Spyware Weekly Newsletter :· June 8, 2004

The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines.This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/june8,2004.

Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.

Permalink | Top

At the risk of setting off a million spam filters, I want to warn everyone about an old email scam that is going around once again.

The subject line of the spam is usually similar to "A user on our web site has submitted information about you" or "Someone is looking into your background". The spam goes on to say that an anonymous user has submitted information or an opinion about you on the spammer's web site. A link is provided so you can view the information.

This is where the scam begins. In order to view the information, you have to subscribe. Unfortunately, people fooled into subscribing find that there is no real information that has been submitted about them. It's a scam. Or it even could be a spammer looking to confirm live email addresses. Don't be surprised if you click their link and find your address sold to a hundred spammers.

For more information about this scam, please visit Snopes.com: http://www.snopes.com/computer/internet/wordofmouth.asp

Permalink | Top

In general, I don't approve of blocking advertisements on a web site. Just by loading an ad banner, you help a web site make money to pay for itself without having to spend a dime. It seems selfish to read the content on a free web site and then block the ads that help keep the site online. I make an exception for pop-up ads.

A pop-up ad is a vile, intrusive thing that should be blocked. Just as you should never ever buy anything from spam, you should never ever buy anything from a pop-up ad. Don't even click it if you see one.

If you asked the average internet user what they considered to be the most annoying thing about the internet today, spam and pop-up ads would be neck and neck for the top complaint.

There is a huge market for software that suppresses both of these annoyances (Including this week's featured product). That should be a clue right there that advertisers are harming their brands by using these technologies, the fact that people find them to be so annoying that they will pay money to avoid them. Unfortunately, some people just don't get it. C|Net has published an article saying that some web advertisers are trying out new ways to circumvent pop-up blocking software.

Some are experimenting with using a javascript command known as "onmouseover" that creates a "user initiated" event when the mouse cursor is placed over a certain part of the page. This "user initiated event" fools most pop-up blockers into thinking the user clicked a link to initiate the pop-up window and then it will allow the window to open.

Others are trying to detect blocking software and then serving an even more annoying "slide over" or "overlay" ad in the place of a pop-up. An overlay is a javascript object that creates an advertisement embedded in the page, right on top of what the user is trying to read. Most pop-up blockers don't stop overlays.

I don't understand this at all. If someone is using a pop-up blocker, then they obviously are not interested in seeing a pop-up ad. Why go to all of this trouble and expense just to alienate those people further?

My browser (FireFox) blocks pop-up ads for me. If I found a site that went to the trouble of circumventing the blocker or using an overlay ad, I simply wouldn't go back to that site. The product being spammed goes into a little blacklist to ensure that I never buy it in the future. It damages that company's brand and it damages the reputation of the web site allowing that sort of advertisement.

Advertisers, get a clue. People using pop-up blockers are not interested in what those pop-ups have to say. If you try to circumvent their blocking software, the software will be updated anyway and you will damage your brand further in the eyes of the people you are trying to reach.

Webmasters, you also need to get a clue. If you allow pop-up advertising, you are damaging the relationship with your visitors. If you allow advertisements which circumvent blocking software, you only guarantee the loss of those visitors using it. Not only will they refuse to click the stubborn pop-up ad, they will stop visiting your site altogether and then they won't see your normal banner ads. You will lose more money than you hope to gain and steadily you will lose your readership.

Permalink | Top

Program: Companion
Author: Panicware
Platform: Internet Explorer 5.x - 6 and Windows 95, 98, 98SE, ME, NT, 2000 and XP
License: $39.95 35% off for SpywareInfo readers (Applies to all Panicware software. Ends June 15). Use coupon code SPYWARE when you purchase.
Click here to purchase

Panicware Companion toolbar eliminates the traces of your web surfing and blocks cookies, web bugs and pop-up ads. With Hot Links, Companion allows you to keep a list of your "Hot Links" for quick access at any time. No need to search through Favorites or Browser History to find your favorite sites. Other sites can't add their links to your Hot Links as they do to your Internet Explorer Favorites.

Web Evidence Eliminator

• Clean url-history, browser history, cookies, cache and more!
• Remove all traces of your recent surfing activity!
• Keep cookies from user selected sites for email logins, etc.
• Eliminate tracking cookies and web-bugs
• All done automatically, no user intervention required!

Custom Pop-Up Stopper Sounds

Personalize your experience! Play a fun sound when a pop-up window is blocked. Choose from over 25 sounds, including cartoon, comedy and war sounds! Select a sound and play it right from your browser toolbar, it's easy!

Advanced Ad Blocking Technology

• Block pop-up and pop-under ads including X10 and Casino windows
• Allow pop-ups from sites YOU choose
• Preserve bandwidth by blocking pop-ups before they load!
• View the number of pop-ups blocked, and from which site!
• Play a sound when a pop-up is blocked

Permalink | Top

Last month, I warned about a nasty new parasite that had been discovered. This parasite hides itself from Windows, is nearly impossible to detect and nearly impossible to remove.

It turns out our new parasite is protected by an open source NT rootkit called Hacker Defender. Hacker Defender installs a device driver which hooks the Windows API. It allows it to hide a directory with a particular name while allowing files to exist there, hide open ports from a port scanner while allowing connections to and from that port, hide processes in memory from process managers along with other cute tricks. Anything protected by Hacker Defender is a real pain to find and remove.

There is a possible method for removing this thing easily. This information is from a member of our message board who prefers to remain nameless. No guarantees that this will work.

In order to detect whether you are infected by HackDefender, please download this utility: http://bagpuss.swan.ac.uk/comms/RKDetectorv0%5B1%5D.62.zip

If you are infected you can try the following: If your system drive (usually C:) is formatted with the FAT32 file system, simply create a bootable floppy, boot from it, and delete the directory from the command prompt.

If your system drive is formatted with the NTFS file system, download Bart's PE builder from http://www.nu2.nu/pebuilder/ in order to create a pre installed environment cd image. Burn that image and boot using the CD, use then the utilities inside the PE in order to delete this folder.

You can read more on HackDefender here: http://bagpuss.swan.ac.uk/comms/hxdef.htm

It's also worth mentioning that if the computer in question boots more than one operating system and your other OS has access to that hard drive, then you can simply boot to the other OS and delete the directory and files with no interference.

Permalink | Top

If you are thinking about buying a wireless router or accesspoint for your home network, you might be interested in this. It seems that Netgear is selling a wireless accesspoint with a backdoor built into it. This backdoor is installed by default and cannot be disabled, allowing access to the device to anyone who knows the user name and password.

This backdoor became public over the Bugtraq security list recently. Rather than removing the backdoor, the vendor simply changed the user name and password after this became public. The new information also was made public.

I would avoid buying this product based on this information. It's bad enough they put in a backdoor. Their response to its disclosure is sheer stupidity and borders on negligence. Some versions of the firmware include the older log-in information, some versions include the new one. Presumably some versions have a different log-in and some might not have one at all.

This is the sort of thing that shows the strength of open source software and security and the weakness of closed source "security by obscurity". An open source product would not have a backdoor like this one. There would be no way to hide it. Closed source products allow this sort of thing to happen with the hope that no one ever discovers it.

Permalink | Top

Spam

As anyone with an email address knows, spam now outnumbers legitimate email. In fact, some analysts are saying that 3 out of every 4 emails sent today are spam. Combine that with email viruses and stupid antivirus programs that bounce viruses and email is becoming nearly unusable. I, personally, am receiving close to 1,000 spam and virus emails every day at this point.

As a matter of fact, spywareinfo.com is being dictionary attacked by several spammers. A dictionary attack is where a spammer chooses a domain and sends the same spam to a large number of common user names at that domain. The idea is that some of those addresses will be valid. Unfortunately, in my case, they are *all* valid.

I have a catchall forwarder set up to forward email sent to non valid accounts to my main account. The reason I do this, ironically, is to avoid spam. When I sign up for something at a web site and have no choice but to provide an email address, I usually use that web site's name as the user name. If I am signed up at gator.com, then my address would be gator@spywareinfo.com or gatordotcom@spywareinfo.com. I still receive the email even though I haven't set that up as an email account. If I start receiving spam at that address, I can make the server block the address and I know whom to blame for selling it to spammers.

I have registered another domain, which I will never mention publicly, and soon will be using that for email. I'll set up a forwarder for each spywareinfo.com email address I'm using currently, then I will shut off the catchall feature at spywareinfo.com. Emails to non valid addresses then will bounce instead of being forwarded to me. I simply cannot keep up with all the spam and viruses coming in at spywareinfo.com, even with my spam filter catching 90-95% of it. It literally comes in faster than I can delete them from my inbox.

AOL

As I mentioned back in March, I will no longer be sending this newsletter out to aol.com addresses. AOL's newest email software has made it extremely easy to report an email accidently as spam and I'm not willing to take the chance of my server being blocked.

Since I purged the database of aol.com addresses in March, a few new AOL people signed up. Predictably, one of them reported the newsletter as spam (accidently I assume) and I received a notice from my web host about it. I've purged the addresses again and put up a notice on the subscription sign-up page (something I should have done in March). I don't understand the coding of the newsletter sign-up form, so I can't stop them from signing up. So, from this point on, I'll be purging any new aol.com email addresses from the database just before sending out the newsletter.

Autoreplies

Another change that's coming is that I will be removing any address that sends an autoreply to this newsletter. Please understand that it is extremely rude to sign up for a newsletter or mailing list at an address that uses an autoreply. Every time I send this newsletter out, my inbox fills up with them. I assure you, I realize that you are out of your office at 3 o'clock in the morning and don't need to be told.

Later this week I will be sending a short message to this list to look for autoreplies. Every address that sends one will be removed from the database. If your address is one that does this and there is a reason why you cannot turn it off, please go ahead and unsubscribe and then sign up at another address that doesn't use an autoreply. I will make an exception for autoreplies from people who are on vacation.

I would like to point out a problem with the unsubscribe links at the bottom of the newsletter. Some email programs screw up long links. I've had more than one person email saying they couldn't unsubscribe because their program messed up the very long link at the bottom. If this happens to you (and only if this happens), send an email to unsubscribe@spywareinfo.com and I will remove your address manually. Be sure to specify whether you are subscribed to the text or html version.

Short newsletter option coming

Several months ago, I asked your opinion of a new newsletter option, an update alert version. Basically, subscribers to the update alert newsletter would receive only a notification that a new newsletter is ready and would include a link to read it online. The newsletter itself would not be sent.

Quite a few people wrote saying they would like that option. I was preparing to set that up when the denial of service attacks hit the site. In all the excitement I forgot about it. However, I will be adding that option soon and might have it ready by next week. I'll let everyone know when that is ready.

Permalink | Top

I do not intentionally link to web sites that require registration before allowing visitors to read the article. At the time I read these articles, I was not required to register. If one of these sites requires that you register before allowing you to read the article, please let me know and I will blacklist that site.

http://www.presstelegram.com/Stories/0,1413,204~21474~2173868,00.html :: Online? Someone may be watching

http://www.computerworld.com.au/index.php/id;1214542063;fp;16;fpid;0 :: Spyware annoys, not threatens, IT managers

http://www.pcworld.com/news/article/0,aid,116356,00.asp :: Striking Back at Spyware

http://uk.gsmbox.com/news/mobile_news/all/98638.gsmbox :: When your computer spies on you...

http://www.technewsworld.com/story/34228.html :: Experts See Sharp Rise in Malware Attack Probability

http://www.pcmag.com/article2/0,1759,1602208,00.asp :: Spyware or Slyware?

http://www.newsday.com/technology/ny-txdolinar3835449jun06,0,3736776.column :: Microsoft wakes up to worm and virus blight with Windows XP shield