Still more on WMA and spyware

Andrew Clover adds a comment to my original post with some interesting observations. Worth reading.

One correction to Andrew’s note. He writes:

I did get one ActiveX download box from MS for the DRM stuff immediately prior to the two bogus downloaders, which looked almost identical.

That’s not an ActiveX download. That’s an automatic update from Windows Media Player. It’s not served up as HTML, and it looks completely different. Yes, a user (even a sophisticated one like Andrew) may be confused into thinking this is the same thing. But ultimately, IMO, this is the saving grace for Microsoft.

Because Windows Media Player has an auto-update feature, Microsoft should release a WMP patch that disables all ActiveX functionality in the instance of Internet Explorer that is hosted by the License Acquisition dialog box. They should then push this patch out as a required update via Critical Updates and through the auto-update feature in Windows Media Player. That step would go a long way toward solving this problem.

Update: In a comment, Andrew insists that the DRM update looks exactly like the spyware installers. I went back and snapped some screens so you can compare. I’ve got the details in the extended portion of this post.


More on “poisoned” media files

In a comment posted to my earlier post on “poisoned” Windows Media files, Ben Edelman offers the sort of excellent counterpoint you’d expect from someone who is not only attending Harvard Law School but also studying for a PhD in economics at Harvard:

I don’t think it’s right to say the license agreement is “quite clear on what [users] would get.” Certainly the license never says anything like “this program will install 30+ other programs from third parties, and clog your registry with tens of thousands of new entries.”

Fair enough. My comments were not in any way meant to let the scummy purveyors of this crapware off the hook. My intent was to indicate that a security-conscious individual who follows the links in the installation dialog boxes will see plenty of stuff to raise red flags.

Update: I went back and read the terms of service for iSearch and iLookup, which was the second module installed using this file. The terms of service specifically say: “…you understand and agree that the Software may, without any further prior notice to you … automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction.” (This doesn’t excuse the actions of the purveyors of this crapware, but any aware user will know exactly what he or she is getting.)

Ben’s absolutely right that the people who are behind these add-ins are preying on ordinary users with a wide range of tricks. Sadly, I’ve seen all these tricks used before, but that doesn’t make them any more acceptable here. I agree completely with Ben when he writes:

I think Ed gives too little weight to the especially deceptive circumstances of a software installation prompt shown when users try to watch a video. For one, legitimate media players actually do use these prompts to install necessary updates (i.e. the latest version of Macromedia Flash). In addition, the unusually misleading (purported) product name and company name make it particularly easy to be led astray here. Users deserve better.

I can end this post on a positive note, by the way. After I read the most recent update to Ben’s test report (including a link to this post and a discussion of my findings), I decided to carry the test one step further. I took a deep breath and did what a naive, foolish user would do: I clicked Install when presented with the first deceptive spyware prompt. And then for good measure I clicked Install when prompted to install the second spyware program as well.

How bad was it? Surprise! My test PC is running GIANT AntiSpyware, which promptly blocked the nasty program from installing with a stern warning.

[Screenshot: GIANT AntiSpyware warning dialog blocking the installer (giant_anti_spyware.JPG)]

I clicked Remove, and a subsequent scan showed that no spyware — zero — was installed on this computer. I had no unexplained pop-ups, my searches went to the place they were supposed to go, my home page was unchanged, and a scan of the firewall logs showed no suspicious activity. (Curiously, the SpiderSearch program was apparently not installed at all, and the iLookup module was blocked. I don’t know if this is the one that so thoroughly polluted Ben’s test computer.)

Last month, Microsoft purchased the company that makes GIANT AntiSpyware and announced plans to release a free public beta of the Microsoft-branded version of this program later this month. They also announced a new set of strategic initiatives to reduce the spyware threat. Based on my experience, they’re going in the right direction.

Update: Suzi at Spyware Warrior has some comments on her blog as well. Some interesting food for thought, but this line struck me more than anything:

I installed the same WMA file on an old Win ME box with no protection except AVG free and the free version of Zone Alarm.

She goes on to describe the disaster that befell that computer. But really, isn’t that the real problem here? People running old operating systems, with only a dim awareness of the need to do updates and a willingness to install anything? Spyware is an epidemic now precisely because it is trivially easy to install it on that type of computer.

Don’t misunderstand what I’m saying. Microsoft can and should patch Windows Media Player (9 and 10) so that it rejects all ActiveX controls. Period. It should push that patch out as a Critical Update. But how likely is it that the type of user Suzi is describing will download and install that patch?

“Poisoned” Windows Media files: more details

In an earlier post, I pointed to the fast-spreading but suspicious story alleging that a flaw in WMA files can plant spyware on your computer. This is a follow-up.

In the extended portion of this post, I provide details and screen grabs. I’m indebted to Eric L. Howes for his assistance. Thanks to Ben Edelman for posting a detailed report on his experiences with earlier operating systems and to Andrew Clover who provided a sample file that ultimately made its way to me.

Here’s a quick summary of what you need to know:

  • The PC World story contained several errors and some misleading statements.
  • I have not identified any circumstance in which this exploit can install software on a computer that has a properly patched version of Internet Explorer. The victim must specifically click a button to install the spyware.
  • The programs in question are digitally signed and are from known companies. The terms of service make it clear what you’re getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.
  • The installation mechanism uses social engineering tricks that could fool a naive user. These are the same tricks that are used on Web pages (especially porn sites) to install spyware.
  • You are most likely to acquire one of these “poisoned” WMA files from a peer-to-peer file-sharing network. The risk that you will get a file like this from a reputable music seller that uses digital rights management is as close to zero as it is possible to get.
  • If you use Windows XP with Service Pack 2 and Windows Media Player 10, you are completely protected.
  • If you have restricted ActiveX programs from being installed on your computer, you are completely protected. If you have assigned a program other than Windows Media Player to play back Windows Media content, you should be protected as well, although I didn’t test this scenario.
  • Clearing the option to acquire software licenses automatically seems to have no effect on this exploit. [Update: A later update to WMP 10 changed this setting so that it now provides an extra warning before displaying the license acquisition dialog box.]
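The whole trick in the summary above turns on the license-acquisition URL that a DRM-protected WMA carries in its header: the player fetches that URL, and if it points at a web page full of download prompts, that is what the user sees. You do not need a player to find out where a file will send you. The following is an added example (not code from the original post, and not anything from Microsoft or Windows Media Player) that reads the ASF header of a .wma file and pulls out every license URL it finds. The object GUIDs are the ones published in the ASF specification; the sample file it builds, the host names in it, and the trusted-host allowlist are constructed for the example and are assumptions, not real data. It goes slightly beyond the older Content Encryption object the DRM discussion centers on by also reading the Extended Content Encryption object, where WMP 9/10-era files carry the URL inside a WRMHEADER XML block as LA_URL.

```python
"""Extract DRM license-acquisition URLs from a WMA (ASF) header.

Added example, not code from the original post.  Object GUIDs are taken from
the ASF specification; the sample file built below is constructed test data.
"""
import struct
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Object identifiers from the ASF specification.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
ASF_EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")


def _sized(blob, offset):
    """Read a 4-byte little-endian length, then that many bytes."""
    (n,) = struct.unpack_from("<I", blob, offset)
    start = offset + 4
    return blob[start:start + n], start + n


def header_objects(data):
    """Yield (guid, payload) for every object inside the ASF Header Object."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER:
        raise ValueError("not an ASF/WMA file")
    size, count = struct.unpack_from("<QI", data, 16)  # header size, object count
    pos, end = 30, min(size, len(data))                # 16 GUID + 8 size + 4 count + 2 reserved
    for _ in range(count):
        if pos + 24 > end:
            break                                      # truncated header: stop, don't overrun
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (obj_size,) = struct.unpack_from("<Q", data, pos + 16)
        if obj_size < 24:
            break                                      # malformed size would otherwise loop forever
        yield guid, data[pos + 24:pos + obj_size]
        pos += obj_size


def license_urls(data):
    """Return every license URL carried by DRM objects in the header."""
    urls = []
    for guid, payload in header_objects(data):
        if guid == ASF_CONTENT_ENCRYPTION:
            # Layout: Secret Data, Protection Type, Key ID, License URL (all length-prefixed)
            _, off = _sized(payload, 0)
            _, off = _sized(payload, off)
            _, off = _sized(payload, off)
            url, _ = _sized(payload, off)
            urls.append(url.rstrip(b"\0").decode("ascii", "replace"))
        elif guid == ASF_EXT_CONTENT_ENCRYPTION:
            # Payload is length-prefixed UTF-16LE XML (WRMHEADER); LA_URL names the license server
            xml_blob, _ = _sized(payload, 0)
            root = ET.fromstring(xml_blob.decode("utf-16-le").rstrip("\0"))
            urls.extend(e.text.strip() for e in root.iter("LA_URL") if e.text)
    return urls


def suspicious(urls, trusted_hosts):
    """License URLs whose host is not on an allowlist you supply (the list itself is your call)."""
    return [u for u in urls if urlparse(u).hostname not in trusted_hosts]


# --- constructed sample data below; not a real WMA file ---------------------

def _lp(b):
    return struct.pack("<I", len(b)) + b


def _obj(guid, body):
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def build_sample(license_url):
    """Build a minimal ASF header carrying both DRM objects pointing at license_url."""
    ce = _lp(b"\x01\x02") + _lp(b"DRM\0") + _lp(b"KEY1\0") + _lp(license_url.encode() + b"\0")
    wrm = (f'<WRMHEADER version="2.0.0.0"><DATA><LA_URL>{license_url}</LA_URL>'
           f'</DATA></WRMHEADER>').encode("utf-16-le")
    objs = _obj(ASF_CONTENT_ENCRYPTION, ce) + _obj(ASF_EXT_CONTENT_ENCRYPTION, _lp(wrm))
    # Header Object: GUID, size, object count, reserved bytes 0x01 and 0x02
    return ASF_HEADER.bytes_le + struct.pack("<QIBB", 30 + len(objs), 2, 1, 2) + objs


if __name__ == "__main__":
    # Hypothetical host names; swap in a real file with open(path, "rb").read()
    sample = build_sample("http://license.example.net/getlicense.asp")
    found = license_urls(sample)
    print("license URLs:", found)
    print("suspicious:", suspicious(found, trusted_hosts={"drm.example-store.com"}))
```

Run it over a file from a file-sharing network before you double-click it: a license URL that points anywhere other than the license server of a store you actually bought from is the red flag, and you get to see it before Windows Media Player ever renders that page. A file with no license URL at all has no business popping up a License Acquisition dialog box.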


Firefox is not a security cure-all

I have lost count of the number of times I have read reviewers telling people that they should switch to Firefox because it is secure, unlike Internet Explorer. This is simply untrue. Mozilla-based browsers are somewhat more secure than IE, for two main reasons: one, they don’t support ActiveX controls (although with Service Pack 2, the likelihood of being attacked by an ActiveX control has dropped dramatically); and two, most virus/spyware writers have historically targeted the IE platform. But the more successful Mozilla/Firefox becomes, the more likely it is that bad guys will start targeting it too. Over time you will see more alerts like this one:

SecurityTracker.com Archives – Mozilla Buffer Overflow in Processing NNTP URLs Lets Remote Users Execute Arbitrary Code

(This vulnerability is fixed in the version of Mozilla that forms the core of Firefox 1.0, so don’t worry if you’re running the released version of Firefox.)

Virtually every virus and spyware attack in recent memory has taken advantage of a vulnerability for which there was a patch. Windows users who conscientiously apply patches and security updates (a painless process using Automatic Updates) don’t get hit. Those who ignore updates become victims.

Firefox does script. It uses buffers. Most viruses and many spyware programs use buffer overflows and hostile scripts to force unwanted software onto users’ machines. If you install a copy of Firefox and then don’t update it when a security patch comes out, you are vulnerable to these exploits.

The programmers who put together Firefox have done a remarkable job. But I guarantee you they are on the lookout for reports like this one. When (not if) someone discovers a critical flaw in Firefox, they’ll write a patch. Will all 14 million people who have downloaded Firefox 1.0 also install each new patch? We’ll see.

Update: For news of a later and apparently more ominous security hole that affects Firefox but not Internet Explorer, see “Oops! This Firefox security exploit is a doozy.”

Terminating spyware with extreme prejudice

This first-person account of a reporter’s struggle with spyware is amusing and surprisingly accurate:

I can trace the decline of my computer’s performance to an ill-advised download over the summer. In a pop-music-induced frenzy, I am embarrassed to admit, I went to http://www.kazaa.com, downloaded and installed the free file-sharing service, then proceeded to download (a k a steal) Britney Spears’s and Madonna’s collaborative effort, “Me Against the Music.”

I was about to get my karmic retribution.

In downloading Kazaa, I had inadvertently opened the floodgates to all manner of spyware. By the end of the summer, even after I had deleted Kazaa and installed Norton AntiVirus 2004 – which took care of the virus-related part of the problem – I was unable to open Internet Explorer without being deluged with pop-ups enticing me to buy everything from herbal weight-loss pills to obscure business publications.

My home page would mysteriously try to redirect itself to a site called badgurl.grandstreetinteractive.com. Little gray dialog boxes would pop up in the center of my screen to inform me, shockingly, that my computer might be infected with spyware. Then it would crash.

I really couldn’t relate to the melodramatic descriptions of how intimidating the process of wiping and restoring a hard drive is, however. But I guess for people who don’t do this for a living, that’s a big deal.

Spyware in WMA files? Color me skeptical…

The normally reliable Techdirt admits that the following story raises many more questions than it answers:

Is The Recording Industry Hiding spyware In Windows Media Files?

When the recording industry first tried to get politicians to shut down file sharing networks, they went with the “it’s stealing music” line, which generated some interest, but most people didn’t seem to pay attention. Then, the industry suddenly became oh-so-concerned about the fact that child porn was on these systems, and tried to convince politicians they needed to stop file sharing for the “sake of the children.” Lately, it seems the industry will do whatever it takes to make file sharing systems look bad. With that in mind, it makes you wonder if they’d go so far as to specifically hide spyware on file sharing networks just to upset users. It’s not entirely clear if that’s what happened, but it seems like the most obvious explanation for the following story, which was found on Broadband Reports.

Overpeer, a subsidiary of Loudeye, has been caught hiding adware and spyware within Windows Media files. Overpeer is the same company that the recording industry has hired in the past to dump fake versions of songs on file sharing networks. What the article doesn’t answer is whether or not the industry hired Overpeer to dump spyware on the network as well, but it’s likely they’re pleased either way. Overpeer defends their actions by saying that anyone obviously deserves what they get because, obviously, they were looking for unauthorized files. It’s not clear that everyone would agree. Sneaking malicious files onto someone’s computer because “they deserved it!” doesn’t seem like a very good justification.

What may be even more important to this story, however, is the revelation of just how easy it is, thanks to a huge loophole in Microsoft’s copy protection technology, to include a malicious file with an audio or video file. Basically, because Windows DRM needs to look for a license, all anyone needs to do is point that license to a website that loads malicious content and off you go. Thank you Microsoft, for creating a huge loophole that will probably make sure millions of new computers are loaded with spamming, DDOSing trojans shortly. Thank goodness for that Microsoft DRM, huh? Not only does it not protect any actual property while making things more expensive, it opens up plenty more people to malicious attacks.

OK, first of all, folks have been making similar allegations about Overpeer since 2002, as a quick search will reveal. I don’t know if it’s true, but if so then they should be prosecuted. Period.

However, I am always very suspicious of stories like this, where the underlying facts are impossible to replicate. I know enough about the way SP2 works to know that what is being described here shouldn’t happen on a system with SP2 installed, and I’ve read enough bad journalism from PC World and similar mainstream sites to be suspicious of the underlying facts. In particular, there is no way that Windows Media Player should be able to load an ActiveX control, because of the security zone it runs in. So color me skeptical…

And no, I do not agree that if you use Kazaa you deserve whatever you get. But if you use Kazaa or any underground file-sharing system to randomly troll for files from a worldwide network of untrusted services, you should expect to be attacked often, by the state of the art in malware. Likewise, if you spend enough time trolling in the porn underground you should expect to fight off a steady stream of pop-ups and attempts to load spyware. Is it right? No. Is it real? Absolutely. This is why I refuse to provide support for any friend or family member who uses Kazaa unless they agree to remove it from their system and keep it off. And you know what? It works.

Update: I see this story has now been picked up by Boing Boing, which means it will get a lot of publicity. That’s unfortunate, because the original story is just so murky.

Further update: I’ve received a sample file and have done some tests. Read the results here.

Why are people confused about PC security?

Maybe because they read articles like the one in this morning’s Washington Post, entitled Trouble Can Be Downloaded Along With Music. The competition is pretty fierce, but I rate this as a strong contender for the worst piece of computer journalism of 2004. The author clearly understands nothing about music downloading, viruses, adware, spyware, and related technologies. But that doesn’t stop him from delivering eleven paragraphs of pure confusion.

Here’s a sample:

[T]echnology security experts warn that many of this holiday season’s millions of newbie MP3 player owners don’t know what dangers lurk behind some music.

“The risk has skyrocketed,” says Kraig Lane, group product manager at the computer-security products manufacturer Symantec. “The bad guys are putting evil agents into music files and even videos that we are downloading. Music files especially. And you don’t know it’s there.”

The big problem is that some music services — particularly the free and legally questionable peer-to-peer (P2P), file-swapping networks like Kazaa, BearShare and LimeWire that connect millions of home-computer users — deliver something in addition to free software and music. They sneak in adware — or, even worse, viruses and spyware.

Even reputable online music stores sometimes install adware….

The author then goes on, just a few sentences later, to mention iTunes, eMusic, and Wal-Mart’s music store. Do any of those services deliver viruses? No. Do any of those services bundle adware or spyware with their software? I don’t think so. But anyone who reads this story is bound to be thoroughly confused, and alarmed for no good reason. My goodness, they better not download any music, and they better buy some software to protect themselves from all that evil adware and spyware. Hmmm. Which software to buy? Well, the only “expert” quoted in the story is some guy from Symantec, and the author approvingly mentions not only Symantec’s online spyware-scanning service but also its Norton Internet Security.

And what’s this crap about “evil agents” in music and video files? You mean downloaded files that claim to be music files might actually be executable programs? Or does “evil agents” mean something else? We simply don’t know. But if the guy from Symantec says to be afraid, well, we should be afraid. Oh, and we should buy Symantec’s software, right?

Good lord, no wonder people get confused by this stuff.

Security alert for Windows XP

Here’s a disturbing report of a Cross-Site Scripting Vulnerability in Internet Explorer, from Secunia. Note that installing SP2 alone will not protect you from this problem, although it does offer a useful tool to fix it temporarily.

Clicking the test link on their page opens an IE window that contains their own content, with “https://www.paypal.com/” displayed in the Address bar and an authentic-looking SSL padlock icon in the status bar. (Clicking the test link in Firefox does nothing.)

This test page, of course, does nothing. But if it were an actual phishing attack, it would be possible for a bad guy to convince you to give up personal information like a password or a credit card number in the mistaken belief you were actually at a Web site belonging to your bank, PayPal, Ebay, or another trusted site.

To protect yourself until a patch is released, do the following.

  1. From Internet Explorer, choose Tools, Manage Add-ons. (If you don’t see this menu choice, you don’t have SP2 installed, and you have bigger problems!)
  2. Scroll down the list and select DHTML Edit Control Safe for Scripting for IE5.
  3. Click Disable.
  4. Click OK to close the dialog box, and then restart IE.

Even if you normally use Firefox, I recommend that you take this precaution until a patch is available.

If you have an application that needs to use the DHTML Edit control, there’s a fix that allows this ActiveX control to be used safely, but it’s too complicated to list the instructions here. Leave a comment if you are in this situation.

If you use an earlier version of Windows, you should disable ActiveX.

Update: The DHTML Edit Control is in every version of Windows XP, but it won’t appear in your list of add-ons until it’s actually loaded by a page. Go to the Secunia test site and click the link to their test. After you do that, you can disable this control.

Charge for security features? No, no, no!

CNN reports that Microsoft may charge extra for security software:

Microsoft Corp. disclosed plans Thursday to offer frustrated users of its Windows software new tools within 30 days to remove spyware programs secretly running on computers. But it might cost extra in coming months.

In a shift from past practice, the world’s largest software manufacturer said it may charge consumers for future versions of the new protective technology, which Microsoft acquired by buying a small New York software firm. Terms of the sale of Giant Company Software Inc. weren’t disclosed.

No, no, no! Security features in the operating system should be free. Period. Anyone running Windows should get the code that prevents their computer from being compromised. The goal should be 100% adoption, and charging extra for security features means settling for significantly less than that goal.

Anti-spyware software compared

Just ran across this comprehensive Feature Comparison of popular anti-spyware programs.

As spyware and adware have become increasingly powerful and difficult to remove, developers of anti-spyware programs have added a wider range of functionality to their applications to give users more powerful tools as well as greater control over those tools. Moreover, although anti-spyware applications have long resembled standard anti-virus applications in many ways, they have also started to acquire their own distinctive set of features in order to help users deal with the unique problems posed by spyware and adware. Given the bewildering array of programs and features available to users looking for anti-spyware applications, users may find it difficult to usefully compare anti-spyware programs and their feature sets.

Giant Anti-Spyware, which Microsoft just purchased, gets particularly high marks. Unfortunately, the product was pulled from Giant’s Web site as soon as the acquisition became official. It’ll be interesting to see what it looks like when it returns in January.