Posted at 11:40 AM ET, 05/ 9/2008

Adobe Plugs 8 Security Holes in Reader


This post was updated at 12:20 p.m. to clarify what's new in this Adobe patch. See the update below the original post.

Adobe has issued an update to plug at least eight security holes in its PDF Reader software. The latest patch brings the current, patched version of Adobe Reader to 8.1.2.

If you're reading this post on a system that has Adobe Reader installed, please take a moment now to download and apply this update. Cyber crooks have recently added Adobe vulnerabilities to "Neosploit," a tool that automates the exploitation of outdated browser plug-ins when users visit certain malicious or hacked Web sites.

As Symantec notes, you don't have to be doing anything risky to get burned by running an outdated copy of Adobe Reader these days. Symantec writes: "If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the browser of their choice, it is reasonably likely that their computer will become infected provided that they have Acrobat installed on their computer."

If you're looking for a slimmed-down, free alternative to Adobe Reader that consumes far fewer system resources (and may be quite a bit more secure), I would wholeheartedly recommend Foxit Reader.

Update:

A clarification is in order here. I saw the date on this advisory (May 6), and assumed we had a new update for Adobe Reader. Turns out, that is only partly true. The vulnerabilities addressed in this update were fixed by Adobe back in February, so if you applied that patch, there is no reason to take any action here.

However, the company did not release details about those flaws at the time. This advisory changes that. More importantly, this advisory clarifies that Adobe has finally issued updates to fix these vulnerabilities for people still running version 7 of Adobe Reader. If you are running Adobe Reader 7, fixes for these eight security holes are now available.

Posted by Brian Krebs | Permalink | Comments (6)

Posted at 12:51 PM ET, 05/ 8/2008

Mozilla Distributes Virus-Infected Language Pack

Anyone who downloaded the Vietnamese language pack for Firefox 2 needs to run an anti-spyware and anti-virus scan, then disable the pack for now. Mozilla warned yesterday that all versions of that language pack downloaded from its servers since Feb. 18, 2008, were infected with pop-up ad serving software.

Window Snyder, Mozilla's chief security officer, said the Vietnamese language pack was contaminated as the result of a virus infection. "This usually results in the user seeing unwanted ads, but may be used for more malicious actions."

Snyder said Mozilla doesn't know how many people downloaded the compromised language pack, but said there have been 16,667 downloads of the pack since November 2007.

Mozilla is working on getting a replacement language pack up on the site soon. Snyder said that while Mozilla does virus scans when add-ons are uploaded to its servers, the scanner for whatever reason didn't catch this nasty until several months after the upload. Mozilla is now adding post-upload scans to everything on its download servers, she said.

Language packs are add-ons in Firefox. Add-ons can be removed by clicking "Tools" and then "Add-ons." According to the discussion on this in the Bugzilla database, the culprit here is something called "Trojan.Win32.Xorer," which disables security software on the infected PC and spreads by infecting files, programs and removable drives. Instructions for manually removing Xorer are online here.

There is an interesting discussion about this going on today at news-for-geeks site Slashdot, which "highlights the risk of relying on user-submitted Firefox extensions, or a lack of peer-review of the extensions, many of which receive frequent upgrades."

Posted by Brian Krebs | Permalink | Comments (9)

Posted at 06:22 PM ET, 05/ 7/2008

Robotraff: A Hacker's Go-To For Clicks

Anyone who doubts that Internet click fraud has become a big money maker should take a look at a Russian Web site called Robotraff.com, which bills itself as "the first stock exchange of Web traffic."

Set up a free account at Robotraff and you're ready to buy or sell Web traffic. Got 30,000 hacked personal computers under your thumb? Super! Now you can use those systems to generate a steady income just by pointing them at Web sites requested by a buyer.

Or maybe you're just getting started and you can't be bothered to build your own army of hacked PCs the old-fashioned way? No problem! Now you can set up a Web site that tries to exploit Web browser or browser plug-in vulnerabilities and simply buy all the traffic you need.

So let's have a look at the transactions Robotraff is handling today: User #704 is selling "search mix" traffic from Google.com for $13 per 1,000 hits. Not close to making your quarterly traffic stats or ad traffic quotas? No sweat: $130 buys you 10,000 hits that look like they came from Google searches.

The details page for each item on the exchange shows the traffic speed, total traffic available, price, and a breakdown by country and Web browser. Different sellers have specialties, such as non-IE traffic and traffic exclusively from specific countries.

The terms of service that all Robotraff users must agree to in order to use the site's services plainly state (well, in poorly translated English) that buying traffic to send people to malicious Web sites is not allowed, nor is redirecting people to porn sites ... or maybe not. I couldn't help but chuckle when I read the porno ban, because directly to the left of that notice, under a section labeled "Top 5 Wanted Traffic," is a buyer offering $5.20 per 1,000 visits destined for a mix of Russia-based adult Web sites.

Mike LaPilla, director of malicious code operations for iDefense, a unit of Verisign, said those disclaimers are common on all kinds of sites that facilitate cyber crime.

"It's to dart responsibility against breaking any laws," LaPilla said. "If someone ever reported [Robotraff to the authorities], they could simply say a user broke their terms of service, and then delete them to avoid any legal trouble."

LaPilla said the brains behind Robotraff is a guy who goes by the online nickname "Bryaks," and that this individual is thought to be one of the original founders of a similar distribution network called "IFramecash" (pronounced eye-frame). IFramecash pays "affiliates" to drive traffic to their network of sites, which launch a volley of Web browser exploits in an attempt to install malicious software on the visitor's machine. IFramecash's download sites were at one time hosted off of the same Web space as the infamous Russian Business Network, and the site's operators are thought to have close ties to RBN.

Lawrence Baldwin, founder of Atlanta-based security company myNetWatchman.com, said that in the process of monitoring hacker networks he has witnessed cyber crooks logging into their accounts at Robotraff to set up deals to distribute the "Zeus" Trojan, a nasty bugger most often used to download malware designed to swipe passwords and other data from infected PCs.

"They call it a traffic distribution system, but it's more like a 'pay-per-compromise' network," Baldwin said.

While many Robotraff customers may be using the exchange to help distribute their malicious software, the exchange also would be a great way to conduct click fraud, an expensive and confounding plague in the Internet advertising space. According to the most recent stats from Click Forensics, more than 16 percent of all online ad clicks in the fourth quarter of 2007 were fraudulent.

A request for comment has been sent to multiple addresses associated with Robotraff.com. This post will be updated if they respond.

Posted by Brian Krebs | Permalink | Comments (2)

Posted at 08:35 PM ET, 05/ 6/2008

Microsoft Releases Windows XP Service Pack 3

Microsoft today finally released Service Pack 3 for Windows XP users. The update should now be offered via both Windows Update and Automatic Updates. The company was expected to release it last week, but pulled the plug at the last minute due to a compatibility problem with an obscure product it offers.

Many readers have asked me whether this update is really necessary, given that there isn't a whole lot new in Service Pack 3 aside from all of the security and non-security updates Microsoft has ever released for the operating system.

The following are some of the things you should know about installing Service Pack 3 for Windows XP.

Microsoft says it is not adding any significant Windows Vista technology into XP with Service Pack 3. No surprise there, given that Microsoft has said Service Pack 3 will be XP's swan song: The company currently plans to stop issuing new licenses for the operating system this summer. However, some consumers and PC manufacturers are starting to make a big fuss about this. I'm sort of in agreement with them: XP isn't perfect, but I've grown used to it, know it like the back of my hand, and it is very stable. I cannot say any of those things for the machine I have that's powered by Windows Vista (Ultimate).

In addition to all the previously released security updates and hotfixes (some of which users may not have, even if they have been keeping up with security patches), SP3 includes "a small number of enhancements, which do not significantly change customers' experience with the operating system," Microsoft said.

So what gives? Most of the security and non-security additions contained in SP3 are features more likely to be used by businesses, not average consumers. So why install this, when there's a chance it could bork my machine, you ask?

I believe that chance is minimal: SP3 was offered to one of my machines via Automatic Updates today. After a short time, the Automatic Update icon disappeared and I began to wonder what was up, so I decided to reboot. Then it told me there were patches ready to install, and did I want to install them and then reboot? After clicking "yes" and waiting for about 15 minutes, the system rebooted. My machine seems to be no worse for the wear after making room for SP3, but then again your mileage may vary.

I think it's fine for people to wait a few days or weeks to install this service pack. Smart money is on the notion that some users with some class of hardware or software installations will have problems, some of them perhaps irreparable or difficult to fix.

However, if you were already planning to rebuild an XP system from scratch anyway, Service Pack 3 would be ideal for that task, as it would streamline the process considerably. Even if you install XP without any prior service packs, installing Service Pack 3 brings your system up to date on all security updates.

To minimize the slim chances that this update might brick your PC, it's probably a good idea to follow these steps that Microsoft recommends before installing SP3.

As the SANS Internet Storm Center notes, people who for whatever reason are still using Internet Explorer 6 will NOT be upgraded to IE7 after installing this service pack. However, if you already have IE7 on your system when you install Service Pack 3, you will not be able to migrate back to IE6.

Finally, Microsoft hasn't actually fixed the incompatibility problem that prompted it to delay pushing out Service Pack 3 last week. Instead it put filters in place so that customers with the incompatible software installed won't be offered the update.

If your small to mid-sized business is running Microsoft Dynamics RMS, definitely hold off installing this service pack for now.

Posted by Brian Krebs | Permalink | Comments (49)

Posted at 06:30 PM ET, 05/ 5/2008

Tech Groups Back Kaspersky in Fight Against Zango

A broad coalition of technology groups today told a federal appeals court to toss out a lawsuit that adware maker Zango is continuing to pursue against computer security vendor Kaspersky Lab, arguing that to do otherwise would harm consumers and the future of the security software market.

In May 2007, Bellevue, Wash.-based Zango -- a company that makes software to serve pop-up ads and tracks users' activities on behalf of online marketers -- sued Kaspersky, charging that the company interfered with its business by removing its "adware" without first alerting the user.

In August, the judge assigned to the case dismissed Zango's suit, saying Kaspersky's actions were shielded by the federal Communications Decency Act (CDA). That law contains a "good Samaritan" clause that protects computer services companies from liability for good faith efforts to block material that users may consider objectionable (portions of the CDA have been struck down by the courts as unconstitutional, but this particular section is not one of them).

Earlier this year, Zango took its case up to the 9th Circuit Court of Appeals, saying Kaspersky's software should be labeled "badware" because it disabled Zango's software "without the customer's consent and without the customer's ability to override Kaspersky's invasive actions."

Interestingly, Zango's appeal is being supported by the National Business Coalition on E-Commerce and Privacy, an entity formed in 2000 that counts as members some of the largest corporations in America, including Bank of America, Charles Schwab & Co., Eastman Kodak, Fidelity Investments, General Motors, JP Morgan Chase, and the Vanguard Group. Update, May 6, 11:15 a.m.: Removed UPS from this list, as it is no longer a member of this coalition.

Thomas M. Boyd, a partner at DLA Piper US LLP and counsel to the organization, said member companies are concerned that the judge's decision to toss out the suit last year could pave the way for security companies to block things like "cookies" and "Web beacons".

"The district court's decision is such that under the judge's interpretation of CDA, a security software company has unreviewable power to decide that any content is objectionable and to deny user access to that content without any accountability for any damages that action may cause," Boyd said.

In a "friend of the court" brief filed with the appeals court today, a diverse collection of technology groups rallied behind Kaspersky in support of preserving the lower court ruling. Signatories to the brief include the Business Software Alliance, the Electronic Frontier Foundation (it's not often the BSA and EFF see eye-to-eye on tech issues), McAfee, Sunbelt Software and the Center for Democracy & Technology (CDT). Their brief is available here (PDF).

While this isn't the first case in which an adware company has sued an anti-spyware or security vendor, Ari Schwartz, CDT's vice president and chief operating officer, said the lower court's ruling is the strongest wording yet in support of protecting security companies from these types of strong-arm lawsuits.

"This is an extremely important case for consumers as to how security software protects them going forward, and whether the onus is put on the security company or [the adware vendor]," Schwartz said. "Congress clearly wanted to take the burden away from the security companies in this respect."


Posted by Brian Krebs | Permalink | Comments (16)

Posted at 12:46 PM ET, 05/ 2/2008

Stepped Up Cyber Role for Spy Agencies

Read Brian Krebs's latest story on washingtonpost.com: "White House Plans Proactive Cyber-Security Role for Spy Agencies."

America's spy agencies for the first time would be tasked with gathering intelligence on threats to the nation's computer networks under a policy set to be detailed by the White House next week, a senior administration official said Wednesday.

Speaking at a security conference in Washington, the official said the Bush administration wants to harness the intelligence community's offensive capabilities in defense of government and civilian computer systems.

Posted by washingtonpost.com Editors | Permalink | Comments (7)

Posted at 05:15 PM ET, 05/ 1/2008

Cyber Justice Chronicles

Security Fix is launching a new feature today called Cyber Justice Chronicles, which will periodically provide short snippets of news about individuals who have been arrested or convicted of computer crime offenses.

Law enforcement takes its share of lumps for not doing enough to go after cyber crooks, and while the victories on that front may be few and far between, it seems worthwhile to highlight some of the successes:

* On Wednesday, Justice Department officials said they had worked with officials from NASA and Nigerian law enforcement to win the conviction of Akeem Adejumo, a 22-year-old Nigerian man who pled guilty to hacking into a NASA employee's computer.

Turns out, Adejumo and an unnamed NASA employee met via an online dating Web site. Adejumo admitted sending the woman an e-mail attachment that contained a keystroke logger, which allowed him to steal her personal information including bank account and Social Security numbers, address and various passwords. Adejumo will serve 18 months in a Nigerian prison. I've never seen the inside of a Nigerian prison (and hope I never do), but my guess is Adejumo may soon be wishing he'd been extradited to the United States.

* Edward "Eddie" Davidson, a 35-year-old Colorado man, was sentenced this week to 21 months in federal prison for blasting out hundreds of thousands of junk e-mails touting everything from penny stocks to cheap watches and jewelry.

Prosecutors say Davidson and his company Power Promoters falsified e-mail headers to disguise the source of the spam, in violation of the CAN-SPAM Act. Davidson also was found guilty of tax evasion, and ordered to pay $714,139 to the Internal Revenue Service. Authorities say Davidson made at least $3.5 million sending junk e-mail for 19 different companies.

Davidson has been working the spam business for quite some time. More than a decade ago, AOL sued Davidson and his then companies Web Communications and Sex Web Inc., for sending porn spam to AOL users.

Posted by Brian Krebs | Permalink | Comments (4)

Posted at 06:00 AM ET, 04/30/2008

More Trouble With Ads on ISPs' Error Pages

Last week, Security Fix examined new research suggesting that some major Internet service providers are exposing their customers to security flaws when they redirect wayward Web surfers to ad-filled pages. I'm revisiting this controversial practice because another major provider of these services (for one of the nation's largest ISPs) was found to be similarly vulnerable.

As noted here last week, Earthlink and a few other ISPs are using a service from a U.K. company called BareFruit, which helps ISPs redirect users to ad-filled pages when they either request a Web site that does not exist or when they mistype a real domain, e.g., ww.example.com (notice the missing "w"). Researcher Dan Kaminsky found that BareFruit's servers contained a security flaw that would have made it easy for hackers and scammers to trick the ISP's customers into visiting phishing sites or downloading malicious software.

Kaminsky presented evidence that Verizon was among the companies quietly using BareFruit services, but that turned out not to be true. In fact, Verizon is using the DNS redirection services of a company based in Sterling, Va., called Paxfire. Shortly after Kaminsky was informed of this, he found that Paxfire's service was similarly vulnerable to attacks that could be used against Verizon's customers.

Paxfire's CEO Mark Lewyn declined to comment on the record for this story. Kaminsky said Paxfire corrected the security vulnerability not long after hearing from him about it.

But the vulnerabilities Kaminsky found in both Paxfire and BareFruit -- known as cross-site scripting flaws -- are some of the most common in almost all types of software. And experts say customers will continue to be at risk from other such flaws when ISPs outsource this portion of their network to third parties.

"These ISPs are treating something that used to be someone else's property or common property held in trust by the community and they are corporatizing it," said Paul Vixie, president of the Internet Software Consortium, which publishes BIND, the software that powers 90 percent of the world's domain name system (DNS) servers (DNS is what translates Web site names like example.com into numeric Internet addresses).

Vixie said that roughly six weeks ago Paxfire's Lewyn approached him with a revenue-sharing proposal to bundle Paxfire's technology into BIND.

"He told me because of the size of the eyeball footprint we'd have together that I'd be getting such a sizeable [amount of revenue] to fund my entire operation at ISC, and all I'd have to do is ship binaries that have his code in them," Vixie told Security Fix.

Vixie said he politely declined, but was privately stunned at the audacity of the request. Lewyn declined to comment about Vixie's statement.

Hijacking errant DNS requests -- particularly those in which a Web browser user asks to see a non-existent page on a legitimate, active domain -- "hurts trademark owners, and consumers, and must not be done," Vixie said. "I think something is going to have to be done to stop this, but it will be done by rules and laws, by various industries getting together to say if you do this the [Federal Trade Commission] or someone else can come along and say this is fraud. I don't think this is going to be solved by the business community."

Kaminsky casts all of this activity as the latest battlefront in the policy debate over "net neutrality," a concept that in policy terms has come to mean enforcement of open access online, so that cable and telecom operators cannot block or delay content that travels over their networks. At the center of this battleground are efforts by major ISPs to make it harder for customers to use services that can suck up huge amounts of Internet bandwidth, such as peer-to-peer (P2P) file-sharing networks like BitTorrent and Limewire.

Interestingly, I learned Monday that RoadRunner -- the high-speed cable Internet company owned by media giant Time Warner -- also is serving up ad pages when customers request a non-existent domain, or a subdomain that does not exist, such as subdomain.example.com. The company providing that service is Ontario-based Sandvine, an entity whose products also include a number of hardware devices designed to help ISPs monitor P2P activity and interfere with downloads from customers found to be exceeding a certain bandwidth threshold set by the ISP.
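The redirection described in this post (a non-existent domain, a mistyped name, or a subdomain that does not exist all being answered with an ad server's address instead of NXDOMAIN) can be checked for from the customer's side. The following is an added example, not code from Security Fix, Kaminsky, or any of the companies named: it resolves a handful of random names under a top-level domain and under a real domain and flags a resolver that answers every one of them with the same address. The `Resolver` hook, the `make_fake_resolver` stand-in, the 192.0.2.x documentation addresses and the zone list are all constructed here so the check runs offline; `system_resolver` is the adapter to use against a real ISP resolver.

```python
import random
import socket
import string
from collections import Counter
from typing import Callable, Dict, List, Optional, Sequence

# A resolver hook: takes a hostname and returns its A-record addresses, or
# None when the name does not exist (NXDOMAIN). Hypothetical type alias.
Resolver = Callable[[str], Optional[List[str]]]


def random_label(rng: random.Random, length: int = 12) -> str:
    """A random lowercase label that is vanishingly unlikely to be registered."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def probe_nxdomain_rewriting(
    resolve: Resolver,
    zones: Sequence[str] = ("com", "example.com"),
    probes: int = 3,
    seed: int = 1,
) -> Dict[str, object]:
    """Query random names under each zone. An honest resolver answers NXDOMAIN
    for all of them; a rewriting resolver answers every one with the same
    landing address(es). Returns the per-name answers plus a verdict."""
    rng = random.Random(seed)
    names = [f"{random_label(rng)}.{zone}" for zone in zones for _ in range(probes)]
    answers = {name: resolve(name) for name in names}
    # Only names that got an answer; a truly nonexistent name should get none.
    resolved = {name: addrs for name, addrs in answers.items() if addrs}
    landing: Optional[List[str]] = None
    if resolved and len(resolved) == len(names):
        common, count = Counter(tuple(sorted(a)) for a in resolved.values()).most_common(1)[0]
        if count == len(names):
            landing = list(common)
    return {
        "names": names,
        "answers": answers,
        "rewriting": landing is not None,
        "landing_addresses": landing,
        "zones_answered": sorted({n.split(".", 1)[1] for n in resolved}),
    }


def system_resolver(name: str) -> Optional[List[str]]:
    """Adapter over the host's configured resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None  # NXDOMAIN (or another lookup failure)


def make_fake_resolver(landing: Optional[str]) -> Resolver:
    """Constructed stand-in for a resolver so the check runs offline.
    landing=None behaves like an honest resolver; an address makes it answer
    every unknown name with that address, as a rewriting ISP resolver would."""
    known = {"example.com": ["192.0.2.1"]}  # constructed documentation address

    def resolve(name: str) -> Optional[List[str]]:
        if name in known:
            return known[name]
        return [landing] if landing else None

    return resolve


if __name__ == "__main__":
    for label, resolver in (("honest", make_fake_resolver(None)),
                            ("rewriting", make_fake_resolver("192.0.2.10"))):
        verdict = probe_nxdomain_rewriting(resolver)
        print(label, "->", "REWRITING" if verdict["rewriting"] else "clean",
              verdict["landing_addresses"])
```

To test a live connection, call `probe_nxdomain_rewriting(system_resolver)`; a clean resolver yields an empty `zones_answered` list, while a rewriting one reports the landing address that every random name was steered to, which is the address the mistyped-domain ad page is served from. Several random names are used rather than one so that a single coincidental hit on a registered name cannot trigger the verdict.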

Posted by Brian Krebs | Permalink | Comments (10)

Posted at 05:43 PM ET, 04/29/2008

Microsoft Delays Windows XP Service Pack 3

Microsoft is delaying the release of Service Pack 3 for Windows XP users due to a "compatibility issue" with the bundle of updates and a supply-chain solution the company markets to small- and medium-sized businesses. The software giant had previously said SP3 would be released to XP customers today via Windows Update and its software download center.

In a written statement, Microsoft said:

"In order to make sure customers have the best possible experience we have decided to delay releasing Windows XP SP3 to Windows Update and Microsoft Download Center.

"To help protect our customers, we plan to put filtering in place shortly to prevent Windows Update from offering both service packs to systems running Microsoft Dynamics RMS. Once filtering is in place, we expect to release Windows XP SP3 to Windows Update and Download Center."

Security Fix will post another update when Microsoft makes Service Pack 3 available for download, along with a brief summary of what users can expect from installing this update.

Posted by Brian Krebs | Permalink | Comments (41)

Posted at 06:35 PM ET, 04/28/2008

A Case of Network Identity Theft?

Digital real estate leased to one of the Internet's oldest landholders appears to have been quietly seized by e-mail marketers closely associated with an individual once tagged by anti-spam groups as one of the world's most notorious spammers.

What's remarkable about this case study is that it pits a vocal spammer against the American Registry for Internet Numbers, which has yet to take action. ARIN is one of five regional Internet registries worldwide that is responsible for allocating IP addresses (ARIN handles this process for the United States, Canada and 22 Caribbean countries).

The real estate in question is Internet address space long ago issued to San Francisco Bay Packet Radio, an organization that was involved way back in the 1970s in testing ARPANET, a predecessor to the global commercial Internet that we all use today. That organization was given the rights to do whatever it wanted with any numeric Internet addresses that begin with 134.17 (an allocation that is known in the industry as a "slash 16" or "/16," or enough address space to accommodate up to 65,536 unique Internet addresses).

Back in the 1970s, blocks of IP addresses were given away like cotton candy to pretty much anyone who asked, and many entities that were awarded the stuff didn't use most of what they were given. The San Francisco Packet Radio group was no exception, which was probably why e-mail marketers figured that nobody would notice if they moved into that space and set up shop.

That entire swath of Internet space is now registered to an entity in Westminster, Colo., called SF Bay Packet Radio LLC, but except for a similar name, this company has no relation to San Francisco Bay Packet Radio.

The name on SF Bay Packet Radio LLC's business records lists a Trudy DeBell as the registered agent. DeBell also is the chief financial officer for a company called Media Breakaway, an online marketing company which lists as its president an attorney named Steven Richter. Richter says Media Breakaway has 70 employees and generates more than $100 million in annual revenue.

As it happens, Steven is father to one Scott Richter, an e-mail marketer who has been sued by a number of the Internet's biggest players -- including Microsoft, Myspace and former New York Attorney General Eliot Spitzer, for sending spam. In 2005, Scott Richter agreed to pay $7 million in damages to Microsoft. He is now CEO of Media Breakaway.

A trace through the global Internet routing tables conducted by Security Fix indicates that traffic destined for the Internet addresses previously owned by the original San Francisco Bay Packet Radio entity is now being routed through servers controlled by a San Diego based e-mail marketing company called JKS Media LLC.

Who owns JKS Media? When Security Fix tried connecting to the site over an FTP (file transfer protocol) connection, the greeting displayed by the site read "wholesalebandwidth.com," a company owned by Media Breakaway. Anti-spam activists have implicated wholesalebandwidth.com in multiple spam operations. Steve Richter confirmed that JKS Media also is owned by Media Breakaway.

So what about spam seen currently sent through networks now controlled by JKS Media? A review of records posted by both Spamhaus.org and e-mail provider Outblaze.com shows that a large number of Internet addresses on the company's Internet space have been blacklisted for sending junk e-mail.

A spokesperson for Spamhaus said that JKS Media/Media Breakaway had indeed hijacked the IP space from its previous owner, and that the IP space should be revoked under the rules set out by ARIN.

For his part, Steve Richter claims Media Breakaway obtained the IP space after purchasing SF Bay Packet Radio LLC (the company whose registered agent is Trudy DeBell, the current CFO of Media Breakaway). In an interview with Security Fix, Richter said the IP addresses are "legacy space," in that they were issued prior to ARIN's creation in 1997. As such, Richter maintains that ARIN has no control over the space.

"It's not controlled by ARIN, so there's no hijacking," Richter said. "It's not under ARIN's jurisdiction and we purchased a company that had that space. ARIN has nothing to say about it, it's not under their control. We haven't taken anything from anybody, haven't done anything that wasn't proper."


Posted by Brian Krebs | Permalink | Comments (12)

Posted at 12:14 PM ET, 04/28/2008

Do You Foxit? Then Patch It!

The makers of Foxit Reader -- a free alternative application to Adobe's software for viewing portable document format (PDF) files -- have issued an update that plugs several security holes.

Hats off to Foxit Software, which turned around a patched version of its program about 24 hours after a security researcher published information about the vulnerabilities. The latest build, available from this link, brings the current, patched version to 2.3 Build 2825.

The "what's new?" page describing the new features in Foxit 2.3 is largely devoid of any information about security updates. But a post to the Foxit user forum indicates the security flaws disclosed last week have indeed been addressed in this latest version.

Posted by Brian Krebs | Permalink | Comments (10)

© The Washington Post Company