May 27, 2006

Spybot S&D definitions update

2006-05-26

Hijacker
+ Lagos + AproposMedia + CoolWWWSearch.Feat2Installer +
CoolWWWSearch.Service + CoolWWWSearch.Feat2DLL
Keylogger
+ Desktop Snooper + SpyArsenal.Family Keylogger
Malware
+ Win32.Delf.KD + Smitfraud-C. + SysProtect + SpyOnThis +
Vcodec.eMedia + SpywareSheriff + Win32.Rbot.gen + Spy Sheriff
Popups
+ MalwareWipe
Security
+ Windows.RedirectedHosts
Spyware
+ SpyArsenal.AIM Logger + SpyArsenal.ICQ Logger + SpyArsenal.Yahoo
Logger + SpyArsenal.IRC Logger + SpyArsenal.Personal Desktop Spy +
SpyArsenal.Print Monitor Pro + SpyArsenal.Watcher +
180Solutions.SearchAssistant + Huntbar
Trojan
+ BraveSentry + SpywareSheriff.FakeAlert + SpywareQuake.FakeAlert +
Zlob.Downloader + Win32.Agent.xv + Win32.Small.aoi + Win32.AdvertMen +
SpyiBlock + Dloader.WL1934

Total: 324662 fingerprints in 41627 rules for 1973 products

http://www.safer-networking.org/en/home/index.html

Be sure to download the new definitions manually and install them. The most reliable download locations are the ones from Safer Networking. The current definitions update is 1.5 MB.

After downloading the new definitions Immunize, then check for problems.


May 23, 2006

Ad-Aware Definitions Update

Ad-Aware SE1R109 22.05.2006

Lavasoft.de has updated the spyware and adware definitions of its flagship Ad-Aware SE program, including 3 brand new detections and 40 updated (changed) detections. See my extended comments for a complete list of new definitions.

You can use Webupdate to install the new reference file, or download
it manually from:
http://download.lavasoft.de.edgesuite.net/public/defs.zip

Here are the new and changed Ad-aware detection definitions:

New Definitions:
========================
Adware.AdNow
Adware.DesktopMedia +4
Yok Toolbar +2

Updated Definitions:
========================
ABetterInternet.Aurora +4
ABetterInternet.Nail +2
Adintelligence.AproposToolbar
Adware.DollarRevenue +4
Adware.DuDu
Adware.Henbang +6
Adware.HuaCiSou +4
Adware.Look2Me +3
Adware.NaviPromo +21
Adware.Yazzle +4
AltnetBDE +2
Aureate
BlazeFind +2
BookedSpace
ClearSearch +9
CometSystems +24
Cydoor
Dialer +2
Elitum.ElitebarBHO +3
Gain +3
istbar +5
Malware.Azesearch +3
NavExcel +2
OurXin +5
PurityScan +21
Softomate Toolbar
SpywareNo +2
Starware Toolbar +3
UCmore
Win32.Generic.PWS
Win32.Harnig.Trojan
Win32.Trojan.downloader +9
Win32.Trojan.Hexdoor
Win32.TrojanClicker
Win32.Trojandownloader.Zlob +43
Win32.TrojanProxy.Agent.dl
WinAD +15
WinFixer
WinPopup
VX2

The MD5 checksum for the defs.ref file is 7de537cd57bd910ee9d1781721064d65
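One way to verify the defs.ref checksum above before installing it, as an added Python example written for this page (it is not Lavasoft's or Ad-Aware's code, and the file it writes is a constructed stand-in for defs.ref):

```python
"""Verify a downloaded definitions file against its published MD5.
Added example for this page, not Lavasoft's code; the file written below is
a constructed stand-in for defs.ref."""
import hashlib
import hmac
import os
import tempfile


def file_md5(path, chunk_size=1 << 16):
    """Lower-case hex MD5 of a file, read in chunks so a large definitions
    file never has to fit in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(path, expected_hex):
    """True if the file's MD5 equals the published value. The published
    string is normalised (case, surrounding whitespace) and validated
    before any I/O, and compared in constant time."""
    expected = expected_hex.strip().lower()
    if len(expected) != 32 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected MD5 must be 32 hex characters")
    return hmac.compare_digest(file_md5(path), expected)


def demo():
    """Write a constructed defs.ref, verify it, corrupt one byte, verify
    again. Returns (intact_result, tampered_result)."""
    data = b"constructed stand-in for defs.ref\n" * 1000
    published = hashlib.md5(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "defs.ref")
        with open(path, "wb") as f:
            f.write(data)
        intact = checksum_matches(path, published.upper() + "\n")
        with open(path, "r+b") as f:        # flip one byte, as a bad download might
            f.seek(10)
            f.write(b"X")
        tampered = checksum_matches(path, published)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

On Windows of this period the same check can be done with Microsoft's fciv.exe (fciv -md5 defs.ref), and on Unix with md5sum. Two caveats apply: the checksum is published on the same page as the download, so it protects against a corrupt or truncated download rather than against someone able to substitute both the file and the page; and MD5 collisions have been practical since 2004, so a published MD5 is an integrity hint, not a signature.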


May 22, 2006

Yahoo messaging worm installs bogus browser

May 22, 2006: Malware writers have created a new worm that installs a new browser and plays screeching music.

The trouble starts with a link apparently sent by a friend in Yahoo's instant messaging program.

Instant messaging security company FaceTime Communications Inc. described the malware, which it called yhoo32.explr, as "insidious" in a security advisory Friday.

When the link is clicked, a worm installs the so-called Safety Browser, a program that leads the user to pages mined with adware and viruses, FaceTime said. The Safety Browser uses an Internet Explorer logo to make it look more legitimate.

Malware spread through instant messaging programs is on the rise. However, FaceTime said this malware appeared to be the first to install a browser without the user's permission.

The worm also hijacks Internet Explorer's home page, directing users to the Safety Browser's Web site.

After it is launched, the worm sends itself to others on the user's instant messaging contact list.

The malware is engineered to overwrite instant messages typed by a user, FaceTime said. The infected message can also be changed on the fly, it noted.

The screeching music, however, is blocked by Microsoft Corp.'s Windows XP Service Pack 2, FaceTime said.


May 21, 2006

Is SpywareGuard 2.2 still useful for computer protection?

SpywareGuard is a freeware program from Javacool Software, the makers of SpywareBlaster, MRU-Blaster, Doc Scrubber, and EULAlyzer.

The last version of SpywareGuard released to date is version 2.2, dated January 22, 2004. There have been no further developments to either the program or its definitions since that time. Yet there are people in the anti-spyware community who stand by the program. Why is that, you ask?

The reason this senior citizen among spyware fighters still has a following is that it relies upon heuristic detection of known hostile behaviour, in addition to its installed (out-dated) signatures of (then) known spyware applications. So, although the signatures are way out of date, the heuristics still work at detecting attempted changes to the Internet Explorer Home Page and other system settings.

It should be noted that the spyware business has not stood still and that many of today's tactics for hijacking your browser will slip past this old Guard. For what it is worth, if you are not using another anti-spyware program that monitors attempted changes to your browser settings, SpywareGuard may be of use to you. It will probably stop the most common threats to your browser settings, which is better than none.

That said, there is still the possibility of future development of the program, according to the following post, made on January 17, 2005, by its maker, Javacool Software...

Posted on Broadband reports, on January 17, 2005:

Hi,

In fact some of spywareguard's strongest protection is indeed its Browser Hijacking Protection, which doesn't need any sort of definition updates.

The current real-time protection built into spywareguard 2.2 has been extended about as much as is possible - which unfortunately means a complete rewrite is in order to allow for future changes and updates. This is something I've been working on, but it hasn't been quick in coming.

This doesn't mean that the current real-time scanning is ineffective - rather that it should detect most variants of the items listed here: www.javacoolsoftware.com/sglist.html (Note: This isn't a comprehensive listing, but it should list most of the major items.) This should include more recent variants of those items, even without database updates, but it won't detect some completely new items (i.e. completely new spyware/adware programs, as opposed to new versions of, say, "RapidBlaster"). That's the difference with the current release.

That said, again the most effective and useful protection for most users has probably been the Browser Hijacking Protection component (which alerts when various browser settings are changed in real-time), which doesn't require the database updates.

A new version of spywareguard, with some rather interesting new features, is in development. While I don't yet have a clue when it'll be ready for release, I can say that, regardless of how effective you personally consider the real-time scanning component, the current version of spywareguard provides some strong protection against Browser Hijacking - by alerting the user as soon as such activity is detected.

It isn't a catch-all or an end-all (nothing is), but it's meant to be an effective layer. The choice, as always, is left up to the user. I just give them that option (for free).

Best regards,

-Javacool


May 20, 2006

Spybot S&D definitions update

New detections for Spybot Search and Destroy
2006-05-19

Dialer
++ TIBS + Baciami + CoolWWWSearch.Feat2Installer +
CoolWWWSearch.Service + CoolWWWSearch.Feat2DLL
Malware
+ Vcodec.eMedia ++ MITBand ++ SpywareSheriff
Trojan
++ FServices + Kazaa.Irc.DarkIrc11.LiteStalky (7) ++ Win32.Dialer.jw
++ Win32.Lmir.atp + SpyBanker ++ SpywareScraper ++ Small.AID ++ Medbot
++ SpywareSheriff.FakeAlert

Total: 322104 fingerprints in 40909 rules for 1946 products.

Website:
http://www.safer-networking.org/en/home/index.html


Strider URL Tracer with Typo-Patrol

When a user visits a Web site, her browser may be instructed to visit other third-party domains without her knowledge. Some of these third-party domains raise security, privacy, and safety concerns. The Strider URL Tracer, available for download, is a tool that reveals these third-party domains, and it includes a Typo-Patrol feature that generates and scans sites that capitalize on inadvertent URL misspellings, a process known as typo-squatting. The tool also enables parents to block typo-squatting domains that serve adult ads on typos of children's Web sites.

Strider URL Tracer alerts people when they are redirected to a third-party site, according to a description on Microsoft's research Web site. It can trace pop-up advertising back to the redirecting domains that supplied them. Parents can use it to block domains that may redirect their children to porn.

What is typo-squatting?

Typo-squatting refers to the practice of registering domain names that are typo variations of popular websites.
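How the generation step of a Typo-Patrol style scan works in practice, as an added Python example written for this page (it is not Microsoft's code): it enumerates the common slip categories for a domain (missing dot after www, omitted, transposed, neighbouring-key and inserted characters) and passes each candidate to a resolver. The resolver and its DNS table are constructed so the example runs offline; for a real scan you would supply a callable built on socket.gethostbyname that returns None on failure.

```python
"""Generate typo-squatting candidates for a domain and find the ones that
resolve. Added example for this page, not Microsoft's Typo-Patrol code."""

# Letter rows of a QWERTY keyboard, used to pick plausible wrong keys.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def keyboard_neighbours(ch):
    """Keys immediately left and right of `ch` on its QWERTY row."""
    out = []
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i < 0:
            continue
        if i > 0:
            out.append(row[i - 1])
        if i + 1 < len(row):
            out.append(row[i + 1])
    return out


def typo_candidates(domain):
    """Sorted candidate typo domains for `domain`. Only the first label is
    varied; everything after the first dot (com, co.uk, ...) is kept as the
    suffix. The correct domain itself is never returned."""
    domain = domain.strip().lower()
    label, dot, suffix = domain.partition(".")
    if not (label and dot and suffix):
        raise ValueError("expected a registrable name such as example.com")
    tail = "." + suffix
    cands = set()
    cands.add("www" + domain)                                   # missing dot: wwwexample.com
    for i, ch in enumerate(label):
        cands.add(label[:i] + label[i + 1:] + tail)              # omission
        if i + 1 < len(label) and ch != label[i + 1]:
            cands.add(label[:i] + label[i + 1] + ch + label[i + 2:] + tail)   # transposition
        for n in keyboard_neighbours(ch):
            cands.add(label[:i] + n + label[i + 1:] + tail)      # neighbouring-key replacement
            cands.add(label[:i] + n + label[i:] + tail)          # insertion before the key
            cands.add(label[:i + 1] + n + label[i + 1:] + tail)  # insertion after the key
    cands.discard(domain)
    return sorted(c for c in cands if not c.startswith("."))


def find_live_typos(domain, resolve):
    """Run every candidate through `resolve` (callable returning an address
    or None) and return {candidate: address} for the ones that exist."""
    live = {}
    for cand in typo_candidates(domain):
        addr = resolve(cand)
        if addr:
            live[cand] = addr
    return live


# Constructed lookup table standing in for DNS; TEST-NET addresses, not real hosts.
CONSTRUCTED_DNS = {
    "example.com": "203.0.113.1",
    "exmaple.com": "203.0.113.7",
    "wwwexample.com": "203.0.113.8",
}

if __name__ == "__main__":
    print(len(typo_candidates("example.com")), "candidates")
    print(find_live_typos("example.com", CONSTRUCTED_DNS.get))
```

The candidate list grows quickly with label length, which is why a tool that scans them has to be selective about what it does with each hit: resolving a name is cheap, but fetching and classifying the page behind it (parked ad lot, redirect to the real site, phishing copy) is where the real work of the scan is.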


The risks posed by typo-squatter websites

Typo-squatters are companies that exploit slips of the fingers by registering mistyped versions of popular URLs. Some typo domains are parking lots for pay-per-click and syndicated advertising, according to a Microsoft research paper published alongside the tool. The group's researchers found that a mere six services have a presence on between 40 and 70 percent of active typo domains.

In addition to serving up ad links, typo squatters deliver pop-ups and pop-unders, and can redirect surfers to the intended domain. Often, the users are never even aware that they have visited a third-party site. As a result, many legitimate companies have been blamed for pop-ups advertising porn.

On top of this, companies may end up paying out for the advertising that leads customers to sites they were already aware of and trying to reach.

Consumers can be at risk with typo domains. Some are used in phishing scams, which mimic the look and layout of legitimate online businesses in an effort to dupe people out of personal information such as bank passwords.

Others use wrongly typed URLs for popular children's Web sites to lead surfers to porn sites, or to sites looking to exploit children.

Download page: http://research.microsoft.com/URLTracer/


May 19, 2006

E-mail attacks target unpatched Word hole

May 19, 2006
Antivirus companies and the SANS Internet Storm Center (ISC) issued a warning today about sophisticated e-mail attacks that are using a previously unknown hole in Microsoft Word 2003 to infiltrate corporate networks. Symantec raised its Internet threat rating, citing confirmation that attacks using an unknown hole in Microsoft Word are being used to compromise computers on the Internet.

Symantec warned subscribers to its DeepSight Threat Management Service that it had confirmed reports of active exploitation of a hole in Microsoft Word 2003. The attacks use Word document attachments in e-mail messages to trigger the security hole and run code that gives attackers control over vulnerable systems, Symantec said.

Currently, these attacks are coming from China and Taiwan and most are in Chinese but some are showing up in English. All are being targeted at corporate networks at this time, but that may change in the near future. Corporations typically transfer Word documents between departments and divisions, so their employees are not averse to opening .doc attachments.

Microsoft Word and other Office applications are a good target because they are on virtually every corporate computer, and because companies often patch them far less frequently than Windows itself. That is one reason Microsoft introduced Microsoft Update, which checks for patches to Office and other Microsoft products as well as to Windows. When you visit Windows Update on a Windows 2000 or XP machine you will see a link to try Microsoft Update. If you have Office products on that computer I recommend that you install ("Try It") Microsoft Update. It will audit your computer for all installed Microsoft products and make their patches available as critical updates, just as it does with Windows Updates.

A word of warning: if your copy of Office is unlicensed or pirated they will eventually find out and deny any further downloads until you obtain a valid license.

NOTE: Code that gets in through this Word flaw runs with the privileges of the user who opened the document. If that user is a member of the Administrators group the attacker gets the whole machine; if the user is a Limited User the attacker gets only what that account can do, and cannot install drivers, services or system-wide startup entries. Limited Users are therefore not immune to the vulnerability, but they are far better contained, and much of the spyware and virus installers of this period assume Administrator rights and fail or are confined to the one account without them. By simply running your daily browsing and email activities as a Limited User you greatly reduce the chance that an e-mailed file or a drive-by download turns into a persistent infection.

Caution still must be exercised, because a file downloaded under the Limited account can still do its damage if you later log on to an administrative account and run it, or are tricked into allowing it to be installed.

Microsoft Security Advisory (919637)
Vulnerability in Word Could Allow Remote Code Execution
Published: May 22, 2006

Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word XP and Microsoft Word 2003. In order for this attack to be carried out, a user must first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.

Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.

Microsoft is concerned that this new report of a vulnerability in Word was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

There are several possible workarounds listed on the Microsoft Advisory page. If these workarounds are applied users will not be able to use Word as their Email-Editor or use Rich Text by default to read their e-mail.

Using Word in Safe Mode helps protect the affected system from attempts to exploit this vulnerability.

All versions of Word have an application recovery feature that can start Word in Safe Mode (the same thing is reached by starting it as winword.exe /safe). Safe Mode disables add-ins, templates and other automatic processing, which is why Microsoft lists it as a workaround; note that the advisory says it helps protect against the attack, not that it closes the hole, so the June update remains the real fix. The full set of Safe Mode limitations can be found at: http://office.microsoft.com/en-us/assistance/HP030823931033.aspx


Beware of DROA Domain Name Expiration Notice Postal Mailings

This is a heads-up warning to my fellow Domain owners to watch out if you get a letter in the mail from Domain Registry Of America, or some other Domain Registrar with whom you are not already affiliated as a customer.

Today I got a letter from Domain Registry Of America, addressed to my master account name used in the Whois Directory. The letter proclaims in large bold text:
Domain Name Expiration Notice
It then displays one of my Domain names that is due for renewal in 6 months and "As a courtesy to Domain name holders, we are sending you this notification ....."

Upon carefully reading the details they do make it clear that they are not your current Registrar, and want you to switch from your Registrar to DROA. They brag about only charging $30 for a one year renewal fee, and a bargain rate of only $50 for two years. There are checkboxes to place your order and a place to input your credit card numbers, which you would then mail in. There is a huge amount of information and disclaimers on the back of the letter in such a small font that I had to get a magnifying glass to read it. I wouldn't transfer to these people if they were the last Registrar on earth.

If I was paying $35.00 a year for a Domain that would sound like a bargain, but I am a Dotster customer (see below), and only pay $14.95 per year for TLD Domains (or less if there is a special deal or Happy Hour Sale). If I was fooled into transferring to those people it would double the cost of renewing my Domains. Luckily I wasn't born yesterday.

Many Domains are owned by companies that have different people who know different details about the business, but not everything. These people are probably hoping that this letter will end up at Accounts Payable, where the secretary will call somebody to ask if they have a Domain that might need to be renewed, to which that person may say I think so. The Accounts Payable will pay the invoice by credit card and the company will have their Domain name transferred away from their current chosen Registrar by trickery, probably at increased expense.

I have seen other letters from other Registrars that never mentioned that they are not my current Registrar, asking for x amount of dollars to renew my expiring Domains. This is pure fraud, trying to get me to pay an invoice to a company with whom I have absolutely no relationship. If you do make the mistake of transferring your Domain to such a company you will probably never be able to get them to let you change back. Once a company like that gets your Domain name they make it almost impossible to transfer away from them. Legitimate Registrars have a simple method of locking and unlocking Domain transfers, with no fees (see below about Dotster).

As a Domain owner make it your business to know with whom your Domains are registered and what the renewal dates are for each Domain. Most Registrars with whom you are a customer will attempt to contact you by email first, to let you know 60 days in advance of a renewal date. Always check carefully when you receive a Domain renewal notice to be sure it is from the Registrar who holds that Domain for you.

My Recommended Registrar:

If you are paying more than $14.95 a year for your Domains, take my recommendation and check out Dotster.com. Dotster is an ICANN Accredited Registrar and is above board all the way. They will not try to scam or trick you into unwittingly transferring a Domain to them. In fact, if you do transfer an existing Domain to Dotster they only charge $8.95 for the transfer and first year Registration, plus they extend your expiration date by an additional year. I have a lot more info about this on my Dotster web page. I have been a Dotster customer since the year 2000 and have never had a complaint about their services or methods of communications.

The consequences of transferring your Domain's Registrar

The consequences of knowingly or unknowingly changing your Domain Registrar can be dire. Your Domain Registrar holds the Name Server (NS) delegation for your Domain, the records that tell the rest of the Internet which servers answer for your website, which is probably a website hosting company. When you change Registrars the new Registrar may not carry over your Name Server settings from the previous one; some simply point the Domain at their own parking servers. Therefore, say you were a Dotster customer, like me, and were fooled into renewing your Domain with a different Registrar, like DROA, via one of their clever Postal solicitations.

Here's what could occur:

First of all, DROA would file a transfer request with Dotster. If I had not locked transfers, Dotster would acknowledge the request, allow the Domain to be transferred to DROA and drop it from their records; within hours the delegation you had at Dotster would be gone, since you allowed your Domain to be transferred to another Registrar. Sometime within a week of signing up with the new Registrar you would receive an email containing the login instructions. You would have to go to that website and create a new account, with login name and password. Once there you could access your account information, where your Domain would be listed as parked on the new Registrar.

I say parked because the only Name Servers listed for a new Domain are those belonging to the Registrar itself. They do not host your website; it is still hosted elsewhere, where you left it a week ago. All requests for your website will go to a Parked Domain notice on the new Registrar, not to your Domain where it is hosted, because the routing information has been deleted from the old Registrar and has not yet been updated in the new one. Your actual website will be unreachable from a browser.

In order to update the Name Servers at the new Registrar you'll need the details from your web hosting company. If you're really organized you printed this out when you first signed up with that hosting company. If not, and if you can't find the original hosting agreement confirmation email, you will have to contact the web host and ask them for the Name Server details.

Now you have to log into the new Registrar, go to your account, find the Change Name Servers page and copy/paste in the two main Name Servers used by your web host. After applying the changes you will have to wait for the new delegation to be published by the TLD name servers and for resolvers around the Internet to expire their cached copies of the old one. It is conceivable that your website can be offline for a week or more while all of these steps are undertaken. That assumes the new Registrar processes your application quickly and contacts you with your new account details in a hurry, and that you go there quickly and update the Name Servers. Any delay in their processing after they obtain the transfer authorization from your old Registrar, or in your updating of the NS details, leaves your Domain offline even longer.

How can you protect your Domain against unplanned transfers?

Log in to your account with your Domain Registrar and Lock the Domain against Transfers. Each Registrar has a different link or icon for this and all offer the service, usually for free. Once locked, nobody can transfer your Domain unless you log in to your account there and unlock transfers first. You can confirm the lock from the outside: a locked Domain shows the status clientTransferProhibited in its WHOIS record.
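The two checks recommended above (know who your Registrar is and when each Domain really expires, and confirm that transfers are locked) can both be made against the Domain's own WHOIS record, which is where to test a renewal notice like the DROA letter. The following is an added Python example for this page, not the post's own material; the WHOIS text is constructed, with a made-up registrar, dates and name servers, in the Key: Value layout that .com/.net registrars publish.

```python
"""Check a renewal notice against the domain's WHOIS record. Added example
for this page; SAMPLE_WHOIS is constructed, not a real record."""
import re
from datetime import date

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BLOG.COM
Registrar: Dotster, Inc.
Creation Date: 2000-03-02
Expiration Date: 2006-11-20
Status: clientTransferProhibited
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""


def _to_date(s):
    """Accept '2006-11-20' or '2006-11-20T00:00:00Z'."""
    return date(int(s[0:4]), int(s[5:7]), int(s[8:10]))


def parse_whois(text):
    """Pull registrar, expiry, status codes and name servers out of a
    'Key: Value' WHOIS record; unknown keys are ignored."""
    rec = {"registrar": None, "expires": None, "status": [], "nameservers": []}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if key == "registrar":
            rec["registrar"] = val
        elif "expir" in key and "date" in key:
            rec["expires"] = _to_date(val)
        elif key in ("status", "domain status") and val:
            rec["status"].append(val.split()[0].lower())
        elif key == "name server" and val:
            rec["nameservers"].append(val.lower())
    return rec


def normalise_name(name):
    """Lower-case, strip punctuation and corporate suffixes so
    'Dotster, Inc.' and 'DOTSTER INC' compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in {"inc", "llc", "ltd", "corp", "co"})


def assess_notice(whois_text, sender, claimed_expiry, today):
    """Findings about a renewal notice from `sender` claiming the domain
    expires on `claimed_expiry` (ISO dates). An empty list means the notice
    is consistent with the record; still read the small print."""
    rec = parse_whois(whois_text)
    findings = []
    if rec["registrar"] is None or normalise_name(sender) != normalise_name(rec["registrar"]):
        findings.append("sender %r is not the registrar of record (%r): "
                        "a solicitation, not an invoice" % (sender, rec["registrar"]))
    if rec["expires"] is not None:
        claimed = _to_date(claimed_expiry)
        if claimed != rec["expires"]:
            findings.append("notice claims expiry %s but WHOIS says %s" % (claimed, rec["expires"]))
        days = (rec["expires"] - _to_date(today)).days
        if days > 90:
            findings.append("renewal is not due for %d days" % days)
    if "clienttransferprohibited" not in rec["status"]:
        findings.append("no transfer lock (clientTransferProhibited): lock the domain at your registrar")
    return findings


if __name__ == "__main__":
    for f in assess_notice(SAMPLE_WHOIS, "Domain Registry of America", "2006-11-20", "2006-05-19"):
        print("-", f)
```

The sender comparison deliberately ignores punctuation and corporate suffixes, because that is where look-alike names hide. A notice that fails the first check is a solicitation however much it is laid out as an invoice; a record that fails the last check is a reason to go and set the lock before anything else.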


May 16, 2006

Serious New Flaws in Apple Quicktime | 7.1 Patch Details

The new version of Quicktime, v. 7.1, is available for both Microsoft Windows and Mac systems, and is downloadable here. Apple said the older versions contain security holes that attackers could use to break into both Windows and Mac machines running the software.

On May 11 Apple Computer released a patched version of its QuickTime media player, fixing vulnerabilities affecting both the Mac and Windows versions of the player. Between the two releases a total of 43 flaws were addressed: the company's Security Update 2006-003 patches 31 flaws in Mac OS X, most of them serious enough to allow arbitrary code execution, and QuickTime 7.1 itself corrects 12 code execution and denial-of-service flaws (read about them in the extended comments).

The QuickTime bugs can be triggered through several vectors: a specially crafted JPEG image; rigged QuickTime movies; specially created Flash, MPEG4 or H.264 movies; a malformed AVI movie; or maliciously crafted FlashPix, PICT or BMP images.

The Mac OS X update also fixes code execution vulnerabilities in AppKit, ImageIO, BOM, CFNetwork, ClamAV, CoreFoundation, Finder, FTPServer, FlashPlayer, LaunchServices, libcurl, Preview, QuickDraw and QuickTime Streaming Server.

If you are looking for the Standalone version of QuickTime that does not include Apple iTunes you can download the newest version (with this latest security patch included) from this Apple link.

QuickTime 7.1 Update patches the following flaws:

QuickTime

CVE-ID: CVE-2006-1458

Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

Impact: Viewing a maliciously-crafted JPEG image may result in an application crash or arbitrary code execution

Description: By carefully crafting a corrupt JPEG image, an attacker can trigger an integer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of JPEG images.

QuickTime

CVE-ID: CVE-2006-1459, CVE-2006-1460

Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

Impact: Viewing a maliciously-crafted QuickTime movie may result in an application crash or arbitrary code execution

Description: By carefully crafting a corrupt QuickTime movie, an attacker can trigger an integer overflow or buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of QuickTime movies. Credit to Mike Price of McAfee AVERT Labs for reporting these issues.

QuickTime

CVE-ID: CVE-2006-1461

Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

Impact: Viewing a maliciously-crafted Flash movie may result in an application crash or arbitrary code execution

Description: By carefully crafting a corrupt Flash movie, an attacker can trigger a buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of QuickTime movies. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime

CVE-ID: CVE-2006-1462, CVE-2006-1463

Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

Impact: Viewing a maliciously-crafted H.264 movie may result in an application crash or arbitrary code execution

Description: By carefully crafting a corrupt H.264 movie, an attacker can trigger an integer overflow or buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of H.264 movies. Credit to Mike Price of McAfee AVERT Labs and ATmaCA working through TippingPoint and the Zero Day Initiative for reporting these issues.

QuickTime

CVE-ID: CVE-2006-1464

Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

Impact: Viewing a maliciously-crafted MPEG4 movie may result in an application crash or arbitrary code execution

Description: By carefully crafting a corrupt MPEG4 movie, an attacker can trigger a buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of MPEG4 movies. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime

CVE-ID: CVE-2006-1249

Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

Impact: Viewing a maliciously-crafted FlashPix image may result in an application crash or arbitrary code execution

Description: By carefully crafting a corrupt FlashPix image, an attacker can trigger an integer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of FlashPix images. Credit to eEye Digital Security and Mike Price of McAfee AVERT Labs for reporting these issues.

QuickTime

CVE-ID: CVE-2006-1465

Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

Impact: Viewing a maliciously-crafted AVI movie may result in an application crash or arbitrary code execution

Description: By carefully crafting a corrupt AVI movie, an attacker can trigger a buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of AVI movies. Credit to Mike Price of McAfee AVERT Labs for reporting this issue.

QuickTime

CVE-ID: CVE-2006-1453, CVE-2006-1454

Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

Impact: Viewing a maliciously-crafted PICT image may result in an application crash or arbitrary code execution

Description: Two issues affect QuickDraw when processing PICT images. Malformed font information may cause a stack buffer overflow, and malformed image data may cause a heap buffer overflow. By carefully crafting a malicious PICT image, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of PICT images. Credit to Mike Price of McAfee AVERT Labs for reporting these issues.

QuickTime

CVE-ID: CVE-2006-2238

Available for: Mac OS X v10.3.9 and later, Microsoft Windows XP, Microsoft Windows 2000

Impact: Viewing a maliciously-crafted BMP image may result in an application crash or arbitrary code execution

Description: By carefully crafting a corrupt BMP image, an attacker can trigger a buffer overflow which may result in an application crash or arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional validation of BMP images.

This issue was originally identified in CVE-2006-1983, but a new CVE name was assigned.
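The JPEG, FlashPix and movie entries above all describe one bug class: an integer overflow in a size computed from attacker-controlled header fields, after which the decoder allocates too little and writes too much. The following Python is an added illustration of that class written for this page; it is not QuickTime's code and does not reproduce the specific CVE-2006-1458 flaw. It parses the SOF (start of frame) header of a constructed JPEG, then contrasts a buffer size computed with wrapping 32-bit arithmetic (simulated with a mask) against one that is range-checked before any allocation.

```python
"""Parse a JPEG frame header and compute the pixel-buffer size safely.
Added illustration of the integer-overflow bug class for this page; not
QuickTime's code and not the specific CVE-2006-1458 flaw."""
import struct

SOF_MARKERS = {0xC0, 0xC1, 0xC2}   # baseline, extended sequential, progressive
U32_MAX = 0xFFFFFFFF


def parse_sof(data):
    """Walk the marker segments of `data` and return (precision, height,
    width, components) from the first SOF header. Raises ValueError when
    the stream is malformed or has no frame header before the scan data."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI: nothing more to parse
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:         # standalone markers, no length field
            pos += 2
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            raise ValueError("segment length runs past end of data")
        if marker in SOF_MARKERS:
            if seg_len < 8:
                raise ValueError("SOF segment too short")
            return struct.unpack(">BHHB", data[pos + 4:pos + 10])
        if marker == 0xDA:                                   # SOS: entropy-coded data follows
            break
        pos += 2 + seg_len
    raise ValueError("no SOF marker found")


def unchecked_buffer_size(height, width, ncomp):
    """What a decoder doing the multiplication in a 32-bit unsigned
    integer ends up with: the product silently wraps modulo 2**32."""
    return (height * width * ncomp) & U32_MAX


def checked_buffer_size(height, width, ncomp, limit=U32_MAX):
    """The hardened form: validate the full-width product before it is
    narrowed or handed to an allocator."""
    if not (0 < height <= 0xFFFF and 0 < width <= 0xFFFF and 0 < ncomp <= 0xFF):
        raise ValueError("frame dimensions out of range")
    size = height * width * ncomp
    if size > limit:
        raise ValueError("pixel buffer of %d bytes exceeds limit" % size)
    return size


def build_jpeg_header(height, width, ncomp):
    """Constructed input: SOI, one baseline SOF0 segment, EOI. Not a
    decodable picture, but exactly what parse_sof() needs."""
    comps = b"".join(struct.pack(">BBB", i + 1, 0x11, 0) for i in range(ncomp))
    frame = struct.pack(">BHHB", 8, height, width, ncomp) + comps
    return b"\xFF\xD8\xFF\xC0" + struct.pack(">H", 2 + len(frame)) + frame + b"\xFF\xD9"


if __name__ == "__main__":
    benign = parse_sof(build_jpeg_header(480, 640, 3))
    hostile = parse_sof(build_jpeg_header(32768, 32768, 4))
    print(benign, "checked size:", checked_buffer_size(*benign[1:]))
    print(hostile, "unchecked size:", unchecked_buffer_size(*hostile[1:]))
```

A 32768 by 32768 frame with four components multiplies out to exactly 2^32 bytes, so a 32-bit size wraps to zero; a decoder that allocates on the wrapped value and then writes pixel rows on the real dimensions is the heap overflow the advisory describes in general terms. The point of checked_buffer_size is that the comparison happens on the full product, before it is narrowed, and with every field already bounded by what the format allows.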


May 13, 2006

Spybot S&D definitions update

2006-05-12

Hijacker
+ VirtualMaid + CoolWWWSearch.Feat2Installer + CoolWWWSearch.Service +
CoolWWWSearch.Feat2DLL
Keylogger
+ Win32.ActiveKeyLogger
Malware
+ WareOut + SpyContra + SpyGuard + SpyFalcon + Smitfraud-C.
Trojan
+ SafetyDefender + Tvdpay.Hupigon.CJ + Adclicker + SpywareQuake +
SpywareQuake.FakeAlert

Total: 320739 fingerprints in 40583 rules for 1943 products.

http://www.safer-networking.org/en/home/index.html

Be sure to run manual updates to download and install the latest definitions, then immunize, then scan for problems.


May 11, 2006

SpywareBlaster Definitions Update 5/9/06

SpywareBlaster is not like most anti-spyware programs, in that it does not "run" as such, as an active process in memory. It is more like a preventative shot that inoculates your computer against certain common avenues of attack, mostly ActiveX threats.

1: Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
2: Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
3: Restrict the actions of potentially unwanted sites in Internet Explorer.
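What the first and third items above amount to in the registry, as an added Python example written for this page (not SpywareBlaster's code): Internet Explorer refuses to instantiate an ActiveX control whose CLSID carries the kill bit (Compatibility Flags 0x400) under the ActiveX Compatibility key, and a domain placed under ZoneMap\Domains with a zone value of 4 is treated as a Restricted site. The script emits a .reg file for a list of CLSIDs and domains. The CLSID and domain in it are placeholders, and the subkey split for multi-label names assumes a two-label registrable name (example.com, not example.co.uk).

```python
"""Emit a .reg file that sets ActiveX kill bits and Restricted-sites zone
entries. Added example for this page, not SpywareBlaster's code; the CLSID
and domain used under __main__ are placeholders."""
import re

KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
KILLBIT_FLAG = 0x400      # "Compatibility Flags" bit that stops IE loading the control
RESTRICTED_ZONE = 4       # URL security zone number for Restricted sites

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def normalise_clsid(clsid):
    """Upper-case, brace-wrapped {8-4-4-4-12}; rejects anything else so a
    typo cannot silently create a key that protects nothing."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError("not a CLSID: %r" % clsid)
    return c


def zonemap_subkey(domain):
    """ZoneMap stores example.com as a key and www as a subkey beneath it.
    Assumes a two-label registrable name (not example.co.uk)."""
    d = domain.strip().lower().rstrip(".")
    if not DOMAIN_RE.match(d):
        raise ValueError("not a domain name: %r" % domain)
    parts = d.split(".")
    key = ".".join(parts[-2:])
    sub = ".".join(parts[:-2])
    return key + "\\" + sub if sub else key


def build_reg(clsids=(), domains=()):
    """Text of a .reg file (regedit expects CRLF line endings)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        lines += ["[%s\\%s]" % (KILLBIT_KEY, normalise_clsid(c)),
                  '"Compatibility Flags"=dword:%08x' % KILLBIT_FLAG, ""]
    for d in domains:
        lines += ["[%s\\%s]" % (ZONEMAP_KEY, zonemap_subkey(d)),
                  '"*"=dword:%08x' % RESTRICTED_ZONE, ""]   # "*" covers every protocol
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Placeholder identifiers, not a real control or a real hostile site.
    print(build_reg(["{00000000-0000-0000-0000-000000000001}"], ["www.badsite.example"]))
```

Import the generated file with regedit, or with reg import, on the target machine. The kill bit key lives under HKLM, so that part needs administrator rights, while the zone map entries written here are per user under HKCU. Note what the kill bit does and does not do: it stops Internet Explorer from loading a control that is already installed or that a page tries to install, but it does not remove the control from the machine.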

SpywareBlaster is freeware for personal and educational use.

Changes on May 9, 2006: 629 Entries

629 - IE Restricted Sites

http://www.javacoolsoftware.com/spywareblaster.html

The most important key to maintaining a secure computer is keeping your protection up-to-date.

SpywareBlaster offers two updating options:
1.) AutoUpdate - keep your protection up-to-date automatically!
2.) Check for Updates - manually check for and download the latest updates

The built-in Check for Updates function is completely free.

To access Check for Updates, simply click on the "Updates" tab on the left side of the SpywareBlaster interface, and then press the "Check for Updates" button.

If you would like the convenience of the AutoUpdate feature, more information can be found in SpywareBlaster itself.
(Click on the "Updates" tab, and then the "AutoUpdate" tab.)


A SpywareBlaster AutoUpdate subscription is $9.95 (US) per computer, per year, and is good on the computer from which it is purchased.

Subscriptions do not automatically renew - you will be prompted to purchase a new subscription when your current subscription expires.


May 9, 2006

Rogue/Suspect Anti-Spyware Products and Web Sites

Spyware and adware are on the minds of most web surfers these days. As well they should be! These types of infections cause popup ads to appear out of nowhere, hijack your home and search pages in Internet Explorer, and phone home with specific details about your web usage, and sometimes with your user names and passwords to financial websites.

With all kinds of spyware, adware, sleazeware and other malware threats in the wild, people are constantly searching for solutions to rid their computers of these pests and security threats. The more prudent folks visit the well known and respected spyware fighting organizations, websites, blogs and forums to get the skinny on which programs work and which don't work as claimed, and what the latest threats are.

On the other hand, those who don't know about the support forums and websites wait for the first popup ad to come along that offers them a solution to their spyware concerns. The popup notice may look like a system message and warn the user that their computer is infected with critical system infections that it can remove - for a fee. They click on it, download and purchase the product, and allow it to remove the threats it claims to have found, only to discover later that it removed nothing at all: the threats it reported never existed on their computer, while the threats that actually were there were left untouched.

This variety of spyware that pretends to be a spyware removal program, but isn't, is known in the spyware fighting community as "Rogue Anti-Spyware Programs." These programs use false positives to goad you into purchasing them. Programs that fit this description include SpySheriff, Spyware Sheriff, SpyTrooper, SpywareKilla, SpywareNo!, Spyware Quake, SpyAxe, SpyFalcon, SpywareStrike, and almost three hundred more programs just like these.

Eric L. Howes maintains a comprehensive listing of all known rogue anti-spyware programs on his website - SpywareWarrior.com - on the Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites web page. There are currently 289 Rogue anti-spyware programs on his list! If you get a mysterious popup alerting you that your computer is infected, check his list before downloading that program.

Most recent additions:
SpyOnThis (5-7-06), Spyware Sheriff (5-7-06), Spyware Scrapper (5-7-06), Spyware Soft Stop (4-17-06), Ultimate-Spyware Adware Remover (4-17-06), InternetShield (4-12-06), X-Con Spyware Destroyer (4-2-06); 100 Pct.Anti-Spyware (3-31-06), Froggie Scan (3-29-06), Spyware Quake (3-25-06), BestGuardPlatinum (3-19-06), SpywareXP (3-18-06), Spyware Disinfector (3-10-06), SpyCut (3-10-06), PestWiper (3-10-06), MalwareScanner (3-10-06), Brave Sentry (3-9-06), Spy-Shield (3-6-06)

Most recent de-listings:
Spyware Terminator (3-9-06), Advanced Spyware Remover (2-3-06), Spyware Detector (1-10-06), Doctor Alex (12-24-05), AdwareAlert (12-15-05), SpywareKill (10-30-05)

Source:
Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites

There is also a list of known good programs that actually do detect and remove spyware threats, in the trustworthy anti-spyware products section, further down the page. There are also excellent suggestions there for securing your computer and browser to prevent these pests from invading it in the first place.

SpywareWarrior also has a page that compares several legitimate, well known anti-spyware programs, to help you decide which is best for you, based on your budget and by their individual detection ratings. That page is here.


Ad-Aware SE1R107 09.05.2006 is now available

Subject: Ad-Aware SE1R107 09.05.2006 is now available

May 9th, 2006
New definitions:
====================
Adware.Advertisemen
AdwarePunisher
AntiVirusPro
SpyContra
SpywareXP
Win32.Trojan.ComputerHijacker +14
Win32.Win9x.CIH.ref +4

Updated definitions are in extended comments...

Updated definitions:
====================
7adpower +2
Abox +2
Adware.DollarRevenue +21
Adware.DuDu
Adware.Henbang
Adware.HuaCiSou
Adware.Look2Me
Adware.Yazzle
Adware.ZenoSearch +3
ClickSpring
CmdServices
CnsMin +7
Dialer +2
ErrorSafe +4
IEHijacker.Hotoffers
iSearch Toolbar
Win32.Backdoor.Agent +4
Win32.Backdoor.RBot
Win32.Dialer.Trojan
Win32.Generic.PWS
Win32.Trojan.Agent
Win32.Trojan.Delf.ref +2
Win32.Trojan.DesktopHijack
Win32.Trojan.Dialer.ay
Win32.Trojan.Downloader +20
Win32.Trojan.Hexdoor +3
Win32.Trojan.LowZones
Win32.Trojan.Mirc +2
Win32.Trojan.SDBot +7
Win32.Trojan.Spambot +7
Win32.Trojan.StartPage
Win32.TrojanClicker +7
Win32.TrojanDownloader.Small
Win32.TrojanDownloader.Swizzor.br
Win32.TrojanDownloader.Zlob
Win32.TrojanProxy.Small.ref
Win32.TrojanSpy.Banker
Virtumonde

MD5 checksum is 991a66c2f13173995673147bed80eb37

Additional Information:
============================================
You can use Webupdate to install the new reference file, or download
it manually from:
http://download.lavasoft.de.edgesuite.net/public/defs.zip


May 8, 2006

Botmaster Sentenced to 57 Months in Prison

May 8, 2006

A 21-year-old California man was sentenced today to 57 months in prison for hacking into hundreds of thousands of computers and renting the network of hacked PCs out to spyware companies and to people who used the network to send spam and launch crippling attacks against Web sites.

Jeanson James Ancheta of Downey, Calif., admitted that he used Internet worms to seize control over a massive number of PCs running the Windows OS. He used those computers as an install base for online ad-serving software that netted him more than $61,000 and a BMW sports car.

Ancheta also pleaded guilty to breaking into computers at the weapons division of the U.S. Naval Air Warfare Center in China Lake and the Defense Information Systems Agency, causing roughly $15,000 worth of damage.

According to the indictment, Ancheta made about $3,000 renting out portions of his zombie network to spammers and other criminals, usually in increments of 10,000 hacked machines at a time.

James Aquilina, the assistant US attorney who prosecuted Ancheta on behalf of the federal government, called it the longest sentence ever handed down for a case involving the spreading of computer viruses, and said he hopes the unprecedented sentencing sends a strong message to other botmasters and malicious young hackers.

Aquilina said, "My hope is that this sentence will deter others from using botnets to commit crimes, especially the youthful ones who commit these crimes and think they're immune from prosecution, that they'll never get caught."


May 4, 2006

Converting an unlicensed copy of Windows XP to a legal, licensed version

If you have been using an unlicensed copy of Windows XP, Home, Professional, Corporate, or Media version, you already know that manual Windows Updates and optional Windows XP enhancements and driver updates are not available to you. You may have turned on Automatic Windows Updates to at least receive security patches. You may also be one of the millions of users of unlicensed installations of Windows XP who receive the WGA piracy popup notices when you log in and while you are using your computer. You may already know the one I mean. It says:

"This copy of Windows is not genuine; you may be a victim of software counterfeiting." The popup notices will continue to occur until the computer owner installs a valid license code, which may require a phone call to Microsoft support.

In a previous article on this blog I covered the situation in depth, along with temporary workarounds and a permanent solution. This article deals with and recaps the better, permanent solution, in full detail.

You may try to temporarily disable the popup piracy notices, but they will eventually find a way back onto your computer, and you will be denied necessary updates and driver updates. You could go on fighting this inevitable losing war, or take my recommendation and follow the advice below.

Alternate and better solution:

Purchase a licensed copy of Windows (XP) matching the (unlicensed) version you already have installed, and either boot from the CD and reinstall Windows on top of itself, using the "R" repair option, or change the license code to the legitimate code, using the Windows Activation utility. Tiger Direct sells legal, never before licensed copies of most versions of Windows at a considerable discount, and very cheap shipping charges. View all versions of Windows Operating Systems available from TigerDirect

If you do purchase a legal copy try running the Windows Activation Wizard (Start > All Programs > Accessories > System Tools) with the phone option, then click on "Change Product Code", input your legal codes and submit it for approval. If you have trouble changing the registration codes using the Activation Wizard, you can try phoning Microsoft Activation Support using the numbers supplied for your country on the Activation Wizard. You must have the current registration codes displayed on the Wizard to get a new set of numbers, along with the product ID on the new XP sticker that you got with the CD.

Alternately, if there are no registration numbers displayed on the Activation Wizard screen, put the new XP CD in the CD tray and reboot. Be sure you have set your BIOS to boot from a bootable CD first. To enter your BIOS try pressing Delete, or F1, or F2 while the computer starts to reboot, right at the first boot screen, where the BIOS information is displayed. There will be a tab for Boot Options. Make sure the first boot device is set to your primary CD drive.

If the BIOS has been set to boot from a CD first you will see a text message on-screen telling you to press any key if you want to boot from the CD. You only get a few seconds to decide, so watch for this message and press any key that you want. Windows Setup will begin. Eventually Setup will stop and tell you that it has found a current installation of Windows and show you the location. It will offer three options: Repair installation, Fresh Installation, or F3 to Exit Setup. Press R to repair your installation. This will preserve all of your programs and settings, although you may need to repair/reinstall your anti virus program or some other touchy applications. You will also have to download all Windows Updates after setup has completed.

Early in the Repair Installation process you will arrive at the Product ID input fields. Type in all of your new, legal codes and continue with Setup. Once Setup has completed you will get to your Welcome Screen. No matter which account you try to log into you will have to Activate Windows XP before entering the Desktop. If you are online on broadband, and your firewall doesn't block communications before the desktop appears, Activation should proceed instantly. If it doesn't, use the phone option, speaking or entering numbers into your phone, or ask to speak to a human ("Use other means"). This will take a few minutes, but you will be legally registered when you get off the phone.

Be sure to run Windows Updates ASAP, because the Repair Installation wipes out your previous updates.

This is really the best solution, since you won't have to worry about being denied any more updates, or deal with popup notices about running an unlicensed copy of Windows. You will no longer be a "victim of counterfeiting."


May 2, 2006

Definition Updates for Ad-Aware and Spybot S&D

Date: Tue, 02 May 2006:

Ad-aware SE1R106 02.05.2006:

One new and 34 updated detections (see extended comments page for details).

Spybot S&D definitions update:

http://www.safer-networking.org/en/home/index.html
http://www.safer-networking.org/en/updatehistory/index.html

2006-05-02

Hijacker
+ CoolWWWSearch.Feat2Installer + CoolWWWSearch.Service +
CoolWWWSearch.Feat2DLL

Malware
+ Vcodec.eMedia + SpyAxe + SpywareStrike + AdwareBazooka + SpyContra

Trojan
+ SpywareQuake + Pimasoft.Spy Sniper + Win32.Small.ama + Win32.Horst.o
+ Win32.Agent.io + Win32.PdPinch.ce + Win32.Small.dp + Win32.Small.hi
+ Win32.KillAV.hd + Win32.Agent.air

Total: 318114 fingerprints in 39944 rules for 1924 products.


Subject: Adaware SE1R106 02.05.2006

New Definitions:
========================
Adware.KeenValue

Updated Definitions:
========================
AdwareSheriff
BestPhrases
CnsMin
CoolWebSearch
Dialer +5
DyFuCA
GetMirar
ImIServer IEPlugin
istbar
Malware.SpyGuard +2
MalwareWipe
NavExcel +5
PurityScan
SpyFerret
SpyFighter
SpywareQuake +3
StarInstall(MainPean)
Surfaccuracy
Win32.Generic.PWS +9
Win32.Harnig.Trojan +2
Win32.Trojan.Agent +3
win32.Trojan.Dnschanger
Win32.Trojan.Downloader +15
Win32.Trojan.Gamania
Win32.Trojan.Mirc +2
Win32.Trojan.StartPage
Win32.TrojanClicker +2
Win32.TrojanDownloader.VB
Win32.Trojandownloader.Zlob +4
Win32.TrojanProxy.Small +2
Win32.Trojan-PSW.Lineage +2
Win32.TrojanSpy.Banker +2
Virtumonde +4
YourSiteBar

The MD5 checksum for the defs.ref file is d76e7e75fc2c5ba3db8ba2b740a46d4b

Additional Information
============================================
You can use Webupdate to install the new reference file, or download
it manually from:
http://download.lavasoft.de.edgesuite.net/public/defs.zip
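Both Lavasoft notices above (SE1R107 and SE1R106) publish an MD5 checksum for the definitions file. The following is an added example, not Lavasoft's or this blog's code, showing how to verify a downloaded file against such a published value: the file is hashed in chunks, the expected value is sanity-checked, and the digests are compared in constant time. The sample file, its contents and the temporary path are constructed for this example; the second comparison uses the SE1R106 value quoted above, which the constructed sample naturally does not match.

```python
import hashlib
import hmac
import os
import tempfile

# Published checksum from the SE1R106 notice above (for the real defs.ref, not for the constructed sample).
PUBLISHED_SE1R106_MD5 = "d76e7e75fc2c5ba3db8ba2b740a46d4b"


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-megabyte defs.zip is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(path, expected_hex):
    """True if the file's MD5 equals the published hex string (case-insensitive, constant-time compare)."""
    expected = expected_hex.strip().lower()
    if len(expected) != 32 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected value is not a 32-character hex MD5 digest")
    return hmac.compare_digest(md5_of_file(path), expected)


def demo():
    """Write a constructed sample file, verify it against its own digest, then against the published value."""
    with tempfile.TemporaryDirectory() as tmpdir:
        sample_path = os.path.join(tmpdir, "defs.ref")  # constructed sample, not the real reference file
        sample_bytes = b"constructed sample definitions file\n"
        with open(sample_path, "wb") as fh:
            fh.write(sample_bytes)
        own_digest = hashlib.md5(sample_bytes).hexdigest()
        good = checksum_matches(sample_path, own_digest.upper())   # upper-case input is accepted
        bad = checksum_matches(sample_path, PUBLISHED_SE1R106_MD5)  # sample is not the real file, so False
        return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A matching MD5 tells you the download is complete and uncorrupted. It is not proof that the file is the one the vendor shipped: MD5 collisions have been practical since 2004, and a checksum served from the same location as the file can be replaced along with it, so treat it as an integrity check for transfer errors rather than an authenticity check.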


End of Support: Windows 98, 98SE and ME

Final customer notification about the end of Windows 98, Windows 98
Second Edition, and Windows Millennium Edition Extended Support

Support for Windows 98, Windows 98 Second Edition, and Windows
Millennium Edition (Me) ends on July 11, 2006. Microsoft will end
public and technical support by this date. This also includes security
updates. Microsoft is providing final notifications to customers to
end the extended security update support for these products.

Microsoft is ending support for these products because they are
outdated and these older operating systems can expose customers to
security risks. We recommend that customers who are still running
Windows 98 or Windows Me upgrade to a newer, more secure Microsoft
operating system, such as Windows XP, as soon as possible.


Key dates:


* Paid incident support and critical security updates for Windows
98, Windows 98 Second Edition, and Windows Me will end on July 11,
2006. No other security updates will follow after this date.
* Online self-help support will be available at the Microsoft
Support Web site until at least July 11, 2007.
* The Windows 98 and Windows 98 Second Edition Extended Support
end date was moved from January 16, 2004 to June 30, 2006.
* In January 2006, Microsoft announced an adjustment to the
Microsoft Support Lifecycle expiration dates, moving the Extended
Support end date for Windows 98, Windows 98 Second Edition, and
Windows Me to July 11, 2006. Details about the announcement can be
found at http://support.microsoft.com/gp/lifean17/.
* No-charge incident support and extended hotfix support for
Windows Me ended on December 31, 2003, and for Windows 98 and Windows
98 Second Edition ended on June 30, 2003.


About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

Follow Wizcrafts on Twitter


Malwarebytes' Anti-Malware is the most frequently recommended malware removal tool in malware removal forums, like Bleeping Computers. It is extremely effective for removing fake/rogue security alerts, Bots, Spyware and the most prevalent and current malware threats in the wild. Learn about Malwarebytes Anti-Malware.


MailWasher Pro is an effective spam filter that protects your desktop email client. Using a combination of blacklists and built-in and user configurable filters, MailWasher Pro recognizes and deletes spam before you download it. MailWasher Pro reveals the actual URL of any links in a message, which protects you from most Phishing scams. Try it free for 30 days.





This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.