August 29, 2012

New Java plug-in vulnerability being exploited. Disable Java Now!


Over the last few days I have learned about a brand new vulnerability in Oracle's Java virtual machine. This is an unpatched zero day exploit and it has just been added to the infamous BlackHole Exploit Kit. The next scheduled Java update is in mid-October! If you have Java installed, you're in danger right now.

The version of Java targeted by this new exploit is the latest: Java 7 (version 1.7, reported as 1.7.0). Interestingly, there is another current version of Java in the older 6 series, Java/JRE 6 Update 34, which is not vulnerable to this particular attack vector! So, if you check your installed programs and plug-ins and find that you have Java 6 Update 34 and no other older or newer version or series, you can probably slide by for a little while (until the next patches are released in October).

But, if you do have Java 7 (1.7 / 1.7.0), you are vulnerable and need to take some preventative action. First of all, the exploit affects all browsers and all operating systems. It doesn't matter if you browse with Google Chrome on Linux; you can be exploited if you land on an exploit kit server that targets Linux computers. Ditto for Macs. Windows users are the primary fish in the malware ocean and are always at risk.

What you can do now.

Two word answer: UNINSTALL JAVA

If you use a productivity program like Open Office, or a custom application which requires Java, but is not run inside a web browser, you can at least disable any Java "plug-ins" for all of your installed browsers. Every browser has a means of enabling, disabling, installing and uninstalling plug-ins. Search your browsers' options, or read the instructions on this page.

If you must keep Java enabled to run important programs, try to keep those computers off the Internet. If that is not possible, consider reducing their accounts to least privileged accounts (e.g. Limited User). I have published several blog articles and web pages about operating with reduced user privileges. Use my blog's search box, or see the popular posts section for this info.

It is hoped that Oracle will hurry up and release a patch before October. If and when they do, you can decide if you still want to use Java and install the newer version. I have uninstalled Java and Java plug-ins from all of my computers and have not had anything important fail to run. Each brand of browser has its own system for managing add-ons, extensions and plug-ins, like Java.

Another way you can protect your computers from Java exploit kits is by disabling "JavaScript." The NoScript plug-in for Firefox and ScriptNo for Chrome are the foremost JavaScript and Java blockers. They are available from the add-ons repository accessible from the Firefox "Tools" > "Add-Ons" page, or Google Chrome's "Settings" > "Extensions." Both block these technologies by default, unless you allow them on a per page or per website basis.

Java and JavaScript are two entirely different technologies, not to be confused. JavaScript is written in plain text commands that are interpreted by web browsers; it creates drop-down navigation menus, mouse-over effects, popup boxes and alerts, among other neat functions. Java is a compiled program, typically served as an "applet" that can run in a browser or on your computer desktop. It is a mini program.

FYI: Java exploits are usually delivered via spam email, using obfuscated links that lead to compromised websites. These websites are either hosting or redirecting victims to other remote servers that contain the exploit code, which is launched by JavaScript. If you are lured there and have JavaScript disabled (by NoScript, or restricted browser settings), nothing will happen. So, although Java and JavaScript are different, they are used together by criminals to take over computers and make them members of spam and DDoS attack botnets. Most victims also get a banking Trojan installed, to empty their bank accounts if they do online banking.

Recap:

Protect your computers from Java exploit attack kits by using the NoScript or ScriptNo add-ons, operate as a less privileged user, not an administrator, disable Java plug-ins for your browsers, or ... uninstall Java completely (all versions)!

For Windows computer users, uninstall Java via Start > (Settings) Control Panel > "Add/Remove Programs" - or - "Programs > Uninstall a program". Uninstall all versions shown in the list, then reboot.


August 22, 2012

blog comment spammers search my blog in vain for the number -1

This is a short blog post to point out a trick being used by blog spammers to test to see if their comments have been published or not. It has been appearing in my blog's activity log for at least a half year, or longer.

Most comment and trackback spam is in the form of links to fake online drugstores (selling counterfeit prescription medicine and lifestyle drugs without a prescription), or bogus weight-loss remedies, or counterfeit watches, or work at home - money mule scams. My solution to that type of junk was simple: I turned off Comments and Trackbacks on my blog!

Despite these features being turned off, online spammers routinely search my blog for the same two numbers in sequence. These numbers and characters are: 1 and -1'. The requests I see in my raw access logs are actually the following:

GET /cgi-bin/mt/mt-search.cgi?includeblogs=-1%27&search=1&
GET /cgi-bin/mt/mt-search.cgi?includeblogs=1&search=-1%27&

These two searches always appear after a GET for one of my blog article pages, or categories or dates. These searches never lead to a results page. Still, they keep searching, in vain. Blog spammers are a dumb lot of morons, usually based in Latvia, Russia, the Ukraine, or some other former Soviet Union country. English is not their main language and in fact, they may not read it at all. But, most can recognize the number 1, or -1'.
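To pick these requests out of a raw access log automatically, here is an added example of my own (not code from the blog or from Movable Type). It parses lines in the common Apache "combined" log format, percent-decodes the query string so that %27 becomes the apostrophe in -1', and counts which addresses are sending the probes. The log lines are constructed samples that mirror the two requests quoted above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not the blog's real log) in Apache combined format.
# Lines 2 and 3 mirror the two mt-search.cgi requests quoted in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2012:10:14:02 -0400] "GET /blog/2012/08/java-zero-day.html HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2012:10:14:03 -0400] "GET /cgi-bin/mt/mt-search.cgi?includeblogs=-1%27&search=1& HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2012:10:14:04 -0400] "GET /cgi-bin/mt/mt-search.cgi?includeblogs=1&search=-1%27& HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Aug/2012:11:02:11 -0400] "GET /cgi-bin/mt/mt-search.cgi?includeblogs=1&search=firewall HTTP/1.1" 200 9010 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one combined-format line into ip, timestamp, path and decoded query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes values, so %27 arrives here as a literal apostrophe
    query = parse_qs(parts.query, keep_blank_values=True)
    entry["query"] = {k: v[0] for k, v in query.items()}
    return entry

def is_probe(entry):
    """True for an mt-search.cgi request carrying the -1' marker in either parameter."""
    if entry is None or not entry["path"].endswith("/mt-search.cgi"):
        return False
    return any(entry["query"].get(k) == "-1'" for k in ("includeblogs", "search"))

def find_probes(log_text):
    """Return the matching entries and a Counter of the addresses that sent them."""
    probes = [e for e in map(parse_line, log_text.splitlines()) if is_probe(e)]
    return probes, Counter(e["ip"] for e in probes)

if __name__ == "__main__":
    hits, by_ip = find_probes(SAMPLE_LOG)
    for e in hits:
        print(e["ip"], e["ts"], e["target"])
    print(dict(by_ip))
```

Run it over a real log with `find_probes(open("access_log").read())`; the per-address counter is what you would feed a block list.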

If you run a blog and allow comments and trackbacks, moderate them before allowing them to appear. Google is cracking down hard on blogs and forums that contain lots of spam comments and trackbacks. If you have a lot on your blogs, delete them and set all future comments to be moderated. Install an anti-spam module also, to reduce your workload. Or, if like me you don't want user feedback, just disable Comments and Trackbacks!


Roundup of recently patched Internet security vulnerabilities

August 22, 2012

August has been a busy month for both cyber criminals and security patches from software vendors targeted by malware distributors. Microsoft released 9 security patches through its monthly Patch Tuesday, on August 14, 2012. The same day, Adobe released a new version of its Flash Player, to plug a vulnerability being exploited in the wild. Earlier today, Adobe released yet another version of Flash Player, fixing six more vulnerabilities.

These updates are all rated either "Critical" or "Important" by their owners. You are strongly advised to update your Windows computers, via the links on your Start Menu for Windows or Microsoft Update, plus all installed Adobe programs, but especially Flash and AIR. Today's updates bring Flash to version 11.4.402.265 for most browsers, except for Google Chrome. Its new version is bundled into a newly released version of Chrome and holds version number 11.3.31.230. This applies to Windows and Mac computers.

To find out if you are running the current version, or an outdated version of Flash, go to the Adobe "About Flash" page.

Adobe AIR has just been updated to version 3.4.0.2540. This cloud-based application is exploitable if not kept updated. Also, some applications (after being updated themselves) will fail to load if you continue using an outdated version of AIR. You can download the latest version of Adobe AIR here.

Cyber criminals deliver their exploit attacks via multiple methods. Most arrive as .DOC, .PDF, or .ZIP attachments in spam emails spoofing a legitimate company's correspondence with its users (e.g. Intuit scams, "Scan from an HP OfficeJet", UPS failed delivery scams). Others use disguised links in similar emails to send victims to poisoned websites that either host, or redirect visitors to, the BlackHole Exploit Kit.

Several months ago Microsoft fixed a vulnerability in its Remote Desktop Protocol, which allowed criminals to obtain remote control of desktop and server PCs over the Internet, by sending a specially crafted RDP request. Unpatched computers running Remote Desktop Connection would respond, do the handshake, then allow distant attackers to take remote control as though they were sitting in front of those computers or servers.

Until this very week, there was a constant flood of malware link or attachment spam emails that contained exploits targeting Java, Flash Player, AIR and Windows components. Unpatched systems are at serious risk of takeover via exploitable versions of Windows, Mac, or third party plug-ins for their browsers. Accidentally launching a malware attachment, clicking on a poisoned link, or being tricked into visiting a web page containing a hidden iframe usually results in your computer becoming a member of a spam spewing botnet, or being used to participate in denial of service attacks, or having a banking Trojan or fake security program installed.

Please keep up to date with all updates for your Mac and Windows PCs, as well as third party plug-ins, such as Java, Flash, AIR, Reader, Quicktime, RealPlayer, etc. Windows users have a couple of methods of checking for Windows Updates. These include a link on your All Programs Start Menu, a link in Internet Explorer, under Safety, a link in the Security Center in Control Panel, as well as the Control Panel applet for configuring Automatic Windows Updates.

Adobe programs also have optional automatic updaters, which you should search for and enable. Flash, Quicktime and Java all install Control Panel icons, through which automatic checking for updates on your chosen schedule should be enabled.

Operating an outdated operating system that no longer qualifies for vendor support is online suicide. That PC will be owned and used by cyber criminals for bad purposes. Ditto for running a pirated operating system: you won't be entitled to most Critical updates or any Important ones, leaving that computer exposed to hundreds of attack vectors.

If your computer is running outdated anti-virus, consider purchasing a subscription to Trend Micro Internet Security, or a lifetime license for Malwarebytes Anti-Malware, or a subscription for one of several Norton security programs. I use the first two! Plus, I use MailWasher Pro to screen all of my incoming email for spam, scams, threats, or multiple forwarded silliness.


August 9, 2012

Most spam has links to Russian fake pharmacies


I decided to compile some statistics tonight to see where most spam links are leading at this point in time. It is no surprise that of 126 spam messages deleted over the last 7 days, 89 had links to Russian domains (.RU websites). This equals 70.6% of all spam I received.

So, what is being spamvertised by those 89 spam messages? Fake pharmacies! Every single email spam message in my deleted items (MailWasher Pro Recycle Bin) that contains a link to a Russian domain is promoting counterfeit prescription drugs, sold without a prescription. Some claim to be "From" Canadian Pharmacy. Others claim to be "From" Viagra or Cialis. That's funny; I didn't know that little blue pills could use computers, type and send email messages!

In case anybody reading this isn't already clued in, these pharmacies being spammed are totally bogus. The domains (website names) are all registered in Russia, by Russian citizens, or persons living and doing business in Russia, who can show a valid Russian ID. (That is a legal requirement to obtain a .RU domain name.) Russian criminals run affiliate programs for fake pharmacies that are open to spammers from various countries.

If you receive an email that touts Viagra, Cialis, male enhancement or weight loss drugs, containing a link to a .ru domain, it is a scam. The drugs are counterfeit and made in Asia. The factories producing them are not monitored for quality control and correct dosages. These drugs can harm or kill you, or do nothing at all.

Of the remaining 37 spam emails, 18 had links leading to the BlackHole malware exploit kit. 14 were promoting work at home and money mule scams, 1 was a fake casino and 4 were for fake diplomas. The BlackHole kit exploits vulnerable, unpatched plug-ins for your browser, such as Java, Flash, Adobe Reader and some recently patched Microsoft components. The fake diplomas may not help you get hired, but will certainly get you fired, once it is discovered that you submitted a forged document.

As for the fake casino; a fool and his money soon will part!

Finally, the money mule and work at home scams are as nasty as the BlackHole, in that they steal from you. Work at home scams get you to pay up front for worthless information that brings you nothing but a charge on your credit or debit card. The money mule scams recruit hapless people into money laundering and stolen goods schemes that can land them in jail.

My statistics were obtained from MailWasher Pro, which is a spam filtering email program that sits between your email servers and your desktop email client (a fancy word for a stand-alone email program). I write custom spam filters that can be imported directly into MailWasher Pro. The combination of my filters and the ones built into the program usually auto-delete 95% of incoming spam, or more. I have to look through the program's Recycle Bin to see what has been deleted and see the links, come-ons and source codes used in the various scams employed by professional and novice spammers.

If you aren't using MailWasher Pro, or some other spam filter, just hover your pointer over links, or look at what they say, before clicking on them. If a link goes to a .RU domain and the Subject, From, or Body text promotes any kind of drugs, enhancers, or weight loss, the message is junk mail and should be deleted without further ado. If a link claims to go to an invoice or transaction report from some named company or government agency, hovering over it should reveal the actual destination in a status bar at the bottom of the browser or email client.

BlackHole exploit links always go to a domain totally unassociated with the one being spoofed in the message body. Some exploit links go to numeric domains, rather than ones having names. No matter which, don't click if the plain text domain link doesn't match the actual destination revealed when you hover! Any brand name can be spoofed by email scammers looking to deploy more spam-bots and banking Trojans.
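The three hover checks described above (a .RU link next to a drug pitch, link text that names one domain while the href goes somewhere else, and a link to a bare numeric address) can be done by a script before a human ever sees the message. This is an added example of my own, not a MailWasher Pro filter or code from the blog; it walks the anchors in an HTML message body with Python's html.parser and reports what it finds. The three messages at the bottom are constructed samples, and the "last two labels" domain comparison is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

DRUG_WORDS = ("viagra", "cialis", "pharmacy", "enhancement", "weight loss")

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(text_or_url):
    # hostname of a URL, or of link text that looks like one; '' for plain words
    s = text_or_url.strip()
    if " " in s or "." not in s:
        return ""
    return (urlsplit(s if "://" in s else "http://" + s).hostname or "").lower()

def registered_domain(host):
    # crude last-two-labels rule (secure.ups.com -> ups.com); enough for this check
    return ".".join(host.rstrip(".").split(".")[-2:])

def assess(subject, sender, body_html):
    """Return the reasons a message looks like junk; an empty list means no finding."""
    reasons, lc = [], LinkCollector()
    lc.feed(body_html)
    haystack = f"{subject} {sender} {body_html}".lower()
    for text, href in lc.links:
        dest, shown = host_of(href), host_of(text)
        if dest.endswith(".ru") and any(w in haystack for w in DRUG_WORDS):
            reasons.append(f"drug pitch linking to .ru host {dest}")
        if shown and registered_domain(shown) != registered_domain(dest):
            reasons.append(f"link text shows {shown} but it really goes to {dest}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", dest):
            reasons.append(f"link goes to a bare numeric address {dest}")
    return reasons

# Constructed sample messages (not real spam from the post's mailbox).
PHARMACY = ("Canadian Pharmacy: 80% off", "Canadian Pharmacy <promo@example.net>",
            '<p>Order today at <a href="http://pills-constructed.ru/">our store</a></p>')
UPS_LURE = ("UPS Delivery Failure", "UPS <no-reply@example.com>",
            '<a href="http://203.0.113.5/main.php">http://www.ups.com/tracking/</a>')
LEGIT = ("Your invoice", "billing@example.com", '<a href="https://www.example.com/invoice/42">View invoice</a>')
```

Calling `assess(*UPS_LURE)` returns two reasons (domain mismatch and numeric address) while `assess(*LEGIT)` returns an empty list.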


About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.