The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/july22,2003.
I have read a couple of stories in the news recently that illustrate perfectly the dangers involved in a spyware infection. I'm not talking about advertising programs or browser hijackers mislabeled as spyware. I'm talking about real spyware, the sort of thing that logs your keystrokes and steals your passwords.
In two separate cases recently, thieves have been using spyware programs to steal several hundred thousand dollars from unwary computer users.
Hacker cleans out bank accounts
A HACKER is targeting clients of South Africa's largest bank and has managed to steal hundreds of thousands of rands by breaching their accounts over the Internet.
The Police Commercial Crimes Unit confirmed this week it was investigating nine cases involving thefts from Absa accounts. Absa is the leading South African Internet banker with about 35% of the market and about 300 000 online clients.
Police and bank officials say it appears the perpetrator used "spyware" to gain access to the personal computers of the victims, and, having found out their Internet banking information, had transferred money out of their accounts.
Read this article at the South Africa Sunday Times
Guilty Plea in Kinko's Keystroke Caper
If you used a computer at a Kinko's in New York City last year, or the year before, there's a good chance that JuJu Jiang was watching.
The 25-year-old Queens resident pleaded guilty in federal court in New York last week to two counts of computer fraud and one charge of unauthorized possession of access codes for a scheme in which he planted a copy of the commercial keyboard sniffing program Invisible KeyLogger Stealth on computers at thirteen Kinko's stores sprinkled around Manhattan.
For nearly two years ending last December, Jiang's makeshift surveillance net raked in over 450 online banking passwords and user names from hapless Kinko's customers, according to the plea. He would use victims' financial information to open new accounts under their names, and then siphon money from their legitimate accounts into the new, fraudulent ones.
Now, if that doesn't chill your blood, you must have ice water running through your veins. It's that easy to be ripped off and lose your entire life's savings. I don't want to spread a bogus line of FUD, but here we have what police suspect is only two people robbing hundreds of people blind, to the tune of several hundred thousand dollars.
The Kinko's incidents are especially chilling. People really should know better than to log into any sort of private account from a public internet terminal, but they do it anyway. The idea of law enforcement monitoring a public terminal may enter your thoughts briefly, but who would imagine a public machine would be infested with spyware installed by a hacker and left that way for two years? Two years!?
That could have been prevented, if just one customer or employee had scanned any of those computers with a spyware detector. Don't let something like this happen to you. If you are going to be using a computer that doesn't belong to you, especially a public terminal, you should inspect that machine for spyware before doing anything else. You don't have to download Spybot and install it on every machine you use. In fact, on most public machines, you can't install anything at all.
For those situations where you expect to be using a computer on which you cannot, or are prohibited from, installing programs such as a spyware detector, you can still check it for spyware. X-Cleaner Spyware Remover will fit onto a floppy disk, in both the free and deluxe versions. There is no need to install it; you just insert the floppy and start scanning.
You can read more about X-Cleaner at SpywareInfo. You can download the free version here.
http://www.sundaytimes.co.za/2003/07/20/news/news01.asp :: Hacker cleans out bank accounts
http://www.securityfocus.com/news/6447 :: Guilty Plea in Kinko's Keystroke Caper
http://www.spywareinfoforum.info/downloads/x/ :: X-Cleaner information
http://www.xblock.com/cgi-bin/download.pl/-13232-/xcleaner_free.exe :: X-Cleaner free download
Everything you do on your computer leaves a trail behind. When you surf to a web site, you leave behind internet cache, address bar history, web site visit history, and cookies. When you open a document, Windows saves the filename into the registry. When you run certain programs, Windows saves a file into a temporary folder, and often doesn't delete it afterward.
Evidence Terminator is made by the authors of Spycop anti-spyware software. It cleans up the trail that Windows leaves behind.
Evidence Terminator optionally cleans:
Evidence Terminator is available to SpywareInfo visitors for 20% off until July 31, 2003.
Please note that this is Evidence Terminator and not Evidence Eliminator, which would never be featured here. Read why not.
Links:
http://www.spywareinfoforum.info/downloads/spycop/eterminate.php :: More information
The Recording Industry Association of America (RIAA) has declared full-scale war against file swappers. They are filing hundreds, possibly thousands of subpoenas to serve on ISPs to force them to reveal the names of their file sharing customers. About 75 of these subpoenas are being approved every day. RIAA lawyers are filing them in such numbers that the US District Court for Washington D.C. can't keep up with them all. The clerk's office is finding it necessary to bring in extra employees, with taxpayers footing the bill.
I will be writing a separate article about the RIAA's actions sometime later in the week. Keep an eye on the newsfeed for that.
In response to this escalation by the RIAA, StreamCast Networks, maker of the Morpheus file sharing program, has released a new version of Morpheus which they say will hinder the RIAA's ability to snoop on their users. The new Morpheus allows users to connect to public proxy servers in order to hide their IP addresses. In addition, Morpheus now allows users to connect to public blacklists of IP addresses suspected of belonging to RIAA snoops.
StreamCast Networks also claims that the new version is now free of spyware, saying that they don't want the privacy of their users being violated. I downloaded Morpheus to test this claim. Sorry, but it's not true.
Before last week, it had been a year since I installed Morpheus to test what third party adware it bundled. Perhaps they had some sponsor programs that qualify as spyware (according to their definition) that were left out of this new version. What has not been removed is an add-on component that installs as a browser helper object (BHO) called Wurld Media.
According to Andrew Clover of Doxdesk.com, "WurldMedia will be informed of visits to any of their targeted sites with referring site information and user-tracking through a unique ID built into the software." More information is available on Andrew's site: http://www.doxdesk.com/parasite/WurldMedia.html.
That's bad enough on its own. What makes Wurld Media even more insidious is the fact that it allows its controllers to steal from web site owners all over the internet. Let's say you visit a web site looking to order a video game for your kid. You find what you are looking for and click the link to purchase the game.
Normally, the web master would have linked to the game maker's web site with a specially formed link that allows the maker to know who referred the sale to them, allowing that web site to make a commission on the sale. Wurld has been caught overwriting those affiliate links, replacing them with its own link to steal the commission from the web site that actually made the sale.
Wurld is among the worst of the worst of the scumware floating around the internet these days. Not only does it allow its maker to track your web usage, it also threatens to bankrupt your favorite web sites by stealing the commissions that keep them online.
Commissions on software linked and reviewed on the site are what keeps SpywareInfo online and free, despite the hosting costs associated with 200,000 visitors every month and a newsletter with well over 7,000 subscribed readers. Would you want it going under or turning to a fee-based site because someone was stealing the commissions?
Do me and every other web site owner on Earth a favor please. If you insist on using Morpheus, please uninstall the Wurld components. Morpheus works just fine without it. It should be listed in Control Panel > Add/Remove as "Shopping Community". Use Spybot to clean up anything it leaves behind.
In addition to Wurld Media, there is also a search bar that attaches itself to Internet Explorer called My Search. Other than being a non-optional install, there is really nothing wrong with this toolbar. There are no ads and it doesn't hijack browser settings like other search bar add-ons do. My Search can also be removed from Add/Remove.
http://security.kolla.de/ :: Spybot
http://rss.spywareinfoforum.info/15.rdf :: SWI RSS news feed
http://www.spywareinfoforum.info/newlsetter/june14,2002#wurld :: June 14, 2002 newsletter
http://www.doxdesk.com/parasite/WurldMedia.html :: Wurld Media article at Doxdesk
A posting on SpywareInfo's antispyware developer's mailing list caught my eye recently. It seems that the latest version of KaZaA is tampering with a Windows system file.
The HOSTS file is the first place Windows goes to look up the IP address of a remote server that your computer wants to connect to, such as a web site or a gaming server. If the name is not listed in the HOSTS file, Windows sends a request to your ISP's DNS servers to look up the server's IP address.
A common trick is to use the HOSTS file to make Windows think that a dedicated advertising server is located at the IP address 127.0.0.1, the loopback address that always refers to your own computer. When something wants to contact the advertiser's web server to load an ad, Windows believes the server is located on your own machine; the real server is never contacted, and the ad is never loaded.
As of the latest version (2.5) of KaZaA, if certain entries are present in the HOSTS file, KaZaA will not load. Instead KaZaA pops up a notice stating that the installation is "faulty". The "More Info" button on the notice leads to http://www.certifiedkazaa.com/certified.htm, which has this to say:
When KaZaA Media Desktop runs, if we detect some known changes that non-certified products make to your system, we will inform you that we have detected this and ask that you make some changes before running KaZaA.
- Simple: If it is a simple change then we will offer to fix the problem for you automatically. An example of this is when your 'HOSTS' file has been changed to prevent your computer reaching KaZaA.com or one of the other important domains that are required for KaZaA to function correctly. In this case we will comment the problem entries if you agree to let us fix the problem. If not, you will need to close KaZaA.
If you click the "Fix and Continue" button, KaZaA will alter the HOSTS files by disabling any entries relating to web sites owned by Sharman Networks or by their sponsors.
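To see what "commenting the problem entries" looks like from the user's side, here is an added example (my own code, not from the newsletter and not from Sharman Networks) that parses a HOSTS file the way Windows reads it, one address followed by hostnames per line with `#` comments, and reports which of the entries you intended to blackhole are still active, have been commented out, have been redirected to some other address, or are missing. The sample HOSTS content and the hostnames in it are constructed placeholders.

```python
import ipaddress

# Addresses commonly used to "blackhole" a hostname: 127.0.0.1 is the one the
# newsletter describes; 0.0.0.0 and the IPv6 loopback ::1 are the other usual picks.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return (active, disabled) dicts of hostname -> address from HOSTS text.
    'disabled' holds valid entries that are commented out, which is what a
    program that "comments the problem entries" leaves behind."""
    active, disabled = {}, {}
    for line in text.splitlines():
        body = line.strip()
        commented = body.startswith("#")
        if commented:                                  # strip the leading '#'
            body = body[1:]
        fields = body.split("#", 1)[0].split()         # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                                   # ordinary comment text
        target = disabled if commented else active
        target.update((name.lower(), addr) for name in fields[1:])
    return active, disabled

def audit_blocklist(text, expected_hosts):
    """State of each hostname you meant to blackhole: 'active', 'disabled'
    (commented out), 'redirected' (no longer at a blackhole address) or 'missing'."""
    active, disabled = parse_hosts(text)
    report = {}
    for host in (h.lower() for h in expected_hosts):
        if host in active:
            report[host] = "active" if active[host] in BLACKHOLE_ADDRESSES else "redirected"
        else:
            report[host] = "disabled" if host in disabled else "missing"
    return report

# Constructed sample (hostnames are placeholders): a HOSTS file after some
# program has commented out two of the user's blackhole entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.test          # blackholed by the user
# 127.0.0.1     sponsor.example.test      # now commented out
#127.0.0.1 tracker.example.test
"""
```

Run `audit_blocklist(open(r"C:\Windows\System32\drivers\etc\hosts").read(), your_blocked_hosts)` against a real file to compare it with the list you originally put there.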
After some testing, I found that if the NTFS security settings are changed to deny users read access to the c:\windows\system32\drivers\etc\ folder (see next picture), KaZaA is unable to read this system file or tamper with it. KaZaA will still load, although for some reason it takes about 20 seconds (on my system) to do so.
If you are using Windows 2000 Pro or Server with the NTFS file system, you can simply right-click the folder while logged in as an administrator, select Properties, and then click the Security tab. Tick the box to deny "Read" permission and click OK. (screenshot)
If you are using Windows XP Pro with the NTFS file system, Microsoft forces you to boot the computer into safe mode before showing the security options for some unknown reason. I don't know whether XP Home allows access to these security options or not.
If you are using Windows 95, 98, or ME, or are using 2000 or XP with the FAT32 file system, then I'm afraid that you are out of luck. These security features do not exist on the FAT32 file system.
If you are not sure whether you are using NTFS or FAT32, open your My Computer folder, right-click on your hard drive icon, and select properties and your type of file system will be listed. (screenshot)
http://accs-net.com/hosts/ :: More information about HOSTS file usage
http://www.spywareinfoforum.info/articles/kazaa/ :: This article
http://www.spywareinfoforum.info/articles/p2p/ :: List of spyware-infected and spyware-clean file sharing programs
http://www.spywareinfoforum.info/articles/kazaa/permissions.png :: screenshot - folder permissions
http://www.spywareinfoforum.info/articles/kazaa/driveproperties.png :: screenshot - drive properties
The Australian Federal Police is seeking an arrangement with the major free email providers such as Hotmail to make it easier to track down criminals using those services. That in itself is nothing to worry about. However, it seems that a former member of the National Crime Authority (NCA) is proposing an outright ban on all free email services.
That is, of course, ridiculous, and I won't waste your time making the case for this blatantly obvious fact. What disturbs me very much is the tone of some of Australia's law enforcement officials who agree with the idea. Alastair MacGibbon, director of the Australian High Tech Crime Centre, is one of those officials. Alarmingly, MacGibbon and others have chosen to present the issue in adversarial terms.
MacGibbon has been quoted as saying "How do we use our powers to compel that (Non Australian) ISP to give information?" He states that "we are in discussions with the major (Non Australian) ISPs commonly used to see if we can apply Australian laws," and follows that up with "Microsoft and others who provide these services have to be brought to heel". According to MacGibbon, "there will always be rogue states that will provide an internet haven in the same way they provide a banking haven. This has to be seriously raised at an international level."
It is puzzling that MacGibbon and certain other important officials believe it necessary to resort to such rhetoric and to allude to the United States and other important allies of Australia as being "rogue states". I can just imagine the damage to the career of any American FBI official careless enough to refer to an allied nation as a "rogue state" once his or her superiors discovered it.
While I have no sympathy for true criminals such as pedophiles and terrorists, these police officials should realize that they have no authority or rights on US soil, and nor should they. They should not and will not be "bringing Microsoft to heel" by "compelling" them or other companies located in "rogue states" to provide information about users who may or may not have committed crimes in Australia.
Australians are very nice people generally and have a reasonably sensible government. I am sure that most laws there are fair and humane. Unfortunately, the laws of many other nations are harsh and barbaric. For this reason, many citizens of other nations use internet services in America and other free nations to exercise their natural Human right to free speech without fear of reprisal by their native governments. If we were to start handing out information on people accused of crimes in foreign lands, we risk becoming accomplices to the suppression of free speech.
Sorry Mr. MacGibbon, but you're going to have to gather your evidence elsewhere.
http://australianit.news.com.au/articles/0,7204,6786644%5E15306%5E%5Enbv%5E,00.html :: Police target free email
Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.
Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000.
The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it. You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459
Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.
http://www.scotsnewsletter.com :: Scot Finnie's Newsletter
http://www.langa.com/newsletter.htm :: The Langalist
All materials on this web site are copyrighted © 2001 - 2012 by Mike Healan or their respective owners.
All rights reserved.
Use of this site and its services are subject to our terms of use.