As this problem has mushroomed, and many of the web sites and programs involved have started behaving - for all practical purposes - just like computer viruses, I have been amazed that:
- No one has brought a class-action lawsuit against the proprietors of these web sites - or their sponsors.
- Most popular anti-virus programs have, until very recently, refused to identify and remove the software and browser modifications, resulting in a new class of spyware removal products such as Spybot Search & Destroy, Ad-Aware, and PestPatrol (which was recently purchased by CA, and so will probably show up in the next version of their eTrust anti-virus software).
(Many of the URLs in this post are not clickable, and have been slightly mangled as well. If you feel compelled to fix the links and open them, I strongly recommend that you don't open them in Internet Explorer on Windows - unless you are very confident in your popup blocker, your antivirus software, and your spyware removal software - and are also sure that your Windows service pack and security updates are absolutely current. Don't blame me if you fill your computer up with crap!)
The 'Passthison' web site apparently used to pass itself off as "A collection of the greatest fun sites to pass on to your friends." It was featured on the BBC's Essex Web Site of the Day, and on quite a few 'Cool Links' and 'My Favorites' web pages.
A quick Google search, however, also turned up several 'Passthison' removal tools and spyware discussions. There was apparently once even a Microsoft knowledge base "Q" article - Q309313 PassThisOn.com Home Page Unexpectedly Appears When You Start Your Computer - but it has since been removed.
The 'Passthison' site also features in a 'browser hijacking' complaint filed with the FTC by the CDT. (Good!)
And it turns out that the person behind 'Passthison' is none other than Sanford Wallace, the allegedly 'reformed' Spam King, who has also been involved in some litigation.
The current home page at www.passthison.con is just a text file, which reads:
"Due to new laws being enacted and controversy surrounding our business model, we have voluntarily decided to implement the cease of all current business practices by the end of June 2004."
Uh-huh. But if you load the page (from the same site) that had hijacked my client's browser, it will:
- Open three popup ads from adserver.con - with no toolbar, location bar, status bar, or close box. Nice.
- Open a popup ad for Secret Keeper software, which promises it "will allow you to protect your privacy, clear your history, and block unethical websites from changing your homepage or spying on you with cookies." Do you suppose it will block the unethical website which changed your homepage to pop up this ad? I don't think so. No toolbar or close box on this one, either.
- Open a page titled 'preexploit.htm' from a server at 188.8.131.52. Pre-exploit, get it? Subtle, they aren't. They also aren't kidding, because the page in question will attempt to exploit a flaw with Internet Explorer's handling of iframes, web archives and help files. Have a look in the directory - just don't click on anything! If they do manage to exploit your browser, they'll go on to inject trojan software and other assorted garbage onto your PC - at which point, your computer is under the control of the spammers, not you.
But wait - there's more! There are also several popup ads from www.lovemynet.con, including one which features a schmaltzy "Friends Are Like Angels" poem, and encourages you to "Click HERE or click on the angel to send this special page to the people you want watched over..."
More like people you want taken over! Guess where that link will take you? Not-so-reformed Spam King Sanford Wallace's smartbotpro.not, where he'll be happy to harvest your and your friends' email addresses to use himself and sell to other spammers, and generate a few more popup ads, too.
As a final insult, the page generates one more popup, positions it way off the screen so that it's effectively invisible, and continues to generate more popups from that! If you can see the window, it claims:
"If your computer will NOT hide this big white window, you may have spyware on your system which is interfering with your ability to control hidden windows. Spyware also sends you unsolicited advertising, slows down your computer and could capture private information like credit card numbers and social security numbers, etc.
I recommend that you install a "spyware removal" program so you can rid your computer of these parasites."
(You almost have to admire the audacity. Perhaps this fellow will run for office the next time he 'quits' the spamming business.)
It then recommends www.spydeleter.con as a source for effective spyware removal. It wouldn't surprise me if it does clean out all the other spyware - so that your machine can be completely controlled by theirs. I've seen trojan programs do the same thing.
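For anyone reviewing a suspect page's saved source rather than loading it, here is a small static check for the two popup tricks described above: windows opened with the toolbar, location bar or status bar switched off, and windows positioned far off the screen. This is an added example, not code from the original post or from any of the sites mentioned; the sample script, the ads.example host and the 4000-pixel threshold are constructed assumptions, and only window.open() calls with string-literal arguments and explicit "=no" or "=0" settings are examined.

```javascript
// Added example: static audit of window.open() calls found in page script.
// SAMPLE is constructed for illustration; ads.example is a placeholder host.
const SAMPLE = `
window.open("http://ads.example/a.htm", "ad1",
  "toolbar=no,location=no,status=no,width=400,height=300");
window.open("http://ads.example/b.htm", "hid",
  "width=100,height=100,left=5000,top=5000");
window.open("help.htm", "help", "width=600,height=400,toolbar=yes");
`;

// Assumption: no ordinary desktop is wider or taller than this many pixels.
const MAX_COORD = 4000;

// Turn "toolbar=no,width=400" into { toolbar: "no", width: "400" }.
function parseFeatures(text) {
  const features = {};
  for (const part of text.split(",")) {
    const [key, value = "yes"] = part.trim().toLowerCase().split("=");
    if (key) features[key] = value.trim();
  }
  return features;
}

function auditWindowOpen(source) {
  // window.open(url, name, features) with three quoted string arguments.
  const call = /window\.open\(\s*(["'])(.*?)\1\s*,\s*(["'])(.*?)\3\s*,\s*(["'])(.*?)\5\s*\)/gs;
  const findings = [];
  for (const m of source.matchAll(call)) {
    const f = parseFeatures(m[6]);
    const reasons = [];
    const off = (v) => v === "no" || v === "0";
    // Browser chrome the user needs in order to see where a window came from.
    const hidden = ["toolbar", "location", "status"].filter((k) => off(f[k]));
    if (hidden.length) reasons.push("chrome hidden: " + hidden.join(","));
    // Coordinates that place the window where the user cannot see it.
    for (const k of ["left", "top", "screenx", "screeny"]) {
      const n = parseInt(f[k], 10);
      if (!Number.isNaN(n) && (n < 0 || n > MAX_COORD)) reasons.push(`off-screen ${k}=${n}`);
    }
    if (reasons.length) findings.push({ url: m[2], name: m[4], reasons });
  }
  return findings;
}

console.log(auditWindowOpen(SAMPLE));
```

Run it with Node against the text of a saved page; the ordinary help window in the sample is not reported, while the chrome-less ad and the off-screen window are.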
SO WHAT'S THE SOLUTION?
There isn't a simple one. If you lock down Internet Explorer in 'paranoid mode,' with scripting and other advanced features completely disabled, you'll be able to avoid a lot of these issues - but you'll also discover that quite a few popular web sites won't work properly. Several industry pundits have begun recommending Firefox as an alternative browser, and it does have a lot to recommend it - but it's not free of security issues either, and like it or not, most popular web sites are formatted to work best with Internet Explorer.
Keep as current as possible with Windows updates.
Even if you're completely up to date, you may still be vulnerable, but you will certainly be vulnerable if you don't apply the updates. This is probably the single most important thing you can do.
Install an Antivirus program, and make sure that its updates are working.
Some block spyware as well - I've seen good results from McAfee VirusScan, and Trend's PC-Cillin 2005 is in beta test until September 30th - you might be able to participate.
If your Antivirus program does not also block spyware, then use an anti-spyware program.
And make sure that it is updated regularly, as well.
Don't send people 'cute' e-cards from unfamiliar sites.
If it isn't Hallmark, or American Greetings, or anyone you've heard of, don't hand them your and your friends' email addresses, no matter how cute the little bunnies and angels are. If you have a friend or office mate who sends these things on a weekly basis, encourage them to stop. And to have their machine examined. And maybe their head, too.