More on Macs and viruses

Remember the old Melissa virus from Word 97? It was one of the first truly widespread macro viruses, appearing for the first time in March 1999. It did the usual stuff you expect from a mass-mailing worm, with one mildly amusing twist:

The virus activates if it is executed when the minutes of the hour match the day of the month; for example, 18:27 on the 27th day of a month. At this time the virus will insert the following phrase into the current open document in Word: “Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game’s over. I’m outta here”. This text, as well as the alias name of the author of the virus, “Kwyjibo”, are all references to the popular cartoon TV series called “The Simpsons”.

In the course of updating the chapter of Windows Security Inside Out that covers viruses and other hostile software, I ran across this reference and decided to Google that particular snippet of text. Of course, I found plenty of references to the Melissa virus. But I also found lots of Word documents and PDF files that were inadvertently Simpson-ized by the virus and then posted to the Web, where they remain as a sort of memorial to this long-vanquished bit of hostile code.

Or at least I thought it was long-dead. Imagine my surprise to find this post on a Macintosh-oriented discussion board, dated December 28, 2004.

Strange message in MS Word

This is strange, some times the following shows up for no apparent reason:

“Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game’s over. I’m outta here.”

I could be writing or saving and then poof! there it is…

Is this a programmer’s joke of some sort? I have to be careful not to send this off to a client embedded in a doc. This happens in the OSX version as well as earlier ones.

Any ideas? Anyone else see this b4?

A little more Googling revealed that this particular virus was WM97/Melissa-X:

Melissa-X is an infected Microsoft Office 2001 file (Office 2000 for Macintosh). It appears that this virus variant came about when a Macintosh user who had a file infected with WM97/Melissa-X, saved it using Office 2001. The file (ANNIV.DOC) was then sent to a colleague running Microsoft Office 97 or 2000. When the file was opened the viral macro code ran (even though the file format was still Office 2001), and the mass-mailing part of the virus code executed.

[…]

The mass-mailing payload of Melissa-X does not work on Macintosh computers, although the virus can still replicate.

Apparently this particular strain appeared in early 2001. Viruses on a Mac. Who knew? For what it’s worth, the architectural changes in Office 2000 (Windows) and later versions completely eliminated macro viruses. And that poor Mac Melissa victim needs to get some security updates, too!
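The trigger condition quoted above and the “Simpson-ized” documents the author turned up with Google are easy to check for on your own file shares. The script below is an added example (mine, not from the post or from any antivirus vendor): it walks a directory tree and reports documents that still carry the payload text, checking both the 8-bit and the UTF-16 encodings that Word 97-2003 binary files use for body text. The sample files it builds are constructed, and the directory layout, file names and the list of suffixes it scans are assumptions.

```python
import os
import tempfile
from datetime import datetime
from typing import Dict, List

# Distinctive fragment of the text the payload inserts. The apostrophes in the full
# phrase are left out because Word may convert them to typographic quotes.
MARKER = "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters"

# Word 97-2003 binary documents hold text either as 8-bit (cp1252) or as UTF-16LE,
# so the raw bytes are searched for both encodings of the marker.
MARKER_NEEDLES = {
    "cp1252": MARKER.encode("cp1252"),
    "utf-16-le": MARKER.encode("utf-16-le"),
}


def payload_window_open(when: datetime) -> bool:
    """Melissa's insertion condition: minutes of the hour equal the day of the month."""
    return when.minute == when.day


def find_marker(data: bytes) -> List[str]:
    """Return the encodings in which the marker text appears in a file's raw bytes."""
    return [enc for enc, needle in MARKER_NEEDLES.items() if needle in data]


def scan_tree(root: str, suffixes=(".doc", ".dot", ".rtf", ".txt")) -> Dict[str, List[str]]:
    """Walk a directory and report every document carrying the marker text."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                found = find_marker(fh.read())
            if found:
                hits[path] = found
    return hits


def demo() -> List[str]:
    """Build a constructed sample tree and return the base names of the flagged files."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins: the OLE header bytes make the .doc look plausible,
        # but these are not real Word files.
        clean = b"\xd0\xcf\x11\xe0" + "Q4 figures attached; nothing unusual.".encode("utf-16-le")
        tainted = b"\xd0\xcf\x11\xe0" + ("Agenda item 3. " + MARKER).encode("utf-16-le")
        plain = ("Meeting notes. " + MARKER + ". Game's over.").encode("cp1252")
        for name, body in (("budget.doc", clean),
                           ("memo-simpsonized.doc", tainted),
                           ("notes.txt", plain)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return sorted(os.path.basename(p) for p in scan_tree(root))


if __name__ == "__main__":
    print("flagged:", demo())
    print("would fire at 18:27 on the 27th:", payload_window_open(datetime(2005, 1, 27, 18, 27)))
```

A hit only tells you a document was once open in an infected copy of Word; the macro itself lives in the template and document streams, which this byte search does not parse, so treat a match as a reason to run a proper scanner, not as a clean bill of health for files without one.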

Firefox spyware to show up this year?

The Linux/open source publication NewsForge interviewed several security experts who believe that Firefox spyware will show up this year:

Webroot Vice President of Threat Research Richard Stiennon said he expects there will be spyware for Firefox this year, adding that while the browser was designed to be immune from the spyware infecting IE, Firefox will face a new breed of spyware tailored specifically for it.

[…]

Stu Sjouwerman — founder and COO of Counterspy maker Sunbelt Software — agreed that Firefox spyware is likely in 2005.

“I’m pretty sure you can expect one or two Firefox (spyware) exploits before the end of the year,” Sjouwerman said. “The more popular a platform gets, the more likely it is to come under attack. Firefox — which I use myself — I don’t think is going to be immune from that. If you go wide like this, you have to expect that your product will be exposed to a trial by fire.”

Sjouwerman reported that his company’s research on Firefox revealed some Explorer-like situations that may draw spyware.

“We looked into it and found that the security of Firefox had similar openings or vectors where spyware can be utilized to exploit or bypass protection,” he said.

Take all these predictions with a grain of salt, of course. The people quoted in the story have a vested interest in keeping computer users in a state of fear and anxiety.

A workaround for the Firefox IDN vulnerability

Update: The fix that is documented in the original advisory and recommended by Mozilla doesn’t work reliably. As soon as you restart Firefox, you’re vulnerable again. Worse, about:config continues to show that you’ve properly disabled the setting. This issue is thoroughly discussed in this thread on the MozillaZine Forums, and the behavior itself is documented in Bugzilla as bug 281365 (you may also see it referenced as bug 281377, but that one is a duplicate).

Thanks to John Walkenbach for pointing out this problem.

I’ve had a chance to work a little more with the vulnerability that affects Firefox and other non-Microsoft browsers. This fix, which was documented in the original advisory, worked for me.

  1. Open Firefox, click in the Address bar, type about:config, and press Enter.
  2. Scroll through the alphabetical list to the entry labeled network.enableIDN.
  3. Double-click that entry to change its value to False.

You don’t need to close or restart Firefox. The change is immediate. Note that any changes you make to default Firefox settings appear in bold in this list. I also expect that a Firefox patch will appear in short order.

Presumably, other Mozilla-based browsers work the same way. At this point there is no known solution for Macintosh Safari users, and the response from Opera (as quoted in the original Shmoo advisory) is that they believe the feature is working properly and plan no changes. Something tells me they’ll change that tune very soon!

Oops! This Firefox security exploit is a doozy

Last month, I predicted that as Firefox became more popular it would face more and more attacks from the Internet’s dark side. A security bulletin issued today appears to identify the first widespread security exploit aimed at non-Microsoft browsers. Ironically, you’re protected if you use Internet Explorer, but you’re vulnerable if you use most Mozilla-based browsers, including Firefox 1.0; this vulnerability also affects Safari 1.2.5 (Macintosh) and Opera 7.54, and perhaps other versions of those browsers as well. Here’s how it works:

You visit an innocent-looking Web page or receive a seemingly authentic e-mail. You click a link that appears to take you to a trusted site (the security advisory uses PayPal as an example) using your default browser, Firefox. The URL in the Address bar says you’re at PayPal’s site, and the locked padlock icon in the lower right corner indicates that you’re on a secure site.

The only trouble is, you’re not at PayPal’s site. You’ve just landed at a site owned by someone who wants to steal your information, and even a careful and suspicious visitor can be fooled by this exploit. The exploit works because of a flaw in the way these browsers handle “punycode”: links that use code pages and scripts whose characters look like Latin-based ones. And the same technique could be used for any site.

A demonstration of the exploit appears here:

http://www.shmoo.com/idn/

Don’t worry, the demo is harmless. But a scam artist who can cut and paste HTML source code can turn the landing page into an exact duplicate of PayPal’s site, or your online banking portal, or a shopping site, or anything they want. This sort of scam will fool a lot of people.

The only indication that you’re not at the correct site appears if you choose the option to use a secure logon and check the security certificate. Even then, you have to dig carefully and look past the opening page of the security dialog box, which appears to display a legitimate security dialog box.
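To make the punycode mechanism concrete, here is an added example (my code, not from the Shmoo advisory or from any browser): it converts between the Unicode form a user sees in the Address bar and the xn-- form that actually goes out in DNS, lists every non-ASCII character by its Unicode name, and flags any label that mixes writing systems, which is the display rule browsers later adopted for IDN. The lookalike name is the widely cited advisory demonstration, “paypal” with a Cyrillic а (U+0430) in place of the Latin a, constructed here as the test input.

```python
import unicodedata

# "paypal" with the second letter replaced by CYRILLIC SMALL LETTER A (U+0430).
# Constructed here as test input; it renders identically to the Latin spelling.
LOOKALIKE_HOST = "p\u0430ypal.com"


def to_unicode_host(host: str) -> str:
    """Decode xn-- (punycode) labels into the characters a user would see."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def to_ascii_host(host: str) -> str:
    """Encode a Unicode hostname to the punycode form sent in DNS queries."""
    return host.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Approximate a letter's script from its Unicode name ('LATIN', 'CYRILLIC', ...).

    Digits, hyphens and other non-letters count as 'COMMON' and are ignored by the
    mixed-script rule, since they legitimately appear alongside any script.
    """
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if ch.isalpha() and name else "COMMON"


def homograph_report(host: str) -> dict:
    """Describe a hostname in both forms and flag labels that mix writing systems."""
    uhost = to_unicode_host(host)
    mixed = []
    non_ascii = []
    for label in uhost.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            mixed.append(label)
        non_ascii.extend(
            f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in label if not c.isascii()
        )
    return {
        "unicode": uhost,
        "punycode": to_ascii_host(uhost),
        "non_ascii_characters": non_ascii,
        "mixed_script_labels": mixed,
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    for h in (LOOKALIKE_HOST, "paypal.com", "m\u00fcnchen.de"):
        print(homograph_report(h))
```

The mixed-script rule catches the advisory's case (one Cyrillic letter among Latin ones) without penalising a genuinely non-Latin domain such as a German name with an umlaut. It does not catch a label built entirely from confusable letters of a single non-Latin script; that needs a confusables table along the lines of Unicode Technical Report 39, which is a separate check.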

The official security advisory is here. According to one site, there’s a manual fix you can apply to a Firefox configuration file that can block this vulnerability, but I can’t confirm that it works.

(Via Boing Boing and Discourse.net.)

Update: Edited opening paragraph to prevent confusion. See comments for details.

Test your antivirus software

So, you want to show one of your kids or co-workers how your anti-virus software works. You don’t need a live virus to trigger a virus alert. Instead, download a copy of the official antivirus test file from the European Institute for Computer Anti-Virus Research (EICAR). This is a simple text file consisting of a unique string of 68 ASCII characters that you can embed in a file to trigger a reaction from antivirus programs. Note: This is a completely harmless file. The text string doesn’t do anything, and you would never type it by accident, I guarantee!

I won’t post the string here (to avoid setting off warning bells in virus scanners that are set with a hair trigger). But you can find details for creating this file on the EICAR page, along with links to download four different versions of the file. Be sure to download the Zip version of the file to demonstrate what happens when a virus is embedded in a compressed file.

It’s a great educational tool.

Anyone out there using Prevx?

I ran across Prevx while researching software to protect Windows users from viruses, adware, and spyware. It promises to “prevent attacks on your computer that other security products don’t even see.”

I plan to test it, of course, but am curious whether anyone out there has personal experience they’d like to share. Add a comment here or send me a note.

Update: Several people sent links to this review of intrusion detection software at Tech Support Alert, which calls Prevx, “Best Free Software Product of 2004.” It’s a pretty thorough evaluation from a site I had never seen before. Gizmo, why not add an RSS feed?

Next week’s security updates

Yesterday, Microsoft published its advance notification of the security bulletins scheduled to be released next Tuesday. In all, the list contains 13 updates, some of which will be listed as Critical. If you’re set up to receive Automatic Updates, you’ll get them without any extra steps. (And if you’re not set up for Automatic Updates, change your settings!)

The most interesting item on the list, at least to me, was a single Critical Update that affects Windows Media Player and MSN Messenger. I’m hoping this update will fix the problem with “poisoned” Windows Media files (see the discussion here, here, here, and here), but we won’t know until the patch is officially released.

The national digital identity card

This ominous news comes from a new blog called The Identity Corner. The author is Stefan Brands, one of the top applied cryptographers in the world and author of Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy:

The Belgian State Secretary and Microsoft yesterday jointly announced an alliance to integrate Belgium’s national identity chipcard (the “eID card”) with MSN Messenger. Belgium is the first European country to have started distributing a national identity chipcard to all its citizens. The Belgian ID chipcards authenticate themselves on the basis of an X.509 digital identity certificate. This certificate is in effect a globally unique inescapable identifier that can be used to automatically trace and profile all citizen actions, possibly in real time. Perhaps even more dangerously, the current generation of national ID chipcards is based on the same kind of identity management architecture as that of enterprise employee chipcard systems for protecting access to physical areas and network use within the enterprise. Architectures for identity management that create all-powerful central parties may be perfectly suitable for enterprise needs, but for government the situation is (or at least should be …) drastically different. The central capability to lock misbehaving employees in real time out of internal corporate services is one thing, it is quite another for the government to be able to do so for citizens.


I shudder to think what the current government of the United States would do with similar technology. It’s one thing to have an immigration officer inspect your physical papers as you enter the country. It’s quite another to have a digital key that can be used to monitor and control access to the Internet, or to resources that are supposed to be public. Thankfully, the infrastructure isn’t available to support this sort of centralized on-line identity management. Yet.


Thanks to Prof. Froomkin for the pointer.

A bold suggestion to stop spyware and adware

Ben Edelman explains How VeriSign Could Stop Drive-By Downloads. VeriSign, in case you don’t recognize the name, is the company that controls 95% of the digital certificates used on the Internet today. These certificates are passed out like bubble gum cards to any company that has an address and a check (typically between $200 and $600) for the certificate registration fee. When you visit a Web site that wants to install an ActiveX control on your computer to extend the capabilities of Internet Explorer, VeriSign gets involved by displaying information contained in the official record for the company’s digital signature.

There are countless legitimate and ethical companies that use ActiveX technology for good purposes. Unfortunately, there’s also a disproportionately active community of scammers and charlatans intent on exploiting the trust that is implicit in a digital signature. An enormous amount of crapware has been dumped onto countless computers by this latter group, who use ActiveX permission dialog boxes to sucker unwitting users into “agreeing” to install software that they invariably regret later.

If VeriSign chose to enforce its license agreements, it could revoke the certificates of those companies that misuse the trust they inherit through a digital certificate. And without a certificate, virtually all versions of Windows will reject the proposed software cold, without subjecting the user to a misleading prompt. Ben explains:

Through existing software systems, already built into Internet Explorer and already implemented by VeriSign servers, VeriSign has the ability to revoke any certificate it has previously issued, disabling ActiveX installations that use that certificate. See VeriSign’s Certificate Revocation List server (crl.verisign.com) and Microsoft Certificates documentation of the revocation system.

I suggest that VeriSign can and should use its existing certificate revocation system to disable those certificates issued or used in violation of applicable VeriSign rules.
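Ben’s point rests on a revocation check the client already performs before it shows the publisher prompt. What follows is an added example, a model of that check in Python rather than VeriSign’s or Microsoft’s code: given a code-signing certificate and a CRL, it decides whether the installer gets a publisher prompt, is refused outright, or cannot be judged because the revocation data is unusable. The CA name, serial number and dates are constructed; the publisher name “click yes to continue” is the one Ben quotes from the first installer.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict


@dataclass(frozen=True)
class CodeSigningCert:
    issuer: str        # the CA that vouches for the publisher
    serial: int        # what a CRL entry refers to
    subject: str       # the publisher name the ActiveX prompt displays
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    """A CA's signed list of revoked serials, usable only until next_update."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, datetime] = field(default_factory=dict)

    def revoke(self, cert: CodeSigningCert, when: datetime) -> None:
        """Add a certificate to the list; a CA can only revoke what it issued."""
        if cert.issuer != self.issuer:
            raise ValueError("certificate was not issued by this CA")
        self.revoked[cert.serial] = when
        self.this_update = when


def install_decision(cert: CodeSigningCert, crl: CRL, now: datetime) -> str:
    """Model of the client-side check that precedes an ActiveX install prompt.

    'blocked'      -> signature not trusted; install refused with no prompt
    'prompt'       -> certificate good as far as the CRL knows; show the publisher
    'undetermined' -> no usable revocation data (wrong issuer or CRL past next_update)
    """
    if not (cert.not_before <= now <= cert.not_after):
        return "blocked"
    if crl.issuer != cert.issuer or now > crl.next_update:
        return "undetermined"
    if cert.serial in crl.revoked:
        return "blocked"
    return "prompt"


def scenario() -> Dict[str, str]:
    """Constructed walk-through: a misleading publisher name before and after revocation."""
    ca = "Example Code Signing CA (constructed)"
    t0 = datetime(2005, 1, 10, 12, 0)
    cert = CodeSigningCert(ca, 0x1A2B, "click yes to continue",
                           t0 - timedelta(days=30), t0 + timedelta(days=335))
    crl = CRL(ca, this_update=t0, next_update=t0 + timedelta(days=7))
    result = {"before_revocation": install_decision(cert, crl, t0)}

    crl.revoke(cert, t0 + timedelta(days=1))          # the CA acts on a complaint
    result["after_revocation"] = install_decision(cert, crl, t0 + timedelta(days=2))

    stale = CRL(ca, this_update=t0 - timedelta(days=30), next_update=t0 - timedelta(days=23))
    result["stale_crl"] = install_decision(cert, stale, t0)
    return result


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

The “undetermined” branch is where real clients differ and where the scheme is weakest: a client that soft-fails there behaves exactly like “prompt”, so a revoked certificate only protects users to the extent that their browser actually fetches a fresh CRL (or has revocation checking turned on at all). Revocation by the CA is necessary, but it is the client’s check that makes it bite.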

Ben documents three products that clearly violate the VeriSign contract. After presenting the proof, he writes:

Each of these misleading installations is contrary to VeriSign contract, contrary to VeriSign’s duty to its users, and contrary to VeriSign’s many promises of trustworthiness. In the first installer, VeriSign affirmatively certified the “click yes to continue” company name — although it seems that there exists no company by that name, and although that company name is facially misleading as to the purpose of the installation prompt. In the second and third examples, VeriSign certified companies that subsequently used VeriSign’s certification as a necessary step in deceiving users as to the function of and (alleged) need for their programs.

Given VeriSign’s claims (such as its old motto, “the value of trust”), VeriSign should want to put an end to these practices. When VeriSign certificates are issued wrongfully (as in the first example) or are used deceptively (as in the second and third), VeriSign should take action to protect users from being tricked. In particular, when an application offers a facially invalid and misleading company name, VeriSign should refuse to issue the requested certificate. When an applicant violates basic standards of truth-telling and fair dealing, VeriSign should revoke any certificates previously issued to that applicant.

Read Ben’s article. If you think VeriSign should follow through on its responsibility to you and me as users of their digital signature technology, why not give CEO Stratton Sclavos a call at 650-961-7500? If he’s not there, ask for Judy Lin, Executive Vice President, Security Services. (If anyone has a good e-mail address for either of these individuals, let me know and I’ll update this post.) Update: Send your e-mail to stratton@verisign.com.

And spread the link to this post and to Ben’s article. There’s nothing like a little publicity to help big companies like VeriSign understand their responsibilities to their ultimate customers – us.

How often do you need to scan for spyware?

Last week, in “Ten things you need to know about spyware,” I got some vigorous disagreement with two items on my list. It was good feedback, so I wanted to revisit both issues. In item #4, I wrote: “If you have to scan your system for spyware every week, you’re doing something wrong. … Running a weekly scan is probably not a bad idea, from a belt-and-suspenders point of view. But it shouldn’t be necessary…”

Suzi at Spyware Warrior took issue with that statement:

Well, perhaps for knowledgeable users who understand how to protect their computers, that might be true. Truth be told, I don’t scan my computer very often, but that’s because I know exactly what’s going into and leaving it all the time. How many users can say that? A very small percentage of current internet users, I’d say. Perhaps Ed’s blog is targeted to savvy users, I don’t know. For the average user, I’d certainly recommend scanning at least every few days, maybe every day for frequent web flyers. An exception would be for users surfing with an alternative browser such as Firefox or Opera.

I think we’re closer to agreeing on this issue than it might sound at first. Suzi doesn’t need to scan her computer regularly, because she knows exactly what’s going into and leaving her computer at any time. So do I. So does my co-author Carl. So do friends and clients of mine who have asked for my help in keeping their systems free of spyware and viruses. And so can anyone who is willing to learn about the problem of spyware. If you incorporate some basic technological solutions and modify your behavior using common-sense guidelines, you can keep your PC spyware-free. (See “Six steps you can take to block unwanted software” for more details.)

But simply installing an anti-spyware program (or two or three) on an average user’s computer and telling them to scan daily or weekly isn’t enough unless you also train them in effective techniques for keeping crapware at bay. If you do that job right, the clean spyware scan becomes the weekly report card that proves they learned the lesson.

I have Microsoft AntiSpyware Beta 1 installed here and I allow it to do its nightly scan. It’s unobtrusive and the only real side effect is a dialog box that I need to dismiss each morning. It never finds anything. Over the past few months, during the course of researching the upcoming Windows Networking and Security Inside Out, I’ve experimented with just about every available anti-spyware program. They never find anything except cookies (which are not spyware and can easily be managed) and false positives.

Look, I have antivirus software on my computer. It’s constantly intercepting and quarantining infected attachments that arrive via e-mail. Every week, the antivirus program scans my system to verify that I am not infected with any viruses. It never finds anything. If it does, I know I have a serious problem and that I need to figure out how the unwanted software slipped past my defenses. The same is true with spyware. If your weekly scan reveals that you’ve picked up an unwanted and potentially hostile program, you need to remove it. And then you need to figure out how it got there and fix your defenses so it doesn’t happen again.

So, based on Suzi’s feedback, I’m changing item #4 to read: “If you have to scan your system for spyware and remove unwanted programs every week, you’re doing something wrong.”

In a follow-up post, I’ll address the controversy over how many spyware scanners you should use. One, two, as many as it takes?