Category Archives: Field Reports

Cleanup reports of startupware from the real world.

Mailbag: 500 Hard Drives, Yeah, sure…

From today’s mail, sanitized just enough to protect the companies whose names or contact data are being abused:

Hello, We want to place an order for 500 units new Western Digital Caviar Blue 500GB SATA/600 (WD5000AAKX) 7200RPM 16MB Hard Drive (OEM).
Do get back to us with your price quote which should include FedEx next day A.M shipping to our I.T location in Deerfield Beach, FL ____.
Method of Payment would be net 10 terms. We look forward to your immediate response.
Thanks,
Kevin Douglas
Purchase Manager
The Twister Group
________
Glenview, IL 60025
Phone: 855-_________ext 374 Fax: 877._______
Email: _______

Yeah, right. 500 hard drives, net 10 terms, shipped to Florida by early-day overnight delivery–hot rush, but billed to Illinois on credit terms to an unknown company, when your web site looks like this:

Twister Group

The fax number provided goes to a real electronics distributor in Indiana, no relation.

So I’m just wondering…. Are there companies stupid enough to ship this order?

For anyone selling computer hardware on the internet, expect orders for hardware to fall from the ‘net, and expect them to be fake. I had one last year that needed 6 notebook computers and 3 network routers with VPN support, drop-shipped to Florida, with a credit-card billing address in Georgia, and would you please bill it to these three credit cards in equal amounts? What? The numbers are consecutive? Really?

I called the bank on that one, after looking up the first 4 digits of the card numbers to identify them, and had a chat with their fraud department. They told me, short version, “Unbelievable. Impossible. Felons.” Words to that effect.

Fraud on the Internet goes both ways. It’s not just shady Internet vendors–every possible opportunity to have a transaction is being attacked.

Startupware Made Me Look Like This (FunWebProducts Report)

OR: Creating Avatars with Toolbars and Search Hooks

by Jerry Stern
Webmaster, Startupware.com

OK, I look like this now.

Well, maybe only kinda.

This project started out with a web ad. It told me that I could look like a character from the movie ‘Avatar.’ I’ve seen the ads before, clicked through to see what it was, and then shut down the page fast when I saw that there was a Flash plug-in and a membership form to agree to. This time, I said, well, let’s check it out. On my test machine, not the production box. With extreme caution.

OK, off to the XP test box. At the moment, it’s running XP Pro, Service Pack 3, fully-patched, and Microsoft Security Essentials Anti-Virus, and has no other security in place, no data, and no significant software other than patched versions of Adobe Flash and Sun Java.

The link from the ad was to mycartoon(dot)info, which immediately redirected to imakemoolah(dot)com, which then immediately redirected to home(dot)zwinky(dot)com. Note the past tense; as I write this, a week later, the link has changed, and the final step now goes to home(dot)mywebface(dot)com.

Neither of these sites contains the promised ‘Avatar’ look. The ad also implies that I can convert a photo. That’s not there, either. What was there is Zwinky, apparently an online ‘community’ using cartoon avatars. It invited me to create my Zwinky character. OK, so I did. There is a required sign-up for a membership in the online Zwinky site, and an email address is required (I used one of my temporary emails, and it has not been spammed, so far). Here’s what I found along the way, in case you find this on a computer during a cleanup.

First off, Internet Explorer 8 warned me of an ActiveX control installation. There is a basic warning that I’m installing the MyWebSearch toolbar. Note that the page is from Zwinky, but the download is from imgfarm(dot)com, while the source of the download is their SmileyCentral project. It’s all very spread out over multiple sites.

Next, there is a clue that multiple products are included. The Internet Explorer Security Warning identifies the download as being from Fun Web Products, and includes “Zwinky, My Web Search, Search Assistant, and Easy…” The line is cut off; could go on for a ways yet.

Finally, my screen begins to show something that’s closer to what I clicked on:

And done:

OK, I UNCHECK both boxes, and click finish. The mywebsearch toolbar appears anyway, and I’m taken to the Zwinky page to create a character.

OK, now let’s look at what else is happening in the background. I ran HijackThis and checked the log; it’s immediately apparent that this product is startupware–all these items are new:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://tbedits.mywebsearch.com/one-toolbaredits/menusearch.jhtml?s=100000338&p=ZJxdm3802MUS&si=40699&a=..bh6qJGzk7dFMyFxzxTDA&n=2010061710
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe

In order, note the URL search hook in group R3, the two Browser Helper Objects in group O2 and the toolbar in group O3, and the installed service in group O23. Big product, by any measure.

Next, I took a look at the C: drive. Under Program Files, there’s 6 MB of files under ‘MyWebSearch’ and 0.6 MB under ‘FunWebProducts’, which contains 4 folders and only 1 file. Over in Control Panel, there is one new entry, for “My Web Search (Zwinky)”, listed as 6.29 MB. I’ll run that later.

Next, I go back into Internet Explorer. It opens to my usual home page of ‘about:blank’, so that’s OK–remember, I declined the home page change earlier. I tried to turn off the toolbar, and here’s the result–I chose to disable:

OK, back to Control Panel. Ran the uninstaller. There’s one confirmation screen, and I chose to remove all features. A reboot is needed, OK. There’s a file left behind in c:\Program Files, so I delete ‘Uninstall Fun Web Products.dll’. A second pass through HijackThis shows one straggler autostart item–I removed it manually:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab

Now, as invasive as this product is, their online drawing program does work easily. In case my readers are tempted to go there, and create an avatar, like I did–be warned. The avatar can’t be saved or exported, it’s only usable on Zwinky, and you can create only one, so it’s pretty limited overall. The images I’ve created were done using creative and major browser zooming on the page, then screen captures, imports of the captures into Corel Draw! X4 for a bitmap-to-vector conversion, more tweaking and editing, isolation of the head for some versions, and so on. I invested 90 minutes, and someone with less familiarity with drawing software would not end up with a usable avatar.

So what is all this? It looks like a URL search grabber, with a major content delivery system of cute drawing programs that can’t save files. Zwinky.com does, at least, have a visible means of financial support in the ads on their site, but they also have a link on the footer to their affiliate program, where they claim no spyware (right, just a search hook), no adware, high industry payouts, and association with webfetti, CursorMania, and “in partnership with neverblue”.

Let’s make this clear–these items are misleading, invasive, and possibly not quite fraudulent (in the legal sense), but they are clearly not drive-by downloads, except in one sense: The names are all mismatched. I click on mycartoon(dot)info, and pass through imakemoolah, to zwinky, download from imgfarm, and end up with FunWebProducts and MyWebSearch. Many end users aren’t watching that closely.

As far as cleanups go, when I have an infected PC on my desk, the usual situation is that there is some malware of unknown origin (I didn’t see any on these sites, as of June 2010), so I go looking, and I find there are 10 autostart entries for one web application that my customer doesn’t remember installing, plus a variety of other items of similar unknown origin, so they all come out. For me to leave them alone would require that the install did not include a search hook, a toolbar, or an installed Windows service; this combination of mismatched web sites delivers all three, and there is no need for a web page to run 10 autostarts. Delete that.

And that’s a shame, too. If these programs ran without the toolbars and autostarts, with no associated search hook baggage, and could save images easily, they would be worth paying for. Oh, well.
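To make the cleanup rule from this report mechanical, here is an added Python example (not HijackThis’s code, and not the author’s) that parses HijackThis-style log entries, groups them by the product directory they point at, applies the post’s test (a search hook, BHO/toolbar or service present means the whole product comes out), and diffs a post-uninstall log against a baseline to surface stragglers like the O16 item above. The ten entries are copied from the log in this post; the baseline Security Essentials run key, the post-uninstall log and the 8.3 short-name table are constructed for the example.

```python
import re
from collections import defaultdict

# HijackThis section prefixes seen in the report's log. The post's cleanup
# rule treats a search hook, a toolbar/BHO or a service as grounds to remove
# the whole product, not just the one line.
GROUPS = {
    "R3": "URL search hook",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Run key (autostart)",
    "O8": "IE context-menu item",
    "O16": "Downloaded Program File (ActiveX)",
    "O23": "Windows service",
}
STRONG = {"R3", "O2", "O3", "O23"}

LINE_RE = re.compile(r"^(R\d|O\d+)\s+[-\u2013]\s+(.*)$")  # accept " - " or " – "
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")

# 8.3 short names make one folder show up under two spellings (the log has
# both C:\Program Files\MyWebSearch and C:\PROGRA~1\MYWEBS~1). A live tool
# would resolve these against the disk; this table is hand-filled for the
# example (assumption).
SHORT_NAMES = {"progra~1": "program files", "mywebs~1": "mywebsearch"}


def extract_path(text):
    """Local file path named by an entry, or None (URLs in O8/O16 lines)."""
    m = QUOTED_PATH_RE.search(text)       # Run keys with quoted command lines
    if m:
        return m.group(1)
    m = BARE_PATH_RE.search(text)         # unquoted path runs to end of line
    return m.group(0).strip() if m else None


def parse_line(line):
    """One HijackThis entry as a dict, or None for lines that aren't entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    group, rest = m.groups()
    clsid = CLSID_RE.search(rest)
    return {"group": group, "kind": GROUPS.get(group, "other"), "text": rest,
            "path": extract_path(rest),
            "clsid": clsid.group(0) if clsid else None}


def product_dir(path):
    """Drive-relative first two folders, lower-cased, short names expanded."""
    parts = [SHORT_NAMES.get(p, p) for p in path.lower().split("\\")[1:]]
    return "\\".join(parts[:2])


def summarise(lines):
    """Count entries per product directory and record which groups appear."""
    out = defaultdict(lambda: {"count": 0, "groups": set()})
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        key = product_dir(e["path"]) if e["path"] else "(no local path)"
        out[key]["count"] += 1
        out[key]["groups"].add(e["group"])
    return dict(out)


def remove_whole_product(entry):
    """The report's rule: hook, BHO/toolbar or service present => all of it goes."""
    return bool(entry["groups"] & STRONG)


def new_entries(baseline, current):
    """Entries in the current log that the baseline did not have. Run it after
    install to see what a product added, and after uninstall to find stragglers."""
    seen = {l.strip() for l in baseline}
    return [l for l in current if l.strip() and l.strip() not in seen]


# Constructed baseline: the test box's own Security Essentials run key.
BASELINE = [
    r'O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey',
]
# The ten entries from the report's log, with HijackThis's " - " separators.
AFTER_INSTALL = BASELINE + [
    r"R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL",
    r"O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL",
    r"O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL",
    r"O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL",
    r'O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h',
    r"O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe",
    r"O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe",
    r"O8 - Extra context menu item: &Search - http://tbedits.mywebsearch.com/one-toolbaredits/menusearch.jhtml?s=100000338&p=ZJxdm3802MUS&si=40699&a=..bh6qJGzk7dFMyFxzxTDA&n=2010061710",
    r"O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab",
    r"O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe",
]
# Constructed post-uninstall log: only the O16 straggler the report found.
AFTER_UNINSTALL = BASELINE + [AFTER_INSTALL[9]]

if __name__ == "__main__":
    for product, info in summarise(AFTER_INSTALL).items():
        verdict = "remove whole product" if remove_whole_product(info) else "leave"
        print(f"{product}: {info['count']} entries, groups {sorted(info['groups'])} -> {verdict}")
    print("stragglers after uninstall:", new_entries(BASELINE, AFTER_UNINSTALL))
```

Grouping by directory is what turns ten scattered lines into one verdict: the eight MyWebSearch entries share a folder even though three of them use the 8.3 spelling, while the O8 and O16 lines name URLs rather than local files and so are reported separately. The baseline diff is the same comparison the report does by hand with a second HijackThis pass.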

FOSE Keynote: Scott McNealy

Sun Microsystems sent their CEO, and he’s clearly the best CEO speaker I’ve heard at a long series of these events. He speaks, teaches, amuses, and of course, sells pretty much continuously, and keeps to a schedule. Scott McNealy is clearly in touch with the real world. And he has made the transition to open source, completely and emphatically. He’s giving away Sun’s intellectual property, online, in-person, everywhere. Just before FOSE, he returned from a trip to China, where he told the Chinese government that he would provide, free, Solaris and Java software, and development help, and the Ultrasparc high-end processor plans, so that China could build their own hardware systems and provide automation services to their economy. He has made a similar proposal to Germany and some other countries–not all countries are ready for such a proposal, he says: they have the skills, but not enough technology already in place. Free.

His talk was all about Open Source; it would have worked just as well at a developer’s event as at a government event. His main point: Sun makes money giving away all their intellectual property, and then selling services and contracts. There are five public reasons he pushes open source. A sixth, unmentioned, is surely that expanding markets for open source expands markets for Sun Microsystems–they’re clearly a large enough player to benefit from that type of marketing.

1. There is no barrier to entry for users of open source products. Selling a prototype project to a corporate purchasing department shouldn’t start with requests for funding for software, just to see if what’s needed is possible. Just download it, and get started.

2. Increased interoperability. The source is out there, so there are no proprietary formats; every competitor is free to copy how you’ve done processes, and link into them, or add functionality.

3. More Research & Development. A closed source development project might have 5 programmers, or 30, working on it, he says. In open source, testing and bug fixing is open to a world of interested parties. It’s all extra help for the R&D staff.

4. More Secure. For the same reasons, open source is tested and hacked by the world before being declared as ‘done.’ There are no hidden secrets, it’s all out there to see, before deployment.

5. No barrier to Exit. There are no service-level agreements forcing years of product upgrades to future versions, sight unseen, and no site licenses in open source; there are no contracts to tie down a corporation or a government to continue using a product that’s last year’s bad news.

Sun is making money, lots of it. McNealy’s opening joke was that he stopped by Washington DC to pick up his $600 tax rebate check, and to deposit a few million dollars for his 2007 tax bill. Open Source is clearly working for Sun–they claim to be the world’s largest provider of it, and they’re profitable even after spending huge amounts to defend themselves and their clients against software patent claims. They don’t start lawsuits over intellectual property, but they do defend, vigorously, and half their winnings go back to an open source legal defense fund.

Sun competes on the basis of providing service to clients. Their model sounds closer to that of a service company than to a software publisher. Scaling their model down to the level of a microISP is clearly challenging; some software developers are already working on the basis of custom installations and ‘whatever-you-need for a fee’ service. More will clearly have to work that way in the future.

McNealy closed by giving away a large stack of software CDs to every attendee, but remember that this is to a US Government audience that can’t accept gifts valued above $20. “It’s worth $8 for all the plastic. The content is available for free at developers.sun.com. I’m just saving you download time.” He doesn’t stop selling. Ever.