Sunbelt Software, one of the leading developers of security software and hardware, has found large amounts of websites that are there only to stuff malware onto your computer, and these websites are listed high on search terms for search engines like Google, Yahoo and Live. A user whose patches are not up to date that clicks on one of these websites, will be force fed a diet of malware that could cause their machine to just die, or worse, monitor and track everything they do online.
The good news is, if you are fully patched, you shouldn’t have much to worry about, also, if you actually look at the websites you are going to visit before you click them, you can tell if they are good results or not. All of the websites I have seen listed are nonsense name, .cn domain names, etc. Check out this image that I grabbed from the Sunbelt site.
See all of the domain names that are in the highlighted red boxes? Those are the types of domains they are using, as an example, lkasjdfkjt.com, so don’t click on any of those links, also be careful of the .cn domain names, as they are using many of those. Google has been notified of the problem and have already removed some, but I can still find some of the sites right now, so there is more work to be done.
As the guy from Hill Street Blues used to say, “Hey, lets be careful out there.”
Here are some mentions about this problem on the Sunbelt and other sites.
BREAKING: Massive amounts of malware redirects in searches The original post about this problem from Sunbelt Software, here is a follow up post from them, Malware redirects: The aftermath.
Update: Subverted search sites lead to massive malware attack in progress Trojans, rootkits, password stealers hit users who click on a bad link after a search.
Malware Poisoning Results for Innocent Searches Tens of thousands of malware-serving pages, crafted to reach a high search engine ranking, are showing up in the first page of returns from Google, Yahoo and Live.
Microsoft patents the mother of all adware systems Instead of quoting the whole article or trying to re-write it here, click the link and read for yourself some of the information unearthed in a patent filing by Microsoft which Ars Technica says would be the mother of all adware. But that?s a good thing because the patent says so. “It would inspect “user document files, user e-mail files, user music files, downloaded podcasts, computer settings, computer status messages (e.g., a low memory status or low printer ink),” and more. How could we have been so blind as to not see the marketing value in computer status messages?” Sounds great……not.
Ransomware… Holding Corporate America Ransom! Have you been targeted by ransomware? Did you get a message similar to this one?
“Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA). You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: email@example.com and provide us your personal code -xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data — Glamorous team.”
Prevx.com says hold up before you pay anything, they already have a decryptor for the files. They have a good program, it has removed some stuff on computers I have scanned that nothing else would, Spybot, Adaware, Ewido, etc.
How Good Are You at Recognizing Fake Websites and Spam Emails ? Think you are good at spotting phishing websites and emails? Take the test from McAfee and see for yourself.
Just wanted to post a quick comment on those damn third parties that companies like Direct Revenue and Zango/180solutions always seem to blame.
If it wasn’t for those third parties they blame, no one would have their crapware/adware installed on their pc’s, and these companies know it, that is why they use them. Let others do it, and blame them when they get caught. Lather, Rinse and Repeat. It’s win win for adware companies, they get their “software” installed on millions of pc’s and make boatloads of money doing it, all the while blaming these damn third parties. Apparently it has worked very well for Direct Revenue, after bringing in 23 million by installing their adware on millions of computers using security holes, drive by downloads and however else they could get it installed, they have just hit with a fine from the FTC for 1.5 million dollars.
According to the FTC’s charges, Direct Revenue and its affiliates installed adware, including programs that produced pop-up ads, on users’ machines without properly disclosing what the software would do. In some cases, Direct Revenue affiliates exploited browser security flaws to install adware. The result, said the FTC, was “unfair and deceptive methods to download adware onto consumers’ computers and then obstruct them from removing it.”
Under the agreement, New York-based Direct Revenue will pay $1.5 million as “ill-gotten gains.” The marketing company is also barred from delivering ads to anyone who installed its software before Oct. 1, 2005, unless they respond to specific opt-in messages.
“Direct Revenue is pleased with today’s settlement,” the company said in a brief statement posted to its Web site. Source: Adware maker settles with FTC for $1.5M
Of course they are pleased with the deal, who wouldn’t be happy they could make over 20 million after fines. Jon Leibowitz criticized the size of the settlement, glad someone did, he said in his dissent that he would rather go to trial and risk losing than allow these losers to line their pockets with 20 million. We still have some hope that the State of New York will do the right thing and hit them really hard.
Oh, and all of those new articles talking about the settlement that talk about it being popup ads, like this one from the LATimes, Marketer behind pop-up ads to pay $1.5-million penalty, really do the whole thing a dis-service, in my opinion.
Thought I would do a wrap-up of today?s spyware and adware stories, combine all of these slack jaws in one post of kicking their ass goodness. Ben Edelman posted his findings on Zango today, and surprise, surprise, Zango is still not compliant with the FTC requirements of the settlement. But who really thought they would be, I mean, the business model is eventually going to go away, if merchants who advertise through spyware or adware would actually start to care about their customers, and affiliates who actually force this stuff on users computers would get cut off by Google and other search engines, like normal webmasters do all the time, the money would dry up and they would blow away.
Ben and Eric Howes did all the testing this month, so this is not old stuff, this is stuff they found in about ten hours of work, something any merchant or official could find by just surfing some of these sites. Things like not having proper disclosure, or showing the disclosure after installation, or no disclosure whatsoever, legacy programs without the proper installation or un-installation tools, deceptive practices leading to installs and unlabeled advertising, all of which violate the terms of the settlement with the FTC.
More broadly, we believe intensive ongoing monitoring will be required to assure that Zango actually complies with the settlement. We have spent 3+ years following Zango’s repeated promises of “reform,” and we have first-hand experience with the wide variety of techniques Zango and its partners have used to place software onto users’ PCs. Testing these methods requires more than black-letter contracts and agreements; it requires hands-on testing of actual infected PCs and the scores of diverse infection mechanisms Zango’s partners devise. To assure that Zango actually complies with the agreement, we think the FTC will need to allocate its investigatory resources accordingly. We’ve spent approximately roughly 10 hours on the investigations leading to the results above, and we’ve uncovered these examples as well as various others. With dozens or hundreds of hours, we think we could find many more surviving Zango installations in violation of the proposed settlement’s requirements. We think the FTC ought to find these installations, or require that Zango do so, and then ought to see that the associated files are entirely removed from the web. Source: Ben Edleman
Zango doesn’t care, I believe everything they do is just to delay the inevitable and to soak up more money while they still can, if the fines imposed in the future are anything like this last one, then they will have plenty of money left to retire on I am sure, or to start some other shady means of making money. Nothing they say comes true, as far as I have seen, in their reply to the settlement they have said they have been compliant since January 1, 2006, which, as you can see from this article is not true at all. The FTC needs to take a look for themselves, it’s out there and is sure easy to find.
Speaking of the FTC, they announced last week that a U.S. district court has shut down a Web operation that is accused of secretly loading spyware and other malevolent software onto millions of computers after promising users free screen savers and video files. Now where have we heard of this before?
The FTC accused ERG Ventures and an affiliate with tricking consumers into downloading a piece of spyware called Media Motor, which installs itself and downloads other malware.
The malware was difficult for consumers to remove, the FTC said. The malware installed by Media Motor:
- Changed consumers’ home pages
- Added difficult-to-remove toolbars that display disruptive pop-up ads in consumers’ Internet browsers
- Tracked Internet activity
- Generated disruptive pop-up ads that were occasionally sexually explicit
- Added advertising icons to consumers’ Windows desktop
- Degraded computer performance
- Disabled antispyware and antivirus software
Source: PC World
the complaint names ERG Ventures, doing business as ERG Ventures LLC2, Media Motor, Joysticksavers.com, and PrivateinPublic.com, and its principal operators, Elliott S. Cameron, Robert A. Davidson II, and Gary E. Hill, as well as Taylor. They ask that anyone who has had any experience with them to email them at firstname.lastname@example.org.
So, looks like it’s going to be another good day for the good guys.
Zango, formerly 180Solutions, and the poster child for denying obvious stuff, have agreed to settle Federal Trade Commission charges that they used unfair and deceptive methods to download adware and obstruct consumers from removing it, in violation of federal law. The settlement bars future drive by installs, and most any other way of forcing this crap on users computers. they must actually provide a way to uninstall the crapware, and requires them to give up $3 million in “ill-gotten gains”, which is straight from the FTC site. I wonder if they actually figured out how much they made in “ill-gotten gains” and why it was only a $3 million dollar fine, they have always been shady, all one has to do is search for their names on Google to see it, and I remember reading they used to have a counter that counted how much money they made that day, so why just $3 million?
Here are some quotes from the agreement,
According to the FTC, Zango often used third parties to install adware on consumers? computers. The adware, including programs named Zango Search Assistant, 180Search Assistant, Seekmo, and n-CASE, monitors consumers? Internet use in order to display targeted pop-up ads. It has been installed on U.S. consumers? computers more than 70 million times and has displayed more than 6.9 billion pop-up ads. The FTC alleges that Zango?s distributors ? third-party affiliates who often contracted with numerous sub-affiliates ? frequently offered consumers free content and software, such as screensavers, peer-to-peer file sharing software, games, and utilities, without disclosing that downloading them would result in installation of the adware. In other instances, Zango?s third-party distributors exploited security vulnerabilities in Web browsers to install the adware via ?drive-by? downloads. As a result, millions of consumers received pop-up ads without knowing why, and had their Internet use monitored without their knowledge.
In addition, the agency alleges that Zango deliberately made it difficult to identify, locate, and remove the adware once it was installed. For example, Zango failed to label its pop-up ads to identify their origin, named its adware files with names resembling those of core systems software, provided uninstall tools that failed to uninstall the adware, gave confusing labels to those uninstall tools, and installed code on consumers? computers that would enable the adware to be reinstalled secretly when consumers attempted to remove it.
The settlement bars Zango from using its adware to communicate with consumers? computers ? either by monitoring consumers? Web surfing activities or delivering pop-up ads ?
without verifying that consumers consented to installation of the adware. It bars Zango, directly or through others, from exploiting security vulnerabilities to download software, and requires that it give clear and prominent disclosures and obtain consumers? express consent before downloading software onto consumers? computers. It requires that Zango identify its ads and establish, implement, and maintain user-friendly mechanisms consumers can use to complain, stop its pop-ups, and uninstall its adware. It also requires that Zango monitor its third-party distributors to assure that its affiliates and their sub-affiliates comply with the FTC order. Finally, Zango will give up $3 million in ill-gotten gains to settle the charges. The settlement contains standard record keeping provisions to allow the FTC to monitor compliance. Source: FTC
I wonder how this will work out. As Hoyt is fond of saying, NOT TOO GOOD! This is more of a moral victory than anything, and it does include a PDF, here, which defines express consent, and it excludes burying the information that the user is getting additional software with their download in the user agreement.
I talked in an earlier post, Microsoft MVP Pushes Adware, about a software developer who pushes the LOP adware program in his software. Looks like Microsoft has removed him as his personal profile returns an invalid profile page. Glad to see Microsoft step up and look at his admission again.
I always thought I would like to be considered a Microsoft MVP, I thought it was a great way to recognize people who go out of their way to help people, for those who don’t know what it is, this is from the Microsoft site,
Microsoft?s Most Valuable Professionals (MVPs) are recognized, credible and accessible individuals with expertise in one or more Microsoft products who actively participate in online and offline communities to share their knowledge and expertise with other Microsoft customers. Customers want an enriched pool of knowledge and real-life experience to tap for advice and feedback. MVPs are helping to satisfy this need by independently enabling customers in both online and offline technical communities. Customer feedback is vital to product development and R&D. The MVPs represent an important part of this feedback loop by providing another link for Microsoft to listen to the customer.
The Most Valuable Professional Program is the way that Microsoft formally acknowledges the accomplishments of these individuals for their contributions to community. It is focused on fostering a vibrant global community where Microsoft and customers learn about each other through valued ongoing relationships. The key strategies the program employs are:
Recognize and engage with MVPs worldwide?Identify, enable and empower community influencers through a consistent quality customer relationship with Microsoft that spans product groups, services, and field organizations.
Improve customer connection and satisfaction?Recognize more customers for their efforts and improve the quality of the experience on their turf and in their language.
Drive program excellence?Professionalize services, customer offerings and worldwide roles and responsibilities to become more predictable and accountable to both internal and external Microsoft community customers.
The MVP Program, in existence for over eleven years, is represented by over 2,600 MVPs in 81 countries. Source: Microsoft
Well, apparently I was wrong, as they have recently awarded MVP status to a software developer, named Patchou AKA Cyril Paciullo, creator of Messenger Plus!, who pushes adware in his software, and not just any adware, its a hijacking, change your browsers homepage and add icons to your desktop love fest. LOP. LOP? Can you believe that? LOP has been causing people trouble forever. Microsoft’s own program, Virustotal detects this guys program, Windows Messenger Plus!. I wonder if the person responsible for selecting the MVP’s is actually doing his homework?
Recently, Microsoft blocked the spreading of Trojans on the Messenger network by blocking .pif files, two out of the three viruses at the time were using .pif files to spread themselves. How did that work?
Not too Good!
Apparently, all the hackers had to do was change the extension to .PIF, or .Pif or .pIf, and the filters let the messages flow on through.
Each of the links lead to a different Trojan-downloader. The downloaders download a variety of adware and adware-related Trojans.
Moreover, IM-Worm.Win32.Licat.c is also downloaded, which in turn launches a new mass mailing of the original message. Nothing unusual, right?
Wrong! Both worms spread using links to .PIF files. But some of you might remember that Microsoft blocked messages containing “.pif”?
Yes they have, but… the MS block is case sensitive!
So the criminals used capital letters, “.PIF” and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.
One of the best solutions for all instant messaging users is to only allow people on your buddy list to send you messages, while this wont block the viruses that your friends contract, it will at least block the ones from EVERYONE else. Then you still have to decide whether you really want to click on these links at all, it would probably be safest to message them back real quick and ask what it is, if they don’t know what link you are talking about, then they probably have a virus. As always, update your anti-virus, scan for spyware frequently and lets be careful out there.
Update: According to their weblog, here, MSN has fixed the problem with the different pid extensions working.
Trying to make sure I have pages for what people search for on this site, another term that has been searched for frequently of late is free spyware removal. So here are a bunch of links to the best free spyware removal programs. You can’t really be protected without using multiple programs, so I recommend you do all of these at one time or another, if you are having trouble with something, then I recommend doing them all.
Ewido Anti Spyware Ewido Security Suite supplements existing safety systems and becomes a complete solution, because only a complete safety system is effective. We offer protection in real time against more than 67,000 threats and our malware database is updated daily. Used to be Ewido anti-malware, this program removes a lot of stuff the other programs can’t. I had some malware for a couple weeks once until I found this program. Run it first.
Spybot Search and Destroy Spybot – Search & Destroy can detect and remove a multitude of adware files and modules from your computer. Spybot also can clean program and Web-usage tracks from your system, which is especially useful if you share your computer.
Lavasoft Adaware With the ability to scan your RAM, Registry, hard drives, and external storage devices for known data-mining, advertising, and tracking components, Ad-Aware SE easily can clean your system, allowing you to maintain a higher degree of privacy while you surf the Web.
Spywareguide Online Scan Free scan, can’t remove the really complicated stuff, but it’s quick and free. Definitely worth a shot.
Are screensavers really a problem? Asks a siteadvisor blog entry, and according to their results, they are, big time.
We counted 318 children?s television programs currently airing on English language networks in the United States. We decided to search for screensavers for each of these shows to see how risky it is to put a Rugrat, a Powerpuff Girl or a Flintstone on a desktop.
Each of the three aforementioned programs all returned 50% or more risky sites on Google’s first page of search results. And that’s just the tip of the iceberg. A staggering 85% of all kids TV show screensavers searches returned at least one dangerous site on the first page. 20% of all shows returned search results where half or more of the sites were risky. A child or parent who searches for a Gilmore Girl or Kenny the Shark screensaver and clicks randomly on the results has a 60% chance of landing at a risky site.
The Power Rangers were number one with 81.8% of sites in the results leading to sites with red links and yellow links.
Some adults may take the time to learn about these programs. But children are especially vulnerable to blindly clicking yes at each prompt & then the family PC is infected with adware and worse.
And thats how lots of adware gets on pcs at home, kids don;t know any better and blindly click yes to prompts that pop up, just because they want whatever they were searching for.
This article references an article that I wrote at Realtechnews.com called Warner Bros Partners with 180Solutions, that I followed up at Revenews.com called More on WarnerBros and 180Solutions. One of these years, we may be able to get rid of adware and spyware, if more merchants, like WarnerBros, will end their relationship with them.