Another WMF vulnerability

SecurityFocus has published an advisory on yet another WMF vulnerability.

We have seen no exploits in the wild on this one.  We hope not to before Microsoft patches it.

The Microsoft Windows WMF graphics rendering engine is affected by multiple memory corruption vulnerabilities. These issues affect the ‘ExtCreateRegion’ and ‘ExtEscape’ functions.

These problems present themselves when a user views a malicious WMF formatted file containing specially crafted data.

Reports indicate that these issues lead to a denial of service condition; however, it is conjectured that arbitrary code execution is possible as well. Any code execution that occurs will be with the privileges of the user viewing a malicious image. An attacker may gain SYSTEM privileges if an administrator views the malicious file.

Link here.

Update: This vulnerability is more related to triggering a denial of service attack on a vulnerable system.  The exploit code we have observed does not prove that code could be run on a machine (unlike the last WMF exploit), but this type of danger is always an issue with buffer overflows. We will keep this blog updated with the latest relevant news.


Alex Eckelberry
(Thanks Adam)


Security expert Ben Edelman dissects 180Solutions’ new practices

Ben Edelman has written an extensive treatment of 180Solutions’ new installation methods.

This blog has followed nonconsensual 180solutions installations at excruciating length.  These terrible installations haven’t been hard to find, and they’re truly outrageous.  But what about 180’s run-of-the-mill installations?  In a piece posted today, Ben Edelman looks at installations 180 itself seems to consider its best — installations 180 promotes on its own blog.  Ben points out that 180 is installing on a kids site, that 180 doesn’t disclose that it shows pop-ups, that 180 doesn’t disclose its privacy effects, that 180’s license is unusually hard to read, and that 180 makes false statements to discourage removal.

Link here.


Alex Eckelberry

On privacy

Opinion piece in the Baltimore Sun about privacy: 

Experts worry that, over time, continued sweeping invasions of our privacy – whether for commercial convenience or national security – will fundamentally change what it means to be an American.

When we know that our movements, phone conversations, purchases and behavior are monitored, recorded and used to judge us, how can we retain the sense of personal pride and independence that defined us?

In the words of Louis Brandeis: “Privacy is the right to be alone – the most comprehensive of rights, and the right most valued by civilized man.”

Link here via Catherine.


Alex

Seen in the wild: Another rogue Google site

Came across this one doing some spyware testing today (it was popped up from a nasty site).  Using a couple of basic iframe tags, the page looks like Google, and the part you see actually is Google, loaded into a full-size frame.  The difference is what sits next to it.

The site’s whole purpose is to load an advertisement from another site into a second frame that is set so small you’ll never see it.  The visitor sees nothing, but the owner of this fake Google page still gets paid for the ad.  Basically, a way to rip off advertisers.


To wit, the HTML from the page (quotes and closing tags cleaned up; the ad URL is truncated as in the original):

<iframe name="contact" src="http://google.com/"
width="100%" height="100%" marginwidth=0 marginheight=0 hspace=0 vspace=0
frameborder=0 scrolling=no></iframe>
<iframe name="contact" src="http://66.230.164 99/…"
width=1 height=1 marginwidth=0 marginheight=0 hspace=0 vspace=0
frameborder=0 scrolling=no></iframe>

The first frame fills the window with the real Google front page.  The second, at 1 by 1 pixel, is the ad being called from the SearchMeUp crowd, resulting in an advertiser being charged; it is so small that the user will never notice it on the page.

The site is http://m-game(dot)name/tr/

So here’s the scam: The perpetrator signed up as an affiliate with SearchMeUp (part of UmaxSearch).  He then points the hidden frame at a sponsored search result, and every load counts as a click-through from SearchMeUp that the advertiser is charged for.  He conveniently bypasses any blocklists (since he’s in with a rough crowd that is likely on the bad lists of even the gray-area advertising community) because his own site, at this point, looks innocuous.  The end user never sees any ad, because it’s hidden behind the fake Google page. 
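A quick way to spot pages built like this is to look for iframes that load a third-party URL but are sized or styled so the visitor cannot see them.  The script below is an added example, not code from the post or from the rogue site; the HTML in it is a constructed stand-in for the page quoted above, and ad-network.example with its aff= parameter is a placeholder, not the real ad host.  It goes one step beyond the 1x1 trick in the post and also catches frames hidden with CSS.

```python
"""Flag hidden third-party iframes like the ad frame in the fake Google page.

Added example, not code from the original post. SAMPLE_HTML is a constructed
stand-in for the rogue page; ad-network.example and the aff= parameter are
placeholders, not the real ad host or URL.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """
<html><body>
<iframe name="contact" src="http://google.com/"
  width="100%" height="100%" marginwidth=0 marginheight=0 hspace=0 vspace=0
  frameborder=0 scrolling=no></iframe>
<iframe name="contact" src="http://ad-network.example/click?aff=1234"
  width=1 height=1 marginwidth=0 marginheight=0 hspace=0 vspace=0
  frameborder=0 scrolling=no></iframe>
</body></html>
"""


def _pixels(value):
    """Turn a width/height attribute into a pixel count; None if not a fixed size."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("%"):
        return None            # relative size: visible as far as we can tell
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


def _hidden_reason(attrs, max_px):
    """Return why a frame is invisible to the user, or None if it looks visible."""
    width, height = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
    if (width is not None and width <= max_px) or (height is not None and height <= max_px):
        return f"tiny frame ({width}x{height})"
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return "hidden by CSS"
    return None


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag (names are lowercased by HTMLParser)."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))


def find_hidden_frames(html, page_host, max_px=2):
    """Return hidden iframes whose src points at a host other than page_host.

    A tiny or CSS-hidden frame loading a third-party URL is the pattern from
    the post: the visitor never sees it, but the remote side logs the hit.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.frames:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reason = _hidden_reason(attrs, max_px)
        if reason and host and host != page_host.lower():
            hits.append({"src": src, "host": host, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_hidden_frames(SAMPLE_HTML, "m-game.name"):
        print(f"{hit['reason']}: {hit['src']}")
```

Run against the sample, the full-size google.com frame passes and the 1x1 frame to the ad host is reported.  Frames pointing back at the page’s own host are ignored on purpose, since a site framing its own content is not the fraud pattern here; the `max_px` threshold is there because the same trick works just as well at 2x2.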

Advertisers run the gamut from typical smaller advertisers (casinos, cigarette vendors, etc.) to companies like Progressive Insurance.

Cute.


Alex Eckelberry

Google ships Google Pack.

Today, Google announced GooglePack, a way to get free software through a coordinated, “Googlefied” download mechanism. The software selections are optional — you just pick and choose what you want. 

Since the packs have a security angle (AV and antispyware), we took a quick look, and while its software offerings are not necessarily new or extraordinary, it has an elegantly designed download and updating mechanism.  It also puts a Google Updater on your system, giving Google the opportunity to offer you more things in the future…

So what can you get with GooglePack?

    • Adobe Reader 7
    • Ad-Aware SE Personal
    • GalleryPlayer HD Images
    • Google Desktop
    • Google Earth
    • Google Pack Screensaver
    • Google Talk
    • Google Toolbar for Internet Explorer
    • Mozilla Firefox with Google Toolbar
    • Norton AntiVirus 2005 Special Edition
    • Picasa
    • RealPlayer
    • Trillian

Basically, mostly free stuff that you can get off the net. (The Norton AV is not a full AV product.  It’s a six month trial edition, and it doesn’t include worm protection and “extended threat protection”, which detects spyware and certain non-virus threats such as adware and keystroke logging programs.)  



Alex Eckelberry


Beware a rebranded version of SpyAxe — SpywareStrike

SpyAxe is a rogue antispyware program that uses extremely deceptive behavior to get on a system, and is very difficult to remove.

A new player, SpywareStrike,  looks to be a rebrand of SpyAxe.

Running a quick test shows a terrifying warning message about… cookies.  You must spend $49.50 to remove these cookies.


Suzi Turner at ZDNET also writes about it here.


Alex Eckelberry
(Thanks Adam)


This is what’s in store for all the other gutter slime

If you’ve been tracking this blog, you’ve seen a number of examples of rogue antispyware products trying to install on people’s system — including through the WMF exploit. My disgust is utter and complete at these types of marketing practices.

Now, two of these fraudsters have been nailed by the FTC: SpywareAssasin and SpyKiller. 

The scans invariably told consumers their computers were infested with spyware, whether they actually were or not. Consumers who freaked out and paid the $30 for the software were no better off after having done so, the FTC said, because the “protection” software was a worthless pile of garbage.

Link here.

Spyaxe, SpySherrif, WinFixer and all the rest — you’re in for your day in court.  Better get packing.

Remember, you can see a comprehensive list of rogue antispyware products at SpywareWarrior.

And while we’re at it, let’s not forget that a couple of legitimate antispyware companies are playing on the edge by offering “free” scans and then requiring the users to pay to remove what’s found.  Not cool, but it certainly results in larger “conversion rates”, which is where the scramble is in online marketing of antispyware apps these days.  


Alex Eckelberry

Wild story at VitalSecurity

This is one of the most out-there spyware stories I’ve seen in a long time.

According to spyware-busting samurai Paperghost at VitalSecurity, a megabundle of crap is being propagated through an AOL Instant Messenger worm, and it includes such choice tidbits as:

  • 180Solutions Zango
  • A custom version of BitTorrent that pushes Mr. Bean, the Movie. 
  • A rootkit to hide its nefarious actions.
  • And last, but certainly not least, a copy (apparently legit) of Mark Russinovich’s Rootkit Revealer (the tool which Mark, a Windows superguru programmer, used to bust the Sony rootkit).  Massive dose of irony here.

The worm lures victims over AOL Instant Messenger with messages like the following:

“great picture 🙂 http://www.picteurestrail.net/Mastermon/XXXXXX.JPG”, or

“not a right time to take a picture haa 🙂 http://www.picteurestrail.net/Mastermon/XXXXXX.JPG”

“not a right time to take a picture haa 🙂 http://www.pictrail.net/Matelord/XXXXXX.JPG”

“not a right time to take a picture haa 🙂 http://www.picstrailx.net/Mateslord/XXXXXX.JPG”

Paperghost’s writeup here. Advisory from his employer, FaceTime, here.

Alex Eckelberry

More security hijack sites…

The gutter slime have a few more sites.  From Sunbelt spyware researcher Patrick Jordan:

securitycaution(dot)com
dnserror404(dot)com
todaywarnings(dot)com
updatesystempage(dot)com 
yoursecuritysystem(dot)com 


Installs of SpyAxe, etc. are a plague right now on the net.  Mark Russinovich of Sysinternals (you’ll recall him as the man who broke the Sony rootkit story) writes about these rogue programs here.

Update:  And the venerable Andrew Clover drops by the blog to give us a few more:

needupdate(dot)com
warningmessage(dot)com
notfound404(dot)com
syserrors(dot)com
updateyoursystem(dot)com

Alex

Why email authentication hasn’t really gone anywhere

In the heat of the spam battles a couple of years ago, a number of experts started to work on various ways to authenticate email messages.  The idea was that email should be authenticated to ensure it’s from a trusted source.  In other words, “Joe Love” couldn’t send you an email promising new ways to enlarge various body parts, improve your prowess or buy pills illegally, because authentication would show Joe Love to be a false sender.

The problem has always been that email is sent using a wonderfully flexible but very dated protocol, Simple Mail Transfer Protocol (SMTP).  

For example, it’s trivial to spoof an email (meaning, to make it seem like it came from someone else): the sending server can put whatever it likes in the envelope sender and the From: header, and the receiving server takes both on trust.  In our iHateSpam program for Outlook, we have a “Bounce” feature which attempts to bounce a fake message back to the spammer saying that your email account is no longer active.  It’s always been a problematic feature, because actually getting the message back to the original sender is quite difficult, and users have a hard time understanding how this could be.  Well, in order to follow the email back to its source, you first need to find the source, and the From: address won’t tell you.  The only reliable evidence is the Received: header that your own mail server added when the message arrived; everything below it could have been written by the sender.  Believe it or not, it’s fairly difficult to do this by hand without a tool like Sam Spade.
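Here is what following a message back through its Received: headers looks like in practice.  This is an added example, not code from the post or from iHateSpam.  The message in it is constructed: every host name and address is a placeholder (example.com, example.net and documentation IP ranges), and `trusted_hosts` is assumed to be the set of mail servers you operate yourself.

```python
"""Trace a message back toward its source through its Received: headers.

Added example, not code from the original post or from iHateSpam. The
message below is constructed; every host name and address in it is a
placeholder (example.com, example.net, documentation IP ranges).
"""
import email
import re

# Bracketed IPv4 literal as MTAs write it, e.g. "[192.0.2.10]"
IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Constructed message: the bottom Received: line claims the mail came from
# bigbank's mail server, but the sender could have written that line itself.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.com with ESMTP id abc123
    for <victim@example.com>; Thu, 5 Jan 2006 10:00:00 -0500
Received: from relay.isp.example ([198.51.100.7])
    by mx.example.net with SMTP; Thu, 5 Jan 2006 09:59:58 -0500
Received: from mail.bigbank.example (localhost [127.0.0.1])
    by relay.isp.example with ESMTP; Thu, 5 Jan 2006 09:59:50 -0500
From: "Joe Love" <joe@bigbank.example>
To: victim@example.com
Subject: You have been selected

Click here.
"""


def parse_received(raw_message):
    """Return one dict per Received: header, top of the message first.

    The top header was added by the last server to handle the message
    (closest to the recipient); each lower one is one hop further back.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())      # unfold the continuation lines
        m_from, m_by, m_ip = FROM_HOST.search(text), BY_HOST.search(text), IP_LITERAL.search(text)
        hops.append({
            "from": m_from.group(1) if m_from else None,   # what the client claimed to be
            "ip": m_ip.group(1) if m_ip else None,         # what the receiving server saw
            "by": m_by.group(1) if m_by else None,         # server that wrote this header
        })
    return hops


def probable_origin(raw_message, trusted_hosts):
    """Return the hop that handed the message to your own infrastructure.

    Only headers written by servers you run (trusted_hosts) are evidence.
    Walk down from the top while the writer is trusted and stop at the first
    header written by a stranger, since it and everything below it may be
    forged. The last trusted hop records the IP that actually connected to you.
    """
    origin = None
    for hop in parse_received(raw_message):
        if hop["by"] not in trusted_hosts:
            break
        origin = hop
    return origin


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_MESSAGE):
        print(f"{hop['by']} got it from {hop['from']} at {hop['ip']}")
    print("probable origin:", probable_origin(SAMPLE_MESSAGE, {"mail.example.com", "mx.example.net"}))
```

On the sample, the From: line says bigbank, and the bottom Received: header agrees, but that header was written by a server you do not control and proves nothing.  The last header your own servers wrote shows the message actually arrived from 198.51.100.7, which is where a complaint (or a bounce) would have to go; sending it to the From: address just lands it on whoever was impersonated.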

At any rate, the idea of authentication never really went anywhere, and Larry Seltzer at eWeek writes about a new article by John Levine, who pulls no punches in what he believes is the heart of the problem:

…Part of the reason it’s taking so long to agree on a standard is that the process is infested with academic theoreticians who are more interested in arguing about hypotheticals and pushing their pet spam solutions than in doing something useful, but the main reason is that it’s a hard problem. Making changes to the e-mail system is akin to open heart surgery on a beating heart, in that you can’t stop it while you’re working on it, and the consequences of an ill considered change are bad.

Admittedly, this article will appeal to the more technical readers of this blog, but it’s a good overview of an area that deserves continued attention. 

But perhaps part of the problem is money.  As Allan McDaniel, our lead developer of iHateSpam told me “nobody has figured out how to make any money off of a solution.  It’s hard to compete against free, even MS wasn’t able to pull that off.”

Link here through Larry Seltzer.


Alex Eckelberry

Get safer web browsing with the Vmware Browser Appliance

I noticed this on the SANS site the other day and remembered I had wanted to check into it earlier.

VMware has released a “safe browser appliance”.  Basically, it’s a version of Ubuntu Linux bundled with Firefox that you run inside their free VMware Player.


I took a quick look and it’s pretty nifty.  It’s Linux, so if you’re Windows-centric, it will appear a bit unfamiliar.  But it certainly is a safer way to browse the Internet and fairly easy to use.  The protection comes from the virtual machine boundary: a drive-by install lands in the Linux guest, not on your Windows host.  Two caveats, though: anything you type into that browser is still exposed to whatever does get into the guest, so it is not a safe place for banking passwords, and if you suspect the guest has picked something up, throw it away and start again from a clean copy of the appliance rather than keep using it.


Personally, I prefer to use VMware with Windows, but if you download this freebie from VMware, it’s a great way to get acquainted with Linux, and to have a safer web browsing experience.  

Alex Eckelberry 

FLASH: Microsoft going out of cycle to release WMF patch

From Rod Trent:

Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned.

Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete.

…The security update will be available at 2:00 pm PT as MS06-001.

…Microsoft will hold a special Web cast on Friday, January 6, 2006, to provide technical details on the MS06-001 and to answer questions.

Link here.

Official MS bulletin.

Alex Eckelberry

Interview with Ilfak

SecuriTeam interviews Ilfak Guilfanov

Seeking to put some of the confusion about the recent Windows Metafile vulnerability to rest, I interviewed one of the most reliable sources of information on the bug: Ilfak Guilfanov. In addition to discussing the temporary patch he authored, Ilfak offers valuable guidance and accurate information on a more general level for those dealing with this vulnerability.

Link here.

Alex Eckelberry
(Thanks Michael)

Microsoft has up to 200 people working on patching the WMF vulnerability

Well, not surprising really, with all the quality assurance required (it’s really not a light thing for them — imagine testing and patching every language, every affected version, etc.).

Once we were made aware of the issue (December 28, 2005) we immediately began developing a security update for the WMF vulnerability on an expedited track. Normally the entire process of creating a security update from start to finish, creation, to testing, to release, takes four to six weeks. By taking as many as 200 of our people and having them focus 100% on this issue only we have cut that time down to two weeks and expect the update to be ready on January 10th for release as part of our normal release schedule (again, this is dependent on it clearing all of our quality testing but the potential is high that it will be done on time).

Link here.

Alex Eckelberry
(Thanks Rod)