Spyware Sucks

OFF-TOPIC: Spam King kills family members, then himself...

sandi — Fri, 25 Jul 2008 01:09:19 GMT

What a shocking turn of events

http://www.denverpost.com/breakingnews/ci_9985333

The dead child was only 3 years old :o(

I have always considered spammers to be the scum of the earth, but this - what sort of person must he have been to be capable of such an act ... I can only hope that there is a Hell, and that he is in it.

Google introduces HTTPS for GMAIL

sandi — Fri, 25 Jul 2008 00:32:46 GMT

And, it's about time too!!

Full details are available via the Google Team announcement:

http://feeds.feedburner.com/~r/OfficialGmailBlog/~3/344985025/making-security-easier.html

UPS spam

sandi — Thu, 24 Jul 2008 10:40:00 GMT

There is a lot of it out there .. here is a screenshot of just one that I received:

First of all, I didn't send a postal package. Secondly, UPS isn't going to us that qq.com address. Thirdly, UPS offers online parcel tracking - why on earth would they send you a document to open? Finally, as far as I know, sending such emails is not standard operating procedure for UPS.

UPS did issue a warning about the virus, but the URL no longer works:
UPS Virus warning

According to urbanlegend.about.com, the text of the warning was:

Attention Virus Warning

We have become aware there is a fraudulent email being sent that says it is coming from UPS and leads the reader to believe that a UPS shipment could not be delivered. The reader is advised to open an attachment reportedly containing a waybill for the shipment to be picked up.

This e-mail attachment contains a virus. We recommend that you do not open the attachment, but delete the email immediately.

UPS may send official notification messages on occasion, but they rarely include attachments. If you receive a notification message that includes an attachment and are in doubt about its authenticity, please contact customerservice@ups.com.

Please note that UPS takes its customer relationships very seriously, but cannot take responsibility for the unauthorized actions of third parties.

Thank you for your attention.

Further information about the UPS spam (the purpose of which, btw, is to fool you running the exe in the zip file, thereby infecting your system with fraudware) can be found here:

http://msmvps.com/blogs/donna/archive/2008/07/14/ups-packet-service-malware-spam.aspx

http://www.pandasecurity.com/enterprise/media/press-releases/viewnews?noticia=9301

http://www.dslreports.com/forum/r20789896-UPS-packet-upsinvoicezip-WORM

http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY%5FZBOT%2EPF

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/342457447/

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/337327468/

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=132901

http://my.opera.com/harrywaldron/blog/2008/07/16/united-parcel-service-fake-email-for-package-non-delivery

Fraudware via Blogspot - no advertising required...

sandi — Wed, 23 Jul 2008 13:17:37 GMT

Actually, it could be fraudware or it could be a p0rn site trying to tempt you into installing a fake media codec depending on the luck of the draw...

Anyway, part of my 'day job' nowadays is keeping an eye on the programs that have been whitelisted by TRUSTe's Trusted Download Program (hence my official title of "Online Compliance Researcher"). There I was, trawling the net, searching for signs of trouble when my PC was broadsided by an unexpected browser hijack...

* !!!WARNING WARNING WARNING!!! - DO NOT VISIT ANY OF THE FOLLOWING URLS WITHOUT THE PROTECTION OF REALLY GOOD ANTIVIRUS AND ANTISPYWARE SOFTWARE, AND A WILLINGNESS TO REFORMAT YOUR COMPUTER TO GET RID OF THE CRUD IF YOUR REALLY GOOD ANTIVIRUS AND ANTISPYWARE SOFTWARE HAPPENS TO FAIL - !!!WARNING WARNING WARNING!!*

Ok, hopefully that warning is big enough and flashy enough and scary enough that *all* of my readers will PAY ATTENTION to the warning.

By a combination of circumstances I ended up at a malicious blog being:
spyware-doctor-2008.blogspot.com/2008/06/desktop-spyware-block-spyware-reduce.html.

(BTW, I should make it clear that the blog in question has *NOTHING* to do with any whitelisted application. The blog page simply happens to mention the name of an application that I was checking on and I stumbled across it thanks to the wonders of modern search engines. There is no association between any TRUSTe whitelisted application and the blog in question. There.. we're clear on that? Good!)

That fun little page has a piece of javascript in the source code that redirects visitors to c1_spyware-doctor-2008_2336_bs.oughtworld.com/images/header.php.

The bs.oughtworld.com site, in turn, pushes us to spyware-doctor-2008_2336_bs.oughtworld.com/index.html, and from there things get a bit random.

Every time I re-tested the oughtworld.com/index.html page, I was redirected to a different site, being one of the following:

grander5.com/soft.php?aid=0253&d=2&product=XPA which redirected to
freewebscanner.com/2009/1/freescan.php?aid=880253

-or-

grander5.com/soft.php?aid=0253&d=2&product=XPC which redirected to online-xpcleaner.com/2/freescan.php?aid=880253

-or-

onlinestreamvide.com/freemovie/541/1/ (which tries to trick visitor into installing a fake video codec)

-or-

avwav.com/2099.htm (this site has some encrypted javascript that I haven't bothered to decode)

-or-

windows-scannernv.com/2008/3/_freescan.php?aid=880218 (a fraudware (fake security software) page)

-or-

getmyvideonow.com/exclusive5/id/3913044/5/black/white/0/Video/ (another site that tries to trick visitors into installing a fake video codec) - WARNING: graphic content via pop-up window

After a certain number of visits to the bs.oughtworld.com/index.html page, we start hitting an Error 404 - there is some IP tracking going on, and once you've had what the bad guys consider to be your fair share of web content, well, they lock you out.

Incidents such as this one make it too easy to draw a connection between various fraud activities, in this case fraudware and online porn and fake video codecs. Yay them.

DOMAIN INFORMATION

oughtworld.com - created 3 June 2008, Registrar DIRECTI INTERNET SOLUTIONS PVT LTD. Its Name Server (itsfreedns.com) Registrar is none other than the infamous ESTDOMAINS.

grander5.com - created 7 July 2008, Regisrar DIRECTI INTERNET SOLUTIONS PVT LTD. WHOIS hidden behind privacyprotect.org. I note that "australianembassy.ru" shares IP address with mynick.name - somebody has a sense of humour.

onlinestreamvide.com - created 17 May 2008, Registrar ESTDOMAINS (why are we not surprised?)

avwav.com - created 5 April 2008, Registrar ESTDOMAINS.

windows-scannernv.com - created 22 July 2008, Registrar DIRECTI INTERNET SOLUTIONS, name servers supplied by MYNICK.NAME. WHOIS hidden behind privacyprotect.

getmyvideonow.com - created 7 July 2008, Registrar ESTDOMAINS. Contact email "iedefender@gmail.com" - those with long memories will remember a fraudware called IEDEFENDER. Coincidentally (yes, I am being facetious) the Registrar for iedefender.com is, can you guess? Yep, ESTDOMAINS.

While we are on the topic of iedefender@gmail.com

Other sites/fraudware associated with iedefender@gmail.com, discovered after just a few minutes digging include:

free-viruscan.com
getvideoc.com
downloaditrightnow.com
files-secure.com
fast-viruscanner.com

My gentle readers may take some amusement from this URL - "IE Defender Folks Playing Games"
http://blog.malwareteks.com/ie-defender-folks-playing-games/

The following is very interesting - the language is, apparently, Ukranian. Promonaut is talking about malwarebytes. Anybody want to translate? I have an archive of the whole page, just in case it disappears ;o)

URL: http://promonaut.livejournal.com/223473.html

CNET hit by malvertizements

sandi — Fri, 18 Jul 2008 06:32:48 GMT

Why is it that after I pontificate that "pushers of malvertizing are finding it harder and harder to get their wares on to high profile, high traffic sites" we receive word that CNET was hit? That'll teach me to keep my mouth shut won't it :o)

Ok, this is a new dialogue box - it appeared when I tried to close the fraudware site window ... yes, clicking on OK does seem to open the Add Favorites window, but who knows what else it may be doing in the background - I still recommend that you use the Red X to close the dialogue box.

Thanks to Donna for the heads up:
http://www.dozleng.com/updates/index.php?showtopic=16111

Spyware Sucks rated 8.3 (Great) on Blogged.com

sandi — Fri, 18 Jul 2008 02:04:41 GMT

How cool is this? I just spotted this email in my overloaded inbox.

"Dear Spyware Sucks author,

Our editors recently reviewed your blog and have given it an 8.3 score out of (10) in the Technology/Internet category of Blogged.com. This is quite an achievement!
http://www.blogged.com/directory/technology/internet
We evaluated your blog based on the following criteria: Frequency of Updates, Relevance of Content, Site Design, and Writing Style.
After carefully reviewing each of these criteria, your site was given its 8.3 score [out of a possible score of 10]."

Nice :o)

Spyware Sucks resides in the sub-category of Internet Security.

Press Release: New Internet Safety Web content provides valuable information for teens, parents, educators and seniors

sandi — Fri, 18 Jul 2008 01:50:23 GMT

Building on the work of his Youth Internet Safety Task Force and the high-tech unit in his Consumer Protection Division, Attorney General Rob McKenna today announced a number of updates to his office’s Internet Safety Web pages.

In partnership with national Internet safety expert, Linda Criddle, author of the Internet safety manual Look Both Ways, McKenna’s office has added fresh information to its Web site for youth, adults, seniors and educators.

“The Internet has made life easier for all of us in so many ways, but it’s also made it easier for criminals, scammers and bullies,” McKenna said. “This new information will help people update their Internet safety regimen and learn ways they may be exposing themselves to ID theft, stalking, scams and other Internet threats.”

Top tips for youth include:

Your personal information is a commodity: Every piece of information you post, and every action you take online has commercial value to someone. The site shows kids how they put can put personal information at risk just by taking surveys, participating in chat, discussion boards, and forums, online dating, creating personal e-mail aliases, sharing images and video, and gaming online. Then it shows them how to protect themselves.
You can be an identity theft victim without even knowing it. Because youth do not check their credit reports, they are prime targets for thieves who open credit in their names and rack up bills the youth may never learn about until it’s too late. Learn how to protect yourself and ways to repair your credit if it is too late.
Even if you and your friends are careful to protect your identities on-line, you may be exposing yourselves to predators through chats on your social media pages. The site demonstrates how easy it is for on-line predators to gather information when people are not careful.
Everything you post is permanent. Once information is posted on the Internet, it can be downloaded and stored indefinitely—even if you take it down—and you have no idea who has viewed it—potential employers, stalkers, classmates, parents.

Information for adults includes:

Ways to be smarter about spending and saving on-line like creating strong passwords, identifying secure sites and safely participating in on-line auctions and classifieds;
Tips for defensive computing including things to keep in mind as you browse, download or share information via the Web; and
Things to keep in mind while mobile computing, including using public computers and mobile phones.

Parents and educators can learn how to protect children with information like:

A checklist for family internet safety, including a family Internet safety contract;
How to protect kids from on-line bullies; and
Unintentional consequences of sharing student information on-line, including photos, school sports schedules and other information that could expose students to predators.

The site also includes tips for seniors like:

How to safely socialize on-line and avoid on-line dating scams;
How to avoid scams that prey on emotions when you are posting information about weddings or deaths; and
Other specialized advice for those with limited experience on the Internet.

TRUSTe changes from not-for-profit to for-profit

sandi — Tue, 15 Jul 2008 09:05:00 GMT

Edited to fix typographical errors

The news is out - TRUSTe is now a for-profit, instead of a not-for profit.

As I am sure all of you have noticed, I have been silent about TRUSTe since I started working with them on 16 July 2008. But now, I think, the time has come to speak.

The number one question being asked of me in my tiny corner of the world, now that the world at large knows that TRUSTe is no longer a not-for-profit, is "Sandi, did you know this was going to happen?"

The answer to the question is yes, I did know that this change was coming. TRUSTe have been completely open and honest with me about their plans. They understood that by associating my name with theirs I was also associating my hard-won good reputation with their reputation, and they wanted to be sure I walked in with my eyes open.

The next question that is asked of me is "Why did you agree to work with TRUSTe?". In personal emails one of my correspondents even described TRUSTe as a scam, and I have been told, more than once, that my own reputation would be harmed by being associated with TRUSTe, and I can understand why they felt such concern. For example, people such as Ben Edelman and Eric Howes have been, and continue to be, very critical of TRUSTe (Eric's comment to Alex Eckelberry's blog entry at Sunbelt about the change from not-for-profit is an excellent example of some of the more negative opinions that are held).

Anyway, the short answer is that I agreed to work with TRUSTe because TRUSTe and I have some of the same goals, and because TRUSTe (and I) saw within TRUSTe a real need that I can fill. Let me try to explain.

I have been doing this ("this" being fighting malware and associated misbehaviors on the Internet in its many forms) for many years - since early 2000. In fact, this October I am up for my 10th Microsoft MVP Award in a row. My world - my sphere of concern, of interest, and of influence - encompasses not only the end user but also the anti-virus and anti-spyware community, and businesses and persons who earn a living from "the Internet". I have had to face up to, and settle within myself to the best of my ability, the inevitable conflicts of interest that arise when I consider the wants and needs of all of those different parties and I cannot pretend that it has not been a challenge.

Just one facet of my struggle has been reconciling the needs and wants of the end user with the needs and wants of the businesses that service them. Over the years, and especially during recent times, I have corresponded with, and spoken in person to, several "bad actors" (aka adware purveyors) who have been working to improve their software's behavior, and one message has come through loud and clear, which is that they often encounter, and are discouraged by, what they perceive as a lack of forgiveness on the part of some members of the security/antispyware community. The strongest impression that I am left with is that the attitude they face is one of "once a sinner, always a sinner" - calls are not returned, emails are not acknowledged, attempts at explanation are rejected, and attempts to get improvements acknowledged and, when justified, changes made to antivirus/antispyware software to stop it from flagging and removing the software that has changed its behavior have been discouragingly difficult to achieve.

My personal opinion is that the "once a sinner, always a sinner" attitude is wrong. To treat "bad actors" as evil personified or not worthy of forgiveness or redemption when they are trying to change their ways, is discouraging at best, and at worst may lead them to throw up their hands and say "why bother trying to change if I'm going to be stuck on the blacklist forever anyway". If that happens, what good have we, the champions for the end user, really done?

Another thing that has been communicated to me over the years is that, sometimes, the demands of the security community may directly harm a business's right to protect itself from piracy or misuse/abuse of its software.

For example, let's look at trial software. If such software leaves behind a registry key, or a hidden file, that is used to prevent the reinstallation of time-limited software, and that key or file has a deliberately obscure name, is that necessarily wrong? Should the fact that a registry key or file being left behind on uninstall be disclosed to the user, even if it means that such disclosure will make it easier for the user to bypass anti-piracy protection? This is just one of the problems I have been confronted by, and have had to devote a lot of time and thought to. What do I put first? The right of the end user to be able to easily find everything related to a particular piece of software (and potentially use that knowledge to 'play the system') or do I give priority to a business's right to avoid piracy of their software?

Some demand that every file, every folder, every registry key, be removed when software is uninstalled and will accept no reasoning nor excuse for its remaining, even if this means that any protection against misuse of trial software is lost. Is this right? In short, no. We have to find a balance - a sustainable balance between the needs of the end user, and the needs of the business that services them.

Then there is the question of advertising and adware. To some, all adware is bad. To others, adware is acceptable with full disclosure, but at the same time long spiels of disclosure text are not acceptable. So, how much disclosure is enough, and how should it be communicated? The greater the disclosure, the more the user has to read and acknowledge, and the greater the risk of confusion. For what its worth, my personal opinion is that the traditional requirement that an EULA be displayed and acknowledged should be discarded. Instead, a succinct list of important points should be displayed, with further detail (aka the full EULA) to be made available on clicking a link. Or, the most important words in an EULA should be highlighted in bold font to draw the eye.

How does all of the above tie in with why I decided to work with TRUSTe? I'm getting to that :)

After many years of watching and talking - of thinking and listening - of agonizing and beating of my breast (ok, I admit it, that last one was deliberately over the top) here are the beliefs on which I stand. I admit that over the years my stance has changed - in the past I have held extremist (and dare I say unrealistic) views about software and software behavior, but so be it. As far as I am concerned, the ability to stand up and say "yeah, I was wrong" is just as important as being right:

Adware is not all bad. I have said several times over the years that I believe that every (wo)man deserves their wage, and I do not have a problem with software authors earning an income from adware. That being said, I also believe that users of software are entitled to know exactly what the adware is, what it will do, and what effect it will have on their computers and their privacy and they *must* be given a clear opportunity to decline the adware if they so desire. I also believe that those who offer software for download have the right to refuse to supply us with their wares, or limit its functionality, if we are not willing to accept adware or pay for the software. I do NOT believe that anybody has the right to try and get around such requirements. We do not have a God-given right get stuff for free, or to play the system, just because we found it on the Internet (yeah yeah, just so you know I don't download movies off the Internet, or burn copies of CDs or DVDs or use pirated software - sucks to be me, but I put my money where my mouth is - do as I do, not just as I say).

Advertising is not all bad. Once again, I believe that every (wo)man deserves their wage. Reality is that it costs money to build and maintain a web site, and make it available to the masses. The alternative to advertising is for web sites to move to a user pays, access by registration only, model, and that is something I do NOT want to see. I do not use ad blockers and only recommend that web page advertising be blocked when the web site in question is displaying malvertizing, and that web site has refused to address the problem after being warned - safety must come first).

"The Internet", as the average user understands it, can not survive on philanthropy.

Good Internet behavior should be acknowledged and encouraged.

Work to rehabilitate and then forgive. Without a chance at redemption we eventually succumb to exhaustion and the temptation to continue down the path we have been treading. It is wrong to be so unwaveringly hard on somebody that they despair of forgiveness.

After many emails and phone calls I can say that I honestly believe that my beliefs and stance, and the beliefs and stance of those who work under the TRUSTe banner, can walk in tandem. And I do not easily lay my reputation on the line. It was hard fought for, and hard won. I am very aware that my readers' trust has been hard gained and can be easily lost but I truly believe that TRUSTe are not the "public relations front for privacy abusive online companies" that some believe them to be. TRUSTe have lofty goals, and the best of intentions, and deserve my support.

My personal opinion is that an important piece of the TRUSTe message and mission is missing from the public perception. A lot of people have focused on who TRUSTe has certified (and that certified party's pre-existing reputation), and TRUSTe's failures and missteps over the years, but how many have sat down and deeply considered the question of, or had a substantial one-on-one heart-to-heart with somebody at TRUSTe about, *WHY* TRUSTe does what it does and what its end goal is? Well, I did just that, and after all the talking and all the listening I believe that a primary goal of TRUSTe, in my own words, is to acknowledge and encourage good behavior; to rehabilitate, support and guide companies in the transition from bad netizen to good netizen, and to offer a chance at redemption and forgiveness, while at the same time maintaining a framework to discipline offenders. TRUSTe aims to encourage best practice, to encourage businesses to continue working toward a lofty standard, and they offer bad actors the chance of redemption. That is why I agreed to work with them, even though that means putting my own reputation on the line. Of course, by doing all of this TRUSTe put their own (and my) reputation on the line every time that they certify (even provisionally) an ex-bad actor, but that is the risk that they (and I) must take.

I don't want to be the unforgiving disciplinarian who is always wielding the big stick, and always hitting my correspondent over the head with the fact that they did bad things in the past, and I don't want TRUSTe to be that either. I see no long term benefit.

I will end with a commentary about the change from not-for-profit to for-profit. I recently spent a week at TRUSTe's office in San Francisco, working with the team behind the Trusted Download Program, and I was there when the change from not-to-profit to for-profit was in its final stages - I was in the room when the announcement was made to all staff and I have spoken in person with Fran Maier as well as TRUSTe management and employees about their dreams and goals and plans for TRUSTe and the effect that the change will have on day to day operations. It saddens me to see anybody allege that now that TRUSTe is a 'for-profit' that TRUSTe (and by association the people behind it) are only in it for the money, because I have seen no sign that such an allegation is true.

I have had far more time to consider this change, to talk to TRUSTe, to ask the hard questions and consider the responses I have received - by phone, by email and in one-on-one conversations where I can look them in the eye and watch them as they respond - than have most, if not all, commentators on this change. I see an opportunity for TRUSTe to improve and grow, not only to offer more services to clients but also, most importantly from my perspective, improve compliance monitoring. After all, that is why they brought me on board. And I can tell you this - every time I have brought an issue to TRUSTe's attention they have acted on the information I have supplied, and I have been happy with the steps that they have taken. Every...single...time.

"What issues?" I hear you say. Sadly, I am not in a position to share specifics - you will have to take my word on trust (no pun intended). I can only hope that I have, over the years, proven myself to be trustworthy in your eyes, and that you will give me, and TRUSTe, the benefit of the doubt.

For now, I need some rest.

Sandi.

A malvertizement featuring XE Radio rears its head again

sandi — Tue, 15 Jul 2008 03:43:02 GMT

Interestingly, the malvertizement features the same campaign as the MediaMan malvertizement that Kimberley found on isuisse, iquebec, ibelgique and ifrance back on 10 July.

Screenshots of the XM Radio malvertizement:

We see various domains when hit by a malicious redirect, including:

stathisranch.net/crossdomain.xml

stathisranch.net/c/index.php?<<removed>>

profitabill.com/?cmpid=asbarrator (this is the same as the MediaMan malvertizement mentioned above)

adnetserver.com/?<<removed>>

adverdaemon.com/?<<removed>>

antispywaremaster.com/data/<<removed>>

sicherheitstool.com/kontroller/?<<removed>>

New malvertizement featuring Levis, myownpursuit.com (Lexus) and the re-emergence of Lady Speedstick

sandi — Tue, 15 Jul 2008 02:11:25 GMT

There have been several malvertizements in circulation, being:

unicastads.com/<removed>/728x90.swf (the original malicious ad has already replaced with a 'clean' one)

unicastads.com/<removed>/300x250.swf (the original malicious ad has already replaced with a 'clean' one)

trueffect-cdn.com/<removed>/300x250.swf

trueffect-cdn.com/<removed>/728x90.swf

pointroll-ads.com/<removed>/300x250.swf?

unicastads.com is registered via Estdomains, as is trueffect-cdn.com and pointroll-ads.com.

At time of writing, the Levis malvertizement is leading users to fraudware sites, including "Vista Antivirus 2008". The pointroll-ads.com SWF also leads victims to fraudware sites, including tds.internetsecuritydeluxe.com/<removed>. I fully expect these two advertisements, now they have been 'outed' to also be 'cleaned'.

Watch out for these malvertizements...

sandi — Mon, 14 Jul 2008 15:12:39 GMT

I have not seen a malvertizement featuring this site before - muchmusic.com

dreammates.com - this one dumped me at virusremover2008.com (domain created on 20 May 2008)

Developments in the malvertizing world - a new distribution conduit involving MySpace

sandi — Mon, 14 Jul 2008 14:42:43 GMT

Kimberley writes about a new distribution conduit that she has found - in this example it is an old malvertizement with a currently inactive campaign.

Details here: Bluetack Forum

In short, funmunch.com is offering a "MySpace Banner" for download that is, in fact, a malvertizement (an old one, but still a malvertizement).

Here's the question - why would funmunch.com make the banner available for download in the first place, presumably without being paid for it, and why would they have left it there after the inevitable complaints were received (of course, we're assuming that MySpace users actually downloaded and used the SWF file, and that victims (sorry, visitors) to the MySpace pages were savy enough to work out how they being hijacked).

Coincidentally, a Jane McIntyre posted a comment to my blog, advising that she had been hijacked while surfing MySpace, and dumped at maxconvert.com (hosted in the Ukraine). I have highlighted maxconvert.com before, and it was discovered that maxconvert.com shares A records with promoplexer.com (a domain associated with fraudware) - a peak at that domain revealed associations with macsweeper and cleantor (both fraudware).

I'm not surprised that the criminals behind malvertizements are using whatever conduit they can to distribute their wares. As advertising networks have gotten better at spotting dodgy advertisements and as the networks pressure their clients (even 'self managing' clients) to check advertising when it is accepted, and as the major web sites have also become more cautious when accepting advertising, and as the names/domains behind malvertizements become more well known, I get the feeling that the pushers of malvertizing are finding it harder and harder to get their wares on to high profile, high traffic sites, with the result being that they are having to pimp their ads to lower traffic, less well known sites where, thankfully, the impact of malvertizing is proportionally lower.

Now, if only we could get MySpace to clean up their act...

Off topic: World's oldest blogger dies...

sandi — Mon, 14 Jul 2008 03:05:39 GMT

How sad, even though it is an event that comes to us all.

An Australian lady credited as being the oldest blogger in the world, Olive Riley, died on Saturday - her blog was a lovely thing to read.

Although her blog, www.allaboutolive.com.au, seems to no longer exist (there is no A Record and according to domain tools, no web site), but you can can get a taste of what she wrote about at a temporary blog set up by a friend called "World's Oldest Blogger".

The Sun Java installer still sucks....

sandi — Wed, 09 Jul 2008 12:34:10 GMT

I was prompted to install the latest update to Sun Java a short while ago, and the installer still sucks.

The installer still triggers a UAC prompt.
The installer still does NOT remove old versions of Java - old versions that take 136 megabytes per version.
The option to install Open Office is still enabled by default, and the English language skills of whoever it was that coded the text on the installer screen need attention.

I swear, if I see a press releases trumpeting an increase in "users" of OpenOffice...
There is still no cancel button, and the openoffice.org graphic sucks ... look how pixelated the text and graphics are.

ALERT: new malvertizement protocols, courtesy of Kimberley

sandi — Wed, 09 Jul 2008 06:30:42 GMT

As always, Kimberley's report makes for fascinating reading:

http://www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=88026

What is especially interesting is that the advertisement in question that started the whole thing was NOT a SWF - it was a GIF - hosted by 247mediadirect.com. The end target, a malicious SWF, is hosted at the same IP.

Hosted (again) in Malaysia, a Robtex search reveals many connections between 247mediadirect.com and known malvertizement domains:

WHOIS:

Registrant: Media Hosting Ltd. 32 Jacka Blvd St Kilda VIC, Melbourne 3182 AU +61-03-9534-52830

Domain Name: 247MEDIADIRECT.COM

Administrative Contact: Pearson, Ross rpearson79@yahoo.com 32 Jacka Blvd St Kilda VIC, Melbourne 3182 AU +61-03-9534-52830

Technical Contact: Pearson, Ross rpearson79@yahoo.com 32 Jacka Blvd St Kilda VIC, Melbourne 3182 AU +61-03-9534-52830

247mediadirect.com was created on 18 May 2008.

The WHOIS information looks legitimate, BUT, the phone number has one too many digits for Melbourne (or the whole of Australia for that matter), and as far as I can tell there is no such company as Media Hosting Ltd - and the address is a parking area close to the ocean.

The building that you see in the picture is "Donovans", a restaurant:

BTW, we have seen 247mediadirect.com before (back in January):
http://www.bluetack.co.uk/forums/lofiversion/index.php/t18306.html

ALERT: malvertizement featuring classmates.com

sandi — Wed, 09 Jul 2008 00:32:28 GMT

Campaign URLS (you will note that the campaign is identical to the one for the Skype malvertizement):

waytotheprofit.com/?cmpid=contangogo
station-appraisals.com/c/index.php?id=<<removed>>

ALERT: Malvertizement featuring Skype

sandi — Wed, 09 Jul 2008 00:17:23 GMT

No company is safe from impersonation....

Campaign URLS:

waytotheprofit.com/?cmpid=contangogo
station-appraisals.com/c/index.php?id=<<removed>>

The waytotheprofit URL leads us to an adverdaemon.com URL, and from there to the fraudware site - I ended up at a German site, being sicherheitstool.com.

Robtex reports that "sicherheitstool.com is a domain controlled by two nameservers at sicherheitstool.com themselves. They are on the same IP network. Incoming mail for sicherheitstool.com is handled by one mailserver which are also at sicherheitstool.com. sicherheitstool.com has one IP record . virusvakt.com, winanonymous.com, avsystemcare.com and at least seven other hosts point to the same IP."

sicherheitstool.com is hosted by Webair Internet Development Inc (http://www.webair.com/). Feel free to complain to them ;o)

An interesting browser hijacking that I have not seen before... watch out for the "free" Geobytes Geoflag

sandi — Tue, 08 Jul 2008 12:49:50 GMT

Edit: the Geobytes flag has been removed from the blog being discussed below - YAY!!!

I was pinged by another MVP tonight, who was very concerned because he had visited a blog on msmvps.com, only to have his web browser immediately hijacked - redirected away from the blog he wanted to read to ozdirect.com.au. So, I went to take a look.

I, also, was immediately redirected away from the blog to ozdirect.com.au.

Thankfully I had made sure that Fiddler was running in the background, just in case, because the hijack occurred once, and I can confirm that the free Geobytes Geoflag on the blog is what is hijacking visitors to the blog in question.

This is what happens.

When the blog loads, I see the following request and response:

Note the window.open and reference to ozdirect.com.au

Now, look what happens if I refresh the blog:

Request and

No more window.open or ozdirect.com.au.

Now, it just so happens that Geobytes states on their web page that, if you add the free Geoflag to your site, the following will occur:

Source: http://www.geobytes.com/GeoPhrase.htm

The site then goes on to say:

The problem is, the "new window [with] the original intended content" did not open - not for me, and not for my MVP correspondent.

I mean, seriously, what website owner in his or her right mind would agree to allowing his or her visitors to be hijacked - dragged away from their site and dumped somewhere else under such circumstances in a world where pop-up blockers are the rule, rather than the exception. Oh, and by the way, I have long since disabled the pop-up blocker in IE8 on my system - I need to see pop-ups as part of my role as an Online Compliance Researcher, so we can't even blame a pop-up blocker for Geobytes' failure to open the promised new window on this system.

We will report the problem to the blog's owner, so hopefully the nasty little flag will be gone soon... What nasty flag? This nasty flag - the Australian flag that you can see in the screenshot below:

New malvertizement featuring Forex AutoPilot

sandi — Sun, 06 Jul 2008 06:45:47 GMT

Kimberly, who is monitoring the ongoing malvertizement problems at isuisse.com, ibelgique.com and iquebec.com, has discovered a new malvertizement featuring Forex Autopilot.

"A yet unseen, new malvertizement is present on the homepage of isuisse.com, ibelgique.com & iquebec.com. The banner advertises Forex AutoPilot and the creative is belonging to the new generation created with Fuse Kit 2.1.4. This is now the FOURTH malicious banner discovered since June the 12th on websites belonging to the group iEUROP. Just on a site note, the XM Radio malvertizement is also being displayed at isuisse on the portal page. This brings the count up to THREE active malvertizements being served to the visitors!!! Imagine the number of users being redirected to fake online scanners ... Enough is enough, this has to stop."

Malicious domains:

adoptserver.info/_statis.gif?url=[removed]
windowsxp-privacy.net/?id=198760063
xponlinescanner.com/soft.php?aid=024202&d=3&product=XPA
xponlinescanner9.com/2009/1/freescan.php?aid=77024202 (registered 1 July 2008)

Fraudware sites:

antivirus-2009.com
antivirus-database.com
antivirus2009professional.com
xpantivirusonline.com
xponlinescanner.com
xponlinescanner9.com

Images courtesy of Kimberley

Source: http://www.bluetack.co.uk/forums/index.php?showtopic=18064&pid=87978&mode=threaded&show=&st=90&#entry87978

Oh goody. Another SWF display conduit to keep an eye on :o(

sandi — Thu, 03 Jul 2008 05:28:18 GMT

Adobe Reader 9 has been released, and guess what, it can display SWF and FLA files... I wonder what implication this has with regards to the security landscape surrounding malicious SWF. Are we going to have to watch out for PDFs which contain malicious SWF?

I simply do not have enough information to judge the safety implications (or otherwise) of this new Adobe Reader feature... I quote from the announcement on the Adobe reader blog:

"Adobe Reader 9 can natively display rich media content, which you'll notice immediately with Portfolios. Interested in viewing SWF and FLV files? Adobe Reader 9 is the answer."

The first thing that occurs to me that is our number one complaint about malicious SWF is that there is no way for the end user to stop the initial hijack that exposes them to malicious domains. If Adobe Reader 9 prompts for user permission before opening a web browser, then in that way Adobe Reader is a safer way to view SWF. If, on the other hand, the Reader allows an SWF to open a web browser without user interaction, then we are facing yet another conduit to danger.

Source: http://blogs.adobe.com/adobereader/2008/06/adobe_reader_9_is_here_1.html

Oh, and while I think of it - the ActiveX changes in Internet Explorer 8 have the potential to make things safer for users when it comes to malicious SWF (and other ActiveX controls). This is because IE8 will allow the user to choose to install ActiveX for all users, or just one user on the computer, AND it also will also introduce "per site" ActiveX. That is, when you are prompted to allow an ActiveX control to run, you will be able to choose to allow the control to run at that one web site, or all web sites. So, if you need Flash for one particular site, but don't want Flash to be available to other sites, then you will be able to approve Flash for just that one site - cool, yes?