June 2008 - Posts

Neowin.net announces a new version of Spybot Search & Destroy, but.....

Neowin says:

"Spybot - Search & Destroy detects and removes spyware, a relatively new kind of threat not yet covered by common anti-virus applications. Spyware silently tracks your surfing behavior to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies. If you see new toolbars in your Internet Explorer that you haven't intentionally installed, if your browser crashes inexplicably, or if your home page has been "hijacked" (or changed without your knowledge), your computer is most probably infected with spyware. Even if you don't see the symptoms, your computer may be infected, because more and more spyware is emerging."

First up, spyware is NOT a "relatively new kind of threat" - it has been around for years.  Second, it is INCORRECT to claim that spyware is "not yet covered by common antivirus applications". 

It's well and truly time for Spybot S&D to update their advertising blurb.


Report: Malvertizements that have been circulating

XM Radio

image

image

image

Exposed domain: aboutstat.net


XM Radio again

image

image

image


Exposed domains: waytotheprofit.com/?cmpid=weannalist and officialstat.com/c/index.php, both of which are known malvertizement domains.

waytotheprofit.com/?cmpid=weannalist leads us to an adverdaemon.com URL which then leads on to diskretter.com.


adverdaemon.com is hosted by PEER1, with name servers supplied by none other than securehost in the Bahamas.  Lots and lots of known bad domains are sharing name servers with adverdaemon.com.

Hostnames sharing IP with A-records:

Report: Malvertizements that are currently circulating

perfectmatch.com


Domains exposed:

profitabill.com/?cmpid=cancrineso

stat-diagnostic-imaging.net/c/index.php


profitabill.com

Hosted by Plusserver, Germany.  Administrative contact is the infamous Serg Moon - WHOIS details are, of course, unhelpful.

Note: WHOIS notes that registration services are provided by NameCheap.com, which shares IP indirectly via cnames with davidrohlf.com, georgerohlf.com, kristinerohlf.com and therohlfs.com.

Registrar is the well-known Enom, Inc.; the domain was created on 25 March 2008.


Hostnames sharing IP with A-records:
manzano181.serv.lt
xen-su-01.serv.lt

Lots and lots and LOTS of bad domains sharing name servers with profitabill.com

Report: Malvertizements that are currently circulating

First Choice in French (we have seen malvertizements featuring First Choice before, e.g. this one in English)


This malvertizement exposes two domains to us: waytotheprofit.com/?cmpid=atrecreant and click.adlbrite.com.

adlbrite.com is hosted by nine.ch in Switzerland (yes, the same nine.ch that has hosted domains used by malvertizements in the past).

click.adlbrite.com is also sharing name servers with several well known malvertizement domains, including:


adlbrite.com's registrar is TLDS, LLC DBA SRSPLUS.  The WHOIS is unhelpful, being:

Sara Sen  (mail@adlbrite.com)
Hight  str  45 
Baltim, NONE  8232
CL
152656555

waytotheprofit.com is just as interesting, sharing IP with A-Records and mail servers with many known malvertizement domains including:


waytotheprofit.com also shares name server with many, many, MANY known fraudware and malvertizement domains, as well as domains associated with the sale of malvertizements.
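The shared-infrastructure pivoting these reports lean on (the robtex lookups behind "sharing name servers", "sharing IP with A-records" and "sharing mail servers"), as an added example that is not the blog's or robtex's code. Every domain, name server and address in it is constructed on reserved example/.invalid names, and the fan-out filter is an assumed heuristic for the caveat raised in the perfectmatch.com report above: a registrar's default name servers or a big mail host are shared by unrelated domains and prove nothing.

```python
"""Infrastructure pivoting on shared name servers, A records and mail servers.

Added example, not code from the original blog post.  It reproduces the
robtex-style pivoting used in these reports: start from one known
malvertizement domain, find every domain sharing a name server, an IP
address or a mail server with it, and follow those links a few hops out.
All records below are constructed sample data on reserved example/.invalid
names; they do not describe any real host.
"""
from collections import Counter, deque

KINDS = ("ns", "a", "mx")  # name servers, A records, mail servers

# Constructed passive-DNS style snapshot: domain -> record sets.
SAMPLE_RECORDS = {
    "seed-ads.example":    {"ns": {"ns1.bulletproof.invalid"}, "a": {"203.0.113.10"}, "mx": {"mail.seed-ads.example"}},
    "sister-ads.example":  {"ns": {"ns1.bulletproof.invalid"}, "a": {"203.0.113.11"}, "mx": {"mail.sister-ads.example"}},
    "profit-stat.example": {"ns": {"ns2.other.invalid"},       "a": {"203.0.113.10"}, "mx": {"mx.bigmail.invalid"}},
    "fraudware.example":   {"ns": {"ns2.other.invalid"},       "a": {"198.51.100.7"}, "mx": {"mx.bigmail.invalid"}},
    # Three unrelated shops on a popular mail provider: sharing it proves nothing.
    "shop-a.example":      {"ns": {"ns.bighost.invalid"},      "a": {"192.0.2.1"},    "mx": {"mx.bigmail.invalid"}},
    "shop-b.example":      {"ns": {"ns.bighost.invalid"},      "a": {"192.0.2.2"},    "mx": {"mx.bigmail.invalid"}},
    "shop-c.example":      {"ns": {"ns.bighost.invalid"},      "a": {"192.0.2.3"},    "mx": {"mx.bigmail.invalid"}},
}


def noisy_values(records, kind, max_fanout):
    """Record values used by more than `max_fanout` domains.

    Registrar default name servers and big mail hosts look like that; a
    domain sharing one of them with a bad domain is not evidence of anything,
    so the pivot ignores these values (the NameCheap caveat in the post above).
    """
    counts = Counter(v for rec in records.values() for v in rec[kind])
    return {v for v, n in counts.items() if n > max_fanout}


def pivot_cluster(seed, records, max_hops=2, max_fanout=3):
    """Breadth-first expansion from `seed` over non-noisy shared records.

    Returns {domain: (hops, kind, via)}: how many hops from the seed, which
    record type linked it, and the domain it was reached from.
    """
    noisy = {k: noisy_values(records, k, max_fanout) for k in KINDS}
    found = {seed: (0, "seed", seed)}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        hops = found[current][0]
        if hops >= max_hops:
            continue
        for kind in KINDS:
            pivot_values = records[current][kind] - noisy[kind]
            for domain, rec in records.items():
                if domain in found or not (rec[kind] & pivot_values):
                    continue
                found[domain] = (hops + 1, kind, current)
                queue.append(domain)
    return found


def report(seed, records, **kwargs):
    """Human-readable lines, nearest hops first, in the style of these reports."""
    cluster = pivot_cluster(seed, records, **kwargs)
    lines = []
    for domain, (hops, kind, via) in sorted(cluster.items(), key=lambda kv: kv[1][0]):
        if hops:
            lines.append(f"{domain}: hop {hops}, shares {kind.upper()} with {via}")
    return lines


if __name__ == "__main__":
    print("\n".join(report("seed-ads.example", SAMPLE_RECORDS)))
```

Raising `max_fanout` to 10 pulls the three shops into the cluster through the shared mail host, which is exactly the false lead the filter exists to avoid.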

OSX.Trojan.PokerStealer Trojan Horse

Information courtesy of Intego, a company specializing in security products for the Mac.

Intego has released a security memo describing a trojan horse for the Mac - a poker game that, when run, harvests the username, password and IP address of the victim and transmits them to a server, as well as enabling ssh on the victim's Mac.  As noted by Intego, once ssh is enabled, the attacker can "attempt to take control of [the Mac], delete files, damage the operating system, or much more".

The poker game is an effective example of social engineering, and demonstrates that anybody, whether a Windows or Mac user, can be tricked into handing over their username and password.  The existence of the software is worth publicizing in the hope that it will make all of us stop and think the next time we are asked to enter our admin password when installing software.

I am already reading comments deriding Intego's "financial incentive for discovering and reporting" on Mac-specific trojan horses and whatnot.  Those making such comments are not doing anybody any favours and, to be honest, they need to get over themselves.  Yes, Intego can gain a financial benefit from such publicity - after all, they sell security software for the Mac - but the reality is that the malicious software is out there, and it is a good example of an effective mechanism for tricking Mac users.

Screenshot:

PokerGame

Microsoft Security Intelligence Report (July through December 2007) - Key Findings Summary (Australia, Canada, Germany, Japan, Netherlands and Norway)

Downloadable here:
http://www.microsoft.com/downloads/details.aspx?familyid=671355c2-4002-4671-8619-95c96c8a897f&displaylang=en&tm

The worldwide average was malware removal from 1 out of every 123 Windows-based computers in the second half of 2007.

Summary - Australia

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 204 Windows-based computers it was executed on.

Zlob (Trojan) - 6.9%
Starware (Potentially unwanted software) - 4.4%
Hotbar (Adware) - 2.7%
WhenU (Adware) - 3.3%
Winfixer (Potentially unwanted software) - 2.7%
Agent (Trojan and trojan downloader) - 2.6%
All others - 77.7%

Summary - Canada

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 172 Windows-based computers it was executed on.

Zlob - 6.4%
Hotbar - 4.6%
Agent - 4.2%
Starware - 4.0%
ZangoSearchAssistant (Adware) - 3.1%
WhenU - 3.1%
All others - 73.6%

Summary - Germany

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 226 Windows-based computers it was executed on.

Zlob - 12.2%
WhenU - 5.9%
Hotbar - 3.9%
Renos (Trojan downloader) - 2.6%
Zango Search Assistant - 2.6%

Summary - Japan

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 685 Windows-based computers it was executed on.

CnsMin (Spyware) - 8.6%
Zlob - 4.3%
Antinny (Worm) - 3.9%
Rbot (Backdoor) - 3.4%
WhenU - 2.9%
All others - 76.9%

Summary - Netherlands

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 170 Windows-based computers it was executed on.

Zlob - 7.4%
WhenU - 4.7%
Virtumonde (Trojan and adware) - 3.3%
Hotbar - 3.1%
ConHook (Trojan) - 2.9%
All others - 78.6%

Summary - Norway

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 160 Windows-based computers it was executed on.

Zlob - 12.5%
WhenU - 4.7%
Winfixer - 3.7%
Zango Search Assistant - 3.5%
Hotbar - 3.4%
All others - 72.2%

Other important notes from the key findings summary (all countries)

  • The total amount of malware removed from computers worldwide via the Microsoft Malicious Software Removal Tool (MSRT) increased over 40% during the second half of 2007 to more than 450 million unique computers worldwide per month.
  • During the second half of 2007 there was a 300% increase in the number of trojan downloaders and droppers detected and removed.
  • The most prevalent rogue security software detected in the second half of 2007 was Win32/Winfixer, with more than five times as many detections as any other single family. Winfixer displays erroneous alerts warning of severe system threats. The program then offers to remove the erroneous detections for a fee. These warnings appear under multiple false product names in several different language versions.
  • 129.5 million pieces of potentially unwanted software were detected between July 1 and December 31 2007, resulting in 71.7 million removals. These figures represent increases of 66.7% in total detections and 55.4% in removals over the first half of 2007.
  • Adware remained the most prevalent category of potentially unwanted software in the second half of 2007.
  • The top potentially unwanted software family detected in the second half of 2007 was Win32/Hotbar.


New malvertizement featuring gifttree.com

I have received a copy of a new malvertizement featuring gifttree.com.

Analysis reveals two malicious URLs, being:

waytotheprofit.com/?cmpid=itlocation
station-appraisals.com/c/index.php?

The waytotheprofit.com URL leads us to an adnetserver.com URL which in turn leads us to a German-language fraudware site, diskretter.com (which, by the way, shares IP with A-records and mail servers with several domains including securepccleaner.com and exterminadordevirus.com).


Sandi joins Truste

I am pleased to announce that I have joined Truste as an Online Compliance Researcher.  The Press Release is here:
http://www.truste.org/about/press_release/06_12_08.php

I am very excited about this new opportunity.  It has always been my dream to be able to focus all of my energies on studying, and tracking down the distributors of, spyware and malware and now that dream is coming true.

Wayne Small, SBS MVP, has also written an announcement about my new role.  I couldn't help but smile when I read it.  Mind you, I can't claim to have singlehandedly saved all those MSN Messenger users - it was Patchou of Messenger Plus! fame who first alerted me to the fact that there was a malvertizement appearing in the Windows Live Messenger advertising pane.
http://blog.sbsfaq.com/Lists/Posts/Post.aspx?ID=191


Posted by sandi with 8 comment(s)

Press Release: Attorney General McKenna’s new laws go into effect Thursday

The full press release is below.  The section most relevant to this blog is the new laws related to spyware.  A change that I anticipate will have a great impact is that the new laws "Create liability for web hosting services who ignore violators’ use of their products".  I believe that this new law will encourage web hosting services to act quickly when malvertizement activity is reported to them.  Far too often web hosting services have responded to my complaints by saying that they are not responsible for what their clients are doing, or they say that all they can do is contact their client and tell them that there has been a complaint, or they don't respond at all.  Now that web hosting services can be found directly liable for the activities of their clients, it is going to be harder to ignore or fob off our complaints.

Here is the House Bill 2879 (the Bill related to changes to spyware laws):
http://apps.leg.wa.gov/documents/billdocs/2007-08/Pdf/Bills/House%20Passed%20Legislature/2879-S.PL.pdf

The important changes as they relate to malvertizements follow (the changes are bold and underlined, or struck through):

The definition of "Transmit" has been changed to ensure that if a web hosting service "knows or reasonably should have known" that the chapter is being violated, then that web hosting service is liable for violations under the chapter.

"Transmit" means to knowingly, or with conscious avoidance of knowledge, transfer, send, or make available computer software, or any component thereof, via the internet or any other medium, including local area networks of computers, other nonwire transmission, and disc or other data storage device.  "Transmit" does not include any action by a person providing:

(a) The internet connection, telephone connection, or other means of transmission capability ((such as a compact disk or digital video disk)) through which the software was made available;

(b) The storage or hosting of the software program or a web page through which the software was made available, unless the person providing the storage or hosting services knows or reasonably should know there is or will be a violation of this chapter, and participates in or ratifies the actions constituting the violation;"

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

PRESS RELEASE:

OLYMPIA – New laws requested by Attorney General Rob McKenna dealing with mortgage foreclosure schemes, identity theft, spyware and third-party marketing of cell phone numbers will go into effect on Thursday.

“These new laws address critical threats to consumers from the purveyors of modern frauds—from mortgage rescue schemes to identity theft and online spying” McKenna said. “Also beginning this week, consumers’ cell phone numbers will be protected from solicitors, since they can no longer be published without express consent. I want to thank legislators from both parties who helped pass these crucial protections.”

The following laws go into effect on Thursday, June 12:

Prohibiting third-party marketing of cell phone numbers

House Bill 2479 requires any person in the business of compiling, marketing or selling phone numbers for commercial purposes to obtain a consumer’s express opt-in consent before publishing his or her wireless phone number in a directory. A violation of the law is punishable by a fine of up to $50,000. The Attorney General may bring actions to enforce compliance and may notify first-time violators with a letter of warning.

Mortgage Foreclosure Legislation

House Bill 2791 adds protections for homeowners from losing their homes in “mortgage rescue” scams by:

  • Requiring a written contract with clearly disclosed terms be completed, signed and dated by the homeowner and the purchaser prior to the property’s transfer;
  • Providing the foreclosed homeowner the right to cancel the contract within five business days;
  • Requiring that the purchaser demonstrate that the foreclosed homeowner is able to meet the terms of the contract including making interest and lease payments and is capable of purchasing the property within the allowable period;
  • Requiring that the homeowner must receive at least 82 percent of the difference between the property’s fair market value and the underlying mortgage in the event of a sale to a third party.

A violation of the law is a per se violation of the Consumer Protection Act, making the outcome of litigation against foreclosure rescue schemes substantially certain and resulting in broad deterrence.

Identity Theft Legislation

Senate Bill 5878 creates a statutory requirement for police to take reports from victims of identity theft.

  • Victims have the option to file a report in their local jurisdiction or with the agency where the crime occurred.
  • Allows prosecutors to bring separate charges against an accused identity thief for each use of a particular piece of someone’s personal information. This bill reverses policy set in State v. Leyda (2006), where the Washington Supreme Court held that a defendant may only be charged once for use of someone else’s information even when that information is used in multiple locations multiple times.

House Bill 2637 allows records provided by out-of-state businesses to be authenticated by affidavit, rather than in person, in criminal cases. When properly served with a request for records, the recipient must provide the records within 20 business days and verify the authenticity by providing a signed affidavit, declaration or certification. This allows for the more effective prosecution of identity thieves.

Shutting Down Spyware

House Bill 2879 remedies loopholes and weaknesses in the state’s Computer Spyware Statute by:

  • Removing onerous requirements that hinder the ability to prove cases against violators;
  • Creates liability for web hosting services who ignore violators’ use of their products;
  • Adds violations for new forms of spyware; and
  • Clarifies the standards for proof of violations and the circumstances under which actions may be brought.


Circulating malvertizements: driveway and dreammates

First, driveway:

waytotheprofit.com/?cmpid=comedogeni&adid=intl

statgroup.net/c/index.php?id=WmhuaHhDTEFpUXm7NkiZmOVpYVnd4cGtoPTEyMDgxNjk3MDUmcG56Y252dGE9cGJ6cnFidHJhdgYNkiDgNmYNkiDgNm


Next, dreammates:

waytotheprofit.com/?cmpid=comedogeni&adid=intl

stat-diagnostic-imaging.net/c/index.php?id=eklscHhaSzFya3JIUElYNjNm7NkiZeUloPTEyMTIwNzc5MjYmcG56Y252dGE9cGJ6cnFidHJhdgYNkiDgNmYNkiDgNm


You can see that both malvertizements use the same waytotheprofit campaign URL.

I ended up at goldenantispy.com on one occasion, antispywaremaster.com on another and performanceoptimizer.com on another. You will end up at different sites depending on what country you reside in.

goldenantispy and antispywaremaster try to download software to visiting computers using the infamous Microsoft Dynamic HTML Editing Control (Safe for Scripting) that has been removed from Vista.  If a computer is running Windows Vista, and is up to date with security patches, then infection is difficult if not impossible to achieve without user interaction.  Be warned, though, that I was testing with a bare metal version of Windows. There is every chance that other exploits affecting non-Microsoft products could be used at any time to attempt to infect systems.

The site also utilises archive.easydownloadsoft.com to distribute its wares, specifically:

archive.easydownloadsoft.com/goldenantispy.com/GoldenAntiSpy/install_en.cab

I'm also seeing adnetserver.com and b2adz.com, as well as prevedmarketing.com, waytotheprofit.com and statgroup.net.


There are several domains related to goldenantispy.com, including:

meinbesterschutz.com, virusvakt.com, zebraantivirus.com, pcprivacytool.com and virusstopper.com, as well as antispyarecontrol.com, antispywaresuite.com, winanonymous.com, winpcdoctor.com, winspycontrol and anchisupaisutsu.com

goldenantispy.com is registered via tucows, and has as an admin contact webstarhosting@yahoo.com.

Its mail server is mail.prevedhosting.com (regular readers of my blog will recognize that name).


antispywaremaster.com is also registered via tucows, and has an administrative contact that I recognize, being "no_name_inc@yahoo.com" aka "John Green".

antispywaremaster.com has "relationships" with diskretter.com (a name I recognize as being involved with malvertizement incidents in the past), schijfbewaker.com, toolsicuro.com, exterminadordevirus.com and securepccleaner.com.

If we dig deeper using robtex, we find relationships with antivirusmaqique.com, defensedudisque.com, erreuchasseur.com, fairukyua.com, qubbishremover.com and limpietodo.com, as well as name server relationships with advancedcleaner.com, antispywaresuite.com and avsystemcare.com, and with old classics such as drivecleaner.com, errorsafe.com, systemdoctor.com, winspycontrol.com and yourprivacyguard.com.

ALERT: Malvertizements at disney.fr

These criminals, whoever they are, have absolutely no shame.  I thought that they were the scum of the earth when they impersonated Oxfam; now they are getting their malvertizements onto popular children's sites.

As reported by Kimberley - the malvertizements have been reported to RealMedia:

openad.tf1.fr/RealMedia/ads/Creatives/OasDefault/AUTOPROMO_DISNEY_SKY_CINEMA_NOW/cinemanow_120x600.swf

adoptserver.info/_stat029.gif?url=[removed]
windowsxp-privacy.net/?id=987650098
xponlinescanner.com/soft.php?aid=024217&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77024217

openad.tf1.fr/RealMedia/ads/Creatives/OasDefault/AUTOPROMO_DISNEY_MEGA_CINEMA_NOW/cinemanow_728x90.swf

adoptserver.info/_stat029.gif?url=[removed]
windowsxp-privacy.net/?id=987650097
xponlinescanner.com/soft.php?aid=024218&d=3&product=XPA
xponlinescanner.com/2008/3/freescan.php?aid=77024218


New "surveys" malvertizement

Adopstools.com was not able to analyse the sample that I have, but there is more than one way to get things done.

The malicious SWF exposes victims to two different URLs:

impressiontracker.com/url/sc_6.php

and

yourredirect.com/soft.php?aid=000417&d=3&product=XPA

The yourredirect.com URL redirects to a fraudware site, being:

onlinescannerxp.com/2008/3/freescan.php?aid={removed}

yourredirect.com was created on 4 April 2008 and is protected by privacyprotect.org

impressiontracker.com was created on 8 April 2008, and WHOIS refers us to a "Carol Hamilton" of eosads.com.

Both impressiontracker.com and yourredirect.com use mynickname.com name servers...

eosads.com (the domain revealed by a WHOIS check of impressiontracker.com) is, in turn, registered via none other than the infamous estdomains.  The domain was created on 8 February 2007, updated on 10 March 2008 and expires on 8 February 2009.

Screenshots of the malvertizement:


The malicious SWF is hosted by content.yieldmanager.edgesuite.net.  The appropriate parties have been notified.

Another eBooks malvertizement

Regular readers may recall the new eBooks malvertizement highlighted the other day - this one:

Here's another version, slightly tweaked. You'll notice the different wording and different font:


Mark Russinovich: The Case of the Random IE and WMP Crashes

I have just finished glancing over Mark Russinovich's latest blog entry, in which he describes how he tracked down the cause of, and fix for, crashes affecting Internet Explorer on his Vista x64 gaming system, as well as crashes affecting Windows Media Player.

The diagnostic steps that Mark uses make for fantastic reading for the geeks amongst us - heck, all of his articles make for fantastic reading (especially his "The Case Of" blog entries).

I admit that I am not surprised that nVidia were at fault.  Back in the days of IE5 (and to a lesser extent IE6) video card drivers were notorious for causing problems for Internet Explorer.  It was standard operating procedure, especially for crashes involving kernel32.dll, to recommend updating video drivers and reducing hardware acceleration, and nuking a potentially corrupt IE cache (or, more precisely, a problematic index.dat file).

You can read Mark's article, "The Case of the Random IE and WMP Crashes", here:
http://blogs.technet.com/markrussinovich/archive/2008/06/02/3065065.aspx


Posted by sandi with no comments

malvertizement featuring eBooks

Screenshots (had to smile at the appearance of the word "malware"):


I'm also seeing a steady stream of ringtone and American Singles malvertizements.