Spyware Weekly Newsletter: July 9, 2003
The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/july9,2003.
Paypal Scam Alert!
Do you have a Paypal account? If so, then you need to be aware that, once again, someone is trying to steal your password.
These scams are usually easy to spot because Paypal always logs you into your account using a secure page (https:// means secure). In this case, however, the con artist has registered a certificate for use on a secure connection. He has also disguised his web address to make it appear as if it led to Paypal's web site.
Occasionally you may have come across a page on a web site that asks you to log in using a network password (example). You type in your user name and password and click OK to gain entry. There is a way to avoid having to enter your user name and password. You add your user name and password to the beginning of the internet address. http://my_name:my_password@www.example.com/passwd_protected/ is a good example of this.
The scammer's email gives you a link to ki54ft.worldispnetwork.com/i.cgi, but it includes a user name and password for a password protected directory, and the user name happens to be www.paypal.com. This is the same cute trick used recently by a browser hijacker to fool people into thinking they were loading msn.com.
At the web page linked in the email, there is a login form. If the victim fills in their password, they give this scammer their Paypal password, and his script combines that with their email address. After submitting the form, the cgi script redirects the user to the real Paypal login page. This is done in hopes that the victim doesn't notice anything suspicious. The victim may not realize that anything is wrong until they get the email receipt of the scammer cleaning out their account.
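The disguised link described above can be caught mechanically, because the server a browser connects to is whatever follows the last "@" in the address. The following is an added example, not code from the original newsletter: it reports links whose user name is shaped like a host name. The first sample address is rebuilt from the description above, with the scheme and the password part as placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# A string shaped like a DNS name: dot-separated labels ending in a 2+ letter TLD.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_link(url):
    """Return (real_host, decoy) for one link.

    real_host is the server the browser connects to (the part after the last
    '@' in the authority). decoy is the user name when it is shaped like a
    host name that differs from real_host, otherwise None.
    """
    if "://" not in url:              # links in mail are often written bare
        url = "http://" + url
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    user = unquote(parts.username or "").lower()
    decoy = user if HOSTLIKE.match(user) and user != real_host else None
    return real_host, decoy


def flag_links(urls):
    """Return {url: (real_host, decoy)} for links whose user name is a decoy host."""
    flagged = {}
    for url in urls:
        real_host, decoy = inspect_link(url)
        if decoy:
            flagged[url] = (real_host, decoy)
    return flagged


# Constructed samples. The first is rebuilt from the description above; the
# scheme and the password part ("placeholder") are assumptions.
SAMPLES = [
    "https://www.paypal.com:placeholder@ki54ft.worldispnetwork.com/i.cgi",
    "http://my_name:my_password@www.example.com/passwd_protected/",
    "https://www.paypal.com/",
]

if __name__ == "__main__":
    for url, (host, decoy) in flag_links(SAMPLES).items():
        print(f"{url}\n  shows {decoy} but connects to {host}")
```

Only the first sample is flagged; an ordinary user name such as my_name does not look like a host name and passes.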
Please, pass this warning along. Too many people fall victim to these scams, and this one is very convincing.
This warning is located at http://www.spywareinfoforum.info/articles/paypal/july8,2003.php
Credit to message board member APlusWebMaster for spotting this.
Links:
http://isc.sans.org/diary.html?date=2003-07-07 :: Internet Storm Center
http://www.spywareinfoforum.info/images/misc/auth.png :: Screenshot of password prompt
Aluria's Spyware Eliminator
Program: Spyware Eliminator
Author: Aluria software
Platform: Windows 98, ME, NT 4.0, 2K, XP
License: $29.99 (reduced from $59.98)
Aluria's Spyware Eliminator is an excellent program. It cleans out computer usage history that someone snooping around on your computer might use to piece together your computing activity. It detects and removes advertising spyware, porn dialers, and browser hijackers.
Unlike the free spyware detectors that are so popular, it also detects and removes most surveillance spyware and keyloggers such as Spectorsoft's e-blaster and Spector Pro. Commercial surveillance spyware is expensive stuff, and the developers of free spyware detectors simply can't afford to buy it for testing.
Spyware Eliminator has just been updated to version 3.0, and it sports a lot of new features.
Spyware Eliminator now protects against ActiveX drive-by installations. ActiveX installers are one of the most common sources of parasite infections. If you download something that bundles with and installs spyware, Spyware Eliminator will alert you instantly that it has been installed. No waiting for the next scan. It also blacklists IP addresses and web sites known to be malicious.
If you are an advanced user, the scanning options are far more flexible than they were previously. You can even set it to scan your system on a schedule you set. If you are a newbie and can barely work with your computer, it has easy-to-understand wizards to help you use it.
Aluria's developers also receive the mailing list I send out when a new or updated spyware program is discovered and it is always kept up-to-date. When false positives or bugs are reported, they have always updated to fix the problem. This is a program that definitely has my recommendation, and with a thirty dollar reduction in price, it is a huge bargain!
Click here for more information about the new Aluria Spyware Eliminator
Link:
http://www.spywareinfoforum.info/rd/aluria/ :: Aluria Information Page
CWS Hijacker
A new malware is being distributed that hijacks Internet Explorer start and search settings to one of several different web sites, including coolwwwsearch.com, coolwebsearch.com, youfindall.net, ok-search.com, and white-pages.ws. All of these web sites appear to have an affiliate relationship with coolwebsearch.com in which coolwebsearch pays them for every visitor they refer. There could be other domains involved in the future.
This hijack is similar to the datanotary.com hijack discovered last month. As with that older hijack, the CWS hijack sets Internet Explorer to use a custom style sheet containing JavaScript that opens a pop-up window. In fact, we believe the malware involved with CWS is an updated version of the same malware involved with datanotary.
The start and search settings are changed to an address in which the letters are converted into an unreadable mess of numbers and % symbols to hide the domain name from the user. It also makes it difficult to blacklist the domain. Internet Explorer is able to translate the symbols and load the hijacker's web site.
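A blacklist check still works against such an address if the host name is decoded before it is compared. The following is an added example, not part of the original article or its removal instructions: it decodes the host the way the browser would and matches it against the domains named above. The setting names and values are constructed samples, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

# Domains named in this article as hijack destinations.
BLOCKLIST = {
    "coolwwwsearch.com", "coolwebsearch.com", "youfindall.net",
    "ok-search.com", "white-pages.ws",
}


def canonical_host(url, max_rounds=3):
    """Return the lower-case host of url with percent-encoding removed."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    for _ in range(max_rounds):       # repeat for nested encoding (%2565 -> %65 -> e)
        decoded = unquote(host)
        if decoded == host:
            break
        host = decoded
    return host.lower().rstrip(".")


def blocklisted(url):
    """Return the matching blocklist entry for url, or None."""
    host = canonical_host(url)
    for domain in BLOCKLIST:
        # Match the domain itself or any subdomain, but not look-alike prefixes.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# Constructed sample settings; the first encoded value spells coolwebsearch.com.
SETTINGS = {
    "Start Page": "http://%63%6f%6f%6c%77%65%62%73%65%61%72%63%68%2e%63%6f%6d/",
    "Search Page": "http://www.%6Fk-search.com/find",
    "Search Bar": "http://www.example.com/search",
}


def audit(settings):
    """Return {setting name: blocklisted domain} for hijacked settings."""
    hits = {name: blocklisted(value) for name, value in settings.items()}
    return {name: domain for name, domain in hits.items() if domain}


if __name__ == "__main__":
    for name, domain in audit(SETTINGS).items():
        print(f"{name}: points at {domain}")
```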
An executable file named bootconf.exe is copied to the \windows\system32\ folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.
Finally, the malware lists the hijacker's web site in Internet Explorer's trusted security zone. Domains listed in the trusted security zone have no restrictions on what they can do. This allows that web site to have virtually unlimited access to the infected computer's file system.
We believe the source of the infections might be ActiveX drive-by installers located on pornographic web sites, or possibly trojan programs pretending to be illegal serial number generators. Unfortunately, this is just speculation for now.
Full removal instructions are located at http://www.spywareinfoforum.info/articles/cws/
Links:
http://www.spywareinfoforum.info/articles/cws/ :: Full version of this article
http://www.spywareinfoforum.info/articles/datanotary/ :: Datanotary article at SWI
Public Database of Government Officials
Remember TIA, known formerly as Total Information Awareness and now as Terrorist Information Awareness? TIA is a new project by the United States Department of Defense. TIA's purpose is to amass a colossal database of information about American citizens and visitors to the country.
The stated goal of this project is to help protect America from terrorists. However, many fear that TIA will be abused by the US government to monitor US citizens who have nothing to do with terrorism or any other crime. This fear is exacerbated by the fact that the head of the project is Admiral John Poindexter, a man known for his contemptuous disregard for privacy rights and citizen oversight of government. Poindexter was once convicted of committing perjury before the US Congress (a federal crime in the United States), although the conviction was later overturned.
Massachusetts Institute of Technology's Media Lab has opened its own database, a database of information on government employees. The database, located at http://opengov.media.mit.edu, will be updated constantly with information and documents submitted by the visitors of the web site. The idea is to build a community of citizen watchdogs keeping an ever watchful eye on the same people keeping an eye on them.
Personally, I like it. I like it a lot. I don't want to deny the government the ability to monitor suspected terrorists. On the other hand, I don't want the government abusing its tools by monitoring citizens who have nothing to do with terrorism.
I have noticed two trends ever since the Al Qaeda attacks of 9-11. One trend shows itself in the laws that have been passed since that horrible day, laws that give the government ever greater powers of surveillance and authority. The other trend is that certain key officials in positions of great power are obstructing the citizen oversight of government activities that is required by law. In my view, it is the latter trend that is more dangerous.
Like it or not, the US government and its agents have the ability to track nearly every detail of any person's life in which they take an interest. That in itself is not dangerous to our liberty. The danger lies in a government that feels that it is not accountable to those it governs and does not feel compelled to report its activities to them.
I don't fear the FBI tapping my telephone. What I fear is the FBI tapping my telephone, and not being required to tell someone they're doing it.
Links:
http://www.spywareinfoforum.info/articles/gia/ :: This article
http://opengov.media.mit.edu :: Government Information Awareness web site
ZoneAlarm "flaw" is a bunch of hooey
If you pay any attention to news about software or PC security, you've no doubt heard of a severe flaw discovered recently in the popular ZoneAlarm personal firewall. You may have heard that Zone Labs initially refused to fix this flaw in the free version of their software, saying that users would need to upgrade to the expensive Pro version to fix this issue. You may also have heard that Zone Labs has backpedaled and decided to address the issue after all.
Here is something that you may not have heard. Most of that is not true. Zone Labs is not telling people to upgrade to the pro version to fix this flaw. In fact, there is no flaw to be fixed.
This all started when someone posted a hypothetical password theft exploit to Bugtraq. In his hypothetical exploit, the person speaks of a rogue application running and stealing the user's passwords or credit card information. This application sends a command to Windows to start the user's web browser and load an internet address. In the poster's example, the rogue application sends the information that it had stolen as part of the request to the server. The person claimed that this constituted a bug in the core design of ZoneAlarm that allows software to bypass it and access the internet.
In fact, all the person had found was a feature of Windows that is commonly known and well documented. If a program gives the Windows shell a command, and the command starts with http://, Windows determines correctly that the program wants the user's web browser to load a web page. Windows checks the registry to see which web browser the user has configured to handle web surfing, then loads the web page in that browser. If the user has set their firewall to allow their web browser to access the internet, then obviously there will be no alert.
This is not a flaw in ZoneAlarm by any conceivable stretch of the imagination. Does Zone Labs write Windows? No, Microsoft does, and yet ZoneAlarm has been singled out as being responsible for this issue.
Read the rest of this article at SpywareInfo
Links:
http://www.securityfocus.com/archive/1/326371 :: Bugtraq posting
http://www.spywareinfoforum.info/articles/zonelabs/exploit_hoax.php :: The full version of this article
DogReader
I mentioned several weeks ago that I was involved in a new web site with my best friend. The web site, DogReader, is a valuable resource for anyone with a dog in the family. I wrote an article for it myself a few weeks ago.
The site is already getting a lot of attention. It was featured in a recent issue of the straight-poop.com newsletter and has even been named one of the top-12 writing sites on the Web by writewritewrite.com.
If you haven't checked the site out yet, you definitely should today. The July 8 article is a republication of a story written by Holly Manon Moore and published in the book, Chicken Soup for the Cat & Dog Lover's Soul. This is a very, very good story, and you definitely should check it out. The older, archived articles there are also an excellent read.
Links:
http://www.dogreader.com/ :: DogReader Web site
http://www.dogreader.com/archives/000018.php :: My article at DogReader
Mozilla Article
To the guy that emailed asking for permission to quote part of my last newsletter for a Mozilla article, the email address you gave me doesn't work. ;-)
Go right ahead and use that quote you asked about.
Anyone else that would like to quote something that I have written, please read SpywareInfo's Terms of Use policies.
Link:
http://www.spywareinfoforum.info/terms.php :: Terms of Use policies
Links and Software Pages Improved
I have redesigned both the downloads page and the links page on the web site. Rather than one long page that takes forever to load (on dialup at least), both of these pages now allow you to pick which categories you want to look at. You can also choose to view all categories at once and to close all of them.
I have also updated links for both the articles located on the site and also put together an archive of every past issue of this newsletter. I warn you though, the first several issues of the newsletter are horrible looking. I *will* be switching all of those old issues to the new design.
Links:
http://www.spywareinfoforum.info/downloads.php :: Software page
http://www.spywareinfoforum.info/links.php :: Articles and links page
Late
Sorry for this issue being late. Normally, this newsletter is released on Tuesday. However, I have been dodging thunderstorms nearly every day for weeks now. Several times over the past week, my power has gone out, leaving me with no way to write or research my articles.
If Mother Nature will leave me alone this week, the newsletter will be on time next Tuesday.
Recommend SpywareInfo to a friend
Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.
Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000.
The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it. You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459
Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.
Links:
http://www.scotsnewsletter.com :: Scot Finnie's Newsletter
http://www.langa.com/newsletter.htm :: The Langalist