The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/mar13,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
Quick! Run for the hills! Firefox spyware is running rampant and infecting every computer in sight!
*sigh*
Sometimes I just want to bang my head on the desk and keep doing it until the desk surrenders unconditionally. If you were to believe several online news sites, there is an epidemic of spyware infecting Internet Explorer by way of Firefox. If you were also to believe that these accounts were written by competent journalists who have checked their facts, you would be wrong on both counts.
The situation these people are "reporting" on (to use the term loosely) involves a malware installer that uses Sun's Java runtime environment. Let me explain what Java is.
Java is similar to Microsoft's .Net environment. It is a programming language which requires the user to have the "runtime environment" files installed on the computer. It also is similar to the Visual Basic runtime environment. You have to have Windows Scripting Host installed for Visual Basic script files to run. For .Net or Java programs to operate, you have to have the proper files for those programming environments installed.
All current graphical web browsers include support for a Java "plug-in". What that does is allow small Java programs, or applets, to be run inside of a web browser window. You can do some pretty cool things with Java applets. These applets are run by the Java environment installed on the computer, not by the browser.
Normally, a Java applet runs in a "sandbox", a protected area of computer memory that cannot interact with the rest of the system. Unlike ActiveX, a Java applet can't install software without explicit permission because of this sandboxing. If a Java applet tries to access the system outside of its sandbox, a security alert will pop up, warning the user and asking if the user wishes to allow the action.
The Java applet causing the current ruckus installs a number of spyware and adware programs. However, before it can do that, a security prompt pops up. The pop-up is labeled "Warning - Security". It warns that the "Publisher authenticity can not be verified", that "the security certificate was issued by a company that is not trusted" and that "the security certificate has expired or is not yet valid". Under no circumstance does this rogue Java applet install software without the user giving it permission to do that. And to be honest, you'd have to be pretty dense to click "Yes" to such a prompt arriving out of nowhere.
What is truly sad here is that the news sites I mentioned earlier are portraying this as a spyware targeting and infecting the Firefox web browser. These news sites are doing a grave disservice to their readers by misleading them. This is not a problem with Firefox or with any other web browser.
It is Java running this installer. In fact, Java is doing exactly what it was designed to do by popping up the security warning when the installer attempts to bypass the protected sandbox. This is the very reason the sandbox exists, to stop malicious software exactly like this. This is an extra layer of security beyond what you'd see with ActiveX. With ActiveX, you either let it run or not. With Java, you either let it run or not and it also warns you when the Java applet is trying to do something suspicious after it has started to run. Yes, this sandboxing can be bypassed if a flaw exists and is discovered. Be sure you keep your installation of Java up to date because Sun fixes these flaws when they are discovered.
Whether or not this is a problem with Java is debatable. Personally, I don't see this installer as a problem. It can't do anything unless the user ignores a very stern security warning. Still, people can debate this all they want.
My frustration with this is that people are calling it a problem with Firefox. That is patently untrue. Every single browser is going to pop up a similar warning when it encounters this particular Java applet. If this had been labeled a problem with all web browsers, it still would be untrue, but at least it would not slander a particular browser. The people publishing this libelous nonsense should be ashamed of themselves and should print a prominent correction.
Update
It has come to my attention that several people have sent hate mail to the authors of the articles linked below. Don't do that. That is foolish. If you are going to disagree with the writer(s), do it politely. Save the hate mail for people who write spam and spyware.
Alternative browser spyware infects IE
Firefox Spyware infects IE?
Everything you do on your computer leaves a trail behind. When you surf to a web site, you leave behind internet cache, address bar history, web site visit history, and cookies. When you open a document, Windows saves the filename into the registry. When you run certain programs, Windows saves a file into a temporary folder, and often doesn't delete it afterward.
Evidence Terminator optionally cleans all of the following:
Recycle bins on every drive in your system.
Internet history logs stored on your hard drive.
Internet cookies.
Temporary Internet Files (caches and other media files).
Temporary program files.
Recent documents list.
Backup files.
LOG files.
CD burner software temp files.
Program temp files not in the system temp folder.
Those evil index.dat files, no matter how many of them you have.
Overwrites files to help prevent recovery.
The drop down URL list from IE.
The run list, find computers list, and recently searched file list.
Evidence Terminator is made by the authors of Spycop anti-spyware software. Spycop is an excellent program for detecting and removing surveillance spyware such as Spectorsoft, iSpynow, WinWhatWhere and others. It is considered by some to have the largest database of surveillance spyware on the market.
If you have any problems with the ordering page or with the coupon code (SPYC-YB5E-EVT), please email Catherine at http://www.spywareinfo.com/email2.php. Be aware that the reduced price won't be reflected on the purchase site until you reach the checkout page.
iDownload, the company responsible for a toolbar known as iSearch, has resorted to threatening to file lawsuits against several web sites that categorize the software as spyware or malware. Claiming that their brand has been disparaged falsely, iDownload is demanding that these web sites remove any material which labels iSearch as malware, foistware or spyware.
Is iSearch malware? Yes, it is. And I can prove it.
You may remember that a few months ago, trojans began circulating on file sharing networks disguised as protected media files.
Windows Media Player (WiMP) has DRM features that allow music and video files to be restricted. The restriction may be that you can only listen to the file a certain number of times or for a certain period of time. To determine this, when the file is loaded into WiMP, it will contact an internet server to retrieve information about the license and any restrictions. If a license is not found, WiMP will load a license window using the Internet Explorer browser engine.
An antipiracy company named Overpeer has been exploiting this behavior to infect unsuspecting computer users with spyware and adware. They have been flooding file sharing networks with fake music files with embedded DRM instructions. When played in WiMP, these files cause WiMP to open a license acquisition window in Internet Explorer. When that happens, the page loaded within the license window tries to install spyware using various security flaws.
Among the dozens of programs that could be installed by way of these trojans is the iSearch toolbar. If you run one of these trojans, it will pop up a license window which loads a page prepared by iDownload. That page loads an ActiveX control which attempts to install iSearch. If your security settings are configured properly, you will see a security warning asking your permission to install software. This security dialog claims to be a required update to "Media Player 9". In fact, it has nothing to do with Media Player but is really iSearch software from iDownload. You can see an example of this security warning pop-up at DSLReports.
The security pop-up is intentionally misleading. It is designed to trick the user into thinking they are installing some sort of update for Windows Media Player. Since the process that leads up to this security warning is the playing of a file in Windows Media Player, no doubt many people would be fooled into installing it. This behavior, on its own, is malicious.
If you are unfortunate enough to be fooled into installing iSearch, your computer undergoes one of the most serious hijacks I have ever witnessed. There are three different pieces of software from iDownload with which you may end up. A single piece of iDownload software might not exhibit all of the behaviors listed below, but between the three, these are the behaviors you may encounter.
1.) Your Internet Explorer home page is changed to isearch.com. You cannot change the home page to point it to any other web site while the software is installed.
2.) If you mistype the name of a web page and the web site's server returns an error, instead of seeing the error message, you are redirected to isearch.com. You cannot change this behavior while the software is installed.
3.) The software will begin launching a barrage of pop-up and pop-under ads.
4.) The software will store logs of your web surfing habits.
5.) The software will connect to iDownload servers to download and install updates to itself. It also may install completely unrelated software from other adware and/or spyware companies. Further, it may also scatter icons all over your desktop.
6.) The software may disable competing adware software. While that in itself is not such a bad thing, disabling some of those adware programs may render inoperable the programs they are "sponsoring". For instance, if Cydoor adware is disabled, KaZaa stops working.
7.) There have been numerous reports of antivirus and antispyware software being disabled by iSearch. I haven't seen this for myself but there are numerous reports of it.
8.) If you try to delete the files involved with iSearch, the software will reinstall itself. If you run the company's uninstaller, rather than uninstalling the software, it simply reinstalls anything you might have removed yourself (Sources [1][2]). This behavior is soon to be outlawed if the US House of Representatives passes the SPY ACT. So not only is it malicious, it also soon will be illegal.
iDownload knows that if they actually were to take an antispyware web site owner to court, they would lose the trial. It would be a simple matter to demonstrate the behavior of this software. I have no doubt that any judge and/or jury would agree that the software is malicious and deserves the label of "malware". This explains why all of the sites that have received these threats are independent sites run mainly by volunteers. Even when you are right, it still costs anywhere from $10,000 to $12,000 to prove it in court.
There is a difference between SpywareInfo and most other antispyware sites. The difference is that SpywareInfo makes money. Between the loyal readers of this newsletter who buy the products promoted here and the grateful former spyware victims who send donations through Paypal or by mailing checks, SpywareInfo has the resources to face any threat to its existence.
You may remember last year that a powerful denial of service attack was launched against SpywareInfo. For a brief period, the site was gone. Then, three weeks later, SpywareInfo came back to the web and it has stayed ever since. This was accomplished through the purchase or rental of nearly a dozen redundant web servers. The attackers tried for months to knock down the site. When they realized that I had more resources to fight them than they had to fight me, they finally gave up. There hasn't been a serious attack on the site for several months.
iSearch is malware. This is easily demonstrated. Any sane jury would agree once they see the demonstration. Simply put, I have more than enough resources to fight a frivolous lawsuit. I have more than enough evidence to win a lawsuit. If iDownload wants to challenge my statements in court, the mailing address is PO Box 2378, Reidsville, GA USA 30453.
Having been a player in the spyware world for so long, nothing really should surprise me anymore. Still, this shocked me. It seems that web sites designed for child visitors are the most likely to try to install spyware and/or browser hijackers.
I really can't put my finger on why this surprises me. Spyware and hijacker makers have no ethics or morality. They care for nothing except for sneaking their garbage onto as many PCs as possible. Why not target children?
I don't know what the final version of the various spyware bills floating around Congress will look like. I do have copies of the latest drafts but those are just drafts. I sincerely hope that whatever law finally is signed outlaws the automatic installation of hijackers.
The National Telecommunications and Information Administration (NTIA) has mandated that domain registrars selling .us domains can no longer permit their customers to use proxy services to register their domain. All .us owners are being required to make their names, addresses, email addresses and telephone numbers available to all stalkers and criminals via the public WHOIS database.
I own malware.us. Right after I bought it, I registered it with DomainsByProxy in order to keep my information out of the public WHOIS database. This is to keep the people who make the software I help to destroy from harassing or threatening me. Unless this law is repealed before that domain comes up for renewal, I will have to decide whether or not to make my information public, put in false information or drop the domain.
Bob Parsons, the CEO of GoDaddy, is doing all he can to fight this. He went to Washington D.C. to talk to the NTIA. Unfortunately, he was given the brush off.
This is a disgusting development. The NTIA claims that forbidding the use of proxy registration services was a part of the original agreement between the Department of Commerce (NTIA's parent organization) and the domain registrars accredited to sell .us domains. This is a lie. No such clause exists in the agreement.
The NTIA claims this is being done in order to aid law enforcement agencies. This is a lie. Law enforcement agencies prefer private registrations because the people who use them are far more likely to provide accurate information to the proxy service. They can get at that information with the use of a valid warrant.
The NTIA has exceeded its authority in this matter. Some nameless, faceless bureaucrat decided to implement policy on his own and this was the result. Interestingly, the NTIA refuses to name the person responsible for this new policy. It must be nice to be the only person allowed to shield your name and telephone number from the public.
Parsons recommends that everyone who objects to this policy contact their senator or congressperson. I wrote letters to my representatives which I will reproduce below:
Dear Congressman Marshall:
Dear Senator Isakson:
Dear Senator Chambliss:
I am the owner of a web site named www.malware.us. The purpose of this site is to provide a private forum for vendors of security software and independent researchers to exchange information about software viruses, worms, spyware and security flaws. A mailing list is provided to these persons and companies, free of charge. I would like to point out that an employee of the Federal Trade Commission (Beverly Thomas) is subscribed to this mailing list. I have worked with her in the past as she worked on behalf of the FTC on spyware issues and look forward to working with her and FTC in the future.
At malware.us there also is a repository of malicious software. This repository is provided so that security software vendors may have free access to malicious files gathered by independent researchers. As a result of my activities on this site, unscrupulous and unethical persons who spread malicious software around the internet see their creations targeted by a wider array of security software, such as Lavasoft's Ad-aware and Magnus Mischel's TrojanHunter program.
This places me in the awkward position of being responsible for causing financial damage to criminals with no morality or ethics. To protect myself from harassment and the possibility of physical attack, I registered this web site with a proxy service to protect my name, address and phone number. The registration information published in the WHOIS database reflects the proxy company's contact details, not my own. This is to protect my privacy and safety from people who no doubt would wish to harass or harm me.
I recently became aware of a decision made by the National Telecommunications and Information Administration (NTIA) that prohibits private domain name registrations for .US web domain names. This decision was made by the NTIA unilaterally and without public hearings of any kind. I believe that the NTIA's decision violates my right to privacy as an American and goes against the legislation enacted by Congress in recent years to enhance the privacy of individuals. It also places me in physical danger.
I ask that you, as my representative in the US government, contact the NTIA and have them explain why they made this decision and why they feel they have the right to deny me, as a law abiding citizen, my right to privacy and safety. I also ask that you direct the NTIA to reverse its decision and once again allow private registrations for .US domain names.
Sincerely,
Mike Healan
Editor,
www.spywareinfo.com
If you are a California citizen and have ever discovered any of the following software on your computer (and you have no idea how you came to have that software installed), please send me an email: Bullseye, Navisearch, eXact Searchbar, Photo Gizmo, FunGamesDownloads, eXact Match, Cashback by BargainBuddy. I have someone who is very interested in interviewing you.
As you probably know, Windows XP comes with its own firewall. In Service Pack 2, that firewall may come enabled by default, if no other firewall is present. The purpose of a software firewall basically is to close network ports to any piece of software trying to access those ports, as well as to keep remote traffic from entering through those ports.
Someone recently discovered that Microsoft has left a glaring hole in this firewall. Any application running on the computer can simply edit the registry and exempt itself from the firewall's rules. That means the Windows firewall will just ignore a piece of software once that software performs a simple registry edit. That defeats the purpose of having a firewall in the first place, if software can bypass it so easily.
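Since any program can add itself to the exemption list, the practical defence is to audit that list rather than trust it. The following is an added example (not code from the newsletter) that reads a registry export of the exemption list and flags entries that are not in a known-good baseline. It assumes the XP SP2 storage layout, which is general Windows knowledge rather than something the page states: each exemption is a string value under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List whose data reads "path:scope:Enabled|Disabled:display name". The sample export, the paths and the baseline are all constructed.

```python
r"""Audit Windows XP SP2 firewall application exemptions from a registry export.

Added example, not code from the newsletter. It assumes the XP SP2 storage
layout (general Windows knowledge, not something the page states): every
exemption is a string value under
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
\StandardProfile\AuthorizedApplications\List
whose data reads "<path>:<scope>:<Enabled|Disabled>:<display name>".
Export that key with "reg export <key> fw.reg" on a schedule and diff it
against a baseline, and a self-added exemption shows up.
"""
import re
from dataclasses import dataclass

# Constructed sample export. The paths and display names are made up; the third
# entry mimics an executable that exempted itself from a temp directory while
# borrowing a Windows-sounding name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\User\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\svchost.exe:*:Enabled:Windows Update Helper"
"C:\\Program Files\\Old App\\old.exe"="C:\\Program Files\\Old App\\old.exe:*:Disabled:Old App"
'''


@dataclass
class Exemption:
    path: str
    scope: str          # "*" means any remote address; otherwise an address list
    enabled: bool
    display_name: str


# "name"="data" lines of a .reg file; .reg escapes backslashes and double quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# The path itself contains a colon (drive letter), so anchor on the scope and
# state fields, which never do.
_DATA_RE = re.compile(
    r'^(?P<path>.*?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$',
    re.IGNORECASE)


def _unescape(s: str) -> str:
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_exemptions(reg_text: str) -> list[Exemption]:
    """Return every application exemption found in the exported key."""
    found = []
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if not m:
            continue
        d = _DATA_RE.match(_unescape(m.group(2)))
        if not d:
            continue
        found.append(Exemption(d['path'], d['scope'],
                               d['state'].lower() == 'enabled', d['name']))
    return found


# Constructed baseline: the exemptions expected on this machine (lower-cased).
BASELINE = {
    r'%windir%\system32\sessmgr.exe',
    r'c:\program files\messenger\msmsgs.exe',
}
TEMP_DIR_MARKERS = ('\\temp\\', '\\local settings\\', '\\temporary internet files\\')


def audit(exemptions: list[Exemption], baseline=BASELINE) -> list[dict]:
    """Flag enabled exemptions that are not in the baseline, with reasons."""
    findings = []
    for e in exemptions:
        if not e.enabled:
            continue
        path = e.path.lower()
        if path in baseline:
            continue
        reasons = ['not in baseline']
        if any(marker in path for marker in TEMP_DIR_MARKERS):
            reasons.append('executable lives in a temporary directory')
        if e.scope == '*':
            reasons.append('open to any remote address')
        findings.append({'path': e.path, 'name': e.display_name, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit(parse_exemptions(SAMPLE_REG_EXPORT)):
        print(f"{f['path']} ({f['name']}): {', '.join(f['reasons'])}")
```

Disabled entries are skipped because they grant nothing; the interesting signal is an enabled entry you did not put there, and a temp-directory path or a display name that imitates a Windows component is what usually distinguishes a self-registered program from a real one.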
Well, no one ever claimed that the Windows firewall was any good. My own preference for a firewall is Kerio 2.15 (I don't like the newer 4.x versions). Kerio finally seems to have deleted all references to 2.15 from their web site but you still can download the 2.15 installer from http://www.kerio.com/dwn/kpf2-en-win.exe. DSLReports has an excellent user support forum for Kerio.
A doctoral student at the University of California has devised a means of fingerprinting a computer and tracking that computer across the internet. This fingerprinting defeats all known methods of hiding the identity of a computer. Attempting to use proxy servers, NAT firewalls, routers or any other method fails to hide the identity of the computer.
The fingerprinting is very simple to understand. Every computer has an internal clock. That clock is inaccurate by a minuscule amount of time. Only an atomic clock is perfectly accurate. This inaccuracy is referred to as "clock skew". By analyzing the network packets being sent by a computer, the clock skew in the computer's internal clock can be measured. It is believed that no two computer clocks will have the exact same level of clock skew. Changing the computer's time will have no effect on this fingerprinting process.
The only way to defeat this fingerprinting is to instruct your computer to not attach a time stamp to every packet it sends over a network or to falsify the timestamps. Doing this can be either simple or very complicated, depending on your experience with computers. I wouldn't know how to do it myself. I wouldn't be very surprised if someone comes out with a software tool to do just that.
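To make clear why resetting the clock does nothing and why withholding timestamps is the only real countermeasure, here is an added example (not code from the newsletter or from the UC research it describes) that simulates the measurement offline. It constructs a packet trace in which a sender stamps each packet with its own clock and a receiver notes the true arrival time, then recovers the sender's skew from the drift of (stamp minus arrival) over time. It uses an ordinary least-squares fit as a simplification of the published method; the skew, clock offset, path delay and jitter values are all made up.

```python
"""Clock-skew fingerprinting, simulated end to end.

Added example, not code from the newsletter or from the research it describes.
A sender stamps packets with its own (skewed, possibly reset) clock; the
receiver records true arrival times. The skew is the slope of
(sender stamp - arrival time) against arrival time. A clock reset only adds a
constant to every stamp, which leaves the slope untouched. Least squares is
used here for readability; the published method fits a lower bound with
linear programming. All numeric parameters are constructed.
"""
import random

PATH_DELAY_S = 0.020      # constant one-way delay, seconds (constructed)
JITTER_S = 0.002          # uniform jitter added to each arrival (constructed)


def simulate_trace(skew_ppm, clock_offset_s, n=600, interval_s=1.0, seed=7):
    """Return (arrival_time, sender_timestamp) pairs for n packets.

    clock_offset_s is what "changing the computer's time" amounts to: a
    constant added to every stamp. skew_ppm is drift in parts per million.
    """
    rng = random.Random(seed)
    skew = skew_ppm * 1e-6
    trace = []
    for i in range(n):
        true_t = i * interval_s
        sender_stamp = clock_offset_s + true_t * (1.0 + skew)
        arrival = true_t + PATH_DELAY_S + rng.uniform(0.0, JITTER_S)
        trace.append((arrival, sender_stamp))
    return trace


def estimate_skew_ppm(trace):
    """Least-squares slope of (stamp - arrival) over arrival, in ppm."""
    xs = [arrival for arrival, _ in trace]
    ys = [stamp - arrival for arrival, stamp in trace]
    n = len(trace)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def same_clock(trace_a, trace_b, tolerance_ppm=1.0):
    """Treat two traces as the same machine when their skews agree."""
    return abs(estimate_skew_ppm(trace_a) - estimate_skew_ppm(trace_b)) <= tolerance_ppm


def offset_is_invisible(skew_ppm=50.0, offset_a=0.0, offset_b=3600.0):
    """One machine, clock reset by an hour between captures: estimates agree."""
    est_a = estimate_skew_ppm(simulate_trace(skew_ppm, offset_a))
    est_b = estimate_skew_ppm(simulate_trace(skew_ppm, offset_b))
    return abs(est_a - est_b) < 1e-3, est_a, est_b


if __name__ == '__main__':
    agree, a, b = offset_is_invisible()
    print(f"skew before reset: {a:.2f} ppm, after reset: {b:.2f} ppm, same: {agree}")
    other = simulate_trace(53.0, 0.0)
    print("distinct machine at 53 ppm matches:", same_clock(simulate_trace(50.0, 0.0), other))
```

Two points follow from the fit. With a few hundred packets, a few milliseconds of jitter averages out and skews a few ppm apart are separable, which is why NAT or a proxy does not help: the stamps travel inside the packets regardless of who forwards them. And since the estimate depends only on the slope, the sole input a defender controls is whether a stamp is emitted at all, which is the newsletter's advice.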
After acquiring Advertising.com recently, AOL has terminated all business between Advertising.com and adware companies such as WhenU and Claria.
Somehow, it just feels wrong to praise AOL for anything. However, I very much applaud this decision. Sadly, Yahoo decided against making this exact decision when they acquired Overture last year. A significant percentage of the income generated by Claria comes from its business with Overture. Yahoo even briefly exempted Claria and other adware from its antispyware scanner. After a nasty public backlash, they reversed that decision.
Say what you will about AOL, recently they have been very active in protecting their users from spyware and spam.
Still, I can't mention AOL without bashing it at least once. With that in mind, I will mention that the terms of service for their AIM instant messenger program have been updated recently. These new terms are rather hostile to their users. The new terms give AOL the right to eavesdrop on instant message chats and to use those messages in any way they see fit. They explicitly deny their users any right to privacy over the AIM network.
All I can say is not to use the AIM network for chatting. Use ICQ, MSN, Yahoo or Jabber. There are other instant messenger networks out there. And even if you aren't using the AIM program, if you use a program such as GAIM or Trillian to chat over AOL's network, the terms still apply to you. So be careful what you say to someone if you are using AOL's network. You could find it published somewhere by AOL.
Update
Having read several of the stories about this, AOL's Andrew Weinstein has stated in an interview with the Houston Chronicle that the offending clause of their Terms of Service does not apply to AIM and that chatters are not being spied upon. You can read his statements here: http://www.chron.com/cs/CDA/ssistory.mpl/tech/blog/3082956
I'll mention this, with commentary, in the next newsletter.
Update 2
AOL has decided to rewrite their TOS to specifically exempt user-to-user chatting from the objectionable portions. The phrase "you waive any right to privacy" will be removed entirely. According to my interpretation of what AOL is saying, those terms will apply only to people using their message board, not to their chat program.
In a very odd move, both Lavasoft and Computer Associates removed detection for WhenU software last month. What was odd about it is the fact that neither company was willing to discuss the decision. Both sites also removed virtually every mention of WhenU from their online databases.
After taking a nasty beating from their users on several web sites, Lavasoft reversed their decision. Saying that the decision to delist WhenU was due to its rating on Lavasoft's Threat Assessment Chart, Lavasoft said that they would be revising their targeting guidelines and reintroducing WhenU software into their targeting database. From all appearances, Lavasoft's rigid adherence to an arbitrary "malware scoring system" led to them painting themselves into a corner.
What is most bizarre is that at nearly the same time, Aluria Software added WhenU back into their own targeting database. Aluria announced last year that they had certified WhenU's software to be spyware free and removed WhenU software as a target. Aluria even partnered with WhenU to produce software. It was a surprising and unpopular decision that cost Aluria the goodwill and trust of much of the antispyware community.
Aluria's president Rick Carlson stated during an interview that Aluria will continue to target WhenU's software in the current and future versions of Aluria Spyware Eliminator. Aluria has introduced a new category of software that will be targeted in their antispyware program. The new category is labeled "consumerware" and will be for software that doesn't fit the strict definition of spyware or malware but still deserves to be targeted by the antispyware scanner.
WhenU will be in this "consumerware" category, as well as other software such as VNC. VNC is software that allows one person to control a computer completely across a network. While it has a perfectly legitimate purpose, it can be misused to remotely take over a computer, without the owner's knowledge.
Carlson hinted that this "consumerware" category was Aluria's intention all along, when they publicly delisted WhenU's software late last year. He admitted to being shocked and dismayed at the negative response to Aluria's decision to delist WhenU and to partner with them on creating software. Carlson believes Aluria is helping to move WhenU into more legitimate business practices by obligating them to adhere to the "spyware free" certification.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved.