Re: 030 igetnet ignkeywords

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 11/16/02

    Date: Sun, 17 Nov 2002 11:34:46 +1300
    From: Nick FitzGerald <nick@virus-l.demon.co.uk>
    To: incidents@securityfocus.com

    "Waitman C. Gobble" <waitman@emkdesign.com> wrote:

    > Couple of things to note. The file is signed by IGetNet, LLC using a
    > Verisign cert. I suppose that signed applications are always
    > trustworthy?

    No. By default IE ships with no "trust always" certificates and the
    "Internet zone" is set to enable download of signed ActiveX controls
    but not of unsigned ones (that's a mal-description too -- it has to
    "download" the control to find out if it is signed or not... What
    they mean is consider offering the control for execution once it is
    downloaded). Further, the default config for the Internet zone is to
    run ActiveX controls. In practice this means once a control is
    downloaded and determined to be properly signed, IE will prompt you
    for whether you trust the signer in this instance _and_ it gives you
    an option to automatically (i.e. without prompting you again) trust
    anything else signed with the same certificate (note that is not the
    same thing as trusting anything else signed by the same developers
    _or claiming to be signed by the same developer_ -- a developer with
    two different product lines could easily have two certificates, using
    one for each and permanently accepting one would still cause prompts
    for the other, even though the name on the certs might be identical).

    I know MS likes making its products easy to use, and heaven knows MS
    understands that is a large part of its relative success, but
    offering the "always accept" option, _at least on software running on
    "corporate quality" OSes such as Win2K and XP Pro_ is a bad design
    choice. You'd have thought something inside MS would have learnt
    something from the Office macro virus holocaust which raged
    incessantly _despite_ MS giving user options to disable macros in
    documents, but it seems not. Perhaps in the new, enlightened age of
    "Trustworthy Computing" in which MS product designers and developers
    now work, this will change?

    Of course, committed system admins have had the "only allow admin-
    approved controls" options for a little while now, but I suspect that
    few actually use it.

    > I realize the obvious painful answer is that it was installed by
    > clicking on a link on a web site, and allowing it to install HOWEVER -
    > everyone I have heard from has NO recollection of doing such a thing.

    Rule number one -- never believe your users' _denials_ of doing
    something. "How did this keyboard get full of coffee?" "I don't
    know" Like, you expect they are going to say "I'm a klutz and
    spilled it" or "I deliberately sabotaged it"??

    Get real.

    As someone else has posted, users are far too accustomed to answering
    "Yes", "OK" or "Accept" to mumbo-jumbo tech/geek speak they do not
    understand as part of their normal use of this wonderful new
    technology. Further, far too many of them have had too many
    experiences of saying "No" or "Cancel" and then things not working
    properly that they are _conditioned_ to accepting things.

    We have just seen the "Friend Greetings" "eCard viewer" issue, where
    right up front, right at the top of the EULA screen when installing
    the "viewer" the user is told that installing the s/w will cause it
    to send Email to all the addresses in their Outlook address books.
    Do they click the "Accept" button or do they click "Don't Accept"
    and/or do they call their internal tech support/helpdesk/IT staff/
    etc?? Well, we don't know how many click "Don't Accept" but few have
    called their IT folk and we know thousands are clicking "Accept".

    Why?

    Are they stupid? Well, a few surely are, but most have been
    conditioned to accepting whatever their machine throws at them
    because historically not doing so has interfered with their
    "successful" use of the machines.

    Facing this self-evident truth, what are vaguely sane system admins
    to do? Well, first, they should find an OS and/or application set
    that allows them to prevent the users shooting themselves in the
    feet. Unfortunately, no popular OS and application set that allows
    this has been produced. Why? Because the designers of the popular
    OSes and applications, who have been rewarded with apparently never-
    ending sales and upgrade orders (though they are now showing signs of
    recognizing there is a final carriage on the gravy train and they are
    closer to it than they originally projected) have not produced
    products that allow admins to take such control, or if they do, the
    overhead of obtaining and maintaining that control is prohibitive.

    > IMO This thing behaves like a sticky virus, it mysteriously gets
    > installed on the machine, ...

    Well, you don't know that for sure. You have users who say they did
    not install it, but if you actually had serial screen shots of their
    machines from each window redraw, I suspect you'd have a different
    "picture"...

    > ... and seems to be difficult to remove. Chris
    > Wagner kindly posted a link on this ng to removal instructions that seem
    > to work, however one person telephoned me last night and indicated that
    > the conditions persist even after following the instructions.

    I have not tried removing it on a machine with an active Internet
    connection, so my experience may be different, but the uninstaller
    IGetNet provide did appear to "sufficiently" remove the thing from my
    test machine (it left an unregistered DLL, but got rid of the rest).

    > I haven't heard anyone making the claim that the "browser upgrade" from
    > IGetNet is useful, in fact everyone I have heard from is upset about it
    > and wants it permanently removed from their system as quickly as
    > possible.

    Same here...

    > It brings to my mind the term "viral marketing".

    Yep, and although not technically a virus, it is the sort of thing
    that the antivirus, anti-Trojan and anti-adware/spyware folks are
    increasingly being pressured to detect and provide reliable removal
    of. I suspect the more "aggressive" viral marketeers have badly
    misjudged userland's acceptance or tolerance for such things.

    > In my opinion IGetNet wants to come into the picture, apparently through
    > the back door, as a replacement for RealNames. I am not sure that
    > enough, if any, people would actually buy keywords from them. After
    > losing close to $1200 US when RealNames got its plug pulled, I wouldn't
    > touch IGetNet with a ten foot pole.

    8-)

    And the more bad publicity like this you can generate for them the
    better...

    > I have a hunch that this is coming in through a program that does
    > unattended (or attended for that matter) automatic updates, or a program
    > that routinely gets stuff off the Internet, like a music player.

    This is, of course, quite possible and what got some of the other
    "adware" folk in trouble. I forget precisely who now, but one of the
    adware company's "products" was supposed to always ask permission and
    display a list of actions the software took, the company's privacy
    policy and so on. However, some of their clients who bundled it with
    their own software took the basic installer script and after
    displaying just their own EULAs, etc (which did not mention the
    specifics of the adware, or in some cases even that the adware was
    included) then installed their own s/w and the adware. The IGetNet
    "add-in" could easily be installed "silently" in such a way.

    > Additionally, I imagine any day now the phone will start ringing off the
    > hook from our clients that have mysteriously contracted the virus and
    > seek removal.

    Caveat emptor.

    Their stupidity is a further marketing opportunity for you. (Of
    course, if you find that distasteful, you should be recommending
    they overhaul their systems so that better administrative control is
    available and such "abuse" prevented, rather than needing continual
    clean up after the fact...).

    > My guess is that this is the tip of the iceberg - bigger better faster
    > harder is certain to come.

    Such is the way of things, it appears...

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
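An added audit script, not part of Nick's post or anything IGetNet ships, that reads the state he describes: the Internet zone's ActiveX download/run settings (including the "administrator approved" option) and the publishers a user has already permanently trusted through IE's "always trust" checkbox, which lands the signer's certificate in the Trusted Publishers store. The registry value names and their numeric meanings are assumed from Microsoft's documented IE zone layout; verify them on the build you audit.

```powershell
# Added audit script (not from the original post). Reads IE's Internet zone
# (zone 3) ActiveX settings and lists publishers this user has permanently
# trusted. Value-name mapping is an assumption based on Microsoft's documented
# zone registry layout; confirm on the IE build you are auditing.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Zone value name -> the IE security setting it controls (assumed mapping)
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
}

function Get-ZoneSettingLabel([int]$Value) {
    switch ($Value) {
        0       { 'Enable (no prompt)' }
        1       { 'Prompt' }
        3       { 'Disable' }
        65536   { 'Administrator approved only' }   # the option the post says few admins use
        default { "Unknown ($Value)" }
    }
}

$props = Get-ItemProperty -Path $zone
foreach ($name in ($actions.Keys | Sort-Object)) {
    $raw = $props.$name
    if ($null -eq $raw) {
        $label = 'not set (inherits zone default)'
    } else {
        $label = Get-ZoneSettingLabel $raw
    }
    '{0,-40} {1}' -f $actions[$name], $label
}

# Certificates placed here by "Always trust content from <publisher>" will be
# accepted without a further prompt, exactly the permanent acceptance the post
# criticises; review each entry and remove any the organisation did not approve.
"`nPublishers permanently trusted for this user (Trusted Publishers store):"
Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
    Select-Object Subject, Issuer, Thumbprint, NotAfter |
    Format-Table -AutoSize
```

Run it in the context of the user whose machine is in question; machine-wide trusted publishers live under Cert:\LocalMachine\TrustedPublisher and are worth checking too.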
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com