Spyware Sucks : I ain't happy about this....., Vulnerabilities, viruses and exploits

Jesper won't be at TechEd Australia, New Zealand or Japan

sandi — Sun, 13 Aug 2006 01:42:00 GMT

He's being "prevented" from speaking. That sucks
http://blogs.technet.com/jesper_johansson/archive/2006/08/12/446247.aspx

Jesper says "I have unfortunately been prevented from speaking at TechEd" and "I cannot express how terrible I feel about this".

Michael says Jesper is "now not able to make it".

If somebody has told Jesper that he is no longer allowed to present at TechEd, then that somebody needs to be taken into a quiet room for some frank and open discussion. That being said, it may be that other circumstances have conspired to keep Jesper away from TechEd.

Australia, New Zealand and Japan attendees of TechEd can still see Jesper in one of the videos available for viewing here:
http://www.microsoft.com/uk/technet/itsshowtime/result_search.aspx?speaker=9&x=28&y=7

Trend Micro Antispyware false positive - updated

sandi — Sat, 11 Mar 2006 16:12:00 GMT

Important update: http://msmvps.com/blogs/spywaresucks/archive/2006/03/15/86345.aspx

-----------------------------------------------------------------------------

I've added an update to my original blog entry:

http://msmvps.com/blogs/spywaresucks/archive/2006/03/11/85979.aspx

Guys and gals, I don't know how long it will take to fix the online scan, and I am seriously frustrated. When Trend Micro was hit by a false positive affecting SnagIT, they fixed the problem quite quickly for the packaged product, but the online scan languished for months :o(

My approaches, so far, have been met with "this has been fixed in pattern update 3.31". Well, guess what.. there is no pattern update for the online scan.. we're completely dependent on Trend updating that, and they always take months to get around to it. Why? Because its free? I honestly don't know, but that's what the cynic in me is saying.

I've given this one last go... called in Microsoft *and* a big gun at Trend... unfortunately said big gun is SMB focused (small and medium business), but I'm hoping he has an equivalent in the consumer space... watch this blog for developments.

The powers to be at Trend need to realise that the man in the street uses the online scan as a benchmark to judge the quality of the pay-for product. So, please don't tell me that there is no income stream for free scans. When Trend f**ks up the online scan they will not be trusted with a person's money.

Ok, now Trend has been taken care of, now for McAfee

sandi — Sat, 11 Mar 2006 02:50:00 GMT

http://www.incidents.org/diary.php?storyid=1179
http://isc.sans.org/diary.php?n&storyid=1184

"NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products. Good for you if you have your AV configured to "quarantine" bad files and not to delete them outright, this makes restoring the chewed up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment."

Want to know what some of the 'quite prominent third party products' are? We're looking at excel.exe, graph.exe, adobeupdatemanager.exe...
http://news.com.com/2100-1002_3-6048709.html

For pity's sake, don't these companies TEST their definitions before rollout???

Another stuff-up by Sophos from not long ago:
http://msmvps.com/blogs/spywaresucks/archive/2006/02/22/84530.aspx

Y'know, there was a time when Activenetwork (aka ActiveWin) was worth reading...

sandi — Mon, 06 Mar 2006 11:36:00 GMT

[Text edited 28 August and missing graphics recovered]

Note: On smaller screens this article may fall to the bottom of the page.. sorry 'bout that guys.. known IE bug...

Y'know, there was a time when Activenetwork (aka ActiveWin) was worth reading...but now? Forget it.. there are so many other sites out there that have the same information, without risky banner advertisements, smiley advertisements and screensaver malware (eg neowin.net)

I went to an article about "Windows Media Components for QuickTime" at Activenetwork (this URL). At the very top of the Activenetwork site we see this advertisement flashing and bouncing oh-so-urgently:

The advertisement led to a Winfixer advertisement page .. (URL removed). Ok, so let's click on that advertisement and see where we go and what happens next...

We land at a Winfixer site... and we see this:

Two words... HELL NO!!!

DO NOT click on the OK or Cancel button. Click on the Red X in the top right hand corner. Believe me, you do *not* want to touch those other buttons. But its persistent, and will keep going.

Click on the red x gang.

So, what happens next? Persistent little thing, isn't it:

Ok, let's ignore that dialogue, but remember, those uses older, insecure versions of Internet Explorer would, by now, be infected with Winfixer.

What happens if we try to use the Back button in IE? We see this:

Let's have a look at what happens if we close that dialogue box using the Red X, or when I try to close the Winfixer advertisement page. We get one last dialogue box:

Oh, look at that... no cancel button, and text written to fool the poor user into thinking they have no damned choice but to install the Winfixer crapware.

You still have a choice. Do NOT click on the Ok button... see that Red X? Click there... nowhere else.

So, what does Counterspy say about Winfixer?
http://research.sunbelt-software.com/threat_display.cfm?name=WinFixer&threatid=41898&search=winfixer

Winfixer is described as "elevated risk".. and check this out:

"WINFIXER is typically installed though security exploits and bundled with spyware/malware. WINFIXER sponsors an affiliate program via www.softwareprofit.com. Webmasters participating in the program are paid according to the sales generated from installation."

How the once-on-the-way-to-mighty have fallen. There was a time when Activenetwork (aka ActiveWin) may have had content that was fresh enough, and unique enough to be worth a visit, but not anymore.. there are other sites with equivalent content that don't run bannerads advertising Winfixer. Run, nay run *screaming* away from ActiveWin.. go to Neowin instead (yeah yeah, I know... never thought I'd see the day, but anything is better than the malware being pimped via Activenetwork). Bink.nu almost won a mantle, but he touts mess.be which is just a tad on the dodgy side, donchathink? A Messenger Plus! fan site, and also touting those horrid animated cursor malware programs. That one advert is enough to tip the balance in the negative as far as bink.nu is concerned.

Want to see a movie of the Winfixer site in action, proving access via the Activenetwork site? Be warned, there's a lengthy period of white screen.. one of the bugs of my capture software... slows things down... Download here (roughly 12 Meg)

Sun Java Vulnerabilities... again

sandi — Wed, 08 Feb 2006 22:05:00 GMT

Check this out:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1

"Seven (7) vulnerabilities with the use of "reflection" APIs in the Java Runtime Environment may independently allow an untrusted applet to elevate its privileges. For example an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet....

... It is recommended that affected versions be removed from your system. For more information, please see the installation notes on the respective java.sun.com download pages."

Ok, so why the hell does Sun Java leave vulnerable versions of their software installed when we update? You have to go in and manually remove the exploitable stuff via add/remove programs.

Historical blogposts:
http://msmvps.com/blogs/spywaresucks/archive/2005/08/22/63670.aspx
http://msmvps.com/blogs/spywaresucks/archive/2005/03/25/39584.aspx

My understanding of Sun's attitude to this problem is that there are some applications out there (invariably business applications) that will only work with a particular version of Java, therefore they will not automatically remove old versions of their product to avoid breaking said applications.

Sun have got things back to front.

The internet community as a whole should not be exposed to risk because of the needs of a minority.

Applications that break with later versions of Java should be updated so that users are not exposed to risk.

It is the responsibility of any business that depends on applications that may be broken by a java update to ensure that they don't download incompatible updates, and lock down their network so that their users are not put at risk by the use of vulnerable versions of Java.

It is not the responsibility of the Internet Community as a whole to be left at risk just because there is an old programme that may be in use somewhere in the world that will break if java is updated.

There is some real nasty malware/spyware out there that targets vulerable versions of Sun Java and the protection of the Internet Community as a whole should take priority.

Let the applications that may be broken by newer versions of Java, and the businesses that use them, look after themselves by not updating. Don't leave the rest of us exposed to risk.

Messenger Plus, Patchou, the Sponsor Program and suitable advertisement content

sandi — Mon, 05 Dec 2005 19:28:00 GMT

Tochjo (forum super mod at www.msghelp.net and official tester) said on 12 April 2005 that the MP Sponsor “contains no adult content”.

Patchou said on 2 November 2004 that “I assure you my sponsor doesn't display any adult popup”. He also said on 25 September 2004 that his sponsor program is "100% 'child friendly' ".

Cookierevised said on 8 July 2005 that “It also does NOT contain any adult related materials“

And on 11 January 2005 he said “there is a strict contract between Patchou and the sponsor of what the sponsor may do (eg: not including adult popup ads, etc...).“

Somebody is telling someone fibs, the rules have changed, or we have a basic disagreement about what are 'adult related materials' and 'adult popup(s)'.

Check out this page:
http://inetexplorer.mvps.org/graphics.htm

The screenshot on that page was captured on October 30, 2005. I have screenshots of several other 'adultfriendfinder.com' popups that were generated by the Messenger Plus! sponsor program.

Does adultfriendfinder advertise with lop.com elsewhere? Yes!!

Remember, the Messenger Plus sponsor program is popular with kids!! Yes, kids!! Do you want your *children* exposed to such things? Do you want your *teenagers* exposed to such an environment?

Maybe Patchou has no idea that his sponsor programme is generating such non-family and non-child friendly, adult advertisements. If he is unaware, he needs to take a serious look at his relationship with his sponsor and ask himself how the hell something like this happened. If he *does* know, then he needs to come clean and clarify exactly what he thinks “100 child friendly“ popups are.

adultfriendfinder.com is in Wikipedia
http://en.wikipedia.org/wiki/adultfriendfinder

Did you know that the Messenger Plus! sponsor program stipulates that you must be over 18 to install the sponsor, and that you must get the explicit approval of any person who may use the computer on which it is going to be installed before installing (unless you have legal authority to give permission for all users).

More to come later. Other information about the Messenger Plus! sponsor program:
http://inetexplorer.mvps.org/answers/43.html