
Archive for: October, 2006

October 26th, 2006

Halloween sites tricking users with malware

Posted by David Grober @ 8:07 pm

Categories: Spyware/adware warnings

Update October 27: This morning I contacted the owner of listed sites. The sites were indeed hacked, and the owner has since removed the malicious code from the web pages.

This is a nasty trick! There are a few Halloween sites being used to distribute malware, right at the time when unsuspecting web users might be searching for Halloween sites for fun. Patrick Jordan, aka Webhelper, has posted the details here with a screenshot of the code, which contains iframe links to a well known malware distribution site.

The sites to avoid are:

Halloweensites.net, nwnlostsouls.com, vampirekits.com, and, on the same IP address but not a Halloween site, sudokugameboard.com. Two others on a different IP address, californiaparanormalsociety.com and heatherclark.info, are also poisoned with the iframe links. The links go to the domain and IP whois information at domaintools.com.

It’s not clear to me whether these websites have been hacked or were set up to push malware, but I suspect they are hacked sites, especially since one of them, vampirekits.com, has content for the hosting company, Webair.com. Before posting this, I contacted the support phone number for the hosting company, Webair.com, and spoke to a support person who would not give me his name. This person said he was unable to do anything and that I should email their abuse reporting address or call back in the morning. Not cool! Earlier this week I contacted another ISP about a hacked site, and the tech support people had the site down in less than 30 minutes, and that was about 3:00 AM their local time.

Patrick Jordan also posted information about the group behind the malware distribution site, and listed other sites in the same group. All should be avoided.

October 20th, 2006

Scary malware tricks part 1

Posted by Suzi Turner @ 11:57 am

Categories: Spyware/adware news

In keeping with this Halloween season, I’m starting a series on scary malware tricks, similar to last year’s series on spyware tricks. Perhaps my personal focus has changed, but it seems to me spyware tricks are becoming far more devious and destructive. Last year I was testing mostly adware, whereas this year I’m testing more trojans, backdoors, rootkits, etc. Also scary — botnets are reportedly growing in frightening numbers.


CNET’s Joris Evers reported on the recent Virus Bulletin Conference, saying the future of malware is trojan horses. Instant messaging worms are on the rise. Rootkit-based malware is spookiest, and some IM worms are infecting users with rootkits.

Just this week we learned that Apple shipped some iPods with a trojan (not to mention that Apple tried to push the blame on Microsoft). In their announcement, Apple used the word virus, but it’s more like a worm with a backdoor trojan component.

The name of the malware process on the infected iPods is RavMone.exe. Symantec has a good description here, calling it W32.Rajump. When I first read the description, the name was Backdoor.Rajump, but either way, its malicious payload is the same. On initial infection, the malware creates RavMone.exe in the Windows directory and puts itself in a Run key in the registry to make sure it starts with every Windows boot-up. Symantec says it opens a TCP port and immediately tries to phone home to the following URLs:

  • [http://]natrocket.kmip.net:5288/ret[REMOVED]
  • [http://]natrocket.kmip.net:5288/ies[REMOVED]
  • [http://]natrocket.9966.org:5288/ies[REMOVED]
  • [http://]scipaper.kmip.net:80/ies[REMOVED]

What happens next is anyone’s guess, but with a backdoor, it can be ugly. Both domains shown appear to be Chinese, as seen here and here. There has been some speculation that perhaps the infected iPods were shipped from a “contract manufacturer”, using Apple’s words, in China, but I’ve not seen any confirmation of that. If anyone has a sample of RavMone.exe, I’d be interested in getting it to test. My ZDNet bio has a contact form here.

Another example of very scary technology is the Gromozon rootkit, aka Trojan.LinkOptimizer. I’ll write about Gromozon in the next article in the series.
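As an added example (not from the post or from Symantec's write-up), the Python below takes the four phone-home URLs quoted above, reduces them to host and port pairs (Symantec truncated the paths, so the path is not usable as an indicator), and looks for them in proxy logs. The Squid access.log layout and the log lines themselves are constructed for this demonstration.

```python
"""Match the W32.Rajump phone-home hosts against proxy log lines.

Added example, not code from the ZDNet post or from Symantec. The indicator
list is the four URLs quoted in the post (the post defangs them with
brackets around http://); the log format (Squid native access.log) and the
log lines are constructed for this demonstration.
"""
import re
from urllib.parse import urlsplit

# Indicators as quoted in the post; "[REMOVED]" is where Symantec cut the
# path, so matching is done on host and port only.
RAJUMP_URLS = [
    "http://natrocket.kmip.net:5288/ret[REMOVED]",
    "http://natrocket.kmip.net:5288/ies[REMOVED]",
    "http://natrocket.9966.org:5288/ies[REMOVED]",
    "http://scipaper.kmip.net:80/ies[REMOVED]",
]

# Constructed Squid-style lines: time elapsed client action/code size method url ...
SAMPLE_LOG = """\
1161000001.123    152 10.0.0.17 TCP_MISS/200 1432 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1161000002.456    301 10.0.0.23 TCP_MISS/200 312 GET http://natrocket.kmip.net:5288/ret?id=1 - DIRECT/198.51.100.7 text/plain
1161000003.789    120 10.0.0.23 TCP_MISS/200 58 CONNECT scipaper.kmip.net:80 - DIRECT/198.51.100.8 -
1161000004.012     90 10.0.0.41 TCP_MISS/404 210 GET http://kmip.net/ies - DIRECT/198.51.100.9 text/html
""".splitlines()

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def indicator_set(urls):
    """Reduce the quoted URLs to a set of (host, port) pairs."""
    pairs = set()
    for u in urls:
        parts = urlsplit(u)
        pairs.add((parts.hostname.lower(), parts.port or 80))
    return pairs


def match_log(lines, indicators):
    """Return (timestamp, client, host, port) for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if "://" not in url:          # CONNECT lines carry host:port with no scheme
            url = "http://" + url
        parts = urlsplit(url)
        if parts.hostname is None:
            continue
        key = (parts.hostname.lower(), parts.port or 80)
        if key in indicators:
            hits.append((m.group("ts"), m.group("client"), key[0], key[1]))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, indicator_set(RAJUMP_URLS)):
        print("phone-home attempt:", hit)
```

Matching on host and port rather than the full URL is deliberate: the malware's path is unknown beyond the truncated prefix, and the odd port (5288) on a dynamic-DNS style host is itself the strongest part of the indicator. The unrelated `kmip.net` request in the sample is not flagged, which is the behaviour you want from an exact-host match as opposed to a substring search.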


October 16th, 2006

Edelman on 'Deceptive Door Openers' and Ask toolbars

Posted by Suzi Turner @ 10:09 am

Categories: Spyware/adware news

In a new article posted this morning, Ben Edelman continues his investigation of high-profile companies clogging users' computers with junk. Today's target: InterActiveCorp's Ask.com, known for its widespread "smiley" toolbars.

Last year I blogged about Ask's various toolbars and the trinkets Ask uses to get users to install them. But Ben thinks there's a bigger problem here. So I sat him down for an interview.

Q: Ben, what's the big deal with Ask's toolbars?

A: The core problem is that users are being tricked into installing them, under false pretenses. Users are offered one thing, like "free smileys" or "top 10 cursors." Then users end up getting Ask's toolbar too.

Q: Is that really so bad? You're not claiming these are security exploit installs, like what you documented last year. Users actually consent to these installations, right? What's the problem?

A: The problem is that users' "consent" is obtained under false pretenses. Ask gets users' attention with the promise of free tidbits that some users do indeed want. Once it has their attention, it switches them over to something else — namely, free tidbits plus a bundled toolbar.

Q: Sounds like the old bait-and-switch routine. Is that illegal?

A: Ask most folks, and they'll tell you no. It's all in the EULA, they'll say, so they think it's just fine. I want to push back on that a bit.

I've recently been rereading old FTC cases about unfair and deceptive trade practices. One that particularly caught my eye is Federal Trade Commission v. Encyclopaedia Britannica, Inc., 87 F.T.C. 421 (1976). Here's what happened. Britannica door-to-door salesmen had various ruses "to get in the door" into users' homes — "door-opener" lines, they're called, because they get users to open the door and let the salesman in. Apparently the salesmen often made promises about free vacations and the like. It's thanks to these promises that consumers let them in.

Now, ultimately the salesmen revealed that actually they were there to sell encyclopedias, albeit with some chance of a free trip thrown in too. So the truth of the salesman's offer was made known prior to purchase. But the Britannica case holds that that's just not good enough. It's not enough for a salesman to talk his way in the front door with a deceptive opening line, planning to tell the truth later. An honest sales pitch can't begin with a false or misleading offer. Once a salesman uses such an offer to get a user's attention, there's no cleaning that up, however well the truth is disclosed later.

Q: That's most interesting. How does this apply to Internet advertising?

A: I think the analogy is actually remarkably direct. Ask's ads make promises like "free smileys." But Ask no more offers "free smileys" (with nothing more) than the Britannica salesman offers a "free vacation." To get (a chance at) a Britannica free trip, a customer apparently had to buy an encyclopedia set. Similarly, to get an Ask free smiley, a user must install Ask's toolbar. In both cases, the opening offer is materially misleading — promising something that's just not available on the specified terms (a free vacation with nothing more, or free smileys with nothing more).

In both cases the truth is made known later: Ask ultimately does explain that users must accept its toolbar too. But as the Britannica case holds, that's not enough. The initial offer was so different from the resulting deal that the confusion can't be cured by a subsequent disclosure.

Q: Is there anything else wrong with Ask's approach?

A: Sure. I show Ask advertising its toolbars through other vendors' spyware, even after Ask specifically promised it had "cleaned up" its advertising practices. I show Ask's EULA link appearing off-screen, even after Ask specifically promised it fixed that too.

Q: What about the Ask toolbar itself? Is it worth installing?

A: No. I discourage users from running Ask's toolbars for two reasons. First, Ask moves the browser's Address Bar from top-left (where it is found in every browser I've ever seen) to top-right. Ask puts its own search box in the top-left. So Ask's software makes it highly likely that users will accidentally conduct searches when they intend simply to navigate to sites they request by name.

Second, Ask's toolbar leads to landing pages that are objectionable in their own right. Ask's landing pages show ten ads — ten! — above the first organic result. On an 800×600 screen, that means 2 full pages of ads, plus a little bit more after that, all before the first organic result. That's ridiculous. No user deserves that, especially since organic results are safer than sponsored links.

Q: Ben, do you have any big-picture thoughts?

A: Definitely. These "deceptive door openers" are remarkably widespread. Many online advertisers use these schemes to pull in unwary customers. "See what happens next in this video," invite several widespread banner ads, only to require users to give an email address or install software to actually see the rest of the video. That's materially different from what the ad specifies, and it's a rotten deal for consumers.

It's reassuring that our legal system already confronted this kind of tactic. These deceptive door opener cases were litigated before I was born, but they stand for a valuable consumer protection principle that withstands the test of time. Companies ought not begin their interaction with a prospective customer by making false statements, misleading statements, or statements with material omissions. That's a lesson Ask (among many others) ought to take to heart.

Ben, thanks for the interview.

The full article can be read here. There's also a video, made yesterday, showing a non-consensual installation of the Ask toolbar.

October 13th, 2006

Is Zango stealing affiliate commissions from adult webmasters?

Posted by Suzi Turner @ 9:07 pm

Categories: Spyware/adware news

It seems that Zango, formerly known as 180solutions, the company we all love to hate, has royally ticked off a bunch of adult webmasters. Paperghost, aka Chris Boyd, has the story, complete with links to forums where the adult webmasters discuss Zango allegedly stealing affiliate commissions. True? I don’t know, but considering some of Zango/180solutions’ past questionable business practices, nothing would surprise me. Interestingly enough, Zango’s blog has a very recent post about cookies, claiming that “Zango does not read, alter, modify or delete Web site or cookie content.” and stating “Zango… do[es] not alter, manipulate, or delete third-party affiliate referral tracking information.”

In Boyd’s comments, Dave Methvin of PCPitstop explains what happens when affiliate cookies are overwritten and links to an article by Ben Edelman on “cookie stuffing”. Dave writes:

[...] here’s how it works. Someone goes to Zango and buys a keyword and/or URL to generate an ad. When an infested user goes to a site or page with the keywords, Zango generates a popup window with the “ad” in it. However, the ad is actually a redirect to a URL with a parameter indicating this is a referral from an affiliate–the affiliate that bought the ad from Zango! It overwrites any other affiliate tracking code that the site was using.

It hasn’t been that long ago that the CDT filed their complaint to the Federal Trade Commission about 180solutions and their practices. One would think Zango would be minding their Ps and Qs, but maybe not.
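The overwrite Dave describes works because a typical merchant-side affiliate handler sets a fresh cookie on every landing that carries a referral parameter, so the last popup wins. The following Python is an added example of the merchant-side mitigation, not Zango's, PC Pitstop's or any merchant's code: a signed first-touch cookie that a later referral cannot silently replace while the attribution window is open, with the conflicting id surfaced so it can be logged. The cookie layout, the 30-day window and the signing key are assumptions.

```python
"""Merchant-side affiliate attribution that resists referral overwriting.

Added example illustrating a mitigation for the cookie-overwriting behaviour
Dave Methvin describes; it is not Zango's, PC Pitstop's or any merchant's
code. The cookie layout, the 30-day first-touch window and the signing key
are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ATTRIBUTION_WINDOW = timedelta(days=30)   # assumption: first-touch window
SIGNING_KEY = b"constructed-demo-key"     # assumption: held server-side only
DAY = timedelta(days=1)
DEMO_START = datetime(2006, 10, 13, tzinfo=timezone.utc)   # constructed timeline


@dataclass(frozen=True)
class Referral:
    affiliate_id: str
    first_seen: datetime


def sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def encode_cookie(ref: Referral) -> str:
    """Serialise a referral as affiliate|unix-time|hmac."""
    body = f"{ref.affiliate_id}|{int(ref.first_seen.timestamp())}"
    return f"{body}|{sign(body)}"


def decode_cookie(raw):
    """Return the stored Referral, or None if the cookie is absent or tampered."""
    if not raw:
        return None
    parts = raw.rsplit("|", 2)
    if len(parts) != 3:
        return None
    affiliate, ts, mac = parts
    body = f"{affiliate}|{ts}"
    if not ts.isdigit() or not hmac.compare_digest(sign(body), mac):
        return None
    return Referral(affiliate, datetime.fromtimestamp(int(ts), tz=timezone.utc))


def attribute(existing_cookie, incoming_ref, now):
    """Decide who gets credit when a visitor lands with ?ref=<affiliate>.

    A naive handler (the behaviour the post describes being abused) always
    rewrites the cookie with incoming_ref, so whoever fires the last popup
    wins. Here a valid, in-window referral is kept (first touch), and a
    different incoming id is returned as a conflict for logging and review.

    Returns (cookie_to_set, credited_affiliate, conflicting_affiliate).
    """
    current = decode_cookie(existing_cookie)
    if current and now - current.first_seen <= ATTRIBUTION_WINDOW:
        conflict = incoming_ref if incoming_ref and incoming_ref != current.affiliate_id else None
        return existing_cookie, current.affiliate_id, conflict
    if incoming_ref:
        return encode_cookie(Referral(incoming_ref, now)), incoming_ref, None
    return None, None, None


if __name__ == "__main__":
    cookie, credited, _ = attribute(None, "aff-legit", DEMO_START)
    print("first landing credits", credited)
    _, credited, conflict = attribute(cookie, "aff-popup", DEMO_START + 2 * DAY)
    print("later landing keeps", credited, "and logs conflict", conflict)
```

Two caveats worth stating. First-touch versus last-touch is a business decision; what this code changes is that a later referral no longer wins silently, and the conflict record is the detection signal: a burst of conflicts all naming one affiliate id is exactly what an ad-network popup overwriting everyone else's cookies looks like from the merchant's side. Second, the HMAC stops a client from editing the cookie but cannot help a visitor who had no affiliate cookie yet; for that first landing the popup's referral is indistinguishable from a genuine one, which is why the server-side conflict log, not the cookie alone, is what you review.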

October 12th, 2006

So what about user education on security?

Posted by Suzi Turner @ 9:05 pm

Categories: General

CNET's Joris Evers writes about one security expert who says educating users on computer security in the enterprise setting is "pointless". Doctoral candidate Stefan Gorling, speaking at the Virus Bulletin Conference, said:

"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."

Some of the attendees agreed while others vehemently disagreed.

The trick is to know what you're talking about and to bring the information in a format people understand, said Peter Cooper, a support and education specialist at Sophos, a security company based in England.

"It is a long process, but if we admit defeat now we're just going to go to hell in a handbasket," Cooper said. "Education in every area works."

I agree with Cooper. I understand trying to educate some users is like talking to the wall, but that does not mean we shouldn't try. I do know, from working with home users on my SpywareWarrior forum, where volunteers help users get free of malware, that some will probably never change their online behaviors, even when confronted with proof that their online carelessness is what got them infected. We had one user whose ID had been stolen by a keylogger and password-stealing trojan, and his bank account had been wiped out. When told that he needed to update his Windows to Service Pack 2 and avoid file sharing, he insisted that he wouldn't change. Eventually we scared him into updating to SP 2, installing a bi-directional firewall, and scanning any downloaded files for malware before opening them. Getting him to update to SP 2 took about 2 months and literally scores of posts, but finally he did it.

There are some interesting points of view in the talkbacks to Evers' article, but the first commenter got it right.

EVERYONE, and I do mean EVERYONE, should be worrying about security. While at large corporations security is the primary concern of IT, all users should be educated about it and be concerned about it.

At my forum, when we have repeat users, coming back for help a second or third time, I feel that we failed to properly educate them. It becomes frustrating at times, but we must keep working at educating users. To not do so is pure foolishness and inexcusable in my opinion.


October 10th, 2006

Malware being spammed as PDF from retail stores

Posted by Suzi Turner @ 8:41 pm

Categories: Spyware/adware warnings

Reports surfaced today of spam purporting to be from Dell, Walmart, Circuit City or Sony, confirming an order for a Sony Vaio computer and carrying a PDF attachment. The attachment is, in fact, a very nasty piece of malware named Haxdoor. Text of the email:

Subject: Order ID : 37679041

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop. This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40

Order ID : 37679041

Payment by Credit card

Product : Quantity : Price

WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99

Shipping : 32.88

TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).  PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.  If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!

Donna's Security Flash blogged this and it was posted at the CastleCops security forum. I wouldn't be surprised if a lot of people fall for this. As the poster at Castle Cops said:

So you're sitting there scratching your head thinking "What order?" Boy oh boy… I sure as heck didn't order no stinkin $2,449.99 Sony VAIO from Circuit City!

Really makes ya wanna open that zip file to see if you've been had, right?

The supposed PDF attachment is really an executable named 37679041.exe, which is detected by AV vendors under various names. Kaspersky named it Backdoor.Win32.Haxdoor.lf. Symantec detects it as Backdoor.Haxdoor.R, and others are calling it a variant of Goldun. Whatever you call it, it's quite an evil piece of malware. Haxdoor typically uses rootkit technology to mask itself. Haxdoor is known to steal passwords, give a remote attacker access to the machine, may display advertising, and often makes changes to the registry that lower system security. Some variants also disable software firewalls and anti-virus apps. McAfee has a report here.
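The lure relies on a name that reads as a PDF while the content is a Windows executable (the "self-extracting archive" is itself an .exe). As an added example, not code from the post, Donna's Security Flash or CastleCops, the Python below performs the mail-gateway check that catches this mismatch: it compares the declared attachment name against its extension and against the file's magic bytes, so a PE file behind a PDF-looking name, a `.pdf.exe` double extension, and a `.pdf` that lacks the `%PDF-` header are all flagged. The sample attachments are constructed byte strings.

```python
"""Flag attachments that claim to be PDFs but carry a Windows executable.

Added example, not from the post, Donna's Security Flash or CastleCops.
Sample attachments are constructed; the check looks at the declared name,
its final extension, and the magic bytes of the content.
"""
import struct
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


@dataclass
class Attachment:
    declared_name: str   # the MIME filename / what the email body calls it
    data: bytes


def is_pe(data):
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def extension(name):
    dot = name.lower().rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify(att):
    """Return the reasons the attachment is suspicious (empty list = clean)."""
    reasons = []
    ext = extension(att.declared_name)
    lowered = att.declared_name.lower()
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"declared name has executable extension {ext}")
    if ".pdf" in lowered and ext != ".pdf":
        reasons.append("name mentions .pdf but does not end in .pdf (double extension)")
    if is_pe(att.data):
        reasons.append("content is a Windows PE executable")
        if ".pdf" in lowered:
            reasons.append("PE content behind a PDF-looking name")
    elif ext == ".pdf" and not att.data.startswith(PDF_MAGIC):
        reasons.append("declared .pdf but content lacks %PDF- header")
    return reasons


def build_minimal_pe():
    """Constructed bytes with a valid MZ stub and PE signature; not runnable code."""
    data = bytearray(0x80)
    data[:2] = MZ_MAGIC
    struct.pack_into("<I", data, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    data[0x40:0x44] = b"PE\0\0"
    return bytes(data)


# Constructed samples: a real-looking PDF, then the shapes the spam run used.
SAMPLES = [
    Attachment("37679041.pdf", b"%PDF-1.4\n% constructed minimal body\n"),
    Attachment("37679041.exe", build_minimal_pe()),
    Attachment("37679041.pdf.exe", build_minimal_pe()),
    Attachment("37679041.pdf", build_minimal_pe()),
]


if __name__ == "__main__":
    for att in SAMPLES:
        print(att.declared_name, "->", classify(att) or "clean")
```

The content check matters more than the name check: a gateway that only blocks `.exe` is defeated by a renamed file, whereas a PE signature behind any non-executable extension is never legitimate mail. The reverse case (a `.pdf` without the `%PDF-` header) is also reported, since it is either a corrupt file or something pretending to be a document.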

October 9th, 2006

MVP awards, Messenger Plus! and adware -- a good combination?

Posted by Suzi Turner @ 9:19 pm

Categories: Spyware/adware news

A controversy has been raging in certain circles the last few days over an MVP award, which has now been rescinded, to an adware pusher known as Patchou, Cyril Paciullo, the author of Messenger Plus!, now known as Messenger Plus! Live. Ed Bott blogged about it here. Patchou's devotees have been staunchly defending him and his app and are blaming a few MVPs for causing Microsoft to rescind the award. There's a lot of nonsense going around and I'd like to clear some of that up.

Why did the security MVPs, including myself, object to Patchou's award? Simple answer — his app bundles adware, and a rather nasty adware at that, best known as Lop even though Patchou and Messenger Plus! refer to it as the "sponsor". So what's wrong with that? The devotees say the adware is optional, which is true, but there's some guilt thrown at a user who opts out of the "sponsor". The dialog says "I refuse to give my support, don't install the sponsor". "Gee — I must be bad if I don't install the sponsor." See SunbeltBLOG for screenshots. Also, Messenger Plus! is widely known to be primarily targeted at kids under 18, who cannot enter into a legal contract and likely would not understand the EULA, if they bothered to read it.

So what is this "sponsor" software? I downloaded and installed Messenger Plus! Live, including the "sponsor", to see for myself. Lop is primarily advertising software that spawns pop-ups on the desktop. Lop used to include a toolbar and change the user's homepage, but that behavior has been eliminated. The "sponsor" installer adds a fake BHO (browser helper object) in the registry and creates a hidden job that starts IE in the background and launches another executable. I observed Lop keeping two instances of Internet Explorer running constantly, even when I didn't have a browser open. Each time I opened IE, one or two pop-ups immediately appeared. These pop-ups are not branded, unlike even WhenU's and Zango's. When I tried to terminate the two instances of IE, one or two other files would kick into action and restart IE, files with names like JugsRoam.exe and heart bend send dash.exe. You can see a list of file names used by Lop here. Lop frequently changes file and folder names in an attempt to evade detection by anti-malware programs. The EULA even contains a clause prohibiting its removal by other applications. The Lop processes continuously contact two domains, ayb.dns-look-up.com and ads.dns-look-up.com, which reside on an IP address owned by C2 Media, the makers of Lop.

It's no wonder that many of the anti-malware vendors call the "sponsor software" a trojan, Trojan Swizzor.

SunbeltBLOG has some additional gripes about the "sponsor".

Ok, to those who support Patchou?  Fundamental problem:  LOP stinks.  And imagine someone installing MessengerPlus and getting that little cute icon to "upgrade your antivirus program" and getting an outright fraudulent scam.  Imagine that person being a relative of yours who doesn't quite know much about computers, and getting scammed.  Or getting popups they don't know the source of (because LOP does not disclose that the popup was generated by LOP, unlike even WhenU or Zango).

Note the link to the desktop icons placed by the "sponsor". One additional thing — I mentioned earlier that a large percentage of Messenger Plus! users are under 18. The "sponsor" displays pop-ups that are entirely inappropriate to tweens and young teenagers, ads for AdultFriendFinder and the like.

One of the best sources of technical information and history for Messenger Plus! and the sponsor software, short of installing it yourself, is another Microsoft MVP, Sandi Hardmeier, who has chronicled Messenger Plus! and its changes for several years now.

Personally, I think Microsoft made a mistake in awarding Patchou and did the right thing by rescinding the MVP award. If Messenger Plus! wasn't bundled with adware, I would feel differently. I understand that Patchou has to earn a living and I hear that he is technically astute and an excellent programmer, but in my opinion, an adware distributor should not be given the MVP award, especially when the adware in question has such disturbing, trojan-like behaviors.
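Two of this month's posts describe the same class of foothold from the registry side: W32.Rajump drops RavMone.exe into the Windows directory and adds a Run key so it survives reboot, and the Lop "sponsor" registers a fake browser helper object alongside its relaunching executables. As an added example serving both (not Symantec's, Sunbelt's or Microsoft's code), the Python below parses a `.reg` export and audits Run/RunOnce entries by where their executable lives, then resolves each BHO CLSID to its COM server and flags registrations with nothing loadable behind them or a DLL in a user-writable location. The registry dump is constructed: the value names, CLSIDs and the DLL path are made up, the RavMone.exe and "heart bend send dash.exe" file names come from the posts, and the allowlist stands in for a site's own baseline.

```python
"""Audit Run keys and Browser Helper Object registrations in a .reg export.

Added example covering two persistence mechanisms the posts describe: the
Run-key entry W32.Rajump creates for RavMone.exe in the Windows directory,
and the fake BHO the Lop "sponsor" registers. It is not Symantec's,
Sunbelt's or Microsoft's code. The registry dump is constructed (value
names, CLSIDs and the DLL path are made up; RavMone.exe and
"heart bend send dash.exe" are file names from the posts) and the Run-key
allowlist is an assumption standing in for a real baseline.
"""
import re

CONSTRUCTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"RavMone"="C:\\WINDOWS\\RavMone.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"heart bend"="\"C:\\Documents and Settings\\user\\Application Data\\heart bend send dash.exe\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Documents and Settings\\user\\Application Data\\constructed-sponsor.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66666666-7777-8888-9999-000000000000}]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<data>.*)$')
WINDIR = r"c:\windows"
RUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
BHO_MARK = "\\browser helper objects\\"
ALLOWLIST = {r"c:\windows\system32\ctfmon.exe"}   # assumption: site baseline


def parse_reg(text):
    """Return {key_path: {value_name: string_data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := VAL_RE.match(line)):
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):   # REG_SZ: unescape \\ and \"
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group("name") or "@"] = data
    return keys


def command_image(cmd):
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)   # unquoted path, may contain spaces
    return m.group(1) if m else cmd.split()[0]


def audit_run_keys(keys):
    """Flag Run/RunOnce entries by where their executable lives."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith(RUN_SUFFIXES):
            continue
        for name, cmd in values.items():
            image = command_image(cmd).lower()
            if image in ALLOWLIST:
                continue
            if image.rsplit("\\", 1)[0] == WINDIR:
                why = "executable placed directly in the Windows directory"
            elif "\\application data\\" in image or "\\temp\\" in image:
                why = "executable in a user-writable profile directory"
            else:
                why = "not on the Run-key baseline"
            findings.append((path, name, image, why))
    return findings


def list_bhos(keys):
    """Resolve each BHO CLSID to its COM server and flag odd registrations."""
    results = []
    for path in keys:
        idx = path.lower().find(BHO_MARK)
        if idx == -1:
            continue
        clsid = path[idx + len(BHO_MARK):]
        server = keys.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\InprocServer32", {}).get("@")
        if server is None:
            status = "BHO registered with no InprocServer32 (nothing loadable behind the CLSID)"
        elif not server.lower().startswith(("c:\\program files\\", WINDIR + "\\system32\\")):
            status = "BHO server DLL outside Program Files/System32"
        else:
            status = "BHO in an expected location; verify the publisher"
        results.append((clsid, server, status))
    return results


if __name__ == "__main__":
    registry = parse_reg(CONSTRUCTED_REG)
    for finding in audit_run_keys(registry) + list_bhos(registry):
        print(finding)
```

The location rules encode what both posts observed rather than any signature: a loose executable directly under `C:\WINDOWS` (as opposed to `system32`) or under a profile directory is unusual for legitimate autostart software, and a BHO CLSID whose `InprocServer32` is missing or points into `Application Data` is exactly the "fake BHO" pattern. Since Lop rotates file names to dodge signature-based scanners, auditing by location and registration shape holds up better than matching the names the posts happen to list.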
