August 2007 - Posts

EOLAS patent - settled

I'm not sure how I feel about this; the fallout from the now infamous EOLAS patent dispute has had a fundamental effect on how we interact with the Web when using Internet Explorer, and I have never felt that the change was for the better.  Heck, I never supported the patent in the first place (another MVP described it as a "hot button issue" for me in an email dialogue tonight).

Many will not remember this, but a few years ago there was a "developer preview" (my terminology, can't remember exactly what they called it) that was released for a short while for testing that directly addressed the EOLAS patent - it was a horrid thing, and I'm so glad they didn't go ahead with it.  Basically, every single control on a web page that required user interaction triggered a dialogue box.  I remember testing the changes at Java Boutique, sometimes triggering dozens of dialogue boxes per page.

Thankfully, the original version of the changes to Internet Explorer didn't proceed, and we ended up with the discreet, "Click to activate and use this control" prompt.  The prompt is becoming more rare nowadays, as web sites learn how to work around the changes.

The following shots show how Microsoft's adaptations to address the EOLAS patent matured over the years.  Here you see the very irritating dialogue box that popped up for every affected control, an older version of the mouseover text, and the final version.  Sadly, I can't remember when the change from "Press SPACEBAR or ENTER to activate and use this control" to "Click to activate and use this control" occurred - perhaps one of my readers will share their knowledge of that.



[image: screenshots of the three EOLAS prompts described above]

The entire EOLAS brouhaha has been a real roller coaster ride; EOLAS were originally awarded $521 million by a jury in 2003, but that award was partially overturned on appeal - one of the facets of the appeal was whether the jury should have been allowed to consider whether the EOLAS patent was/is invalid.  The case was due back in court last month for a retrial, but was postponed.

In the midst of the lawsuit, in November 2003 the Deputy Patent Commissioner of the US Patent and Trademark Office, Stephen G Kunin, ordered the agency's examiners to reconsider the EOLAS patent that had been awarded to the University of California back in 1998.  That had only happened 151 times in the last 22 years!!!

This led to the patent being invalidated in March 2004 in a preliminary ruling:
http://www.theregister.co.uk/2004/03/05/eolas_web_patent_nullified/

Then, in August 2004, Microsoft had another win, with the Patent Office reported as rejecting all 10 patent claims under review:
http://news.com.com/Microsoft+wins+again+in+Eolas+patent+dispute/2100-1032_3-5315367.html?tag=nefd.lede

But then in 2005, the patent was upheld, although I do note that Microsoft do have permission to fight it out once again after it was issued with a patent covering the same concepts as the EOLAS patent - basically it's a "who invented it first" fight - the hearing was scheduled for June this year; I haven't found any evidence of a result, and that could take up to a year. 

Then the cat was put right in the middle of the EOLAS pigeons.  A recent US Supreme Court decision cast real doubt on the original award of $521 million when that Court ruled that Microsoft cannot be forced to pay for patent infringements that occur when copies of Windows are made and installed on computers abroad.  Remember, the jury originally granted the University of California and Eolas US$1.47 for each of the 354 million copies of the Windows operating system that included the Internet Explorer browser between Nov. 17, 1998, when the patent was issued, and Sept. 30, 2001 - but that count of 354 million was *worldwide*.   By reducing the scope of computers caught by patent infringement penalties, EOLAS were looking at a potential reduction in their award from US$521 million to US$187 million - a massive drop in anyone's language.

In August 2007 EOLAS Chief Operating Officer Mark C Swords released a letter to EOLAS shareholders advising that, although he could not talk about the exact terms of the settlement, the Board of EOLAS were anticipating a dividend of between $60 and $72 per share, although I must point out that no direct link was drawn in the letter from Mr Swords between the release of the dividend and the settlement with Microsoft.  There will be an informal meeting for EOLAS shareholders at 7.00pm on Tuesday 4 September 2007 at the Holiday Inn Select, 1801 Naper Boulevard, Naperville, Illinois, at which the future business plans of EOLAS, its finances, and "such information regarding the settlement as [EOLAS] are permitted to disclose" will be discussed.

So, it all seems to be over - it has not only been a roller coaster ride, it has also been fascinating watching the US legal system and its events here, and the US Patents Office, and how activities there affected what was happening in the Courts. 

In the end, EOLAS got their settlement and Internet Explorer users got the short end of the stick... have EOLAS gone after those behind other web browsers in the same way as they went after Microsoft? Um, not as far as I know...

Posted by sandi with no comments

Yay! Anti-Spyware Vendor protected by 47 USC 230(c)(2) - Zango v Kaspersky

"The court says, clearly and unambiguously, that anti-spyware vendors' labeling judgments are completely protected by 47 USC 230(c)(2), a statute designed to protect online filtering judgments. In support of this conclusion, the court says that:

1) Kaspersky qualifies as an interactive computer service provider (specifically, as an access software provider)
2) The labeled software does not have to be actually "objectionable;" the vendor qualifies for protection so long as it subjectively considers the software objectionable.
3) There is no "good faith" standard in the statute for the vendor's decision to consider software objectionable."


Source: http://blog.ericgoldman.org/archives/2007/08/antispyware_ven.htm

Calling all Geekgirls

Bronwyn has put out a call for members to join geekgirlsblog; I suppose I'd better put my name in the hat ;)

I haven't met Bronwyn - our respective home towns are many thousands of miles apart, and I don't get to travel much nowadays - but those I know who have met her have nothing but good things to say.  Hopefully one day our paths will cross.

Source: http://techtalkblogs.com/blog/archive/2007/08/30/3132.aspx

Posted by sandi with 1 comment(s)

Fiddlercap - designed to help the non-expert gather HTTP logs (great for helping to track down malware-adverts)

One of the biggest problems I face when tracking down malicious banner advertisements is gathering proof sufficient to convince a web site and/or advertising network that they have a problem.  Sometimes I am unable to reproduce a reported hijack by a banner advertisement despite my best efforts.  When my correspondent is inexperienced they can struggle to gather the required data for me to analyse and publicise.

Eric Lawrence of Microsoft has also seen the need for a product that will make it easy for the inexperienced to generate an HTTP or HTTPS log, so he has created a simpler version of Fiddler especially to address this need.

Called Fiddlercap, the product can be used to easily take a snapshot of HTTP traffic, which is then sent to a "debugging buddy" (that would be me) :o)

My only question is whether Fiddlercap and Fiddler can be installed side by side.  I must ping Eric about that, see what I can find out.

You can download Fiddlercap here: http://www.fiddler2.com/fiddler/help/log.asp

Posted by sandi with 4 comment(s)

Spam slam

Ok, so the neanderthals behind the Storm spam (whose grammatical skills leave a lot to be desired) have given up, for now, on the idea of playing to the guilty conscience and voyeurism.  Now they're trying to lure people in with music videos.

Subject: dude this is not even on MTV yet
Subject: Cool Video is out
Subject: Hot new video
Subject: OMG, check out the new video
Subject: this video is out out yet
Subject: this video rocks
Subject: your gonna love this. lol
Subject: awesome new video

------
Beyonce just cut there new video.

See it before the video is released. Click on the link to pull it off my
server: <<<URL deleted>>>
------
P. Kelly finished a new video.

See the cut before it hits MTV. Paste this address in your browser for the video: <<URL deleted>>
------
Fergie just filmed their new video.

See it here before it releases. Go here for the video:
<<URL removed>>
------
Snoop Dog did a new video.

Be the first to see it. Click on the link to pull it off my server:
<<URL removed>>

If you are silly enough to go to the Web sites being offered you will see:

"If the video does not start playing you need to load the right codec.  Click on the link to install it.
------

The download offered is Zhelatin/Storm worm aka Email-Worm.Win32.Zhelatin.hs. Believe me, you don't want to take the bait and go to those sites, even for curiosity's sake.

HOTFIX: When you use IE7 to browse a Web page, the state of the "Edit with <HTML editor>" command on the File menu may be inconsistent with the state of the "Edit with <HTML editor>" command on the Page menu

You use Windows Internet Explorer 7 to browse a Web page, and you examine the state of the Edit with <HTML editor> command on the File menu. However, you notice that the state of this command is inconsistent with the state of the Edit with <HTML editor> command on the Page menu. For example, the Edit with Notepad command on the File menu may be enabled, while the Edit with Notepad command on the Page menu is disabled.

Additionally, the state of Edit with <HTML editor> command on the Page menu will vary from disabled to enabled if either of the following conditions is true:

• You refresh the Web page in the current Internet Explorer window.
• You open the same Web page in another Internet Explorer window.

Note The <HTML editor> placeholder represents a program that you can use to edit HTML files. For more information about how to specify the HTML editor, see the "More information" section.

http://support.microsoft.com/default.aspx/kb/939946

Posted by sandi with no comments

Winfixer at seo.mhvt.net

All URLs broken for safety reasons:

The bad advertisement is hxxp://b1.adbrite.com/iads/35249.swf (an advertisement for monstermarketplace.com).  Please read this article if you cannot reproduce the hijack.

Note: there may be more hijacking adverts - this is just the one I found today.  The owner of the blog knows about this information and will be able to get rid of the dangerous advertisement, then we will monitor the situation.

Summary:

Referer: hxxp://seo.mhvt.net/blog/?p=137  --> Host: ads.adbrite.com

Referer: hxxp://b1.adbrite.com/mb/banner_shim.swf?bannerURL=hxxp://b1.adbrite.com/iads/35249.swf&clickTAG=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick  --> Host: b1.adbrite.com


Referer: hxxp://b1.adbrite.com/iads/35249.swf  --> Host: www.errorsafe.com

Referer: hxxp://b1.adbrite.com/iads/35249.swf  --> Host: winantivirus.com

Referer: hxxp://b1.adbrite.com/iads/35249.swf  --> Host: drivecleaner.com

Referer: hxxp://b1.adbrite.com/iads/35249.swf  --> Host: www.mysurvey4u.com

Referer: hxxp://b1.adbrite.com/iads/35249.swf  --> Host: www.errorsafe.com


Details...

GET /mb/text_group.php?sid=404027&zs=3136305f363030 HTTP/1.1
Accept: */*
Referer: hxxp://seo.mhvt.net/blog/?p=137
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Proxy-Connection: Keep-Alive
Host: ads.adbrite.com
Cookie: <<deleted>>
HTTP/1.1 200 OK
Via: 1.1 <<deleted>>
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Date: Wed, 29 Aug 2007 23:55:14 GMT
Content-type: text/html
Server: lighttpd/1.4.16
Cache-Control: no-cache, no-store, must-revalidate
P3P: policyref="hxxp://www.adbrite.com/p3p.xml",CP="NOI NID"
Set-Cookie: <<deleted>>
Set-Cookie: <<deleted>>
------------------------------------------------------------------
GET /iads/35249.swf HTTP/1.1
Accept: */*
Referer: hxxp://b1.adbrite.com/mb/banner_shim.swf?bannerURL=hxxp://b1.adbrite.com/iads/35249.swf&clickTAG=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick
x-flash-version: 9,0,47,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: b1.adbrite.com
Proxy-Connection: Keep-Alive
Cookie: <<deleted>>
HTTP/1.1 200 OK
Via: 1.1 <<deleted>>
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 15639
Date: Wed, 29 Aug 2007 23:55:14 GMT
Content-Type: application/x-shockwave-flash
ETag: "5853fd-3d17-46c1ca76"
Server: Apache
Last-Modified: Tue, 14 Aug 2007 15:29:58 GMT
Accept-Ranges: bytes
X-Pad: avoid browser bug

------------------------------------------------------------------
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: hxxp://b1.adbrite.com/iads/35249.swf
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.errorsafe.com
Proxy-Connection: Keep-Alive

------------------------------------------------------------------

HTTP/1.1 302 Found
Via: 1.1 <<deleted>>
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 29 Aug 2007 23:55:17 GMT
Location: hxxp://winantivirus.com/download/2007/index.php?aid=59idf95t&ax=1&ex=1&ed=2&h=10&j=1&mtrt=tmpsron
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: <<deleted>>
Set-Cookie: <<deleted>>

-----------------

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: hxxp://b1.adbrite.com/iads/35249.swf
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.errorsafe.com
Proxy-Connection: Keep-Alive

------------------------------------------------------------------

HTTP/1.1 302 Found
Via: 1.1 <<deleted>>
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 29 Aug 2007 23:55:17 GMT
Location: hxxp://winantivirus.com/download/2007/index.php?aid=59idf95t&ax=1&ex=1&ed=2&h=10&j=1&mtrt=tmpsron
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: <<deleted>>

------------------------------------------------------------------

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: hxxp://b1.adbrite.com/iads/35249.swf
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Proxy-Connection: Keep-Alive
Host: winantivirus.com

------------------------------------------------------------------

HTTP/1.1 302 Found
Via: 1.1 <<deleted>>
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 29 Aug 2007 23:55:18 GMT
Location: hxxp://drivecleaner.com/.freeware/index.php?aid=59idf95t&ax=1&ex=1&ed=2&h=10&j=1&mtrt=tmpsron&lid=dc-p22&mtrt=null&p=22
Content-Type: text/html; charset=UTF-8
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: <<deleted>>

------------------------------------------------------------------

/.freeware/index.php?aid=59idf95t&ax=1&ex=1&ed=2&h=10&j=1&mtrt=tmpsron&lid=dc-p22&mtrt=null&p=22 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: hxxp://b1.adbrite.com/iads/35249.swf
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Proxy-Connection: Keep-Alive
Host: drivecleaner.com

------------------------------------------------------------------

HTTP/1.1 200 OK
Via: 1.1 <<deleted>>
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 29 Aug 2007 23:55:18 GMT
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: <<deleted>>

------------------------------------------------------------------

GET /stats.php?campaign=59idf95t&u=1188431995592 HTTP/1.1
Accept: */*
Referer: hxxp://b1.adbrite.com/iads/35249.swf
x-flash-version: 9,0,47,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.mysurvey4u.com
Proxy-Connection: Keep-Alive

------------------------------------------------------------------

HTTP/1.1 200 OK
Via: 1.1 <<deleted>>
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Date: Wed, 29 Aug 2007 23:59:57 GMT
Content-type: text/html
Server: lighttpd/1.4.13
X-Powered-By: PHP/5.2.0-8+etch7
Last-Modified: Wed, 29 Aug 2007 23:59:57 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache

------------------------------------------------------------------

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: hxxp://b1.adbrite.com/iads/35249.swf
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.errorsafe.com
Proxy-Connection: Keep-Alive

------------------------------------------------------------------

HTTP/1.1 302 Found
Via: 1.1 <<deleted>>
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Wed, 29 Aug 2007 23:59:58 GMT
Location: hxxp://winantivirus.com/download/2007/index.php?aid=59idf95t&ax=1&ex=1&ed=2&h=10&j=1&mtrt=tmpsron
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: <<deleted>>

------------------------------------------------------------------

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: hxxp://b1.adbrite.com/iads/35249.swf
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Proxy-Connection: Keep-Alive
Host: winantivirus.com

------------------------------------------------------------------

HTTP/1.1 302 Found
Via: 1.1 <<deleted>>
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Thu, 30 Aug 2007 00:02:52 GMT
Location: hxxp://www.errorprotector.com/free/index.php?aid=59idf95t&ax=1&ex=1&ed=2&h=10&j=1&mtrt=tmpsron&lid=erp-l1&mtrt=null&l=1
Content-Type: text/html; charset=UTF-8
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: <<deleted>>
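As an added example (not part of the original post), the following Python parses a Fiddler-style raw capture like the one above into request/response hops and derives three things from it: the Referer --> Host summary the post gives by hand, the chain of 302 Location redirects, and the hosts that the SWF itself sent the browser to. The sample capture is constructed from the hosts in the post, shortened to one header per line, with cookies and proxy hops already scrubbed; it is not the post's own log.

```python
"""Rebuild the ad-to-scareware hop chain from a Fiddler-style raw HTTP capture."""
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the capture in the post: same hosts and defanged hxxp://
# scheme, but shortened, and with cookies / Via hops already removed. Not the post's log.
SAMPLE_LOG = """\
GET /mb/text_group.php?sid=404027 HTTP/1.1
Referer: hxxp://seo.mhvt.net/blog/?p=137
Host: ads.adbrite.com
HTTP/1.1 200 OK
------
GET /iads/35249.swf HTTP/1.1
Referer: hxxp://b1.adbrite.com/mb/banner_shim.swf?bannerURL=hxxp://b1.adbrite.com/iads/35249.swf
Host: b1.adbrite.com
HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
------
Referer: hxxp://b1.adbrite.com/iads/35249.swf
Host: www.errorsafe.com
------
HTTP/1.1 302 Found
Location: hxxp://winantivirus.com/download/2007/index.php?aid=59idf95t
------
Referer: hxxp://b1.adbrite.com/iads/35249.swf
Host: winantivirus.com
------
HTTP/1.1 302 Found
Location: hxxp://drivecleaner.com/.freeware/index.php?aid=59idf95t&lid=dc-p22
------
Referer: hxxp://b1.adbrite.com/iads/35249.swf
Host: drivecleaner.com
------
HTTP/1.1 200 OK
"""

SEPARATOR = re.compile(r"(?m)^-{5,}\s*$")          # dashed lines between sessions
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})")   # first line of a response


def parse_headers(lines):
    """Map lower-cased header names to values; request/status lines lack 'Name:' and are skipped."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and " " not in name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def host_of(url):
    """Host part of a URL; urlsplit accepts the defanged hxxp:// scheme used in the post."""
    return urlsplit(url.strip()).netloc.lower() if url else ""


def parse_log(text):
    """Return one dict per request: host, referer, status, location.
    A chunk may hold a request, a response, or both (the post's first two sessions do);
    a response is attached to the most recent request that has none yet."""
    hops = []
    for chunk in SEPARATOR.split(text):
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        # request lines come first; the status line, if present, starts the response
        split_at = next((i for i, ln in enumerate(lines) if STATUS_LINE.match(ln)), len(lines))
        req_lines, resp_lines = lines[:split_at], lines[split_at:]
        if req_lines:
            h = parse_headers(req_lines)
            hops.append({"host": h.get("host", "").lower(), "referer": h.get("referer", ""),
                         "status": None, "location": ""})
        if resp_lines:
            status = int(STATUS_LINE.match(resp_lines[0]).group(1))
            h = parse_headers(resp_lines[1:])
            pending = next((hop for hop in reversed(hops) if hop["status"] is None), None)
            if pending is not None:
                pending["status"] = status
                pending["location"] = h.get("location", "")
    return hops


def referer_summary(hops):
    """Unique (referer host, requested host) pairs in capture order: the post's 'Summary' block."""
    pairs = []
    for hop in hops:
        pair = (host_of(hop["referer"]), hop["host"])
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def redirect_chain(hops):
    """(host, Location host) for every 3xx response, i.e. the scareware domain hopping."""
    return [(hop["host"], host_of(hop["location"])) for hop in hops
            if hop["status"] is not None and 300 <= hop["status"] < 400 and hop["location"]]


def offsite_navigations_from_swf(hops):
    """Hosts fetched with a .swf as Referer that are NOT the host serving that SWF.
    A banner fetching assets from its own ad host is normal (35249.swf via banner_shim.swf);
    the SWF sending the browser to an unrelated domain is the hijack the post describes."""
    flagged = []
    for hop in hops:
        ref = hop["referer"]
        swf_referer = bool(ref) and urlsplit(ref.strip()).path.lower().endswith(".swf")
        if swf_referer and host_of(ref) != hop["host"] and hop["host"] not in flagged:
            flagged.append(hop["host"])
    return flagged
```

Run against a real Fiddler raw dump, `referer_summary` reproduces the hand-written summary and `offsite_navigations_from_swf` lists the domains to report to the advertising network.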


MSN Messenger Web Camera Stream Vulnerability

MSN Messenger and Windows Live Messenger contain a heap overflow in the handling of malformed webcam streams. By convincing a user to accept a webcam invitation, a remote attacker may be able to execute arbitrary code with the privileges of the user on an affected system.

US-CERT is aware of publicly available exploit code for this vulnerability.

More information regarding this vulnerability can be found in Vulnerability Note VU#166521.

US-CERT recommends users upgrade to Windows Live Messenger 8.1 to mitigate the security risk.

Source: http://www.us-cert.gov/current/index.html#msn_messenger_web_camera_stream


FIX: Windows Mail - email stuck in outbox

Two updates have been released, one for Vista and one for Vista x64 - both require validation.

This update apparently resolves an issue where messages become stuck in the Outbox and cannot be deleted when using Windows Mail. After you install this update, you may have to restart your computer.

Vista
http://www.microsoft.com/downloads/details.aspx?FamilyID=09f002d9-a140-42a8-99f5-a86f2b7e39f1&DisplayLang=en

Vista x64
http://www.microsoft.com/downloads/details.aspx?FamilyID=09dabf39-1e37-46dd-91bc-be5abe3f39b7&DisplayLang=en

Posted by sandi with 10 comment(s)

What the???

The feeds are not password protected!!!

[image: screenshot showing the feeds are not password protected]

Posted by sandi with 1 comment(s)

Today's spam slam

Voyeurism and guilty consciences will get 'em every time

Each 'youtube.com' hyperlink actually points to an IP address unrelated to youtube itself.  The sites in question will try to infect visiting computers with the Storm Trojan.

It just goes on and on and on....

-----

Subject: Dude, what if your wife finds this?
Subject: OMG, what are you thinking
Subject: LMAO, your crazy man
Subject: LOL, dude what are you doing
Subject: man, who filmed this thing?
Subject: how did you get that on film, man?
Subject: oh man your nutz
Subject: Where did you take that?
Subject: LOL, that is too cool..
Subject: HAHAHAHAHAHA, man your insane!
Subject: sheesh man, what are you thinkin
Subject: this is too crazy, but she is hot
Subject: Dude your gonna get caught, lol
Subject: I cant belive you did this
Subject: are you kidding me? lol
Subject: Who is that your with? lol
Subject: where did you hide that camera?
Subject: where did you hook up with that?
Subject: ROTFLMAO, who is that your with?
Subject: Dude dont send that stuff to my home email...

-----

You can see your face right in the video. its all over the web dude. here is the link I got
http://www.youtube.com/<<deleted>>

You can see your face right in the video. its all over the web dude. this is the link to it.
http://www.youtube.com/<<deleted>>

You can see your face right in the video. its all over the web dude. here is where I found it
http://www.youtube.com/<<deleted>>..

-----

If your mom sees this she this video of you she is gonna freak. here is where I found it
http://www.youtube.com/<<deleted>>..

If your mom sees this she this video of you she is gonna freak. go look at it...
http://www.youtube.com/<<deleted>>

If your mom sees this she this video of you she is gonna freak. take a look, lol
http://www.youtube.com/<<deleted>>

If your mom sees this she this video of you she is gonna freak. check it out yourself
http://www.youtube.com/<<deleted>>

-----

What are you thinkingif pat sees this your divorced dude. :-{) go look at it
http://www.youtube.com/<<deleted>>

What are you thinkingif pat sees this your divorced dude. :-{) this is the link to it.
http://www.youtube.com/<<deleted>>..

-----

this i not good. If this video gets to her husband your both dead. see for yourself
http://www.youtube.com/<<deleted>>

-----

LMAO, I cant believe you put this video online. Everyone can see your face there. LOL here is the link I got
http://www.youtube.com/<<deleted>>

LMAO, I cant believe you put this video online. Everyone can see your face there. LOL here is where I found it...
http://www.youtube.com/<<deleted>>

-----

You need to take this offline, it is in everyones email. :-( take a look, lol...
http://www.youtube.com/<<deleted>>

-----

If your dad see this video you made, he is gonna kill you. go look at it...
http://www.youtube.com/<<deleted>>

-----

Dude I know thats you, someone emailed me a link to the video. see for yourself
http://www.youtube.com/<<deleted>>

Dude I know thats you, someone emailed me a link to the video. here is where I found it...
http://www.youtube.com/<<deleted>>

-----

OMG, what are you doing man. This video of you is all over the net. go look at it
http://www.youtube.com/<<deleted>>..

OMG, what are you doing man. This video of you is all over the net. this is the link to it.
http://www.youtube.com/<<deleted>>

OMG, what are you doing man. This video of you is all over the net. see for yourself
http://www.youtube.com/<<deleted>>

-----

Man you have got to tell me where you picked her up. I saw this on the web, it has to be you. this is the link to it.
http://www.youtube.com/<<deleted>>

Man you have got to tell me where you picked her up. I saw this on the web, it has to be you. see for yourself
http://www.youtube.com/<<deleted>>

Man you have got to tell me where you picked her up. I saw this on the web, it has to be you. take a look, lol...
http://www.youtube.com/<<deleted>>

----


Is Firefox, even on a Mac, immune to Winfixer redirects??

Umm, no - so, please, those of you who are saying "use Firefox" to avoid the scareware, please stop.

http://commercial-archive.com/node/136476

[image: screenshot of a Winfixer redirect in Firefox on a Mac]

forum.avast.com hacked!

It seems to be clean now:
http://forum.avast.com/index.php?topic=30118.msg248379#msg248379
http://www.wilderssecurity.com/showthread.php?t=183634

Here's hoping those behind Avast know how their forum was compromised, because if they do not know how the bad guys managed to get in, it may happen again.  I've seen sites remove hostile code, only to have it reappear again very quickly when the underlying vulnerability that allowed the hack to occur in the first place is not resolved.

whitepages.com cleaned up?

I was contacted overnight by a representative of whitepages.com by email and via a comment to my blog.  whitepages.com have apparently tracked down two rogue advertising campaigns thanks to the data I was able to capture, and have suspended the accounts, which is excellent news.  Only time will tell if any campaigns remain.

Coincidentally, I see that linkedin.com was also infiltrated by a rogue advertising campaign during the past week, just like whitepages.com.  It just goes to show, this problem can pop up anywhere, at any time.

If you ever experience a winfixer incident, please let me know and I'll do all I can to get the advertising campaign shut down, and will take great pleasure in doing so ;)

me.dium - wow, that's a change...

Check out this screen:

[image: screenshot of the me.dium beta dialogue box]

This particular facet, a pre-customised command bar, has been the most problematic for me during this beta.. in short, it just doesn't work.

That being said, such a large dialogue box... what can I say, it ain't gonna work.  Heck, 99% of my users struggle when faced with a "yes"/"no" or "accept"/"cancel" selection, and turn into a quivering heap of ex-humanity in a corner... and I know of what I speak... the 'man in the street' and his actions/reactions being a particular speciality of mine...

Oh, and as for "read all of these steps in the completely".... excuse me while I put my hand up and offer my services as a proof reader.... (guys, I am only half joking here... I have a hell of a lot of respect for the people behind me.dium, but seriously... "read all of these steps in the completely"... ???? How the heck did that slip through???)

Then there is "you will lick the "stop" button".  I'm sorry, those behind me.dium may hate me for pointing this out, but that one sentence had me laughing more than the entire week has managed to do....  you know, I suspect I would be fired if I tried to "lick" anything computer related, assuming I did not electrocute myself first...

Ok, guys, seriously, call me before I do myself an injury ;) I love your product, I really do, and I'll give you all the publicity you want - I believe in it that much - but somehow I don't think the intention was for your dialogue boxes to be comedic relief....

Posted by sandi with 1 comment(s)

whitepages.com - another malicious SWF

Advertising Oxfam Oxjam Music Festival - redirects the user to errorprotector.com

As always, be aware of the dangers of accessing such files.....

hxxp: // oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf

Winfixer hide 'n' seek: explaining why some people see the ads, and some people don't

I've been watching reactions to my articles about the latest winfixer outbreak that I have been focusing on.  I am seeing some confusion out there, and sometimes outright disbelief, based around a couple of questions - first, why do only some people see the malicious behaviour, and second, why don't the web sites in question do something about it if it is so bad.  It might be worthwhile sharing with you some of the difficulties faced when tracking down these malicious advertisements.

As web sites and advertising networks have become more aware of the problem of malicious advertisements, and have started to watch for them, the low-lifes behind the malicious ads have focused on avoiding detection for as long as possible.  Some of the ways they do this are:

  1. The malicious SWF (Flash advertisement) often checks your geographical location via your IP address; it also checks your time zone. The bad guys may set things up so that the advertisements only appear at certain times of the day - outside of business hours, for example.  Then, the malicious behaviour will only be triggered if the IP address/timezone/geographical location/time of day matches the SWF's requirements.

    Such trickery by the bad guys minimises the risk of website owners and advertising networks noticing the dangerous ads, and it also makes it difficult for them to investigate. For example, the bad guys may be displaying their advertisements on a USA based website and/or using a USA based advertising network. To help avoid detection they may code the malicious flash advertisement to remain dormant if it is displayed on a computer located in the United States.  If the advertising network does not take the time to closely examine Flash files by decompiling and checking for malicious code, then bad stuff slips through.

    Every single time I or my correspondents have reported a winfixer outbreak to a website, the response has been that the technical staff cannot reproduce the problem. Every single time I publicise an incident there are as many, if not more, people on various forums and mailing lists saying they cannot reproduce the problem as there are people confirming the problem.  Invariably I have to provide cast iron proof before steps are taken to shut down dangerous ads.

  2. Often the incident will trigger only once per day or less on a particular machine. To reliably trigger a malicious redirect at will you will need to delete not only stored cookies, but flash cached objects as well.

I have a set routine nowadays that maximises my chances of reproducing a winfixer incident pretty much as often as I wish which involves deleting cookies, and the Flash cache.

On Windows XP based systems you can find the Flash directories at ..\Documents and Settings\{username}\Application Data\Macromedia\Flash Player\#SharedObjects\{randomly named folder} and ..\Documents and Settings\{username}\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys.  I delete the entire contents of the {randomly named folder} and sys.  I then load the reported web site.  Sometimes the malicious advert will trigger immediately, sometimes it may take a while before it hits. 

Edit:  With regards to the Application Data folder, you won't see it unless you have the option to view hidden files and folders enabled.  You can get to that via Control Panel, Folder Options, View tab (show hidden files and folders).  If that doesn't work, also turn off the option to "hide protected operating system files".  Oh, and turn off the option to hide extensions for known file types as a standard safety precaution.
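The cache-clearing part of that routine, written out as a small script. This is an added example for this post, not a tool the author published; it assumes the Windows XP layout given above (%APPDATA%\Macromedia\Flash Player\#SharedObjects\{randomly named folder} and ...\macromedia.com\support\flashplayer\sys) and keeps the two folders themselves, emptying only their contents. Run without arguments it just lists what it would delete; pass --delete to actually remove the files, then clear cookies and load the reported site as described.

```python
"""Clear the Flash Player local shared objects so a dormant malicious advert
can be re-triggered on the next page load.

Added example for this post (not a tool the author published). It assumes the
Windows XP layout given above: <Application Data>\\Macromedia\\Flash Player\\
#SharedObjects\\<random>\\... and ...\\macromedia.com\\support\\flashplayer\\sys\\...
"""
import os
import sys
from pathlib import Path
from typing import List, Optional

# Sub-paths below the Flash Player profile folder, as named in the post.
SHARED_OBJECTS = Path("#SharedObjects")
SETTINGS_SYS = Path("macromedia.com") / "support" / "flashplayer" / "sys"


def flash_player_root(appdata: Optional[Path] = None) -> Path:
    """Return <Application Data>\\Macromedia\\Flash Player.

    On XP, %APPDATA% is ..\\Documents and Settings\\<user>\\Application Data
    (a hidden folder); a different base can be passed to inspect a copied profile.
    """
    if appdata is None:
        appdata = Path(os.environ.get("APPDATA", ""))
    return appdata / "Macromedia" / "Flash Player"


def cache_files(root: Path) -> List[Path]:
    """List every file under each randomly named #SharedObjects folder and
    under the settings 'sys' folder. Nothing is deleted here."""
    found: List[Path] = []
    so_dir = root / SHARED_OBJECTS
    if so_dir.is_dir():
        # The per-profile folder name is random, so enumerate all of them.
        for random_dir in so_dir.iterdir():
            if random_dir.is_dir():
                found.extend(p for p in random_dir.rglob("*") if p.is_file())
    sys_dir = root / SETTINGS_SYS
    if sys_dir.is_dir():
        found.extend(p for p in sys_dir.rglob("*") if p.is_file())
    return sorted(found)


def _prune_empty_subdirs(base: Path) -> None:
    """Remove empty directories below base (deepest first), keeping base itself."""
    subdirs = [p for p in base.rglob("*") if p.is_dir()]
    for d in sorted(subdirs, key=lambda p: len(p.parts), reverse=True):
        if not any(d.iterdir()):
            d.rmdir()


def clear_flash_cache(root: Path, dry_run: bool = True) -> List[Path]:
    """Delete (or, with dry_run=True, only report) the cached Flash objects.

    The randomly named folder and 'sys' are kept, only their contents go,
    matching the routine in the post. Returns the affected file list so it
    can be logged next to the reproduction attempt.
    """
    targets = cache_files(root)
    if not dry_run:
        for f in targets:
            f.unlink()
        so_dir = root / SHARED_OBJECTS
        if so_dir.is_dir():
            for random_dir in so_dir.iterdir():
                if random_dir.is_dir():
                    _prune_empty_subdirs(random_dir)
        sys_dir = root / SETTINGS_SYS
        if sys_dir.is_dir():
            _prune_empty_subdirs(sys_dir)
    return targets


if __name__ == "__main__":
    delete = "--delete" in sys.argv
    for f in clear_flash_cache(flash_player_root(), dry_run=not delete):
        print(("removed: " if delete else "would remove: ") + str(f))
```

The dry run is the default on purpose: listing the .sol files first shows which domains have stored objects, which is itself useful when working out which ad network a suspect creative came from.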

Even after taking these steps, it may be that I can't reproduce the incident using ISP-A, but can trigger it using ISP-B.  Sometimes I may need to call in one of my contacts in another country to see if they can reproduce the problem.

I am sure you can understand what sort of problems the trickery I describe can cause.  Far too often I have people write to me after getting the brush-off from whatever web site's technical support - invariably the reaction of the technical staff has been "we are unable to reproduce the problem, therefore it is not us - your computer is infected".
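The "stay dormant in the USA" trick described above is exactly the sort of thing an advertising network could catch by decompiling submitted creatives and reading the ActionScript. The following triage helper is an added example for this post, not a tool from the original page: it takes the text a SWF decompiler emits (ActionScript 2 syntax is assumed) and reports every call that points at a URL literal, whether that host is outside the network's own hosts, and whether the call sits inside a condition that looks like region or time gating. The marker list, the call names, and the decompiled fragment are all constructed for the example.

```python
"""Triage helper for decompiled ActionScript from a suspect Flash advert.

Added example for this post, not a tool from the original page. Assumes
ActionScript 2 syntax as emitted by a decompiler; the gating markers and the
sample fragment are constructed for the example.
"""
import re
from typing import Dict, List, Sequence, Set
from urllib.parse import urlparse

# AS2 calls that take a URL literal as first argument (assumed names).
URL_CALL = re.compile(
    r"\b(getURL|loadMovie|loadMovieNum|load|sendAndLoad)\s*\(\s*\"(https?://[^\"]+)\""
)
# Things an advert has no business checking before deciding whether to act.
GATING_MARKERS: Sequence[str] = (
    "getTimezoneOffset", "System.capabilities", "getTime", "Math.random", "Date(",
)

# Constructed decompiled fragment: stays dormant for North American time zones,
# otherwise redirects the whole page to a rogue "scanner" site.
SAMPLE_AS2 = """\
// decompiled frame 1 actions (constructed sample)
var tz = new Date().getTimezoneOffset();
if (tz >= 240 && tz <= 480) {
    stop();
} else {
    getURL("http://rogue-scanner.test/scan.php?aff=12", "_self");
}
loadMovie("http://cdn.ad-network.test/creative_inner.swf", _root.holder);
"""


def _tainted_vars(source: str) -> Set[str]:
    """Variables initialised from a gating marker, e.g. var tz = ...getTimezoneOffset()."""
    markers = "|".join(re.escape(m) for m in GATING_MARKERS)
    return set(re.findall(r"\bvar\s+(\w+)\s*=[^;\n]*(?:" + markers + ")", source))


def _is_gating_condition(cond: str, tainted: Set[str]) -> bool:
    """True if an if-condition mentions a marker directly or a variable derived from one."""
    if any(m in cond for m in GATING_MARKERS):
        return True
    return any(re.search(r"\b" + re.escape(v) + r"\b", cond) for v in tainted)


def audit_actionscript(source: str, trusted_hosts: Set[str]) -> List[Dict[str, object]]:
    """Return one finding per URL call: line, call, url, external, gated.

    Block tracking is a plain brace counter over the decompiled text (braces
    inside string literals are not special-cased), which is enough for
    decompiler output.
    """
    tainted = _tainted_vars(source)
    stack: List[bool] = []       # one flag per open brace: is this block gated?
    last_closed = False          # flag of the block just closed, for "} else {"
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m_if = re.search(r"\bif\s*\(", line)
        line_gated = bool(m_if) and _is_gating_condition(line[m_if.end():], tainted)
        for m in URL_CALL.finditer(line):
            host = urlparse(m.group(2)).netloc.lower()
            findings.append({
                "line": lineno,
                "call": m.group(1),
                "url": m.group(2),
                "external": host not in trusted_hosts,
                "gated": line_gated or any(stack),
            })
        for ch in line:
            if ch == "{":
                if m_if:
                    stack.append(line_gated)
                elif re.search(r"\belse\b", line):
                    stack.append(last_closed)          # else inherits the if's verdict
                else:
                    stack.append(stack[-1] if stack else False)
            elif ch == "}" and stack:
                last_closed = stack.pop()
    return findings


if __name__ == "__main__":
    for f in audit_actionscript(SAMPLE_AS2, {"cdn.ad-network.test"}):
        flags = [k for k in ("external", "gated") if f[k]]
        print(f"line {f['line']}: {f['call']} -> {f['url']} {flags}")
```

Run against the sample, the redirect to the outside host is reported as both external and gated, while the inner creative loaded from the network's own CDN is neither; a creative with a gated external call is the one to hold back until someone has looked at it by hand.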

Without proof such as an Ethereal (aka Wireshark) or Microsoft Network Monitor capture, or Fiddler data, it can be very difficult for a website to put pressure on its advertising network (assuming you can get the site to believe that the problem is coming from the ads on their site in the first place), but at the same time, such programmes (except for Fiddler) can expose extremely sensitive information such as email user names and passwords (if you have an email programme running), and other sensitive information.  Even Fiddler exposes what can be considered to be sensitive information - server names if you're on a network for example, and your geographical location and the like, so even Fiddler is not something that I would recommend to the untrained home user.  Far better, I think, to refer incidents to people such as myself, or Mike of www.mikeonads.com or Mike Burgess of MVP Hosts file fame so that we can gather the needed data and try to get malicious advertisements shut down.
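One way to square that circle is to reduce a capture to just the evidence the website and the ad network need, with the credential-bearing headers masked before it leaves your machine. The script below is an added example for this post, not the author's own tooling. It reads a simplified plain-text HTTP transcript (request block, response block, blocks separated by a line of ---); that is an assumed format, not Fiddler's or Network Monitor's native file format, but either tool's session view can be pasted into this shape. The sample transcript and its hosts are constructed.

```python
"""Turn an HTTP transcript of a malicious-advert incident into shareable proof.

Added example for this post, not the author's own tooling. The transcript
format (request block, response block, '---' separators) is assumed, and the
sample below is constructed.
"""
import re
from typing import Any, Dict, List, Tuple
from urllib.parse import urlparse

# Header names whose values are masked before a transcript is forwarded.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

# Constructed sample: page load, SWF creative, click-through that 302s off-site.
SAMPLE_CAPTURE = """\
GET http://www.example-site.test/people HTTP/1.1
Host: www.example-site.test
Cookie: session=abc123secret
---
HTTP/1.1 200 OK
Content-Type: text/html
---
GET http://ads.example-network.test/creative/banner_728x90.swf HTTP/1.1
Host: ads.example-network.test
Cookie: uid=9f8e7d
---
HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
---
GET http://ads.example-network.test/click?c=banner HTTP/1.1
Host: ads.example-network.test
---
HTTP/1.1 302 Found
Location: http://rogue-scanner.test/scan.php?aff=12
---
GET http://rogue-scanner.test/scan.php?aff=12 HTTP/1.1
Host: rogue-scanner.test
Authorization: Basic dXNlcjpwYXNz
---
HTTP/1.1 200 OK
Content-Type: text/html
"""

Message = Dict[str, Any]


def _parse_block(block: str) -> Message:
    """Split a request or response block into its start line and a lower-cased header map."""
    lines = [l for l in block.strip().splitlines() if l.strip()]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers}


def parse_sessions(capture: str) -> List[Tuple[Message, Message]]:
    """Pair consecutive request/response blocks into sessions."""
    blocks = [b for b in re.split(r"^---\s*$", capture, flags=re.M) if b.strip()]
    sessions: List[Tuple[Message, Message]] = []
    for i in range(0, len(blocks) - 1, 2):
        req, resp = _parse_block(blocks[i]), _parse_block(blocks[i + 1])
        m = re.match(r"(\S+)\s+(\S+)\s+HTTP/", req["start"])
        if m is None:
            continue  # not a request line; skip the pair
        req["method"], req["url"] = m.group(1), m.group(2)
        resp["status"] = int(resp["start"].split()[1])
        sessions.append((req, resp))
    return sessions


def redact(capture: str) -> str:
    """Mask credential-bearing header values so the transcript can be forwarded."""
    out = []
    for line in capture.splitlines():
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            line = f"{name.strip()}: [redacted]"
        out.append(line)
    return "\n".join(out)


def summarise(capture: str) -> Dict[str, Any]:
    """Extract the SWF loads, 3xx redirect hops and hosts seen in the transcript."""
    sessions = parse_sessions(capture)
    swf = [
        req["url"] for req, resp in sessions
        if resp["headers"].get("content-type", "").startswith("application/x-shockwave-flash")
        or req["url"].lower().endswith(".swf")
    ]
    redirects = [
        (req["url"], resp["headers"]["location"]) for req, resp in sessions
        if 300 <= resp["status"] < 400 and "location" in resp["headers"]
    ]
    hosts = sorted({urlparse(req["url"]).netloc for req, _ in sessions})
    return {"swf": swf, "redirects": redirects, "hosts": hosts}


if __name__ == "__main__":
    print(summarise(SAMPLE_CAPTURE))
    print(redact(SAMPLE_CAPTURE))
```

The summary (which SWF was served, which request answered with a redirect and to where, which hosts were touched) is what a website needs to take to its ad network; the redacted transcript backs it up without handing over session cookies or login details.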

whitepages.com - still serving up malicious SWF

And here is the latest URL - do not try to access that URL unless you want to be hit by a redirect and potential infection of your system:

hxxp: // oasads.whitepages.com/RealMedia/ads/Creatives/QPAD_LB_Aug07/qpad_728x90.swf

Today's Spam Slam

Only a few - maybe they're running out of inspiration ;)

-----

Welcome Member,

Are you ready to have fun at Ringtone Heaven.

Member Number: 587675538
Temorary Login: user9871
Temorary Password: eg105

This Login Info will expire in 24 hours. Please Change it.

Follow this link, or paste it in your browser: Ringtone Heaven

Enjoy,
New Member Services
Ringtone Heaven

---

Welcome Member,

We are glad you joined Fun World.

Member Number: 8439158792955
Login ID: user2299
Password ID: tz668

For security purposes please login and change the temporary Login ID and Password.

Use this link to change your Login info: Fun World

Enjoy,
Welcome Department
Fun World

-----

New Member,

Welcome To Bartenders Guide.

User Number: 517617338
Your Login ID: user5044
Temorary Password: rr530

Your temporary Login Info will expire in 24 hours. Please login and change it.

This link will allow you to securely change your login info: Bartenders Guide

Enjoy,
Technical Services
Bartenders Guide

-----

Greetings,

Thank You for Joining Internet Dating.

Account Number: 5455119482
Temorary Login: user7526
Temorary Password: lx625

Please Change your login and change your Login Information.

Click on the secure link or paste it to your browser: Internet Dating

Welcome,
Internet Support
Internet Dating

-----

Welcome,

Thank You for Joining Fun World.

Account Number: 3716922527
Temorary Login: user8276
Password ID: hf968

Your temporary Login Info will expire in 24 hours. Please login and change it.

Follow this Link: Fun World

Enjoy,
New Member Services
Fun World

-----

New Member,

We are glad you joined Mobile Fun.

Membership Number: 557622649963
Login ID: user2654
Your Password ID: xl251

Please keep your account secure by logging in and changing your login info.

This link will allow you to securely change your login info: Mobile Fun

Enjoy,
Welcome Department
Mobile Fun

-----

Greetings,

Here is your membership info for Ringtone World.

Member Number: 937125221437
Temp Login ID: user6020
Your Password ID: tt558

For security purposes please login and change the temporary Login ID and Password.

Use this link to change your Login info: Ringtone World

Enjoy,
Internet Support
Ringtone World

-----

HOTFIX; The system stops responding when you access a Web page or open an HTML document on a Windows XP SP2 based computer

When you use Microsoft Internet Explorer 6 to access a Web page or to open an HTML document on a Windows XP SP2-based computer, the system stops responding. Additionally, you notice that the CPU usage is almost 100%.

This issue may occur if the Web page or the HTML document has a RUBY element. For example, when you open the Web page by using the HTML editor, some lines of the source code resemble the following:

<ruby>123<rt style='layout-grid-mode:line'>abc</rt>A</ruby>

When Internet Explorer 6 parses the line that contains the RUBY element, an infinite loop occurs. The infinite loop causes this problem.

http://support.microsoft.com/default.aspx/kb/908917

 

Posted by sandi with 2 comment(s)