October 2nd, 2008
FOWA 2009: Interview with Mozilla UX chief; what's next for the web?
Shortly after having a door slam in my face and it nearly breaking my nose, I sat down with Aza Raskin, the head of user experiences at Mozilla Labs to not just discuss where Mozilla is heading in the near future but what he sees in the next-generation World Wide Web.
This interview was done over a cup of coffee in a bustling room. Everything said here is from Raskin himself, with notes taken by myself and paraphrased on occasion to make it readable.
The views from the UX guy
As the head of user experiences at Mozilla Labs, he looks at future-proofing Mozilla as an organisation, and as a result focuses mainly on the web. He assists and helps out on other non-Firefox projects but spends most of his time on the browser. Even though he and his team are separate from the Firefox development team, he has a good deal of influence; that said, some of what he suggests goes in and some does not.
Firefox 3.6 will be the next release of Mozilla’s open-source browser and will be designed specifically with Windows users in mind. The new user interface will incorporate many of the technologies that Vista and Windows 7 have, such as the Aero theme; more so with Windows 7, though, as multi-touch features will be included in the browser's functionality.

The future of the web is difficult to guess or estimate in any capacity. Nevertheless, everyone desires an open web. Microsoft, Apple, and Google with their respective browsers are all aiming for the majority of the market share. Raskin assures me that this is not Mozilla’s aim. As a not-for-profit organisation, they benefit from having a wide range of users, but for the most part the userbase is the size it is through personal, hands-on experience and “Word of Mouth 2.0”. The aim is not to get 100% of the market share, but enough to get the shift and the space to create.
Something Raskin mentioned in the context of the “open web” were things such as Flash and Silverlight: technologies which are plug-ins but don’t allow you to view the source. In his opinion it is important that everything you see, view and use should provide the code alongside it. Content whose source cannot be viewed, so that you don’t know what is going on, is not an “open web”. There will of course be exceptions to this, but I’m sure you understand what he means.
I asked why Firefox 3.5 had slowed down, become more sluggish and more lethargic in quality and usage from personal experience. On a slight digression…
As a journalist and the son of a psychologist I have a combined set of skills, albeit not qualified, to allow me to effectively and accurately pinpoint the personality traits and pitfalls of one’s character. In this case, I see Raskin as an honest man who cares for his work, who knows he is held accountable by the end-user but also a man who takes responsibility. Alongside that, I got the impression of subtle frustration with himself, perhaps, as a highly intelligent man unlike anything I have seen before, in that his perception of the world is different to that of the average person; seeing the world in numbers and what cannot be seen by most.
So throw the psychological element in this and I believed him whole-heartedly when he said it was predominantly Adobe Flash which slowed things down. More often than not, websites hold Flash advertising, which is why, when you open a selection of ten random tabs, the collective memory going towards running these advertisements causes Firefox’s memory footprint to rocket. I believed him; it made perfect sense.
He told me that Firefox 3.5 was introduced to make things better. With different technologies incorporating a more user-centric set of experiences, such as Geolocation, Private Browsing and SeaMonkey, these were base-level features to make the end-user more client (rather than cloud) based and provide an overall enhanced experience; not only on their own volition but to keep up with other competing browsers.
Google and Microsoft have huge research departments with thousands of people working towards making their browsers accessible, and they also house the potential for a wealth of features in future releases. Mozilla has “tens” of people, but as Firefox is open source, everyone from academics, students and universities to developers and ordinary consumers makes the research process so much more democratic. This is what drove him to work on Mozilla Ubiquity.
Along with this and their “personas”, the customisable themes which you can see in the first image above, the browser should be yours and not be the company developing the browser to determine what it should look like. People love personalisation through their sites, bookmarks and add-ons, which is another reason as to why Firefox has done so well.
November 19th, 2006
Zango's continued bad practices in light of FTC's proposed settlement terms
Just over two weeks ago, the FTC announced a proposed settlement with Zango for the complaint filed earlier this year. Under the terms of the settlement, Zango is required to give up $3 million in ill-gotten gains and to stop a number of bad practices that have been documented as far back as 2002. As usual Zango claims innocence, and on November 3 stated on their blog:
Zango has met or exceeded the key notice and consent standards detailed in the FTC consent order since at least January 1, 2006.
Since November 3, Chris Boyd (aka Paperghost) of Vitalsecurity has posted several articles showing more bad Zango practices, including Zango and the Licat worm, a nasty trojan serving Zango videos, a(nother) Zango profile on MySpace, and a trojan named LowZones putting a bunch of Zango domains into Internet Explorer’s Trusted Zone on users’ computers. Security company Websense posted an alert on November 6 about fraudulent supposed You Tube videos with embedded Zango Toolbar installers on MySpace profiles. Just a week ago, Vitalsecurity posted about ProfileWatcher, another method of spreading Zango on MySpace.
November 6th, 2006
Zango, the FTC, MySpace and You Tube
This past Friday, the FTC announced a $3 million settlement with Zango, formerly named 180solutions, in a lawsuit charging Zango with unfair and deceptive business practices, among other things. See the ZDNet story here with more details. FTC announcement here. Case documents can be downloaded here.
As usual Zango refuses to take responsibility for anything, again blaming it on their naughty affiliates. From the ZDNet article:
Zango's executives pointed a finger elsewhere, claiming that the federal violations were due to third-party distributors rather than the software manufacturer itself. "We relied too heavily on our affiliates to enforce our customer notice and consent policies," said CEO Keith Smith. "Unfortunately, this allowed deceptive third parties to exploit our system to the detriment of consumers, our advertisers, and our publishing partners." Smith went on to say that Zango would "embrace the new standards" required by the FTC.
Er, cough.. cough. SOS, different day. How long have the anti-spyware bloggers been writing about this now? Ben Edelman wrote about 180solutions installation methods in July 2004. Eric Howes summed up 180solutions' activities in 2005 with links to over 60 news stories and blogs.
I spoke with Ben Edelman about the FTC's settlement with Zango. Ben states he has proof that Zango is currently not in compliance with the FTC agreement.
180 continues plenty of bad practices, including some unlabeled ads, materially misleading installations that fail to disclose key aspects of 180's effects, and installation attempts predicated on security exploits. I have the proof, and I expect to post this on my web site in the coming weeks, subject only to my busy travel schedule.
I commend the FTC's efforts here, but serious diligence will be required to assure that 180 actually complies with its many obligations under the settlement. At this instant, I am confident that 180 is not in compliance.
Are we surprised? Paperghost of Vitalsecurity blogged on Saturday, after the FTC announcement, that Zango download prompts are appearing along side the Licat IM worm. Another rogue affiliate, I suppose.
Today Websense released an alert titled Fraudulent You Tube video on MySpace installing Zango Cash.
Websense® Security Labs™ has discovered a number of user pages on the MySpace domain which have videos that look like they are from You Tube. The videos have an installer embedded within them for the Zango Cash Toolbar. When users click on the video, they are directed to a copy of the video, which is hosted on a site called "Yootube.info."
There are screenshots and a video. It must be the naughty affiliates again. What next guys?
October 26th, 2006
Halloween sites tricking users with malware
Update October 27: This morning I contacted the owner of listed sites. The sites were indeed hacked, and the owner has since removed the malicious code from the web pages.
This is a nasty trick! There are a few Halloween sites being used to distribute malware, right at the time when unsuspecting web users might be searching for Halloween sites for fun. Patrick Jordan, aka, Webhelper has posted the details here with a screenshot of the code with iframe links to a well known malware distribution site.
The sites to avoid are:
Halloweensites.net, nwnlostsouls.com, vampirekits.com, and, on the same IP address but not a Halloween site, sudokugameboard.com. Others on a different IP address, californiaparanormalsociety.com and heatherclark.info, are also poisoned with the iframe links. The links go to the domain and IP whois information at domaintools.com.
It’s not clear to me if these websites might be hacked, or if they are intended to push malware, but I suspect they are hacked sites, especially since one of them, vampirekits.com, has content for the hosting company, Webair.com. Before posting this, I contacted the support phone number for the hosting company, Webair.com, and spoke to a support person who would not give me his name. This person said he was unable to do anything and I should email their abuse reporting address or call back in the morning. Not cool! Earlier this week I contacted another ISP about a hacked site, and the tech support people had the site down in less than 30 minutes, and that was about 3:00 AM their local time.
Patrick Jordan also posted information about the group behind the malware distribution site, and listed other sites in the same group. All should be avoided.
October 20th, 2006
Scary malware tricks part 1
In keeping with this Halloween season, I’m starting a series on scary malware tricks, similar to last year’s series on spyware tricks. Perhaps my personal focus has changed, but it seems to me spyware tricks are becoming far more devious and destructive. Last year I was testing mostly adware, whereas this year I’m testing more trojans, backdoors, rootkits, etc. Also scary — botnets are reportedly growing in frightening numbers.
CNET’s Joris Evers reported on the recent Virus Bulletin Conference, saying the future of malware is trojan horses. Instant messaging worms are on the rise. Rootkit-based malware is spookiest, and some IM worms are infecting users with rootkits.
Just this week we learned that Apple shipped some iPods with a trojan, (not to mention that Apple tried to push the blame on Microsoft.) In their announcement, Apple used the word virus, but it’s more like a worm with a backdoor trojan component.
The name of the malware process on the infected iPods is RavMone.exe. Symantec has a good description here, calling it W32.Rajump. When I first read the description, the name was Backdoor.Rajump, but either way, its malicious payload is the same. On initial infection, the malware creates RavMone.exe in the Windows directory and puts itself in a Run key in the registry to make sure it starts with every Windows boot-up. Symantec says it opens a TCP port and immediately tries to phone home to the following URLs:
What happens next is anyone’s guess, but with a backdoor, it can be ugly. Both domains shown appear to be Chinese, as seen here and here. There has been some speculation that perhaps the infected iPods were shipped from a “contract manufacturer”, using Apple’s words, in China, but I’ve not seen any confirmation of that. If anyone has a sample of RavMone.exe, I’d be interested in getting it to test. My ZDNet bio has a contact form here.
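The Run-key persistence described above (a binary dropped straight into the Windows directory and registered to start at every boot) is something a defender can check for from a plain registry export. The following is an added example, not code from the original post or from Symantec: it parses the text format that `reg export` writes for the HKLM Run key and flags any entry whose executable sits directly in the Windows directory root rather than a subfolder. The registry dump below is constructed for illustration; the value name "RavMone" and the other two entries are assumptions, not values taken from a real infection.

```python
"""Flag Run-key autostart entries whose binary lives directly in %WINDIR%.

Added example (not from the original post). The .reg text below is a
constructed sample in the format produced by `reg export`; the value names
are assumed for illustration.
"""
import ntpath
import re

# Constructed sample of a .reg export of the Run key (not a real dump).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioTray"="C:\\WINDOWS\\system32\\audiotray.exe"
"RavMone"="C:\\WINDOWS\\RavMone.exe"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"""

# A value line in a .reg file looks like "Name"="data".
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape_reg(value: str) -> str:
    # .reg files escape a backslash as two backslashes and a quote as backslash-quote.
    return value.replace("\\\\", "\\").replace('\\"', '"')


def parse_run_values(reg_text: str, key_suffix: str = r"\CurrentVersion\Run") -> dict:
    """Return {value_name: command_line} for values under the matching [key] section."""
    entries = {}
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: track whether we are inside the Run key.
            in_run = line[1:-1].lower().endswith(key_suffix.lower())
            continue
        m = VALUE_LINE.match(line)
        if in_run and m:
            entries[m.group(1)] = unescape_reg(m.group(2))
    return entries


def executable_of(command: str) -> str:
    """Extract the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_windir_root(entries: dict, windir: str = r"C:\WINDOWS") -> list:
    """Names of entries whose executable sits directly in windir, not a subfolder.

    Legitimate software almost never autostarts from the Windows root itself,
    so this is a cheap triage heuristic, not proof of infection.
    """
    flagged = []
    for name, command in entries.items():
        exe = executable_of(command)
        if ntpath.dirname(exe).lower() == windir.lower():
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    found = parse_run_values(SAMPLE_REG)
    for name in flag_windir_root(found):
        print(f"suspicious autostart: {name} -> {found[name]}")
```

On a real machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, and the same parser can be pointed at the HKCU Run key by passing the exported text; the heuristic only triages, so every hit still needs the file itself examined.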
Another example of very scary technology is the Gromozon rootkit, aka Trojan.LinkOptimizer. I’ll write about Gromozon in the next article in the series.
October 16th, 2006
Edelman on 'Deceptive Door Openers' and Ask toolbars
In a new article posted this morning, Ben Edelman continues his investigation of high-profile companies clogging users' computers with junk. Today's target: InterActiveCorp's Ask.com, known for its widespread "smiley" toolbars.
Last year I blogged about Ask's various toolbars and the trinkets Ask uses to get users to install them. But Ben thinks there's a bigger problem here. So I sat him down for an interview.
Q: Ben, what's the big deal with Ask's toolbars?
A: The core problem is that users are being tricked into installing them, under false pretenses. Users are offered one thing, like "free smileys" or "top 10 cursors." Then users end up getting Ask's toolbar too.
Q: Is that really so bad? You're not claiming these are security exploit installs, like what you documented last year. Users actually consent to these installations, right? What's the problem?
A: The problem is that users' "consent" is obtained under false pretenses. Ask gets users' attention with the promise of free tidbits that some users do indeed want. Once it has their attention, it switches them over to something else — namely, free tidbits plus a bundled toolbar.
Q: Sounds like the old bait-and-switch routine. Is that illegal?
A: Ask most folks, and they'll tell you no. It's all in the EULA, they'll say, so they think it's just fine. I want to push back on that a bit.
I've recently been rereading old FTC cases about unfair and deceptive trade practices. One that particularly caught my eye is Federal Trade Commission v. Encyclopaedia Britannica, Inc., 87 F.T.C. 421 (1976). Here's what happened. Britannica door-to-door salesmen had various ruses "to get in the door" into users' homes — "door-opener" lines, they're called, because they get users to open the door and let the salesman in. Apparently the salesmen often made promises about free vacations and the like. It's thanks to these promises that consumers let them in.
Now, ultimately the salesmen revealed that actually they were there to sell encyclopedias, albeit with some chance of a free trip thrown in too. So the truth of the salesman's offer was made known prior to purchase. But the Britannica case holds that that's just not good enough. It's not enough for a salesman to talk his way in the front door with a deceptive opening line, planning to tell the truth later. An honest sales pitch can't begin with a false or misleading offer. Once a salesman uses such an offer to get a user's attention, there's no cleaning that up, however well the truth is disclosed later.
Q: That's most interesting. How does this apply to Internet advertising?
A: I think the analogy is actually remarkably direct. Ask's ads make promises like "free smileys." But Ask no more offers "free smileys" (with nothing more) than the Britannica salesman offers a "free vacation." To get (a chance at) a Britannica free trip, a customer apparently had to buy an encyclopedia set. Similarly, to get an Ask free smiley, a user must install Ask's toolbar. In both cases, the opening offer is materially misleading — promising something that's just not available on the specified terms (a free vacation with nothing more, or free smileys with nothing more).
In both cases the truth is made known later: Ask ultimately does explain that users must accept its toolbar too. But as the Britannica case holds, that's not enough. The initial offer was so different from the resulting deal that the confusion can't be cured by a subsequent disclosure.
Q: Is there anything else wrong with Ask's approach?
A: Sure. I show Ask advertising its toolbars through other vendors' spyware, even after Ask specifically promised it had "cleaned up" its advertising practices. I show Ask's EULA link appearing off-screen, even after Ask specifically promised it fixed that too.
Q: What about the Ask toolbar itself? Is it worth installing?
A: No. I discourage users from running Ask's toolbars for two reasons. First, Ask moves the browser's Address Bar from top-left (where it is found in every browser I've ever seen) to top-right. Ask puts its own search box in the top-left. So Ask's software makes it highly likely that users will accidentally conduct searches when they intend simply to navigate to sites they request by name.
Second, Ask's toolbar leads to landing pages that are objectionable in their own right. Ask's landing pages show ten ads — ten! — above the first organic result. On an 800×600 screen, that means 2 full pages of ads, plus a little bit more after that, all before the first organic result. That's ridiculous. No user deserves that, especially since organic results are safer than sponsored links.
Q: Ben, do you have any big-picture thoughts?
A: Definitely. These "deceptive door openers" are remarkably widespread. Many online advertisers use these schemes to pull in unwary customers. "See what happens next in this video," invite several widespread banner ads, only to require users to give an email address or install software to actually see the rest of the video. That's materially different from what the ad specifies, and it's a rotten deal for consumers.
It's reassuring that our legal system already confronted this kind of tactic. These deceptive door opener cases were litigated before I was born, but they stand for a valuable consumer protection principle that withstands the test of time. Companies ought not begin their interaction with a prospective customer by making false statements, misleading statements, or statements with material omissions. That's a lesson Ask (among many others) ought to take to heart.
Ben, thanks for the interview.
The full article can be read here. There's also a video, made yesterday, showing a non-consensual installation of the Ask toolbar.
October 13th, 2006
Is Zango stealing affiliate commissions from adult webmasters?
It seems that Zango, formerly known as 180solutions, the company we all love to hate, has royally ticked off a bunch of adult webmasters. Paperghost, aka Chris Boyd, has the story, complete with links to forums where the adult webmasters discuss Zango allegedly stealing affiliate commissions. True? I don’t know, but considering some of Zango/180solutions’ past questionable business practices, nothing would surprise me. Interestingly enough, Zango’s blog has a very recent post about cookies, claiming that “Zango does not read, alter, modify or delete Web site or cookie content.” and stating “Zango… do[es] not alter, manipulate, or delete third-party affiliate referral tracking information.”
In Boyd’s comments, Dave Methvin of PCPitstop explains what happens when affiliate cookies are overwritten and links to an article by Ben Edelman on “cookie stuffing”. Dave writes:
[...] here’s how it works. Someone goes to Zango and buys a keyword and/or URL to generate an ad. When an infested user goes to a site or page with the keywords, Zango generates a popup window with the “ad” in it. However, the ad is actually a redirect to a URL with a parameter indicating this is a referral from an affiliate–the affiliate that bought the ad from Zango! It overwrites any other affiliate tracking code that the site was using.
It hasn’t been that long ago that the CDT filed their complaint to the Federal Trade Commission about 180solutions and their practices. One would think Zango would be minding their Ps and Qs, but maybe not.
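The overwrite that Dave Methvin describes only works because the merchant's tracker credits whoever last supplied a referral parameter. The following is an added example, not code from the original post, from Zango or from any affiliate network: a merchant-side tracker run over a constructed click log, once with the naive last-click policy that an injected popup redirect exploits, and once with a guarded policy that keeps the first attribution for its window and records the overwrite attempt for review. The affiliate identifiers, timestamps, referrer URLs and the 30-day window are all assumptions.

```python
"""Affiliate attribution with and without protection against referral overwriting.

Added example (not from the original post). Everything in CLICK_LOG is
constructed; "adware-aff-42" stands in for an affiliate id delivered through
an injected popup redirect.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ATTRIBUTION_WINDOW = 30 * 24 * 3600  # seconds; an assumed 30-day affiliate window


@dataclass
class Visit:
    t: int                  # seconds since epoch (constructed)
    aff: Optional[str]      # referral parameter, None when the hit carried none
    referrer: str           # HTTP Referer as seen by the merchant ("" if absent)


@dataclass
class Tracker:
    guarded: bool
    cookie: dict = field(default_factory=dict)   # simulated affiliate cookie
    audit: List[dict] = field(default_factory=list)  # overwrite attempts for review

    def visit(self, v: Visit) -> None:
        if v.aff is None:
            return  # untagged hits never touch attribution
        if not self.guarded:
            # Last-click policy: every tagged hit replaces the cookie, so a
            # redirect fired after the genuine referral takes the commission.
            self.cookie = {"aff": v.aff, "t": v.t}
            return
        existing = self.cookie
        if existing and v.t - existing["t"] < ATTRIBUTION_WINDOW and existing["aff"] != v.aff:
            # Guarded policy: keep the first attribution inside the window and
            # log who tried to replace it, with the (often empty) referrer.
            self.audit.append({"t": v.t, "attempted": v.aff,
                               "kept": existing["aff"], "referrer": v.referrer})
            return
        self.cookie = {"aff": v.aff, "t": v.t}

    def credited(self) -> Optional[str]:
        """Affiliate that would receive the commission at checkout."""
        return self.cookie.get("aff")


# Constructed click log for one visitor session.
CLICK_LOG = [
    Visit(1_000_000, "review-site-17", "http://reviews.example/best-widgets"),  # genuine referral
    Visit(1_000_600, None, "http://shop.example/cart"),                         # browsing
    Visit(1_001_200, "adware-aff-42", ""),                                      # injected popup redirect
    Visit(1_001_800, None, "http://shop.example/checkout"),
]


def run(guarded: bool, log: List[Visit] = CLICK_LOG) -> Tracker:
    """Replay the click log through a tracker and return it for inspection."""
    tracker = Tracker(guarded=guarded)
    for v in log:
        tracker.visit(v)
    return tracker


if __name__ == "__main__":
    print("last-click credits:", run(False).credited())
    guarded = run(True)
    print("guarded credits:", guarded.credited(), "| overwrite attempts:", guarded.audit)
```

The audit entries are the useful part for a merchant: a tagged hit with no referrer arriving minutes after a genuine referral is exactly the signature of an injected redirect, and the log gives the network something concrete to investigate instead of a disputed commission.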
October 12th, 2006
So what about user education on security?
CNET's Joris Evers writes about one security expert who says educating users on computer security in the enterprise setting is "pointless". Doctoral candidate Stefan Gorling, speaking at the Virus Bulletin Conference, said:
"I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."
Some of the attendees agreed while others vehemently disagreed.
The trick is to know what you're talking about and to bring the information in a format people understand, said Peter Cooper, a support and education specialist at Sophos, a security company based in England.
"It is a long process, but if we admit defeat now we're just going to go to hell in a handbasket," Cooper said. "Education in every area works."
I agree with Cooper. I understand trying to educate some users is like talking to the wall, but that does not mean we shouldn't try. I do know, from working with home users on my SpywareWarrior forum, where volunteers help users get free of malware, that some will probably never change their online behaviors, even when confronted with proof that their online carelessness is what got them infected. We had one user whose ID had been stolen by a keylogger and password-stealing trojan, and his bank account had been wiped out. When told that he needed to update his Windows to Service Pack 2 and avoid file sharing, he insisted that he wouldn't change. Eventually we scared him into updating to SP 2, installing a bi-directional firewall, and scanning any downloaded files for malware before opening them. Getting him to update to SP 2 took about 2 months and literally scores of posts, but finally he did it.
There are some interesting points of view in the talkbacks to Evers' article, but the first commenter got it right.
EVERYONE, and I do mean EVERYONE, should be worrying about security. While at large corporations security is the primary concern of IT all users should be educated about it and be concerned about it.
At my forum, when we have repeat users, coming back for help a second or third time, I feel that we failed to properly educate them. It becomes frustrating at times, but we must keep working at educating users. To not do so is pure foolishness and inexcusable in my opinion.
October 10th, 2006
Malware being spammed as PDF from retail stores
Reports surfaced today of spam purporting to be from Dell, Walmart, Circuit City or Sony confirming an order for a Sony Vaio computer with a PDF attachment, but the attachment is, in fact, a very nasty piece of malware named Haxdoor. Text of email:
Subject: Order ID : 37679041
Dear Customer,
Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop. This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.
Date : 08 Oct 2006 - 12:40
Order ID : 37679041
Payment by Credit card
Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99
Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87
Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ). PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader. If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.
We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.
You will receive another email with tracking information soon.
We hope you enjoy your order! Thank you for shopping with us!
Donna's Security Flash blogged this and it was posted at CastleCops security forum. I wouldn't be surprised if a lot of people fall for this. As the poster at Castle Cops said:
So you're sitting there scratching your head thinking "What order?" Boy oh boy… I sure as heck didn't order no stinkin $2,449.99 Sony VAIO from Circuit City!
Really makes ya wanna open that zip file to see if you've been had, right?
The supposed PDF attachment is really an executable named 37679041.exe, which is detected by AV vendors by various names. Kaspersky named it Backdoor.Win32.Haxdoor.lf. Symantec detects it as Backdoor.Haxdoor.R and others are calling it a variant of Goldun. Whatever you call it, it's quite an evil piece of malware. Haxdoor typically uses rootkit technology to mask itself. Haxdoor is known to steal passwords, give a remote attacker access to the machine, may display advertising and often makes changes to the registry that lower system security. Some variants also disable software firewalls and anti-virus apps. McAfee has a report here.
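The lure above relies on an executable travelling under a document's name: a "self-extracting archive with 37679041.pdf" that is really 37679041.exe. A mail gateway does not need to recognise Haxdoor to stop this; it only has to refuse to believe the filename. The following is an added example, not code from the original post or from any AV vendor: it compares an attachment's claimed extension with its magic bytes, flags executables whatever they are called, and looks inside zip attachments for the same tricks. The sample bytes and the helper names (`sniff`, `assess_attachment`, `build_samples`) are constructed for illustration; the MZ stub is a header only, not any real malware.

```python
"""Decide whether an e-mail attachment is what its filename claims.

Added example (not from the original post). All sample attachments are
constructed in build_samples(); nothing here is real Haxdoor content.
"""
import io
import os
import zipfile

# Leading bytes that identify the container formats we care about.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",           # DOS/PE header, also used by self-extracting archives
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
}

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes, depth: int = 0) -> dict:
    """Return {'verdict': 'block'|'allow', 'kind': ..., 'reasons': [...]} for one attachment."""
    name = filename.lower()
    root, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1]     # ".pdf" in "37679041.pdf.exe"
    kind = sniff(data)
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS or kind == "exe":
        reasons.append("executable content")
    if inner_ext and ext in EXECUTABLE_EXTENSIONS and inner_ext not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{ext}")
    if ext == ".pdf" and kind != "pdf":
        reasons.append(f"claims pdf, content looks like {kind}")
    if kind == "zip" and depth < 2:
        # Recurse one or two levels into archives; deeper nesting is itself a red flag.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                sub = assess_attachment(member, zf.read(member), depth + 1)
                reasons.extend(f"{member}: {r}" for r in sub["reasons"])
    elif kind == "zip":
        reasons.append("archive nested too deeply to inspect")
    return {"verdict": "block" if reasons else "allow", "kind": kind, "reasons": reasons}


def build_samples() -> dict:
    """Constructed attachments: a real-looking PDF, a PE header stub under three names."""
    real_pdf = b"%PDF-1.4\n% constructed sample document\n"
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60        # header only, no code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("37679041.pdf.exe", pe_stub)    # the order-confirmation trick, zipped
    return {
        "invoice.pdf": real_pdf,
        "37679041.exe": pe_stub,
        "37679041.pdf": pe_stub,                    # renamed executable
        "order.zip": buf.getvalue(),
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        result = assess_attachment(name, data)
        print(f"{name:14} {result['verdict']:5} {result['kind']:7} {result['reasons']}")
```

The point of checking magic bytes rather than names is that the renamed copy (`37679041.pdf` with an MZ header) is blocked for the same reason as the honest `.exe`, and the zipped double-extension file is caught without ever running the self-extractor.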
October 9th, 2006
MVP awards, Messenger Plus! and adware -- a good combination?
A controversy has been raging in certain circles the last few days over an MVP award, which has now been rescinded, to an adware pusher known as Patchou, Cyril Paciullo, the author of Messenger Plus!, now known as Messenger Plus! Live. Ed Bott blogged about it here. Patchou's devotees have been staunchly defending him and his app and are blaming a few MVPs for causing Microsoft to rescind the award. There's a lot of nonsense going around and I'd like to clear some of that up.
Why did the security MVPs, including myself, object to Patchou's award? Simple answer — his app bundles adware, and a rather nasty adware at that, best known as Lop even though Patchou and Messenger Plus! refer to it as the "sponsor". So what's wrong with that? The devotees say the adware is optional, which is true, but there's some guilt thrown at a user who opts out of the "sponsor". The dialog says "I refuse to give my support, don't install the sponsor". "Gee — I must be bad if I don't install the sponsor." See SunbeltBLOG for screenshots. Also, Messenger Plus! is widely known to be primarily targeted at kids under 18, who cannot enter into a legal contract and likely would not understand the EULA, if they bothered to read it.
So what is this "sponsor" software? I downloaded and installed Messenger Plus! Live, including the "sponsor", to see for myself. Lop is primarily advertising software that spawns pop-ups on the desktop. Lop used to include a toolbar and change the user's homepage, but that behavior has been eliminated. The "sponsor" installer adds a fake BHO (browser helper object) in the registry and creates a hidden job that starts IE in the background and launches another executable. I observed Lop keeping two instances of Internet Explorer running constantly, even when I didn't have a browser open. Each time I opened IE, one or two pop-ups immediately appeared. These pop-ups are not branded, unlike even WhenU's and Zango's. When I tried to terminate the two instances of IE, one or two other files would kick into action and restart IE, files with names like JugsRoam.exe and heart bend send dash.exe. You can see a list of file names used by Lop here. Lop frequently changes file and folder names in an attempt to evade detection by anti-malware programs. The EULA even contains a clause prohibiting its removal by other applications. The Lop processes continuously contact these domains, ayb.dns-look-up.com and ads.dns-look-up.com, which reside on an IP address owned by C2 Media, the makers of Lop.
It's no wonder that many of the anti-malware vendors call the "sponsor software" a trojan, Trojan Swizzor.
SunbeltBLOG has some additional gripes about the "sponsor".
Ok, to those who support Patchou? Fundamental problem: LOP stinks. And imagine someone installing MessengerPlus and getting that little cute icon to "upgrade your antivirus program" and getting an outright fraudulent scam. Imagine that person being a relative of yours who doesn't quite know much about computers, and getting scammed. Or getting popups they don't know the source of (because LOP does not disclose that the popup was generated by LOP, unlike even WhenU or Zango).
Note the link to the desktop icons placed by the "sponsor". One additional thing — I mentioned earlier that a large percentage of Messenger Plus! users are under 18. The "sponsor" displays pop-ups that are entirely inappropriate to tweens and young teenagers, ads for AdultFriendFinder and the like.
One of the best sources of technical information and history for Messenger Plus! and the sponsor software, short of installing it yourself, is from another Microsoft MVP, Sandi Hardmeier, who has chronicled Messenger Plus! and its changes for several years now.
Personally, I think Microsoft made a mistake in awarding Patchou and did the right thing by rescinding the MVP award. If Messenger Plus! wasn't bundled with adware, I would feel differently. I understand that Patchou has to earn a living and I hear that he is technically astute and an excellent programmer, but in my opinion, an adware distributor should not be given the MVP award, especially when the adware in question has such disturbing, trojan-like behaviors.
September 20th, 2006
Spyware pushers cash in big on zero day exploit
I expect that most readers have already read about the latest zero day exploit, Microsoft Vector Graphics Rendering Library Buffer Overflow, discovered by Adam Thomas of the Sunbelt Software research team on Monday. I’m not going into detail on it — there is plenty of information about the exploit already, on ZDNet here, Secunia, US-Cert, SANS, and Microsoft Security Advisory (925568). George Ou has blogged that hardware enforced DEP stops the exploit from launching. A BleedingSnort signature has been created for the VML exploit.
SocketShield from Exploit Prevention Labs is said to block the exploit. SocketShield has a 30-day trial and the free Link Scanner on their website will check any URL for the exploit code. Sleazy porn sites are using this vulnerability to drop massive spyware on unsuspecting users. Roger Thompson of Exploit Prevention Labs called it a "massive malware run" with "drive-by attacks hosing infected machines with browser tool bars and spyware programs with stealth rootkit capabilities."
SunbeltBLOG lists nearly 50 threats being installed through this exploit, including familiar names like Virtumonde, BookedSpace, webHancer, SurfSideKick, Qoologic (also known as Qoolaid), Zenotecnico and TagAsaurus, with some trojan downloaders and a backdoor thrown in the mix. Many of these use affiliate programs where the affiliate gets paid per install, so somewhere affiliates of these adware/spyware companies are making a killing off this zero day exploit, trashing computers with their crapware. I have not tested this exploit yet, but it sounds like the kind of payload that would render the machine nearly useless.
September 18th, 2006
Should anti-spyware programs remove cookies?
Spyware expert Ben Edelman has written a great piece on anti-spyware programs and cookies. He tested eleven different anti-spyware programs against cookies from 50 advertising systems and posted detailed results including which anti-spyware programs detected which cookies and which programs detected the most cookies.
At the extreme ends of the scale, there are a few programs that don't detect cookies at all, including Microsoft's Windows Defender. PC Tools' Spyware Doctor is at the top of the list with the most cookies detected in Edelman's tests.
Why the fuss about cookies anyway? Some people insist that cookies are spyware. Walt Mossberg is one of those people. Advertisers are concerned because they say cookies are essential and necessary for online enterprise and that cookie rejection and deletion is harmful to the advertising industry and affects the bottom line. Some have accused anti-spyware vendors of fear-mongering to increase sales by labeling cookies as spyware. But when one anti-spyware vendor turned cookie detection off by default, many users protested loudly.
My opinion is cookies are not spyware. They are simply small text files with no active code. But I do agree that third party cookies can be a privacy concern. I do not use anti-spyware programs to scan for and delete cookies. If the option is available to turn off cookie detection, I turn it off. But I do control cookies and delete the cookies that I see as having no value for me. I've tried several cookie management apps, and found WinPatrol to be the most convenient for my purposes.
I'd like to know readers' thoughts on cookies. Do you think cookies are spyware? Do you delete cookies, and if so, how do you manage them? Why do you delete them? If not, why not? Do you think anti-spyware programs should detect and remove cookies by default, or should it be optional, or not even part of the program?
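The first-party versus third-party distinction drawn above is the one that matters for privacy, and it is mechanical enough to check yourself. Here is an added example, not from the original post or from any of the products it names, that parses a Netscape-format cookies.txt (the format Firefox and wget use) and sorts each cookie by whether its domain belongs to a site the user actually visited. The cookie lines and the visited-site list are constructed, and the "registrable domain" heuristic (last two labels) is a deliberate simplification that ignores the public suffix list.

```python
"""Classify cookies from a Netscape-format cookies.txt as first- or third-party.

Added example; not part of the original post. The cookies.txt content and the
visited-site list are constructed, and registrable_domain() is a last-two-labels
heuristic rather than a public-suffix-list lookup.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample. Netscape cookies.txt fields are tab-separated:
# domain, include-subdomains flag, path, secure, expiry (unix time, 0 = session), name, value
SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File (constructed sample)
.example-news.com\tTRUE\t/\tFALSE\t1893456000\tsession_id\tabc123
.example-news.com\tTRUE\t/\tFALSE\t0\tcsrf\tq9z
.adtracker.example\tTRUE\t/\tFALSE\t1893456000\tuid\tu-55-0911
www.example-shop.com\tFALSE\t/cart\tTRUE\t1893456000\tcart\t7781
.metrics.example.net\tTRUE\t/\tFALSE\t1893456000\tvisitor\tv-18
"""

# Constructed: the sites the user deliberately browsed to.
VISITED_SITES = ["www.example-news.com", "www.example-shop.com"]


@dataclass
class Cookie:
    domain: str
    path: str
    secure: bool
    expiry: int
    name: str
    value: str

    @property
    def is_session(self) -> bool:
        # Expiry 0 means the cookie dies with the browser session.
        return self.expiry == 0


def parse_cookies_txt(text: str) -> List[Cookie]:
    """Parse cookies.txt lines; comments, blanks and malformed lines are skipped."""
    cookies: List[Cookie] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at fields
        domain, _subdomains, path, secure, expiry, name, value = fields
        cookies.append(Cookie(domain.lstrip(".").lower(), path, secure == "TRUE",
                              int(expiry), name, value))
    return cookies


def registrable_domain(host: str) -> str:
    """Heuristic: last two labels (assumption; real tooling uses the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(cookies: Iterable[Cookie], visited_sites: Iterable[str]) -> Tuple[List[Cookie], List[Cookie]]:
    """Split cookies into (first_party, third_party) relative to the visited sites."""
    visited = {registrable_domain(h) for h in visited_sites}
    first_party, third_party = [], []
    for c in cookies:
        bucket = first_party if registrable_domain(c.domain) in visited else third_party
        bucket.append(c)
    return first_party, third_party


def summarize(text: str, visited_sites: Iterable[str]) -> Dict[str, List[str]]:
    """Names of first-party cookies and of persistent third-party (tracking-capable) cookies."""
    first_party, third_party = classify(parse_cookies_txt(text), visited_sites)
    return {
        "first_party": sorted(c.name for c in first_party),
        "third_party_persistent": sorted(c.name for c in third_party if not c.is_session),
    }


if __name__ == "__main__":
    for kind, names in summarize(SAMPLE_COOKIES_TXT, VISITED_SITES).items():
        print(f"{kind}: {', '.join(names)}")
```

Only the persistent third-party bucket is the one worth deleting for privacy; the first-party session cookies (the login session, the CSRF token) are exactly the ones whose removal breaks sites, which is why blanket cookie deletion by an anti-spyware scanner is a blunt instrument.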
September 8th, 2006
DollarRevenue adware pushed through bot net for huge profits
German Honeynet Project researchers report that adware company DollarRevenue is directly linked to a bot net attack exploiting the MS06-040 server service vulnerability reported last month. Bot net trackers estimate that one malicious hacker alone earned $430 in one day by installing malware/adware programs on infected machines. 7,700 machines were hacked in 24 hours using the vulnerability, and massively flooded with DollarRevenue files by a single command from the controlling IRC server. As reported by Ryan Naraine, Thorsten Holz, a project founder, said about this hacker:
"He’s earning more than $430 in a single day with DollarRevenue, and that’s not the only piece of adware he’s installing. He’s installing others and also renting his botnet out to spammers,"
Ugh! I’ve experienced some massive DollarRevenue infestations myself as blogged here. DollarRevenue is typically accompanied by other adware including the likes of Look2Me, Qoologic, TagAsaurus, SurfSideKick, NewDotNet, ZenoTecnico, InternetOptimizer and so on. I’ve blogged about DollarRevenue previously. In June, well known spyware researcher Patrick Jordan, aka Webhelper, had his site DDoS’ed by a trojan linked to DollarRevenue.
DollarRevenue is known for its high payouts to affiliates on a pay per install basis, which undoubtedly creates the motivation for these massive installs. DollarRevenue pays 30 cents per install in the USA, 20 cents per install in Canada, 10 cents in the UK, 1 cent in China and .02 cents in other countries. DollarRevenue.com describes their affiliate program here and here. Ryan Naraine describes the bot net operation involving DollarRevenue in more detail.
Some anti-malware vendors describe DollarRevenue software as trojans, see McAfee’s description here, Symantec’s description here, CA’s description here. I’ve been infected with DollarRevenue software numerous times and have yet to see anything remotely resembling a EULA. In my experience, DollarRevenue is always installed through an exploit with other malware, and DollarRevenue files initiate the installation of other malware/adware. I’ve seen spam bots and password stealing trojans installed alongside DollarRevenue also.
Who is responsible for DollarRevenue? Good question. I wish I had an answer. The current dollarrevenue.com domain registration whois information shows private registration through Network Solutions. The DollarRevenue domain is hosted at IP 194.187.45.56 located in the Netherlands, but research shows their software is installed from multiple IPs and subdomains.
September 6th, 2006
FTC settles with Enternet Media for $2 million
The Federal Trade Commission announced their settlement with Enternet Media for $2 million for putting spyware on users’ computers.
Under a stipulated final judgment and order, the defendants are permanently prohibited from interfering with a consumer’s computer use, including but not limited to distributing software code that tracks consumers’ Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers’ computers.
The defendants also are permanently prohibited from making misleading representations regarding the performance, benefits, features, cost, or nature or effect of any type of software code, file, or content, including misrepresenting that the code is an Internet browser upgrade or other computer security software, music, song, lyric, or cell phone ring tone.
The order names Enternet Media Inc., Conspy & Co. Inc., Lida Rohbani, Nima Hakimi, and Baback (Babak) Hakimi, all based in California, whose software codes were “Search Miracle,” “Miracle Search,” “EM Toolbar,” “EliteBar,” and “Elite Toolbar.”
According to the FTC’s complaint, the Web sites of the defendants and their affiliates caused “installation boxes” to pop up on consumers’ computer screens. In one variation of the scheme, the boxes offered a variety of “freeware,” including music files, cell phone ring tones, photographs, wallpaper, and song lyrics. In another, the boxes warned that consumers’ Internet browsers were defective, and offered free browser upgrades or security patches. Consumers who downloaded the supposed freeware or security upgrades did not receive what they were promised; instead, their computers were infected with spyware that interferes with the functioning of the computer and is difficult for consumers to uninstall or remove.
The agency’s complaint also alleges that the defendants’ software code tracks consumers’ Internet activity, changes their home page settings, inserts new toolbars onto their browsers, inserts a large side “frame” or “window” onto browser windows that in turn displays ads, and displays pop-up ads, even when consumers’ Internet browsers are not activated.
The complaint against Enternet Media was filed last November. Case documents can be found here on the FTC website.
A description of Enternet Media’s Elitebar, also known as Elite toolbar, is here on Symantec’s site.
August 15th, 2006
The state of spyware according to Webroot
Webroot released its quarterly report on spyware today, claiming spyware infection rates are at their highest since 2004.
During the second quarter of 2006, Webroot researchers found that 89 percent of consumer PCs were infected with an average of 30 pieces of spyware – a slight increase from the first quarter of 2006 when infection rates returned to alarmingly high levels after a supposed lull in spyware infections during the second half of 2005. According to the report, new distribution channels, advanced spyware technologies and a reliance on free anti–spyware programs are all contributing factors to the startling increase.
The report states that the number of malicious websites increased from last quarter reaching 527,136. Webroot claims the most prevalent trojan is Trojan–Downloader–Zlob with over a million traces detected. I don't know about Webroot's other statistics, but I do believe they are correct in saying Zlob is the most prevalent trojan. Zlob is typically responsible for downloading the rogue anti-spyware programs, like SpywareQuake, SpyFalcon, and so on. It seems like every week there is a new rogue anti-spyware program, typically downloaded by Zlob trojans. The most recent example I've seen, VirusRescue, has been written up here complete with screenshots.
August 14th, 2006
More disturbing long-tail content from Zango
SunbeltBLOG asks “Is Zango partnering with a bunch of sickos?” I won’t repeat much of what’s posted there because it’s too disgusting, but here’s the first part.
unitedtoserve2005(dot)com redirects to a hard core porn site, search(dot)porn-info(dot)info, which offers “totally free porn videos”.
These are Zango porn videos — you watch them but get Zango spyware installed on your system.
More curious is that viewing unitedtoserve2005 with Javascript disabled brings up some very disturbing keywords, like the following (WARNING: very offensive language):
Just last week Zango was mentioned in the CDT report on adware advertising and the money trail. I’ve been so busy I haven’t kept up with all the news (hence no blogging), but the CDT report is certainly worthy of delving into. Meanwhile Paperghost is still on the Zango trail at Vitalsecurity. There’s lots more on Zango and MySpace, Zango and Winamp, and now Zango video ads on The Guardian website. Recently Warner Bros. gave Zango a swift kick right out the door, so not all is peachy in Zangoland.
August 14th, 2006
Movieland.com sued for spyware
Hot off the wires — I just got a press release stating Washington State Attorney General McKenna filed a suit against Movieland.com and 3 associates, all California based companies, for "installing software that takes control of a consumer’s computer by launching aggressive and persistent pop-ups that demand payment for a movie download service." From the press release:
“The defendants in our suit promote a movie download service through Web sites including movieland.com that offer consumers a free three-day trial,” McKenna said. “After the trial period, consumers are inundated with pop-ups that appear at least hourly and subject the consumer to a 40-second payment demand that cannot be closed. These messages are generated by software installed on their computers that cannot be easily removed.
“To stop these aggressive pop-ups, many frustrated consumers ultimately give in to the defendants’ unfair tactics and pay anywhere from $19.95 to nearly $100 for the service,” McKenna said. “Thousands of consumers nationwide have complained to my office, the Federal Trade Commission, the Better Business Bureau and others about the defendants’ unfair practices.
Washington’s lawsuit charges Digital Enterprises, of West Hills, doing business as Movieland.com; Alchemy Communications, of Los Angeles; AccessMedia Networks, of Los Angeles; and Innovative Networks, of Woodland Hills, with violating the state’s Computer Spyware and Consumer Protection acts. Two company officials are also charged in the suit: Digital Enterprises’ Easton A. Herd, and Alchemy’s Andrew M. Garroni. Both men live in Los Angeles.
If found liable, each defendant could be fined $100,000 per violation of the Computer Spyware Act and $2,000 per violation under the Consumer Protection Act. They may also be required to pay restitution to affected consumers.
A copy of the full complaint can be downloaded here (PDF). A description of the Movieland software can be found here. Movieland.com’s website is here (click at your own risk) — see talkbacks.
Related links at ConsumerAffairs.org, MovieLand denies it pipes spyware onto users’ computers; and at VCN.com, how to remove Movieland from your computer.
July 28th, 2006
Zango caught in lies about their software on MySpace?
Zango's videos have been found all over MySpace, along with a number of sites pushing Zango videos to MySpace users without disclosing the presence of Zango. Profiles named Zango were found on MySpace and Zango later admitted an employee created the profiles and said it was a "mistake". At one point it looked like Zango was being pushed out of MySpace, but, alas, that has not turned out to be the case, per Boyd here.
When asked about their presence on MySpace, Zango spokesman Steve Stratz denied targeting MySpace to Information Week:
Zango denied it was targeting MySpace as a distribution resource. "Are we targeting MySpace?" asked Stratz. "No. Does our content show up on MySpace? Yes."
Spyware researcher extraordinaire Chris Boyd, aka Paperghost of Vitalsecurity, has been pursuing Zango's entanglement with MySpace like a trusty hound dog on a trail. Now Boyd claims to have proof that Zango was, indeed, targeting MySpace.
An anonymous tipoff (who claims they were an affiliate of Zango, but got fed up with them emailing him all the time) recently saw the whole "Zango on Myspace" thing and was surprised to see Zango claiming they have a "hands off" policy towards Myspace. [...]
Surprised, because he claimed they sent him what appeared to be a mass-mail shot from a Zango rep, showing all these fun ways to push Zango on Myspace. Intrigued (and having this confirmed by another source), a third person then went and sent me a copy of (what I presume) is the full Email, completely unannounced. As you might have guessed, it's a rather spectacular read.
Boyd posted some choice snippets from the email, like this:
"Zango is fairly new with myspace sites and it took me some time to see what works and what doesn't."[...]
…more profitably, *go to a bunch of your friends* who have popular profiles and pay them (it's up to you so much. One of my partners said 5$..maybe offer to split the money with them?) to put a zango video into their profile through your site. This will give you hundreds of extra installs a day (this probably works even better than having them on your actual site).
Boyd has more from the email. Full read here.
Update: Boyd has posted the full contents, minus names, of the email as a text file here. There's more propaganda by the Zango rep about how to push the videos.
A Zango gateway is a “door” that the visitor passes through to access free content on the other side. The “key” to the “door” is installing zango. This is very popular. For a great example of what a zango gateway looks like, go to www.musicvideocodes.info and click on any of the songs. You’ll see the Zango gateway (first make sure zango’s not installed on your computer: you can see the zango icon on your desktop).
Fascinating – a Zango gateway. No thanks. TechWeb contacted Zango for their response, and got Boyd's rebuttal to Zango. In typical Zango style, they dance around the issue and refuse to take responsibility.
July 18th, 2006
Vonage and spyware
What does Vonage have to do with spyware? Ben Edelman has the answer to that question. In his usual meticulous style, Ben has documented with screenshots, packet logs and diagrams the relationship between Vonage and spyware. Vonage is caught being advertised by pop-ups from Direct Revenue, Targetsaver and others, sometimes not in the appropriate circumstances. (See spyware popping porn in all the wrong places) Ben notes:
I have repeatedly observed Vonage buying "ordinary" spyware pop-up ads from vendors like 180solutions, Direct Revenue, and eXact Advertising. See e.g. the top thumbnail at right, a March 2006 screenshot of a Vonage ad appearing through Direct Revenue. See also my March 2005 report of Vonage ads appearing through eXact Advertising. These relationships add up to big money: BusinessWeek last week reported that Vonage paid Direct Revenue $31,570 in a single month of 2005 — a remarkable $110 for each customer Direct Revenue sent to Vonage. Meanwhile, in its litigation against Intermix, the New York Attorney General specifically documented Vonage’s ads appearing in Intermix KeenValue pop-ups.
Vonage ads are being injected by spyware into other companies’ sites. Note the words injected into: that raises legal concerns of copyright infringement, among other concerns. Catch the video of an ad injection by DollarRevenue. Vonage ads are also being delivered by spyware using banner farms. See Ben’s write up on the problem of banner farms here.
Ben notes that Vonage won an Effie award just last month for the effectiveness of their advertising. The Effie site seems to be unreachable at the moment, but perhaps someone ought to rethink that award – why award a company that advertises with spyware? Ben notes that most companies don’t necessarily intend to have their ads shown by spyware and has suggestions for how Vonage could stop their ads from being delivered by spyware.