November 2007 - Posts

Posted to the Google Online Security Blog

"Currently, we know of hundreds of thousands of websites that attempt to infect people's computers with malware. Unfortunately, we also know that there are more malware sites out there. This is where we need your help in filling in the gaps. If you come across a site that is hosting malware, we now have an easy way for you to let us know about it. If you come across a site that is hosting malware, please fill out this short form. Help us keep the internet safe, and report sites that distribute malware."

Note this blog entry was published after Sunbelt reported the massive seeding of malicious web sites on Google (which were *not* flagged as dangerous), which was then cleaned up, and before it was reported that nonsense domains were reappearing in Google's search, albeit with (apparently) no malicious content (yet). 

The cynic in me sees the blog entry as no more than a cynical attempt at damage control, but Google deserves some credit for creating the form, I suppose - yay them for giving their readers a warm fuzzy feeling when they report whatever site, but let's be honest - it ain't gonna make any real difference.  First, victims need to know the report page exists.  Second, they have to report on it.  Third, Google has to act on it.  And, realistically, when we're dealing with domains with nonsense names, made up of random letters, and random lengths - I'm sure that all of you with a fundamental grasp of mathematics and understanding of "odds" know what the chances are of this form making a real difference.

If Google wants to fight the bad guys one site at a time, then all power to them... I sure as hell hope they have a hell of a lot of manpower behind them - they're gonna need it.  Consider the analogy of the elephant and the ant.  The elephant is massive - the ant is minuscule, but the elephant is one, and the ants are millions.  A swarm of ants can overwhelm anything if they put their minds to it, even the elephant.  Now replace "elephant" with "Google" and "ants" with "malicious web sites".  I think you see my point.

I'd far prefer that Google focus their efforts on something far more effective - like stopping malware sites from getting into their search results in the first place.  There is a basic, basic, flaw in the way that search engines work when the bad guys are able to play the system so easily.

There are some areas of the internet that are turning into the online version of Typhoid Mary, and these areas of the internet, I am sorry to say, may need to be judged guilty until proven innocent.  The modern Typhoid Mary is not just particular countries (like China, some eastern bloc countries and countries with lower socio-economic standards) but may also be Registrars that are known to have a higher than acceptable ratio of problematic sites, low standards when accepting new registrations, and domain servers that host a greater than average number of malicious or suspicious sites.

All search engines, and Google in particular, want to be all things to all people.  Their goal is to index the web and show you everything possible pertaining to your particular query or interest.  But the reality is that this is no longer safe.  We may need to take the hard decision to isolate some areas of the Internet as guilty until proven innocent.

Haute Secure is trying a Typhoid Mary type approach - in some ways it has a "guilty until proven innocent (or clean)" attitude to malware, but, ironically, I have expressed concern more than once that HS is too chatty and is warning against too many sites when no real danger exists, whether it be because there used to be a risk that is now gone, or there is a potential risk.  So, I understand what the implications for Google are if they decide to use the "guilty until proven innocent" protocol - after all, I ended up turning off Haute Secure because its warnings occurred so often.  I stopped paying attention to HS, turned some of its warnings off, and it fell victim to the modern version of the "Boy Who Cried Wolf" syndrome.  Google does not want to suffer the same fate.

That being said, the innocent days of the Internet as a wondrous, safe place that all can visit, and learn, and teach and share and explore without fear are gone.  The criminals have taken that dream away from us.  That is the reality.  And all of us who create or host online content have some hard decisions to make.

 

When you view a Web page by using Microsoft Internet Explorer 6, a GIF image that is located on the Web page appears as expected. However, if you press F5 to update the display, or if you click Refresh to update the display, the GIF image no longer appears. Instead, a red "X" appears as an image placeholder.

You experience this problem if the following conditions are all true:

• You visit the Web site over a Secure Sockets Layer (SSL) connection.
• You use a proxy server to connect to the Web site.
• The Web site uses NTLM authentication to access the Web page.

A hotfix is available to address this problem.  Note that you must edit the registry after installing the Hotfix or it will not work.

Source: http://support.microsoft.com/default.aspx/kb/936994

 

You may recall that Alex Eckelberry alerted us to a massive seeding of Google and other Web searches with malicious web sites.  Google and the other sites, to their credit, certainly cleaned things up very quickly, and the incident quickly hit the popular press.

Sadly, although Google reacted quickly to the last incident, they have seemingly not found a way to counter the basic problem, because Alex and Adam have reported that they are seeing signs of another attempt to infiltrate search results. Alex and Adam note that the sites are not dangerous at the moment, but of course that could change.

While we're on the topic of malicious searches, TrendMicro's team pointed out a new behaviour that all of us need to keep in mind when investigating these outbreaks.  Trend say that:

"However, there is a little catch for us security researchers. We now look at the “if” statement where it relies on the “document.referrer” function. The code tells that in order for the “eval” function to be executed, the page where the user visited before arriving on the malicious Web page should be a page containing Google search results. Also, the search string used by the user must not have the “inurl:” and “site:” Google search functions. Thus, direct visit or access of the malicious site will not trigger the evil script and not redirect us to the site hosting the malicious binary file.

For security researchers developing tools to automate the capture of the malicious files found on Web threats, this is something to consider. It is clear that this is a limitation for tools designed to directly access the malicious site aiming to capture the malicious files. The affected tools include honeyclients, Web crawlers, and downloaders."

You may recall my previous advice about this problem which is to pay close attention to the links that are being offered, and avoid anything that just doesn't look right, and certainly to avoid 'nonsense' domains.  If you look at the latest Sunbelt shots, one of the sites is "pavtd.com.cn" which, at least according to the quick straw poll I just conducted, would not ring alarm bells for the average user.  Apparently it's "not nonsensical enough".
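The practical consequence of Trend's observation is that a crawler which fetches a page once, with no Referer, can see a perfectly clean response while a search-engine visitor gets something else. The check a honeyclient operator wants is a differential fetch: request the same URL under several Referer values and compare the bodies. The following is an added example written for this post, not code from Trend or from the honeyclient tools they mention. The Referer profiles, the URL and the "fake_gated_server" stand-in (which serves an inert extra comment under exactly the condition Trend describes, so the harness can be run offline) are all constructed for the example; "urllib_fetch" is the real-network fetcher you would pass in instead.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Optional

Fetcher = Callable[[str, Optional[str]], bytes]

# Referer values to try (constructed for this example): a direct visit with no
# Referer, a plain search-results page, and a results page for an operator query
# of the kind the script Trend describes treats as "not a real search visitor".
REFERER_PROFILES: Dict[str, Optional[str]] = {
    "direct": None,
    "google_results": "http://www.google.com/search?q=some+search+terms",
    "google_operator_query": "http://www.google.com/search?q=inurl%3Asome+terms",
}


def urllib_fetch(url: str, referer: Optional[str], timeout: int = 15) -> bytes:
    """Real fetcher: one HTTP GET with an optional Referer header (not used offline)."""
    req = urllib.request.Request(url)
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def body_digests(url: str, fetch: Fetcher,
                 profiles: Dict[str, Optional[str]] = REFERER_PROFILES) -> Dict[str, str]:
    """Fetch the URL once per Referer profile and hash each response body."""
    return {name: hashlib.sha256(fetch(url, ref)).hexdigest()
            for name, ref in profiles.items()}


def referer_gated_profiles(url: str, fetch: Fetcher,
                           profiles: Dict[str, Optional[str]] = REFERER_PROFILES) -> List[str]:
    """Names of the profiles whose response body differs from the direct visit."""
    digests = body_digests(url, fetch, profiles)
    baseline = digests["direct"]
    return [name for name, digest in digests.items() if digest != baseline]


def is_referer_gated(url: str, fetch: Fetcher,
                     profiles: Dict[str, Optional[str]] = REFERER_PROFILES) -> bool:
    """True when at least one Referer profile gets different content than a direct visit."""
    return bool(referer_gated_profiles(url, fetch, profiles))


# Constructed stand-in for a web server that behaves as Trend describes: extra
# content only when the visitor arrives from a search-results page whose query
# used no "inurl:" / "site:" operator. The extra content here is an inert comment.
def fake_gated_server(url: str, referer: Optional[str]) -> bytes:
    page = b"<html><body>landing page for " + url.encode() + b"</body></html>"
    if referer and "google.com/search" in referer:
        operators = ("inurl:", "inurl%3A", "site:", "site%3A")
        if not any(op in referer for op in operators):
            return page + b"<script>/* served only to search visitors */</script>"
    return page


if __name__ == "__main__":
    url = "http://constructed.example/landing"
    print("gated:", is_referer_gated(url, fake_gated_server))
    print("differs for:", referer_gated_profiles(url, fake_gated_server))
```

Hashing the bodies rather than storing them keeps the comparison cheap when you run it across a whole batch of search-result URLs; the profile names returned tell you which visitor type the page is targeting, which is exactly the detail Trend says direct-access downloaders never see.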

 

Important note: These reports are unconfirmed.

A person has posted a comment to my blog warning that they experienced a redirect while using Hotmail aka Windows Live Mail - you can read the comment here:
http://msmvps.com/blogs/spywaresucks/archive/2007/11/08/1287908.aspx#1369705

Earlier this month I spotted a similar complaint affecting MSN Groups:
http://groups.msn.com/ArtifactsofMars/general.msnw?action=get_message&mview=1&ID_Message=568

I've notified the appropriate parties about both of these reports, but am interested to know if any more of my readers have seen, or heard of, such problems in recent times.  If you have done so, please contact me or post a comment.  It will be very helpful if you could also tell me on what date(s) the redirect happened, and what country you are in.  It would be even better if you can record evidence using Fiddler or Fiddlercap.

The advertising network used by MSN has been infiltrated in the past. Those who have been reading my blog for a long time will remember the outbreak that hit Windows Live Messenger, Hotmail and MSN Groups back in February this year.

 

The FBI's Operation Botnet is starting to bite.  According to today's Press Release, just some of the people charged include:

  • James C. Brewer of Arlington, Texas, is alleged to have operated a botnet that infected Chicago area hospitals. This botnet infected tens of thousands of computers worldwide. (FBI Chicago);
  • Jason Michael Downey of Covington, Kentucky, is charged with an Information with using botnets to send a high volume of traffic to intended recipients to cause damage by impairing the availability of such systems. (FBI Detroit);
  • Robert Alan Soloway of Seattle, Washington, is alleged to have used a large botnet network and spammed tens of millions of unsolicited email messages to advertise his website from which he offered services and products. (FBI Seattle)

Press Release: http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm

Headline archive: http://www.fbi.gov/page2/june07/botnet061307.htm

Here we go again....

December 2007 cumulative time zone update for Microsoft Windows operating systems
http://support.microsoft.com/default.aspx/kb/942763

This update supersedes and replaces update 933360, which was released in August 2007. This update also includes additional time zone changes that were signed in to law after update 933360 was created. If you have already deployed update 933360, read the descriptions of the specific time zone changes that are addressed in this Microsoft Knowledge Base (KB) article to determine whether you must deploy this update immediately. If systems are not directly affected, you can schedule deployment at the next available opportunity. We recommend that you deploy the most current Windows cumulative time zone update to guarantee the consistency of the time zone database on all systems.

I read this and my head hurts - How to address time zone changes by using the Time Zone Data Update Tool for Microsoft Office Outlook:
http://support.microsoft.com/kb/931667/

Time zone changes in the December 2007 update: 

• Arabic Standard Time:
Adjusts DST start dates and end dates for the Baghdad time zone for changes after the prior cumulative time zone update was created (August 2007).

• Australia:
Central Australia Standard Time
Australia Eastern Standard Time
Tasmania Standard Time
Adjusts DST start times and end times for these time zones so that they start and end on the same day. This was changed after the prior cumulative time zone update was created (August 2007).

• Egypt Standard Time:
Adjusts DST start dates and end dates for the Cairo time zone for changes after the prior cumulative time zone update was created (August 2007).

• Israel Standard Time:
Adjusts DST start and end dates for the Jerusalem time zone for changes after the prior cumulative time zone update was created (August 2007).

Note: Updates for the Jerusalem time zone are not included in the Windows Vista package for this update. The Jerusalem time zone updates have been available in Windows Vista since Windows Vista was originally released.

• South America:
E. South America Standard Time
Central Brazilian Standard Time
Adjusts DST start dates and end dates for the Brasilia time zone and for the Manaus time zone for changes after the prior cumulative time zone update was created (August 2007).

• Venezuela Standard Time:
Adds a new time zone for the Caracas time zone for changes after the prior cumulative time zone update was created (August 2007). 

Pete L reports that new builds of the IE6 and IE7 VPC images may be released as early as Monday or Tuesday.

This is of interest to my alter-ego

"Some e-mail messages remain in the queue on a server that is running Microsoft Exchange Server 2003. Additionally, the message sender receives non-delivery report (NDR) 4.4.7 messages that indicate the delivery failures.

This problem does not occur [recur?] if you restart the Microsoft Exchange Information Store service on the Exchange 2003 server.

This problem occurs because the Microsoft Exchange Information Store service populates an internal property cache with incorrect e-mail message header data. When this problem occurs, the cache in the Microsoft Exchange Information Store service reaches the maximum limit of 65,536 entries. When the cache is fully populated, more entries cannot be added. This behavior causes an error condition in which some messages cannot be sent.

To reset the cache, restart the Microsoft Exchange Information Store service.
"

Source: http://support.microsoft.com/default.aspx/kb/941060 

 

Santa has responded to my wish for Fiddler on a Mac.  He says:

"You can, however, run Fiddler on a Windows machine, and point the Mac's proxy settings at WINMACHINE:8888. If Fiddler is configured to allow remote clients to connect, it will successfully proxy the traffic from the Mac. It's non-trivial, but it does work."

Cool trick!

A new version (1.1) of FiddlerCap is available at http://www.fiddlercap.com.

The new version includes a checkbox that controls whether or not cookies and form POSTs are stored within the .SAZ file.

Fiddlercap is proving to be absolutely invaluable in the fight against malicious banner advertisements - Fiddlercap makes it easy for even the most inexperienced computer user to quickly and easily capture undeniable proof that a malicious banner advertisement is redirecting them away from a web site - proof that can be sent direct to me and other security professionals, a website's technical support, and to advertising networks.  We can gather and distribute the proof we need to get malicious advertisements shut down faster than we have ever been able to.
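Because a capture is going to be forwarded to me, to a site's support staff and to advertising networks, it is worth knowing what else is in the file before it leaves your machine - which is what that new checkbox is about. The following is an added example written for this post, not code from Fiddler or FiddlerCap. It assumes the .SAZ layout as I understand it (a ZIP whose raw/NN_c.txt holds the raw client request and raw/NN_s.txt the raw server response for session NN); the three sessions it builds are constructed, not a real capture.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Constructed sessions (not a real capture). Assumed archive layout: raw/NN_c.txt
# is the raw client request, raw/NN_s.txt the raw server response for session NN.
SAMPLE_SESSIONS: Dict[str, Tuple[bytes, bytes]] = {
    "01": (
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        b"Cookie: session=abc123\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    ),
    "02": (
        b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
        b"user=alice&password=hunter2",
        b"HTTP/1.1 302 Found\r\nLocation: /home\r\nSet-Cookie: session=def456\r\n\r\n",
    ),
    "03": (
        b"GET /banner.swf HTTP/1.1\r\nHost: ads.example.net\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n\r\nFWS...",
    ),
}


def build_saz(sessions: Dict[str, Tuple[bytes, bytes]]) -> bytes:
    """Write sessions into an in-memory ZIP using the assumed .SAZ layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for num, (request, response) in sessions.items():
            z.writestr(f"raw/{num}_c.txt", request)
            z.writestr(f"raw/{num}_s.txt", response)
    return buf.getvalue()


def parse_http_head(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split raw HTTP text into (start line, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sensitive_sessions(saz_bytes: bytes) -> List[dict]:
    """List the sessions in a .SAZ that carry cookies, credentials or POST bodies."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            m = re.fullmatch(r"raw/(\d+)_c\.txt", name)
            if not m:
                continue
            request_line, headers, body = parse_http_head(z.read(name))
            method = request_line.split(" ", 1)[0]
            reasons = []
            if "cookie" in headers:
                reasons.append("Cookie header")
            if "authorization" in headers:
                reasons.append("Authorization header")
            if method == "POST" and body:
                reasons.append(f"POST body ({len(body)} bytes)")
            response_name = f"raw/{m.group(1)}_s.txt"
            if response_name in names:
                _, resp_headers, _ = parse_http_head(z.read(response_name))
                if "set-cookie" in resp_headers:
                    reasons.append("Set-Cookie in response")
            if reasons:
                findings.append({"session": m.group(1),
                                 "host": headers.get("host", "?"),
                                 "request": request_line,
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in sensitive_sessions(build_saz(SAMPLE_SESSIONS)):
        print(f"session {f['session']} {f['host']}: {f['request']} -> {', '.join(f['reasons'])}")
```

Run against a real capture by passing the file's bytes to sensitive_sessions(); a banner-redirect capture generally only needs the ad network's request and response chain (session 03 above), so anything the report lists is a candidate for re-capturing with the new checkbox cleared.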

My Christmas wish to Santa is that a version of Fiddler and Fiddlercap be released that will run on a Mac ;-)

You start sounding the alarm, that's what you do.  I urge you to read this link, and spread the word.

http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html

Take a close look at the URLs for the malware links; they are all random collections of letters and numbers, and they're all Chinese domains.  Users of Google (and other web search engines) need to pay close attention to the links that are being offered, and avoid anything that just doesn't look right, and certainly avoid 'nonsense' domains like those in the Sunbelt screenshots.

FWIW, a quick check using Windows Live Search does *not* result in a slew of malicious sites.

If Google wants to be the Sun around which we all revolve then they are going to have to clean up their act, and fast.  I admit, Google do try to flag sites that they know are dangerous, but *none* of the malware links in the screenshots are flagged as malicious.
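The "avoid nonsense domains" advice here, and the straw poll above about pavtd.com.cn not looking nonsensical enough, both come down to the same question: what makes a name look random to a human? The following is an added example written for this post, not a tool from Sunbelt or Google. It scores the registrant's label on a few crude features (vowel ratio, consonant runs, digits mixed into the name); the suffix list, thresholds and sample hostnames are assumptions made for the example, and pavtd.com.cn is included precisely to show that a short name with one vowel sails through simple heuristics just as it sailed through the straw poll.

```python
from typing import Dict, List

VOWELS = set("aeiouy")
# Second-level labels commonly used as a public suffix (com.cn, co.uk, ...). A real
# tool would consult the Public Suffix List; this short set is an assumption.
SECOND_LEVEL_SUFFIXES = {"co", "com", "net", "org", "gov", "edu", "ac"}


def registrable_label(hostname: str) -> str:
    """Crude guess at the label the registrant chose: drop the TLD and a known
    second-level suffix, then take the right-most remaining label."""
    labels = [part for part in hostname.lower().strip(".").split(".") if part]
    if len(labels) > 1:
        labels.pop()                       # TLD (cn, com, uk, ...)
    if len(labels) > 1 and labels[-1] in SECOND_LEVEL_SUFFIXES:
        labels.pop()                       # "com" in com.cn, "co" in co.uk
    return labels[-1] if labels else ""


def max_consonant_run(label: str) -> int:
    """Longest stretch of consecutive consonants in the label."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0                        # vowels, digits and hyphens break the run
    return best


def domain_features(hostname: str) -> Dict[str, object]:
    """Features of the registrable label that a human eye also reacts to."""
    label = registrable_label(hostname)
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    return {
        "label": label,
        "length": len(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "digit_ratio": sum(c.isdigit() for c in label) / len(label) if label else 0.0,
        "max_consonant_run": max_consonant_run(label),
    }


def looks_random(hostname: str) -> bool:
    """Thresholds chosen for this example; one signal is enough to flag a name."""
    f = domain_features(hostname)
    signals = 0
    if f["length"] >= 5 and f["vowel_ratio"] < 0.2:
        signals += 1                       # almost no vowels: unpronounceable
    if f["max_consonant_run"] >= 6:
        signals += 1                       # longer than common English clusters
    if f["digit_ratio"] >= 0.25:
        signals += 1                       # digits mixed through the name
    return signals >= 1


def triage(hostnames: List[str]) -> List[str]:
    """Hostnames a user should treat with suspicion before clicking."""
    return [h for h in hostnames if looks_random(h)]


if __name__ == "__main__":
    # Constructed sample results; only pavtd.com.cn is a name mentioned in the post.
    sample = ["google.com", "xk3jq9wz.cn", "qzvxkwpt.com", "pavtd.com.cn", "news.bbc.co.uk"]
    for h in sample:
        print(h, domain_features(h), "SUSPICIOUS" if looks_random(h) else "ok")
```

The keyboard-mash names in the Sunbelt screenshots trip the vowel and digit signals easily; pavtd.com.cn does not, which is the point of the straw poll. Heuristics like these are a reasonable first filter for a browser-side warning, but the registrar and hosting reputation argued for elsewhere on this page is what actually catches the short, almost-pronounceable names.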

 

Alex Eckelberry of Sunbelt has been in touch with me to advise that he has contacted AdOn Network about the malicious SWF that we have been studying on this blog over the past day or so - something I am ashamed to admit I had not done yet.

AdOn advise that they have removed the advertiser, and all staff have been instructed to no longer accept the advertisement within their network.  AdOn advised that they manually review all advertisements before entering them on the network, and that the Tube advert was apparently ok at the time of submission.  They will be reviewing all accounts to remove "this type of ad" and hopefully prevent a recurrence.

So, US based visitors to the National Geographic site can rest a little easier.

Edit: 12.45pm GMT +0900, 27 November

I just checked and the SWF is still available at rmedia.adonnetwork.com/images/560766_90_728_200711011430_tubesnow_728x90.swf, and it is still malicious - redirecting people to the malware site.  It needs to be moved to a non-public area and/or deleted.
