Comments on: Spyware hitting blogs

Spyware hitting blogs

mathowie — Mon, 21 Feb 2005 22:15:19 -0800

I often say that blogs are currently where the web was in 1998, with history repeating itself only this time with blogs. The latest sign: spyware and viruses are now being transmitted via blogs, specifically, random blogs on blogspot.com, found via the "Next Blog" button. Remember, just because a delightful purple gorilla wants to read blog entries to you doesn't mean you should click on him.

By: riffola

riffola — Mon, 21 Feb 2005 22:31:24 -0800

It's still ok to input my credit number in the banner ad so that they can check and make sure it's not stolen right?

By: bobo123

bobo123 — Mon, 21 Feb 2005 22:43:25 -0800

So how is this nana294 installing spyware exactly? Which platforms/browsers? ActiveX exploit, javascript, some type of overflow exploit? Should I stop clicking links?

By: mathowie

mathowie — Mon, 21 Feb 2005 22:54:08 -0800

I suspect the exploits are all IE/windows only.

By: teece

teece — Mon, 21 Feb 2005 22:58:15 -0800

I'm curious about that, too, bobo123. Me, I use either Safari on OS X or Konqueror on Linux. Neither of which makes me "safe," but I am curious what the infection vector would be. I strongly suspect ActiveX and IE on Windows, but what do I know (not much)? It's a bummer though -- I like the "Next Blog" button. If for nothing else, you can see just how bad some people's design sense is.

By: Samizdata

Samizdata — Mon, 21 Feb 2005 23:02:44 -0800

Although, opendiary.com is a good source also. EliteBar is a pain to clean. I am so glad I self-host.

By: DrJohnEvans

DrJohnEvans — Mon, 21 Feb 2005 23:08:27 -0800

Okay, I bit and visited. The culprit weblog looks pretty normal to me (Moz 1.7). Badly written, overdone design, the usual fare. A quick skim through the code didn't reveal anything extraordinarily suspicious. Strange.

By: DrJohnEvans

DrJohnEvans — Mon, 21 Feb 2005 23:09:56 -0800

Note: I use Mozilla variants via either Linux or Win98, so my spyware defence is based on a strategy of being in the obscure minority.

By: keswick

keswick — Mon, 21 Feb 2005 23:28:05 -0800

Oh, scumbags, is there any part of the Internet you won't ruin? First it was e-mail... Then it was Usenet... Then it was web ads & cookies... And IMs... Ah well, there's always Bittorrent.

By: skallas

skallas — Mon, 21 Feb 2005 23:40:19 -0800

This is ridiculous. First off, the author wont even mention the site in question so I can't test it and he keeps using terms like "my browser" instead of IE or Mozilla. Someone should tell this guy that there's no such thing as security through obscurity and he should try writing some damn details as this just feeds into "the web is unsafe" nonsense. IE may be unsafe, but I would be very surprised to see a cross-browser exploit which installed spyware. Not to mention, someone this technically clueless may just not understand the fact that he may have been infected previously. Who knows. Details, people. They're good for you.

By: DaShiv

DaShiv — Mon, 21 Feb 2005 23:41:51 -0800

Thanks for giving those "scumbags" new ideas, keswick. And for Christ's sake, don't mention Meta----- ######## NO CARRIER

By: DrJohnEvans

DrJohnEvans — Mon, 21 Feb 2005 23:44:21 -0800

skallas, the site in question is mentioned in the "now being transitted" link, in the email copy. It's quoted by the Blogger people in their reply: nana294.blogspot.com.

By: salmacis

salmacis — Tue, 22 Feb 2005 00:05:27 -0800

Er, I don't see a "next blog" button in the top right corner... (Linux/Firefox)

By: DrJohnEvans

DrJohnEvans — Tue, 22 Feb 2005 00:11:33 -0800

salmacis, the MT Law blog moved to their own domain and turned off the Blogger bar. You can still see it at their old domain, complete with zealous warning message.

By: salmacis

salmacis — Tue, 22 Feb 2005 00:12:28 -0800

BTW - I went to the nana294 blog and I got a Javascript popup saying "Sorry, you are not using a WIN32 computer".

By: juv3nal

juv3nal — Tue, 22 Feb 2005 00:12:33 -0800

in firefox i see a "additional plugins are required to display all the media on this page" thingy. likely it's IE only.

By: teece

teece — Tue, 22 Feb 2005 00:17:16 -0800

I think I see what it is doing -- in a very general sense. I am neither a Windows Guru nor has my clean programming mind been sullied with the vagaries of Javascript. But the page gets a remote jscript that is ostensibly to play music (iWebTunes), but it also downloads another jscript which gets a file called v3cab.cab from searchmiracle.com/cab. I don't know from a cursory glance how that little file does anything to your machine, but I would guess that is the entry point. It is certainly Windows specific -- they are even kind enough to tell you in the jscript and in a browser pop-up. Scum-bags. But it also makes me wonder: some people might just see a bit of javascript to play music on their blog, and think, yippee!, and install the code, and then infect people unknowingly. But then again, who can install a bit of Javascript on their web page and not understand such simple things? Gee, I hope it can't infect wget on my mac ... :-)

By: DrJohnEvans

DrJohnEvans — Tue, 22 Feb 2005 00:20:24 -0800

Hey, I opened about eight "next blogs" in new tabs, and one of 'em did manage to sneak a pop-up window through. Nice bit of work, teece. I imagine that if it was voluntarily installed (and I maintain that that particular blog looks too involved to be only a spyware front), then the installation instructions just called for a strategic copy-and-paste. Okay, enough playing for tonight. I'm going to bed.

By: teece

teece — Tue, 22 Feb 2005 00:31:19 -0800

I bet you're right, DrJohnEvans -- it is only 4 lines of JavaScript that appears to be getting the trojan. I wouldn't be at all surprised if the owner of that Blogger page simply Copy-n-Pasted that code into his/her blog, wanting it to play a tune. It does appear to actually play music (or at least try to), but I don't have a Windows IE platform to test it -- and if I did I wouldn't. Sigh. Must everything turn into a sewer?

By: skallas

skallas — Tue, 22 Feb 2005 02:34:53 -0800

>quoted by the Blogger people in their reply: nana294.blogspot.com. Thanks doc. Okay, I tested this on a winxp box with the following browsers: Firefox: No effect. Not even the javascript pop-up boxes. IESP2: I get two javascript pop-up boxes asking me to "upgrade my browser." The activeX handler showed me that software signed by "Enternet Media Inc" was asking to be installed. Summary: There is no exploit here. This is ActiveX. ActiveX is Microsoft's web installer. If you click Yes then you are installing software, software which may be spyware. If you click no, you are not. Its that simple. The javascript pop-ups are misleading, but are not an exploit at all. Just a nag box to install this ActiveX control. Suggestions: Windows 2000 and XP SP1 users should double check their ActiveX settings. ActiveX download should never be set to "Enable." It should be set to either "Prompt" or "Disable." Users in general should avoid all ActiveX as it is a well known vector for spyware, with the exception of WindowsUpdate. XP SP1 users should move to SP2 as soon as possible as it doesn't allow "drive by" ActiveX installs. Ideally, users should try a non-Microsoft browser if they want to avoid this and other security problems.

By: dabitch

dabitch — Tue, 22 Feb 2005 03:10:29 -0800

For anyone still worried, search miracle elitebar is IE on native systems only. Now you know how to avoid it. ;)

By: salmacis

salmacis — Tue, 22 Feb 2005 03:13:07 -0800

So how long before an XPI equivalent is in the wild for Firefox users?

By: BobInce

BobInce — Tue, 22 Feb 2005 03:30:44 -0800

There is no exploit here. But: - EliteBar uses massively misleading software descriptions. The one I got was: "YOU have an OUT OF DATE browser which can cause you to get infected with viruses, spam and spyware. To prevent this press YES now." - EliteBar has installed through IE exploits before (typically MS JVM exploits). What *could* cause this software to install automatically would be a Trusted Publishers or Trusted Zone hack. Many of the recent very commonplace IE exploits categorised at "CoolWebSearch" add software providers including Enternet Media (EliteBar) to trusted lists, causing their software to get installed instantly without prompting. Typically they later open a web page from that publisher with their own affiliate code in. Anyway, if there was a previous infection, that would cause EliteBar to install without prompting again in the future. Problems like these are all over the web now, including 'mainstream' sites. "Don't visit untrustworthy sites or porn" just doesn't cut it any more. Turn up all your security settings or don't use IE.

By: srboisvert

srboisvert — Tue, 22 Feb 2005 03:38:53 -0800

Problems like these are all over the web now, including 'mainstream' sites. "Don't visit untrustworthy sites or porn" just doesn't cut it any more. Turn up all your security settings or don't use IE. I've seen a couple of threads about popups hitting firefox on slashdot. They get around the blocker via flash or by dynamicaly linking to javascripts. Serious exploits are only a matter of time and popularity.

By: fenriq

fenriq — Tue, 22 Feb 2005 08:33:55 -0800

What I've learned from this post is that the search bar and next blog thing on top of Blogger blogs is no longer voluntary. If you have a Blogger blog, you have the search bar on your blogs. Unless I just missed the switch off for it. And a quick check shows that almost 70% of my site's visitors are still using IE, which is just sad.

By: hank

hank — Tue, 22 Feb 2005 08:48:15 -0800

Crap. I reported this trick to the Blogger management six months ago -- same sort of thing, installed SearchMiracle on Windows IE (hit a machine where I work, even with AdAware current and running). It infected immediately if you clicked 'next blog' and landed on the infected page. I thought they'd rooted it out. They certainly have been aware it's possible for a long time. It was then a chunk of code that supposedly played music, that the naive weblog page owner had copied and pasted in -- and it installed a really nasty piece of adware that came in two pieces, each of which could recreate the other if you tried manually deleting it. I've fortunately forgotten the details but a search at AdAware for "blogger" ought to turn up the gory story.

By: mygothlaundry

mygothlaundry — Tue, 22 Feb 2005 18:17:53 -0800

That bites, and I'm glad it hasn't happened to me; this news is ruining my evening. I love the next blog button, I've spent many useless wasted hours just clicking along through it all.

By: teece

teece — Tue, 22 Feb 2005 18:38:07 -0800

mygothlaundry, just don't use IE and you will be fine -- the exploit relies upon ActiveX (and your clicking 'yes' to a "browser upgrade.") If you aren't using Windows, then this is not a problem at all. Hank -- you just describe exactly what the Javascripts I look at do, on the Blogger web page I saw. So apparently Blogger has had no luck figuring out what to do about it.

By: DrJohnEvans

DrJohnEvans — Tue, 22 Feb 2005 20:16:24 -0800

Yeah, this is not an exploit of the "next blog" button. This could be an unsuspected part of any personal website. Heck, you could be visiting your little sister's Geocities website, and if she had decided that she wanted background music from iWebTunes, you'd be attacked. It's an IE vulnerability, not a Blogger one.

By: DrJohnEvans

DrJohnEvans — Tue, 22 Feb 2005 20:21:31 -0800

I couldn't find her email, so I left her a message on her Doodle Board. I feel like I just turned on a hair dryer and pointed it at the rain.