December 25, 2012

Anatomy of an email scam spoofing FedEx and Post Office

Christmas Eve, 2012

I want to alert my readers to a spam run I saw over the last couple of days and also explain what the purpose of the scam really is. This is a new variation of a long-running scam spoofing both your Post Office and a major brand courier service, leading directly to a malware attack.

This particular variant may well become the template for ongoing spam campaigns, if the success rate is high enough. Right now, 'tis the season to receive gifts and the bait in this email scam may well trap a lot of eager folks who just may be waiting for a promised delivery of a present or online purchase.

It starts with a message claiming to be from either "Worldwide Express Mail," or "Shipping Service," or "Postal Service," with an incomprehensible "tracking" or ID number as the subject. Most have this body text, or something almost the same as this:

Your parcel has arrived at the post office at December 20.Our courier
was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show
this receipt.

DOWNLOAD POSTAL RECEIPT

Best Regards, The FedEx Team.

Here is where wisdom and suspicion are your best friends. The message text contains horrible grammar, and both a reference to a "POSTAL RECEIPT" and to "FedEx." I hope that most of you are aware that FedEx is a courier service and is NOT associated with the "Postal Service," nor do they issue "Postal Receipts." Your country's official Postal Service does that. Yet, almost every email courier scam I have seen over the last year confuses at least two, if not three services: the US Postal Service (USPS), FedEx (a private company) and UPS (United Parcel Service).

If you receive one of these failed delivery scams and you see any sign of confusion about who was supposedly delivering the package, usually accompanied by bad grammar and sentence structure, delete it immediately.

So, if this is a scam, what is the payload and what is its purpose?

In some of the courier scams you are presented with an attachment (attached file). In others you are given a clickable link. Both of these methods are used to deliver malicious executables to your computer. But, in these current scams there is a link that downloads what would usually be an attached "Zipfile," which contains a concealed executable with the same name as the Zip file. In the current scam, the carrier file is named: "PostalReceipt.zip" and the unzipped executable payload is named "PostalReceipt.exe."

These files are not hosted by the Post Office, Postal Service, FedEx, or UPS, but are hosted on infected computers. Their job is to present you with a pop-up download box, offering the options to Open/Run or Save the Zip file. The payload is disguised as a printable receipt that one needs to claim their undelivered package, so it is understandable that many unwary people might choose to open or run that file.

What is inside PostalReceipt.zip and PostalReceipt.exe?

The Win32/Kuluoz.B Backdoor Downloader Trojan.

Once activated, this malware silently proceeds to download other malware, such as bank account stealing Trojans, or fake anti-virus, like the current crop of rogues called "Microsoft Antivirus 2013." This malware begins to scan your computer and displays an alarming number of fake detections of bad software, then tries to scam you into paying about a hundred bucks to remove the alleged threats. Other payloads may be a type of malware that locks your PC until you pay a (Police, FBI, etc.) ransom, which they call a "Fine."

If you read this before you encounter one of these scams, you will save yourself the trouble or expense of disinfecting your computers. If you fall for one that delivers a banking Trojan, you may not have any money left in your bank account to pay anybody to disinfect the PC!

These threats morph every few days, or on a weekly basis, as do the file names in the attachments, or at the end of poisoned links. Don't assume that your anti-virus already knows about these new files. It may or may not. It really takes about a day before all of the major anti-malware companies identify these variants and push out definitions to block them. You are the first line of defense! Stay alert now and forever! The bad guys really are out to get us. Chance favors the prepared mind.

If you did click on a poisoned link, you need to disinfect your computer. Here are some options for you to employ:

Have a safe, virus-free and very Merry Christmas!


December 13, 2012

Fix for MovableType loses ability to assign categories to entries


I first noticed the category assignment problem in November, 2012. I published an article on my MovableType blog and was annoyed when I didn't see the category I checked appear below the category box. I thought I was imagining things and saved the article. The same thing happened with several more articles. Yesterday I published another article and had the same problem of not being able to assign the entry to a category and it got my goat.

Late tonight I got really curious as to why I couldn't assign categories to my entries anymore and set out to discover whether anybody else had the same problem. At 2AM tonight, I found the cause and a solution.

I use Firefox as my default web browser and always upgrade when a new version comes down the stable release channel. Right now I am typing this in Firefox 17.0.1. The version I was using a month ago was 16.x, and I was using Firefox 15.x when I published my last article that I could assign a category to. Something has changed in Firefox, not MovableType!

After a brief Google search for "MovableType can't select categories for entries" I came across a MovableType Community forum topic about this very problem. All affected users were using Firefox 16 and newer, just like me. Fortunately for all of us, MovableType support figured out what had gone wrong in Firefox and has provided us with a patch. Actually, they provided 4 patches, for versions 4.28, 5.07, 5.14 and 5.2. People using any sub-version of MT 4.x should download the patch for MT 4.28. It is backwards compatible across most of v4.

The patch links are found on the community support page titled: Patch file for Firefox 16 users. Choose the file that most closely matches your installation of MovableType.

The patch and its contents

The patches are inside zipfiles. Most computers have the ability to decode zipfiles. Otherwise, you can download 7Zip, or Winzip to decompress the files. There are exactly two (2) files inside the zipfiles. They need to be uploaded to your server to the location where you have installed the mt-static directory. They go into two different subdirectories under mt-static, as follows.

mt_core_compact.js replaces the original file in: mt-static/js/mt_core_compact.js

List.js replaces the original file located in: mt-static/js/common/List.js

I renamed my original files as mt_core_compact-orig.js and List-orig.js, just in case something was wrong with the replacements (Which was not the case. They worked fine).

Before you can see this patch take effect, close Firefox if you were logged into your MovableType editor. Upload the files in ASCII mode to the specified mt-static directory, to the /js and js/common subdirectories, as listed above. When I opened Firefox and logged into MovableType, as I managed entries that previously refused to be assigned a category, the function now worked as expected and I was able to assign any categories I wanted them in, then save the entries. The changes took immediately, as expected.

I don't know what exact change in Firefox caused this crap and am not about to change browsers over it. I am very grateful to the author of the patch! I hope this helps other Firefox and MovableType users. If the same thing reoccurs in a future Firefox upgrade, go to the MovableType Community forum and search for a new patch in the list on the landing page.


December 12, 2012

Emails spoofing Adobe order numbers have links to Blackhole Exploit Kit


Today there is a new email scam run making the rounds, spoofing an Adobe order number and download link. The links are malicious, leading to the Blackhole Exploit Kit.

Details:

The email messages in question claim to come from [email protected]. But, so far, the sender's name is usually a capitalized first and sometimes also last name. This is not standard business practice and should be a dead giveaway that something is amiss. Nobody working at a major software company will spell their name in all caps!

The subjects thus far have been: Order N followed by 5 digits.

The message body text begins with: "Good (day|morning),You can download your Adobe CS4 License here" - with a link around the word "here." If you read email on your computer you can hover your pointer over links to display the actual destination URL in a status bar that appears on the bottom of the email client. These poisoned links end with: /redirecting.htm - which is a commonly used page name for the Blackhole Exploit Kit. The landing page has the title: "Please wait" and the H1 heading: "Please wait a moment ... You will be forwarded... "

From that point onward, your browser is attacked with obfuscated JavaScript functions, probing for an exploitable version of Oracle Java or Adobe Flash, at the very least, and sometimes other vulnerable software. If you browse with Firefox, with the NoScript Add-on installed and active, set to its default security to disallow Java and JavaScript, unless you specifically allow it, you will not be exploited automatically. But, some attack kits also contain a manual link option that appears when people arrive with JavaScript disabled. If you are offered a manual link (on the page titled "Please wait" ... you will be forwarded) to install a "missing plug-in" (usually Java or Flash), refuse and close the page, then close the browser. Then update your security program and scan for threats that might have slipped in during the attack.

Unfortunately, many mobile phone users don't usually have this hover function that would alert them to poisoned links. You would have to be using a mobile browser or email reader that contains a hover to display function, or else pray that your device is not targeted by the exploit kit at the other end of the click.
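As an added example (this checker is not code from the post), here is a Python script that tests a message for the indicators described in this post and in the FedEx/Post Office post above: an all-caps sender name, the "Order N" subject, a link whose target ends in /redirecting.htm, two courier brands named in one message, and a zip attachment holding a same-named .exe. The sample messages are constructed, with placeholder sender addresses and hosts.

```python
"""Flag the email lure indicators described in this post and in the courier-scam post."""
import io
import re
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# The courier lures mix up these brands; two or more named in one message is the tell.
COURIER_BRANDS = {
    "postal": re.compile(r"\b(post office|postal service|usps)\b", re.I),
    "fedex": re.compile(r"\bfedex\b", re.I),
    "ups": re.compile(r"\bUPS\b|United Parcel"),
}


class LinkParser(HTMLParser):
    """Collect (anchor text, href) pairs so the visible text can be compared with the target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def indicators(raw: str) -> list:
    """Return the lure indicators present in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    name, _ = parseaddr(msg.get("From", ""))
    if name and name.isupper():                      # e.g. "JOHN SMITH <...>"
        found.append("all-caps sender display name")
    if re.fullmatch(r"Order N\d{5}", msg.get("Subject", "").strip()):
        found.append("subject is 'Order N' plus five digits")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    parser = LinkParser()
    parser.feed(body)                                # a plain-text body simply yields no links
    for text, href in parser.links:
        if href.lower().endswith("/redirecting.htm"):
            found.append("link target ends in /redirecting.htm (exploit-kit landing page)")
        if href.lower().endswith(".zip") or "receipt" in text.lower():
            found.append(f"link offers a downloadable receipt: {text!r}")
    brands = [b for b, rx in COURIER_BRANDS.items() if rx.search(body)]
    if len(brands) >= 2:
        found.append("mixes courier brands: " + ", ".join(brands))
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for entry in zf.namelist():
                    if entry.lower().endswith(".exe"):
                        found.append(f"zip attachment {fname} hides executable {entry}")
    return found


# Constructed sample modelled on the Adobe lure (placeholder addresses and host).
ADOBE_SAMPLE = """\
From: JOHN SMITH <noreply@example.invalid>
Subject: Order N48213
Content-Type: text/html; charset="utf-8"

<html><body>Good morning,You can download your Adobe CS4 License
<a href="http://compromised.example.invalid/redirecting.htm">here</a></body></html>
"""


def postal_sample() -> str:
    """Constructed courier lure: a zip attachment holding a dummy PostalReceipt.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PostalReceipt.exe", b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "Postal Service <courier@example.invalid>"
    msg["Subject"] = "ID 7Q4-9921-AX"
    msg.set_content("Your parcel has arrived at the post office at December 20. Our courier "
                    "was unable to deliver the parcel to you.\nBest Regards, The FedEx Team.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="PostalReceipt.zip")
    return msg.as_string()
```

Feed it a saved .eml and an empty list means none of these particular tells were found, not that the message is safe.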

Attack Vectors

The primary attack vector is to probe for a vulnerable version of Oracle's Java virtual machine, which according to Oracle is installed World-wide on over 3 billion devices. That means that there's a good chance it is also installed on the device you are using to send and receive your email and browse the Interwebs. I strongly advise you to check your installed software, or apps, to see if you do have Java installed. If so, it may not be the most current version, meaning it IS targeted by the Blackhole exploit kit.

Note, that sometimes a brand new vulnerability is discovered and published by black or gray hat security researchers and is quickly absorbed by cybercriminals who publish attack kits. When this happens, Oracle and other software companies targeted by exploit kits have very little time to analyze the vulnerabilities and create a patched version of the software, then release it via their update channels. Oracle in particular has been very slow to respond to "zero day exploits" targeting Java, leaving millions, or billions of devices at risk for weeks or even months at a time.

If you find that you do have Java installed, use its built in update checker to see if a newer version is available, then upgrade immediately. Otherwise, go to www.java.com and use the link labeled "Do I have Java?" to see if it is installed and if so, what version it is. If not the current version, upgrade via the link to download Java for your various affected devices. Better still, if you don't absolutely know that you need Java (most do not), uninstall it (all versions present) from your computers and smart devices.


December 11, 2012

It's time to update Adobe Flash and Microsoft Windows!


On Patch Tuesday, December 11, 2012, Adobe and Microsoft released critical updates to some of their software. Adobe Flash has been updated to version 11.5.502.135, fixing a critical vulnerability and Microsoft released 8 critical or important updates. You are strongly advised to update your Windows computers now to protect against exploit kits targeting the patched vulnerabilities.

Windows Updates almost always require a reboot to complete the installing of new system files. This is because such files are in use when the operating system is running and can only be replaced when it is shut down temporarily.

I found out that sometimes Adobe Flash acts the same way as Windows Updates, in not letting go while Windows is running. On my Windows 7 computer, I found it necessary to reboot after upgrading Flash today. This was after I logged into my Administrator level account to run these updates. After the Windows Updates completed and I had rebooted, I upgraded to the new version of Adobe Flash. The "About Flash" results page showed the new version was installed. So, I logged out of the Admin account and into my Standard User account.

But, when I opened Firefox, something caused it to hang repeatedly, making the browser unusable. I Grokked that since the browser was fine when I went to fetch the new version of Flash, but was unstable after upgrading it, the old version must still be lingering, either in the Registry, or as an active file in use. So, I force-closed the browser and rebooted. After logging in again, the problem was fixed. Files in use people...

There is another way to update Flash without rebooting, which I applied to my XP computer, on a hunch. I simply uninstalled Adobe Flash with my browsers closed. This is done via Control Panel, Add/Remove Programs. Once Flash was uninstalled, I opened Firefox, went to Adobe.com and downloaded a new copy of Flash Player. When the download completed, I opened the download location, closed the browser, then ran the Flash installer. After the installation completed I opened my browser and everything worked normally. So, you can use this method to flush out an old version of a browser plug-in, rather than rebooting.

By the way, Adobe provides a Flash uninstaller, as a stand alone Windows executable that you can run from your downloads folder. It gets rid of both the Firefox and Internet Exploder versions of Flash at the same time.

UPDATE:
December 13, 2012

I neglected to mention in my original article that Adobe also publishes an updated version of Adobe AIR when Flash is updated. AIR is an online collaboration interface where documents, like .pdfs can be composed, edited and shared. You should check your list of installed software to see if you already have Adobe AIR and if so, go to the Adobe AIR download page and get the latest version, which patches any vulnerabilities found in that software.

Furthermore, Google Chrome was updated to include its own custom version of Flash. If you use the Chrome browser, open it while you're online and go to the settings icon on the upper right corner, then select About Google Chrome from the options list. If the browser hasn't already been updated automatically, it will begin downloading the new version in the About Chrome info box. When the new version is downloaded it will install over the previous version and ask you to close the browser. This completes the upgrade. Chrome will reopen in a minute or so, as the new, patched version. Other vulnerabilities may have been patched as well during the Flash update process.


December 6, 2012

How to disable the new tab move centering animation in Firefox 17+


This article is for Firefox version 17+ users who open many tabs at a time in one browser window. If you regularly reposition some tabs and are aggravated with the changes to the way tabs now move to the center of the tab bar when you drag them, I found a solution to revert to the old behavior.

Firefox web browsers are known as tabbed browsers because they allow you to open multiple web pages inside one browser window, each in its own separate clickable tab. Clicking on a tab brings that web page into view, hiding all others behind their clickable tabs. These tabs contain the title of the document, as is displayed in the "Title Bar" that one normally sees on top of a browser window.

When one opens multiple websites, or HTML pages in separate tabs, inside one browser, the tabs line up next to each other, to the right of the previous tab, in the order in which they are launched. Normally, they are launched by the same code that used to cause a new browser window to appear. That HTML code is: target="_blank". If one clicks a hyperlink in an email message from their desktop email client, the web link will open in a new tab all the way to the right side of all previously opened tabs.

The location of the open tabs in the Firefox browser is called the "Tab Bar." By design, users have always been able to drag any tab to a different position in the tab bar. This allows one to position the most important tabs to one side or the other. I usually group my always opened tabs towards the left side of the tab bar, then open or move new tabs to the right of my primary tabs.

Let me describe what I am referring to. In previous versions of Firefox, when one had a lot of tabs open in the tab bar and wanted to relocate one or more tabs, you dragged one tab to the new position and dropped it there. Sometimes, when more than 10 or 12 tabs are open, this required us to move that tab beyond the entire visible row of open tabs. One could see the other tabs move to the right or left at whatever speed you moved the dragged tab at. When you found the desired new location, you let go and there it stayed. If you needed to move a group of related tabs to a new location, you dragged one all the way to the right or left edge and dropped it off. Then, you began dragging the rest next to it and each other, forming a little freight train of tabs. One could do this until the entire group was fully relocated in the tab bar.

The new behavior has made moving one's tabs into a game of chance. The wise guys at Mozilla have animated the tabs that are being dragged so that they remain basically centered in the tab bar, as you drag them around! Move it three browser widths and it is still apparently in the middle of the tab bar. Want to gather other related tabs to the same location? Good luck! Go find them using the right/left arrows, or the master tab finder button at the right edge of the tab bar. Then, you have to drag each one, one at a time, to the new location, next to the first one you moved. Each time you drag a tab, it appears stationary and centered, even though it is flying past other tabs. This is most frustrating!

I found a fix that can be added to the browser's configuration page. It is one line of code, with one switch.

The code that disables the new animation of moving tabs is as follows:

extensions.tabutils.disableTabMoveAnimation

That line does not exist in Firefox by default. It needs to be added, then you must set it to "true." Here's how.


  1. Click on the browser's title bar and press the Ctrl and T keys together.

  2. A new tab opens on the right.

  3. Click in the Location Bar and type this address: about:config then press the "Enter" key

  4. Right click inside the lower section of the configuration page, amid all of the listed settings.

  5. From the flyout options, select New > String (click on String)

  6. Type in, or copy and paste this string into the input box labeled "Enter the preference name": extensions.tabutils.disableTabMoveAnimation

  7. Click the Okay button to save the name and close the first box.

  8. A second box will now open asking for a value. Type in the word "true" and press Enter or the Okay button.

  9. Restart (close, then open) the browser for the change to take effect. Check your File menu list to see if Restart is one of the options. Mine has it, but I may have added it as an Add-on.


After adding this change I see that as I move a tab around, the ones next to it move out of the way in an animated motion, but the dragged tab moves laterally past the other tabs in the direction I am dragging it. If I drag it past the end of a window full of tabs, the new one still moves whichever way I am dragging it, past a new window full of tabs, until I find its new home. I can then go back and gather related tabs and easily drag them into a group in the new location, just like I could in previous versions of Firefox. Problem solved!

I don't know if Mozilla has any plans to reverse the action of dragged tabs, or leave this new system in place. Some may think it is a cool Web 3.0 feature, but I disagree as do many others. I like the way tabs were moved in previous versions and have had to take matters into my own hands to get that action back.

Update, 12/6/2012:

My profound thanks to the author of the Tab Utilities extension for Firefox for contacting me about the solution. You can install the TabUtilities Add-on and it will allow you to revert your tabs to the previous versions' behavior, without manually editing about:config.


December 5, 2012

How to block Russian spammers from your Apache hosted website


I am posting this article for other Webmasters who are having problems with Russian based access log, blog, forum, contact form, or guestbook spammers. Any website that allows the public to post anything to its pages, or to contact the owner or Webmaster, is eventually going to attract the attention of Russian speaking spammers.

I know this from my own experiences running several domains as both the owner and as a Webmaster for other people. If you have any forms that allow others to post to them, the spammers will come. They sometimes just spam the "Referer" field in our website access logs, by posting links to shady websites promoting illicit drugs, counterfeit goods, phony product reviews, etc. They do this just in case your server is configured to publish your raw access logs to the public (a really bad idea!). This is known as "Referer Spam" and it is meant to post links to these often bad websites inside access logs that anybody might be reviewing.

Referrer spam has little chance of success, so website spammers prefer to post spam links and comments on blogs, forums, guestbooks and feedback forms. Since many websites provide some or all of these contact options, it's no surprise that they are often overrun by comment spammers. My access logs reveal that most of the comment spam sources are Russian speaking persons or bots, often emanating from IP addresses in the former Soviet Union.

I have nothing to sell to anybody in the former Soviet Union and have no use for Russian spammers, so I block access to traffic coming from there. Here are some of the ways I do this.

Blocking Russian Spammers from Apache hosted Websites

Note: Before applying the following tactics, please check with your web host's support, or administrator, or your Webmaster, to ensure that you are allowed to use Mod_AuthZ_Host and Mod_Rewrite directives in a custom .htaccess file.

My first line of defense against Russian based spammers and hackers is my Russian Blocklist. This is an IP address based access restriction compilation of CIDRs that are added to the .htaccess file in the public web root of a website that is hosted on an Apache web server. Instructions for adding my blocklist or other blocklists I publish are found on the blocklist page. You'll have to copy and paste the portions starting with "<Files *>" and ending at "# End of file" into your .htaccess file, preferably near the top, before any more server intensive Mod-Rewrite rules.

Note to server administrators. If you have root access to your server and its operating system, you can deny access to Russian traffic to the entire server and all running services, not just the http portion, by employing my Russian iptables blocklist to your server's Linux firewall.

When placed in the web root .htaccess file, the Russian Blocklist denies access to IP addresses covered by the CIDRs in that blocklist, to all publicly viewable pages in your Apache hosted websites. This includes subdomains, forums, folders and forms. I add new CIDRs to the blocklist as I discover them.

My next line of defense against Russian website spammers is by the use of special Mod_Rewrite rules in my .htaccess file that deny access to particular user agent strings used by default by these folks. The following are three of the most effective Russian user agent blocking rules I currently use:

RewriteEngine On
RewriteOptions inherit
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} \ \[?(pl|ru)\]?\ |\ (pl|ru);\ |.+\.ru\)|\ ru\)|Ukraine\ Local; [NC,OR]
RewriteCond %{HTTP_USER_AGENT} MRA|MRSPUTNIK [OR]
RewriteCond %{HTTP_USER_AGENT} \ Y[EI]$

RewriteRule .* - [F]

If you want to use these directives, be my guest. If you have a custom 403 page in use, you will need to modify the RewriteRule to allow that file to be served, as in this example:

RewriteRule !^403\.shtml$ - [F]

The example uses a file in the web root, named 403.shtml to issue a Server 403 Forbidden response. If you have a differently named file or path, substitute it for the one in my example. Contact your Webmaster or hosting support desk if in doubt!

Always back up your previous .htaccess before uploading any alterations. Sometimes a misplaced, incorrect, or missing character can cause a Server 500 Error, which locks everybody out of http access to the website! Test after each change and revert to the last known good copy until you debug what caused a 500 error. The Apache Web Server section of Webmaster World is a good place to learn about these things.

These solutions are not the only ones I employ, but they are the best ones I have for the general public. Adding my Russian Blocklist and the three listed Mod_Rewrite directives can block access to the majority of typical Russian based spam attempts on your website blog, forum, guestbook or contact form. By reviewing your raw access logs, or blog activity reports for apparent spam attempts, you can create your own personal set of rules that will block them from posting anything to your website.
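As an added example, not from the post or its author, here is a Python dry run of the rules above: the three RewriteCond patterns are translated to Python regexes and tried against constructed user agent strings, and a stand-in CIDR list (RFC 5737 documentation ranges, not the real Russian Blocklist) plays the part of the Deny lines, so you can see what each request would get before touching a live .htaccess.

```python
"""Dry-run the post's Apache blocking rules against sample requests before deploying them."""
import ipaddress
import re

# Stand-in deny list for the post's Russian Blocklist (the real CIDRs live on the
# blocklist page); these are RFC 5737 documentation ranges, chosen here for the demo.
DENIED_CIDRS = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# The three RewriteCond patterns from the post, translated from Apache syntax:
# Apache's "\ " (escaped space) becomes a plain space and [NC] becomes re.I.
# RewriteCond patterns are unanchored, so re.search mirrors Apache's matching.
UA_RULES = [
    (re.compile(r" \[?(pl|ru)\]? | (pl|ru); |.+\.ru\)| ru\)|Ukraine Local;", re.I),
     "locale tag or .ru URL in user agent"),
    (re.compile(r"MRA|MRSPUTNIK"), "Mail.ru Agent / Sputnik toolbar"),
    (re.compile(r" Y[EI]$"), "user agent ending in ' YE' or ' YI'"),
]

# RewriteRule !^403\.shtml$ - [F]: the custom error page must stay reachable, or Apache
# cannot serve it after forbidding the original request.
ERROR_PAGE = "403.shtml"


def ip_denied(client_ip: str) -> bool:
    """Equivalent of the blocklist's Deny-from lines: is the client in any denied CIDR?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in DENIED_CIDRS)


def ua_rule_hit(user_agent: str):
    """Return the description of the first RewriteCond that matches, or None."""
    for pattern, why in UA_RULES:
        if pattern.search(user_agent):
            return why
    return None


def decide(client_ip: str, user_agent: str, path: str):
    """Return (status, reason). Both checks yield 403, so the order here is only
    for a readable reason; Apache's own phase ordering does not change the outcome."""
    if ip_denied(client_ip):
        return 403, "IP in blocklist"
    if path.lstrip("/") == ERROR_PAGE:
        return 200, "custom 403 page exempt from the rewrite rule"
    why = ua_rule_hit(user_agent)
    if why:
        return 403, why
    return 200, "allowed"


# Constructed sample requests (not real log entries). Note that the first rule also
# denies any legitimate crawler whose user agent carries a ".ru)" contact URL.
SAMPLES = [
    ("203.0.113.7", "Mozilla/5.0 (Windows NT 6.1; ru) Gecko/20100101 Firefox/17.0", "/guestbook.php"),
    ("203.0.113.8", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 5.8 (build 4157))", "/blog/"),
    ("203.0.113.9", "Opera/9.80 (Windows NT 5.1) Presto/2.2.15 Version/10.00 YE", "/contact.php"),
    ("192.0.2.44", "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0", "/"),
    ("203.0.113.10", "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0", "/"),
    ("203.0.113.11", "Mozilla/5.0 (Windows NT 6.1; ru) Gecko/20100101 Firefox/17.0", "/403.shtml"),
]

if __name__ == "__main__":
    for ip, ua, path in SAMPLES:
        status, reason = decide(ip, ua, path)
        print(f"{status} {ip:<13} {path:<15} {reason}")
```

A rule that fires on a user agent you want to keep is cheaper to find here than in a production 403 log.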

I am available to personally assist you with applying my .htaccess blocklists to your .htaccess file, and/or to create additional custom rules based upon what software you have running on your website. I have reasonable hourly rates for my services. Contact me via my Webmaster contact form.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.
This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.