March 2007 - Posts

Fortune 500 computers sending spam

You would expect Fortune 500 companies to have high-end antivirus, antispyware and antimalware software, and to have their networks set up to block the end result of PCs that may be infected, yes?  Apparently not.

Check out this article at the Washington Post by Brian Krebs:
http://blog.washingtonpost.com/securityfix/2007/03/fortune_500s_unwittingly_becom.html

The outed companies are:

Oracle Corp - spam seen as far back as 21 February - http://psbl.surriel.com/listing?ip=148.87.13.7

American Electric Power - infected hardware apparently owned by a contractor - spam seen as far back as 7 December - http://psbl.surriel.com/listing?ip=167.239.128.222.  AEP's excuse for the problem is that "AEP was obligated to set up the contractors with Web mail, instant messaging and other communications tools that generally are not allowed inside of the company's network".

Hewlett-Packard - declined to comment about the incident

ExxonMobil - oh yay, spam from that IP as far back as October last year!! - http://psbl.surriel.com/listing?ip=158.21.255.8 

IndyMac Bank - February 2007 - http://psbl.surriel.com/listing?ip=65.214.149.253

Home Depot

Electronic Arts

Dow Jones - spam seen back in mid March - http://psbl.surriel.com/listing?ip=205.203.128.199&list=PSBL+list+query

Best Buy - infected since October 2006!!  (http://bl.csma.biz/cgi-bin/listing.cgi?ip=198.22.122.118 and http://psbl.surriel.com/listing?ip=198.22.122.118&list=PSBL+list+query)

Posted by sandi with 1 comment(s)

Virustotal overloaded?

I saw this tonight when I went to check the detection status of the now infamous ie7.0exe.


Putting aside a delay of between 8 and 12 minutes, it is well and truly time that Virustotal fixed their site to work with IE7 - check out the mess made of the last few scan entries.

To say that I am disappointed by the lack of detection is an understatement.  Reality is that malware sent via spam mail can be spread around the world within hours, therefore antispyware and antivirus must react within hours.  Such bad results, 12 hours or so after *I* first saw the emails, are simply not good enough.  Some of the Web sites hosting the malware (hacked sites) were shut down faster than the AV companies have responded.

virus.org, on the other hand, is far neater, and includes Trendmicro, a primary focus of mine when dealing with false positives or failures to detect malware.

Posted by sandi with 3 comment(s)

New Internet Explorer knowledge base articles

IE7 and IE6 - Microsoft does not support changing the location of the Programs Files folder by modifying the ProgramFilesDir registry value:
http://support.microsoft.com/default.aspx/kb/933700

When you set the ProgramFilesDir registry value to use a location other than the default location, Microsoft hotfixes, updates, and security updates do not update files that are in the default location. Therefore, you may experience system instability and unexpected problems with Microsoft programs and software updates. For example, you may experience any of the following problems:

• Microsoft hotfixes, updates, and security updates may not be installed correctly. 
• New versions of Microsoft Internet Explorer or Microsoft Windows Media Player may not be installed correctly. 

Additionally, the Microsoft Windows File Protection feature that helps protect files in the Internet Explorer folder does not support changing the default location of the Program Files folder.

HOTFIX - IE6 may close unexpectedly, and an access violation may occur in the mshtml.dll file when you close a popup window:
http://support.microsoft.com/default.aspx/kb/926840


WARNING! Massive spam blast of fake admin@<domain.com> email messages pointing to fake IE7 downloads

There is a screenshot of the malware email at the Sunbelt URL below - please get the word out, warn those you know not to access the Web site, and do not attempt to download the file:
http://sunbeltblog.blogspot.com/2007/03/beware-fake-ie-7-downloads.html

I can see several samples of the malware email in my webmail accounts - none have been received at the office, thankfully.  That gives me time to ensure that I block them server side.

Update: I've grabbed a copy of the graphic used in the malware-mail from one of the hacked web sites being used as a host.  Here it is, full size, in all its glory - it looks very professional and realistic, yes?

Posted by sandi with no comments

Vulnerability in Windows Animated Cursor Handling

http://www.microsoft.com/technet/security/advisory/935423.mspx

I've already adjusted my network's protections to strip any *.ani that are received via email - I recommend you do the same.   The next important step is to ensure that OL and Windows Mail are set to display all messages in plain text only.  Corporate environments can use a group policy to enforce such a setting. 
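As an added example (not code from the original post), here is a Python mail filter that strips animated-cursor attachments by extension and also by content: an .ani file is a RIFF container with form type "ACON", so a renamed file is caught too. The sample message is constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# An animated cursor is a RIFF container whose form type is "ACON":
# bytes 0-3 = b"RIFF", bytes 4-7 = chunk size, bytes 8-11 = b"ACON".
RIFF_TAG = b"RIFF"
ANI_FORM_TYPE = b"ACON"


def looks_like_ani(data: bytes) -> bool:
    """Content check: catches .ani files renamed to .jpg, .txt and so on."""
    return len(data) >= 12 and data[:4] == RIFF_TAG and data[8:12] == ANI_FORM_TYPE


def is_ani_attachment(part: EmailMessage) -> bool:
    """Flag a MIME leaf either by its .ani extension or by its RIFF/ACON signature."""
    if part.is_multipart():
        return False
    name = (part.get_filename() or "").lower()
    if name.endswith(".ani"):
        return True
    payload = part.get_payload(decode=True) or b""
    return looks_like_ani(payload)


def strip_ani_attachments(raw: bytes):
    """Parse a raw RFC 2822 message, neutralise every .ani part in place and
    return (sanitised message, list of stripped attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    # Collect parts first; modifying leaf content does not change the tree,
    # but iterating a fixed list is clearer than mutating during walk().
    for part in list(msg.walk()):
        if is_ani_attachment(part):
            stripped.append(part.get_filename() or "<unnamed>")
            # set_content() drops the old Content-* headers (including the
            # Content-Disposition filename) and replaces the body with a notice.
            part.set_content("[attachment removed by mail policy: animated cursor]")
    return msg, stripped


def build_sample() -> bytes:
    """Constructed test message (not a real capture): a text body, a plain
    .ani attachment, the same bytes disguised as a photo, and a harmless file."""
    ani_bytes = RIFF_TAG + b"\x10\x00\x00\x00" + ANI_FORM_TYPE + b"anih" + b"\x00" * 8
    msg = EmailMessage()
    msg["From"] = "admin@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached cursors.")
    msg.add_attachment(ani_bytes, maintype="application", subtype="octet-stream",
                       filename="cursor.ani")
    msg.add_attachment(ani_bytes, maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="note.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_ani_attachments(build_sample())
    print("stripped:", removed)
    print(cleaned.as_string())
```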

Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability. 

Do not forward or reply to the dangerous email when using Windows Mail because you are at risk.

SANS reports that if you open up a folder with Explorer (not Internet Explorer) that has a malicious .ANI file it will exploit the system.

Outlook 2007 users are protected by default because Outlook 2007 is set to use Word to display HTML email messages.

Trend reports that the vulnerability is being exploited in the wild:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX&VSect=P

IE7 on Vista (when running with protected mode on) is not vulnerable.  Note that if you have turned off UAC, you have also turned off Protected Mode for IE7.

IMPORTANT: Trend recommends that you turn off System Restore before scanning the system for malware.  Please do not do this.  Firstly, removing malware can damage the installed operating system and programs, leading to system instability and crashes.  If System Restore has been turned off you will have no way to roll back and try a different way to remove the infection.  Second, you will be unable to use Microsoft's new Change Analysis Diagnostic, which support professionals are beginning to use to make 'before infection' and 'after infection' system comparisons to help them spot how a system has been changed as part of an infection.

It is, of course, important to flush restore points AFTER your system has been successfully cleaned, but not before.  Here is an article that I wrote about the 'to disable or not disable system restore' debate which I recommend you read:
http://msmvps.com/blogs/spywaresucks/archive/2005/09/17/66724.aspx

What is the Change Analysis Diagnostic tool? 

The Change Analysis Diagnostic tool simplifies the identification of recent changes to computers running Windows XP by checking for recent changes to the following:

• Operating system components, such as patches, that are installed as hotfixes or downloads from Windows Update.
• Installed application entries listed in the Add or Remove Programs control panel.
• All kernel mode device and file system drivers.
• Browser helper objects loaded by Internet Explorer.
• ActiveX controls loaded by Internet Explorer.
• Programs loaded automatically during Windows XP startup.
• Programs and Dynamic Link Libraries (DLLs) loaded when an application starts.

The Change Analysis Diagnostic tool depends on the existence of restore points to work.

Download details: Change Analysis Diagnostic (KB924732):
http://www.microsoft.com/downloads/details.aspx?familyid=097976f8-1124-45b8-9769-b48429a7a6a1&displaylang=en&tm

Posted by sandi with 2 comment(s)

New IE7 KB article

Information about a URL encoding change in Windows IE7
http://support.microsoft.com/default.aspx/kb/934279

Posted by sandi with no comments

New IE6 knowledge base articles

Fix: The autocomplete feature does not work after you click a javascript hyperlink on a web page in IE6:
http://support.microsoft.com/default.aspx/kb/931298

Fix: IE6 may unexpectedly close when you try to use digest proxy authentication to connect to secure (HTTPS) web sites:
http://support.microsoft.com/default.aspx/kb/931299

Posted by sandi with no comments

Julie Amero - sentencing today?

Some sites say today (29 March)... some sites say 26 April.. who to believe...

Hmm, it seems we are looking at a 2nd delay - with sentencing originally deferred to 29 March, but now deferred for a 2nd time to 26 April?:
http://www.courant.com/news/local/hc-amerodelay0327,0,511626.story


Posted by sandi with no comments

Iframes / objects can apparently bypass phishing protection in Firefox 2.0.0.3 and Opera 9.10 - IE7 is unaffected

As reported on bugtraq@securityfocus.com by "nsp", Firefox 2.0.0.3 and Opera 9.10 apparently fail to detect a phishing site if it is embedded in an IFRAME / OBJECT tag:

Demonstration pages can be seen here (warning, the URLs will prompt to install a Chinese language pack - there is no need to install the language pack):

http://zonafirefox.googlepages.com/prueba.html (using Javascript to create an iframe object)
 
http://zonafirefox.googlepages.com/prueba2.html (without Javascript)

The author of the email, nsp, states:

"Also, the following code can be used to bypass the phishing protection:
 
"<object type="text/html" classid="(phishing site)" data="(phishing site)"></object>"
 
The tests were realised using many sites from the Phishtank database. IE7 has no problems."

As a reminder, other problems with the Firefox phishing filter were revealed when it was reported back in February that the Firefox Phishing Filter can be disabled simply by adding an extra slash after the domain suffix:
http://msmvps.com/blogs/spywaresucks/archive/2007/02/12/570602.aspx

According to Bugzilla, the "fix" for the backslash problem is something that needs to be done at Google's end.  I note that there is discussion saying that things should be changed, but nothing to say that it has been changed, so I downloaded Firefox 2.0.0.1 to see what the situation is.  Sure enough, the problem continues, so why was the bug closed as "resolved fixed"?
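To show why the extra-slash trick defeats a filter that compares raw strings, here is an added Python example (not from the original post, and not any browser's own code) that canonicalises a URL before the lookup and matches on path prefixes the way a blocklist should. The blocklist entries and test URLs are constructed.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url: str) -> str:
    """Reduce a URL to one comparison form: lower-case scheme and host, drop
    default ports and fragments, percent-decode the path, collapse runs of
    "/" (the extra-slash bypass) and resolve "." / ".." segments."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").strip(".").lower()
    try:
        port = parts.port
    except ValueError:          # malformed port: treat as absent
        port = None
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    collapsed = re.sub(r"/+", "/", unquote(parts.path) or "/")
    # posixpath.normpath keeps a leading "//" as-is, so slashes are collapsed first.
    path = posixpath.normpath(collapsed)
    if collapsed.endswith("/") and path != "/":
        path += "/"             # normpath strips trailing slashes; keep them
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{path}{query}"


def lookup_candidates(url: str):
    """Yield the full canonical URL, then the URL without query, then each
    path prefix down to the bare host, so an entry for http://host/dir/
    covers everything beneath /dir/."""
    canon = canonicalize(url)
    parts = urlsplit(canon)
    base = f"{parts.scheme}://{parts.netloc}"
    yield canon
    path = parts.path
    if parts.query:
        yield base + path
    while path not in ("", "/"):
        path = path[: path.rstrip("/").rfind("/") + 1]   # strip the last segment
        yield base + path


class PhishBlocklist:
    def __init__(self, entries):
        self._naive = set(entries)                      # what a brittle filter keeps
        self._canon = {canonicalize(e) for e in entries}

    def naive_match(self, url: str) -> bool:
        """Exact string comparison: the behaviour the extra slash defeats."""
        return url in self._naive

    def match(self, url: str) -> bool:
        """Canonicalised, prefix-aware lookup."""
        return any(c in self._canon for c in lookup_candidates(url))


if __name__ == "__main__":
    bl = PhishBlocklist(["http://phish.example.com/login/index.html",
                         "http://evil.example.net/"])
    for u in ("http://phish.example.com//login/index.html",
              "HTTP://Phish.Example.com:80/login/./index.html#top"):
        print(u, "naive:", bl.naive_match(u), "canonical:", bl.match(u))
```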

Posted by sandi with 1 comment(s)

Australian university students can purchase a perpetual licence for Office 2007 for $75.00, or 1 year for $25.00

I'm wondering if there is anything like this happening in the USA, Canada or elsewhere.

Australian university students can purchase a perpetual licence for Office 2007 for $75.00 (AUD) or $25.00 (AUD) for one year.

The software is available via CD (to be distributed via the participating Universities) or via download.

Each eligible student is limited to one purchase of either Microsoft® Office Ultimate 2007 (perpetual licence) or Microsoft® Office Ultimate 2007 Subscription (12 month licence). Students that purchase the Microsoft® Office Ultimate 2007 Subscription (12 month licence) will be offered the opportunity of purchasing a Microsoft® Office Ultimate 2007 (perpetual licence) for AUD$50.00 at the conclusion of their 12 month licence.

In the event of the program being discontinued, students that have purchased the Microsoft® Office Ultimate 2007 Subscription (12 month licence) will still be offered the opportunity to purchase a Microsoft® Office Ultimate 2007 (perpetual licence) for AUD$50.00 at the conclusion of their 12 month licence. The subscription licence must be activated prior to May 28, 2007.

This offer commenced at 12.00PM (Sydney time) on February 26, 2007 and all purchases must be made by 11:59PM (Sydney time) on May 28, 2007.

Details here:
http://www.microsoft.com/australia/education/unistudentoffer/default.mspx

Promotional competition for Australian university students:
http://www.itsnotcheating.com.au/form.asp 


Posted by sandi with 1 comment(s)

AOL and Winfixer.. the malware advertisements should be gone.. for now.

A contact at Microsoft put me in touch with the appropriate people at AOL this morning - an advertising tech lead and a gentleman involved in policy and compliance.  Thanks to a network capture that I gave to AOL they were finally able to track down the rogue advertiser who had infiltrated the AOL ad network to serve up winfixer malware advertisements and shut the ads down.

Once the guys at AOL and I actually hooked up, it only took a few hours to get the account shut down.  Damned if I know why it took so long for us to connect, but it did.

AOL's official statement on the incident is:

"We use a wide range of technical and policy measures to prevent malware distributors from placing advertisements on our networks, but apparently one was able to circumvent those measures.  We have blocked this ad campaign and [are] working with our technical and legal teams to take additional steps to block similar issues in future."

Not long ago Winfixer also infiltrated the MSN advertisement network.  At the time MS issued the following answers to questions put to them:

1. What are Microsoft's policies on what is acceptable in terms of content in ads?
Microsoft's advertising policy states that our customers' online experience is protected from deceptive and misleading advertisements. We also have a high standard for the content that appears in ads. Some categories of advertisements, such as pornography, gambling or spyware/malware, are simply not appropriate for our audience. Additionally, we also exclude our competitors from running ads on our network and on specific sites.

2. What are Microsoft's policies and practices around content in ads on the Live/MSN properties?
Microsoft's Creative Acceptance Policy dictates the type of content ads that are appropriate for the MSN and Windows Live network. According to the policy, Microsoft follows three core guidelines when reviewing ads for MSN and Windows Live properties:
* Images and text must accurately represent the product or services.
* Cross media campaigns must deliver consistent imagery and messaging.
* Offers and sweepstakes must clearly identify the appropriate actions necessary.
To ensure that advertisements meet our standards, ads are visually reviewed for compliance with the Creative Acceptance Policy.

Microsoft have not issued a formal statement to me about the Winfixer outbreak on their network per se, but I did have a one-on-one meeting with a Director in Community & Intelligence, Security Research and Response about the incident and what needs to happen going forward.  The primary point of the meeting was to discuss my concern that historically, once winfixer manages to infiltrate a network once, they continue to do so.

Reality is that the problem of "bait and switch", and other deceitful practices that the bad guys employ to prevent discovery, is not going to go away.  We can write all the policies and procedures that we want, and lay down rule after rule, but if the bad guys ignore said policies and procedures and rules and do what they can to circumvent them and minimise detection, then our only hope is to catch them in the act - and that, gentle reader, is far easier said than done.

When I see talk of policies and procedures, and rules and regulations, being used to police and control the bad guys I can't help but reflect on the fact that the bad guys don't care about, and invariably ignore, such rules and regulations, policies and procedures.  We are not dealing with gentlemen, working by gentleman's rules, who are bound by morals and ethics that control their actions.  The persons behind malware such as winfixer are not constrained by such things as morals or rules. Until we accept this basic reality we will continue to be outwitted by the bad guys.

I am not confident that MS and AOL and the advertising networks they use are going to be able to block the bad guys going forward, not unless they make the difficult (and financially penalising) decision to host their own creatives, thereby preventing bait and switch.  Technical safety measures are failing, and as long as we allow third parties to host the content that we display on our networks, we are at risk.

It's an arms race out there. The bad guys get in - we learn from the incident - we plug the hole and they then try to find another way.  The bad guys try to avoid detection by their hosts by using various tricks, but reality is that sooner or later their wares must appear on a victim's computer and they are then detectable, and traceable.  

We tracked them down on the MSN network, and we tracked them down on the AOL network, and I'll continue to do what is needed to track down those behind future outbreaks.  The game is by no means over.

Posted by sandi with 5 comment(s)

What the hell does it take to get AOL to clean up their advertising network?

This is simply not good enough.

MSN / Microsoft acted fast when *their* advertising network was infiltrated.  AOL, it seems, are either incapable or unwilling to do anything to protect their readers.

The following was captured only minutes ago.  This has been going on for days now, yet AOL remains unresponsive, leaving how many millions of users at direct risk of winfixer infection.  I am going to use every means at my disposal, pull every string, take advantage of every relationship, to try and convince AOL to act. 

If AOL will only act under a barrage of negative press, then so be it.  Reality is that MS/MSN reacted, and reacted fast, when their network was infiltrated.  I won't share exactly what MSN/MS did, but I will say that they took extremely strong steps to neutralise the risk to their users - steps that proved to me beyond a shadow of a doubt that MS and MSN were putting the safety of their users before everything else - steps that AOL seem to be unwilling or unable to take.

  Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = TCP, Packet ID = 3956, Total IP Length = 932
+ Tcp: Flags=...PA..., SrcPort=49263, DstPort=HTTP Alternate(8080), Len=892, Seq=4159520276 - 4159521168, Ack=3989674427, Win=4380 (scale factor 2) = 17520
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
    Command: GET
  + URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    ContentType:  application/x-www-form-urlencoded
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  www.errorsafe.com
    Proxy-Connection:  Keep-Alive
    Cookie:  lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
    HeaderEnd: CRLF

  Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = TCP, Packet ID = 3957, Total IP Length = 845
+ Tcp: Flags=...PA..., SrcPort=49263, DstPort=HTTP Alternate(8080), Len=805, Seq=4159521168 - 4159521973, Ack=3989675429, Win=4129 (scale factor 2) = 16516
- HTTP: Request, GET http://adfarm.mediaplex.com/ad/ck/50866
    Command: GET
  + URI: http://adfarm.mediaplex.com/ad/ck/50866?mpt=[CACHEBUSTER]&aid=oflikely_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    Cookie:  svid=7106602301
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  adfarm.mediaplex.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF

  Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = TCP, Packet ID = 3960, Total IP Length = 936
+ Tcp: Flags=...PA..., SrcPort=49263, DstPort=HTTP Alternate(8080), Len=896, Seq=4159521973 - 4159522869, Ack=3989675758, Win=4047 (scale factor 2) = 16188
- HTTP: Request, GET http://www.systemdoctor.com/download/2006/
    Command: GET
  + URI: http://www.systemdoctor.com/download/2006/?p=10&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=oflikely_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    Cookie:  cnt=AU; lng=en; aid=oflikely_rdt_ed2_au_en; lid=keyin; affid=pp_5608015641; lang=en
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  www.systemdoctor.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF
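As an added example (not from the original post), the following Python script runs detection logic over request lines built from the capture above plus one constructed benign request: it flags requests to the rogue-AV domains named in this post, records the affiliate id carried in the query string, and walks the Referer chain back from the ad creative to the page that loaded it. The one-line-per-request log format is constructed; a real deployment would feed proxy logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Domains named in the post. A real deployment keeps these in a maintained list.
ROGUE_AV_DOMAINS = {"errorsafe.com", "systemdoctor.com", "winantivirus.com"}
AD_CREATIVE_HOSTS = {"2mdn.aolcdn.com"}

# Constructed proxy-style log built from the capture above plus a benign page
# load. Not a real log file.
SAMPLE_LOG = """\
GET http://money.aol.com/news/articles/_a/constructed-article/1 referer=-
GET http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf referer=http://money.aol.com/news/articles/_a/constructed-article/1
GET http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2 referer=http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf
GET http://adfarm.mediaplex.com/ad/ck/50866?mpt=[CACHEBUSTER]&aid=oflikely_rdt referer=http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf
GET http://www.systemdoctor.com/download/2006/?p=10&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=oflikely_rdt referer=http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) referer=(?P<referer>\S+)$")


def parse_log(text: str):
    """One dict per request; a referer of '-' means none was sent."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["referer"] = None if rec["referer"] == "-" else rec["referer"]
        records.append(rec)
    return records


def host_of(url):
    return (urlsplit(url).hostname or "").lower() if url else ""


def registrable(host: str) -> str:
    """Crude 'last two labels' domain; adequate for the .com hosts in the capture."""
    return ".".join(host.split(".")[-2:])


def affiliate_id(url: str):
    """The aid= parameter identifies which affiliate the rogue site credits."""
    return parse_qs(urlsplit(url).query).get("aid", [None])[0]


def find_rogue_redirects(records):
    """Flag requests to rogue-AV domains and note the ad creative that referred them."""
    alerts = []
    for rec in records:
        domain = registrable(host_of(rec["url"]))
        if domain not in ROGUE_AV_DOMAINS:
            continue
        ref_host = host_of(rec["referer"])
        alerts.append({
            "url": rec["url"],
            "domain": domain,
            "aid": affiliate_id(rec["url"]),
            "creative": rec["referer"] if ref_host in AD_CREATIVE_HOSTS else None,
        })
    return alerts


def creative_chain(records, creative_url: str):
    """Follow referers back from the creative to the page that embedded it."""
    by_url = {r["url"]: r for r in records}
    chain = [creative_url]
    cur = by_url.get(creative_url)
    while cur and cur["referer"] in by_url and len(chain) < 32:   # guard against loops
        chain.insert(0, cur["referer"])
        cur = by_url[cur["referer"]]
    return chain


def analyse(text: str):
    records = parse_log(text)
    alerts = find_rogue_redirects(records)
    creatives = sorted({a["creative"] for a in alerts if a["creative"]})
    return {"alerts": alerts, "creatives": creatives,
            "chains": {c: creative_chain(records, c) for c in creatives}}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"{a['domain']:<18} aid={a['aid']:<14} via {a['creative']}")
    for creative, chain in result["chains"].items():
        print(" -> ".join(chain))
```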

Posted by sandi with 9 comment(s)

AOL and Winfixer- the saga continues

As of 10 minutes ago the AOL advertising network is still compromised by winfixer infiltration.  I visited http://money.aol.com/news/articles/_a/technical-goof-wipes-out-38-billion/20070320140609990001 and was immediately redirected to a SystemDoctor site. 

Unfortunately Wireshark crashed with a runtime error before I could save the capture evidencing the redirect - damn it.

Ok, I'm going back to using Microsoft Network Monitor - I am NOT happy that I lost that capture.

AOL should be ashamed of themselves.  Microsoft/MSN shut down the dangerous advertisements within hours of being notified of the problem.  **WHY** is it taking AOL so long to act??

Posted by sandi with 4 comment(s)

Please say it isn't so - Canadian killed by poison pills bought on the net

Source: http://www.canada.com/topics/bodyandhealth/story.html?id=ada62a41-2482-4bf2-bb34-cc00c5ead4a9&k=43298

"The public is being warned about the dangers of purchasing medicine on the Internet following the death of Quadra Island resident Marcia Bergeron.  The 57-year-old apparently died of poisoning after purchasing pills through an online source, said Vancouver Island regional coroner Rose Stanton.  A toxicology report showed that Bergeron's anti-anxiety medication and sedative were laced with dangerous mineral traces, Stanton said.  "The pills had traces of uranium, strontium, selenium, aluminum, arsenic, barium and boron," said Stanton."

My God, this really does put the Winfix problem into perspective, doesn't it.  Sure, Winfixer rips you off with its false positives, tricking you into handing over $$ to fix a computer infestation that doesn't exist, but at least it won't kill you.

Note the further comments in the article:

"Bergeron's medications, confiscated by the coroner, were generic pills in plastic bags with nothing to identify them. There was no information about proper dosage, and no printed materials.  "There's no drug name, there's no dosage information -- that's dangerous," said Stanton. "I think the risk is very high that someone else could suffer the same fate."  Stanton said that the website Bergeron used had fake endorsements from medical agencies.  "These fake sites look very realistic," Stanton said. "They would fool a lot of people. And they mention the names of organization and companies that don't exist."  Stanton said the fake sites set up for very short periods of time -- often just a few days -- then shut down to avoid the authorities, and often set up again under a different name."

What are we going to do about what "the Internet" is turning into?  What happened to the brave vision of the past where "the Internet" would empower us, help us learn, expose us to alternative viewpoints and cultures, and allow us to communicate with loved ones far away and share knowledge... is that all going to be lost to the criminal element?  We can't protect everybody, and reality is that "the Internet" is accessible to so many people now that would never have dreamed of accessing it not so many years ago.  Computers have gone down in price, Internet availability has gone up, broadband is more and more widespread, internet cafes abound for those who do not have computers, and even when we are on the move we can get online via hotspots.  More and more and more people are surfing, but they are not being educated about the dangers out there, and I am struggling with the question "whose responsibility is it" and "what can we do going forward"? 

The catchcry "AOL killed the internet" came to be because of the lack of education and detrimental behaviour of that company's inexperienced, netiquette illiterate subscribers (http://catb.org/~esr/jargon/html/S/September-that-never-ended.html).  Now we are seeing a danger far worse than a deterioration in the quality of conversation in newsgroups.  We are having to face the danger of a criminal element taking advantage of the innocence and naivety of who-knows-how-many millions of users who simply do not know better, and have nobody sitting next to them to guide, protect and train them as they step out into an online world with very few safeguards or protections from shysters, fraudsters and crooks.  And now, somebody has died.

I don't know if Marcia Bergeron is the first person to die under such circumstances, and I feel a great fear that she will not be the last.

Doctors' surgeries have a quota? Since when?

Ok, so my youngest offspring, my daughter, is unwell and showing all the signs of having developed an ear and sinus infection.  We headed down to the medical surgery that our family has been using for more than 20 years to see about treatment.  Ours is not a family that goes to the doctor at the sign of the slightest sniffle, but this time, going on the pain she is in, and the symptoms she is exhibiting, it seems that this time antibiotics may be required.

We arrived more than an hour before scheduled closing time, only to be confronted by a locked door and a sign that says "We have reached our quota. 25/03/07".

Huh? What quota? Number of patients seen quota? Hours allowed to stay open quota? Staff payroll quota? We don't know.

Things have been deteriorating ever since my GP's medical surgery was bought out by Mayne Health (now known as Symbion Health).  Opening hours have been cut back.  Bulk billing has stopped.  And now we see this rubbish about mysterious "quotas". 

I want to go back to the days when medical surgeries were owned and run by traditional family doctors - these big multinationals have different priorities.

Posted by sandi with no comments

Winfixer ad network infiltrations - ponderings

My articles about Winfixer infiltrating the MSN and AOL advertising networks have garnered a lot of interest over the past few weeks.  Trawling through the referrers and trackbacks for my various articles shows just how topical and pervasive the malware advertisement infiltrations are becoming.

AOL and MSN are, of course, only two victims of winfixer infiltration.  Any site that uses the same ad network is at risk.

For example, forum.winamp.com is another site that has been hit - and yes, I saw a systemdoctor redirect at that site this morning.  http://forums.winamp.com/showthread.php?s=&threadid=268303&highlight=spyware

The banner adverts on the winamp forum that I am seeing come from the following URL:
http://ar.atwola.com/html/93166273/107551034/aol

Unlike MS/MSN who responded very quickly to my reports to them of winfixer infiltration, it seems that AOL have not done a damned thing yet, and that is simply not good enough.

I was in Seattle not long ago for the MVP Summit.  While I was there I had a short meeting with a Director of Community & Intelligence, Security Research & Response at Microsoft who has been dealing with the fall-out of the Winfixer infiltration of the Windows Live Messenger banner ad network.  The primary purpose of the meeting was to discuss my concern that the fact that winfixer had managed to infiltrate the MS/MSN ad network once meant that it would happen again.

Microsoft certainly understands the risks being faced by users of their software which includes advertisements - whether it be Windows Live Messenger, or Windows Mail Desktop with its advertisement pane, or MSN, or Hotmail.  But unfortunately, although I am pleased at the high level of collaboration I am seeing at MS/MSN as a result of the Winfixer outbreak,  I am not confident that another outbreak will not occur.

As long as advertising networks do not directly host creatives they will be at risk of bait and switch.  Winfixer is popping up in so many places, we cannot be sure that *any* Web site that displays dynamic advertisements will be safe.  So what can we, as users, do about this problem, considering the advertising networks seem to be unable to control the problem by themselves? 

Yes, we can get rid of Flash.  We can use ad blockers.  We can use Mike Burgess's HOSTS file to redirect known advert URLs to localhost.  We can disable ActiveX completely.  I'll fight against users having to cripple their Web browsers and sacrifice access to content such as Flash and ActiveX in an attempt to avoid malware.  Mike Burgess's HOSTS file, on the other hand, is what I recommend - block the adware content without crippling your browser or sacrificing Flash.

Web site owners and those running advert networks must surely understand the risk to their revenue streams as more and more people actively block advertisements as a self defence mechanism against malware.  If we, the visitors, don't see the adverts we are not going to click on them.  If we don't click on the adverts, there is no income.  Maybe once the advertising networks realise they are at risk of losing more and more viewers, the cost of directly hosting creatives will become less prohibitive - after all, it is better to have a lowered income than no income at all.

A final note - Mikeonads has an interesting write-up about the winfixer malware problem that is worth reading:
http://www.mikeonads.com/what-is-errorsafe-and-how-do-we-stop-it/

Posted by sandi with 3 comment(s)

GOTCHA! Winfixer and AOL

I've posted a couple of times on this blog about how visits to AOL pages were redirecting at random to the scareware/malware commonly known as Winfixer (aka SystemDoctor and ErrorSafe aka several other names).  On previous occasions I did not have network monitors running, and therefore could only offer screenshots and my word as "proof" of the incidents.

(http://msmvps.com/blogs/spywaresucks/archive/2007/03/22/701346.aspx)
(http://msmvps.com/blogs/spywaresucks/archive/2007/03/21/697330.aspx)

This time, however, Microsoft Network Monitor was running when I visited the AOL page (http://money.aol.com/news/articles/_a/technical-goof-wipes-out-38-billion/20070320140609990001) and was redirected to an ErrorSafe page.

Below are snippets of relevant network data - the full logs are available for inspection and use by the appropriate authorities.

BTW, some of you may find this URL interesting - http://locator.contentsvc.com/sites/winantivirus.com/main/img/en/flash_world_end.swf 

I have included a description of what happens when we are redirected to http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2 (with screenshots) at the end of this article.

Editorial:  It is well and truly time for MSN, MS, AOL and any other big name that has had their advertising networks infiltrated by the crud commonly known as Winfixer to go after Winfixer, its affiliates, and the sites that host the malware by using every legal avenue open to them, with no holds barred.  Join forces and go after those behind Winfixer, those who host it, and those who spread it, with every legal weapon at your disposal.  Shut them down, and shut them down for good!

What is Winfixer and why is it so bad?

Winfixer is betrayware and scareware: a rogue "antispyware" product that reports fabricated problems (the "Error Detected" alert in the walkthrough at the end of this article) and pushes the visitor to download and pay for a "fix".  Detailed information about ErrorSafe, the Winfixer variant cited in this article, is here:
http://research.sunbelt-software.com/threatdisplay.aspx?name=ErrorSafe&threatid=42636

More information is available at Wikipedia:
http://en.wikipedia.org/wiki/WinFixer

Rogue Antispyware (also known as Betrayware):
http://www.spywarewarrior.com/rogue_anti-spyware.htm

DISCLAIMER: PLEASE DO NOT VISIT THE URLS IN THIS ARTICLE UNLESS YOU ARE USING A COMPUTER THAT IS WELL SECURED, YOU ARE RUNNING THE LATEST VERSION OF YOUR WEB BROWSER, AND YOU HAVE INSTALLED ALL SECURITY PATCHES RELEVANT TO YOUR SYSTEM AND SOFTWARE, AND YOU KNOW WHAT YOU ARE DOING - SOME OF THE FOLLOWING URLS *WILL* TRY TO INSTALL ERRORSAFE ON TO YOUR COMPUTER.

Network captures....

- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
    Command: GET
  - URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
     Location: http://www.errorsafe.com/pages/scanner/index.php
     aid: oflikely
     lid: 728
     ax: 1
     ex: 1
     ed: 2
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
    ContentType:  application/x-www-form-urlencoded
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  http://www.errorsafe.com/
    Proxy-Connection:  Keep-Alive
    Cookie:  lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
    HeaderEnd: CRLF

- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
    Command: GET
  - URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
     Location: http://www.errorsafe.com/pages/scanner/index.php
     aid: oflikely
     lid: 728
     ax: 1
     ex: 1
     ed: 2
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
    ContentType:  application/x-www-form-urlencoded
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  http://www.errorsafe.com/
    Proxy-Connection:  Keep-Alive
    Cookie:  lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
    Proxy-Authorization:  Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHAXAAAADw==
    HeaderEnd: CRLF

- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
    Command: GET
  - URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
     Location: http://www.errorsafe.com/pages/scanner/index.php
     aid: oflikely
     lid: 728
     ax: 1
     ex: 1
     ed: 2
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
    ContentType:  application/x-www-form-urlencoded
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Cookie:  lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
    Proxy-Connection:  Keep-Alive
    Proxy-Authorization:  Negotiate TlRMTVNTUAADAAAAGAAYAIYAAAAeAR4BngAAABoAGgBYAAAACgAKAHIAAAAKAAoAfAAAABAAEAC8AQAAFYKI4gYAcBcAAAAPsKxKTdXkb42e5CbZCmE/GUgAQQBSAEQATQBFAEkARQBSADIAMAAwADMAcwBhAG4AZABpAEYAVABRADAANADiS3am/gxUr5ks7Z7nHPrlXntugRWVeronRvfqMZhglYzRdEj

- HTTP: Request, GET http://adfarm.mediaplex.com/ad/ck/50866
    Command: GET
  - URI: http://adfarm.mediaplex.com/ad/ck/50866?mpt=[CACHEBUSTER]&aid=oflikely_rdt
     Location: http://adfarm.mediaplex.com/ad/ck/50866
     mpt: [CACHEBUSTER]
     aid: oflikely_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
    Cookie:  svid=7106602301
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Proxy-Connection:  Keep-Alive
    Host:  adfarm.mediaplex.com
    HeaderEnd: CRLF
 

- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/
    Command: GET
  - URI: http://www.errorsafe.com/pages/scanner/?p=18&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=oflikely_rdt
     Location: http://www.errorsafe.com/pages/scanner/
     p: 18
     ax: 1
     ex: 1
     ed: 2
     mpt: [CACHEBUSTER]
     aid: oflikely_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
    Cookie:  lang=en; gI=YTo0OntzOjEyOiJjb3VudHJ5X2NvZGUiO3M6MjoiQVUiO3M6NzoiY291bnRyeSI7czo5OiJhdXN0cmFsaWEiO3M6NToic3RhdGUiO3M6MTY6Indlc3Rlcm5hdXN0cmFsaWEiO3M6NDoiY2l0eSI7czo1OiJwZXJ0aCI7fQ%3D%3D; aid=oflikely; lid=728; cnt=AU; lng=en
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  www.errorsafe.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF
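
The captures above can be triaged mechanically rather than read by eye.  The Python script below is an added example, not code from the original post or from anyone named in it.  It parses Network Monitor-style request dumps like the ones above, rebuilds the hop chain from the SWF creative on 2mdn.aolcdn.com to errorsafe.com and adfarm.mediaplex.com, decodes the creative's double-encoded clickTag (which points at a DoubleClick click tracker), decodes the gI cookie that errorsafe.com set (a base64-wrapped PHP serialize() array holding the visitor's geolocation, which is why cnt=AU appears beside it), classifies the NTLM messages in the Proxy-Authorization headers (the same GET appears three times above because the browser re-sent it through the proxy's NTLM handshake: no credentials, then a type 1 Negotiate, then a type 3 Authenticate that carries domain, user and workstation names), and produces a redacted copy.  The sample dump is constructed from the headers shown above; the function names and the [REDACTED] marker are this example's own.

```python
"""Triage helper for Network Monitor-style HTTP request dumps such as the ones
above. Added example, not code from the original post: it rebuilds the ad hop
chain, decodes the creative's clickTag and errorsafe.com's gI geo cookie,
classifies NTLM messages in Proxy-Authorization headers and redacts them."""
import base64
import binascii
import re
import struct
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the headers from the capture that matter here. The NTLM
# blob is the type 1 (Negotiate) message, which carries no credentials.
SAMPLE = """\
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
  - URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
    Cookie:  lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
    Proxy-Authorization:  Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHAXAAAADw==
    HeaderEnd: CRLF

- HTTP: Request, GET http://adfarm.mediaplex.com/ad/ck/50866
  - URI: http://adfarm.mediaplex.com/ad/ck/50866?mpt=[CACHEBUSTER]&aid=oflikely_rdt
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
    HeaderEnd: CRLF

- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/
  - URI: http://www.errorsafe.com/pages/scanner/?p=18&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=oflikely_rdt
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
    Cookie:  lang=en; gI=YTo0OntzOjEyOiJjb3VudHJ5X2NvZGUiO3M6MjoiQVUiO3M6NzoiY291bnRyeSI7czo5OiJhdXN0cmFsaWEiO3M6NToic3RhdGUiO3M6MTY6Indlc3Rlcm5hdXN0cmFsaWEiO3M6NDoiY2l0eSI7czo1OiJwZXJ0aCI7fQ%3D%3D; aid=oflikely; lid=728; cnt=AU; lng=en
    HeaderEnd: CRLF
"""

HEADER_RE = re.compile(r"^[ \t]*-?[ \t]*([A-Za-z-]+):[ \t]*(.*?)\s*$")

def parse_requests(dump):
    """One dict per '- HTTP: Request' block, keyed by header/field name."""
    requests = []
    for block in re.split(r"^- HTTP: Request, ", dump, flags=re.M)[1:]:
        lines = block.splitlines()
        req = {"Request": lines[0].strip()}
        for m in filter(None, map(HEADER_RE.match, lines[1:])):
            req[m.group(1)] = m.group(2)
        requests.append(req)
    return requests

def hop_chain(requests):
    """(referring host, requested host, affiliate id) for each request, in order."""
    chain = []
    for req in requests:
        uri, ref = req.get("URI", ""), req.get("Referer", "")
        aid = parse_qs(urlsplit(uri).query).get("aid", [None])[0]
        chain.append((urlsplit(ref).hostname, urlsplit(uri).hostname, aid))
    return chain

def click_tag(referer):
    """The SWF creative's clickTag is URL-encoded twice; return it fully decoded."""
    return unquote(parse_qs(urlsplit(referer).query).get("clickTag", [""])[0])

def cookies(header):
    return dict(p.strip().split("=", 1) for p in header.split(";") if "=" in p)

def decode_php_array(value):
    """Decode a base64-wrapped PHP serialize() array of strings (the gI cookie)."""
    raw = base64.b64decode(unquote(value)).decode("utf-8", "replace")
    return dict(re.findall(r's:\d+:"([^"]*)";s:\d+:"([^"]*)";', raw))

def ntlm_info(header):
    """Classify the NTLMSSP message in 'Proxy-Authorization: Negotiate|NTLM <b64>'."""
    scheme, _, blob = header.partition(" ")
    try:  # pad so a blob truncated by a wrapped log line still decodes
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except (binascii.Error, ValueError):
        raw = b""
    if len(raw) < 12 or not raw.startswith(b"NTLMSSP\x00"):
        return {"scheme": scheme, "ntlm": False}
    kind = struct.unpack_from("<I", raw, 8)[0]
    # type 3 (Authenticate) carries domain, user, workstation and the NTLM response
    info = {"scheme": scheme, "ntlm": True, "type": kind, "sensitive": kind == 3}
    if kind == 1 and len(raw) >= 40 and struct.unpack_from("<I", raw, 12)[0] & 0x02000000:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)  # NEGOTIATE_VERSION set
        info["os_version"] = f"{major}.{minor}.{build}"
    return info

def redact(dump):
    """Blank proxy/origin credentials before a capture is published."""
    pat = re.compile(r"^([ \t]*(?:Proxy-)?Authorization:[ \t]*).*$", re.M)
    return pat.sub(r"\1[REDACTED]", dump)

if __name__ == "__main__":
    reqs = parse_requests(SAMPLE)
    print(hop_chain(reqs), click_tag(reqs[0]["Referer"]))
    print(decode_php_array(cookies(reqs[2]["Cookie"])["gI"]), ntlm_info(reqs[0]["Proxy-Authorization"]))
    print(redact(SAMPLE))
```

Run against the sample, the hop chain shows every request carrying the same SWF Referer, i.e. the creative itself, not the AOL page, is what issued the requests to errorsafe.com and the mediaplex click counter; the type 1 NTLM message's version field reports Windows 6.0 build 6000, matching the Vista user agent in the capture.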

Who are 2mdn.aolcdn.com?  Here is the DNS lookup for the 2mdn.aolcdn.com A record.  Note where it ends up: the AOL-owned name is a CNAME to edgesuite.net and on to Akamai, so the hostile creative was served under AOL's own CDN hostname rather than from some third-party domain:

Searching for 2mdn.aolcdn.com A record at k.root-servers.net [193.0.14.129]: Got referral to j.gtld-servers.net. (zone: com.) [took 77 ms]
Searching for 2mdn.aolcdn.com A record at j.gtld-servers.net. [192.48.79.30]: Got referral to dns-07.ns.aol.com. (zone: aolcdn.com.) [took 312 ms]
Searching for 2mdn.aolcdn.com A record at dns-07.ns.aol.com. [64.236.1.107]: Got CNAME of 2mdn.aolcdn.com.edgesuite.net. and referral to d.root-servers.net [took 84 ms]
Searching for 2mdn.aolcdn.com.edgesuite.net A record at a.root-servers.net [198.41.0.4]: Got referral to B.GTLD-SERVERS.net. (zone: net.) [took 30 ms]
Searching for 2mdn.aolcdn.com.edgesuite.net A record at B.GTLD-SERVERS.net. [192.33.14.30]: Got referral to ns1-137.akam.net. (zone: edgesuite.net.) [took 396 ms]
Searching for 2mdn.aolcdn.com.edgesuite.net A record at ns1-137.akam.net. [193.108.91.137]: Got CNAME of a1551.g.akamai.net. and referral to h.root-servers.net [took 5 ms]
Searching for a1551.g.akamai.net A record at h.root-servers.net [128.63.2.53]: Got referral to d.gtld-servers.net. (zone: net.) [took 29 ms]
Searching for a1551.g.akamai.net A record at d.gtld-servers.net. [192.31.80.30]: Got referral to zf.akamaitech.net. (zone: akamai.net.) [took 36 ms]
Searching for a1551.g.akamai.net A record at zf.akamaitech.net. [195.27.203.4]: Got referral to n2g.akamai.net. (zone: g.akamai.net.) [took 102 ms]
Searching for a1551.g.akamai.net A record at n2g.akamai.net. [69.31.88.58]: Got CNAME of a1551.g.akamai.net.47581f45.1.cn.akamaitech.net. and referral to g.root-servers.net [took 11 ms]
Searching for a1551.g.akamai.net.47581f45.1.cn.akamaitech.net A record at j.root-servers.net [192.58.128.30]: Got referral to I.GTLD-SERVERS.net. (zone: net.) [took 389 ms]
Searching for a1551.g.akamai.net.47581f45.1.cn.akamaitech.net A record at I.GTLD-SERVERS.net. [192.43.172.30]: Got referral to zd.akamaitech.net. (zone: akamaitech.net.) [took 110 ms]
Searching for a1551.g.akamai.net.47581f45.1.cn.akamaitech.net A record at zd.akamaitech.net. [61.200.81.116]: Got referral to n7cn.akamaitech.net. (zone: cn.akamaitech.net.) [took 372 ms]
Searching for a1551.g.akamai.net.47581f45.1.cn.akamaitech.net A record at n7cn.akamaitech.net. [72.247.127.103]: Reports a1551.g.akamai.net.47581f45.1.cn.akamaitech.net. [took 800 ms]

Following is a description of what happened when I visited http://money.aol.com/news/articles/_a/technical-goof-wipes-out-38-billion/20070320140609990001

My Web browser was redirected to http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2

Then, we are immediately redirected to the site at the URL below:

Clicking on the red X close button results in another redirect, this time to the page below.  Note the info bar warning of an attempt to install ErrorSafeNewReleaseInstall.cab, and the "Error Detected" alert.  It is important to note that the close button on the "Error Detected" alert is NOT clickable.  A user has three choices: click on "OK", click on "More Info", or close the page in its entirety.

Clicking on "More Info" simply closed the alert, and clicking on "OK" leads to this URL http://www.errorsafe.com/pages/scanner/download_sp1.php?aid=oflikely_rdt_au_en_ed2&lid=keyin (and triggers the two dialogue boxes that appear in the last two screenshots).

 

I closed the window and immediately saw another dialogue box - as always I strongly recommend AGAINST clicking on the OK or Cancel buttons. Use the red X close button instead.

I used the red close button to close that dialogue box and immediately saw the following.  After clicking on the red X close button, the Web site *finally* closed.

 

Posted by sandi with 9 comment(s)

The AOL advertisement network has DEFINITELY been infiltrated by winfixer

Winfixer has DEFINITELY infiltrated the AOL advertisement network.

Just like last night, I saw a systemdoctor redirect the first time I accessed this URL and I blogged about it
http://money.aol.com/news/articles/_a/technical-goof-wipes-out-38-billion/20070320140609990001

I saw exactly the same thing tonight.  They are being damned sneaky - unlike the MSN advertisement outbreak, when I could track down the ad and trigger winfixer behaviour very quickly, I'm only seeing the Winfixer advertisement on the AOL advertisement network sporadically, often only the first time that I load a URL - from that time on there is no repetition until a good 24 hours has passed.  Considering AOL's readership, even *one* advertisement per day per reader is one hell of a user pool to fish in.

Screenshots of the malware, with URLs, are below.  It is now time to track these b**tards down and get them *out* of that advertisement network, just as we did with the MSN network.

I am not confident that we will be able to get AOL to respond to this problem as quickly as MSN.

We are, once again, dealing with a hostile Flash ad (note the reference to CACHEBUSTER).

 

Posted by sandi with 1 comment(s)

IE7 kb article - error 1003 error_can_not_complete

FIX: Error message when an application tries to use IE7 to retrieve a proxy configuration script: "1003 ERROR_CAN_NOT_COMPLETE"
http://support.microsoft.com/default.aspx/kb/931195
Posted by sandi with no comments

Tutorial/training - reverse engineering malware

"To many of us the world of reverse engineering is a rather exotic one. Many people don’t even know how to go about doing it. In this article series we shall go over how to apply this rapidly growing computer security field."

http://www.windowsecurity.com/articles/Reverse-Engineering-Malware-Part1.html

Posted by sandi with 1 comment(s)