November 2007 - Posts

Posted to the Google Online Security Blog

"Currently, we know of hundreds of thousands of websites that attempt to infect people's computers with malware. Unfortunately, we also know that there are more malware sites out there. This is where we need your help in filling in the gaps. If you come across a site that is hosting malware, we now have an easy way for you to let us know about it. If you come across a site that is hosting malware, please fill out this short form. Help us keep the internet safe, and report sites that distribute malware."

Note this blog entry was published after Sunbelt reported the massive seeding of malicious web sites on Google (which were *not* flagged as dangerous), which was then cleaned up, and before it was reported that nonsense domains were reappearing in Google's search, albeit with (apparently) no malicious content (yet). 

The cynic in me sees the blog entry as no more than a cynical attempt at damage control, but Google deserves some credit for creating the form, I suppose - yay them for giving their readers a warm fuzzy feeling when they report whatever site, but let's be honest - it ain't gonna make any real difference.  First, victims need to know the report page exists.  Second, they have to report on it.  Third, Google has to act on it.  And, realistically, when we're dealing with domains with nonsense names, made up of random letters, and random lengths - I'm sure that all of you with a fundamental grasp of mathematics and understanding of "odds" know what the chances are of this form making a real difference.

If Google wants to fight the bad guys one site at a time, then all power to them .. I sure as hell hope they have a hell of a lot of manpower behind them - they're gonna need it.  Consider the analogy of the elephant and the ant.  The elephant is massive - the ant is miniscule, but the elephant is one, and the ants are millions.  A swarm of ants can overwhelm anything if they put their minds to it, even the elephant.  Now replace "elephant" with "Google" and "ants" with "malicious web sites".  I think you see my point.

I'd far prefer that Google focus their efforts on something far more effective - like stopping malware sites from getting into their search results in the first place.  There is a basic, basic, flaw in the way that search engines work when the bad guys are able to play the system so easily.

There are some areas of the internet that are turning into the online version of Typhoid Mary, and these areas of the internet, I am sorry to say, may need to be judged guilty until proven innocent.  The modern Typhoid Mary is not just particular countries (like China, some eastern bloc countries and countries with lower socio-economic standards) but may also be Registrars that are known to have a higher than acceptable ratio of problematic sites, low standards when accepting new registrations, and domain servers that host a greater than average number of malicious or suspicious sites.

All search engines, and Google in particular, want to be all things to all people.  Their goal is to index the web and show you everything possible pertaining to your particular query or interest.  But, reality is that this is no longer safe.  We may need to take the hard decision to isolate some areas of the Internet as guilty until proven innocent.

Haute Secure is trying a Typhoid Mary type approach - in some ways it has a "guilty until proven innocent (or clean)" attitude to malware, but, ironically, I have expressed concern more than once that HS is too chatty and is warning against too many sites when no real danger exists, whether it be because there used to be a risk that is now gone, or there is a potential risk.  So, I understand what the implications for Google are if they decide to use the "guilty until proven innocent" protocol - after all, I ended up turning off Haute Secure because its warnings occurred so often.  I stopped paying attention to HS, turned some of its warnings off, and it fell victim to the modern version of the "Boy Who Cried Wolf" syndrome.  Google does not want to suffer the same fate.

That being said, the innocent days of the Internet as a wondrous, safe place that all can visit, and learn, and teach and share and explore without fear are gone.  The criminals have taken that dream away from us.  That is the reality.  And all of us who create or host online content have some hard decisions to make.

 

When you view a Web page by using Microsoft Internet Explorer 6, a GIF image that is located on the Web page appears as expected. However, if you press F5 to update the display, or if you click Refresh to update the display, the GIF image no longer appears. Instead, a red "X" appears as an image placeholder.

You experience this problem if the following conditions are all true:

• You visit the Web site over a Secure Sockets Layer (SSL) connection.
• You use a proxy server to connect to the Web site.
• The Web site uses NTLM authentication to access the Web page.

A hotfix is available to address this problem.  Note that you must edit the registry after installing the Hotfix or it will not work.

Source: http://support.microsoft.com/default.aspx/kb/936994

 

You may recall that Alex Eckelberry alerted us to a massive seeding of Google and other Web searches with malicious web sites.  Google and the other sites, to their credit, certainly cleaned things up very quickly, and the incident quickly hit the popular press.

Sadly, it seems that Google, although they reacted quickly to the last incident, have seemingly not found a way to counter the basic problem, because Alex and Adam have reported that they are seeing signs of another attempt to infiltrate search results. Alex and Adam note that the sites are not dangerous at the moment, but of course that could change.

While we're on the topic of malicious searches, TrendMicro's team pointed out a new behaviour that all of us need to keep in mind when investigating these outbreaks.  Trend say that:

"However, there is a little catch for us security researchers. We now look at the “if” statement where it relies on the “document.referrer” function. The code tells that in order for the “eval” function to be executed, the page where the user visited before arriving on the malicious Web page should be a page containing Google search results. Also, the search string used by the user must not have the “inurl:” and “site:” Google search functions. Thus, direct visit or access of the malicious site will not trigger the evil script and not redirect us to the site hosting the malicious binary file.

For security researchers developing tools to automate the capture of the malicious files found on Web threats, this is something to consider. It is clear that this is a limitation for tools designed to directly access the malicious site aiming to capture the malicious files. The affected tools include honeyclients, Web crawlers, and downloaders."

You may recall my previous advice about this problem which is to pay close attention to the links that are being offered, and avoid anything that just doesn't look right, and certainly to avoid 'nonsense' domains.  If you look at the latest Sunbelt shots, one of the sites is "pavtd.com.cn" which, at least according to the quick straw poll I just conducted, would not ring alarm bells for the average user.  Apparently it's "not nonsensical enough".

 

Important note: These reports are unconfirmed.

A person has posted a comment to my blog warning that they experienced a redirect while using Hotmail aka Windows Live Mail - you can read the comment here:
http://msmvps.com/blogs/spywaresucks/archive/2007/11/08/1287908.aspx#1369705

Earlier this month I spotted a similar complaint affecting MSN Groups:
http://groups.msn.com/ArtifactsofMars/general.msnw?action=get_message&mview=1&ID_Message=568

I've notified the appropriate parties about both of these reports, but am interested to know if any more of my readers have seen, or heard of, such problems in recent times.  If you have done so, please contact me or post a comment.  It will be very helpful if you could also tell me on what date(s) the redirect happened, and what country you are in.  It would be even better if you can record evidence using Fiddler or Fiddlercap.

The advertising network used by MSN has been infiltrated in the past. Those who have been reading my blog for a long time will remember the outbreak that hit Windows Live Messenger, Hotmail and MSN Groups back in February this year.

 

The FBI's Operation Botnet is starting to bite.  According to today's Press Release, just some of the people charged include:

  • James C. Brewer of Arlington, Texas, is alleged to have operated a botnet that infected Chicago area hospitals. This botnet infected tens of thousands of computers worldwide. (FBI Chicago);
  • Jason Michael Downey of Covington, Kentucky, is charged with an Information with using botnets to send a high volume of traffic to intended recipients to cause damage by impairing the availability of such systems. (FBI Detroit);
  • Robert Alan Soloway of Seattle, Washington, is alleged to have used a large botnet network and spammed tens of millions of unsolicited email messages to advertise his website from which he offered services and products. (FBI Seattle)

Press Release: http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm

Headline archive: http://www.fbi.gov/page2/june07/botnet061307.htm

Here we go again....

December 2007 cumulative time zone update for Microsoft Windows operating systems
http://support.microsoft.com/default.aspx/kb/942763

This update supersedes and replaces update 933360, which was released in August 2007. This update also includes additional time zone changes that were signed into law after update 933360 was created. If you have already deployed update 933360, read the descriptions of the specific time zone changes that are addressed in this Microsoft Knowledge Base (KB) article to determine whether you must deploy this update immediately. If systems are not directly affected, you can schedule deployment at the next available opportunity. We recommend that you deploy the most current Windows cumulative time zone update to guarantee the consistency of the time zone database on all systems.

I read this and my head hurts - How to address time zone changes by using the Time Zone Data Update Tool for Microsoft Office Outlook:
http://support.microsoft.com/kb/931667/

Time zone changes in the December 2007 update: 

• Arabic Standard Time:
Adjusts DST start dates and end dates for the Baghdad time zone for changes after the prior cumulative time zone update was created (August 2007).

• Australia:
Central Australia Standard Time
Australia Eastern Standard Time
Tasmania Standard Time
Adjusts DST start times and end times for these time zones so that they start and end on the same day. This was changed after the prior cumulative time zone update was created (August 2007).

• Egypt Standard Time:
Adjusts DST start dates and end dates for the Cairo time zone for changes after the prior cumulative time zone update was created (August 2007).

• Israel Standard Time:
Adjusts DST start and end dates for the Jerusalem time zone for changes after the prior cumulative time zone update was created (August 2007).

Note: Updates for the Jerusalem time zone are not included in the Windows Vista package for this update. The Jerusalem time zone updates have been available in Windows Vista since Windows Vista was originally released.

• South America:
E. South America Standard Time
Central Brazilian Standard Time
Adjusts DST start dates and end dates for the Brasilia time zone and for the Manaus time zone for changes after the prior cumulative time zone update was created (August 2007).

• Venezuela Standard Time:
Adds a new time zone for the Caracas time zone for changes after the prior cumulative time zone update was created (August 2007). 

Pete L reports that new builds of the IE6 and IE7 VPC images may be released as early as Monday or Tuesday.

This is of interest to my alter-ego

"Some e-mail messages remain in the queue on a server that is running Microsoft Exchange Server 2003. Additionally, the message sender receives non-delivery report (NDR) 4.4.7 messages that indicate the delivery failures.

This problem does not occur [recur?] if you restart the Microsoft Exchange Information Store service on the Exchange 2003 server.

This problem occurs because the Microsoft Exchange Information Store service populates an internal property cache with incorrect e-mail message header data. When this problem occurs, the cache in the Microsoft Exchange Information Store service reaches the maximum limit of 65,536 entries. When the cache is fully populated, more entries cannot be added. This behavior causes an error condition in which some messages cannot be sent.

To reset the cache, restart the Microsoft Exchange Information Store service.
"

Source: http://support.microsoft.com/default.aspx/kb/941060 

 

Santa has responded to my wish for Fiddler on a MAC.  He says:

"You can, however, run Fiddler on a Windows machine, and point the Mac's proxy settings at WINMACHINE:8888. If Fiddler is configured to allow remote clients to connect, it will successfully proxy the traffic from the Mac. It's non-trivial, but it does work."

Cool trick!

A new version (1.1) of FiddlerCap is available at http://www.fiddlercap.com.

The new version includes a checkbox that controls whether or not cookies and form POSTs are stored within the .SAZ file.

Fiddlercap is proving to be absolutely invaluable in the fight against malicious banner advertisements - Fiddlercap makes it easy for even the most inexperienced computer user to quickly and easily capture undeniable proof that a malicious banner advertisement is redirecting them away from a web site - proof that can be sent direct to me and other security professionals, a website's technical support, and to advertising networks.  We can gather and distribute the proof we need to get malicious advertisements shut down faster than we have ever been able to.

My Christmas wish to Santa is that a version of Fiddler and Fiddlercap be released that will run on a MAC.

You start sounding the alarm, that's what you do.  I urge you to read this link, and spread the word.

http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html

Take a close look at the URLs for the malware links; they are all random collections of letters and numbers, and they're all Chinese domains.  Users of Google (and other web search engines) need to pay close attention to the links that are being offered, and avoid anything that just doesn't look right, and certainly avoid 'nonsense' domains like those in the Sunbelt screenshots.

FWIW, a quick check using Windows Live Search does *not* result in a slew of malicious sites.

If Google wants to be the Sun around which we all revolve then they are going to have to clean up their act, and fast.  I admit, Google do try to flag sites that they know are dangerous, but *none* of the malware links in the screenshots are flagged as malicious.

 

Alex Eckelberry of Sunbelt has been in touch with me to advise that he has contacted AdOn Network about the malicious SWF that we have been studying on this blog over the past day or so - something I am ashamed to admit I had not done yet.

AdOn advise that they have removed the advertiser, and all staff have been instructed to no longer accept the advertisement within their network.  AdOn advised that they manually review all advertisements before entering them on the network, and that the Tube advert was apparently ok at the time of submission.  They will be reviewing all accounts to remove "this type of ad" and hopefully prevent a recurrence.

So, US based visitors to the National Geographic site can rest a little easier.

Edit: 12.45pm GMT +0900, 27 November

I just checked and the SWF is still available at rmedia.adonnetwork.com/images/560766_90_728_200711011430_tubesnow_728x90.swf, and it is still malicious - redirecting people to the malware site.  It needs to be moved to a non-public area and/or deleted.

 HTTP capture of a visitor to the National Geographic website being hijacked and redirected to scanner2.malware-scan.com.  As we know, we've traced the guilty advertisement as far back as 66.179.234.173/images/1847_560766_7006263_90_728.html

 

I only have time to post screenshots at the moment - the malicious advertisement can be seen at:
66.179.234.173/images/1847_560766_7006263_90_728.html

A Google search reveals that the IP address 66.179.234.173 has a history of involvement with malicious banner advertisements:
http://www.google.com/search?q=66.179.234.173&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1

The SWF itself is being pulled from:
rmedia.adonnetwork.com/images/560766_90_728_200711011430_tubesnow_728x90.swf

With javascript being pulled from:
rmedia.adonnetwork.com/adon_flash_v2.js
 

I'll post more specific details in roughly 9 hours time... I won't have time before then to go through the Wireshark capture evidencing the redirect.

 

Posted to Shark Bait not long ago.
http://sharkbait.computerworld.com/?q=node/1902

There's my Dad, searching the net for an update to a particular specialist programme on his system; he finds what he wants, he downloads, he starts to install (we don't know if he closed his Web browser first - I'm betting not), he's prompted to update *DirectX* and whammo, he's hit with spyware.cyberlog-x.

Unfortunately:

  1. he doesn't remember what the URL was that he downloaded the software from;
  2. he's not sure in what order various events occurred; and
  3. IE's history, just for today, has been deleted (an interesting symptom in and of itself) - IE's history record for previous days is intact. 

The affected system is an XPSP2 system and my Dad fell victim to a standard combination of circumstance; a nice dose of social engineering, being confronted by a dialogue box that mentioned a name that was familiar enough to not be too scary, and not paying close enough attention to what he was downloading, and just as importantly, where from.

My father's experience today, and our difficulties when trying to clarify exactly what happened and how it happened, combined with other interactions I have seen between IT and computer users, reminds me that the average user really doesn't "get it" when it comes to working with IT staff.  They are sometimes their own worst enemies; not paying attention, and not recording what is, for us, essential information and not interacting well with their IT support.  The user mis-steps that I see happening most often are:

  1. The average user will not read the error message on the screen.

    There was the time a very grumpy person complained that somebody had changed his password, because he was sure he was putting it in correctly, but it kept failing.  It turned out that the true situation was that he was trying to unlock a locked screen and didn't read the dialogue box that appeared after he entered his username and password which said (paraphrased) that "this computer is locked, if you proceed the other logged on user's programs will be shut down and they may lose data".  Instead, he assumed it was an incorrect password dialog, hit enter (which triggered 'cancel'), pressed ctrl/alt/del, tried again, didn't read the message again, hit enter again, rinse/wash/repeat.  After 4 or so tries he came to me to complain, and a lot of frustration could have been saved if he had read the dialogue box and acknowledged the warning by clicking ok instead of cancel....

    And this guy had an admin account - don't let him near a server... please...

  2. Practice patience. 

    If the hourglass is spinning, it won't do you any good at all to keep clicking; in fact, with some of the line of business applications that I support it will guarantee a crash.  Go and get yourself a tea, coffee, fruit juice or whatever and if the problem is still there when you get back, call IT and ask for advice.

  3. If the cursor turns into a hand, *single* click, don't double click... again, I support some line of business applications that *will* crash if you double click instead of single click.

  4. If it doesn't work the first time that you click, it won't work if you click 2, 3, 5, 10 or 20 times. 

  5. Swearing at the computer won't help - it can't hear you.

  6. Swearing and being angry when talking to IT support won't help either. Stress is bad for both of you.

  7. Sometimes a simple reboot is all that is needed to stabilise your system, especially if you leave it running 24 hours a day.

  8. It is not a good idea to delay rebooting after installing security updates if prompted to do so - to avoid weird problems and errors, please restart your computer when prompted, even if you're really really really busy - it doesn't take that long.

  9. "It's been crashing for about a week, but I really need this report right now".  

    Please call IT support before it becomes an emergency.  We don't have crystal balls... we don't discover that you are having problems via some sort of mysterious osmosis, and if you've left things for a week before calling us we have somewhere between "nil and buckleys" chance of working out what went wrong and why.  Also, it is difficult for us to minimise the frustration you're feeling if you only call us after you've been "putting up with it" for a week, and you're now seriously pissed off and ready to throw your computer (and your IT support professional) out the nearest window.

  10. "There was a weird message then it crashed"...

    "Ok, what was the message?" ... <<silence except for the sound of crickets chirping in the darkness>> ... "I dunno.  I clicked on ok, and now nothing works". 

    If you experience a crash, stop what you are doing, read it and write it down, then call me.

  11. "I didn't do anything!" .... sometimes, my friend, yes you jolly well did.

  12. If your thoughts immediately before clicking are anything like "maybe if I try this..." or if you feel a desire to close your eyes and cross your fingers as you click, then don't click.

  13. "It has never worked!!" .... Ok, we're dealing with the crystal ball thing again, aren't we...

  14. Please, don't try to fix it yourself.  You may "know a bit about computers" but if your efforts change a simple fix into a complicated procedure or an "easier to reformat" situation, you won't win any friends, especially if you call IT and say "It's been crashing for about a week, but I really need this report right now".

 

Check out this URL:
http://www.itnews.com.au/News/NewsStory.aspx?story=65660

See this quote towards the very end:

"In Australia earlier this month, a majority of Sensis websites including Whitepages, Telstra Bigpond and Yellowpages had to remove advertising on their site after a local security professional and Microsoft MVP discovered malicious malware embedded in the ads."

For whatever reason, IT NEWS decided to omit my name from that paragraph, despite specifically mentioning that a "local security professional and Microsoft MVP" were involved, and I am finding it impossible to comprehend why they would do so.

I have been fighting malware for years, long before it became the "cause de célébrité" with the popular press, and I've done it all for free - given up my days, my nights, and my weekends - never charging a penny, fighting the good fight, and running up one hell of a personal debt in the process, but when my name is dropped like this, I wonder why I try so damned hard to protect internet users at large from malicious banner advertisements and hacked web sites.

I don't want to be patted on the back every damned day, I don't, but if you're going to mention something I did, and mention what I am, please... don't leave my name out. It's unkind and it's unfair.

 

Malware found on LaoAirlines.com, travellers beware of other sites

"Sophos has warned Australian travellers looking to book flights to South East Asia to make certain their anti-virus software is up to date before going online after yesterday intercepting malware on Lao Airlines.com.

Users who simply embark on the site will automatically be redirected to another site in China which then attempts to run an exploit and download an executable."

All we can do is keep warning our users to always be careful, always be vigilant.

 

This one is interesting to my alter-ego...

Consider the following scenario. In a Microsoft Exchange Server organization, the Exchange Server server has no size restrictions for e-mail attachments and no quota settings on mailboxes. Additionally, size restrictions are set on the firewall.

In this scenario, you may receive non-delivery reports (NDR) when you send e-mail attachments that are larger than a specific size. For example, you may receive an error message that resembles the following error message:

----- The following addresses had permanent fatal errors -----
<user@domain.com>

----- Transcript of session follows -----
... while talking to mail.domain.com.:
>>> DATA
<<< 552 Requested mail action aborted: exceeded storage allocation
554 <user@domain.com>... Service unavailable

Final-Recipient: RFC822; user@domain.com
Action: failed
Status: 5.2.2
Remote-MTA: DNS; mail.domain.com
Diagnostic-Code: SMTP; 552 Requested mail action aborted: exceeded storage allocation
Last-Attempt-Date: Fri, 2 May 2003 16:59:59 -0400 (EDT)

The above error is actually being caused by the *Firewall*, not by any storage allocation limits.

Source: http://support.microsoft.com/default.aspx/kb/944281

It is unfortunate that the error generated does not give a true indication of the cause; if you were a technician diagnosing this error, you'd be led astray by the message.  A Google search for SMTP 552 is similarly unhelpful.

 

Uh oh...

Somebody using the pseudonym MWT has posted a comment warning that he was hit by a banner advertisement redirect when browsing a National Geographic article.

Note that he was using Opera at the time (his name is a link to a screenshot of the redirect).

I also have screenshots of such malware redirects affecting Firefox, and Firefox on a MAC, and that is a worry because these advertising campaigns rely as much on social engineering as they do on exploits, and it's only a small step to change from redirecting to a fake security software site to redirecting to a site that has been compromised by MPACK or equivalent - and remember, MPACK targets exploits that affect IE, Firefox *AND* Opera.

It is absolutely essential that such advertisements are shut down as soon as they are discovered.  I'm off to the National Geographic site now to try and capture evidence of the redirect.

If any of my gentle readers want to help out, you'll see a link to Fiddlercap, and a link to a Macromedia page that will flush out cached Flash data, in the News pane to the left of the screen.  If you manage to capture a redirect affecting National Geographic, please contact me using the Contact link at the top of the screen.

More later if I find anything.

 
