The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/dec30,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
Windows XP and Server 2003 contain a flaw in the component which displays certain image files. This flaw allows software to be installed if any Windows application attempts to open a specially-crafted image file. At least one irresponsible person has published an example of exploit code, demonstrating exactly how to take advantage of the flaw.
The flaw is classified as "Extremely Critical" by most security companies. No action is needed on the part of the user to be infected by way of this flaw. Security researchers are dubbing this "the WMF flaw", as it affects the Windows Metafile Format rendering engine. No update is available at this time to fix the flaw.
Web sites which engage in drive-by installations are going nuts. In less than 48 hours after this flaw became public knowledge, thousands of web sites are believed to have started using the exploit to install spyware. At least one adware program, which pops up advertisements on certain partner web sites, is exploiting the WMF flaw to install additional software.
This is a very dangerous problem. The Windows graphics rendering engine runs as a system process, which means that software installed through this flaw will have system-level permissions. Any piece of software, running on a vulnerable system, can execute a malicious package merely by attempting to open a specially-crafted image. This includes your email program, your web browser and image viewing software. The most likely means of exploiting this flaw will be to insert malicious images onto web pages and within spam email.
Sunbelt's president, Alex Eckleberry, has published a few workarounds that might prevent this flaw from infecting a computer, in some limited circumstances. None of these workarounds is 100% effective at closing the flaw.
I am strongly urging Microsoft to develop a patch for this vulnerability as quickly as possible. I am strongly urging Microsoft to publish the update, as soon as it is ready for release. If Microsoft holds to their normal schedule, no update will be published until January 10th. If a patch is created after that date, then it would not come out until February 14, 2006! This is one situation where the normal schedule must be ignored.
There is a bizarre footnote related to the publicity surrounding this vulnerability. Spire Security's Director of Research, Pete Lindstrom, went on record to state that this flaw is "hardly worth notice", as it "requires user interaction". Since it does not, in fact, require any sort of user interaction, Sunbelt's Eckleberry wrote to him about the quote. His reply is below:
Hi, Alex - it is my understanding that the vuln still requires an end user (target) to actually do something, like click on a link. If that is the case, then my quote is accurate. Don't worry, you'll still sell your software ;-)
So, he confuses surfing the web - which can be defined loosely as "clicking on links" - with user interaction and, when a bona fide security expert writes to correct him, he implies that the expert is worried about selling software.
I guess this simply proves an old saying. Just because the word "security" appears in a company's name, it doesn't necessarily mean that they know anything about security.
You have to use some common sense - just a little - to distinguish between automated processes and user interaction. Interaction means agreeing to a license notice. Interaction means saying "yes" to a security warning. Interaction means doing something - anything - out of the ordinary before the process can continue.
To be ambushed by an automated malware installer while reading email or surfing the web does not constitute user interaction.
"Spy Sweeper is the most effective standalone tool
for detecting, removing, and blocking spyware."
-PC Magazine, January 12, 2005
Read my review of Window Washer for more information about that program.
Webroot's Spy Sweeper is an outstanding, award winning antispyware program. The reason that it is "award winning" is very simple - it is extremely good at what it does. The latest version is fantastic.
Webroot continues to improve Spy Sweeper. Version 4.5 was released recently. I will mention a few of the newest features.
Advanced Blocking and Detection
Using new FlexDef technology, Spy Sweeper can identify and eliminate never-before-seen spyware on the fly - without the need for a specific definition.
Comprehensive Removal Technology (CRT)
Using patent-pending technology, Spy Sweeper effectively disables the most sophisticated spyware programs - ones that are designed specifically to avoid detection and removal.
Aggressive Removal of Sophisticated Spies
Spy Sweeper definitely defeats spyware programs that employ the most malicious technology today - "rootkits" - which bury and hide spyware files deep within your PC and are invisible to most anti-spyware programs.
Multiple User Protection
When you buy Spy Sweeper for your computer, its protection covers all users on that PC. Spy Sweeper is managed by a primary user, but all users can customize Spy Sweeper to their own tastes.
There are many other features as well, too many to describe. Those include:
Spy Sweeper is an excellent program. It is easy to use. It is thorough. The protective options are very good - far better than most other antispyware programs. The start up monitor and manager are fantastic features. I definitely recommend this new version of Spy Sweeper.
If you have any problems with the ordering page, please email Catherine http://www.spywareinfo.com/email2.php. Anyone who needs to purchase several copies of this program, please contact Catherine.
All right, now that I have told you about one of the good guys, it is time to talk about some of the bad boys of the industry.
Spyware is big business. It is also extremely annoying, so spyware removal also is big business. A number of disreputable companies have decided to play on both teams.
It sounds ridiculous. Who would want to buy an antispyware program promoted by a spyware program or installed through a drive-by download? Evidently there is money to be made doing this. The number of rogue web sites that install the trial version of some antispyware program grows daily. A large number of spyware programs promote various antispyware programs. Do a web search for "spyaxe", "spyware bomber", "spysheriff" or "spy wiper" and you will see what I mean.
It is truly pathetic, but we're starting to spend nearly as much time at the message board removing rogue antispyware programs as we do removing spyware. For some unknown reason, people buying Spyware Bomber were writing to me to demand their license keys. I still haven't figured that one out.
Eric Howes and Suzi Turner have been keeping an updated list of such programs. These programs are an embarrassment to the antispyware community. Most likely, that is part of the reason why they were created. Sometimes these programs themselves become targets of the legitimate antispyware products.
After a year and a half of updating the list, well over 200 different programs have been added. Suzi recently put together a Top Ten List of the worst of the worst of rogue antispyware programs.
Drum roll please:
10. Spyware Bomber
9. SlimShield
8. WinAntiVirus and its companion WinAntiSpyware 2005
7. SpywareNo and its clone SpyDemolisher
6. Razespyware
5. Spy Trooper
4. WorldAntiSpy
3. PSGuard
2. SpySheriff
1. SpyAxe
(Dis)Honorable mention goes to VirtualBouncer aka AdDestroyer.
Here is a disturbing idea for you. I ran across this article the other day. The writer talks about the possibility that our ISPs might block internet access to certain software or even to certain hardware.
The justification would be that they are blocking potential malware. Who could possibly speak out against an ISP that decides to block access to a spam-spewing backdoor trojan, right? But that is only the justification, not the real reason for doing it.
It doesn't take a conspiracy nut, searching the grassy knoll for that second gunman, to see the real reason why certain ISPs would want to block certain software. VOIP telephone packets are blocked routinely in some places. What phone company wants their telephone services undercut by free internet telephone? Some ISPs might even decide to restrict all but the most basic internet functions, while charging a premium to those people who want more access.
Some control at the ISP level would be welcome. Lord knows, I have been forced to change my mind on the subject of ISPs blocking port 25. When an ISP blocks port 25, a virus-infected computer connecting through that ISP cannot be used as a spam relay, because that is the port used for sending email. I used to oppose this practice, because it causes problems for people who use email servers other than those provided by the ISP. However, as the amount of spam circulating around the net has increased, especially since Can-Spam went into effect, I have begun to wish that all ISPs would block that port. Of course, there should be an option to restore access for customers who really need it.
Still, the idea of my ISP dictating to me what software or hardware I can use galls me. I can be as stubborn as a mule about some things, especially when it comes to my computer. I wanted to buy a video game recently, but decided against it after seeing that it would install some sort of copy protection garbage on my PC.
At least that company had the ethics to disclose the copy protection before I bought the game. That is more than we can say about *some* companies these days.
What is odd, for me at least, is that Microsoft publicly opposes the idea of ISPs doing this. Microsoft's Chief Privacy Officer says that the company opposes any ISP activity which would restrict the ability of consumers to use the software of their choice. Some may joke that Microsoft is simply worried that Outlook Express and Internet Explorer will be deemed insecure and become blocked. That is nothing more than the cynics having a laugh at Microsoft's expense.
I think Microsoft understands that anyone exercising that level of control over internet traffic is a bad thing. The internet works because it is hard to sabotage. That is a deliberate design feature. Remember, the US military designed the original internet to survive a nuclear war. There is a saying about the internet: it treats censorship as damage and routes around it. With the technology that is available today, I am not sure that this is still true.
Imagine having to beg - or pay - your ISP to let you play a video game online. Or make a telephone call over Skype. Or to use FTP to operate a web site. Or to listen to internet radio with a music player not crippled with DRM software.
I think the internet can be sabotaged today. It can be sabotaged by the very companies providing access to it. The internet works because no one controls it. It might survive a nuclear war but the internet would not survive restrictive, ISP-level controls. The day when the ISPs begin exercising direct control over which software is allowed to have access will be the day that the internet dies.
Adobe has released updated versions of their Acrobat and Acrobat Reader software. The update fixes a privacy problem caused by another software company, Remote Approach.
In June 2005, Remote Approach began a service whereby document creators could tag their PDF documents before distributing them. When someone received the file, Remote Approach's JavaScript tags would enable the document's creator to track when the document was opened, view the IP address of the computer used to view the file, as well as the version of Adobe Acrobat or Acrobat Reader used to view the file.
According to an article at The Inquirer, it also can send an email containing any changes made to the document. I am not sure where they found that information, since I can find no mention of such a feature anywhere else. I am not sure this feature exists.
Adobe was as surprised as anyone else to learn that their software could do this. Surprised - and disturbed. They have updated Adobe Acrobat and Acrobat Reader so that, if a document has been tagged by Remote Approach's software, it will show the user a warning. If the user decides, as I would, that the fact that the file was opened is no one's business, the tagging features will fail to work.
Nice work, Adobe. Thank you very much for looking out for your users.
I did a little reading on Remote Approach's web site. The experience left me wanting to wash my hands. Read the following entry from their FAQ:
How can I track them if they're not on the Internet?
We are currently beta testing a version of Remote Approach that allows you to specify that if your reader is not connected to the Internet, then they cannot read the document.
Oooooooooh yeah. There's one of my pet peeves. Requiring an internet connection just to view a document or to run a program is guaranteed to tick me off. Even worse, in this case, their requirement for an internet connection is so that they can spy on you when you read the document. Don't want to be spied on? Then you can't read it.
If you have Adobe Acrobat or Acrobat Reader version 7, you should upgrade immediately. The newer version 7.05 will block these tracking tags from Remote Approach. Watch what you are clicking during the upgrade, because they try to push other software on you, including the Yahoo toolbar. Alternatively, you can go into the options menu, within Acrobat or Acrobat Reader, and disable JavaScript. That also will disable any tracking by Remote Approach.
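The tracking tags described above work because a PDF can carry JavaScript that runs as soon as the document is opened and contacts a URL. The following scanner, added here as an example and not Adobe's or Remote Approach's code, flags that pattern in a PDF's raw bytes: it looks for the PDF name objects that mark script content (/JavaScript, /JS) and document-open triggers (/OpenAction, /AA) and lists any URLs the script names. The two sample documents and the tracker.example host are constructed placeholders.

```python
"""Flag PDFs that run JavaScript when opened and list the URLs that script
references. Added example, not Adobe's or Remote Approach's code; the sample
documents below are constructed here and the tracker URL is a placeholder."""
import re
from dataclasses import dataclass, field

# PDF name objects that mark script content and document-open triggers.
JS_NAMES = (b"/JavaScript", b"/JS")
TRIGGER_NAMES = (b"/OpenAction", b"/AA")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")


@dataclass
class PdfReport:
    has_javascript: bool
    runs_on_open: bool
    urls: list = field(default_factory=list)
    compressed_streams: int = 0

    @property
    def suspicious(self) -> bool:
        # Script that fires on open, or script that names a URL, is the
        # phone-home pattern described for Remote Approach's tags.
        return self.has_javascript and (self.runs_on_open or bool(self.urls))


def inspect_pdf(data: bytes) -> PdfReport:
    """Scan raw PDF bytes for open-time JavaScript and any URLs it references."""
    has_js = any(name in data for name in JS_NAMES)
    on_open = any(name in data for name in TRIGGER_NAMES)
    # Deduplicate URLs while keeping first-seen order for a stable report.
    urls = list(dict.fromkeys(m.decode("latin-1") for m in URL_RE.findall(data)))
    # Script stored inside /FlateDecode streams is not decoded here; report the
    # count so the caller knows a clean result from this scanner is not proof.
    compressed = len(re.findall(rb"/FlateDecode", data))
    return PdfReport(has_js, on_open, urls, compressed)


# Constructed JavaScript action object: on open it fetches a tracking URL.
# tracker.example is a placeholder host, not a real service endpoint.
JS_OBJ = (b"4 0 obj << /S /JavaScript "
          b"/JS (this.getURL\\(\"http://tracker.example/open?doc=42\"\\)) >> endobj\n")


def build_sample_pdf(tagged: bool) -> bytes:
    """Constructed one-page PDF; when tagged, /OpenAction runs JS_OBJ on open."""
    open_action = b" /OpenAction 4 0 R" if tagged else b""
    body = (b"%PDF-1.4\n"
            + b"1 0 obj << /Type /Catalog /Pages 2 0 R" + open_action + b" >> endobj\n"
            + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            + b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
            + (JS_OBJ if tagged else b"")
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return body


if __name__ == "__main__":
    for tagged in (True, False):
        report = inspect_pdf(build_sample_pdf(tagged))
        print(f"tagged={tagged}: suspicious={report.suspicious} urls={report.urls}")
```

A non-zero compressed_streams count means the scan was not exhaustive, since a tag can sit inside a compressed object stream that this simple byte scan does not inflate.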
An idea struck me earlier tonight about a law aimed at phishing attempts. The biggest problem with phishing is not that people fall for it, but that often nothing is done about the web sites doing the phishing. Some web sites continue to operate for weeks before anyone attempts to shut them down. It occurred to me tonight that this is something we can correct.
Anyone who has read this newsletter for any length of time knows that I am not a fan of the Digital Millennium Copyright Act (DMCA). The DMCA was intended to curb copyright infringement on the internet. Instead, it has been misused as a tool to restrict legitimate competition, such as in Lexmark v Static Control Components or Chamberlain Group v Skylink Technologies. There are more examples of DMCA abuse on my blog.
Still, the DMCA has one useful tool: ISPs are required to disable access to materials when someone claims they infringe on copyright. Why not use this same method to shut down phishing sites?
Here is my idea. Feel free to poke holes in it.
I will not be mailing this out, because it would set off nearly all junk email filters. I will post it in the online version of this newsletter.
Proposed Anti-Phishing Legislation
Highlights:
The proposed law
- Makes it illegal to misrepresent yourself in a communication, with any member of the public, as the representative of a financial or credit-lending institution, with the intention of gathering personal information such as social security numbers, passwords or account numbers (This may be covered by Senator Leahy's proposed anti-phishing act, if that act passes).
- Makes it illegal to operate a web site, designed in such a way as to confuse visitors into believing it is operated by, or is associated with, a financial or credit-lending institution, with the intent to gather account numbers, account user names or passwords.
This law would not apply to a parody or complaint site (such as paypalsucks.com), which bears a resemblance to an actual financial institution's web site, that does not attempt to collect such information or to confuse visitors.
- Requires financial and credit-lending institutions to provide a prominent, easy-to-use method for the public to report attempts at phishing. Preferably, this would include an email address, telephone number and/or web page form.
- Requires financial and credit-lending institutions to investigate reports of phishing attempts targeting their customers. Also requires these institutions to attempt to contact the Internet Service Provider (ISP) hosting the web site/web page involved in the phishing attempt. Any financial institution that fails to do this will be held liable for any losses to its customers caused by its failure to act.
- Requires an ISP, after being presented with evidence that a web site on their network is being used to gather personal information illegally, to disable that web site and block public access to it. If the ISP fails to do this, it will be considered to be an accomplice to the illegal acts.
- Requires the ISP to contact their customer and inform them of the complaint and the actions taken. If the customer files a counter-notice with the ISP, stating that the complaint is false, the ISP must forward that to the complaining party. It is then up to the complaining party to take further action.
If the complaining party does not inform the ISP that they have contacted law enforcement or that they have filed a lawsuit against the customer within seven days, the ISP can restore access to the web site/web page. If the web site owner informs the ISP that he or she has filed a lawsuit against the complaining party, for making a false complaint, the ISP will restore access to the web site immediately.
- Forbids any company from filing a complaint if the web site is not involved in a phishing attempt. If the complaining party knowingly files a false complaint against a web site, the complaining party will be held liable for civil penalties, payable to the owner of the web site.
If the web site owner sues the complaining party for issuing a false complaint, any judgement against the complaining party will include all legal costs and other losses incurred by the web site owner. In any civil lawsuit, it will be the complaining party's responsibility to prove that the web site is gathering personal information illegally.
The complaining party will also be guilty of perjury, for making false statements in the initial complaint.
- Requires the complaining party to provide the following information to the ISP:
Example of proper use:
Example of misuse:
That is the gist of my idea. Feel free to poke holes in it and to contact me with your own ideas or criticisms, so that I can improve it. And yes, I realize that it wouldn't do anything about sites hosted overseas, so please don't write about that. It still would prevent 300 million Americans from doing it, so it is worth the effort. Besides, that is what international treaties are for.
SpywareInfo has a new(ish) feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.
Running SpywareInfo has become an expensive thing to do. We are using three separate servers to display the site and to protect it from denial of service attacks. This is not a cheap web site to host.
If you would like to help with the costs, there are three options. There is PayPal for those who have a Paypal account or don't mind signing up for one (it is free).
There is a snail mail address if you do not like Paypal or have no means of sending money online. Please make sure to make checks (in US Dollars) or money orders (in American currency) out to James Healan and not Mike Healan so I am not hassled at the bank. Please note that contributions to SpywareInfo are not tax deductible.
The address is:
James Healan
PO Box 71
Vidalia, GA USA 30475
Thank you very much for your contributions.
You can also purchase t-shirts, hats, bumper stickers and other items from our CafePress storefront.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved.
Use of this site and its services are subject to our terms of use.