Clean and Infected File Sharing Programs

March 8, 2008 – 4:08 PM

Wondering if your favorite peer-to-peer file-swapping program has spyware bundled into it? Chances are good that it does.

The information on this page is believed to be accurate. However, if any program is listed under the wrong section, please let me know immediately. If you know of a file sharing program not listed here, let me know about that as well and I will test it out.

Infected

The following file-swappers are confirmed to have spyware or other unwanted parasites bundled into them:

  • KaZaa (offers a paid version without spyware)
  • Limewire (Older versions only, see below)
  • Audiogalaxy
  • Bearshare (offers a paid version without spyware)
  • Imesh
  • Morpheus
  • Grokster (offers a paid version without spyware)
  • Xolox
  • Blubster 2.x aka Piolet (Blubster 2.0 and higher and Piolet are adware and bundle other adware)
  • OneMX
  • FreeWire
  • Exeem
  • BitTorrent Ultra
  • FileCroc
  • Kiwi Alpha
  • RockItNet
  • Warez P2P
  • MediaSeek (MediaSeek Lite from the same company does not bundle any spyware or adware)
  • E-Donkey AKA Overnet (Claims to provide a spyware free paid version)
  • Computwin AKA FileNavigator (While it doesn’t bundle adware or spyware, this product is itself adware, pops up a full page ad in Internet Explorer upon loading and claims to track computer usage in its license)
  • Ares (Official site offers a “Lite” version without the adware bundles)
  • Various BitTorrent Clients (See warning below about open source clients)

Also see this page which details what most of the above programs bundle. This page has a similar list of clean/not clean programs.

Clean

The following file-swappers have been found not to have any spyware or other advertising parasites bundled into them:

Regarding EarthStation5

Earth Station 5 once contained code that would allow an attacker to delete any file off of your computer’s hard drive. Whether it was placed there intentionally or was a bug left in the code by accident is unclear. For now, we recommend against using it.

Untested

Believed to be clean

The following programs are reported to be clean but have not yet been tested by me.

  • XBC (Can’t find an installer for this one)

Unknown

The following are P2P programs for which no reports are available. They eventually will be tested to see if they are clean or not.

  • Aimster (Can’t test. Possibly no longer available)
  • AudioSwap (Can’t test. Installer corrupted)
  • Carracho (Can’t test. Appears to be a Mac OS client?)

Regarding Open Source File Sharing Programs

Be very careful when installing an open source file sharing program. Open source programs are distributed under a license that allows for repackaging and redistribution. Unfortunately, many fine open source file sharing programs are repackaged to bundle various adware, spyware and other malware. Some examples of this are BitTorrent and KCEasy, both of which are clean, open source programs that have been repackaged by others to include malware.

If you see on this page that an open source program is free of spyware, that does not mean that some unscrupulous person hasn’t repackaged a version that does bundle spyware and is passing it off as the real thing, on his own web site. Be very careful that you download file sharing programs ONLY from the official web site of the program’s developer.

Cracks

There are two programs, Kazaalite and Groksterlite, about which you may be wondering. Both programs are spyware-free versions of those file-swappers. Some people believe that they are alternative versions put out by the makers of KaZaa and Grokster.

Let’s kill that myth right here. Neither of these are distributed by the owners of Kazaa or Grokster. They are cracks, meaning that the people distributing them violated their End User License Agreements to decompile them and remove the embedded spyware.

You may think that by using these products, you are giving the proverbial finger to the makers of spyware-ridden software. I’m sorry to say, this is not true. You merely show them that their software is so popular that you will go to any lengths to use it. This tells them that it is safe to keep selling out their millions and millions of users to the parasitical spyware companies. It also lets them point to the size of their network when spyware companies come sniffing around. By using these products, cracked or not, you contribute to the problem of advertising spyware.

It is recommended that you not use any version of a product that bundles spyware, whether it is a spyware-free crack or the normal version. Spyware companies pay good money to the developers who sell out their users. The only way to discourage developers from bundling spyware with their products is to show them that their users will go elsewhere. No users equals no sponsors equals no money. It's as simple as that.

http://www.spywareinfo.com/articles/p2p/

I Love The Smell Of Spyware Burning In The Morning

March 8, 2008 – 4:07 PM

I now have even greater sympathy for people suffering a spyware infection than ever before. I spent the better part of Tuesday night fighting off the worst spyware infection I have ever seen or heard of.

Someone was kind enough to donate a copy of VMWare for me to use for testing. VMWare is software that pretends to be an entire computer and lets you install operating systems on it inside of a window. It makes it much faster and easier to test things than using a whole test PC. If I destroy the operating system, I can just shut down VMWare, restore a backup and have it up and running again within seconds.

I have spent the last two days playing with VMWare and decided Tuesday to go visit a certain wrestling fan site, a site infamous for installing all manner of spyware. I was told that this site was guaranteed to be a rich hunting ground for spyware. The person who said that sure wasn’t kidding.

Let me begin this next part with an important note. Nothing at all happened until I said “Yes” to an ActiveX prompt. As bad as the infection is that I am about to describe, nothing would have happened if I had said “No” to that first prompt. Keep that in mind the next time you see an ActiveX prompt. NEVER SAY “YES” TO ACTIVEX PROMPTS THAT POP UP OUT OF NOWHERE!

There. Now that I’ve set off every spam filter in the world….

Warning! Geekspeak ahead.

By clicking “Yes” to the security warning, one spyware was installed. That first spyware downloaded and installed three other spywares. Those installed three new spywares each. Spyware was procreating on my computer at a geometric rate!

Six new toolbars showed up in Internet Explorer. Something deleted the Google Toolbar entirely. Three new icons appeared in the system tray. Three internet shortcuts appeared on the desktop and well over a hundred more showed up in my “Favorites” folder. Dozens of processes were loaded into memory. 200 new files appeared on the hard drive as well as over 400 new registry entries. And pop-ups were appearing at a rate of five per minute.

Within half an hour, my virtual computer was as infested with malware as anything I have ever seen at the message board.

I believe my favorite was the AdDestroyer program. That one sat in my system tray popping up ad windows, then declaring that "Your trial has expired. Click here to block pop-ups like that one." It made a very obnoxious squealing noise every time it did it.

Verrry nice. I believe the Federal Trade Commission sued a company last year for doing that.

Once I had decided that all the spyware that was going to be installed was installed, I set about trying to remove it all.

Oh boy.

First, I tried three different antispyware scanners. No help there. If they didn’t crash, anything they removed came right back. It took me over an hour to determine that this was a lost cause.

Giving up on the automated scanners, I fired up HijackThis. If you’ve never heard of that one, it is a small program created by Merijn (Dutch spelling of Merlin), a university student in The Netherlands. Based on my original Browser Hijacking article and expanded upon continuously ever since, this program finds, lists and optionally deletes most of the start up locations, registry entries, browser helper objects, toolbars, services and other things installed by malware.

I scanned with HijackThis, selected several dozen entries to remove and clicked “Fix”. That killed most of it. Unfortunately, more than a dozen entries were reinstalled immediately. I rebooted and tried several more times with the same result. These particular malware programs had companion files loaded into memory watching for attempts at removal. Delete something and they immediately replace it. One of them even started to place randomly named start up entries for randomly named files placed in random locations on the hard drive. Sheesh!

The next thing I tried was the process killer bundled into HijackThis. I killed the memory processes that I suspected were protecting the malwares. Doing that allowed me to disable at least two more malwares. Still, a half dozen entries remained no matter how many times I tried to remove them.

After figuring out which processes were responsible for replacing these last few entries, I tried to kill them out of memory. That didn’t go so well. Every time I killed one process, another process would reload it. Kill that one and the other reloaded it. When I tried killing them all at once, it nearly crashed the computer, so I stopped trying that.

The next thing I tried was Killbox. Killbox is a program for deleting stubborn files. It can delete files immediately, delete them on reboot, replace a file with a dummy file on reboot, force explorer.exe to exit while it deletes a file, unregister DLL files, kill processes and even let you delete a whole raft of files at once.

I told Killbox to delete the offending malware files on reboot and then restarted the computer. Nothing. Not a single one of those files was missing after Windows loaded again. Clearly, these little critters weren’t going to give up without a fight.

I restarted the computer in safe mode next. That didn’t help things very much at first as the spyware loaded even in safe mode. At this point, I realized that I had overlooked something. Some of the remaining malware was loading as NT services. I might have shaved an hour or two from this whole exercise if I had noticed that in the beginning. Chalk that up to my being a little rusty at killing hijackers.

I opened the Management Console to stop and disable those two services and things became a little easier. Still in safe mode, I had Killbox kill explorer.exe and delete the malware files one at a time. Then I ran HijackThis again and removed all of the entries. This time, they stayed gone.

I restarted normal Windows and scanned again with HijackThis. Nothing. Every single entry was gone. Then I scanned with Ad-aware to clean up the remaining trash and …. well …. take a look for yourself:
http://www.spywareinfo.com/stuff/aawscanofcrap.jpg
http://www.spywareinfo.com/stuff/aawscanofcrap2.jpg

Remember, HijackThis is not a spyware remover. It only allows you to *disable* hijacks and spyware while leaving the inactive files and nonfunctioning registry entries for other cleaners to tidy up. What you see in those screenshots is what was left behind, after I finally disabled all the garbage on the computer. Or rather, after I *thought* I had disabled everything.

While Ad-Aware was right in the middle of removing those hundreds of entries, one last stubborn malware managed to load from nowhere (I mean that literally, keep reading) and started spawning pop-up ads.

I have absolutely no idea what loaded this file or how. There was no start up entry for it. There were no suspicious looking memory processes or services running. It wasn’t hooked into Explorer. When it was in memory, you could see the file. When it wasn’t in memory, the file did not exist anywhere on the hard drive. It simply appeared out of nowhere, popped up a few ads and then vanished right back into nowhere. That’s a nice trick. I intend to figure out how it did that.

During one of its appearances, I dumped its memory to a text file. Inside were the names of six other files scattered throughout the Windows folder. I had Killbox delete every one of those files as well as the Houdini file and that was the end of that (I think). I left the VM window open all night when I went to bed just to be sure. There were no more pop-ups and no malware present when I woke up.

I am fairly sure there were inactive remnants of this massive infection littered all over my virtual computer after I was done. Ad-aware cleaned up nearly 600 items. Spybot found several dozen more. X-Cleaner, SpySweeper and PestPatrol all found bits and pieces scattered all over the place. Finally I just gave it up as a lost cause and shut off the virtual computer. The important thing was that the active infection had been killed.

It took five hours to clean up a hijacked PC that was right in front of me. Someone just tooling around on their first computer, with no real knowledge of how a computer works, either would have given up and set the computer on fire or taken it to a PC repair shop. Most repair shops would just throw their hands in the air, format the hard drive and be done with it. Those that stuck with it as long as I did would have charged roughly $350 (assuming five hours at $70 per hour at a fairly cheap repair shop).

All of that because I clicked the “Yes” button on a security warning. Think about that the next time you see an ActiveX warning.

For those of you geeky enough (or masochistic enough) to think that all of this sounds like fun, I have something for you. Thousands upon thousands of people show up at SpywareInfo’s message board every single day with infected PCs screaming for help. We have literally hundreds of experts, developers, advisors and other helpful members who do their best to walk these people through the steps necessary to fix their computers. Still, so many people show up that it often takes days for someone to receive any assistance.

If you would like to take a shot at helping some of these people, we would be happy to show you exactly how to do it. It’s a little different to fix a computer when it’s not in front of you and all you have to go by are text logs. We have a “boot camp” where all the tricks of the trade for fixing a malware infection over a message board are taught. Consider it a crash course in remote computer repair. If you are interested, read this page and follow the instructions.

http://www.spywareinfo.net/june2,2005#diespywarediediedie

The six dumbest ways to secure a wireless LAN

March 8, 2008 – 4:06 PM

For the last three years, I've been meaning to put to rest once and for all the urban legends and myths on wireless LAN security. Every time I write an article or blog on wireless LAN security, someone has to come along and regurgitate one of these myths. If that weren't bad enough, many "so called" security experts propagated these myths through speaking engagements and publications, and many continue to this day. Many wireless LAN equipment makers continue to recommend many of these schemes to this day. One would think that the fact that none of these schemes made it into the official IEEE 802.11i security standard would give a clue to their effectiveness, but time and time again that theory is proven wrong. To help you avoid these schemes, I've created the following list of the six dumbest ways to secure your wireless LAN.

Wireless LAN security hall of shame

MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person's name tag, compares it to his list of names and decides whether to open the door. Do you see a problem here? All someone needs to do is watch an authorized person go in and forge a name tag with that person's name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12-digit hex number that is sent in clear text in the header of every frame, encrypted network or not, and can be read with a sniffer. A sniffer to a hacker is like a hammer to a carpenter, except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut and paste a legitimate MAC address into the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement it. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

SSID hiding: There is no such thing as "SSID hiding". You're only hiding the SSID from the beacons the Access Point sends. There are 4 other mechanisms that also carry the SSID over the 2.4 or 5 GHz spectrum, in the clear: probe requests, probe responses, association requests, and re-association requests. Essentially, you're talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden, and all you've achieved is to cause problems for Wi-Fi roaming when a client jumps from AP to AP. Hidden SSIDs also make wireless LANs less user friendly. You don't need to take my word for it. Just ask Robert Moskowitz, Senior Technical Director of ICSA Labs, in his white paper "Debunking the myth of SSID hiding".
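As an added illustration of the two points above (this is example code written for this page, not from the original article): the MAC address and the SSID both travel in clear text in 802.11 management frames, which WEP, WPA and WPA2 all leave unencrypted. The Python below builds minimal management frames of the five kinds the article names, then parses them back the way a passive sniffer would, reading the transmitter MAC from Address 2 of the header and the SSID information element from the body. The frames and the MAC addresses are constructed for the example; a real capture would come from an adapter in monitor mode and carry many more information elements after the SSID.

```python
# 802.11 management frame subtypes (frame type 0). The article names five frames
# that carry the SSID; "SSID hiding" only blanks the element in the beacon.
SUBTYPE_NAMES = {
    0x0: "association request",
    0x2: "reassociation request",
    0x4: "probe request",
    0x5: "probe response",
    0x8: "beacon",
}

# Bytes of fixed fields that sit between the MAC header and the first element.
FIXED_BODY_LEN = {
    0x0: 4,    # capability(2) + listen interval(2)
    0x2: 10,   # capability(2) + listen interval(2) + current AP address(6)
    0x4: 0,    # probe requests start with information elements immediately
    0x5: 12,   # timestamp(8) + beacon interval(2) + capability(2)
    0x8: 12,   # timestamp(8) + beacon interval(2) + capability(2)
}

MAC_HEADER_LEN = 24  # frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq ctrl(2)


def build_mgmt_frame(subtype, transmitter, ssid):
    """Construct a minimal management frame (constructed test data, not a capture).

    `transmitter` is the 6-byte source MAC placed in Address 2. An empty `ssid`
    yields a zero-length SSID element, which is exactly what an access point
    configured for "SSID hiding" puts in its beacons.
    """
    frame_control = bytes([subtype << 4, 0x00])    # type 0 = management, version 0
    header = (frame_control
              + b"\x00\x00"                         # duration
              + b"\xff" * 6                         # addr1: broadcast
              + transmitter                         # addr2: transmitter
              + b"\xff" * 6                         # addr3: BSSID (don't care here)
              + b"\x00\x00")                        # sequence control
    fixed = b"\x00" * FIXED_BODY_LEN[subtype]
    ssid_ie = bytes([0x00, len(ssid)]) + ssid        # element id 0 = SSID
    return header + fixed + ssid_ie


def parse_mgmt_frame(frame):
    """Return (subtype name, transmitter MAC as text, SSID or None when blank).

    Everything is read from the clear-text MAC header and body: beacons, probes
    and association requests are never encrypted, so a passive sniffer sees
    exactly these values whether or not the network uses WEP or WPA.
    """
    if len(frame) < MAC_HEADER_LEN:
        raise ValueError("frame shorter than a management header")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    if subtype not in SUBTYPE_NAMES:
        raise ValueError("unsupported management subtype 0x%x" % subtype)
    mac = ":".join("%02x" % b for b in frame[10:16])   # Address 2 = transmitter
    pos = MAC_HEADER_LEN + FIXED_BODY_LEN[subtype]
    ssid = None
    while pos + 2 <= len(frame):                       # walk the information elements
        ie_id, ie_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + ie_len]
        if len(data) != ie_len:
            raise ValueError("truncated information element")
        if ie_id == 0:
            ssid = data.decode("utf-8", "replace") if ie_len else None
            break
        pos += 2 + ie_len
    return SUBTYPE_NAMES[subtype], mac, ssid


if __name__ == "__main__":
    ap = bytes.fromhex("00112233aabb")        # constructed AP MAC
    client = bytes.fromhex("0a1b2c3d4e5f")    # constructed client MAC
    samples = [(0x8, ap, b""),                # "hidden" beacon: SSID element is empty
               (0x5, ap, b"CorpNet"),         # AP answers a directed probe with the name
               (0x4, client, b"CorpNet"),     # client asks for the network by name
               (0x0, client, b"CorpNet"),
               (0x2, client, b"CorpNet")]
    for subtype, sender, ssid in samples:
        print(parse_mgmt_frame(build_mgmt_frame(subtype, sender, ssid)))
```

Run as a script it prints five tuples: the beacon shows a MAC and no SSID, the other four show the same MAC addresses together with the network name. The MAC in the second column of every line is the value a MAC filter whitelists, and it is readable without any key.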

LEAP authentication: The use of Cisco LEAP authentication continues to be the single biggest mistake that corporations make with their wireless LAN, because they leave themselves wide open to attack. LEAP's logon is an MS-CHAP style challenge/response sent in the clear, so anyone who captures one exchange can run an offline dictionary attack against the user's password. Cisco still tells its customers that LEAP is fine so long as strong passwords are used. The problem is that strong passwords are an impossibility for humans to deal with. If you doubt this, try a password audit of all the users in your organization and see how long it takes to crack 99% of the passwords. 99% of organizations will flunk any password audit for most of their users within hours. Any attempt to enforce strong passwords will result in passwords written on sticky notes. Since Joshua Wright released a tool that can crack LEAP with lightning speed, Cisco was forced to come out with a better alternative to LEAP, and it came up with an upgrade to LEAP called EAP-FAST. Unfortunately, EAP-FAST still falls short in security with its default installation. Although Cisco makes LEAP and EAP-FAST freely available to partners for the client end, the same is not true for Access Points. LEAP and EAP-FAST are essentially two proprietary protocols that Cisco employs as a strategy to monopolize the Access Point market. There are open standards based EAP mechanisms like EAP-TLS, EAP-TTLS, and PEAP which are all much more secure than either LEAP or EAP-FAST, and they work on all Access Points and client adapters, not just Cisco's. Cisco supports the open standard EAPs just like everyone else, so you should always use open EAP standards to get better security and avoid hardware lock-in.

Disable DHCP: This is much more of a waste of time than it is a security measure. DHCP allows the automatic assignment of IP addresses and other configuration. Disabling DHCP has zero security value and just wastes time. It would take a hacker about 10 seconds to figure out the IP scheme of any network from the addresses in sniffed traffic and simply assign their own IP address. Anyone who tells you that this is a way to secure your wireless LAN doesn't know what they're talking about.

Antenna placement: I've heard the craziest thing from so called security experts, who actually tell people to only put their Access Points in the center of their building and run them at minimal power. Antenna placement does nothing to deter hackers. Remember, the hacker will always have a bigger antenna than you, which can home in on you from a mile away. Making a wireless LAN signal so weak only serves to make the wireless LAN useless. Antenna placement and power output should be designed for maximum coverage and minimum interference. It should never be used as a security mechanism.

Just use 802.11a or Bluetooth: Fortunately, I haven't heard this one for a while. There were so called security experts that went around telling people that they simply needed to switch to 802.11a or Bluetooth to secure their wireless LAN. 802.11a refers to a physical transport mechanism for wireless LAN signals over the air; it does not refer to a security mechanism in any way, and the same goes for Bluetooth.

Dishonorable mention: Some of you might be wondering why I didn't put WEP in as one of the six dumbest ways to secure a wireless LAN. In light of recent developments within the last 6 months, it takes only a few minutes to break a WEP based network, which makes WEP completely ineffective and a good potential future candidate for the wireless LAN security hall of shame. Where it currently fails to be in the hall of shame is that it still holds up for a few minutes, requires a little skill to launch the packet injection attacks, and isn't propagated as an urban legend for a secure wireless LAN. The top six require no skills, take less than a minute to crack, and are propagated as urban legend. However, that doesn't mean you should use WEP in any form or shape.

This blog wasn't just meant to be funny; it's serious business that so many organizations waste their time and money on worthless security schemes that give them a dangerous false sense of security. If you fall into any of these six categories, it's time to wake up and implement some real wireless LAN security. For those interested in some simple advice for their homes and small offices, check out my last blog.

http://blogs.zdnet.com/Ou/index.php?p=43

Media Files that Spread Spyware

March 8, 2008 – 4:05 PM

Users have a lot to worry about when downloading and playing media files. Are the files legal? Can their computers play the required file formats? Now there’s yet another problem to add to the list: Will a media file try to install spyware?

When Windows Media Player encounters a file with certain "rights management" features enabled, it opens the web page specified by the file's creator. This page is intended to help a content provider promote its products, perhaps other music by the same artist or label. However, the specified web page can show deceptive messages, including pop-ups that try to install software on users' PCs. Users with all the latest updates (Windows XP Service Pack 2 plus Windows Media Player 10) won't get these pop-ups. But with older software, confusing and misleading messages can trick users into installing software they don't want and don't need, potentially so many programs that otherwise-satisfactory computers become slow and unreliable.
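The trigger described above is embedded in the file itself, so a downloaded .wmv or .wma can be checked for it before any player opens it. The Python below is an added example for this page, not Edelman's test tooling and not a Microsoft API: it walks the header of the ASF container that Windows Media files use and reports any license-acquisition URL found in the two rights-management header objects. The object GUIDs are the ones published in the ASF specification; the `LAINFO` element name inside the extended rights object, and the sample file that `build_sample_wmv` assembles, are assumptions made for the example (the sample has only a header, no media data). The script tells you that a file will send the player to a web page and to which host; it cannot tell you whether that page is honest.

```python
import re
import struct
import uuid

# Object GUIDs from the ASF (Windows Media container) specification. On disk the
# first three GUID fields are little-endian, the layout uuid.UUID.bytes_le gives.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
EXT_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")


def _lv(data):
    """Encode a 32-bit little-endian length prefix followed by the bytes."""
    return struct.pack("<I", len(data)) + data


def _read_lv(payload, pos):
    """Decode one length-prefixed field at pos; return (data, position after it)."""
    (n,) = struct.unpack_from("<I", payload, pos)
    pos += 4
    if pos + n > len(payload):
        raise ValueError("length-prefixed field runs past the end of the object")
    return payload[pos:pos + n], pos + n


def _asf_object(guid, payload):
    """Serialize one ASF object: GUID(16) + total object size(8) + payload."""
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def _walk_objects(buf, offset, end):
    """Yield (guid, payload) for the objects packed back to back in buf[offset:end]."""
    while offset + 24 <= end:
        guid = uuid.UUID(bytes_le=bytes(buf[offset:offset + 16]))
        (size,) = struct.unpack_from("<Q", buf, offset + 16)
        if size < 24 or offset + size > end:
            raise ValueError("malformed ASF object size")
        yield guid, buf[offset + 24:offset + size]
        offset += size


def _decode_rights_xml(data):
    """Rights data is Unicode XML; accept UTF-16LE (with or without BOM) or 8-bit text."""
    if data[:2] == b"\xff\xfe" or b"\x00" in data[:4]:
        return data.decode("utf-16-le", "replace").lstrip("\ufeff")
    return data.decode("latin-1")


def find_license_urls(buf):
    """Return every license-acquisition URL found in an ASF/WMV/WMA header.

    Header Object layout: GUID(16) size(8) object count(4) reserved(1) reserved(1),
    then the nested header objects. Only the two rights-management objects are
    opened; everything else (stream properties, metadata, ...) is skipped by size.
    """
    if buf[:16] != ASF_HEADER_OBJECT.bytes_le:
        raise ValueError("not an ASF container")
    (header_size,) = struct.unpack_from("<Q", buf, 16)
    if header_size > len(buf):
        raise ValueError("truncated ASF header")
    urls = []
    for guid, payload in _walk_objects(buf, 30, header_size):
        if guid == CONTENT_ENCRYPTION_OBJECT:
            pos = 0
            _secret, pos = _read_lv(payload, pos)   # Secret Data
            _ptype, pos = _read_lv(payload, pos)    # Protection Type, e.g. "DRM"
            _keyid, pos = _read_lv(payload, pos)    # Key ID
            url, pos = _read_lv(payload, pos)       # License URL
            urls.append(url.rstrip(b"\0").decode("ascii", "replace"))
        elif guid == EXT_CONTENT_ENCRYPTION_OBJECT:
            data, _ = _read_lv(payload, 0)          # Data Size + Data (rights XML)
            # LAINFO element name is an assumption taken from WMRM headers, not the ASF spec.
            urls.extend(re.findall(r"<LAINFO>(.*?)</LAINFO>", _decode_rights_xml(data)))
    return urls


def build_sample_wmv(license_url=None, lainfo_url=None):
    """Construct a header-only sample for testing (constructed data, not a real file)."""
    nested = b""
    if license_url is not None:
        body = (_lv(b"\x01\x02\x03") + _lv(b"DRM\0") + _lv(b"KEY-0001\0")
                + _lv(license_url.encode("ascii") + b"\0"))
        nested += _asf_object(CONTENT_ENCRYPTION_OBJECT, body)
    if lainfo_url is not None:
        xml = "<WRMHEADER><DATA><LAINFO>%s</LAINFO></DATA></WRMHEADER>" % lainfo_url
        nested += _asf_object(EXT_CONTENT_ENCRYPTION_OBJECT,
                              _lv(b"\xff\xfe" + xml.encode("utf-16-le")))
    count = int(license_url is not None) + int(lainfo_url is not None)
    header_payload = struct.pack("<IBB", count, 1, 2) + nested
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", 30 + len(nested)) + header_payload


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, find_license_urls(fh.read()))
```

Run it over a directory of freshly downloaded media before opening anything; a clean file prints an empty list, while a file that would make the player fetch a page prints the URL, and the host in that URL is what you decide to trust or not.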

I recently tested a WindowsMedia video file, reportedly circulating through P2P networks, that displays a misleading pop-up which in turn attempts to install unwanted software onto users’ computers. I consider the installation misleading for at least three reasons.

1) The pop-up fails to name the software to be installed or the company providing the software, and it fails to give even a general description of the function of the software.

2) The pop-up claims “You must agree to our terms and conditions” — falsely suggesting that accepting the installation is necessary to view the requested WindowsMedia video. (It’s not.)

3) Even when a user specifically requests more information about the program to be installed, the pop-up does not provide the requested information — not even in euphemisms or in provisions hidden mid-way through a long license. Clicking the pop-up’s hyperlink opens SpiderSearch’s Terms and Conditions — a page that mentions “receiving ads of adult nature” and that disclaims warranty over any third-party software “accessed in conjunction with or through” SpiderSearch, but that does not disclose installation of any third-party software.

On a fresh test computer, I pressed Yes once to allow the installation. My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting, including at least the following 31 programs: 180solutions, Addictive Technologies, AdMilli, BargainBuddy, begin2search, BookedSpace, BullsEye, CoolWebSearch, DealHelper, DyFuca, EliteBar, Elitum, Ezula, Favoriteman, HotSearchBar, I-Lookup, Instafin, Internet Optimizer, ISTbar, Megasearch, PowerScan, ShopAtHome Select, SearchRelevancy, SideFind, TargetSavers, TrafficHog, TV Media, WebRebates, WindUpdates, Winpup32, and VX2 (Direct Revenue). (Most product names are as detected by Lavasoft Ad-Aware.) All told, the infection added 58 folders, 786 files, and an incredible 11,915 registry entries to my test computer. Not one of these programs had shown me any license agreement, nor had I consented to their installation on my computer.

I retained video, packet log, registry, and file system logs of what occurred. As in my prior video of spyware installing through security holes, my records make it possible to track down who’s behind the installations — just follow the money trail, as captured by the “partner IDs” within the various software installation procedures. When one program installs another, the second generally pays the first a commission, using a partner ID number to track who to pay. These numbers make it possible to figure out who’s profiting from the unwanted installations and, ultimately, where the money is going.

http://www.benedelman.org/news/010205-1.html

DNS Attacks Expose Key Flaws

March 8, 2008 – 4:04 PM

The steady rise in phishing attacks in the last year, coupled with increasingly sophisticated scams such as “pharming” attacks, is driving interest in technology to lock down critical components such as e-mail and Domain Name System.

But bigger changes to the underlying Internet infrastructure may be needed, according to interviews with industry experts who will be addressing the issue at the Interop show in Las Vegas this week.

Reports of phishing attacks grew an average of 26 percent each month between July of last year and February of this year, according to the Anti-Phishing Working Group, an industry association.

In recent weeks, APWG and The SANS Institute’s Internet Storm Center warned of new attacks such as “pharming,” or “phishing without a lure,” that attack DNS servers and silently route unsuspecting Web surfers to phishing Web sites, or sites that download malicious code.

The new attacks expose weaknesses in critical Internet infrastructure such as DNS, said Mike Hyatt, president and CEO of BlueCat Networks Inc., which makes secure hardware appliances for DNS and DHCP (Dynamic Host Configuration Protocol).

http://www.eweek.com/article2/0,1759,1790658,00.asp