7th February 2005 ::

We interrupt our regular programme of complaining and weak jokes for a Public Service Announcement.

Warning: Microsoft AntiSpyware spam ::

Well, the Microsoft AntiSpyware beta may still have a few rough edges, but they must be doing something right: you know you’ve ‘made it’ when the scammers try to exploit your reputation.

Currently doing the rounds via spam is an apparent promotion for Microsoft AntiSpyware (“Download the new beta software from Microsoft today”) comprising a copy of Microsoft’s spyware index page with the AntiSpyware download links redirected to the attacker’s server—ftp.pisem.net in the sample I received, but this most likely changes.

Should you be unfortunate enough to download and run the linked executable, you’ll be getting a downloader trojan controlled by 1.dns10.peterhost.ru, installing a password sniffer that sends sensitive network traffic to publically-accessible web sites that are currently happily filling up with Hotmail and internet banking passwords.

So just to re-iterate what every security site says in this situation: Microsoft does not send e-mail promoting its downloads like this, and one should not generally click through links in e-mail, especially not to downloadable programs.

There’s actually a worse version going around under the guise of a BBC World news link titled “Attention !!! George W Bush is dead”, which if clicked through goes straight to an Internet Explorer security hole exploit. So should you be unlucky enough to click the link with IE as your default browser (pre-IE6 Service Pack 2, as it’s the good old ms-its/CHM exploit) you get the same password-stealing trojan installed from bflog.net. (Do not visit this site in IE; even the index page currently contains an exploit.)

This trojan is of a type categorised by Symantec as PWSteal-Tarno, but a number of the domains involved are in the same areas of the Internet as some well-known CoolWebSearch exploits. Is this the CWS affiliate gang in action again? Certainly they have been installing worse and worse software including at least one password sniffer and several botnet clients recently.

Or it could just be that the likes of Esthost/Atrivo have become first choice hosts for any old Russian black-hat activity.

Back the bid? Balls to that. ::

For a contrary old misanthrope like me, it’s good to see the London 2012 Olympic bid floundering.

On the way through London recently I was irritated by the ubiquitous posters telling me to support London’s pointless attempt to waste all its money on sporting nonsense. I’m a geeky computer git (so I must hate sport on principle; it’s the law) and don’t appreciate being cajoled to support an Olympic bid I consider a complete waste of money.

But in any case, what good would my support—or the support of the London taxpayers who finance the campaign—do? It is the IOC you have to convince, and I’m pretty sure they don’t read web sites like mine. At least I’ve never had an e-mail from juanantoniosamaranch@olympic.org commenting on my use of JavaScript and CSS, which is terribly remiss I know but not entirely surprising.

So I would like to take the opportunity to ask Ken Livingstone to stop wasting Londoners’ money on promoting his pet scheme to themselves and random bloggers who happen to be passing through on the way to Japan.

Unfortunately, of course, the Samaranch problem rears its head again here: busy men like Red Ken probably don’t read pointless sites like DOXdesk—at most he probably just flicks through it for the pictures.

So I phoned Livingstone’s office to draw his attention to the issue, and was pleased to find that Ken is actually a dedicated reader of this site, or at least he can be persuaded to say so for a very reasonable bribe level of a pie and a can of Irn Bru.

“I love DOXdesk”, lied Ken enthusiastically, “It’s my favourite web-blog on the inter-cyber.”

“Furthermore, having read Mr. Clover’s opinion, I have come to the conclusion that my advertising is a bit silly, and really the Olympics aren’t that good anyway. So I have decided to abandon the Games in favour of building an enormous Millennium Bouncy-castle over the whole of Putney, and pouring perfume into the Thames, to make it smell all nicer.”

So—hooray!—for democracy, and pie-based lobbying. It’s the future of politics, for sure.

COASTing to a halt ::

After 180solutions (producers of the nCase parasite) joined supposed anti-spyware group COAST, I posted:

Just wow. COAST is done, guys. It can go no further downhill.

It is time to plan its replacement, and poke fun at PestPatrol and Webroot until they leave.

Well, Webroot are now gone, and even Aluria—who famously thought partnering with WhenU (SaveNow) was a great idea—were too embarrassed to stay in an organisation with 180.

And they’ve got a point. WhenU was and still is a wholly unsuitable partner for an anti-parasite software company, but at least they have improved their standards slightly. 180 have not made even a token gesture towards fixing any of nCase’s problems, and are still being bundled by a huge variety of other parasites, including CWS and 2ndThought security hole exploits.

So who on earth thought it was a good idea to let them into COAST? Obviously not Webroot or Aluria (judging by their subsequent actions). And it doesn’t benefit WeatherBug or NewDotNet to let them in: these companies may be involved in unsolicited commercial software, but their transgressions are really minor compared with nCase. Being in the same club as 180 just makes them look bad.

There is one party that benefits though: Threat Sense Information Services (threatsense.com), who are contracted to evaluate COAST member wannabees, and who somehow decided that nCase was now kosher.

Threat Sense used to be known as Internet Privacy Conservation Council (ipccouncil.com), whose business model was to charge adware companies for certification as ‘honest’. Looks like this fantastic conflict-of-interest-ridden idea is alive and well at Threat Sense/COAST.

IPCC also made an enlightening submission to the FTC’s Spyware Workshop [PDF], making it pretty clear where their loyalties lie: with “legitimate, fair-dealing adware companies, or companies that enable the developers of freeware applications to defer software development costs through advertising”, and against the “websites dedicated to ‘spyware information’ containing nothing but blind speculation and mudslinging”. Cheers chaps. Nice to see your own ‘Privacy Offender Database’ so full of original research then, not simply cribbed from those evil mudslinging information sites at all. Ahem. Give my regards to those fair-dealing adware companies, whoever they’re supposed to be.

This is all a bit of a disappointing departure from how Threat Sense’s staff (Jay Cross Jr. and Christopher Carlino) started out, courting publicity for their now-quietly-abandoned plans to sue the makers of the Xupiter parasite. Whatever happened to you guys?

Well anyway, just PestPatrol left in there now, plus NoAdware, who no-one really cares about anyway due to some horrible marketing abuses committed in their name by affiliates in the past. There are more parasite-vendor companies than anti-parasite vendors in COAST now; it really is ‘done’. The fun-poking is almost over too.

I hope to be able to write about a more legitimate successor soon.

COASTing to a halt—update ::

Well, just as I was uploading this, PestPatrol just left too so that’s that then. This quote from CA’s Sam Curry is really questionable though:

The goal [of COAST] was to certify vendors that reformed their product. 180solutions went to great pains to make major changes.

This is absolute bull. COAST was originally supposed to be an anti-parasite software industry group (you know, hence the name “Coalition Of Anti-Spyware Technology Vendors”). It has never had ‘certifiying spyware vendors as reformed’ as a stated goal.

Out here in the real world 180solutions have not improved their behaviour one bit, never mind taking ‘great pains’. Even if 180 did fix all the awful abusive aspects of their software’s behaviour, it would be inappropriate to immediately call them ‘reformed’, as they would still be operating a millions-strong advertising network they obtained through fraud. As it is they have yet to take even the first step.

One hopes Curry is just a CA corporate management fool, rather than someone who actually has anything to do with their PestPatrol software (which rightly continues to detect and remove nCase).

More parasite updates ::

New parasites listed in today’s update: FreshBar, GrandStreet, SCAgent, SearchRelevancy, SRE, SvcMM, VistaBar, WareOut, WebDir and WhileYouSurf, plus new variants of CrackedEarth (CamGirlsLive), CoolWebSearch (BlankFilter, RndFilter, ResFilter, msbho, DownCom), DailyToolbar (too many to list), FavoriteMan (MMView), NetPal (N2), MediaTickets (CC, GC), PurityScan (NRnd), SearchSquire (v33), Transponder (Pynix, DLMax) and UCSearch (Install).

Also it’s very disappointing to have to announce that UCmore is back in the ‘bad’ box. Its new variant UCmore/IEMenuExtension (v4.5) has been installing though bundles with other parasites, often using IE security holes to install. Since Effective-i have failed to respond on this issue, I have no choice but to retract the ‘non-parasite’ endorsement I gave to UCmore when the v4 (XP) variant of the software was released. Shame. I guess the new ‘non-abusive’ business wasn’t making enough money for them.

Oh, and I’ve added pages to detail the largely-inoffensive Cydoor and only-slightly-offensive WeatherBug, since they’re both controversial cases. And also rewritten all the general-purpose information, since the old parasite index page was far too long and getting rather out of date. Oh, and it’s all available under a Creative Commons licence now, though everyone was already just copying it anyway.

Unfortunately when I put together the new parasite glossary I forgot to include definitions for several of the adware industry’s favourite terms. So here to help you understand the complicated and often confusing language marketing companies use to describe their software, a Marketese-to-English phrasebook:

No Spyware!
we have redefined spyware to mean ‘haddock’. Our software contains no haddock.
keeping the Internet free
writing more pointless trivial shitty clock-setting and weather programs
installed using browser security holes
aggregated non-personally-identifying information
your e-mail address, URLs of every page you visit, and anything you type into a form
carefully selected sponsors’ promotional information messages
full-screen flashing animated pornography
2-3 additional relevant web sites per day
a porn pop-up every five seconds
highly targeted search results
casinos and porn on every page
precisely tailored to your needs
there’s porn and casinos
your privacy is important to us
damn right it’s important—our business depends on violating it
easy uninstall process
yes, simply reinstall Windows
earn valuable points on web purchases
all your commission fee are belong to us
you must be 18 or over to agree to these terms
Hey kids! We know you won’t read this. Look at all the cutesy cartoon smiley faces and keep clicking Yes!
third-party enhancement technologies
other people’s spyware we get paid to foist on you
optimized search assistant utility
free advertising-supported software
consumer-friendly non-intrusive contextual marketing
anything at all but what we do, mate
innovative business model
criminal fraud

And so on.

* Current business model: zzz laziness ::

Another favourite is the phrase “this download is certified safe by Microsoft Authenticode”, which is not what Authenticode means at all. It merely offers the ability to identify the distributor of the code—and even then in reality it does no such thing, thanks to the incredible uselessness of Verisign/Thawte, the company that performs code-signing for all current malware.

It needn’t be this way, as Ben Edelman discusses. If Verithawte’s CAs weren’t so lazy they could monitor some of the egregious abuses of certificates, such as:

  • fraudulent company names like ‘MSN Technologies’ (not Microsoft, but a dialler company) and ‘Impro Corporation’ (not improcorp.com, but a CoolWebSearch affiliate);
  • nonsense company names like ‘click yes to continue’, ‘page access’, ‘age verifier’, ‘view video codec’ and ‘news player’;
  • highly misleading program descriptions;
  • having backdoor trojans secretly insert certain certificates into IE’s Trusted Publishers list so that their code installs without asking (many dialler companies)

...and revoke the certificates of publishers caught doing it. At the very least, they should have to publish the legal contact details of any company they issue a certificate to, so that there’s someone to sue if the software proves to be malicious; at the moment all you have to go on is a worthless text string which may or may not have anything to do with a real company.

Instead, Verithawte prefer the business model of sitting on their arses getting money for owning the root CA certificates, without actually doing anything to earn it. Nice for them, but kind of sucks for the IE user.

* Current music: Christophe Héral, Beyond Good & Evil OST ::

Yeah, pretty sad’n’geeky, I know, listening to computer game soundtracks. But the impeccably trendy new RJD2 album I just finally got hold of turned out to be a bit disappointing IMO, so I’m listening to this instead. And hip be damned, it’s really quite good. Stands up well enough outside the (also dead good) game it comes from. In fact it’s better that way, as you aren’t having to let the end-of-level bosses live a bit longer just to hear the music.

(You can download the raw tracks from Nintendo Insider: 1 2 3. This is missing a lot of the cut-scene music with dialogue over it, unfortunately, and isn’t really mixed together to be listened to as a standalone soundtrack, so I might be persuaded to upload my version if the copyright issue isn’t too hairy.)

What’s even worse than listening to computer game soundtracks? Listening to soundtracks for computer games that were never even released, of course! Babylon 5 Combat Simulator soundtrack (Christopher Franke). Top effort. Unfortunately the download has disappeared from his site and the MP3 file quality was not brilliant. CD release please.

Blimey. I’ve made myself look really geeky now. Must do something to counter image damage. Er. I was out extreme-snowboarding recently, and got into a fight with a mountain bear!!! Only it wasn’t snowboarding, it was skiing. And not especially extreme, more like kind of medium. And there was no bear. Ah, sod it.

11th January 2005 ::

Ahh, 2004. A good year for spyware. Did you enjoy it?

If you had to spend hours cleaning the stuff off your own computer, then possibly not. But for parasite collectors like me, a vintage year. And so much mainstream news coverage of parasite issues too.

...most recently of course, all the kerfuffle over DRM-protected Windows Media files doing the rounds on the file-sharing networks, that try to install parasites when they are opened in Windows Media Player. I’ve been researching these behind the scenes for a few weeks now. Sadly this has been going on for months—at least since June 2004, probably longer—but I guess us security lot were too busy looking at spyware on the web to keep an eye on the filesharing networks too.

There are (at least) two groups operating the parasite-poisoned files, and since they work similarly there is some confusion between them.

Culprit A: Overpeer ::

The first to be revealed in public, in this PC World article. Overpeer are infamous for flooding file-sharing networks with fake music files at the behest of the recording industry, but the DRM files are apparently the work of their ‘promotion services’ department, who claim to:

  • Leverage highly targeted and qualified search results and activity across millions of peer-to-peer users worldwide to drive the legitimate sale of digital media

In reality, the files they are seeding to the P2P networks seem to be entirely untargeted, camping out on any old popular keyword. They’re not just targeting RIAA members’ music files (like the Alicia Keys track mentioned in the PC World article) but also video files, in particular porn. The site content delivered to people who open the files is aimed not at driving the sale of related digital media, but simply getting as much cash as possible for sending traffic. And who pays most for traffic? Why, spyware installers and porn-pushers, of course.

Inspired by Ben Edelman’s great work demonstrating and publicising some of the practices of the parasite vendors through video, I’ve made a brief clip of what happens when you open a Windows Media file with DRM-poisoning provided by Overpeer. This particular file, and the others I have found so far, redirect from Overpeer’s Windows Media licensing server (licenses.overpeer.com) to its partner Alcena Corporation (alcena.com).

[You’ll need a codec that can play XviD MPEG-4 AVIs (I suggest XviD, but DivX, 3ivX and ffdshow can probably cope too), and you’ll need not to be offended by porn. Researching parasites I see this sort of stuff every day, so it’s easy to forget how unpleasant some of it actually is.]

Amongst the rubbish demonstrated in the clip:

  • spyware ActiveX drive-by downloaders that are ‘aggressive’—that is, if you turn them down they keep popping up again, making IE unusable until you or they give up, or you hit ctrl-alt-delete and kill IE completely;
  • full-screen chromeless browser windows that offer no way to close them—here you have to know to press Alt+F4 to close the window, or, again, ctrl-alt-delete and kill IE;
  • endless exit-pop-up loops, again only escapable by banging Alt+F4 fast enough or killing IE;
  • beastiality. Alcena are redirecting Overpeer file users to a site operated by Lexitrans (associated with dialler exploit scams and connected to organised crime). This spawns different affiliate porn site ads depending on where one is based: me, I got the horse sex. Nice.

Of course this clip only shows what happens if you manage to correctly refuse all the installations and get rid of the popups. Had I fallen for the agressive installers, I would now have the ISTbar/XXXToolbar, FastVideoPlayer, Transponder and FavoriteMan parasites. FastVideoPlayer would then load Wink, and FavoriteMan and ISTbar would install pretty much every major parasite going. I would be surprised if the computer was at all usable at the end of the day.

And that’s not the worst of it either. Some commentators have been asking, “but what would happen if hackers used this to open security hole exploits?”. Bad news, boys: it has already happened, and the ‘hackers’ are Overpeer.

I’ve gone through the other redirects in Alcena’s DRM-advertising database and found lots of other parasite downloaders, including many for EasySearchBar, which is written by Alcena themselves. But worst offender is the redirect to the page zon.html at www.ntsearch.com, which is a CoolWebSearch site you should absolutely not visit (unless you really like malware and that).

This page spawns many, many Internet Explorer exploits including at least one which affects IE6 Service Pack 2. [Note: Microsoft finally released a patch for the bug in question as I was writing this. Go update!.]

The end result is the loading of CoolWebSearch/Filter, an additional CWS desktop background hijacker and backdoor downloader trojan, two TIBS diallers and Pugi.Yuups, and then MediaTickets, TopConverting and ISTbar/XXXToolbar, all of which will proceed to load hefty bundles of further parasites.

I knew [Overpeer owner] Loudeye’s finances were in a desparate state, but is this really called for?

Oh, and just a thought here: this here is the company you’re funding if you buy music from MSN Music, Virgin Downloads, or any of [Loudeye subsidiary] OD2’s other online music outlets. Quite apart from the fact that you’re receiving DRM-afflicted files that you have to ask permission to play and will probably stop working when you least expect it.

And just for the sake of a fun headline, though I know that of course they aren’t really responsible, no no, it’s just their affiliates, and the affiliates’ affiliates and in fact no-one is to blame for anything, no guv’nor... RIAA contractor endorses security hole exploits and horse porn!!

To add insult to injury, I never even got the Overpeer video files to actually play. Ah well.

Culprit B: ProtectedMedia and friends ::

I happened on this one just before the PC World article came out; Ben then did a good report on it (with video) which was followed up by Eric Howes and, just now, by eWeek*.

ProtectedMedia’s MO is a little different: whereas Overpeer’s files tried to raise funds by redirecting traffic to whoever would pay most, ProtectedMedia’s strategy is to trick the user into accepting parasite downloads by giving them misleading names, such as “Required: Media Player Version 9 Browser Update”.

Since this occurs at the same point Windows Media Player might ask you to accept a download for a video codec or licensing system update, it is all the more plausible. Should you fall for it, you’ll get the Pugi.iSearch and ILookup.Hot parasites (both of which hijack the browser to isearch.com); the latter will also install a bucketload of other parasites (as seen in Ben’s video).

Since January 2005 the ‘whois’ information for the ILookup domain spidersearch.com gives ProtectedMedia as an owner, and ProtectedMedia’s listed address (a mail drop, natch) matches some of the other ILookup domains. Previously, protectedmedia.com was registered to Jason Tucker, a lovely picture of whom you can see at DRMdaily, a site affiliated to playasolutions.com, who seem to behind the DRM server system itself, and ideafoundry.net, who appear to have created a bunch of other DRM-based businesses based on this system, similar in MO and website design to ProtectedMedia.

There’s instantdrm.com and tagteamdrm.com, affiliated to dncstudios.com, whose files (which can found on the web as well as being bait on the file-sharing networks) try to install the ISTbar and WindUpdates parasites. Then there’s webairdrm.com (affiliated to webair.com—also ProtectedMedia’s ISP) and playadrm.com, whose files I have not yet had the ‘pleasure’ of meeting.

Culprit C: Windows Media Player ::

Ah, Microsoft, you shoulda seen it coming. It happened when ASF files (WMA, WMV) were permitted to open pop-ups as events during playback, and it was obviously going to happen again when DRM allows a pop-up at the beginning.

As the Panda AV representative in the eWeek article commented, “the more bells and whistles you add to the technology, the more you open doors for the bad guys”. And IE and WMP these days, they’re almost entirely bells and whistles.

[I’m not quite sure there’s a lot of utility in Panda and Kaspersky detecting the known media files as trojans though. I mean there are probably hundreds if not thousands of the things, more churned out every time a porn site gets more content. You’re onto a loser trying to track that.]

The problem is not fully fixable either. If MS were to disable scripting in license acquisition it would thoroughly break existing licensing servers’ DRM functionality.*

Still, Windows Media Player 10 makes a try, by applying the ‘infobar’ pop-up and download blocking behaviour from XP Service Pack 2. You have to have WMP10 and SP2 for this to work; non-XP users are stuck again. Even with the fix media files aren’t completely safe, since there are still unpatched IE vulnerabilities that could probably be included in the acquisition page itself (rather than as a pop up), but, as with the SP2 infobar fixes in general, it’s a definite improvement.

Many of the parasite vendors who use similar aggressive installers are trying to get around the infobar’s download-blocking behaviour by instructing the user to turn it off (left: a typical example, this one from the ProtectedMedia files), but this is rather laborious and much less compelling than the aggressive-installer “I’m going to keep asking you until you say yes” behaviour pre-SP2.

There has been some argument about just who can make Windows Media files with DRM. In theory, to make a WMP+DRM file you need to sign it with a public key, a certificate for which you have to get from a Microsoft-approved licensing service provider. That is, rather than letting just anyone sign and protect their own content, one has to get Microsoft’s permission, by paying one of its partners. There is no technical, cryptographic reason for this, it’s just a nice little scam for MS and its partners to make money for doing nothing but owning some root certificates.

Anyway, so the theory goes, this limitation would limit the capability of “hackers” to create “malicious” files that “infect” their users. Though you have to wonder just how much more malicious it can get than installing spyware by exploitation of IE security holes, as Microsoft’s ‘approved’ friends are already doing. [Overpeer’s keys comes from the Loudeye/OD2 provider. I think ProtectedMedia’s keys might be coming from the provider DRMNetworks, as they’re the only one in the list on the above page with any connection (they host the server for one of the ILookup parasites), but it’s a bit tenuous, could be someone else.]

Anyway, for license-acquisition-security purposes this stuff is not an issue. Just by fiddling with the contents of the existing WMP+DRM files in a hex editor, I (or any common or garden “hacker”) can change the licence-acquisition page that pops up to point to any old server; this part of the file doesn’t seem to have anything to do with the signature. Now of course if I change the file to point to my attacking server, the actual video or audio in it isn’t going to play back properly. But if all I want to do is install parasites that’s not much of a concern, is it?

So what’s my advice after all that? Erm. Not so easy. It’s not as if you can easily uninstall Windows Media Player, oh no; Microsoft have ensured it is an unremovable, nay essential, operating system component. (Cheers guys. Roll on the European WMP-free Windows XP Antitrust Edition, I say.) Ah well, If you are using XP, Service Pack 2 combined with WMP 10 is a good start, anyway.

Or just use Media Player Classic instead? A much nicer interface than the increasingly flashy, decreasingly usable WMP since version 7, for my money*, and some handy extra features too. It doesn’t support DRM, which is good for security*, but unfortunate for you if you are unlucky enough to have bought any protected WMA files from an online music store.

GIANT becomes micro ::

Also making headlines is Microsoft’s first ‘beta’ release of its forthcoming AntiSpyware product based on GIANT.

GIANT were somewhat of a latecomer to the parasite removal game, but quickly picked up a reputation for being able to remove some of the tricky newer parasites. The MS release definitely is a beta at the moment though, with what looks like the same kind of LSP removal problem that plagued early Ad-Aware releases, and sundry other odd behaviours. Not ready for userland yet, but it will be interesting to see what MS can do with it.

Interesting too to see how they plan to market it. Will it be free? Free for home use? Sold as part of a service? Fully commercial? I don’t know and, it seems, neither does Microsoft yet.

Unfortunately, they’re damned either way. If they make it free, they’ll be castigated for “leveraging their monopoly into another market”, competing unfairly with the other parasite removal software companies. If they try to charge for it, they’ll be “demanding money to solve a problem they caused in the first place”.

Meanwhile, some people will be cautious of giving Microsoft even more control over what is allowed to run on a Windows box, and the parasite vendors are going to be very cross (bless ’em). When it was just XYZ Tinpot Spyware Remover Company calling your software crap you might let it fly. When it’s Microsoft, that’s a different matter.

Already WeatherBug have whinged* and got off AntiSpyware’s target list. WeatherBug may not be spyware (by my definition, anyway: it doesn’t leak information to its controlling server), but its commercial purpose and bundling with Blubster and AIM would seem to qualify it as Unsolicited Commercial Software (a parasite) just as much as AntiSpyware’s preferred term Potentially Unwanted Software. (...mmm, PUS...) Plus of course WeatherBug bundled SaveNow in the past, and still bundles MySearch, albeit it with opt-out dialog.

So that’s a borderline decision at best. There’ll be many more to come. Will Microsoft give in when WhenU come knocking and claiming to have completely reformed (ahem)? What about new.net? Gator? And then there’s the really bad ones...

Another point of criticism levelled at MS AntiSpyware is that they’re tackling the parasite problem as an afterthought, by tacking a spyware remover onto the top of Windows, rather than solving the issues that cause spyware to get installed in the first place. There is is some truth in this. It is certainly a Microsoft characteristic to try to work around problems by adding new code, instead of fixing or removing the old stuff.

...applications incorrectly replacing system DLLs? Well, let’s have something that runs in the background and puts the old ones back if that happens [Windows File Protection]. It’s easier than coming up with a versioned DLL repository. What’s that, this still doesn’t stop the system getting confused with DLLs and gone-wrong registry settings? Well then, let’s add another process that makes backups of the entire system so you can go back to an old setup if it goes wrong [System Restore]. Never mind that you’ve now got four copies of all the system files eating up half the hard disc, and it all goes a bit slower, and viruses keep hiding in the System Restore folders. It’s all good. What’s that, the Local Machine Zone is an enormous source of IE vulnerabilities? Well, much easier to add an extra security lockdown layer with different settings that almost but don’t quite fully protect the machine, than to just get rid of the silly feature of a Local Machine Zone in the first place...

And so on. But in this case the criticism is really not justified, because—aside from the trivial issues of fixing the holes and poor design choices in Internet Explorer—solving the malware problem is hard. No other operating system has done it either. Not Mac OS X, and certainly not Linux, whose X Window System exhibits the same weaknesses as the MS Windows desktop, and then some.

Linux and other modern platforms have an advantage over Windows in that it is normal to run as a restricted user. This is of course possible in Windows ever since NT, but so much poorly-written software breaks if you do that most people don’t bother try, and because no-one bothers run restricted, software authors don’t bother to make it work. Argh.

But running without admin privileges does not in itself solve the problem. If you download and run a program, it can still do anything you can do as a user, including deleting all your documents, stealing any personal info you have stored, and protecting itself so you can’t remove it as a user. That’s still pretty comprehensive lossage right there; the only advantage is that without admin (root) access it can’t burrow itself deeper in such a way that even the admin wouldn’t easily be able to kill it (as happens with r00tkits and increasingly in newer parasites). And even then, once it has user-level access it can spoof the user interface enough that it could theoretically fool you into revealing the root password.

What we actually need is per-program privileges, not merely per-user. When a program is first started it should run in a sandbox with essentially no permissions to do anything except maybe open a window, and write to its own private file/settings space. If it needs to access any user document, system setting or data from another program, or if it wants to use the network, or take a screenshot, or access some hardware or whatever, it should jolly well have to ask nicely first (and if the user didn’t have that permission themselves it should be possible to bounce the request up to an admin). Malware would stand little chance if everything it did was transparently approved by the user.

Of course there are lots of checks and UI design issues you would need to implement this sort of thing, to isolate each program and keep it from compromising the security of the system itself whilst still allowing the user to do what they like with their computer, and not overwhelming them with silly trivial permissions requests. It’s a damned hard job, and as far as I know no-one is working on it.

Tiny Firewall has some features approaching this sort of thing, but it’s currently rather clunky to use, because applications just aren’t designed to expect permissions to be denied or delayed. And naturally it is still not totally secure, as any other program on the system running with the same privileges can tamper with the firewall software itself. Ideally the operating system and applications need to be rejigged from the ground up to do this sort of thing properly, and that’s just not going to happen.

A protected unspoofable environment for security management interfaces is the first step, and that’s what Trusted Computing and Microsoft’s Next Generation Secure Computing Base should have been about. Instead you're getting a load of DRM unpleasantness, more to ensure content providers’ security from and control over you than your own security from attackers. Sorry about that. But the content industry has more money than you, you dirty little pirate.

Spy vs. Spy ::

Another recent source of fun spyware headlines was Avenue Media (InternetOptimizer)’s legal action against Direct Revenue (Transponder and various other related parasites).

Avenue claim Revenue’s software has been uninstalling theirs and, yeah, it has happened, though I haven’t seen it happen in a while now. The culprit is the ‘Thinstaller’ downloader used to install or update Revenue’s Transponder or FavoriteMan parasites; it can and has been used to delete reg keys and kill running processes, disabling InternetOptimizer.

“DirectRevenue, knowingly and with intent to defraud, exceeded its authorized access to users’ computers” say Avenue, and the problem is they’re right. But both parties have ‘exceeded their authorised access’ by having their software bundle on zero-notice installation methods such as IE security hole exploits; now they arguing as if two thieves over who stole whose stolen goods. What’s a court supposed to do with a crock of a case like that?

But this is nothing new. The infected desktop is a very competitive ecosystem, and killing competitor parasites is a popular tactic. I think the earliest one I encountered was nCase’s attack on FlashTrack.

All variants going back to the first one I met, nCase/nc, sniff for the existance of the FlashTrack files C:\Program Files\flt\flt.dll (Flt variant) and C:\Program Files\FtApp\ftapp.dll (FtApp variant). If it finds them, it deregisters them, leaving them disabled.

I don’t know why 180solutions (nCase) dislike Flashpoint Media (FlashTrack) so much in particular. Maybe it was done as a test and then forgotten. Certainly the same code is still there in all of the many subsequent nCase variants to this day, but it has never been updated to look for any of the newer variants of FlashTrack.

Then there was the original version of ClearSearch (IECS), whose installer tried to disable the then-widespread Xupiter (Xupiter and Sqwire variants), HuntBar/MSLink, a little-known address bar search hijacker for WorldSearch, NewDotNet (though here the code would likely fail), eAnthology, iWon (not considered a parasite at the time, but which eventually became MySearch) and Netword, a keywords competitor that is not known to be parasitic at all.

It also removed IGetNet quite thoroughly, which is odd since it was originally written in an IGetNet style and launched through IGetNet’s self-update mechanism (leading us to believe it was a replacement for the previous IGetNet rather than a competitor, at the time). Never did find out what happened there.

And then there’s MediaUpdate, which also tries to stop an older version of InternetOptimizer running. Not a popular parasite, that InternetOptimizer.

But as usual, CoolWebSearch takes the biscuit. The thing about CWS is that it’s not just one hijacker, but a network of competing affiliates. Quite commonly once a CWS affiliate has exploited an IE security hole, the first thing the installed software will do is remove another affiliate’s known trojan filenames, drop zero-byte hidden locked files with known trojan names to ‘inoculate’ against a competitor, or put a bunch of a competitor’s domain names in the Hosts file with the wrong address, to block access to them.

After that, it’ll take care of loading all those parasites we know and love. Some CWS exploits, after having earned their money by installing parasites, then actually try to remove some of it, or load a pop-up blocker to mitigate some of the effects! By reducing the ill-effects of what it installs, this might prolong the install time of the CWS trojan before it is discovered and deleted. Yes, CoolWebSearch affiliates are quite happy to cheat the parasite vendors too.

Arnold’s law ::

So the first anti-spyware law passed in California last September in a rush of headlines. But I can only agree with Ben’s analysis: rather a waste of time. Now here comes Mary Bono’s second attempt at a federal anti-spyware law. It’s better than the California law, sure, but so much depends on its interpretation of ‘authorization’ it’s difficult to judge so far. That troublesome section 5(c) looks like it might contain a few loopholes too.

It also focuses quite heavily on actual ‘spyware’: that is, information-leaking software with possible privacy implications. In doing so, it has much less to say about parasites—unsolicited commercial software—in general. Spying is one of the worse behaviours parasites get up to, but it’s by no means the only important one.

More importantly in my opinion, it fails to offer remedy against spyware vendors to anyone but the FTC, who have thus far been slow to act. All we have up to now is a slap on the wrist for Sanford Wallace, the reformed ex-spammer. (Who sadly was reformed into a security hole-exploiting spyware installer—not really much of an improvement.) This is evidently not enough; one can only hope that his is to act as a test case pending much wider proceedings.

It’s tempting to shrug and say “any law is better than none”, but there is a potential danger here: any wishy-washy Act with loopholes or a non-useful definition of ‘spyware’ will give the vendors who can claim to comply with it a false legitimacy. In short, I fear a CAN-SPY Act.

The problem with the current legal situation is not primarily a lack of legislation. It is a lack of enforcement. It is already illegal to install software on a computer without the owner’s consent (at least in the UK and US, and probably elsewhere too) as it would be ‘unauthorised access to a computer system’.

When CoolWebSearch affiliates hacked mainstream web servers to put their exploits on, that was illegal. When they used those exploits to run their trojans on page visitors’ computers, that was illegal. When major US (and Canadian) parasite companies paid them to load software such as ISTbar, MediaTickets, nCase and diallers onto the compromised machines, that was damned well illegal too. But while there’s no law enforcement involvement they will continue to get away with it.

Whilst it would be nice to have some laws especially taylored to parasites, and legislation of some sort is needed to ascertain what constitutes authorisation and what, if any, legal force click-through licences (especially the misleading ones) have. But we’re still at the point where even the worst, most obviously illegal exploits go unpunished, here. Until we start handing down the same criminal sentences to directors of companies involved in traditionally-illegal unauthorised access as we have to spotty teenagers caught breaking into company systems, there will be no change.

Anyway... ::

...what I actually meant to say today, before I started all that rambling, was that I’d updated the parasite detector script to release 3.6, and documented some more lucky winners: AdultBox, BroadcastPC, EasySearchBar, FastVideoPlayer, GogoTools, Hyperlinker, Keywords, Naupoint, NetShagg, Searchfst, SpecialOffers, TargetSaver and WinPL. Plus, new variants of ClearSearch (CTIE), CoolWebSearch (mshelp, svnhost, InternetMgr), FlashTrack (Fen, RegFe), ILookup (too many to mention), Pugi (also too many to mention), SaveNow (VVSN), TVMedia (SSK), Tubby (spm1316) and Wink (dlux, HotTarts). Whew.

PS. Oh, and I found a few more old mailing list posts too.

PPS. And great to see more pressure from MEPs against the European Patent Office’s potentially disastrous attempts to make software patents legal. But where are the signatories from the UK? Disgraceful. Come on you guys, sort it out. Or just do nothing and let the small-to-medium IT business sector go completely to pot, if you think that’s better. What’s wrong with you? Are you stupid or something, or what?