The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/aug12,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
I have had email conversations with a number of people at Sunbelt Software about the ID theft ring they discovered recently. They were kind enough to provide a HijackThis log entry that identifies the keylogger. I promised not to publish it but said I would warn the helpers at the message board to keep an eye out for any victims. Unfortunately, we discovered that dozens of people had been infected. We set about trying to contact them all privately.
Since the HijackThis log entry now has been published elsewhere, including on Sunbelt's web site, I will go ahead and reveal it. Download HijackThis and scan the computer. If the following entry is present in the results, then the computer is infected with this spyware and the user(s) of that computer might be victims of identity theft:
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
Sunbelt has created a free tool to remove this trojan safely. If that entry is found on any computer that you are examining or fixing, visit this page (http://research.sunbelt-software.com/ssaclean.cfm). Download the program linked there, then unplug that computer's modem from the internet. Leave it unplugged until after the trojan has been removed. I've submitted the keylogger to several antispyware and antivirus vendors, so they should be detecting it shortly, if they don't already.
Sunbelt has named this trojan Srv.SSA-KeyLogger.
After that has been done, you then have the sad duty to inform the owner of the machine that they may be the victim of identity theft. From an uninfected machine, they need to log into any web site where they have an account and change their passwords. They also should contact their banks and credit card lenders and inform them of the situation.
Based on that HijackThis entry, some of the spyware gurus at the message board obtained a copy of the keylogger and set about examining it in detail. Compared to the browser hijackers and spyware that we see normally, this keylogger is extraordinarily sophisticated.
This keylogger is downloaded and installed by a browser hijacker identified widely as CWS. The computer first has to be infected with a particular variant of this hijacker. After that variant is installed, it downloads this keylogger and then installs it.
At this point, it still is unclear why the hijacker software is installing the keylogger. The person responsible for it might have been paid by a third party to install this file without an explanation of what it does. In that case, the people responsible for the hijacker are unwitting accomplices in this identity theft operation. It is a common practice for one browser hijacker to download and install several others.
CoolWebSearch.com has released a statement denying any involvement with this situation. The statement says that if anyone has evidence that one of their affiliates is involved, they will contact the FBI with information about the affiliate and immediately suspend their account. I have taken them up on their offer and contacted them to find out if the web sites involved in the browser hijacker belong to one of their affiliates. As much as I personally dislike CoolWebSearch, I would hate to finger them for something like this if they are not responsible.
The keylogger also can be installed separately from the browser hijacker by visiting certain web sites. The main pages of these web sites are pay-per-click search portals and have a design very similar to that of coolwebsearch.com and their affiliates.
Once the keylogger is installed, a surprising number of things happen to the infected computer.
Several web sites owned by antivirus and antispyware companies are blocked by modifying the HOSTS file. Mike Burgess of MVPS speculates that since legitimate antimalware web sites are blocked, an infected victim will begin clicking links on the hijacker's web site to find an antispyware program. When that happens, the hijacker ends up being paid for the link referral plus a commission if the victim buys the antispyware program.
I should point out that any antispyware companies advertising on such web sites nearly always are found in the Rogue Antispyware list and are not recommended.
The keylogger itself is set up to run every time the computer restarts. A registry key is written which loads the keylogger even before any user logs into their account. Again, that entry can be identified in a HijackThis scan as O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
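As an added example (not from the newsletter or from Sunbelt), the two indicators described above can be checked from a saved HijackThis log and a copy of the HOSTS file: the O4 startup entry named in the text, and HOSTS lines that pin hostnames to a loopback or blackhole address. The sample log and HOSTS excerpts below are constructed, and the vendor hostnames in them are placeholders.

```python
import re

# Indicator quoted in the newsletter: the HijackThis O4 line for the keylogger.
KEYLOGGER_NAME = "load32"
KEYLOGGER_EXE = "winldra.exe"

# Shape of a HijackThis O4 line: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_o4(log_text):
    """Return (hive, key, value name, command) for each O4 startup entry in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def find_keylogger(log_text):
    """Commands of O4 entries matching the load32 / winldra.exe indicator (empty = not found)."""
    return [cmd for _hive, _key, name, cmd in parse_o4(log_text)
            if name.lower() == KEYLOGGER_NAME and cmd.lower().endswith(KEYLOGGER_EXE)]


def hosts_redirects(hosts_text):
    """Hostnames a HOSTS file pins to a loopback/blackhole address, other than localhost."""
    sinkholes = {"127.0.0.1", "0.0.0.0", "::1"}
    blocked = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] in sinkholes:
            blocked.extend(h for h in parts[1:] if h.lower() != "localhost")
    return blocked


# Constructed sample log and HOSTS excerpts (not real captures); vendor names are placeholders.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [load32] C:\\WINDOWS\\System32\\winldra.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.antivirus-vendor.example   # constructed placeholder
0.0.0.0 downloads.antispyware-vendor.example
"""

if __name__ == "__main__":
    print("keylogger entries:", find_keylogger(SAMPLE_LOG))
    print("blocked by HOSTS:", hosts_redirects(SAMPLE_HOSTS))
```

Loopback HOSTS entries are also written by legitimate blocklists such as the MVPS HOSTS file, so the names reported need to be read, not treated as an infection by themselves.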
This spyware also performs another very cute trick. Just in case someone has discovered that malware has been installed and tries to clean it off, a PE virus infects a harmless program set to load at startup. The program that is infected is chosen at random from the list of startup entries found in the registry. Once this is done, the computer is reinfected with this trojan when it restarts.
This keylogger appears to be designed specifically to capture passwords and user names. It captures chat sessions and collects passwords from various programs such as FTP clients. It reads information from the Windows Clipboard. It also captures data from Internet Explorer's "Protected Storage". This information is dumped into a log file. Once the log file reaches a certain size, the information is uploaded to a remote web server.
After some research, several people have found indications that an older version of this trojan has been infecting people for several months, possibly as far back as December 2004.
A web server is installed on the computer, along with a PHP scripting engine, allowing PHP scripts to be run on the infected computer. PHP is a scripting language used on millions of web sites, including Spywareinfo.com. Some of the PHP scripts included with this trojan allow a person to run programs on the infected computer from a remote location. We are still studying this web server.
Both SMTP and POP3 email servers are installed. Shortly thereafter, the computer begins spewing out spam.
Part of a rootkit is installed, which has been identified as Haxdoor.
The Windows Task Manager is replaced with an altered version.
Internet Explorer itself is infected. A DLL library file hooks into Iexplore.exe using process injection. This means that a firewall might not prevent this trojan from accessing the internet.
The Windows Security Center, installed as part of Windows XP SP2, is disabled. The Windows Firewall and the Automatic Updates services are disabled. If the computer is running Windows XP and does not have Service Pack 2 installed already, the registry is altered in a way that would cause installation of this service pack to fail.
One person reported that files from the program Total Uninstall 3 had been modified to render it inoperable.
The trojan connects to a certain page of a certain web site every five seconds. From this web page, with no password needed, someone can send commands to every infected machine still connected to the internet.
This very clearly is one of the worst malware infections I have ever seen. This whole newsletter is two days late because every time I thought I'd finished this article, we discovered something new about the trojan.
Again, running this tool from Sunbelt (http://research.sunbelt-software.com/ssaclean.cfm) should remove this particular trojan. Other antispyware and antivirus products should begin detecting it very shortly.
Credit for all of the analysis that I have tried to explain here goes to a large number of people: Patrick Jordan (aka Webhelper), Eric Sites and Alex Eckleberry of Sunbelt Software. There are a couple of researchers from Microsoft that I probably shouldn't name. Eric Howes and Suzi from spywarewarrior.com. Paul Laudaski (aka Zhen-Xjell) from Castlecops. From the online antispyware community: Tuxedo_jack, JackB, Avohir, Grinler, Mike Burgess (aka WinHelp2002), Merijn, Metallica, Didom, TheJoker, cnm, jedi, miekiemoes, Swandog46, Atribune, WaRHaWK, Bobbi_Flekman. If I left anyone out, I apologize. There literally were dozens of people picking this thing apart over the last few days.
We are continuing to post news stories related to this ID theft ring in our news section.
Window Washer is a very cool, very useful program. You could spend an hour rummaging through your computer deleting your browser cache, cookies, temp files, address bar history, and even those nearly impossible to delete index.dat files. With Window Washer, you don't have to waste all that time and energy. Window Washer makes doing these tasks quick and easy.
New in Version 6.0
* Deeper cleaning power to cover even more areas of your PC
* Free space cleaner to free up more of your PC's resources
* Protection for more browsers including Mozilla and Firefox
When I tested Window Washer for the first time, it cleared out an amazing 700MB worth of garbage files, most of it temporary files left over from programs that hadn't cleaned up after themselves. It deleted all of these files very quickly. Since then, it has deleted over 10 GB of trash files through regular cleanings.
Window Washer also deleted the index.dat file in my browser cache, a file that Windows normally refuses to let you alter. It reduced it from 1.8MB all the way down to 32KB. There is an optional setting to clean out the browser cache, address bar history, cookies and other internet usage traces every time the browser is closed.
There is an option to overwrite "slack space". "Slack space" refers to areas of the hard drive that show as empty to the system, but might contain data that was deleted previously. Another option adds "bleach to the washing". That is Window Washer's way of saying that it overwrites data with gibberish several times to prevent data recovery programs from putting deleted files back together. The number of times it will overwrite these files can be configured to NSA (7 passes), DoD (3 passes), and Gutmann standards (35 passes). You can set it to whatever number you want.
If you have any problems with the ordering page, please email Catherine http://www.spywareinfo.com/email2.php.
I can't decide what disturbed me more about the movie Minority Report. Was it that people were being imprisoned for crimes they hadn't committed or that people couldn't move about the city without a massive network of computers taking note of their location?
I don't know whether or not someone is working out a way to read the future and catch murderers before they commit the act. I do know that people are working on ideas to track people everywhere they go. In England, they will be embedding RFID transceivers into automobile license plates. Now there is talk of doing the same thing here in the US.
It usually is at this point where someone issues the shrill battle cry "RFID only works within a few feet!". To which the obvious response is "Today it does. What about tomorrow?". Well, tomorrow has arrived. At this year's Defcon hackers convention, someone managed to transmit to and receive data from an RFID transceiver 69 feet away. Supposedly, the chips being planned for automobiles in the UK can be read at a distance of 300 feet.
When you need to be within half a meter to read these chips, they are of little concern. When they have range enough that I can sit right here at my desk and detect every chip inside of every house for two blocks in every direction, I begin to worry.
If London can afford to install half a million video cameras on its streets, Houston or New York can afford to put an RFID reader into every fourth traffic light. With a range of 300 feet, even that would be overkill. If and when that happens, your car's position can be tracked throughout every square inch of your home town.
Welcome to the future.
Since I am on the subject of movies, who remembers Gattaca? This was a movie set about 20 or 30 years in the future. Before people are born, their genes are altered to edit out any imperfections. They are stronger, smarter and faster than their natural-born counterparts and are highly unlikely ever to develop a disease.
People begin to discriminate against natural-borns, those people conceived and born without the benefit of genetic enhancement. Simply hand in a job application and the skin cells you leave on the paper will be examined to determine if you have any genetic imperfections. It is illegal, of course, but it happens anyway. Natural-borns are relegated to the low-income labor class, sweeping floors or slinging burgers.
Gattaca was an interesting, if not particularly good, movie. And, like Minority Report, it predicts a problem that we may have to deal with soon out here in the real world. A few years ago, the Burlington Northern Santa Fe Railway tested the genes of workers injured on the job. This was done completely without their permission. They were looking for indications that these employees might be genetically predisposed to developing Carpal Tunnel Syndrome. The railroad was trying to find a way to avoid their obligation to pay Worker's Compensation benefits to those employees.
That may well be one of the worst ways possible in which to invade someone's privacy. I think even the "I have nothing to hide" crowd will be nervous about the idea of someone stealing parts of their body to run genetic tests. Even if they have absolutely nothing they would want to hide about their private lives, their genes are a different story. What if their boss lifts a skin cell for testing, then discovers a genetic predisposition for alcoholism left over from some distant ancestor? Will they continue heckling privacy advocates after an invasion of privacy leaves them walking home with a pink slip?
The US Senate has passed a bill which forbids employers and health insurers to discriminate against people based on information found in their genes. It is called the "Genetic Information Nondiscrimination Act of 2005". This bill now is awaiting action from the House of Representatives. The President already has indicated that he would sign it once it crosses his desk.
Unless you want your health insurance premiums to double because your family has been passing along an undesirable recessive gene since the founding of the Roman Empire, you should write to your Congressman or Congresswoman and ask him or her to vote for this bill.
This is an older story but I completely forgot to mention it in a previous newsletter, so here it is.
Advertising.com has reached an agreement to settle a lawsuit brought by the Federal Trade Commission. In 2003, Advertising.com began distributing Spyblast, a program they labeled as an antihacker program. As it turned out, the program itself delivered annoying pop-up ads and tracked the browsing behavior of the user.
Advertising.com failed to point out that the program was going to do that. Also, the program was distributed through an ActiveX drive-by installer. Predictably, people started to complain and the FTC later took action.
The terms of the settlement say that Advertising.com must "clearly and prominently" provide notice that Spyblast will create pop-up advertising. As far as I can see, there is no mention of a monetary fine.
I could be wrong, but I think development of Spyblast ended nearly two years ago anyway. That makes this settlement pretty ridiculous. Their only punishment is that they are required to include a disclosure in a program they no longer make? This is nothing more than a stern talking-to and a few minutes standing in the corner.
Ok, so there is one good thing about this. There now is the precedent of the FTC bringing a successful lawsuit against a company for distributing software designed to pop up ads without adequate disclosure. That should give other adware makers something to worry about.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners.
® All rights reserved.
Use of this site and its services are subject to our terms of use.