Archive for the 'Parasites' Category

Webattacker is a popular search term

Monday, March 27th, 2006

OMG, I just checked my referrers.

Loads of people accessing my PR storm for sale post.

Turns out they’re searching for Webattacker, which SEW was talking about in a comment.

I THINK the reason is an article in PCmag a few hours ago.

I just hope all those people searching for it are just curious, and don’t intend to USE it!

Spyware Stories

Saturday, March 11th, 2006

Spyware Stories

I got a request via e-mail, and am quoting it verbatim here:

I am a third-year student at Stanford Law School. Stanford University’s Center for Internet and Society and the Stanford Cyberlaw Clinic want stories about how spyware and adware affects personal computers. We hope to help enact dramatic and much-needed reforms in the ways in which spyware and adware companies operate and contract with Internet users. We regularly file lawsuits as well as amicus briefs in other lawyers’ lawsuits, testify before governmental bodies and advocate for legislation, assist civil liberties organizations, and author white papers. We are a high-profile catalyst for change and the spyware industry is our major focus at the moment. Stanford’s Center for Internet and Society, of which the Stanford Cyberlaw Clinic is a part, is directed by Lawrence Lessig. The Cyberlaw Clinic is run by Jennifer Granick, Wired columnist and renowned San Francisco cyberdefense attorney.

In particular, we are curious about your experiences with these programs:

PacerD: also referred to as Exfol
180solutions: also known as 180 Search Assistant, BlazeFind
EliteBar: also known as YupSearch, Search Miracle, Elite Toolbar,
Enternet Media Toolbar, EM Bar, 3D Desktop

Please fill out (or forward on) our very brief spyware questionnaire at:
http://cyberlaw.stanford.edu/spyware/

Pacer D and Exfol, two drive-by download programs taking advantage of Windows exploits, are of mysterious origin and not easily traceable to a distinct responsible party. It is all too easy for “companies” like those to mess up people’s computers and get away scot-free because of their hidden nature. Enternet and 180solutions are already the target of litigation by private parties and the FTC. We want to do our part to hold these companies accountable for their deceptive practices and reform the spyware/adware landscape. Given our goals, it is imperative that we speak to consumers who have been harmed by these particular products, as well as any other spyware-impacted consumers that would like to share their stories with us. And while our goals necessitate that we gather personally identifiable information, at least during this initial phase of our project, it will not be shared with anyone outside the Stanford Cyberlaw Clinic and only shared with the faculty and students involved in this particular project.

Your help is sincerely appreciated. Thanks so much!

Sincerely,

John Eden and the Stanford Cyberlaw Clinic

Throw away infected computers

Monday, March 6th, 2006

NY Times had a story about people throwing away computers because they got infected with malware.

And that may shock some computer people.

But as one who has been in the trenches, helping people get rid of viruses, it actually makes sense in some cases.

One computer was so old and underspecced that we couldn’t install anti-virus on it. It just wouldn’t run. I wish the owner had bought a new one.

Many of the thrown-away computers in the story were around 4 years old. Correct me if I’m wrong, but didn’t many computers ship with Windows 2000 around that time? It makes absolute sense to buy a new low-end computer with Windows XP, have it patched immediately and anti-virus installed, rather than battle with a leaky win2k computer! New computers are almost down to $500 these days, so it’s easier to buy a new one with OEM winxp than to buy a new Windows version retail.

But please, if you do throw out a computer - back up your user files on CD, DVD or USB drive. And consider donating the old one to a school that uses old computers for SkoleLinux (School Linux, it’s a Debian based operating system developed for schools). Unless you have geek offspring that could use it for a Linux server or some other interesting purpose?

*I* wouldn’t throw out a computer as recent as that. I’ve always got uses for it (not including running win2000!). I’ve been known to butcher one computer to get parts for another. I’ll usually only throw away an old computer if I get a newer one and don’t have space or use for the oldest. Oh, and whiny fans are an abomination.

But then I gave away my old 300MHz P2 to my aunt, who won’t take it on the internet. She needs a glorified typewriter. I can’t read her handwriting, so I’m really looking forward to her letters now… Win98 is the best operating system for an old typewriter computer (win 95 is OK for those older than 300MHz). It can handle memory down to around 64 MB (though mine had way more) when it’s newly reinstalled. I also need to clean out the basement of the crud that has accumulated - old this and that…

The connection between webspam and zombies

Wednesday, February 15th, 2006

Some vocal webspammers have claimed recently that webspam isn’t illegal.

It’s true that there are no laws that spell it out per se. But that doesn’t mean it’s legal.

Laws are struggling to keep up with our technological world, and it’s quite common for older laws to be stretched by precedent to encompass newer crimes.

And there are laws that could (and probably will) be used against techniques often used by webspammers.

I’ve been thinking about this for some time, and meant to blog on it. And maybe I have mentioned it before too, here and there.

Gadi Evron has written a post where he’s talking about the same topics.

SecuriTeam Blogs » Comment spam: drive-by sites, domains and spyware - analysis, samples and facts

Intercage with lots of wmf exploits

Saturday, January 7th, 2006

I was reading up on SANS, and found this gem:

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Basically, they advocate blocking all of Intercage due to a large number of wmf exploits.

Since Microsoft released the patch, those might be harmless by now (if you’re running a patched XP computer).

But the point is, when there’s a new exploit, Intercage (and it seems Inhoster) are likely to have a lot of exploits hidden in their IP range until they find and disable them. And considering ESThost is on Intercage, and the regular recruitment of badasses from there, the problem is that they first have to find the exploits before they can shut them down.

So, I guess blocking those ranges might be a good idea in general.

Proof of concept - iframes and Yahoo groups

Wednesday, December 28th, 2005

I’ve made a proof of concept page for Yahoo groups.

The hope is that Yahoo groups will see it, and realize how badly insecure the homepages for the groups are:

http://groups.yahoo.com/group/proofofconcept/

And no, it’s not dangerous. I’m not a bad guy. But had I been a bad guy, I could have basically done anything with that vulnerability. And because it’s a trusted site, people wouldn’t have thought they could be infected.

I added a pop-up, and a redirect (thanks for the suggestion, Joe).

What I found while setting up the group was that if I only included the iframe in the description field, they substituted my tags with lookalike characters. But if I had other tags first, the tags were delivered exactly as I wrote them.

Update:
Proof of concept that iframes work in message as well:
Joe’s proof of concept message (Joe got it to work too, and this one’s ready for scrutiny).
I had to remove the redirect here, because it crashed Thunderbird when I tried to send the message. But with a spam mailer, or software with other features, that wouldn’t be a problem. Incidentally, the iframe worked in Thunderbird as well, which I totally didn’t like! Update: Joe’s version of Thunderbird was different, and he had to work a bit more to get the iframe to work. His post about the issue here.

For contrast, eBay talks openly about iframes not being allowed. Looks like they have some kind of automated way of blocking them. As Joe pointed out, it’s a thorny story, because Google Adsense actually uses iframes to work. The point isn’t that iframes should not exist. The point is that trusted services should not allow strangers who open an account to use unsafe code. Iframes basically import foreign content into their sites. In other words, if you go into unsafe neighborhoods with an unsafe browser, it’s your neck. But if you go to a trusted service and get a trojan, it’s an embarrassment for said service, and a shock for the infectee.

Update December 30, 2005:

I got two new responses from Yahoo. One for the specific use of ads via iframe on a specific Yahoo group (which is still up), and one for reporting the iframe vulnerability. I got the same stock response for both reports:

While we investigate all reported violations against the Yahoo! Terms of Service (TOS), Yahoo! has no control over activities outside its service, and therefore if messages are being sent directly to your address outside of the Yahoo! Groups service, we cannot take action.

You may try contacting the sender’s email provider, by identifying the sender’s domain and contacting the administrator of that domain.

This demonstrates a total inability on the part of the responding abuse person to even understand the problem. And if I get this type of response, it’s very unlikely it will be sent up the pipe to someone who can do anything about it. Which means we need to make a public stink to get the attention of someone higher up.

What other services allow or disallow:
* Livejournal, xanga and myspace from July 2005
* Browsers - it’s possible to block iframes in your browser. If anyone knows how, please let me know.
* Ebay doesn’t allow iframes


Block iframes

Tuesday, December 27th, 2005

Update: Proof of concept

Since discovering the iframe on Yahoo Groups, I’ve been thinking about the possible ill uses of that technique.

Basically, those that have interactive services: You need to disable iframes from working.

Iframes can be used to drop parasites, as well as ads, into services that never intended to become a vehicle for such.

So Yahoo Groups, now’s the time to act!

And any software - forums, guestbooks, wikis, classifieds - anything out there that allows contributions by people whose character you don’t know, make sure iframes can’t be used!
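The behaviour I saw on Yahoo Groups (tags escaped only when the iframe was the first tag, passed through untouched when something else came first) is what you get from a filter that inspects the start of the input instead of every tag. As an added example, and not Yahoo’s code or anything from this post, here is a Python sketch of both: a naive filter that reproduces that flaw, and an allowlist sanitiser that walks the whole input and renders every tag it does not know (iframe, script, object and the rest) as literal text. The allowed tag set and the sample input are my own assumptions for a forum or group description field.

```python
"""Allowlist sanitiser for user-supplied HTML (added example, not Yahoo's code)."""
import html
from html.parser import HTMLParser

# Tags a group description or forum post legitimately needs (assumed set).
# Anything else, including iframe, script and object, is shown as literal text.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li"}


def naive_sanitize(markup: str) -> str:
    """Mimics the flawed behaviour described in the post: only the FIRST tag is
    inspected. If it is an iframe the whole input is escaped, otherwise the
    markup passes through untouched."""
    start = markup.find("<")
    if start != -1 and markup[start + 1:].lstrip().lower().startswith("iframe"):
        return html.escape(markup)
    return markup


class _AllowlistSanitizer(HTMLParser):
    """Re-emits allowed tags (without attributes) and escapes everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            # attributes are dropped entirely; none of the allowed tags needs them
            self.out.append(f"<{tag}>")
        else:
            # keep the user's text visible, but as text, not markup
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing a reader needs; drop them


def allowlist_sanitize(markup: str) -> str:
    """Sanitise a whole fragment, not just its first tag."""
    parser = _AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: harmless bold text followed by a frame to an outside site.
    sample = '<b>hi</b><iframe src="http://example.invalid/"></iframe>'
    print("naive:    ", naive_sanitize(sample))
    print("allowlist:", allowlist_sanitize(sample))
```

The allowlist parser treats the tag name as the only thing that matters and throws attributes away, which is the simplest safe choice for a plain-text-with-bold style field; a site that needs links would have to allow `a` and then validate `href` separately.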

How did Microsoft avoid spamming?

Friday, October 28th, 2005

As I wrote below, Microsoft purposely infected a machine, turning it into a zombie.

But they assured us they’d fixed it so it didn’t ACTUALLY send out any spam.

So, how did they do that? Any guesses?

I’ve got one guess, but I’m sure there are other methods.

Let’s say they use a router. Disable NAT (to make it easier for those controlling the zombies), but instruct the router to drop connections on port 25. Put a packet logger either on the same machine or on another machine hooked up so it can log promiscuously. The packet logger then gets all the data the machine tries to send.

Any other ideas?

Another idea may be to do some fancy dns or port manipulation. Any request to port 25 gets sent to a mail server that does all the handshakes necessary, but doesn’t actually send out any messages. Rigging a mail server to receive but not send messages is easy.
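The second idea is the one I’d build. As an added example (my own sketch, nothing to do with how Microsoft actually did it), here is a minimal receive-only SMTP server in Python: it completes the whole dialogue a sending program expects, stores each message it is handed, and has no code path that relays anything. It assumes the router is already sending the lab machine’s port-25 connections to this box.

```python
"""Receive-only SMTP sink for a malware test lab (added example, assumed setup)."""
import socketserver


class SmtpSink:
    """State machine for one SMTP session. Speaks enough of RFC 5321 to let a
    sending program finish its dialogue, records each message, never relays."""

    def __init__(self):
        self.captured = []        # list of (sender, [recipients], body_text)
        self._sender = None
        self._rcpts = []
        self._data_lines = None   # None unless we are inside DATA

    def greeting(self):
        return "220 sink.lab.invalid ESMTP sink ready"

    def feed(self, line):
        """Handle one client line (without CRLF). Returns the reply line, or
        None for message body lines, which get no reply."""
        if self._data_lines is not None:
            if line == ".":
                self.captured.append((self._sender, list(self._rcpts),
                                      "\n".join(self._data_lines)))
                self._data_lines = None
                self._sender, self._rcpts = None, []
                return "250 OK: message swallowed, not relayed"
            # RFC 5321 dot-stuffing: a leading ".." stands for a single "."
            self._data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 sink.lab.invalid"
        if verb == "MAIL":
            self._sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            self._rcpts.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self._rcpts:
                return "503 RCPT first"
            self._data_lines = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._sender, self._rcpts = None, []
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Command not implemented"


def run_session(sink, client_lines):
    """Drive a sink with a scripted client; returns every reply the sink gave."""
    replies = [sink.greeting()]
    for line in client_lines:
        reply = sink.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies


class _Handler(socketserver.StreamRequestHandler):
    """One TCP connection = one SmtpSink; captured mail is printed, never sent."""

    def handle(self):
        sink = SmtpSink()
        self.wfile.write((sink.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = sink.feed(raw.decode("latin-1").rstrip("\r\n"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
            if reply == "221 Bye":
                break
        for sender, rcpts, body in sink.captured:
            print(f"[sink] mail from {sender} to {rcpts}, {len(body)} bytes of body")


def serve(host="0.0.0.0", port=2525):
    """Listen as the sink. The lab router is assumed to redirect port 25 here."""
    with socketserver.ThreadingTCPServer((host, port), _Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Because the only place a message goes is the `captured` list, the worst a spam engine can do is fill the sink’s memory; the dialogue it sees is indistinguishable from a real relay accepting its mail, so it keeps talking and you keep logging.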

Corporate systems only as secure as their weakest link

Friday, October 28th, 2005

I’m continuing the coverage on trojans/zombies and similar problems.

One machine was caught sending spam. Obviously a zombie. Except it turns out that wasn’t a regular machine. It was a server set up as a router. A very secure system, set up in such a way that I don’t see how it could have been hijacked.

But wait, it could have been used as a proxy. I tested it myself, and it was not an open proxy. It was however set up to be a proxy for machines on the inside of that network. So, if a machine on the inside of said proxy had somehow gotten infected with a trojan, this very secure server would happily ferry requests back and forth between the infected machine and the internet at large.

How?

Basically, a good firewall is usually doing stateful inspection. Which means if someone on the outside sends you a request, it’s denied unless the router is configured to forward requests on a specific port to a specific machine. But an infected machine sends out a request FIRST, and the connections from the bad guys are responses to it. So a previously infected machine will cut through any firewall relying on NAT and stateful inspection.

But many firewalls are set to block many dangerous ports. Enter the new breed of trojans. Their authors configure the trojans on the infected machines to work on random high ports. Ports that apparently weren’t blocked in this case, and probably aren’t in most cases.

So system administrators may have mysteries on their hands - routers that are reported to be spamming, yet the real culprit is one of the users inside the network. To the outside world, the machine on the inside is never visible, except that in some cases the mail headers will show a private network IP address.
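Two things let an administrator solve that mystery: the Received headers of the spam that got reported, and the router’s own connection log. As an added example, and not anything from the case above, here is Python that reads the Received chain bottom-up and reports the first RFC 1918 hop as the host behind the gateway, then counts which internal hosts opened outbound port-25 connections. The headers and the flow log are constructed samples (the addresses are documentation ranges), and the log format is assumed.

```python
"""Trace a 'spamming router' back to the internal host (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample: Received headers from a spam complaint, newest hop first.
SAMPLE_HEADERS = """\
Received: from gw.corp.invalid (gw.corp.invalid [198.51.100.7])
\tby mx.example.invalid with ESMTP id ABC123; Fri, 28 Oct 2005 10:01:02 +0000
Received: from dhcp-laptop-42 (unknown [192.168.10.42])
\tby gw.corp.invalid with ESMTP; Fri, 28 Oct 2005 10:01:00 +0000
From: "Nobody" <nobody@example.invalid>
Subject: constructed sample
"""

# Constructed router log (assumed format): timestamp src:port -> dst:port
SAMPLE_FLOWS = """\
2005-10-28T10:00:58 192.168.10.42:49213 -> 203.0.113.9:25
2005-10-28T10:00:59 192.168.10.42:49214 -> 203.0.113.10:25
2005-10-28T10:01:00 192.168.10.42:49215 -> 198.51.100.20:25
2005-10-28T10:01:01 192.168.10.17:52011 -> 203.0.113.50:443
2005-10-28T10:01:02 192.168.10.42:49216 -> 203.0.113.11:25
"""

# RFC 1918 ranges, spelled out rather than using ipaddress.is_private, which
# also counts the documentation ranges used in the samples as private.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def unfold_headers(raw):
    """Join continuation lines (RFC 5322 folding) so each header is one string."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_chain(raw):
    """IPs from the Received headers, ordered from the mail's origin outward."""
    hops = []
    for header in unfold_headers(raw):
        if header.lower().startswith("received:"):
            match = IP_RE.search(header)
            if match:
                hops.append(ipaddress.ip_address(match.group(1)))
    hops.reverse()   # each relay prepends its header, so the last one is the first hop
    return hops


def likely_origin(raw):
    """First RFC 1918 hop is the host behind the NAT/proxy; otherwise the first hop."""
    hops = received_chain(raw)
    for ip in hops:
        if is_rfc1918(ip):
            return ip
    return hops[0] if hops else None


def smtp_talkers(flow_log, threshold=3):
    """Internal hosts with at least `threshold` outbound connections to port 25."""
    counts = Counter()
    for line in flow_log.splitlines():
        match = FLOW_RE.match(line)
        if not match:
            continue
        src, dport = ipaddress.ip_address(match.group(2)), int(match.group(5))
        if is_rfc1918(src) and dport == 25:
            counts[src] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("origin behind gateway:", likely_origin(SAMPLE_HEADERS))
    print("internal hosts talking SMTP:", smtp_talkers(SAMPLE_FLOWS))
```

The header check only works when the gateway writes a Received line of its own; when it is a transparent proxy that adds nothing, the flow log is the only evidence, which is a good argument for logging outbound port-25 connections at the edge even if you don’t block them.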

And how can a computer on the inside of a corporate network be “previously infected”?

How many laptops are used on a typical network? How many of those laptops are wielded by clueless users, who connect anywhere and everywhere they can find a connection to the internet? I’d say quite a few. And if some of those laptops are slightly older, chances are they’re running Windows 2000, or even unpatched versions of Windows XP. Parasite city…

From proxies to zombies

Sunday, October 23rd, 2005

Some of you remember how I’ve been ranting about open proxies, and my desire to have them shut down to make it harder for linkspammers to misuse them.

But spammers are always on the move. Towards new techniques, always trying to stay one step ahead of spam hunters and the receivers of their spam.

So now using zombies as a delivery mechanism is getting more and more common. We saw one spam run at the beginning of my spam hunting. Alexander Morozov/Dyakon appears to have rented a botnet to do a vile trackback spam campaign. That was probably the noisiest spam campaign ever. More bloggers complained about it than ever, because of the content of the sites he was spamvertizing. It also provoked my first real blog spam post.

But since that campaign, we seldom saw zombies used by linkspammers. That’s changing right now. More and more, we see machines that seem to be zombies used in linkspamming.

Lately I’ve noticed how some zombies also appear to end up on free open proxy lists. They have proxies on random high ports.

What this means, is that the focus of this blog is changing - again. Not only do I want to make people aware of the danger of open proxies and how they are misused. I also want to make sure regular people are aware of the danger of trojans and spyware.

If you practice unsafe computing, you’re a sitting duck for trojans that make you into a zombie.

And your machine will be riddled with Adware and Spyware. I was shocked when I watched the video made by Ben Edelman, of how a computer was more or less trashed by visiting only ONE website! Found through Spywareblog. The video may seem a bit slow at times. He’s waiting for more stuff to be installed before he checks. And since this is an “evidence video” he doesn’t cut the dead air out.

When you watch that video, imagine how easy it would be to sneak a backdoor trojan into your machine… In fact, I almost got one myself a few months ago (my antivirus caught it in time), just because I had java enabled in Firefox. I suggest you disable java, and only enable it when you need it, for specific websites. Then disable it afterwards.