The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/sept9,2003.
http://www.secunia.com/advisories/9580/
Internet Explorer determines whether an object is safe when it interprets the file extension specified in the "Object Data" tag. This allows a malicious person to specify a "safe" file with eg. a ".html" extension in "Object Data", which causes Internet Explorer to interpret it as a "safe" file. However, when the file is retrieved by Internet Explorer the "Content-Type" header determines how the file will be treated. This allows an executable file like a ".hta" file to be treated as a "safe" file and be executed silently without restrictions.
NOTE: Further information has been released by http-equiv, proving that the patch from Microsoft is not adequate. Refer to solution section.
Secunia has constructed a vulnerability test, which can be used to check if you are affected by this issue: http://www.secunia.com/MS03-032/
My God, it just never ends.
This unending parade of security flaws will never stop. Between ActiveX, Microsoft-hacked Java, and HTA scripting, Internet Explorer is nothing but a collection of security flaws that loads web pages as an afterthought. Now they can't even do a proper job of patching the vulnerabilities they know exist.
Remember Surferbar which I discussed last week? Security experts have discovered that Surferbar is exploiting one of the flaws discussed in Secunia's article to install itself. We have reason to believe that two other malware distributors also might be using, or at least testing it.
If you are using Internet Explorer as your primary browser, you are most likely vulnerable to this flaw. You can find out for sure by taking this test.
Do you want to know how to be completely safe from these security flaws? Do you want to know how to be 100% safe from driveby malware that installs right through the browser? The answer is very simple: use a real browser, not a web browsing extension tied to a Microsoft operating system.
http://texturizer.net/firebird/
http://www.opera.com/
I'm not being sarcastic. I am dead serious. Internet Explorer is not safe, except for when the most draconian precautions are taken. It is a bare bones, featureless browser that doesn't even provide tabbed browsing. I guarantee you, if you switch to Mozilla Firebird and use it for a while you will never want to use Internet Explorer again. Read all about Firebird at the official help site and decide for yourself.
Update
You can give yourself some protection against this flaw with a freeware program from NSClean called HTAStop2003. You can download this program from Simtel: http://www.simtel.net/pub/pd/67031.html
http://www.secunia.com/MS03-032/ :: Secunia's vulnerability test
http://www.spywareinfoforum.info/newlsetter/sep3,2003#surferbar :: Surferbar: A Nasty New Hijacker
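The mismatch the advisory describes, a "safe" extension in the URL paired with an executable Content-Type in the response, can be hunted for in proxy or gateway logs. The sketch below is an added example, not code from Secunia or this newsletter; the record layout, the extension list, the second MIME type and the sample records are assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Extensions a client is likely to treat as passive content (assumed list).
PASSIVE_EXTENSIONS = {".html", ".htm", ".txt", ".gif", ".jpg", ".jpeg", ".png"}
# application/hta is the MIME type Windows maps to .hta files; the second
# entry is an assumed addition, and the set is not exhaustive.
ACTIVE_TYPES = {"application/hta", "application/x-msdownload"}


def media_type(content_type_header):
    """Return the bare, lowercased media type without parameters."""
    return content_type_header.split(";", 1)[0].strip().lower()


def url_extension(url):
    """Return the lowercased extension of the URL path, ignoring the query."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def is_mismatch(url, content_type_header):
    """True when a passive-looking URL is served with an active Content-Type."""
    return (url_extension(url) in PASSIVE_EXTENSIONS
            and media_type(content_type_header) in ACTIVE_TYPES)


def scan(records):
    """Filter (client, url, content_type) records down to the mismatches."""
    return [r for r in records if is_mismatch(r[1], r[2])]


# Constructed sample records, as a proxy log might yield after parsing.
SAMPLE = [
    ("10.0.0.5", "http://example.test/news/index.html", "text/html; charset=iso-8859-1"),
    ("10.0.0.7", "http://example.test/banner.html", "application/hta"),
    ("10.0.0.7", "http://example.test/tool.hta", "application/hta"),
    ("10.0.0.9", "http://example.test/pic.jpg?x=1", "Application/HTA; charset=utf-8"),
]

if __name__ == "__main__":
    for client, url, ctype in scan(SAMPLE):
        print(f"{client} fetched {url} served as {media_type(ctype)}")
```

The openly named `tool.hta` is not flagged, because the check targets only responses whose URL extension disagrees with the served type.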
SpyCop is the leading solution for finding computer monitoring spy programs, keyloggers, and commercially available software designed specifically to record your screen, email, passwords and much more!
SpyCop will detect the spy, tell you when it was installed, and optionally disable it! SpyCop can find over 385 surveillance spyware programs!
Once you are their customer, you can update the spyware database with a simple click of the mouse. This will ensure SpyCop has the latest releases of spyware to search for and eliminate.
Order today and receive free software and database updates for life!
SpyCop is available to SpywareInfo visitors for 20% off the regular price! This is a time limited offer, as are all products featured weekly in this space.
More information about Spycop http://www.spywareinfoforum.info/downloads/spycop/
Every week, SpywareInfo arranges a discount on the programs best suited to keep your private life private. This arrangement lets us pay the bills to keep SpywareInfo running without having to sell ads to the likes of DoubleClick and X-10.
We do need your input, as the discount is for your benefit. What commercial privacy software would you like to see featured here at a discount? Drop us a note and let us know.
http://www.spywareinfoforum.info/downloads/spycop/ More information about Spycop
http://www.spywareinfoforum.info/email2.php Suggest a product
Technology writer Fred Langa had some harsh criticism for Lavasoft in his September 4 newsletter. I feel the criticism was incorrect, and have written an article to respond to Langa's newsletter.
That article is located at http://www.spywareinfoforum.info/articles/langa_lavasoft/
U.S. District Judge Gerald Bruce Lee has ruled that WhenU's SaveNow adware program is not violating the law when it pops up an ad that competes directly with the web site a consumer is viewing.
WhenU SaveNow is an unwanted advertising parasite. According to Andrew Clover of DoxDesk.com, "as well as downloading the pop-up ads, SaveNow connects to WhenU's servers to log the ad impression. It passes the name of the affiliate software which installed the software, the ID of the advert being shown, and the site URL or term that caused the pop-up to be triggered."
Moving truck rental company U Haul had sued WhenU in US Federal Court claiming the company's software violated its copyright and trademark. When consumers running WhenU's software visited U Haul's web site, the software would detect that and spawn a pop up window that advertised a competing service. Last year, several publishers, including The New York Times, sued Gator Corporation for the exact same reason.
Judge Lee ruled that WhenU was not violating the law because users agreed to install the software and users have the right to run whatever software they please.
I believe that Judge Lee missed the point. I agree that users have the right to run whatever software they want, even if it alters the intended appearance or functionality of a web site. If this wasn't the case, then my browser would be illegal because it doesn't allow web sites to display pop up windows, resize or move my window, or alter my status bar text.
If these issues were about nothing more than user software somehow altering U Haul's web site, then Judge Lee's ruling would be correct. However, there is one glaring difference between my use of Firebird to block pop ups at a web site and SaveNow popping up ads based on the same web site. The difference is, I chose to install Firebird. Few people, if any, choose to install SaveNow.
SaveNow, along with most other advertising parasites, is usually installed without the complete knowledge of the computer owner. Depending on the ethics (or lack thereof) of the company bundling adware into their own software, there may not be any disclosure that the adware will be installed. More likely, there will be disclosure, but it will be 50,000 words into a 150,000 word End User License Agreement.
Few people read those click-through licenses far enough to read the disclosure of any spyware or adware. WhenU counts on that to install as many copies of its software as possible. SaveNow and other advertising parasites suddenly appear on a person's machine; they rarely are installed deliberately. If you want proof of that, consider this quote by WhenU's CEO, Avi Naider:
"'Naider said users had the right to decide for themselves whether to see pop-up advertisements', noting that 70 percent of the 100 million who have downloaded SaveNow have uninstalled it."
Take the spin off that and you are left with the fact that 70 million people, who didn't want SaveNow, found it installed on their computers. I'll wager that most of the remaining 30 million simply haven't figured out what's causing all the pop ups.
Naider is quoted as saying that "this is a victory for consumer choice -- it ultimately protects consumers' right to control what they see on their computer screens." If people were downloading SaveNow knowingly because they want to know when something they are shopping for is discounted somewhere else, then I would agree with the judge's ruling.
The fact of the matter is that these people are not users of SaveNow. They are victims. Their computers are infected with a parasite which most of them do not want.
Judge Lee dropped the ball on this. This was not a case of consumers choosing to see ads based on keywords found on U Haul's web site. This was a case of a parasite exploiting the hard work of U Haul in attracting visitors and using it to create pop up ads that people did not want. U Haul was robbed, and Judge Lee let the thief go free.
http://www.mozilla.org/products/firebird/ :: Mozilla Firebird
http://www.doxdesk.com/parasite/SaveNow.html :: DoxDesk article on SaveNow parasite
http://www.internetnews.com/IAR/article.php/3073741 :: Judge Says AdWare Is Legal
http://news.com.com/2100-1024_3-1022791.html :: Court says Gator-style ads are legal
http://www.wired.com/news/politics/0,1283,60347,00.html :: Judge Rules in Favor of Pop-Ups
http://www.siliconvalley.com/mld/siliconvalley/4196581.htm :: UPS sues Internet ad company
http://www.mediainfo.com/editorandpublisher/headlines/article_display.jsp?vnu_content_id=1971753 :: Judge Rejects Lawsuit Against Pop-Up Ads
I have a gift for all the webmasters and bloggers out there who are sick and tired of finding porn sites all over their referer logs. I have a blacklist of 120 web sites (mostly porn) that have been spamming my referer logs mercilessly. It was so bad that 6 of the top 10 referers for August were log spammers. On a site that receives the kind of traffic SWI does, that's quite an achievement.
When you visit one web site by clicking a link from another, your browser passes the name of the web page you were just on to the next site. That information is logged by the next site's webserver, and site owners use that to see what sites are linking to them.
Some site owners have started spamming those referer logs by sending bogus traffic to the victim site. The bogus traffic causes the victim site to log hundreds or even thousands of hits with a referer showing the spammer's site. If you own a web site and have been wondering why so many X-rated web sites show up in your logs even though they aren't linking to you, it is because they are spamming your logs.
I have written a detailed article to explain how to block those sites from spamming your logs. It's a little boring, but it should explain everything you need to do to block these spammers, assuming you are hosted on an Apache webserver.
The article and links to the blacklist are at http://www.spywareinfoforum.info/articles/referer_spam/. Enjoy =)
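To see how much of a referer report is spam before blocking anything, the access log can be split against a blacklist. This is an added example, not the blocking method from the linked article; it assumes Apache's "combined" log format, and the blacklist entries and log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed blacklist entries standing in for the real list.
BLACKLIST = {"spam-one.example", "spam-two.example"}


def referer_host(line):
    """Return the referer's hostname, or None if absent or unparsable."""
    m = LINE_RE.match(line)
    if not m or m.group(1) in ("", "-"):
        return None
    return urlsplit(m.group(1)).hostname  # urlsplit lowercases the hostname


def is_blacklisted(host, blacklist):
    """Match a listed domain or any of its subdomains, not mere suffixes."""
    return any(host == d or host.endswith("." + d) for d in blacklist)


def split_referers(lines, blacklist):
    """Count referer hosts, separating blacklisted hosts from the rest."""
    clean, spam = Counter(), Counter()
    for line in lines:
        host = referer_host(line)
        if host is not None:
            (spam if is_blacklisted(host, blacklist) else clean)[host] += 1
    return clean, spam


# Constructed log lines (documentation IP ranges and .example domains).
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Aug/2003:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "http://www.spam-one.example/" "Mozilla/4.0"',
    '203.0.113.9 - - [01/Aug/2003:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "http://www.spam-one.example/index.html" "Mozilla/4.0"',
    '198.51.100.4 - - [01/Aug/2003:10:02:11 +0000] "GET /articles/ HTTP/1.1" 200 812 "http://blog.example.org/links.html" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Aug/2003:10:03:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [01/Aug/2003:10:04:02 +0000] "GET / HTTP/1.1" 200 5120 "http://spam-two.example/x" "Mozilla/4.0"',
]

if __name__ == "__main__":
    clean, spam = split_referers(SAMPLE_LOG, BLACKLIST)
    print("legitimate:", clean.most_common(10))
    print("spam:", spam.most_common(10))
```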
This week's scumbag award goes out to microtution.org. For the past three days, I have received something on the order of 3,000 spam emails from promiseman@promiseman.com to random addresses at my spam trap domain. Every single spam advertises a link to microtution.org, which is some sort of political web site.
My web host showed me how to blacklist these scumbags at the email server, so the daily mail bomb should be over for the moment. I also sent complaints to this site's webmaster address at webmaster@responsibilityera.com and to the abuse@ address of their web host. My own web host has done the same and hopefully these spammers will be shut down.
Yesterday, this spam was relayed through a server registered in Yugoslavia. Today, the IP address (211.181.194.245) shows that it was relayed through Korea. Tomorrow they will probably use Outer Mongolia or Lower Patagonia to relay their garbage.
All I have to say is, God bless Mailwasher.
http://www.spywareinfoforum.info/rd/mailwasher/ :: Mailwasher link
Some quick words about last week's issue.
First, this stupid newsletter software stripped out the backslashes from the surfer bar registry entries I included. That made them look really odd in the emailed version. Normally, I write a backslash using special HTML characters to avoid that, but I forgot to do it last week.
Second, in my Kazaa story, I meant to link to my list of file sharing programs. That is at http://www.spywareinfoforum.info/articles/p2p/
Finally, let me clarify what I meant when I mentioned how far over my bandwidth I had gone in August. Many people interpreted that as a complaint, which it surely wasn't.
I love having so many visitors to the site and can afford whatever bandwidth overages I have. One quarter of a million people visited the site last month, and that is just awesome. The more visitors, the merrier - tell your friends to drop by and visit Spywareinfo. Come visit me at The Soap Box, too!
Several people were worried about my hosting bill and a few even suggested I start some premium services, like a premium section of the message board or a paid version of this newsletter. I appreciate the concern, but I can afford the hosting bill. If you want to help out, there is Paypal, or you can contact me for a mailing address. I also plan to sell a few items from Cafeshops.com at some point in the future.
Just to clarify, I wasn't complaining, and I'm not in imminent danger of losing my hosting. Everything is going smoothly at SpywareInfo and I hope it continues.
See y'all next week.
http://www.mikehealan.com/ :: The Soap Box
http://www.spywareinfoforum.info/newlsetter/sep3,2003 :: Last week's issue
http://www.spywareinfoforum.info/support.php :: Paypal donation page
Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.
Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000.
The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it. You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459
Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.
http://www.scotsnewsletter.com Scot Finnie's Newsletter
http://www.langa.com/newsletter.htm The Langalist
All materials on this web site are copyrighted © 2001 - 2012 by Mike Healan or their respective owners.
® All rights reserved.