Spyware Weekly Newsletter · May 18, 2004
The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/may18,2004.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
Browser hijackings are more than just annoying
Browser hijackers are annoying. They lock you out of your own browser controls. They redirect you to porn sites or bogus search portals. Many of them launch a barrage of pop-up ads. Most set hooks deep into Windows and hold on for dear life when you try to remove them. Some people simply give up and turn off their computers permanently.
For some people, becoming infected with a browser hijacker can ruin their life. Someone whose company computer becomes infected with the pornographic variety of browser hijacker may find themselves in very hot water. People have lost their jobs and their spouses and, in some cases, have been put in jail.
From Wired News:
"The police raided my house on Sept. 17, 2002," said "Jack," who came to the United States from the former Soviet Union as a political refugee, and has requested that his name not be published. "Nobody gave me a chance to explain. I was told by judge and prosecutor that I will get years in prison if I go to trial. After negotiations through my lawyer I got 180 days in an adult correctional facility. I was imprisoned for 20 days and then released under the Electronic Home Monitoring scheme. I now have a felony sex-criminal record, and the court ordered me to register as a predatory sex offender for 10 years."
Jack originally believed that the images found on his computer were from a previous owner -- he'd bought the machine on an eBay auction. But he now thinks a browser hijacker may have been responsible.
"When I used search engines, sometimes I got a lot of porn pop-ups," Jack said. "Sometimes I was sent to illegal porn sites. When I tried to close one, another five would be opened without my will. They changed my start page, wrote a lot of illegal porn links in favorites. The only way to stop this was turn the (computer's) power off. But when I dialed up to my server again, I started with illegal site, then got the same pop-ups. There were illegal pictures in pop-ups."
Whether this one person is telling the truth or not, I have no doubt that this is happening to innocent people. Not only do the people who distribute hijacker software make cash by trespassing on private property and altering system settings, they do so legally while their victims are at risk of going to jail. It is long past time to criminalize this activity.
If you agree with me on this, I urge you to contact your US Senators and ask them to support the SPYBLOCK Act, S. 2145. This activity will never stop as long as it is perfectly legal to engage in it.
SpyCop Antispyware and Evidence Terminator
Program: Spycop and Evidence Terminator
Author: Spycop
Discount: 20% discount for SpywareInfo readers. (Valid for purchases until May 25, 2004)
There is the sort of spyware that comes from installing programs like Kazaa and Imesh. This kind of spyware will track your web usage to produce more relevant pop-up ads. This is an annoying and unfair invasion of privacy. However, other than the aggravation of dealing with pop-up ads and spam, this kind of spyware usually is not dangerous. These can be cleaned up relatively easily with Ad-aware and Spybot.
More dangerous are the surveillance and monitoring programs. These programs are used to steal passwords to bank and credit card accounts. A business rival can bribe an employee to install spyware on the company network. Further, the company itself might install spyware to watch you while you work. These commercial spyware programs cost money to buy for testing and not all antispyware companies can afford to keep up with each new version.
SpyCop is the leading solution for finding computer monitoring spy programs, keyloggers and commercially available software designed specifically to record your screen, email and passwords. SpyCop will detect the spy, tell you when it was installed and disable it. SpyCop claims to have the largest database of surveillance spyware, over 400 targets in all.
SpyCop also makes Evidence Terminator, a program that cleans out the traces of computer usage that Windows leaves lying around. This includes browser cache, temp files and recently opened documents among other things. You should shred paper documents at home and in the office if you don't want people reading them after you are through with them. The same goes for your PC.
Spycop and Evidence Terminator are discounted 20% for SpywareInfo readers for this week. Evidence Terminator and Spycop together are discounted by nearly $45.00.
More information about Spycop http://www.spywareinfoforum.info/downloads/spycop/
More information about Evidence Terminator http://www.spywareinfoforum.info/downloads/spycop/eterminate.php
Nasty new parasite discovered
An Israeli programmer who hangs out in SpywareInfo's chat room has been tearing apart a new parasite recently. I don't know very many details about it but this is a very nasty little bugger.
There are two files loaded into memory and a third element involved which I don't want to discuss publicly. It is nearly impossible to force these files out of memory. If you remove any one or two elements, one of the other two will reload them into memory. While you can see these files running with a process manager, somehow they hide their files and parent directory from the operating system, making it difficult to find them on the hard drive.
If the infected computer is using the FAT32 file system, you can use a DOS window to enter the directory and find the files. Unfortunately, you cannot remove the parent directory (c:\windows\system32\f0r0r\) and the files are reinstalled as soon as the computer reboots.
The parasite might be capable of installing a backdoor server that could enable a remote attacker to use it to launch a SYN attack or to send spam. It also might operate as an IRC proxy, allowing someone to use it to hide their IP address while connecting to an IRC server. It also might include an RPC scanner to sniff for insecure and unpatched Windows machines.
This is a very clever piece of programming that someone spent a significant amount of time working on. It is nearly impossible to detect and nearly impossible to remove. How it installs is a mystery, for the moment. Possibly it infects unpatched Windows machines through one of the RPC flaws discovered recently in Microsoft Windows.
You can tell if your machine is infected if you can change to c:\windows\system32\f0r0r in a DOS or CMD window with this command: cd c:\windows\system32\f0r0r\ (that's a zero, not an "o"). If your hard drive is FAT32, you can boot into MS-DOS and delete the directory from outside of Windows and that should remove the infection (no guarantees here). To my knowledge, no antivirus or antispyware product detects this parasite.
If anything new is discovered, I'll let you know.
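The check described above compares two views of the same directory: direct path access (the cd command succeeding) against what a listing of the parent directory shows. The same comparison in Python follows as an added example, not code from the newsletter; the function names, the `lister` hook and the filtered listing in `demo()` are assumptions made for illustration.

```python
import os
import tempfile

# Path given in the newsletter (zeros, not the letter "o").
SUSPECT_PARENT = r"c:\windows\system32"
SUSPECT_NAME = "f0r0r"


def cross_view_check(parent, name, lister=os.listdir):
    """Compare direct path access with the parent's directory listing.

    Returns "absent", "visible", "hidden" (reachable but not listed)
    or "unknown" (parent could not be enumerated).
    `lister` is a hypothetical hook so the listing view can be swapped in tests.
    """
    target = os.path.join(parent, name)
    # View 1: direct access, the equivalent of `cd <path>` succeeding.
    if not os.path.isdir(target):
        return "absent"
    # View 2: enumeration of the parent, the equivalent of `dir /a`.
    try:
        entries = {e.lower() for e in lister(parent)}
    except OSError:
        return "unknown"
    return "visible" if name.lower() in entries else "hidden"


def demo():
    """Run the check against a constructed temp directory (no real infection)."""
    results = []
    with tempfile.TemporaryDirectory() as parent:
        results.append(cross_view_check(parent, SUSPECT_NAME))
        os.mkdir(os.path.join(parent, SUSPECT_NAME))
        results.append(cross_view_check(parent, SUSPECT_NAME))
        # Constructed stand-in for a listing that omits the entry.
        filtered = lambda p: [e for e in os.listdir(p) if e != SUSPECT_NAME]
        results.append(cross_view_check(parent, SUSPECT_NAME, lister=filtered))
    return tuple(results)


if __name__ == "__main__":
    print("constructed demo:", demo())
    print("this machine:", cross_view_check(SUSPECT_PARENT, SUSPECT_NAME))
```

A result of "hidden" is the one that matches the behaviour described in this article: the directory can be entered by name but does not appear when its parent is listed.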
L.L. Bean sues retailers advertising with Gator/Claria
Clothing retailer L.L. Bean has filed suit against four competitors for trademark infringement. The defendants, Nordstrom, J.C. Penney, Atkins and Gevalia, have bought pop-up ads through the Claria Corporation (formerly known as Gator Corporation) that use L.L. Bean's trademark as a trigger. L.L. Bean's suit alleges that the defendants are trading on its good name and infringing upon its trademark by buying pop-up ads based on that trademark. An L.L. Bean spokesperson says that the company's relationship with its customers is damaged when they are confronted with advertisements that pop up when they visit the company's web site.
Claria is the company which distributes Gator, Precision Time, Dashbar, Weatherscope, Date Manager and Websecurealert. These products all include software which serves pop-up advertisements. Gator collects information about which web pages are loaded into Internet Explorer. The software records how the user interacts with the ads popped up by Gator. Gator's software rifles through the user's computer to record the names of all the software installed on that computer. The software will gather the user's first name and zip code. The software collects information that is entered into the forms on a web page, including part of the user's credit card number.
All of this information is cross-referenced with the unique tracking number generated when the software is installed, then it is uploaded to Gator-owned servers over the internet. This tracking behavior has led all antispyware vendors to target and remove all known products from Claria for years.
The legality of Claria's advertising practices always has been questioned. Many web site operators consider the practice of software displaying advertisements, while a user is visiting their sites, to be theft. Just this past March, a German court ordered Claria to stop popping up advertisements while users are visiting the web site of Hertz's German division. Many other web site owners have sued Claria over the practice.
Trying out Linux
Those of you who were reading this newsletter when I first started writing it might remember that I once tried using Linux. Eventually I removed it because it was just too weird.
I have no intention of using Microsoft Longhorn when it comes out (except on a test machine) and Macs are just too expensive, so I've decided to give Linux another chance. I downloaded Mandrake 10 (a slow, painful process because of my ISP's ridiculously low bandwidth limit) and installed it on a test machine. I liked it so much that I've installed it on my main PC and am using it almost exclusively now.
Many people would like to try Linux but think it is too complicated. This is not true at all. I picked Mandrake because of its reputation for installing easily and being easy to use and it certainly has lived up to it. Other distributions of Linux can be more complicated and some are only for true *nix geeks, but Mandrake is not hard at all to use.
That's not to say it doesn't have a few problems. There are a couple of programs that crash every time I try to use them; my mouse's scroll button doesn't work; and I have yet to figure out how to install a driver for my laptop's wireless card. That I haven't figured out how to fix these problems is due mostly to cluelessness on my part, particularly with the driver.
For an average computer user, Linux is nothing to fear. Choose the KDE desktop environment when it asks which desktop to use during installation. What you end up with isn't very different from Windows. There is a scrolling menu similar to the Windows start menu, a task bar, a system tray and desktop icons that work the same as in Windows.
For power users, Linux is far more capable than Windows and far more configurable. Unlike Windows, if you don't like a piece of preinstalled software, you delete it and that's the end of it. Try doing that to Internet Explorer.
Give Linux a try. It really is very easy to use. It is also very, very safe. A home user of Linux doesn't need to worry about viruses or having their browser hijacked by some advertising parasite. It also REQUIRES a "root" (administrator) password before it allows anything or anyone to change a system setting.
If you would like to try Linux out before installing it, download a .iso file for Knoppix Linux from http://www.knoppix.net/ and burn it to a CDR. Knoppix runs completely from its CD and requires no installation. It is limited in what it can do but it will give you a good idea of what Linux is like.
I should mention that although Mandrake can be downloaded for free, they want users to join the "Mandrake Club", which is how they make money back for their time spent in development. You can also purchase Mandrake itself online and receive far more software than what comes with the downloadable version. If you search around, you can find plenty of 100% free distributions of Linux but most won't be as easy to install or use as Mandrake.