Oh, precious irony

Looks like the Sony BMG rootkit contains LAME (an open-source MP3 encoder) and that they (or First 4) are not in compliance with the terms of the LAME license.

According to (apparently) Brenno de Winter:

This software is licensed under the so-called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in-between form between source code and executable code, the so-called object files, with which others can make comparable software.

Of course, Sony BMG got this rootkit from First 4, so perhaps First 4 didn’t do their homework.

Developing….

Link here.

Alex Eckelberry

Do you laugh or just cry?

We have received emails from end-users concerned that we’re “not getting” W32.Sinnaka.A@mm.

Here’s one such email from a user:

Contact name: (masked)
Contact email: (masked)

Spyware was found here:
————————————————————
Brief description of spyware:

Microsoft Security Center is reporting the following spyware that your software is not picking up:

W32.Sinnaka.A @mm


————————————————————

There are also forum posts such as this one.

Of course, this is utter nonsense. It’s coming from bogus security sites like syserrors(dot)com, warningmessage(dot)com, and security2k(dot)net, trying to foist off rogue security software:

[screenshots of the bogus security sites]

Be wary of these sites.

Alex Eckelberry
(Thanks Adam Thomas, Patrick Jordan from the Sunbelt Spyware Research Team)

My mommy tol me spyware iz good!

Eric Howes sent me this earlier. We see a 180 Solutions installer on a site for a 2nd grade class:

[screenshot of the 180 Solutions ActiveX prompt on the cjb.net page]

Now, this is because the good teacher Mrs. Hall is hosting her site at Cjb.net, unwittingly spawning spyware on The Innocent. We have contacted her, as she has no idea this is going on.

Testing this site on a non-SP2 XP system, I received the same ActiveX dialog box after simply hitting refresh once or twice. On a patched SP2 system, I did not receive it, instead getting popups for pharmacies, online dating services and casinos.

You can see a video of more cjb.net sites here, taken by Eric Howes.

Suzi has blogged on this as well, here.

…there are several problems with this scenario, not the least of which is the misleading text in the security warning (ActiveX) box. It says “Website Access By Zango Search Tools”. There’s an implied meaning that in order to view the website, one needs to download the “Website Access”, whatever that is. Not true!!

What kind of page is that and who is going to be viewing it? It says “Come on in to Mrs. Hall’s second grade class […]”. It looks to me like a page Mrs. Hall made for her second grade students and their parents. Nice. I’m sure Mrs. Hall meant well. How old are second graders? Six or seven, depending on when their birthday is. Can 6 or 7 year olds enter into contractual agreements? No. Will 6 or 7 year olds know what that warning means? No. Will they click yes because they want to see what’s on the page? Most likely. Are they going to click the link that says “Website Access By Zango Search Tools” and read the EULA? I think not. Here’s another short clip to show what happens when you click “Yes”. Click for video. Notice at 0:58 I click “Yes” and the license agreement comes up again. Note the box that says “I am 18 or older…” is checked by default. The wide, short window is known to be the most difficult for users to read as well. The text at the top of the EULA window says “The content on this site is FREE thanks to Zango”. There’s another misleading statement. At CJB.net, the webhosting is “free”. It has absolutely nothing to do with the website content. More about CJB.net in a bit.

Alex Eckelberry

Excellent presentation on spyware

Ben Edelman recently gave a presentation at Ad:Tech, a conference for online marketing folks.

Suzi Turner sent me a link to something that Elizabeth Hines at adBUMb (a newsletter for online marketing) had to say about Ben’s presentation:

“…I have to give Ben Edelman a nod for his extraordinarily good and detailed presentation on Spyware, which he delivered on Tuesday afternoon during lunch. For some reason this event was never listed in the ad:tech program, which is a shame; every single one of the conference attendees could have stood to hear what Edelman had to say—whether to educate themselves on the danger that Spyware poses to the industry at large, or to defend themselves against the claims he’s made about ad networks’ and affiliates’ role in promulgating Spyware (at least one company with a staff member in attendance—Commission Junction—tried to do just that, with somewhat middling success).”

adBUMb link here.

Ben’s PowerPoint presentation is, in fact, outstanding and you can see it here.

Alex Eckelberry

Nuking hard drives

Don’t forget when you’re dumping an old PC or server, you need to wipe the data completely.

An interesting tool mentioned for that purpose over at ToaSecurity is Darik’s Boot and Nuke (DBAN). It’s apparently especially useful if you need to wipe a drive to a standard such as the DoD one. Put it on a floppy and off you go.

Darik’s Boot and Nuke (“DBAN”) is a self-contained boot floppy that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.

Here’s a picture from ToaSecurity’s blog:

[screenshot of DBAN from ToaSecurity’s blog]

Remember, be extremely careful if using this tool.  One of its features is the ability to “bulk delete” hard drives…

Link here via ToaSecurity.

 

Alex Eckelberry

Seen in the wild: Lookoutsoft.net

Update here.

The recent FTC complaint focused on Enternetmedia’s use of blogs to propagate spyware.

Spyware buster Roger Karlsson emailed me an absolute treasure yesterday, a great video of something else — Enternetmedia’s SearchMiracle being installed with absolutely no notice or consent, and not even an Add/Remove entry (you have to remove it through the toolbar itself or at Searchmiracle’s website). In his video, he downloads a game called Balloon Pop from Lookoutsoft.net (http://www.lookoutsoft(dot)net/freewebgames/baloonpop(dot)html) and subsequently gets a stealth install of SearchMiracle.

You can see his video here.  

So last night and today, I tested it and sure enough, Roger is right.  This is nasty.

Here’s what my Add/Remove programs looked like before:

[screenshot: Add/Remove Programs before the install]

I go to install this stupid Balloon Pop game and get absolutely no EULA.  Nothing. Now, we’re jaded, but this is usually the practice of CoolWebSearch gang types, not this type of operation. 

[screenshot: the Balloon Pop installer, with no EULA shown]

Then, look at my Add/Remove after:

[screenshot: Add/Remove Programs after the install]

Instant mess. Not only did I get Search Miracle, but I also got 180 Search Assistant and Internet Optimizer — all without any notice, disclosure, consent, anything. Just “poof”. The 180 Search Assistant didn’t even give me that new little “S3” dialog that they’re using now (which tells you that 180 is being installed). This shows that Lookoutsoft is using an older version of 180 Search Assistant.

And of course, along the way I get this popup from Adult Friend Finder.  What if a kid had installed this game? 

[screenshot: Adult Friend Finder popup]

Now, notice there is no add/remove for this install of SearchMiracle/Elite Toolbar.  You have to either go to searchmiracle.com and use their uninstaller, or do it through the toolbar:

[screenshot: the uninstall option inside the SearchMiracle toolbar]

Here’s what LookoutSoft.net says in their Contact Us section:

*Please note that all software produced by Visaid Development is ad supported. We appologize [sic] for any inconviences [sic] this may cause you. This is necessary to insure that everything produced by Visaid Development, Inc. may remain free and full version. All ad bundles are created by third party affilliates [sic] and verfied [sic] for your safety by Visaid Development, Inc. Any ad placements bundled with software produced by Visaid Development, Inc. may simply be removed by going to Start>>Control Panel>>Add/Remove Programs. Visaid Development, Inc. accepts no responsibility for any actions taken by it’s advertisers and included advertisement bundles.

Right.  So you bury the fact that you’re stealth installing spyware in a Contact page.  And you can’t spell worth a damn.  You guys are jackasses. 

Checking around the rest of their site, one sees that their main product is Easy Guitar Tabs Maker Pro, which is also ad-supported.  However, at least in the case of downloading that product, you get a EULA (actually a number of them, since a lot of crap is installed with this guitar program).   

Feel free to send them a happy friendly email — the addresses are on the contact page.  

 

Alex Eckelberry
(Thanks Roger, great catch!)

Sophos releases tool to rid rootkit

Link here.

We do not intend (at least right now) to have this removal capability in CounterSpy, simply because it is incredibly hard to remove this rootkit without disabling the CD-ROM player. Suggestion: Either use Sony’s uninstaller or use Sophos’.

Update: We are now decloaking the rootkit. Note that Sophos’ tool also does not remove the rootkit — it merely decloaks it.

Alex Eckelberry

“Tsunami hacker” continues gainful employment. Good.

Daniel Cuthbert, a security expert, was suspicious of a charity site for tsunami victims and performed a simple test. He ended up getting convicted of gaining unauthorized access.

Man, that was BS.

From CNET today (link here):

Martin O’Neal, director at Corsaire, confirmed Friday that Cuthbert had actually joined the company before his trial. O’Neal, though, isn’t worried that one of his employees is a high-profile breaker of the Computer Misuse Act (CMA).

“The reason being, we’ve known Daniel for a long time. He was well known in the security industry, even before the case. His integrity has never been called into question,” O’Neal told ZDNet UK on Friday.

Cuthbert was found guilty under the Computer Misuse Act of gaining unauthorized access to an appeal site for victims of the Asian tsunami in December 2004. Cuthbert said in court that he had made a donation and then became concerned that he’d fallen victim to a phishing scam. To check, he added “../../../” to the URL in an attempt to access the site’s higher directories–an action that triggered an alarm.

Security experts and ZDNet readers have expressed concern about the conviction. O’Neal shares this view.

“As for the conviction, it’s frankly ridiculous. It highlighted how untried and untested the CMA is. The main problem is how you define unauthorized access and intent in the context of an open Web server,” O’Neal said.

Yup.
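The “alarm” in the story above was tripped by a path-traversal pattern (“../../../”) in a URL. As an added example that is not part of the original post or the CNET article, here is the kind of defender-side check a web server operator would run over access logs to spot such requests, including percent-encoded and double-encoded variants. The log lines, IP addresses and function names below are constructed for illustration; the log format assumed is the common Apache/nginx combined style.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2005:12:00:01 +0000] "GET /donate/index.html HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2005:12:00:09 +0000] "GET /donate/../../../ HTTP/1.1" 403 211
198.51.100.7 - - [10/Nov/2005:12:01:15 +0000] "GET /images/..%2f..%2f..%2fprivate/notes.txt HTTP/1.1" 404 198
198.51.100.7 - - [10/Nov/2005:12:01:20 +0000] "GET /static/%252e%252e/%252e%252e/config HTTP/1.1" 404 198
192.0.2.9 - - [10/Nov/2005:12:02:33 +0000] "GET /news/2005/../2004/archive.html HTTP/1.1" 200 3311
192.0.2.9 - - [10/Nov/2005:12:02:40 +0000] "GET /about..html HTTP/1.1" 200 1000
"""

# Pulls client IP, timestamp, method, request path, protocol and status out of one line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def decode_path(raw, rounds=3):
    """Percent-decode repeatedly (bounded) so that %252e%252e -> %2e%2e -> '..'
    is seen; also fold backslashes to slashes so '..\\' is treated like '../'."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def traversal_depth(path):
    """Count how many '..' segments would climb above the document root.

    A relative climb that stays inside the site (/news/2005/../2004/) resolves
    to zero escapes and is not flagged; '/about..html' is not a '..' segment.
    """
    depth = 0     # current directory depth below the root
    escapes = 0   # '..' segments encountered while already at the root
    for seg in path.split("?", 1)[0].split("/"):
        if seg == "..":
            if depth == 0:
                escapes += 1
            else:
                depth -= 1
        elif seg not in ("", "."):
            depth += 1
    return escapes


def parse_line(line):
    """Parse one log line into a dict with the decoded path and escape count."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = decode_path(rec["path"])
    rec["escapes"] = traversal_depth(rec["decoded"])
    return rec


def find_traversal_attempts(log_text):
    """Return (ip, raw path, escapes) for every request that climbs above the root."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["escapes"] > 0:
            hits.append((rec["ip"], rec["path"], rec["escapes"]))
    return hits


if __name__ == "__main__":
    for ip, path, n in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} requested {path!r}: climbs {n} level(s) above the document root")
```

The check deliberately resolves the path instead of grepping for the literal string `..`, so legitimate in-site relative links are not flagged while encoded variants are; the bounded decode loop prevents a crafted path from keeping the parser busy.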

Alex Eckelberry

Death threats for RetroCoder? Oh dear

The Ziff Davis story on RetroCoder got posted to Slashdot. Unfortunately, Slashdot referred to us as being “sued”, which is incorrect (the Ziff Davis story didn’t say that and neither have we).

I made a post on Slashdot clarifying the situation and interestingly, got a reply from the Spymon fellow (no name on the post).  Here’s what he said:

…I’ve been trying to get this Slashdot article amended – but nobody here is apparently listening – maybe you will have better luck.

Looks like you have a lot of supporters (based on the various death threaths [sic] we have had) and ideally we could come to some sort of compromise where antispy/antivirus software would tell the user (if it’s a commercial program) that the “trojan” is a non-destructive commercial program. In return the commercial software could tell the anti-virus software house how to safely delete it and put a marker so it will not return.

Death threats? Nah, no one has to go that far.

Anyway, we ended up having an exchange, which you can view here.

Strange day.

Alex Eckelberry

Sony BMG Capitulates

Clearly, it’s because they’ve been reading my blog that they finally took my advice! (well, maybe).

…Music publisher Sony BMG said on Friday it would stop making CDs that use a controversial technology to protect its music against illegal copying.

“As a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology,” it said in a statement.

Link here via Catherine.

 

Alex Eckelberry

 

iMesh pokes fun in its EULA

The EFF writes damning comments about Sony’s EULA.

Well, on a lighter note, sharp-eyed Eric Howes sent me this EULA from iMesh. Flipping through, there are some interesting statements in there, which I’ve highlighted in bold:

…These terms constitute your license agreement. Please read it and don’t wait for the movie version. This is a legal contract between you and iMesh, Inc. (“iMesh”) that governs your use of iMesh’s online music services available at www.imesh.com consisting of the iMesh subscription service (the “Subscription Service”) and the iMesh download sales service (the “Download Service”, together with the Subscription Service, constitute the “Service”)…We recommend you grab a glass of water before reading the rest. To agree to these terms, click “AGREE” where indicated.  If you do not agree to these terms, do not click “AGREE,” and do not use the Service.  If you’re not sure, think about it a little and then decide. But you have to decide. Our lawyers worked hard to make this contract understandable. We wanted to take this opportunity and say “Thank you”.

 

Let’s go. Stand clear of the closing doors.

 

…To access the Service, you will need to install or activate from time to time the iMesh proprietary (isn’t this a cool word?) software application …Drink milk.

 

By now you are probably asking yourself, “what is a Sample?” Well, here it is – a “Sample” is a portion of a Song or, in some cases, an entire Song that you can play directly from and while logged on to the Service on a promotional basis at no cost to you. You may play as many samples as you want. In fact, you can even go to bed listening to these Samples…. Please be nice to our Samples, they are very sensitive.

 

…Any security technology that is provided with a Song is an inseparable part of the Song. Please don’t try to separate them. They really like each other.

 

The burning or transfer capabilities provided for herein shall not operate to waive or limit any rights of the copyright owners in the Songs or any works embodied in them. Don’t cheat.

 

Don’t use iMesh to steal music! If you violate the copyright laws or any other intellectual property laws, fines or criminal charges may be brought against you.  You may even go to jail. Do you really want to go to jail? They may not let you take your iMesh with you.

 

…In no event will such parties be liable for the removal of or disabling of access to any such products, Content or materials under this Agreement. MusicNet and iMesh and their licensors may also impose limits on the use of or access to certain features or portions of the Service, in any case and without notice or liability. Sorry.

 

Customer Support. Please direct any questions concerning the Software, the Service, billing and/or usage rules to an iMesh customer service representative by contacting us from: <http://wa.imesh.com/support/bugreport/> . Questions about the meaning of life, the universe and everything should not be directed to iMesh. We are totally clueless.

 

Instant Messaging and Public Areas. iMesh is a community. Most of the people in the community are nice. You all should read this, but this is especially for those of you who choose not to be nice. Be polite to other users. Eat your vegetables. Wear sunscreen.

 

…If any of your billing information changes, you must update that information in the “my account” area of our Service.  Just to make sure we have your money, we will bill you in advance for subscriptions and purchases will not be completed until the charge is processed.

 

In the future, we’ll work to extend the Service to other locations. Antarctica residents – don’t hold your breath (you may suffocate). 

 

SMOKING

 

Smoking overall is bad for you. It gives you bad breath and may kill you sooner than you’d expect.

 

All Media Guide Data We partnered with some nice people in Ann Arbor, MI (which in itself is a pretty cool place to go to). They are called All Media Guide, LLC (“AMG”)…

 

Okay, next.

 

iMesh and MusicNet reserve the right to modify, suspend, or discontinue the Service (or any part thereof, including without limitation access to any of the Content) at any time with or without notice to you, and neither iMesh nor MusicNet will be liable to you or to any third party should either such party exercise such rights and iMesh will not refund any amounts that you have previously paid. We sure hope that never happens.

 

DISCLAIMERS

 

Now here’s the fun part. You understand and agree that your use of the Service, the Songs and the Software is solely at your own risk…If you can read this, you don’t need glasses.

Alex Eckelberry

Open casting call for litigants

The Electronic Frontier Foundation is looking for plaintiffs in a class action lawsuit.

EFF is collecting stories from EFF members and supporters who have purchased Sony-BMG CDs that contained the “rootkit” copy protection software. We’ve previously posted at least a partial list of CDs infected here.

We’re considering whether the effect on the public, or on EFF members, is sufficiently serious to merit a lawsuit.

If you satisfy the following criteria, we would like to hear from you:

1. you have a Windows computer;
2. First 4 Internet’s “xcp” copy protection has been installed on your computer from a Sony CD (for more details, see our blog post referenced above or SysInternals blog);
3. you reside in either California or New York;
4. you are willing to participate in litigation.

We have not made any final decisions about filing any legal action, but we would like to hear from music fans who have been harmed by the Sony-BMG “rootkit” copy protection technology. Please contact allison@eff.org.

Link here.

Alex Eckelberry

Macs get DRM too with Sony BMG

If you buy a Sony CD with DRM, it looks like you get it on your Mac, too. But contrary to some of the chatter out there, it’s NOT a rootkit. It’s just typical DRM stuff from SunnComm. Still not good, but quite a bit different from a rootkit.

Sony BMG’s ‘rootkit’ copy protection technology may affect Macs – and the software can also be exploited by malicious hackers, reports claim.

MacInTouch reports claims by a reader who recently purchased a Sony BMG CD. The reader found that the CD installs a Mac application, “Start.app” which itself installs two files: PhoenixNub1.kext and PhoenixNub12.kext.

This is not the same software that is causing such a furore against Sony BMG at present. The Register claims: “It’s a Mac version of SunnComm’s DRM software, MediaMax, which Sony BMG uses to copy-protect a range of CDs.”

Link here via Catherine.

Alex Eckelberry

Finally answered: Are aluminum foil helmets effective?

If you’re truly paranoid and delusional, you’ve certainly thought of using aluminum foil helmets to ward off dangerous radio signals.

Is this practice effective, though?  No!  In fact, you might make the situation worse! 

An MIT group dissects the science behind aluminum foil helmets and comes up with this conclusion:

The helmets amplify frequency bands that coincide with those allocated to the US government between 1.2 GHz and 1.4 GHz. According to the FCC, these bands are supposedly reserved for ”radio location” (ie, GPS), and other communications with satellites (see, for example, [3]). The 2.6 GHz band coincides with mobile phone technology. Though not affiliated by government, these bands are at the hands of multinational corporations.

It requires no stretch of the imagination to conclude that the current helmet craze is likely to have been propagated by the Government, possibly with the involvement of the FCC. We hope this report will encourage the paranoid community to develop improved helmet designs to avoid falling prey to these shortcomings.


Link here via John Murrell

 

Alex Eckelberry

Anti-phishing group publishes whitepaper on phishing

The Anti-Phishing Working Group has published a whitepaper on phishing:

“This report examines the information flow in phishing attacks of all types. Technologies used by phishers are discussed, in combination with countermeasures that can be applied. The focus is primarily on technology that can be deployed to stop phishing. Both currently available countermeasures and research-stage technologies are discussed.”

 

Link here via beSpacific.

Alex Eckelberry

RetroCoder

Well, the whole RetroCoder Incident is now flaming across the ‘net.  If you missed my earlier blog entry on this subject, RetroCoder is trying to stop Sunbelt (and other security companies) from even examining their product, by using this agreement:

[screenshot of the RetroCoder/SpyMon license agreement]

CMP has an article, here.  P2pnet has some thoughts on it, here.  The original story from Joris Evers at Zdnet is here.  It also got Slashdotted, here, with lots of interesting comments.  

The Slashdot post got it a bit wrong — we are not getting sued.  We have only been threatened by Retrocoder.  Here’s what they sent to us through our standard submission process:

 A developer has submitted information about their product which may be flagged as spyware.

 

 Company: RetroCoder Limited

 Company website: www.SpyMon.com

 Contact name: Anthony Ball

 Contact email: anthony@spymon.com

 Product name affected: SpyMon

 Product versions affected: all

 Product is detected as: spy program

 Software can be downloaded here:

 ?

 ————————————————————

 Brief description of software:

 Program to allow you to monitor other computers

 ————————————————————

 Reason for submission:

If you read the copyright agreement when you downloaded or ran our program you will see that Anti-spyware publishers/software houses are NOT allowed to download, run or examine the software in any way. By doing so you are breaking EU copyright law, this is a criminal offence. Please remove our program from your detection list or we will be forced to take action against you. Thank you,

 Anthony Ball

 ————————————————————

 

 Submitted: 20051028231212

 Code: DEV_SPYWARE


Alex Eckelberry

 

My, is that a bad capacitor in your pocket, or are you just glad to see me?

A bunch of PC manufacturers are being hit with bad capacitors.  (If you slept through high school electronics, capacitors are used to temporarily store electrical charge and regulate voltage — old timers sometimes call them condensers).

CNET has a good picture of the problem:

Swollen capacitors on iMac

You can see the swollen caps in the back. These things swell and then leak a kind of yellow goo which crusts over, ultimately causing video problems and intermittent system failures.

Dell has this problem on some Optiplex workstations (incidentally, the very workstation I have in my office). But they aren’t the only ones: HP, Apple and apparently others have this issue too.

How widespread the problem is remains unknown.

CNET article here.

 

Alex Eckelberry