Spyware Sucks

The case of the mysterious colour changing, bouncing box

The PC on which the mysterious bouncing box appears is a brand new Compaq.

The bouncing box, which is translucent, is not clickable.  It seems to have no purpose other than to exasperate and confuse and encourage victims to "look here".

A short video of the mysterious bouncing box is here:
http://msmvps.com/files/folders/spywaresucks/entry619001.aspx

Here is a PDF copy of a comparison between two HJT logs - one taken when there was no bouncing window, one when the window was active. You will see there are only a few new processes:
http://msmvps.com/files/folders/spywaresucks/entry623616.aspx

The existence of the additional entries is not conclusive proof that the processes are causing the bouncing window.

There is a picture of the box at the end of this article:

Here is the story of the mysterious box in the words of the PC's owner - note that despite the steps taken the bouncing box reappeared.

"History:
My Wife's machine had suddenly got a "java coffee cup in a colored box" floating horizontally across her screen continually after some time online.  No scans for virii or spyware showed anything, no processes that looked unusual, etc. and it persisted for a few years. It finally disappeared some months ago. I had blamed it on her opening some website with some graphic/media/joke sent by a computer-illiterate friend. Last night I had to eat crow and apologize to my Wife! ;-)

Current Events:
I bought a "Black Friday" special (day after US Thanksgiving dealers sell stuff for ridiculous prices), a Compaq Presario SR2039X Media Center 2005 machine for $389.00 (with LCD, printer and free Vista upgrade)! Yesterday I took it out of the box and spent part of the day running Windows and other updates. NOTHING personal on the machine and only AIDA32 added for a baseline inventory, ZoneAlarm and AVG AV added. I did NOT enable Symantec's integrated protection junk! I just DL'd and installed Adobe Reader 8, walked away and came back to that infamous "java coffee cup in a colored box" floating across the screen! [I don't know if I had installed ZA and AVG before or after this happened.]

I did look thru Msconfig and Add/Remove Programs and found lots of junk I'd never let near a machine (WeatherBug, Wild Tangent, AOHell, Symantec, RealPlayer, etc.). Late in the day I did go about disabling and then uninstalling this junkware (as well as Java, just in case)."

So, gentle reader, do you have any idea what the mysterious bouncing box may be?  Have you seen it before?

Yuck! Spam via Incredimail....

The stuff of nightmares.... of course, y'all know NOT to go out and buy IWRS, yes?

Critical updates for Firefox released

Firefox has been updated to fix a major security flaw.  Updates have been released for Windows, Mac and Linux (being v.1.50.0.10 and 2.0.0.2).

The primary vulnerability addressed by this update is the location.hostname vulnerability.  It is a doozy, potentially allowing hackers to tamper with authentication cookies for third party sites, and control how Web sites are displayed and operate.  Phishers, in particular, would find this vulnerability very useful, because a user could be fooled into thinking they are connecting to their bank, when in fact it is a bad guy that is controlling what they see.

2.0.0.2 can be downloaded at www.getfirefox.com.  1.5.0.10 is available at http://www.mozilla.com/firefox/all-older.html

It should be noted that 1.5.0.x will only receive security and stability updates until 24 April 2007, then you're on your own.

Internet Explorer 7 vulnerability - browser entrapment

Ok, *this* vulnerability demo is good.  Unlike other IE7 vulnerabilities that have been reported that resulted in weird behaviour that made it obvious to all but the most unobservant user that something weird is going on, this one is pretty much impossible to spot.

That being said, to take advantage of the vulnerability you're going to have to convince somebody to visit a hostile site, and then convince the visitor to manually type a URL into the addressbar instead of using a link or favorite to go to a page, limiting its effectiveness.

The worst vulnerabilities are the ones that require no user interaction, or require user action that is normal behaviour.  Now, although it is 'normal behaviour' to type URLs into an addressbar under some circumstances, and it is normal that people are advised to do so, it must be remembered that they are advised to do so **instead of clicking hyperlinks in an email**, not when at a Web site.

The demonstration is here:
http://lcamtuf.coredump.cx/ietrap/

The Secunia advisory is here:
http://secunia.com/advisories/23014/

New IE7 KB article - blank Web pages in IE7

A Web page is blank in IE7
http://support.microsoft.com/default.aspx/kb/933006

No fix just yet; simply a note that they're aware of the cause and working on it.

More malware in advertisements on an MSN network

Following on from my article about malware spreading via the Windows Live Messenger banner advertisements, there is another report that malware was being advertised via MSN Groups.

You can see the report, and screenshots, here:
http://apcmag.com/5382/microsoft_apologises_for_serving_malware_to_customers

I'm hoping to get in touch with the magazine's correspondent to gather more information about the incident - times and dates etc - and yes, I've sent a heads up to Microsoft to make sure that the adverts have been neutralised as part of getting rid of the Windows Live Messenger banner ad malware.

A sobering thought

"You are only as good as the love you have for other people"
http://www.gapingvoid.com/Moveable_Type/archives/003737.html

Yes, I know, such sentiments don't pay the bills, but still, it hit true tonight.

New IE7 knowledge base articles, including an important one about IE7 and printing issues

Exchange System Manager crashes in Exchange Server 2003 after you install IE7
http://support.microsoft.com/default.aspx/kb/932513

FIX: Error message when you try to run a Web application that uses the window.external property in IE7: "Internet Explorer has encountered a problem and needs to close"
http://support.microsoft.com/default.aspx/kb/931324

The email message header does not print when you try to print an email message by using either Microsoft Office Outlook 2003 or Microsoft Outlook Express
http://support.microsoft.com/default.aspx/kb/931657

WARNING: Winfixer and Errorsafe being distributed via MSN Messenger banner advertisements

Part of this article may fall to the bottom of screen on smaller displays - scroll down if this happens to you. 

Edit: I should point out that MSN Messenger's proper name is now Windows Live Messenger.

Pushers of the malware known as winfixer managed to infiltrated a provider of advertising content for MSN banner ads. The dangerous ads appeared in the Windows Live Messenger contact pane, as well as in banner ads on groups.msn.com.  The incidents were reported to secure@microsoft.com and they and the MSN ads team investigated and removed the ads.

Microsoft have issued an official statement as follows:

"Microsoft was notified of malware that was being served through ads placed in Windows Live Messenger banners. As a result of this notification we immediately investigated the reports and removed the offending ads, as this is a violation of our ad serving policy. We can confirm that the ads are no longer being served by any Microsoft system. We apologize for the inconvenience and are reviewing our ad approval process to reduce the chance of an occurrence such as this happening again. To help customers protect their PCs from malware threats, Microsoft recommends customers follow our Protect your PC guidance at www.microsoft.com/protect." - Whitney Burk, Microsoft.

I was originally warned that this is happening by none other than Patchou of Messenger Plus! fame on Thursday 15 Feb 2007 at 7:33:00 am Perth time.  I received a second report from Johan Brune that confirmed what is happening at 11.56am Perth time, 18 February (about 3 and a half hours ago) and I have now been able to reproduce the problem on my own machine.  It says a lot for Patchou's integrity that he was willing to write to me and warn me about this problem despite our history.  I have been extremely critical of him and his Sponsor Program in the past and have said some very nasty things at times, yet despite all that we have been able to maintain an open dialogue which has borne important fruit - Patchou was the first person to report the winfixer infiltration to me.

Brief warnings appeared on www.mess.be and at Neowin (http://www.neowin.net/index.php?act=view&id=38176) after Patchou got in touch and while I was still investigating and trying to confirm the problems, but they contain little in the way of screenshots or detailed information.  Also, the articles report that the Free PC-Secure banners trigger dialogue windows, which is not my experience, or the experience of anybody that I have contacted to duplicate my tests and verify the problems.

So far I have seen two ways that the bad guys are using to try and get Winfixer on to a machine via MSN Messenger banner advertisements - one involved a pop-up alert that appeared with no user interaction - the other needs the user to click on the banner advertisement and visit a Web page, then manually download an installer.

The most dangerous banner advertisement looked like this screenshot on my system - nothing happens if you try to click on the banner advertisement BUT when the banner advertisement disappears when the ads are rotated, something worse happens.

When the banner advertisement is rotated (or, as in my case, I refresh the banner advertisement in an IE window) the classic Errorsafe pop-up window appears WITH NO USER INTERACTION REQUIRED - note the URL in the addressbar - it is the URL for the banner advertisements that appear in the MSN Messenger contact pane and proves that the advertisement is being served up by rad.msn.com

Screenshot here:
http://msmvps.com/photos/spyware_sucks/images/591117/original.aspx

Do not click on OK or Cancel when you see such windows!  I clicked on the red close button to shut the dialogue box and then saw this - a classic winfixer tactic.  I strongly recommend that you do NOT click on the OK button:

Screenshot here:
http://msmvps.com/photos/spyware_sucks/images/591121/original.aspx

The second banner advertisement that I have seen and which does not trigger a dialogue box looks like this - the user must click on the banner for anything to happen - further screenshots of the same banner advertisement are at the end of this article:

When the user clicks on the banner advertisement they end up at this Web site:

I downloaded the free PC scanner offered by that Web site and then uploaded it to VirusTotal for scanning - these are the results - WINFIXER again.

This is very bad news for users of MSN Messenger, and for MSN and Microsoft.  Those who read my blog regularly know that I have devoted a lot of time to fighting Winfixer, writing about how those behind Winfixer have attempted to infect victims via the Messenger Plus! Sponsor Program (for which Patchou has taken a lot of heat for years, not only from me, but from many other quarters), as well as Activewin and MySpace.

I am struggling to express how upset, and disappointed, and worried, I am that this has happened.  For years I have been holding up MSN Messenger banner advertisements as an example of how advertisements can be safely served up to end users without putting them at risk of malware.  Now, everything has changed.  Users have been put at direct risk through no fault of their own and they can't avoid the MSN banner advertisements when the contact pane is open without using a third party hack that is ethically wrong to use.  

This simply shouldn't have happened.  The people behind secure@microsoft.com have been extremely responsive and open with me about what they're doing to fight back, and are working on the problem as I write, but experience how shown me that if the bad guys behind winfixer can get in once, they'll continue to do so - they are sneaky, and dishonest, and know every trick in the book to slip in under the radar.

How hard is it to avoid winfixer advertisements once they infiltrate a network?  In the end, Circle Distribution (who supply the advertisements for the Messenger Plus! sponsor program) found it necessary to edit their users' HOSTS file to block known Winfixer URLs.  Right Media, who supply CiD with their content, and were also reported as being responsible for serving up winfixer advertisements to MySpace users, seem to be unable to stop those behind winfixer from getting in and haven't appreciated my criticism of them now that I have turned my focus away from CiD and Messenger Plus and concentrated my criticisms higher up the advertisement food chain.

I had a brief discussion with Bob of ActiveWin when I was in Las Vegas about the winfixer problems on that site, but do not know what steps they may have taken to protect their visitors.  As for MySpace - forget it - just block the site and have done with it.

I'll update this blog via the comments section as information is made public.  If history repeats itself, Microsoft and MSN are going to have a hell of a time getting rid of winfixer - the bad guys behind that product are nothing if not persistent.  I don't know how the hell they managed to infiltrate the rad.msn.com network, and I am extremely disappointed, and worried, that they have been able to do so.  MSN Messenger must have millions of users, all of whom are at risk of infection fromn the malware.

I strongly recommend that all users of MSN Messenger ensure that their antivirus and antispyware applications are up to date.  Do not click on any buttons in pop-up windows that you may see, and do not believe Web sites that report that they have found a problem on your computer - seriously, how the hell would they be able to tell?

Do not click on OK or Cancel buttons in the pop-up windows.  Close the window using the red x close button.

I also strongly recommend that MSN Messenger users download and install Mike Burgess's HOSTS file to help block winfixer and other bad guys.  You can find Mike's famous HOSTS file here:
http://www.mvps.org/winhelp2002/hosts.htm

As I mentioned earlier, there are third party add-ins that remove the advertisement pane from MSN Messenger as mentioned in the Neowin thread.  I have always spoken out against such tools when I believed that MSN Messenger advertisements were always safe, but now I have to seriously consider whether I should start recommending them.  All will depend on whether MSN and Microsoft are able to successfully block the winfixer malware advertisements from here on in.  Patchou has written to me to advise that the anti-ad patches may not work anyway.  He says that many of the patches just hide the IE control, it's still running so users will still get the messageboxes and what follows them so if anything it may make the situation even worse, hiding where the pop-ups may be coming from.

MSN Messenger are also advertising screensavers, but they are more traditional adware and don't use dirty tricks like the pop-up windows that winfixer are infamous for. I still recommend that you avoid such free software which invariably comes bundled with foistware such as toolbars and/or adware that generates pop-ups and stuff like that.

Further free PC scanner banner advertisement screenshots...

FYI: Trend CSM 3.5, Small Business Server 2003 and the .notaccount user account

I installed Trend CSM 3.5 on my SBS2003 server at the office a little while ago.  A few days later I noted security alerts in my Server Performance Reports that merited further investigation.

The errors are the classic "unknown user name or bad password" which is not unusual in and of itself - all of us who look after servers see such errors quite regularly when the bad guys try to guess usernames and passwords in an attempt to get into our servers.  What is unusual is that the username is strange, and the errors are occurring every day.

A little investigation reveals that the errors are being caused by Trend CSM 3.5.  Messy Trend, very messy - I don't like my security logs being filled with aberrant 529 alerts.

I conducted a quick search of Trend's online knowledgebase for ".notaccount", and "error 529" and "529" with zero results, so I don't have a fix yet

Screenshot of error:

IE7 will not launch without right-clicking and selecting "Run as Administrator"

I received an interesting email asking for assistance with an IE7 problem from a Brian Hansen this morning which illustrates quite well why we cannot always assume that IE7 is "broken" or causing problems.

Brian's email said: 

"My problem is that IE7 will not launch without right-clicking on “Run as Administrator.”  Some of the postings I’ve read indicate that one should turn off all add-ons, reboot and try to launch ie7 again.  I have done this without any improvement in the application’s ability to launch.

The dialogue box tells me that “a website wants to open web content using this program on your computer.”  I’m assuming this is the infamous Account Control.  The application is apparently “IE CRASH DETECTION”

If I tell it “Allow” IE 7 stops working, and I am given the option to close the program; it does close appropriately."

Now, what would you think is causing the problem if you read the above question.  The immediate culprits for me would be an aberrant IE7 add-on (for example a toolbar or plug-in), or perhaps a problem with a Web page that had been set as the home page (for example, if a home page had been somehow hacked and was serving up hostile code).

The cause of the problem surprised me, and is something to keep in mind when you are trying to diagnose IE7 problems.  Brian reported:

"An OCR program I installed with my Canon scanner (Omin SE) was trying to go out to the internet and grab and update, and it was creating a conflict.  Finally figured out how to run MSCONFIG and turn off startups one or two at a time, until I found the culprit."

Brian's experience illustrates quite well that we should not always concentrate just on IE when trying to fix IE problems.  How many of us would have thought to check on something unrelated to the internet such as OCR software when trying to diagnose problems with IE7?  I wouldn't.

New IE7 knowledge base articles

Memory usage increases in the iexplore.exe process when you refresh a Web page that contains XML content in IE7
http://support.microsoft.com/default.aspx/kb/929861

MS07-016 cumulative security update for IE
http://support.microsoft.com/default.aspx/kb/928090

A truncated or changed version of the original file name appears in the "Save As" dialog box in IE7
http://support.microsoft.com/default.aspx/kb/930228

FIX:  The configuration program for an application does not run and the RunOnceEx registry key is cleared when you restart a computer that is running IE7
http://support.microsoft.com/default.aspx/kb/927357

Be careful of Valentine's Day greetings

Brian Krebs of the Washington Post warns of the dangers of Valentine's Day e-greetings:
http://blog.washingtonpost.com/securityfix/2007/02/valentine_or_virus_1.html

Here in Australia Valentine's Day has been and gone, but the e-danger remains.  I'm seeing a lot of Valentine related spam hitting my network, many with viral payloads attached. 

I automatically remove executables from all emails before they are delivered to my users here at the office, but I cannot protect them from malware that is delivered to their personal email accounts and which they may be checking via Webmail during the day.  Therefore, we have a policy that users may not open non-business attachments using any company computer, whether it be emails received at the office, or accessed via a Webmail service.  When I reminded users of this policy, and specifically mentioned Valentine's Day emails,  I was accused by one person of throwing a bucket of cold water over the good feeling of the day, but that's too bad - they'd be feeling *far* worse if they infected one of my networks by opening something they shouldn't.

I have seen many companies with a 'no attachments' policy, but few stipulate that the ban extends to personal email accounts accessed via Webmail, and yes, I have seen users justify their behaviour by saying "but its not my work account".  They don't seem to realise that Webmail can infect their office computer.

So anyway, be careful out there gang. Don't open attachments and don't be tempted to visit spammed links - that spammed site may try to infect your system using a security exploit, whether it be a browser exploit, or a QuickTime exploit, or a Flash exploit or a java exploit or whatever else they can think up.  Curiosity doesn't just kill cats, it also kills computers.

New knowledge base articles for IE6

A blank page may open when you try to open a page that contains an ActiveX control in IE6
http://support.microsoft.com/default.aspx/kb/929883

MS07-016: Cumulative security update for IE
http://support.microsoft.com/default.aspx/kb/928090

In Windows XP with Service Pack 2, IE6 may stop responding when you use Outlook Web Access to reply to an email or to forward an email
http://support.microsoft.com/default.aspx/kb/924156

FIX: The authentication of the user name and of the password may fail when you try to log on to a Web site that uses Windows Live ID on a computer that is running IE6
http://support.microsoft.com/default.aspx/kb/928492

Dave Massy retires from Microsoft

Dave has announced that he is leaving Microsoft:
http://blogs.msdn.com/dmassy/archive/2007/02/14/zones-testing-and-dave.aspx
http://blogs.msdn.com/ie/archive/2007/02/13/Zones-and-Default-Settings.aspx

I've had the pleasure of spending time with Dave several times at MS in Seattle over the years, and have always enjoyed our exchanges, whether it be in person, in email or on IM.  I remember it was Dave who first showed me Quick Tabs way back when IE was still in early beta, long before the public saw a glimpse of it, and it was also Dave who jumped in and called in the troops when a Beta of IE7 broke the style sheets I was using for www.ie-vista.com.  The change that broke www.ie-vista.com happened after the changes to CSS were code complete, and should not have happened, but he and Marcus helped get things fixed very very quickly indeed.

Dave has always been a great champion for the end user, and has always been responsive, and helpful, sometimes going above and beyond the call of duty when I've yelled for help.

It's sad that I won't see Dave (and his beautiful car)  when I'm at the MVP Summit in Seattle in March, but I know that he's doing the right thing for him and his beautiful family.

Critical update for HP Director - fixes problem after IE7

Thanks Robear!!

Critical update to resolve an issue with HP Director after installing IE7: missing icons and contents of HP Director screens which may not function properly after upgrading to IE7

http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=oj-46104-1&lc=en&cc=us&dlc=en&product=73501&os=228&lang=en

Copiepresse 1 : Google 0

Ok, so Google was sued by Copiepresse in Belgium over Google News.  Google didn't bother to appear at the hearing in September 2006, and the Belgian court ruled against them (silly Google if they were repeating Spamhaus's mistake in taking the attitude that "we don't live in that country so who gives a hoot").

Uh oh, says Google, perhaps we'd better go for a rehearing.  Google got their rehearing, then lost again anyway.

Associated Press:
http://hosted.ap.org/dynamic/stories/B/BELGIUM_GOOGLE_VS_NEWSPAPERS?SITE=WIMIL&SECTION=HOME&TEMPLATE=DEFAULT

Yes, you can say "it's only Belgium" but what many people fail to consider is that the Courts do pay attention to decisions that are being made around the world in cases similar to those they are trying in their country.  It is dangerously simplistic to say "it didn't happen here, it doesn't matter".

BTW, this isn't the first news service to go after Google for copyright infringement - anybody remember AFP?
http://news.com.com/2100-1025_3-6095656.html

This month's security bulletins

Testing today - roll out for the rest of the network planned for tomorrow.  So far nothing has blown up - yes you will most likely need to reboot (bummer).

Summary here:
http://www.microsoft.com/technet/security/bulletin/ms07-feb.mspx

Microsoft Security Bulletin MS07-005
Vulnerability in Step-by-Step Interactive Training Could Allow Remote
Code Execution - 923723
http://www.microsoft.com/technet/security/Bulletin/MS07-005.mspx

Microsoft Security Bulletin MS07-006
Vulnerability in Windows Shell Could Allow Elevation of Privilege
- 928255
http://www.microsoft.com/technet/security/Bulletin/MS07-006.mspx

Microsoft Security Bulletin MS07-007
Vulnerability in Windows Image Acquisition Service Could Allow Elevation
of Privilege - 927802
http://www.microsoft.com/technet/security/Bulletin/MS07-007.mspx

Microsoft Security Bulletin MS07-008
Vulnerability in HTML Help ActiveX Control Could Allow Remote Code
Execution - 928843
http://www.microsoft.com/technet/security/Bulletin/MS07-008.mspx

Microsoft Security Bulletin MS07-009
Vulnerability in Microsoft Data Access Components Could Allow Remote
Code Execution - 927779
http://www.microsoft.com/technet/security/Bulletin/MS07-009.mspx

Microsoft Security Bulletin MS07-010
Vulnerability in Microsoft Malware Protection Engine Could Allow Remote
Code Execution - 932135
http://www.microsoft.com/technet/security/Bulletin/MS07-010.mspx

Microsoft Security Bulletin MS07-011
Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution
- 926436
http://www.microsoft.com/technet/security/Bulletin/MS07-011.mspx

Microsoft Security Bulletin MS07-012
Vulnerability in Microsoft MFC Could Allow Remote Code Execution
- 924667
http://www.microsoft.com/technet/security/Bulletin/MS07-012.mspx

Microsoft Security Bulletin MS07-013
Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution
- 918118
http://www.microsoft.com/technet/security/Bulletin/MS07-013.mspx

Microsoft Security Bulletin MS07-014
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
- 929434
http://www.microsoft.com/technet/security/Bulletin/MS07-014.mspx

Microsoft Security Bulletin MS07-015
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
- 932554
http://www.microsoft.com/technet/security/Bulletin/MS07-015.mspx

Microsoft Security Bulletin MS07-016
Cumulative Security Update for Internet Explorer - 928090
http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx

Vanishingpointgame.com winner announced

Congratulations to William Temple of Sacramento, California who has won the trip to space, courtesy of Microsoft and AMD.

Take a camera William - we want pictures

Source - http://www.microsoft.com/presspass/press/2007/feb07/02-12VanishingPointWinnerPR.mspx

Vulnerability: Phishers can bypass the Firefox Phishing Filter very easily

This is far too easy; the Firefox Phishing Filter can be disasbled simply by adding an extra slash after the domain suffix. 

Original advisory:
http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php

The discovery is on Bugzilla - a demonstration is mentioned in the comments. The URLs I tested with are two that are mentioned in the discussion being:

"http://222.173.145.98/.bankofamerica.com/sas/profile/step1.htm
triggers an alert

http://222.173.145.98/.bankofamerica.com//sas/profile/step1.htm
Does not trigger an alert"

Note this comment:

"Firefox is the only browser that fails with this, Opera's latest compilation has corrected this issue and IE is immune."

I can confirm that both of the above URLs trigger a phishing alert in Internet Explorer.  Firefox 2.0.0.1 only flags the first URL as a phishing page.

According to Bugzilla, the "fix" is something that needs to be done at Google's end.  I note that there is discussion saying that things should be changed, but nothing to say that it has be changed, so I downloaded Firefox 2.0.0.1 to see what the situation is.  Sure enough, the problem continues, so why is the bug closed as "resolved fixed"?

How can we trust a phishing filter that can be bypassed so easily? The simple answer is that we cannot.