The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/sept30,2003.
Beware of a new spyware program called Lover Spy, which has been advertised heavily through spam recently. The spam emails claim that potential customers can send a fake e-greeting to the person on whom they wish to spy. When the victim receives the fake e-card, they are sent to a web page to view it. The page tricks the victim into installing the spyware by claiming it is a plugin needed to view the e-card.
Once installed, Lover Spy will record emails, chats, web site visits, keystrokes, steal passwords, and take screenshots of opened windows. All of this information then is emailed to the person doing the spying.
Lover Spy has been added to the targeting databases of several antispyware programs, as well as a couple of antitrojan programs.
Spreading malicious software that pretends to be an e-greeting is nothing new. Last year, two companies distributed viruses using the same trick. The victim would receive an email saying someone had sent them an e-greeting and included a link to a web page.
When the victim visited the web page to view their card, they received a message telling them to install a free plugin. The plugin was a virus. Once installed, the virus sent emails to everyone in the victim's address book, telling them they had received an e-greeting and linked to the same web page. This went on for several weeks.
Please be very careful how you handle a notice of an e-greeting. If the email won't tell you who sent the card, assume it is malicious and delete the email. If the e-greeting comes from someone you know, but the site wants you to install a plugin, don't do it! The only legitimate plugin you would possibly need to view an e-card would be Macromedia's flash player, and chances are you already have that.
Is your boss spying on you at work? Does the public internet terminal at Kinkos have a keylogger waiting in the background to steal your banking information? Did the e-card you just viewed install a spyware program? Find out with X-Cleaner antispyware.
X-Cleaner Spyware Remover is an award winning spyware detector that finds and removes commercial spyware programs. You can even put X-Cleaner on a floppy disk and carry it to work in an envelope or in your shirt pocket. Insert the floppy into your PC at work or at a public PC, scan, and zap any keyloggers found.
Features include:
Busts spyware like:
KeyKey, SubSeven, Stealth Keyboard Logger, Snapshotspy, Surf Spy, Net Spy, GhostKeylogger, PC Activity Monitor, PC Spy, STARR, Spector, eBlaster, Red Hand Pro, Hacker Whacker, FreeWhack, WinWhatWhere, BossEveryware, Conducent, Aureate and many more!
Please visit our X-Cleaner information page for more information.
Every week SpywareInfo arranges a discount on the programs best suited to keep your private life private. This arrangement lets us pay the bills to keep SpywareInfo running without having to sell ads to the likes of DoubleClick and X-10.
We do need your help, as the discount is for your benefit. What commercial privacy software would you like to see featured here at a discount? Drop us a note and let us know.
http://www.spywareinfoforum.info/downloads/x/ X-Cleaner information page
http://www.spywareinfoforum.info/email2.php Suggest a product
Are you trying to get to Google?
Your computer is running software that doesn't allow you to use Google.
The above is a message that many thousands of unfortunate browser hijack victims have been seeing recently, while trying to use certain major search engines. Someone has released a browser hijacker that exploits flaws in the Internet Explorer web browser to drop a bad HOSTS file on infected machines.
A HOSTS file is used to tell Windows that a web site is located at the IP address listed next to its name. When you load a web site, Windows checks this list to see if the site is listed there. If the site is not listed, Windows then checks your ISP's domain name servers to find the IP address of the web site.
This bad HOSTS file tells Windows that google.com, altavista.com, yahoo.com and other major search engines are located at the hijacker's IP address. Thankfully, it would seem the web host that owns that IP address terminated the attacker's account. Most likely, the attacker was running a pay-per-click search portal of his own and was hoping to profit from his victims.
In the place of whatever used to be at that address, someone has placed a link to a particular post at TweakXP's message board, that has instructions on fixing a HOSTS hijack. Unfortunately for TweakXP, so many victims clicked through to go to the page that it overwhelmed their web server.
There are several possible means of distributing this hijack. The most common way is to spam people with a link to a web site hosting the malicious code. Some email clients also may download and execute a malicious Java applet as soon as the attacker's email is opened or previewed.
Please do not be fooled by "experts" who downplay the danger of this and other flaws by saying the victim would first have to visit a malicious web site. There are many ways to force a victim's computer to load a particular web site. We help dozens of victims of such hijacks every single day at the support forums.
Victims show none of the regular symptoms of a browser hijack other than a bad HOSTS file. There are no suspicious ActiveX objects or other tell-tale signs of infection. This leads me to believe that the victim was hijacked using either Microsoft Java VM or MSHTA.
The CWS trojan is one example of malware that exploits the ByteVerify flaw in Microsoft's proprietary version of Java. Faulty code checking allows an attacker to run arbitrary code on the victim's machine. This flaw has been patched in an updated version of Microsoft VM. My advice is to install the much more secure Sun Java and to use that instead of Microsoft Java.
The other possibility is the object data flaw I've written about previously. A flaw exists in Microsoft Internet Explorer that allows a malicious hacker to fool it into running malicious scripts with reduced security restrictions. Microsoft released a patch for this flaw, but unfortunately it failed to fix the problem. A workaround is either to disable ActiveX controls and plugins in Internet Options > Security or to run the HTAStop program from NSClean.
Fixing the hijack is the easy part. Download Hosts File Reader to the location of your choice on the computer. Run the program, click the "Read Hosts File" button, click the button labeled "Reset Defaults" and click "Save Changes". That kills the hijack.
After you have done this, update the antivirus program on the computer and run a scan. There are several trojans exploiting both of these flaws and most likely the machine is infected with one or more of them.
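The HOSTS check and reset described above, as an added example (not the Hosts File Reader tool and not code from the original newsletter): it parses a Windows-style HOSTS file, flags the pattern this hijack leaves behind, and rewrites the file without those lines. The sample file and the 192.0.2.10 address are constructed; the watchlist is the three search engines the article names.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a hijacked HOSTS file (not a real capture).
# 192.0.2.10 is a documentation address standing in for the hijacker's server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.0.2.10      google.com www.google.com
192.0.2.10      altavista.com www.altavista.com
192.0.2.10      yahoo.com www.yahoo.com
127.0.0.1       ads.example.net   # a legitimate ad-blocking entry, kept
"""

# Search engines the article names as redirected by this hijack.
WATCHLIST = {"google.com", "altavista.com", "yahoo.com"}


def parse_hosts(text):
    """Return (line_no, ip, hostname) tuples; comments and blank lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        entries.extend((n, fields[0], h.lower().rstrip(".")) for h in fields[1:])
    return entries


def base_domain(host):
    """Collapse 'www.google.com' to 'google.com' (last two labels)."""
    return ".".join(host.split(".")[-2:])


def find_hijacks(text, min_shared=3):
    """Flag entries that pin hosts to a non-loopback address.

    Signal 1: a watchlisted search engine mapped anywhere but loopback.
    Signal 2: one non-loopback address shared by min_shared or more domains,
    the pattern of a hijack funnelling many sites to a single portal.
    Returns a list of (line_no, hostname, ip, reason).
    """
    sinks, parsed = defaultdict(set), []
    for n, ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; Windows ignores it too
        parsed.append((n, ip, host, addr.is_loopback))
        if not addr.is_loopback:
            sinks[ip].add(base_domain(host))
    findings = []
    for n, ip, host, loopback in parsed:
        if loopback:
            continue  # 127.0.0.1 / ::1 entries are the normal, harmless case
        if base_domain(host) in WATCHLIST:
            findings.append((n, host, ip, "search engine pinned to non-loopback address"))
        elif len(sinks[ip]) >= min_shared:
            findings.append((n, host, ip, f"{len(sinks[ip])} domains share one address"))
    return findings


def clean_hosts(text):
    """Drop every line carrying a flagged mapping; keep comments and the rest."""
    bad = {n for n, *_ in find_hijacks(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, host, ip, why in find_hijacks(SAMPLE_HOSTS):
        print(f"line {n}: {host} -> {ip} ({why})")
    print(clean_hosts(SAMPLE_HOSTS))
```

On a real machine, read `%SystemRoot%\system32\drivers\etc\hosts` into `text`; the same hijack works on any platform with a hosts file, so the check is not Windows-specific.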
http://www.java.com :: Sun's Java
http://www.imilly.com/google.htm :: Milly's Googlejack page
http://www.simtel.net/pub/pd/67031.html :: HTAStop
http://news.com.com/2100-7349-5083234.html :: IE holes lead to AIM, dial-up attacks
http://www.spywareinfoforum.info/newlsetter/sept9,2003#secunia :: Microsoft patch doesn't work
http://www3.ca.com/virusinfo/virus.aspx?ID=36725 :: Java.ByteVerify.exploit
http://www.spywareinfoforum.info/~merijn/cwschronicles.html :: Coolwebsearch Chronicles
http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe :: Hosts File Reader
http://www.microsoft.com/technet/security/bulletin/MS03-011.asp :: Microsoft Security Advisory
I have added a new program to the list of clean and infected file sharing programs. The program's name is OneMX and, unfortunately, it has been added to the "infected" list, not the "clean" list.
This program is particularly galling. It not only bundles three spyware programs, it also lies about it. OneMX's privacy policy states boldly that "OneMX does not come bundled with any advertising or data collection technologies, sometimes known as adware or spyware". That statement is a blatant lie.
In fact, OneMX's installer bundles three separate spyware programs. The piggyback programs are Bookedspace, IPInsight, and a new one called SideSearch.
SideSearch is spyware put out by Lycos, of all people. According to Andrew Clover, SideSearch installs without the knowledge or consent of the victim, opens a backdoor for future software installation, shows advertisements, and leaks information on searches conducted on other search sites with a trackable ID. You would think an otherwise respectable company such as Lycos would know better than to distribute this sort of garbage.
I have to wonder about the judgement of OneMX's developers. Most companies, Kazaa for instance, dance around the edges of honesty by trotting out whichever unofficial definition of "spyware" best fits their needs. They quietly will admit to bundling software that displays ads, but pretend not to realize that some of the "adware" is in fact "spyware". OneMX just lies about it, denying that it installs either spyware or adware.
OneMX has set itself up for some nasty problems. Anyone that has installed the program probably has grounds to sue the company for violating its privacy policy if I understand the law correctly. Even if you want to argue whether the piggyback programs are spyware or not, there is no arguing that they are adware.
At any rate, despite the false statements in its privacy policy, OneMX does install spyware and it should be avoided.
http://www.spywareinfoforum.info/articles/p2p/ :: The clean and infected list
http://doxdesk.com/parasite/IPInsight.html :: IPInsight information
http://doxdesk.com/parasite/BookedSpace.html :: BookedSpace information
http://forums.spywareinfoforum.info/index.php?showtopic=12164 :: Discuss this piece
Were you following the Do Not Call roller coaster last week? Just to recap, telemarketers sued in US Federal Court to block the Do Not Call list from being enforced. Amazingly, Judge Lee West ruled that the Federal Trade Commission (FTC) did not have authorization to enforce the Do Not Call list.
In making this ruling, West disregarded the fact that Congress specifically authorized the FTC to do just that, earmarked taxpayer dollars to fund the enforcement and passed the legislation to President Bush (who signed it into law).
Outraged that this judge would defy an act of Congress, the authorization of the President and the wishes of 50 million Americans, Congress acted with near unprecedented speed to pass new legislation. The new bill spells out in clear language that the FTC is to enforce the Do Not Call list.
Unbelievably, at nearly the same time the new bill was being voted upon, yet another judge issued a ruling blocking enforcement of the Do Not Call registry. Judge Edward W. Nottingham ruled that telemarketers have a Constitutional right to intrude into the homes of people who have specifically requested not to receive telemarketing calls. According to Nottingham, the Do Not Call list infringes upon that Constitutional right.
You may be interested to know that Judge Nottingham's own telephone number is on that Do Not Call registry. Correct me if I'm wrong, but isn't it a violation of professional ethics for a sitting judge to enter into an agreement that he believes to be illegal? For that matter, if he was signed up to the registry himself, shouldn't he have recused himself instead of hearing the case?
A question that keeps popping up in every debate asks why telemarketers would fight this at all. Surely they would love to have a list of people guaranteed to not be interested in their sales pitch, right? If they know these people aren't interested, they could move on to those who might be more receptive. The telemarketers should be all for the list, right?
Bzzt, sorry, nah ah, incorrect. Telemarketers do not make money selling to people interested in receiving sales pitches over the phone. Telemarketers make money selling to people who are too polite and too timid to tell them to go to Hell.
My ex-girlfriend is a perfect example of this. She refused to answer her own telephone unless she was paged first because she could not bring herself to hang up on a telemarketer. It drove me nuts. This is the type of person the telemarketers want. They don't want the Do Not Call list to stop them from calling people like this.
Throughout this entire debate, I keep seeing people state that two million telemarketers could be put out of work if the list goes into effect. You know what? Frankly, I don't give a damn if all two million of them end up on the street. Telemarketers are scum; their business is scum; and I hope the entire industry goes bankrupt.
There are thousands of people who would love to make a living scamming old ladies out of their pensions. There are people who would love to make a living selling crack. There are people who would love to make a living mugging people. Too bad there are laws against doing any of these things. It's just tragic as hell that several million people are out of work and unable to make a living doing these things because of these unfair laws.
My message to telemarketers is this: Screw you. Get an honest job. Anyone who makes a living browbeating money out of people too timid to tell them to go to Hell is scum. No one deserves a job selling crack. No one deserves a job mugging old ladies. No one deserves a job spamming our telephones.
Update!
This is an update that was just posted at The Boston Globe's web site.
The federal government, aided by an order yesterday by Supreme Court Justice Stephen G. Breyer, plans to put into effect tomorrow a national do-not-call list that is designed to shield homes from telephone sales pitches.
The action by Breyer, however, allows another agency -- the Federal Communications Commission -- to stand in for the FTC and begin enforcing the do-not-call mandate.
The FCC, which regulates telephone service, has no list of its own, but it has written rules that will enforce the one amassed by its sister agency, which regulates unfair marketing tactics.
Michael K. Powell, FCC chairman, noted that his agency could move forward because it was not affected by the court orders keeping the FTC from implementing the registry.
http://www.brokennewz.com/reports/dmaebay.asp :: One person's theory about Judge West's ruling
http://news.google.com/news?hl=en&edition=us&q=do+not+call :: Latest Do Not Call headlines
http://www.boston.com/news/nation/washington/articles/2003/09/30/do_not_call_list_active_tomorrow/ :: Do-not-call list active tomorrow
The US Congress has started to rein in the broad powers it granted to federal law enforcement agencies to investigate acts of terrorism in the wake of the September 11 attacks. Recently, the dreaded Total Information Awareness project was killed when Congress denied it the funding necessary to operate effectively.
Congress also ordered the CAPPS II project to be delayed until after an independent review is made to determine what impact it would have on privacy rights and whether or not it would be effective in combatting terrorism.
This is a trend that I hope continues. These so called "anti-terror" laws are being applied not only to terrorism investigations, but also to common domestic crimes for which they were not intended to be used.
For instance, crimes such as drug smuggling, money laundering, and certain white-collar crimes are being investigated using special provisions of the Patriot Act. In addition, the FBI is ignoring the Constitution to investigate a computer hacker.
I realize it may come as a shock, but governments really do abuse the powers given to them. Even relatively nice governments such as that in the USA are not above perverting well-intentioned laws for their own ends.
I hope the Congress continues to reexamine the faulty laws passed while the nation was in fear. I would like to grow old in the same America I live in now, not a futuristic facsimile of the old Soviet Empire.
http://dc.internet.com/news/article.php/3084671 :: Congress Kills TIA Program
http://www.theregister.co.uk/content/55/33106.html :: FBI bypasses First Amendment to nail a hacker
http://www.wired.com/news/politics/0,1283,60600,00.html :: Congress Puts Brakes on CAPPS II
http://www.tribnet.com/news/story/4029795p-4050772c.html :: U.S. Uses Terror Law to Pursue Crimes From Drugs to Swindling
We have another winner of the Scumbag of the Week award. This one goes out to a Spamcop user who falsely reported a newsletter as spam. Spamcop itself gets a dishonorable mention.
Remember my mention last week of Kim Komando linking to my site in an article she wrote about spyware? Well, she wrote a small section about it in her own newsletter the other day and again she linked to SpywareInfo. Unfortunately, some idiot on her mailing list reported her newsletter as spam. My web site was nearly suspended as a result!
There is a phrase used by anti-spammers to describe web sites that are advertised in spam mailings. Those sites are said to be "spamvertised" and many blacklists operators consider those sites to be no different from the sender of the spam. Kim's subscriber reported her newsletter as spam to Spamcop and Spamcop reported SpywareInfo to the company that sells bandwidth to my web host as a "spamvertised" site.
Most companies would have suspended the site right on the spot. Thankfully, my web host is run by people with a little more common sense than that and wrote back saying that I had nothing to do with any spam mailing.
This is not our first run-in with Spamcop. Last year, some SOB signed up to the newsletter for the express purpose of reporting it as spam. Spamcop played along with the prank by listing my site's mail server on its blacklist and I had to threaten them with a lawsuit to have the server delisted.
Just like the incident last year, the complaint against Kim Komando's newsletter is bull. I went to her site today to sign up for her newsletter. Her newsletter is managed by Lyris, a respected newsletter hosting service that does not tolerate any form of spam. To be placed on Kim's mailing list, it was necessary to give a valid email address and then reply to a confirmation message.
The person that reported Kim's newsletter as spam libeled her. I hope she takes legal action against that person. I may have to take legal action myself against Spamcop. That letter they sent yesterday might have caused my site to be shut down at any other web host. This makes the second time that their incompetence has put my web site at risk. I don't think I want to wait around to see if the third time is the charm.
http://www.dixiesys.com/ :: Dixie Internet Systems
http://www.bcentral.com/articles/komando/140.asp :: Danger, danger: 5 tips for using a public PC
http://www.spywareinfoforum.info/newsletter/archives/june-2002/06142002.html#rant :: Spamcop blacklists SpywareInfo
Here are links to a couple of stories you might find interesting.
The first is an article that I wrote and forgot to mention last week. An Alabama State Trooper took control of a traffic surveillance camera to ogle inebriated teenage girls walking away from a number of nearby bars. Supposedly, all of this was witnessed on a local cable channel set up to display the footage from the surveillance cameras.
The Alabama State Police refuse to discipline or even to name the officer. http://www.mikehealan.com/articles/spycams/tuscaloosa.php
The next story is not mine. It was written by Richard Stallman several years ago. Despite its age, I believe the article makes a strong and valid point in the context of today's current events. http://www.mikehealan.com/articles/right_to_read/
http://www.stallman.org/ :: Richard Stallman's Site
http://www.mikehealan.com/ :: Shameless Plug
Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.
Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000.
The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it. You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459
Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.
http://www.scotsnewsletter.com Scot Finnie's Newsletter
http://www.langa.com/newsletter.htm The Langalist
All materials on this web site are copyrighted © 2001 - 2012 by Mike Healan or their respective owners.
® All rights reserved.