Slashdot Mirror


Fox Says Web Bugs = Virus Risk

Bonker writes: "Fox News is printing an expose on 'Web Bugs' used in concert with HTML-mail spam. Along with outlining the dangers and the methods that Web bugs use to gather information, CERT's Jeff Havrilla is quoted as saying that these are pretty much ripe for illegally malicious activities, such as virus propagation. Havrilla says that Web Bugs would allow malicious virus creators to 'target' systems. Scary, wot?" *sigh* I can't even begin to describe how much the story irritates me - yes, there's truth to it. But it's more than just simple Web bugs - it's any sort of URL, given that you could create a unique URL for each spam. Take out the scare portion of the article, and just use the bottom line - don't click on spam URLs.

26 of 80 comments

  1. Re:Yup. by jridley · · Score: 2

    Well, as far as privacy goes, there you don't have to "fall for" web bugs. If you are set to view HTML mail with graphics, and you display the message, they've got you. That's because it goes to the server to get that GIF that's in the HTML, giving a unique URL, and the server says "Ahh, I see from the URL that joeblow@anycomp.com got the email!" and issues a 1x1 pixel transparent gif.
    The only way to not "fall for it" is to not display HTML mail. Either that or the reader could not display outside embedded stuff.

  2. Re:URLS and advertising by Coward,+Anonymous · · Score: 5

    Advertisers brought us magazines, daily newspapers, radio theater

    That's because they were paid by advertisers. With spam, nobody is paid to carry the ad, thus nothing is funded by the advertiser. Magazine advertisers pay magazine publishers who give us magazines, television advertisers pay television companies who give us television, spammers pay nobody so we get nothing. Spam isn't going to bring us anything, because spammers don't pay anyone.

  3. Re:URLS and advertising by orangesquid · · Score: 2

    Hmm... embedded HTML/images security risks, endless Java security alerts, 1x1 invisible tracking GIFs, the recent Flash plug-in security alert, all the problems with javascript...
    God, I'm glad I use lynx and pine. It's a shame though, when a site is inaccessible for those without javascrapt... what ever happened to "Click Here to see a Text-Only Version of this Page" ?

    --
    --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  4. Re:GetUserInfoEx? by _xeno_ · · Score: 2
    Wow, which API call tells viruses if the user is an idiot? As far as I know, that was the Love Bug's only significant system requirement.

    I'm way too late, but the answer is simple: Set the log to record the User-Agent: header. Presto, a list of all users who read the e-mail, what e-mail client they used, and for most clients, the OS they are running.

    This information can be invaluable:
    grep IE /var/log/httpd/access_log

    Presto, a nice list of everyone who accessed using some version of IE (I don't know what Outlook sets the User-Agent to). If you set it up to have a query string with the e-mail address recorded (ie, http://www.example.com/bug.gif?user@example.net - generated through your spam-script) your log suddenly includes the e-mail address too. This is how much information you can record and why this can be a threat - especially coupled with the fact that the most insecure clients download the images without user-option.

    --
    You are in a maze of twisty little relative jumps, all alike.
  5. Re:Why web bugs are NOT EVIL! by Cannonball · · Score: 2

    But is that in fact legitimate use at all? I don't always read what I get in the regular mail, yet there's no way for someone to tell, remotely, if I did read it. Why should there be in the email world?

    --
    So there I was. Naked. In a refrigerator. With a potroast on my knees. Smokin a cigar. That's when it got REALLY weird.
  6. Someone who has time ought to code this... by cswiii · · Score: 2

    I dunno if this will be any use to anyone, but here goes...

    Those web-bugs are so small that you can't easily right-click and block image from server. I started to put a page together a while ago where I take the webbug, as I find it, put it on a page where I've expanded height and width to 50x50, in order to be able to right-click and block em.

    I was thinking about writing a cgi that would allow people to enter an URL and offending page/company name and add to the page, but I've not had time to do it.

    If you want to see the page, click here. If anyone wants to help throw together the cgi for such a page, or even gets one going, contact me.

  7. Why web bugs are particularly evil by tbo · · Score: 3

    Web bugs are more evil than your average URL link because you have to click on the link, whereas a web bug (and the potential attached evil code) gets loaded automatically if you have an HTML-enabled mail viewer. Stuff like this is why I have intentionally avoided HTML-enabled mail clients. Automatically executing code from a remote, untrusted source is bad, kids.

    Why Hemos went on a rant, I don't know. Yes, the article doesn't mention URLs in spam, but that's because they're less insidious than web bugs. Presumably, if you click a spam link, you get what you deserve.

    1. Re:Why web bugs are particularly evil by ftobin · · Score: 2

      Web bugs are more evil than your average URL link because you have to click on the link, whereas a web bug (and the potential attached evil code) gets loaded automatically if you have an HTML-enabled mail viewer. Stuff like this is why I have intentionally avoided HTML-enabled mail clients. Automatically executing code from a remote, untrusted source is bad, kids.

      HTML email gets a bad rap. The thing people forget about HTML is that it is, at its core, a semantic markup language. HTML provides meaning to otherwise flat text. Flat text forces the author of an email to use how an email will look to get across meaning. On the other hand, HTML clients, done properly, allow the reader to decide how something will look.

      My dream is to have an HTML-aware client that accepts everything that is in the XHTML-Basic specification. XHTML-Basic allows basic semantic markup, disallowing presentational elements such as <font>, and uses CSS to provide presentation. However, the client can choose to ignore the CSS, if the user wants, leaving all presentational items up to the reader.

      In summary, plain, flat text for mail is one of the worst things we are plagued with. It mixes meaning with presentation. The author is forced to decide presentation, which is one of the biggest evils of communication. Presentation should be decided on the reader's end, with the message only containing semantic meaning; HTML allows this.

  8. Slashdot still has its own webbugs, of course by Chuck+Flynn · · Score: 2

    Load slashdot and check your source. Scroll down and look for this:

    <!--
    now = new Date();
    tail = now.getTime();
    document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/article.pl,");
    document.write(tail);
    document.write("' WIDTH=1 HEIGHT=1 BORDER=0>");
    document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/article.pl,");
    document.write(tail);
    document.write("' WIDTH=1 HEIGHT=1 BORDER=0><BR>");
    //-->
    </SCRIPT>
    <NOSCRIPT>
    <IMG SRC="http://images2.slashdot.org/Slashdot/pc.gif?/article.pl,978666575" WIDTH=1 HEIGHT=1 BORDER=0>
    <IMG SRC="http://images.slashdot.org/pagecount.gif?/article.pl,978666575" WIDTH=1 HEIGHT=1 BORDER=0>

    The latter is clearly a page-counting mechanism (or so it appears), but wouldn't the non-hypocritical thing to do still be to remove one's own webbugs before posting yet another exposé on the dangers of others' webbugs? At least for appearances' sake?

  9. URLS and advertising by perdida · · Score: 3

    Consider for a moment that, when perusing most media-- be it a magazine or your snail mail- you are accustomed to advertising in many forms. As a matter of fact, many new media are created for the very purpose of bringing ads to your eyes and ears.

    They created 3-d vision and smellovision in the movies because movie theaters, at that time, were major purveyors of advertising. Radio shows were sponsored by advertisers and all of their content was, in that sense, a form of spam.

    Why do we get angry when an ingenious marketer slips in an intrusive, but fundamentally harmless, web-bug? If the spam were a virus and crashed a system or deleted data, it would be counterproductive to the spammer's purpose, marketing.

    The freedom of advertising IS the freedom of the press. Advertisers brought us magazines, daily newspapers, radio theater, and many other aspects of our culture that have become highbrow, in some way BEYOND advertising. Give spammers respect- and a bit of freedom-- don't threaten them with punishing lawsuits and jail time! Otherwise, very few people without previously existing monolithic web presences will choose to do business on the Web. Remember, spam is the tool of the small business, the underdog- he who cannot afford the banner ads and other less obtrusive forms of advertising.

    1. Re:URLS and advertising by Mojojojo+Monkey+Inc. · · Score: 2

      You're going to find that most people's problem with spam isn't the advertisement itself.. I would have no problem if a spam email actually LISTED the real address it came from, and a subject line that indicated it was an advertisement. Most spam used to be this way even a year or two ago. Now nearly every single piece of spam I get comes from a bogus email address, with a phony subject line trying to trick you into thinking it comes from someone you might know, and just reeks of being some kind of scam.

      It also annoys me when I have to delete 50-100 spam messages a week, and hope that I don't delete anything important along with it. In the "old days" of advertising, getting your product out required some sort of cost to the advertiser. Now any idiot with an AOL account, a spam program, and a large list of email addresses can spew out junk messages non-stop, with virtually no cost to themselves, and at a high cost of annoyance to the receivers.

    2. Re:URLS and advertising by jrcamp · · Score: 2
      Slashdot has an ad on the top of each page. I choose to come to this site even though there is an ad. I understand that it is required to fund the site. This is my choice.

      I check my e-mail. I expect to be sent something that I requested. Be it by somebody asking my e-mail address or filling out a form, knowing that I would be contacted for a specific reason that I knowingly requested.

      Spam is typically not requested by individuals. Well, unless they are a masochist. I always have the option to see the Slashdot ad. I can simply avoid it by not visiting the site. I *requested* to see the site, and thus the ad. When one gets spam when checking their e-mail, they did not request that advertisement. Personally, I see it as intrusion onto my privacy, and do not appreciate it one bit, and I wish it were illegal.

    3. Re:URLS and advertising by stinkydog · · Score: 2

      For someone who holds spam in such high opinion why try to block it from your own inbox "journaSPAMlist.com".

      Who's to say that "an ingenious marketer" is going to stop at just knowing your IP. Why not load a keystroke monitor or some other spyware? Then they could skip that annoying "attract the customer" and start charging your credit card directly (no fair patenting my idea either).

      Marketing is an offensive weapon used against the consumer. If companies provided a good product at a fair price, they would inspire more brand loyalty than millions of marketing dollars. Too often companies use marketing to foist unneeded and unwanted products on consumers (to say nothing of 'get rich quick' and other scams).

      --
      "Who knew something as harmless as willful ignorance could end up having real consequences?"
  10. Re:Yup. by Lover's+Arrival,+The · · Score: 2
    Hi. Isn't this a bit elitist? Just because someone doesn't have a good knowledge of computers is no reason to sneer at them at all! People who know nothing about computers use them every day, and that means that we need to make sure that these tricks just do not exist at all.

    It seems only fair to me ;)

    --

    --Anticipation of a New Lover's Arrival, The

  11. the trick is web bugs are usually images by drenehtsral · · Score: 2

    The trick is that if somebody views the spam, as a convenience the browser loads the images specified in the tags, and most web bugs are 1x1 pixel images that the user doesn't notice, but still generate a get request, often with a cookie sent along with it. The average user is not going to find browsing/etc... with "auto load images" turned off a tolerable functional browsing experience.
    My solution is not to run an HTML-aware mail program. I delete anything that is not text/plain unless I'm _very_ sure of the source...

    --

    ---
    Play Six Pack Man. I
  12. Not always the case... by singularity · · Score: 3

    You say that HTML-enabled mail clients automatically download the web bug in question.

    Eudora for the Mac (but not for PC) has an option to not download remote HTML graphics. All HTML will be displayed, and all images sent with the message are displayed, but no remote server is accessed.

    This is A Very Good Thing. (tm)

    There are other possibilities out there.

    --
    - (c) 2018 Hank Zimmerman
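
Added example, not part of any comment in this thread: a Python filter that does what the Eudora option above is described as doing (keep the HTML and any attached `cid:` images, fetch nothing remote) and also flags the 1x1 and address-in-URL patterns described in the jridley and _xeno_ comments. The class name, function name, reason labels and sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


class RemoteImageAuditor(HTMLParser):
    """Re-emit an HTML mail body with remote <img> tags neutralised."""

    def __init__(self, recipient):
        super().__init__(convert_charrefs=False)
        self.recipient = recipient.lower()
        self.out = []        # pieces of the rewritten body
        self.findings = []   # (src, [reasons]) for each blocked image

    def _is_remote(self, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        parts = urlsplit(src)
        # cid:, data: and relative sources cause no fetch from a third-party server.
        remote = parts.scheme.lower() in ("http", "https") or (
            not parts.scheme and parts.netloc)
        if not remote:
            return False
        reasons = ["remote"]
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("1x1")                # invisible pixel
        if self.recipient in unquote(src).lower():
            reasons.append("recipient-in-url")   # address embedded in the URL
        elif parts.query:
            reasons.append("query-string")       # possible per-message token
        self.findings.append((src, reasons))
        return True

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self._is_remote(attrs):
            self.out.append('<img alt="[remote image blocked]">')
        else:
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # <img ... /> gets the same treatment

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def block_remote_images(html_body, recipient):
    """Return (rewritten_html, findings) for one HTML mail body."""
    auditor = RemoteImageAuditor(recipient)
    auditor.feed(html_body)
    auditor.close()
    return "".join(auditor.out), auditor.findings


# Constructed sample message body (not a real mail).
SAMPLE = (
    '<html><body><p>Winter story &amp; more</p>'
    '<img src="cid:logo@local" width="120" height="40">'
    '<img src="http://www.example.com/bug.gif?user@example.net" width=1 height=1 border=0>'
    '<IMG SRC="http://images.example.org/snow.gif">'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, findings = block_remote_images(SAMPLE, "user@example.net")
    for src, reasons in findings:
        print(",".join(reasons), src)
```

This covers `<img>` only; a client would apply the same rule to every other element that can trigger a remote fetch, such as stylesheets and frames.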
  13. GetUserInfoEx? by kaphka · · Score: 3
    For example, the Love Bug was a widespread virus sent via e-mail. But it was dumb -- it had no way to tell if the machine it sent itself to would be a good target for infection. It just crossed its viral fingers and sent itself along. Some computers fell for it; others didn't. Whether a computer got infected or not depended on the configuration of that machine.

    A virus that used the Web bug technique could essentially conduct a poll of potential victims to determine whether or not they would be good targets.
    Wow, which API call tells viruses if the user is an idiot? As far as I know, that was the Love Bug's only significant system requirement.

    (No matter how good your security is, you can't stop users from hurting themselves by running untrusted code. Scare tactics stories "virus threats" only make the problem worse.)
    --

    MSK

  14. But email bugs ARE a serious risk by fv · · Score: 5
    While Hemos says "just use the bottom line - don't click on spam URLs", he misses the point. The insidious nature of these emailed "web bugs" is that they DON'T require any clicking. Spammers hide the information in the URL of an invisible image which is automatically loaded by (stupid) HTML-based mail readers. Every time you open the message, the sender is notified and generally logs the time, location (IP) and email address of the person reading the email. They also frequently set an HTTP cookie so they can cross reference future browsing activity with your email address (which they know because they sent you the spam).

    Making matters worse, these email bugs have moved beyond the domain of "get-rich quick" and porn spam. Even companies you might consider legitimate have been doing this. One would think financial institutions would be particularly concerned about privacy, but I have found email bugs lurking in mail from both E*Trade and American Express.

    While these bugs aren't very effective against those of us who use pine, mutt, etc., they set a dangerous precedent. If users tolerate applications retrieving untrusted data from the net without notification or permission, we could see even worse abuses like this in the future.

    Unfortunately pressuring application vendors to respect our privacy is not always fruitful. And with closed-source applications, you often have no idea what they are up to. I was glad to see that some of the Windows "personal firewall" programs such as ZoneAlarm offer features that alert users to unexpected outgoing connections made by applications. Users can define notification policies based on their own privacy concerns. I haven't run across similar software for Linux, although it wouldn't be hard to write. And it isn't quite as important on Linux since fewer users download/buy untrusted binary-only programs.

    Cheers,
    Fyodor

    Concerned about your network security? Try the Free Nmap Security Scanner.

  15. How this happened by tbo · · Score: 3

    Normally, the "tag" (informative|offtopic|flamebait|etc) is set to whatever the last moderator modded the comment. However, Overrated and Underrated do not change the tag. What may have happened in this case is that Klerck posted his crap at 1, somebody gave it +1, Informative, then three different moderators gave it Overrated.

    Why overrated and not Flamebait, Troll, or Offtopic? Because the moderators are all cowards, and we don't want to lose karma in meta-moderation to some rogue meta-moderator. Moderation, meta-moderation, etc, only work if the majority of users are not trolls. Unfortunately, they are mostly trolls on Slashdot...

  16. UserIsIdiot() by tbo · · Score: 2

    Wow, which API call tells viruses if the user is an idiot? As far as I know, that was the Love Bug's only significant system requirement.


    Easy, you just check to see if they're running Windows. :-)

    (That was a requirement for the virus, so this isn't totally flamebait...)

  17. I predict by Travoltus · · Score: 2

    that these webbug things are nothing compared to what is coming.

    Spammers will pay big money to backbone providers and then they will be given the right to spam as they please. Of course blasting the backbone provider would be like pounding on your spinal cord out of spite.

    I also predict there will be an explosion of free ISPs. If the figures concerning profits from data profiling aren't as exaggerated as I think they are, the free ISPs will make good money from feeding customers to these spammers. They may very well push a few normal dialups out. Mix in a TOS which says you WILL not circumvent data profiling activity in the free ISP connect software, add a dash of DMCA, and you are no longer watching your monitor, it is watching you.

    The more likely scenario is the big fish ISPs will mutate into a gruesome hybrid of highly reduced priced unlimited service plans, with the TOS requiring you submit unconditionally to the data profiling behavior in their software.

    Need I suggest what horrors await if the free DSL thing takes off? Simply put the data profiling will be even faster and more efficient and more transparent.

    Like I said, the web bug thing is nothing. They can do far worse to you with a lower priced service with a diabolical TOS and proprietary DMCA-protected ISP connect protocol software (pppoe-freeDSL-8.0.dll, anyone?).

    Only the small time spammers will be still using web bugs after that.
    ========================
    63,000 bugs in the code, 63,000 bugs,
    ya get 1 whacked with a service pack,

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
  18. Truly elegant by Le+Pillsbury+Du+Bois · · Score: 4

    Web bugs are real and easily spread for some purposes. I received a chain email that had a funny story about winter. I am forced to use MS outlook, and even in the preview window, the email appeared with all its cute animated gifs. All the gifs were off a remote server. So whoever runs that server has a hit log of everyone this chain letter went to.

    Talk about power. Instead of a virus, it's a way to find out the architecture of people's networks. Sure, lots will be blocked by firewalls, but lots won't. There's also the potential to load large images (500k) off a target website. If the email spreads fast enough, it will be a distributed DOS.

  19. "...you could create a unique URL for each spam." by supine · · Score: 2

    ...you could create a unique URL for each spam.

    well you could, but that would defeat the main benefit spammers utilise, which is the ability to send a single body with multiple (ie. hundreds if not millions) of RCPT TO addresses.

    the current methodology makes the relay do all the work by making it contact all the smtp hosts of the people being spammed. by adding a unique web bug (and hence a unique body) for each receiver you would create an immense amount of load on the spammer's own system and network connection.

    just my 2 cents
    marty

    --
    "I can't buy what I want because it's free. Can't be what they want because I'm me." -Corduroy, Pearl Jam
  20. One of the cool things about Konqueror ... by taniwha · · Score: 2

    (the KDE browser) is that it often shows web bugs (like the one at the top of every slashdot page ...)

  21. Not until you change the world by jandrese · · Score: 2

    Frankly, the semantic + markup concept gets a lot of lip service from all corners of the world, but in practice I have yet to see a system that is both "correct" and actually used in the correct way.

    HTML was designed from day 1 just as you described, and what do we see? People spending days and days writing convoluted code to get the formatting "just right."[1] This is especially true when you are presenting something with no content[2]. Too many people are control freaks as well, there is no way they are ever going to let someone else see the presentation when they could have just any font, point size, or color selected (just to name a few). These people shudder at the idea of a webbrowser without the FONT tag, or those people who click "override document fonts". There is no way they are going to let their formatting be dictated by the reader!

    Maybe it's a good thing to make these people let go of their control issues, but in reality anything that tries is either not going to catch on, or is going to be mutilated into something else (HTML).

    [1] At least on Windows with IE
    [2] 75% of all web pages, and 100% of all flash presentations

    --

    I read the internet for the articles.
  22. for the time being there is a solution by Travoltus · · Score: 2

    unix based email software (XFmail, Pine, Balsa), none of which yet render HTML or activeX & java/script.

    This'll work for now.
    ========================
    63,000 bugs in the code, 63,000 bugs,
    ya get 1 whacked with a service pack,

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!