Thursday, September 09, 2004

Don't Click That!

I recently had to clean up a client computer that was infected with spyware. Or if you prefer, malware. I like crapware, personally.

As this problem has mushroomed, and many of the web sites and programs involved have started behaving - for all practical purposes - just like computer viruses, I have been amazed that:

  • No one has brought a class-action lawsuit against the proprietors of these web sites - or their sponsors.

  • Most popular anti-virus programs have, until very recently, refused to identify and remove the software and browser modifications, resulting in a new class of spyware removal products such as Spybot Search & Destroy, Ad-Aware, and PestPatrol (which was recently purchased by CA, and so will probably show up in the next version of their eTrust anti-virus software.)

On the infected computer, the user's home page had been set to www.passthison.con/r4/?s43.

(Many of the URLs in this post are not clickable, and have been slightly mangled as well. If you feel compelled to fix the links and open them, I strongly recommend that you don't open them in Internet Explorer on Windows - unless you are very confident in your popup blocker, your antivirus software, and your spyware removal software - and are also sure that your Windows service pack and security updates are absolutely current. Don't blame me if you fill your computer up with crap!)

The 'Passthison' web site apparently used to pass itself off as "A collection of the greatest fun sites to pass on to your friends." It was featured on the BBC's Essex Web Site of the Day, and on quite a few 'Cool Links' and 'My Favorites' web pages.

A quick Google search, however, also turned up several 'Passthison' removal tools and spyware discussions. There was apparently once even a Microsoft knowledge base "Q" article - Q309313 Home Page Unexpectedly Appears When You Start Your Computer - but it has since been removed.

The 'Passthison' site also features in a 'browser hijacking' complaint filed with the FTC by the CDT. (Good!)

And it turns out that the person behind 'Passthison' is none other than Sanford Wallace, the allegedly 'reformed' Spam King, who has also been involved in some litigation.

The current home page at www.passthison.con is just a text file, which reads:

"Due to new laws being enacted and controversy surrounding our business model, we have voluntarily decided to implement the cease of all current business practices by the end of June 2004."

Uh-huh. But if you load the page (from the same site) that had hijacked my client's browser, it will:

  • Open three popup ads from adserver.con - with no toolbar, location bar, status bar, or close box. Nice.

  • Open a popup ad for Secret Keeper software, which promises it "will allow you to protect your privacy, clear your history, and block unethical websites from changing your homepage or spying on you with cookies." Do you suppose it will block the unethical website which changed your homepage to pop up this ad? I don't think so. No toolbar or close box on this one, either.

  • Open a page titled 'preexploit.htm' from a server at Pre-exploit, get it? Subtle, they aren't. They also aren't kidding, because the page in question will attempt to exploit a flaw with Internet Explorer's handling of iframes, web archives and help files. Have a look in the directory - just don't click on anything! If they do manage to exploit your browser, they'll go on to inject trojan software and other assorted garbage onto your PC - at which point, your computer is under the control of the spammers, not you.

(While I was researching the exploit, I ran across an article titled "Follow the Bouncing Malware" on SANS - one of the best general Internet security sites. The author, Tom Liston, attempts to determine how an unpatched Windows XP Home computer could be compromised, and ends up discovering the exact same exploit on the exact same web server - and follows the ugly results farther than I did.)

But wait - there's more! There are also several popup ads from www.lovemynet.con, including one which features a schmaltzy "Friends Are Like Angels" poem, and encourages you to "Click HERE or click on the angel to send this special page to the people you want watched over..."

More like people you want taken over! Guess where that link will take you? Not-so-reformed Spam King Sanford Wallace's smartbotpro.not, where he'll be happy to harvest your and your friends' email addresses to use himself and sell to other spammers, and generate a few more popup ads, too.

As a final insult, the page generates one more popup, positions it way off the screen so that it's effectively invisible, and continues to generate more popups from that! If you can see the window, it claims:

"If your computer will NOT hide this big white window, you may have spyware on your system which is interfering with your ability to control hidden windows. Spyware also sends you unsolicited advertising, slows down your computer and could capture private information like credit card numbers and social security numbers, etc.

I recommend that you install a "spyware removal" program so you can rid your computer of these parasites."

(You almost have to admire the audacity. Perhaps this fellow will run for office the next time he 'quits' the spamming business.)

It then recommends www.spydeleter.con as a source for effective spyware removal. It wouldn't surprise me if it does clean out all the other spyware - so that your machine can be completely controlled by theirs. I've seen trojan programs do the same thing.

SO WHAT'S THE SOLUTION? There isn't a simple one. If you lock down Internet Explorer in 'paranoid mode,' with scripting and other advanced features completely disabled, you'll be able to avoid a lot of these issues - but you'll also discover that quite a few popular web sites won't work properly. Several industry pundits have begun recommending Firefox as an alternative browser, and it does have a lot to recommend it - but it's not free of security issues either, and like it or not, most popular web sites are formatted to work best with Internet Explorer.
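As an added, read-only check (my example, not part of the original post) for the two things described above on a Windows machine: whether Internet Explorer's home page still matches what you expect, and whether Active Scripting is disabled for the Internet zone. It assumes the standard per-user IE registry keys (a machine-wide policy can override them) and a constructed list of expected home pages.

```powershell
# Added example, not from the original post: report IE's Start Page and the
# Internet-zone Active Scripting setting without changing anything.
# Assumes the standard per-user (HKCU) IE keys are the ones in effect.
$mainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Constructed list (assumption): the home pages you expect on this machine.
$expectedHome = @('about:blank', 'https://www.example.com/')

$startPage = (Get-ItemProperty -Path $mainKey -ErrorAction SilentlyContinue).'Start Page'
if ($null -eq $startPage) {
    Write-Output 'Start Page: not set'
} elseif ($expectedHome -contains $startPage) {
    Write-Output "Start Page OK: $startPage"
} else {
    # A value you did not set is the symptom the post describes.
    Write-Output "Start Page CHANGED: $startPage (possible hijack; reset it and run a spyware scan)"
}

# Zone 3 = Internet zone. Value name 1400 = Active scripting;
# data 0 = enable, 1 = prompt, 3 = disable.
$scripting = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).'1400'
switch ($scripting) {
    3       { Write-Output 'Internet zone scripting: disabled (paranoid mode)' }
    1       { Write-Output 'Internet zone scripting: prompt' }
    0       { Write-Output 'Internet zone scripting: enabled (exposed to script-driven popups)' }
    default { Write-Output 'Internet zone scripting: value not present (IE default applies)' }
}
```

Run it in an ordinary (non-elevated) PowerShell session for the user whose browser was hijacked, since the keys checked are per-user.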

Keep as current as possible with Windows updates.
Even if you're completely up to date, you may still be vulnerable, but you will certainly be vulnerable if you don't apply the updates. This is probably the single most important thing you can do.

Install an Antivirus program, and make sure that its updates are working.
Some block spyware as well - I've seen good results from McAfee VirusScan, and Trend's PC-Cillin 2005 is in beta test until September 30th - you might be able to participate.

If your Antivirus program does not also block spyware, then use an anti-spyware program.
And make sure that it is updated regularly, as well.

Don't send people 'cute' e-cards from unfamiliar sites.
If it isn't Hallmark, or American Greetings, or anyone you've heard of, don't hand them your and your friends' email addresses, no matter how cute the little bunnies and angels are. If you have a friend or office mate who sends these things on a weekly basis, encourage them to stop. And to have their machine examined. And maybe their head, too.


Anonymous said...

"but it's not free of security issues either, and like it or not, most popular web sites are formatted to work best with Internet Explorer."

This is a little misleading. The fact that you say that it's not free of security issues implies that you are still vulnerable to all of the spyware out there. And the truth of the matter is you won't be vulnerable to it (unless you physically download and install something).

Also, when you say that most popular websites are formatted to work best in Internet Explorer, you imply that they won't look right in Firefox. On the contrary, I've yet to find a site that does not come up properly in Firefox. This isn't in the olden days of early Netscape where many pages wouldn't render properly at all. Essentially, if it conforms to the standards (or even most of the time if it doesn't), it WILL look just fine in Firefox.

Anonymous said...

I have to agree with the above comment re Firefox. If the website you want to view will not work in Firefox then email the company and ask them to make it so. If it's an online banking site then the same applies: email them and ask them to make their site cross-browser friendly, and if they refuse just simply move banks to one who is cross-browser friendly. The power of your money / visitors to the site will work to get sites properly formatted.

With the current trend of Firefox now estimated at 18% of the browser market these companies will have to listen. Now if only Odeon Cinema (UK) would listen. They even ignored a /. post about it and the countless emails received since. Still, UCI now gets my money, so it's their loss.

Chuck Cook said...

Well, I didn't intend to imply that FireFox was 'vulnerable to all the spyware out there.' FireFox is, in that respect, considerably less vulnerable than IE.

However, I stand by my comment that FireFox is not free of security issues either - just today, Secunia announced multiple vulnerabilities in Firefox, several of which can "lead to execution of arbitrary code." This is the same kind of thing that led to the hijack of my client's home page in IE, and subsequent spyware and trojan infection.

(And yes, the patches are already available, and turnaround time on the fixes is generally much better than Microsoft's track record, but it doesn't invalidate my original statement.)

"I've yet to find a site that does not come up properly in firefox."

Have you tried browsing in Arabic, or Hebrew? Or tried using Outlook Web Access?

And the second poster is making my point for me. He even gave an example - Odeon Cinema (UK). The inconsistent formatting may be rare, and it may be subtle, but it does happen.

I can't tell my clients to just pick another vendor when the web site is an online tax law service, for example. A 'solution' which substitutes one problem for another is not acceptable.

All that said and considered, I am currently evaluating FireFox for pilot deployment at certain clients. It's fast and stable, but I'm not ready to recommend it to everyone yet.

Anonymous said...

One of the biggest issues I have with Firefox displaying websites is that you cannot run Windows Update through it. Admittedly this makes a great deal of sense, but it's still annoying.