Is it any surprise that I have lost faith in commercial products as a whole?

A respected associate of mine pointed out that if the AV and antispyware companies are not called in to deal with the "weird and wonderful" infections that cross my desk every week, then those companies will not have the opportunity to improve their product and add detections.  That is fair enough, but here is the problem.  *Their* reach is far greater than mine.  They should be seeing this stuff before I do.  If a misconfigured terminal server is hit, and that terminal server is the only one a company has, then I don't have the freedom, or the time, to make a phone call and wait for <fill in name of antivirus company> to get back to me.  And anyway, even if they add detection for *that* malware, within a week something else will hit that is also not detected properly, and so it goes on and on and on and on and on.

So what do we do? Depending on software to protect our computers is not working.  Cure-all software isn't doing the job.  In the end, prevention is the only cure. 

Do you surf the Web using an administrator account?  That is bad.

Do you download freeware without checking into its spyware reputation?  That is bad.

Do you visit the seedier side of the internet?  That is bad.

Are you forgetting to patch your system?  Bad.

Have you turned off your pop-up blocker?  Bad.  A primary infector, nowadays, is pop-up windows.

Have you reduced your Internet security settings because a favorite site won't work properly at default security levels?  Bad.

Did you turn off your firewall 'cause your ISP told you to when you were having problems?  Bad.

Have you avoided installing Service Pack 2 for XP because one of your software products is "not supported" in SP2 environments?  Bad... stick that software on a PC that isn't used for Web surfing.  The same goes for software that will not run unless the user has administrator rights.... if you *must* use such software then fine, run as Admin, but if you must go on the net log in to a limited user account and surf from there.

Does that sound like too much inconvenience?  Believe me, if you get infected the inconvenience you suffer then will be far worse.  It's not that hard to get used to multiple accounts.  On my networks I have two accounts, an administrator account and a regular user account. I only log in as administrator when I require elevated permissions for a specific task. For the rest of the time, I use a normal user account.  It took a little while to get used to, having to swap logins, but the temporary pain is worth the security gain.

Go get it if you need it :)

http://www.microsoft.com/technet/prodtechnol/ie/ieak7/default.mspx
