Re: Spyware becomes increasingly malicious

2004-07-16 Thread Valdis . Kletnieks
On Wed, 14 Jul 2004 22:52:07 PDT, Alexei Roudnev <[EMAIL PROTECTED]>  said:

> O, noo. You click a button 'I agree' which means nothing for 99.99% of
> people over the world. Here is a difference. Do not expect people to 'agree'
> if you do not enforce them to follow this (and if your system do not violate
> 'common sense'). Do you saw any idiot who read this licenses (I never seen
> any)? It became (many years ago) some kind of ritual, like indian dances
> before going to the war.

It's rare that the user actually even TRIES to read the license...

http://www.cypherpunks.ca/dell.html


pgpLeqNh6DnfM.pgp
Description: PGP signature


Re: Spyware becomes increasingly malicious

2004-07-16 Thread Valdis . Kletnieks
On Thu, 15 Jul 2004 09:00:16 PDT, Jeff Shultz <[EMAIL PROTECTED]>  said:

> Such dangerous file attachments included .jpg, .pdf and music files. 

Once bitten, twice shy:

http://cert.uni-stuttgart.de/archive/bugtraq/2001/02/msg00168.html

.JPG's are HTML, didn't you know? :)


pgpLhDo1FDrRe.pgp
Description: PGP signature


Re: Spyware becomes increasingly malicious (let's return to reality)

2004-07-15 Thread Alexei Roudnev

Did you try to run Windoze as 'not admin user'? Ok, try, then install, say,
harmless user-level (not a server at all) Visio package...

They run as admin, because Windoze (1) have not easy (temporary) switching
between User and Admin, and (2) 99.99% applications require user privilege
to be installed or configured (and they are not sevice applcaitions).

>
> Not necessarily true.  Security/permissions plays a major part in the
> effectiveness of adware and spyware.  A majority of consumer Windows
> OS's run with the default login as an admin user.  When a user chooses
> to install "Cool-Search", their user rights allow for registry changes
> and alterations of system libraries, which cause ads to display when
> using IE.
>
> Can this be prevented by running Windows as a non-privileged user,
> yes.  But people want to install their "Cool-Search" and
> non-privileged users can't install anything.
If I am in Unix, I can install Cool-Search when I am a normal 'user', BUT
these will not be a system-wide application. I need root privileges to
install a service, and I do not neeed it to install something which is
client only (can not run by itself).

// I am not advice for Unix here.

These is a difference - in a very old, ansient Unix system there is simple
and effective privilege segregation (and everyone understands it). No one
application writes into /bin and /usr/bin, and only very few badly designed
applications try to write anything into /etc; user's directory have simple
'-rwxrwxr-x- (or other) access list (easy to understand), etc etc... As a
result, 99% of this _old_ OS are more secure than99% of  Windoze
installations (through Windoze can be made much more secure than Unix).
There is all result of 'hidden complexity'.


Install 'Osiris' (or Tripwire) IDS and try to configure rules for Unix and
Windoze, then compare. Tremedows difference!

> When using OS's other than Windows, users can install their own
> binaries, but they do not have access to modify the system binaries.
> Then can still browse with the system wide Mozilla/whatever, but their
> actions will not have the ability to alter anything that will allow
> for ads to be served when browsing, or for browsing habits to be sent
> to a third party.
Technically they can run some startup script, but even if they do it, it is
_very_ easy to get rid of such thing. And (what is most important) usesr can
do 100% tasks when logining as a 'user' not as an 'admin' (if they need
temporary permission change, they can got it).



Re: Spyware becomes increasingly malicious (let's return to reality)

2004-07-15 Thread Curtis Maurand

The problem is Active-X, not the OS.  Anything running from the browser 
should be in a sandbox as it is with Java applications, the same is true 
for the email client.  Active-X gives scripts running from the browser 
and the email client access to the entire machine in the name of 
functionality.  In some cases users are prompte to authorize the 
installation of software when they get to a web page.  Even when they 
choose "No," the software continues to install.  Its a security hole big 
enough to drive a tank through.  Mozilla is your friend.

Curtis
--
Curtis Maurand
mailto:[EMAIL PROTECTED]
http://www.maurand.com
On Thu, 15 Jul 2004, Brett wrote:
-
First of all, even if OS have not any caveats, it will not protect it from
spyware/adware. if I want to install my 'Cool-Search' into million of
computers, all I need to do is to write fancy game, and offer it 'free of
change' in exchange of 'Allow to show you ads once / day'.
That's all - you will have everything installed explicitly.
-
Not necessarily true.  Security/permissions plays a major part in the
effectiveness of adware and spyware.  A majority of consumer Windows
OS's run with the default login as an admin user.  When a user chooses
to install "Cool-Search", their user rights allow for registry changes
and alterations of system libraries, which cause ads to display when
using IE.
Can this be prevented by running Windows as a non-privileged user,
yes.  But people want to install their "Cool-Search" and
non-privileged users can't install anything.
When using OS's other than Windows, users can install their own
binaries, but they do not have access to modify the system binaries.
Then can still browse with the system wide Mozilla/whatever, but their
actions will not have the ability to alter anything that will allow
for ads to be served when browsing, or for browsing habits to be sent
to a third party.
User information is still vulnerable, and the potential is still
there, but a single user's infection/installation will generally not
have the same impact on the system.
-b
On Wed, 14 Jul 2004 23:52:27 -0700, Alexei Roudnev <[EMAIL PROTECTED]> wrote:
Ok, let.s return to reality (sorry for moving this thread into the OS
related flame).
First of all, even if OS have not any caveats, it will not protect it from
spyware/adware. if I want to install my 'Cool-Search' into million of
computers, all I need to do is to write fancy game, and offer it 'free of
change' in exchange of 'Allow to show you ads once / day'.
That's all - you will have everything installed explicitly.
But 'hidden' installation makes it much more easy for spyware, and is (in
general) a very big evil. System must distinguish between 'USER' mode (use
applications but do not change system behavior) and 'INSTALL' mode
(install/delete/add software, processes and so on). In many cases, system
must ask password to do any such action. (If you know MS, you can image
which nightmare is to implement it -- I worked with IDS such as Osiris and
had a fun, guessing what system decide to change today. But it is not a
problem in most other OS).
Second, but even worst, problem is absense of ANY system interface showing
you, what is starting, stopping and running. It is not any problem to remove
spyware, from common point of view - just open 'list of running processes'
and 'Startup list' and uncheck everything you do not want to see. Problem -
such interface does not exist, is not possible because of complexity (there
are milluions ways of starting anything) and can not trace a history of
processes (because of, again, extra complexity, unlimited usage of 'classes'
and 'objects' and 'pluginns' and 'toolbars' and so on). Anyway, good 'change
history' system could easily revert such changes back so that instead of
very complex 'adaware' scaners we will have just 'change history, revert ?'
button.
Third is more easy for ISP - if we can not fight with bad software, fight
whith those who got a profit using it. For SPAM - ok, there is not ANY way
to stop sending spam (fort now), but any SPAM advertices someone, and this
someone is always 100% identified - so fight (limit, flood by calls,
overload by false information, etc) SPAM benefitiants, learn them do not
purchase 'We will send your advertice to 10M people over the world'. The
same in case of adaware. For spyware, fight those who receive information
back - by any way.
- Original Message -
From: "John Underhill" <[EMAIL PROTECTED]>
To: "Niels Bakker" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, July 14, 2004 1:12 PM
Subject: Re: Spyware becomes increasingly malicious
Ok.. but has BSD been attacked on the scale that MS code has? I would
argu

Re: Spyware becomes increasingly malicious (let's return to reality)

2004-07-15 Thread Brett

-
First of all, even if OS have not any caveats, it will not protect it from
spyware/adware. if I want to install my 'Cool-Search' into million of
computers, all I need to do is to write fancy game, and offer it 'free of
change' in exchange of 'Allow to show you ads once / day'.
That's all - you will have everything installed explicitly.
-

Not necessarily true.  Security/permissions plays a major part in the
effectiveness of adware and spyware.  A majority of consumer Windows
OS's run with the default login as an admin user.  When a user chooses
to install "Cool-Search", their user rights allow for registry changes
and alterations of system libraries, which cause ads to display when
using IE.

Can this be prevented by running Windows as a non-privileged user,
yes.  But people want to install their "Cool-Search" and
non-privileged users can't install anything.

When using OS's other than Windows, users can install their own
binaries, but they do not have access to modify the system binaries. 
Then can still browse with the system wide Mozilla/whatever, but their
actions will not have the ability to alter anything that will allow
for ads to be served when browsing, or for browsing habits to be sent
to a third party.

User information is still vulnerable, and the potential is still
there, but a single user's infection/installation will generally not
have the same impact on the system.

-b

On Wed, 14 Jul 2004 23:52:27 -0700, Alexei Roudnev <[EMAIL PROTECTED]> wrote:
> 
> Ok, let.s return to reality (sorry for moving this thread into the OS
> related flame).
> 
> First of all, even if OS have not any caveats, it will not protect it from
> spyware/adware. if I want to install my 'Cool-Search' into million of
> computers, all I need to do is to write fancy game, and offer it 'free of
> change' in exchange of 'Allow to show you ads once / day'.
> That's all - you will have everything installed explicitly.
> 
> But 'hidden' installation makes it much more easy for spyware, and is (in
> general) a very big evil. System must distinguish between 'USER' mode (use
> applications but do not change system behavior) and 'INSTALL' mode
> (install/delete/add software, processes and so on). In many cases, system
> must ask password to do any such action. (If you know MS, you can image
> which nightmare is to implement it -- I worked with IDS such as Osiris and
> had a fun, guessing what system decide to change today. But it is not a
> problem in most other OS).
> 
> Second, but even worst, problem is absense of ANY system interface showing
> you, what is starting, stopping and running. It is not any problem to remove
> spyware, from common point of view - just open 'list of running processes'
> and 'Startup list' and uncheck everything you do not want to see. Problem -
> such interface does not exist, is not possible because of complexity (there
> are milluions ways of starting anything) and can not trace a history of
> processes (because of, again, extra complexity, unlimited usage of 'classes'
> and 'objects' and 'pluginns' and 'toolbars' and so on). Anyway, good 'change
> history' system could easily revert such changes back so that instead of
> very complex 'adaware' scaners we will have just 'change history, revert ?'
> button.
> 
> Third is more easy for ISP - if we can not fight with bad software, fight
> whith those who got a profit using it. For SPAM - ok, there is not ANY way
> to stop sending spam (fort now), but any SPAM advertices someone, and this
> someone is always 100% identified - so fight (limit, flood by calls,
> overload by false information, etc) SPAM benefitiants, learn them do not
> purchase 'We will send your advertice to 10M people over the world'. The
> same in case of adaware. For spyware, fight those who receive information
> back - by any way.
> 
> - Original Message -
> From: "John Underhill" <[EMAIL PROTECTED]>
> To: "Niels Bakker" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, July 14, 2004 1:12 PM
> Subject: Re: Spyware becomes increasingly malicious
> 
> >
> > Ok.. but has BSD been attacked on the scale that MS code has? I would
> argue
> > no, not even close. Do you believe BSD is invulnerable to attack? Hardly..
> > Unless you want to go back to text based browsers and kernals that fit on
> a
> > floppy, it is extermely difficult to eliminate all vulnerabilities in the
> > code of a sophisticated OS. The more complex the system, the easier it is
> to
> > break, and with the level of automat

Re: Spyware becomes increasingly malicious

2004-07-15 Thread Jeff Shultz

** Reply to message from "Alexei Roudnev" <[EMAIL PROTECTED]> on Wed, 14
Jul 2004 22:52:07 -0700
> 
> May be, idea was that people read 'license', click button (I agree) and
> follow it - never write a code which violates this license? But it is not
> true - 99.99% people do not read it  and behave as a common sense is saying
> not as [EMAIL PROTECTED] MS lawers fictioned... They see a wall wih a gates - and 
> they go
> thru this gates, no matter what is written on the posters around (except, as
> I said, if they see an angry dog next to the gate). /On the other hand, they
> knows that coffee is hot and waterfall is dangerous and dogs can bite -:)/.
> You must design yous system for this behavior, not for people who _read a
> license_. This licenses are good only for 2 goals - (1) use them as a toalet
> tissue; (2) in case of serious violation allows to suite user if he is in
> USA... -- they do not change people behavior even a bit. Unfortunately,
> Internet is not in USA, so even if we will have 100 strict laws prohibiting
> spyware, it will not help to fight this pests and pets...  System must
> defend itself.
> 

For awhile there, one of the top tech support issues we had to deal
with was new - and automatically implemented - "feature" in Outlook
Express that blocked a person from running or saving something that
Microsoft considered a "dangerous file attachment." 

Such dangerous file attachments included .jpg, .pdf and music files. 

Oddly enough, it didn't seem to include .doc or .xls files.  You know,
the ones that actually can contain macro viruses.

Because of Microsoft's ham-handed and "all or nothing" attempt at
security many people now don't trust or ignore any warning messages
they may receive - they simply want to view their file attachments.

-- 
Jeff Shultz
A railfan pulls up to a RR crossing hoping that
there will be a train. 



Re: Spyware becomes increasingly malicious (let's return to reality)

2004-07-14 Thread Alexei Roudnev

Ok, let.s return to reality (sorry for moving this thread into the OS
related flame).

First of all, even if OS have not any caveats, it will not protect it from
spyware/adware. if I want to install my 'Cool-Search' into million of
computers, all I need to do is to write fancy game, and offer it 'free of
change' in exchange of 'Allow to show you ads once / day'.
That's all - you will have everything installed explicitly.

But 'hidden' installation makes it much more easy for spyware, and is (in
general) a very big evil. System must distinguish between 'USER' mode (use
applications but do not change system behavior) and 'INSTALL' mode
(install/delete/add software, processes and so on). In many cases, system
must ask password to do any such action. (If you know MS, you can image
which nightmare is to implement it -- I worked with IDS such as Osiris and
had a fun, guessing what system decide to change today. But it is not a
problem in most other OS).

Second, but even worst, problem is absense of ANY system interface showing
you, what is starting, stopping and running. It is not any problem to remove
spyware, from common point of view - just open 'list of running processes'
and 'Startup list' and uncheck everything you do not want to see. Problem -
such interface does not exist, is not possible because of complexity (there
are milluions ways of starting anything) and can not trace a history of
processes (because of, again, extra complexity, unlimited usage of 'classes'
and 'objects' and 'pluginns' and 'toolbars' and so on). Anyway, good 'change
history' system could easily revert such changes back so that instead of
very complex 'adaware' scaners we will have just 'change history, revert ?'
button.

Third is more easy for ISP - if we can not fight with bad software, fight
whith those who got a profit using it. For SPAM - ok, there is not ANY way
to stop sending spam (fort now), but any SPAM advertices someone, and this
someone is always 100% identified - so fight (limit, flood by calls,
overload by false information, etc) SPAM benefitiants, learn them do not
purchase 'We will send your advertice to 10M people over the world'. The
same in case of adaware. For spyware, fight those who receive information
back - by any way.


- Original Message - 
From: "John Underhill" <[EMAIL PROTECTED]>
To: "Niels Bakker" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, July 14, 2004 1:12 PM
Subject: Re: Spyware becomes increasingly malicious


>
> Ok.. but has BSD been attacked on the scale that MS code has? I would
argue
> no, not even close. Do you believe BSD is invulnerable to attack? Hardly..
> Unless you want to go back to text based browsers and kernals that fit on
a
> floppy, it is extermely difficult to eliminate all vulnerabilities in the
> code of a sophisticated OS. The more complex the system, the easier it is
to
> break, and with the level of automation currently expected by most users,
> this requires a very complex build.
> Could MS be made more secure, of course. Do I think they are actively
> working on the problem, yes. If Novell or Mac had risen to the top of the
OS
> heap, would they be catching all the viruses now? I think they would.
> Really, my point was not to argue this, but that there is no justification
> for malicious code, that you can't simply pawn it off on MS as being the
> real problem. By doing that, you are saying that people creating spyware
and
> viruses are not culpable for their actions, that they should be allowed to
> create havoc and destroy systems, because really they are only leveraging
> 'features' built into the operating system.
>
>
> - Original Message - 
> From: "Niels Bakker" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, July 14, 2004 3:31 PM
> Subject: Re: Spyware becomes increasingly malicious
>
>
> >
> > >> Sorry, it was a _technical_ question - is MAC OS known as having
pests
> > >> and ad-ware in the comparable numbers (if any)?
> >
> > * [EMAIL PROTECTED] (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]:
> > > This is spurious logic. You are suggesting that Mac is a more secure
> > > operating system, and I would suggest that it is probably far less
> > > secure, because it has not had to withstand years of unearthing
> > > vulnerabilities in the code.
> >
> > It has.  Darwin is based on years of development in BSD code.
> >
> >
> > -- Niels.
> >
> > -- 
> > Today's subliminal thought is:
>



Re: Spyware becomes increasingly malicious

2004-07-14 Thread Adrian Chadd

On Wed, Jul 14, 2004, Michel Py wrote:

> - In exchange for his life, appoint Saddam Hussein to rid us of spyware
> writers. As he's on a roll, let's put spammers in the deal, too. The guy
> has a proven track record, problem is most of us live in a society that
> oppose his methods, so this does not fly.

Can we call Godwin out on this comment?

Guys, girls, etc. This whole "MacOS is based on BSD which has been looked at
for years" discussion is actaully quite silly. Why? Because the majority of the
code in MacOS X which would be abused is not going to be BSD based.
A bug in cat? tar? sed? No. It'll be a bug in Mail.app, how it ties into
the Helper app, possibly Finder.app and Applescript. It'll be some image overflow
in Safari, via Khtml and Aqua's rendering engine. It'll be something that
Is Very Not Going To Ever Have Been A Part of What You Call BSD.

So, I call crapola on that argument, and invoke a Godwin-for-21st-century based on
the above comment. Lets move on.




Adrian


-- 
Adrian ChaddI'm only a fanboy if
<[EMAIL PROTECTED]> I emailed Wesley Crusher.





Re: Spyware becomes increasingly malicious

2004-07-14 Thread Alexei Roudnev

-:)
Excellent!

==
- Declare that using IE is illegal. This literally takes an act of
congress. And, it would be almost impossible to enforce. Anyway, let's
pretend for a moment that congress does outlaw IE _and_ can enforce it,
it still does not do us much good: whoever will replace Microsoft on the
marketplace will quickly become very much like Microsoft because the
market demands it. We (citizens of the world) have Microsoft because,
short of wanting Microsoft itself we collectively wanted what Microsoft
makes the way they make it, which comes at a price.

- Make IE safe. The nature of the beast is that it can't be: it would
require a tremendous reduction in features, which in turn will drive the
market towards a more featured browser, which will be unsafe. Kind of
the same argument as above.

- In exchange for his life, appoint Saddam Hussein to rid us of spyware
writers. As he's on a roll, let's put spammers in the deal, too. The guy
has a proven track record, problem is most of us live in a society that
oppose his methods, so this does not fly.

- Hire a large number of the brilliant minds that read this list to
write a counter-spyware solution that target the spyware writers. This
does not fly either, because the battlefield is not level: we would
target a limited and hard-to-find group of hijacking experts, that in
turn have the entire world population of dumb users and unsecure
browsers to play with.


So, as it appears to me we can't solve for good hunger in the world,
peace in the middle east, and the spyware problem.

> John Underhill wrote:
> So the question remains, what do we do about it?

Save for legislative and/or legal action (that we do not do here), I'm
afraid that the only thing we can do in here is to blackhole, and do it
right. I don't like it much, but I have not heard any other suggestions
so far.

Michel.



Re: Spyware becomes increasingly malicious

2004-07-14 Thread Alexei Roudnev

>
> So MS has undocumented 'features', so what? When you install their
software
> you agree to a licence, and that you are using their software bound by
their
O, noo. You click a button 'I agree' which means nothing for 99.99% of
people over the world. Here is a difference. Do not expect people to 'agree'
if you do not enforce them to follow this (and if your system do not violate
'common sense'). Do you saw any idiot who read this licenses (I never seen
any)? It became (many years ago) some kind of ritual, like indian dances
before going to the war.

> terms and conditions. Am I afraid big brother is watching, that MS is
spying
> on me? Not really, nothing to see. Do I think that some of these practices
> are unethical? Yes, they probably are, but when I agreed to that licence I
> gave up my right to complain.
> Arguably, the internet would not be where it is today without MS, and that
Of couse, you are correct here.

> this design principle of automating as many processes as possible is what
> has made the internet a universally accessable medium, and that this
And which makes it a good dinner table for the pests, viruses and so on...

May be, idea was that people read 'license', click button (I agree) and
follow it - never write a code which violates this license? But it is not
true - 99.99% people do not read it  and behave as a common sense is saying
not as [EMAIL PROTECTED] MS lawers fictioned... They see a wall wih a gates - and they 
go
thru this gates, no matter what is written on the posters around (except, as
I said, if they see an angry dog next to the gate). /On the other hand, they
knows that coffee is hot and waterfall is dangerous and dogs can bite -:)/.
You must design yous system for this behavior, not for people who _read a
license_. This licenses are good only for 2 goals - (1) use them as a toalet
tissue; (2) in case of serious violation allows to suite user if he is in
USA... -- they do not change people behavior even a bit. Unfortunately,
Internet is not in USA, so even if we will have 100 strict laws prohibiting
spyware, it will not help to fight this pests and pets...  System must
defend itself.


> automation creates security vulnerabilities is simply the trade off made
for
> that accessability.

I agree, in general. yes, it is trade off of _easy to use_, but not only.
Many of this things are trade off of _MS do not want competition so they
keep many undocumented backholes allowing them to have a benefits vs
competitors. IE which makes search instead of reporting 'Name not found' is
a good example.

Yes, I agree, I see a distinction too. I just want to show, that it is not
so simple to determine (distinction) and it is not very productive even to
try doing it - it is much more important to (1) protect the system, and (2)
increase competition having more different systems, and (3) use standards,
instead of proprietary extentions...


>
> MS has a monopoly, it's true, but the reason for that monopoly is not
> entirely because of unfair business practices, it also has a lot to do
with
> their original design mission. That was and still is, to make their OS as
> easy to use as possible. You and I may know how to use linux, but up until
a
Yes, and they did it 'too easy to use' so they have a drawbackl in form of
viruses, vorms, pests and pets - what a surprise... If it was 5 years ago,
they already went out of the  market because of competition (from others who
did not dop it so easy to use but kept systems without a pets and pests).
Unfortunately, thie years are over.


> couple of years ago, this was just too complex an operating system for the
> average home user. That much of the MS code is undocumented, is probably a
I am not talking about the code; I am talking about API's.


>
> This is spurious logic. You are suggesting that Mac is a more secure
I do not know - it was a question.


> of choice, there are innumerable flaws that beg exploitation. The only
> reason MS is consistantly the subject of attack, and not Mac, is not
because
I am not sure - new Mac OS is much more consistent inside than MS. How
script (which must run inside the sandbox) can install spyware, or change my
home page, or see my address book (except if I confirmed administrative
password after I was asked about)? Any small difference can play a dramatic
role here - when working in Unix, I always login as 'alex' with 'user'
permissions - because I can make myself admin temporary by running 'sudo -s'
or 'su -'; in Windoze, I must login as an administrator from the very
beginning, so I do it - as a result, script can install startup time
software in MS but can not in my Unix (just a simple example). And so on. I
am not trying to analyze MS vs Unix vs MAC here, but it is obvious that MS
have a very serious design caveats, and there is a chance (a chance only)
that other systems have not.


>
> Again I think it comes down to choice. I have navigated to a website
because
> I have made a choice to view its content a

RE: Spyware becomes increasingly malicious

2004-07-14 Thread Michel Py

> John Underhill wrote:
> [snip long post]

One of the best posts I have seen in a long time; thanks, John.

> So the question remains, what do we do about it?

That's where it gets tough. Let's begin with what we can't do about it:

- Declare that using IE is illegal. This literally takes an act of
congress. And, it would be almost impossible to enforce. Anyway, let's
pretend for a moment that congress does outlaw IE _and_ can enforce it,
it still does not do us much good: whoever will replace Microsoft on the
marketplace will quickly become very much like Microsoft because the
market demands it. We (citizens of the world) have Microsoft because,
short of wanting Microsoft itself we collectively wanted what Microsoft
makes the way they make it, which comes at a price.

- Make IE safe. The nature of the beast is that it can't be: it would
require a tremendous reduction in features, which in turn will drive the
market towards a more featured browser, which will be unsafe. Kind of
the same argument as above.

- In exchange for his life, appoint Saddam Hussein to rid us of spyware
writers. As he's on a roll, let's put spammers in the deal, too. The guy
has a proven track record, problem is most of us live in a society that
oppose his methods, so this does not fly.

- Hire a large number of the brilliant minds that read this list to
write a counter-spyware solution that target the spyware writers. This
does not fly either, because the battlefield is not level: we would
target a limited and hard-to-find group of hijacking experts, that in
turn have the entire world population of dumb users and unsecure
browsers to play with.


So, as it appears to me we can't solve for good hunger in the world,
peace in the middle east, and the spyware problem.

> John Underhill wrote:
> So the question remains, what do we do about it?

Save for legislative and/or legal action (that we do not do here), I'm
afraid that the only thing we can do in here is to blackhole, and do it
right. I don't like it much, but I have not heard any other suggestions
so far.

Michel.



Re: Spyware becomes increasingly malicious

2004-07-14 Thread sthaug

> Ok.. but has BSD been attacked on the scale that MS code has? I would argue
> no, not even close. Do you believe BSD is invulnerable to attack? Hardly..

I don't believe anybody is claiming that. However, the BSD code has been
out *and* has been publicly scrutinized for quite a bit longer than
Windows.

> Unless you want to go back to text based browsers and kernals that fit on a
> floppy, it is extermely difficult to eliminate all vulnerabilities in the
> code of a sophisticated OS. The more complex the system, the easier it is to
> break, and with the level of automation currently expected by most users,
> this requires a very complex build.

However, Microsoft creates complexity by design, because they integrate
more and more stuff into the basic OS, and because all the various
applications gain more features with each new release.

> Could MS be made more secure, of course. Do I think they are actively
> working on the problem, yes.

Looks to me like they are actively working in two directions:

- Trying to make the systems more secure by teaching developers to think
about security, etc.

- Trying to make the systems less secure, by making them steadily more
complex. (And please don't try to tell me the *users* are demanding all
the new features that MS put into the systems.)

It will be interesting to see which direction wins out in the long run.

> If Novell or Mac had risen to the top of the OS
> heap, would they be catching all the viruses now? I think they would.

They would certainly be catching viruses. Would they be catching *as
many* viruses as MS? We don't know.

> Really, my point was not to argue this, but that there is no justification
> for malicious code, that you can't simply pawn it off on MS as being the
> real problem.

However, you can certainly argue that MS is *part of* the problem, or
that they have *created* a large part of the problem themselves.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]


Re: Spyware becomes increasingly malicious

2004-07-14 Thread John Underhill

Ok.. but has BSD been attacked on the scale that MS code has? I would argue
no, not even close. Do you believe BSD is invulnerable to attack? Hardly..
Unless you want to go back to text based browsers and kernals that fit on a
floppy, it is extermely difficult to eliminate all vulnerabilities in the
code of a sophisticated OS. The more complex the system, the easier it is to
break, and with the level of automation currently expected by most users,
this requires a very complex build.
Could MS be made more secure, of course. Do I think they are actively
working on the problem, yes. If Novell or Mac had risen to the top of the OS
heap, would they be catching all the viruses now? I think they would.
Really, my point was not to argue this, but that there is no justification
for malicious code, that you can't simply pawn it off on MS as being the
real problem. By doing that, you are saying that people creating spyware and
viruses are not culpable for their actions, that they should be allowed to
create havoc and destroy systems, because really they are only leveraging
'features' built into the operating system.


- Original Message - 
From: "Niels Bakker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 14, 2004 3:31 PM
Subject: Re: Spyware becomes increasingly malicious


>
> >> Sorry, it was a _technical_ question - is MAC OS known as having pests
> >> and ad-ware in the comparable numbers (if any)?
>
> * [EMAIL PROTECTED] (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]:
> > This is spurious logic. You are suggesting that Mac is a more secure
> > operating system, and I would suggest that it is probably far less
> > secure, because it has not had to withstand years of unearthing
> > vulnerabilities in the code.
>
> It has.  Darwin is based on years of development in BSD code.
>
>
> -- Niels.
>
> -- 
> Today's subliminal thought is:



Re: Spyware becomes increasingly malicious

2004-07-14 Thread Niels Bakker

>> Sorry, it was a _technical_ question - is MAC OS known as having pests
>> and ad-ware in the comparable numbers (if any)?

* [EMAIL PROTECTED] (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]:
> This is spurious logic. You are suggesting that Mac is a more secure
> operating system, and I would suggest that it is probably far less
> secure, because it has not had to withstand years of unearthing
> vulnerabilities in the code.

It has.  Darwin is based on years of development in BSD code.


-- Niels.

-- 
Today's subliminal thought is: 


Re: Spyware becomes increasingly malicious

2004-07-14 Thread John Underhill


> MS do not publish full system specs, and they use undocumented features
> themself.


Ok, say MS puplished their code tomorow, what do you think would happen? All
the crackers and virus writers of the world would join hands and sing 'joy
to the world' and forgive MS for their tresspasses? I suggest that many of
these virus writers are not motivated by an elitist ideaology, but rather by
financial gain, and the sense of empowerment borne of damaging a global
system. I agree that MS, like many large companies, have not always behaved
in an ethical manner, and have been driven largely by bottom line economics,
but what is done is done, and that doesn't absolve virus and spyware writers
of the damage they are doing to the internet community.


> So, what other companies are doing? Yes, correct, they are experimenting,
> searching for  the undocumented features.
> They found it, and no one can separate bugs and undocumented features.
> These are all results of MS approach _I am doing everything myself and do
> not want others to compete with me_.
> Ok, so please do not complain on those who uses your undocumented
features,
> undocumented API (and ohh, it is not my API, it is a bug... as they are
> saying now). Are you sure that it is a bug, but not a backhole created by
MS
> for themself? I am not.


So MS has undocumented 'features', so what? When you install their software
you agree to a licence, and that you are using their software bound by their
terms and conditions. Am I afraid big brother is watching, that MS is spying
on me? Not really, nothing to see. Do I think that some of these practices
are unethical? Yes, they probably are, but when I agreed to that licence I
gave up my right to complain.
Arguably, the internet would not be where it is today without MS, and that
this design principle of automating as many processes as possible is what
has made the internet a universally accessable medium, and that this
automation creates security vulnerabilities is simply the trade off made for
that accessability.


> Or - after others found this backhole, they decided to seal it. You can
not
> prove that it is a bug, as I can not prove that it was a feature.
>
> Any undocumented API is not different from a bug - it is just something
> which is not documented but exists.
> Just as MS is working on new undocumented API's. Of course, they are -
> hackers, spyware designers and MS developers... I do not see a difference.


I see a very distinct difference, and that is that I have made a choice to
use the MS product, that I have given my consent to them by way of a licence
agreement, if they clearly abuse that trust, I will choose an alternative
product, that is free enterprise in action. But I did not give the hacker
and spyware writer permission to invade my privacy and damage my systems.
Using MS products is not an open invitation to criminals to disrupt my
networks, or absolution for criminal acts.


> Please, specify a difference between 'flaw in the code' and 'backhole
> created for their own purposes'. If they claim 'our developers use only
> specified API' and 'we specify and document every system call and every
> function which can be used legally, from technical point of view', then I
> agree. But they never did and never would. if they do it, they lost their
> monopoly. Result - full zoo of pets, pests, and other animals in every
home
> computer running Windoze.
>
> May be, this particular feature was a bug, I can agree - but I do not see
a
> difference (still).


MS has a monopoly, it's true, but the reason for that monopoly is not
entirely because of unfair business practices, it also has a lot to do with
their original design mission. That was and still is, to make their OS as
easy to use as possible. You and I may know how to use linux, but up until a
couple of years ago, this was just too complex an operating system for the
average home user. That much of the MS code is undocumented, is probably a
good thing, because it makes the virus writers work more difficult. Do I
think that these undocumented features serve some devious purpose? If
someone can come up with hard evidence of that, I will change operating
systems.


> Sorry, it was a _technical_ question - is MAC OS known as having pests and
> ad-ware in the comparable numbers (if any)?


This is spurious logic. You are suggesting that Mac is a more secure
operating system, and I would suggest that it is probably far less secure,
because it has not had to withstand years of unearthing vulnerabilities in
the code.
I have heard an OS compared to a sphere, the larger the sphere the more
surface area: the larger the OS, the more area to protect. The last time I
installed Red Hat, it weighed in at nearly 2 gigs, Mac around the same. Now,
you can fit a 1000 page novel in a 3 meg file, so consider, there are
millions of pages of code in an OS, and regardless of your operating system
of choice, there are innumerable flaws that beg exploitation. The only

Re: Spyware becomes increasingly malicious

2004-07-14 Thread Alexei Roudnev


> Most of the lastest versions appear to install themselves using the
> ByteCode Verifier vulnerability in the Microsoft Virtual Machine.
MS do not publish full system specs, and they use undocumented features
themself.

So, what other companies are doing? Yes, correct, they are experimenting,
searching for  the undocumented features.
They found it, and no one can separate bugs and undocumented features.

These are all results of MS approach _I am doing everything myself and do
not want others to compete with me_.
Ok, so please do not complain on those who uses your undocumented features,
undocumented API (and ohh, it is not my API, it is a bug... as they are
saying now). Are you sure that it is a bug, but not a backhole created by MS
for themself? I am not.

> Fully patched systems don't get the stuff installed.
Or - after others found this backhole, they decided to seal it. You can not
prove that it is a bug, as I can not prove that it was a feature.

Any undocumented API is not different from a bug - it is just something
which is not documented but exists.

> I'm sure the authors are working on newer injection methods
Just as MS is working on new undocumented API's. Of course, they are -
hackers, spyware designers and MS developers... I do not see a difference.

> Though the blame might be placed on Microsoft for having a flaw in
> their code, this wasn't part of any IE feature.
Please, specify a difference between 'flaw in the code' and 'backhole
created for their own purposes'. If they claim 'our developers use only
specified API' and 'we specify and document every system call and every
function which can be used legally, from technical point of view', then I
agree. But they never did and never would. if they do it, they lost their
monopoly. Result - full zoo of pets, pests, and other animals in every home
computer running Windoze.

May be, this particular feature was a bug, I can agree - but I do not see a
difference (still).

> >I do not blame MS, but what about spyware on MAC-s - is it so easy
> >to write and install spyware there?
>
> I don't really want to get into the argument of why people choose
Sorry, it was a _technical_ question - is MAC OS known as having pests and
ad-ware in the comparable numbers (if any)?

> microsoft products to attack, but if someone was going to choose
> a product to attack, from which they were going to try and make
> the most money/impact off of, do you think they would choose the
> product with the largest user base?  I think that's the case here.
> It would be a poor business decision not to, and these people are
> definetly out to make as much money as they can off of these
> exploits.
>
> >This is 100% legal at this point (and even if it is not legal,
> >who bored about it outside of USA? No anyone!).
>
> It really shouldn't be legal.  It is someone gaining unauthorized

Hmm. Is it legal for MS developers (for example, office developers) to use
undocumented APIs? What's a difference? What does it mean 'access' - you
open my web page, and your IE download my GIF file - is it authorised (my
GIF is installed into your computer)? You allow Active X to run, even if
ActiveX can install software - it is enough to be authorised. These is
common sense  - if there is a road, it is authoruised to hike it (except if
there is a closed gate or an angry dog on the way). At least, it is common
sence on 90% of the world.

Of course, we can create many laws making common sense useless, but do not
expect anyone outside to follow it. Internet is not located inside, so - you
can make a conclusion. MS provoked people to search for undocumented
things - it is common sense which say me that it results in my home computer
making unpredicted actions - and I can not blame spyware writers, I should
blame MS writers... (I do not like spywriters, anyway, but they are making
their business..)

> access to computer systems and altering data on those machines.
> Not to mention that people are profiting from these intrusions.
Of course, they are. MS is profited from undocumented API's, as well. Where
is a difference?

>
> -Brian



RE: Spyware becomes increasingly malicious

2004-07-13 Thread Brian Battle


Alexei Roudnev wrote:

>It is not a bug; it is specially designed IE feature. MS always was proud
of
>their full automation - install on demand,
>update automatically, add new software to start at a startup without need
to
>be system admin, etc etc... As a result, we have a field full of bugs,
>pests, pets, spiders, spies and so on... They have _exactly_ what they
>designed. No one even bored to ask me 'do you want to allow this registry
>change' , because 'MS believe that their users are lamers so everything
must
>be automated from the beginning to the end'...

Most of the lastest versions appear to install themselves using the 
ByteCode Verifier vulnerability in the Microsoft Virtual Machine.
Fully patched systems don't get the stuff installed.  
I'm sure the authors are working on newer injection methods
Though the blame might be placed on Microsoft for having a flaw in 
their code, this wasn't part of any IE feature.

You can read more about this exploitable bug (not feature) at
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

>I do not blame MS, but what about spyware on MAC-s - is it so easy
>to write and install spyware there?

I don't really want to get into the argument of why people choose
microsoft products to attack, but if someone was going to choose 
a product to attack, from which they were going to try and make
the most money/impact off of, do you think they would choose the
product with the largest user base?  I think that's the case here.
It would be a poor business decision not to, and these people are
definetly out to make as much money as they can off of these 
exploits.

>This is 100% legal at this point (and even if it is not legal,
>who bored about it outside of USA? No anyone!).

It really shouldn't be legal.  It is someone gaining unauthorized
access to computer systems and altering data on those machines.
Not to mention that people are profiting from these intrusions.

-Brian


Re: Spyware becomes increasingly malicious

2004-07-13 Thread Petri Helenius
Brian Battle wrote:
For another hastily-thought-out analogy, it's like someone
breaking into your house and reprogramming your cable box
to keep changing the channel to the home shopping club
every 30 seconds.
 

That would be the result of the "broadcast bit".
Pete


Re: Spyware becomes increasingly malicious

2004-07-13 Thread Valdis . Kletnieks
On Mon, 12 Jul 2004 12:37:37 EDT, "Hannigan, Martin" <[EMAIL PROTECTED]>  said:
alt with at the browser level
> in MS Security Bulletin MS03-011.
> 
> I have a hard time blaming MS for everything since in most cases
> of these things they do react. How do they force the users to update?
> Could they implement a switch that says "no update, no working browser"?
> At least for IE?
> 
> Scob was dealt with via the hammer, this could be too.

At some point, one needs to say "I've pounded enough nails, it's time to
look at alternate fasteners..."



pgpqqRbzw4Pd4.pgp
Description: PGP signature


Re: Spyware becomes increasingly malicious

2004-07-13 Thread Alexei Roudnev

>
> The authors of these coolwebsearch variants are extremely
> intelligent programmers with far more understanding of
> the bowels of the windows platform than your average
> script kiddies.  If you get hit with the version I saw,
> it's no 10 minute piece of cake.

It makes spywire more dangerous than viruses, which are written (in 99.99%
cases) by more younger and less experienced persons (and without good QA,
good project management etc).

>
> What I don't understand is how exploiting bugs in a
> program (internet explorer) to install software without
> the consent or even acknowledgement from the owner/user
> is legal behavior.  To me, it's just like someone abusing


It is not a bug; it is specially designed IE feature. MS always was proud of
their full automation - install on demand,
update automatically, add new software to start at a startup without need to
be system admin, etc etc... As a result, we have a field full of bugs,
pests, pets, spiders, spies and so on... They have _exactly_ what they
designed. No one even bored to ask me 'do you want to allow this registry
change' , because 'MS believe that their users are lamers so everything must
be automated from the beginning to the end'...

It is another weak side of MS design (first one is complexity) and other
side of MS agriculture (first one is monoculture
easily infected by mortal infection). I do not blame MS, but what about
spyware on MAC-s - is it so easy to write and install spyware there?


> a bug in bind, and installing a rootkit, which last time

It is a difference. This was a bug. Bind have not undocumented features.

MS have millions of undocumented features, and (because they never opened
their OS and never published full specs) every developer play a game 'find a
feature before competitors and use it'. As a result, someone finds features
which was not designed but just 'happened' -:). Anyway, this are a features,
not a bugs. This is 100% legal at this point (and even if it is not legal,
who bored about it outside of USA? No anyone!).

> I checked, could end up getting someone in legal troubles.
>
> For another hastily-thought-out analogy, it's like someone
> breaking into your house and reprogramming your cable box
> to keep changing the channel to the home shopping club
> every 30 seconds.
>
> -Brian
>



Re: Problems with private justice (was Re: Spyware becomes increasingly malicious)

2004-07-13 Thread William Warren
LOL..not a problem..:)
Michel Py wrote:

I just realized that I incorrectly quoted William Warren instead of
Brian Battle in my previous post. Sorry guys, cut/paste casualty.

Sean Donelan wrote:
Could this be a Joe job by someone who doesn't like the
owners of Cool Web Search? The owners of the Cool Web
Search company deny they are the creators nor affiliated
with the creaters of the CWS trojans. Maybe they are
lying. Maybe other Joe jobs have lied too.

Good points.

I don't have all the facts.  Maybe someone else does.

Yep, the guys that write the Trojans :-D
As Brian says:

Brian Battle wrote:
The authors of these coolwebsearch variants are
extremely intelligent programmers with far more
understanding of the bowels of the windows
platform than your average script kiddies. 

The problem I have is not with understanding of the bowels, but with the
ability to produce bowel movements.
Michel.

--
My "Foundation" verse:
Isa 54:17  No weapon that is formed against thee shall prosper; 
and every tongue that shall rise against thee in judgment thou 
shalt condemn. This is the heritage of the servants of the LORD, 
and their righteousness is of me, saith the LORD.

-- carpe ductum -- "Grab the tape"


RE: Problems with private justice (was Re: Spyware becomes increasingly malicious)

2004-07-13 Thread Michel Py


I just realized that I incorrectly quoted William Warren instead of
Brian Battle in my previous post. Sorry guys, cut/paste casualty.


> Sean Donelan wrote:
> Could this be a Joe job by someone who doesn't like the
> owners of Cool Web Search? The owners of the Cool Web
> Search company deny they are the creators nor affiliated
> with the creaters of the CWS trojans. Maybe they are
> lying. Maybe other Joe jobs have lied too.

Good points.

> I don't have all the facts.  Maybe someone else does.

Yep, the guys that write the Trojans :-D

As Brian says:

> Brian Battle wrote:
> The authors of these coolwebsearch variants are
> extremely intelligent programmers with far more
> understanding of the bowels of the windows
> platform than your average script kiddies. 

The problem I have is not with understanding of the bowels, but with the
ability to produce bowel movements.

Michel.



RE: Spyware becomes increasingly malicious

2004-07-13 Thread Michel Py

> David Schwartz
> One wrong turn probing it can render a machine
> unusable until it's reloaded.

Ah, I'm not the only one it appears.

> In the meantime, let's at least blackhole all
> their IPs on our networks.

Does any of the regular lists keeps try of this and already blacklists?

Michel.



RE: Spyware becomes increasingly malicious

2004-07-13 Thread Michel Py

> William Warren wrote:
> I second that.  The version I saw required a third
> party registry editor and booting up into the
> recovery console from an XP cd (safe mode didn't cut
> it) just to remove a hidden dll.

Which is why I made the executive decision to re-image instead of trying
to fix, as unfortunately a new variant requires spending more time
learning it, which is not worth it. :-(


> What I don't understand is how exploiting bugs in a 
> program (internet explorer) to install software without
> the consent or even acknowledgement from the owner/user
> is legal behavior.


There is a grey area between being legal and not being illegal. Compare
to the junk fax issue: it was not legal either (as it spent the
recipient's money without authorization) but it did take special
legislation to make it specifically illegal. If you were to go to court
it would not be a slam dunk by any means; it is going to take more
nuisance that there has been so far for the legal system to do something
about it. Trouble is, it does not prevent you from using the computer,
mostly.

Michel.



Problems with private justice (was Re: Spyware becomes increasingly malicious)

2004-07-13 Thread Sean Donelan

> > I guess the big question is, is there anyone (other than those profiting
> > directly from CWS) that would complain if a provider were to do such a
> > thing...
>
> looks like a psi-net "pink contract" inherited by cogent.  but since the
> psi->cogent rollup was an asset sale rather than a corporate merger, cogent
> probably isn't bound by that contract.  somebody needs to get on the phone,
> i guess.

This is a problem with implementing private justice.  Do you have all the
facts?

The CWS trojans are not downloaded from the Cool Web Search site.

Could this be a Joe job by someone who doesn't like the owners of Cool Web
Search? The owners of the Cool Web Search company deny they are the
creators nor affiliated with the creaters of the CWS trojans.  Maybe they
are lying.  Maybe other Joe jobs have lied too.

Blocking or de-peering the service provider for Cool Web Search will not
prevent you from being infected with CWS trojans any more than blocking or
de-peering the service provider for Google will prevent you from being
infected with Google trojans, or blocking and de-peering the service
provider of Paypal will prevent people from sending you mail offering
to update your Paypal account information, or blocking and de-peering SCO
would prevent people from being infected with viruses which attacked the
SCO web site.

I don't have all the facts.  Maybe someone else does.


RE: Spyware becomes increasingly malicious

2004-07-12 Thread Brian Battle

William Warren wrote:

>not all the variants are that easy..how about doing a google on 
>coolwebsearch..scumware.com has a good writeup as well as 
>spywareinfo.com...the newer variants are not that easy

I second that.  The version I saw required a third party
registry editor and booting up into the recovery console
from an XP cd (safe mode didn't cut it) just to remove
a hidden dll.  Had it not been for the forums out there
at http://forums.spywareinfo.com and the cwsshredder, 
which got most, but not all, of the cruft installed by 
this piece of bastard software, my grandmother's computer
would still be popping up those tens of pages of garbage
randomly.

The authors of these coolwebsearch variants are extremely
intelligent programmers with far more understanding of
the bowels of the windows platform than your average
script kiddies.  If you get hit with the version I saw,
it's no 10 minute piece of cake.

What I don't understand is how exploiting bugs in a 
program (internet explorer) to install software without
the consent or even acknowledgement from the owner/user
is legal behavior.  To me, it's just like someone abusing
a bug in bind, and installing a rootkit, which last time
I checked, could end up getting someone in legal troubles.

For another hastily-thought-out analogy, it's like someone
breaking into your house and reprogramming your cable box
to keep changing the channel to the home shopping club
every 30 seconds.

-Brian



Re: Spyware becomes increasingly malicious

2004-07-12 Thread William Warren
not all the variants are that easy..how about doing a google on 
coolwebsearch..scumware.com has a good writeup as well as 
spywareinfo.com...the newer variants are not that easy

Gregh wrote:
- Original Message - 
From: "Michel Py" <[EMAIL PROTECTED]>
To: "Gregh" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, July 13, 2004 12:41 AM
Subject: RE: Spyware becomes increasingly malicious



Gregh wrote:
Are you honestly serious? I came up against it for
the first time only about 3 days ago and I got rid
of it in 10 minutes! I can see how it would be a
problem for a newbie but it shouldn't be anything
more than 10 minutes work for anyone here with
Windows experience.

There are dozen of variants, obviously you've seen only one.

Obviously. If I can get rid of it easily *I* am the one who is wrong!
All I did was the job. How about you read what I wrote. It really IS that
easy.
Greg.

--
My "Foundation" verse:
Isa 54:17  No weapon that is formed against thee shall prosper; 
and every tongue that shall rise against thee in judgment thou 
shalt condemn. This is the heritage of the servants of the LORD, 
and their righteousness is of me, saith the LORD.

-- carpe ductum -- "Grab the tape"


Re: Spyware becomes increasingly malicious

2004-07-12 Thread Gregh


- Original Message - 
From: "Michel Py" <[EMAIL PROTECTED]>
To: "Gregh" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, July 13, 2004 12:41 AM
Subject: RE: Spyware becomes increasingly malicious



> > Gregh wrote:
> > Are you honestly serious? I came up against it for
> > the first time only about 3 days ago and I got rid
> > of it in 10 minutes! I can see how it would be a
> > problem for a newbie but it shouldn't be anything
> > more than 10 minutes work for anyone here with
> > Windows experience.

> There are dozen of variants, obviously you've seen only one.

Obviously. If I can get rid of it easily *I* am the one who is wrong!

All I did was the job. How about you read what I wrote. It really IS that
easy.

Greg.



Re: Spyware becomes increasingly malicious

2004-07-12 Thread Paul Vixie

> I think depeering is a bit over the top for this situation, ...

if their customer was sucking blood from your customer, and if your peer
was taking a cut of the proceeds, would the issues be any clearer?

> I guess the big question is, is there anyone (other than those profiting
> directly from CWS) that would complain if a provider were to do such a
> thing...

looks like a psi-net "pink contract" inherited by cogent.  but since the
psi->cogent rollup was an asset sale rather than a corporate merger, cogent
probably isn't bound by that contract.  somebody needs to get on the phone,
i guess.


Re: Spyware becomes increasingly malicious

2004-07-12 Thread David A . Ulevitch

On Jul 12, 2004, at 11:20 AM, Christopher Woodfield wrote:
I think depeering is a bit over the top for this situation, but I 
wouldn't blink at nullrouting the prefix in question at my cores... :)

I guess the big question is, is there anyone (other than those 
profiting directly from CWS) that would complain if a provider were to 
do such a thing...
If (your network == your organization) then maybe it's okay, otherwise 
I wouldn't consider it.

If your customers demand it then that's something different and as a 
provider you can choose to provide this sort of filtering for your 
customer.

It's the old: "I don't want some plumber deciding what can come down my 
pipe" argument.

-davidu


Re: Spyware becomes increasingly malicious

2004-07-12 Thread Dan Hollis

On Mon, 12 Jul 2004, Richard A Steenbergen wrote:
> http://www.webhelper4u.com/CWS/cwsoriginial.html
> These folks? Looks like it's all Cogent. Surely someone has contacted 
> Cogent about this?

I'm sure someone has.

The real question should be, does cogent care?

http://www.spamhaus.org/sbl/listings.lasso?isp=cogentco.com

Magic 8-ball: "all signs point to no"



Re: Spyware becomes increasingly malicious

2004-07-12 Thread Christopher Woodfield
I think depeering is a bit over the top for this situation, but I 
wouldn't blink at nullrouting the prefix in question at my cores... :)

I guess the big question is, is there anyone (other than those 
profiting directly from CWS) that would complain if a provider were to 
do such a thing...

-C
On Jul 12, 2004, at 1:34 PM, Daniel Golding wrote:
On 7/12/04 12:33 PM, "Michel Py" <[EMAIL PROTECTED]> 
wrote:


Paul Vixie wrote:
or, to put it in terms you can all understand:
"why does that provider's upstream still have bgp peers?"
Maybe said upstream does not want to deal with TROs and legal issues?
CWS is not illegal as of today.

CWS isn't illegal. On the other hand, there is no legal exposure from
depeering providers who take on these customers. TRO's and such would 
only
come into effect if the provider's peers failed to observe the 
contractually
obligated notice period (30-60 days, normally).

Some peering contracts specify that behaviors that endanger a network 
or its
users allow for immediate disconnection. Its a bit of a stretch to 
invoke
this for a spyware site.

Depeering has been threatened as an anti-spam measure - it is 
reasonable
effective. This hasn't been extended to spyware, as it doesn't get the 
same
level of press.

If you contact a provider who is hosting malware, and they refuse to 
remove
it or disconnect the hoster, you could always try contacting their 
peers and
cc:ing the offending provider. End-user networks (DSL, Cable, 
dial-up), are
particularly sensitive to software that might harm their users.


if you give people the means to hurt you, and they do it,
and you take no action except to continue giving them the
means to hurt you, and they take no action except to keep
hurting you, then one of the ways you can describe the
situation is "it isn't scaling well."
Could not agree more.
Michel.
--
Daniel Golding
Network and Telecommunications Strategies
Burton Group



PGP.sig
Description: This is a digitally signed message part


RE: Spyware becomes increasingly malicious

2004-07-12 Thread David Schwartz


> On 7/12/04 12:33 PM, "Michel Py"
> <[EMAIL PROTECTED]> wrote:

> Some peering contracts specify that behaviors that endanger a
> network or its
> users allow for immediate disconnection. Its a bit of a stretch to invoke
> this for a spyware site.

I think you could find a few experts that could argue that malware in
general, and CWS in specific, has no reached the point where it is entirely
reasonable to classify it as endangering the users of the network. Anyone
who has dealt with a variant of CWS for which a remover was not available
will tell you how much trouble it causes, rendering systems unusable until
you find the magic combination, reimage the system, or wait until someone
else figures out the variant. One wrong turn probing it can render a machine
unusable until it's reloaded.

In the meantime, let's at least blackhole all their IPs on our networks.
One way to reduce malware is to reduce the benefits of creating and
distributing it. Another way is to find the people benefiting and stringing
them up in the town square.

DS




Re: Spyware becomes increasingly malicious

2004-07-12 Thread Daniel Golding

On 7/12/04 12:33 PM, "Michel Py" <[EMAIL PROTECTED]> wrote:

> 
>> Paul Vixie wrote:
>> or, to put it in terms you can all understand:
>> "why does that provider's upstream still have bgp peers?"
> 
> Maybe said upstream does not want to deal with TROs and legal issues?
> CWS is not illegal as of today.


CWS isn't illegal. On the other hand, there is no legal exposure from
depeering providers who take on these customers. TRO's and such would only
come into effect if the provider's peers failed to observe the contractually
obligated notice period (30-60 days, normally).

Some peering contracts specify that behaviors that endanger a network or its
users allow for immediate disconnection. Its a bit of a stretch to invoke
this for a spyware site.

Depeering has been threatened as an anti-spam measure - it is reasonable
effective. This hasn't been extended to spyware, as it doesn't get the same
level of press. 

If you contact a provider who is hosting malware, and they refuse to remove
it or disconnect the hoster, you could always try contacting their peers and
cc:ing the offending provider. End-user networks (DSL, Cable, dial-up), are
particularly sensitive to software that might harm their users.

> 
>> if you give people the means to hurt you, and they do it,
>> and you take no action except to continue giving them the
>> means to hurt you, and they take no action except to keep
>> hurting you, then one of the ways you can describe the
>> situation is "it isn't scaling well."
> 
> Could not agree more.
> 
> Michel.
> 

-- 
Daniel Golding
Network and Telecommunications Strategies
Burton Group




RE: Spyware becomes increasingly malicious

2004-07-12 Thread Hannigan, Martin



This appears to have been dealt with at the browser level
in MS Security Bulletin MS03-011.

I have a hard time blaming MS for everything since in most cases
of these things they do react. How do they force the users to update?
Could they implement a switch that says "no update, no working browser"?
At least for IE?


Scob was dealt with via the hammer, this could be too.


There's 39 variants at the moment:

http://www.spywareinfo.com/~merijn/cwschronicles.html

The difficulty in cleaning is due to the variants:

http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

Disclaimer: That site "looks/feels" credible, but I did just a little
correlation. Thanks.



ARIN:

The IP number for their website is allocated to cogent, but not SWIP'd.

Apparent last mile:

16  p6-0.core01.jfk02.atlas.cogentco.com (66.28.4.82)  107.092 ms  104.713
ms  107.080 ms
17  p5-0.core01.jfk01.atlas.cogentco.com (66.28.4.9)  108.177 ms  108.023 ms
109.115 ms
18  g49.ba01.b001362-1.jfk01.atlas.cogentco.com (66.28.66.42)  106.147 ms
105.769 ms  109.537 ms
19  HyperSpace_Communications.demarc.cogentco.com (66.250.5.30)  110.872 ms
108.745 ms  106.978 ms
20  66.250.74.150 (66.250.74.150)  107.939 ms  108.364 ms  104.599 ms

Apparent Registration:

domain:   coolwebsearch.com
status:   production
organization: InterWeb Solutions Inc
owner:InterWeb Solutions Inc
email:[EMAIL PROTECTED]
address:  P.O. Box 362
address:  Road Town
city: Tortola
postal-code:  65113
country:  IO
admin-c:  [EMAIL PROTECTED]
tech-c:   [EMAIL PROTECTED]
billing-c:[EMAIL PROTECTED]
nserver:  ns1.maximumhost.com   
nserver:  ns2.rosexxxgarden.com 
registrar:JORE-1
created:  2001-06-01 04:51:34 UTC JORE-1
modified: 2004-03-17 14:59:02 UTC JORE-1
expires:  2007-05-31 22:51:23 UTC 
source:   joker.com


-M




--
Martin Hannigan (c) 617-388-2663
VeriSign, Inc.  (w) 703-948-7018
Network Engineer IV   Operations & Infrastructure
[EMAIL PROTECTED]


coolwebsearch:




> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Paul Vixie
> Sent: Monday, July 12, 2004 12:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Spyware becomes increasingly malicious
> 
> 
> 
> somebody, probably sean, mentioned scaling earlier in this thread.
> 
> > >> coolwebsearch has become more and more sneaky.. so bad that
> > >> development of cws shredder has been abandoned by its developer..
> ...
> > > the first time only about 3 days ago and I got rid of it 
> in 10 minutes!
> > > I can see how it would be a problem for a newbie but it 
> shouldn't be
> > > anything more than 10 minutes work for anyone here with Windows
> > > experience.
> ...
> > There are dozen of variants, obviously you've seen only one.
> 
> so, this bit of spyware (which was resistant to ad-aware as 
> of last week,
> though ad-aware seems to publish a new definition file every 
> day now) relies
> on a web site, and that web site relies on the spyware for 
> its traffic and
> eyeballs, and the spyware and website are 
> owned/operated/"published" by the
> same company.  the website does not move around, it's at a 
> fixed location.
> 
> the scaling issue, please:
> 
> "why does that company still have an internet connection?"
> 
> or, to put it less mildly:
> 
> "why does that company's provider still have an upstream?"
> 
> or, to put it in terms you can all understand:
> 
> "why does that provider's upstream still have bgp peers?"
> 
> if you give people the means to hurt you, and they do it, and 
> you take no
> action except to continue giving them the means to hurt you, 
> and they take
> no action except to keep hurting you, then one of the ways 
> you can describe
> the situation is "it isn't scaling well."
> -- 
> Paul Vixie
> 


RE: Spyware becomes increasingly malicious

2004-07-12 Thread Michel Py

> Paul Vixie wrote:
> or, to put it in terms you can all understand:
> "why does that provider's upstream still have bgp peers?"

Maybe said upstream does not want to deal with TROs and legal issues?
CWS is not illegal as of today.

> if you give people the means to hurt you, and they do it,
> and you take no action except to continue giving them the
> means to hurt you, and they take no action except to keep
> hurting you, then one of the ways you can describe the
> situation is "it isn't scaling well."

Could not agree more.

Michel.



Re: Spyware becomes increasingly malicious

2004-07-12 Thread Richard A Steenbergen

On Mon, Jul 12, 2004 at 04:18:34PM +, Paul Vixie wrote:
> 
> somebody, probably sean, mentioned scaling earlier in this thread.
> 
> > >> coolwebsearch has become more and more sneaky.. so bad that
> > >> development of cws shredder has been abandoned by its developer..
> ...
> > > the first time only about 3 days ago and I got rid of it in 10 minutes!
> > > I can see how it would be a problem for a newbie but it shouldn't be
> > > anything more than 10 minutes work for anyone here with Windows
> > > experience.
> ...
> > There are dozen of variants, obviously you've seen only one.
> 
> so, this bit of spyware (which was resistant to ad-aware as of last week,
> though ad-aware seems to publish a new definition file every day now) relies
> on a web site, and that web site relies on the spyware for its traffic and
> eyeballs, and the spyware and website are owned/operated/"published" by the
> same company.  the website does not move around, it's at a fixed location.
> 
> the scaling issue, please:
> 
> "why does that company still have an internet connection?"
> 
> or, to put it less mildly:
> 
> "why does that company's provider still have an upstream?"
> 
> or, to put it in terms you can all understand:
> 
> "why does that provider's upstream still have bgp peers?"
> 
> if you give people the means to hurt you, and they do it, and you take no
> action except to continue giving them the means to hurt you, and they take
> no action except to keep hurting you, then one of the ways you can describe
> the situation is "it isn't scaling well."

http://www.webhelper4u.com/CWS/cwsoriginial.html

These folks? Looks like it's all Cogent. Surely someone has contacted 
Cogent about this?

network:ID:NET-42FA4A8019
network:Network-Name:NET-42FA4A8019
network:IP-Network:66.250.74.128/25
network:Org-Name:HyperSpace Communications
network:Street-Address: 74 West Street
network:City:Waltham
network:State:MA
network:Postal-Code:02451
network:Country-Code:US
network:Tech-Contact:ZC108-ARIN

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: Spyware becomes increasingly malicious

2004-07-12 Thread Paul Vixie

somebody, probably sean, mentioned scaling earlier in this thread.

> >> coolwebsearch has become more and more sneaky.. so bad that
> >> development of cws shredder has been abandoned by its developer..
...
> > the first time only about 3 days ago and I got rid of it in 10 minutes!
> > I can see how it would be a problem for a newbie but it shouldn't be
> > anything more than 10 minutes work for anyone here with Windows
> > experience.
...
> There are dozen of variants, obviously you've seen only one.

so, this bit of spyware (which was resistant to ad-aware as of last week,
though ad-aware seems to publish a new definition file every day now) relies
on a web site, and that web site relies on the spyware for its traffic and
eyeballs, and the spyware and website are owned/operated/"published" by the
same company.  the website does not move around, it's at a fixed location.

the scaling issue, please:

"why does that company still have an internet connection?"

or, to put it less mildly:

"why does that company's provider still have an upstream?"

or, to put it in terms you can all understand:

"why does that provider's upstream still have bgp peers?"

if you give people the means to hurt you, and they do it, and you take no
action except to continue giving them the means to hurt you, and they take
no action except to keep hurting you, then one of the ways you can describe
the situation is "it isn't scaling well."
-- 
Paul Vixie


RE: Spyware becomes increasingly malicious

2004-07-12 Thread Michel Py

>> William Warren wrote:
>> coolwebsearch has become more and more sneaky..so
>> bad that development of cws shredder has been
>> abandoned by its developer

The smart computer does not exist (if it did, we would not have a job,
would we? ;-)

>> Either serious lock down you ie (which with CWS is
>> not going to help) or use something other than ie.

No argument here.


> Gregh wrote:
> Are you honestly serious? I came up against it for
> the first time only about 3 days ago and I got rid
> of it in 10 minutes! I can see how it would be a
> problem for a newbie but it shouldn't be anything
> more than 10 minutes work for anyone here with
> Windows experience.

There are dozen of variants, obviously you've seen only one.

Michel.



Re: Spyware becomes increasingly malicious

2004-07-12 Thread william(at)elan.net


On Mon, 12 Jul 2004, William Warren wrote:

> coolwebsearch has become more and more sneaky..so bad that 
> development of cws shredder has been abandoned by its 
> developerEither serious lock down you ie(which with CWS is 
> not going to help) or use something other than ie.

http://www.securityfocus.com/news/8998
"Jun 28 2004 7:38AM

 US CERT (the US Computer Emergency Readiness Team), is advising people to 
 ditch Internet Explorer and use a different browser after the latest 
 security vulnerability in the software was exposed"

http://www.eweek.com/article2/0,1759,1622344,00.asp
"July 12, 2004 

 In the wake of last week's revelation of a security hole in Mozilla that 
 allows the execution of arbitrary programs on the client system a 
 philosophical debate has emerged: Is this a bug in Mozilla or a bug in 
 Windows?"

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Re: Spyware becomes increasingly malicious

2004-07-12 Thread Gregh


- Original Message - 
From: "Michel Py" <[EMAIL PROTECTED]>
To: "Sean Donelan" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, July 12, 2004 1:24 PM
Subject: RE: Spyware becomes increasingly malicious



> Indeed. Lately, I have not been able to clean a very annoying piece of
crud named "CoolWebSearch".

Look I am not attempting to be flippant but do yourself a favour and
download HiJackThis and check out the registry entries that show up. It is
quite obvious how to remove it the moment you do that. As I said in my last
letter, it is all of 10 minutes' work if that. I cant even remember what the
damned registry entries were, now but it all comes in via SmilyeyCentral
(possibly other progs) so anyone annoyed by CoolWebSearch has to block
installation of that program.

Greg.



Re: Spyware becomes increasingly malicious

2004-07-12 Thread Gregh


- Original Message - 
From: "William Warren" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 12, 2004 10:04 PM
Subject: Re: Spyware becomes increasingly malicious


>
> coolwebsearch has become more and more sneaky..so bad that
> development of cws shredder has been abandoned by its
> developerEither serious lock down you ie(which with CWS is
> not going to help) or use something other than ie.
>

Are you honestly serious? I came up against it for the first time only about
3 days ago and I got rid of it in 10 minutes! I can see how it would be a
problem for a newbie but it shouldn't be anything more than 10 minutes work
for anyone here with Windows experience.

Greg.



Re: Spyware becomes increasingly malicious

2004-07-12 Thread William Warren
coolwebsearch has become more and more sneaky..so bad that 
development of cws shredder has been abandoned by its 
developerEither serious lock down you ie(which with CWS is 
not going to help) or use something other than ie.

Edward B. Dreger wrote:
RKJ> Date: Mon, 12 Jul 2004 01:43:50 -0300
RKJ> From: Rubens Kuhl Jr.
RKJ> Try booting into safe mode before running software to detect
RKJ> or remove spyware; some of them fight to survive if they are
Also use msconfig to disable non-critical extras.  Some of us
have manually ripped out ActiveX controls and BHOs care of
regedit... but, alas, malware often has made enough registry and
other system changes that the system is left unstable or
inoperable.
CVs archives of { { system file MD5/SHA1 hashes } and { registry
dumps } }, anyone?
Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.

--
My "Foundation" verse:
Isa 54:17  No weapon that is formed against thee shall prosper; 
and every tongue that shall rise against thee in judgment thou 
shalt condemn. This is the heritage of the servants of the LORD, 
and their righteousness is of me, saith the LORD.

-- carpe ductum -- "Grab the tape"


Re: Spyware becomes increasingly malicious

2004-07-11 Thread Edward B. Dreger

RKJ> Date: Mon, 12 Jul 2004 01:43:50 -0300
RKJ> From: Rubens Kuhl Jr.

RKJ> Try booting into safe mode before running software to detect
RKJ> or remove spyware; some of them fight to survive if they are

Also use msconfig to disable non-critical extras.  Some of us
have manually ripped out ActiveX controls and BHOs care of
regedit... but, alas, malware often has made enough registry and
other system changes that the system is left unstable or
inoperable.

CVs archives of { { system file MD5/SHA1 hashes } and { registry
dumps } }, anyone?


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



RE: Spyware becomes increasingly malicious

2004-07-11 Thread Michel Py

> Rubens Kuhl Jr. wrote:
> Try booting into safe mode before running software to detect
> or remove spyware; some of them fight to survive if they are
> running, dunno if it is the case with CoolWebSearch.

Tried that too, does not help with CWS.

Michel.



Re: Spyware becomes increasingly malicious

2004-07-11 Thread Rubens Kuhl Jr.


Try booting into safe mode before running software to detect or remove
spyware; some of them fight to survive if they are running, dunno if it is
the case with CoolWebSearch.


Rubens


- Original Message - 
From: "Michel Py" <[EMAIL PROTECTED]>
To: "Sean Donelan" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, July 12, 2004 12:24 AM
Subject: RE: Spyware becomes increasingly malicious



> Sean Donelan wrote:
> Spyware isn't the best term for what is happening, but it
> is quickly exceeding (or contributing) to all the other
> problems associated with the online (not just Internet) world.

Indeed. Lately, I have not been able to clean a very annoying piece of
crud named "CoolWebSearch". Spybot will not always detect and never
remove; Ad-aware will likely detect but not remove either. None of the
other crapware removers I have tried could clean the machine either.

I have instructed helpdesk not to waste any time with it and
systematically re-image the infected PC :-(
Fortunately, re-imaging a PC is now a matter of minutes.

Michel.




RE: Spyware becomes increasingly malicious

2004-07-11 Thread Michel Py

> Michael Painter wrote:
> You're right...it can be a sob to remove. CWShredder
> has worked well for me.
> http://www.spywareinfo.com/~merijn/cwschronicles.html

First thing I tried after Ad-aware and Spybot, no go :-(
In some cases, the only way out of it is HiJackthis
(http://www.spychecker.com/program/hijackthis.html) which unfortunately
requires a somehow skilled tech and lots of time, with no guarantee.

I ruled it out for financial reasons: eventually a skilled tech will
indeed be able to clean the machine, but the bottom line is not
favorable in a mid-size or large corporate environment: it takes a lot
less time and money to send a grease monkey reload the machine and send
L2 tech to put back user settings. Not elegant nor smart, but works.

Michel.



Re: Spyware becomes increasingly malicious

2004-07-11 Thread Michael Painter

- Original Message - 
From: "Michel Py" <[EMAIL PROTECTED]>
To: "Sean Donelan" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, July 11, 2004 5:24 PM
Subject: RE: Spyware becomes increasingly malicious

> Indeed. Lately, I have not been able to clean a very annoying piece of
> crud named "CoolWebSearch". Spybot will not always detect and never
> remove; Ad-aware will likely detect but not remove either. None of the
> other crapware removers I have tried could clean the machine either.

You're right...it can be a sob to remove.  CWShredder has worked well for me.

http://www.spywareinfo.com/~merijn/cwschronicles.html

--Michael
 


RE: Spyware becomes increasingly malicious

2004-07-11 Thread Dr. Jeffrey Race

On Sun, 11 Jul 2004 20:24:19 -0700, Michel Py wrote:

> None of the
>other crapware removers I have tried could clean the machine either.

Try  Bazooka spyware detector from .   This
detected for me a bunch of malware neither Spybot nor Adaware caught.

Jeffrey Race




RE: Spyware becomes increasingly malicious

2004-07-11 Thread Michel Py

> Sean Donelan wrote:
> Spyware isn't the best term for what is happening, but it
> is quickly exceeding (or contributing) to all the other
> problems associated with the online (not just Internet) world.

Indeed. Lately, I have not been able to clean a very annoying piece of
crud named "CoolWebSearch". Spybot will not always detect and never
remove; Ad-aware will likely detect but not remove either. None of the
other crapware removers I have tried could clean the machine either.

I have instructed helpdesk not to waste any time with it and
systematically re-image the infected PC :-(
Fortunately, re-imaging a PC is now a matter of minutes.

Michel.