I am pleased to advise that one of the malvertizements that was appearing at photobucket.com, namely the Tokyo Drift malvertizement being distributed via adbureau.net, has been removed from circulation.

As far as I know, the other malvertizements, hosted by atlas-ads.com, may still be in circulation.

The malvertizements are gone because we alerted adbureau.net to the problem.  I have NOT received any reassurances from photobucket.com, either directly or via other correspondents, that Photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again, or that they have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately.  My earlier stated advice to avoid all advertising on photobucket.com therefore still stands.

 

Photobucket has been mentioned several times on this blog because of malvertizements appearing on the site.  The most recent outbreak is proving to be problematic, to say the least.

Photobucket have been advised several times that there are malvertizements appearing on the web site.  Photobucket have been given sufficient information to enable them to quickly identify and remove the malvertizements.  Email acknowledgements have been received from Photobucket advising that the malvertizement reports would be forwarded to the "advertising team".

The malvertizements have also been reported to the advertising networks being used to host and distribute the malvertizements.

Why, then, are the malvertizements cited here still appearing on the Photobucket web site?

This is the Lady Speedstick malvertizement appearing on photobucket.com:
atlas-ads.com/99000/728x90.swf

Screenshot in situ:
http://www.bluetack.co.uk/Kimberly/Logs/swf79.jpg

This is the Tokyo Drift malvertizement appearing on photobucket.com:
photobkt-images.adbureau.net/photobkt/cinema_photobucket_728x90.swf

Screenshot in situ:
http://www.bluetack.co.uk/Kimberly/Logs/swf80.jpg

Kimberley wrote about the malvertizements at photobucket several days ago, and reported the problem to photobucket on 8 May:
http://www.bluetack.co.uk/forums/index.php?s=05b1fcebf3d68bb448979919ca14aa83&showtopic=18064&st=60&p=87195&#entry87195

Kimberley reports on photobucket.com again on 10 May...
http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=87219

And again here, just under 10 hours ago:
http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=87235

rlslog.net were able to get rid of the malvertizements reported to them.  mininova.org were able to get rid of the malvertizements that were reported to them.  Why is it so hard for photobucket.com to clean up *their* act???

I have no choice but to recommend that nobody should visit photobucket.com unless they have software in place that will prevent any advertisements on that site from being displayed on their computer.  This advice stands unless and until the malvertizements are removed AND photobucket.com can reassure us that:

  1. Photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again; and
  2. Photobucket have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately. 

I have always said that I do not support such wholesale blocking of advertisements, because I have always held to the view that every person deserves to earn an income, but in this case, because the malvertizements are still appearing despite our best efforts and despite several days having passed, I must recommend that visitors to the site protect themselves, even if it means that photobucket loses income and all advertisers (legitimate and fraudulent alike) receive zero value from photobucket.com.

 

Several comments have been posted to my blog recently about a malvertizement problem at mininova.org:

http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1601871
http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1602159
http://msmvps.com/blogs/spywaresucks/archive/2008/03/23/1550824.aspx#1614547

Anyway, I went looking and found a thread claiming that the malvertizements had been identified and removed on 5 May, so I didn't take things any further (a decision which may have been a mistake):
http://forum.mininova.org/index.php?showtopic=235009007

Kimberley has now identified a malvertizement on mininova.org, again hosted by Akamai:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=60&gopid=87201&

The domains being used by the malvertizers are:

adoptserver.info
iexplorer-security.org
mystats.com
fastwebway.com
xponlinescanner.com

The malvertizement has been reported to Akamai.

Once again, communication and cooperation between anti-malvertizement activists around the world has resulted in success.

We have found the malicious malvertizements on photobucket.com - Kimberley has the details.

The incident has been reported to Photobucket.  The malvertizements themselves are not new.  Speedstick and TokyoDrift have been featured on this blog several times.  As noted by Kimberley, the malicious domains being used by the cretins behind the malvertizements are:

atlas-ads.com (host of a malicious SWF)
track.trackads.net
tds.maxconvert.com
adtds.trackads.net
spywaredestructor.com
adoptserver.info
iexplorer-security.org
fastwebway.com
xponlinescanner.com

photobkt-images.adbureau.net (host of a malicious SWF)

adbureau.net is Akamai - the incident has been reported.

Atlas-ads.com is registered via Estdomains, created on 10 April 2008.

 

Thanks to Susan for the heads up...

Cite:  http://blog.mozilla.com/security/2008/05/07/compromised-file-in-vietnamese-language-pack-for-firefox-2/

Cite:  https://bugzilla.mozilla.org/show_bug.cgi?id=432406

Anybody who downloaded and installed the Vietnamese language pack ***since 18 February*** will have got an infected copy.  Symptoms include the display of unwanted advertising.

Mozilla notes that because there were only "16,667 total downloads of the Vietnamese language pack since November 2007", they consider that the impact on users will be "limited" - well, it may be limited in Mozilla's eyes, but I suspect that those affected will be less dismissive.

It is staggering that the infected file was in situ and being distributed for over two and a half months. It is also staggering that Mozilla seemingly did (does?) not complete regular scanning of their files to check for previously undetected malware - didn't they realise that there is always a period of time between malware being released to the wild, and security products updating their products to add detection of new malware??  By not regularly re-scanning all files available for download they expose(d) their users to real risk.

The malware is named in the bugzilla thread as "HTML.Xorer".

Advice is to disable the Vietnamese Language Pack.

I received an email alert overnight warning that photobucket is displaying malvertizements.

The problem we face in tracking down the reported malvertizements on photobucket.com is that the advertisements are country specific. 

This blog has readers all over the world - if anybody has seen something, please grab proof using Fiddler and let me know.

 

[Screenshots: the old Me.dium sidebar, the new one, and the view showing only online friends]

And we get a choice of backgrounds.  The last background, "70s Tux", doesn't seem to be working properly on my system.

Me.dium have chosen to turn off "find similar pages" by default; instead, Me.dium will only show you the pages that your online friends are currently viewing.  The Talk and Friend tabs are gone, and the Friend and Facebook panes can be closed.

You can only chat to people on your friends list, and the shout-out pane which anybody could use to "talk" to other Me.dium users is gone.

Unfortunately it has been necessary for me to remove the Me.dium widgets from my blog and website because the widgets are triggering certificate errors in Internet Explorer, specifically a warning that the certificate being presented by Me.dium was issued for a different web site's address.   This error can occur if a company owns several websites and uses a certificate that was issued for one web address on another site, and it does not necessarily indicate a security problem at the site.  It is still disturbing for visitors to my blog, though, and I do not like to contribute to desensitising people to security alerts (which is what I would be doing if I told people to ignore the error, or to install the certificate despite the error), therefore the widget goes until the certificate issue is fixed.

[Screenshots of the available backgrounds: Original, Night, Moss, Icy, Gum, 70s Tux]

Akamai supplies both an ActiveX and a Java based download manager. The ActiveX control remains installed on the user's computer until it is manually removed.  It is important to note that Akamai has been used by vendors such as Symantec and Microsoft (eg: Technet and MSDN) for file distribution.

Vulnerable versions:

Akamai Technologies Inc's DownloadManagerV2.ocx version 2.2.2.1
Akamai Technologies Inc's Download Manager Java Applet version 2.2.2.0

The security vulnerability makes it possible for an attacker to use the download manager to automatically download and execute files simply by tricking the victim into visiting a malicious web page.

The download manager user interface is displayed during an attack, but there may be insufficient time to cancel the download before exploitation occurs.

Workaround:

Setting kill-bits for the associated CLSIDs will prevent the ActiveX control from being loaded within Internet Explorer.  The CLSIDs are:

2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B
FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1

Disabling Java will prevent exploitation via the Java Applet.

Akamai has fixed this vulnerability in version 2.2.3.5 of their download manager product. Please refer to the following URL for upgrade instructions (and don't forget to make sure that the vulnerable ActiveX control has been removed - you will find it in C:\Windows\Downloaded Program Files.  The file name is "DownloadManagerV2.ocx"):

http://dlm.tools.akamai.com/tools/upgrade.html

Cite: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=695
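As an added example (not code from the original post, from iDefense or from Akamai), the following batch script applies the workaround above: it sets the kill-bit for the two CLSIDs listed and then checks whether DownloadManagerV2.ocx is still sitting in Downloaded Program Files.  It assumes cmd.exe on Windows XP or later, run from an administrator account; the 0x400 value in "Compatibility Flags" is the standard kill-bit documented in Microsoft KB 240797.

```batch
@echo off
rem Added example, not code from the original post. Sets the Internet Explorer
rem kill-bit for the two Akamai Download Manager CLSIDs and checks whether the
rem vulnerable OCX is still cached. Run from an administrator command prompt.
setlocal

set KEY=HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

for %%C in ({2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}) do (
    rem "Compatibility Flags" = 0x400 is the kill-bit (KB 240797): IE will refuse
    rem to instantiate the control even if the file is still on disk.
    reg add "%KEY%\%%C" /v "Compatibility Flags" /t REG_DWORD /d 0x400 /f >nul
    echo Kill-bit set for %%C
    reg query "%KEY%\%%C" /v "Compatibility Flags"
)

rem The kill-bit only blocks loading; the control stays in the cache until it
rem is removed, so report whether it is still there.
set OCX=%windir%\Downloaded Program Files\DownloadManagerV2.ocx
if exist "%OCX%" (
    echo WARNING: %OCX% is still present.
    echo Remove it via Internet Options, Settings, View Objects, then upgrade
    echo to 2.2.3.5 or later from the Akamai upgrade page.
) else (
    echo DownloadManagerV2.ocx not found in Downloaded Program Files.
)
endlocal
```

The kill-bit and the file removal are deliberately separate steps: the registry flag stops Internet Explorer from instantiating the control straight away, while the cached OCX is only truly gone once it has been removed through the View Objects list (or replaced by the fixed version).  Disabling Java, as noted above, is still needed to cover the applet variant.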

You will be unable to remove IE8 Beta or IE7 after installing Windows XP SP3 because Microsoft wants to make sure that you do not encounter a problem commonly known as "DLL Hell".

IE8 Beta 1 users

You will NOT be offered Windows XP SP3 unless and until you remove IE8 Beta 1.  This is because if you install Windows XP SP3 without removing IE8 Beta 1, then you will no longer be able to remove IE8 Beta 1 and the Remove option will be greyed out in Add/Remove Programs.

Internet Explorer 7 Users

You will be offered Windows XP SP3 as a high priority update BUT if you install it you will not be able to remove IE7 without removing Windows XP SP3 first.  It is recommended that you remove IE7, then install Windows XP SP3 then re-install IE7.

Internet Explorer 6 Users

You will be offered Windows XP SP3 as a high priority update.  Windows XP SP3 ships with an updated version of IE6.  No need to do anything else.

 

I have been reading through the Microsoft Security Intelligence Report covering the period July through to December 2007 over the past few days.  Although the bulk of the report focuses on security vulnerabilities, there are statistics specific to "rogue security software" (aka fraudware) and "potentially unwanted software" that I found interesting:

  • The most prevalent rogue security software detected in the second half of 2007 was Win32/Winfixer, with more than five times as many detections as any other single family.  The report notes that "many of the more prevalent malware families rely on social engineering tactics that trick the user into taking action that bypasses or lessens the effectiveness of the user's existing protection".  I'm hoping as time goes on that I will see fewer "get Firefox" or "get a Mac" comments in response to reports of various fraudware outbreaks, as people come to realise that such responses do not address the base problem of social engineering.

  • The most prevalent malware family (as distinct from rogue security software) was Win32/Zlob, which was removed more than 3 times as often during the second half of 2007 (and from twice as many computers) as any other individual malware family.  Often disguised as a media codec (there's that social engineering again), Zlob uses pop-up advertisements and fake security alerts to encourage the victim to install, you guessed it, rogue security software.

  • The second most prevalent malware family was Win32/Renos.  Renos, like Zlob, is used to install rogue security software.  Renos was found to have infected 79% more distinct computers during the second half of 2007 than was detected during the first half of the year.

  • The top potentially unwanted software family detected in the second half of 2007 was Win32/Hotbar (which, ironically, I have seen advertised via the Windows Live Messenger advertising pane).  Win32/Hotbar was in 4th place during the first half of the year.

  • 129.5 million pieces of potentially unwanted software were detected between July 1 and December 31 2007, resulting in 71.7 million removals.  This is an increase of 66.7% in total detections and 55.4% in removals over the first half of 2007.

  • Adware remains the most prevalent category of potentially unwanted software in the second half of 2007, an increase of more than 66%, from 20.6 million detections to 34.3 million detections.

  • The most infected country/region in Europe is Albania; the least infected countries/regions in Europe are Austria and Finland.  In the Asia-Pacific region the most infected countries/regions are Mongolia and Vietnam and the least infected Taiwan and Japan.

  • When prompted about rogue security software, nearly 60 percent of users choose to remove it immediately, with a large proportion of the rest choosing to quarantine the software (I admit to not understanding why only 60% of users are removing rogue security software).

It should be noted with regards to points 3, 5 and 6 that some of the increase can be attributed to an increase in the number of computers running Microsoft's detection and removal tools, and "changes in the distribution practices for different pieces of potentially unwanted software [that] can have an effect on how many people are exposed to it and how often, and how they tend to respond to alerts raised about the software".

You can get your own copy of the Microsoft Security Intelligence Report at this URL:
http://www.microsoft.com/downloads/details.aspx?FamilyId=BCC879DB-9FE6-4331-B231-E274EA8FC804&displaylang=en

 

As irritating as it may be to have to approve every comment to this blog, and as disheartening as it is to know that the cretins behind spam are using tools that maximize output whilst minimizing personal effort, I still derive pleasure from seeing them screw up.

Spyware Sucks was hit by a spike in spam comments that managed to get through the filters, BUT I was pleased to see that every single comment that got through the filters contained the same error - it seems that an attention to detail and the ability to complete the fields in a spam-tool properly is not a quality enjoyed by this particular spammer...

Another cry for help received via email...

"You are my last best hope...  I am just a regular guy from NY (not the city) with a problem.  My homepage in IE7 is locked on a page I don't want.  I try to change it in Internet options and it even says the homepage I want but it always goes to this other page. I set the page a month ago and now it won't go back.  I even reinstalled IE7 but no luck. Any ideas?  I can even send you a few bucks if you can help me out..."

Manufacturer/ISP Locking

Some computer manufacturers and suppliers of internet access set IE to their choice of home page and lock this setting via the registry. Hijackers use the same trick. The locking is done using registry settings as per the following:

Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page Setting (Q320159)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q320159 

Specific registry settings affected are:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] - DWORD "HomePage"=dword:00000001 (grays out the whole section)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] - DWORD "NoSetHomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions] - DWORD "NoSetHomePage"=dword:00000001
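The three settings above can be checked from the command line.  The following batch script is an added example (not code from the original post or from the cited Microsoft article): it reports which of the three lock values are present, deletes them when run with a /clear argument, and prints the current Start Page value so it can be compared with what Internet Options claims.  It assumes cmd.exe on Windows XP or later and, for the HKEY_LOCAL_MACHINE value, an administrator account.

```batch
@echo off
rem Added example, not code from the original post. Reports the three registry
rem values that lock the Internet Explorer home page; "/clear" deletes them.
setlocal
set CLEAR=0
if /i "%~1"=="/clear" set CLEAR=1

call :check "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" HomePage
call :check "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoSetHomePage
call :check "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" NoSetHomePage

rem Show the page IE will actually open, so it can be compared with what
rem Internet Options says the home page is.
echo.
echo Current start page:
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page"
endlocal
goto :eof

:check
rem %1 = registry key (quoted), %2 = value name. reg query returns a non-zero
rem errorlevel when the key or value does not exist.
reg query %1 /v %2 >nul 2>&1
if errorlevel 1 (
    echo OK      %2 not set under %~1
    goto :eof
)
echo LOCKED  %2 is set under %~1
if "%CLEAR%"=="1" (
    reg delete %1 /v %2 /f >nul
    echo         removed; reopen Internet Options and set your home page again
)
goto :eof
```

Run it without arguments first to see which values are present.  If a lock keeps coming back after /clear, either a protective product (Spybot S&D's Immunize feature, for instance) is re-applying it and should be told not to, or something malicious is resetting it, which is the situation covered further down.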

Protective software

Check your protective software (especially antispyware and antivirus).  Spybot Search and Destroy, for example, has a feature that will lock your home page.  Other products that may lock your home page include Ad-aware's Ad-Watch, SpywareBlaster, SpySweeper, Norton AntiVirus, McAfee VirusScan and Antispyware, and both versions of Zone Alarm.

If you are using Spybot S&D, check your 'Immunize' settings which may be locking your home page.
 
Malware and viruses

If your computer home page is set to about:blank against your wishes, or any other page, you have a malware problem. For advice on fighting malware, check out the link below - the page is a little old, and probably needs updating, but overall the advice is still good:
http://inetexplorer.mvps.org/tshoot.html

 
