Spyware Weekly Newsletter: November 24, 2004
The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/nov24,2004.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
Hacked Web Sites Used To Install Parasites
Security researchers are warning of a new method of installing unwanted parasitic software onto the computers of unsuspecting victims who use Microsoft Internet Explorer (MSIE).
How It Works
Most of the following information is based upon a detailed write-up of the process which is available at vitalsecurity.org.
The process starts with a flaw in the OpenSSL module which is installed alongside most Apache web servers. Apache is the software that serves up web pages on most of the world's web sites. By exploiting this flaw, an attacker can install a rootkit on the web server. The rootkit allows the attacker to take over the server completely. It has been modified to avoid detection by most available rootkit detectors.
Once installed, the compromised web server will attach a javascript to every HTTP packet sent to a browser used to surf the site. This javascript causes the surfer's browser to open an IFrame, a small inline window which loads a page different from the one in the surfer's address bar.
The IFrame loads a page from one of three sites. One of the sites hosting these pages is owned by someone using an email address associated with CoolWebSearch (coolsearch.biz).
The pages which are loaded in the IFrame cause the browser to load several additional pages, each of which tries a different method of installing parasitic software. Once the browser encounters an exploit for which it is not patched, the browser will download and execute a variety of parasite installers. Any of the following parasitic software may be installed on the victim's computer:
180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar
The installers for each of these have been modified to make them harder to detect with antivirus and antispyware software. At no time is the user presented with a EULA (End User Licensing Agreement), privacy policy or any other disclosure, or the ability to opt out of installing these parasites.
There is evidence to suggest that an infected PC could be used by an attacker to participate in a distributed denial of service attack.
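For site operators: the script described above is attached as pages are served, so a check that only looks at files on disk may see nothing wrong. The following Python check is an added example, not code from this newsletter or the vitalsecurity.org write-up; it compares a static page as stored with the body the server actually returned and reports frame or script hosts that appear only in the served copy. The host names, sample markup and function names are constructed, and it assumes static pages whose on-disk files are left unchanged.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# <iframe ... src=...> inside a script string; quotes may be backslash-escaped.
IFRAME_IN_SCRIPT = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\\'\"]*([^\\'\"\s>]+)", re.I)

class FrameFinder(HTMLParser):
    """Collect URLs from <iframe>/<script src=...> tags and iframes written by inline script."""
    def __init__(self):
        super().__init__()
        self.in_script, self.urls = False, []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("iframe", "script") and src:
            self.urls.append(src)
        self.in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.urls.extend(IFRAME_IN_SCRIPT.findall(data))

def foreign_hosts(html, allowed_hosts):
    """Hosts loaded by frames/scripts in `html` that are not on the site's allowlist."""
    finder = FrameFinder()
    finder.feed(html)
    finder.close()
    hosts = {urlparse(u).hostname for u in finder.urls}
    return sorted(h for h in hosts if h and h not in allowed_hosts)

def added_in_transit(on_disk, served):
    """Markup present in the served body but absent from the file on disk."""
    # Diff chunks that each start at '<' so an inserted tag is recovered whole.
    a, b = (re.split(r"(?=<)", s) for s in (on_disk, served))
    ops = SequenceMatcher(None, a, b, autojunk=False).get_opcodes()
    return "".join("".join(b[j1:j2]) for op, _, _, j1, j2 in ops if op in ("insert", "replace"))

def audit(on_disk, served, allowed_hosts):
    """Foreign hosts introduced between the disk and the wire."""
    return foreign_hosts(added_in_transit(on_disk, served), allowed_hosts)

# Constructed sample: a static page as stored, and the same page as a tampered server returns it.
ON_DISK = '<html><body><h1>Welcome</h1><script src="/js/menu.js"></script></body></html>'
SERVED = ON_DISK + ("<script>document.write('<iframe src=\"http://frames.example.net/a.htm\""
                    " width=0 height=0></iframe>');</script>")
```

Fetch the served copy from outside the server itself, since a rootkit on the host can also alter what local tools see.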
Protect Yourself
There is no complete defense for MSIE users. There is no patch for the IFrame vulnerability. However, you can set Internet Explorer to disable IFrames.
Go to your control panel and double-click on the Internet Options icon. Click the Security tab. Click on the Internet icon to highlight it, then click the Custom Level button near the bottom. On the next screen, scroll about 2/3 down until you find the following options: "Launching programs and files in an IFRAME" and "Navigate sub-frames across different domains". Set both of these options to Disable and click OK. On the Security tab, click Apply.
This advice is untested so I cannot guarantee that it will protect you. However, it should work just fine. It will not protect you if your browser directly loads one of the pages that start the infection process.
Non-MSIE browsers are safe from this attack. I recommend either Firefox or Opera. However, these browsers still may experience pop-ups on infected web sites. There is evidence to suggest that these pop-up windows somehow may infect MSIE. Immediately close any pop-up windows that slip past the pop-up blocking features of these browsers. Do not click any links or buttons within the pop-up window.
If you are using Windows XP, install Service Pack 2 if you have not already done so. This will protect you from most of the exploits involved but not all.
I don't know what is being done about the people responsible for this situation. It is illegal to break into a web server. Unfortunately, it currently is not illegal to use a security hole to install parasitic software in most places. This is a strong argument for the need to pass antispyware legislation that would punish behavior such as this.
The US Congress wants to pass such legislation. The Federal Trade Commission opposes the idea. It might be a good idea to contact your Congressperson or Senator and urge them to pass the antispyware bills now under consideration. Feel free to point them here for a good example of the need for it.
SpyCop Antispyware
Program: Spycop
Author: Spycop
Discount: 20% discount for SpywareInfo readers. (Valid for purchases until Nov 30, 2004)
Purchase Spycop: http://www.spywareinfoforum.info/downloads/spycop1124
There is the sort of spyware that comes from installing programs like Kazaa and Imesh. This kind of spyware will track your web usage to produce more relevant pop-up ads. This is an annoying and unfair invasion of privacy. However, other than the aggravation of dealing with pop-up ads and spam, this kind of spyware usually is not dangerous. These can be cleaned up relatively easily with Ad-aware and Spybot.
More dangerous are the surveillance and monitoring programs. These programs are used to steal passwords to bank and credit card accounts. A business rival can bribe an employee to install spyware on the company network. Further, the company itself might install spyware to watch you while you work. These commercial spyware programs cost money to buy for testing and not all antispyware companies can afford to keep up with each new version.
SpyCop is the leading solution for finding computer monitoring spy programs, keyloggers and commercially available software designed specifically to record your screen, email and passwords. SpyCop will detect the spy, tell you when it was installed and disable it. SpyCop claims to have the largest database of surveillance spyware, over 400 targets in all.
Spycop is discounted 20% for SpywareInfo readers for this week.
If you have any problems with the purchase page or with the coupon code (SPYC-YB5E-SCAN), please email my partner Catherine.
Macs Not Immune To Spyware
Many people believe that Mac computers are immune to the spyware problems which plague Windows PCs. As it turns out, this is incorrect.
In January 2004, a version of LimeWire was released for the Mac OS which included an advertising spyware application known as LimeShop. The developers coded the spyware in such a way that it hooked into the Java executable.
Java is a programming language in which much software is written. Most web browsers include a plug-in that allows them to run Java programs. Because LimeShop hooked Java, any firewall alerts about outbound connections would show that Java was trying to connect to the internet without mention of LimeShop. This is a sneaky trick used by many trojans and spyware programs.
After the inclusion of LimeShop became publicized on some message boards, the spyware was removed by the LimeWire developers.
This just goes to show you that even a Mac is not immune to becoming infected by unwanted parasites. To my knowledge, there is only one spyware scanner for the Mac OS. It is called MacScan.
I don't have a Mac so I have no way to test how effective this program is. If anyone has any experience with it, please let me know what you think of the program.
Update:
Reader Sarah Millin has just written to say that MacScan is no longer available.
Hi there!
Mac Scan is no longer available. You cannot download it from their web site. Even if you find a copy and install it, the software says it is expired (I checked versiontracker.com).
There is a commercial mac spyware cleaner available from www.allume.com for about $30 U.S.
You might want to post a correction in the next newsletter.
Sorry about that. Thanks for the letter, Sarah.
AOL Requiring Aluria To Target WhenU
I wrote a few weeks ago about Aluria Software becoming a partner with the WhenU adware company. Aluria considers WhenU to have reformed their behavior and no longer considers their software to be spyware. They have even become a business partner with WhenU, to the point that they are developing software together. Beyond the obvious, another more interesting conflict of interest has arisen as a result of this cozy arrangement between Aluria and WhenU.
AOL provides a branded version of Aluria's Spyware Eliminator to AOL members. AOL seems to be concerned about the partnership between Aluria and WhenU. Andrew Weinstein of AOL states that AOL will require that WhenU remains targeted by definition files used by their version of Spyware Eliminator. Weinstein says that AOL will take steps to ensure that the definition updates they receive from Aluria include detection of WhenU.
Castlecops has published an interview on the subject on their site.
Case Dismissed Against Spying Employee
A federal judge has thrown out charges against a man who used a keylogging device on his boss's computer. Larry Ropp was discovered last year to have installed a small piece of hardware on his supervisor's computer which recorded all keystrokes entered on that machine.
Ropp wanted to collect evidence that his supervisor was committing wrongdoing so that he could report him to authorities. All he received for his efforts was a pink slip and a pair of handcuffs. He was charged with violation of federal wiretapping law.
The judge concluded that since the keylogging device only captured data traveling between the keyboard and the computer's CPU, no interstate network activity was involved. This means that the federal wiretapping laws cannot apply to this case. Ropp still may be held in violation of California state wiretapping laws if any such laws exist.
The judge's decision was based partly on an incident involving the FBI in 2001. Agents installed keylogging software onto a mafioso's computer in order to capture the password to his encryption program. This allowed them to read encrypted files on his computer. Since the keylogger was configured to end capturing data whenever the computer was connected to the internet, no interstate wiretapping laws were broken by the FBI.
The prosecutor in the Ropp case has filed a motion asking the court to reconsider the ruling. The motion has not been ruled on at the time of this writing.
Headlines
I do not intentionally link to web sites that require registration before allowing visitors to read the article. At the time I read these articles, I was not required to register. If one of these sites requires that you register before allowing you to read the article, please let me know and I will blacklist that site.
http://news.com.com/Trojan+horse+spies+on+Web+banking/2100-7349_3-5448622.html :: Trojan horse spies on Web banking
http://news.com.com/Police+arrest+phishing+mob+suspect/2100-7349_3-5448712.html :: Police arrest phishing mob suspect
http://www.pcmag.com/article2/0,1759,1710338,00.asp :: Bill Sends Spyware, Adware Purveyors Down Divided Paths
http://www.eweek.com/article2/0,1759,1706659,00.asp :: Anti-Spyware Vendor Takes Heat Over Adware Deal
http://www.technewsworld.com/story/Spyware-Attack-Part-of-Coordinated-Campaign-Against-IE-38393.html :: Spyware Attack Part of 'Coordinated Campaign' Against IE
http://www.expatica.com/source/site_article.asp?subchannel_id=48&story_id=14270&name=Belgium+invaded+by+spyware :: Belgium invaded by spyware
http://www.eweek.com/article2/0,1759,1731474,00.asp :: Study: Tools Let Spyware Slip Through Cracks
http://www.smh.com.au/news/Next/Virus-writers-catch-adware-bug/2004/11/22/1100972317109.html?oneclick=true :: Virus writers catch adware bug
http://www.wired.com/news/privacy/0,1848,65703,00.html :: Court Documents Not Fit for Web?
http://www.net-security.org/article.php?id=746 :: The Spyware Threat And How To Deal With It