December 2007 - Posts

Don't click on the link!

A quick-n-dirty check is to hover your mouse cursor over a link in an email to reveal what it *really* points to.

The first 3 links (with ticks beside them) point to a legitimate site; it is only the "pick up" link that is dangerous...

image
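The hover check above can be automated for a whole email. This is an added example, not code from the original post: given the domain the email claims to come from, it reports every link that leaves that domain and every link whose visible text names a host other than the one its href really points to. The sample email, example.org (legitimate) and example.net (the destination behind "pick up") are all constructed.

```python
"""Automate the "hover over the link" check for links in an HTML email.

Added example, not part of the original post. Given the domain the email
claims to come from, it reports every link that leaves that domain, and every
link whose visible text names a different host than its href does. The
sample email below is constructed: example.org plays the legitimate site and
example.net the rogue destination behind the "pick up" link.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: three links stay on the claimed domain, the "pick up"
# link leaves it, and the last link shows one host while pointing at another.
SAMPLE_EMAIL = """
<p>Your parcel is ready for collection.</p>
<a href="https://www.example.org/orders">View your order</a><br>
<a href="https://example.org/account">example.org/account</a><br>
<a href="http://help.example.org/">Help</a><br>
<a href="http://example.net/track?id=123">pick up</a><br>
<a href="http://example.net/login">www.example.org/login</a>
"""

# Visible link text that itself looks like a URL or a bare domain.
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


def host_of(url):
    """Lowercase hostname of a URL; a bare 'example.org/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def same_site(host, expected):
    """True when host is exactly expected or one of its subdomains."""
    return host == expected or host.endswith("." + expected)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, expected_host):
    """Return (text, real_host, reasons) for each link a reader should not trust."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        reasons = []
        if not same_site(real_host, expected_host):
            reasons.append("points outside " + expected_host)
        if LOOKS_LIKE_URL.fullmatch(text) and host_of(text) != real_host:
            reasons.append("visible text names " + host_of(text))
        if reasons:
            findings.append((text, real_host, reasons))
    return findings


if __name__ == "__main__":
    for text, real_host, reasons in check_links(SAMPLE_EMAIL, "example.org"):
        print(f'"{text}" -> {real_host}: {"; ".join(reasons)}')
```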

Over the Christmas break I have received reports of malicious banner advertisements hitting espn.com, Lycos mail and usatoday.com, as well as smaller sites such as adrants.com, marketingvox.com, minnesparare.com, all of which I am investigating.

The above reports are bad enough, but by far the most worrying report that I received was the one alleging that visitors to MLB.COM were being redirected to a pornographic web site - of course, this one is going to get my immediate attention. 

Sadly, I can confirm that this hijack is occurring - a quick analysis of what is happening is as follows.

Let's work backwards from the end pornographic site, and trace our steps back to MLB.COM.

The target pornographic site is (URL mangled for obvious reasons):
hq tube . com

The referrer for hq tube . com was:
ad.doubleclick.net/1674952/mlb_chanel.swf?clickTag=http%3A//ad.doubleclick.net/click%253Bh%3Dv8/3639/3/0/%252a/p%253B167905078%253B0-0%253B0%253B5683346%253B4307-300/250%253B24079572/24097425/1%253B%253B%257Eaopt%253D3/1/ff/0%253B%257Esscs%253D%253fhttp%3A//chanel.com/wfj-global/en-us/index.php%3Ffullscreen%3D1%26x%3D-4%26y%3D-4%26width%3D1288%26height%3D778

image
(Thanks Kimberley for the screenshot of the SWF in question)

Each and every attempt to load the URL above immediately redirects me to the pornographic site.  If we clean things up even further and simply load the URL ad.doubleclick.net/1674952/mlb_chanel.swf? I am still redirected to the pornographic site.

We step back one further - the referrer for the doubleclick URL is:
mlb.mlb.com/news/article.jsp?ymd=20071219&content_id=2333449&vkey=news_mlb&fext=.jsp&c_id=mlb

Ok, so now we have evidence that the malicious advertisement is ad.doubleclick.net/1674952/mlb_chanel.swf, and that it is being displayed on the MLB.COM web site. As always, a Fiddler capture (in fact several captures) is available to the appropriate authorities, as well as to authorized representatives of MLB.COM and Doubleclick.  I also have a video capture of the redirect in AVI format.
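The clickTag in the referrer above is percent-encoded twice over, and can be unwrapped mechanically to see where the creative *declares* a click will go. This is an added example, not code from the original post; it takes the referrer quoted above as its only input, and the decoding loop is capped so a crafted value cannot keep it running.

```python
"""Unwrap the clickTag of the DoubleClick SWF referrer to see its declared target.

Added example, not code from the original post. DoubleClick click trackers
nest percent-encoding (%253B is ';' encoded twice), so the value is decoded
repeatedly until it stops changing, with a cap so a crafted value cannot keep
us looping. The referrer string is the one quoted in the post.
"""
from urllib.parse import unquote, urlsplit

REFERRER = (
    "ad.doubleclick.net/1674952/mlb_chanel.swf?clickTag=http%3A//ad.doubleclick"
    ".net/click%253Bh%3Dv8/3639/3/0/%252a/p%253B167905078%253B0-0%253B0%253B"
    "5683346%253B4307-300/250%253B24079572/24097425/1%253B%253B%257Eaopt%253D3"
    "/1/ff/0%253B%257Esscs%253D%253fhttp%3A//chanel.com/wfj-global/en-us/"
    "index.php%3Ffullscreen%3D1%26x%3D-4%26y%3D-4%26width%3D1288%26height%3D778"
)


def fully_unquote(value, max_layers=8):
    """Percent-decode until stable; returns (decoded, number of layers removed)."""
    layers = 0
    while layers < max_layers:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def unwrap_clicktag(referrer):
    """Describe an ad-server SWF URL: the creative, its click tracker, its landing page."""
    if "://" not in referrer:
        referrer = "http://" + referrer
    parts = urlsplit(referrer)
    # The query is "clickTag=<encoded url>"; any '&' or '=' inside the value
    # is itself percent-encoded, so a plain split on the first '=' is safe.
    raw = next((p.split("=", 1)[1] for p in parts.query.split("&")
                if p.startswith("clickTag=")), "")
    tracker, layers = fully_unquote(raw)
    # The click tracker hands the browser off to whatever URL follows the
    # last scheme marker in its path; that is the landing page it declares.
    idx = max(tracker.rfind("http://"), tracker.rfind("https://"))
    landing = tracker[idx:] if idx > 0 else ""
    return {
        "ad_host": parts.hostname,
        "creative": parts.path,
        "click_tracker_host": urlsplit(tracker).hostname or "",
        "declared_landing": landing,
        "declared_landing_host": urlsplit(landing).hostname or "",
        "encoding_layers": layers,
    }


if __name__ == "__main__":
    for key, value in unwrap_clicktag(REFERRER).items():
        print(f"{key}: {value}")
```

Here the declared landing page is the legitimate chanel.com site, yet loading the SWF redirects elsewhere: the navigation is therefore coded inside the creative itself, which is why a malicious Flash advertisement cannot be vetted from its URL parameters alone.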

The first appearance of Doubleclick ID 1674952 is this URL:
ad.doubleclick.net/adi/mlb.mlb/homepage;;pos=1;sz=300x250;tile=1;ord=274715194

Whatever you do, don't try to load that URL as it appears above - it will send your web browser into an uncontrollable loop of new windows being opened.  I had to pull the plug on internet access and wait several minutes for the test system to stabilise before I could close the browser windows and continue my investigation.

So, let's clean up the above URL so that it can be loaded safely, and have a look at this URL:
ad.doubleclick.net/adi/mlb.mlb/274715194

As you will see, there are several different advertisements that appear in rotation.  So, which one is the culprit?  That is not something that I can answer, but I can promise you that I will be passing this information on to people far brainier than me.

This is a very frightening development.  The fact that fraudware such as winfixer and its ilk is using maliciously coded banner advertisements to hijack visitors to legitimate sites is bad enough - now that the porn pushers are getting involved, surely it will force the advertising industry to act - not to mention the governmental authorities, who are going to be extremely concerned that anybody, no matter what their age, may be involuntarily exposed to hard core pornography.

Watch this space for developments.  Below are screenshots that capture the fact of the redirect - you'll see that mlb.com content is still being displayed, but that we've been redirected to the porn site, which is in the midst of being loaded.  Note the address bar URL, the title of the tab, and the status bar information "waiting for http://..."

Doubleclick and MLB are being contacted.

malware

malware2

It's Christmas Eve and my holiday break is about to begin.  We (myself, my long-suffering hubby, and our two teenage offspring who, by the way, insist that at 16 and 18 years of age they are not too old to have a Christmas Stocking at the end of the bed) have the pleasure of the company of more family members this year than has been the case for a very long time, therefore my plans are to *not* blog between now and 2 January 2008.  Instead, I'll be baking pumpkin pies and making English Trifle, overseeing BBQs, unwrapping presents, retrieving cats from the top of Christmas trees, rescuing said cats from the tender affections of my 2-year-old nephew, sampling a wide range of whiskeys, watching myriad DVDs, and generally having a fantastic, non-computer, time.

I will be checking my email once a day or so and keeping an eye on the world of malicious Flash banner advertisements, but please don't expect a response during my break period unless there's a real urgency - rest assured, though, that I'll have a lot of info to share in the New Year ;o)

I hope to see all of my readers on the flip-side, and wish each and every one of you a very Merry Christmas and Happy New Year - of course, if you don't happen to celebrate Christmas or believe in St Nick then please translate the previous sentence to suit your particular preferences.

Stay safe, stay happy, and be nice to each other.

Now... somebody pass me an eggnog - I've got some relaxing to do...

 

Same computer, same web page, same time, same place ...

 

VIDEO: IE 8: On the Path to Web Standards Compliance - ACID 2 Test Pass Complete
http://channel9.msdn.com/showpost.aspx?postid=367207

 

Firefox 2.0.0.5 - default install

image

Internet Explorer 8

image

Firefox 3 Beta 2 - default install

image

Internet Explorer 8

image

Opera 9.25 - default install - for some reason I believed that Opera 9 rendered the Acid2 test as well as IE8.

image

Internet Explorer 8

image

Internet Explorer 7 - ouch - by far the worst of the lot!

image

Internet Explorer 8

image

Microsoft has launched a $250,000 Sweepstakes competition to show users how Internet Explorer can enhance online trust and confidence.  The interactive site quickly demonstrates IE7's Phishing Filter and EV Certificates (the green address bar).  Once the demonstration is finished, the visitor is given the opportunity to enter the Sweepstakes.

Note: The competition is only open to residents of the 50 United States and District of Columbia.  You must be 18 years of age or older at the time of entry.

Entries close 31 January 2008

 

Google's Orkut Hit with a Javascript (Flash?) Worm

"You get an email notification (or find out on Orkut) that you have a new scrapbook entry. It's from a friend. It says.

2008 vem ai... que ele comece mto bem para vc ("2008 is coming... may it start really well for you")

There's no need to click on anything, just viewing it does the trick. The scrap deletes itself, and adds you to the Orkut Community "Infectados pelo Vírus do Orkut". That group, as I write this, is gaining members at a rate of at least one hundred per minute."

One hundred per minute!  According to F-Secure, 400,000 accounts were affected before the attack was stopped by removing a download file that was needed to complete the hijack.  What was the download file?  Well, according to this site, a piece of JavaScript code named virus.js was fetched (files.myopera.com/virusdoorkut/files/virus.js).

From what I can gather after trawling myriad blog entries about the incident, it seems that the exploit worked in a similar manner to the more traditional malicious Flash advertisements.  This blog entry has an interesting discussion about what was happening.

It certainly is becoming obvious that Flash is turning into the Typhoid Mary of the Internet.  There is no way for end users to easily disable the functionality that allows malicious banner advertisements and Flash content such as was used in the Orkut incident.  Yes, we can simply uninstall Flash, or use a Flash and advertisement blocker, but that doesn't solve the problem, does it?  It simply hides it.

Adobe needs to have a close look at what is going on and work out a way to stop the unsavoury types from using their product for malicious purposes, otherwise we will be playing whack-a-mole with the bad guys for a very long time to come and more and more visitors to web sites are going to block all advertisements for security reasons, not just because they don't like ads.  This will, of course, have a negative flow-on effect on advertising revenues for web sites, not to mention the bad blood that will develop between web sites and advertising networks.

Update: more info on the McAfee blog and the Trend blog.

Oh, and in answer to the question "does the security update for Flash stop this from happening" ... the answer is NO.

 

Yep, I thought that would get your attention :o)

Microsoft have announced the following about Internet Explorer 8:

  1. Microsoft are targeting 1H08 (first half of 2008) to deliver IE8 beta 1.

  2. IE8 in standards mode now correctly renders the Acid2 Browser Test.  For compatibility purposes IE8’s rendering engine will default to “quirks” or “standards” mode.  Site developers will need to insert a new opt-in flag to request the page to render using “IE8 standards mode.”   Websites that are coded for previous versions of IE will behave in exactly the same way in IE8 unless the website authors opt-in to IE8 standards mode by placing a simple tag at the head of their HTML document.

  3. There will be an IE8 video made available at http://channel9.msdn.com/.

  4. IE8 will include "a number of innovative and beneficial features for enterprises, consumers and partners " - details to come.

More info on the team blog:
http://blogs.msdn.com/ie/archive/2007/12/19/internet-explorer-8-and-acid2-a-milestone.aspx

 

 

As we know, there have been reports of some IE6 users running Windows XP SP2 having problems accessing web pages after installing the December IE Cumulative Update - IE stops responding.

The problem has apparently been restricted to some customised installations.

A Knowledgebase article has been released that discusses the problem, and the fix (modifying the registry).

http://support.microsoft.com/kb/946627

 

Good morning everybody.

Things have been quiet on this blog with regards to malicious Flash advertisements, but that doesn't mean that nothing has been happening - on the contrary - there has been a lot going on behind the scenes.

Good news is that the malicious SWF implicated in the soccernet outbreak (content owned by adtech.de and distributed by Akamai in the soccernet incident) is no longer being distributed, although it is still accessible via direct URL - I class that as kind of a half win - I'd much prefer the SWF to be moved completely out of public view.

It is interesting to contrast the steps that Akamai and adtech.de have taken by simply stopping distribution with the steps that Sensis took when they were hit - not only did they immediately stop distribution of the advertisement, they also made sure it could no longer be accessed online.

Now, to keep things interesting, Mike Burgess (another MVP) has been focusing on a USA based network that is hosting actual malicious files and trying to get the network to stop distributing winfixer type applications.

Mike Burgess has comprehensive information about the malware being hosted by LimeLight, and his efforts to get the company to take down the content, to no avail:

Limelight Networks serving up Malware (December 5):
http://msmvps.com/blogs/hostsnews/archive/2007/12/05/1380292.aspx

LimeLight Networks and connecting the dots (December 7)
http://msmvps.com/blogs/hostsnews/archive/2007/12/07/1384205.aspx

More malware found at Limelight Networks (December 16)
http://msmvps.com/blogs/hostsnews/archive/2007/12/16/1400161.aspx

Limelight distributes hundreds of Rogue Antispyware products (December 17)
http://msmvps.com/blogs/hostsnews/archive/2007/12/17/1401525.aspx

So, for the time being, our focus should be campaigning to get LimeLight to stop distributing malware.  Of course, I continue to be on the lookout for malicious advertisements as well.

Mike's comment that LimeLight's "partners" may not appreciate being associated with malware, and that they should perhaps be made aware of Mike's discoveries, is a very interesting one.  All's fair in love and fighting malware.

Mike's blog is well worth subscribing to. He's as passionate about stopping the distribution of malware online as I am, and he has a lot of information about things such as fake video codecs and what not.

 

Hi all,

You may have noticed that my Me.dium widgets (both here and on ie-vista) are blank.

I received an email late on Sunday night warning me that the Me.dium widget at www.ie-vista.com had offered to a visitor to my site the URL for the orientalorgy domain.  The content offered by the URL was pretty hard core pornography, and completely unacceptable to me, and to Me.dium. I have personal experience of them deleting Me.dium user accounts on the basis of inappropriate chat content, and know that they're pretty hard line about such things.

Me.dium (who were immediately informed of the incident, and are as upset as I am about what happened) have advised me with regret that in their opinion the best recourse for me, taking into consideration my zero tolerance for such incidents, is to disable the widgets on both my sites until either the filters are improved to cope with non-English content (this work is in progress), or the ability to create user created neighbourhoods can be made available, and this is what they have done for me.

Me.dium has always taken steps to filter pornographic sites using a filter that utilises content from various third party services, but it turns out that the filters being used are not as effective against non-English pornographic sites.  For reasons that I don't quite understand yet, for the past few days the Me.dium widget at www.ie-vista.com has been offering nearly 100% Asian language content on the map, and this is how the pornographic URL snuck in.  According to the statistics that I have access to, Asian language visitors make up a very small minority of visitors to www.ie-vista.

It stands to reason that if a particular language group is more heavily represented than another language group, then the preferred content of the language group with the higher number of users will naturally be seen as more popular - Me.dium, after all, works on popularity as it pertains to the number of Me.dium users visiting a particular site.  If that popularity is not adjusted to take into consideration the ratio of Language Group 1 to Language Group 2, then we may see effects such as the one we saw at www.ie-vista.com (non English content being offered on an English language site) and other skewed results.

We're all learning as Me.dium changes and grows.  This incident has reminded me of the risk that I assume when I allow unmoderated content (such as the Me.dium widget) to be a part of my sites, and Me.dium have discovered a deficiency in their content filtering.  I just wish that the incident, and its fall-out, were a little less embarrassing :o(

We'll revisit Me.dium once the filters are improved, or the user created neighbourhoods are available.

 

You use Microsoft Internet Explorer 6 to browse to a Web page. However, Internet Explorer 6 may crash under certain circumstances, such as when you open and close a modal dialog box several times.

http://support.microsoft.com/KB/944435

Just catching up on the paperwork here...

IE6 and IE7: Proxy server settings are not set correctly in IE6 after you download a proxy script that uses chunk encoding

Install IE update MS07-069 then enable the fix by editing the registry

http://support.microsoft.com/default.aspx/kb/843289

----------

MS07-069: Cumulative security update for Internet Explorer

http://support.microsoft.com/default.aspx/kb/942615

---------

Some customized security settings for the Trusted sites zone in Internet Explorer 7 are reset to the default values on a Windows Vista-based computer

On a Windows Vista-based computer, you customize the following security settings for the Trusted sites zone in Windows Internet Explorer 7:

• Automatic Prompting for ActiveX controls 
• Download signed ActiveX controls
• Automatic prompting for file downloads
• Allow Script-initiated windows without size or position constraints 

However, after you install Internet Explorer cumulative security update 931768 (MS07-027) or security update 933566 (MS07-033), the security settings are reset to the default values.

Fix: Install the December update MS07-069.

http://support.microsoft.com/default.aspx/kb/943141

 

I see this:

image

I change to this:

image

I click on Postpone.... 10 minutes later I see this again:

 image

I mean, for chrissakes, the minimum reminder is 10 minutes, so why am I being nagged within less than 5 minutes????

IE6 has a problem wherein if you uninstall some toolbar items the following may occur:

• On the View menu of Internet Explorer 6, when you point to Toolbars to show the toolbar items, the toolbar names may become blank.

• In some cases, when you click to select one toolbar item, a different toolbar item may appear.

Microsoft advises that an update is available to resolve this problem and is available from the Windows Update Web site.

http://support.microsoft.com/default.aspx/kb/942202

 

SANS have done a great job with getting info out about the patches released this month - I love the table they have put together - so let's just point straight to their page this month :o)

http://isc.sans.org/diary.html?storyid=3735

Note there are updates affecting versions of Internet Explorer all the way back to 5.01 on Windows 2000, and even IE7 on Vista and Vista x64.

 

The EOLAS lawsuit and its side effects continue their death throes.  As part of the process, a preview of the update that will remove the changes forced by the EOLAS lawsuit is available for download here:  http://support.microsoft.com/kb/945007/en-us

Note that the download is only a *preview* and for testing purposes only.  Formal release is scheduled for April 2008.

Another important thing to note is that when the update (not the preview) is finally released, it *must* be installed on any system with MS07-069 installed.  Likewise, you should not install the ACA update without MS07-069.

 

Vlad and Susan have both announced that Yoda (the msmvps.com server) is getting a girlfriend server, by the name of Brianna (hey Susan, I still say we should have gone with Jar Jar as the name for our new server).

I adore Susan - she epitomises the ultimate in philanthropic spirit, as does the Felix Kasza, the ex-MVP who has personally bankrolled the mvps.org domain and email service since around 1999, and who continues to do so despite having not been an MVP since around 2000 when he joined Microsoft and had to give up MVP status, and despite the explosive growth of the MVP Program over the years, and the resultant massive increase in demand for his *free* service.  And yes, we love Vlad too, even when he's grumpy ;o)

Brianna is going to make a big difference to the msmvps.com family - welcome, and don't you take any nonsense from Yoda - and thank you to Susan, and Vlad and Felix, and all the other MVPs and ex-MVPs who make our online family what it is.

BTW, Yoda has his own blog ;o)

Let's play whack-a-mole!!

The big advertising networks are getting better at avoiding malicious advertisements, which is good and protects potentially millions of people from malicious banner advertisements, but now we are seeing signs that there is a shift in activity from infiltrating large networks to selling malicious advertisements direct to victim sites (cite the recent Sensis outbreak, the defsounds outbreak, and every other site that was hosting malicious advertisements within their own infrastructure).

I had a very interesting phone chat tonight about malicious banner advertisements and what not - and one of the facets that came up was a question of how long the malicious advertisements have been around.

We know that MSN was hit around February 2007, and AOL maybe a month later... but what do we know of earlier examples?  I'm sure the behaviour has been around for a long time, but the question is, have I documented it?  Let's have a look.

Well, back in March 2006 I wrote about Winfixer related advertisements that hit ActiveNetwork, but the important point is that you had to click on the advert - it wasn't an automatic redirect.

So, when did I first document an actual redirect? Well, we have December 2006.

Actually, let's go back to April 2006, and a bit later, July 2006.

So, we can safely say that I saw the redirects happening in April 2006, a good 10 months before they hit MSN, and then AOL.  If we go purely on what I have documented on this blog, the winfixer guys made the shift to advertisements with hostile code that triggers automatic redirects somewhere between March and April 2006.

I remember that Winfixer type advertisements were so problematic that the advertising network that supplied the content for Patchou's Messenger Plus Sponsor Program, and Patchou himself, decided to edit MP users' HOSTS file to map winfixer type domains to localhost and thereby avoid the malicious advertisement - an effective measure, but only ever a stopgap.

That reminds me, I really should install the Sponsor Program on a sacrificial lamb and check out what sort of advertising content is being offered nowadays.  The only problem is, I can remember from times past that for whatever reason, the SP would not show pop-up advertisements unless the user was actively surfing.  Oh well, IE7Pro with its auto refresh should be sufficient to convince the Sponsor Program that there is somebody actually sitting at the computer...

Also, nowadays we have to deal with geo-fencing, which means I'll need to set up a sacrificial lamb in my DMZ so that I can easily switch between proxies without having to screw around with my network defences too much.  I did give Privoxy (spelling?) a go a while back, but it doesn't play nice with my firewalls and I wasn't comfortable with punching too many holes in same to get it to work - my (lack of) knowledge about such stuff is sure to lead to my leaving my network's rear end hanging out in the fresh air all ready to be whipped by whatever bad guy happens past.

A sacrificial box in the DMZ is definitely the best alternative.  Sadly, though, I've suffered some hardware losses recently - stuff just gets old and dies - so I need to try and find a cheap (if that is even possible) small form factor PC that can be nice and unobtrusive and sit in my DMZ ticking away happily.  I don't like using virtual machines - it needs to be a real box sitting surfing the 'real' internet.

I admit, my greatest concern at the moment is the new routine I am seeing where malicious advertisements are sold direct to web sites, thereby bypassing the big advertising networks and their checks and balances.  I contemplate the enormity of the chore that we face, educating who knows how many hundreds of thousands of webmasters about the reality of malicious advertisements and fake "letters of mandate" or commentation or authority, and I feel exhausted at the thought.

Anyway, onward and upward.  We may not win the war via this humble little blog, but I sure as heck will have a fantastic time scoring some direct hits against the bad guys when I can, and if we manage to isolate mal-networks like adtraff and its kin so that nobody in their right mind will buy their wares, then that's good - that's a win for us.

Realistically though, the best thing the security-professional-on-the-street and web site owner can do is blog his story when he is fooled into displaying malicious advertisements.  Tell us what happened and about the networks involved.  At least then if somebody does undertake a Web search to research whatever advertising network they will have the chance of being forewarned.

 

This is such a con.
http://blog.billerickson.net/post/21135494

Robert's not too happy, saying "We’re such suckers for going along with this scheme".  Now, Rob's always been a bit of a media whore (I say that in the nicest possible way - I really do like the guy and have known him for years), and he's done quite well out of his always-out-there-finger-in-every-social-networking-pie-anybody-can-be-on-my-friends-list online lifestyle, but now his propensity for adding all and sundry to his various online 'friend' lists, and his decision not to be guarded with regards to the online associations that he allows to be created, is biting him in the butt.  General Motors has gotten a free endorsement for one of its products from one of the highest profile bloggers out there - and they got it for free.

It's just plain wrong.

 

This problem occurs if the following conditions are true:

• Protected mode is enabled in Internet Explorer 7.
• The window in which you specify the text size contains Web pages that use an encoding type other than UTF-8 encoding, such as Shift-JIS character encoding.

Note this problem does not affect Windows XP or Windows Server 2003

http://support.microsoft.com/default.aspx/kb/939944
