So you have two choices — fix the problem or stop using the web. The latter being impractical, we’ll go for fixing the problem and the solution is a utility — and a free utility at that — called Proxomitron, the creation of Scott Lemmon. You can find this fantastic tool (do you think we’re a little excited?) at the wonderfully named computerstuff.net or from the March free PC World Plus CD.
Proxomitron is a simple idea: it’s a proxy server that can parse web pages and match patterns in the text of the retrieved HTML code to look for code that will do something you don’t like.
Here’s how it works: when a web browser requests a URL from the proxy (which runs on your PC or any machine you please), the proxy retrieves the URL contents and attempts to match the text in the contents with rules defined in Proxomitron.
When a pattern match is found (say, for a pop-under ad) Proxomitron changes the code into a comment that doesn’t get displayed by the browser. Optionally, new code can be added based on the original code.
How it works
Before we get into how the tool is configured and how it works with your browser, we should first cover how it matches text patterns. The tool has its own text-matching language that is a lot like regular expressions but with some additional wrinkles. The rules are in several parts, the most important of which are the matching expression and the replacement text. For example, if the matching expression is:
\1 <body> \2 </body> \3
And the replacement text is:
\1 <body><b>All gone!</b> </body> \3
Then the page contents as defined between the body tags would be replaced with “All gone!” in bold text. The specifications “\1” etc are variables that store the text that follows the start of the input text or the last matched text to the next matched string.
Thus, if in our last example the requested web page read:
The output will be:
<body><b>All gone!</b></body> </html>
The \1 variable held the text “<html><head><title>My page</title></head>”, the \2 held “<body>Howdy!</body>” and so on. Actually, this is a very primitive rule because the <body> tag could contain an attribute such as <bodybackground= “mybg.gif”>, which would cause the rule to fail. We can solve that by doing this:
\1 <body (*|)> \2 </body> \3
Here the string “(*|)” in the matching expression means that any sequence of characters (that’s the “*”) or (that’s what the “|” character means) no characters can precede the closing “>”. You can’t use “*” by itself to match any character because the rule will fail — obviously not what we want.
So consider a page that contains the dreaded blinking HTML text (to be distinguished from animated GIFs and DHTML tricks that do the same thing). Under Proxomitron, the following rule will find both the opening and closing blink tags (note that a rule will be applied repeatedly to the incoming text):
Proxomitron’s Replacement Text would be:
Thus, “<blink>Isn’t this annoying?</blink>” would become “<b>Isn’t this annoying?</b>”.
When you configure your browser to use a proxy (including Proxomitron), the browser knows that it needs to include the full URL in an HTTP request instead of just the tail as the browser would normally do. Without the server name (or its IP address), the proxy wouldn’t know where to direct the request.
When the proxy receives the full URL, it forwards the tail to the target server and receives the response (an error or the requested content). The proxy then relays the response (possibly modified as in the case of Proxomitron) back to the original requesting browser.
Proxomitron can be configured to listen for HTTP requests on any port you like, and can listen in “promiscuous” mode — the latter feature letting you run a copy of Proxomitron on a PC that will provide proxy services to a group of PCs (normally Proxomitron will only accept connections to “localhost” or 127.0.0.1).
Proxomitron can’t distinguish between internal and external nets. If you’re thinking of using Proxomitron as a gateway between your LAN and the internet you will have to front Proxomitron with a tool such as Zone Alarm (the latest version of which is also available on our cover CD).
If you don’t do something to restrict access, people on the net can use your Proxomitron as an anonymous proxy to hide their IP address while surfing. One of the biggest consequences of this would be the erosion of your bandwidth. You can configure Proxomitron to filter web page content, both incoming and outgoing HTTP headers and freeze GIF animation. You can even kill any given connection on the basis of the requested URL — so if you have a centrally shared Proxomitron server it will be easy to block requests for “naughty” sites.
The supplied filters are extensive and include such gems as “Banner Blaster”, which “takes any image that looks like an advertisement and replaces it with a plain text link”.
One of the neat features of Proxomitron is an HTTP message logger. This is launched from Proxomitron’s main window, which is accessed from the system tray. The logger displays the headers of HTTP requests and responses proxied by Proxomitron, and for each response lists the rules that are applied to the content. Oddly, we noticed that every few minutes, the Proxomitron logger would show HTTP exchanges between our PC and a couple of websites.
This is what we saw in the logger for a request to one of the mysterious sites:
GET /un?2130212 HTTP/1.0
User-Agent: SpaceBison/0.01 [fu] (Win67; X; SK)
In the above case, the target site is “ps1.streamingcash.com” and the GET request is “/un?2130212”. (The User-Agent header string “SpaceBison” is the ID of Proxomitron and, no, we have no idea why.)
When we browsed the sites — ps1. streamingcash.com and bis.180solutions. com — we found nothing intelligible. The chase was on.
To make a long story short, it came down to spyware. The streamingcash.com access is the action of a piece of spyware called SVAPlayer from QuickFlicks. We installed this software when we were checking out another application called WeatherBug. SVAPlayer, which delivers headlines and other “stuff”, was an installation option. Little did we realise that SVAPlayer would be so impolite.
The other website that was being deviously accessed — bis.180solutions.com — is the goal of a nasty piece of software called msbb.exe (which, despite what you might assume, has nothing to do with Microsoft — it is apparently from a company called Web3000).
Msbb.exe seems to live (at least on our system) in the subdirectory “c:/program files/n-case”. We were gifted this piece of spyware by installing a screensaver called “Fireworks” that we downloaded from Galt Technology.
This swinish software records all the URLs you request for, we believe, the previous 24 hours and stores them in a file called “fiz1” which, we further believe, is regularly uploaded to the target server.
Worst of all, we are even further led to believe that msbb.exe will hang on to your PC with the tenacity of a terrier worrying a bone. Not only are there registry entries that try to start the program at bootup but we have also read that there is a helper application that attempts to replace msbb.exe and its registry entries if you should delete them.
Anyway, it turns out that the Lavasoft Ad-Aware spyware blocking system rather disappointingly can’t detect either of these versions of spyware. We finally got rid of SVAPlayer by deleting everything associated with it (interestingly, despite having deleted its companion, Weatherbug, there was still a registry entry to run one of Weatherbug’s background processes that wasn’t removed).
A similar exercise was required to get rid of msbb.exe. To find all of the registry entries that run the components of these vile pieces of software, we recommend an excellent, neat and free utility called Startup Control Panel by Mike Lin (and check out his StartupMonitor — a tool that monitors and manages applications that try to install themselves to run at startup).
So the moral is start checking your networks now to see how much spyware is running and how it got installed.
Twenty-three million homes will be networked by the end of 2006, according to a new study by the Strategis Group. “Global Home Networking: Wireless LANs & Wired Alternatives” says price reductions, and hardware and software advances will spur adoption. Home networks will become a mainstream technology that enables the distribution of entertainment,
telephony, data, security and automation to any device in the home.