March 2007 - Posts

You would expect Fortune 500 companies to have high-end antivirus, antispyware and antimalware software, and to have their networks set up to block the traffic that infected PCs would generate, yes?  Apparently not.

Check out this article at the Washington Post by Brian Krebs:
http://blog.washingtonpost.com/securityfix/2007/03/fortune_500s_unwittingly_becom.html

The outed companies are:

Oracle Corp - spam seen as far back as 21 February - http://psbl.surriel.com/listing?ip=148.87.13.7

American Electric Power - infected hardware apparently owned by a contractor - spam seen as far back as 7 December - http://psbl.surriel.com/listing?ip=167.239.128.222.  AEP's excuse for the problem is that "AEP was obligated to set up the contractors with Web mail, instant messaging and other communications tools that generally are not allowed inside of the company's network".

Hewlett-Packard - declined to comment about the incident

ExxonMobil - oh yay, spam from that IP as far back as October last year!! - http://psbl.surriel.com/listing?ip=158.21.255.8 

IndyMac Bank - February 2007 - http://psbl.surriel.com/listing?ip=65.214.149.253

Home Depot

Electronic Arts

Dow Jones - spam seen back in mid March - http://psbl.surriel.com/listing?ip=205.203.128.199&list=PSBL+list+query

Best Buy - infected since October 2006!!  (http://bl.csma.biz/cgi-bin/listing.cgi?ip=198.22.122.118 and http://psbl.surriel.com/listing?ip=198.22.122.118&list=PSBL+list+query)

I saw this tonight when I went to check the detection status of the now infamous ie7.0exe.


Putting aside a delay of between 8 and 12 minutes, it is well and truly time that Virustotal fixed their site to work with IE7 - check out the mess made of the last few scan entries.

To say that I am disappointed by the lack of detection is an understatement.  Reality is that malware sent via spam mail can be spread around the world within hours, therefore antispyware and antivirus must react within hours.  Such bad results, 12 hours or so after *I* first saw the emails, are simply not good enough.  Some of the Web sites hosting the malware (hacked sites) were shut down faster than the AV companies have responded.

virus.org, on the other hand, is far neater, and includes Trendmicro, a primary focus of mine when dealing with false positives or failures to detect malware.

IE7 and IE6 - Microsoft does not support changing the location of the Program Files folder by modifying the ProgramFilesDir registry value:
http://support.microsoft.com/default.aspx/kb/933700

When you set the ProgramFilesDir registry value to use a location other than the default location, Microsoft hotfixes, updates, and security updates do not update files that are in the default location. Therefore, you may experience system instability and unexpected problems with Microsoft programs and software updates. For example, you may experience any of the following problems:

• Microsoft hotfixes, updates, and security updates may not be installed correctly. 
• New versions of Microsoft Internet Explorer or Microsoft Windows Media Player may not be installed correctly. 

Additionally, the Microsoft Windows File Protection feature that helps protect files in the Internet Explorer folder does not support changing the default location of the Program Files folder.

HOTFIX - IE6 may close unexpectedly, and an access violation may occur in the mshtml.dll file when you close a popup window:
http://support.microsoft.com/default.aspx/kb/926840


There is a screenshot of the malware email at the Sunbelt URL below - please get the word out, warn those you know not to access the Web site, and do not attempt to download the file:
http://sunbeltblog.blogspot.com/2007/03/beware-fake-ie-7-downloads.html

I can see several samples of the malware email in my webmail accounts - none have been received at the office, thankfully.  That gives me time to ensure that I block them server side.

Update: I've grabbed a copy of the graphic used in the malware-mail from one of the hacked web sites being used as a host.  Here it is, full size, in all its glory - it looks very professional and realistic, yes?

Vulnerability in Windows Animated Cursor Handling
http://www.microsoft.com/technet/security/advisory/935423.mspx

I've already adjusted my network's protections to strip any *.ani files that are received via email - I recommend you do the same.   The next important step is to ensure that Outlook and Windows Mail are set to display all messages in plain text only.  Corporate environments can use Group Policy to enforce such a setting. 
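As an added example (not code from this blog or from any product it mentions), here is a mail-gateway style filter that strips animated cursor attachments. It goes one step beyond a filename rule: a Windows animated cursor is a RIFF container whose form type is "ACON", so the filter inspects the decoded attachment bytes and also removes an ANI that has been renamed to, say, .jpg. The message it runs over is constructed inline; the addresses and filenames are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage


def looks_like_ani(data: bytes) -> bool:
    """True if the bytes are a RIFF container with form type ACON (Windows animated cursor)."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def is_ani_attachment(part) -> bool:
    """Flag by extension OR by content, so a renamed cursor file is still caught."""
    name = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    return name.endswith(".ani") or looks_like_ani(payload)


def sanitize(raw: bytes):
    """Return (sanitized message bytes, names of the attachments that were stripped)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    if msg.is_multipart():
        kept = []
        for part in msg.iter_parts():
            if part.is_attachment() and is_ani_attachment(part):
                stripped.append(part.get_filename() or "<unnamed>")
            else:
                kept.append(part)
        msg.set_payload(kept)  # rebuild the multipart without the offending parts
    return msg.as_bytes(), stripped


def attachment_names(raw: bytes):
    """Filenames of the attachments still present in a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample() -> bytes:
    """Constructed test message: a real .ani, an ANI renamed to .jpg, and a genuine-looking JPEG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "user@example.invalid"       # placeholder address
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    # Minimal RIFF/ACON header followed by padding; enough to be recognised as an ANI.
    ani = b"RIFF" + (20).to_bytes(4, "little") + b"ACON" + b"\x00" * 16
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    msg.add_attachment(ani, maintype="application", subtype="octet-stream", filename="cursor.ani")
    msg.add_attachment(ani, maintype="image", subtype="jpeg", filename="holiday.jpg")  # disguised
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="real.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = sanitize(build_sample())
    print("stripped:", removed)                 # ['cursor.ani', 'holiday.jpg']
    print("remaining:", attachment_names(cleaned))  # ['real.jpg']
```

The content check is the part that matters: the advisory is about how Windows parses the file, and Windows does not care what the attachment was called, so a gateway rule that only looks at the extension leaves the renamed case open.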

Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability. 

Do not forward or reply to the dangerous email when using Windows Mail because you are at risk.

SANS reports that if you open up a folder with Explorer (not Internet Explorer) that has a malicious .ANI file it will exploit the system.

Outlook 2007 users are protected by default because Outlook 2007 is set to use Word to display HTML email messages.

Trend reports that the vulnerability is being exploited in the wild:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX&VSect=P

IE7 on Vista (when running with protected mode on) is not vulnerable.  Note that if you have turned off UAC, you have also turned off Protected Mode for IE7.

IMPORTANT: Trend recommends that you turn off System Restore before scanning the system for malware.  Please do not do this.  Firstly, removing malware can damage the installed operating system and programs, leading to system instability and crashes.  If System Restore has been turned off you will have no way to roll back and try a different way to remove the infection.  Second, you will be unable to use Microsoft's new Change Analysis Diagnostic, which support professionals are beginning to use to make 'before infection' and 'after infection' system comparisons to help them spot how a system has been changed as part of an infection.

It is, of course, important to flush restore points AFTER your system has been successfully cleaned, but not before.  Here is an article that I wrote about the 'to disable or not disable system restore' debate which I recommend you read:
http://msmvps.com/blogs/spywaresucks/archive/2005/09/17/66724.aspx

What is the Change Analysis Diagnostic tool? 

The Change Analysis Diagnostic tool simplifies the identification of recent changes to computers running Windows XP by checking for recent changes to the following:

• Operating system components, such as patches, that are installed as hotfixes or downloads from Windows Update.
• Installed application entries listed in the Add or Remove Programs control panel.
• All kernel mode device and file system drivers.
• Browser helper objects loaded by Internet Explorer.
• ActiveX controls loaded by Internet Explorer.
• Programs loaded automatically during Windows XP startup.
• Programs and Dynamic Link Libraries (DLLs) loaded when an application starts.

The Change Analysis Diagnostic tool depends on the existence of restore points to work.

Download details: Change Analysis Diagnostic (KB924732):
http://www.microsoft.com/downloads/details.aspx?familyid=097976f8-1124-45b8-9769-b48429a7a6a1&displaylang=en&tm

Information about a URL encoding change in Windows IE7
http://support.microsoft.com/default.aspx/kb/934279

Fix: The autocomplete feature does not work after you click a javascript hyperlink on a web page in IE6:
http://support.microsoft.com/default.aspx/kb/931298

Fix: IE6 may unexpectedly close when you try to use digest proxy authentication to connect to secure (HTTPS) web sites:
http://support.microsoft.com/default.aspx/kb/931299

Some sites say today (29 March)... some sites say 26 April.. who to believe...

Hmm, it seems we are looking at a 2nd delay - with sentencing originally deferred to 29 March, but now deferred for a 2nd time to 26 April?:
http://www.courant.com/news/local/hc-amerodelay0327,0,511626.story


As reported on bugtraq@securityfocus.com by "nsp", Firefox 2.0.0.3 and Opera 9.10 apparently fail to detect a phishing site if it is embedded in an IFRAME / OBJECT tag:

Demonstration pages can be seen here (warning, the URLs will prompt to install a Chinese language pack - there is no need to install the language pack):

http://zonafirefox.googlepages.com/prueba.html (using Javascript to create an iframe object)
 
http://zonafirefox.googlepages.com/prueba2.html (without Javascript)

The author of the email, nsp, states:

"Also, the following code can be used to bypass the phishing protection:
 
"<object type="text/html" classid="(phishing site)" data="(phishing site)"></object>"
 
The tests were realized using several sites from the Phishtank database. IE7 has no problems."

As a reminder, other problems with the Firefox phishing filter were revealed when it was reported back in February that the Firefox Phishing Filter can be disabled simply by adding an extra slash after the domain suffix:
http://msmvps.com/blogs/spywaresucks/archive/2007/02/12/570602.aspx

According to Bugzilla, the "fix" for the backslash problem is something that needs to be done at Google's end.  I note that there is discussion saying that things should be changed, but nothing to say that it has been changed, so I downloaded Firefox 2.0.0.1 to see what the situation is.  Sure enough, the problem continues, so why was the bug closed as "resolved fixed"?
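Both reports above come down to the same defensive rule: a blocklist lookup has to canonicalise the URL first, and it has to be applied to every document a page loads, not only the top-level address bar entry. The following is an added illustration of that rule (it is not Firefox's, Opera's or Google's code, and it does not claim to reproduce how their filters work). It canonicalises URLs (lower-cases the host, collapses repeated slashes, drops the fragment and query) before a path-prefix match against a constructed blocklist, then walks a constructed page and checks the iframe and object sub-document URLs as well as the page itself.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url: str) -> str:
    """Normalise a URL so trivially different spellings of one address compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        port = parts.port
    except ValueError:
        port = None
    if port and DEFAULT_PORTS.get(scheme) != port:
        host = f"{host}:{port}"
    path = re.sub(r"/{2,}", "/", parts.path) or "/"  # the "extra slash" case collapses here
    return urlunsplit((scheme, host, path, "", ""))   # query and fragment are not part of the key


class Blocklist:
    """Path-prefix blocklist keyed on canonical URLs (constructed entries, not a real feed)."""

    def __init__(self, entries):
        self.entries = [canonicalize(e) for e in entries]

    def matches(self, url: str) -> bool:
        c = canonicalize(url)
        return any(c == e or c.startswith(e.rstrip("/") + "/") for e in self.entries)


class EmbeddedURLs(HTMLParser):
    """Collects absolute URLs of documents the page loads inside itself."""

    ATTRS = {"iframe": ("src",), "frame": ("src",), "object": ("data", "classid"), "embed": ("src",)}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value and value.lower().startswith(("http://", "https://")):
                self.urls.append(value)


def flagged_urls(page_url: str, html: str, blocklist: Blocklist):
    """Every URL (the page plus its embedded documents) that the blocklist matches."""
    parser = EmbeddedURLs()
    parser.feed(html)
    return [u for u in [page_url] + parser.urls if blocklist.matches(u)]


# Constructed sample page: an innocent-looking wrapper that loads a listed site two ways.
SAMPLE_HTML = """<html><body><p>Nothing to see here.</p>
<iframe src="http://PHISH.example//login" width="1" height="1"></iframe>
<object type="text/html" data="http://phish.example/login/"></object>
</body></html>"""

if __name__ == "__main__":
    bl = Blocklist(["http://phish.example/login"])  # constructed blocklist entry
    print(flagged_urls("http://innocent.example/", SAMPLE_HTML, bl))
```

The static parse only sees markup that is present in the HTML; the first demonstration page above builds its iframe with JavaScript, which is exactly why the check belongs at the point where the browser actually performs each navigation, including subframe loads, rather than on the page source.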

I'm wondering if there is anything like this happening in the USA, Canada or elsewhere.

Australian university students can purchase a perpetual licence for Office 2007 for $75.00 (AUD) or $25.00 (AUD) for one year.

The software is available via CD (to be distributed via the participating Universities) or via download.

Each eligible student is limited to one purchase of either Microsoft® Office Ultimate 2007 (perpetual licence) or Microsoft® Office Ultimate 2007 Subscription (12 month licence). Students that purchase the Microsoft® Office Ultimate 2007 Subscription (12 month licence) will be offered the opportunity of purchasing a Microsoft® Office Ultimate 2007 (perpetual licence) for AUD$50.00 at the conclusion of their 12 month licence.

In the event of the program being discontinued, students that have purchased the Microsoft® Office Ultimate 2007 Subscription (12 month licence) will still be offered the opportunity to purchase a Microsoft® Office Ultimate 2007 (perpetual licence) for AUD$50.00 at the conclusion of their 12 month licence. The subscription licence must be activated prior to May 28, 2007.

This offer commenced at 12.00PM (Sydney time) on February 26, 2007 and all purchases must be made by 11:59PM (Sydney time) on May 28, 2007.

Details here:
http://www.microsoft.com/australia/education/unistudentoffer/default.mspx

Promotional competition for Australian university students:
http://www.itsnotcheating.com.au/form.asp 


A contact at Microsoft put me in touch with the appropriate people at AOL this morning - an advertising tech lead and a gentleman involved in policy and compliance.  Thanks to a network capture that I gave to AOL they were finally able to track down the rogue advertiser who had infiltrated the AOL ad network to serve up winfixer malware advertisements and shut the ads down.

Once the guys at AOL and I actually hooked up, it only took a few hours to get the account shut down.  Damned if I know why it took so long for us to connect, but it did.

AOL's official statement on the incident is:

"We use a wide range of technical and policy measures to prevent malware distributors from placing advertisements on our networks, but apparently one was able to circumvent those measures.  We have blocked this ad campaign and [are] working with our technical and legal teams to take additional steps to block similar issues in future."

Not long ago Winfixer also infiltrated the MSN advertisement network.  At the time MS issued the following answers to questions put to them:

1. What are Microsoft's policies on what is acceptable in terms of content in ads?
Microsoft's advertising policy states that our customers' online experience is protected from deceptive and misleading advertisements. We also have a high standard for the content that appears in ads. Some categories of advertisements-such as pornography, gambling or spyware/malware-are simply not appropriate for our audience. Additionally, we also exclude our competitors from running ads on our network and on specific sites.

2. What are Microsoft's policies and practices around content in ads on the Live/MSN properties?
Microsoft's Creative Acceptance Policy dictates the type of content ads that are appropriate for the MSN and Windows Live network. According to the policy, Microsoft follows three core guidelines when reviewing ads for MSN and Windows Live properties:
*       Images and text must accurately represent the product or services.
*       Cross media campaigns must deliver consistent imagery and messaging.
*       Offers and sweepstakes must clearly identify the appropriate actions necessary.
To ensure that advertisements meet our standards, ads are visually reviewed for compliance with the Creative Acceptance Policy.

Microsoft have not issued a formal statement to me about the Winfixer outbreak on their network per se, but I did have a one-on-one meeting with a Director in Community & Intelligence, Security Research and Response about the incident and what needs to happen going forward.  The primary point of the meeting was to discuss my concern that historically, once winfixer manages to infiltrate a network once, they continue to do so.

Reality is that the problem of "bait and switch", and other deceitful practices that the bad guys employ to prevent discovery, is not going to go away.  We can write all the policies and procedures that we want, and lay down rule after rule, but if the bad guys ignore said policies and procedures and rules and do what they can to circumvent them and minimise detection, then our only hope is to catch them in the act - and that, gentle reader, is far easier said than done.

When I see talk of policies and procedures, and rules and regulations, being used to police and control the bad guys I can't help but reflect on the fact that the bad guys don't care about, and invariably ignore, such rules and regulations, policies and procedures.  We are not dealing with gentlemen, working by gentleman's rules, who are bound by morals and ethics that control their actions.  The persons behind malware such as winfixer are not constrained by such things as morals or rules. Until we accept this basic reality we will continue to be outwitted by the bad guys.

I am not confident that MS and AOL and the advertising networks they use are going to be able to block the bad guys going forward, not unless they make the difficult (and financially penalising) decision to host their own creatives, thereby preventing bait and switch.  Technical safety measures are failing and as long as we allow third parties to host the content that we display on our networks, we are at risk.

It's an arms race out there. The bad guys get in - we learn from the incident - we plug the hole and they then try to find another way.  The bad guys try to avoid detection by their hosts by using various tricks, but reality is that sooner or later their wares must appear on a victim's computer and they are then detectable, and traceable.  

We tracked them down on the MSN network, and we tracked them down on the AOL network, and I'll continue to do what is needed to track down those behind future outbreaks.  The game is by no means over.

This is simply not good enough.

MSN / Microsoft acted fast when *their* advertising network was infiltrated.  AOL, it seems, are either incapable or unwilling to do anything to protect their readers.

The following was captured only minutes ago.  This has been going on for days now, yet AOL remains unresponsive, leaving how many millions of users at direct risk of winfixer infection.  I am going to use every means at my disposal, pull every string, take advantage of every relationship, to try and convince AOL to act. 

If AOL will only act under a barrage of negative press, then so be it.  Reality is that MS/MSN reacted, and reacted fast, when their network was infiltrated.  I won't share exactly what MSN/MS did, but I will say that they took extremely strong steps to neutralise the risk to their users - steps that proved to me beyond a shadow of a doubt that MS and MSN were putting the safety of their users before everything else - steps that AOL seem to be unwilling or unable to take.

  Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = TCP, Packet ID = 3956, Total IP Length = 932
+ Tcp: Flags=...PA..., SrcPort=49263, DstPort=HTTP Alternate(8080), Len=892, Seq=4159520276 - 4159521168, Ack=3989674427, Win=4380 (scale factor 2) = 17520
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
    Command: GET
  + URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    ContentType:  application/x-www-form-urlencoded
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  www.errorsafe.com
    Proxy-Connection:  Keep-Alive
    Cookie:  lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
    HeaderEnd: CRLF

  Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = TCP, Packet ID = 3957, Total IP Length = 845
+ Tcp: Flags=...PA..., SrcPort=49263, DstPort=HTTP Alternate(8080), Len=805, Seq=4159521168 - 4159521973, Ack=3989675429, Win=4129 (scale factor 2) = 16516
- HTTP: Request, GET http://adfarm.mediaplex.com/ad/ck/50866
    Command: GET
  + URI: http://adfarm.mediaplex.com/ad/ck/50866?mpt=[CACHEBUSTER]&aid=oflikely_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    Cookie:  svid=7106602301
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  adfarm.mediaplex.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF

  Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = TCP, Packet ID = 3960, Total IP Length = 936
+ Tcp: Flags=...PA..., SrcPort=49263, DstPort=HTTP Alternate(8080), Len=896, Seq=4159521973 - 4159522869, Ack=3989675758, Win=4047 (scale factor 2) = 16188
- HTTP: Request, GET http://www.systemdoctor.com/download/2006/
    Command: GET
  + URI: http://www.systemdoctor.com/download/2006/?p=10&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=oflikely_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    Cookie:  cnt=AU; lng=en; aid=oflikely_rdt_ed2_au_en; lid=keyin; affid=pp_5608015641; lang=en
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  www.systemdoctor.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF
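The capture above is the evidence that mattered: every request carries a Referer pointing back at the Flash creative on AOL's CDN, and the three Hosts it leads to are the winfixer family's own domains. As an added example (not the blog's code, and not a tool from AOL or Microsoft), here is a small parser for that Network Monitor text layout that rebuilds the referral chain and flags requests where an ad-network referrer leads to a listed rogue host. The ad host and rogue host sets are taken straight from the capture; the sample input is a condensed, constructed copy of the URI, Referer and Host lines of the three frames.

```python
import re
from urllib.parse import parse_qs, urlsplit

AD_HOSTS = {"2mdn.aolcdn.com"}                        # ad CDN seen in the capture's Referer
ROGUE_HOSTS = {"errorsafe.com", "systemdoctor.com"}   # landing hosts seen in the capture

# Constructed, condensed from the capture above: only the fields the parser reads.
CAPTURE = """\
  Frame:
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
  + URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    Host:  www.errorsafe.com
  Frame:
- HTTP: Request, GET http://adfarm.mediaplex.com/ad/ck/50866
  + URI: http://adfarm.mediaplex.com/ad/ck/50866?mpt=[CACHEBUSTER]&aid=oflikely_rdt
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    Host:  adfarm.mediaplex.com
  Frame:
- HTTP: Request, GET http://www.systemdoctor.com/download/2006/
  + URI: http://www.systemdoctor.com/download/2006/?p=10&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=oflikely_rdt
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    Host:  www.systemdoctor.com
"""

FRAME_SPLIT = re.compile(r"^\s*Frame:\s*$", re.M)
FIELD = re.compile(r"^\s*\+?\s*(URI|Referer|Host):\s*(\S+)", re.M)


def parse_netmon(text: str):
    """One dict per HTTP request frame: host, uri, referring host and the 'aid' campaign tag."""
    requests = []
    for block in FRAME_SPLIT.split(text):
        fields = dict(FIELD.findall(block))
        if "URI" not in fields:
            continue
        uri = fields["URI"]
        referer = fields.get("Referer", "")
        requests.append({
            "host": fields.get("Host") or urlsplit(uri).hostname or "",
            "uri": uri,
            "referer_host": urlsplit(referer).hostname or "",
            "aid": parse_qs(urlsplit(uri).query).get("aid", [""])[0],
        })
    return requests


def in_domain(host: str, domains) -> bool:
    """Exact or subdomain match, so www.errorsafe.com matches errorsafe.com."""
    return any(host == d or host.endswith("." + d) for d in domains)


def rogue_ad_hits(requests, ad_hosts=AD_HOSTS, rogue_hosts=ROGUE_HOSTS):
    """Requests that an ad-network referrer sent to a listed rogue host."""
    return [r for r in requests
            if in_domain(r["referer_host"], ad_hosts) and in_domain(r["host"], rogue_hosts)]


def campaign_ids(requests):
    """The affiliate/campaign tags carried through the chain; useful when reporting to the ad network."""
    return {r["aid"] for r in requests if r["aid"]}


if __name__ == "__main__":
    reqs = parse_netmon(CAPTURE)
    for r in reqs:
        print(f"{r['referer_host']} -> {r['host']}  aid={r['aid']}")
    print("rogue hits:", [h["host"] for h in rogue_ad_hits(reqs)])
    print("campaign ids:", sorted(campaign_ids(reqs)))
```

Pairing the referring host with the destination is what turns a proxy log into something an ad network can act on: the creative's CDN path and the affiliate tag in the query string identify the exact campaign to pull, which is what the capture handed to AOL let them do.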
