The Spyware Weekly Newsletter is distributed every week to 19,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. Old issues are available online. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/july29,2003.
Members of the SWI support forums have uncovered a very nasty flaw, already being exploited by malicious hackers, that allows trojans and other malicious software to be introduced onto a machine via Internet Explorer despite security settings.
A file is dropped onto the system by an ActiveX drive-by download and run; it then immediately loads the Windows application MSHTA.EXE from the Windows folder. MSHTA.EXE is put into "hot standby", ready to accept HTA scripting embedded within a web page and then EXECUTE what is embedded IN the page as if it were a program. In other words, this flaw makes it possible for a malicious website to embed trojans, worms and/or viruses directly into a web page and infect visitors using Internet Explorer.
Kevin McAleavey, developer of the BOClean anti-trojan program, has long regarded MSHTA as a serious security threat. "While Microsoft has, since our 'big stink' back in 2001, disconnected MSHTA from being INVOKED by Internet Explorer, it will STILL run what is presented to it when started on a local machine in the 'local machine' or 'my computer zone' since this is done on some corporate networks for the convenience of the glass room geeks.
"In other words, this completely bypasses the security zone structures and patches of Internet Explorer BECAUSE MSHTA is ALREADY RUNNING in the 'local' zone ... therefore, when presented with [an HTA] script, it will parse it and run it, despite firewall, and IE restrictions...."
This is a severe security risk, and it is recommended that MSHTA be disabled entirely unless you specifically need it to run. Privacy Software Corporation has developed HTAStop, a small program that allows you to quickly disable or enable Windows' ability to run HTA scripting. That program is located at http://www.nsclean.com/htastop.html.
The flaw cannot be exploited until after the original trojan has been installed, whether by an ActiveX drive-by download or other methods. It is recommended that you verify that your security settings for the "Internet Zone" are set to prompt or disable for ActiveX that is signed and marked as safe. ActiveX that is unsigned or not marked as safe for scripting should be blocked entirely. If the author cannot be bothered to certify their software, you should not trust it to run on your hardware.
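The Internet Zone settings recommended above live in the registry under Internet Explorer's zone 3 key, and MSHTA is reachable through the .hta file association. The following PowerShell script is an added example (not part of the newsletter, and not HTAStop or any Privacy Software Corporation code) that reads those values and reports whether they match the advice in the previous paragraph. The action identifiers 1001, 1004, 1200 and 1201 and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are Microsoft's documented zone settings; the mapping of each action to an acceptable set of values is my own reading of the recommendation, and the script assumes the settings are held per user (HKCU) rather than enforced for the machine by Group Policy.

```powershell
# Added example, not from the newsletter: audit the Internet Zone ActiveX
# settings and the .hta file handler on the local machine.
# Zone 3 = "Internet" zone. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
# Assumes per-user settings under HKCU (Group Policy may instead enforce
# values under HKLM, which this script does not read).

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action id -> description and the values the advice above would accept.
# (The Allowed sets are my interpretation of "prompt or disable for signed
#  and safe controls; block unsigned / not-safe-for-scripting entirely".)
$policy = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';          Allowed = @(1, 3) }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';        Allowed = @(3) }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';         Allowed = @(1, 3) }
    '1201' = @{ Name = 'Initialize and script ActiveX not marked safe'; Allowed = @(3) }
}

function Get-ZoneActionValue([string]$Path, [string]$Action) {
    # Returns the DWORD for one zone action, or $null if it is not set
    # (an unset value means Internet Explorer's built-in default applies).
    $item = Get-ItemProperty -Path $Path -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

function Test-InternetZoneActiveX {
    # One result object per action: current setting and whether it meets the policy.
    foreach ($action in ($policy.Keys | Sort-Object)) {
        $value = Get-ZoneActionValue -Path $zonePath -Action $action
        $label = if ($null -eq $value) { '(not set, IE default applies)' }
                 elseif ($value -eq 0) { 'Enable' }
                 elseif ($value -eq 1) { 'Prompt' }
                 elseif ($value -eq 3) { 'Disable' }
                 else { "unknown ($value)" }
        [pscustomobject]@{
            Action  = $action
            Setting = $policy[$action].Name
            Current = $label
            OK      = ($null -ne $value) -and ($policy[$action].Allowed -contains $value)
        }
    }
}

function Test-HtaHandler {
    # If .hta files have no open command, HTA scripts cannot be launched by
    # file association (this is the kind of change a tool like HTAStop makes).
    $key = 'Registry::HKEY_CLASSES_ROOT\htafile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        Setting = 'HTA file handler (htafile\shell\open\command)'
        Current = if ([string]::IsNullOrEmpty($cmd)) { '(none)' } else { $cmd }
        Present = -not [string]::IsNullOrEmpty($cmd)
    }
}

Test-InternetZoneActiveX | Format-Table -AutoSize
Test-HtaHandler | Format-List
```

Run it in a normal user session; any row with OK = False is a setting to tighten in Internet Options, and an HTA handler that is still present means HTA scripts will run if something on the machine invokes them. Because the script only reads HKCU, a machine where the administrator has turned on "Security Zones: Use only machine settings" needs the same values checked under HKLM instead.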
My personal advice is to stop using that Microsoft browser that is bundled into every version of Windows. It doesn't work as well as other browsers, it lacks many basic features available in every competing browser, and it is inherently unsafe and targeted by all known browser hijackers. Lock it away behind the firewall and use a real browser.
http://www.nsclean.com/psc-htas.html :: Privacy Software Corporation Security Advisory
http://www.mozilla.org/products/firebird/ :: Mozilla Firebird, a REAL browser
Everything you do on your computer leaves a trail behind. When you surf to a web site, you leave behind internet cache, address bar history, web site visit history, and cookies. When you open a document, Windows saves the filename into the registry. When you run certain programs, Windows saves a file into a temporary folder, and often doesn't delete it afterward.
Evidence Terminator is made by the authors of Spycop anti-spyware software. It cleans up the trail that Windows leaves behind.
Evidence Terminator optionally cleans:
Evidence Terminator is available to SpywareInfo visitors for 20% off until August 6, 2003.
Please note that this is Evidence Terminator and not Evidence Eliminator, which would never be featured here. Read why not.
Every week, SpywareInfo offers solid software at a discount. You save money on expensive software, and we avoid having to run DoubleClick banners and pop ups to pay for hosting. Unfortunately, there was a problem with the software we intended to run this week, so we are extending last week's offer on Evidence Terminator for another week. We won't be offering Evidence Terminator at this price again for some time, so don't miss out.
If you have a suggestion for software that we could feature here, or are a developer that would like to see your product here, drop us a line. Submissions will have to be reviewed beforehand.
Links:
http://www.spywareinfo.com/downloads/spycop/eterminate.php :: More information
There is an interesting article published today at ZDNet. The FBI wants internet service providers (ISPs) to maintain a central hub for the purpose of carrying out surveillance of internet users. The specific reason is the fear that terrorists and other organized crime figures may avoid traditional telephone wiretapping by using Voice Over IP (VOIP).
In the United States, telephone providers are required to operate their systems in a way that guarantees law enforcement have access to it if they need to begin a wiretap. Traditionally, the FCC has applied this requirement only to telephone providers. That may change if the FBI has its way.
Those in the communications industry are baffled by the FBI's proposals. As it now stands, a provider already can reroute a particular data stream to any server in use by law enforcement for the purposes of surveillance. They merely have to produce a valid wiretap order, as has always been the case when law enforcement needs to eavesdrop on a person's phone calls.
Civil liberties groups fear there may be an ulterior motive behind the FBI's proposals. By requiring ISPs to reroute internet traffic through hubs controlled by police, they can tap into other data passing through it (such as email, web surfing traffic, and instant messaging) more easily.
A side effect of this would be to allow them to tap into traffic without a valid order, because no one would have to reroute traffic physically. Instead, the traffic would already be there. The FBI would have the physical capability to tap into internet traffic with no one knowing they were doing it, thus avoiding proper oversight.
Before anyone dismisses that as paranoia, it should be pointed out that police already do this on a regular basis. Police are, in fact, infamous for running unauthorized wiretaps. Although that information is not admissible in court, the information collected illegally often leads to other legitimate sources of information that can be used in court, and this could be behind the FBI's new proposals.
I have much respect for the FBI and cops in general. There are a few abusive bad apples that give all cops a bad name, but for the most part, cops are good, honest people who consider it beneath them to violate the law to catch other lawbreakers. Those in charge, however, are often people better suited to politics and the pursuit of power, not the pursuit of justice. Those people often see civil liberties as an annoying hindrance to enforcing the law, and forget that they are also a necessary hindrance.
These protections exist because without them, we become a police state. As I have stated before, I don't fear the FBI tapping my phone. What I fear is the FBI tapping my phone, and not being required to report it.
http://zdnet.com.com/2100-1105_2-5056424.html :: ZDNet article - FBI wants to tap Net phones
Retailers, take notice. A row is brewing in England over the use of Radio Frequency Identification (RFID) tags embedded in consumer products, and a consumer advocacy group is planning to launch a boycott against prominent retail outlets in London.
RFID tags are microchip-sized radio transceivers that are designed to be tracked by larger, hand-held transceivers. The main application of these tags is inventory control. Everything from massive storage warehouses to small retail outlets will be able to track the physical location of every single object within range that has an RFID tag attached or embedded. Michelin uses the technology to allow an automobile's onboard computer to track tire pressure in real time.
Many people fear that these tiny tracking chips will be misused. It doesn't take much imagination to envision reader transceivers installed everywhere, tracking where people are going and what trackable merchandise they may have with them. The technology already is being used in a questionable manner in some places.
Stores have been caught snapping pictures of people picking up a package of Gillette razors, then comparing that to pictures taken later at the checkout counter. Anyone that picked up a package of razors but was not photographed later purchasing them is marked as likely being a thief by store security.
If that same person returns to the store on a later occasion, they are watched closely by security. No distinction is made between those who really may have stolen the package and those who simply picked it up to read the labeling before putting it right back on the shelf.
Consumers Against Supermarket Privacy Invasion And Numbering (CASPIAN) threatened a boycott of Gillette and clothing design firm Benetton over their adoption of RFID technology. Benetton later backed away from their plans to use the tracking devices, but Gillette has not.
CASPIAN is opening a new branch in England for the purpose of organizing boycotts of firms in the United Kingdom that use this technology. The expensive High Street shopping district of London is considered to be high on CASPIAN's target list. High Street retailers who use RFID technology and might be targets of a boycott include Tesco, Marks & Spencer and Asda.
The technology does have obvious legitimate uses. Having worked in a warehouse for years, I would have loved to have been able to use technology like this to make my job easier. If it lowers the cost of warehouse maintenance and keeps popular merchandise in stock so that retailers can lower prices, then I'm all for it.
However, before these devices become mainstream, I would like to see federal legislation forcing all retailers to disable the devices as they are purchased. The privacy issues aside, this technology would allow criminals using RFID readers to look for victims wearing expensive merchandise that contains the tracking devices. Once they spot a victim, they could follow that person to their home. It would be a mistake to allow this technology to enter the marketplace without strict limits placed on it.
http://www.nocards.org/ :: CASPIAN web site
http://www.spywareinfo.com/rd/michelinrfid/ :: Michelin uses RFID tags to track tire pressure
http://www.aimglobal.org/technologies/rfid/what_is_rfid.htm :: What is RFID?
http://www.google.com/search?q=site:www.spywareinfo.com+rfid :: Previous discussion of RFID at SWI
http://www.thisismoney.com/20030727/nm65897.html :: Boycott threat to High Street retailers
Many thanks to Spyware Weekly reader Brian for mailing the above link.
PestPatrol, maker of the antispyware program of the same name, has developed and deployed an ActiveX spyware scanner that is free for public use. The scanner even has its own web site, located at http://www.pestscan.com.
From the Pestscan web site:
PestScan is a free online tool that scans your PC files for spyware and other types of unwanted software that you probably did not intentionally invite onto your PC. It will generally take less than two minutes to download the necessary scanning components, and run the scan.
John Leyden of The Register reviewed Pestscan recently. One thing in this review that jumped out at me was the following statement: "A free online spyware detection service, which its developers claim is the first of its kind, was launched yesterday." This is incorrect, as SpywareInfo has long had a page with a similar ActiveX spyware scanner developed and hosted by X-Block.
Unlike the X-Scan software available at SpywareInfo, Pestscan does not remove what it detects. Instead, it tells you to remove the spyware manually by digging around in the Windows registry, or by purchasing the desktop version of PestPatrol. Their rationale is that it is unsafe to remove these components online.
I have to disagree with this opinion. An ActiveX application is no different from a desktop application, other than the fact that it is invoked by Internet Explorer. It is still a software application. In fact, the X-Scan program can even be downloaded and double-clicked to run like any other program. Installing or uninstalling software does not become magically more dangerous just because you are online. X-Scan offers to remove whatever it finds, using the same detection and removal process as found in X-Cleaner's free spyware scanner.
I ran Pestscan to try it out.
Upon loading pestscan.com with Internet Explorer, I see a large form asking for registration, and a very small link for those who prefer not to provide personal information. Points lost for turning it into a survey.
Upon clicking the link to the scanner, no less than seven separate security warnings popped up to warn me of ActiveX components wanting to install. One was the flash logo on the page itself, while the other six belonged to Pestscan. X-Scan needs only one component to install. More points deducted for being overly annoying.
Once it had scanned my system, I had to do a double take at what it found. A quick and lazy way to test a spyware scanner is to install some file sharing programs beforehand. Most such programs install so much spyware and other parasites that you are guaranteed to have something for your spyware scanner to find. While Pestscan did find the spyware installed by the file swappers, it also detected the file swappers themselves!
PestPatrol is known for detecting perfectly legitimate software. For instance, it will detect port scanners and other network tools as "hacker tools" or even "Remote Access Trojans". It's one of the reasons why I don't recommend PestPatrol. The developers of file sharing software may be unethical for selling out their users to spyware companies, but that doesn't make file sharing software worthy targets of a spyware detection program.
If Pestscan finds something, it will link to information about that software published in PestPatrol's online database of spyware, or "pests" as they call them. X-Scan also does this, although it links to the more extensive spyware database available at SpywareGuide.com.
All in all, I say X-Scan is the better software. They are both free, so go see for yourself if you're curious.
http://www.pestscan.com :: Pestscan
http://www.spywareinfo.com/xscan.php :: X-Scan
http://www.xblock.com :: XBlock's web site
http://www.pestpatrol.com :: PestPatrol's web site
http://www.theregister.co.uk/content/55/31945.html :: John Leyden's review of Pestscan
http://www.spywareguide.com/product_list_full.php :: SpywareGuide.com spyware database
Remember the DogReader web site that I'm part of? It has received more attention recently. Lockergnome is featuring it today in their Windows Daily newsletter, and the server logs are spinning like pinwheels.
This is a great site, and if you own a dog, it definitely should be in your bookmarks. I can't take credit for the priceless information and advice. The articles are written by my best friend Catherine, while I host and maintain the web site.
Go check it out. Browse through the old articles. Submit a picture of your own dog! If it's the right size (or can be resized to fit), I'll put it in the rotation for display on the home page. http://www.dogreader.com
http://www.lockergnome.com/issues/daily/20030725.html :: July 25 Lockergnome
I promised everyone an article on the RIAA situation last week. That article is still being written.
Several other articles came out every hour last week on the whole fiasco, and I believe I've read most of them. I want to make sure I don't just rehash what someone else is saying.
I'm doing my research, reading what other people have written, and have a basic outline of what I want to put into it. It will be a rather large article, and I will be doing quite a bit of ranting. I hope to have that ready by the end of the week (no promises).
Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.
Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000.
The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it. You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459
Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.
http://www.scotsnewsletter.com :: Scot Finnie's Newsletter
http://www.langa.com/newsletter.htm :: The Langalist
All materials on this web site are copyrighted © 2001 - 2006 by Mike Healan or their respective owners. All rights reserved.