September 2007 - Posts

My family and I are on holidays for a few weeks, so things will be quiet around here.  I am not planning to do any blogging until mid-October.

That being said, keep an eye on my blog; there is an announcement already written and scheduled to go live in my absence.

This issue occurs because of a change in behavior in Internet Explorer 7.

In Internet Explorer 6, the ShellWindows object is associated with the following CLSID:
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}

This object is a COM local server that exists for each desktop. When you use the CoCreate function to create a ShellWindows instance, the instance is bound to the server on the desktop where you create the instance. Therefore, the application can enumerate the Internet Explorer 6 windows in all desktops.

In Internet Explorer 7, the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ subkey is added together with a RunAs registry entry whose value is set to Interactive User. This change in behavior in Internet Explorer 7 causes the ShellWindows instance to be bound to the server on the default desktop even if you create the instance on another desktop.

http://support.microsoft.com/default.aspx/kb/940998
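To see what the KB describes in terms of registry data, here is an added example (not from the KB or from Microsoft) that parses a constructed .reg export and reports the RunAs setting of the AppID associated with a CLSID; the AppID GUID and the second CLSID in the sample are placeholders I made up, only the ShellWindows CLSID is from the article.

```python
import re

# Constructed .reg fragment (not a real registry dump). The AppID GUID is a
# placeholder; on a real system it comes from the CLSID key's AppID value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}]
@="ShellWindows"
"AppID"="{11111111-2222-3333-4444-555555555555}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{11111111-2222-3333-4444-555555555555}]
"RunAs"="Interactive User"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Constructed local server with no AppID (IE6-style, one server per desktop)"
'''

CLASSES = r"hkey_local_machine\software\classes"

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only);
    the default value is stored under the name "@". Paths and names are lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1).lower()
            keys[current] = {}
            continue
        val = re.fullmatch(r'(?:"([^"]*)"|(@))=(?:"(.*)"|(.*))', line)
        if val and current is not None:
            name = val.group(1) if val.group(1) is not None else "@"
            data = val.group(3) if val.group(3) is not None else val.group(4)
            keys[current][name.lower()] = data
    return keys

def runas_for_clsid(keys, clsid):
    """Return the RunAs data of the AppID bound to clsid, or None when the class has
    no AppID or the AppID sets no RunAs (the server then activates as the caller)."""
    appid = keys.get(f"{CLASSES}\\clsid\\{clsid.lower()}", {}).get("appid")
    if appid is None:
        return None
    return keys.get(f"{CLASSES}\\appid\\{appid.lower()}", {}).get("runas")

def binds_to_interactive_desktop(keys, clsid):
    """IE7-style configuration: RunAs = "Interactive User" routes every activation,
    whichever desktop it is made from, to the server on the interactive desktop."""
    runas = runas_for_clsid(keys, clsid)
    return runas is not None and runas.lower() == "interactive user"

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for clsid in ("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}",
                  "{11111111-1111-1111-1111-111111111111}"):
        print(clsid, "RunAs =", runas_for_clsid(reg, clsid))
```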

Symptom 1

The POST method or the GET method may encode certain characters as Unicode numeric character references. For example, these methods may encode あ as %26%2312354%3B.

This problem may occur in Web pages that contain Japanese characters. Additionally, the Web pages are marked with a charset of windows-31j in the HTTP headers.

Symptom 2

The POST method or the GET method cannot transmit Form data to the Web server. Additionally, you may receive a script error message that resembles the following:

Line: Line Number
Char: Number
Error: Unspecified error.
Code: 0
URL: URL

This problem may occur if the Form data contains Unicode-only characters at the start of a lone field. For example, the Form data may contain one of the following kinds of Unicode-only characters at the start of a lone field:

• A mixture of ASCII and Japanese characters.
• The character U+301C (tilde 〜) together with Chinese, Japanese, or Korean characters.
• The character U+3030 (tilde 〰) together with Chinese, Japanese, or Korean characters.

This problem occurs because Internet Explorer does not correctly use the code page for the required language when the Form data contains certain character combinations.

http://support.microsoft.com/default.aspx/kb/939941
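The following is an added example, not part of the KB article, that reproduces the encoding in Symptom 1 and shows what a server can do about it. A form field is encoded with the page's charset, any character the charset cannot represent becomes a numeric character reference, and the bytes are then percent-encoded; windows-31j (Python's cp932) can represent あ, so the correct result is %82%A0, and %26%2312354%3B only appears when a code page without that character is used (ASCII stands in here for the wrong code page).

```python
import re
from urllib.parse import quote, unquote_to_bytes

NCR = re.compile(r"&#(\d+);")

def encode_form_value(value: str, charset: str) -> str:
    """Mimic x-www-form-urlencoded submission: characters that the form charset
    cannot represent fall back to &#NNNN; references, then all bytes are
    percent-encoded. "cp932" is Python's codec name for windows-31j."""
    raw = value.encode(charset, errors="xmlcharrefreplace")
    return quote(raw, safe="")

def decode_form_value(encoded: str, charset: str) -> str:
    """Server side: percent-decode, decode with the declared charset, then unfold
    numeric character references a client fell back to, recovering the intended text."""
    text = unquote_to_bytes(encoded).decode(charset)
    return NCR.sub(lambda m: chr(int(m.group(1))), text)

def contains_ncr_fallback(encoded: str) -> bool:
    """Detect the symptom in a raw query string or body: a percent-encoded &#NNNN;."""
    return re.search(r"%26%23\d+%3B", encoded, re.IGNORECASE) is not None

if __name__ == "__main__":
    hiragana_a = "\u3042"  # あ
    for charset in ("cp932", "ascii"):
        enc = encode_form_value(hiragana_a, charset)
        print(charset, enc, "fallback" if contains_ncr_fallback(enc) else "native",
              decode_form_value(enc, charset))
```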

Microsoft quietly added detection of the "Storm" family of malware to the September build of its Malicious Software Removal Tool.  The MSRT is released as part of the monthly security update cycle (although I do wish it was updated more often - it can be an extremely effective tool in the fight against malware, as you will see from this article).

Jimmy Kuo of the Anti-Malware Engineering Team has posted some very interesting statistics and snippets of background information about the effect that adding detection of "Storm" had on Windows PCs (and the Storm botnet) around the world, which illustrate just how powerful the MSRT can be in the fight against malware.

Jimmy reports that:

"The Renos family of malware has been removed from 668,362 distinct machines.  The Zlob family has been removed from 664,258 machines.  And the Nuwar family has been removed from 274,372 machines.  In total, malware has been removed by this month’s MSRT from 2,574,586 machines.

So, despite some public concern in the press and among researchers about the “Storm” worm, it ranks third among the families of malware whose signatures have been added to the MSRT."

Sadly, as has always been the case in this type of battle, the criminals behind Storm fought back quickly.  Jimmy went on to say that: 

"Another antimalware researcher who has been tracking these recent attacks has presented us with data that shows we knocked out approximately one-fifth of “Storm’s” Denial of Service (DoS) capability on September 11th.  Unfortunately, that data does not show a continued decrease since the first day.  We know that immediately following the release of MSRT, the criminals behind the deployment of the “Storm” botnet immediately released a newer version to update their software.  To compare, one day from the release of MSRT, we cleaned approximately 91,000 machines that had been infected with any of the number of Nuwar components.  Thus, the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the “Storm” botnet.  Machines that will be cleaned by MSRT in the subsequent days will be of similar nature."

The Malicious Software Removal Tool is offered as a critical update via Microsoft Update, Windows Update, and Auto Update to any computer that is running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003.  Comprehensive information about the MSRT, and download links, can be found here:
http://support.microsoft.com/?kbid=890830

An important note about the MSRT:

"W32/HackDef typically hides other potentially unwanted software on the computer. If the cleaner tool reports that W32/HackDef was detected on the computer, we strongly recommend that you run a scan with up-to-date antivirus and antispyware programs (see http://www.microsoft.com/athome/security/spyware/default.mspx). If you want to view the software that W32/HackDef was hiding, first open the log file for the cleaner tool (%WINDIR%\debug\mrt.log). Next, in the Scanning Results section, find the line or lines that note the folder in which Win32/Hackdef was found. In that same folder, you should find the Win32/Hackdef configuration file that has the .ini file name extension. View this file to determine the software that Win32/HackDef was hiding on the computer."

As noted here, a vulnerability involving Firefox and QuickTime was reported, and code advising how to take advantage of that vulnerability has been published.

As noted by Mozilla, "Disabling JavaScript in the browser does not protect against this attack; in vulnerable versions scripts passed through the -chrome option would be executed regardless of the JavaScript setting for web content, much as interpreters for languages such as perl and Python execute scripts passed on the command line. The NoScript add-on, however, has provided protection against this class of attack since the cross-browser vulnerabilities described by MFSA 2007-23 were discovered."

It is strongly recommended that you download Firefox 2.0.0.7 as soon as possible, because it fixes this QuickTime vulnerability by removing the ability to run arbitrary scripts from the command line.

The IE team have blogged about the release of a new version of the SiteLock Template for ActiveX Controls.  I can't stress strongly enough how important it is that developers place security first when developing controls. 

Over the years there have been numerous instances where ActiveX controls have exposed a vulnerability that has been exploited by the bad guys, including controls that were never meant to be used on the internet per se.  IE7 addressed this problem by disabling many pre-installed ActiveX controls, making them inaccessible to Web pages without user permission and interaction.  Microsoft, in conjunction with control developers, has at various times released killbits to stop controls that were never meant to be used by IE from being used nefariously.  But such steps do not relieve developers of their basic responsibility to code with security uppermost in their minds.

The great thing about the SiteLock Template is that it helps developers manage how their controls can be used (zone and domain name) and even allows a developer to impose a time frame for use, after which the control will no longer work.
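As an added illustration of the two ideas in that paragraph (a control that only runs when hosted on approved domains and schemes, and that stops working after a date), here is example code of my own, not the SiteLock Template's API and not code from the IE team; the allowed sites and expiry date are constructed, and the URL Security Zone check that SiteLock also performs is left out.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed policy: (scheme or None for any scheme, domain) pairs the control
# accepts, plus a hard expiry after which it refuses to run anywhere.
ALLOWED_SITES = (("https", "example.com"), (None, "intranet.example.net"))
VALID_UNTIL = date(2008, 12, 31)

def host_matches(host: str, domain: str) -> bool:
    """Exact host or subdomain match on a dot boundary: 'www.example.com' matches
    'example.com'; 'notexample.com' and 'example.com.attacker.test' do not.
    A plain endswith() check would accept the first of those look-alikes."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def may_instantiate(hosting_url: str, today: date,
                    allowed=ALLOWED_SITES, valid_until=VALID_UNTIL) -> bool:
    """Decide whether the control may be created on a page at hosting_url.
    The expiry is checked first so an expired control fails even on allowed sites."""
    if today > valid_until:
        return False
    parts = urlsplit(hosting_url)
    if not parts.hostname:          # no host at all (file:, about:, malformed)
        return False
    return any(
        (scheme is None or scheme == parts.scheme.lower())
        and host_matches(parts.hostname, domain)
        for scheme, domain in allowed
    )

if __name__ == "__main__":
    for url in ("https://www.example.com/page", "http://www.example.com/page",
                "https://notexample.com/", "https://example.com.attacker.test/",
                "http://intranet.example.net/"):
        print(url, may_instantiate(url, date(2007, 9, 1)))
```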

"The Internet" has never been more dangerous than it is now for the casual web surfer and it is going to take a concerted effort by everyone to make a difference - *all* web browsers will have to continue to improve on safety (hopefully without 'breaking the web'); those who manage sites and servers will have to be conscious of security at all times with appropriate hardware and software defences, always patching and keeping their software up to date; developers will have to take advantage of services such as the SiteLock Template to guard against misuse of their products, and users have to take responsibility for their own safety by patching and updating software, practising safe-hex and not taking silly risks.

Far too often a web site is compromised because the back-end software is an older, vulnerable version, or because patches are missing.  The bad guys find these vulnerable servers and have no hesitation in getting in there and taking advantage of the situation, sometimes gaining access to hundreds, if not thousands, of sites in one fell swoop.  The people who own such servers bear first responsibility for allowing such a situation to develop in the first place, but their clients must also shoulder some responsibility for not educating themselves about the services and software they are using, or failing to make the sometimes financially detrimental decision to go elsewhere if their host will not clean up their act.

Far too often a user is infected because they haven't patched, or they haven't installed the latest version of their web browser or other software exposed to "the internet", or because they've turned off inbuilt protections or lowered their browser's security settings.

I miss the old days when internet dangers were pretty much restricted to attachments on email and risky behaviour such as surfing to porn sites or downloading warez, and removing adware or malware was simply a matter of deleting a few files and registry keys.  Nowadays, any web site at any time could potentially present a risk to a visitor - whether it be because of hacking, or malicious advertising.  And some malware is so difficult to remove, and the risk it presents to user security so grave, that reformatting is the only way to guarantee that nothing nasty has been left lying around.

Be careful out there gang.  Don't just use Windows Update - switch over to using Microsoft Update which will cover not only the operating system but other Microsoft software such as the Office suite - if you use a third party web browser update it.  If you use QuickTime, or Flash, or Java, or whatever else, update it.  Any piece of software that touches the internet is a potential risk that must be managed.

On a computer that has Windows Internet Explorer 7 installed, you may be unable to use an FTP application to upload a file to a remote server.

This problem occurs if the application is based on WinINet FTP functions.

This problem occurs because of an access violation that is caused by the InternetWriteFile WinINet API function.

When you use an application that is based on WinINet FTP functions to upload a file to a remote server, the remote file is created by using the APPE FTP command. However, when the operating system tries to use the InternetWriteFile function to write the file, this access violation occurs.

http://support.microsoft.com/default.aspx/kb/934376

This link, when clicked on in Outlook, generated an error message in IE7 (The original URL is now changed, so don't try it):

http://www.castlecops.com/a6827-eChecks_and_Credit_Charges_–_I_Didn't_Authorize_That.html

The error was:

Internet Explorer cannot read this webpage format
HTTP 406
What you can try:
Go back to the previous page.
More information

This error (HTTP 406 Not Acceptable) means that Internet Explorer was able to receive information from the website you visited, but the information was not in a format that Internet Explorer can display.

**But**, if we went to the site in question, then clicked on the very same link on the web page, the page opened successfully.

The site author needed to edit the URL so that it would work for IE7 users to this:

http://www.castlecops.com/a6827-eChecks_and_Credit_Charges_–_I_Did_Not_Authorize_That.html

The cause of the problem was the apostrophe in the original URL.  To quote the site owner when notified of the problem:

"for some folks it's taken as a literal, for others it's escaped.  The literal ' we 406 on"

We're taking a real family holiday in a few weeks - the first one that we have taken as an entire family in a very long time - and it is very special - Singapore then Cairo, then Frankfurt, then Zurich, then Paris, then Versailles, then Mont St Michel, then Neuschwanstein Castle.

Anyway, I'm hoping to prepare the kids for the experience that is Egypt - one is 16, one will be *just* 18.  Cairo is going to be a place that is nothing like anything they have ever experienced before.

I have found some fantastic guides, the best of which seems to be the "Spiral Guide" to Egypt.  The author obviously had an exquisite sense of honesty ... some quotes - and I swear, it really says this:

  1. Taxis are much cheaper than in Europe, but rarely use their meters.  Even if they do, the amount shown will probably bear little resemblance to the fare charged by the driver.
  2. Beejous have been nicknamed "flying coffins" as they tend to be driven fast, and recklessly. Accidents are common, especially at night.
  3. If you hit someone in the countryside, report it immediately at the nearest police station, and be aware that you may be attacked by angry villagers.
  4. Egyptian car mechanics are often masters of invention and can usually fix a breakdown - if you run into trouble, people will often gladly help you push your car to the next garage or the side of the road.
  5. Budget hotels are rarely air-conditioned, but some will have cooling fans.  A few are real gems, old art-deco buildings with high ceilings, old-fashioned furniture and unreliable plumbing.  The less said about others, the better.

So anyway, does anybody have advice for the trip to Egypt?  What would *you* advise somebody who had never been to the country before?  My most important concern is that the family as a whole respects the traditions and cultures of the country being visited, and that my (teenage) kids have a handle on what to expect when we get there, that they understand the 'what', the 'why' and the 'wherefore', and that they learn the traditional greetings and responses... and understand the importance of traditions such as baksheesh in a country where such 'tipping' is often the only source of income, but where it can also cause offence if offered inappropriately.

What do my gentle readers have to say, especially about baksheesh?

This is nothing short of unbelievable.

"A VENEZUELAN man who had been declared dead woke up in the morgue in excruciating pain after medical examiners began their autopsy."

IE-VISTA is featured on the Internet Explorer Community Site, and the Windows Vista Community site, and my latest article, Don't Take The Bait!, is currently a featured column.


You can see my article about phishing scams, Don't Take The Bait!, here.  Word is that the article has the highest satisfaction rating ever, at 0.91 out of maximum rating of 1.00.

My previous article, which was also featured on the Windows Vista Community site, and titled Better Browsing, also achieved a high satisfaction rating, at 0.84 out of a possible 1.00.  The median user rating for articles is 0.42, and only 7.5 percent of Help topics have achieved a rating higher than 0.70.


An important change that needs to be noted is that all me.dium profiles are now public, albeit with limited information.   Looked at from the perspective of my earlier comments about my concerns about people on my friends list having private profiles, the change is a good thing in that I'm no longer blocked from seeing *something* about those on my friends list, but at the same time, some may not be happy.  If, like me, you have a widget on your web site or blog, your friends list will grow very quickly as people use your widget to join the me.dium community and it is far nicer to be able to learn something about all these strangers - it's a fascinating social experiment.

Those of you who have already installed me.dium should be prompted to download and install the latest version when you start IE.  The same installer can be used on x86 and x64 systems, although I note that the installer still cannot add the me.dium button to the Command Bar on Vista x64 systems :o(  The process fails, and all custom buttons are removed.  IE must be restarted before any custom buttons can be added to the Command Bar using the standard dialogue box.

Me.dium had a part to play in a chat I had online with a friend, just today.  The only reason the conversation took place at all was I saw somebody who had been on my friend list for a while, and who I knew of from the original me.dium beta testing group, pop over to my latest article for the Windows Vista Community.  It turned out he did not know that I had written the article in question.  Then, in the course of the discussion, we chatted about phishing, and malicious web sites, and somehow moved on to holidays, travel, and eventually diving.  I was able to use me.dium to quickly guide my correspondent to a web site with lots of photographs from a boat charter service that I know of that specializes in sea lion tours.  All very cool.
