Spyware Sucks : safety and privacy on the Internet, viruses and exploits

ALERT: Two malvertizements seen at Spaces (not skydrive) and Hotmail...

sandi — Tue, 18 Nov 2008 23:10:00 GMT

Edit: BTW, it is Spaces and Hotmail - I haven't seen the malvert at Skydrive yet.

Kimberley saw the first one, a malvertizement featuring perfectmatch.com:

I have discovered another malvertizement featuring IMIN - we have seen this advert several times in recent days in different places:

Details of hijack:

IMIN malvertizement undetectable using adopstools
http://www.adopstools.com/index.asp?page=quicklink&id=j5WPzf37aZeMUVbT

Encrypted dynamic text in use

Hash: 11c8f432a9e70c56a171ddfa9df43a3a

Refers victims user to this URL (SWF disguised as GIF)
optimizedby.net/__utm.gif?<<snipped>>

Scans malicious at adopstools
http://www.adopstools.com/index.asp?page=quicklink&id=8010nJ21nJm6q02M

Hash: d730fba801a56311f9cf73587826821a

Leads victim fraudware domains, including windows-scannercenter.com/?id=<<snipped>>

optimizedby.net

ICANN Registrar: Regtime Ltd
Created 26 August 2008
NS1.OPTIMIZEDBY.NET (has 1 domain)
NS2.OPTIMIZEDBY.NET
Registrant: Sergey Bolshakov (serg.bolshakov@mail.ru)
IP: 212.95.32.166 - Netdirekt E.k

windows-scannercenter.com

ICANN Registrar: Directi
Created 21 September 2008
NS1.WINDOWS-SCANNERCENTER.COM (has 1 domain)
NS2.WINDOWS-SCANNERCENTER.COM
Registrant: Ali Said (kanobeliz@googlemail.com)
IP: 83.229.251.28 - Moskva - Moscow - Mchost.ru Inc

Domains sharing IP range 83.229.251.%

Microsoft Security Intelligence Report: January through June 2008

sandi — Sat, 01 Nov 2008 13:46:00 GMT

The Microsoft Security Intelligence Report for the period covering January through June 2008 has been released.

Executive Summary
Full report
Key findings summary

The full report is a hefty 150 pages long. I have only had time to take the briefest of glances at it, and even then I have focused only on my particular field of interest - browser based exploits and malware/potentially unwanted software.

A showstopper statistic is to left of screen. As you can see, the percentage of browser based exploits from the perspective of Microsoft software versus third party software swas 42.3% (MS) : 57.5% (TP) for Windows XP and an amazing 5.7% (MS) : 94.3% (TP) for Windows Vista. The results highlight just how important it is to ensure that *all* software on your computer is kept up to date and, to quote the authors of the MSIR report "uninstall software you don’t actively use. Malicious code can exploit vulnerabilities in software whether you use it or not".

The report also reveals that:

In 1H08, the total amount of malware and potentially unwanted software removed from computers worldwide increased by more than 43 percent compared to 2H07.
Despite this overall increase, there has been a 36% DECREASE in the number of computers infected with Win32/Winfixer family malware.
Although patterns of malware detected and removed by Microsoft security products varied across countries and regions, trojan downloaders and droppers constituted more than 30 percent of all malware removed by Microsoft security products worldwide. This trend builds on the significant increases in the volume of trojan downloaders and droppers detected over the past several years.
As a general rule, infection rates tend to be higher in developing countries/regions than in developed countries/regions, as reported by the Malicious Software Removal Tool (MSRT).
The most common system locale for victims of browser-based exploits was Chinese, accounting for 47 percent of all incidents, followed by US English with 23 percent of incidents.
The infection rate for Windows Vista is significantly lower than that of its predecessor, Windows XP, at any service pack level.
The infection rates for the 64-bit editions of Windows Vista were both lower than those of their 32-bit counterparts.
For each version of the operating system, higher service pack levels meant lower rates of infection. This trend can be observed consistently across client and server operating systems half-year period over half-year period.

Now, with regards to the 43% increase in detected malware and potentially unwanted software, the authors note that:

The ability of the tools themselves to detect malware continues to improve as researchers analyze samples and refine their detection algorithms.
Several prevalent malware families were added to the MSRT in 1H08, causing them to be detected for the first time on many previously unprotected computers.
More computers worldwide are running Windows Vista, which includes Windows Defender (available as a separate download for earlier versions of Windows) and allows the user to download the monthly Microsoft Windows Malicious Software Removal Tool (MSRT) by default.
Increased usage of Microsoft security products, like Windows Live OneCare and Microsoft Forefront Client Security, has contributed to the increase.
Any genuine increase in the prevalence of malware and potentially unwanted software would naturally tend to be reflected in the statistics, as well.

User actions and reactions

The following two statistical tables are very interesting - they show us the most removed, and least removed, detections. I struggle to understand, for example, why anybody would choose to ignore the detection of "severe" threats. The least removed statistics are unsurprising.

SWF for malware deployment

sandi — Fri, 31 Oct 2008 11:29:00 GMT

Mea culpa: Marian is apparently male, not female.

Marian Radu of the Microsoft Malware Protection Center has written about SWF being used for malware. She He states:

"What I found out is that, excluding flash exploits, SWFs are mainly used as redirectors"

Yep, we know this ... that is why Flash is "the Typhoid Mary of the Internet".

I'm glad that Marian has written about the problem of malicious SWF, but I admit that this got my back up:

"More and more each day I see SWF files being sent to us as a potential part of a malware deployment chain. Most of the times it is not the case, but because of these special cases where the submitter was actually right, I decided to write this entry."

I don't know about you, but I am not too happy with the "special cases where the submitter was actually right" quip.

Regular readers of my blog will know that we have been fighting this problem for years - "we" being me, other security researchers such as Kimberley, every big advertising network there is (and lots of small ones), the web sites who have been victims, the end user victims themselves - every big name has been hit at some time or other - Microsoft, Google, Yahoo, AOL, Doubleclick, 247RealMedia and myriad advertising networks. For Marian to call the examples that she he found "special cases" minimizes the existence of malicious SWF in a way that I find discomforting.

As for her his statement:

"I’ve been spending part of today tracking down some SWF files that are part of “the dark side”.

I wish she he had got in touch - I have thousands of samples available for her his viewing pleasure on this machine alone.

Hold fire on Fuse Kit....

sandi — Mon, 18 Aug 2008 09:57:00 GMT

Moses Gunesch, the author of Fuse Kit, has posted a comment to my blog here:
http://msmvps.com/blogs/spywaresucks/archive/2008/08/17/1644872.aspx#1644983

I may have to eat an awful lot of humble-pie if I have misunderstood the capabilities and features of Fuse. I always hate, with a passion, getting things wrong. My understanding was that Fuse can be used to animate *and encrypt*, and it is encryption of the malicious SWFs that is causing problems - if you can't break an encryption you can't see the true code. If you can't see the true code, you can't assess risk.

Anyways, here is Moses's comment - he deserves full right of reply:

Hi Sandi,

I'm the author of the Fuse Kit. Your article is entirely misleading; Fuse Kit is simply an animation system for Flash that is entirely free, open and transparent. There is nothing in the code that can trigger malicious actions. Fuse is very simple, it can make things move around on the screen and create animation – It doesn't have a single network-enabled feature that can even call another website. That stuff is done using the Flash Player, which should probably be the target of your attacks.

I do not doubt that this banner creator used Fuse, it is even possible that they may have laced their own malicious code into their custom animation sequences (I don't write people's animation code for them), but in essence Fuse itself is just a fancy animation timer. The GetURL actions you mention – or any other network connectivity they used is part of Flash's native coding language (ActionScript), and absolutely does not rely on Fuse (or any other system) to operate.

To state clearly, I absolutely oppose malware myself, and would never think of writing code that enabled any such thing! I hope that you, Kimberly and the others will retract these implications that Fuse is somehow responsible for things it is not even capable of. It is damaging to my name as an Open Source developer who works for the good of the Flash coding community. (So you know, I'm a pretty above-board kind of guy: a published author, I speak at conferences and am generally considered a positive contributor in the Flash world. I really hope that your game is not just to tarnish people's reputations without just cause!)

You are in the business of trying to identify legitimate online threats, which I applaud. I would guess that your credibility must partially hinge on where you point the finger. The author of that banner should surely be excoriated (if you track them down please let me know, I would like to tell 'em a thing or two...), but their use of my animation kit is incidental at best.

Again, Fuse is an entirely open, free, and transparent open source code library. There is nothing scary or mysterious about it. I'll be happy to help explain it to you in more detail if you'd like! :-) But, this strong recommendation you've made against it is misguided and damaging, and I would very kindly ask you to reconsider!

Addendum:

This situation is proving to be quite an intellectual, and moral, struggle for me. Notwithstanding my possibly having to eat humble pie, I cannot ignore the reality that Fuse has been used with every 'undetectable' malvertizement that I have seen. That fact alone - the use of Fuse as a common denominator - can be seen as sufficient reason to advise that all such creatives be treated with extreme caution - especially when we are playing for such high stakes (trying to ensure the safety of web users and avoid seemingly 'undetectable' malvertizements) and we are struggling to find other reliable indicators of potential trouble (the visual content of the malverts changes as does the domains used by the pushers of the malverts, but the apparent use of Fuse is consistent, and we have been seeing such use for a while now).

I must emphasise, very strongly, that there is a subtle, but important, distinction between saying that [1]Fuse is being used with lots of malvertizements, or saying that [2]Fuse is bad. I have been saying the former[1], not the latter[2].

ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

sandi — Sat, 16 Aug 2008 11:21:00 GMT

Topic subjected edited to add the word "always". I stand by my statement that there are users out there who believe that "NoScript" will protect them from incidents like the clipboard hijack, even when they have disabled "Forbid Flash", and need to be told that this is not so. Perhaps my original article, without the edits and note in bold, was insufficiently clear, but that has been addressed.

The hijacking of clipboards by malicious SWF is proving to be a very popular topic:

http://www.trustedsource.org/blog/145/Rogue-Flash-ads-hijack-your-clipboard
http://news.bbc.co.uk/2/hi/technology/7567889.stm
http://www.theregister.co.uk/2008/08/15/webbased_clipboard_hijacking/
http://blogs.pcmag.com/securitywatch/2008/08/mac_users_get_clipboardjacked.php
http://blogs.zdnet.com/security/?p=1733
http://www.scmagazineus.com/Clipboards-hijacked-by-furtive-code/article/115503
http://www.sophos.com/security/blog/2008/08/1671.html?_log_from=rss

Somebody posted at ZDnet to claim that "Once again, NoScript saves our collective keesters!" Sorry, but this is not true. You can try it out for yourself. Edit: you do, of course, need to have set NoScript to allow Flash to display by turning off the "Forbid Adobe Flash" option, or have otherwise allowed the Flash content to display.

Fire up Firefox with noscript, then go to this "proof of concept" URL:
http://raffon.net/research/flash/cb/test.html

Now, check your clipboard. You will find that it is populated with an "evil.com" URL. You will not be able to change that clipboard text until you close the raffon.net page in Firefox.

Some other points to pay particular attention to...

Some users have pointed out that the malicious URL leads to Google. This is standard operating procedure for malicious advertising campaigns that have not been 'activated' or that have been discovered and reported. Changing the destination URL from Google to a fraudware domain (and back again) is a trivial thing for the bad guys, accomplished in minutes.
Some users have recommended enabling the Internet Explorer setting that blocks programmatic access to the keyboard. This will not work. Blocking programmatic access to the keyboard only stops web sites from *reading* the clipboard; it does not stop them from *writing* to it.
Some users have said that they are forced to reboot the computer to get rid of the clipboard problem. This is not necessary. Once you identify and close the web page that is hosting the malicious SWF you will regain control of the content of your clipboard.
Some users are saying that it is no big deal because no malware is being installed on computers. That may be so, but the trick *is* getting the URL on to web pages, and therefore in to Google and other web searches. Viewers *will* click on the malicious link - not all of them, maybe not a lot of them, but some will click, and the bad guys will take any hits they can get.

So, what is the quickest and easiest way to avoid this problem? Block Flash.

Note: NoScript was set to allow Flash and Silverlight to display (which is not the default setting, but is a setting that is more common than some would like to admit). The raffon.net site is NOT a whitelisted site in NoScript, and the option to "temporarily allow" scripts on raffon.net was not selected, nor was any other "allow" option used.

ALERT: malvertizement at newsweek.com (hosted by washingtonpost.com)

sandi — Fri, 15 Aug 2008 18:46:00 GMT

Edit: Please review this article re Fuse:
http://msmvps.com/blogs/spywaresucks/archive/2008/08/19/1644991.aspx

Once again, it is a malvertizement created using Fuse Kit. Again, there are signs that the malvertizement came from the now defunct trackstarmedia.

Kimberley has all the details at her forum. The advertisement is still live at time of writing.

It is quite obvious that the bad guys are going to take as much advantage as they can of the fact that their current malvertizements are extremely difficult to detect (malvertizements created using Fuse Kit). They are going to hit every site that they can, as often as they can, for as long as they can. It worries me that I am seeing complaints about malvertizing-like symptoms all over the net implicating - not only newsweek, but at other big name sites like MSNBC, Facebook, lime.com, Hotmail, MySpace and Yahoo.

I am seeing reports of the malicious redirects remaining dormant for a week before visitors to victim web sites are hijacked and redirected to fraudware sites. Web sites simply *must* increase their due diligence checks with any new advertiser. It is going to take time, and it is going to cost money, but what alternative do web sites have if they want to protect and keep their readership, and if they want to avoid the inevitable end result of malvertizing, which is that more and more of visitors to their sites are going to block all advertising.

That being said, it is not all doom and gloom - not yet. There is something that you can watch out for, even if a particular advertisement passes the adopstools test, and passes other security tests. You see, even if the hijacking behavior of a malvertizement is "dormant" there are still subtle hints of trouble ahead that you can see if you know where to look.

For example, in the case of the newsweek malvertizement, by leaving network traffic capture software (or Fiddler) running when the advertisement displays on a web page, we see that the following URL is touched - adoptserver.info/state_.gif?url=[removed] and that the malvertizement is the referrer. adoptserver.info is a known "bad actor". Its name servers are supplied by the now infamous "estboxes". Any advertisement that leads to such a domain being touched should be suspended, no questions asked. Don't wait for the complaints to start.

If the bad guys want to continue to use the type of controls that they currently use to manipulate the behavior of malvertizements, then such tell tale signs in network captures are pretty much unavoidable, but the person examining the captured data needs to know what to look for, and needs to be familiar with the bad domains, and, sadly, needs a finely tuned "gut instinct" to be able to spot suspicious URLs. The bad guys use myriad "bad actor" domains, and they can register new names very quickly and easily, and sometimes they can hide for a while before we work out who/what they are. Even as I write, I can think of ways that they may change the way they do things to try and avoid even the tiny indication of trouble that is a single call touching a single bad URL. So, let me stress, once more, what I said the other day:

It is strongly recommended that any advertisement that has been created with Fuse be treated with extreme caution. In fact, let me go further - it may be worthwhile considering implementing a policy to refuse any advertisement that has been created using Fuse.

I also strongly recommend that you treat anybody who supplies such creatives with "extreme prejudice". Do everything you can to check into their bona fides. Complete not only the standard address, phone number and credit checks, but also undertake a comprehensive reputation check - look into the background and history of the advertiser and anybody providing a credit reference. Take a close look at their web sites - who hosts them, who shares their IP address, who shares their mail server and their name server - check what web sites are within the same IP range. If you have access to a domaintools.com Gold Membership take a close look at their hosting history. Check into their WHOIS history as well using the same service. Write to people such as myself and ask for advice and guidance.

I do not advise this course of action lightly. I ask that you seriously consider it unless and until we have found a reliable way to improve the detection of these newer types of malvertizements.

Even if an advertiser is not offering a Fuse creative, you should still exercise caution. If the advertiser is in a rush - if they want the ads to run as soon as possible - and if the advertiser is relatively unknown you have to ask yourself - how likely is it that such an unknown player would have been given a particular advertising campaign - especially if the advertisements feature well known brands. I find it amazing when we do not question how smaller advertising networks could end up with names such as Colgate in their stable of clients, or question why big names would have surprisingly small advertising budgets.

Follow your instincts people... if you smell a rat, or something just doesn't sit right, then proceed with extreme caution. And, be careful of any letter of mandate or authority that you may be given - back when the skyauction malvertizements were being distributed, the fraudsters pushing the advertisements were using a fake letter of mandate to convince victim sites of their bona fides.

Staff at the victim site commented that there is "a lot of action scripting for such a simple ad". I agree with their observation (hindsight is a wonderful thing). It is something to bear in mind when assessing a creative.

ALERT: malvertizement featuring cardstore.com

sandi — Thu, 14 Aug 2008 02:31:00 GMT

Edited to fix typos - changing cardshop to cardstore - (it had been a *long* day)

I finally got a sample of the malicious advertisement featuring cardstore.com:

Interesting points to bear in mind about this incident are:

The malvertizement was received from the currently defunct trackstarmedia.com.
The malvertizement passes preliminary security checks (including adopstools):
http://www.adopstools.com/index.asp?page=quicklink&id=a28IN1T1L0Y5EC2l
www.mosessupposes.com/Fuse/ was used to create the malvertizement as you can see from the code revealed by the adopstools check.
The campaign was live for a week before anything bad started to happen.

It is strongly recommended that any advertisement that has been created with Fuse be treated with extreme caution. In fact, let me go further - it may be worthwhile considering implementing a policy to refuse any advertisement that has been created using Fuse.

I also strongly recommend that you treat anybody who supplies such creatives with "extreme prejudice". Do everything you can to check into their bona fides. Complete not only the standard address, phone number and credit checks, but also undertake a comprehensive reputation check - look into the background and history of the advertiser and anybody providing a credit reference. Take a close look at their web sites - who hosts them, who shares their IP address, who shares their mail server and their name server - check what web sites are within the same IP range. If you have access to a domaintools.com Gold Membership take a close look at their hosting history. Check into their WHOIS history as well using the same service. Write to people such as myself and ask for advice and guidance.

I do not advise this course of action lightly. I ask that you seriously consider it unless and until we have found a reliable way to improve the detection of these newer types of malvertizements.

Even if an advertiser is not offering a Fuse creative, you should still exercise caution. If the advertiser is in a rush - if they want the ads to run as soon as possible - and if the advertiser is relatively unknown you have to ask yourself - how likely is it that such an unknown player would have been given a particular advertising campaign - especially if the advertisements feature well known brands. I find it amazing when we do not question how smaller advertising networks could end up with names such as Colgate in their stable of clients, or question why big names would have surprisingly small advertising budgets.

Follow your instincts people... if you smell a rat, or something just doesn't sit right, then proceed with extreme caution. And, be careful of any letter of mandate or authority that you may be given - back when the skyauction malvertizements were being distributed, the fraudsters pushing the advertisements were using a fake letter of mandate to convince victim sites of their bona fides.

Staff at the victim site commented that there is "a lot of action scripting for such a simple ad". I agree with their observation (hindsight is a wonderful thing). It is something to bear in mind when assessing a creative.

ALERT: malvertizement from trackstarmedia.com (domain suspended)

sandi — Tue, 12 Aug 2008 10:30:00 GMT

I have just received word that a malvertizement featuring cardstore.com has been discovered. The distributor of the malvertizement is, according to my contact, trackstarmedia.com

I'll post further information, and screenshots, as it comes to hand.

Thumbnail of trackstarmedia.com page, courtesy of Robtex.

Domain Name: TRACKSTARMEDIA.COM
Registrar: WILD WEST DOMAINS, INC.
Whois Server: whois.wildwestdomains.com
Referral URL: http://www.wildwestdomains.com
Name Server: NS49.DOMAINCONTROL.COM
Name Server: NS50.DOMAINCONTROL.COM

The URL www.trackstarmedia.com does not load. Its listed IP address, 216.195.62.80, redirects to the URL defaultpage.3fn.net/?htr=216.195.62.80:

A WHOIS search reveals this interesting message:

"trackstarmedia.com
This domain name has been suspended due to invalid Whois information. If you are the registrant of this domain name please contact us at: invalidwhois@secureserver.net."

Doesn't it warm the cockles of your heart to see the bad guys take a tumble?

We can use domaintools.com to review historical WHOIS data - this is what the WHOIS used to contain:

WHOIS records dated 18 January and 24 February, 3 June and 11 July note that the Registrar was "Wishing Tree Records", PO Box 197, Warren, Rhode Island.

WHOIS records dated 22, 25 and 28 July 2008 list the Registrant as Patrik Kelly of 580 Harrison Avenue, Boston MA 02118.

Then on 12 August the Registrant was changed to Oliver Gruner, 53 Marlborough Street, Boston, Massachusetts.

ALERT: Watch out for new malvertizements featuring ETRADE

sandi — Wed, 06 Aug 2008 18:46:00 GMT

Edited to fix title...

Microsoft Security Intelligence Report (July through December 2007) - Key Findings Summary (Australia, Canada, Germany, Japan, Netherlands and Norway)

sandi — Mon, 23 Jun 2008 02:45:00 GMT

Downloadable here:
http://www.microsoft.com/downloads/details.aspx?familyid=671355c2-4002-4671-8619-95c96c8a897f&displaylang=en&tm

The worldwide average was malware removal from 1 out of every 123 Windows-based computers in the second half of 2007.

Summary - Australia

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 204 Windows-based computers it was executed on.

Zlob (Trojan) 6.9%
Starware (Potentially unwanted software) 4.4%
Hotbar (Adware) 2.7%
WhenU (Adware) 3.3%
Winfixer (Potentially unwanted software) 2.7%
Agent (Trojan and trojan downloader) 2.6%
All others - 77.7%

Summary - Canada

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 172 Windows-based computers it was executed on.

Zlob - 6.4%
Hotbar - 4.6%
Agent - 4.2%
Starware - 4.0%
ZangoSearchAssistant (Adware) - 3.1%
WhenU - 3.1%
All others - 73.6%

Summary - Germany

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 226 Windows-based computers it was executed on.

Zlob - 12.2%
WhenU - 5.9%
Hotbar - 3.9%
Renos (Trojan downloader) - 2.6%
Zango Search Assistant - 2.6%

Summary - Japan

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 685 Windows-based computers it was executed on.

CnsMin (Spyware) - 8.6%
Zlob - 4.3%
Antinny (Worm) - 3.9%
Rbot (Backdoor) - 3.4%
WhenU - 2.9%
All others - 76.9%

Summary - Netherlands

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 170 Windows-based computers it was executed on.

Zlob - 7.4%
WhenU - 4.7%
Virtumonde (Trojan and adware) - 3.3%
Hotbar - 3.1%
ConHook (Trojan) - 2.9%
All others - 78.6%

Summary - Norway

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 160 Windows based computers it was executed on.

Zlob - 12.5%
WhenU - 4.7%
Winfixer - 3.7%
Zango Search Assistant - 3.5%
Hotbar - 3.4%
All others - 72.2%

Other important notes from the key findings summary (all countries)

The total amount of malware removed from computers worldwide via the Microsoft Malicious Software Removal Tool (MSRT) increased over 40% during the second half of 2007 to more than 450 million unique computers worldwide per month.
During the second half of 2007 there was a 300% increase in the number of trojan downloaders and droppers detected and removed.
The most prevalent rogue security software detected in the second half of 2007 was Win32/Winfixer, with more than five times as many detections as any other single family. Winfixer displays erroneous alerts warning of severe system threats. The program then offers to remove the erroneous detections for a fee. These warnings appear under multiple false product names in several different language versions.
129.5 million pieces of potentially unwanted software were detected between July 1 and December 31 2007, resulting in 71.7 million removals. These figures represent increases of 66.7% in total detections and 55.4% in removals over the first half of 2007.
Adware remained the most prevalent category of potentially unwanted software in the second half of 2007.
The top potentially unwanted software family detected in the second half of 2007 was Win32/Hotbar.

New malvertizements featuring diamondharmony.com

sandi — Fri, 13 Jun 2008 14:47:00 GMT

Screenshot of diamondharmony.com malvertizement

ALERT: Malvertizements at disney.fr

sandi — Tue, 10 Jun 2008 15:10:00 GMT

These criminals, whoever they are, have absolutely no shame. I thought that they were the scum of the earth when they impersonated Oxfam; now they are getting their malvertizements onto popular chidren's sites.

As reported by Kimberley - the malvertizements have been reported to RealMedia:

openad.tf1.fr/RealMedia/ads/Creatives/OasDefault/AUTOPROMO_DISNEY_SKY_CINEMA_NOW/cinemanow_120x600.swf

adoptserver.info/_stat029.gif?url=[removed]
windowsxp-privacy.net/?id=987650098
xponlinescanner.com/soft.php?aid=024217&d=2&product=XPA
xponlinescanner.com/2008/2/freescan.php?aid=77024217

openad.tf1.fr/RealMedia/ads/Creatives/OasDefault/AUTOPROMO_DISNEY_MEGA_CINEMA_NOW/cinemanow_728x90.swf

adoptserver.info/_stat029.gif?url=[removed]
windowsxp-privacy.net/?id=987650097
xponlinescanner.com/soft.php?aid=024218&d=3&product=XPA
xponlinescanner.com/2008/3/freescan.php?aid=77024218

ALERT: Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability

sandi — Wed, 28 May 2008 05:14:00 GMT

Affected versions are 9.0.124.0 and 9.0.115.0.

The best analysis that I've seen so far is at SecurityFocus:
http://www.securityfocus.com/bid/29386/info

The frightening thing about this alert is that the vulnerability is being actively exploited, with tens of thousands of web sites being compromised (Symantec/Security Focus think that this is happening via SQL injection), with those compromised web sites being used to redirect victims to other sites that are hosting malicious Flash files.

At time of writing there is no workaround, patch or official advisory. If you're using Firefox, install a copy of No Script for its script and Flash blocking abilities. If you are using Internet Explorer get yourself a copy of IE7Pro, which includes an ad blocker and a Flash blocker (note: be careful with the maximum connections per server setting - I have seen that setting break some web sites, especially banking sites).

Or, simply uninstall Flash.

A new look dottunes malvertizement

sandi — Tue, 27 May 2008 22:39:00 GMT

A new style Dot Tunes advertisement:

The adopstools results are here:
http://www.adopstools.net/index.asp?page=quicklink&id=r60Siyiw02bZgpaa

When the SWF is displayed on a system it hits the following URLs:

traveltray.com/crossdomain.xml

and

traveltray.com/stats.php?u={{removed}}&campaign=ofdidactic

The cross domain policy is "allow-access-from domain="*" " - in other words, there are no domain restrictions. This document will help you understand the implications of such an open cross domain policy:
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html

I am NOT associated with bucksbill.com

sandi — Tue, 20 May 2008 00:17:00 GMT

Ok, there are a lot of people out there who are upset at being overcharged and defrauded by bucksbill.com. Just check out the comments here and here.

Unfortunately, people are also emailing me directly because they (mistakenly) believe that I and/or this blog are associated with the fraudsters. For example, check out this email:

"I dont know what this is but there was money taken from my account for this and I Know I DID NOT purshase this I have tried to call you several times and can not get through. Please contact me Donna Spencer 270-***-**** or 270-***-****. DO NOT TAKE ANY MORE MONEY FROM MY ACCOUNT CONTACT ME AS SOON AS POSSIBLE!!!!!"

I and this blog are NOT associated with bucksbill.com in any way.

Please, remember that victims of overcharging and unauthorised charges can dispute the charge with their bank or building society and request that the charge be reversed.

The Federal Trade Commission has published an advisory for victims of credit card fraud or overcharging that can be seen here:
http://www.ftc.gov/bcp/conline/pubs/credit/fcb.shtm

ALERT: Malvertizement at en.f1-live.com?

sandi — Mon, 19 May 2008 22:26:00 GMT

A comment has been made to this blog warnin that http://en.f1-live.com/f1/en/index.shtml has been serving malvertizements during the the past week or so. We're investigating. If anybody sees anything, please let me know.

ALERT: malvertizement at boston.com?

sandi — Mon, 19 May 2008 22:23:00 GMT

I received this alert via email:

"My girlfriend was surfing boston.com last night and she landed on some nasty code that redirected her to that classic alert bos in the lower left hand corner of the screen. This time is was for XPShield which is widely known as rogue. Anyway I had known that you covered a boston.com incident before and wanted to let you know its still going on."

We're investigating. If anybody sees anything untoward, please let me know.

Press Release: Washington Attorney General settles case with man accused of using pop-ups to hawk software

sandi — Mon, 19 May 2008 22:20:00 GMT

SEATTLE – A 21-year-old Scottsdale, Ariz., man accused of coercing consumers to buy software that actually turned their computers into spamming machines agreed to a settlement that substantially restricts how he markets software in the future, the Washington Attorney General’s Office announced today.

The Attorney General’s Consumer Protection High-Tech Unit sued Messenger Solutions, LLC, and owner Ron Cooke, in March. The suit, filed in King County Superior Court, accused Cooke of violating Washington’s Computer Spyware Act and Consumer Protection Act while marketing programs under the names Messenger Blocker, WinAntiVirus Pro 2007, System Doctor and WinAntiSpyware.

Under the settlement filed today, Cooke cannot use Net Send messages or simulated security alerts to market products, transmit software to another person’s computer without a user’s knowledge or make other misrepresentations in the advertising or sale of products.

He will pay $5,000 in attorneys’ costs and fees and $202 in restitution, which will be used to provide refunds to nine Washington consumers who purchased the software. The settlement also includes a $100,000 civil penalty, waived provided Cooke complies with the settlement.

“Ron Cooke now has a $100,000 fine hanging over his head as a reminder to him and other online marketers that the Attorney General’s Office won’t tolerate Internet anarchy,” said Assistant Attorney General Katherine Tassi. “There are plenty of opportunities for young entrepreneurs to profit online without deceiving consumers.”

The Attorney General’s Office launched its investigation in October 2007 after a computer in the High-Tech Unit’s lab received ads via Windows Messenger Service. The lab uses “honey pots” to detect hackers, spyware purveyors and other Internet mischief.

The state’s complaint alleged Cooke uses Windows Messenger Service to bombard consumers with a continuous stream of pop-ups advertising porn and sexual-enhancement products. Windows Messenger Service, not to be confused with the instant-messaging program Windows Live Messenger, is primarily designed for use on a network and allows administrators to send notices to users.

He then sent those same consumers another bout of pop-ups intended to simulate system warnings, which directed users to a Web site to buy software to supposedly block pop-ups.

Consumers who downloaded the software were further victimized when the program caused their computers to stealthily blast messages to other PCs at a rate of one every two seconds.

The Attorney General’s Consumer Protection High-Tech Unit has brought a total of six lawsuits under Washington’s Computer Spyware Statute, RCW 19.270, since the law was approved by the Legislature in 2005.

Messenger Solutions/Cooke Consent Decree

Messenger Solutions/Cooke Complaint

Photobucket.com - an update

sandi — Tue, 13 May 2008 23:56:00 GMT

I am pleased to advise that one of the malvertizements that was appearing at photobucket.com, being the Tokyo Drift malvertizement being distrubted via adbureau.net, has been removed from circulation.

As far as I know, the other malvertizements, hosted by atlas-ads.com, may still be in circulation.

The malvertizements are gone because we alerted adbureau.net to the problem. I have NOT received any reassurances from photobucket.com, either directly or via other correspondents, that photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again, or that they have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately, therefore my earlier stated advice to avoid all advertising on photobucket.com still stands.

Photobucket are not cleaning up their act

sandi — Mon, 12 May 2008 23:52:00 GMT

Photobucket has been mentioned several times on this blog because of malvertizements appearing on the site. The most recent outbreak is proving to be problematic, to say the least.

Photobucket have been advised several times that there are malvertizements appearing on the web site. Photobucket have been given sufficient information to enable them to quickly identify and remove the malvertizements. Email acknowledgements have been received from Photobucket advising that the malvertizement reports would be forwarded to the "advertising team".

The malvertizements have also been reported to the advertising networks being used to host and distribute the malvertizements.

Why, then, are the malvertizements cited here still appearing on the Photobucket web site?

This is the Lady Speedstick malvertizement appearing on photobucket.com:
atlas-ads.com/99000/728x90.swf

Screenshot in situ:
http://www.bluetack.co.uk/Kimberly/Logs/swf79.jpg

This is the Tokyo Drift malvertizement appearing on photobucket.com:
photobkt-images.adbureau.net/photobkt/cinema_photobucket_728x90.swf

Screenshot in situ:
http://www.bluetack.co.uk/Kimberly/Logs/swf80.jpg

Kimberley wrote about the malvertizements at photobucket several days ago, and reported the problem to photobucket on 8 May:
http://www.bluetack.co.uk/forums/index.php?s=05b1fcebf3d68bb448979919ca14aa83&showtopic=18064&st=60&p=87195&#entry87195

Kimberley reports on photobucket.com again on 10 May...
http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=87219

And again here, just under 10 hours ago:
http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=87235

rlslog.net were able to get rid of the malvertizements reported to them. mininova.org were able to get rid of the malvertizements that were reported to them. Why is it so hard for photobucket.com to clean up *their* act???

I have no choice but to recommend that nobody should visit photobucket.com unless they have software in place that will prevent any advertisements on that site from being displayed on their computer. This advice stands unless and until the malvertizements are removed AND photobucket.com can reassure us that:

Photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again; and
Photobucket have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately.

I have always said that I do not support such wholesale blocking of advertisements, because I have always held to the view that every person deserves to earn an income but in this case, because the malvertizements are still appearing despite our best efforts and despite several days having passed, I must recommend that visitors to the site protect themselves, even if it means that photobucket loses income, and all advertisers (legitimate and fraudulent alike) receive zero value from photobucket.com