May 2008 - Posts

ALERT: Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability

Affected versions are 9.0.124.0 and 9.0.115.0.

The best analysis that I've seen so far is at SecurityFocus:
http://www.securityfocus.com/bid/29386/info

The frightening thing about this alert is that the vulnerability is being actively exploited, with tens of thousands of web sites being compromised (Symantec/Security Focus think that this is happening via SQL injection), with those compromised web sites being used to redirect victims to other sites that are hosting malicious Flash files.

At the time of writing there is no workaround, patch or official advisory.  If you're using Firefox, install a copy of NoScript for its script and Flash blocking abilities.  If you are using Internet Explorer, get yourself a copy of IE7Pro, which includes an ad blocker and a Flash blocker (note: be careful with the maximum connections per server setting - I have seen that setting break some web sites, especially banking sites).

Or, simply uninstall Flash.

 

A new look dottunes malvertizement

A new style Dot Tunes advertisement:

The adopstools results are here:
http://www.adopstools.net/index.asp?page=quicklink&id=r60Siyiw02bZgpaa 

When the SWF is displayed on a system it hits the following URLs:

traveltray.com/crossdomain.xml

and

traveltray.com/stats.php?u={{removed}}&campaign=ofdidactic

The cross-domain policy contains allow-access-from domain="*" - in other words, there are no domain restrictions.  This Adobe document explains the implications of such an open cross-domain policy:
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
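As an added example (not code from the original post), here is a small PowerShell audit that parses a crossdomain.xml policy and rates each allow-access-from entry; the policy below is a constructed sample containing the same wildcard entry seen at traveltray.com.

```powershell
# Added example: audit a Flash cross-domain policy and flag over-permissive
# entries. The sample policy is constructed for illustration.
$SamplePolicy = @'
<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.example.com" secure="false" />
  <allow-access-from domain="www.example.com" />
</cross-domain-policy>
'@

function Test-CrossDomainPolicy {
    param([Parameter(Mandatory)][string]$PolicyXml)

    $xml = [xml]$PolicyXml
    $findings = @()
    # A single entry comes back as one XmlElement, several as an array; foreach handles both.
    foreach ($rule in $xml.'cross-domain-policy'.'allow-access-from') {
        $domain = $rule.domain
        $secure = $rule.secure   # $null when the attribute is absent (defaults to true)
        $risk   = 'ok'
        $reason = 'restricted to a named host'
        if ($domain -eq '*') {
            $risk   = 'high'
            $reason = 'a SWF served from any domain may read responses from this host with the viewer''s cookies'
        }
        elseif ($domain.StartsWith('*.')) {
            $risk   = 'medium'
            $reason = 'every subdomain is trusted, including any you do not control'
        }
        if ($secure -eq 'false') {
            $risk    = 'high'
            $reason += '; secure="false" lets plain-HTTP SWFs read HTTPS responses'
        }
        $findings += [pscustomobject]@{ Domain = $domain; Risk = $risk; Reason = $reason }
    }
    return $findings
}

Test-CrossDomainPolicy -PolicyXml $SamplePolicy | Format-Table -AutoSize
```

To audit a live site, fetch its /crossdomain.xml and pass the text to Test-CrossDomainPolicy; a "high" finding on a host that serves anything user-specific is the condition the Adobe document warns about.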


OK, this is NASTY!!!!

A fraudware web site that will *not* close.

I see this:

[screenshot: the fraudware web page]

I try to close using Red X, I get this:

[screenshot: the dialogue box shown when closing the window]

I try to close using the Red X, which has always been sufficient in the past.  In this case, the dialogue box goes away but the god-damned window is still open.

So, I have to go to Task Manager and shut down the IE window's process:

[screenshot: Task Manager]

I shut down the correct iexplore.exe process and the window is FINALLY gone, taking along with it other windows that were open:

[screenshot: the remaining windows after the process was ended]

Which URLs hosted the link that led to this nasty experience (that's right, it wasn't a malvertizement)?   I'm not telling, because it seriously is NASTY!

So, where is "antivirus-scanner.com" hosted?  At securehost (we are not surprised, are we).

I am NOT associated with bucksbill.com

Ok, there are a lot of people out there who are upset at being overcharged and defrauded by bucksbill.com.  Just check out the comments here and here.

Unfortunately, people are also emailing me directly because they (mistakenly) believe that I and/or this blog are associated with the fraudsters.  For example, check out this email:

"I don't know what this is but there was money taken from my account for this and I Know I DID NOT purchase this I have tried to call you several times and can not get through. Please contact me Donna Spencer 270-***-**** or 270-***-****. DO NOT TAKE ANY MORE MONEY FROM MY ACCOUNT CONTACT ME AS SOON AS POSSIBLE!!!!!"

I and this blog are NOT associated with bucksbill.com in any way.

Please, remember that victims of overcharging and unauthorised charges can dispute the charge with their bank or building society and request that the charge be reversed.

The Federal Trade Commission has published an advisory for victims of credit card fraud or overcharging that can be seen here:
http://www.ftc.gov/bcp/conline/pubs/credit/fcb.shtm

 

ALERT: Malvertizement at en.f1-live.com?

A comment has been made to this blog warning that http://en.f1-live.com/f1/en/index.shtml has been serving malvertizements during the past week or so.  We're investigating.  If anybody sees anything, please let me know.

 

ALERT: malvertizement at boston.com?

I received this alert via email:

"My girlfriend was surfing boston.com last night and she landed on some nasty code that redirected her to that classic alert box in the lower left hand corner of the screen. This time it was for XPShield which is widely known as rogue. Anyway I had known that you covered a boston.com incident before and wanted to let you know it's still going on."

We're investigating.  If anybody sees anything untoward, please let me know.

Press Release: Washington Attorney General settles case with man accused of using pop-ups to hawk software

SEATTLE – A 21-year-old Scottsdale, Ariz., man accused of coercing consumers to buy software that actually turned their computers into spamming machines agreed to a settlement that substantially restricts how he markets software in the future, the Washington Attorney General’s Office announced today.

The Attorney General’s Consumer Protection High-Tech Unit sued Messenger Solutions, LLC, and owner Ron Cooke, in March. The suit, filed in King County Superior Court, accused Cooke of violating Washington’s Computer Spyware Act and Consumer Protection Act while marketing programs under the names Messenger Blocker, WinAntiVirus Pro 2007, System Doctor and WinAntiSpyware.

Under the settlement filed today, Cooke cannot use Net Send messages or simulated security alerts to market products, transmit software to another person’s computer without a user’s knowledge or make other misrepresentations in the advertising or sale of products.

He will pay $5,000 in attorneys’ costs and fees and $202 in restitution, which will be used to provide refunds to nine Washington consumers who purchased the software. The settlement also includes a $100,000 civil penalty, waived provided Cooke complies with the settlement.

“Ron Cooke now has a $100,000 fine hanging over his head as a reminder to him and other online marketers that the Attorney General’s Office won’t tolerate Internet anarchy,” said Assistant Attorney General Katherine Tassi. “There are plenty of opportunities for young entrepreneurs to profit online without deceiving consumers.”

The Attorney General’s Office launched its investigation in October 2007 after a computer in the High-Tech Unit’s lab received ads via Windows Messenger Service. The lab uses “honey pots” to detect hackers, spyware purveyors and other Internet mischief.

The state’s complaint alleged Cooke uses Windows Messenger Service to bombard consumers with a continuous stream of pop-ups advertising porn and sexual-enhancement products. Windows Messenger Service, not to be confused with the instant-messaging program Windows Live Messenger, is primarily designed for use on a network and allows administrators to send notices to users.

He then sent those same consumers another bout of pop-ups intended to simulate system warnings, which directed users to a Web site to buy software to supposedly block pop-ups.

Consumers who downloaded the software were further victimized when the program caused their computers to stealthily blast messages to other PCs at a rate of one every two seconds.

The Attorney General’s Consumer Protection High-Tech Unit has brought a total of six lawsuits under Washington’s Computer Spyware Statute, RCW 19.270, since the law was approved by the Legislature in 2005.

Messenger Solutions/Cooke Consent Decree

Messenger Solutions/Cooke Complaint

 

Photobucket.com - an update

I am pleased to advise that one of the malvertizements that was appearing at photobucket.com, being the Tokyo Drift malvertizement being distributed via adbureau.net, has been removed from circulation.

As far as I know, the other malvertizements, hosted by atlas-ads.com, may still be in circulation.

The malvertizements are gone because we alerted adbureau.net to the problem.  I have NOT received any reassurances from photobucket.com, either directly or via other correspondents, that photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again, or that they have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately.  My earlier advice to avoid all advertising on photobucket.com therefore still stands.

 

Photobucket are not cleaning up their act

Photobucket has been mentioned several times on this blog because of malvertizements appearing on the site.  The most recent outbreak is proving to be problematic, to say the least.

Photobucket have been advised several times that there are malvertizements appearing on the web site.  Photobucket have been given sufficient information to enable them to quickly identify and remove the malvertizements.  Email acknowledgements have been received from Photobucket advising that the malvertizement reports would be forwarded to the "advertising team".

The malvertizements have also been reported to the advertising networks being used to host and distribute the malvertizements.

Why, then, are the malvertizements cited here still appearing on the Photobucket web site?

This is the Lady Speedstick malvertizement appearing on photobucket.com:
atlas-ads.com/99000/728x90.swf

Screenshot in situ:
http://www.bluetack.co.uk/Kimberly/Logs/swf79.jpg

This is the Tokyo Drift malvertizement appearing on photobucket.com:
photobkt-images.adbureau.net/photobkt/cinema_photobucket_728x90.swf

Screenshot in situ:
http://www.bluetack.co.uk/Kimberly/Logs/swf80.jpg

Kimberley wrote about the malvertizements at photobucket several days ago, and reported the problem to photobucket on 8 May:
http://www.bluetack.co.uk/forums/index.php?s=05b1fcebf3d68bb448979919ca14aa83&showtopic=18064&st=60&p=87195&#entry87195

Kimberley reports on photobucket.com again on 10 May...
http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=87219

And again here, just under 10 hours ago:
http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=87235

rlslog.net were able to get rid of the malvertizements reported to them.  mininova.org were able to get rid of the malvertizements that were reported to them.  Why is it so hard for photobucket.com to clean up *their* act???

I have no choice but to recommend that nobody should visit photobucket.com unless they have software in place that will prevent any advertisements on that site from being displayed on their computer.  This advice stands unless and until the malvertizements are removed AND photobucket.com can reassure us that:

  1. Photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again; and
  2. Photobucket have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately. 

I have always said that I do not support such wholesale blocking of advertisements, because I have always held to the view that every person deserves to earn an income.  In this case, however, because the malvertizements are still appearing despite our best efforts and despite several days having passed, I must recommend that visitors to the site protect themselves, even if it means that photobucket loses income and all advertisers (legitimate and fraudulent alike) receive zero value from photobucket.com.

 

Malvertizements on mininova.org

Several comments have been posted to my blog recently about a malvertizement problem at mininova.org:

http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1601871
http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1602159
http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1614547

Anyway, I went looking and found a thread that claimed the malvertizements had been identified and removed on 5 May, so I didn't take things any further (a decision which may have been a mistake).
http://forum.mininova.org/index.php?showtopic=235009007

Kimberley has now identified a malvertizement on mininova.org, again hosted by Akamai:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=60&gopid=87201&

The domains being used by the malvertizers are:

adoptserver.info
iexplorer-security.org
mystats.com
fastwebway.com
xponlinescanner.com

The malvertizement has been reported to Akamai.

Hooray for teamwork - the malvertizements at photobucket.com have been identified

Once again, communication and cooperation between anti-malvertizement activists around the world has resulted in success.

We have found the malicious malvertizements on photobucket.com - Kimberley has the details.

The incident has been reported to Photobucket.  The malvertizements themselves are not new.  Speedstick and TokyoDrift have been featured on this blog several times.  As noted by Kimberley, the malicious domains being used by the cretins behind the malvertizements are:

atlas-ads.com (host of a malicious SWF)
track.trackads.net
tds.maxconvert.com
adtds.trackads.net
spywaredestructor.com
adoptserver.info
iexplorer-security.org
fastwebway.com
xponlinescanner.com

photobkt-images.adbureau.net (host of a malicious SWF)

adbureau.net is Akamai - the incident has been reported.

Atlas-ads.com is registered via Estdomains, created on 10 April 2008.

 

ALERT: Firefox 2 Vietnamese Language Pack infected by malware

Thanks to Susan for the heads up...

Cite:  http://blog.mozilla.com/security/2008/05/07/compromised-file-in-vietnamese-language-pack-for-firefox-2/

Cite:  https://bugzilla.mozilla.org/show_bug.cgi?id=432406

Anybody who downloaded and installed the Vietnamese language pack ***since 18 February*** will have got an infected copy.  Symptoms include the display of unwanted advertising.

Mozilla notes that because only "16,667 total downloads of the Vietnamese language pack since November 2007" they consider that the impact on users will be "limited" - well, it may be limited in Mozilla's eyes, but I suspect that those affected will be less dismissive.

It is staggering that the infected file was in situ and being distributed for over two and a half months. It is also staggering that Mozilla seemingly did (does?) not complete regular scanning of their files to check for previously undetected malware - didn't they realise that there is always a period of time between malware being released to the wild, and security products updating their products to add detection of new malware??  By not regularly re-scanning all files available for download they expose(d) their users to real risk.

The malware is named in the bugzilla thread as "HTML.Xorer".

Advice is to disable the Vietnamese Language Pack.

Warning: malvertizements have been reported on photobucket.com

I received an email alert overnight warning that photobucket is displaying malvertizements.

The problem we face in tracking down the reported malvertizements on photobucket.com is that the advertisements are country specific. 

This blog has readers all over the world - if anybody has seen something, please grab proof using Fiddler and let me know.

 

Me.dium has undergone a major rework...

We have gone from this... to this... or this, showing only online friends.

[screenshots: the old look, the new look, and the online-friends-only view]

And we get a choice of backgrounds.  The last background, "70s Tux", doesn't seem to be working properly on my system.

Me.dium have chosen to turn off "find similar pages" by default; instead, Me.dium will only show you the pages that your online friends are currently viewing.  The Talk and Friend tabs are gone, and the Friend and Facebook panes can be closed.

You can only chat to people on your friends list, and the shout-out pane which anybody could use to "talk" to other Me.dium users is gone.

Unfortunately it has been necessary for me to remove the Me.dium widgets from my blog and website because the widgets are triggering certificate errors in Internet Explorer, specifically a warning that the certificate being presented by Me.dium was issued for a different web site's address.   This error can occur if a company owns several websites and uses a certificate that was issued for one web address on another site, and it does not necessarily indicate a security problem at the site.  It is still disturbing for visitors to my blog, and I do not like to contribute to desensitising people to security alerts (which is what I would be doing if I told people to ignore the error, or install the certificate despite the error), therefore the widget goes until the certificate issue is fixed.

[screenshots of backgrounds: Original, Night, Moss]

[screenshots of backgrounds: Icy, Gum, 70s Tux]

Posted by sandi with 1 comment(s)

ALERT: Akamai Download Manager Arbitrary Program Execution Vulnerability

Akamai supplies both an ActiveX and a Java based download manager. The ActiveX control remains installed on the user's computer until it is manually removed.  It is important to note that Akamai has been used by vendors such as Symantec and Microsoft (eg: Technet and MSDN) for file distribution.

Vulnerable versions:

Akamai Technologies Inc's DownloadManagerV2.ocx version 2.2.2.1
Akamai Technologies Inc's Download Manager Java Applet version 2.2.2.0

The security vulnerability makes it possible for an attacker to use the download manager to automatically download and execute files simply by tricking the victim into visiting a malicious web page.

The download manager user interface is displayed during an attack, but there may be insufficient time to cancel the download before exploitation occurs.

Workaround:

Setting kill-bits for the associated CLSIDs will prevent the ActiveX control from being loaded within Internet Explorer.  The CLSIDs are:

2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B
FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1

Disabling Java will prevent exploitation via the Java Applet.

Akamai has fixed this vulnerability in version 2.2.3.5 of their download manager product. Please refer to the following URL for upgrade instructions (and don't forget to make sure that the vulnerable ActiveX control has been removed - you will find it in C:\Windows\Downloaded Program Files.  The file name is "DownloadManagerV2.ocx"):

http://dlm.tools.akamai.com/tools/upgrade.html

Cite: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=695
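Here is an added PowerShell example (not Akamai's code, and not from the original post) that sets the kill-bit for the two CLSIDs above and then checks whether DownloadManagerV2.ocx is still present; it assumes an elevated session on the affected machine and uses the documented "Compatibility Flags" value of 0x400 that IE honours as a kill-bit.

```powershell
# Added example: apply and verify the kill-bit workaround from the advisory.
# Run from an elevated PowerShell prompt; writes under HKLM.
$VulnerableClsids = @(
    '{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}',
    '{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}'
)
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit    = 0x400   # "Compatibility Flags" bit that stops IE loading the control

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the bit in so that any flags already present are preserved
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = Join-Path $CompatRoot $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $VulnerableClsids) {
    Set-KillBit -Clsid $clsid
    '{0}: kill-bit set = {1}' -f $clsid, (Test-KillBit -Clsid $clsid)
}

# The kill-bit only blocks loading in IE; the file stays on disk until removed,
# which is why the post tells you to check Downloaded Program Files as well.
$ocx = Join-Path $env:windir 'Downloaded Program Files\DownloadManagerV2.ocx'
if (Test-Path $ocx) {
    "Vulnerable control still on disk: $ocx - remove it via the Downloaded Program Files folder"
} else {
    'DownloadManagerV2.ocx not found in Downloaded Program Files'
}
```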

Important information about Windows XP SP3 for Internet Explorer users

You will be unable to remove IE8 Beta or IE7 after installing Windows XP SP3 because Microsoft wants to make sure that you do not encounter a problem commonly known as "DLL Hell".

IE8 Beta 1 users

You will NOT be offered Windows XP SP3 unless and until you remove IE8 Beta 1.  This is because if you install Windows XP SP3 without removing IE8 Beta 1, then you will no longer be able to remove IE8 Beta 1 and the Remove option will be greyed out in Add/Remove Programs.

Internet Explorer 7 Users

You will be offered Windows XP SP3 as a high priority update BUT if you install it you will not be able to remove IE7 without removing Windows XP SP3 first.  It is recommended that you remove IE7, then install Windows XP SP3 then re-install IE7.

Internet Explorer 6 Users

You will be offered Windows XP SP3 as a high priority update.  Windows XP SP3 ships with an updated version of IE6.  No need to do anything else.

 

Microsoft Security Intelligence Report - July to December 2007

I have been reading through the Microsoft Security Intelligence Report covering the period July through to December 2007 over the past few days.  Although the bulk of the report focuses on security vulnerabilities, there are statistics specific to "rogue security software" (aka fraudware) and "potentially unwanted software" that I found interesting:

  • The most prevalent rogue security software detected in the second half of 2007 was Win32/Winfixer, with more than five times as many detections as any other single family.  The report notes that "many of the more prevalent malware families rely on social engineering tactics that trick the user into taking action that bypasses or lessens the effectiveness of the user's existing protection".  I'm hoping as time goes on that I will see fewer "get Firefox" or "get a Mac" comments in response to reports of various fraudware outbreaks, as people come to realise that such responses do not address the base problem of social engineering.

  • The most prevalent malware family (as distinct from rogue security software) was Win32/Zlob, being removed more than 3 times as often in the second half of 2007 (and from twice as many computers) as any other individual malware family.  Often disguised as a media codec (there's that social engineering again), Zlob uses pop-up advertisements and fake security alerts to encourage the victim to install, you guessed it, rogue security software.

  • The second most prevalent malware family was Win32/Renos.  Renos, like Zlob, is used to install rogue security software.  Renos was found to have infected 79% more distinct computers during the second half of 2007 than was detected during the first half of the year.

  • The top potentially unwanted software family detected in the second half of 2007 was Win32/Hotbar (which, ironically, I have seen advertised via the Windows Live Messenger advertising pane).  Win32/Hotbar was in 4th place during the first half of the year.

  • 129.5 million pieces of potentially unwanted software were detected between July 1 and December 31 2007, resulting in 71.7 million removals.  This is an increase of 66.7% in total detections and 55.4% in removals over the first half of 2007.

  • Adware remains the most prevalent category of potentially unwanted software in the second half of 2007, an increase of more than 66%, from 20.6 million detections to 34.3 million detections.

  • The most infected country/region in Europe is Albania; the least infected country/regions in Europe are Austria and Finland.  In the Asia-Pacific region the most infected countries/regions are Mongolia and Vietnam and the least infected Taiwan and Japan.

  • When prompted about rogue security software, nearly 60 percent of users choose to remove it immediately, with a large proportion of the rest choosing to quarantine the software (I admit to not understanding why only 60% of users are removing rogue security software).

It should be noted with regards to points 3, 5 and 6 that some of the increase can be attributed to an increase in the number of computers running Microsoft's detection and removal tools, and "changes in the distribution practices for different pieces of potentially unwanted software [that] can have an effect on how many people are exposed to it and how often, and how they tend to respond to alerts raised about the software".

You can get your own copy of the Microsoft Security Intelligence Report at this URL:
http://www.microsoft.com/downloads/details.aspx?FamilyId=BCC879DB-9FE6-4331-B231-E274EA8FC804&displaylang=en

 

I love it when spammers screw up...

As irritating as it may be to have to approve every comment to this blog, and as disheartening as it is to know that the cretins behind spam are using tools that maximize output whilst minimizing personal effort, I still derive pleasure from seeing them screw up.

Spyware Sucks was hit by a spike in spam comments that managed to get through the filters, BUT I was pleased to see that every single comment that got through the filters contained the same error - it seems that an attention to detail and the ability to complete the fields in a spam-tool properly is not a quality enjoyed by this particular spammer...


Problem - unable to change Internet Explorer's home page

Another cry for help received via email...

"You are my last best hope...  I am just a regular guy from NY (not the city) with a problem.  My homepage in IE7 is locked on a page I don't want.  I try to change it in Internet options and it even says the homepage I want but it always goes to this other page. I set the page a month ago and now it won't go back.  I even reinstalled IE7 but no luck. Any ideas?  I can even send you a few bucks if you can help me out..."

Manufacturer/ISP Locking

Some computer manufacturers and suppliers of internet access set IE to their choice of home page and lock this setting via the registry. Hijackers use the same trick. The locking is done using registry settings as per the following:

Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page Setting (Q320159)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q320159 

Specific registry settings affected are:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] - DWORD "HomePage"=dword:00000001 (grays out the whole section)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] - DWORD "NoSetHomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions] - DWORD "NoSetHomePage"=dword:00000001
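As an added example (not part of the original post or the KB article), this PowerShell snippet checks the three lock values listed above, shows the current Start Page for comparison, and offers a function to clear only the locks that are actually set; it assumes the HKCU entries belong to the user running it and that the session is elevated for the HKLM entry.

```powershell
# Added example: detect (and optionally clear) the home page locks from KB Q320159.
$HomePageLocks = @(
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Name = 'HomePage';      Effect = 'greys out the whole Home Page section' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoSetHomePage'; Effect = 'blocks changing the home page (machine-wide)' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
       Name = 'NoSetHomePage'; Effect = 'blocks changing the home page (this user)' }
)

function Get-HomePageLock {
    foreach ($lock in $HomePageLocks) {
        # $null when the key or value does not exist; 1 means the lock is active
        $value = (Get-ItemProperty -Path $lock.Path -Name $lock.Name -ErrorAction SilentlyContinue).($lock.Name)
        [pscustomobject]@{
            Locked = ($value -eq 1)
            Name   = $lock.Name
            Path   = $lock.Path
            Effect = $lock.Effect
        }
    }
}

function Remove-HomePageLock {
    # Deletes only lock values that are set; everything else is left untouched.
    foreach ($lock in (Get-HomePageLock | Where-Object { $_.Locked })) {
        Remove-ItemProperty -Path $lock.Path -Name $lock.Name
        'Removed {0} from {1}' -f $lock.Name, $lock.Path
    }
}

# The page IE will actually open, for comparison with what Internet Options shows
$startPage = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
    -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
"Start Page: $startPage"
Get-HomePageLock | Format-Table Locked, Name, Path, Effect -AutoSize

# Clear the locks only after confirming your own security software did not set them:
# Remove-HomePageLock
```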

Protective software

Check your protective software (especially antispyware and antivirus).  Spybot Search and Destroy, for example, has a feature that will lock your home page.  Other products that may lock your home page include Ad-aware's Ad-Watch, SpywareBlaster, SpySweeper, Norton AntiVirus, McAfee VirusScan and Antispyware, and both versions of Zone Alarm.

If you are using Spybot S&D, check your 'Immunize' settings which may be locking your home page.
 
Malware and viruses

If your home page is set to about:blank, or any other page, against your wishes, you have a malware problem. For advice on fighting malware, check out the link below - the page is a little old, and probably needs updating, but overall the advice is still good:
http://inetexplorer.mvps.org/tshoot.html

 

Problems with website certificates - IE7

Over the past few days I have seen a spike in the number of emails asking for help with website certificates.  For example, two correspondents have written:

"Thanks for providing the information about problems with certificates of IE7 in your website.  I tried to follow your instructions to access a secured site in IE 7 which I used to trust.  I clicked on the Certificate Error button, and then the View Certificate link, but I could not find the Install Certificate link or button.  Please advise."

and

"I admin a Citrix site that uses an SSL cert from verisign. We just renewed our cert. and I have a user running Vista and IE 7 who can't remove the old cert because the button is grayed out. After looking over your IE support site I was going to try lowering security to see if that works. The user claims he has admin rights to the PC."

Both users should run IE7 with Administrator rights (which is different to logging in to the computer as a local administrator).  This is achieved by right clicking the IE7 icon, then selecting "Run as Administrator".

 
