A fraudware web site that will *not* close.

I see this:

image

I try to close using Red X, I get this:

image

I try to close using the Red X, which has always been sufficient in the past.  In this case, the dialogue box goes away but the god-damned window is still open.

So, I have to go to Task Manager and shut down the IE window process:

image

I shut down the correct iexplore.exe process and the window is FINALLY gone, taking along with it other windows that were open:

image

What URLs hosted this nasty experience?   I'm not telling because it seriously is NASTY!

So, where is "antivirus-scanner.com" hosted?  At securehost (we are not surprised, are we).

Ok, there are a lot of people out there who are upset at being overcharged and defrauded by bucksbill.com.  Just check out the comments here and here.

Unfortunately, people are also emailing me directly because they (mistakenly) believe that I and/or this blog are associated with the fraudsters.  For example, check out this email:

"I don't know what this is but there was money taken from my account for this and I know I DID NOT purchase this. I have tried to call you several times and can not get through. Please contact me Donna Spencer 270-***-**** or 270-***-****. DO NOT TAKE ANY MORE MONEY FROM MY ACCOUNT CONTACT ME AS SOON AS POSSIBLE!!!!!"

I and this blog are NOT associated with bucksbill.com in any way.

Please, remember that victims of overcharging and unauthorised charges can dispute the charge with their bank or building society and request that the charge be reversed.

The Federal Trade Commission has published an advisory for victims of credit card fraud or overcharging that can be seen here:
http://www.ftc.gov/bcp/conline/pubs/credit/fcb.shtm

 

A comment has been made to this blog warning that http://en.f1-live.com/f1/en/index.shtml has been serving malvertizements during the past week or so.  We're investigating.  If anybody sees anything, please let me know.

 

I received this alert via email:

"My girlfriend was surfing boston.com last night and she landed on some nasty code that redirected her to that classic alert box in the lower left hand corner of the screen. This time it was for XPShield which is widely known as rogue. Anyway I had known that you covered a boston.com incident before and wanted to let you know it's still going on."

We're investigating.  If anybody sees anything untoward, please let me know.

SEATTLE – A 21-year-old Scottsdale, Ariz., man accused of coercing consumers to buy software that actually turned their computers into spamming machines agreed to a settlement that substantially restricts how he markets software in the future, the Washington Attorney General’s Office announced today.

The Attorney General’s Consumer Protection High-Tech Unit sued Messenger Solutions, LLC, and owner Ron Cooke, in March. The suit, filed in King County Superior Court, accused Cooke of violating Washington’s Computer Spyware Act and Consumer Protection Act while marketing programs under the names Messenger Blocker, WinAntiVirus Pro 2007, System Doctor and WinAntiSpyware.

Under the settlement filed today, Cooke cannot use Net Send messages or simulated security alerts to market products, transmit software to another person’s computer without a user’s knowledge or make other misrepresentations in the advertising or sale of products.

He will pay $5,000 in attorneys’ costs and fees and $202 in restitution, which will be used to provide refunds to nine Washington consumers who purchased the software. The settlement also includes a $100,000 civil penalty, waived provided Cooke complies with the settlement.

“Ron Cooke now has a $100,000 fine hanging over his head as a reminder to him and other online marketers that the Attorney General’s Office won’t tolerate Internet anarchy,” said Assistant Attorney General Katherine Tassi. “There are plenty of opportunities for young entrepreneurs to profit online without deceiving consumers.”

The Attorney General’s Office launched its investigation in October 2007 after a computer in the High-Tech Unit’s lab received ads via Windows Messenger Service. The lab uses “honey pots” to detect hackers, spyware purveyors and other Internet mischief.

The state’s complaint alleged Cooke uses Windows Messenger Service to bombard consumers with a continuous stream of pop-ups advertising porn and sexual-enhancement products. Windows Messenger Service, not to be confused with the instant-messaging program Windows Live Messenger, is primarily designed for use on a network and allows administrators to send notices to users.

He then sent those same consumers another bout of pop-ups intended to simulate system warnings, which directed users to a Web site to buy software to supposedly block pop-ups.

Consumers who downloaded the software were further victimized when the program caused their computers to stealthily blast messages to other PCs at a rate of one every two seconds.

The Attorney General’s Consumer Protection High-Tech Unit has brought a total of six lawsuits under Washington’s Computer Spyware Statute, RCW 19.270, since the law was approved by the Legislature in 2005.

Messenger Solutions/Cooke Consent Decree

Messenger Solutions/Cooke Complaint

 

I am pleased to advise that one of the malvertizements that was appearing at photobucket.com, being the Tokyo Drift malvertizement being distributed via adbureau.net, has been removed from circulation.

As far as I know, the other malvertizements, hosted by atlas-ads.com, may still be in circulation.

The malvertizements are gone because we alerted adbureau.net to the problem.  I have NOT received any reassurances from photobucket.com, either directly or via other correspondents, that photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again, or that they have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately, therefore my earlier stated advice to avoid all advertising on photobucket.com still stands.

 

Photobucket has been mentioned several times on this blog because of malvertizements appearing on the site.  The most recent outbreak is proving to be problematic, to say the least.

Photobucket have been advised several times that there are malvertizements appearing on the web site.  Photobucket have been given sufficient information to enable them to quickly identify and remove the malvertizements.  Email acknowledgements have been received from Photobucket advising that the malvertizement reports would be forwarded to the "advertising team".

The malvertizements have also been reported to the advertising networks being used to host and distribute the malvertizements.

Why, then, are the malvertizements cited here still appearing on the Photobucket web site?

This is the Lady Speedstick malvertizement appearing on photobucket.com:
atlas-ads.com/99000/728x90.swf

Screenshot in situ:
http://www.bluetack.co.uk/Kimberly/Logs/swf79.jpg

This is the Tokyo Drift malvertizement appearing on photobucket.com:
photobkt-images.adbureau.net/photobkt/cinema_photobucket_728x90.swf

Screenshot in situ:
http://www.bluetack.co.uk/Kimberly/Logs/swf80.jpg

Kimberley wrote about the malvertizements at photobucket several days ago, and reported the problem to photobucket on 8 May:
http://www.bluetack.co.uk/forums/index.php?s=05b1fcebf3d68bb448979919ca14aa83&showtopic=18064&st=60&p=87195&#entry87195

Kimberley reports on photobucket.com again on 10 May...
http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=87219

And again here, just under 10 hours ago:
http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=87235

rlslog.net were able to get rid of the malvertizements reported to them.  mininova.org were able to get rid of the malvertizements that were reported to them.  Why is it so hard for photobucket.com to clean up *their* act???

I have no choice but to recommend that nobody should visit photobucket.com unless they have software in place that will prevent any advertisements on that site from being displayed on their computer.  This advice stands unless and until the malvertizements are removed AND photobucket.com can reassure us that:

  1. Photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again; and
  2. Photobucket have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately. 

I have always said that I do not support such wholesale blocking of advertisements, because I have always held to the view that every person deserves to earn an income but in this case, because the malvertizements are still appearing despite our best efforts and despite several days having passed, I must recommend that visitors to the site protect themselves, even if it means that photobucket loses income, and all advertisers (legitimate and fraudulent alike) receive zero value from photobucket.com.

 

Several comments have been posted to my blog recently about a malvertizement problem at mininova.org:

http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1601871
http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1602159
http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1614547

Anyway, I went looking and found a thread that claimed the malvertizements had been identified and removed on 5 May so I didn't take things any further (a decision which may have been a mistake).
http://forum.mininova.org/index.php?showtopic=235009007

Kimberley has now identified a malvertizement on mininova.org, again hosted by Akamai:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=60&gopid=87201&

The domains being used by the malvertizers are:

adoptserver.info
iexplorer-security.org
mystats.com
fastwebway.com
xponlinescanner.com

The malvertizement has been reported to Akamai.

Once again, communication and cooperation between anti-malvertizement activists around the world has resulted in success.

We have found the malicious malvertizements on photobucket.com - Kimberley has the details.

The incident has been reported to Photobucket.  The malvertizements themselves are not new.  Speedstick and TokyoDrift have been featured on this blog several times.  As noted by Kimberley, the malicious domains being used by the cretins behind the malvertizements are:

atlas-ads.com (host of a malicious SWF)
track.trackads.net
tds.maxconvert.com
adtds.trackads.net
spywaredestructor.com
adoptserver.info
iexplorer-security.org
fastwebway.com
xponlinescanner.com

photobkt-images.adbureau.net (host of a malicious SWF)

adbureau.net is Akamai - the incident has been reported.

Atlas-ads.com is registered via Estdomains, created on 10 April 2008.
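An added example, not part of the original post: one way to check a captured request log against the domains listed above and trace each hit back through its Referer values to the page that started the chain. The one-line-per-request log format and the sample lines are assumptions constructed for illustration; a real capture would need to be exported into this shape first.

```python
from urllib.parse import urlsplit

# Domains named in the post above.
LISTED = {
    "atlas-ads.com", "track.trackads.net", "tds.maxconvert.com",
    "adtds.trackads.net", "spywaredestructor.com", "adoptserver.info",
    "iexplorer-security.org", "fastwebway.com", "xponlinescanner.com",
    "photobkt-images.adbureau.net",
}

# Constructed sample, one "METHOD URL REFERER" per line ("-" = no referer).
# Only the SWF URL comes from the page; every other path is made up.
SAMPLE_LOG = """\
GET http://photobucket.com/albums/ -
GET http://atlas-ads.com/99000/728x90.swf http://photobucket.com/albums/
GET http://track.trackads.net/in http://atlas-ads.com/99000/728x90.swf
GET http://www.xponlinescanner.com/scan http://track.trackads.net/in
GET http://atlas-ads.com.example.org/banner.gif http://example.org/
GET http://other.adbureau.net/ok.js http://example.org/
"""

def listed_domain(host):
    """Return the listed domain that host equals or is a subdomain of."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match on label boundaries only
        if candidate in LISTED:
            return candidate
    return None

def trace_chains(log):
    """For each request to a listed domain, follow Referer values back to
    the page that started the chain; returns lists ordered page -> hit."""
    referer_of, hits = {}, []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, url, referer = parts
        referer_of.setdefault(url, None if referer == "-" else referer)
        if listed_domain(urlsplit(url).hostname or ""):
            hits.append(url)
    chains = []
    for url in hits:
        chain, ref = [url], referer_of.get(url)
        while ref and ref not in chain:  # stop on referer loops
            chain.append(ref)
            ref = referer_of.get(ref)
        chains.append(chain[::-1])
    return chains

if __name__ == "__main__":
    for chain in trace_chains(SAMPLE_LOG):
        print(" -> ".join(chain))
```

Matching on whole labels keeps look-alike hosts and sibling subdomains of adbureau.net out of the results, since only photobkt-images.adbureau.net is on the list.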

 

Thanks to Susan for the heads up...

Cite:  http://blog.mozilla.com/security/2008/05/07/compromised-file-in-vietnamese-language-pack-for-firefox-2/

Cite:  https://bugzilla.mozilla.org/show_bug.cgi?id=432406

Anybody who downloaded and installed the Vietnamese language pack ***since 18 February*** will have got an infected copy.  Symptoms include the display of unwanted advertising.

Mozilla notes that because there were only "16,667 total downloads of the Vietnamese language pack since November 2007" they consider that the impact on users will be "limited" - well, it may be limited in Mozilla's eyes, but I suspect that those affected will be less dismissive.

It is staggering that the infected file was in situ and being distributed for over two and a half months. It is also staggering that Mozilla seemingly did (does?) not complete regular scanning of their files to check for previously undetected malware - didn't they realise that there is always a period of time between malware being released to the wild, and security products updating their products to add detection of new malware??  By not regularly re-scanning all files available for download they expose(d) their users to real risk.

The malware is named in the bugzilla thread as "HTML.Xorer".

Advice is to disable the Vietnamese Language Pack.

I received an email alert overnight warning that photobucket is displaying malvertizements.

The problem we face in tracking down the reported malvertizements on photobucket.com is that the advertisements are country specific. 

This blog has readers all over the world - if anybody has seen something, please grab proof using Fiddler and let me know.

 

We have gone from this... to this... or this, showing only online friends.

image image image

And we get a choice of backgrounds.  The last background, "70s Tux", doesn't seem to be working properly on my system.

Me.dium have chosen to turn off "find similar pages" by default; instead, Me.dium will only show you the pages that your online friends are currently viewing.  The Talk and Friend tabs are gone, and the Friend and Facebook panes can be closed.

You can only chat to people on your friends list, and the shout-out pane which anybody could use to "talk" to other Me.dium users is gone.

Unfortunately it has been necessary for me to remove the Me.dium widgets from my blog and website because the widgets are triggering certificate errors in Internet Explorer, specifically a warning that the certificate being presented by Me.dium was issued for a different web site's address.  This error can occur if a company owns several websites and uses a certificate that was issued for one web address for another site and does not necessarily indicate a security problem at the site, but it is still disturbing for visitors to my blog, and I do not like to contribute to desensitising people to security alerts (which is what I would be doing if I told people to ignore the error, or install the certificate despite the error), therefore the widget goes until the certificate issue is fixed.

[Images: the six background choices, Original, Night, Moss, Icy, Gum and 70s Tux]
