My Adware Adventure

You know what I did for, oh, about sixteen straight hours, a few days ago?

I hunted adware.

I'm so ashamed.

I ran one little program I shouldn't have. Firefox 2.0 did actually give me its "dude, I really wouldn't download stuff from here if I were you" warning about the site, but I did it anyway. I trusted the file to be harmless just because a couple of virus checkers said so. In the adventure that followed I found out about an "online malware scan" page that lets you submit any file for easy multi-checker analysis - not that that would necessarily have helped.

Anyway, that's all I did. Executed one little program, saw one brief flicker of a command prompt window, started my descent into heck.

Because one little slip like that is, of course, enough to allow the corpsefelching murderbait who make their money by frightening grandmothers into paying for things like System Doctor and WinAntiVirusPro to leap upon my computer in much the same quivering, sweaty way that I imagine they leap upon small children. And, needless to say, their own mothers.

All I got were adware pop-ups and a few dumb-ass toolbars and such desperately attempting to install themselves, but this nuisance-level problem was extraordinarily persistent.

I'm sure some of you are familiar with the symptoms. You run one or another spyware killer, and it finds various problems and gets rid of them (the mania of anti-spyware programs for describing 90% of all known cookies as a screaming-klaxon "infection" is a subject for another day...), but you know you haven't actually dealt with the problem, because weird-named DLLs and EXEs that you can't delete keep popping up in windows\system32. And crap in the registry matching those files' names, of course. You can delete the registry entries, but they always come back, as do the files, if you or your spyware-killing software manage to delete them.

I have, however, finally gotten rid of the problem, by using an excellent tool that I didn't previously know existed. This is probably the outside scoop for most of you, since my skillz are sufficiently 1337 that I haven't even had to think about installing any sort of anti-malware app since Ad-Aware was the one and only option (digression: Word, Ray!). But perhaps you haven't been keeping up with the malware/anti-malware arms race for the last couple of years either, and I've suffered The Curse of 1001 Reboots for a couple of days. So I figure you all ought to share some of the pain.

What I tried before I found the one tool that worked:

Spybot-S&D, which successfully spotted all of the crap being dropped, but did not spot the dropper, so it all kept coming back.

Ad-Aware, which doesn't seem to be much use any more.

Windows Defender, which was worthless. Windows Defender used, of course, to be GIANT AntiSpyware before Microsoft took it over, and people spoke well of that, so I can believe that it's useful for something. Didn't do dick for me, though.

The Ewido online scanner. Which found something, I think, but didn't fix the problem. I have no clear memories of it, since I was hitting my head on the desk pretty hard around then.

Oh, and the Trend Micro online spyware scan, which I gave up on after it had been running for twenty-six hours without finishing.

Avast and AVG, neither of which noticed anything. They're antivirus programs rather than spyware/adware spotters, but these categories are blurring together.

HijackThis, over whose logs I diligently pored. I knew what every single thing in there was, and not one process had anything to do with the churd-gobbling malware.

A Knoppix boot disc, which didn't help much because it can't write to NTFS disks.

A BartPE boot disc, which was more useful, but still didn't really get me anywhere. You can install anti-malware programs as plugins for BartPE, but they generally don't work very well, because they look for malware on the running system. That, of course, is the clean BartPE environment from which you just booted, rather than the dirty hard disk Windows install from which you just didn't.

If you're dedicated enough to put together a BartPE disc containing a registry editor that can load a registry other than the one it booted with, then you can boot BartPE and load the registry from your hard drive and screw around with it. But this was starting to seem like entirely unnecessary effort to me, because I was going to find the people responsible for the spyware and do something to them with, oh, I don't know, maybe a salami slicer, after which I would presumably be put somewhere where my computer would not be available anyway.

Booting BartPE or some other NTFS-capable alternative OS allows you to look at the files created by the malware when they're not multi-locked by important Windows processes (you can only unlock such files by killing those important Windows processes, and then your computer's broken and can't go on to actually do whatever it was that you wanted to do to the now-unlocked files). Looking is about all you can do, though; if you delete them they'll come back when you restart, and many of them are automatically deleted by the spyware as the system shuts down, anyway.

Various spyware uses this horrible strategy now. It's like a highly evolved version of the old Robin Hood And Friar Tuck story.

Oh, and in case you're wondering, yes, I booted into Safe Mode. Oh, boy, did I boot into Safe Mode.

I became quite intemperately angry about all this. My computer is, to a large extent, where I live. Many crapware victims are fairly mystified by even a perfectly working computer and so aren't necessarily especially irked when windows advertising fraudulent antivirus programs keep popping up, because hey, that's just one more thing they don't understand.

When you do understand and expect the correct behaviour of your computer, though, this sort of thing is like someone breaking into your house just to piss on your bed.

And this crapware may be as persistent as herpes, but apart from that it's not even well-written. One of the pop-ups I kept getting was a series of Firefox tabs (which probably wanted to be Internet Explorer windows) that were obviously getting their "URLs" from some file that wasn't being parsed properly. The result was an attempt to open this, and some other HTML header stuff that Firefox I'm Feeling Luckied into http://www.xhtml.com/en/xhtml/reference/, http://www.strict.com/ and http://www.5,.com/.

This made it feel as if the person who kept breaking into the house and pissing on the bed was doing that because he actually wanted to steal the TV, but did not know what a television looked like.

I suppose if you investigate spyware for a living you build up some tolerance for the sheer subhuman exterminability of the people responsible. But I'm not quite there yet. You strap 'em into Old Sparky, I'll throw the switch. Or, more realistically, join the queue for my chance to do so.

Anyhoo, after all this, I stumbled upon Prevx1, when I searched for the name of one of the numerous strange DLLs that kept appearing in my system32 directory.

(Malware writers don't yet, at least, seem to have figured out how to give their files misleading dates. So if you order files by Date Modified, you can easily see the ones that were created on the day when your computer got the clap.)

Prevx1 is a commercial product, but it's got a fully functional trial period - it's not one of those stingy programs that scans for ages, finds a long list of scary problems, then tells you you've got to pay if you want them fixed.

[UPDATE: At some point after I originally wrote this post, Prevx morphed their software into "Prevx CSI", which is now the same "ransomware" as many other commercial spyware killers. It finds infections, but won't kill almost any of them until you pay for a license. I have no idea whether the new version of Prevx currently works any better than the genuinely free anti-spyware options like Ad-Aware and Spybot S&D. Actually, I suspect SUPERAntiSpyware to be the best of the freeware crop, as of mid-to-late 2008.]

It brings to malware-hunting the collaborative user-network approach that's already been employed in spam-fighting. This approach only works better than the traditional kind of virus-definition-file system if you've got a well-connected network of users, but Prevx1 does.

And Prevx1, finally, worked.

It cleared that adware right up, leaving one still-mildly-locked but easily deleted file, and a few deactivated files and pointless registry entries, plus their symptoms like an unconnected Add/Remove Programs entry for some toolbar or other. Oh, and a few more of those cookies that Spybot and the rest think are such a big deal. CCleaner tidied most of the unconnected registry garbage for me.

Anyway, if I'd tried Prevx1 first, none of the other crap would have been necessary. A regular user would be happy with the unadorned result of the Prevx1 scan.

Without Prevx1, though, it would have been damn close to impossible to clean the computer from this one, single, 28-kilobyte-file-induced infestation, without formatting the boot drive and reinstalling.

Since Prevx1 managed to fix it, I presume someone with spare time, an outboard registry editor and a few Sysinternals tools could have done the same thing. That rules out most of the people who're paid to clean up spyware for others, though, and sure as hell rules out nearly every plain old user who would like to clean their own computer.

Plenty of spy/ad/whateverware infestations are less horrible than mine, but I'm willing to believe that a lot of them are a great deal worse, given the enthusiasm of ordinary users for (a) sticking with the default Windows root access and (b) installing every darn thing they see, just to see whether the little Desktop Stripper will get it on with BonziBuddy and the Crazy Frog.

In the olden days, support people who just told callers to reinstall Windows were taking the easy way out. They may have had to do it, given the number of callers they had to get through, but reinstalling was still not by a long shot the optimal recovery strategy for almost any problem.

These days, though, I think it's quite likely that many spyware infestations just can't be fixed by any means less annoying than nuking from orbit. Prevx1 fixed mine, and perhaps it'll go from strength to strength and become the go-to guy for all such problems for the foreseeable future, but I wouldn't bet on it.

Given this fact, and also given the vast amount of time wasted and pain caused by crapware of all kinds, I suppose it would still be uncharitable of me to suggest that the persons responsible could benefit greatly from, say, having a glass turkey baster jammed up their penis, which could then be struck smartly with a club hammer.

I've had a while to develop some perspective now, though, and I'm afraid I really can't see another way.

UPDATE: As I mention here, Prevx have a malware database which you can search by filename.


Posted in Scams, Spam. 1 Comment »

Spooky spam

I've been getting huge quantities of almost identical pharmacy spams from numerous servers (Verizon, telefonica.es, home.nl, pppool.de... clearly a botnet at work, again) over the last couple of days.

The text of every one of them seems to be:

We want to present you a pharmacy bulletin dedicated to Christmas holidays!!!

We have researched different on-line pharmacy stores, which are based in United States and
sell men's health drugs such as Viagra, Cialis, Levitra, Propecia etc.

They get "excellent" rating grade and we strongly advise to use their service.

Viagra Professional - ($3.25 with Christmas discount)
Viagra Soft Tabs - ($3.28 with Christmas discount)
Cialis Soft Tabs - ($4.62 with Christmas discount)
Cialis - ($4.53 with Christmas discount)
Levitra - ($9.576 with Christmas discount)

Also we have such winners:

1. "Best Canadian on-line pharmacy store".
2. "Excellent" rating grade - "MyCanadianPharmacy" store.
3. "Best International on-line pharmacy store".
4. "Excellent" rating grade - "LegalRxMedications" store.

Sincerely yours,
American Consumer Association

So far, so unremarkable.

But every single one of these spams (well, all five that I just randomly checked) seems to be promoting a different URL for the exact same pharmacy.

There's ieeppt.rudver.net, ctbmgh.puriol.com, chfrmu.sviolnet.net, bfkang.histrayd.net and chnclm.aulferi.info in the five I checked, all of them tagged with affiliate-ish stuff like "http://ctbmgh.puriol.com/?88255812&men". They all currently lead to, I presume, the same physical server. But every one of them gets an "IP not found" error from SpamCop, so it discards them as fake URLs and doesn't even try to find who's responsible for them.

The plain non-subdomained versions of the URLs (www.rudver.net, www.puriol.com...) give you the same pharmacy site. SpamCop can't find an IP for them, either.

The domains all seem to be registered at Gandi.net, which seems to be a perfectly valid registrar that's presumably about to suspend them all. I hope Gandi didn't get paid with stolen credit cards.

I don't know what's going on with the un-look-uppable domains, though. This is a disturbing sign of competence from the botnet spammers, although they have once again hindered their message by repeating it far too many times.

Anyone got a clue about this?

Posted in Scams, Spam. 3 Comments »

Quack of the day

Some fraudulent medical practitioners go to great lengths to look genuine.

And then there's Doctor Oludare Samuel Olomoshua, of Wisdomite Spiripathology Healing Mission & Music Ministry Inc, which is based in Nashville Tennessee but has a mailing address in Nigeria. Apparently their mailbox can be found at "Coconut Bus Stop", which may be the best address ever.

(Doesn't everything good seem to be coming out of Nigeria these days?)

"Spiripathology" has the cure for everything, just like all the best quacks. Even if you're afflicted with "parenthesis".

(Of the colon, presumably. Perhaps even of the semicolon.)

Don't worry - Dr Olomoshua is fully qualified.

A judge who doesn't see the funny side has now ordered Olomoshua to knock it off. Apparently he's "treated" several hundred people; I'm guessing poor immigrants (maybe African) with little education. This contrasts with the usual victims of scammers in his witch-doctor-ish league, who are poor local white folk with little education.

This isn't to say that intelligent and educated people don't, every day, give their money to other medical scoundrels. Smart folk just demand a bit more of that pretending-to-be-genuine stuff, such as is provided by delectable human beings like Hulda Clark and one Ryke Geerd Hamer.

Hamer's sterling work you can, if you have a strong stomach, and I am not kidding at all about this, see here.

Phish Site Of Mystery

The file at this URL...

http://0xd1130a9c/eBayISAPI.dll

...opens just fine as a fake eBay login page in Internet Explorer, but triggers a file download in Firefox.

It's not just because of the .dll suffix. EBayISAPI.dll actually is the name of the eBay login page. You normally see it followed by a question mark and then miles of login cruft, without which it redirects to a you-screwed-up page. I don't know exactly how this copy of it is broken, but it clearly is, in Firefox at least.

(The obfuscated URL is, by the way, actually http://209.19.10.156/eBayISAPI.dll. I've received many copies of this phish, though, and they probably use lots of different servers; it's just that I've only now bothered to look at one in more detail.)

I suppose it's possible that the broken Firefox behaviour is by design, to constrain this phish's audience to the drooling masses in the IE world. The integrated Google Safe Browsing phish indicator in Firefox 2 works fine with this URL, but you have to manually cut the URL out of the phish e-mail and paste it into the Safe Browsing submit box if you want to submit it. Enough people have bothered to do that that the site does indeed have the ominous darkened look that Firefox gives suspected fakes, if you manage to trick it into loading. But Firefox users normally never get to see it - they just go straight to the confusing (and, at least, harmless) download box.

If you're using a browser that's quirk-friendly enough that it recognises that this file is renderable HTML (it's the usual code cut-and-pasted from eBay's real login page, with strategic edits), you get the fake login form, which submits (in this case at least) to http://members.lycos.co.uk/ineedmoney2/dukyy.php. That, at the moment, seems to redirect to another, already-shut-down, phish page.
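As an added example (not code from the original post), the Python below turns the hex-IP host form seen in this phish (http://0xd1130a9c/...) back into its dotted address, and goes slightly beyond the post by also handling the decimal, octal and partially dotted spellings of the same trick, plus a user@host prefix in front of the real host. It is the kind of normalization a phish-report handler or abuse desk would run before looking a URL up or submitting it to a blocklist; all sample URLs other than the two from the post are constructed.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]+")
_DEC = re.compile(r"[0-9]+")


def decode_numeric_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of an IPv4 host written as a number.

    Follows the classic inet_aton rules: one to four dot-separated parts,
    each hex (0x..), octal (leading 0) or decimal, and the last part fills
    every byte not covered by the earlier ones.  Returns None for anything
    that is not a numeric host (ordinary names, IPv6, out-of-range values).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if _HEX.fullmatch(p):
            values.append(int(p, 16))
        elif _OCT.fullmatch(p):
            values.append(int(p, 8))
        elif _DEC.fullmatch(p):
            values.append(int(p, 10))
        else:
            return None
    *lead, last = values
    tail_bytes = 4 - len(lead)
    # Leading parts are single bytes; the final part may span the rest.
    if any(v > 0xFF for v in lead) or last >= 1 << (8 * tail_bytes):
        return None
    addr = 0
    for v in lead:
        addr = (addr << 8) | v
    addr = (addr << (8 * tail_bytes)) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_phish_url(url: str) -> Tuple[str, bool]:
    """Rewrite a URL so its host is a plain dotted IPv4 address when it was
    written as a number, dropping any user:pass@ prefix that could disguise
    the real host.  Returns (normalized_url, host_was_numeric).
    """
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased and stripped of userinfo
    if host is None:
        return url, False
    dotted = decode_numeric_host(host)
    if dotted is None:
        return url, False
    netloc = dotted if parts.port is None else f"{dotted}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)), True


if __name__ == "__main__":
    # The URL from the post, plus a constructed user@host variant.
    for sample in ("http://0xd1130a9c/eBayISAPI.dll",
                   "http://signin.ebay.com@0xd1130a9c/eBayISAPI.dll"):
        print(sample, "->", normalize_phish_url(sample))
```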

You'd really think that ISPs would have some basic search bots scanning their hosted sites for pages called eBayISAPI-dot-anything, or titled "Sign In" or "BankName Internet Banking". There really can't be that many of those pages, and it'd be simplicity itself to set up an arrangement that lets a human scan through fifty of them a minute, see which ones look like phish pages, and disable the accounts that're hosting said pages.

(I dare say quite a few phishes are hosted on actual discrete privately owned servers sitting in the corner of a business office. But most of them are on servers that can be cut off by a hosting company.)

Perhaps some hosts are doing that already, but it's clear that most aren't. Because, of course, it'd cost money. Most phish pages are hosted on unsuspecting servers whose administrators left security holes open, and nobody wants their hosting cut off just because some miscreant happened to host a fake Amazon login page on their server for a while. That's the kind of thing that might cause the hosts to lose customers.

So, instead, we get the current situation, where the phish pages get to hang around for at least a day or two as the ISPs receive complaints and/or notice their IPs on phish lists, then tell the unwitting phish-hosting customer, then go back and forth for a while figuring out who has to fix the problem and how.

In the meantime, people get robbed.

As Bruce Schneier's pointed out so many times (talking about software, but hosting companies are in the software business too), the way to make businesses implement security is to force them to do it, financially. If they're not liable, if it doesn't cost more to be insecure than it costs to be secure, they'll stay insecure, no matter how many other people's lives are ruined by their unconcern.

You wouldn't get far by suing HostyPlace for the security misdeeds of its clients. But if you started suing the clients, they'd probably share the joy.

Posted in Scams, Spam. 8 Comments »

E-I-E-I-O

Today, I received in quick succession three boilerplate letters from one "Tim Kelly", who's proud to be in charge of the various link farms at you-name-it.clickdirectory.info.

He thought, all three times, that one or another page of dansdata.com was "fantastic", and would perfectly suit the content of three of his subdomains, and he'd already linked to me, and I could add my site to his invaluable directories at this page here, blah blah.

Even the more focussed sub-pages of clickdirectory.info contain, of course, a spray of links which struggle to even be relevant to each other. They are, as is normal for link farms, never even a tenth as useful to anybody as would be the first page of results of a Google search for the term in question.

Link farms are not just useless Web pages and sources of spam. If you actually fall for one of these e-mails and swap links with a farm, Google is quite likely to reduce your site's PageRank. Yes, link farms often manage to scrape together a bit of PageRank - but Google hate them.

It's perfectly safe to be linked to by a link farm, but if you link back to them you're declaring yourself to be part of the scam.

And there was much rejoicing

While I wasn't looking, Leo Stoller went bankrupt.

Yay!

In case you haven't been keeping tabs on the world's more obnoxious crazy people, Leo was the operator of a company called Rentamark, whose Web site is now dead. Stoller's companies' only reason for existence was to pretend they owned the trademark rights to large lists of dictionary words, despite the facts that (a) Leo conducted no business besides suing people for using his "Famous Marks", (b) the people he sued had often been using the name before Stoller had registered it, and (c) Leo sent out scattershot legal letters to anybody who ever used one of his precious words ever in any context, business or not, on the off-chance that they were dumb enough to give him some money just 'cos he sounded scary.

Leo never won a case and indeed could never win a case if he lived to be a million; worse lawsuits have been filed, but that doesn't say anything in Leo's favour.

But some major companies actually did settle with him rather than go to court. And that kept him going, for a while.

Read all about it in my letters column here, wherein is told the tale of a poor kid scared out of his wits by legal letters from this nut on the other side of the world.

Anyway, Leo's finally broke now. Not in jail, but broke. That's a start.

But have no fear - he's still got a blog!

[2009 UPDATE: That BlogSpot blog is now dead. Leo moved to rentamark.blog.com, but that now appears to belong to someone who's pretending to be a lion. The wit and wisdom of Leo Stoller can now be found at www.rentamark.net. This other blog.com blog serves, I think, as an interesting counterpoint to Leo's own writings.]

In it, Leo applies his towering intellect to many issues, like for instance the vital importance of voting Republican, for the sake of some people he thinks are called "General MaCarthur" and "Donald Rumsfelt" (awww, he must be all cut up about that, huh?), among other well-thought-out positions.

In many of his recent posts, Leo advertises his services as a very professional and important "trademark expert" with an, um, Hotmail address. But he screws up the mailto: link so there's a trailing slash on the end of "hotmail.com". That breaks the address.

It's visible right there on the page as well as in the mailto: itself, over and over, but Leo's eagle eyes ain't spotted it yet.

I doubt there are many people who are dumb enough to want to talk to Leo, yet smart enough to remove the trailing slash before sending their message.

The tell-tale string

I hate to tell you this, but the international money transfer tax for legal entities (companies) versus individuals in $SCAMCOUNTRY is not, in fact, (a) what they say it is or (b) a path to rapid riches.

(My own copy of this scam came, today, from someone who mistakenly thought I was in the USA and might be interested in an Australian-flavoured version. The nonexistent company was alleged to be in the macadamia nut business.)

Sometimes these scammers do the mail merge wrong and insert their company name where the spurious country name's meant to go, which makes things especially entertaining.

This is another permutation of the situation in which one scam might work, but many near-identical attempts are more likely to fail.

Of course, the target market for these scammers is people who don't think to Google a sentence of what they've been sent. So what we could actually be seeing here is a sieve to filter out the people who wouldn't follow through with this foolishness anyway.

Posted in Scams, Spam. 1 Comment »