Spyware Sucks : Security, Technology

Press Release: Attorney General McKenna’s new laws go into effect Thursday

sandi — Thu, 12 Jun 2008 00:25:00 GMT

The full press release is below. The section most relevant to this blog is the new laws related to spyware. A change that I anticipate will have a great impact is that the new laws "Create liability for web hosting services who ignore violators’ use of their products". I believe that this new law will encourage web hosting services to act quickly when malvertizement activity is reported to them. Far too often web hosting services have responded to my complaints by saying that they are not responsible for what their clients are doing, or they say that all they can do is contact their client and tell them that there has been a complaint, or they don't respond at all. Now that web hosting services can be found to be directly liable for the activities of their clients, it is going to be harder to ignore or fob off our complaints.

Here is the House Bill 2879 (the Bill related to changes to spyware laws):
http://apps.leg.wa.gov/documents/billdocs/2007-08/Pdf/Bills/House%20Passed%20Legislature/2879-S.PL.pdf

The important changes as relate to malvertizings follow - the changes are bold and underlined, or struck through:

The definition of "Transmit" has been changed to ensure that if a web hosting service "knows or reasonably should have known" that the chapter is being violated, then that web hosting service is liable for violations under the chapter.

"Transmit" means to knowingly, or with conscious avoidance of knowledge, transfer, send, or make available computer software, or any component thereof, via the internet or any other medium, including local area networks of computers, other nonwire transmission, and disc or other data storage device. "Transmit" does not include any action by a person providing:

(a) The internet connection, telephone connection, or other means of transmission capability (~~(such as a compact disk or digital video disk)~~) through which the software was made available;

(b) The storage or hosting of the software program or a web page through which the software was made available, unless the person providing the storage or hosting services knows or reasonably should know there is or will be a violation of this chapter, and participates in or ratifies the actions constituting the violation;"

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

PRESS RELEASE:

OLYMPIA – New laws requested by Attorney General Rob McKenna dealing with mortgage foreclosure schemes, identity theft, spyware and third-party marketing of cell phone numbers will go into effect on Thursday.

“These new laws address critical threats to consumers from the purveyors of modern frauds—from mortgage rescue schemes to identity theft and online spying” McKenna said. “Also beginning this week, consumers’ cell phone numbers will be protected from solicitors, since they can no longer be published without express consent. I want to thank legislators from both parties who helped pass these crucial protections.”

The following laws go into effect on Thursday, June 12:

Prohibiting third-party marketing of cell phone numbers

House Bill 2479 requires any person in the business of compiling, marketing or selling phone numbers for commercial purposes to obtain a consumer’s express opt-in consent before publishing his or her wireless phone number in a directory. A violation of the law is punishable by a fine of up to $50,000. The Attorney General may bring actions to enforce compliance and may notify first-time violators with a letter of warning.

Mortgage Foreclosure Legislation

House Bill 2791 adds protections for homeowners from losing their homes in “mortgage rescue” scams by:

· Requiring a written contract with clearly disclosed terms be completed, signed and dated by the homeowner and the purchaser prior to the property’s transfer;

· Providing the foreclosed homeowner the right to cancel the contract within five business days;

· Requiring that the purchaser demonstrate that the foreclosed homeowner is able to meet the terms of the contract including making interest and lease payments and is capable of purchasing the property within the allowable period;

· Requiring that the homeowner must receive at least 82 percent of the difference between the property’s fair market value and the underlying mortgage in the event of a sale to a third party.

A violation of the law is a per se violation of the Consumer Protection Act, making the outcome of litigation against foreclosure rescue schemes substantially certain and resulting in broad deterrence.

Identity Theft Legislation

Senate Bill 5878 creates a statutory requirement for police to take reports from victims of the identity theft.

· Victims have the option to file a report in their local jurisdiction or with the agency where the crime occurred.

· Allows prosecutors to bring separate charges against an accused identity thief for each use of a particular piece of someone’s personal information. This bill reverses policy set in State v. Leyda (2006), where the Washington Supreme Court held that a defendant may only be charged once for use of someone else’s information even when that information is used in multiple locations multiple times.

House Bill 2637 allows records provided by out-of-state businesses to be authenticated by affidavit, rather than in person, in criminal cases. When properly served with a request for records, the recipient must provide the records within 20 business days and verify the authenticity by providing a signed affidavit, declaration or certification. This allows for the more effective prosecution of identity thieves.

Shutting Down Spyware

House Bill 2879 remedies loopholes and weaknesses in the state’s Computer Spyware Statute by:

· Removing onerous requirements that hinder the ability to prove cases against violators;

· Creates liability for web hosting services who ignore violators’ use of their products;

· Adds violations for new forms of spyware; and

· Clarifies the standards for proof of violations and the circumstances under which actions may be brought.

New SWF analysis tools - thanks to TeMerc for pointing this out

sandi — Thu, 06 Dec 2007 23:58:00 GMT

Yay, a new tool. Thank you TeMerc, I owe you a drink of your choice when I am next in town...

"In light of a growing problem that has the potential to effectively place every internet user at risk, even when only visiting sites they would otherwise fully trust, there is at least a new tool available to assist the security researcher community with a means to better identify malicious SWF files. The timing for this is excellent, as I have personally only learned of this tool just this morning. This particular tool is the OWASP hosted project named 'SWFIntruder'."

There is a *lot* going on right now with regards to malicious advertising - too much to write about now - but watch this space. There may be FUN times ahead (for us, that is, not the purveyors of the malicious banner advertisements) :o)

Breaking news: skyauction.com, unauthorised malicious advertisements, a fake letter of mandate.. oh my...

sandi — Thu, 06 Dec 2007 23:15:00 GMT

My regular readers may recall my recent article about emusic's claim that various advertising networks (uniqueads.com, adtraff.com and forceup.com) were fraudulently claiming to represent emusic. Said advertising networks were apparently selling unauthorised, malicious, advertisements touting emusic.com; advertisements that hijacked users in an attempt to spread malware.

Well, I have received an email from the Chief Technology Officer at skyauction.com and he has quite a story to tell. Here is a quote from his email - information shared with permission:

"We were contacted by another company today that were duped into hosting one of the fraudulent ads for a couple of days (which have since been taken down). It seems that the source of the ads is a company called NetMediaGroup (http://www.netmediagroup.net). They are claiming to represent us and even provided a fake letter of mandate" (which I can email you) to one of their targets saying that they represent us. As with our logo, they were pretty sloppy creating this fake "mandate" because there are some obvious errors. In this case, someone with the pseudonym (one can only guess) of "Jim Burch" (jim@netmediagroup.net) contacted the site claiming to represent us and asking to put up ads on the contact's site. The the ads go up and deliver the fake malcious Skyauction ads until someone complains and they are finally taken down. NetMediaGroup appears at first glance to be a real company, but they are probably a completely
fraudelent one. The domain name is registered to some organization in Germany, but the contact us phone number seems to be in the Netherlands. All of the names on the web site are just generic (i.e. they don't give full names)."

Here is a picture of the fake letter of mandate as sent to me by skyauction.com - click on the graphic to view a full size copy:

Ok, so who are netmediagroup.net? Let's do a Whois search (copied below) - hmm, note the email address burnads_c@yahoo.com. Yep, that rings a bell - thinking back to the fake skyauction.com advertisement that hit soccernet.com, I remember that the name burnads appeared. The referrer for performanceoptimizer was: burnads.com/swf/gnida.swf?campaign=flatfootup&u=23423424. That URL, when I just loaded it in my system, redirected me immediately to fraudware site.

I think it is time to get in touch with the CTO of emusic and find out what *his* story is. The CTO of skyauction and I both believe that the best way to fight the fraudsters is to expose their activities.

Domain Name : netmediagroup.net

::Registrant::
Name      : Martin Such
Email     : burnads_c@yahoo.com
Address   : Debusweg 6-18, Koenigstein - Falkenstein Frankfurt
Zipcode   : 61462
Nation    : DE
Tel       : +49(0)4513456
Fax       :

::Administrative Contact::
Name      : Martin Such
Email     : burnads_c@yahoo.com
Address   : Debusweg 6-18, Koenigstein - Falkenstein Frankfurt
Zipcode   : 61462
Nation    : DE
Tel       : +49(0)4513456
Fax       :

::Technical Contact::
Name      : Martin Such
Email     : burnads_c@yahoo.com
Address   : Debusweg 6-18, Koenigstein - Falkenstein Frankfurt
Zipcode   : 61462
Nation    : DE
Tel       : +49(0)4513456
Fax       :

::Name Servers::
ns1.netmediagroup.net
ns2.netmediagroup.net

::Dates & Status::
Created Date   2006-06-29 05:38:33 EDT
Updated Date   2007-06-27 17:59:00 EDT
Valid Date     2008-06-29 05:38:33 EDT
Status         ACTIVE

Is this the beginning of the end for malicious SWF files?

sandi — Thu, 06 Dec 2007 22:56:00 GMT

Oh, I hope so. Mind you, it's going to take me quite a while to get my head around this 7 page document, and all of the extra pages referred to ... anybody want to give me a crash course, or explain to my readers what sort of difference this will make in the fight against malicious banner advertisements? ;o)

Source: http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html

"In 2003, Flash Player 7 software introduced a channel of client-server communication that was new to the web: direct cross-domain data loading, authorized by policy files. Before policy files, web content could only perform two-way communication with its own server, such as runtime configuration or transactions without page reloads. Policy files allowed servers to open up their data selectively to client content from other domains, or generally to content from anywhere. Since the introduction of policy files, domain boundaries have been less of a barrier for authors of rich Internet applications.

Like most new technologies, policy files weren't perfect when they were first introduced. After four years, the Internet security community has found two undesirable situations (described later in this article) that can arise from the existence of policy files. The basic premise of policy files remains valid, and Flash developers can continue to rely on policy files just as they have since Flash 6. To address the new concerns, however, Adobe is specifying some stricter rules for the use of policy files. Additionally, there are a number of improvements that make policy files more useful and usable. We will try to explain the reasons for our changes clearly and simply."

Not even my immediate family is safe from malware....

sandi — Fri, 23 Nov 2007 12:00:00 GMT

There's my Dad, searching the net for an update to a particular specialist programme on his system; he finds what he wants, he downloads, he starts to install (we don't know if he closed his Web browser first - I'm bettting not), he's prompted to update *DirectX* and whammo, he's hit with spyware.cyberlog-x.

Unfortunately:

he doesn't remember what the URL was that he downloaded the software from;
he's not sure in what order various events occurred; and
IE's history, just for today, has been deleted (an interesting symptom in and of itself) - IE's history record for previous days is intact.

The affected system is an XPSP2 system and my Dad fell victim to a standard combination of circumstance; a nice dose of social engineering, being confronted by a dialogue box that mentioned a name that was familiar enough to not be too scary, and not paying close enough attention to what he was downloading, and just as importantly, where from.

My father's experience today, and our difficulties when trying to clarify exactly what happened and how it happened, combined with other interactions I have seen between IT and computer users, reminds me that the average user really doesn't "get it" when it comes to working with IT staff. They are sometimes their own worst enemies; not paying attention, and not recording what is, for us, essential information and not interacting well with their IT support. The user mis-steps that I see happening most often are:

The average user will not read the error message on the screen.

There was the time a very grumpy person complained that somebody had changed his password, because he was sure he was putting it in correctly, but it kept failing. It turned out that the true situation was that he was trying to unlock a locked screen and didn't read the dialogue box that appeared after he entered his username and password which said (paraphrased) that "this computer is locked, if you proceed the other logged on user's programs will be shut down and they may lose data". Instead, he assumed it was an incorrect password dialog, hit enter (which triggered 'cancel'), pressed ctrl/alt/del, tried again, didn't read the message again, hit enter again, rinse/wash/repeat. After 4 or so tries he came to me to complain, and a lot of frustration could have been saved if he had read the dialogue box and acknowledged the warning by clicking ok instead of cancel....

And this guy had an admin account - don't let him near a server... please...
Practice patience.

If the hourglass is spinning, it won't do you any good at all to keep clicking; in fact, with some of the line of business applications that I support it will guarantee a crash. Go and get yourself a tea, coffee, fruit juice or whatever and if the problem is still there when you get back, call IT and ask for advice.
If the cursor turns into a hand, *single* click, don't double click... again, I support some line of business applications that *will* crash if you double click instead of single click.
If it doesn't work the first time that you click, it won't work if you click 2, 3, 5, 10 or 20 times.
Swearing at the computer won't help - it can't hear you.
Swearing and being angry when talking to IT support won't help either. Stress is bad for both of you.
Sometimes a simple reboot is all that is needed to stabilise your system, especially if you leave it running 24 hours a day.
It is not a good idea to delay rebooting after installing security updates if prompted to do so - to avoid weird problems and errors, please restart your computer when prompted, even if you're really really really busy - it doesn't take that long.
"It's been crashing for about a week, but I really need this report right now".

Please call IT support before it becomes an emergency. We don't have crystal balls... we don't discover that you are having problems via some sort of mysterious osmosis, and if you've left things for a week before calling us we have somewhere between "nil and buckleys" chance of working out what went wrong and why. Also, it is difficult for us to minimise the frustration you're feeling if you only call us after you've been "putting up with it" for a week, and you're now seriously pissed off and ready to throw your computer (and your IT support professional) out the nearest window.
"There was a weird message then it crashed"...

"Ok, what was the message?" ... <<silence except for the sound of crickets chirping in the darkness>> ... "I dunno. I clicked on ok, and now nothing works".

If you experience a crash, stop what you are doing, read it and write it down, then call me.
"I didn't do anything!" .... sometimes, my friend, yes you jolly well did.
If your thoughts immediately before clicking are anything like "maybe if I try this..." or if you feel a desire to close your eyes and cross your fingers as you click, then don't click.
"It has never worked!!" .... Ok, we're dealing with the crystal ball thing again, aren't we...
Please, don't try to fix it yourself. You may "know a bit about computers" but if your efforts change a simple fix into a complicated procedure or an "easier to reformat" situation, you won't win any friends, especially if you call IT and say "It's been crashing for about a week, but I really need this report right now".

US-CERT alert - MAC OSX Leopard

sandi — Mon, 05 Nov 2007 23:20:00 GMT

"US-CERT is aware of reports of possible flaws in the Application-Based Firewall in Mac OS X Leopard. According to these reports, users may be misinformed of the status of their firewall rule set, thus placing users with listening network services at an increased risk."

What *were* Apple thinking? "Block all incoming connections" should do exactly that.

Heise Security have a detailed analysis of the Leopard firewall's protections, or more precisely lack thereof, and their verdict is:

"The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto."

Ok, so the Leopard firewall is off by default, even if you had your firewall turned on before upgrading to Leopard; it doesn't distinguish between network types (unlike Vista which allows you to set different security levels for different networks); it is application based (identifying programs via code signatures) and no longer not port based, and there are the reports of applications being unable to access the internet (Skype and World of Warcraft being two that come to mind).

More on the MAC malware

sandi — Thu, 01 Nov 2007 23:03:00 GMT

Word is starting to spread about the MAC targetting malware "MacCodec" aka OSX.RSPlug.A, but I admit to being concerned at some of the reactions that I am seeing.

"A spokesperson for Symantec suggested that Intego "has a tendency to over-hype things" - excuse me?? What an unhelpful statement by Symantec.

"It's not going to spread far because it prompts for the Administrator password" - ah, if only life were that simple, but reality is those dancing pigs are just too darned tempting....

"Practice safe browsing: lock-down your browser (instructions below), and only download from sites you trust and install programs that you download intentionally. If you are unsure whether a program is legitimate, you can check to see if that program is also available from a trusted download site like MacUpdate.com or VersionTracker.com (not all legit programs are available on these sites, but they can serve as a good reality check)." (source: http://www.smith.edu/its/technotes/?p=41)

My apologies in advance to the people at Smith College TechNotes - this isn't personal, ok? Your article just happened to be high up in a Google search and contained the type of advice that I wanted to highlight.

Ok, so let's look at the above in segments...

"Practice safe browsing: lock down your computer (instructions below)" - locking down your computer does not protect you from social engineering attacks where you are tricked into running what you think is a safe file, a file that is seemingly required to complete whatever task it is that you are doing on the computer. Locking down your computer only protects you from exploits and "drive by downloads", neither of which apply to the MAC trojan under discussion.

And, just what is "safe browsing" anyway? The hacking of *legitimate* "safe" web sites is becoming commonplace. I could tell you about some very big names that have had their Web sites hacked, or who have involuntarily offered infected files for download, or who have hosted malicious Flash based banner advertisements - names that you would never expect to be a danger. The MAC world is going to have to become far more distrusting, and far more cynical, now that the bad guys are targeting them.

"Only download from sites you trust" - see the previous paragraph - and anyway, does anybody actually trust a porn site? I don't. And what will happen when the bad guys start using less nefarious topics such as, for example, a "how to stay safe on the internet" as the theme for their websites and malicious movies?

"..and install programs that you download intentionally" - ok, but the user is expecting to view a video - he or she *wants* to view that video and being prompted to install a codec is not unusual. The trick (a fake codec) is a commonly used, and far too often successful, trick used in the Windows world. In light of that reality, I'm not sure how this little snippet of advice helps in a situation like the MAC trojan.

"if you are unsure whether a program is legitimate, you can check to see if that program is also available from a trusted download site..." - sorry, this ain't gonna work unless you decide that if a product or codec isn't listed, you're not going to run it AND that you will only download and run from said trusted site, AND it assumes that the site itself has not been compromised. AND, what happens when the bad guys mimic the name of a well-known, trusted product? In the Windows world, the bad guys often mimic the names of Windows system files, and well known software.

And, in the end, users are lazy. They're not going to stop what they're doing, write down the name of whatever it is they have found that wants to install, load another page so that they can view whatever download site and search for the file in question before deciding whether or not to enter their Administrator password.

MacWorld's article about the trojan is here:
http://www.macworld.com/2007/10/firstlooks/trojanhorse/index.php

So what does this all boil down to? All of the above advice is good, traditional, advice and it would have been enough in the past - but nowadays it is not a panacea and much of the advice is negated by social engineering attacks anyway.

MAC users are being targeted in a porn trojan social engineering attack

sandi — Wed, 31 Oct 2007 23:27:00 GMT

Source: http://www.theregister.co.uk/2007/10/31/in_the_wild_osx_trojan/

"Miscreants have released a sophisticated Trojan into the wild that targets Mac users, according to Intego, a company that markets security software that runs on OS X.

The malicious Trojan, dubbed OSX.RSPlug.A, is making the rounds on several porn websites. When Mac users try to view some videos, the site feeds them a page that says QuickTime is unable to play the file unless a special codec is installed first. If the user proceeds, a form of DNSChanger is installed that hijacks some web requests sent to eBay, PayPal and some banking websites, according to this write-up <http://www.intego.com/news/ism0705.asp> from Intego.

"The noteworthy part is that someone is targeting the [Mac] OS," said Randy Abrams, a security researcher at antivirus software provider Eset. "This may mean that the OS is beginning to gain enough users to be attractive to attackers."

The Trojan installs a root crontrab that makes minute-by-minute queries to check that the doctored DNS server is still active. The websites offer different versions of the malware, most likely to tailor web spoofing to the victim's particular country. There is no way for victims running 10.4 to see the changed DNS server in the OS X GUI. In 10.5, the DNS server is visible in the Advanced Network preferences, but the added servers are dimmed and can't be removed manually.

Apple PR representatives didn't respond to an email seeking comment for this story.

A barrage of spam posted to Mac forums invites readers to visit the malicious websites. The Trojan requires victims to enter the administrative password for their machine, a factor that is likely to mitigate the risk somewhat. Then again, Windows users have for years been tricked into installing malware <http://www.theregister.com/2007/10/19/return_of_trojan_bayrob/> that can wreak havoc on their PCs. We see no evidence that Mac users are any less resilient to social-engineering attacks."

An interesting article by my friend Mauricio, and a timely warning

sandi — Fri, 17 Aug 2007 00:41:00 GMT

Operating System security is [only] as good as the admins http://www.geekzone.co.nz/freitasm/3578 "This last week, 5 of the 8 servers that are loco hosted but Canonical sponsored, had to be shut down due to reports that they were actively attacking...(read more)

Extremely disappointing - Trend Micro fails anti-malware test

sandi — Mon, 06 Aug 2007 05:21:00 GMT

"All three of its software products report false positives in VB100 testing.

All three of the anti-malware products submitted by Trend Micro for Virus Bulletin's independent tests failed because they produced false positives.

Of the 20 products submitted for testing, six generated false positives when scanning a set of known clean files and failed to meet the requirements for VB100 certification.

"Trend Micro, one of the 'big four' anti-malware companies, submitted no fewer than three of its anti-virus products, all of which falsely identified a Microsoft development tool as spyware," said a statement from Virus Bulletin.

"Other products to generate false positives were FortiClient, Ikarus Utilities and VirusBuster."

Source: http://www.crn.com.au/story.aspx?CIID=88516&r=rss

Unfortunately there is no mention in the CRN article (or any of the other verbatim articles appearing on the various news sites) of what the "Microsoft development tool" was/is that triggered the false positive.