Slashdot Mirror


How Much Harm Can One Web Site Do?

Ben Edelman has written extensively on issues including censorship and spyware. He's got a very interesting piece on his site now about who profits from spyware, and how much spyware can be installed on a Windows XP machine when the user simply visits a single Web site using Internet Explorer.

97 of 501 comments

  1. not much... by domenic+v1.0 · · Score: 5, Informative

    if you use another browser like Firefox?

    1. Re:not much... by Moridineas · · Score: 3, Informative

      not much, if you are decently patched (he mentions at the very end the exploit installs don't work if you are running SP2)

    2. Re:not much... by narcc · · Score: 3, Informative

      Not all of us can run SP2 -- It just breaks too many things.

    3. Re:not much... by willy134 · · Score: 5, Funny

      That would be pretty secure I think.

      No network, no spyware!!!

      --
      Can you ping me now?... Good!
    4. Re:not much... by robslimo · · Score: 5, Interesting

      You guys on the "don't install SP2!" bandwagon need to wise up.

      I am personally responsible for the software on 67 windows computers at a university. I am jointly responsible for almost 400 of same.

      On the image I created and support, there are 93 applications loaded on top of a base XP install. These range from silly stuff like DivX player to Pro/Engineer. I had to test each and every one of them for SP2 compatibility.

      A grand total of 4 applications wouldn't work at all. 2 or 3 more had minor problems. Every one of those with problems were corrected by getting updated versions of said app.

      Any other usability problems are strictly a function of the firewall and if you (being a /.er) can't deal with that, then you don't need to be using a computer or posting in this forum.

    5. Re:not much... by cob666 · · Score: 2, Informative

      But you now have a neat little feature for all the network connections called repair which pretty much does the same thing but behind the scenes.

      I know it's a pain to have to click on the icon tray and then select 'Repair' but it's a small price to pay. Also, I don't usually switch my network connection more than once if I move my laptop.

      --
      Do what thou wilt shall be the whole of the Law - Aleister Crowley
    6. Re:not much... by davesplace1 · · Score: 2, Insightful

      You would think Microsoft would at least fix ActiveX for starters. One of the many reasons to run, don't walk, to install Firefox.

    7. Re:not much... by Rombuu · · Score: 4, Funny

      Current common wisdom if you are an idiot I guess.

      --

      DrLunch.com The site that tells you what's for lunch!
    8. Re:not much... by laughing+rabbit · · Score: 2, Insightful

      Sounds exactly like my Linux loaded laptop!

      --
      No incumbents, not no where, not no how.
      Vote them out every term.
    9. Re:not much... by Deekin_Scalesinger · · Score: 2, Funny

      <<< Granted most of the sites are not mainstream, and probably warez/mp3/p2p/porn... >>>

      Jeez, I thought warez/mp3/p2p/Pr0n WAS mainstream on the Internet these days...

      --
      "As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
    10. Re:not much... by afidel · · Score: 2, Interesting

      Guess you haven't installed SP2 on a spyware infested PC then. Because MS specifically doesn't (and can't) support spyware infected PC's they failed to test with a computer as it exists in the real world. So about 10-20% of pc's upgraded to XP SP2 just fail to come up at boot time, and another 10% or so fail to connect to the network after login. That's a really high failure rate, and unlike a university situation where you just make a new image and push it out to the machines in most small and medium businesses that's just not an option as the users scream bloody murder if they have to reinstall stuff.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    11. Re:not much... by aetherspoon · · Score: 3, Informative

      Then.... clean the machine?

      It isn't a real hard thing to do most times as long as you know what you are looking for and the machine doesn't touch any form of a network during cleaning.

      Yes, it takes awhile. Then again, would you upgrade an OS on a virus infested machine? Of course not!

      --
      --- Æther SPOON!
    12. Re:not much... by Johnny+Mnemonic · · Score: 4, Funny


      You guys on the "don't install SP2!" bandwagon need to wise up.

      You straight up office/cube/lab support guys need to wise up. There's more to life than IE/Outlook/Office. Where I work, we use PCs to analyze genomic data and communicate and control robotic devices that gather DNA information. Often, esp the control software, is written specifically for a version of Win2K, let alone be able to update to XP S2. You heard me right--there's still lots of instances of NT, and even some Mac OS 7.5.3. In many cases, the original vendor is non-existent, hard to reach, or they specifically recommend against updating to a newer version. Often, security updates will break functionality that these applications depend on.

      So thanks for the info. I'm sure XP SP2 makes a good kiosk. However, the guy that decided to run a $300K sequencer off a $700 Dell using some bastardized version of Java, and also can't be upgraded to XP or anything reasonably secure needs to have their head examined. I'm looking at you, ABI.

      --
      $tar -xvf .sig.tar
    13. Re:not much... by edxwelch · · Score: 2, Informative

      If you're running Windows 2000 there is no patch available for the latest iframe exploit.
      See here:
      http://search.linuxsecurity.com/articles/hackscracks_article-10204.html

      I'm not sure if sp2 fixes this problem

    14. Re:not much... by sadler121 · · Score: 4, Informative

      Not all of us can run SP2 -- It just breaks too many things.

      I'm running SP2 and nothing has broken thus far. Normally when people complain about SP2 breaking stuff (like a game that will not play online after patching to SP2) it has to do with the upgraded firewall. Tweaking the firewall is all that is needed to get your game (and 9 times out of 10 X app) running again.

      All in all, I think Microsoft did a good job with SP2. The security center is something that should have been in the control panel to begin with. It's good to have some centralized location.

      But yeah, SP2 fixed a lot of things in Windows and it really didn't *break* things, it just tightened some bolts that then required the user to go and loosen what he/she wanted to use. (instead of leaving the whole damn computer open)

    15. Re:not much... by Rasta+Prefect · · Score: 2, Interesting
      There's got to be more to it besides your browser. If you're getting 80-160 pieces of spyware you must be visiting some pretty sketchy sites and have your security settings set to minimal. I use IE almost exclusively and the worst I get is a couple of tracking cookies when I run AdAware.

      /me laughs maniacally. Oh, the naïveté... I do desktop support in a University setting for students and faculty. Amongst my duties is supporting the students' XP laptops (we don't technically support other windows versions). I've seen Adaware remove well over a 1000 items from laptops, and my supervisor has seen over 3000. One laptop brought in (by somebody who I'll guarantee wasn't searching for warez and pr0n) had 256MB of Ram and was using an additional 350 MB of swap by the time it finished booting. The hard drive light wasn't flashing. It was just _on_.
      These people don't do anything but browse the web and use office. It's all coming in through IE. :) Just as dangerous as the w4r3z and pr0n is that inspirational link Mom sent you that requires you turn all your additional browser crap...

      --
      Why?
    16. Re:not much... by Westech · · Score: 4, Funny

      Yeah, SP2 broke my SuperShopper HappySmiley E-Deals toolbar! Luckily, once I uninstalled it everything went back to normal.

    17. Re:not much... by Lordrashmi · · Score: 4, Interesting

      Specialized machines should be locked down, no internet access, no right to install anything or run anything other than the specific programs they need. They could only read from and write to a specific network drive. Anything else is nuts.

    18. Re:not much... by crawling_chaos · · Score: 2, Informative
      Um, Microsoft's own CRM program breaks under SP2 as does at least one version of Great Plains Dynamics. There are registry hacks that re-enable the software, but they undo some of the protections provided by SP2.

      That said, we'll be going to SP2 where I work when all of the testing is finished, but there are non-game business critical software packages that do break under SP2. I recommend it for home users, but I'm far more hesitant in the business environment, particularly if some custom or very old software is being used.

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
    19. Re:not much... by RollingThunder · · Score: 2

      No, it decidedly does NOT have to do with the firewall.

      I work as 2nd level UNIX support for a major telco. Our sister team that handles the Windows boxes did tests on a wide variety of systems (and these are all Dells - not noname grayboxes). At least one third died with the installation of SP2. Not "couldn't run a given game or app", but "went apeshit on reboot".

      Keep in mind this was not Joe Average installing SP2. These were very capable, highly skilled people, who know what they're doing, and it still left multiple systems virtually unusable. Joe Average has REASON to be concerned.

      You are very lucky you didn't get to experience this.

    20. Re:not much... by deaddeng · · Score: 4, Informative

      There are at least two other IE exploits out there that MS has not patched, and SP2 won't protect you. See: http://isc.sans.org/diary.php?date=2004-11-20

      Quote:

      Two More IE Vulnerabilities

      Exploit code has been released for two more Internet Explorer vulnerabilities that were released on Wednesday (Nov. 17). This code would enable an attacker to trick users into executing malware. These vulnerabilities affect Microsoft Internet Explorer 6.0 SP2 and are not prevented by Windows XP SP2.

      The original advisory is here: http://secunia.com/advisories/13203/

      The proof of concept exploit: http://www.k-otik.com/exploits/2041119.IESP2disclo sure.php

      While on the topic, it is interesting to note some statistics that Secunia has been compiling about Internet Explorer vulnerabilities:

      IE 5.01 - 42 advisories (7 unpatched) http://secunia.com/product/9/
      IE 5.5 - 55 advisories (8 unpatched) http://secunia.com/product/10/
      IE 6.0 - 69 advisories (18 unpatched) http://secunia.com/product/11/

      If you still think SP2 has mystical properties: http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/

      --
      --- .085 as cool; proving that a little knowledge is dangerous
    21. Re:not much... by innocent_white_lamb · · Score: 2

      I was setting up a dial-up user for the largest ISP in our province the other day and noticed that the list of supported operating systems in the ISP's setup guide stated "Windows XP (does not include SP2)". This makes no difference to you or me, but nobody who has SP2 installed can whine to the ISP's tech support because it's "not supported".

      And this is not a small ISP -- I'd guess that their number of subscribers would be in the high tens of thousands.

      --
      If you're a zombie and you know it, bite your friend!
    22. Re:not much... by thetoastman · · Score: 4, Insightful

      Some of us don't install SP2 because we're not using Win/XP or Win/XP Professional. I am currently running Win/2000 Professional when I am on the Windows side of this machine.

      Unfortunately, Windows/2000 Professional is vulnerable to these exploits and there is no patch available. I have a fully patched system, run the latest version of Norton's, and sit behind a Linksys router/switch. If I use IE or Outlook I run the risk of getting spyware, viruses, and trojan horses. There are no patches.

      Fortunately, I do not use IE on Windows/2000 except to check my web authoring. I do not use Outlook in any form. In fact, I do not read mail on my Windows/2000 side.

      However, I have real problems with all of this. As far as I know, Windows/2000 Professional has not reached end of life. I didn't find any information on the Microsoft web site, but you never know. Until Windows/2000 Professional hits end of life, I expect to have at least the same level of security that the latest patched Windows/XP Professional has.

      I am comfortable using alternate tools, and in fact I prefer them (Firefox, Thunderbird, OpenOffice, etc.). However, I do not think that having my computer exposed to malware that I can do nothing about is reasonable, especially when the same fixes are available for Windows/XP Professional.

      I know that one solution is to upgrade to Windows/XP Professional. There are really no advantages to me in upgrading to Windows/XP Professional. I can test ASP.NET, develop C#, run Tomcat/Apache, write Perl, and use MySQL or PostgreSQL quite nicely on Windows/2000 Professional. For my $200 retail price I get an OS with a bigger footprint, menus that purposely hide non-Microsoft software, and a host of other impediments to computer usage.

      Ah . . . but I do get the latest security upgrades from Microsoft, many of which are not available for Windows/2000. This is true even though Windows/2000 Professional is a fully supported product.

      An average user is not going to be aware of these considerations when using a computer. An average user will not be aware that while Windows/XP SP2 is patched properly, the same diligence will not suffice for Windows/2000.

      A lot more can be said about Microsoft's marketing, planned obsolescence, and deceptive business practices, but that would probably be off-topic.

    23. Re:not much... by Phragmen-Lindelof · · Score: 3, Insightful

      You are correct. I believe Linux is relatively secure and Windows is relatively insecure. I have never met (in person) anyone who had such a poorly configured Linux machine that it had security holes like those of Windows. The statement "A poorly configured Linux box can be just as insecure as Windows" does not seem to reflect actual experience. Certainly one could always run as root in Linux but I know of no one who does this; it would be really stupid.

      On the other hand, requiring absolute security is not an appropriate standard. This standard does not apply anywhere else; your home insurance probably does not cover you for some "acts of nature or God". You cannot say that a meteorite will not fall on you and kill you; you have no absolute security in your daily life. I agree that "Security is a process, not a product." However, experience so far suggests that running Linux would be much more secure than running Windows.

    24. Re:not much... by narcc · · Score: 3, Informative

      didja get rid of spyware trojans and viruses first? or bother to read the readme? No, you were too busy recompiling the kernel and whining about Microsoft to RTFM.

      Wow, you really don't have a clue, do you?
      http://www.newsfactor.com/story.xhtml?story_id=26344

      http://news.com.com/Microsoft+lists+SP2+conflicts/2100-1016_3-5311280.html?tag=nl

      http://news.com.com/Microsoft+tackles+AMD+conflict+in+SP2/2100-1016_3-5326707.html
      From this article: Microsoft had advised AMD users to remove SP2 altogether.

      There are plenty of others.
      And let's not forget problems with legacy applications. (Which many people need.)

  2. How much harm? by Anonymous Coward · · Score: 5, Funny

    Well, if it's Slashdot, it can leave your server a smoldering wreck.

    1. Re:How much harm? by Vicsun · · Score: 2, Funny

      And if it's goatse it can leave your eyes a smoldering wreck.

      I just compared slashdot to goatse. God help me.

  3. In Case It Gets Slashdotted... by Anonymous Coward · · Score: 5, Informative
    From the site.

    I've written before about unwanted software installed on users' computers via security holes. For example, in July I mentioned that 180solutions software was being installed through Internet Explorer vulnerabilities. (See also 1, 2, 3) More recently, researchers Andrew Clover and Eric Howes (among others: 1, 2) have described increasing amounts of unwanted software being installed through security holes.

    How bad is this problem? How much junk can get installed on a user's PC by merely visiting a single site? I set out to see for myself -- by visiting a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP), and by recording what programs that site caused to be installed on my PC. In the course of my testing, my test PC was brought to a virtual stand-still -- with at least 16 distinct programs installed. I was not shown licenses or other installation prompts for any of these programs, and I certainly didn't consent to their installation on my PC.

    In my testing, at least the following programs were installed through the security hole exploit: 180solutions, BlazeFind, BookedSpace, CashBack by BargainBuddy, ClickSpring, CoolWebSearch, DyFuca, Hoost, IBIS Toolbar, ISTbar, Power Scan, SideFind, TIB Browser, WebRebates (a TopMoxie distributor), WinAD, and WindUpdates. (All programs are as detected by Ad-Aware.)

    See a video of the installations (WindowsMedia format, view in full screen mode when prompted). The partial screen-shot at left shows some of the new directories created by the security exploit.

    Other symptoms of the infection included unwanted toolbars, new desktop icons (including sexually-explicit icons), replacement desktop wallpaper ("warning! you're in danger! all you do with computer is stored forever in your hard disk ... still there and could broke your life!" (s.i.c.)), extra popup ads, nonstandard error pages upon host-not-found and page-not-found error conditions, unrequested additions to my HOSTS file, a new browser home page, and sites added to my browser's Trusted Sites zone.

    I've been running similar tests on a daily basis for some time. Not shown in the video and screen-shot above, but installed in some of my other tests: Ebates Moe Money Maker, EliteToolBar, XXXtoolbar, and Your Site Bar.

    Installation of 180solutions software through security holes is particularly notable because 180 specifically denies that such installations occur. 180's "privacy pledge" claims that 180 software is "permission based" and is "programs are only downloaded with user consent and opt-in." These claims are false as to the installation occurring in the video linked above, and as to other installations I have personally observed. Furthermore, 180's separate claim of "no hiding" is false when 180 software is installed into nonstandard directories (i.e. into C:\Windows rather than a designated folder within Program Files) and when 180 software is installed with a nonstandard name (i.e. sais.exe) rather than a name pertaining to 180's corporate name or product names.

    What's particularly remarkable about these exploits is that the bad actors here aren't working for free. Quite the contrary, they're clearly expecting payment from the makers of the software installed, payments usually calculated on a per-install basis. (For example, see a 2003 message from 180solutions staff offering $0.07 per installation.) By reviewing my network logs, I can see the specific "partner" IDs associated with the installations. If the installers want to get paid, they must have provided accurate payment details (address, bank account number, etc.) to the makers of the programs listed above. So it should be unusually straightforward to track down who's behind the exploits -- just follow the money trail. I'm working on passing on this information to suitable authorities.

    Note that the latest version of Internet Explorer, as patched by Windows XP Service Pack 2, is not vulnerable to the installations shown in my video and discussed above.
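
One of the symptoms the quoted article lists, unrequested additions to the HOSTS file, can be checked by diffing the file against a known-good copy. The following is an added example, not part of the quoted article or of this post; the file contents, host names and addresses in it are constructed.

```python
import ipaddress

# Constructed sample data. On Windows XP/2000 the live file is
# %SystemRoot%\System32\drivers\etc\hosts; BASELINE stands in for a copy
# saved from a clean install.
BASELINE = """\
# known-good copy
127.0.0.1   localhost
"""

CURRENT = """\
# known-good copy
127.0.0.1   LOCALHOST            # same mapping, different case
192.0.2.10  search.example.com www.search.example.com
0.0.0.0     updates.example.net  # trailing comment
not-an-ip   broken.example.org
198.51.100.7
"""


def parse_hosts(text):
    """Return the set of (hostname, ip) pairs defined by HOSTS-file text."""
    pairs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        fields = line.split()
        if len(fields) < 2:                      # blank line, or address with no name
            continue
        try:
            ip = ipaddress.ip_address(fields[0])  # accepts IPv4 and IPv6
        except ValueError:
            continue                              # malformed address: not a mapping
        for name in fields[1:]:                   # one line may map several names
            pairs.add((name.lower().rstrip("."), str(ip)))
    return pairs


def classify(ip_text):
    """'block' if the name is pinned to the local machine, else 'redirect'."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback or ip.is_unspecified:
        return "block"       # name can no longer be reached off-box
    return "redirect"        # name is forced to a fixed address, bypassing DNS


def audit(baseline_text, current_text):
    """List mappings present now that the known-good copy did not contain."""
    added = parse_hosts(current_text) - parse_hosts(baseline_text)
    return sorted((name, ip, classify(ip)) for name, ip in added)


if __name__ == "__main__":
    for name, ip, kind in audit(BASELINE, CURRENT):
        print(f"{kind:8} {name} -> {ip}")
```
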
    1. Re:In Case It Gets Slashdotted... by Hatta · · Score: 4, Insightful

      How bad is this problem? How much junk can get installed on a user's PC by merely visiting a single site?

      If you can install 1 piece of spyware you can install 1000 or 1000000. Once you're pwned you're pwned, "how much" is entirely irrelevant.

      --
      Give me Classic Slashdot or give me death!
    2. Re:In Case It Gets Slashdotted... by maximilln · · Score: 2

      So it should be unusually straightforward to track down who's behind the exploits -- just follow the money trail

      I've been saying this for years about spam, corporate fraud, political corruption, and any number of unwanted irritations in society. No one's ever going to follow the money trail. The money trail is good for the economy. Attempting to hamper business by restricting the money trail makes you a terrorist... yadda yadda yadda.

      It's amazing. Get a room full of politicians and ask, "Which one of you has ever voted for a pork spending bill?" They'll all look around as if they have no idea what is being asked yet, at the end of the year, we can find billions of dollars appropriated to pet projects or to contracts which directly benefit the politician, their family, or their friends disproportionately from the benefit received by other citizens.

      Follow the money trail? If you keep following that money trail, you'll find it leads to harassment and ostracism. You don't want to be a terrorist do you? Just be a good little citizen and let the proper authorities handle this sort of stuff. Microsoft has already pledged millions to crack down on security.

      --
      +++ATHZ 99:5:80
  4. Umm... by telstar · · Score: 5, Funny

    Am I supposed to click that link? Finally, we've found the antidote to slashdotting!

    1. Re:Umm... by Zoop · · Score: 4, Insightful

      Well, he has writing abilities that would fit right in here:

      ("warning! you're in danger! all you do with computer is stored forever in your hard disk ... still there and could broke your life!" (s.i.c.))

      OK, if you're going to make fun of someone's English, don't turn the Latin word sic into an acronym. Super Intelligent Comment? Sick Internet Creep? Silly Immature Cretin? Sadly Impoverished Credibility?

    2. Re:Umm... by BorgHunter · · Score: 2, Insightful

      Um, you're a bit...off, there...look up the definition of "sic", mmkay? And then tell me if the idiots or the author of the article wrote it.

      --
      "Excuse me, did you say 'Trekker'? The word is 'Trekkie.' I should know; I created them." -- Gene Roddenberry
    3. Re:Umm... by jrockway · · Score: 2, Informative

      You do not get it. Sic is something an author inserts into a quote when the quote is incorrect in some way. Here, the author says "s.i.c" instead of "sic". This is the error. This error has nothing to do with the grammar error in the wallpaper.

      Here's what's happening:

      Wallpaper: Your computer is broked.

      Author: The wallpaper says, "Your computer is broked." [s.i.c.]

      The author should have written: "Your computer is broked [sic]"

      See the difference and where the mistake is?

      --
      My other car is first.
    4. Re:Umm... by tkw954 · · Score: 2, Insightful
      Right.

      So what he (Edelman) wrote was '"Your computer is broked"[s.i.c][sic]'.

  5. Windows XP? by cyfer2000 · · Score: 4, Funny

    how much spyware can be installed on a Windows XP machine when the user simply visits a single Web site using Internet Explorer.

    Am I safe if I am on a win2k machine?

    --
    There is a spark in every single flame bait point.
    1. Re:Windows XP? by bestguruever · · Score: 3, Funny

      No, win2k is much too recent. What you need to do is get a version of windows that is old enough to no longer be targeted. You still want something with a fairly comprehensive feature set, so I'd recommend Windows ME.

      --
      if you think this is bad, you should have seen my last sig
    2. Re:Windows XP? by xsupergr0verx · · Score: 3, Funny

      Honestly, that is the first time I have ever seen someone recommend Windows ME in a serious fashion.

      --

      Click here for a free picture of an iPod!
    3. Re:Windows XP? by laughing+rabbit · · Score: 2, Funny

      DR-DOS!

      --
      No incumbents, not no where, not no how.
      Vote them out every term.
  6. What was the actual web page? by lxt · · Score: 4, Insightful

    I did (for once...) read the article, but didn't download the video. My question might be answered in that (although if it is only answered in the video, that's pretty stupid - I'm sure many people can't view it, and it's WMV, so I wouldn't actually want to...), but does he actually say what the website visited was?

    I mean, I'm guessing most people would visit a reputable search engine, or the default MSN page when they first installed Windows and opened up IE, instead of what I'm guessing must be a fairly dodgy site in order to install so much spyware.

    That's not to discredit what he's done - I'm sure novice users would easily get onto these sort of spyware laden pages by mistake pretty quickly...I'm just interested, that's all.

    1. Re:What was the actual web page? by AnotherScratchMonkey · · Score: 2, Informative

      Here's what he types into the browser:
      http://xpire.info/fa/?d=get Entering this in Mozilla 1.8a4 gives me an authentication dialog. Hitting Cancel pops up a Moz file save dialog for a file containing an authentication error message.

    2. Re:What was the actual web page? by crimoid · · Score: 5, Informative

      He used xpire.info/fa?d=get which then redirects to a series of other pages on the same site, eventually landing at www.sp2fucked.biz/user28/2DimensionOfExploitsEnc.p hp which in turn prompts him with an error and a dialog box asking if he wants to continue executing scripts, to which he clicks "yes" after which all hell breaks loose.

    3. Re:What was the actual web page? by terraformer · · Score: 2, Informative
      I'm sure many people can't view it

      You're right. If you did download the video you likely would not have been able to play it. It uses a non-standard codec and every player I have, including MS Media Player for Mac, could not play it...

      --
      Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
    4. Re:What was the actual web page? by neko9 · · Score: 2, Informative

      just saw it... the best video in ages... i cried... i laughed... never seen anything so funny and scary... maybe because i don't use window$ and ie for net anymore :-)

      btw video stream is Windows Media Video 9 Screen
      and audio is Windows Media Audio 9

  7. You could always use a Mac. by TheKidWho · · Score: 2, Insightful

    And get no spyware at all.

    1. Re:You could always use a Mac. by Everach · · Score: 2, Insightful
      The reason Mac OSX and Linux are immune to spyware isn't because it's a superior operating system.

      It's because there's no money in it. Someone is getting paid to bombard you with spyware installations. They want to hit as many workstations as possible. And that means aiming for Windows users.

      Your post suggests everyone should use OS X or Linux. The day Windows loses majority share of the desktop market is the day spyware and viruses will start to pop up on your OS X and Linux workstations.

      The solution isn't to get rid of windows. It's to educate users, fortify the OS against spyware and viruses by closing security holes, and by legislating unauthorized software install as a punishable offense.

      Just my 2 coppers.

    2. Re:You could always use a Mac. by CdBee · · Score: 3, Insightful

      Maybe that's why 6% of iPod users want to buy Macs. Nothing to do with iTunes, iPods and OSX, they just want to be free of pop-up ads.....

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    3. Re:You could always use a Mac. by gmuslera · · Score: 4, Insightful
      They are not "immune", but at the very least it is a lot harder to install spyware/virus/etc, and the no-monoculture effect helps too.

      The main defense is their structural strength, i.e. being thought out from the basis as multiuser, where the system admin (the one that has some permission over i.e. what programs are installed) is kept very separate from the user that browses the internet.

      And don't forget that here the blame goes to both the operating system author (Microsoft) and the browser author (Microsoft again), both good examples of what happens when security is the least priority.

    4. Re:You could always use a Mac. by happyemoticon · · Score: 3, Insightful
      You think for a second that if windows had that, Bonzai Buddy and that stupid temperature tray thingy wouldn't end up on windows workstations? Dream on.

      I think we're actually talking about two different things. You seem to be referring to things a user is stupid enough to say yes to. RTFA. These are things that the user never even gets a prompt for.

      Big fucking deal.

      IE runs under a user with administrator privileges (press ctrl-alt-delete and see who's running what) and has the ability to run active-x controls; there's your vector. IE lets the site run a control, and the system lets an administrator-level program write to the hard drive and the registry. It's not even a real hacker worthy exploit (buffer overflows, etc), just telling the computer to do something stupid and watching as it complies.

      By contrast, Java (the only real code Firefox can execute) is much more paranoid than IE - that is, I've seen it throw security exceptions. You'd have to not only find a way to get root privs, but get past Java as well.

      The GP is correct -> windows is targeted because of two reasons: 1) Market Share, 2) Lowest average IQ of users.

      Absolutely correct. But that does not mean that not-windows users are not-targeted because of their not-dominant market share. That's a logical fallacy. Linux contributors should not become complacent, yes, but I am of the opinion that users have every right to be stupid, and that their computers should not make it easier for others to exploit that perfectly human condition - that is, that their computers should be well-designed. If XP needs all of these security patches just to keep going, where a mac or linux box could stand like a column of basalt for years, clearly something is deeply wrong with it; hell, that probably qualifies under the lemon law.

    5. Re:You could always use a Mac. by rainman_bc · · Score: 4, Informative

      IE runs under a user with administrator privileges

      No, IE runs under whatever user you are logged in as. One should definitely learn to manage users. No argument there.

      , but I am of the opinion that users have every right to be stupid,

      Yet we all own cars... If you are too stupid to add oil to your car and you burn out your engine... It's not the manufacturer's fault. There's a certain level of responsibility the users should bear as well. Users have a right to be stupid, but should pay up when they screw their computers up the same way car owners should pay if they don't maintain their vehicle or use it correctly.

      . If XP needs all of these security patches just to keep going, where a mac or linux box could stand like a column of basalt for years

      Again, Bullshit! There's security holes in Linux and FreeBSD. That's why we have utilities in Fedora like up2date, portupgrade, etc. So you can automate the patching of those security holes.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    6. Re:You could always use a Mac. by Sporkinum · · Score: 2, Interesting
      By contrast, Java (the only real code Firefox can execute) is much more paranoid than IE - that is, I've seen it throw security exceptions. You'd have to not only find a way to get root privs, but get past Java as well.


      November 23, 2004 (1:39 PM EST)
      Java Bug Makes IE, Firefox Vulnerable

      By TechWeb News

      A flaw in Sun's Java Virtual Machine can open up the two most popular browsers, Microsoft's Internet Explorer and Mozilla's Firefox, to attack, security researchers said Tuesday.
      --
      "He's lost in a 'floyd hole"
  8. How much damage can one web site do? by Sensible+Clod · · Score: 3, Funny

    Certain .cx sites are all the evidence needed. I rest my case.

    --

    The difference between spam and poop is that you don't have to dig through septic tanks looking for real food. -- Me
  9. How much harm can ONE site do?!! by RiscIt · · Score: 5, Funny

    I LOVE the headline

    Apparently we're forgetting the word "slashdot" as a verb.

  10. No surprises here. by RatBastard · · Score: 4, Insightful

    None of this is a surprise to me. I've been dealing with this crap at work for years now. Spyware is the single biggest headache the ITS department I work for has to deal with. We spend more time cleaning spyware out than viruses. XP Service Pack 2 has helped a lot, and so has encouraging the use of FireFox, however, at least 55% of our systems still run Windows 2000 and a lot of the resources we need to access online only work in IE.

    --
    Boobies never hurt anyone. - Sherry Glaser.
  11. s.i.c. by Anonymous Coward · · Score: 5, Funny

    From TFA:

    "warning! you're in danger! all you do with computer is stored forever in your hard disk ... still there and could broke your life!" (s.i.c.)

    Anyone else find the improper spelling of "sic" (used by an editor to mark improper spelling or usage in a quoted piece of text) to be humorous, or is it just me?

    1. Re:s.i.c. by JohnGrahamCumming · · Score: 2, Funny

      Me, but then I'm the sort of person who likes to use semicolons when writing English; I find that the semicolon is a fun way to join two related sentences without using a period.

      Perhaps we should club together and buy the author of this little article a copy of Eats, Shoots and Leaves.

      John.

    2. Re:s.i.c. by Daniel+Dvorkin · · Score: 2, Insightful

      I didn't realize that there were people who believed "sic" was an acronym. I've heard "i.e." explained as "in eexample" -- which may account for how often people use "i.e." when they really mean "e.g." -- but "spelling incorrect" is a new one. Human ignorance knows no bounds.

      Here's a good rule of thumb: if any term is older than a century or so, it's very unlikely to be an acronym. Port outbound, starboard home? For unlawful carnal knowledge, or fornication under consent of the king? To insure promptness? No, no, no. Acronyms are almost entirely modern, and folk etymology is almost entirely wrong.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    3. Re:s.i.c. by tsg · · Score: 3, Funny

      Do you lie awake at night wondering if anal retentive is hyphenated?

      --
      People's desire to believe they are right is much stronger than their desire to be right.
  12. Why not a site "death sentence" by mc6809e · · Score: 2, Insightful

    A site that willfully becomes a source of trojans, exploits, and malware deserves to have all its packets blocked at a high level or black holed.

    Why can't this be done?

    Just cut them off entirely.

    The big players need to get together on this.

    1. Re:Why not a site "death sentence" by ChrisPee · · Score: 2, Funny

      And when *.microsoft.com is blocked for hosting the IE installer, where will you download your OS patches?

  13. Not impressed by digrieze · · Score: 4, Insightful

    Okay, let's see, this guy loads up an OS ("fresh", as he writes) that has been targeted by the net scum since it came out, so we know it's vulnerable to every exploit designed for it. Goes to a troll site for 180 and then complains about how awful it is when during installation/first net logon he should have gone straight into the patching process that would have prevented it (in other words, he had to cancel critical patching out intentionally).

    This is akin to throwing matches at a tub of gasoline and writing an expose' when it catches fire. Either this guy had too little to write about, had too much time on his hands, or had to win a bet and is trying to slip this one by someone.

    Even he admitted his lousy methodology in his last sentence.

    This isn't news. It's just a bone thrown out to keep the resident "gotta flame microsofties" happy with a fix for the day.

    --
    It doesn't matter what you wrap your emotions around, Reality is a brick wall specifically designed to scramble eggs
    1. Re:Not impressed by Yankel · · Score: 2, Insightful

      I think that says something about Microsoft's installation process.

      My last Linux install included an automatic upgrade of the latest packages that had been upgraded for security reasons - even before X was started for the first time.

      How are the first round of patches applied when you install XP? My guess is after you finish the installation, you must:

      1. Start Windows Updater

      Which, I imagine is where we lose pretty much everybody because:

      a) users just want to get going already - not install security patches

      b) as an article about counterfeit copies of XP in Asia put it, "Windows Update wouldn't work, so they gave up."

      Yankel

      --
      --- Dan
    2. Re:Not impressed by Phayyde · · Score: 3, Insightful

      This is correct. Win Update does NOT automatically start on a fresh install. The user is forced through a few reboots and repeat visits to Win Update before even having an option to download SP2.

      Obvious to anyone who has dealt with end users: they will stop performing maintenance work the very moment they are capable of surfing the web. As soon as an installation is "good enough", they stop.

      Obvious to anyone who has ever actually performed this sort of work: Digrieze is an astroturfing liar.

    3. Re:Not impressed by Sabalon · · Score: 3, Insightful

      And that would be great - yet tomorrow at thanksgiving I'll be doing god knows what to my aunt's computer that is probably infected 200 ways. She doesn't know about patching, is on a dial-up and downloading a 10-20MB patch from MS is not something she is likely to do.

      Basically, the guy was loading and emulating what is probably 80% of the internet users out there (think AOLers :)

  14. Gnome + spyware? by k4_pacific · · Score: 3, Interesting

    Particularly amusing was that the article mentioned a proposal to bundle spyware into Gnome 2.0. I bet that went over like a strip club in the Vatican.

    --
    Unknown host pong.
    1. Re:Gnome + spyware? by FuzzyBad-Mofo · · Score: 2, Funny

      Wow, the cojones on that guy..

  15. Rhetorical? by zx75 · · Score: 3, Funny

    How much harm can one website do? This is slashdot. We blow up poor people's servers for fun!

    --
    This is not a sig.
  16. Again, sensationalism trumps truth by Swamii · · Score: 4, Insightful

    I RTFA, and hidden away deep in the article, we find this gem:

    Note that the latest version of Internet Explorer, as patched by Windows XP Service Pack 2, is not vulnerable to the installations shown...

    In other words, he's running all this on an unpatched XP machine.

    Now, before the Slashdot horde stabs me repeatedly with a big sharp knife for being a Microsoft apologist, consider this situation. I've got an old version of Firefox with a few exploits in it. I report the exploit, and the response I get is that these exploits are already patched. Yet I decide to write a story about the horrific exploits, post it to Slashdot, and stir up a ruckus about how bad FireFox's security is.

    What I'm proposing is that Slashdot report its stories with less sensationalism and more professionalism. Put in the story that all this was run on an unpatched machine, and that the said security holes have already been fixed.

    Thank you.

    --
    Tech, life, family, faith: Give me a visit
    1. Re:Again, sensationalism trumps truth by zulux · · Score: 4, Insightful

      In other words, he's running all this on an unpatched XP machine.


      The same problem happens on:

      A patched Windows 2000 Machine
      A patched Windows XP SP1 Machine
      A patched Windows XP Machine
      A patched Windows 98 Machine

      To get browser security from Microsoft requires a user of Windows 98 to spend $100 to get XP and then spend the next two days trying to install it and getting it to work right with his scanner/fax/printer.

      Or our Windows 98 friend could just download Firefox.

      Why Microsoft won't release a standalone Internet Explorer for its old systems is obvious: They want to suck more money out of people. And they suck.

      If Slackware can update their browser - why in the fuck can't one of the largest companies in the world do the same?

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    2. Re:Again, sensationalism trumps truth by CyberHippyRedux · · Score: 2, Insightful

      His test is very real-world, for the reasons you mention plus one. Most normal users don't know about updating, and don't care until the Spyware hits the fan.

      Like many Slashdotters, I spend a lot of my time helping less computer-savvy friends clean up their messes. About half of the time is spent cleaning, the other half patching. Even after I've explained the necessity of checking Windows Update, updating and running SpyBot & AdAware, most of them just can't be bothered - they'd rather have me do it for them.

      Every time I get a new client whose computer has slowed to a crawl, I find the same situation.

      To put it simply, we are the exception. These exploits exist and persist because the normal user is ignorant of the existence and persistence of Spyware.

      It's like welfare for Geeks...

    3. Re:Again, sensationalism trumps truth by M.+Silver · · Score: 2, Funny

      A patched Windows 2000 Machine
      A patched Windows XP SP1 Machine
      A patched Windows XP Machine
      A patched Windows 98 Machine


      What about Win95, you insensitive clod? Hmph.

      (Note that I'm *not* volunteering to try it out, though I'm typing this on a 95 box. With Firefox, mind.)

      --

      Slashdot's token middle-aged housewife
  17. Regarding the Video... by Anonymous Coward · · Score: 3, Informative

    ...may I point out that it is NOT worksafe? Thanks, Ben! Appreciate that.

    Glad I didn't have the boss watch it with me in an attempt to convince her of the need to take better anti-spyware measures.

  18. Another good write-up here: by Saint+Aardvark · · Score: 5, Informative
    The "Follow the Bouncing Malware" series at ISC's Internet Storm Center has been quite good, too; it looks at what happened to Ordinary Joe's Windows computer when he surfs:

    Part 4 is coming Real Soon Now (tm). The ISC handler's diary is required daily reading; always a lot of good stuff to be found. (And every now and then, there's a tale that'll make your blood run cold...)
  19. Does he have a lawyer? by serutan · · Score: 2, Interesting

    I was not shown licenses or other installation prompts for any of these programs, and I certainly didn't consent to their installation on my PC.

    I would love to see somebody slap some criminal charges against the site owner. Hiding behind an obfuscated EULA is bad enough, but installing software without any permission whatsoever has to be illegal, doesn't it?

    1. Re:Does he have a lawyer? by MrNiceguy_KS · · Score: 2, Funny
      I would love to see somebody slap some criminal charges against the site owner. Hiding behind an obfuscated EULA is bad enough, but installing software without any permission whatsoever has to be illegal, doesn't it?

      Does anyone else find this ironic considering his sig?

      --
      Redundancy is good And also good.
  20. SP2 is immune by the_mighty_$ · · Score: 3, Insightful

    Interesting to note that Windows XP SP2 is immune. Only old Windows versions are vulnerable. I think it's pretty pointless to keep pointing out that OUTDATED products have bugs.

    --
    VI VI VI - the editor of the beast!
    1. Re:SP2 is immune by FuzzyBad-Mofo · · Score: 2, Informative

      Outdated products like Windows 2000 Professional?

      Microsoft's own product lifecycle chart indicates "Mainstream Support" through June 30, 2005, and "Extended Support" through June 30, 2010.

  21. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  22. Anti-anti-MS zealots by crimson30 · · Score: 2, Informative

    Before you start whining about how the machine was unpatched, and going on about how we're picking on MS, realize that just maybe, Microsoft isn't the target here. If you would read the fucking article, you would see that Ben is attacking propagators of spyware; not MS.

  23. Re:Now... by digrieze · · Score: 2, Informative

    Oh, probably the same reason I have to, all the corporate web sites that won't work with Firefox (still, yes, I have the updates). When Firefox gets plugins down we'll be able to nix IE, but till then we're stuck.

    --
    It doesn't matter what you wrap your emotions around, Reality is a brick wall specifically designed to scramble eggs
  24. You're missing both points by Old+Man+Kensey · · Score: 5, Insightful
    The first point, which we all know, is that Windows sucks. However, his main point has nothing to do with the vulnerabilities per se, and everything to do with the culpability of the sites and software authors that knowingly use security holes to install these programs without notice to or consent from the user, and in fact make it as hard as possible to detect them and remove them because they know full well their business depends on keeping the software there by any means necessary, ethical or not.

    If I leave my door unlocked, I'm an idiot, but if you then walk in and steal my TV while I'm gone and sell it at the local pawnshop you're still just as much a criminal as if you smashed a steel door in with an APC: an unlocked door is not in itself an invitation to enter and make oneself at home. The same principle applies here: the sites and software authors are not the legitimate businesspeople they try to convince everyone they are.

    --
    -- Old Man Kensey
  25. Re:I never get spyware by Anonymous Coward · · Score: 2, Funny
    Don't visit pr0n sites

    but then what is the internet for?

  26. simulating spyware installs by diakka · · Score: 2, Interesting

    I was thinking, what if you could do something to simulate a spyware install on a computer to the point that they would be fooled in to paying out these per-install fees to websites. If they're paying out a lot of money for installs that will promptly be deleted, then it would hurt these companies financially and also hurt the revenue streams to the websites that use these exploits for financial gain.

    --
    -- Knowledge shared is power lost. -- Aleister Crowley
  27. My e-mail to the TwainTec Legal Dept by Anonymous Coward · · Score: 3, Insightful

    Twaintec is a spyware company, and upon viewing their website I read their privacy policy regarding their spyware, and they had an e-mail address to report any malicious sites (installing their spyware without customer consent) to...

    My letter (to which I got no reply)

    Hello there. As you can see, I have had to take steps to insure my identity remain secret.

    Due possibly to an oversight on my part (leaving the security level in the internet zone in IE on Low, then going to an untrusted site), I have been infected with your adware. The uninstall procedure on your website does not work -- your software is not listed in add/remove programs. The twaintec.dll in my windows directory is currently being used, however I have removed all permissions to this file so it will not load after I reboot.
    I was infected with this as well as a myriad of other spyware (toolbars, programs, browser hijackers... I didn't bother to make a list but you should see all the pornographic bookmarks I now have, it's very impressive) by simply going to an internet site. I didn't accept any requests, I didn't read any privacy policies, and now I have your program.

    While your privacy policy attempts to divert responsibility by claiming not to allow this, your failure to insure in software that this actually happens makes your company morally, if not legally, complicit. In short, you could have written software that did this, but instead you put the onus on others to ensure that your software was installed on end-users' computers responsibly. Not surprisingly, many third parties do not do this, and privacy policy be damned, *you profit from it*. You acknowledge this by putting, in your privacy policy, instructions to contact your legal department if one should find examples of abuse of your software. I believe that a person of moral integrity would take steps to ensure that your software was not abused, and that by not doing so, you lack moral integrity.

    But I'm not here to put you down. I would like you to stop distributing the software, shut down your servers, destroy the source, and find another job. A company that can produce this software could, instead, produce something like, say, PestPatrol, that would make peoples' lives better, not worse. But the purpose of this e-mail is not to request that.

    What I want from you is simple. I want you to write me back with instructions on unregistering that DLL. I don't know who wrote this program, but this should be a simple task for someone with programming knowledge, such as must have been required to write the program. If you can do this for me, your moral obligation to me may be considered fulfilled. There is still the greater issue of this software, but one that I'll let you deal with on your own time. If you reply to help me fix what your software has broken, I will forgive you.

    If you promise to take steps to ensure that your software is not abused or that you do not profit from it if it is (charitable donations?), I will applaud you.

    But I will never trust you.

    David

    ---
    Protect yourself from spam,
    use http://sneakemail.com

    1. Re:My e-mail to the TwainTec Legal Dept by clohman · · Score: 3, Informative

      regsvr32 /u C:\DIRECTORY\twaintec.dll

  28. Win2K is just as bad. by John+Sokol · · Score: 4, Interesting

    I recently installed a new win2K system and installed the latest service pack 4.

    I also killed all the services. and it never ran a web browser. Just mysql. I didn't have any antivirus software on it.

    So after placing it on an unfirewalled connection in a locked room, within 2 hours there were over dozens of virus, worm and spyware installed on the system till it crashed and couldn't even boot. Coming up with 100's of DLL errors!

    Again we never open a single web page.

    Specifically some of what was installed was:


    --
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
    1. Re:Win2K is just as bad. by gad_zuki! · · Score: 3, Insightful

      >installed the latest service pack 4.

      You might as well have blessed it with the wave of your hand.

      You must visit windows update to get the post SP4 patches or the very least enable auto-update.

      You probably got all this stuff from the lsass and rpc vulnerabilities which SP4 does not address.

    2. Re:Win2K is just as bad. by hackstraw · · Score: 2, Insightful

      I recently installed a new win2K system and installed the latest service pack 4.

      I also killed all the services. and it never ran a web browser. Just mysql. I didn't have any antivirus software on it.

      So after placing it on an unfirewalled connection in a locked room, within 2 hours there were over dozens of virus, worm and spyware installed on the system till it crashed and couldn't even boot. Coming up with 100's of DLL errors!

      Again we never open a single web page.

      Specifically some of what was installed was:

      [ snip 40 executables & libraries & whatever else was here ]


      W2K is still a supported product. If you have any kind of maintenance or service contract with the vendor I would strongly suggest you ask them to fix the product. You may want to seek legal advice.

      It kills me that people actually _pay_ for this kind of crap.

      Can you envision any other single supported product that you can bring home and plug it in and have it basically self destruct?

      Sometimes I secretly wish I were greedy and ambitious enough to be a snake oil salesman and have much of the world's population give me money and respect me for it.

      Unfortunately, I have too much personal pride and respect for my fellow man.

      So long as people put up with this, it is only going to get worse. Every day I'm more convinced that people's IQ halves in front of a computer screen.

  29. He's not flaming IE by L0stm4n · · Score: 2, Insightful

    All these people talking about how he's doing this on an unpatched windows install. Complaining he should update.

    The story is not about a browser. The story is about the scum companies that make money using exploits to install their crap. If the money trail is followed and the companies profiting from this got their asses handed to them this wouldn't be near as much of a problem.

    His example was exactly that, an example of how many nasty things are willing to exploit you, regardless if it succeeds or not.

    --
    superman runs linux
  30. Reminds me of passthison.com by Serveert · · Score: 2, Informative

    I spent about an hour trying to figure out all the hacks that website was doing but after all was said and done it was frightening the lengths people go to in order to hack your browser, set your home page then get ad impressions and make revenue.... embedded java code with encrypted javascript with encrypted java code which printed out encrypted HTML which when decrypted had the browser load java code that used a browser helper object to set your homepage.

    --
    2 years and no mod points. Join reddit. Because openness is good.
  31. Re:Class Action? Small Claims? by milkman_matt · · Score: 2, Funny

    My mom doesn't understand why I make her click on the red globe icon instead of the blue E.

    You can resort to the old standby of car analogies.


    Or you can just point the blue E to the red globe's exe file and she'll never know the difference :)

    -matt

  32. Again, Slashdotter posts without RTFA by kindbud · · Score: 2, Insightful

    Before you go off half-cocked accusing other people of going off half-cocked, you might want to RTFA, including all you mods who upped this post to 5. The article is not about Windows or IE or what Microsoft shoulda or coulda or woulda done about any flaws.

    The article is about the scumbags that exploit the flaws, and the lengths they'll go to to get their crap onto your PC. It's also about the money trail that can be followed to nail these suckers. The article was trying to demonstrate that there is a way to fight back against behind-your-back-ware, aside from securing the software and making sure your updates are current.

    Just because the lock on the door to your house is an old design and can be easily jimmied doesn't mean someone can come in and take your Stuff and justify it by pointing out what a lamer you are for having such an old lock.

    --
    Edith Keeler Must Die
  33. My mom by ff1324 · · Score: 5, Insightful

    While so many are quick to point out that he used an unpatched machine, that he should know better, that he's just doing it to be difficult, that he can fix it. He knows he should install SP2, he knows he should have his firewall set up. He knows he should practice safe surfing....but my mom doesn't know this stuff.

    For every computer whiz (like most of us that visit /.), there's a thousand users like my mom who know that you turn on the box, move the little mouse around, and she can type emails to the whole family every day. Then she surfs around on the internet, types something in wrong, clicks on the wrong site, and now can't send the emails to the family and can't order my Christmas presents from Amazon.

    Spyware is a pain in the ass for us, but it's a nightmare for the computer novices!

  34. Stupid Spyware Companies. by jellomizer · · Score: 2, Interesting

    You know the Spyware companies are pretty dumb. What they should do when they make the program is remove all the other pieces of spyware so only your ads are being seen by the user. You know if they all did this then in theory you should only have one piece of spyware on your system and most people wouldn't notice.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  35. virgin install by fishdan · · Score: 4, Interesting
    At our crazy workplace, with around 60k networked PCs, it takes about 20 seconds to get infected with a virgin install. As a result, all the installers now carry flash drives with zonealarm, adaware, and our anti-virus flavor of the month. We install ALL that before connecting to the network.

    It bothers me that some people still install windows while connected to the internet.

    --
    Nothing great was ever achieved without enthusiasm
  36. The test is not particularly valid by Fnagaton · · Score: 2, Interesting

    The test is not particularly valid because in the video the person quite clearly clicks "Yes" to running scripts on the page even after there are errors. I have to ask myself what kind of person blindly clicks on yes and I come up with the answer "the person who gets software installed on their machine". Also the machine is not patched, which also makes the test less than meaningful.

    The "test" is basically the same as saying "Hi I know that this lock is vulnerable to this method of being opened and I will now prove it is not secure by using an old lock with that vulnerability."

    If I was in a really pedantic mood I could use a nice old copy of any other operating system with known and patched security problems and demonstrate how vulnerable they were in the past as well. Let's see, maybe I could make a website dedicated to the old known Irix user able to set root password to nothing exploit.

    It's not scientific and it's not clever.

    --
    Martin Piper
    Owner - ReplicaNet and RNLobby
  37. How people get infected by bedelman · · Score: 3, Informative

    Howdy folks. Sorry to take so long to respond -- was in airports and planes all afternoon. Day before Thanksgiving...

    Browsing to the site I showed in my video is one way to get infected. But that's not the most typical infection method. Instead, other sites can and do point to this site (and other similar sites), typically via IFRAMES. I was recently looking at a post in a web-based threaded messaging site, which used a 1x1 pixel IFRAME (basically, hidden) to reference the site shown in my video. When a user loads the infected post in the threaded messaging site, the user's PC will be infected via the exploits shown (if the user's PC is vulnerable to such exploits), and the user will receive spyware like that shown in the video.

    As to video format: I apologize for the WMV format. There's a lot to be said for this format, from the reliable free creator to the wide deployment of the player software (present in all W2K and WXP systems). But clearly it's an imperfect solution, and not great for viewers on other platforms. I'm working on finding a better alternative and/or offering the same content in other formats.
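The hidden 1x1 IFRAME referral described in the post above is something a forum operator can screen for in submitted post HTML. The following is an added example, not part of the original comment or of any site's own code; the host names, the sample post and the 2-pixel threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 2  # assumption: a frame this small or smaller is effectively invisible


def _px(value):
    """Pixel count for '1', '1px', '0'; None for '100%', 'auto' or a missing value."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(px)?\s*", value, re.I)
    return float(m.group(1)) if m else None


def _style(attrs):
    """Parse the inline style attribute into a lowercase property dict."""
    props = {}
    for decl in (attrs.get("style") or "").split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = val.lower().replace("!important", "").strip()
    return props


def hidden_reasons(attrs):
    """List the ways a frame's own attributes make it invisible to the reader."""
    style = _style(attrs)
    reasons = []
    for dim in ("width", "height"):
        # An inline style overrides the HTML attribute, so it wins when present.
        raw = style[dim] if dim in style else attrs.get(dim)
        px = _px(raw)
        if px is not None and px <= TINY_PX:
            reasons.append(f"{dim}={px:g}px")
    if style.get("display") == "none":
        reasons.append("display:none")
    if style.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    return reasons


class FrameAudit(HTMLParser):
    """Collect frames that are both hidden and served from another host."""

    def __init__(self, page_host):
        super().__init__(convert_charrefs=True)
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = dict(attrs)  # HTMLParser already lowercases attribute names
        src = (a.get("src") or "").strip()
        host = (urlparse(src).hostname or "").lower()  # empty for relative URLs
        reasons = hidden_reasons(a)
        if host and host != self.page_host and reasons:
            self.findings.append(
                {"line": self.getpos()[0], "host": host, "src": src, "reasons": reasons}
            )


def find_hidden_external_frames(html, page_host):
    audit = FrameAudit(page_host)
    audit.feed(html)
    audit.close()
    return audit.findings


# Constructed sample: one forum post as stored by a hypothetical forum.example.com.
SAMPLE_POST = """\
<div class="post">
  <p>Great thread, thanks!</p>
  <iframe src="http://landing.example.net/in.html" width="1" height="1" frameborder="0"></iframe>
  <iframe src="/help/smilies.html" width="1" height="1"></iframe>
  <iframe src="http://video.example.org/embed/42" width="480" height="360"></iframe>
  <IFRAME SRC="//landing.example.net/b" STYLE="display:NONE"></IFRAME>
  <iframe src="http://forum.example.com/poll" style="width:0;height:0"></iframe>
</div>
"""

if __name__ == "__main__":
    for f in find_hidden_external_frames(SAMPLE_POST, "forum.example.com"):
        print(f"line {f['line']}: hidden frame to {f['host']} ({', '.join(f['reasons'])})")
```

This only inspects each frame's own attributes and inline style; frames hidden through a stylesheet class or inserted by script need a rendered-DOM check instead.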