June 2005 - Posts

Longhorn RSS Team Blog

The Longhorn RSS team have started their own blog - the best place to keep up to speed on the latest public information about this new ability in IE.

http://blogs.msdn.com/rssteam/

Posted by sandi with no comments

Trend Antispyware - another false positive?

See update 16 July 2005

This time it is “Windows Registry : SOFTWARE\Classes\AppID\bho.dll”, detected as 'adgoblin' by Trend:
(Associated CLSID 59AEAD8A-6822-4794-AF2E-8CC27312E26E)

On my system, that CLSID is associated with TechSmith's SnagIt product as its BHO AppID.

12 July: I have an update on Trend Micro's false positive for AdGoblin when Camtasia's SnagIt product is installed. I've been having an email conversation with the Lead Developer at Camtasia, and he confirms that the CLSID is theirs and that this detection is a false positive. I can also confirm that allowing Trend to 'clean' the key from the Registry will not cause problems for the SnagIt toolbar in Internet Explorer, provided that the SnagIt toolbar has been enabled in Internet Explorer at least once. Also, Camtasia believe that allowing Trend to 'clean' this false positive will not break SnagIt's uninstall routine (my concern was that the IE toolbar would be left behind). Camtasia will complete further testing and advise if any problems may be experienced.

Now, all we have to do is get Trend to fix the false positive... time is passing. I've been running the product for a few weeks now, but none of the reported false positives have been fixed.

A file called BHO.DLL has been used in the past by malware, but the file does not exist on this PC, nor does it exist on any other PC on which the registry entry has been detected. Generally, if BHO.DLL is on the system, RSP.DLL and WINSTART.EXE will also appear, and entries will appear in the HOSTS file. Also, the PC would be troubled by pop-up advertisements.

I recommend that the bho.dll detection be ignored - do not 'remove' the 'threat' - as doing so may break SnagIt's integration with other applications and the right-click context menu...
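The triage reasoning above (does the flagged DLL actually exist, are its usual companions RSP.DLL and WINSTART.EXE present, has the HOSTS file been altered, and does the CLSID resolve to a known vendor) can be written down as a small check. This is an added illustration, not code from Trend or TechSmith; the HOSTS sample and directory list are constructed.

```python
"""Triage a flagged registry reference to bho.dll (added illustration, not
Trend's or TechSmith's code). The post's reasoning: the key only matters if
the DLL exists, and a real infection also brings RSP.DLL, WINSTART.EXE and
extra HOSTS entries. SAMPLE_HOSTS is constructed."""
import os

# Co-indicator file names the post associates with a genuine infection.
CO_INDICATORS = ("bho.dll", "rsp.dll", "winstart.exe")

# The only mappings a stock Windows HOSTS file carries.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: one stock line plus one added redirect.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-update-site.invalid   # constructed entry
"""


def nondefault_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs other than the stock localhost lines.
    Comments and blank lines are skipped; one IP may carry several names."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name.lower()) not in DEFAULT_HOSTS:
                found.append((ip, name.lower()))
    return found


def triage_detection(flagged_file, search_dirs, hosts_text,
                     clsid_owner=None, isfile=os.path.isfile):
    """Weigh the evidence around a flagged file name.
    search_dirs: directories to check for the flagged file and its
    co-indicators (e.g. %WINDIR% and %WINDIR%\\system32).
    clsid_owner: vendor the associated CLSID resolves to, if known.
    isfile: file-existence check, injectable so the logic is testable."""
    present = {name for d in search_dirs for name in CO_INDICATORS
               if isfile(os.path.join(d, name))}
    hosts_hits = nondefault_hosts_entries(hosts_text)
    file_exists = flagged_file.lower() in present
    if not file_exists and not hosts_hits and clsid_owner:
        verdict = "likely false positive"
    elif file_exists and (len(present) > 1 or hosts_hits):
        verdict = "consistent with real infection"
    else:
        verdict = "inconclusive: inspect manually"
    return {"file_exists": file_exists, "co_indicators": sorted(present),
            "hosts_entries": hosts_hits, "verdict": verdict}
```

On a real machine you would pass the Windows and system32 directories as `search_dirs` and the contents of `%WINDIR%\system32\drivers\etc\hosts` as `hosts_text`; a "likely false positive" verdict still deserves a look at what the CLSID's InprocServer32 points to before trusting the scanner's 'clean' action.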

PC-Cillin (installed as part of Trend's Internet Security 2005 product) and Trend Antivirus SMB also misdetect AdGoblin, and direct me to this page:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_LINST.A

Posted by sandi with 1 comment(s)

New public beta: Microsoft Shared Computer Toolkit

Microsoft has released a public *BETA* of a utility called the "Shared Computer Toolkit":
http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx

This is a very cool tool that can be installed on Windows XP SP2 systems by those who want to lock down their PCs but don't know how, and don't have a tame IT Department to help them out.

We have an amazing array of options to choose from when configuring the security of a shared system, including:

Numerous Start Menu restrictions, including hiding Control Panel, Printer and Network Settings; removing the Run and Search options; hiding various folders; and even removing the Shut Down button...

General settings, including restricting access to the Command Prompt, Task Manager and Registry Editor; hiding the Recycle Bin; disabling right-click; restricting access to Microsoft Management Console utilities; and preventing password changes...

Some very useful software restriction policies, including 'block any software outside of Program Files and the Windows path from running', 'block default system tools from running' and 'block Windows management tools that an admin could use to bypass toolkit security'.

We can block internet access completely, prevent Internet Explorer from running, prevent Windows Messenger from running and prevent Microsoft Office programs from running.  VBA can be locked out.  There is even a session timer that forces a user to log off after a certain number of minutes, or if the system is idle. 

Access to hard drives can be locked out.

The above list of features is not comprehensive, simply the ones that I have found most useful. 

The restrictions are set per user, therefore you can have different restriction levels for different people who use the PC.

Shared Computer Toolkit is a very powerful utility and should be used with extreme care. Do NOT go locking everything down for all users willy-nilly, and if you are unsure, get expert advice from the support forum microsoft.public.windows.sharedaccess:

http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.sharedaccess

Be warned - the ever popular PC game “Halo” won't run if 'block any software outside of Program Files and the Windows path from running' is enabled (as my teenage son discovered to his disgust after I locked down his PC). This is because Halo decrypts a stub file off the CD and places it within the user's profile, where it is run to start the game. Any other game that uses the same anti-piracy scheme will face the same problem.
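To see why that rule catches Halo, here is a small model of a path-based allow rule of the kind the toolkit option describes. It is an added illustration, not Shared Computer Toolkit code; the roots and every launch path are constructed examples, and the point it adds is that the check must canonicalise a path before comparing it, or a look-alike directory or a '..' spelling would slip past.

```python
"""Model of the toolkit's 'only Program Files and the Windows path' rule
(added illustration, not Shared Computer Toolkit code; all paths are
constructed examples). It shows why a stub written to the user's profile
is refused, and why the check must canonicalise paths first."""
import ntpath

# Allowed roots, modelled on the rule the post describes.
ALLOWED_ROOTS = (r"C:\Program Files", r"C:\WINDOWS")


def canonical(path):
    """Collapse '.' and '..', unify separators and fold case, since NTFS
    path comparison is case-insensitive."""
    return ntpath.normpath(path).lower()


def is_under(path, root):
    """True when `path` lies inside `root` as a directory, not merely
    shares its prefix (C:\\Program Files2 must not match)."""
    p, r = canonical(path), canonical(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def launch_allowed(exe_path, roots=ALLOWED_ROOTS):
    """Default-deny: allowed only if some permitted root contains it."""
    return any(is_under(exe_path, root) for root in roots)


# Constructed launch attempts: the installed game, the stub Halo drops
# into the profile, a traversal spelling of that stub and a look-alike dir.
SAMPLE_LAUNCHES = (
    r"C:\Program Files\Microsoft Games\Halo\halo.exe",
    r"C:\Documents and Settings\son\Local Settings\Temp\halo_stub.exe",
    r"C:\Program Files\..\Documents and Settings\son\halo_stub.exe",
    r"C:\Program Files2\halo_stub.exe",
    r"c:\windows\system32\notepad.exe",
)


def evaluate(paths=SAMPLE_LAUNCHES, roots=ALLOWED_ROOTS):
    """Map each candidate path to the rule's allow/deny decision."""
    return {p: launch_allowed(p, roots) for p in paths}
```

The installed game and notepad.exe are allowed; the profile stub is refused however it is spelled, which is exactly the behaviour the post describes.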

FAQ page:
http://www.microsoft.com/windowsxp/sharedaccess/faq.mspx

Posted by sandi with 1 comment(s)

IE7 and RSS support...

OK, it's been announced now, so I can tell you about it.

IE will have RSS support:
http://www.microsoft.com/presspass/press/2005/jun05/06-24RSSIntegrationPR.mspx

A video about it is here:
http://wm.microsoft.com/ms/msnse/0506/25055/RSS/rss_longhorn_platform_2005_MBR.wmv

Posted by sandi with 1 comment(s)

Trend Micro Anti-Spyware for the Web

See the important update dated 16 July 2005.

As at 7 July 2005, Trend Micro Antispyware SMB is still misdetecting this CLSID - this is very disappointing considering they received intelligence about this misdetection nearly a fortnight ago. That being said, I still have hopes that some more dialogue will get this and the other misdetection (AdGoblin) resolved...

As you may know, Trend Micro has purchased Intermute, the owner of the famous antispyware product CWShredder (originally created by Merijn):
http://www.trendmicro.com/cwshredder/

TrendMicro have released an online Anti-Spyware scan called “Trend Micro Anti-Spyware on the Web”:
http://www.trendmicro.com/spyware-scan/

The reason for this blog is just to let everybody know that the scan is flagging a false positive in some circumstances, described as “BHJK_COOLWEBSEARCH”. The misdetected CLSID is:

30d02401-6a81-11d0-8274-00c04fd5ae38

The flagged CLSID is the CLSID for the Search Browser Bar (the search pane that appears at the left of the screen when you click the Search button on IE's toolbar, or via View, Explorer Bar, Search):
http://msdn.microsoft.com/library/default.asp?url=/workshop/browser/webbrowser/reference/methods/showbrowserbar.asp

The false positive can safely be ignored - DO NOT delete the key.

It is important to let you know that thanks to a good friend/associate (hi Wayne) I've been able to alert Trend to the misdetection very quickly, and I have high hopes that the misdetection will be fixed very promptly.  Trend seem to be very open to dialogue and feedback.

On a similar note, Trend are releasing various Anti-Spyware products for purchase in various flavours. I've tested the consumer version of the product, and am currently experimenting with the SMB version on my home network - so far it's working fine (apart from the false positives), but there are some usability issues and 'gotchas' that have bitten me in the butt - I'll blog about them soon.

Posted by sandi with 7 comment(s)

Netscape have finally patched the XML bug

Netscape Version 8.0.2 apparently fixes the XML bug introduced by Netscape 8 back in May.

8.0.2 can be downloaded here:
http://browser.netscape.com/ns8/download/default.jsp

Posted by sandi with 1 comment(s)

Outlook Express: Watched Message Bug and Begin Bug are finally fixed!!!

The fix is for XP SP2 only, but what the heck... it's a start...
http://www.microsoft.com/downloads/details.aspx?FamilyID=6bd9d050-dc56-47bc-9112-023e11c61f9d&displaylang=en&Hash=67HRYG5

http://www.insideoe.com/problems/bugs.htm#acctwatch FIXED!!
http://www.insideoe.com/problems/bugs.htm#beginattach FIXED!! (Well, almost) ;o)

Just so y'all know what I'm so excited about: it was at least a couple of Summits ago that I created a Flash movie demonstrating this bug, and I remember a member of the IE dev team telling me during one of my visits to Seattle that it had been watched by everybody on his dev team. Can't remember if he said the OE team as it was then had watched it as well. It's a pity it took so many years for a fix to finally come out.

Posted by sandi with no comments

Intermix Media to pay up.

Intermix Media Inc. has agreed to pay the state of New York $7.5 million to settle a lawsuit charging it with bundling hidden "spyware" along with millions of programs:
http://go.reuters.com/newsSearchResultsHome.jhtml?query=intermix&qtype=a

With a declared revenue of $24.1 million, that's gotta hurt - at least, I hope so.

Posted by sandi with no comments

AOL DoS zombies' favourite ISP - sensationalist claptrap!!

Hi all,

The subject of this blog is the byline for a news.com.au report today, which says, in part, that:

“AOL and other large internet service providers serve as launching pads for most "denial of service" attacks, according to Prolexic Technologies, which helps companies fend off such attacks.”
http://australianit.news.com.au/articles/0,7204,15620358%5E15318%5E%5Enbv%5E15306,00.html

It then goes on to say that “Their clients may be exposed differently or they may be doing a poor job of filtering certain things from their clients.”

Say what? Their clients are not exposed differently, nor are the ISPs doing a poor job of 'filtering', whatever that may mean. I'd be interested to know exactly what sort of filtering our kind correspondent thinks should be instigated.

Blaming an ISP for malware and virus problems doesn't help matters. Zombie-ware can be written to use any of tens of thousands of ports, and users can be tricked by social engineering into manually downloading malware - what is an ISP meant to do? Block everything except ports 80, 110 and 25 in a vain attempt to stop zombie machines on their networks from launching DDoS attacks? Stop their users from downloading *.exe files? Force their users to use browsers with ActiveX, Java and file transfers disabled? Get real.

Let's have a look at the original report, available here:
http://www.prolexic.com/zr/

Sure, it says AOL makes up 11.71% of US infected networks, but 11.71% is certainly not “most”, especially when you consider Comcast sits at 10.66%, Bellsouth at 7.46% and Verizon at 7.40%.

To add to my disbelief, I read another column during the past 24 hours or so wherein AOL was basically blamed for the death of the old Usenet:
http://www.boston.com/business/technology/articles/2005/06/13/somehow_usenet_lumbers_on/

Let me say from the outset that I have a lot of respect for Hiawatha Bray. Back in 1999, when the MVP Programme was suddenly cancelled, we had a very nice email dialogue, and Hiawatha was very supportive before and after the MVP Programme's reinstatement. (Information about the infamous 'kiss off' can be found here: http://www.mvps.org/about/kissoff.html) That being said, describing AOL users as “users [who] ravaged Usenet like a Mongol horde” is just a little extreme.

Y'know, the popular media is *not* helping the spyware fight. The number one weapon is education. The second weapon is making sure PCs have the very latest patches installed (which reminds me of another pet hate of mine - far too often I see software providers 'refusing' to let their users install XP SP2 because their software will have problems. Well, fix your damned software!!)

It doesn't matter what defences an ISP puts up if their users don't know what the hell they're doing. 

Education is the only thing that works, combined with the conscientious application of security patches as they are released by MS, and protective software such as firewalls, antivirus and anti-spyware tools. But, that being said, it is not the ISP's responsibility to ensure all this is done, nor should the blame be placed on their shoulders. We, as users, have a responsibility to look after ourselves and educate others that we have contact with, because social engineering is the number one weapon the malware purveyors have.

Posted by sandi with 1 comment(s)

Netscape XML bug.. still not fixed

Netscape still haven't fixed the XML bug I first mentioned on 26 May:
http://msmvps.com/spywaresucks/archive/2005/06/01/50066.aspx

Maybe they still think that a browser's XML ability is only important to developers and programmers.....

Update 18 June 2005: 8.0.2 apparently fixes this problem:
http://msmvps.com/spywaresucks/archive/2005/06/18/53896.aspx

Posted by sandi with no comments

Spyware Bill 2005 (Australia)

A new bill has been introduced into Federal Parliament here in Australia, called the 'Spyware Bill 2005'. Note that the Bill is not yet law, and will not become so until Royal Assent is received.

You can download the entire Bill, as a PDF, at this link:
http://parlinfoweb.aph.gov.au/PIWeb/view_document.aspx?id=1973&table=BILLS

Imagine... computer owners will have the opportunity to give SEPARATE approval to individual changes made to their PC, will be shown a sample advertisement, and each advertisement that is generated by adware/spyware will have to identify itself (for example: 'This advertisement is being brought to you by....'). Each pop-up or other advertisement must include a hyperlink to information about how to turn the ads off. Not only that, the software must be easily and completely removable via Add/Remove Programs :o)

Hopefully the proposed Bill will become law, and then other countries and States will follow suit - burying feature disclosure within an EULA will no longer be sufficient notification.

Some of the more exquisite facets of the bill are as follows:

8. Notice, consent and removal of software requirements:

...notice to the user of a computer must:

(a) include a clear notification, displayed on the screen until the user either grants or denies consent to installation, of the name and general nature of the computer software that will be installed if the user grants consent; and

(b) include a SEPARATE DISCLOSURE, with respect to each information collection, advertising, distributed computing and settings modification feature contained in the computer software, that remains displayed on the screen until the user either grants or denies consent to that feature; and

(c) …

(d) in the case of an advertising feature, provides:

(i) a representative example of the type of advertisement that may be delivered by the computer software; and

(ii) a clear description of the estimated frequency with which each type of advertisement may be delivered or the factors on which the frequency will depend; and

(iii) a clear description of how the user can distinguish each type of advertisement that the computer software delivers from advertisements generated by other software, Internet website operators or services; and

(e) …provides a clear description of:

(i) the type of information or messages the computer software will cause the computer to transmit; and

(ii) the estimated frequency…or the factors on which the frequency will depend;

(iii) the estimated volume of such information or messages, and the likely impact, if any, on the processing or communications capacity of the user’s computer; and

(iv) the nature, volume and likely impact on the computer’s processing capacity of any computational or processing tasks the computer software will cause the computer to perform in order to generate the information or messages the computer software will cause the computer to transmit; and

(f) in the case of a settings modification feature, provides a clear description of the nature of the modification, its function and any collateral effects the modification may produce, and procedures the user may follow to turn off such feature or uninstall the computer software.

Consent

…consent means:

(a)

(b) …SEPARATE AFFIRMATIVE CONSENT by the user of the computer to each information collection feature, advertising feature, distributed computing feature and setting modification feature contained in the computer software.

Removal procedures

..computer software must:

(a) …appear in the ‘Add/Remove Programs’ menu or any like feature…

(b) be capable of being removed completely using the normal procedures for removing computer software…

(c) in the case of computer software with an advertising feature, include an easily identifiable link clearly associated with each advertisement that the software causes to be displayed, such that selection of the link by the user of the computer generates an on-screen window that informs the user about how to turn off the advertising feature or uninstall the computer software…

Posted by sandi with no comments

Netscape again - are they nuts????

Y'know, I normally try to avoid repeating what other MVPs and anti-spyware bloggers are talking about, but this has got me seriously peeved.
http://netrn.net/spywareblog/archives/2005/05/30/aol-verisign-truste-direct-revenue/

And Ben Edelman's blog:
http://www.benedelman.org/spyware/ns8/

What the hell is going on in Netscape world? First the Netscape 8 XML bug, and now this?

Netscape touts their Trust Rating system as protecting users from, among other things, “Sites which attempt to inject malicious programs or code onto your system (Spyware, Adware, Trojans, and viruses)”.

Now, the sites mentioned in the spywareblog may not try to automatically install adware or spyware, but they sure as hell offer it for download. There are some very well known, unsavoury names listed on the spywareblog that have been associated with adware and malware that cause a lot of grief for PC users.

Sign me p*ssed off. 

Posted by sandi with 1 comment(s)