Fake news

Video News Releases (VNRs) are pre-made newsreels sent to TV stations, who in turn broadcast them as “news”.  The stations may or may not modify the VNRs, but they are always about one thing:  Promoting an agenda.  

VNRs are often thought of as coming from big pharmaceutical companies or political parties.  While this is true (never trust a TV news spot about a novel “drug”), VNRs are also used in a wide variety of other industries.   It’s even happening in high tech.

Take, for example, this clip from an antivirus company.  Watch the original VNR, then watch this version, which is what an actual TV station used.  (You only need to watch the first 15 seconds to get it).

Or take this clip from Intel (original and then as run on a TV station).

News?  No.  It’s just “good PR”.  A big player in the space is D S Simon Productions.

You can see a whole bunch of other fake TV news here, and more information at the Center for Media and Democracy.

Alex Eckelberry

Follow the money redux

An article in BusinessWeek about the adware cash cow:

…Edelman shows how ads purchased for placement on Yahoo and partner sites by companies such as Cablevision Systems Corp. (CVC ) were also redistributed until they showed up as pop-ups. According to Edelman, Yahoo became blind to the trail of its own ads. One partner, Ditto.com, presented a Yahoo ad through another site, NBCSearch (not affiliated with the TV network). That company passed it along to one of its own partners. (NBCsearch and Ditto.com did not respond to requests for comment.) Sometimes, the ads showed up in pop-ups from spyware programs. In a prepared statement, Yahoo says it “takes the quality of its search ad distribution network very seriously. We are carefully investigating the claims that have been raised.”

Link here via MediaPost.

Alex Eckelberry

Stay far away from YapBrowser

This is a completely worthless and, in fact, potentially dangerous application that pre-installs 180Solutions Zango and does nothing but apparently redirect you to a porn site.  A link to child porn is even suggested in posts by Andrew Clover (who calls it the “kidporn browser”) and PaperGhost.

You can see here the URL “microsoft.com” is redirected to this porn page:

[screenshot: microsoft.com redirected to a porn page]

More worrisome is a Russian document (related to the highconvert gang) that we uncovered on April 4th which suggests that the YapBrowser will be used for some very nasty spyware installs.  You can read the translated document here.

Some snippets:

Since we’ve already developed our own bot system we’ve decided to provide our partners with some convenient tools. We’ve invented Adware system. The idea of this system is to have software that will be installed on user’s PC by our Loader. After being installed on user’s PC this application will do anything necessary to show ads to the user. It can be some console, icons, messages, screen savers, home page replacements and so on. Programmers’ creative minds have no limits. There will be a couple of versions of software – simple and aggressive and our partner will be able to choose the most appropriate for them.

…Create a mini-browser and install its icon to system tray. Every 10 minutes it will show pop ups (customizable) and if user clicks on tray icon this will invoke our mini-browser. Mini-browser will have a toolbar with a search bar and buttons and links and it will show our web pages. We will implement specific designs for that. (Pop ups and browser itself fit well for showing RRS or dating web sites).

…System messages with any possible content. They are very good to alert the user about some possible threat (virus for example, and it’s very good for advertisement). It’s possible to implement it in a form of “Blue Screen of Death”.  Please think about it and implement anything that is possible.

…Replace 404 error page, home page, search page and local page. Replacement will be done with local html page (local feed). Local pages will be loaded to user’s PC in multiple forms and different designs. They might look like this: www.yapsearch(dot)com

…Invisible clickers. Most appropriate for Dating web sites since they pay for every click as well as for RRS. However for this type of application we have to make sure that it doesn’t behave like clicking on all possible URLs but rather imitates the real user. Clicker will work with certain web sites according to the way it was set up.

…Replacement for Google, Yahoo, MSN. For example if user goes to Google web site and searches something from there then search results won’t be taken from Google but rather from our RRS. Think of how this can be implemented. This is very common these days so it’s possible to implement it.

…Change Security level to… Low (good for installing toolbars, dialers).

…This means that admin console [redacted] will provide every advert a link named “Adware Soft”. That’s exactly where new modules will be created. Advert will be able to select what functionality he wants. For instance if somebody doesn’t really want to completely kill user’s machines may choose only one function – replace 404 error messages, home pages and search page or to install our mini-browser only or desktop icons only or all the above.

…Since our AdWare software will be delivered to the end users not only by our system then we must make it customizable for every partner. For example we can create a brand new web site.

…On that web site we will offer to adverts our software only and will ask for 30% share in installations. Advert will be able to build .EXE configured in a special way with all functions that he needs. Definitely 30% of his users will see our mini-browser with our content, not his.

Just stay the heck away from YapBrowser and Yapsearch(dot)com.  Nothing but bad can come from this.
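The document above reads like a feature list of the things that end up in the registry on an infected machine: a replaced home page and search page, the Internet zone dropped to Low, a tray “mini-browser” that starts with Windows. As an added example (my own code, not part of the original post and not anything from the YapBrowser document), here is a PowerShell check that reads those Internet Explorer settings and lists what looks tampered with. The baseline home page value is an assumption you should set for your own environment; the registry paths and the zone level constants are the standard IE ones.

```powershell
# Added example, not code from the original post or from the quoted YapBrowser document.
# Reads the Internet Explorer settings the quoted adware spec says it will tamper with
# (home/search pages, the Internet zone security level, Browser Helper Objects, Run entries)
# and reports anything that looks off. Run it as the affected user; no elevation needed.

# Assumption: your own baseline home page. Adjust before running.
$ExpectedHomePage = 'about:blank'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Home page, search page and their "default" counterparts
#    (quote: "Replace ... home page, search page"). Microsoft's own URLs are tolerated.
$mainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL') {
    $value = (Get-ItemProperty -Path $mainKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -and $value -ne $ExpectedHomePage -and
        $value -notmatch '^https?://([a-z0-9-]+\.)*(microsoft|msn|bing|live)\.com/') {
        $findings.Add("IE '$name' points at '$value'")
    }
}

# 2. Internet zone (zone 3) security level (quote: "Change Security level to... Low").
#    CurrentLevel values: 0x10000 Low, 0x10500 Medium-Low, 0x11000 Medium,
#    0x11500 Medium-High, 0x12000 High. Anything below Medium is a finding.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$level = (Get-ItemProperty -Path $zoneKey -Name CurrentLevel -ErrorAction SilentlyContinue).CurrentLevel
if ($null -ne $level -and $level -lt 0x11000) {
    $findings.Add(('Internet zone security level lowered to 0x{0:X} (below Medium)' -f $level))
}

# 3. Browser Helper Objects: every registered BHO is loaded into IE, so list each CLSID
#    with the DLL it resolves to; an unknown DLL in a user-writable path stands out.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem -Path $bhoKey).PSChildName) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        $findings.Add("BHO $clsid loads '$dll'")
    }
}

# 4. Per-user autostart entries, where a tray "mini-browser" would register itself.
#    Get-ItemProperty adds its own PS* note properties; skip those.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -notin $providerProps) { $findings.Add("Run entry '$($p.Name)' = $($p.Value)") }
    }
}

if ($findings.Count -eq 0) { 'No IE tampering indicators found.' } else { $findings }
```

The BHO list is a listing, not a verdict: compare the DLL paths against what you expect on a clean build. On 64-bit Windows the 32-bit IE also reads BHOs from the Wow6432Node copy of that key, so check both. The zone check only looks at the Internet zone; the same CurrentLevel value exists under Zones\1 through Zones\4 if you want to extend it.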

Alex Eckelberry

Update:   From VitalSecurity: “Just been informed that Techdirt has just picked this up. …and Wayne Porter revisits the ghosts of the past.”

180Solutions targeting kids

People often get adware on their systems through their kids.  Children don’t read EULAs.  They want the funny “punch the monkey” video, so they click away.  That’s why advertising adware to children is considered a Bad Thing.

Last night, Eric Howes, Sunbelt’s director of malware research, was testing an application and did a search on “kids games”. He saw this advertisement:

Games for Kids
Free online games from Zango games. No trial periods, no locked levels, no purchase or subscription required. Get immediate, unlimited access to deluxe game versions for free.
www.zango.com

And checking again this morning, I see the following by simply searching “kids games” on Altavista:

[screenshot: Altavista results for “kids games”]

Clicking the link takes you to the landing page on this second screenshot — note the keyword bid info in the URL. It’s quite apparent that 180 knows that they’re targeting kids, and Overture/Yahoo knows they’re doing it, too.  Logs here. 

[screenshot: Zango landing page]

Check this article (near the end) for Daniel Todd denying that 180 targets kids:

“There is a general misnomer that game sites are kid sites,” he said, adding that 180 Solutions doesn’t target children.

So what is the truth?

Alex Eckelberry

[As it turns out, adware vendors do use search engines to target kids. Direct Revenue’s business records indicate that it buys ads from both Google and Yahoo. And this article finds that many top search results and ads, for one top keyword, yield spyware and other unwanted software — and estimates that Google makes millions of dollars per year from these types of ads. (Thanks Ben).]

Fix for the fix

I got this through Donna (one of my favorite security blogs).

A recent patch, MS06-015, could cause some problems, such as:

Unable to access special folders like “My Documents” or “My Pictures”.
Microsoft Office applications may stop responding when you attempt to save or open Office files in the “My Documents” folder.
Office files in the “My Documents” folder are not able to open in Microsoft Office.
Opening a file through an application’s File / Open menu causes the program to stop responding.
Typing an address into Internet Explorer’s address bar has no effect.
Right-clicking on a file and selecting Send To has no effect.
Clicking on the plus (+) sign beside a folder in Windows Explorer has no effect.
Some third-party applications stop responding when opening or saving data in the “My Documents” folder.

And then there’s this little mention:

The VERCLSID.EXE process is flagged by Sunbelt Kerio Personal Firewall. Sunbelt Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm) has a feature which flags any attempt by an application to launch another application for the user’s approval. Kerio is flagging Explorer.exe’s launch of VERCLSID.EXE. When this occurs, VERCLSID.EXE’s execution stops until the user clicks through Kerio’s notification dialog. Users can configure Kerio to allow VERCLSID.EXE to execute without prompting.

Well, it’s nice to be made famous this way, but the resolution is here, in KB918165.

Alex Eckelberry

For the good of mankind, please update your server software

I see so many compromised servers out there it’s not funny.  Phishing sites, malware, whatever.  

Many hacks are avoidable if people update the software on their web servers to the latest versions.  And then apply good security practices.

PHP, Apache, IIS, whatever you’re running, update it religiously.  

Suzi Turner writes a good post on the subject:

I’ve seen some statistics on phishing sites including estimates of how many of them were compromised sites.  The stats indicate that most of the sites are running older versions of Apache, really old versions in a lot of cases, and a high percentage have PHP. 

Link here.

Alex Eckelberry

What happened to AIM?

A few days ago, a family member was having problems with her email. Since she uses AOL, I figured I’d download AOL Instant Messenger (which I had uninstalled in the past) and use that to IM her the location of a file I wanted her to download.

But as you know, AIM is gone, replaced by Triton, a big fat happy application.  

It also installs AOL Explorer, which you cannot remove through Add/Remove Programs.  And, of course, it puts that irritating “Try AOL Risk Free” entry in your Start menu.

AOL Explorer is basically a skin for Internet Explorer, and provides you no more security than IE.  And I already have IE and Firefox on my home machine, so why would I want a third browser?

Well, after a quick search on Google, I found an entry on Trikenit that explains the painfully obvious way to uninstall AOL Explorer:  You run the uninstallation program that’s located in the program files directory, under AOL, under Explorer.  Thankfully, that’s gone.

And, a comment on Trikenit’s blog alerted me to a place where I can find old versions of AIM.  I went right back to AIM 5.5 (which tries to pre-install WeatherBug and WildTangent, but you just need to opt-out of those if you don’t want them).

Alex Eckelberry 

Destroying data on your company’s PC could get you into trouble

Interesting.

…An important recent decision applies the law in a novel context: the case of an employee who, upon his departure from the company, destroyed company data.  

The employer in the case was engaged in the real estate business.  The employee’s job was to identify properties the employer might want to acquire, and he stored the relevant data on the company-owned laptop that he used.  The employee quit to go into business for himself.  Before returning the laptop to the employer, he deleted the data with the use of a secure-erasure program designed to prevent its recovery.

More here.

Alex Eckelberry

More on the IRS

This was back in late March, but for some reason, I missed it.  I’m completely appalled by this.

The IRS is quietly moving to loosen the once-inviolable privacy of federal income-tax returns. If it succeeds, accountants and other tax-return preparers will be able to sell information from individual returns – or even entire returns – to marketers and data brokers.

Link here.

Now, the preparer will supposedly have to get permission from the individual before sharing their data.  But imagine some person walking into H&R Block and getting a tax return done, and along with a huge pile of things to sign, there’s a notice that their information may be sold to third party marketers.  While my trusty blog readers would balk, not all people read the fine print.

I guess my earlier voiced thoughts on perhaps moving to an anonymous tax system may need to be revisited.  In an electronic world, your personal information is increasingly at risk.

Alex Eckelberry

Ben Edelman interviewed on ClickZ

Interesting interview.  Some snippets:

Q. What’s driven your interest in spyware and advertising on the desktop? Why is Yahoo! the focus of that interest?

A. There’s so much that can be done in terms of how to get onto users’ computers and what to do once your software is there. The concept is so complicated. There are a lot of things that can go terribly wrong, and there’s a lot of room for me to add value by cataloging what’s going on.

Speaking to the second question, time and time again, when I look in dark alleys, Yahoo! is there to be found. I didn’t pick Yahoo!. Yahoo! picked me.

Q. What comes to mind when I say “legitimate adware”?

A. Not much. It’s like “military intelligence” or something. Of the adware that I look at, very little would be installed by a thoughtful, careful informed consumer. It’s just a bad deal. Who wants to trade dozens of pop-up ads for a screen saver that only appears when you’re not even sitting at your computer?

Link here.

Alex Eckelberry

SoftwareOnline.com settles

Software Online, a big spender with Direct Revenue, has settled with the Washington State AG.

From Ben Edelman: 
In April 2006, the State of Washington sued SoftwareOnline.com for unfair business practices arising out of marketing of Software Online’s security software. Complaint (PDF) alleges misrepresenting the extent to which software is necessary for security or privacy, misrepresenting functions on advertisements (e.g. fake user interface ads, where an “x” opened a new ad rather than closing a window), misrepresenting uninstall, and misleading negative-option billing (automatic renewals and future charges). The State of Washington simultaneously announced a stipulated judgment and order (PDF) requiring payment of $40,000 of costs and fees, $400,000 of civil penalties (with $250,000 suspended on condition of compliance with other provisions of settlement). Judgment includes findings of fact as to Software Online’s deceptive practices, as well as conclusions of law as to Software Online’s liability. Settlement prohibits misrepresentation, directly or by implication, of the urgency or need for security products; utilizing fake user interface elements; showing pop-up or pop-under ads through a trial version; and various other deceptive practices.
More here.

Alex Eckelberry

Umm… we’ll get to that phishing site when we please

As you may know, Paul and Robin Laudanski and I started PIRT recently, a project to take down phishing sites.  It’s doing gangbusters and sites are getting shut down at a rapid clip (if you want to volunteer to be a takedown handler, we constantly need help — click here).

Well, sometimes it seems some ISPs just don’t care that much.  Take the example of WebNames in Russia.  

Here’s the email:

—– Original Message —–
From: “WebNames.Ru Support” <support @  webnames.ru>
To: “CastleCops PIRT Squad” 
Sent: Wednesday, April 12, 2006 12:26 AM
Subject: Re: [PIRT #4291] Chase Phish site on your network

CastleCops PIRT Squad writes:
CastleCops PIRT Squad Report 4291

 It has been discovered that a Chase phish is currently operating at 
location(s):

 http://mmn-chase(dot)com/…/ 

 This domains will be checked and disabled in a two days [my emphasis]

 — 
Regards, Michail Egorov,
WebNames.Ru technical support

Two days?  Huh?  Hey WebNames, what’s up, you trying to protect somebody?  These are still live, as I post this blog, stealing people’s money.

Alex Eckelberry

IRS gets records from PayPal

All this upset over the government trying to get search records from Google. But here is another government agency, the IRS, compelling PayPal to turn over records:  

A federal court in San Jose, California, gave the IRS permission to ask PayPal Inc. — a company that enables online money transfers — for account information for American taxpayers who have bank accounts, credit cards or debit cards issued by financial institutions in more than 30 countries reputed to be tax havens.

Link here via /.

I’ve not had bad experiences with the IRS personally.  But income tax is so 20th century.  It was, in fact, struck down by the Supreme Court in 1895, and it took the Sixteenth Amendment, ratified in 1913, to make it legal. 

How about something like the FairTax, that is strictly a tax on retail items with exemptions for the indigent?  

Alex Eckelberry

The hullabaloo over Oklahoma

No, I’m not talking about the musical.  There was an article in the Oklahoma Gazette today that criticized a new antispyware bill being introduced by the Oklahoma Legislature that was written with the assistance of Microsoft.

If you click that “accept” button on the routine user’s agreement, the proposed law would allow any company from whom you bought upgradable software the freedom to come onto your computer for “detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this act.”

The bill, called the Computer Spyware Protection Act (HB 2083), does have some language which indicates that this may be the case:

Sections 4 and 5 of the Computer Spyware Protection Act shall not apply to the monitoring of, or interaction with, the Internet or other network connection, service, or computer of an owner or operator, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, maintenance, repair, network management, authorized updates of computer software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this act.

You can read the bill here and decide for yourself. 

My feeling?  We don’t need new laws.  Believe it or not, we have laws that work just fine for spyware. 

Adding new laws to combat spyware does two Bad Things:

1. Introduces the law of unintended consequences, such as may be the case here.

2. Creates the potential of creating a “safe-harbor” for adware companies and the like (remember, by the time these laws get into legislation, they are watered down by lobbyists, such as we saw with CAN-SPAM, a relatively worthless piece of legislation).

What we need is enforcement of existing laws, and we need to give the Feds more power to work across borders to nail pernicious spyware vendors. 

And if there was one law I would really like to see introduced, it would be punishment for ISPs who knowingly or indirectly support malware sites on their networks.   Why is it you can shut a site down immediately by invoking the dreaded DMCA, but not get it shut down immediately for providing malware? 

Alex Eckelberry
(Thanks Eric)

Ok, the gloves are off when you start messing with Captain America

I’m sure Marvel would not be too happy about this one.

[screenshot: Captain America ad for spy-eliminator.com]

Captain America being used to promote an apparent rogue antispyware application.

IP Address: 66.230.138.193 
IP Location:  – Isprime Inc 

Registration Service Provided By: SOMIC, INC
Contact: +7.8412487023
Domain Name: SPY-ELIMINATOR.COM
Registrant:
  HAYTER MERCHANTS INC.
  Gaspar Santimateo Brias    
  Jasmine Court, 35A Regent Street,POBox 1777
  Belize City
  null,NA
  BZ
  Tel. +420.775688660
Creation Date: 18-Mar-2005
Expiration Date: 18-Mar-2007

Domain servers in listed order:
  ns1.setnames.net
  ns2.setnames.net

Administrative Contact:
  HAYTER MERCHANTS INC.
  Gaspar Santimateo Brias    (info @ i3dk.com)
  Jasmine Court, 35A Regent Street,POBox 1777
  Belize City
  null,NA
  BZ
  Tel. +420.775688660

Status:ACTIVE

Patrick Jordan
Senior Spyware Researcher