Fox Says Web Bugs = Virus Risk

Bonker writes: "Fox News is printing an expose on 'Web Bugs' used in concerto with HTML-mail spam. Along with outlining the dangers and the methods that Web bugs use to gather information, CERT's Jeff Havrilla is quoted as saying that these are pretty much ripe for illegally malicious activities, such as virus propagation. Harvilla says that Web Bugs would allow malicious virus creators to 'target' systems. Scary, wot?" *sigh* I can't even begin to describe how much the story irritates me - yes, there's truth to it. But it's more then just simple Web bugs - it's any sort of URL, given that you could create a unique URL for each spam. Take out the scare portion of the article, and just use the bottom line - don't click on spam URLs.

Re:URLS and advertising

Advertisers brought us magazines, daily newspapers, radio theater

That's because they were paid by advertisers. With spam, nobody is paid to carry the ad, thus nothing is funded by the advertiser. Magazine advertisers pay magazine publishers who give us magazines, television advertisers pay television companies who give us television, spammers pay nobody so we get nothing. Spam isn't going to bring us anything, because spammers don't pay anyone.

Why web bugs are particularly evil

Web bugs are more evil than your average URL link because you have to click on the link, whereas a web bug (and the potential attached evil code) gets loaded automatically if you have an HTML-enabled mail viewer. Stuff like this is why I have intentionally avoided HTML-enabled mail clients. Automatically executing code from a remote, untrusted source is bad, kids.

Why Hemos went on a rant, I don't know. Yes, the article doesn't mention URLs in spam, but that's because they're less insidious than web bugs. Presumably, if you click a spam link, you get what you deserve.

URLS and advertising

Consider for a moment that, when perusing most media-- be it a magazine or your snail mail- you are accustomed to advertising in many forms. As a matter of fact, many new media are created for the very purpose of bringing ads to your eyes and ears.

They created 3-d vision and smellovision in the movies because movie theaters, at that time, were major purveyors of advertising. Radio shows were sponsored by advertisers and all of their content was, in that sense, a form of spam.

Why do we get angry when an ingenious marketer slips in an intrusive, but fundamentally harmless, web-bug? If the spam were a virus and crashed a system or deleted data, it would be counterproductive to the spammer's purpose, marketing.

The freedom of advertising IS the freedom of the press. Advertisers brought us magazines, daily newspapers, radio theater, and many other aspects of our culture that have become highbrow, in some way BEYOND advertising. Give spammers respect- and a bit of freedom-- don't threaten them with punishing lawsuits and jail time! Otherwise, very few people without previously existing monolithic web presences will choose to do business on the Web. Remember, spam is the tool of the small business, the underdog- he who cannot afford the banner ads and other less obtrusive forms of advertising.

Not always the case...

You say that HTML-snabled mail clients automatically download the web bug in question.

Eudora for the Mac (but not for PC) has an option to not download remote HTML graphics. All HTML will be displayed, and all images sent with the message are displayed, but no remote server is accessed.

This is A Very Good Thing. (tm)

There are other possibilities out there.

GetUserInfoEx?

For example, the Love Bug was a widespread virus sent via e-mail. But it was dumb -- it had no way to tell if the machine it sent itself to would be a good target for infection. It just crossed its viral fingers and sent itself along. Some computers fell for it; others didn't. Whether a computer got infected or not depended on the configuration of that machine.

A virus that used the Web bug technique could essentially conduct a poll of potential victims to determine whether or not they would be good targets.

Wow, which API call tells viruses if the user is an idiot? As far as I know, that was the Love Bug's only significant system requirement.

(No matter how good your security is, you can't stop users from hurting themselves by running untrusted code. Scare tactics stories "virus threats" only make the problem worse.)

But email bugs ARE a serious risk

While Hemos says "just use the bottom line - don't click on spam URLs", he misses the point. The insidious nature of these emailed "web bugs" is that they DON'T requre any clicking. Spammers hide the information in the URL of an invisible image which is automatically loaded by (stupid) HTML-based mail readers. Every time you open the message, the sender is notified and generally logs the time, location (IP) and email address of the person reading the email. They also frequently set an HTTP cookie so they can cross reference future browsing activity with your email address (which they know because they sent you the spam).

Making matters worse, these email bugs have moved beyond the domain of "get-rich quick" and porn spam. Even companies you might consider legitimate have been doing this. One would think financial institutions would be particularly concerned about privacy, but I have found email bugs lurking in mail from both E*Trade and American Express.

While these bugs aren't very effective against those of us who use pine, mutt, etc., they set a dangerous precedent. If users tolerate applications retrieving untrusted data from the net without notification or permission, we could see even worse abuses like this in the future.

Unfortunately pressuring application vendors to respect our privacy is not always fruitful. And with closed-souce applications, you often have no idea what they are up to. I was glad to see that some of the Windows "personal firewall" programs such as ZoneAlarm [zonelabs.com] offer features that alert users to unexpected outgoing connections made by applications. Users can define notification policies based on their own privacy concerns. I haven't run across similar software for Linux, although it wouldn't be hard to write. And it isn't quite as important on Linux since fewer users download/buy untrusted binary-only programs.

Cheers,
Fyodor

Concerned about your network security? Try the Free Nmap Security Scanner [insecure.org].

How this happened

Normally, the "tag" (informative|offtopic|flamebait|etc) is set to whatever the last moderator modded the comment. However, Overrated and Underrated do not change the tag. What may have happened in this case is that Klerck posted his crap at 1, somebody gave it +1, Informative, then three different moderators gave it Overrated.

Why overrated and not Flamebait, Troll, or Offtopic? Because the moderators are all cowards, and we don't want to lose karma in meta-moderation to some rogue meta-moderator. Moderation, meta-moderation, etc, only work if the majority of users are not trolls. Unfortunately, they are mostly trolls on Slashdot...

Truly elegant

Web bugs are real and easily spread for some purposes. I received a chain email that had a funny story about winter. I am forced to use MS outlook, and even in the preview window, the email appeared with all it's cute anitmated gifs. All the gifs were off a remote server. So whoever runs that server has a hit log of everyone this chain letter went to.

Talk about power. Instead of a virus, it's a way to find out the architecture of people's networks. Sure, lots will be blocked by firewalls, but lots won't. There's also the potential to load large images (500k) off a taget website. If the email spreads fast enough, it will be a distributed DOS.