Several comments have been posted to my blog recently about a malvertizement problem at mininova.org:

http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1601871
http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1602159
http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1614547

Anyway, I went looking and found a thread that claimed the malvertizements had been identified and removed on 5 May, so I didn't take things any further (a decision which may have been a mistake):
http://forum.mininova.org/index.php?showtopic=235009007

Kimberley has now identified a malvertizement on mininova.org, again hosted by Akamai:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=60&gopid=87201&

The domains being used by the malvertizers are:

adoptserver.info
iexplorer-security.org
mystats.com
fastwebway.com
xponlinescanner.com

The malvertizement has been reported to Akamai.

Once again, communication and cooperation between anti-malvertizement activists around the world has resulted in success.

We have found the malicious malvertizements on photobucket.com - Kimberley has the details.

The incident has been reported to Photobucket.  The malvertizements themselves are not new.  Speedstick and TokyoDrift have been featured on this blog several times.  As noted by Kimberley, the malicious domains being used by the cretins behind the malvertizements are:

atlas-ads.com (host of a malicious SWF)
track.trackads.net
tds.maxconvert.com
adtds.trackads.net
spywaredestructor.com
adoptserver.info
iexplorer-security.org
fastwebway.com
xponlinescanner.com

photobkt-images.adbureau.net (host of a malicious SWF)

adbureau.net is Akamai - the incident has been reported.

Atlas-ads.com is registered via Estdomains, created on 10 April 2008.

 

Thanks to Susan for the heads up...

Cite:  http://blog.mozilla.com/security/2008/05/07/compromised-file-in-vietnamese-language-pack-for-firefox-2/

Cite:  https://bugzilla.mozilla.org/show_bug.cgi?id=432406

Anybody who downloaded and installed the Vietnamese language pack ***since 18 February*** will have received an infected copy.  Symptoms include the display of unwanted advertising.

Mozilla notes that because there were only "16,667 total downloads of the Vietnamese language pack since November 2007" it considers the impact on users to be "limited" - well, it may be limited in Mozilla's eyes, but I suspect that those affected will be less dismissive.

It is staggering that the infected file was in place and being distributed for over two and a half months. It is also staggering that Mozilla seemingly did (does?) not regularly re-scan the files it distributes to check for previously undetected malware. There is always a gap between a piece of malware being released into the wild and security products adding detection for it, so a file that scanned clean on the day it was uploaded can be flagged weeks later. By not regularly re-scanning all files available for download, Mozilla exposed its users to real risk.

The malware is named in the bugzilla thread as "HTML.Xorer".

Advice is to disable the Vietnamese Language Pack.

I received an email alert overnight warning that photobucket is displaying malvertizements.

The problem we face in tracking down the reported malvertizements on photobucket.com is that the advertisements are country-specific.

This blog has readers all over the world - if anybody has seen something, please grab proof using Fiddler and let me know.

 

We have gone from this... to this... or this, showing only online friends.

[Three screenshots: the old Me.dium sidebar, the new sidebar, and the new sidebar showing only online friends]

And we get a choice of backgrounds.  The last background, "70s Tux", doesn't seem to be working properly on my system.

Me.dium have chosen to turn off "find similar pages" by default; instead, Me.dium will only show you the pages that your online friends are currently viewing.  The Talk and Friend tabs are gone, and the Friend and Facebook panes can be closed.

You can only chat to people on your friends list, and the shout-out pane which anybody could use to "talk" to other Me.dium users is gone.

Unfortunately it has been necessary for me to remove the Me.dium widgets from my blog and website because the widgets are triggering certificate errors in Internet Explorer, specifically a warning that the certificate being presented by Me.dium was issued for a different web site's address.   This error can occur when a company owns several websites and uses a certificate issued for one web address on another site, and it does not necessarily indicate a security problem at the site, but it is still disturbing for visitors to my blog, and I do not want to contribute to desensitising people to security alerts (which is what I would be doing if I told people to ignore the error, or to install the certificate despite the error).  The widget therefore goes until the certificate issue is fixed.

[Screenshots of the six available backgrounds: Original, Night, Moss, Icy, Gum, 70s Tux]

Akamai supplies both an ActiveX and a Java-based download manager. The ActiveX control remains installed on the user's computer until it is manually removed.  It is important to note that Akamai's download manager has been used by vendors such as Symantec and Microsoft (eg: TechNet and MSDN) for file distribution.

Vulnerable versions:

Akamai Technologies Inc's DownloadManagerV2.ocx version 2.2.2.1
Akamai Technologies Inc's Download Manager Java Applet version 2.2.2.0

The security vulnerability makes it possible for an attacker to use the download manager to automatically download and execute files simply by tricking the victim into visiting a malicious web page.

The download manager user interface is displayed during an attack, but there may be insufficient time to cancel the download before exploitation occurs.

Workaround:

Setting kill bits for the control's CLSIDs prevents Internet Explorer from loading the ActiveX control (the kill bit does nothing for the Java applet; see below).  The CLSIDs are:

2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B
FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1

Disabling Java will prevent exploitation via the Java Applet.
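The following PowerShell script is an added example, not code from the original post or from Akamai or iDefense. It sets the kill bit for the two CLSIDs listed above and then checks whether the vulnerable DownloadManagerV2.ocx is still on disk. The kill-bit mechanism it uses is the one documented in Microsoft KB 240797: a DWORD named "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The file location and version numbers are taken from the advisory text; the script assumes a 32-bit Windows install (on 64-bit Windows, 32-bit IE reads the same key under SOFTWARE\Wow6432Node instead).

```powershell
# Added example (not from the original post, Akamai or iDefense).
# Sets the IE kill bit for the Akamai Download Manager CLSIDs and reports
# whether the vulnerable OCX is still present. Run from an elevated prompt.

$clsids = @(
    '{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}',
    '{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}'
)
$killBit = 0x400   # "Compatibility Flags" bit that tells IE never to load the control (KB 240797)
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

foreach ($clsid in $clsids) {
    $key = Join-Path $base $clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Preserve any flags already present and OR in the kill bit
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $killBit) -Type DWord
}

# Verify by reading the values back rather than trusting the write succeeded
foreach ($clsid in $clsids) {
    $flags = (Get-ItemProperty -Path (Join-Path $base $clsid) -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band $killBit) { 'kill bit set' } else { 'KILL BIT NOT SET' }
    Write-Output ('{0}: Compatibility Flags = 0x{1:X} ({2})' -f $clsid, $flags, $state)
}

# The kill bit stops IE loading the control but leaves the file on disk.
# Report the file version so the vulnerable 2.2.2.1 build can be told apart
# from the fixed 2.2.3.5 release after the upgrade.
$ocx = Join-Path $env:windir 'Downloaded Program Files\DownloadManagerV2.ocx'
if (Test-Path $ocx) {
    $ver = (Get-Item $ocx).VersionInfo.FileVersion
    Write-Output "DownloadManagerV2.ocx still present, file version $ver"
} else {
    Write-Output 'DownloadManagerV2.ocx not found under Downloaded Program Files'
}
```

Restart Internet Explorer after running it; IE reads the compatibility flags when it next tries to instantiate the control. The kill bit is a belt-and-braces measure that remains useful even after upgrading, since it blocks the old CLSID regardless of which file version is present.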

Akamai has fixed this vulnerability in version 2.2.3.5 of their download manager product. Please refer to the following URL for upgrade instructions (and don't forget to make sure that the vulnerable ActiveX control has been removed - you will find it in C:\Windows\Downloaded Program Files, under the file name "DownloadManagerV2.ocx"):

http://dlm.tools.akamai.com/tools/upgrade.html

Cite: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=695

You will be unable to remove IE8 Beta or IE7 after installing Windows XP SP3 because Microsoft wants to make sure that you do not encounter a problem commonly known as "DLL Hell".

IE8 Beta 1 users

You will NOT be offered Windows XP SP3 unless and until you remove IE8 Beta 1.  This is because if you install Windows XP SP3 without removing IE8 Beta 1, you will no longer be able to remove IE8 Beta 1 and the Remove option will be greyed out in Add/Remove Programs.

Internet Explorer 7 Users

You will be offered Windows XP SP3 as a high priority update BUT if you install it you will not be able to remove IE7 without removing Windows XP SP3 first.  It is recommended that you remove IE7, then install Windows XP SP3 then re-install IE7.

Internet Explorer 6 Users

You will be offered Windows XP SP3 as a high priority update.  Windows XP SP3 ships with an updated version of IE6.  No need to do anything else.

 

Over the past few days I have been reading through the Microsoft Security Intelligence Report covering the period July through December 2007.  Although the bulk of the report focuses on security vulnerabilities, there are statistics specific to "rogue security software" (aka fraudware) and "potentially unwanted software" that I found interesting:

  • The most prevalent rogue security software detected in the second half of 2007 was Win32/Winfixer, with more than five times as many detections as any other single family.  The report notes that "many of the more prevalent malware families rely on social engineering tactics that trick the user into taking action that bypasses or lessens the effectiveness of the user's existing protection".  I'm hoping as time goes on that I will see fewer "get Firefox" or "get a Mac" comments in response to reports of various fraudware outbreaks, as people come to realise that such responses do not address the base problem of social engineering.

  • The most prevalent malware family (as distinct from rogue security software) was Win32/Zlob, which was removed more than three times as often in the second half of 2007 (and from twice as many computers) as any other individual malware family.  Often disguised as a media codec (there's that social engineering again), Zlob uses pop-up advertisements and fake security alerts to encourage the victim to install, you guessed it, rogue security software.

  • The second most prevalent malware family was Win32/Renos.  Renos, like Zlob, is used to install rogue security software.  Renos was found to have infected 79% more distinct computers during the second half of 2007 than was detected during the first half of the year.

  • The top potentially unwanted software family detected in the second half of 2007 was Win32/Hotbar (which, ironically, I have seen advertised via the Windows Live Messenger advertising pane).  Win32/Hotbar was in 4th place during the first half of the year.

  • 129.5 million pieces of potentially unwanted software were detected between July 1 and December 31 2007, resulting in 71.7 million removals.  This is an increase of 66.7% in total detections and 55.4% in removals over the first half of 2007.

  • Adware remained the most prevalent category of potentially unwanted software in the second half of 2007, with detections up more than 66%, from 20.6 million to 34.3 million.

  • The most infected country/region in Europe is Albania; the least infected are Austria and Finland.  In the Asia-Pacific region the most infected countries/regions are Mongolia and Vietnam, and the least infected are Taiwan and Japan.

  • When prompted about rogue security software, nearly 60 percent of users choose to remove it immediately, with a large proportion of the rest choosing to quarantine the software (I admit to not understanding why only 60% of users are removing rogue security software).

It should be noted with regards to points 3, 5 and 6 that some of the increase can be attributed to an increase in the number of computers running Microsoft's detection and removal tools, and "changes in the distribution practices for different pieces of potentially unwanted software [that] can have an effect on how many people are exposed to it and how often, and how they tend to respond to alerts raised about the software".

You can get your own copy of the Microsoft Security Intelligence Report at this URL:
http://www.microsoft.com/downloads/details.aspx?FamilyId=BCC879DB-9FE6-4331-B231-E274EA8FC804&displaylang=en

 

As irritating as it may be to have to approve every comment to this blog, and as disheartening as it is to know that the cretins behind spam are using tools that maximize output whilst minimizing personal effort, I still derive pleasure from seeing them screw up.

Spyware Sucks was hit by a spike in spam comments that managed to get through the filters, BUT I was pleased to see that every single comment that got through the filters contained the same error - it seems that an attention to detail and the ability to complete the fields in a spam-tool properly is not a quality enjoyed by this particular spammer...

Another cry for help received via email...

"You are my last best hope...  I am just a regular guy from NY (not the city) with a problem.  My homepage in IE7 is locked on a page I don't want.  I try to change it in Internet options and it even says the homepage I want but it always goes to this other page. I set the page a month ago and now it won't go back.  I even reinstalled IE7 but no luck. Any ideas?  I can even send you a few bucks if you can help me out..."

Manufacturer/ISP Locking

Some computer manufacturers and suppliers of internet access set IE to their choice of home page and lock that setting via the registry. Hijackers use the same trick. The locking is done using the registry settings described in the following article:

Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page Setting (Q320159)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q320159 

Specific registry settings affected are:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] - DWORD "HomePage"=dword:00000001 (grays out the whole section)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] - DWORD "NoSetHomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions] - DWORD "NoSetHomePage"=dword:00000001
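As an added example (not from the original post or from the Microsoft article), the following PowerShell script checks the three policy values listed above and reports which of them, if any, is holding the home page in place, alongside the page IE will actually open. The "Start Page" value under HKCU\Software\Microsoft\Internet Explorer\Main is where IE stores the user's home page; everything else is taken from the list above. Run it as the affected user, since two of the three keys are per-user.

```powershell
# Added example (not from the original post or KB 320159).
# Reports which home page lock policies are set and what IE's home page currently is.

$checks = @(
    @{ Path   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Name   = 'HomePage'
       Effect = 'Home page section of Internet Options greyed out' },
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoSetHomePage'
       Effect = 'Home page cannot be changed (machine-wide policy)' },
    @{ Path   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
       Name   = 'NoSetHomePage'
       Effect = 'Home page cannot be changed (per-user policy)' }
)

$locked = $false
foreach ($c in $checks) {
    # Missing key or value is the normal, unlocked state, so suppress the error
    $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($val -eq 1) {
        $locked = $true
        Write-Output ('LOCKED  {0}\{1} = 1  -> {2}' -f $c.Path, $c.Name, $c.Effect)
    } else {
        Write-Output ('clear   {0}\{1}' -f $c.Path, $c.Name)
    }
}

# The page IE opens on startup lives in the user's Internet Explorer\Main key
$main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start = (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
Write-Output "Current Start Page: $start"

if ($locked) {
    Write-Output 'A policy lock is in place. Work out who set it (OEM or ISP software, antispyware immunisation, or a hijacker) before removing it.'
    Write-Output 'To clear a lock: Remove-ItemProperty -Path <key> -Name <value>, then restart Internet Explorer.'
} else {
    Write-Output 'No policy lock found. If the home page still reverts, check protective software and scan for malware.'
}
```

If the script reports a lock but none of your own tools set it, treat the machine as suspect rather than simply deleting the value: a hijacker that wrote the policy is usually still running and will write it back.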

Protective software

Check your protective software (especially antispyware and antivirus).  Spybot Search and Destroy, for example, has a feature that will lock your home page.  Other products that may lock your home page include Ad-aware's Ad-Watch, SpywareBlaster, SpySweeper, Norton AntiVirus, McAfee VirusScan and Antispyware, and both versions of Zone Alarm.

If you are using Spybot S&D, check your 'Immunize' settings which may be locking your home page.
 
Malware and viruses

If your home page has been set to about:blank, or to any other page you did not choose, and none of the above explains it, you have a malware problem. For advice on fighting malware, check out the link below - the page is a little old, and probably needs updating, but overall the advice is still good:
http://inetexplorer.mvps.org/tshoot.html

 

Over the past few days I have seen a spike in the number of emails asking for help with website certificates.  For example, two correspondents have written:

"Thanks for providing the information about problems with certificates of IE7 in your website.  I tried to follow your instructions to access a secured site in IE 7 which I used to trust.  I clicked on the Certificate Error button, and then the View Certificate link, but I could not find the Install Certificate link or button.  Please advise."

and

"I admin a Citrix site that uses a SSL cert from VeriSign. We just renewed our cert, and I have a user running Vista and IE 7 who can't remove the old cert because the button is grayed out. After looking over your IE support site I was going to try lowering security to see if that works. The user claims he has admin rights to the PC."

Both users should run IE7 with Administrator rights (which is different from being logged in to the computer as a local administrator).  This is achieved by right-clicking the IE7 icon and selecting "Run as Administrator".

 

Washington State Attorney General Rob McKenna today announced another win in the state’s fight to protect consumers from online fraud. A King County Superior Court Judge found that Internet affiliate advertisers Securelink Networks, LLC, and NJC Softwares, LCC, and their officers violated Washington’s consumer protection and spyware laws while marketing registry-cleaner software.

“Some people say you can’t police the Internet but today’s court ruling proves we can,” McKenna said. “We’ve reached another victory in our crusade to make the Internet a safer place for consumers and a fair, competitive environment for business.”

The Attorney General’s Consumer Protection High-Tech Fraud Unit filed its suit in February 2007 against California-based defendants Securelink Networks, LLC, and owner Manuel Corona, Jr., of Brea; NJC Softwares, LCC, and company officer Rudy O. Corella, of Lake Elsinore; and FixWinReg and owner HoanVinh V. Nguyenphuoc, of Redondo Beach.

The defendants were accused of using Net Send messages and deceptive free scans to market each other’s products, including Registry Sweeper Pro, Registry Rinse, Registry Doc, Registry Cleaner 32 and Registry Cleaner Pro.

King County Superior Court Judge Glenna Hall today granted the state’s requests for summary judgment, ordering Securelink Networks and NJC Softwares and their owners to provide refunds to hundreds of Washington consumers who bought products owned or advertised by the defendants.

Additionally, the businesses will each pay $400,000 in civil penalties and $141,000 in attorneys’ fees and costs. The orders prohibit them from using Net Send messages to promote products or services, misrepresenting that a consumer’s computer is at risk, installing software without the computer user’s consent, making other misrepresentations and failing to review all advertisements for products they own.

According to court documents, the defendants advertised their products by sending Net Send messages to computers running Windows Messenger Service. Windows Messenger Service, not to be confused with the instant-messaging program Windows Live Messenger, is primarily designed for use on a network and was traditionally used by network administrators to broadcast pop-up messages to computer users about service outages.

The messages resembled system alerts with alarmist wording such as “WARNING! WINDOWS REQUIRES IMMEDIATE ATTENTION. Windows has detected CRITICAL SYSTEM ERRORS. … FAILURE TO REPAIR AN INVALID OR CORRUPT SYSTEM REGISTRY MAY LEAD TO DATA LOSS OR SYSTEM FAILURE!”

“The defendants’ deceptive pop-ups directed consumers to Web sites where they were encouraged to download a free trial version of software that will scan their computer for registry errors,” said Assistant Attorney General Katherine Tassi. “In every case, the scan identified ‘critical errors.’ In order to remove the so-called errors, consumers were told they had to pay $29.95 or more to buy the full version of the program.”

Corella was also found to have transmitted bundled software that changes Internet browser home pages. While downloading a trial version of Registry Doc, an unrelated search toolbar called Twikibar installed itself on users’ computers.

HoanVinh V. Nguyenphuoc and FixWinReg agreed to a settlement in October 2007. Under the agreement, which did not include a finding or admission of wrongdoing, he paid $25,000 in attorneys’ costs and fees. He’ll pay an additional $75,000 in civil penalties if he fails to comply with the settlement, which includes similar injunctive provisions prohibiting misrepresentations in marketing products or services.

The Attorney General’s Consumer Protection High-Tech Unit has brought a total of six lawsuits under Washington’s Computer Spyware Statute, RCW 19.270, since the law was approved by the Legislature in 2005.

McKenna thanks Tassi and forensics investigator Rebecca Henderson for their work on this case.

“Our Consumer Protection High-Tech Fraud Unit’s record speaks volumes. Assistant Attorney General Katherine Tassi, who led this case, has a black belt in kung fu and another in fraud fighting,” McKenna said.

DOCUMENTS:

Securelink Networks and Manuel Corona, Jr. summary judgment

NJC and Rudy O. Corella summary judgment

FixWinReg and Nguyenphuoc Settlement

Securelink, NJC and FixWinReg Complaint
