Spyware Weekly Newsletter > June 10, 2003
RapidBlaster Alert

RapidBlaster is an advertising parasite whose very nature demonstrates all that is wrong with online advertising today. It is installed using ActiveX drive-by methods from affiliate web sites or silently by a browser hijacker called ISTbar. It sets itself to run hidden in the background when Windows starts, then pops up pornographic ads.

As with several other advertising parasites loose on the internet today, RapidBlaster actively works to evade removal by antispyware software. Other parasites mutate their filenames and CLSID identifiers randomly as they are installed, but this is not how RapidBlaster evades removal. The software connects to a server at 209.47.15.73 to download a list of words. Then it creates a folder and a file with names based on those words, loads the new file, and exits. It then watches to see if anyone tampers with its registry settings.

As soon as you use HijackThis or another tool to remove any part of the software or its settings, it takes a word from that list to create another anonymous version of itself, and then it disappears from view. That makes it extremely difficult to remove the bugger, because its authors designed it to watch for that and to defend itself.

I mentioned in a private security forum that we need to kill it from memory before attempting removal, and Javacool Software came to the rescue with a small program that specifically targets RapidBlaster. RBKiller will identify all known variants of RapidBlaster and remove it from memory, then delete the associated startup entry from the registry. It doesn't delete the actual file or folder currently, but most likely it soon will.

Those of you helping people out with HijackThis log files on message boards and newsgroups, you are looking for an entry similar to this:

Notice the part in bold. Current versions of RapidBlaster include that in all startup entries, although I can't imagine why, considering how that makes it stand out. A future version will probably remove that to make it harder to find. If you spot that in someone's log, it is a clear sign of a RapidBlaster infection. Have them download and run RBKiller and that will solve their problem.

http://www.spywareinfo.com/downloads/rbkiller/rbkiller.exe

Links:
http://www.doxdesk.com/parasite/ISTBar.html ISTbar

Webroot Software's Window Washer
This is a product that I own myself, and it is very impressive. You could spend an hour rummaging through your computer deleting your browser cache, cookies, temp files, address bar history, and even those nearly impossible to delete index.dat files. With Window Washer, you don't have to waste all that time and energy. Window Washer makes doing these tasks quick and easy. There are several people that I consider to be experts in the area of internet privacy who use and recommend Window Washer to newbies.

What you do online is nobody's business. Take control with Window Washer. Protect your privacy, clean unwanted files and boost PC performance. Window Washer is the original and most advanced privacy and PC cleaning tool. Webroot invented this software category more than four years ago and since then more than one million customers worldwide have installed Window Washer on their PCs!

Buy Window Washer today and save $10. Normally $29.95, Window Washer is available to SpywareInfo readers for only $19.95! Your purchase is risk-free - satisfaction guaranteed - AND your purchase includes 1 year of technical support and product updates. DON'T WAIT! - See what more than a million savvy Internet users already know!

Every week, SpywareInfo arranges a discount on the programs best suited to keep your private life private. This arrangement lets us pay the bills to keep SpywareInfo running without having to sell ads to the likes of DoubleClick and X-10. We do need your help, as the discount is for your benefit. What commercial privacy software would you like to see featured here at a discount? Drop us a note and let us know.

Links:
http://www.spywareinfo.com/rd/webroot/ Purchase Window Washer

Internet Explorer Exposes Sensitive Information
Incredible. After all the time that some of us have spent wishing Ad-aware would stop targeting that "Related Sites" feature because it was neither spyware nor a component of Alexa's Toolbar, something like this comes out...
Links:
http://www.secunia.com/advisories/8955/ Full security advisory

Cookies - What they are and how they are used
Cookies are text files stored on your computer that web sites use to keep track of information their site requires. This can be as simple as a placeholder that indicates for you what you have already seen on that page (usually by changing the text color) or remembers your preferences. These cookies have no contact with anyone, since the info they contain is meant solely for your benefit.

However, some companies use those cookies to track where you have been and what you have done. The difference depends on whether the cookie is a first-party or a third-party cookie. Third-party cookies are set not by the web site you are viewing, but rather by a site located elsewhere. This is the case with most advertising banners.

Of course, there are also companies that outright abuse the technology in order to track web surfers all over the internet. One such company is advertising giant DoubleClick.

Cookies, by design, are meant to be accessible only by the site that sets them. This is to keep one web site from reading the cookies set while a person is on another site. DoubleClick exploits a loophole by running ad banners from its own servers, and using those servers to set and read cookies. DoubleClick has ads on thousands of web sites and can read any cookie set by any of those ads.

In this manner, DoubleClick uses these cookies to track web surfers from one web site to the next the same way a rancher brands his cattle and tracks their movement across the plains. DoubleClick is most at fault for the misconception that cookies are spyware.

How to stop third party tracking cookies

It is a simple matter to disallow cookies from servers not located on the site that you are currently loading.

Mozilla and Netscape

In Mozilla and Netscape, go to Edit > Preferences. In the dialog go to Privacy & Security > Cookies and select "Enable cookies for the originating web site only". We are uncertain about older versions of these browsers.
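The cross-site tracking described above, and what an "originating web site only" setting changes, modelled as an added example that is not part of the original newsletter. The hostnames, paths and class names are made up, and host matching is simplified to an exact comparison.

```javascript
// Constructed model: hostnames and page paths below are made up for illustration.
class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie store keyed by the host that set the cookie
  }
  // Load a page together with every server embedded in it (e.g. ad banners).
  visit(pageHost, path, embeddedServers) {
    for (const server of embeddedServers) {
      // Simplification: real browsers compare domains, not exact hostnames.
      const thirdParty = server.host !== pageHost;
      const allowed = !(thirdParty && this.blockThirdParty);
      // A cookie is only ever sent back to the host that set it.
      const sent = allowed ? this.jar.get(server.host) : undefined;
      const referer = `http://${pageHost}${path}`;
      const setCookie = server.handle({ cookie: sent, referer });
      if (setCookie && allowed) this.jar.set(server.host, setCookie);
    }
  }
}

class AdServer {
  constructor(host) {
    this.host = host;
    this.nextId = 1;
    this.profiles = new Map(); // visitor id -> pages where the banner was loaded
  }
  handle({ cookie, referer }) {
    // No cookie presented: treat the request as a new visitor and issue an id.
    const id = cookie || `uid${this.nextId++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(referer);
    return id; // the same id comes back on later requests, linking the visits
  }
}

function simulate(blockThirdParty) {
  const ads = new AdServer('ads.adnetwork.example');
  const browser = new Browser(blockThirdParty);
  browser.visit('news.example', '/politics', [ads]);
  browser.visit('shop.example', '/cart', [ads]);
  browser.visit('health.example', '/symptoms', [ads]);
  return { profiles: [...ads.profiles.values()], jarSize: browser.jar.size };
}

console.log(simulate(false)); // one profile listing all three pages
console.log(simulate(true));  // three unlinked single-page profiles, empty jar
```

The ad server never reads another site's cookie; it only gets its own cookie back from every page that embeds its banner, which is enough to link the visits.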
Internet Explorer

In Internet Explorer 6, go to Tools > Internet Options. Click the privacy tab and press the "Advanced" button. Check "Override automatic cookie handling" and "Block" under Third-party cookies. Your setting for First-party cookies is up to you, but we suggest selecting "Prompt" as well as "Always allow session cookies". Be warned, the prompts will quickly drive you nuts. See the next item.

Internet Explorer 5 and lower do not have the ability to block third party cookies. An excellent tool for controlling cookies that is compatible with IE 5 and IE 6 is AnalogX's CookieWall. CookieWall will ask you just once what to do with a particular cookie. It will apply that decision every time it encounters that cookie in the future.

Many people say that Internet Explorer 6's cookie handling makes the use of CookieWall unnecessary. I disagree with that opinion. There are a lot of sites run by arrogant fools who will refuse to allow you access until you agree to accept their cookies. Internet Explorer (and indeed, all browsers) will reject a cookie immediately if it is set to do that, and the web site will know it happened. Until you change the settings, you will not be able to access some sites. That is why I prefer CookieWall, because your browser accepts the cookie and the web site is satisfied. What the site doesn't realize is that CookieWall has deleted their precious cookie the instant the cookie is detected.

Opera

In the Opera browser, these settings are located in File > Preferences > Privacy Preferences. In the second drop box under Cookies, set it to Do Not Accept Third Party Cookies.

Viewing and editing your cookies

Opera

Opera is an incredible browser. It has a very large number of features and it's fast as hell. One feature that is very inadequate is the built-in cookie manager. Among its other flaws, Opera's cookie manager fails to give you the ability to delete, or even to view, existing cookies.

Thankfully, there is a third party program called Opera File Explorer that allows users of Opera 4.0 and later to view and maintain Opera's Cache, Cookies, Global History, and Visited Links. The program is pretty crude. It is 16-bit software that probably would be more at home on Windows 3.1 than XP, but it seems to work fine on all versions of Windows.

Internet Explorer

While CookieWall does a fine job of managing Internet Explorer cookies as they are being set, it is very awkward to use for browsing and deleting existing cookies. For that, Karen Kenworthy's Cookie Viewer does a much better job. In fact, Cookie Viewer is nearly identical to Mozilla's built-in cookie manager, with the exception that it can't permanently block the cookies you tell it to delete.

Mozilla and Netscape

Mozilla has a very sensible cookie manager built right into it. Go to Edit > Preferences. In the dialog, go to Privacy & Security > Cookies and click the "Manage stored cookies" button. From Mozilla's cookie manager, you can scroll through every cookie present and view the contents, expiration date, the web site that set it, and much more. You can selectively delete cookies, decide whether to permanently block cookies from those sites, and even remove all cookies with one button.

Conclusion

Cookies are not spyware, but they do present a privacy problem because of the behavior of companies such as DoubleClick. Despite that behavior, cookies are more useful than they are harmful. With the tools and methods mentioned above, you can deal with cookies on your terms, not on the terms of those who would use them to violate your privacy.

Links:
http://mozilla.org/ Mozilla

Whazit.com
Two weeks ago, I wrote about a new malware making the rounds that was hijacking browsers to whazit.com. For a while there I thought they were determined to update every time we found a way to detect and remove it. Every time I published instructions to find and remove it, it did something new. Now I believe they were just updating new software that they didn't spend enough time finishing before releasing. There have been no significant updates for a while now.

At the time, no software targeted it. Later, Ad-aware began to target it, but didn't remove everything and missed an updated version of nCase, which Whazit's software had just started to bundle. Another update to Ad-aware seems to be able to do the job properly.

Full description and removal instructions will remain at http://www.spywareinfo.com/articles/whazit/. Try Ad-aware first, and then follow up with those instructions to be sure all of it is gone.

Links:
http://www.spywareinfo.com/articles/whazit/ Whazit article

Finally, some common sense!
Senator wants limits on copy protection
By Declan McCullagh
This bill is very timely. Verizon has been fighting a demand by the RIAA to turn over the names of four customers of its internet access service. Tragically, Verizon has lost that fight after the U.S. Court of Appeals for the District of Columbia refused to uphold the Fourth Amendment of the Constitution.

After two centuries of constitutional protection from such measures, the DMCA has given anyone the power to demand - and receive - the names of an internet service provider's customers. Unlike the Constitution that has just been shredded in federal court, the DMCA does not require a single piece of evidence that the customer whose name they are demanding has done anything illegal.

Lord help us when advertising companies and chat room pedophiles realize they can now demand the names of customers of an ISP simply by claiming copyright infringement. No proof of wrongdoing is required to demand the names and an ISP is required legally to turn the names over.

For the sake of the entire nation, I sincerely hope that Senator Brownback's bill is passed.

Links:
http://news.com.com/2100-1028-1013037.html Cnet article about Brownback's bill

DogReader
If you live with one or more dogs, then you will definitely like the new project that I am doing. My best friend and SWI partner in crime, Catherine (AKA Noggie), has started her own web site for dog lovers. She writes the articles, I manage the site.

DogReader exists because we love dogs. DogReader's goal is to further our understanding of our best friends and to enhance our relationship with them. The underlying, fundamental philosophy of DogReader is that we will use understanding instead of pain to deal with our dogs. We are hoping to make it a very valuable resource for you and your four-legged friends.

We have just opened the site, so there are only a few articles up. There will be a new article every Monday through Friday. For a small fee, she will also consult with you "one on one" to help you with any particular problem you've run into while taking care of your dog.

As I said, we just opened the site. There will be more features and services added later and the number of articles will continue to grow. I am doing my best to sweet talk her into letting me install a bulletin board. We're also discussing starting a newsletter and a few other things.

The site is at http://www.dogreader.com. Go check us out, tell a few friends, and most importantly, go tell the neighbor with the dog that never stops yapping. ;-)

Links:
http://www.dogreader.com DogReader site

Recommend SpywareInfo to a friend
Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.

Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000. The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it.

You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459

Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.

Links:
http://www.scotsnewsletter.com Scot Finnie's Newsletter