Research

Archive for the ‘Phishing’ Category

FTC takes on Antivirus XP

Friday, December 12th, 2008

Early last week the FTC took aim at Antivirus XP and the people behind it. This kind of scareware is a well known scam. My colleague Joe Stewart had previously investigated a similar scam, run by the Russian Bakasoftware group. From the court filings, the group the FTC is pursuing is run by American and Canadian citizens. The FTC sought and was granted a temporary restraining order (TRO) that requires the entities and people behind Antivirus XP to stop claiming they are performing AV scanning, to stop concealing their identities (including ceasing use of any domains registered using false information), and not to spend, hide or transfer any of their ill-gotten gains.

The TRO also extends to the defendants’ web hosting providers and banks. They are respectively ordered to take down and preserve web properties and to freeze assets owned by the defendants.

These scareware products have been marketed under a wide variety of names; those listed in the FTC’s complaint include WinFixer, WinAntivirus, DriveCleaner, WinAntispyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, and XP Antivirus 2008. These are remarkably similar to the names used by the Bakasoftware group that Joe reported on: Easy Spyware Cleaner, SpyRid, InfeStop, WinIFixer, Advanced XP Defender, Advanced XP Fixer, Malware Protector 2008, Antivirus XP 2008. We do not believe these groups are related, but rather that this is another example of successful tactics being copied by other malicious actors.

These scareware products have defrauded millions of dollars from consumers and left them vulnerable to other malware. It’s great to see the FTC take action against them. The order also requires the defendants to supply the FTC with business records, including affiliate data.

Hopefully the FTC will be able to go after the affiliates as well. As we previously disclosed, affiliates can earn big money from this kind of scam. A hacker known as NeoN broke into the Bakasoftware affiliate website and found that some affiliates were earning in excess of a hundred thousand dollars a week installing Antivirus scareware.

The hearing for this issue is scheduled for this (Friday, December 12, 2008) afternoon. The defendants are ordered to appear, but personally I don’t have terribly much confidence they will be there. Even if not, I’d like to see the FTC follow the paper trail and seize assets. The complaint, restraining order, and press release can be found at the FTC’s website. Good job FTC, and good luck chasing the money trail.


The Phish That Bites Back

Monday, August 25th, 2008

We all get phishing emails. Some of us more than others, so it’s no surprise that sometimes people take out their frustrations on the phishing form, letting the phisher know just what they think of him or her.

While it might make you feel better, it isn’t always a good idea. For instance, if you were to do this on a phishing page hosted by the Asprox botnet, you might get more than you bargained for. The Asprox phishing form backend has a bit of extra logic added to it. If the form looks like it has been filled out with legitimate data, you get redirected to the main page of the bank website.

However, fill it out incompletely or use certain words like “phish” or NSFWUYAS (Not Safe For Work Unless You’re a Sailor) language, and your browser will be subjected to a number of exploits. If you are running Windows and haven’t recently installed your security updates and patched all your browser plugins/ActiveX controls, you might find yourself infected with your very own copy of Asprox.

Not only do you then get the opportunity to unknowingly send phishing emails on behalf of the botnet, you will likely get some extra goodies, since Asprox is also a downloader trojan. You won’t notice it running, but you might notice some of the things it downloads and installs.

For instance, you might find your desktop wallpaper changed to a “spyware alert” type of message, and now all your screensaver shows is scary blue-screens-of-death. Of course, if you’re familiar with the Windows desktop properties dialog, you can change all that back, right?

Oops, the rogue antivirus program has removed that functionality for you. But hey, at least it gives you a chance to look over the license agreement, right?
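The post does not say how the rogue antivirus disabled the desktop properties dialog. The script below is an added example, not code from the original post or from SecureWorks; it assumes the common mechanism, namely the Explorer and ActiveDesktop policy values that hide the Display Properties dialog, its tabs, or wallpaper changes, and gives an incident responder a quick audit (and optional cleanup) of those values on an affected machine.

```powershell
# Added example (not from the original post): audit the Explorer policy values
# that are commonly used to lock a user out of the Display Properties dialog
# and wallpaper changes. The post does not state how Antivirus XP 08 removed
# the dialog; checking these values is an assumption about the usual mechanism.

function Get-DisplayLockoutPolicy {
    [CmdletBinding()]
    param(
        # Remove any lock-out values found instead of only reporting them.
        [switch]$Remediate
    )

    # Policy values that hide the Display Properties dialog or its tabs, or
    # block wallpaper changes. Each is checked under both HKCU and HKLM.
    $policies = @(
        @{
            Key   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
            Names = 'NoDispCPL', 'NoDispBackgroundPage', 'NoDispScrSavPage',
                    'NoDispAppearancePage', 'NoDispSettingsPage'
        },
        @{
            Key   = 'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
            Names = 'NoChangingWallPaper'
        }
    )

    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($p in $policies) {
            $path = "${hive}:\$($p.Key)"
            if (-not (Test-Path $path)) { continue }
            $item = Get-ItemProperty -Path $path
            foreach ($name in $p.Names) {
                $value = $item.$name
                # A missing value means the policy is not set; nothing to report.
                if ($null -eq $value) { continue }
                $finding = [PSCustomObject]@{
                    Hive    = $hive
                    Path    = $path
                    Name    = $name
                    Value   = $value
                    Enabled = ($value -ne 0)
                    Action  = 'Reported'
                }
                if ($Remediate -and $value -ne 0) {
                    # Clearing HKLM values requires an elevated session.
                    Remove-ItemProperty -Path $path -Name $name -ErrorAction Stop
                    $finding.Action = 'Removed'
                }
                $finding
            }
        }
    }
}

# Report only; re-run with -Remediate to clear values that are set.
Get-DisplayLockoutPolicy | Format-Table -AutoSize
```

Run it without the switch first so the findings can be recorded before anything changes. Clearing the values only restores the dialog; if the rogue program is still running it can simply set them again, so the process and its persistence need to be removed first, and on a domain-joined machine a legitimately configured Group Policy will re-apply the same values on the next refresh.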

Except you’ll notice the lack of an “I disagree” or even a “close window” button at the top of the dialog (which can’t be minimized, and stays on top of all your other windows). So there’s no easy way to continue using your computer without clicking on the “Agree and install” button. But don’t worry, Antivirus XP 08 has already installed itself, whether you click through the license agreement or not. Eventually you will see this:

Of course, you’re not infected with everything this program says you are - it’s scareware, designed to get you to fork over $50 or $100 in order to clean your system of all these nasty threats. But it doesn’t actually detect or clean anything, especially not the Asprox bot you’re hosting now.

And at any time, Asprox might deliver another malicious payload and install it for you - and it could be much worse: we’ve seen the Zbot banking trojan installed by Asprox in the past. So instead of dealing with a nuisance program, you might be silently sending your banking and credit card information to the botnet owners. Something to think about before venting your frustrations on the bad guys. Sometimes phish bite back.


Is Security Research Protected Speech?

Tuesday, August 19th, 2008

On Thursday August 14th, 2008, there was another hearing in the dispute between the group of MIT students and the Massachusetts Bay Transportation Authority (MBTA). Judge O’Toole decided to allow the temporary restraining order, which prevented the students from giving their presentation titled “Anatomy of a Subway Hack” or discussing related information, to stand without modification. The next hearing will be on Tuesday, when the temporary restraining order expires. It seems likely that the MBTA will then ask for a more permanent injunction.

During the emergency hearing on Saturday, August 9th, the Electronic Frontier Foundation (EFF), providing counsel for the students, argued that a temporary restraining order of this kind imposed prior restraint upon their speech. A party seeking prior restraint of another’s speech is considered to have a very high burden to prove that they are not unduly burdening the other party’s freedom of speech. The most famous case involving prior restraint is New York Times Co. v. United States, better known as the Pentagon Papers. In this case the Supreme Court found that the Government’s interest in restricting the publication of classified material was not sufficient to trump the New York Times’ 1st Amendment rights. The material in question described the Government’s actions in Vietnam, while American soldiers were still fighting in the region. Subsequently the courts have stated that only the most important of government needs, such as revealing the location of our troops in the field, would allow prior restraint. It would not seem that the possible harm of informing people how to get a free ride on the subway would rise to that level.

How is it then that the MBTA was able to obtain a temporary restraining order preventing the students from speaking? Judge Woodlock, the judge who presided over the emergency hearing on August 9th, interpreted the Computer Fraud and Abuse Act (CFAA) to mean that the students, while giving a talk at Defcon and/or making software available for download, could be in violation of the CFAA. Specifically, the clause that criminalizes anyone who “knowingly causes the transmission of a program, information, code, or command and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”. The Judge’s interpretation is that the talk constitutes transmitting information and that if after the talk any of the attendees then damage the MBTA by bypassing the fare system, this counts as damage.

The EFF, needless to say, disagrees. The EFF argued that in the CFAA transmission means transmitting information to a computer, not a person (otherwise the statute would infringe upon the 1st Amendment; moreover, in other paragraphs the statute uses the term “communicate” to refer to giving information to a person). The EFF also argues that the damage must occur as a direct result of the transmission of the information / code. They say that if someone else later commits a crime based upon information you transmitted to them, the link between the action and the damage is too attenuated to be combined into a violation of the statute. It also seems that according to the EFF the damage must be to the computer system, or damages associated with downtime or cleaning up after an incident. There are other provisions of the CFAA that cover stealing information and unauthorized access with intent to defraud. However they do not seem to apply in this case and are not the provisions the judge relied upon when he granted the temporary restraining order. The CFAA, although a criminal statute, allows people to bring civil action to recover damages incurred from violating the statute and to ask the court to enjoin continued violation of the statute.

The free speech issues the EFF raised at the emergency hearing on Saturday, August 9th were not addressed at that time, but the MBTA did mention them in their brief for the August 14th hearing. The MBTA first called the MIT students’ speech an incitement to a crime, and second stated that: “The Individual Defendants’ DEFCON presentation constitutes commercial speech. Commercial speech is any speech that proposes a commercial transaction. As commercial speech advertising illegal activity, it receives no First Amendment protection. Here, the Presentation is full of marketing, and self-promotional statements. It is not a research paper.” [Plaintiff's Opposition to Cross Motion for Reconsideration of Defendants]

I have not heard a recording of the hearing on the 14th, however I’m sure the EFF would take the position that the students’ paper was academic research, which is fully protected by the 1st Amendment. The paper was written while the students were attending one of the most prestigious engineering schools in the world, it was written (and turned into a talk) under the guidance of the extremely well known and respected Professor Rivest (the R in RSA) and then was intended to be presented at a computer security conference. The EFF also submitted as evidence a letter from 11 professors and industry professionals detailing the dangers of preventing this kind of research from being made public.

The other interesting aspect about this is that the MIT students provided a confidential vulnerability assessment of the fare system to the MBTA. The students stated that this document contained more detailed and potentially damaging information than they intended to give at their Defcon talk. The MBTA submitted this document as evidence in the court hearing and in doing so it became part of the public record. The EFF advised the MBTA of the dangers of this, and suggested that they take emergency action in sealing the information so as to prevent it from becoming public. It does not appear the MBTA took any action to prevent this from happening.

This raises many questions in my mind. If we were to look at the MIT students’ conduct in the worst possible light, it is that they wanted to provide details of security flaws to a large group of hackers with either the intent or reckless disregard to the fact that some of the attendees would use this information to evade paying fares at the T. The MBTA calls this commercial speech and an incitement to a crime.

According to the MIT students, the MBTA provided substantially the same or more information to the public in the form of a court filing. What is the difference between these two? What makes one actionable under the law and not the other? Is it the substantive information about the security flaws? Is it the location and audience that makes the difference? There was a presentation on the Mifare card (the same card used by the T) security at Blackhat that went on without a legal challenge. There was a legal action brought against a university in the Netherlands to attempt to prevent them from publishing similar Mifare research, but a Dutch court ruled in favor of the university.

If the students had presented this same information in an academic journal or a more academic sounding (as opposed to the scary sounding, hacker infested Defcon) conference, would that have been ok? Or was it the provocative language in the students’ presentation? They did use phrases like “Want free subway rides for life?”, “This is illegal - for educational use only” (the judge in the emergency hearing found this phrase to be tongue in cheek and offensive), and “Is this hackable? Yes!”. Or is it motive that makes this speech possibly unprotected? Is the difference that the MIT students wanted to encourage others to break the law and that the MBTA is just trying to educate the court? Can the aforementioned choice of venue, audience, and tone of their speech be seen as sufficient to indicate that their motive is to incite others to violate the law?

I’m not a lawyer, so I can’t speak authoritatively on what speech is protected under the First Amendment. However, it seems that it is the tone of the students’ speech more than the technical content that is causing (or exacerbating) their legal problems. Unfortunately I’ve found in looking into other cases that it seems that when faced with complex questions of technology and law, sometimes judges will fall back to one of the more classical elements of crime - motive.

If the defendant seems to have had malicious intent, then he likely violated a law. For example, in the David Ritz case I blogged about earlier, one of the findings was that, “The Court finds by clear and convincing evidence that Ritz is guilty of actual malice. Sierra is entitled to an award of exemplary damages for the sake of example and by way of punishing Ritz.” Ritz may have harbored malicious intent towards Sierra (Ritz alleges that Sierra is a spam house), but is that the key point that should make his DNS zone transfer unlawful? Is it right to punish one person but not another for obtaining the same publicly available information simply because their motives differed? Likewise, should the MIT students be stopped from sharing their research because of the admittedly juvenile and offensive manner in which it was presented? I don’t agree, but instead of suggesting a way to deal with these questions, I’ll end with a quote from Justice Black’s opinion in the Pentagon Papers case: “The word ’security’ is a broad, vague generality whose contours should not be invoked to abrogate the fundamental law embodied in the 1st Amendment.” [New York Times Co. v. United States]

SecureWorks follows a responsible disclosure policy when discovering a vulnerability. It can be found at http://www.secureworks.com/research/disclosure.html
