Spyware Sucks

More information about the Curves SWF

Well, I said I would get in touch with Doubleclick - their response was interesting - I quote:

"it's to confuse people... look you get the same results:

openadstream.net/ad0.php?url=http://www.google.com/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043

openadstream.net/ad0.php?url=http://www.microsoft.com/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043"

The original URL I provided was:

openadstream.net/ad0.php?url=http://ad.doubleclick.net/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043

Each of those URL renders the same result - a plain white white page with the text "stats=917174773"

Oh, and guess who supplies the name servers for openadstream.net - yep, you guessed it - estboxes.com aka estdomains - a domain that has already been mentioned once in my blog today.

What the heck???

I received this email today via my Spyware Sucks "Contact Me" link:

"At least a have a problem that i find no pleasent, i think it comes from your url, a receyve continusely messages that my pc is infected by viruses or spam.  I ask you for  all of your possibilitys no more sending those messages in the future on my pc. What kan i do for removing this messages always a receyving ?  Ps) a appologise for the grammatical faults in the mail becaaause my english is not my primary language."

Ok, so we all know that my blog does not harbour any advertisements that could trigger such an effect therefore I feel grave concern that his computer is already infected.

English is his second language so it is going to be difficult to assist him.  His email address is an @pandora.be address, so if anybody knows what his native language is, feel free to comment...

Oxfam impersonated by Errorsafe pimps

Oxfam does fantastic work - in fact several people received "Oxfam Unwrapped" gift cards from me for Christmas (donations on their behalf) - and it makes me FURIOUS to see Oxfam's good name taken advantage of, and a malicious advertisement featuring their name used as a conduit to fraudware.

I received a sample SWF today, an advertisement touting Oxfam - screenshots below.

An examination of the internal code reveals:

www.errorsafe.com/pages/scanner/index.php?aid=50ftf0rm&lid=sw23&ax=1&ed=2, __self.str, _root.c4.color(14688422)

which redirects to:

errorsafe.com/download/2007/index.php

Y'know, I already do all I can to track down, and shut down, the bastards behind malicious banner advertisements.  I promise you this, if there is one thing that the criminals can do to make me even more determined to chase them to the ends of the earth, it is to do something like impersonating Oxfam.

A closer look at the Curves SWF

Interesting. 

"openadstream.net/ad0.php?url=http://ad.doubleclick.net/click/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=127500043"
"iexplorer-security.org/?id=463400043"

iexplorer-security.org has hidden some information behind Privacy Protect, but we can find out some things.

First, iexplorer-security.org is hosted by Masterhost in Russia.  Second, its nameservers are provided by the infamous eshosst.com (aka estdomains) - the list of malicious/fraudulent domains associated with Estdomains is staggering.

I'll need to get in touch with Doubleclick about their appearance in a variable.

Firstchoice comments on malicious banner advertisements...

Just like Skyauction, Emusic and QPAD before them, Firstchoice have advised that they have nothing to do with the malicious advertisements featuring their company.

I quote the contents of an email from Firstchoice to the web site that supplied the copy of the malicious advertisement from Forceup to me for analysis:

"1. Our site [is] firstchoice.co.uk not firstchoice.com. (Which is a chain of hairdressers in the US!)

New malicious SWF featuring "Curves"

More later... I'm out of office at the moment and don't have access to my normal toolset.

Screenshot:

Online analysis of SWF:
http://www.adopstools.net/index.asp?page=quicklink&id=2526I2UFLC7Ri029 

Forceup.com - here is more information about the malicious Firstchoice advertisement

The SWF has been analysed.  We find this URL in the code:
quinquecahue.com/statsa.php?u=1202136191&campaign=oseximious 

The allowed countries for this particular malicious campaign are ZA, US and UK

Banned IPs: 

209.160.0.0-209.160.255.255 Hop One Internet Corporation
196.36.0.0-196.36.255.255 (Internet Solutions (Pty) Ltd (South Africa)

Banned cities: Johannesburg, Tukwila

Kudos to Kimberley for decrypting the SWF contents.

Forceup.com caught trying to sell a malicious advertisement featuring firstchoice.com

I received an email tonight warning me that a Diane Samuels from forceup.com is contacting web sites wanting to place an advertising banner.  I was contacted by those behind a web site with checks in place that identified the advertising banner as "a virus of some sort".

The creative's name was firstchoise_728x90.swf.

"Diane Samuels" did not respond to emails from the web site's staff once they discovered that the advertisement was bad - a failure to respond is standard operating procedure for the b*stards behind the malicious advertisements - if they get caught by one web site, they just move on to the next one.

Forceup.com is a well known name to those of us who watch and report on malicious banner advertisements - if you search this blog for that name you will find that forceup is mentioned nine times.

First, I am *very* pleased that the intended victim site's checks and balances alerted them to a problem, aka "a virus of some sort".

Second, I am *very* pleased that the creative was detected as a virus.

Third, I have a copy of the actual creative that I can analyse it and report on, and provide screenshots.

An analysis of the creative at adopstools reveals that the creative contains "a sprite/movieclip which is containing Malware actionScript code".

Here are screenshots of the advertisement provided by forceup.com - you have been warned. 

If I receive further information I will blog again.

Pakistan hijacks YouTube...

Those of you with a technical mindset may find this explanation about what happened, and the timeline, informative:
http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube.shtml

Some chatter at NANOG (with a few glimmers of paranoia to add spice):
http://www.merit.edu/mail.archives/nanog/threads.html#06347

New Internet Explorer Knowledgebase articles

Here you go - this month's new KB articles.  You know what they say.. never lose sight of your roots.. and for me, my roots are buried deep in supporting users of Internet Explorer from a technical perspective, not a spyware/malware perspective, and let's face it - when was the last time you saw a kernel32.dll error caused by a video driver? IE is *way* more stable than it used to be.

Maybe things will hot up on the Internet Explorer scene now that the IE8 beta is around the corner.  I confess to feeling some excitement when I think about putting IE8 through its paces.  The team have been very secretive - not even *I* know for sure what's coming.

Anyway, let's take a look at the new Knowledgebase articles for this month....

------

IE6 and IE7:  An Internet Explorer Automatic Component Activation (IE ACA) Preview #2 update is available to disable the "Click to activate" behavior

Microsoft is releasing an Internet Explorer Automatic Component Activation (IE ACA) update that will disable the “Click to activate” behavior of the Internet Explorer ActiveX update that was originally released in April 2006.

It is strongly recommended that this update only be deployed for testing purposes.

http://support.microsoft.com/default.aspx/kb/947518

-----

IE5.01, IE6, IE7:  MS08-010: Cumulative security update for Internet Explorer

Microsoft has released security bulletin MS08-010. The security bulletin contains all the relevant information about the security update. This information includes file manifest information and deployment options, as well as known issues.

http://support.microsoft.com/default.aspx/kb/944533

-----

IE6 and IE7:  You may be unable to view some PDF documents in Windows Internet Explorer 7 or in Internet Explorer 6

This problem occurs because of the method that is used to determine the MIME type of downloaded content. This problem occurs even if the content MIME type is declared as "application/pdf."

http://support.microsoft.com/default.aspx/kb/945686

-----

IE6:  If you configure Internet Explorer 6 to use a proxy autoconfiguration (.pac) script, URLs may be identified as being in the Internet zone instead of as being in the local intranet zone

This problem occurs because Internet Explorer (Iexplore.exe) starts to process the .pac script when it first connects to the network from the client computer.

If the security zone of the target URL is identified after the exception list of the .pac script is read, the Web site is displayed as being in the local intranet zone. Conversely, if the target URL is accessed before the exception list is read, the Web site is identified as being in the Internet zone.

Therefore, depending on the timing, the .pac script may incorrectly identify a URL as being in the Internet zone instead of as being in the local intranet zone.

http://support.microsoft.com/default.aspx/kb/946240

-----

IE6 and IE7: Internet Explorer uses HTTP/1.0 GET requests instead of HTTP/1.1 GET requests to connect to a Web site

This problem occurs because of a design change in how the Wininet.dll file reads the values of the Use HTTP 1.1 option and the Use HTTP 1.1 through proxy connections option as a policy. In this case, the Security_HKLM_Only registry entry is enabled. This design change does not consider the effect of the Security_HKLM_Only registry entry. When the Security_HKLM_Only registry entry is enabled, the default settings for the Use HTTP 1.1 option and for the Use HTTP 1.1 through proxy connections option are set to be disabled. By default, the EnableHttp1_1 registry entry and the ProxyHttp1.1 registry entry do not exist. Therefore, when the Wininet.dll file tries to read them in the registry, the values of these registry entries are determined to be turned off.

The Security_HKLM_Only registry entry is stored in the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

http://support.microsoft.com/default.aspx/kb/947513

-----

IE7: Windows Internet Explorer 7 may exit unexpectedly when you view a Web page that sets a scroll bar style attribute for an element

When you view an HTML page that uses scroll bar (scrollbar) style attributes for an element, Windows Internet Explorer 7 may exit unexpectedly. Additionally, you may receive an access violation error message in the Mshtml.dll file.

http://support.microsoft.com/default.aspx/kb/942368

-----

Error message when you run a script that is encoded by using Script Encoder (Screnc.exe) in Windows Server 2003 or in Windows XP

This problem occurs because the non-encoded scripts use comments as encoding markers. These comments resemble one of the following:

• '**Start Encode** for Microsoft Visual Basic Scripting Edition (VBScript) 
• //**Start Encode** for JScript 

These comments and the lines that come before them should be visible in the encoded script. However, they are invisible.

http://support.microsoft.com/default.aspx/kb/948527

Google and Feedburner versus Extended Validation Certificates - and "this page contains both secure and non-secure items" errors

Well, the EV problem experienced at Tim Callan's blog has been fixed - by removing Google Analytics and Feedburner tracking code from the page.  I should point out that Google's code was removed LAST, therefore it is possible that Feedburner may be blameless - we won't know for sure unless the site is tested with Feedburner tracking code reinstated.

This incident is a timely warning for web site owners to consider the security implications of all code that they add to their sites, especially their HTTPS sites.  If a site owner has invested the time and expense required to qualify for an EV certificate, they will not want their customer's experience to be complicated by error messages such as those we saw on Tim's blog. 

I note that Google Analytics code (when used on an HTTPS page) is not the only example of a Google service triggering the "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" error.  I have also seen the error on Gmail's log in page when the "Sign Up For Gmail" pane uses a graphic instead of a simple hyperlink.  Google also faced (faces?) a similar problem with their Google Checkout service which also triggered (triggers?) the error message - can you imagine how scary it would be for somebody purchasing products from a web site if they saw that error?

Cite: http://groups.google.com/group/google-checkout-api-troubleshooting/browse_thread/thread/5e855a0fee76b181/b0f83bbee904b8c4?lnk=st&q=%22This+page+contains+both+secure+and+nonsecure+items%22#b0f83bbee904b8c4

I also note that "someone at Google" had advised the complainant that the "available solutions" to get rid of the alert window are to use a different web browser or lower the browser security settings.

I'll be honest - as far as I'm concerned it is not acceptable in this day and age, from a security standpoint, to tell customers of any web site that they can avoid an alert message by "lower[ing] their browser security settings".  Just imagine if the site in question was hacked (or any site that the user visits which uses the same Internet security zone).  The negative implications for customers if they followed such advice is frightening.

Suggesting that people swap to a different web browser is taking the easy way out (as we know from Tim's experience changing web browser doesn't fix the green address bar problem anyway).

Oops... Tim Callan's Verisign blog is having issues with EV certificateS...

But, to be fair, his blog is not the only Verisign page that is missing the green address bar when it ought not...

Let's visit Tim's blog at https://blogs.verisign.com/ssl-blog/.  Check this out.

We load the URL - we see an alert about "secure and nonsecure items".  When we see this error it generally means that the page in question, an HTTPS page, includes content that is being pulled from an HTTP (no S) address:

If we click "Yes", we see this - no green bar:

If we click "No" we see this - a green bar:

I first blogged about this interesting phenomenon back in February 2007 - a year ago.  Methinks I need to get in direct touch with Tim and let him know about what I am seeing.  We've corresponded in the past, so I should have his address here somewhere....

BTW, Firefox Beta 3 introduces green address bar support for EV certificates without the need for an add-on:

Unless you are viewing a Verisign site, that is...

Interestingly, if you go to a different site, then use the back button to return to Verisign, the EV works...

Refresh the page, and the green bar will disappear.

As we know, EV certificates are not cheap, and it is important for Web site designers and site owners to bear in mind that if they are going to pay good money for, and go through all the rigmarole that must be endured to win an EV, then they must make sure that they are not going to inadvertantly break the green address bar.

Batten down the hatches - we've got a new User Agent String

It always happens - a new version of Internet Explorer is released and some web sites break because they are *not* using best practice when detecting browser versions.

Internet Explorer 8 will introduce a new UAS, Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), and I know that web sites are going to break.  The most common problem encountered (in my experience) is the web site will erroneously report that you are using an old (unsupported) version of IE and prompt you to upgrade.

Please, consider using conditional comments if you must detect Internet Explorer version.  Far too often web sites break, not because they will not display properly in IE7 or later and the web designer has made a conscious decision to address the problem by barring access to the latest browser version, but simply because the site does not recognise the latest UAS and serves content that is completely inappropriate.  Ironically, every time I have encountered such a site, it displays just fine if I spoof the UAS.

Malicious advertisement on MySpace.com

Sadly, the criminals behind the malicious Flash banner advertisements have been using "How2Vacation" creatives for a long time - in fact, How2Vacation was listed way back on May 2007 by MikeOnAds as a known malicious advertisement.

The challenge that the advertising industry faces is how to share information more effectively.  It is frustrating to see incidents such as that which hit MySpace - frustrating because those of us who have been monitoring malicious advertisements recognize potential danger in a heartbeat.

This particular advertisement is, in fact, quite unsophisticated.  If we analyse the creative we immediately detect suspicious content.  For example, we see that the creative contains the following actionscript:

System.security.allowDomain("*")

Also, we see this:

mysurvey4u.com/statsa.php?campaign=me9ntthe

mysurvey4u.com is a known "shell" web site that uses a nameserver at, you guessed it, securehost.com.  Domains sharing name servers and mail servers include:

candid-search.com  
loffersearch.com  
manage-search.com  
roller-search.com  
rombic-search.com  
se7ensearch.com  
search-the-prey.com  
searchmandrake.com  
searchonline-ease.com  
searchvirtuoso.com  
simplesamplesearch.com  
stratosearch.com  
traveltray.com   <-- mentioned on this blog before
treekindsearch.com  
wontu-search.com  
zooworld-search.com 

Its Registrar is YESNIC CO LTD, yet another name that appears far too often in association with malware and fraudware sites.

Ok, so now we know that malicious advertisements featuring "how2vacation" have been around for a while now, and that mysurvey4u.com is highly suspicious, that it has a very bad reputation, and that it is sharing a bed with some bad names.  Let's look at what the advertisement actually does.

The URL of the malicious SWF is cache.opt.fimserve.com/contents/61/27/27061/CR_(SeptthroughDec)How2vacation_120x600_V2.swf.

fimserve.com is MySpace (ns1.myspace.com and ns2myspace.com, fimserv.myspace.com)

In the case of this particular campaign, it is coded so that the redirect will *not* trigger under the following conditions:

1. If the computer is in the following countries - IN, IL, AU, NZ
2. If the computer is in the following IP ranges - 207.46.0.0-207.46.255.25; 216.178.0.0-216.178.255.25; 216.205.0.0-216.205.255.25

As a point of interest, MySpace uses the following IP addresses - you will note that they fall within the IP ranges listed above:

216.178.39.14, 216.178.38.130, 216.178.39.16, 216.178.39.15, 216.178.39.74, 216.178.39.12, 216.178.39.11, 216.178.39.13, 216.178.38.131, 216.178.38.129

What is the significance of the script system.security.allowdomain("*")

I shall quote Adobe:

"If two SWF files are served from the same domain -- for example, http://mysite.com/movieA.swf and http://mysite.com/movieB.swf -- then movieA.swf can examine and modify variables, objects, properties, methods, and so on in movieB.swf, and movieB.swf can do the same for movieA.swf. This is called cross-movie scripting or simply cross-scripting.

If two SWF files are served from different domains -- for example, http://mysite.com/movieA.swf and http://othersite.com/movieB.swf -- then, by default, Flash Player does not allow movieA.swf to script movieB.swf, nor movieB.swf to script movieA.swf. A SWF file gives SWF files from other domains permission to script it by calling System.security.allowDomain(). This is called cross-domain scripting. By calling System.security.allowDomain("mysite.com"), movieB.swf gives movieA.swf permission to script movieB.swf."

Cross domain scripting can be a "bad thing".  Advertising networks should consider very carefully whether they are willing to allow such content into their networks, especially content that uses a wildcard when calling system.security.allowdomain. 

The above call, system.security.allowdomain("*"), means that the SWF at CR_(SeptthroughDec)How2vacation_120x600_V2.swf is allowing ANY SWF on ANY DOMAIN to script it.

First of all, MySpace should have been aware that there was a risk involved in hosting this SWF because it features how2vacation.com.  Second, even a cursory examination using a service such as adopstools reveals the dangerous script, and the mysurvey4you.com URL.  In short, this advertisement should never have made it through security checks.

Cleanator advertised on groups.msn.com

Cleanator.com has been mentioned on this blog before.  It shares an IP address with the now infamous macsweeper.com (and a I note a new entry according to Robtex.com, kavianltd.net.

The advertisement and malicious redirect have been reported to the appropriate parties.  Bear in mind that with only a screenshot it will take a while to identify the malicious advertisement.

Screenshot of cleanator.com advertisement on display at MSN UK and and fraudware popup below:

Thanks to JudyC for the report.

Two suspicious Flash advertisements

An industry contact sent me two malicious SWF advertisements over the weekend.  Here are screen shots.

Let's have a look at who is behind malicious Flash advertisements...

Let's have another look at incidents reported on this blog over time so that we can take a closer look at the inter-relationships we find between each incident.  We will look at just three incidents.

INCIDENT 1: Malicious advertisement source - 4cetera.com

INCIDENT 2: Press Release by Emusic about unauthorised malicious advertisements featuring Emusic - uniqads.com, adtraff.com and forceup.com

INCIDENT 3: Unauthorised malicious advertisements featuring Skyauction including a fake letter of mandate - netmediagroup.net...

A check of the 5 domains using www.robtex.com reveals several identical IP addresses:

Going forward I am going to be reporting on not only the advertising network hosting malicious content, but also will be trying to identify, and expose, those who are providing the advertising creatives to web sites and ad networks in the first place so that you can do what you can to avoid them.

Please read my article "Avoiding the bad guys - detecting potentially malicious advertising campaigns".  As you can see from the examples I have highlighted above, it is critically important when you are approached by an advertiser that you not only complete standard background checks (credit check, WHOIS, referees etc), but that you also check out who is using the same infrastructure using a service such as www.robtex.com.  If you see any mention of Securehost.com be extremely cautious.

You should also be cautious about any referees provided.   For example, you may be approached by an advertiser, and that advertiser may provide referees with several different @domain email addresses.  But, if you dig a little deeper, once again using a service such as www.robtex.com, you may discover that the apparently independent referees may be closely related.  You may even discover a connection between the advertiser itself and the referees.

Be careful everybody, and do your research.  I know for a fact that the criminals are still actively selling their malicious advertisements, using domain names that have been featured on this blog over and over and over again.

Malicious banner advertisement at 123greetings.com

If you get a Valentine's Day greeting from 123greetings.com DO NOT GO THERE.

There is a malicious banner advertisement being displayed with the egreeting card.  The malicious advertisement looks identical to the last one that I found, advertising DriveCleaner.

This is the third time in the past month or so that I have seen a malicious advertisement on 123greetings.com.  Avoid that site.

More later.

The February security updates are available.

The IE Cumulative Security Update for February 2008 is now available via Windows Update.

I've already rolled out this month's patches - so far so good

Information about all of this month's security updates can be found here:
http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx

Time to get a few things off my chest.

I stand by my statement - Adobe Flash is turning into, nay is, the Typhoid Mary of the Internet.

Information Week has picked up on my Typhoid Mary statement, and written about it here.  Let's have a look at the article, and the comments.

Those who have commented on the Information Week article have turned the problem of malicious banner advertisements, and the fact that there is no way for the end user to turn off or control the functionality in Flash that is being misused by criminals, into a Microsoft versus Silverlight fight.  Have I held up Silverlight as some sort of panacea or cure? No, I bloody well have NOT!  On the contrary, it is the Information Week reporter who brings up Silverlight and "Microsoft's antipathy towards Flash" which the commentators then latched on to and started an Adobe versus Microsoft fight.  How the hell Thomas's sentence morphed into Silverlight being held up as a cure to the malicious banner advertisement problem, by me or anybody else, is beyond comprehension.  As far as I know Microsoft has never said anything like that.  I don't say anything like that.  I don't know of anybody in my field who has said that.

I have not looked at Silverlight; I have not tested Silverlight; if you search my blog you will find that I have mentioned Silverlight *once*, and even then it was NOT mentioned in relation to malicious advertisements.  I do not know what user controls (if any) Silverlight provides, and I don't know if the criminals behind the malicious Flash advertisements will be able to abuse Silverlight in the same way that they do Adobe Flash.  So do me and everybody else a favour - stop putting words in my mouth.

I also see that "magenta" calls me a "Microsofter".  And Thomas Claburn says "It would thus be easy to dismiss Hardmeier's assertion as techno-partisanship..."  

Let's make something perfectly clear.  Yes I am a Microsoft MVP (here is my profile), and have been since 1999, but I am *NOT* and never have been an employee of Microsoft, nor am I a techno-partisan, nor am I biased towards Microsoft products.

My little black book of contacts includes upper-management names and email addresses at Microsoft and AOL and Google, at Doubleclick and ITV, at RealMedia and at Sensis, and at Valueclick, and contains the names of those responsible for management and control of myriad web sites around the world.  I am 'non denominational' and do not recommend Microsoft over another company unless I think they offer the best solution for a particular need. Heck, for years I promoted Deepnet Explorer as an alternative Web browser on my own web site (which is an Internet Explorer technical support site, by the way) until I got sick of Deepnet breaking file type associations all the time.  Even now it features Kopassa as an interesting alternative browser.

"magenta" then goes on to say "Let's see a study comparing how many people worldwide have been infected over the years with viruses due to Flash vulnerabilities, compared to how many have been infected due to Outlook vulnerabilities!"  Is "magenta" saying that it doesn't matter that Flash is being used a conduit to expose people to fraudware because Outlook has a problem too?  If so, that attitude sucks.  And anyway, Microsoft changed Outlook's (and Outlook Express) behaviour to address the problem of viruses by blocking access to some attachments and increasing security levels etc.  Is Adobe going to do the same with Flash now that they know that their product is being misused?

With regard to "how many people worldwide have been infected over the years", I would not be at all surprised if the number of computers exposed to fraudware via malicious banner advertisements is as high as the number of computers infected by Outlook vulnerabilities (there are a lot more Internet Explorer and Firefox users than there are Outlook users).  How many visitors do you think sites like expedia.com, rhapsody.com, nationalgeographic.com, excite.com, yahoo.com, mlb.com, ok-magazine.com and the myriad other sites that have been affected see per day? Per month? Per year?  That is how big this problem is.

Then we have BruceB saying "the ultimate responsibility is on the end user to keep their system up to date".  I'd love to know what update it is that BruceB thinks fixes the problem of the malicious SWF creatives and the redirects that they trigger.

This is what it all boils down to:

1. Victim visits a web site
2. Web site displays a malicious SWF advertisement
3. Malicious SWF advertisement redirects victim to another web site, immediately and without any user interaction required
4. Victim is exposed to fraudware and other security risks

Give us a way to stop that redirect - change things so that the redirect will not occur without user interaction.

Edited for clarity and to fix typos.