July 31, 2007

Firefox Browser 2.0.0.6 Security Update Released on 7/31/07

News Flash!
Mozilla has just released a security update to its flagship Firefox browser: Firefox 2.0.0.6.

The news here is that this sudden release patches a critical vulnerability, known as the "Firefox URI-Handling Bugs," which could leave a Firefox-equipped computer open to hijacking.

Mozilla Security Chief Window Snyder announced on July 23 that Mozilla had found a new scenario over the preceding weekend in which Firefox could be used as an attack entry point in various ways, via URI exploits. Specifically, while browsing with Firefox, Snyder said, a malicious URL could be used to pass along bad data to another application.

The problems arise from an input-validation error that can allow remote attackers to execute arbitrary commands on a victim system, through processes such as "cmd.exe," by employing various URI handlers.

In a Deepsight alert to its customers July 31, Symantec, of Cupertino, Calif., outlined this possible attack scenario: First, an attacker constructs malicious links to pass arguments or parameters for an external application that will run when the URI is loaded. The attacker then plants the malicious link on a Web site or sends it through HTML e-mail or by other means.

If successful, the attacker can execute an arbitrary application: first launching the command line, then passing arbitrary arguments to the command shell, which in turn launches other applications.
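As an added illustration (not Mozilla's code) of why an unescaped URI handed to an external handler is dangerous, and of what the MFSA 2007-27 class of fix does: a Windows-style handler command template and a small quote-aware splitter standing in for the receiving program's argument parsing are assumed, and the sample URI is constructed.

```python
# Added example, not Mozilla's code: what happens when a URI is substituted
# unescaped into an external protocol handler's command template, and the
# percent-escaping that keeps it a single argument.
from urllib.parse import quote

# Hypothetical handler registration, in the style of a Windows
# <scheme>\shell\open\command entry: %1 is replaced by the whole URI.
HANDLER_TEMPLATE = '"C:\\Program Files\\App\\app.exe" "%1"'


def split_windows_cmdline(cmdline: str) -> list:
    """Minimal quote-aware splitter standing in for the receiving program's
    argument parsing: double quotes group text, whitespace outside quotes
    separates arguments.  Real CRT rules are more involved; this is enough
    to show the effect."""
    args, current, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch.isspace() and not in_quotes:
            if have_token:
                args.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        args.append("".join(current))
    return args


def escape_uri_for_handler(uri: str) -> str:
    """Percent-encode everything outside the RFC 3986 URI character set
    (so spaces and quotes become %20 and %22); existing %XX escapes, the
    scheme delimiter and the other reserved characters are left as they are."""
    return quote(uri, safe="%:/?#[]@!$&'()*+,;=-._~")


def handler_args(uri: str) -> list:
    """Argument vector the external program would see for this URI."""
    return split_windows_cmdline(HANDLER_TEMPLATE.replace("%1", uri))


def arrives_as_single_argument(uri: str) -> bool:
    """Defensive check a browser-side handler layer can apply before
    launching anything: the program must receive exactly [exe, uri]."""
    args = handler_args(uri)
    return len(args) == 2 and args[1] == uri


if __name__ == "__main__":
    # Constructed sample: a legal-looking mailto with a quoted local part.
    raw = 'mailto:"bob smith"@example.com'
    print(handler_args(raw))                 # three arguments: the URI was split
    safe = escape_uri_for_handler(raw)
    print(safe, handler_args(safe))          # one argument again
    print(arrives_as_single_argument(raw), arrives_as_single_argument(safe))
```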

An additional bug has been patched in version 2.0.0.6. Mozilla researcher moz_bug_r_a4 reported that the fix for MFSA 2007-20 introduced a flaw that could enable privilege escalation attacks against add-ons that create "about:blank" windows and populate them in certain ways (including implicit "about:blank" document creation through data: or javascript: URLs in a new window).

One add-on known to be affected is the Web Developer Toolbar, used by webmasters to analyze web pages. It was safe in its default configuration but potentially vulnerable to malicious web content if its informational windows were opened as separate windows instead of tabs.

Synopsis:
Fixed in Firefox 2.0.0.6
MFSA 2007-27: Unescaped URIs passed to external programs
MFSA 2007-26: Privilege escalation through chrome-loaded about:blank windows

Firefox version 2.0.0.6 is available here for Windows, Mac and Linux. Users on Firefox 2.0.0.x will get an automated update notification within 24 to 48 hours, or the update can be downloaded manually by selecting "Check for Updates" in Firefox's Help menu. Do so immediately for your own protection!


Wizcrafts MailWasher Pro Anti-Spam Filters Updated Frequently

For those of you who don't know, MailWasher Pro is a renowned email screening and spam detection/deletion program, designed for people who use a POP3 email client to send and receive their email (Outlook, Outlook Express, Windows Mail, Thunderbird, Eudora, etc.). It can be set to check all of your POP3 email accounts automatically at any whole-minute interval you choose, and it contains built-in tools to detect spam messages and viruses and then deal with them in the manner you define. MailWasher Pro uses a variety of spam detection techniques, including a Bayesian learning filter (with user overrides), configurable blacklists and whitelists, a database of known/reported spam, domain name server (DNS) blocklists, and user-configurable custom filter rules to block various types of spam or other unwanted email. Once incoming spam has been deleted from your email servers, you can download the legitimate messages to your email program, which should be set to manual-check mode when used with MailWasher as the front-end screener.

The custom filters are very powerful tools that many people don't fully understand, hence they often go unused by less technical users. Fortunately for them, I am part of a group of technically advanced MailWasher Pro users who have learned to develop and use these custom spam filters. In fact I am the author of many of the filters now in common use by MailWasher Pro users around the World.

I use MailWasher Pro, every day, all day long, to screen all of my incoming email for spam, scams and malware across two dozen POP3 accounts, and my custom filter rules usually block almost all incoming spam, scams and malware embedded in or attached to email messages. This includes image spam promoting pump-and-dump stocks or counterfeit drugs, and fraudulent e-card/postcard messages with links to hostile scripts that might turn your PC into a member of a zombie BotNet. However, as spammers tend to alter their codes occasionally, from one spam run to another, sometimes a previously effective rule will fail to block a known type of spam. I usually detect these changes and apply them to existing or new filter rules within minutes of discovering a failure to detect and delete that type of spam. I then publish these alterations and/or additions to copies of my filters that are available for copying and pasting into your own MWP filters.txt file. See my extended comments for more information about the location of the Filters.txt file.

The gist of all this is that since I hate spam and spammers I have been updating and fine-tuning my MailWasher Pro filters quite often these days, sometimes more than once per day, to respond to changes in spam runs. You can find my most recently updated/uploaded filter sets on my MailWasher Pro Filters page. Since this is time consuming work I am not too proud to accept PayPal donations from any of you who are benefiting from my ongoing filters work and can afford to make a contribution to the cause. Thanks in advance!

See my MailWasher Pro product details page for complete information about this spam screening tool, with links to download a trial version, or to purchase a permanent license (pay once, get upgrades for life). I am also available for hire to write custom MailWasher filter rules for individuals or organizations. Contact me with your requirements and I'll send you an estimate.

MailWasher Pro stores user information in the logged on user's personal profile folder. If you use Windows 2000 or XP that location is at:

C:\Documents and Settings\(Your_User_Name)\Application Data\MailWasherPro

For Windows Vista computers the default application data location is at:

C:\Users\(Your_User_Name)\AppData\Roaming\MailWasher Pro\

If you experience "access denied" error messages when trying to save custom filter rules or blacklist entries on a Windows Vista PC, some users have reported that simply changing the security permissions on the "Roaming" folder has allowed them to use MailWasher Pro with no other changes. If that doesn't work read the workarounds listed on this forum entry.

If you cannot see the application data folders when browsing for them in My Computer, they are probably hidden (system folders are hidden by default). To unhide them, go to any open folder window, such as My Computer, and click through this sequence:

Tools > Folder Options > View:
Place a checkmark in: Display the contents of system folders
Place a dot in: Show hidden files and folders
Uncheck: Hide extensions for known file types
Click Apply, then click OK. Press F5 to refresh the view and you should now see the Application Data or AppData folder and its sub-directories and their contents.


July 30, 2007

Spybot Search & Destroy Anti Spyware Definitions Updated on July 25, 2007

The world-renowned anti-spyware program Spybot Search and Destroy has been updated with new spyware definition files. If you use this program, be sure to run manual updates as soon as possible.

If you see a program listed in these detections by name, you should assume that it is malware. All of the programs listed with a + sign are additions or updated detections, and are dangerous to your computer and/or personal security. Update your Spybot Search and Destroy definitions, then scan for and fix any malware that is detected.

After updating your Spybot S&D definitions, if they include new Immunization definitions you need to click the Immunize button; then, if the status line says that additional immunizations are possible, click the Immunize link near the top of the program (it has a green + sign in version 1.4). If you don't do this, the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-07-25

Adware
+ RooGoo
+ Stud.A (3)
+ WSearch (2)

Keylogger
+ Ardamax

Malware
+ Contra-Virus
+ HB.RichMedia (2)
+ MicroBillingSystem
+ Nous-Tech.UCleaner
+ Nous-Tech.UFixer
+ Nous-Tech.Ultimate-Fake-Security-Center
+ Sogou
+ Smitfraud-C. (2)
+ Win32.Agent.VB.aoh
+ Winsoftware.WinAntiSpyware2006
+ Winsoftware.WinAntiVirusPro2006

PUPS (Potentially Unwanted Programs)
+ DriveCleaner 2006
+ Yazzle
+ Zango.WindUpdates

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ Win32.Bancos.zm

Trojan
+ Agobot.Backdoor
+ Banker.phb
+ BraveSentry
+ Clicker.BWJob
+ Crypt.XPACK (2)
+ Hupigon
+ ISearchTech.ISTBar
+ Maran.J
+ Nous-Tech.UDefender (2)
+ Rootkit.Dayoff.Process
+ Smitfraud-C.KooWo
+ SystemDoctor2006
+ Tisemabana
+ Virtumonde (6)
+ Win32.Agent.aix
+ Win32.Agent.bbb
+ Win32.Agent.bid
+ Win32.Atmamds
+ Win32.Bobic.n
+ Win32.MicroJoin
+ Win32.Murlo.ff
+ Xorpix.a
+ Zlob.DNSChanger (5)
+ Zlob.VideoActiveXAccess (3)

Worm
+ Win32.Viking.le

Total: 409918 fingerprints in 74787 rules for 3119 products.

Spybot Search & Destroy is now compatible with Windows Vista, but needs administrator rights to perform its security functions. A new version, 1.5, will soon be released that will carry the Works With Windows Vista logo. Stay tuned for more information about version 1.5.

See links to and more information about using Spybot Search and Destroy in my extended comments...

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of these parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from which they are automatically restored when the computer reboots. To completely remove these threats, and others, you should disable System Restore, reboot, clean all threats, then re-enable System Restore and set a new Restore Point on the clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click its icon. From the menu that appears select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.


July 22, 2007

Spybot S&D Definitions Updated on July 18, 2007


2007-07-18 (also contains July 11 updates)

Hijacker
+ SearchCentrix
+ Munga_Bunga

Keylogger
+ Perfect Keylogger

Malware
+ Contra-Virus
+ MicroBillingSystem
+ Mirar
+ Nous-Tech.UCleaner (2)
+ Smitfraud-C. (3)
+ Smitfraud-C.FakeAlert
+ Spyblocs
+ SpyCrush
+ SpyLocked.FakeAlert
+ SpywareBot
+ Vario.AntiVirus (22)
+ VirusProtectPro
+ Win32.Bomka.r
+ Win32.Delf.cc
+ Win32.Obfuscated.en
+ Win32.OnLineGames.dz

PUPS (Potentially Unwanted Programs)
+ MalwareWipe (2)
+ DriveCleaner 2006

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ Torpig

Trojan
+ 3wPlayer
+ CiD.IEPop
+ Crypt.PCMM (2)
+ Delf.DDOS.fi
+ Fakealert.BraveSentry
+ Fraud.ProtectionBar
+ Hupigon
+ Nurech
+ Psyme
+ RBot.IRC
+ Tibiabot
+ Virtumonde
+ Win32.Agent.aah
+ Win32.Agent.bid
+ Win32.Agent.pz
+ Win32.Atmamds
+ Win32.Banbra.gi
+ Win32.Banker.anv
+ Win32.ConHook.ah
+ Win32.Delf.C
+ Win32.Ezula.cc
+ Win32.FlashyBot
+ Win32.Hupigon.FB
+ Win32.Inject.bw
+ Win32.Mediket.cz
+ Win32.OnLineGames
+ Win32.Small.rc
+ Win32.Vixup.b
+ Virtumonde (3)
+ Virtumonde.Winpop
+ Zlob.PPlayer (2)
+ Zlob.SiteEntry
+ Zlob.VideoActiveXObject (2)

Total: 407374 fingerprints in 74116 rules for 3098 products.


July 19, 2007

Happy Birthday to Me!

Today is my 59th birthday and I want you all to have a beer on me! Bottoms Up! Had I known I was going to live this long I would have taken better care of myself! Not really ;-)


July 5, 2007

Spybot S&D Definitions Updated on July 3, 2007


2007-07-03

Hijacker
+ SearchCentrix

Malware
+ CoolWWWSearch.am
+ Kalmarte
+ Vario.AntiVirus
+ Win32.Banload.bfo

Security
+ Microsoft.Windows.Security.FirewallOpenPorts
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ Orvell-Monitoring 2007

Trojan
+ Agobot.Backdoor
+ Banker.Winload
+ Exploit.Anifile
+ Fake.Wget
+ Poison.Ivy
+ Psyme
+ QQ-Pass
+ RBot.IRC
+ ServU.Boo.ce
+ Virtumonde.WinPop
+ Win32.Agent.APN
+ Win32.Agent.brs
+ Win32.Agent.pz
+ Win32.ConHook.ah
+ Win32.Delf.ado
+ Win32.Dluca.CC
+ Win32.Poison.k
+ Win32.Rbot.gen
+ WinBot.IRC
+ XPreload
+ ZLob.PPlayer
+ Zlob.SiteEntry
+ Zlob.VideoActiveXObject

Total: 399684 fingerprints in 72167 rules for 3055 products.


July 1, 2007

Warning: Trojan in Email Link: "You've received a greeting postcard from a family member!"

If (rather, when) you receive an email with a subject line that matches or closely matches this:

You've received a greeting postcard from a family member!
or
You've received a postcard from a family member!

DELETE IT! These messages are sent from infected computers and contain links to a web page that is hosted on some poor schmuck's personal computer, on a broadband ISP connection, possibly with a static IP address. That web page contains exploit code that is used to download a Trojan Horse remote control program onto your computer. The bait is that a "family member" has just sent you a (greeting) postcard and there is a link to copy and paste into your browser's address bar (or to click on). If you mouse over that link you will see the numeric IP address in it. I have analyzed several of these recent spam messages and learned that they either point to a .hk (Hong Kong) domain, or a numeric IP address, followed by a question mark and a long group of hexadecimal characters (referred to as your card's claim number). The destinations are usually US-based broadband customers' home computers that have had a (proxy) server surreptitiously installed, without the owner's knowledge. The ones I have looked at use a freeware server called "nginx." The web page they serve up contains a link to a copy of the Trojan program and handles both visitors without JavaScript and those with JavaScript-enabled browsers. If you visit the link without JavaScript you will see a message that if you don't see your card you should click on a link. That link goes directly to an infected file on the hijacked computer. If you visit the page with JavaScript enabled you will be in danger of becoming infected by the JavaScript exploit that is encoded into a huge line of hostile code.

My advice, other than not even opening messages with the above-mentioned subject lines, is to keep updated anti-virus (and anti-Trojan) and anti-spyware programs running at all times on your computers. If you use Outlook (Express) or a similar stand-alone email client you should add a spam/virus screening front-end program, like MailWasher Pro, which I use. MailWasher Pro uses a combination of an intelligent learning filter, blacklists of known spam, a virus detector, plain-text display of messages and their source code, and best of all, user-configurable filter rules. I have authored two sets of custom MailWasher filter rules. My filter rules are updated frequently to respond to the latest spam and scam threats and are available online, on my MailWasher Filters page. It was the ability to read incoming email source code in MailWasher Pro that allowed me to discover the nature of these greeting postcard threats.

I hope this saves somebody from the misery of having their computer taken over due to ignorance and unpreparedness. Stay alert and keep your anti-malware defenses running and up to date at all times. Assume that "they" are out to get you, because they are! If you receive a notice from your ISP that they suspect that your computers are sending out harmful messages, have the computers checked for proxy servers. Stay off-line until all vestiges of such programs have been completely removed, then equip your computers with the best security programs you can afford. There are links all over this page and others of mine for Spy Sweeper, Spyware Doctor, Norton Anti Virus and other similar products. Some offer a free trial, so use it, then purchase a subscription. Don't let your computers become unwitting members of zombie BotNets for use as spam/virus relays, or hosts for spamvertised websites.

The viewable text on the zombie computer's web page is, or is similar to:

We are currently testing a new browser feature. If you are not able to view this ecard, please click here (link codes removed) to view in its original format. That link would go directly to a file that has been placed onto the compromised computer and it will probably infect your computer unless your defenses are among the best in the industry.
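A screening function, added here as an example and not one of the author's MailWasher rules, that turns the indicators described above (the bait subject lines, a link whose host is a bare IPv4 address or a .hk domain, and a long hexadecimal "claim number" after the question mark) into a check over constructed sample messages; the hex length threshold and the two-indicator rule are this example's assumptions.

```python
# Added example, not the author's MailWasher filter rules: flag the
# "greeting postcard" lure from the indicators the post describes.
import re
from urllib.parse import urlsplit

# Subject lines quoted in the post (compared case-insensitively).
BAIT_SUBJECTS = (
    "you've received a greeting postcard from a family member!",
    "you've received a postcard from a family member!",
)
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# "Long group of hexadecimal characters": 16+ is this example's threshold.
HEX_CLAIM = re.compile(r"^[0-9a-fA-F]{16,}$")
URL_IN_TEXT = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def link_indicators(url: str) -> list:
    """Names of the indicators that match a single link, in fixed order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    found = []
    if IPV4_HOST.match(host):
        found.append("ip-host")
    if host.endswith(".hk"):
        found.append("hk-domain")
    if HEX_CLAIM.match(parts.query):
        found.append("hex-claim-number")
    return found


def screen_message(subject: str, body: str) -> dict:
    """Flag a message when the bait subject is present, or when any link in
    the body carries two or more link indicators (example's own threshold)."""
    subject_match = subject.strip().lower() in BAIT_SUBJECTS
    links = {u: link_indicators(u) for u in URL_IN_TEXT.findall(body)}
    suspicious = [u for u, ind in links.items() if len(ind) >= 2]
    return {
        "subject_match": subject_match,
        "links": links,
        "suspicious_links": suspicious,
        "flag": subject_match or bool(suspicious),
    }


# Constructed samples (not real messages); 192.0.2.0/24 is a documentation range.
POSTCARD_SPAM = (
    "You've received a greeting postcard from a family member!",
    "Hello friend! To see your card copy and paste this link:\n"
    "http://192.0.2.44/?a4f9c02be17d5530b99e2c7aa6d1f0e3",
)
LEGIT_MAIL = (
    "Photos from the picnic",
    "The album is at https://photos.example.org/albums/2007-july?view=grid",
)

if __name__ == "__main__":
    for subject, body in (POSTCARD_SPAM, LEGIT_MAIL):
        print(subject, "->", screen_message(subject, body))
```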

One of the simplest ways to protect against getting infected in the first place is to not run as a computer administrator on your daily browsing account. The impact of any virus, or Trojan, or any malware threat is limited in scope by the privileges of the logged in user. Users running with reduced privileges will be less impacted, if at all. See my blog article about using reduced user privileges to protect against malware threats.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.