February 2007 - Posts

The PC on which the mysterious bouncing box appears is a brand new Compaq.

The bouncing box, which is translucent, is not clickable.  It seems to have no purpose other than to exasperate and confuse and encourage victims to "look here".

A short video of the mysterious bouncing box is here:
http://msmvps.com/files/folders/spywaresucks/entry619001.aspx

Here is a PDF copy of a comparison between two HJT (HijackThis) logs - one taken when there was no bouncing window, one when the window was active. You will see there are only a few new processes:
http://msmvps.com/files/folders/spywaresucks/entry623616.aspx

The existence of the additional entries is not conclusive proof that the processes are causing the bouncing window.

There is a picture of the box at the end of this article:

Here is the story of the mysterious box in the words of the PC's owner - note that despite the steps taken the bouncing box reappeared.

"History:
My Wife's machine had suddenly got a "java coffee cup in a colored box" floating horizontally across her screen continually after some time online.  No scans for virii or spyware showed anything, no processes that looked unusual, etc. and it persisted for a few years. It finally disappeared some months ago. I had blamed it on her opening some website with some graphic/media/joke sent by a computer-illiterate friend. Last night I had to eat crow and apologize to my Wife! ;-)

Current Events:
I bought a "Black Friday" special (day after US Thanksgiving dealers sell stuff for ridiculous prices), a Compaq Presario SR2039X Media Center 2005 machine for $389.00 (with LCD, printer and free Vista upgrade)! Yesterday I took it out of the box and spent part of the day running Windows and other updates. NOTHING personal on the machine and only AIDA32 added for a baseline inventory, ZoneAlarm and AVG AV added. I did NOT enable Symantec's integrated protection junk! I just DL'd and installed Adobe Reader 8, walked away and came back to that infamous "java coffee cup in a colored box" floating across the screen! [I don't know if I had installed ZA and AVG before or after this happened.]

I did look thru Msconfig and Add/Remove Programs and found lots of junk I'd never let near a machine (WeatherBug, Wild Tangent, AOHell, Symantec, RealPlayer, etc.). Late in the day I did go about disabling and then uninstalling this junkware (as well as Java, just in case)."

So, gentle reader, do you have any idea what the mysterious bouncing box may be?  Have you seen it before?

The stuff of nightmares.... of course, y'all know NOT to go out and buy IWRS, yes?

Firefox has been updated to fix a major security flaw.  Updates have been released for Windows, Mac and Linux (being v.1.5.0.10 and 2.0.0.2).

The primary vulnerability addressed by this update is the location.hostname vulnerability.  It is a doozy, potentially allowing hackers to tamper with authentication cookies for third party sites, and control how Web sites are displayed and operate.  Phishers, in particular, would find this vulnerability very useful, because a user could be fooled into thinking they are connecting to their bank, when in fact it is a bad guy that is controlling what they see.

2.0.0.2 can be downloaded at www.getfirefox.com.  1.5.0.10 is available at http://www.mozilla.com/firefox/all-older.html

It should be noted that 1.5.0.x will only receive security and stability updates until 24 April 2007, then you're on your own.

Ok, *this* vulnerability demo is good.  Unlike other IE7 vulnerabilities that have been reported that resulted in weird behaviour that made it obvious to all but the most unobservant user that something weird is going on, this one is pretty much impossible to spot.

That being said, to take advantage of the vulnerability you're going to have to convince somebody to visit a hostile site, and then convince the visitor to manually type a URL into the addressbar instead of using a link or favorite to go to a page, limiting its effectiveness.

The worst vulnerabilities are the ones that require no user interaction, or require user action that is normal behaviour.  Now, although it is 'normal behaviour' to type URLs into an addressbar under some circumstances, and it is normal that people are advised to do so, it must be remembered that they are advised to do so **instead of clicking hyperlinks in an email**, not when at a Web site.

The demonstration is here:
http://lcamtuf.coredump.cx/ietrap/

The Secunia advisory is here:
http://secunia.com/advisories/23014/


A Web page is blank in IE7
http://support.microsoft.com/default.aspx/kb/933006

No fix just yet; simply a note that they're aware of the cause and working on it.

Following on from my article about malware spreading via the Windows Live Messenger banner advertisements, there is another report that malware was being advertised via MSN Groups.

You can see the report, and screenshots, here:
http://apcmag.com/5382/microsoft_apologises_for_serving_malware_to_customers

I'm hoping to get in touch with the magazine's correspondent to gather more information about the incident - times and dates etc - and yes, I've sent a heads up to Microsoft to make sure that the adverts have been neutralised as part of getting rid of the Windows Live Messenger banner ad malware.


"You are only as good as the love you have for other people"
http://www.gapingvoid.com/Moveable_Type/archives/003737.html

Yes, I know, such sentiments don't pay the bills, but still, it hit true tonight.

Exchange System Manager crashes in Exchange Server 2003 after you install IE7
http://support.microsoft.com/default.aspx/kb/932513

FIX: Error message when you try to run a Web application that uses the window.external property in IE7: "Internet Explorer has encountered a problem and needs to close"
http://support.microsoft.com/default.aspx/kb/931324

The email message header does not print when you try to print an email message by using either Microsoft Office Outlook 2003 or Microsoft Outlook Express
http://support.microsoft.com/default.aspx/kb/931657



Edit: I should point out that MSN Messenger's proper name is now Windows Live Messenger.

Pushers of the malware known as winfixer managed to infiltrate a provider of advertising content for MSN banner ads. The dangerous ads appeared in the Windows Live Messenger contact pane, as well as in banner ads on groups.msn.com.  The incidents were reported to secure@microsoft.com and they and the MSN ads team investigated and removed the ads.

Microsoft have issued an official statement as follows:

"Microsoft was notified of malware that was being served through ads placed in Windows Live Messenger banners. As a result of this notification we immediately investigated the reports and removed the offending ads, as this is a violation of our ad serving policy. We can confirm that the ads are no longer being served by any Microsoft system. We apologize for the inconvenience and are reviewing our ad approval process to reduce the chance of an occurrence such as this happening again. To help customers protect their PCs from malware threats, Microsoft recommends customers follow our Protect your PC guidance at www.microsoft.com/protect." - Whitney Burk, Microsoft.

I was originally warned that this is happening by none other than Patchou of Messenger Plus! fame on Thursday 15 Feb 2007 at 7:33:00 am Perth time.  I received a second report from Johan Brune that confirmed what is happening at 11.56am Perth time, 18 February (about 3 and a half hours ago) and I have now been able to reproduce the problem on my own machine.  It says a lot for Patchou's integrity that he was willing to write to me and warn me about this problem despite our history.  I have been extremely critical of him and his Sponsor Program in the past and have said some very nasty things at times, yet despite all that we have been able to maintain an open dialogue which has borne important fruit - Patchou was the first person to report the winfixer infiltration to me.

Brief warnings appeared on www.mess.be and at Neowin (http://www.neowin.net/index.php?act=view&id=38176) after Patchou got in touch and while I was still investigating and trying to confirm the problems, but they contain little in the way of screenshots or detailed information.  Also, the articles report that the Free PC-Secure banners trigger dialogue windows, which is not my experience, or the experience of anybody that I have contacted to duplicate my tests and verify the problems.

So far I have seen two ways that the bad guys are using to try and get Winfixer on to a machine via MSN Messenger banner advertisements - one involved a pop-up alert that appeared with no user interaction - the other needs the user to click on the banner advertisement and visit a Web page, then manually download an installer.

The most dangerous banner advertisement looked like this screenshot on my system - nothing happens if you try to click on the banner advertisement BUT when the banner advertisement disappears when the ads are rotated, something worse happens.

When the banner advertisement is rotated (or, as in my case, when I refresh the banner advertisement in an IE window) the classic Errorsafe pop-up window appears WITH NO USER INTERACTION REQUIRED - note the URL in the addressbar - it is the URL for the banner advertisements that appear in the MSN Messenger contact pane, which proves that the advertisement is being served up by rad.msn.com.

Screenshot here:
http://msmvps.com/photos/spyware_sucks/images/591117/original.aspx

Do not click on OK or Cancel when you see such windows!  I clicked on the red close button to shut the dialogue box and then saw this - a classic winfixer tactic.  I strongly recommend that you do NOT click on the OK button:

Screenshot here:
http://msmvps.com/photos/spyware_sucks/images/591121/original.aspx

The second banner advertisement that I have seen and which does not trigger a dialogue box looks like this - the user must click on the banner for anything to happen - further screenshots of the same banner advertisement are at the end of this article:

When the user clicks on the banner advertisement they end up at this Web site:

I downloaded the free PC scanner offered by that Web site and then uploaded it to VirusTotal for scanning - these are the results - WINFIXER again.

This is very bad news for users of MSN Messenger, and for MSN and Microsoft.  Those who read my blog regularly know that I have devoted a lot of time to fighting Winfixer, writing about how those behind Winfixer have attempted to infect victims via the Messenger Plus! Sponsor Program (for which Patchou has taken a lot of heat for years, not only from me, but from many other quarters), as well as Activewin and MySpace.

I am struggling to express how upset, and disappointed, and worried, I am that this has happened.  For years I have been holding up MSN Messenger banner advertisements as an example of how advertisements can be safely served up to end users without putting them at risk of malware.  Now, everything has changed.  Users have been put at direct risk through no fault of their own and they can't avoid the MSN banner advertisements when the contact pane is open without using a third party hack that is ethically wrong to use.  

This simply shouldn't have happened.  The people behind secure@microsoft.com have been extremely responsive and open with me about what they're doing to fight back, and are working on the problem as I write, but experience has shown me that if the bad guys behind winfixer can get in once, they'll continue to do so - they are sneaky, and dishonest, and know every trick in the book to slip in under the radar.

How hard is it to avoid winfixer advertisements once they infiltrate a network?  In the end, Circle Distribution (who supply the advertisements for the Messenger Plus! sponsor program) found it necessary to edit their users' HOSTS file to block known Winfixer URLs.  Right Media, who supply CiD with their content, and were also reported as being responsible for serving up winfixer advertisements to MySpace users, seem to be unable to stop those behind winfixer from getting in and haven't appreciated my criticism of them now that I have turned my focus away from CiD and Messenger Plus and concentrated my criticisms higher up the advertisement food chain.

I had a brief discussion with Bob of ActiveWin when I was in Las Vegas about the winfixer problems on that site, but do not know what steps they may have taken to protect their visitors.  As for MySpace - forget it - just block the site and have done with it.

I'll update this blog via the comments section as information is made public.  If history repeats itself, Microsoft and MSN are going to have a hell of a time getting rid of winfixer - the bad guys behind that product are nothing if not persistent.  I don't know how the hell they managed to infiltrate the rad.msn.com network, and I am extremely disappointed, and worried, that they have been able to do so.  MSN Messenger must have millions of users, all of whom are at risk of infection from the malware.

I strongly recommend that all users of MSN Messenger ensure that their antivirus and antispyware applications are up to date.  Do not click on any buttons in pop-up windows that you may see, and do not believe Web sites that report that they have found a problem on your computer - seriously, how the hell would they be able to tell?

Do not click on OK or Cancel buttons in the pop-up windows.  Close the window using the red x close button.

I also strongly recommend that MSN Messenger users download and install Mike Burgess's HOSTS file to help block winfixer and other bad guys.  You can find Mike's famous HOSTS file here:
http://www.mvps.org/winhelp2002/hosts.htm
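As an added illustration (not Mike Burgess's list, and not code from this blog), the following Python script merges a blocking list into a HOSTS file with the checks a practitioner would want before trusting any downloaded list: an entry is accepted only if it points at a blackhole address (0.0.0.0 or 127.0.0.1) rather than redirecting the name somewhere else, only if the hostname is well formed, and only if the name is not already mapped. The sample HOSTS text and every hostname in it are constructed placeholders, not addresses from the page.

```python
import re
from typing import List, Tuple

# A DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# The only addresses a *blocking* entry is allowed to point at.
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1"}


def is_valid_hostname(name: str) -> bool:
    """True if `name` is a syntactically valid hostname (RFC 1123 style)."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Parse HOSTS-file text into (address, hostname) pairs.

    Comments after '#' and blank lines are ignored; a line that maps one
    address to several names yields one pair per name.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                      # address with no hostname: skip
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def merge_blocklist(existing_hosts: str, blocklist: str) -> Tuple[str, List[str]]:
    """Append blocklist entries to a HOSTS file, returning (new_text, rejected).

    An entry is rejected when it would *redirect* rather than block (address
    outside BLACKHOLE_ADDRESSES), when its hostname is malformed, or when the
    name is already mapped, so a tampered blocklist cannot hijack a site.
    """
    known = {name for _, name in parse_hosts(existing_hosts)}
    additions, rejected = [], []
    for address, name in parse_hosts(blocklist):
        if address not in BLACKHOLE_ADDRESSES:
            rejected.append(f"{address} {name}: not a blackhole address")
        elif not is_valid_hostname(name):
            rejected.append(f"{address} {name}: malformed hostname")
        elif name in known:
            rejected.append(f"{address} {name}: already present")
        else:
            additions.append(f"{address} {name}")
            known.add(name)
    merged = existing_hosts.rstrip("\n") + "\n"
    if additions:
        merged += "# --- blocklist entries added below ---\n" + "\n".join(additions) + "\n"
    return merged, rejected


# Constructed sample inputs; the hostnames are placeholders, not real sites.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
"""

SAMPLE_BLOCKLIST = """\
# constructed blocklist in the 0.0.0.0 style
0.0.0.0 ads.example-badware.test
0.0.0.0 scanner.example-badware.test   # 'free PC scanner' landing page
10.1.2.3 www.example-bank.test         # rejected: redirects instead of blocking
0.0.0.0 bad_name.test                  # rejected: underscore is not allowed
0.0.0.0 localhost                      # rejected: already mapped
"""

if __name__ == "__main__":
    text, rejected = merge_blocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST)
    print(text)
    for reason in rejected:
        print("rejected:", reason)
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts and writing it needs administrator rights; the point of the redirect check is that a HOSTS list is itself a trust decision, since any entry that maps a name to a routable address can send a user's bank traffic wherever the list's author chooses.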

As I mentioned earlier, there are third party add-ins that remove the advertisement pane from MSN Messenger as mentioned in the Neowin thread.  I have always spoken out against such tools when I believed that MSN Messenger advertisements were always safe, but now I have to seriously consider whether I should start recommending them.  All will depend on whether MSN and Microsoft are able to successfully block the winfixer malware advertisements from here on in.  Patchou has written to me to advise that the anti-ad patches may not work anyway.  He says that many of the patches just hide the IE control; it is still running, so users will still get the message boxes and what follows them.  If anything, that may make the situation even worse by hiding where the pop-ups are coming from.

MSN Messenger are also advertising screensavers, but they are more traditional adware and don't use dirty tricks like the pop-up windows that winfixer are infamous for. I still recommend that you avoid such free software which invariably comes bundled with foistware such as toolbars and/or adware that generates pop-ups and stuff like that.

Further free PC scanner banner advertisement screenshots...


I installed Trend CSM 3.5 on my SBS2003 server at the office a little while ago.  A few days later I noted security alerts in my Server Performance Reports that merited further investigation.

The errors are the classic "unknown user name or bad password" which is not unusual in and of itself - all of us who look after servers see such errors quite regularly when the bad guys try to guess usernames and passwords in an attempt to get into our servers.  What is unusual is that the username is strange, and the errors are occurring every day.

A little investigation reveals that the errors are being caused by Trend CSM 3.5.  Messy Trend, very messy - I don't like my security logs being filled with aberrant Event ID 529 alerts.

I conducted a quick search of Trend's online knowledgebase for ".notaccount", "error 529" and "529" with zero results, so I don't have a fix yet.

Screenshot of error:
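As an added example (neither the blog's own code nor anything from Trend), the following Python script shows the check a practitioner would run over exported Security log entries to tell apart the two patterns the post describes: one odd account name (here the page's `.notaccount`) failing from the same host every day at the same time, which points at a misconfigured product, versus many different names tried from one source within a minute, which is password guessing. The log lines, the pipe-separated export layout and the workstation names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple


class LogonFailure(NamedTuple):
    when: datetime
    user: str
    logon_type: int
    workstation: str


# Constructed sample export (not a real log). Columns:
# date time | event id | account name | logon type | source workstation
SAMPLE_LOG = """\
2007-02-10 03:00:02 | 529 | .notaccount | 3 | SBSSERVER
2007-02-11 03:00:01 | 529 | .notaccount | 3 | SBSSERVER
2007-02-12 03:00:03 | 529 | .notaccount | 3 | SBSSERVER
2007-02-12 22:15:10 | 529 | administrator | 3 | WS-UNKNOWN
2007-02-12 22:15:11 | 529 | admin | 3 | WS-UNKNOWN
2007-02-12 22:15:12 | 529 | root | 3 | WS-UNKNOWN
2007-02-12 22:15:13 | 529 | test | 3 | WS-UNKNOWN
2007-02-12 22:15:14 | 529 | guest | 3 | WS-UNKNOWN
2007-02-12 09:30:00 | 529 | jsmith | 2 | WS-JSMITH
2007-02-12 09:31:00 | 528 | jsmith | 2 | WS-JSMITH
"""


def parse_log(text: str) -> List[LogonFailure]:
    """Keep only Event ID 529 (logon failure: unknown user name or bad password)."""
    failures = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, user, logon_type, workstation = [f.strip() for f in line.split("|")]
        if event_id != "529":
            continue                      # 528 is a successful logon, not of interest here
        failures.append(LogonFailure(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                                     user.lower(), int(logon_type), workstation))
    return failures


def recurring_accounts(failures: List[LogonFailure], min_days: int = 3) -> List[Tuple[str, str]]:
    """(account, workstation) pairs that fail on at least `min_days` distinct days.

    One name failing day after day from the same host is the signature of a
    misconfigured service or scheduled task, not of a guessing attack.
    """
    days = defaultdict(set)
    for f in failures:
        days[(f.user, f.workstation)].add(f.when.date())
    return sorted(key for key, d in days.items() if len(d) >= min_days)


def guessing_sources(failures: List[LogonFailure], window_seconds: int = 60,
                     min_distinct_users: int = 4) -> List[str]:
    """Workstations trying `min_distinct_users` or more names within `window_seconds`."""
    by_source = defaultdict(list)
    for f in failures:
        by_source[f.workstation].append(f)
    flagged = []
    for source, events in by_source.items():
        events.sort(key=lambda e: e.when)
        for i, start in enumerate(events):
            # Distinct account names tried in the window that opens at this event.
            users = {e.user for e in events[i:]
                     if (e.when - start.when).total_seconds() <= window_seconds}
            if len(users) >= min_distinct_users:
                flagged.append(source)
                break
    return sorted(flagged)


def triage(text: str) -> Dict[str, list]:
    """Split 529 noise into 'fix the product' and 'someone is guessing' buckets."""
    failures = parse_log(text)
    return {"recurring": recurring_accounts(failures),
            "guessing": guessing_sources(failures)}


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {hits}")
```

The single jsmith failure followed by a 528 success lands in neither bucket, which is the outcome you want: a user mistyping a password once is not a finding, and a detection that flags every 529 trains the operator to ignore the log.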

I received an interesting email asking for assistance with an IE7 problem from a Brian Hansen this morning which illustrates quite well why we cannot always assume that IE7 is "broken" or causing problems.

Brian's email said: 

"My problem is that IE7 will not launch without right-clicking on “Run as Administrator.”  Some of the postings I’ve read indicate that one should turn off all add-ons, reboot and try to launch ie7 again.  I have done this without any improvement in the application’s ability to launch.

The dialogue box tells me that “a website wants to open web content using this program on your computer.”  I’m assuming this is the infamous Account Control.  The application is apparently “IE CRASH DETECTION”

If I tell it “Allow” IE 7 stops working, and I am given the option to close the program; it does close appropriately."

Now, what would you think is causing the problem if you read the above question?  The immediate culprits for me would be an aberrant IE7 add-on (for example a toolbar or plug-in), or perhaps a problem with a Web page that had been set as the home page (for example, if a home page had been somehow hacked and was serving up hostile code).

The cause of the problem surprised me, and is something to keep in mind when you are trying to diagnose IE7 problems.  Brian reported:

"An OCR program I installed with my Canon scanner (Omin SE) was trying to go out to the internet and grab and update, and it was creating a conflict.  Finally figured out how to run MSCONFIG and turn off startups one or two at a time, until I found the culprit."

Brian's experience illustrates quite well that we should not always concentrate just on IE when trying to fix IE problems.  How many of us would have thought to check on something unrelated to the internet such as OCR software when trying to diagnose problems with IE7?  I wouldn't.
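Brian's method of disabling startup items a few at a time generalizes to halving the enabled set on every reboot, which isolates a single culprit among n items in about log2(n) trials instead of n. The following Python function is an added example, not code from the post or from Brian; the startup names are hypothetical stand-ins for what msconfig's Startup tab might list, and the `fails` predicate stands in for "reboot with only these items enabled and see whether IE7 still refuses to launch".

```python
from typing import Callable, List, Optional, Sequence, Tuple

# Constructed list of startup entries; the names are hypothetical, not items
# from the post (only the OCR updater is modelled on Brian's report).
STARTUPS = [
    "AVG Control Center",
    "ZoneAlarm",
    "Printer status monitor",
    "OCR updater (hypothetical culprit)",
    "Messenger",
    "Adobe Reader speed launcher",
    "Sound tray icon",
]


def find_culprit(items: Sequence[str],
                 fails: Callable[[Sequence[str]], bool]) -> Tuple[Optional[str], int]:
    """Locate the one startup item whose presence makes `fails(enabled)` True.

    `fails` models a reboot with only `enabled` items switched on and reports
    whether the problem still reproduces. The candidate set is halved each
    round, so a single culprit among n items needs about log2(n) trial boots.
    Returns (culprit or None, number of trial boots). Assumes exactly one item
    is responsible; a fault needing two items together would need a second pass.
    """
    trials = 1
    if not fails(items):
        return None, trials               # does not reproduce with everything enabled
    candidates: List[str] = list(items)
    while len(candidates) > 1:
        half = len(candidates) // 2
        first, second = candidates[:half], candidates[half:]
        trials += 1
        # Boot with only the first half enabled; if the fault is still there the
        # culprit is in that half, otherwise it must be in the disabled half.
        candidates = first if fails(first) else second
    return candidates[0], trials


def ocr_updater_present(enabled: Sequence[str]) -> bool:
    """Hypothetical reboot oracle: the fault shows up whenever the OCR updater runs."""
    return any("OCR updater" in name for name in enabled)


if __name__ == "__main__":
    culprit, trials = find_culprit(STARTUPS, ocr_updater_present)
    print(f"culprit: {culprit!r} found after {trials} trial boots")
```

In practice each `fails` call is a real reboot, so the log2 saving is what makes the method bearable on a machine with dozens of startup entries; record which half was enabled on each round, because a mistake in bookkeeping silently points at the wrong item.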

Memory usage increases in the iexplore.exe process when you refresh a Web page that contains XML content in IE7
http://support.microsoft.com/default.aspx/kb/929861

MS07-016 cumulative security update for IE
http://support.microsoft.com/default.aspx/kb/928090

A truncated or changed version of the original file name appears in the "Save As" dialog box in IE7
http://support.microsoft.com/default.aspx/kb/930228

FIX:  The configuration program for an application does not run and the RunOnceEx registry key is cleared when you restart a computer that is running IE7
http://support.microsoft.com/default.aspx/kb/927357

