September 2005 - Posts

I'm in Seattle from 24 September till 1 October inclusive for a Publisher's Summit and this year's MVP Summit so things may be quiet for a while.

I see Patchou reports that Microsoft has fixed the MSAS misdetection of Messenger Plus' executable, and some are claiming that this happened because of the petition, and because of various Messenger-devoted forum posts and messages (Patchou says “You can be sure that the support you gave to Messenger Plus! on so many internet sites and forums, in addition to the petition, is what made this change a reality”).

Microsoft has fixed other problems/misdetections with MSAS!  Reporting an error via the standard reporting channels is all that is required.  Several other false positives have been fixed during the past couple of weeks. 

The day that I have proof that MSAS changed their detections for any reason other than genuine error and the day a petition is required before corrective action is taken, is the day I actively start campaigning against the product.  That day has not come.

Historical blogs:

9 Sept 2005 - http://msmvps.com/spywaresucks/archive/2005/09/06/65524.aspx
27 August 2005 - http://msmvps.com/spywaresucks/archive/2005/08/27/64290.aspx
24 August 2005 - http://msmvps.com/spywaresucks/archive/2005/08/24/63918.aspx
19 August 2005 - http://msmvps.com/spywaresucks/archive/2005/08/19/63394.aspx
18 August 2005 - http://msmvps.com/spywaresucks/archive/2005/08/18/63180.aspx

http://my.opera.com/community/forums/topic.dml?id=103038

“anybody have any experience ridding themselves of this malware?...it will not go away by using every spyware tool out there...driving me crazy with constant opening of tabs in Opera???...thanks”

I don't know how the machine was infected (via Opera? via IE? via something else?), and have no intention of drawing any conclusions, but I will say this - it's good that the malware adverts are corralled into tabs instead of popping up all over the screen - even better if they open in the background so we don't have to look at the content of the damn things ;o)

And it's about time too:
http://www.opera.com/free/

"We want to become the second-biggest browser. The number one (held by Microsoft's Internet Explorer) is a little inaccessible," Opera Software chief executive Jon von Tetzchner said.

A lighter version of Opera has until now been available for free download on the internet, but with ad banners.

"We've always stood up well in comparison with our competitors in technical tests but users disliked that they had to pay $US39 and that we had ads. We decided to eliminate these obstacles in order to attract users," Mr von Tetzchner said.

"This decision is not aimed at Firefox. It's aimed at increasing our market share," he said.

Source:
http://australianit.news.com.au/articles/0,7204,16673017^15318^^nbv^15306,00.html

I've always liked Opera, even with the banner ad - that being said, I'm pleased it's gone :o)

As many of you may know, I have been a Microsoft MVP specialising in Internet Explorer since October 1999.  Some of you may expect my answer to my byline question to be "Internet Explorer is safest".  You'd be wrong.

Symantec has released its Internet Security Threat Report for 2005.  You can download a copy here:
http://enterprisesecurity.symantec.com/content.cfm?articleid=1539

Symantec say a lot of stuff in the document, but specific to web browsers, they say:

"During the first half of 2005, the Mozilla browsers, including Firefox, had the most vulnerabilities of all browsers. During this period, 25 vendor confirmed Mozilla vulnerabilities were disclosed, compared to 32 in the previous reporting period and two in the first half of 2004. 18 of the 25 Mozilla vulnerabilities in this period, or 72%, were classified as high severity. This is up from the 14 high-severity Mozilla vulnerabilities in the second half of 2004 and one in the first half of 2004.

During the first six months of 2005, 13 vendor confirmed Microsoft Internet Explorer vulnerabilities were disclosed. This is a decrease from the 31 documented in the second half of 2004. During the first half of 2004, seven Internet Explorer vulnerabilities were confirmed by Microsoft.

The average severity rating of the vulnerabilities associated with Internet Explorer during the first six months of 2005 was high. Eight of the 13 Internet Explorer vulnerabilities disclosed during the current period, or 62%, were considered high severity. 18 Internet Explorer vulnerabilities were considered high-severity in the last six months of 2004, amounting to 58%. In the first half of 2004, four of the seven, or 57%, were rated high severity."

Symantec also says:

"The time between the disclosure of a vulnerability and the release of associated exploit code decreased from 6.4 days to 6.0 days. In addition, an average of 54 days elapsed between the appearance of a vulnerability and the release of an associated patch by the affected vendor."

Several news sites have picked up on the Symantec report, but if you are interested in the topic then I recommend that you download and read this document for yourself rather than depend on the opinion of the popular press.  Why? Well, first of all, the original PDF document is 106 pages long - it's hard to distill such a long document into a few hundred words - believe me, I tried ;o)  It's also hard to accurately distill the entire document into a few snappy bylines.

Secondly, interpretation varies depending on a person's perspective.  For example, news.com.au says (after interviewing the Australian Managing Director of Symantec):
http://australianit.news.com.au/articles/0,7204,16650762^15306^^nbv^,00.html

"Mr Sykes said the increasing popularity of open source software, such as the Mozilla Foundation's Firefox browser, could be part of the reason for the increase in the gap between vulnerability and patch, with the open source development model itself part of the problem."

Yet the Symantec report itself says:

"The fact that Mozilla browsers had the most vendor confirmed vulnerabilities over the past two six-month periods may suggest that Mozilla is currently acknowledging and fixing vulnerabilities more quickly than other vendors. This could be because the Mozilla browsers are open source and may be more responsive to reports of new vulnerabilities and subsequently developing and delivering associated patches."

It has always been a pet hate of mine how the more extreme proponents of different operating systems and browsers put their particular favourite forward as some type of panacea.  The Symantec report makes it plain that there is no panacea - no browser or operating system is 'safe'.   I say read the document to learn of the latest trends - arm yourself with knowledge - but don't use the document as a weapon in the Firefox/IE and Windows/Mac/Linux wars.  We have to *try* to stay neutral when helping our users stay safe.  The spread of vulnerabilities across many different browsers shows that we should *not* hold up one particular browser or operating system as the ultimate - and we should not encourage such a false sense of security.

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

I worked with this product during the beta and must say that I was and am very impressed.  If you have kids, or a shared computer, or run an internet cafe, or have a computer that is accessible to the public, you will find it a very powerful tool for protecting your computers, and your users or family.  It may prove to be a very powerful tool in the fight against malware (although because of insufficient disk space I have not been able to do sufficient testing of this feature - Windows Disk Protection requires a minimum of 1 Gig unallocated disk space).

I strongly recommend that you read all information, and watch the webcast *before* installing and using the toolkit, and proceed with caution. This is a very powerful utility.  Leave one administrator account unmanaged.

More later...

A friend has asked me to check out “Columba”, a Java-based email client available at http://columba.soundforge.net

I must admit, my initial reaction was a shudder.  As a rule I don't like Java-based applications.  I particularly remember when Novell rolled out ConsoleOne - a Java-based management client that was/is as slow as a dog and an absolute pain to use.

I must admit, Columba is quick, but it is also nowhere near ready for prime time.  First, it downloads remote graphics by default.  This is a big security risk.  Embedded remote graphics are the number one way that spammers confirm whether or not a particular address is live.  I hope those behind Columba get that problem fixed, quick smart.

While on the topic of HTML emails and remote graphics, I opened an HTML email from Harvey World Travel which included remote graphics, and from that moment on Columba refused to display anything but that email - even when other emails were selected.  After shutting down and restarting Columba it simply refused to display any email at all!

Double clicking an email opens an empty window - another bug.

The setup is easy enough - mind you, setting example name of 'Bill Gates' and sample mail server as 'mail.microsoft.com' is just a little preoccupied, don't you think?

Currently the anti-spam feature isn't working - they'd better get that fixed - Outlook Express 7 (sorry, Windows Mail) will, at time of writing, include an anti-spam feature (yes, I say at time of writing - I remember how Microsoft was sued the last time they tried to add an anti-spam feature to Outlook Express, back during the beta of version 5 - nothing is certain in this world until products are released).

Ok, so if you are using Windows, what version do I recommend you install?  That's easy - the Windows installer *without* Java.  This is because you *must* ensure you have the latest version of the Sun Java client, and the only way to do that is to go direct to Sun and download the latest version:
http://www.java.com/en/download/manual.jsp

While we're on the topic of Sun Java... watch out... when you update Sun Java, older vulnerable versions of the product are not removed automatically - this is a big problem - more information here:
http://msmvps.com/spywaresucks/archive/2005/08/22/63670.aspx

Ok, that's it for now. I've only scratched the surface of the product.  It's fast, and has potential, but is nowhere near ready for prime time, and I'm not comfortable recommending it yet.

It's a *really* slow day here.  I am installing Windows Vista 5219 to a Microsoft Virtual PC VM as we speak, but thanks to a bug that I am unable to fix, the virtual machine is running as slow as molasses - despite my laptop being a 1.2 Intel with over 800 Meg devoted to the VM.

But that's neither here nor there - while Vista is installing my laptop is pretty much useless, making it well nigh impossible to get done what I need to do.   So, I have two choices - kick back and watch DVDs with the kids and eat too much, or catch up on other stuff - y'all who know me well know which path I will choose...

Which leads me to the topic of my discussion - the new Internet Explorer Developer Toolbar.  This is a seriously useful utility (despite my site failing its CSS and HTML tests).

Ok, anyway.... the tool works with IE6 and IE7 and is well worth a look-see.  The IE team blog which mentions the tool is here:
http://blogs.msdn.com/ie/archive/2005/09/16/469686.aspx

If you are a casual web surfer - let's be realistic - the tool is of no worth to you - but if you are a developer it is extremely useful - one of my correspondents described it today as “probably one of those things where you wonder how you got on without it before.”


Google helps you search web sites, it helps you search newsgroups, it helps you search your computer... now it helps you search Blogs.

http://blogsearch.google.com/blogsearch

It seems to be truly dynamic... with search results changing regularly depending on who is the very latest to mention a particular topic.  For a short while there, I was the number one hit for 'Patchou' and I'm still the number one hit for 'Trend Antispyware' - thanks to this entry:
http://msmvps.com/spywaresucks/archive/2005/07/16/57639.aspx

Bryan Starbuck, the Dev Lead for Outlook Express and all-around nice guy, survived being interviewed by Robert Scoble for Channel 9.

Outlook Express will be renamed to Windows Mail in Windows Vista.

The video interview includes shots of OE in Windows Vista in action - go check it out:
http://channel9.msdn.com/showpost.aspx?postid=116711

Side note: It's quite ironic that OE will finally have a spam filter.  Some of us remember how OE *nearly* had a spam filter back when OE5 was being readied for release, until Blue Mountain sued Microsoft, forcing the removal of the filter.

Nowadays Microsoft (or more precisely MSN) are friends with Blue Mountain again - Blue Mountain provides the animated winks and backgrounds for MSN Messenger.  How times change.

Back in March of this year I wrote a column entitled "Bug Busting: Getting Rid of Spyware".  In it I advise:

"Some people recommend that System Restore be turned off and all Restore Points deleted before attempting spyware removal. DO NOT DO THIS. If something goes wrong (anything is possible) you will have no way to reverse your actions. You'll want to delete your old Restore Points, but the time to do that is later, not now."
http://www.microsoft.com/windows/IE/community/columns/bugbusting.mspx

Other MVPs are of a like mind.  For example, Jim Eshelman, MVP of aumha.net, in his article at http://aumha.net/viewtopic.php?t=15265&sid=f99fc4aceedff192a5242516fe78cd83 says:

"..it is also true that, in cleaning highly infected systems, sometimes you make mistakes that cripple Windows and it is better to be able to take a step back to a working version of Windows - even an infected one! - rather than have Windows trashed completely. To quote Mow Green, "a leaky lifeboat is better than no lifeboat in a storm."

What we recommend is: (1) Understand that using System Restore on an infected system MIGHT [my emphasis] bring back virus-infected files you don't want. (2) Leave System Restore in place until your computer is clean and stable. (3) Then get rid of the old infected restore points."

Donna Buenaventura, MVP of dozleng.com and a member of the Alliance of Security Analysis Professionals says:

"Deleting your restore point prior cleaning the system is not the first thing to do."
http://dozleng.com/internetsecurity/?p=72

Unfortunately, some companies and advisors advocate disabling system restore *before* attempting a cleanup.  This is dangerous advice.  First, things can and do go wrong when attempting to remove malware.  Second, the Restore Points may not be infected anyway.  Third, any malware that may be in a Restore Point is harmless unless and until System Restore is used to restore a system to an earlier state, and that won't happen without direct user intervention.

You say things can and do go wrong when attempting to remove malware.. what could go wrong?
The most common problem caused by the removal of malware is an inability to access the internet. One of the first widespread, and consequently high profile, examples of this problem was the removal of the now infamous new.net back in 2002. 

After new.net was removed using what was, at the time, the most popular antispyware product around (AdAware), victims were left unable to access the Internet:
http://inetexplorer.mvps.org/data/newnet.htm

An inability to access the internet is not the only thing that can go wrong.  A system may be left unstable after malware removal - Internet Explorer may crash or no longer run - worst case scenario is a system that is unable to load Windows at all. 

If System Restore is disabled there is no easy way to recover when things go wrong.  We should never leave ourselves, or those we advise, in the position of having no easy way back, but that is what is happening when people are told to disable System Restore before attempting a cleanup.  For a person who owns more than one computer, or has access to somebody else's machine in an emergency, or who has the support of a friendly IT Department or Helpdesk or resident geek with sufficient knowledge to undo the damage, losing internet access or being left with a damaged machine does not leave them isolated from help. But for the normal home user with only one machine, it can be disastrous.

You say the Restore Points may not be infected.. how is this possible?
System Restore does not monitor all files and folders.  The default file and folder inclusions and exclusions in effect on a particular machine are listed in a file called filelist.xml, saved to the directory C:\WINDOWS\system32\Restore\

Microsoft lists the default file type inclusions at this URL:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sr/sr/monitored_file_extensions.asp

Of particular interest to us when discussing Web based malware are the Internet Explorer related directories that are *not* monitored by default which include:

..\cookies
..\favorites
..\History
..\internetcache
..\Downloaded Program Files
..\Offline Web Pages
..\temp
..\TMP
..\Documents And Settings\All Users\Favorites
..\Documents And Settings\All Users\Documents
..\Documents And Settings\Default User\My Documents
..\Documents And Settings\Default User\Favorites
..\Documents And Settings\Default User\Cookies
..\Documents And Settings\Default User\Cache
..\Documents And Settings\Default User\Local Settings\History
..\Documents And Settings\Default User\Local Settings\Temp
..\Documents And Settings\Default User\Local Settings\Temporary Internet Files

If malware has dumped its wares into the commonly used folders listed above, deleting Restore Points is a waste of time. 

It is especially important to note that ..\Downloaded Program Files is excluded from System Restore.  This is the folder to which add-ins, BHOs, chat plugins, Java, ActiveX files etc. are saved when downloaded via Internet Explorer.

The inclusion of *:\Documents And Settings\*\Application Data\Microsoft\Internet Explorer\Quick Launch poses no danger.  These are simply the shortcuts that appear on the Quick Launch taskbar.
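To make the point above concrete, here is a small triage helper (an added example, not code from the original post) that applies the excluded-folder list from this entry to files left behind after a cleanup and reports which of them could even be present in a Restore Point. The sample paths are constructed, the "..\" semantics are my reading of filelist.xml, and the small set of monitored extensions is an assumption rather than Microsoft's full list.

```python
"""
Added example (not from the original post): decide which cleanup leftovers
System Restore could have captured at all, using the exclusions listed in
the post. Sample paths are constructed; MONITORED_EXTS is an assumption.
"""
import ntpath

# Exclusions quoted from the post (a subset). Assumption about filelist.xml
# semantics: a leading "..\" means "this folder chain at any depth".
EXCLUDED_DIRS = [
    r"..\cookies",
    r"..\favorites",
    r"..\History",
    r"..\internetcache",
    r"..\Downloaded Program Files",
    r"..\Offline Web Pages",
    r"..\temp",
    r"..\TMP",
    r"..\Documents And Settings\All Users\Favorites",
    r"..\Documents And Settings\Default User\Local Settings\Temporary Internet Files",
]

# Assumption: a handful of the file types System Restore actually tracks.
MONITORED_EXTS = {".exe", ".dll", ".sys", ".ocx", ".inf", ".scr"}


def _components(path):
    """Case-folded, backslash-normalised path components (ntpath works on any OS)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return [c for c in norm.split("\\") if c and c != "."]


def is_excluded_dir(path):
    """True if the file's folder chain contains an excluded run of folders."""
    dir_parts = _components(ntpath.dirname(path))
    for rule in EXCLUDED_DIRS:
        rule_parts = _components(rule[3:] if rule.startswith("..\\") else rule)
        n = len(rule_parts)
        for i in range(len(dir_parts) - n + 1):
            if dir_parts[i:i + n] == rule_parts:
                return True
    return False


def restore_point_covers(path):
    """A file lands in a Restore Point only if its folder is monitored AND its
    extension is a monitored type; both conditions must hold."""
    ext = ntpath.splitext(path)[1].lower()
    return not is_excluded_dir(path) and ext in MONITORED_EXTS


def triage(paths):
    """Split leftovers into (could be in a Restore Point, cannot be)."""
    covered = [p for p in paths if restore_point_covers(p)]
    uncovered = [p for p in paths if not restore_point_covers(p)]
    return covered, uncovered


# Constructed sample leftovers from a hypothetical cleanup.
SAMPLE_PATHS = [
    r"C:\WINDOWS\Downloaded Program Files\evil.ocx",
    r"C:\Documents and Settings\Jane\Local Settings\Temp\dropper.exe",
    r"C:\WINDOWS\system32\badhook.dll",
    r"C:\Documents and Settings\Jane\Cookies\jane@tracker[1].txt",
    r"C:\Program Files\Adware\loader.exe",
]

if __name__ == "__main__":
    covered, uncovered = triage(SAMPLE_PATHS)
    print("Could be in a Restore Point:", *covered, sep="\n  ")
    print("Not covered (deleting Restore Points changes nothing):", *uncovered, sep="\n  ")
```

Only the system32 DLL and the Program Files EXE come back as "covered"; the three files under excluded folders would never have been in a Restore Point in the first place.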

You say any malware that may be in a Restore Point is harmless unless and until System Restore is used .. how is this possible?
It is important to understand that files in the _Restore folder are inactive - think of it as a type of suspended animation.  Only the System Restore process itself is able to access files in that folder.  Hostile programs and processes cannot, of themselves, use a Restore Point to reinstall or repair themselves. 

To be clear, an application can *create* a Restore Point, it can *remove* a Restore Point, but it cannot *use* a Restore Point.  (Under debate)

Is there any benefit to disabling System Restore before attempting malware removal?
No. There is no harm in leaving a Restore Point in place as an emergency backup in case things go wrong. Do not leave yourself with no easy way out if malware removal causes problems.

Ok, so what is the right thing to do?
Follow the instructions at the URL below to try to clean your system:
http://www.microsoft.com/windows/IE/community/columns/bugbusting.mspx

You will see that my article:

  1. advises you to create a backup of essential data and a Restore Point before doing anything else (because we don't know if/when the last point was created, and we want to be able to undo immediate damage);
  2. recommends several cleaners and, just as importantly, two programs that should fix LSP problems;
  3. shows you how to use the helper programs to greatest effect;
  4. shows you how to create a 'known good' Restore Point after your system has been cleaned;
  5. shows you how to avoid infection in the future.

A last word
There are articles on the Microsoft site and elsewhere that advise you to disable System Restore before attempting a cleanup - please, do not follow that advice.  I and other MVPs who have been dealing with malware for a long time, and have seen what can go wrong even for the experienced, are trying to convince the authors of such articles to see the error of their ways, but it's an uphill battle.

Did you know that there is a special utility available on MSDN that makes it easy to add RSS to your web site?  Check it out here:
RSS Tool for FrontPage 2003

There is a URL circulating that purports to fight back against phishing sites, being http://www.phishfighting.com/

Sunbelt reckons it's “fun” to fight back:
http://sunbeltblog.blogspot.com/2005/09/sparring-with-phishers.html

Here's the deal.  The sentiment is great, but the reality is not.  Having “fun” is of no practical use (although it may make you feel good).

Many phishing sites are hosted on compromised computers - computers that have been hacked.  The owners have no idea what has happened to their systems, and invariably each phish site only lasts 5 to 9 days (on average) before the phishers move on.

Who are we punishing here?  The victim whose computer has been hacked and who has to pay for the phisher's bandwidth, and now the bandwidth generated by sites like phishfighting?  Are we punishing the phishers? They don't care.  When one site is compromised they simply create a new one. 

We're dealing with professionals who are more than capable of weeding out and discarding fake data.  All they need to do is whip up a little programme that will retrieve, and test, information provided with no human interaction or effort.  If you think that there is a person, or a series of people, wading through print-outs trying out each log-on by hand, I'm betting you're wrong in that assumption.  Think about it. How many millions of phish emails do you think are sent out every day? 

Microsoft reported in their Anti-Phishing White Paper back in mid-2005 that over $2 billion has been lost to phishers. $2 billion!!!  With that sort of money the phishers can handle as much fake data as phishfighting can throw at them.

Let's also consider the fact that unless phishfighting changes their IP address regularly their fake data is easily captured and dumped.  It's very easy to whip up a programme to search for multiple submissions from one IP, and just as easy to find submissions sent via anonymous remailers and cloakers.

Not only that, the Anti Phishing Working Group advised in their July report that there has been a 100% increase in the number of phishing sites that attempt to infect systems with keyloggers and trojans to capture sensitive information such as usernames and passwords.  The implications are far worse, in such circumstances, than the compromise of username and password for one financial institution.

What is phishfighting's “Method One” for retrieving a phishing URL?  They say “Simply click on the link and copy the real url from the browser bar.  Caution: This method can be hazardous. If your system is not well protected, it is possible that clicking the link could download viruses, trojans or other unwanted programs.”  (Part of that text was added after this blog entry first went live - at least we know those behind phishfighting are listening.)

NO!!!  DON'T DO IT!!!!!  Don't open the email!!!  Don't click on the link!!!!! 

Edit: Let's expand on this - if a phishing email includes remote graphics, and your email client is set to download such things, simply by opening the email you are confirming that your email address is “live”, making it immediately valuable to all kinds of spammers, and saleable.

URLs used by spammers and phishers are sometimes unique - another way that spammers sniff out whether an email address is live or saleable. 

This means that, even if they don't get your financial details, the scammers can still make money off you by selling your name and your email address to other spammers and phishers.  Please, don't expose yourself to the bad side of town like that.
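The remote-graphics problem raised here, and earlier in the Columba review, seen from the mail client's side: an added example (not code from the original post or from any mail client mentioned) that finds every remote `<img>` in an HTML message, neutralises it before rendering so nothing is fetched, and flags image URLs that look recipient-specific. The message is constructed and the "unique URL" heuristic is an assumption.

```python
"""
Added example (not part of the original post): block remote images in an
HTML email before it is rendered, and flag likely tracking URLs.
Sample message is constructed; TOKEN_HINT is a heuristic assumption.
"""
import re
from email import message_from_string
from html.parser import HTMLParser

# Anything fetched over the network when rendered; cid: and data: are left alone.
REMOTE_SRC = re.compile(r"^\s*(?:https?:|ftp:)?//", re.I)
# Assumption: a query string or a long hex run in an image URL is a likely
# per-recipient token, i.e. a "unique URL" used to confirm a live address.
TOKEN_HINT = re.compile(r"[?&=]|[0-9a-f]{16,}", re.I)
# Matches the src attribute up to (not including) its closing quote.
SRC_ATTR = re.compile(r"""src\s*=\s*(["']?)[^"'\s>]+""", re.I)


class RemoteImgFinder(HTMLParser):
    """Collect the raw text of every <img> whose src is remote."""

    def __init__(self):
        super().__init__()
        self.remote = []  # (raw tag text, src value)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        src = dict(attrs).get("src") or ""
        if REMOTE_SRC.match(src):
            self.remote.append((self.get_starttag_text(), src))


def sanitize_html(html):
    """Return (clean_html, blocked_srcs, suspicious_srcs)."""
    finder = RemoteImgFinder()
    finder.feed(html)
    finder.close()
    blocked, suspicious = [], []
    for raw, src in finder.remote:
        neutral = SRC_ATTR.sub(r"src=\g<1>about:blank", raw, count=1)
        html = html.replace(raw, neutral)
        blocked.append(src)
        if TOKEN_HINT.search(src):
            suspicious.append(src)
    return html, blocked, suspicious


def sanitize_message(raw_mail):
    """Walk a MIME message and neutralise remote images in every text/html part."""
    msg = message_from_string(raw_mail)
    report = {"blocked": [], "suspicious": [], "html": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, errors="replace")
        clean, blocked, suspicious = sanitize_html(body)
        report["blocked"] += blocked
        report["suspicious"] += suspicious
        report["html"].append(clean)
    return report


# Constructed phishing-style message: one 1x1 beacon with a token, one
# ordinary remote logo, one inline (cid:) image that needs no network fetch.
SAMPLE_MAIL = """\
From: "Your Bank" <alerts@example.invalid>
To: jane@example.invalid
Subject: Urgent account verification
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear customer, verify your account now.</p>
<img src="http://tracker.example.invalid/open.gif?id=8f3a9c2e1b7d4e6f" width="1" height="1">
<img src='https://cdn.example.invalid/logo.png'>
<img src="cid:inline-logo">
</body></html>
"""

if __name__ == "__main__":
    result = sanitize_message(SAMPLE_MAIL)
    print("blocked:", result["blocked"])
    print("likely tracking beacons:", result["suspicious"])
```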

Some phishing emails and phishing web sites attempt to infect computers as soon as an email is opened, or the site is visited, by using certain old security vulnerabilities that *should* be patched, but may not be.

DO NOT open spam emails. DO NOT go to phishing sites. End of story.

All that we get from services such as phishfighting is a misplaced sense of satisfaction that we are somehow hurting the phishers.

There is NOTHING on the phishfighting site that teaches users how to report phish sites to ISPs and get them shut down legitimately.

Phishfighters say that they are not using a DOS (denial of service) tactic because they only send one fake alert every 20 seconds.  Is that 20 seconds per report, or 20 seconds per URL?  The site doesn't say.

Don't use services such as phishfighting. 

Use spamcop to report spam emails (http://www.spamcop.net/)

Learn how to read email headers and report spammers to their ISP (http://www.stopspam.org/email/headers.html) but remember, the spamming computer may be a zombie, the owner may have no idea what has happened, so be nice.

 Use allwhois (http://www.allwhois.com/) to trace the host of phish sites and report their existence direct to the host ISP - get the site shut down.  Again, remember the host computer may have been hacked, and the owner completely unaware of what has happened.  Be nice. 
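Reading the headers the way the two points above need, as an added example (not code from the original post or from the sites it links to): it parses the Received chain oldest-first and picks out the IP that handed the message to your own mail servers, which is the address to look up and report. Hops older than that were written by machines you do not control and can be forged, which is exactly why the reported host may be a zombie rather than the phisher. The message and the trusted domain "example.invalid" are constructed.

```python
"""
Added example (not part of the original post): walk the Received header
chain and find the hand-off IP to report. Message is constructed; the
trusted receiving domain "example.invalid" is an assumption.
"""
import re
from email import message_from_string

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^from\s+([^\s;]+)", re.I)
BY_HOST = re.compile(r"\bby\s+([^\s;]+)", re.I)


def received_chain(raw_mail):
    """Parse every Received header into {from, ip, by}, oldest hop first."""
    msg = message_from_string(raw_mail)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m_from = FROM_HOST.match(flat)
        m_ip = IP_IN_BRACKETS.search(flat)
        m_by = BY_HOST.search(flat)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
        })
    hops.reverse()  # servers prepend, so the bottom header is the first hop
    return hops


def _in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def handoff_ip(raw_mail, trusted_domain):
    """Walk newest-first through hops received BY our own servers and return
    the connecting IP of the last such hop. Everything older was written by
    untrusted machines and may be forged, so it is not used."""
    candidate = None
    for hop in reversed(received_chain(raw_mail)):  # newest first
        if hop["by"] and _in_domain(hop["by"], trusted_domain):
            candidate = hop["ip"] or candidate
        else:
            break
    return candidate


# Constructed message: the bottom Received header is a forged hop claiming
# the mail came from the bank; the real connecting client is the ISP host.
SAMPLE_MAIL = """\
Received: from mx1.example.invalid (mx1.example.invalid [192.0.2.10])
 by mailbox.example.invalid with ESMTP id A1B2C3
 for <jane@example.invalid>; Tue, 13 Sep 2005 09:12:01 +1000
Received: from dsl-pool.isp.invalid (unknown [198.51.100.77])
 by mx1.example.invalid with SMTP id D4E5F6;
 Tue, 13 Sep 2005 09:11:58 +1000
Received: from mail.yourbank.invalid (mail.yourbank.invalid [203.0.113.5])
 by dsl-pool.isp.invalid; Tue, 13 Sep 2005 09:11:50 +1000
From: "Your Bank" <alerts@yourbank.invalid>
To: jane@example.invalid
Subject: Please verify your account

This is a constructed phishing-style message body.
"""

if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MAIL):
        print(hop)
    print("Report this IP to its host:", handoff_ip(SAMPLE_MAIL, "example.invalid"))
```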

Please, don't use services such as phishfighting and DON'T open the emails or click on the link ... please.
