The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/jan17,2006.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
Stop cleaning your glasses - you read that title right. There is a way now to surf the web with absolute, unbreakable safety. It is very simple to do.
A few months ago, VMware Inc. decided to release a free virtual machine player. What this program does is pretend to be a computer. The program emulates the hardware of a regular computer, inside of a window. Inside that window, you can run any operating system supported by the player. I have been using a similar product, VMware Workstation, to test spyware and spyware removal tools.
VMware also released a free Browser Appliance. The Browser Appliance is a virtual computer, running the Ubuntu Linux operating system and includes a copy of the Firefox web browser.
You download and install the virtual machine player, then download the Browser Appliance. After you download the Browser Appliance, be sure to save the zip file somewhere, in case you need an unaltered copy of it.
Both of these are very large downloads. If you connect to the internet over dialup, it is going to take hours to download them. Trust me, it is worth the wait.
The Browser Appliance is set to use 256MB of RAM by default. If you don't have at least twice that amount of memory in your computer, then you need to reduce the memory setting. You can change the amount of memory it uses by clicking on the "Player" button and going to the "Troubleshooting" menu. There is a slider where you can change the setting.
You also can open the Browser-Appliance.vmx file in Notepad to adjust the memory that way. The line you want to change is memsize = "256". Whatever number you put there must be a multiple of 4 and cannot be lower than 32. I would suggest setting it to no higher than half the amount of memory installed in your computer. There is no performance gain to be had by increasing the memory setting beyond 256MB, so don't waste the RAM.
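The memsize rules in the paragraph above (a multiple of 4, never below 32, no more than half of the host's RAM, nothing gained above 256MB) are easy to get wrong by hand. The script below is an added example, not VMware's tooling or anything from the newsletter; it applies those rules to a requested value and rewrites the memsize line of a .vmx file. The sample .vmx lines are constructed for the demonstration, and it assumes the line has the form memsize = "256" exactly as the text shows.

```python
"""Adjust the memsize setting of a VMware .vmx file under the constraints
given in the newsletter: a multiple of 4, never below 32, no more than
half of the host's RAM, and no benefit above 256 MB.

Added example; not VMware's tooling.  Assumes the memsize line has the
form  memsize = "256"  as the text shows.
"""
import re
import sys

MIN_MB = 32          # the text says the value cannot be lower than this
USEFUL_MAX_MB = 256  # no performance gain beyond this for the appliance

# Matches a memsize line, keeping everything around the quoted number.
MEMSIZE_RE = re.compile(r'^(\s*memsize\s*=\s*)"(\d+)"(.*)$', re.MULTILINE)


def clamp_memsize(requested_mb: int, host_ram_mb: int) -> int:
    """Return the largest value that satisfies all the constraints.

    On a very small host the 32 MB floor wins over the half-of-RAM rule,
    because the file will not accept anything lower.
    """
    cap = min(host_ram_mb // 2, USEFUL_MAX_MB)   # half of host RAM, capped
    mb = max(min(requested_mb, cap), MIN_MB)     # but never below the floor
    return mb - (mb % 4)                         # round down to a multiple of 4


def rewrite_vmx(vmx_text: str, host_ram_mb: int,
                requested_mb: int = USEFUL_MAX_MB) -> tuple[str, int]:
    """Return the .vmx contents with memsize rewritten, plus the value used.

    Raises ValueError if the file has no memsize line, rather than silently
    appending one, so a malformed or wrong file is noticed.
    """
    if MEMSIZE_RE.search(vmx_text) is None:
        raise ValueError("no memsize line found in .vmx text")
    new_mb = clamp_memsize(requested_mb, host_ram_mb)
    new_text = MEMSIZE_RE.sub(
        lambda m: f'{m.group(1)}"{new_mb}"{m.group(3)}', vmx_text, count=1)
    return new_text, new_mb


# Constructed sample of the relevant lines of a Browser Appliance .vmx file.
SAMPLE_VMX = (
    'config.version = "8"\n'
    'displayName = "Browser Appliance"\n'
    'memsize = "256"\n'
    'guestOS = "ubuntu"\n'
)

if __name__ == "__main__":
    # Usage: python vmx_memsize.py <host RAM in MB> [path/to/Browser-Appliance.vmx]
    host_ram = int(sys.argv[1]) if len(sys.argv) > 1 else 384
    if len(sys.argv) > 2:
        path = sys.argv[2]
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        text, used = rewrite_vmx(text, host_ram)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        print(f"{path}: memsize set to {used} MB")
    else:
        text, used = rewrite_vmx(SAMPLE_VMX, host_ram)
        print(f"sample .vmx with {host_ram} MB host: memsize -> {used}")
        print(text)
```

Run it with your host's RAM in megabytes and the path to the .vmx file; without a path it shows what it would do to the constructed sample. Keep the original zip as the text advises, since the script writes the file in place.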
The Browser Appliance comes in a zip file. Unzip the folder that is inside and save it somewhere. Open the VMware Player, navigate to where you saved the unzipped folder and load the Browser Appliance. Ubuntu Linux boots up and the VMware Player automatically connects it to the internet, assuming your real computer also is online.
Surfing the web with the Browser Appliance, you have absolute and total safety from any browser-based spyware installer. First of all, it is Linux. To my knowledge, no malware infects Linux through any sort of browser exploit.
More importantly, even if, by some miracle, something bad did infect the Browser Appliance, you can just delete it and start over. Your computer is not affected by what goes on with the virtual machine. The Browser Appliance also can be made to discard all changes made between sessions. If you screw it up, just turn it off and back on.
The first time you run the Browser Appliance, it will take a few minutes for Ubuntu to boot up. After that, you can just click the VMware player's X button to close the window. It will minimize itself long enough to suspend Ubuntu, then close. The next time you open the Browser Appliance, it will start much faster.
The only real drawback is that it takes a little work to share files between the virtual machine and the real machine. The virtual computer and the real computer are completely separate from each other, by design. There are some ways around that problem. I don't have space enough to go into that here, so I will save it for an article that I plan to write about the Browser Appliance.
Since you have the player anyway, go ahead and download some more virtual machines. VMware has put together several virtual machines for free. They also link to several other VMs, put together by members of their online community. My favorite was the one labeled "KDE on SUSE". If you ever wanted to play around with Linux but were too scared to install it, this is your chance to take a look at it without risking anything.
There is the sort of spyware that comes from installing programs like Kazaa and iMesh. This kind of spyware will track your web usage to produce more relevant pop-up ads. This is an annoying and unfair invasion of privacy. However, other than the aggravation of dealing with pop-up ads and spam, this kind of spyware usually is not dangerous (well, except to your blood pressure). These usually can be cleaned up with products such as Ad-aware and Spybot.
More dangerous are the surveillance and monitoring programs. These programs are used to gather all of the information necessary to steal your identity and ruin your credit. A business rival can bribe an employee to install spyware on the company network. Or the company itself might install spyware to watch you while you work. These programs cost money to buy for testing and not all antispyware companies can afford to keep up with each new version.
SpyCop is the leading solution for finding computer monitoring spy programs, keyloggers, and commercially available software designed specifically to record your screen, email and passwords. SpyCop will detect the spy, tell you when it was installed, and disable it. SpyCop claims to have the largest database of surveillance spyware.
SpyCop also makes Evidence Terminator, a program that cleans out the traces of computer usage that Windows leaves lying around. This includes browser cache, temp files and recently opened documents among other things. You should shred paper documents at home and in the office, if you don't want people reading them. The same goes for your PC.
More information about SpyCop http://www.spywareinfoforum.info/downloads/spycop/
More information about Evidence Terminator http://www.spywareinfoforum.info/downloads/spycop/eterminate.php
Don't forget, even if you catch all the spyware on your computer, someone can still sneak up behind you and peek over your shoulder. SpyCop won't help with that, so you might think about buying yourself one of these monitors. ;-)
You may have read earlier this week, on any number of sites, that Apple's iTunes jukebox suddenly has become adware. A new component was added which transmits information about the songs to which the user is listening. As a result of this transmission, the program begins to show ads for similar music.
The new component, called the iTunes MiniStore, displays advertisements for songs near the bottom of the iTunes program. People quickly became suspicious of the fact that the songs being advertised were related closely to the music being played by iTunes.
One person decided to look at the data packets leaving his computer. He discovered that every time he selected a song in iTunes, it transmitted the name of the artist over the internet. Shortly thereafter, advertisements for other songs performed by that same artist would appear in the MiniStore.
[Edit: This behavior seems to be limited to the Macintosh version of iTunes. People testing the Windows version do not see this behavior.]
It is important to note that this transmission occurs for any song selected in the iTunes playlist, not just the songs purchased from the iTunes Store. If you have MP3 or OGG music files, obtained from any source, the artist's name is transmitted, if the file is tagged properly.
Many of the people who commented on the various blogs discussing this issue wonder why anyone would complain about this, since Apple already knows which songs you have purchased from them. They are overlooking the fact that not every song a person listens to has been purchased from iTunes.
After exhaustively poring over license agreements and privacy statements, no one seems to be able to find any mention of this activity. If there is a disclosure somewhere, it is well hidden.
Apple has made a statement about this. They acknowledge that iTunes transmits the name of the artist, in order to display relevant ads in the MiniStore. Apple states that the collected information is discarded immediately and is used only to decide which advertisements to display. If you turn off the MiniStore, no information is transmitted and you can listen to your music in peace.
This does not seem to present much of a privacy problem. Assuming that Apple is being truthful, the information that is transmitted is discarded as soon as their servers decide which advertisement to display. Calling this spyware probably is inappropriate, as the information is not recorded anywhere (according to Apple anyway).
However, iTunes can be considered to be adware now. In fact, don't be surprised if the seedier adware makers begin comparing their products with iTunes in the near future.
People who purchase music from the iTunes Store on a regular basis probably will find this feature to be useful. This isn't all that bad a feature, really. It just has a creepy feel to it. The real problem is that Apple included it without telling anyone and turned it on by default.
You would think that in this day and age, a company such as Apple would know better. Adware, spyware and all such related software are a sore subject for internet users today. Without notice, a routine software update transformed one of Apple's most popular products into adware. Could Apple really have been so naive as to think people wouldn't spot this and cry foul?
On a related note, it seems that a large percentage of people with iTunes on their computer do not want it. The reason for this is that Apple has bundled it with QuickTime. Numerous web sites embed movies or trailers on their pages in QuickTime format. If you want to watch them, you must have a media player that can handle QuickTime movies.
Apple's QuickTime download page features an enormous download button, which links to the QuickTime/iTunes bundle. On the other side of the page, a much smaller, plain-text link will take you to another page, where you can download QuickTime without iTunes. You also can skip QuickTime altogether, if you like. A program called QuickTime Alternative can play all QuickTime files, without QuickTime itself being installed.
Editor: Link to Quicktime Alternative fixed. Sorry about that.
Steve Gibson, owner of Gibson Research Corporation (GRC.com), has announced a bizarre theory. He believes that the Windows Metafile flaw was a deliberate backdoor, planted inside the Windows operating system by someone at Microsoft.
I only understood every tenth part of what he was saying. Since I don't understand it myself, I am not going to try to explain what he was talking about. Listen to the podcast or read the transcript if you want to take a crack at it.
Gibson claims that this cannot be an accidental flaw. He says that the way this is set up, it can only be deliberate. Gibson believes that this so-called flaw actually is an intentional backdoor planted in Windows.
If this was a backdoor, it was a beautiful job. I am still hazy on the details, so I probably will explain this incorrectly. As I understand it, you can embed an executable file inside of an image file, then deliberately force the Windows Metafile rendering engine to abort, so that it doesn't draw an image. Once it has aborted, the rendering engine will execute the code which is embedded within the file. Before its public discovery, it was a perfect method for secretly running software on a remote computer, because it bypassed every imaginable safeguard.
A Microsoft programmer has responded to the theory, saying that Gibson is incorrect. He says that the code in question has been recycled into every version of Windows since before version 3.0, over fifteen years ago. The original purpose of the function being used to exploit this flaw was to allow a user to cancel a print job. Back then, in the days before the World Wide Web existed, it never occurred to anyone that there would be a reason not to trust a WMF metafile.
Gibson believes this function was planted within Windows to serve as a backdoor and to allow code to be run on a computer silently. Microsoft says that it simply is long-recycled code, left over from a time when computers did not need to be secure against malicious files.
I am inclined to believe Microsoft on this one. Their explanation makes far more sense. I can believe that many of the things Microsoft does have non-innocent motives. I cannot quite make myself believe that Microsoft would plant a backdoor in Windows deliberately. It is possible that a rogue programmer would do something like this, working without Microsoft's knowledge. However, if the code has been around for fifteen years, I think that it is extremely unlikely.
Did you know that you can purchase a record of phone calls made to and from almost any cell phone for about $100? Several companies offer this service these days.
This may not be the case for long, however. Everyone from cell phone owners to cell phone providers all the way up to the US Congress is thinking of ways to kill this relatively new industry.
None of the companies disclose how they go about gathering these records. Certainly the cell phone service providers are not providing the information, at least not officially.
Most people suspect that the information is gathered in one of two ways. One theory is that someone from the data broker company calls the cell service provider and pretends to be a customer. Another theory is that these data brokers simply bribe employees of the cell phone company.
Cell phone companies are outraged. Several companies are vowing to sue any such data brokers out of existence, if they sell any information about their customers. Congressmen and Senators are vowing to make it illegal to impersonate a customer, while talking to a cell phone company.
If I were you, I would avoid buying any stock in a company that offers this service. I don't think it is going to be worth very much in the near future.
I also would avoid using these services yourself. What they are doing probably is illegal or will be soon. It doesn't make any difference to a federal prosecutor whether you committed a crime yourself or are just an accessory. They will haul you before a judge either way.
Patrick Kolla is claiming that Symantec is publishing false information about his antispyware program, Spybot S&D.
In a news posting on his web site, Kolla says that Symantec has been telling customers that Spybot S&D will corrupt disk image files created by Norton Ghost. He also says that a knowledge base article, published presumably at Symantec's web site, makes the same statement (I have not been able to find that article).
Kolla asked Symantec to produce any evidence that Spybot interferes with Norton Ghost. A week went by without Symantec producing evidence, so he made a public announcement about the situation. He also states his theory that Symantec is making false claims about Spybot because Symantec makes a competing antispyware product.
Symantec has made no public statement about this situation.
Yesterday, my email program started behaving strangely. Email was coming in but none would go out. Every time I tried to send an email, my email program kept popping up an error message.
At first, I thought my antivirus had crashed. The email program connects to the mail server through the antivirus program, instead of connecting directly. If the antivirus email service crashes, it will act as if the email server is offline. (Off Topic: The first time the antivirus program checked my email and detected an incoming virus, it made a sound like an air raid siren. Scared the hell out of me).
That couldn't be the problem, I realized after a few minutes. Email still was coming in, so obviously the email service was running. After thinking about it for a minute, I guessed what was happening.
I opened a CMD window (similar to a DOS prompt window, for those of you still using Win 98 and ME) and tried to open a telnet connection over port 25 to the email server at SpywareInfo. It didn't work. Then I used a different port, one that my web host has bound to the email servers on all of their hosting boxes. That connection worked just fine and my suspicions were confirmed: Bellsouth had firewalled port 25.
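The telnet test above (port 25 fails, the host's alternate port works) is a quick way to tell an ISP port block from a dead mail server. The script below is an added example, not the author's procedure or his web host's configuration; it probes both ports against the same host and interprets the pattern of results. It assumes 587, the standard message-submission port, as the alternate, since the text does not name the port the author's host used, and it includes a constructed connector that simulates a port-25 block so it runs offline.

```python
"""Check whether outbound SMTP on port 25 is being filtered, the way the
telnet test in the text does, by trying port 25 and an alternate port
against the same mail host and comparing the outcomes.

Added example, not the author's procedure or his host's configuration.
Assumption: the alternate port is 587 (the standard message-submission
port); the text does not say which port the author's web host used.
"""
import socket
import sys

PRIMARY_PORT = 25
ALTERNATE_PORT = 587   # assumption; the author's host used an unnamed port


def probe_port(host, port, connect=socket.create_connection, timeout=5.0):
    """Try a TCP connection and read the SMTP greeting.

    Returns (reachable, detail): detail is the banner line when the
    connection succeeded, or the error text when it did not.
    """
    try:
        with connect((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""   # connected, but the server said nothing
        return True, banner
    except OSError as exc:
        return False, str(exc)


def diagnose_smtp(host, primary=PRIMARY_PORT, alternate=ALTERNATE_PORT,
                  connect=socket.create_connection):
    """Probe both ports and interpret the pattern of results."""
    p_ok, p_detail = probe_port(host, primary, connect)
    a_ok, a_detail = probe_port(host, alternate, connect)
    if p_ok:
        verdict = f"port {primary} reachable: no outbound block in the path"
    elif a_ok:
        verdict = (f"port {primary} blocked but {alternate} reachable: a filter "
                   f"between you and the server (typically the ISP) is the likely cause")
    else:
        verdict = "neither port reachable: server down, wrong host name, or a wider outage"
    return {"primary": (p_ok, p_detail), "alternate": (a_ok, a_detail), "verdict": verdict}


# --- constructed simulation so the script can run offline ------------------
class FakeSmtpSocket:
    """Stand-in for a connected socket that returns a fixed greeting."""
    def __init__(self, banner): self._banner = banner
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def settimeout(self, _t): pass
    def recv(self, _n): return self._banner


def simulated_isp_block(address, timeout=None):
    """Constructed connector: port 25 times out, anything else connects."""
    _host, port = address
    if port == PRIMARY_PORT:
        raise OSError("[constructed] connection timed out")
    return FakeSmtpSocket(b"220 mail.example.invalid ESMTP ready\r\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = diagnose_smtp(sys.argv[1])          # real network probe
    else:
        result = diagnose_smtp("mail.example.invalid", connect=simulated_isp_block)
    for key in ("primary", "alternate"):
        ok, detail = result[key]
        print(f"{key:9s} {'open' if ok else 'closed':6s} {detail}")
    print(result["verdict"])
```

Pass your mail server's host name as the only argument to probe it for real; with no argument it runs against the simulated block. The connector is injectable so the interpretation logic can be exercised without a network, which is also what makes the simulation possible.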
Now don't get me wrong - this is not a bad thing. When a residential ISP blocks port 25 connections, it means that a virus-infected customer cannot be used as a relay for spam. The problem is that Bellsouth gave no warning about this. I logged into my Bellsouth email account, for the first time in a year, and discovered no notice or warning about this.
Another problem is that there seems to be no way to request that the port be unblocked for my account. I pay quite a bit of money each month to rent my web servers and I intend to make full use of them. Bellsouth's only solution to this problem is to demand that you send email through their servers. Email sent through a large ISP's overworked servers may not arrive at their destination for hours. That is unacceptable to me.
This is not really a problem for me. My web host, realizing that more and more ISPs were beginning to do this, long ago bound a second port to the mail servers. You send email over one port, it arrives at the hosting box and is routed to the email server, then is sent out to the recipient on port 25. That lets customers bypass this sort of block. My email is working again, after setting the email program to use the other port. That doesn't help any other Bellsouth customer, unless they also use my web host.
So, good on Bellsouth, for blocking the port to reduce spam. Bad on Bellsouth for not warning anyone they were going to do it and for not offering to unblock the port, for customers who want it accessible. It serves them right if their call centers are overwhelmed with confused customers, all wondering why their email suddenly stopped working yesterday.
I have killed another hard drive. I mentioned this in a brief mailing several days ago. An astonishing number of emails arrived, concerning my little misfortune. First of all, thank you for the messages of support. Second, I've decided to explain the whole situation, since so many people were interested in it.
I really don't know what happened. I rebooted to apply a software update. While the PC was booting, it displayed a message saying that S.M.A.R.T. (Self-Monitoring Analysis and Reporting Technology) had detected a massive hard drive failure and that I should replace the drive immediately. Since the drive was working perfectly 30 seconds earlier, I ignored it.
Take my advice - when S.M.A.R.T. tells you that your hard drive is toast, you better believe it's telling the truth.
It took an abnormally long time for Windows to load. When it finally loaded my account, a number of problems became obvious. Most importantly, the drivers for my network card failed to load. I had no internet! Several other programs and drivers also failed to load properly. Every time I tried to open a folder, a file or a program, it took FOREVER. The drive seemed to be spinning at about 1RPM, instead of its normal 7,200RPM.
Thinking (hoping desperately) that this was merely a software problem, I tried to restore a backed up disk image that I had made three days earlier. I had another hard drive failure in December 2004, so I had learned my lesson about making backups. I have two separate external hard drives - one for storing miscellaneous files, the other for storing backups of all my web sites and of my computer.
Unfortunately, I couldn't make the backup program work. Every time I tried to load the program - Acronis True Image - Windows told me that "the disk in drive C: is unformatted". Since that obviously wasn't true, I can only assume that the part of the hard drive holding the Acronis files is damaged.
Still, this wasn't a disaster (I thought at the time). I had the same program installed on my laptop, so I used that copy to create some emergency boot floppies. I booted the computer to the floppies and tried to restore my backup. True Image refused to believe that the backup archive file was valid. It absolutely refused to work with it. grrrr........
It probably wouldn't have worked anyway, so no big loss there.
It just so happened that I had a brand new, never-used-before hard drive sitting on my couch. I had intended to install the drive weeks earlier but just never got around to doing it. I stuck it into the computer and rebooted. Windows, very slowly, realized that a new drive was present and let me format it. After that was done, I booted again to True Image. I was going to use it to copy the old hard drive to the new hard drive. I had hoped to avoid having to reinstall Windows all over again.
It was at this point that True Image demonstrated a whole new level of incompetence. I went through the program's wizard and told it to copy the contents of the old drive to the new drive. It wouldn't do it. It kept telling me that the new hard drive was "read-only". GRRRRRRRRR...............
Ok.... I'm not defeated yet. I still have some options here. I theorized (incorrectly) that maybe my damaged copy of Windows had formatted the new hard drive badly and that this was the reason True Image thought it was "read-only". I still had two other hard drives to try.
I plugged both external drives into my laptop and transferred every single file from one to the other, leaving one of them empty. Then I plugged the empty drive back into the PC and booted, once again, to True Image. Again, True Image thought the drive was read-only and refused to let me use it. I plugged in the other drive and, sure enough, it thought that one also was read-only. My neighbors can tell you what I thought of that. I'm surprised they didn't call the police.
So, I gave up on trying to copy an image of the hard drive. I booted into Windows again, transferred every file I thought I might need to the empty USB drive and smoldered angrily. I was just going to have to reinstall Windows on the new hard drive and abandon the old one. Windows had absolutely no trouble copying to any of the hard drives, although it did so very slowly. The drive still works, barely, so any files I need should still be available, if I forgot to copy them.
While the files were copying, someone slipped me a copy of GRC's SpinRite program (sorry Steve). SpinRite is a program that can repair damaged hard drives. Once I had all the files from the old drive copied, I booted the computer into SpinRite. After clicking through several apocalyptic-sounding warnings about all the things it said were wrong with the drive, I set it loose in an attempt to repair the damage.
SpinRite clicked and whirred and displayed odd-looking statistics for three straight days. It took so long that I had time to watch all four seasons of Star Trek: Enterprise on DVD (too bad that show was canceled). Unfortunately, the hard drive is so damaged that SpinRite is unable to fix it.
When I finally gave up on it, SpinRite seemed to be stuck on a particular portion of the drive. Don't ever say that I can't be patient when I have to be - I let it run for 18 hours in exactly the same spot before I quit.
At this point, I admitted defeat. The drive cannot be repaired and I cannot copy an image from it. I had to reinstall a fresh copy of Windows and I hope that I saved all the files I need.
I have to say that I am extremely angry at Acronis. I went through a similar hard drive failure a year earlier and I thought that I was prepared for another one. And I was. What I wasn't prepared for was a failure of the program I expected to use to see me through another hard drive failure.
It probably wouldn't have worked anyway, because the hard drive is so damaged. Still, the stupid program didn't even try. I can't imagine what is wrong with True Image that it thinks all of my hard drives are read-only.
I fought with this problem for days - literally. And nearly everything I tried to do was made useless by the fact that Acronis True Image failed to do what it was designed to do. Honestly, I have no idea what happened with that. It always has worked just fine in the past. When I absolutely, positively needed it to work, it wasn't there for me. I won't be replacing my damaged copy, since obviously it cannot be trusted to work.
I have replaced True Image with a similar program called "Image for Windows". All the reviews for it speak in glowing terms and it seems to be exactly what I need. Plus, it was cheaper than True Image and Norton Ghost.
And so, that is the sordid tale of my borked hard drive. Those of you who fell asleep during all of that, you can wake up now.
SpywareInfo has a new(ish) feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.
Running SpywareInfo has become an expensive thing to do. We are using three separate servers to display the site and to protect it from denial of service attacks. This is not a cheap web site to host.
If you would like to help with the costs, there are three options. There is PayPal for those who have a Paypal account or don't mind signing up for one (it is free).
There is a snail mail address if you do not like Paypal or have no means of sending money online. Please make sure to make checks (in US Dollars) or money orders (in American currency) out to James Healan and not Mike Healan so I am not hassled at the bank. Please note that contributions to SpywareInfo are not tax deductible.
The address is:
James Healan
PO Box 71
Vidalia, GA USA 30475
Thank you very much for your contributions.
You can also purchase t-shirts, hats, bumper stickers and other items from our CafePress storefront ( http://www.cafepress.com/spywareinfo ). We'll have more designs to offer soon.
All materials on this web site are copyrighted © 2001 - 2012 by Mike Healan or their respective owners. All rights reserved.
Use of this site and its services is subject to our terms of use.