July 30, 2012

How to block most spam with a few of my MailWasher Pro filters


Almost everybody who sends and receives email has to deal with spam, scams and security threats that are delivered by spammers and their botnetted computers, every day. Manually sorting through email subjects to detect and delete spam is time consuming and not always effective at first glance. It is more efficient to let my spam filters do the work for you.

Many people choose to use their web browsers to "do" email, which leaves them at the mercy of their email provider to filter out spam. Countless others prefer to use a real, desktop email client to compose, send and receive email, using the POP3 or IMAP email protocols. If you are in the second group and are using a real email client, like Windows Live Mail, adding MailWasher Pro and my custom MailWasher spam filters can reduce the amount of spam, scams and malware threats getting through to a few percentage points.

I have currently published almost 150 spam filters for MailWasher Pro users to download freely and apply to their copy of the program. These spam filters cover both the old version 6.x (the last version is 6.5.4) and the new XML versions starting with v 2010. Only the new version is under development now. MailWasher Pro is currently at version 2012 - 1.20.1.

Although I have created and published about 150 filters, in reality, only a few are needed nowadays to block most of the current crop of junk email. I shall list these filters below, along with the types of spam that they are able to detect and delete. Note that in the new version of MailWasher Pro, automatic deletion occurs when a certain spam rating number has been reached, or if you decide to set one or more filters to automatically delete messages matched by those filters. Some of my filters are set to what I call "Judge Dredd, Murder - Death - Kill" settings, meaning they auto-delete anything matching their conditions. The MailWasher spam filters can include both plain text and regular expression matches and are very powerful.

The following are my best performing spam filters, during most of 2012 (up to today, July 31).

  1. Russian Domain Link: This matches at least 80% of all pharmaceutical, male enhancement and counterfeit watches spam emails!
  2. Known Spam Subjects #4: This detects about 5% of my spam, including most current "work at home processing email" scams.
  3. Known Spam Domains: This filter contains rules that detect the presence of domain names typically used in spam runs, both in the headers and in the body text. I update it when necessary, which happened just yesterday.
  4. African Sender: This is but one of seven filters that detect Nigerian 419 scams, as well as many other criminal acts carried out from botted computers in AfriNIC territories, which include all of Nigeria.
  5. Diploma Spam [Subject or Body]: These detect the fake diploma scams that are always making the rounds.
  6. Fake Query String In Link: These messages spoof well known organizations and financial institutions, as well as Facebook, but have huge "query strings" appended to flat files ending in .htm. The query strings are meaningless, meant to fool spam filters. All lead to the BlackHole Exploit Kit.
  7. From India: Sadly, India has the dishonor of being ranked as the #1 spam sending Country in the inhabited World. They have more botnetted computers spewing spam than even South Korea, who held the #1 spammer position in 2011.
  8. Work At Home #1 and #2: These filters detect money mule - money laundering scams targeting unemployed people seeking work at home jobs that do not exist in the legitimate sphere. People who participate in these schemes are subject to arrest and imprisonment for acting as accomplices in money laundering operations run out of the former Soviet Union. These crimes are usually tied to purveyors of the ZeuS banking Trojan, who are based in the former Soviet Union.
  9. URL Shortener Link: Many links are sent through what are called URL Shortener websites. Many of those shortened URLs are used by spammers trying to get past spam filters by using such short links. My filter detects all shortened links and does not auto-delete them. Instead, it uses a gray background to bring the fact that shortened links are present to your attention. You decide if they are spammy or legit.
  10. .BR or .CN Domain Link: Unless you routinely exchange email with persons in Brazil and China, 100% of the emails matching this filter are spam.

These 10 filters, along with 6 more Nigerian 419 scam, 3 Diploma, 4 Work At Home-Money Mule scam, and several "courier spam" filters can eliminate almost 99% of today's incoming email spam, scams and malware threats before you download them into your email client. All you need is a licensed copy of MailWasher Pro, with my custom filters installed as per the instructions on my MailWasher Filters page. You can also block a few more spam messages by applying my published MailWasher Pro Blacklist, which deletes email from regular sources of spam and scams. However, since the blacklist contains country extensions that only send spam to me, you may need to edit out any rules that would delete messages that you deem legitimate, from such locations.
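To make the score-and-threshold idea concrete, here is an added Python example (not MailWasher's filter format or the author's own filters): a few regular-expression rules named after the filters above, each with a score and an optional "Judge Dredd" auto-delete flag, run over constructed sample messages. The patterns, scores, the threshold value and the sample messages are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example: a minimal score-and-threshold filter engine in the spirit of
# the filters described above. Rule names follow the post; the patterns,
# scores and threshold are constructed for illustration, not MailWasher's own.

@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    score: int
    auto_delete: bool = False   # "Judge Dredd" rule: delete on match regardless of score

# Host part only (no "/" before the TLD), so a ".ru/" inside a URL path does not match.
RU_LINK = re.compile(r"https?://[^\s\"'<>/?#]*\.ru(?=[/?#\s]|$)", re.I)
BR_CN_LINK = re.compile(r"https?://[^\s\"'<>/?#]*\.(?:br|cn)(?=[/?#\s]|$)", re.I)
# A flat .htm/.html file followed by a long, meaningless query string.
FAKE_QUERY = re.compile(r"https?://[^\s\"'<>?]+\.html?\?[^\s\"'<>]{40,}", re.I)
DIPLOMA = re.compile(r"\b(?:diploma|degree)\b[^\n]*\b(?:no (?:exams?|classes)|in days)\b", re.I)
SHORTENER = re.compile(r"https?://(?:bit\.ly|tinyurl\.com|goo\.gl|t\.co)/\S+", re.I)

RULES: List[Rule] = [
    Rule("Russian Domain Link", RU_LINK, 60, auto_delete=True),
    Rule(".BR or .CN Domain Link", BR_CN_LINK, 60, auto_delete=True),
    Rule("Fake Query String In Link", FAKE_QUERY, 50, auto_delete=True),
    Rule("Diploma Spam", DIPLOMA, 30),
    Rule("URL Shortener Link", SHORTENER, 0),   # flag only, never deletes by itself
]

AUTO_DELETE_THRESHOLD = 50   # assumed "spam rating" at which a message is deleted

def evaluate(message: str) -> Tuple[List[str], int, str]:
    """Return (matched rule names, total score, verdict) for one raw message."""
    matched = [r for r in RULES if r.pattern.search(message)]
    score = sum(r.score for r in matched)
    if any(r.auto_delete for r in matched) or score >= AUTO_DELETE_THRESHOLD:
        verdict = "delete"
    elif matched:
        verdict = "flag"      # brought to the user's attention, like the gray background
    else:
        verdict = "keep"
    return [r.name for r in matched], score, verdict

# Constructed sample messages (not real spam)
SAMPLES = {
    "pharma": "Subject: Cheap pills\n\nOrder now: http://pills.example.ru/buy",
    "bank": "Subject: Account notice\n\nReview: http://www.example-bank.test/login.htm?" + "x" * 60,
    "diploma": "Subject: Get your degree\n\nA degree with no exams, delivered in days!",
    "short": "Subject: Check this\n\nhttp://bit.ly/abc123",
    "ham": "Subject: Meeting\n\nNotes at http://intranet.example.com/notes",
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, evaluate(msg))
```

The diploma rule scores below the threshold and only flags on its own, while a single matching auto-delete rule removes the message outright, which is the same two-tier behaviour the filters above rely on.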

If anybody reading this would like to have my assistance developing a set of spam filters best suited to their situation, please contact me via my Webmaster contact form. My rates are competitive and reasonable and are payable through PayPal.



July 19, 2012

How to disable or re-enable the Windows 7 Gadgets sidebar


For the last few weeks I have been reading security bulletins warning us to turn off the Windows Gadgets sidebar, which is a feature introduced on Windows Vista and continued on 7. Two security researchers, Mickey Shkatov and Toby Kohlenberg, have announced that the Gadgets Platform is basically exploitable and are going to present their evidence in a keynote presentation at the upcoming Black Hat Convention, on July 26, 2012, at Caesars Palace, Las Vegas, Nevada.

According to Black Hat USA 2012 briefings page, here is what these guys are going to reveal: "We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets." Once their findings go public, hackers and cybercriminals will begin adding the published exploits to attack kits already in use (like the BlackHole, or Phoenix Exploit Kits). That is when it is going to hit the fan!

The Gadget sidebar is actually the Windows Gadget Platform. Misters Shkatov and Kohlenberg have notified Microsoft about their findings and in response, and without going into any meaningful details, Microsoft has issued a security advisory calling on concerned people everywhere to disable their (Windows Vista and Windows 7) Gadgets and Sidebars!

Here is the warning on the Microsoft Security Advisory (2719662) page:


An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The following paragraphs show two methods of disabling, or re-enabling your Windows Gadgets and Sidebar.

Automated Fix It Solution:
Microsoft has published another security page containing two Fix It buttons. The buttons download files with a .msi extension. The button on the left (50906) fixes the problem by disabling the Windows Sidebar and Gadgets entirely. The button on the right (50907) reverses the changes and enables the Sidebar and Gadgets. Running either requires you to reboot the computer to complete the action.

Manual Fix:
I also discovered that you can take matters into your own hands and disable or enable the Windows Gadget Platform by yourself. Simply open "Control Panel" > "Programs" > "Turn Windows features on or off" (acknowledge the UAC prompt or type the admin password) > "Windows Gadget Platform", uncheck its checkbox and click OK. You will be told to restart the computer for the change to take effect. Reverse this procedure if you choose to enable the Gadgets after the details of the exploit are made public and you have assessed your exposure and exploitability.

Keep in mind that the Microsoft Advisory makes it clear that the danger of takeover is directly related to the privileges of the logged in user. If you, like me, operate with reduced user privileges, you are less likely to be exploited without any notification. You could, however, be tricked into installing a malicious gadget, just like any other kind of malware or Trojan Horse. This is what is meant by the saying that the weakest link lies between the keyboard and the chair. If you read my security alerts and those of other professionals in the computer security field, you should have enough street smarts to not fall for social engineering tactics meant to self-infect the clueless. Beware of Gadgets bearing gifts!

Yet to be revealed:
It is still unclear if Microsoft has any intentions of patching this vulnerability, or if hiding the Sidebar and Gadgets like ostrich heads in the sand is their best solution. Once the details of this exploit have been made public and Microsoft decides if a patch is to be issued, we'll all be able to decide whether it is safe or unsafe to re-enable the use of Windows Gadgets. I will wait and see, but have them turned off for now. I will publish a follow up article outlining the danger that is posed by using Windows Gadgets in the Windows Sidebar, once that information has been vetted.



July 18, 2012

More BlackHole Exploit Kit attacks spoofing LinkedIn, UPS, USPS


After a week where spam for pharmaceuticals, fake diplomas and replica watches dominated inboxes and junk folders, malware scams have resumed with a vengeance. These are spam email messages that either contain malware in an attached zip file, or a link to a malware server.

The recent email malware scams I saw, over the last 7 days, are spoofing the following brands or senders with these subjects:

UPS: "UPS Tracking Number H8087145257" - "UPS Tracking Number H1284336147"
UPS and USPS together: "Your Tracking Number H6497226598"
Sprint: "Your Sprint bill is now available online"
LinkedIn: "Join My Network on LinkedIn"
US Air: "Fwd: Your Flight US 896-119520"
Bank Account Operator: "Fwd: Wire Transfer Confirmation (FED_2732L45075)"
LiveJournal.com (UPS spoof): "Your Tracking Number H6302300603"
Post Express: "Delivery status is required urgent confirmation"
LinkedIn (UPS and USPS): "United Postal Service Tracking Nr. H9486128170"
Customer Support ups: "UPS Tracking Number H7383353854"
Habbo Hotel: "UPS: Your Package H4869590295"

As you can see, scams spoofing UPS and the USPS are the most common at this time. All of the above scams either contain malware exploit codes in an attachment (e.g. "MYUPS_N230250.zip"), or at the end of a redirected link to a BlackHole Exploit Kit server. Both methods use JavaScript codes to probe your web browser or email client for vulnerabilities, or exploitable plug-ins/extensions, or basic components. The ones being targeted the most this week are: Windows Help Center URL Validation Vulnerability, which was patched on July 13, 2010, as well as numerous vulnerabilities in the Java Virtual Machine, all of which have been patched by Oracle Java updates, plus the Microsoft XML Core Services Vulnerability just patched on July 10, 2012. Finally, some versions of the BlackHole Exploit Kit also probe for a vulnerable and exploitable version of Adobe's Reader, Acrobat and Flash software. Previous versions also sought to exploit Adobe Shockwave and Air.

Let's analyze one of the LinkedIn malware scams I received just today.

Email scam spoofing a LinkedIn invitation:

Subject: Join my network on LinkedIn
From: LinkedIn <[email protected]>
Body text come-ons:

Keeley Holbrook has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn
- Keeley Holbrook
Accept (link)
View invitation from Keeley Holbrook (link)

Examining this email with its source code displayed is the safest way to see that the sender is spoofed and that the links are hostile. Starting with the top-most Received: line, instead of a linkedin.com server, we find this:

Received: from [201.230.150.182] (port=21901 helo=client-201.230.150.182.speedy.net.pe)

which belongs to a customer of an ISP named Speedy.net, in Peru.

Also, the Return Path doesn't go to linkedin.com either. Rather, it goes to: [email protected]

While each and every image is pulled from LinkedIn (by using img src codes to LinkedIn.com), the critical links go elsewhere. We can also detect this by hovering over the links with our pointer, but not clicking. Most actual web browsers, or email clients, will display the actual destination URL in a status bar on the bottom, as you hover over a clickable link. Android users can now download a brand new Firefox mobile browser that will display the URL in a status bar that appears when needed. Using the built-in Android browsers and email readers leaves most users blind to actual link URLs.

In this case, the links surrounding the words "Accept" and "View invitation from Keeley Holbrook" open your web browser to (deactivated for your safety): h**p://www.falkirk.scotpool.net/cvdym.htm, where the BlackHole Exploit code lies in wait. The web page is on a server belonging to: server55.donhost.co.uk, who have yet to act on complaints filed via SpamCop.
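The three checks walked through above (the top Received: line, the Return-Path, and links that leave the brand's domain while images stay on it) can be automated. The following is an added Python example, not code from the original post; it uses only the standard library. The sample message is constructed: the Received: line and the display name follow the post, while the From local part, the Return-Path address and the link host are placeholders, since the real values are redacted or defanged in the article.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message dissected above. The From local
# part, the Return-Path address and the link host are placeholders.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from [201.230.150.182] (port=21901 helo=client-201.230.150.182.speedy.net.pe)
From: LinkedIn <placeholder@linkedin.com>
Subject: Join my network on LinkedIn
Content-Type: text/html

<html><body>
<img src="http://static.linkedin.com/logo.png">
<p>Keeley Holbrook has indicated you are a Friend</p>
<a href="http://links.example.net/cvdym.htm">Accept</a>
<a href="http://links.example.net/cvdym.htm">View invitation from Keeley Holbrook</a>
</body></html>
"""

SECOND_LEVEL = {"com", "net", "org", "co", "gov", "ac", "edu"}

def base_domain(host: str) -> str:
    """Registrable-domain guess: last two labels, or three under e.g. .net.pe."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL else 2
    return ".".join(labels[-n:])

def address_domain(header_value) -> str:
    """Domain part of the first address in a From/Return-Path header ('' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return base_domain(addr.rpartition("@")[2]) if "@" in addr else ""

class HostCollector(HTMLParser):
    """Record which domains <a href> links and <img src> images point to."""
    def __init__(self):
        super().__init__()
        self.link_hosts, self.image_hosts = set(), set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "a" else a.get("src") if tag == "img" else None
        host = urlparse(url).hostname if url else None
        if host:
            (self.link_hosts if tag == "a" else self.image_hosts).add(base_domain(host))

def analyze(raw: str) -> dict:
    """Compare the claimed From domain with the handing-in server, Return-Path and links."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = address_domain(msg["From"])
    return_path_domain = address_domain(msg["Return-Path"])
    # helo= names from every Received: line; the top-most one is the last hop
    helo_domains = {base_domain(m) for h in msg.get_all("Received", [])
                    for m in re.findall(r"helo=([\w.-]+)", str(h))}
    hosts = HostCollector()
    hosts.feed(msg.get_content())
    findings = []
    if helo_domains and from_domain not in helo_domains:
        findings.append(f"handed in by {sorted(helo_domains)}, not a {from_domain} server")
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path goes to {return_path_domain}, not {from_domain}")
    off_brand = hosts.link_hosts - {from_domain}
    if off_brand and hosts.image_hosts <= {from_domain}:
        findings.append(f"images load from {from_domain} but links go to {sorted(off_brand)}")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "helo_domains": sorted(helo_domains), "link_domains": sorted(hosts.link_hosts),
            "image_domains": sorted(hosts.image_hosts), "findings": findings}

if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

A Received: helo name is self-reported by the connecting host, so on its own it proves nothing; what matters here is that all three indicators disagree with the From: header at once, which is exactly what a spoofed invitation looks like in the raw source.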

The script on the landing page tricks victims with this large bold (H1) text: "Please wait a moment. You will be forwarded..." In the background a huge string of obscured JavaScript code probes your browser for various unpatched software and plug-ins, such as Oracle's Java, Windows Help Center, Adobe Flash, Windows XML Core Services, and more. If your browser is running any of the vulnerable versions of the targeted software, add-ons or plug-ins, the exploit will launch an installer in the background. In order to fool you, should a UAC Administrator permission prompt be anticipated, the program will lie about what is being installed.

Make it a point to be aware of what add-ons, extensions, plug-ins, toolbars and helper objects are incorporated into all of your web browsers. It is your job to secure your computers. You should especially be aware if you have Java installed. If so, make sure it is fully up to date, at www.java.com. Java is the #1 exploited browser plug-in in the World. Always set your Windows PC to automatically receive and install "Recommended" Windows Updates, which are usually released on the second Tuesday of every month (but sometimes on other days, when required to halt a 0-day exploit in progress). If you have Adobe Flash, Reader, Acrobat, or Shockwave plug-ins, set them to automatically check for and install updates. Set the check schedule to every day, sometime in the afternoon, when the computer is normally powered on.

If you have any old versions of Java on your computer, uninstall them. Malware is sometimes written to look for these previous versions, by their default installation path, then launch them by name, with hostile .jar files downloaded from malware servers.

Make sure you have legitimate anti-malware protection installed and running a real time module to scan files as they are downloaded and opened. Back that up with a modern anti-virus and anti-spyware program that uses definitions in the cloud. Make sure you have a firewall operating.



July 10, 2012

Image links now being used in USPS email malware scam


UPS, USPS and other courier name email scams are nothing new. We've seen UPS, DHL and FedEx spoofed for several years in various malware campaigns. The payloads are usually delivered via malware laden attachments, disguised as invoices, shipping labels, or pickup instructions, which the victim is supposed to open and print out. This week there is a new twist to the courier scams: clickable images containing a message and instructions to click to "print a shipping label."

The scams I have intercepted over the last two weeks or so spoof two services in the same message: UPS (United Parcel Service) and USPS (United States Postal Service). Either the spammers who write the text for these scams aren't aware that these are two different entities, or are counting on recipients overlooking this fact and falling for the bait due to recognizing the names.

In either case, the purpose of these messages, like those before them, is to infect unwary email recipients with Trojans, like the ZeuS bank account stealing malware, a botnet installer, a backdoor remote controller, and sometimes, fake security programs that demand money to fix non-existent problems (the pop-up desktop alerts are fake and themselves are the problem!), or fake FBI or other Police notices which hold the computer hostage until a ransom is paid for alleged bad behavior.

The courier scams are sent in bulk to everybody (via botnetted PCs), but are really targeting businesses and people who frequently send or receive goods via UPS or USPS, like eBay buyers and sellers. The criminals responsible (in Russia) are hoping that a busy secretary or shipper will open the attachment, or click on the link without thinking it through, or reading all of the text carefully (for giveaway typos or mixed up brand names).

Next, let's take a look at the image being used in the latest incarnation of the UPS/USPS email scams.

In order to get past spam filters, spammers frequently change the templates they use to compose their messages. They have gone to great effort to hide these current USPS image scams from detection, by adding hidden text that is styled to be white, against the standard white background of the email message window. The text, although plainly readable if highlighted by one's pointer, is an excerpt from the book titled: War-Time Silhouettes, but looks like possibly normal correspondence to an anti-spam program.

Why, you ask, do they do this? To confuse spam filtering programs looking for image spam.

Around 2008, in an effort to get past spam filters looking for certain keywords, spammers began blasting out email messages with nothing but images containing embedded text, promoting counterfeit drugs and pump and dump stocks. Most didn't even provide a clickable link, but embedded a website address in the spam text in the image, which the gullible were supposed to type into their browser's address bar. This embedding of text into an image is done using a graphics editor, like Adobe Photoshop.

As a result, spam filtering programs were retrained to look for just an image sent with or without a link, then flag them with the tag "{SPAM}" or "{POSSIBLE SPAM}" in the subject. The recipients are then alerted and will be wary of anything contained in those messages.

By using "Salad Words" or excerpts from publications, along with images containing an embedded textual message, spammers have a better chance of getting their emails past spam filters, to be viewed by many potential victims.

So, what does the image look like in the current USPS/UPS email spam campaign? Behold!

USPS and UPS spoofed in fraudulent image with text message embedded

Notice how, although most of the wording and photos are for the United States Postal Service (USPS.com), the bottom left says "Thank You" and "United Parcel Service"? A mixup by offshore writers, or deliberate subterfuge? Also, it is impossible to miss the button labeled: "Print a Shipping Label." In fact, you don't need to click on that (fake) button, because the entire image is wrapped inside a clickable link. Anybody clicking on the link in the spam message is taken to a website controlled by these spammers and presented with the following JavaScript function: window.location="USPSLabel.zip"

That code causes a Save or Run box to pop-up, with "USPSLabel.zip" as the file name. If the zip file is opened the malware code will be unleashed. If it cannot autorun, due to your computer's OS or security settings, you will be presented with a prompt to click to display the contents. This causes the Trojan installer to run. If you are a Limited or Standard User, you will be shown a UAC prompt in Windows Vista or 7. If you proceed, your computer will be pwned by a botmaster, the ZeuS banking Trojan will be installed and bad things will happen to your financial accounts, other malware will be downloaded to your PC, your computer will send out spam and may be used in DDoS attacks on innocent websites or Governments.
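The two tricks described above, filler text styled white-on-white and a message carried entirely by a linked image, both leave traces in the HTML that a filter can measure. Here is an added Python example (not part of the original post, and not how any particular anti-spam product works) that walks the HTML of a message, counts how much text is hidden versus visible, and lists links that wrap an image with no visible text. The two HTML samples are constructed for the example; the filler sentence and the link host are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed HTML modelled on the scam described above (not the real message):
# an image wrapped in a link, plus filler text styled white-on-white.
SAMPLE_HTML = """<html><body style="background:#ffffff">
<div style="color:#ffffff;font-size:9px">He had been a soldier once, and the old habits clung.</div>
<a href="http://label.example.net/get"><img src="cid:shipping_label.png" width="600" height="400"></a>
<span style="color: white">More of the same filler, also invisible.</span>
</body></html>"""

# Constructed ordinary message for comparison
HAM_HTML = """<p>Hi Bob, the report is attached.</p>
<a href="http://intranet.example.com/report">Open the report</a>"""

# "color" but not "background-color"; white written as #fff, #ffffff, white or rgb(255,255,255)
WHITE_TEXT = re.compile(
    r"(?<![\w-])color\s*:\s*(?:#fff(?:fff)?\b|white\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))", re.I)
DISPLAY_NONE = re.compile(r"display\s*:\s*none", re.I)
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}   # these never get an end tag

class ImageSpamInspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self._hidden_stack = []       # one bool per open non-void element
        self.hidden_chars = 0
        self.visible_chars = 0
        self.images = 0
        self._href = None             # link currently open, if any
        self._link_visible_text = False
        self.image_only_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        hidden = bool(WHITE_TEXT.search(style) or DISPLAY_NONE.search(style))
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden)
        if tag == "a":
            self._href, self._link_visible_text = a.get("href"), False
        elif tag == "img":
            self.images += 1

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()
        if tag == "a" and self._href:
            if not self._link_visible_text:
                self.image_only_links.append(self._href)
            self._href = None

    def handle_data(self, data):
        n = len(data.strip())
        if n == 0:
            return
        if any(self._hidden_stack):   # inside any invisible ancestor
            self.hidden_chars += n
        else:
            self.visible_chars += n
            if self._href:
                self._link_visible_text = True

def inspect(html: str) -> dict:
    """Summarise hidden text and image-only links and say whether the message looks like image spam."""
    p = ImageSpamInspector()
    p.feed(html)
    p.close()
    reasons = []
    if p.hidden_chars > p.visible_chars:
        reasons.append("most text is hidden (white-on-white or display:none)")
    if p.image_only_links:
        reasons.append(f"{len(p.image_only_links)} link(s) wrap an image with no visible text")
    if p.images and p.visible_chars < 20:
        reasons.append("the image carries the message; almost no visible text")
    return {"hidden_chars": p.hidden_chars, "visible_chars": p.visible_chars, "images": p.images,
            "image_only_links": p.image_only_links, "reasons": reasons, "suspicious": bool(reasons)}

if __name__ == "__main__":
    for name, html in (("scam", SAMPLE_HTML), ("ham", HAM_HTML)):
        print(name, inspect(html))
```

The colour test here is deliberately narrow (only text coloured white, or display:none); a production filter would also compare the text colour against the effective background colour, since spammers can just as easily hide black text on a black cell.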

Spam reporters and alert email recipients will recognize the text message that has been embedded in the scam image, from previous scams for USPS and UPS (Which begins with a copy of actual US Post Office logo and USPS.COM and stack of boxes on right, with US Post Office tags and labels).


DEAR CUSTOMER;

THE PARCEL WAS SENT TO YOUR HOME ADDRESS AND IT WILL ARRIVE WITHIN 7 BUSINESS DAYS.
FOR MORE INFORMATION AND THE TRACKING NUMBER
PLEASE DOWNLOAD SHIPPING LABEL

(Fake button labeled: "Print a Shipping Label")

THANK YOU
UNITED PARCEL SERVICE

I hope this heads-up keeps my busy friends and readers from accidentally clicking on this malware scam. The ZeuS and the botnet installer that comes with it are hard to eradicate. You'll need a top-notch anti-malware program to remove these bad boys. If you get infected with this Trojan package and you are running an anti virus program, it failed you. Please check out a free trial of one of the Trend Micro Internet Security programs, which I use and recommend.

Keep in mind that malware purveyors pay people to frequently alter their codes and repack malware delivery packages to elude anti-virus definitions for a day or two. That's all the time they need to infect hundreds of thousands of unsuspecting Netizens. You not only need a modern anti-virus and anti-malware program, or programs, but a good dose of suspicion, user account protection (less than administrator privileges and UAC enabled) and common sense! A lot of these courier scams depend upon people lacking one or more of these attributes, as well as them not being fully up to date with their security program or its definitions.

Spammers send out millions of messages, via botnets, in the Chance that enough people will be gullible enough to fall for their carefully engineered come-ons. To avoid becoming one of their victims, remember that Chance favors the prepared mind. Learn to spot the tricks used by spammers and Chance will favor you.



July 8, 2012

How to restore proper DNS Server settings altered by DNSChanger


On March 6, 2012, I wrote an article explaining the extended cutoff date of July 9, 2012, for computers that had been infected with the "DNSChanger" malware, during 2011. That date arrives tomorrow! Are you sure that your computers and routers are not still using the temporary DNS servers soon to be disconnected? If they are, your DNS Server settings are pointing to a temporary Court Ordered interim server that will be disconnected sometime on July 9, 2012.

The reason I am posting this is due to the fact that there are still about 270,000 unique IP addresses using the DNS Server IP addresses that were changed in computers and routers infected by the DNSChanger malware. They are all being rerouted to the temporary DNS Server arranged for by a Court Order obtained by the US FBI, after they took down the servers being used by the Rove Digital criminal enterprise, based in Estonia and had the people involved arrested. The statistic about infected IP addresses is logged by the DNS Changer Working Group (DCWG) and is obtained from access logs from the temporary DNS Servers.

The DCWG website also supplies links to websites around the World where people can go to test their computers and routers in their own languages for evidence of the DNSChanger infection. They also have a page listing numerous free legitimate online security scanners and downloadable security software to identify and remove the DNSChanger malware.

The first thing anybody reading this should do is verify that their own computers and routers are not infected. You can do this by visiting this page at the DCWG. If the results are in green, your connection is not using the so-called "Rogue DNS Servers" setup by the Rove Digital crime gang in Estonia. But, if you see RED, either your computer is still infected, or if disinfected, has not had the proper DNS Server settings restored, or your router has been altered by the malware and needs to be changed to use the DNS Servers belonging to your ISP, or some other preferred DNS provider (e.g. OpenDns, which I use).

What can I do if the test at DCWG says I am infected?

If you see red at the test site, your PC may be infected with the DNSChanger malware. This suggests that you are not using an up-to-date and updated anti-virus program. Virtually every known legitimate security program company has released definitions that detect this malware, since late 2011. The program you are using has apparently let you down. You need to have your computer scanned for this and other malware using a current version of a legitimate anti-virus and anti-malware program, with current malware definitions.

Your first thought might be to just go to one of the known security websites that offer a free online scan and downloadable repair software. That would be a prudent thing to do, except for the fact that on July 9, 2012, if your PC is infected with the DNSChanger, you are going to lose the ability to browse to websites! This will happen because the malware has altered the DNS Server settings in your computer's networking adapter settings, and/or in your router, if you use one.

You have to restore normal DNS Server settings to your computers and possibly your router, in order to use the Internet after the temporary DNS Servers are disconnected on July 9, 2012.

How to reset normal DNS Server settings in a Windows computer.

These instructions either require you to operate from an Administrator level account (Windows XP), or use the Windows Vista or Windows 7 User Account Control box to elevate your privileges to perform administrative tasks.

A list of hostile IP address ranges belonging to the DNSChanger malware is shown at the end of this article. If your computer or router is set to use any IP within those ranges, it must be changed ASAP.

What to look for in Control Panel:
To restore your computer's DNS Server settings, click on the Start button or orb, then on (Settings) Control Panel. In Control Panel, locate the Networking icon, which may be labeled as "Network Connections" (in XP), or "Networking," or "Network and Internet," or "Network Sharing Center." Click (or double-click) on that link or icon to open your network connections details. Look for a link or button that contains the words "Adapter," or "(Change) Adapter settings," or shows icons for each installed networking connection (e.g. Local Area Connection, Wireless Network Connection) and proceed as follows, based on your operating system, or displayed options.

For Windows XP:
In Windows XP, for each network adapter (wired and wireless), right-click on the icon or link, move your pointer down the list of options and (left) click on Properties. This will open the networking protocols page for that adapter. Look in the list of Protocols for "Internet Protocol (TCP/IP)" and double-click to open its properties sheet. There are two sections with two radio selection options each. Unless you are part of a business network, with specific IP addresses normally required (contact your tech support or networking admin before making these changes), there should not be any numeric IPs in either section. If there are and they are within any range shown in the list below, please change the radio option in the upper section to: "Obtain an IP address automatically." In the lower section, change it to: "Obtain DNS Server address automatically." If you see a tab for "Alternate Configuration" click on it and make sure that the option for "Automatic IP Address" is selected. If it isn't, click that option to change it. Click OK twice, then move on to any other adapter properties and do the same things, making changes if necessary.

For Windows 7 (and Vista):
In Windows 7 you need to drill down through various Networking options until you find the advanced settings and TCP/IP properties for the "Network Adapter (or Adapters)" you are using to connect to a router and/or a modem, which may include both hardwired and wireless hardware. Assume that if infected, all onboard networking adapters have been altered, including any used by a dial-up modem, if you have one.

On my Windows 7 PC, the path is as follows from Control Panel:


  1. Click on the "Network and Internet" icon

  2. Click on the "Network And Sharing Center" link

  3. In the left side pane, click on the link labeled "Change adapter settings"

  4. If you only have a hard-wired adapter, "Local Area Connection" will be the only icon (as it is on my PC); double-click on it. If you also have a Wireless Connection, do the same for it afterwards.

  5. A (Local Area) connection "Status" box opens with some details and buttons.

  6. Click on the "Properties" button. A UAC box opens and asks for the administrator password. Type it in if you have an Administrator password (I hope you do!), or else leave it blank and click "Yes" to authorize this activity.

  7. The connection's properties box now opens. Find Internet Protocol Version 4 (TCP/IP) and double-click on it.

  8. Follow the same instructions as given to XP users to ensure that you obtain IP addresses automatically, unless you are part of a business network. If you are, consult the list below to see if the IP addresses in your Networking TCP/IP settings are within any of the ranges shown in the DNSChanger list. If they are, you need to change them immediately. Either set them to automatically obtain an IP, or contact your networking specialist to get the correct IPs for the business network you are part of.

  9. Click OK three times, then close the Control Panel and networking windows.

Open a Command Prompt window. To do this, go to Start > Run and type CMD into the input field, then press Enter. When the Command box opens, type these commands in sequence, pressing the ENTER key after each command, noting the results displayed on the screen:


  1. IPCONFIG /RELEASE

  2. IPCONFIG /FLUSHDNS

  3. IPCONFIG /RENEW

  4. IPCONFIG /ALL


After releasing the IP, flushing the DNS, then renewing the IP addresses, when you type IPCONFIG /ALL, you should not see the hostile IP addresses listed for the "DNS Servers," at the bottom of the readout. You should see IP addresses belonging to your ISP. Verify this by browsing to the DCWG Detection page. If it is still red, check the IPCONFIG /ALL results again to ensure that the computer is properly set. If it is, the router was probably modified by the DNSChanger malware and will need to have its DNS Server settings changed as well. You'll need to be able to log into the router's administration web interface and find the page that has input fields and options for obtaining an IP address and change them back to automatically obtain those addresses. Save the changes, then check again on the detector web page. If it now shows green, it's time to secure the router with a very secure password, disable remote administration, then thoroughly disinfect all of your computers that have acquired this or any other malware. I use Trend Micro Internet Security to keep my computers and laptops secure.

List of IP address ranges used by DNSChanger malware

If you find that your router or computers have a DNS Server setting within any of these ranges, it is pointing to the DNSChanger servers that are set to be disconnected on July 9, 2012.


  • 85.255.112.0 through 85.255.127.255

  • 67.210.0.0 through 67.210.15.255

  • 93.188.160.0 through 93.188.167.255

  • 77.67.83.0 through 77.67.83.255

  • 213.109.64.0 through 213.109.79.255

  • 64.28.176.0 through 64.28.191.255

If you read this from an infected system before the interim servers are disconnected, you should save this article to your computer, or print it out, as a reference after you lose the ability to surf the Web.
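As an added example, not part of the original article, the following Python script automates the manual check described above: it parses a saved IPCONFIG /ALL readout, pulls out every "DNS Servers" address, and flags any that fall inside the DNSChanger ranges listed here. The sample readout embedded in the script is constructed for demonstration.

```python
import ipaddress
import re
import sys

# The six DNSChanger ranges published in the article, as (first, last) pairs.
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

def is_dnschanger_ip(ip: str) -> bool:
    """True if an IPv4 address lies inside any DNSChanger range."""
    addr = ipaddress.ip_address(ip)
    if not isinstance(addr, ipaddress.IPv4Address):
        return False  # IPv6 resolvers are not in the published list
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in DNSCHANGER_RANGES)

def dns_servers_from_ipconfig(text: str) -> list:
    """Collect DNS server addresses from `ipconfig /all` output.
    The first server sits on the 'DNS Servers' line; additional servers
    follow on indented continuation lines holding only an address."""
    servers, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", lines[i])
        i += 1
        if not m:
            continue
        servers.append(m.group(1))
        while i < len(lines) and re.fullmatch(r"\s+\d{1,3}(?:\.\d{1,3}){3}\s*", lines[i]):
            servers.append(lines[i].strip())
            i += 1
    return servers

def check_ipconfig(text: str) -> list:
    """Return the DNS servers in the readout that point at DNSChanger."""
    return [s for s in dns_servers_from_ipconfig(text) if is_dnschanger_ip(s)]

# Constructed sample readout of an infected machine (trimmed to the relevant lines).
SAMPLE = """Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.47
                                       8.8.8.8
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("Hostile DNS servers:", check_ipconfig(text) or "none")
```

Pipe a real readout into it with `ipconfig /all | python check_dns.py`; an empty result means no resolver in the readout falls in the listed ranges, though the router must still be checked separately as described above.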


July 6, 2012

Microsoft XML Core Services vulnerability to be patched on July 10


On July 2, 2012, I published an article detailing a vulnerability in Microsoft's XML Core Services that is being exploited in the wild. A Fix It Tool link was given to use as a workaround until an official patch can be released. That patch is to be released through Windows Update Services on Patch Tuesday, July 10, 2012.

The exact details are yet to be announced, as to any additional files or Registry settings that will be changed when the official patch is released, compared to the Fix It Tool modifications. If you have applied the Fix It Tool, continue to use it until Tuesday afternoon at the equivalent of about 2 PM Eastern Time, July 10. If you downloaded the second, unFix It Tool, run it on the 10th to reverse the changes. If you did not download the unFix It tool, go to the Microsoft Advisory KB2719615 page and see if they left the two Fix It buttons on the page. If so, use the button on the right, under "Disable" (#50898), to download and run the Fix It Tool that reverses the changes.

Note: The Fix It Tools are .msi files which require Administrator level credentials. You will have to answer a UAC challenge (under Windows 7, Server 2008+ and Vista) to proceed and you may need to provide an Administrator password, depending on what type of user account you are logged into. XP users will need to log into an Administrator level account, because "Run As" doesn't usually appear for .msi file types (unless you have hacked your Registry).

After running the aforementioned unFix Tool, go directly to Windows Updates and download all applicable patches for your Windows computers. Doing this immediately minimizes your exposure to attacks targeting the XML Core Services. This is especially so because many people use Internet Explorer to visit the Windows Update site and Internet Explorer is the main conduit for the XML vulnerability being exploited in the BlackHole Exploit Kit.


July 2, 2012

Unpatched Microsoft XML vulnerability now in BlackHole Exploit Kit


On June 12, 2012 (Patch Tuesday), Microsoft published Security Advisory 2719615 that revealed an exploitable vulnerability in their XML Core Services, which are used by various Windows programs. Less than three weeks have passed since that Advisory and cyber-criminals have already added this vulnerability to the latest update of the BlackHole Exploit Kit.

Here is an excerpt from the Microsoft Techcenter article defining this vulnerability:

Microsoft is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

The Advisory goes on to note the following details:

  1. An attacker would have to trick users into visiting the BlackHole equipped website in order to run the exploit attack.
  2. This is usually done by social engineering tactics used to trick victims into clicking on a hostile link, in an email message, or Instant Messenger, or Facebook or Twitter message, that redirects them to the attack code website.
  3. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.
  4. The MSXML vulnerability inherits the privileges of the logged-in user. Less privileged accounts would be less likely to be infected, without further user interaction (like agreeing to a UAC challenge and allowing unknown, unexpected code to run with Administrator Privileges! DOH!)

What the Microsoft Advisory doesn't tell you is that this vulnerability also exists in some out-of-support versions of Windows and MS Office programs and other applications by Microsoft or third party software companies.

Until Microsoft releases an actual patch for the vulnerable components, they have issued a temporary workaround in the form of a Fix It page. If you go to http://support.microsoft.com/kb/2719615 you will find two clickable buttons, labeled: "Fix It." The button on your left, under the word "Enable" (#50897), applies the workaround to the Windows Registry and patches some files. The button on the right, under "Disable" (#50898), reverses the changes.

Clicking the buttons either "runs" or downloads the files, which have a .msi extension. I recommend downloading and saving the files, then running them as needed. Sometimes Microsoft removes the Fix It pages or buttons after an official patch has been released. Having the Fix It and unFix It files on your hard drive or USB stick makes them available to you whenever they are needed (e.g. after a repair reinstallation of Windows). The Fix It file type, .msi, is a Windows Installer file and requires Administrator credentials or privileges to run it.

I recommend applying the Fix It workaround until Microsoft releases an official patch. When they do, you should run the other Fix It (unFix It) to reverse the changes, before checking for Windows Updates (on Patch Tuesday, or out-of-cycle).

Why do I need to unfix a patch applied with a Fix It button?

This is not obvious, but some Microsoft official patches check if certain Registry key values and file versions exist before a patch is offered to you. If you apply a Fix It and later on check for the official patch for that vulnerability, the Windows Updater may think that the patch was already applied and skip it. This can be a critical problem if the official patch does more than the Fix It did, as is usually the case. This means that you may have locked down the primary exploit vector, but will not receive the secondary fixes that ship in the official patch.

You reverse the changes by running Fix It Tool #50898. I strongly advise you to download both files to your computers, naming the second one "UnFix It," then run them as needed, with Administrator credentials. Better yet, log off your "Standard" or "Limited" user account, then log into an Administrator account, run the Fix It or UnFix It, then reboot. This ensures that no affected programs are still open when you apply these changes and that the fixes run with full Administrator privileges, from start to finish.

Hopefully, Microsoft will release an official comprehensive fix for the XML vulnerability on this coming Patch Tuesday, which falls on July 10, 2012. Otherwise, they could release an out-of-cycle patch later in the month. If you have Windows Updates set to check and download automatically, the patch should be pushed to you when it is released. If you operate as a less privileged user, the patch will be applied the next time you turn off the computer (before it fully shuts down).

One more thought: just because the Microsoft Advisory says that this affects Internet Explorer users, don't assume that you are totally safe by using Firefox or Chrome. You could still trigger an exploit via a third party add-on or plug-in. Plus, since this affects MS Office, if you open an infected office document file, you can be exploited.

Action Recap:
Apply the XML Fix It tool, then reverse it and apply the official patch when it becomes available through Windows Update Services.

Epilogue:
The vulnerability having been added to the BlackHole Exploit Kit means that the criminals running the show can use one more method to try to infect the PCs of people drawn to their servers. You may have disabled or updated Java, Flash and Quicktime, only to be exploited via the MSXML vulnerability! If you aren't aware of what the BlackHole Exploit is or does, search my Blog for "BlackHole Exploit."


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.