
August 31, 2010

Fake FedEx email with message in image and malware attachments

For a couple of days I have been seeing a new round of nasty Trojan attachments in emails posing as FedEx invoices. This scam is not new; it has been ongoing for months now. The payload, in an attached zip file, has been either the Bredolab or the Zeus Trojan in the recent past. Bredolab makes a PC a member of a spam and DDoS botnet. Zeus (Zbot) plants an info-stealing keylogger on your system, then protects it with a rootkit. Zeus monitors logins to a long list of popular banks, payment processors and online game sites, captures the keystrokes as you log in, and soon most of your money is gone to Russia.

Although the scam is not new, the method of delivering the convincing con has changed. This week has seen the arrival of the con being embedded in an inline image, in the .jpg format. The message I am looking at right now has the following text embedded as its content:

"Dear,
Unfortunately we failed to deliver the postal package you sent on the 27th of July in time because the recipient's address is erroneous. Please print out the invoice copy attached and collect the package at our office."

The message then screws its own pooch by displaying this odd text: "'Spiderman' climbs again in Sydney." However, I'm sure that will disappear, as spam filters around the world tune in to that phrase.

The attachment, which claims to be a FedEx document (invoice), is inside a .zip file and is in fact a very dangerous Trojan. If you open the zip file and launch the embedded executable, your PC will become a zombie member of a spam and attack botnet, and/or will have the Zeus Trojan installed to steal your logins and money.

If you think you may have already fallen for this scam, please scan your computer with the Trend Micro online Housecall malware scanner. Then, if at all possible, update your existing anti-virus program and scan with it. If your anti-virus is old and the subscription is expired, download a free, fully functional trial of Trend Micro Internet Security. Install it, update it, then scan the entire computer.

Further, I recommend downloading and installing/scanning with Malwarebytes Anti-malware (MBAM). Both of these security applications will detect the threats contained in the fake FedEx scams attachments and will halt their hidden processes and delete their files. You will have to restart the PC and scan again and may have to disable System Restore. Many types of malware hide as backups in the hidden system restore folder and are restored after you clean the machine, then reboot. Turning off System Restore kills the malware backups. Don't forget to turn it back on after cleaning has completed!

If the malware prevents you from updating, installing, or running a real security program, go to the Bleeping Computer malware removal forum, sign up for an account, read the instructions, then open a new topic requesting personal help. A trained, volunteer malware removal expert will assist you as soon as he or she is able to. They will recommend free tools you can use to restore your PC to normal working condition. Read every word carefully and only do what you are asked to do.

Malwarebytes also has an expert malware removal assistance forum. Their forums are meant for people attempting to use MBAM to remove malware.

Both of the aforementioned programs will protect you from getting infected in the first place! Trend Micro Internet Security not only has regularly updated onboard malware definitions and behavioral analysis engines, but also consults a definitions server referred to as a "Cloud Server." As new releases of malware are captured (by security company honeypots), they are rapidly examined and new definitions are published to the Cloud servers, before they are pushed to client computers. Further, the destination websites are instantly blocked by the "Trend Micro Smart Protection Network." All subscribers to Trend Micro security programs are instantly protected from visiting those hostile websites and servers. You can learn more, download and purchase a subscription here.

Malwarebytes Anti-Malware is free to use in purely manual mode, but this won't protect you against reinfection. You can get realtime protection and automatic updating and scanning by paying $24.95 US dollars or equivalent in your currency, for a lifetime license. Read the details and download or purchase a license for MBAM here.

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

March 19, 2010

Spybot Search & Destroy updates for March 17, 2010

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. 11 new or modified fake security programs (fraudulent anti-virus/spyware) were added to the "Malware" detections, plus 29 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. These include 2 variants of the infamous Zbot, a.k.a. Zeus, banking Trojan.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 03/17/2010

Adware
++ Ulineguide

Malware
++ Fraud.Antivirus7
++ Fraud.CleanUpAntivirus
++ Fraud.ContentCleaner
++ Fraud.ErrorWiz
++ Fraud.MyComGuard
+ Fraud.MySecurityWall
+ Fraud.PCSecurity2009
++ Fraud.PrivacyOn
++ Fraud.SmartSecurity
+ Fraud.Sysguard
++ Fraud.XPInternetSecurity2010
+ Lop
++ Win32.Downloader.aafm
+ Win32.FraudLoad.edt

Spyware
+ AdRotator
+ Win32.Spynet.a

Trojans
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.ddod
++ Win32.Agent.fla
++ Win32.Agent.shi
+ Win32.Allaple.ab
+ Win32.Ambler
++ Win32.AutoRun.fw
++ Win32.Banker.ju
+ Win32.Banload.up
++ Win32.Clicker.ad
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
++ Win32.IRCBot.sys
+ Win32.Koobface
+ Win32.OnLineGames.down
++ Win32.OnLineGames.mfbh
++ Win32.OnLineGames.mfeg
++ Win32.OnLineGames.mffa
++ Win32.OnLineGames.mffh
++ Win32.OnLineGames.mfgr
++ Win32.Rbot.mum
++ Win32.SdBot.wch
+ Win32.Swisyn
+ Win32.TDSS.rtk (rootkit)
+ Win32.ZBot (a.k.a.: Zeus)
+ Win32.ZBot.rtk (Zeus rootkit)
++ XPInternetSecurity2010.FakeAlert
+ Zlob.PornPassManager

Worm
+ Win32.Amburadul

Total: 2161084 checksums in 812212 rules for 5267 products.



June 26, 2009

Weekly roundup of vulnerabilities and exploits in the wild

Here is a summary of this week's vulnerabilities and exploits in the wild, as reported by Secunia, Websense and other security firms. Actually, this has been a quieter week than most.

Websense has been following a website code injection event they named the "Nine Ball Mass Injection," which is a follow-up to the "Beladen" and "Gumblar" mass injection attacks last month. This is a situation where cyber criminals exploit vulnerable web application scripts that have not been secured by the webmasters who operate those websites. Too many webmasters use free scripts that are rarely, if ever, updated to patch announced vulnerabilities. Hackers send out automatic scripts (a.k.a. robots, spiders) that try to upload hostile files to any website they come across. Once they find an unpatched point of entry they are able to alter the code on any web pages (usually the home page) they want. In the past, hackers would deface home pages with gibberish or slogans for their causes. Now, it is criminals who sneak in dangerous hidden code that redirects innocent visitors to hostile websites, which attempt to download malware to the victims' computers. Most are successful, because most people do not, or cannot, keep up with patches released by every vendor of the add-ons and plug-ins used by their browsers.

Most of the malware being downloaded by the Nine Ball and similar exploits is fake security applications that pretend to scan your computer, announce that many threats were found, then demand payment to remove those threats. These are tandem malware programs, with part one being the fake alerts and part two being the fake remover. After you pay to unlock the remover, it only removes the alerts its sister placed there in the first place. You will have submitted your credit or debit card information to cyber criminals in the Former Soviet Union and can expect to have your accounts drained shortly.

The rest of this week's vulnerabilities and exploits are in my extended comments.



May 1, 2009

Block Ukrainian Malware Server on Eurohost

Yesterday, April 30, 2009, when investigating a problem with an associate's websites, I traced a cross site scripting iframe exploit, pointing to a malware middleman website at tojandglow.com, which redirects victims to a hostile server hosted in the Ukraine by Eurohost LLC. This Ukrainian server is currently dispensing malicious software that includes 9 Trojans, 7 scripting exploits and 1 virus.

The hostile iframe code was injected into the home pages of two related websites by exploiting vulnerabilities in a PHP script used by the webmaster of those websites. The server dispensing the exploits is located at 91.212.65.138, which coincides with the Eurohost home page. The CIDR assigned to Eurohost is 91.212.65.0/24 and you should block access to it in your firewall IP blocking rules, or in your Windows HOSTS file. Examples of how to do both are found below.

Any website that is running PHP or CGI scripts is in danger of becoming an inadvertent carrier of the redirection iframe that leads your innocent visitors to servers rigged to exploit a variety of vulnerabilities in their browsers, browser add-ons, plug-ins, or helper objects. Some of the most frequently exploited applications are Internet Explorer (any version prior to 8.0), Adobe Flash, Adobe Reader and Apple QuickTime. Other exploited programs include Apple Safari, Google Chrome and occasionally, Mozilla Firefox. On rare occasions the Opera browser and the Java plug-in are vulnerable to targeted attacks. The Firefox and Opera browsers are usually updated very quickly after a vulnerability is reported to their maintainers. Plug-ins usually take longer to update because they have to interact with so many other items and applications.

Webmasters and server administrators, you are responsible for keeping up to date with patches released by software authors, for any applications or scripts that you choose to run on your websites. Information to help you protect your websites and servers from getting exploited by hostile injection probes is in my extended comments.

Individuals browsing the Internet are the real targets of all of these injection attacks. This includes everybody reading this article. You and I have to constantly remain vigilant about threats to our computers' security. New exploits are found every month and are often released in the wild before software authors can respond with patched versions. Those are called zero day exploits. There are several ways to protect your computers from these exploits, including, but not limited to keeping up to date with all Windows, Mac or Linux updates and patches, and patches for commonly exploited third party browser add-ons, like Flash players, PDF Readers, Quicktime and Java plug-ins. Your next line of defense is a combination of security programs encompassing a 2-way firewall, anti-virus and anti-spyware and web threat protection that blocks hostile web pages. Or, you can install one top-notch security suite, like Trend Micro Internet Security and have all these protections and more in just one regularly updated package. There are links to reputable security products in the right sidebar on all of my blog pages.

Windows users have an additional means of protecting their PCs from visiting hostile websites. There is a special file, normally found in C:\Windows\System32\Etc\, with the unusual file name HOSTS. Although it has no file extension it can be opened and edited using the built-in Windows Notepad. The HOSTS file takes input in the form of IP addresses and website host names, separated by a tab or multiple spaces. To protect your computer from being redirected to the hostile tojandglow website, or the Ukrainian server it tries to redirect you to, open your HOSTS file and edit it using these steps.


  1. Using Start > (My) Computer, double-click on the C drive icon, then navigate to your Windows\System32\etc\ folder.

  2. Inside the "etc" folder you should see a file named "Hosts". You may have to unhide system files before this file can be seen. See my extended comments for details on how to do this.

  3. Right-click on the file named HOSTS and choose (left-click) Properties.

  4. Find the attributes section starting with "READ-ONLY" and uncheck it if it was checked.

  5. Click Apply and OK to close the Properties window.

  6. Right-click on HOSTS while holding down the Shift key and select "Open With".

  7. Scroll through the programs list until you find "Notepad" and double-click on it.

  8. If Notepad isn't listed you will have to use the Browse button to navigate to the Windows folder, where Notepad.exe is located.

  9. With HOSTS open for editing, go to the last line in the file and hit ENTER.

  10. Add these lines, with a tab after each 127.0.0.1:

    • 127.0.0.1       tojandglow.com

    • 127.0.0.1       91.212.65.138

    • 127.0.0.1       91.212.65.0/24


  11. Click File > Save and in the File Type selection, choose All Files and save it as HOSTS, without an extension.

  12. Windows may decide to add a .txt extension anyway. If it does, allow it, then right-click on the saved file and delete the .txt extension. Answer the challenge about changing file extensions.


Reboot your computer to make this protection take effect. From that point on any script that tries to redirect you to any of the web addresses listed in the HOSTS file will instead be looped right back to your own computer, commonly referred to as 127.0.0.1, or Local Machine. The injected iframe would display a "page cannot be found" error if it was visible (it isn't; it's only 1x1 pixel!). Do the same anytime a new hostile website or IP address is published.

BTW: If you see any 127.0.0.1 entries referring to microsoft.com in your HOSTS file, remove them! Malware put them there to prevent you from getting Windows Updates or Microsoft security downloads. Ditto for any recognizable security vendors' websites.
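As an added example (not part of the original post), this Python script audits a HOSTS file for the two things just discussed: whether each blocking line is one the resolver will actually act on, and whether an update or security vendor's name has been sinkholed by malware. One caveat it makes visible: HOSTS is consulted only when a host name is looked up, so a line whose "name" is an IP address or a CIDR block (like the last two entries in step 10) never fires; ranges like 91.212.65.0/24 belong in the firewall rules the post also recommends. The vendor list and the sample file are constructed.

```python
"""Audit a Windows HOSTS file for the situations described in the post.

Added example, not part of the original post. It reports which loopback
entries actually block a name, which ones can never take effect because
the 'name' is an IP address or CIDR block (the resolver only consults
HOSTS for names), and which ones sinkhole an update or security-vendor
domain, the tampering the post warns about.
"""
import ipaddress
import re

# Destinations that make a name unreachable when it is mapped to them.
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately point at loopback and must not be reported.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Vendors named on this page. Constructed list; extend it with whatever
# update and security domains your machines rely on.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "trendmicro.com",
    "malwarebytes.org", "symantec.com", "safer-networking.org",
)

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$",
    re.IGNORECASE,
)


def is_ip_or_cidr(token: str) -> bool:
    """True if token is an IP literal or a CIDR block rather than a host name."""
    try:
        if "/" in token:
            ipaddress.ip_network(token, strict=False)
        else:
            ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def is_protected(name: str) -> bool:
    """True if name is, or is a subdomain of, a protected vendor domain."""
    host = name.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> dict:
    """Classify every mapping in HOSTS file text.

    Returns lists of (line_no, target, name) under four keys:
      blocked   - a real name sinkholed to loopback (the intended protection)
      useless   - loopback entry whose 'name' is an IP or CIDR; blocks nothing
      hijacked  - protected vendor name sinkholed (typical malware tampering)
      malformed - lines the resolver would reject or ignore
    Ordinary name-to-address mappings are not reported.
    """
    report = {"blocked": [], "useless": [], "hijacked": [], "malformed": []}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        target, *names = line.split()
        if not names or "/" in target or not is_ip_or_cidr(target):
            report["malformed"].append((line_no, target, " ".join(names)))
            continue
        for name in names:
            entry = (line_no, target, name)
            if name.lower() in LOOPBACK_NAMES:
                continue
            if is_ip_or_cidr(name):
                report["useless"].append(entry)
            elif not HOSTNAME_RE.match(name):
                report["malformed"].append(entry)
            elif target in SINKHOLE_TARGETS and is_protected(name):
                report["hijacked"].append(entry)
            elif target in SINKHOLE_TARGETS:
                report["blocked"].append(entry)
    return report


# Constructed sample: the post's three entries plus one tampered line.
SAMPLE_HOSTS = """\
# Constructed HOSTS file for this example
127.0.0.1       localhost
127.0.0.1       tojandglow.com
127.0.0.1       91.212.65.138
127.0.0.1       91.212.65.0/24
127.0.0.1       www.microsoft.com update.microsoft.com
"""

if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for line_no, target, name in entries:
            print(f"line {line_no}: {kind:9} {target} -> {name}")
```

Point it at your real file with `audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())`; anything under "hijacked" is the tampering described above and should be deleted.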



March 31, 2009

Conficker/Downadup Worm set to update on April 1, 2009

The newest version of the Conficker Worm, a.k.a. Downadup, said to have already infected over 10 million PCs, is programmed to begin contacting a huge list of new domain names, beginning on April 1, 2009. Each PC that is currently infected with the most recent variant of this Worm will begin generating a list of 50,000 domain names, many of which might be registered by the criminals behind this Worm. It will then pick names it generates on each infected computer and try to contact that domain, for further instructions, or program updates. If those domains are in fact active and under the control of the Botmasters running the Conficker Worm, updates will be sent to all of the PCs making contact on, or after April 1. Those updates are probably going to make it more difficult to disinfect these PCs, or to contact any security websites for malware removal tools.

If you are not already infected it is because you took the proper preventative measures last October 23, 2008. That was the date that Microsoft released a sudden, out-of-cycle critical update, in security bulletin MS08-067 and Windows Update patch KB958644, which plugged a vulnerability in the Windows Server Service. That vulnerability is what was exploited by the first two releases of the Conficker Worm (Conficker.A and .B). Since most Windows users who run legitimate copies of Windows have set their computers to receive and apply Automatic Windows Updates, they were protected when the Worm was first released in the wild, in November 2008.

However, people who turned off Automatic Updates because they don't trust Microsoft updates, or because they are using pirated copies of Windows and don't want to get nagged about it, probably got hit by this Worm, soon after its release. The highest percentages of Conficker infections occurred in countries with the highest numbers of pirated Windows operating systems. These nations include China, Russia, Argentina, and Brazil.

I would like to point out that there is another group of vulnerable people, who may not realize that they are critically exposed to the Conficker Worm (and the likes). These are legitimately licensed users of Windows XP, or newer, who had to reinstall their operating systems to fix other problems or malware infections, any time after the MS08-067 patch was released. If you let any significant time elapse between reinstalling Windows and then obtaining all available patches, especially MS08-067, you could have been exposed to a Conficker attack and possibly been infected and don't know it yet (not likely - the Worm causes noticeable trouble on a PC). This is why I always make my first Internet connection after validation to Windows Updates (repeatedly, until all patches have been installed)!

If you want to know if your Windows PC is infected just try to go to Windows Updates, either via the link in your Start Menu, or using the link in Internet Explorer, under Tools. If you can't open Windows Updates at all, but can visit other non-security related websites (Yahoo, MSN, CNN, etc), you just may be Confickered. To find out for sure you should run scans with any anti virus software you have installed. Try to update it first, before scanning. If you are already infected with Conficker.B, or Conficker.C, you will not be able to update most anti virus definitions at all. This is caused by the Worm denying access to any website run by any major security vendor.

If this is the case for your PC(s) there is a downloadable Conficker Removal Tool available from BitDefender, that removes the Conficker A, B and C variants. The removal tool is available here. There is also an online scanner on the landing page, which you can run to see if you are indeed infected. If the BitDefender page is inaccessible, here is the URL for the online scanner: http://91.199.104.31

Note, that licensed users of Trend Micro Internet Security products are already protected against the Conficker threats.

I will have more to tell you about this Worm after tomorrow comes and goes. We will see what we shall see!


December 13, 2008

About computer Bots and how to detect and remove them

Computer "Bot"
Abbreviation for "robot." In this case a software robotic program.

A computer Bot is a remotely controlled malware program that is installed onto a computer without the knowledge or consent of the computer's owner. This type of program may have complete control over the operation of that computer and its Internet functions, but usually does not reveal its presence to the computer's owner or users, or try to interfere with the normal operation of that computer.

All Bots work in stealth mode, so as to prolong their useful lifetime on each computer they infect. Because Bots operate behind the scenes, sometimes as rootkits, special anti-malware tools are often needed to detect and remove them. Some Bots may even uninstall themselves if the computer or its Internet connection doesn't meet the minimum requirements set by the person running them.

When a Bot is installed onto a computer that computer will not only be remotely controlled, but will become an unwitting member of a network of similar Bots, known as a "Botnet." Bots are accumulated into Botnets by "Bot Herders" who rent the use of their remote controlled networks to spammers, scammers, phishers, political anarchists, hackers and even terrorists. A Botnet in action is under the remote command and control of a criminal known as a "Bot Master."

When a computer is first infected by a Bot it will perform certain pre-programmed routines, including "phoning home" to register itself on the Botnet it belongs to and to supply details about the computer onto which it is installed. Some of these details are about the operating system and amount of memory installed, the infected user's identity on the computer, the password for the Administrator account, what, if any security programs are installed, the type of Internet connection used and the IP address of both the computer and the modem (if different). It will then receive files to be consulted and used as it operates. It may also be given some means of protecting its own executables and auxiliary support files, to ensure its continued existence if it is detected by the owner.

Unless you are an expert in securing your computer and operate with reduced user privileges, you should be asking yourself: "am I botted?" Don't leave this question unanswered! Find out now! There are a variety of new, specialized security tools available that will detect and remove modern Bot infections. Some really good Bot detection tools are listed in my extended comments.



August 22, 2008

Botnets ramping up efforts using news headlines and video links

The authors of the Storm, Srizbi, Pushdo and Rustock botnets (and others) are ramping up their individual efforts to assemble the largest collective botnet the World has ever seen, using fake news headlines in the subject and body of spammed emails. The latest fake news about the Olympics is sent from the Storm Botnet. Almost all of the BotMasters are purported to be based in Russia and are members, or former members of the notorious Russian Business Network. The purpose of this rush to acquire more and more zombie computers in a short time is undisclosed right now, but may be in preparation for a cyber war, in which the zombie computers will be used in denial of service attacks against other governments, anti-Russian websites, universities, or military installations.

Or, the purpose may just be to have more power to send gazillions of spam messages hawking male enhancement pills, fake pharmaceuticals, shady loans, or counterfeit watches and shoes, but I think they already have enough zombie computers to do that work.

I don't want any of my readers to fall into these traps and have their PCs drafted into these hostile robotic armies. Therefore, you need to know that the authors of the tens of millions of spam messages that are spewing out of hundreds of thousands of zombie computers, some at the rate of up to 10,000 spam emails per day - per PC, are using every social engineering trick they can come up with to fool you into clicking on a link in just one of these scam messages.

The fake news alerts I referred to earlier usually have sensational subjects and short descriptions in the body, some of which match the subject, but some of which are totally unrelated. There may or may not be links to a real news website, but there is always one or more links to a compromised computer or website, or directly to a hostile file. These hostile links may have the text "Read More," or "Watch Video," or "Play," etc. If you mouse over the links you will see the real destination in the status bar of your browser, for browser-based email, or of your email client. They will not lead to CNN, or the news agency they claim to represent, but to a strange web site, or numeric IP, where you will be attacked by all manner of exploit code.

If these automatic exploits fail to infect your computer you will be offered a manual link to do it to yourself. This is usually in the form of a pop-up about your needing to download a new version of ActiveX Object, or Flash Player, or Video Codec. Some of the most recent spam messages I have seen this week have direct links to download Trojan files. They are disguised by words like Play, Movie, Watch(it), Video, etc, to make you think you are going to see a movie clip about the news in the spam message. Instead, you will become instantly infected with whatever Trojan is being hosted on the destination web server, or zombie PC.

If you want to read the news online just go to cnn.com, or abc.com, etc, and read it. If you subscribe to breaking news alerts you could be fooled into opening a scam message that uses a subject and body text and images stolen from CNN, MSNBC, Reuters, or the BBC. Because of these scams being in the wild right now, and being so hard to authenticate, you are best to download a news widget from the organization to which you wish to subscribe. CNN has a breaking news widget that sits in the Windows System Tray until a news alert comes through. Then, it opens a balloon message above the System Tray with the headline displayed. If you click on the story it will open in your default browser. Other news organizations may offer a similar widget. Just be sure you go directly to the news website to look for it. Do not click on links in unsolicited email messages.

The volume of these messages is increasing, not decreasing, and the subjects, body text and link anchor text are morphing on a daily, or bi-daily basis. Learn to spot these scams and delete them from your inboxes. If you have a real email client that allows you to create filter rules, just add the subjects to your blacklist. If you use MailWasher Pro to screen your incoming email for spam or link threats you can download and install my custom MailWasher Pro filters, which are updated frequently to detect these ever changing scams. Since the Trojan video link spams began pumping out a couple of weeks ago I have sometimes been updating my published MailWasher filters on a daily basis. Contact me if you wish to consult with me about anti-spam solutions.
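The mouse-over check described above, done programmatically, as an added example that is not part of the original post or of any filter product: it pulls every link out of an HTML message body and flags the ones whose real destination is a bare IP address, whose visible URL text differs from the real host, or that sit in a message claiming to be from a news brand while pointing somewhere else. The brand-to-domain mapping, the lure words and the sample message are constructed for illustration.

```python
"""Check the links in an HTML e-mail the way the post tells readers to do
by hand: compare what the link claims with where it really goes.

Added example, not part of the original post. Brand domains, lure words
and the sample message are constructed for illustration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# News brands the scams on this page impersonate, with the domains they
# really use. Constructed mapping; a production filter would load a list.
BRAND_DOMAINS = {
    "cnn": {"cnn.com"},
    "msnbc": {"msnbc.com"},
    "reuters": {"reuters.com"},
    "bbc": {"bbc.co.uk", "bbc.com"},
}
LEGIT_DOMAINS = set().union(*BRAND_DOMAINS.values())

# Anchor texts the post says are used to disguise links to hostile files.
LURE_WORDS = {"read more", "watch video", "watch", "watch it", "play", "movie", "video"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host: a rough stand-in for the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_host(host: str) -> bool:
    """True when the destination is a numeric IP rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def brands_mentioned(text: str) -> set:
    """Brands whose name appears in the given subject or anchor text."""
    words = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in words}


def analyse_links(html: str, subject: str = "") -> list:
    """Return [(href, [reasons])] for every link whose destination does not
    match what the message or the anchor text claims."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    claimed_by_subject = brands_mentioned(subject)
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        reg = registrable(host)
        reasons = []
        if is_ip_host(host):
            reasons.append("destination is a bare IP address")
        shown = text.lower()
        if shown.startswith(("http://", "https://", "www.")):
            # Visible text looks like a URL: compare it with the real target.
            shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable(shown_host) != reg:
                reasons.append(f"visible URL {shown_host} hides real host {host}")
        for brand in brands_mentioned(text) | claimed_by_subject:
            if reg not in BRAND_DOMAINS[brand]:
                reasons.append(f"message claims {brand} but link goes to {host}")
        if shown.strip(" .!") in LURE_WORDS and reg not in LEGIT_DOMAINS:
            reasons.append(f"lure text {text!r} points off-brand")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message in the style the post describes.
SAMPLE_SUBJECT = "CNN Alerts: breaking news video"
SAMPLE_HTML = """<html><body>
<p>Full story: <a href="http://www.cnn.com/">www.cnn.com</a></p>
<p><a href="http://198.51.100.23/video/play.exe">Watch Video</a></p>
<p><a href="http://news-update.example/read.php">Read More</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_HTML, SAMPLE_SUBJECT):
        print(href)
        for reason in reasons:
            print("   -", reason)
```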



May 18, 2008

How to remove SpyBoss Pro from your computer

For the last week I have been seeing a lot of people visiting my blog looking for information about a program called SpyBoss Pro. Apparently, they have discovered it on their computers and don't know how to get rid of it. Let's learn a few things about the program and how it can be removed.

First of all, this is not your typical piece of malware. It is a commercial keylogging application, selling for $25 and up, requiring a license to use it after 30 days. It is distributed by a company in Ohio and is actually targeted at company security departments, to track employees' use of the Internet, or to allow concerned parents to track where their children go and what they type in chats and IMs. According to the manufacturer, here is what it is designed to do.

Records chats, instant messages, emails, web sites visited, what is searched for, what is done on MySpace.com, pictures posted and looked at, keystrokes typed, the programs run and more.

If you have discovered this program on an office computer you should tell your superior. It may or may not have been installed by your company. If it was you are being monitored officially. If not, somebody may be stealing confidential company information. If you find it on your home computer and did not knowingly purchase it, it was installed by stealth by persons up to no good. They may have used trickery to get this program onto your computer for two reasons. First, they might be affiliates earning commissions for every installation containing their affiliate codes. Second, they will be able to capture logins to your banks and other financial institutions where they will steal your money, or sell your information (and identity) to the highest bidder.

How to remove SpyBoss Pro.

You're gonna hate it when I tell you that since this is a legitimate program, albeit misused by hackers and overzealous affiliates, it comes with a standard Windows Uninstaller. Go to Start > Settings > Control Panel > Add/Remove Programs. Look through the list of programs until you find SpyBoss Pro and uninstall it using the "Remove" button, then reboot. This is assuming that the program hasn't been tampered with (cracked), but in case it has been altered by hackers, you should download, install and update Spybot Search and Destroy, then "immunize," then "check for problems." If the uninstaller failed to remove all or any of SpyBoss Pro - Spybot will finish the job for you. Best of all, Spybot S&D is free, supported totally by donations from grateful users. The latest definitions already detect and will remove this keylogger.

It is good practice to turn off Windows System Restore when disinfecting a PC, because many infectors hide their components by modifying critical system files, or registering their files as system files. Those files are backed up in the System Restore folder and tend to be reinstalled if found to be missing on the next reboot. That's why some viruses and spyware keep coming back; they were backed up in your System Restore folder. If the uninstaller does remove SpyBoss Pro and Spybot doesn't find any further instance of it, you're probably good to go. But, if it still lurks after running the uninstaller, turn off System Restore, disinfect the computer, scan again, then turn on System Restore when all is clear.

Follow-up actions

Since you know that there was an unwanted keylogger on your computer, you need to change the login passwords to any banking, payment company, auction site, or online store accounts that you may have used while the keylogger was active. Check all balances and report any discrepancies to the fraud departments of the companies you do business with. You may have to cancel your debit or credit card and have a new one issued. If you cannot log in to an account which you could before, go to the home page and search for contact information. They probably have a phone number you can call to report that you have become the victim of a keylogger. Many banks and payment portals will reverse fraudulent transfers and get your money back, after you prove you are really you.

Continue reading "How to remove SpyBoss Pro from your computer" »

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

May 7, 2008

Malware threat from fake MP3 files and fastmp3player.com

There is a new malware threat in the wild circulating among various file sharing networks. The threat is spread by duping file sharing users into downloading fake mp3 audio and mpeg movie files, which have very enticing filenames (some listed below in extended comments). All of these fake files have very small file sizes, which should be a giveaway that something is wrong with them. Despite that fact, almost 400,000 PCs are now infected in just a few days, after their users downloaded and opened some of these rigged files.

When a file sharing user double-clicks to play one of these files they get a surprise. Instead of seeing a movie or hearing a music file, they are presented with a browser page that displays a EULA consisting of about 4800 words. The scam tells them that they must install a special media player, from fastmp3player.com, to play back the file they are trying to hear/see. Upon agreeing to the EULA the user is redirected to fastmp3player.com where a file download box appears, for a file named (at this time) "PLAY_MP3.exe." This file installs two separate adware and spyware applications: "FBrowsingAdvisor" and "SurfingEnhancer."

Apparently, in samples that have been analyzed in the last two days, these attacks are specifically designed to work in the Firefox browser. If Firefox is not found on the victim's computer, they will get a Windows error message and will be urged to download and install Firefox.

Most major anti virus and anti spyware companies can already detect and remove this threat, which has been elevated to a "medium threat" status by McAfee, for home users.

People who like to obtain copyrighted music or movies without paying a fair price for a licensed copy are left at risk from botmasters looking to increase their botnets, and criminals using affiliate programs to earn commissions for installing spyware and adware onto as many computers as possible.

What you can do to protect your computer from this threat.

  1. Stop using file sharing programs like Limewire or Kazaa, or others, that allow people to distribute (share) copyrighted works illegally. They are riddled with malware files of all sorts. Instead, use one of the legitimate music or movie websites, like Apple's iTunes, Real Rhapsody, or Napster.

  2. Install a modern, legitimate anti virus program that offers multiple daily updates and set it to receive automatic updates every hour. If you can't set it to an hourly schedule then run a manual check for updates as often as you think about it. Or, use Windows Task Scheduler to run the updater executable every hour. Reputable anti virus companies include Trend Micro, Symantec, McAfee, NOD32 and AVG.

  3. Install a reputable anti spyware program and keep it updated as often as possible. Recommended companies include PCTools Spyware Doctor, Webroot's Spy Sweeper, Trend Micro PC-cillin, Lavasoft's Ad-Aware and anti-virus, and Spybot Search and Destroy.

  4. Scan for threats every day, before you get busy online, or every night, before you turn off the computer for the night.


March 6, 2008

Beware of a new round of Storm Trojan e-card scams

The infamous Storm Trojan Botnet has reawakened, after a brief sleep. It last made its appearance towards the end of January, stayed active until Valentine's Day, then disappeared. Since July of 2007 the Storm Botnet has been best known for sending out spam messages containing links to view e-cards, or postcards. All of the resulting web pages are hosted on other Storm-infected computers, and all of the links lead to your PC being infected with the same Trojan.

One of the things that made Storm Trojan links stand out last year was that most of them were numeric IP addresses, rather than domain names, in their links. These links resemble this example: ht*p://123.123.123.123/(some garbage characters may follow). During the last quarter of 2007 the Botnet began using actual registered domain names to reach the target host computers, which are managed on what is known as a Fast-Flux DNS network. Most of these domain names were registered within a few days of the spam run and are usually allowed to die shortly thereafter.

The Storm has become active again and is once again spamming out email messages about e-cards and postcards, most containing the good old numeric IP links. All of the targets are infected PCs and if you are duped into clicking on a link to such a target, exploits await you, including an automatic download of the Trojan. Should this fail, you will be enticed to click on a link, or an image to begin your download, supposedly to view your e-card/postcard. At this point, if you are running a Windows based computer, with Administrator level privileges, your PC is about to become a zombie member of the Storm Botnet.

When, not if, you receive one of these e-card/postcard notices, delete it immediately. If the sender looks like a name you know, check the email address to see if it matches that name. If in doubt, contact that person to see if they knowingly sent you an e-card, from that particular e-card company. Chances are they won't know anything about it. You see, the names and addresses used in the From fields are all harvested from infected computers' contact lists and address books. Spam email messages since late 2006 have had totally forged From and Reply-To email addresses. The people whose names and addresses are being used have no idea this is happening and cannot stop it. If you have sent an email to somebody whose computer gets infected with an email harvesting Trojan or worm, your email address will not only receive spam, but will be used in forged From and Reply-To fields of spam messages. There is nothing you can do about this. Even my accounts have been harvested from computers of customers and friends and I see spam coming to me, supposedly From me!

Unwanted E-Card/Postcard = DELETE! Leave the curious George stuff to professionals like me and the anti-exploitation labs.


March 4, 2008

Watch out for a new fraudulent anti-virus ploy named MonaRonaDona

Most experienced Windows PC owners know by now that their computers are the primary targets of every type of malware exploit that can be conceived by man or machine. Prudent PC owners take extra precautions and ensure that their computers are protected and scanned regularly, with up-to-date anti virus and anti spyware programs. They also tend to use more secure browser settings, or switch to Firefox for their Internet browsing, instead of Internet Explorer. Yet, millions of PCs are infected every day, with all manner of spyware and viruses, with many of them belonging to fairly new computer users (newbies). Why is this?

A lot of the reason for the constant increase in infected computers is due to inexperienced, or unaware Windows PC owners operating without proper and active security protection onboard. I have disinfected lots of computers that had either no virus protection at all, or had expired anti virus applications on them. An expired product is as useless as if it wasn't there, and gives a false sense of security to untrained PC users. Most of these products ship with new computers and offer a free 3 or 6 month trial period, after which they become inert, unless a subscription is paid for to keep them updated with new threat definitions.

This background information leads into the subject about which I am posting today. It has to do with a brand new malware threat that is in the wild, calling itself "MonaRonaDona." This is a Trojan that is acquired by downloading and installing a fake software program called RegistryCleaner 2008, although there may also be other means of delivering the infection. Once MonaRonaDona is installed on the victim's PC it pops up an ominous alert, identifying itself by name, and proudly proclaiming its intention to cause harm to your computer, currently using this text:

“Welcome to MonaRonaDona. I am a Virus & I am here to wreck your PC. If you observe strange behavior with your PC, like program Windows disappearing, etc., it’s me who’s doing this.”

This pop-up alert and strong language is meant to panic unsuspecting victims into paying to have it removed by a fraudulent anti virus program, which is a companion to this threat. People who are duped by this two-handed ploy will have the MonaRonaDona alerts turned off by the companion malware application, which they had to pay for to use. This is also known as extortion-ware. The MonaRonaDona component is only there as bait for the fake anti virus program, which the perpetrators of this fraud want to sell, for about $40 US. The fake anti virus product may be called "Unigray," or other names. It is apparently not linked to directly at this point in time; instead the victim is expected to search for anti virus programs that specifically target it.

False information about the fake anti virus program has already been spammed to Google and other search engines, through phoney blogs and spam blog postings, poisoning the results pages. If the victim searches for help removing MonaRonaDona, they will most likely see the fake products listed at the top of the results. This is a new method of delivering fraud-ware, by gaming search results and panicking users into searching for the spammed, fake removal tool.

The fake removal program will tell MonaRonaDona to shut itself down, making the victim believe that the anti virus program actually removed it legitimately. But, this is merely a ploy. Most free anti virus and anti spyware programs will detect and remove this threat within a few hours of its discovery, if you check for updates every day, several times a day.

Early credit for this discovery goes to Eugene Kaspersky and his famous, commercial Kaspersky Anti Virus products. They are often first to intercept malware that comes from certain regions of Russia where much of the World's malware is written and launched.

If you don't have any up-to-date anti virus protection on your Windows PC, give Kaspersky a try, or TrendMicro, or Norton Anti-Virus products. If you can't afford to buy commercial anti virus protection there are various free programs available. I would unhesitatingly recommend AVG Free, although Avast! is also very good.



February 23, 2008

Current Malware Threats In The Wild

Malware

Computer programs coded, or modified, to endanger your computer, compromise its security, make it part of a Botnet, display unwanted advertising pop-ups, defraud you, or steal your log-in user names and passwords, or your identity.

Malware includes computer viruses, Trojans, backdoors, rootkits, spyware, adware, keyloggers, dialers and rogue (fake) anti-spyware and anti-virus programs.

All of the above mentioned malware types are threats to anybody running a Windows based operating system, especially when connected to the Internet. There are malware threats specifically targeted at other operating systems, like Macintosh and Linux, but they are less prevalent, mostly due to the smaller installed base of those OSes. Some come to you over the wires, so to speak, via TCP/IP attacks against open "ports." A router between you and your external broadband modem can stop those attack vectors (unless you have poked holes in the router's firewall). However, no common router has the means of protecting you against malware threats that come in as you read email, or use your Internet browser. Unless you have an advanced router that receives regular updates to its malware detections, you will also need to keep a software firewall running on your computer, to protect it against hostile incoming TCP threats and to control which programs are allowed to connect out.

Malware threats do not just come from the Internet. I got into computer troubleshooting before I was connected to the Internet, due to an infected floppy disk. Floppies are mostly gone nowadays, but there are still some CD's, DVD's and plug-in memory devices that are somehow infected before going to, or during production. Then, you have certain music companies who knowingly install programs onto their CD's, which install rootkits onto the computers of legitimate buyers, to prevent copying those CD's (DRM protection). This was done a couple of years ago by Sony-BMG. Those DRM rootkits were then exploited by cyber-criminals to install other, much more dangerous types of malware.

Every week or two there seems to be a new type of malware attack method discovered, as well as constant variations of existing methods of infection. This article will review the latest methods of delivering viruses, spyware, rootkits, backdoors, keyloggers and Trojans to your PC. All of the threats listed are already "in the wild." Most of them are being used to draft unprotected, or insufficiently secured, Windows PCs into Botnets. Others are used to steal login information to website control panels, servers, banks, eBay, PayPal, or similar institutions. Then there are the pop-up ad windows that can render a computer unusable, and rogue anti-spyware programs that trick you into paying to remove the threats that the program itself invented, or installed. Your best defense against all of these threats is to keep a firewall running at all times, keep the most current version of anti-virus and anti-spyware programs working and updated, and keep fully current with Windows or Macintosh security patches and updates (yes, Apple releases security patches too).

The most prevalent malware threats, in the Wild, include the following (The Dirty Dozen):


  • Lunar eclipse video scam - link leads to Trojan and Botnetting if clicked

  • IRS rebates and refunds phishing scams - targets US citizens by mail or phone

  • Bank Of America phishing scam

  • Hillary Clinton video download scam - link downloads a Trojan if clicked

  • Britney Spears and Paris Hilton video scams - link downloads a Trojan if clicked

  • Storm Trojan numeric links in spam emails continue, but are reduced.

  • Thousands of compromised web servers are still allowing JavaScript redirection exploits to occur, leading to stealth download infection attacks on many visitors of the web sites hosted on those servers.

  • Compromised individual web sites have had hidden iframes installed, by criminal hackers, leading to instant infection of insufficiently secured PC's visiting those web sites.

  • Adobe Reader had a vulnerability that, if exploited, allowed complete computer takeover. Everybody using Adobe Reader or Acrobat should be sure they update to the latest, patched version. Use the program's Help menu to check for updates and install them.

  • Apple QuickTime exploits are in the wild. Make sure you update to the current version.

  • There are Java virtual machine exploits on compromised web pages. Make sure your computer has the latest version of Sun's Java.

  • Finally, rounding out the Dirty Dozen, certain brands of wired and wireless routers are being targeted with DNS redirect attacks. Simply opening a hostile spam email message sends code to the targeted router, which reprograms the router's DNS settings so that attempts to log on to a particular bank, or other financial institution, are sent to a phishing copy of its website. Router exploits that are in the wild were recently successful against millions of Mexican DSL routers, many of whose owners used the bank that the redirect was aimed at. All of these router attacks depended on the users not setting a personal Administrator password! Those with a password were not affected.


What you can do to protect your PC and your identity

If you have a Mac OS PC, make sure you check for updates at least once a month, or turn on automatic checking for security updates. Mac's "Finder" has a link to check for Apple Updates. If you have iTunes installed, it may need updates occasionally as well.

If you have a Windows PC, the quickest method you can use to check the security level is to visit the security website, Secunia.com, and run their online Secunia Software Inspector (requires Java). After you read the instructions and click on Start, a second page will load; click on Start on that page and it will scan your PC for vulnerable software in its database, and missing Windows Updates. If the Software Inspector finds outdated versions of software it will highlight them with a red mark and expand their details to tell you what vulnerability exists. It will also provide a direct link to the applicable page where you can download the patched version. Sometimes, Secunia will locate an older version of Flash, or Java, that has been left behind after updating to the current version. It will show the locations of those still-vulnerable files, which you should manually delete, or uninstall (Control Panel > Add/Remove Programs).

To protect your router from code exploits, establish a unique Administrator password (do not use the word "password"), disable remote administration and turn off UPnP. If you have a wireless router, setup the best level of encryption your receiving computers can work with. Most broadband routers come with a firewall, with configurable rules and a means of "poking holes" in them. Make sure your router's firewall is turned on and do not allow any port holes unless they are necessary for your personal or business use (e.g: filesharing, VPN, remote desktop, ftp. etc). Routers use "NAT" to hide your personal network computers from the public Internet. This makes them a less visible target for TCP/IP exploits.

Finally, if your PC shipped with a free trial version of a security program and it has expired, and you have not paid to renew it, you had better either pay for it, pay to upgrade it, or uninstall it and get a different security program. An expired anti-virus or anti-spyware program is totally useless and its only remaining effect is to eat up valuable system resources! There are many fine security programs available, both in retail stores and online. I have ads for several brands on this blog and on my other web pages, all of them reputable. However, I have my eye on one in particular that seems to be pulling ahead of the others, especially in the area of intercepting web site borne malware threats. That company is Trend Micro. They have a technology, included in Trend Micro Internet Security 2008 (also known as "PC-cillin"), that analyzes the content of web pages you visit, screening them for either known hostile code or potentially hostile embedded exploits, based on heuristics. If such code is discovered, Trend Micro's web threat protection will block the harmful content, while allowing safe content to be delivered. Or, it can block the entire web site from downloading anything, if you prefer. This type of defense is invaluable when you consider that much of today's malware is being delivered through website exploits and hidden redirects.

The Trend Micro Security Suite 2008 also comes with a two way firewall, anti-virus, anti-spyware and anti-phishing protection, with multiple daily automatic updates, all for a reasonable subscription price and allowing you to protect up to three PC's under one license. Get 10% Off a 1 year subscription to Trend Micro Internet Security 2008, using Coupon Code: TrendIS08.


December 28, 2007

Is your computer infected with the Storm Trojan?

First, some background information about the Storm Trojan.

Since July 1, 2007, I have written several blog articles warning people to be on the lookout for email scams that contain links that cause Windows computers to become infected with the Storm Trojan. This malware threat has already infected more PCs than any other in the history of personal computing. In August of 2007 estimates put the total number of infected computers at anywhere from 1 million to over 5 million! All of the infected computers acquired the Storm Trojan through social engineering trickery of their human owners.

Early varieties of the Storm Trojan, which began circulating widely in January, 2007, used catchy news headlines (some true, some false), such as news of hundreds of people killed by storms raging across Europe. Early payloads were carried in hostile attachments, offering more information or the full story, but were rigged with the Storm Trojan malware. Later, in mid-2007, the authors began shifting away from using attachments and started providing links to the already infected computers, which were now used to host web pages that carried exploit codes and copies of the Trojan itself. The owners of these computers had no idea that their machines were being used for this purpose, and other purposes even more sinister.

It was in June 2007 that I began to notice suspicious numeric links in email spam messages, which characterized the new breed of the Storm Trojan. There were several phases where different techniques were employed, all designed to appeal to human curiosity and which snared more and more unsuspecting victims into the ever-growing Storm Botnet. There were e-cards, postcards, verification messages, free music, free games, funny cats, dancing skeletons, naughty Christmas cards and now, New Year's greetings postcards. All of these scams contain a link which the person reading the email must click on. If you are running a Windows computer that has not been fully patched against all known vulnerabilities in the wild, and you clicked on one of those links, chances are good that your computer has become a "zombie" member of the Storm Botnet.

Most of the time, the owners of these compromised machines don't know what is happening behind the scenes, as all of this activity is hidden from the user interface. The only give-away that something is amiss would be occasional unexplainable computer and Internet slowdowns, along with periods of high activity on their (external or broadband) modem "activity" lights, as thousands of spam emails, or DDoS attacks are launched from their computer. So, aside from flickering modem lights, how can you tell if your Windows computer has been infected with the Storm Trojan?

Since the Storm Trojan has been around for about a year now, it is safe to say that all anti virus and anti spyware programs have definitions to detect and eliminate this threat. If you have an anti virus and/or spyware program, make sure your scanning engine is fully current, and the definitions are up to date, then reboot into Safe Mode and scan all files. Safe Mode scanning is recommended, because, although the Storm Trojan installs its "service" as a hidden "rootkit," it still has supporting processes and files that can be stopped and deleted from Safe Mode. After the support files and registry entries are terminated the rootkit infector will be vulnerable. With any luck your security program will find and remove the files and services associated with this Trojan.

If you don't have an anti virus or anti spyware program on your Windows computer you are probably already infected with all manner of malware. There is a manual method that you can use to determine if your computer has/might have the Storm Trojan. A rootkit keeps its own main operational files from being viewed in Windows Explorer, or in Command Windows, by intercepting attempts to find those file names, or slight variations of their names and sending a null result to the screen. These are known as "super hidden" files. So, if your computer does have a rootkit infector and you were to look for their presence using a Windows Search, or a "Dir" command in a DOS Command window, the rootkit file(s) would not reveal themselves to you. Interestingly, if you were to create a new text file on your Windows desktop, with the same prefix as the rootkit's files, that file would instantly disappear from view, or would not appear in a DOS Window directory listing.

While the Windows desktop file may or may not work as described, a Command Window can be used to reveal the presence of the Storm Trojan's rootkit.

Since Windows Explorer refuses to display super hidden rootkit files and services, a good old DOS window and some special commands might do the trick, by hiding a specially named file that you just created. Here's what you need to do to check for the presence of the Storm Trojan rootkit component.


  1. Go to Start > Run and type in: CMD and press Enter

  2. A "Command" Window will open, with a blinking cursor, waiting for text input from you.

  3. Case doesn't matter with these commands.

  4. In the Command Window type this: copy con spooldr.txt

  5. Press Enter. The blinking cursor should move down to a blank line.

  6. Type a few words to create some filesize, then press F6. You should see a ^Z, after the last character that you typed.

  7. Now, press Enter. You should see "1 file(s) copied" and the cursor will blink again on a new command line.

  8. At the blinking cursor, type: DIR spooldr.txt and press Enter.

  9. If you see a report showing 1 file(s) and a filesize in bytes and the file name, you have passed the first test.

  10. Repeat steps 4 through 9, substituting these filenames each time: noskrnl.txt, wincom.txt, clean.txt, bldy.txt

  11. If all of these files are listed in the DIR results, you're probably OK (the file names are now being changed frequently), but if the DIR command shows 0 files found for any of these files, you are infected with the Storm Trojan and its rootkit.

  12. If all of these files show in a DIR listing, you should delete them by typing: DEL filename.txt (substituting the actual filenames) and press Enter and the named file will be deleted.
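
The canary test above can be automated, and made a little stronger, with a short script. The following is an added example written for this page, not a tool from the blog or from any vendor: it creates the same canary files, then checks each one three ways (directory enumeration, which is what DIR uses; attribute lookup by name; and reopening the file), because a rootkit that filters listings by name may still let the file be opened by its full path, and that discrepancy is the signal. The file names are the ones the steps list and are only a starting point, since they change; the check runs in a fresh temporary directory rather than the current one, which is an assumption that the rootkit filters by name regardless of location.

```python
"""Canary-file check for a directory-hiding rootkit (added example)."""
import os
import tempfile

# Names listed in the steps above for the Storm rootkit's components.
# Illustrative only; the post notes they are changed frequently.
STORM_CANARY_NAMES = ["spooldr.txt", "noskrnl.txt", "wincom.txt",
                      "clean.txt", "bldy.txt"]

# Some bytes so each file has a size, as step 6 does with "a few words".
CANARY_CONTENT = b"canary canary canary canary\r\n"


def check_canaries(directory, names, list_dir=os.listdir):
    """Create each canary in `directory` and look for it three ways.

    Returns a list of (name, view) pairs for every canary that was
    written successfully but then went missing from a view:
      "listdir": absent from directory enumeration (what DIR shows)
      "stat":    attribute lookup by full path fails
      "read":    reopening the file fails or returns different bytes
    An empty list means nothing was hidden. `list_dir` is injectable
    so the detector can be exercised against a simulated rootkit.
    """
    hidden = []
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(CANARY_CONTENT)

        # View 1: directory enumeration, the view a name-filtering rootkit hooks.
        if name not in list_dir(directory):
            hidden.append((name, "listdir"))

        # View 2: direct lookup by full path, a different API path.
        try:
            os.stat(path)
        except OSError:
            hidden.append((name, "stat"))

        # View 3: reopen and compare content, in case the data path is hooked too.
        try:
            with open(path, "rb") as fh:
                if fh.read() != CANARY_CONTENT:
                    hidden.append((name, "read"))
        except OSError:
            hidden.append((name, "read"))

        # Step 12: delete the canary. A hidden file may refuse; keep going.
        try:
            os.remove(path)
        except OSError:
            pass
    return hidden


def hide_prefix_view(prefix):
    """Return a directory lister that drops names starting with `prefix`.

    This imitates what a name-filtering rootkit does to the listing API,
    so the detector can be shown working on a clean machine.
    """
    def lister(directory):
        return [n for n in os.listdir(directory)
                if not n.lower().startswith(prefix.lower())]
    return lister


def run_self_check(names=STORM_CANARY_NAMES, list_dir=os.listdir):
    """Run check_canaries in a fresh temp directory and clean up after it."""
    workdir = tempfile.mkdtemp(prefix="canary-")
    try:
        return check_canaries(workdir, names, list_dir)
    finally:
        try:
            os.rmdir(workdir)
        except OSError:
            pass  # a hidden canary could not be deleted; leave it for inspection


if __name__ == "__main__":
    findings = run_self_check()
    if findings:
        for name, view in findings:
            print(f"SUSPICIOUS: {name} vanished from the {view} view")
    else:
        print(f"All {len(STORM_CANARY_NAMES)} canaries visible; "
              "no name-based hiding detected")
    # The same detector against a simulated rootkit that hides spool* names:
    print("simulated:", run_self_check(list_dir=hide_prefix_view("spool")))
```

On a clean machine the script reports every canary visible; the last line shows what a hit looks like by running the detector against a simulated listing filter. As with the manual steps, a clean result only means no rootkit is hiding files by these particular names, so treat it as one check among several, not as a clean bill of health.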


I advise you to leave disinfection of rootkit threats to professional grade security applications, like Norton, McAfee, Kaspersky, or TrendMicro Anti Virus programs, or Webroot Spy Sweeper, or PCTools Spyware Doctor. There are links to some of these programs on this blog. Some of them offer a free trial download, and others offer a free online scan. If you can't afford one of these commercial programs you can download (install and update!) AVG Free Anti-Virus, or SpyBot Search and Destroy, which is also free, from the links in the right sidebar >>>

If I come up with some effective manual removal instructions, that can be used by the average computer owner, I will post them in a follow-up blog article.


December 26, 2007

Beware of "New Year" email "Postcard" threats

This is a heads up to you all to beware of a new round of Storm Trojan email threats, now making the rounds. They contain a New Year subject and one line of body text and a link on the second line that contains the word postcard, or a variation thereof. Do not click on this link. Delete the message. The destination is a Storm Worm Trojan infected computer, running an Nginx small web server, with but one page. The page contains code to instantly redirect you to an automatic download location, where you will receive your very own copy of the Storm Trojan. If you visit the first page with JavaScript disabled, you will be presented with an enticement to manually install the Trojan; to view your "postcard." Not! The three spammed email messages I analyzed this morning all contained variations of the following two lines of deactivated text:

As the new year...
h**p://uhavepostcard.***/

That URL was spammed out on Christmas day, three days ago. The current Storm Trojan spam messages now have links to happycards2008.com, or newyearcards2008.com, or familypostcards2008.com, which are different URLs than in the attacks that began on Christmas Day and more changes are expected over this weekend.

The emails I have analyzed so far today led to infected computers, with web pages containing a clickable link to a locally hosted file named "happy-2008.exe," or "happynewyear.exe," which is the Storm Trojan itself. The infected host computers are zombie members of the Storm Botnet and are all over the World. The redirects in them lead to exploited servers, similarly all over the World. These servers have been compromised over the year in anticipation of serving up payloads on demand. They are zombie servers in that no unusual activity would be noticed from them until people start arriving from redirects on infected PCs. Unless people report these infected servers they will remain online long enough to do a lot of damage. One way to report them is to become a reporting member of SpamCop.

If, like me, you use an anti spam front end for your email client, such as MailWasher Pro, and it allows you to create regular expression spam filters, try adding these rules to detect the Storm Postcard threats:

UPDATED 12/30/2007 to add new target domain names and shorter RegExpr.
The subject contains any of these words: "(e-) card, or greeting, or postcard, or New Year, or New 2008 Year"
AND, The body contains any of the same words; AND
The body contains a hyperlink containing this regular expression:

http://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.+postcards?|newyearwithlove|.+cards2008)\.com)

Here is that entire updated rule, in MailWasher Pro format, for use in the MailWasher filters.txt file (This code should be on one long line):

[enabled],"Postcard Trojan Scam","Postcard Scam",16711680,AND,Delete,Automatic,Subject,containsRE,"\b(e-?)?(card|greeting|postcard|new\ year|Happy\ 2008!|New\ Hope\ and\ New\ Beginnings|new\s.*year)",Body,containsRE,"\b((e-?)?(post|greeting\s)?card)|new\ year\b",Body,containsRE,"\bhttp://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.+postcards?|newyearwithlove|.+cards2008)\.com)"
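
Before trusting a rule like this to delete mail automatically, it is worth running it over a few known-good and known-bad messages. The following is an added example written for this page, not MailWasher's code: it expresses the same three-part rule (subject words AND body words AND a hostile link) with Python's re module, using the three patterns copied from the filter line, and classifies some constructed sample messages. Case-insensitive matching is an assumption about how MailWasher's containsRE behaves; the sample messages are made up for the demonstration, not real captures.

```python
"""Storm "postcard" spam rule, re-implemented in Python (added example)."""
import re

# Subject must mention a card/greeting/new year (pattern from the rule above).
SUBJECT_RE = re.compile(
    r"\b(e-?)?(card|greeting|postcard|new\ year|Happy\ 2008!|"
    r"New\ Hope\ and\ New\ Beginnings|new\s.*year)",
    re.IGNORECASE)

# Body must repeat one of those words.
BODY_RE = re.compile(
    r"\b((e-?)?(post|greeting\s)?card)|new\ year\b",
    re.IGNORECASE)

# Body must carry a link to a raw IP address or one of the Storm domains.
LINK_RE = re.compile(
    r"\bhttp://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|"
    r"(.+postcards?|newyearwithlove|.+cards2008)\.com)",
    re.IGNORECASE)


def matched_parts(subject, body):
    """Return which of the three conditions hold, useful for debugging a near miss."""
    return {
        "subject": SUBJECT_RE.search(subject) is not None,
        "body_words": BODY_RE.search(body) is not None,
        "hostile_link": LINK_RE.search(body) is not None,
    }


def is_postcard_scam(subject, body):
    """The rule is an AND of all three conditions, as in the filter line."""
    return all(matched_parts(subject, body).values())


# Constructed messages: (label, subject, body). Not real spam samples.
SAMPLE_MESSAGES = [
    ("storm-ip-link", "Happy New Year!",
     "As the new year...\nhttp://123.123.123.123/"),
    ("storm-domain-link", "New Year postcard for you",
     "You have received a postcard. http://happycards2008.com/"),
    ("storm-family-domain", "Your ecard has arrived",
     "Open your ecard: http://familypostcards2008.com/"),
    ("friend-greeting", "Happy New Year from Jane",
     "Hope the new year treats you well! Photos at http://www.flickr.com/photos/jane"),
    ("legit-ecard", "You've got an e-card",
     "View your card at http://www.hallmark.com/ecards/view"),
]


def run_samples():
    """Classify every sample message; returns [(label, verdict), ...]."""
    return [(label, is_postcard_scam(subject, body))
            for label, subject, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for label, subject, body in SAMPLE_MESSAGES:
        verdict = "DELETE" if is_postcard_scam(subject, body) else "keep"
        print(f"{label:20s} {verdict:6s} {matched_parts(subject, body)}")
```

The two friendly messages survive only because they carry no link matching the third pattern, which is the part doing the real work. Note that the `.+postcards?` and `.+cards2008` alternatives accept anything at all between `http://` and those words, so when you extend the domain list, run the rule over a week of legitimate mail with matched_parts before switching the action to Delete.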

I am posting updates as I detect changes to the target domain name or subject/body text. Remember, the authors of the Storm Trojan are constantly altering the text and payload URLs, to fool spam filters and people. If you are not screening your incoming POP email you leave your computer at risk, should one of these threats fool you into clicking on a link to an infected computer, or server. I have a full page describing the email screening program - MailWasher Pro, with links where you can download it for a free trial. It is very inexpensive to license, for the life of the product. You don't have to pay for version updates like you do with most security programs these days. The only recurring charge associated with MailWasher Pro is voluntary membership in their managed spam reporting group, called FirstAlert.

MailWasher Pro is free to try for 30 days, and still costs only $37.00 to register, which includes a one year, renewable subscription to the FirstAlert! spam reporting system, plus, FREE Mailwasher program updates for life.

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

September 13, 2007

Storm Trojan now using real domain links in NFL Tracker scams

The so-called Storm (Worm) Trojan has been continuously changing the subject and body text used to trick victims into clicking on links which cause their computers to become part of the "Storm" Botnet. Previously, all Storm scam messages came in with numeric links to compromised Windows computers on broadband connections, which were a clear giveaway to even the most casual recipient that something was not right. Then, at the beginning of September I began to see Storm scams that had the numeric IP destinations wrapped inside a fake domain name. The true, numeric destination was revealed by mousing over the link, so it was still relatively easy to detect that the message was most likely a scam.

It is extremely unusual for hyperlinks to be numeric, but not totally unseen. Most websites use a "friendly name" for the domain, like example.com. On very rare occasions a website may not use a friendly name, usually when it is in transit from one server to another and DNS changes need time to propagate throughout the name server system. In the case of the web pages hosted on Storm Trojan infected computers the URLs had to be numeric, because the zombie computers did not have registered domain names. Instead, they have a small web server, called NginX, installed by the Storm Trojan, and are almost always connected to broadband Cable or DSL Internet services, with infrequently changing IP addresses. Since the IP addresses of these zombie computers do occasionally change, due to rebooting the modem or forced IP renewals by their ISP, the authors of the Storm Trojan had to come up with a new way to keep them reachable through changes in IP addresses, and they have done just that.

In a new twist to the previous numeric IP scam, the authors of the new scam are using free DNS services to point their parked domain names to always-on cable Internet computers that are part of the BotNet. Thus, if the intended victim mouses over the link it still displays the friendly domain name (e.g. example.com). If they are fooled by the scam pitch into clicking on that link, they will arrive at what looks like a standard, large web page all about the subject of the scam message. There will be lots of links on that page, just like you would find on a real web page. But, in this instance, what you don't know can and will hurt you!

See my extended comments for a more technical description about this new NFL Tracker threat.

Your best defense against the Storm (Worm) Trojan, in all of its incarnations, is to use common sense and not click on links in unexpected emails, featuring dubious text sales pitches. If you use anti-spam software you should train it to recognize what you recognize as spam, or scams.

I use MailWasher Pro to screen all of my incoming email. It uses a variety of methods to identify and deal with known, or suspected spam email, including custom filter rules that define the kinds of spam that are most common. I happen to write and publish three sets of custom filters for MailWasher. They are in direct response to the daily variations in email spam and scam threats that I see as I check my numerous accounts on 12 minute intervals. While my filters admittedly slow down the processing of your incoming messages, they provide a defined warning in the Status field, indicating what types of spam filters have been matched. The first two sets of filters only flag spam that is matched by my rules, leaving you to decide if they are truly spam, or legitimate - false positives.

filters.txt is the largest set with rules going back several years, including the most current rules.

filters2.txt uses a reduced set of the most current filters, which I use a more potent version of.

filters3.txt is what I call my Judge Dredd rules, because they, like my personal filters, are set to automatically hide and/or delete anything that is identified as spam. I describe them as my "Murder-Death-Kill rules," as borrowed from the movie "Judge Dredd." In the rare instances where a legitimate email is automatically deleted by a filter, I can review and restore that message from the MailWasher Pro Recycle Bin.

To recap, the authors of the Storm Trojan are constantly changing the subject and body text, in an effort to deceive more and more people and to accumulate the largest BotNet in the history of distributed computing. As of this week, it is estimated that the Storm BotNet has more computer and CPU power than the World's top five supercomputers put together. The damage that has come, is coming and may yet come from this BotNet is beyond anything seen on the Internet before. If all of these machines are used in DDoS attacks there is very little that would be able to stand up to them. That includes websites, governments, even entire countries (the country of Estonia was effectively taken offline by a huge DDoS attack earlier this year).

I strongly urge every reader of my blog to install the best anti-virus and anti-spyware software that you can afford, keep it completely updated and scan for threats every night.

September 9, 2007

New Storm Trojan tactic uses football game tracker as bait

The authors and promulgators of the Storm Trojan are very devious and criminally clever people. Every month they seem to completely change the nature of the scams used in the spam emails sent from already infected computers. Each new scam uses a different type of social engineering to deceive spam recipients into clicking on the (numeric) link embedded in those messages. Usually the links are shown as numeric, but lately some are concealing the destination until you hold the mouse over the link, at which time you will see a numeric URL. An example of a numeric URL would be: http://127.0.0.1/. The same link wrapped inside a friendly name cover might resemble this: "devious words" (a link whose visible text is ordinary words), which leads to the same numeric destination when you mouse over the link. The destinations in my examples go to your own computer, at 127.0.0.1 (local machine), for safety's sake.
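The two disguises described here and in the September 13 entry above (a numeric destination hidden behind friendly link text, and visible link text that names one host while the href points somewhere else) can be checked mechanically before anyone mouses over anything. The following is an added example, not code from the original post or from MailWasher: it pulls every anchor out of an HTML message body and reports the mismatch. The sample body, the example.com/example.org names and the 192.0.2.x and 198.51.100.x addresses (RFC 5737 documentation ranges) are constructed for the demonstration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML message body (not a real capture). The numeric hosts are
# RFC 5737 documentation addresses, so nothing here points at a live machine.
SAMPLE_HTML = """
<p>Your card is waiting for you.</p>
<p><a href="http://192.0.2.45/?c1e2f3a4b5">http://cards.example.com/view</a></p>
<p>Follow every game: <a href="http://198.51.100.7/tracker">Download the tracker</a></p>
<p>Schedule: <a href="https://www.example.org/schedule">https://www.example.org/schedule</a></p>
"""

# A URL that appears inside the visible link text.
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_numeric(host):
    """True when the host part of a URL is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_anchor(href, text):
    """Return the reasons (possibly none) an anchor deserves a closer look."""
    reasons = []
    real_host = (urlparse(href).hostname or "").lower()
    if host_is_numeric(real_host):
        reasons.append("destination is a numeric IP address")
    shown = URL_IN_TEXT.search(text)
    if shown:
        shown_host = (urlparse(shown.group(0)).hostname or "").lower()
        if shown_host != real_host:
            reasons.append(f"visible text shows {shown_host} but destination is {real_host}")
    return reasons


def audit_html(html):
    """Return [(href, text, reasons), ...] for every anchor in the body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(href, text, assess_anchor(href, text)) for href, text in collector.anchors]


if __name__ == "__main__":
    for href, text, reasons in audit_html(SAMPLE_HTML):
        status = "SUSPECT" if reasons else "ok     "
        print(f"{status} {text!r} -> {href}")
        for reason in reasons:
            print("         " + reason)
```

The third disguise from the September 13 entry, a registered domain whose DNS record points at a broadband zombie, cannot be caught by this offline check; it needs the name resolved and the resulting address compared against the ranges you expect a real site to live in, which is a network lookup this example deliberately does not make.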

Earlier this summer the trick most widely used was the postcard scam. Now they are kicking it up a notch and appealing to sports fans' curiosity to fool them into infecting themselves. With the US professional football season kicking off this month (pun intended), the criminal minds authoring the Storm Trojan email scams have unleashed a series of new messages all aimed at enticing football fans into downloading a so-called "game tracker." As with all of the previous Storm Trojan payloads, this one resides inside infected computers onto which a web server has been installed. If you click on the link in the scam email you will see a real web page containing all kinds of descriptions and links to features and information. There is even an image map that is one huge link. Every single one of the links on these pages goes to one and only one place: "tracker.exe." Click on that and what you thought was a game tracker program will in reality turn your computer into another zombie member of the Storm Trojan BotNet.

Another trick being employed by the Storm Trojan is a link supposedly to a program that prevents the RIAA from tracking files shared illegally over peer to peer networks. Again, this is the Storm Trojan at the other end of those links.

If you use MailWasher Pro to screen your incoming email and are not already using my custom spam filters, what are you waiting for? They are free for you to use! They are my gift to the World. I hate spam and want to help others detect and delete it, before threats like the Storm Trojan can fool them into becoming unwitting victims. You can even discuss my filters in my own topic labeled: Wizcrafts Custom MailWasher Pro Filters discussed here, on the Firetrust.com forums.

Please use caution with any links arriving in email messages from senders you don't know, or even those you do know. Do not click blindly on links in emails, especially if they are numeric! Those IP addresses are infected home or office computers, on DSL or Cable Internet services.

August 23, 2007

Email Threat - Trojan-Downloader "Storm Worm" - Its History, Payload and Variants

This is a follow-up to an article I wrote about the Storm Worm, in my blog a couple of days ago. That entry was meant to warn you about the new variations in the subjects and body text, designed to trick you into getting your computer infected. This article presents a brief history and analysis of the methods used to infect computers, as well as a description of the actual payload, of the so-called "Storm Worm" Trojan downloader.

History of the Storm Worm Trojan

Distributed through massive blasts of spam emails, the threat now known as the "Storm Worm" Trojan-Downloader was first noticed in the wild in November, 2006 and has gone through many external alterations since then, although the payload has remained basically the same. Various anti virus companies have labeled the variants with such names as: Win32/Nuwar, Trojan.Peacomm, Trojan-Downloader.Win32.Small.DAM, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13, Win32.Zhelatin, and of course: "Storm Worm."

The Trojan now called the "Storm Worm" got its name after a huge spam run on Friday, January 19, 2007, which used the subject line "230 dead as storm batters Europe," to trick people into clicking on links to supposedly read news articles and emergency bulletins about the terrible storms that ravaged Europe during that week. By the following Monday the Storm Worm accounted for 8% of all spam, on a global basis. It received even more notoriety when it was used by infected zombie computers, all members of a BotNet using the eDonkey/Overnet P2P protocol, to launch DDoS attacks against several well known anti-spam websites, from January through June, 2007. In fact, some of those attacks are still ongoing against Spamhaus and CastleCops.

How the Storm Worm is able to carry out such large scale attacks is directly related to its success in getting a huge installed base of zombie computers, with different security sources giving varying numbers of infected machines ranging from 2 to 20 million. Either number is too many. There are enough members of the Storm Worm Botnets to bring down an entire country! This has been done entirely by using social engineering tricks to deceive people into clicking on links in spam emails, which lead the victim to other infected computers, where they become infected and join the largest peer-to-peer Botnet ever assembled in the history of Botnets. Each new member of this network receives copies of the Storm Worm Trojan Downloader, a copy of the Nginx web server, an email address collection program, a spam sending program (SMTP server), a DDoS tool, and connection scripts related to the P2P node in which it has been enlisted. All of these machines are remote controlled by criminal masterminds, known as "BotMasters." The owners of this Botnet are suspected of residing in various parts of the Former Soviet Union and are the most prolific spammers in the World.

Method of Infection

As I said in the previous paragraph, the Storm Worm spreads by tricking people into clicking on links to a web page hosted on an already infected computer, where they are then infected and zombified into the Botnet. There, they await remote control orders to do the bidding of the BotMaster. So how are these computers infected with the Worm/Trojan itself?

When a person using any version of Windows arrives at the fraudulent web page being hosted on a Storm Worm infected computer there are two things that can occur, depending on whether or not the visitor's browser has JavaScript enabled (most do, by default).


  1. If JavaScript is disabled they will see a plain text message claiming that the website they want is undergoing some tests, or that an additional plug in or applet is needed to view the content they were enticed with, followed by a text link to click to manually get or see the needed file, or applet. Now, what should I do? It says to click here, but I don't know if I should or not... Oh well, I'll just try it real fast to see what it does and back out if it doesn't look right -> "Click" ... They just infected themselves with the Storm Worm! Idiots!

  2. If JavaScript is enabled a script will instantly redirect them to a foreign server which is acting as a Worm host for their Botnet node. Once there, their browser will be subjected to at least three attempts to exploit different known vulnerabilities in unpatched Windows computers. Chances are very good that one of these attempts will be successful, unless the computer is very well protected and completely up to date with all available Windows patches and Internet Explorer 7 with all patches installed. Older versions of Firefox may also be at risk (prior to 2.0.0.6), if JavaScript is enabled, because the script initiates a file download. If the victim arrives using an older, unsupported version of Windows (9x, ME, 2000 before SP4, or XP with SP1), or is running an invalid pirated copy of Windows XP, they will NOT be up to date with critical patches and WILL probably be infected immediately (except for Limited User or Power User accounts).
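The two branches just described (a script that redirects the visitor, and a plain-text fallback link to the executable for visitors without JavaScript) leave a recognisable static footprint in the landing page's HTML, which is what an analyst looking at a captured copy of such a page checks first. The following is an added example, not code from the original post: it parses a captured page offline, lists script-driven redirect targets and links whose path ends in an executable extension, notes whether a noscript fallback exists, and turns those findings into a triage verdict. The sample page and the 203.0.113.9 address (RFC 5737 documentation range) are constructed for the demonstration; the verdict thresholds are this example's own choice.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a captured landing page, modelled on the two-branch
# behaviour described above. The address is from the RFC 5737 documentation
# range and the file name is the one quoted in the December entry; nothing
# here is live.
SAMPLE_PAGE = """<html><head><title>Please wait</title>
<script type="text/javascript">
window.location.href = "http://203.0.113.9/go.php?id=1";
</script></head>
<body>
<noscript>The site is undergoing tests. Please click
<a href="http://203.0.113.9/happy-2008.exe">here</a> to view your card.</noscript>
<p>Loading...</p>
</body></html>"""

# File extensions that Windows will execute directly from a download.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Assignments to location (or location.replace) with a quoted literal target.
REDIRECT_RE = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']\s*\)',
    re.I,
)


class _PageCollector(HTMLParser):
    """Collects script bodies, link targets and whether a <noscript> block exists."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.hrefs = []
        self.has_noscript = False
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
        elif tag == "noscript":
            self.has_noscript = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def triage_page(html):
    """Static triage of a captured page: redirect targets, executable links, noscript fallback."""
    page = _PageCollector()
    page.feed(html)
    redirects = []
    for body in page.scripts:
        for m in REDIRECT_RE.finditer(body):
            redirects.append(m.group(1) or m.group(2))
    exe_links = [h for h in page.hrefs
                 if urlparse(h).path.lower().endswith(EXECUTABLE_EXT)]
    return {"redirects": redirects,
            "executable_links": exe_links,
            "noscript_fallback": page.has_noscript}


def verdict(report):
    """Both a redirect and a direct executable link is the pattern described above."""
    if report["redirects"] and report["executable_links"]:
        return "high"
    if report["redirects"] or report["executable_links"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    report = triage_page(SAMPLE_PAGE)
    print(verdict(report), report)
```

This only sees literal, unobfuscated redirect targets; a script that builds the URL at run time, as the author notes these pages often do with "a huge line of hostile code", needs a JavaScript sandbox rather than a regex, and the noscript link alone is still enough to raise the verdict to medium.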

Now that we know how Windows computers get infected, what are some of the current social tricks being used to fool people into (A) opening the message, (B) reading it and (C) clicking on the obviously strange numeric link?

Subjects recently used in the Storm Worm e-mail messages include:
Postcard scams:
You've received a (postcard, ecard, greeting card) from a (Friend, Worshipper, Mate, Class-Mate, Family Member, etc).

Newest scam subjects as of mid-August, 2007:
Cat Lovers, Dated Confirmation, Internal Support, Internal Verification, Login Info, Login Information, Login Verification, Member Confirm, Member Details, Member Registration, Membership Details, Membership Support, New Member Confirmation, New User Confirmation, New User Details, New User Letter, New User Support, Poker World, Registration Confirmation, Registration Details, Secure Registration, Tech Department, Thank You For Joining, User Info, User Verification, Your Member Info, Welcome New Member

And the senders' aliases have been:

Bartenders guide, Bartenders Guide, Coolpics, Dog lovers, Entertaining pics, Entertaining pros, Fun World, Free ringtones, Free web tools, Game Connect, Internet Dating, Job search pros, Joke-a-day, Mobile Fun, MP3 world, Net gambler, Net-jokes, Online hook-up, Poker world, Resume Hunters, Ringtone heaven, Web, Web cooking, Web connects, Webtunes, Wine Lovers

To learn more about the payload delivered when a PC is infected with the Storm Worm, read my extended comments...

August 21, 2007

Beware of new variations of Storm Worm Trojan email threats

On July 1, 2007, I wrote a blog article titled "Warning; Trojan in Email Link: You've received a greeting postcard from a family member!" For well over a month my various email accounts were inundated with a constant daily flow of these Postcard scams. There is now an entirely new variation of these threats, in circulation World wide. For those who for some reason don't know what this is about (what rock have you been hiding under?), read the next paragraph. If you understand the basic nature of this threat you can skip to my extended comments.

Since sometime in June this year a Trojan Horse threat, called the "Storm Worm Trojan," has been circulating across the Internet, infecting millions of Windows PCs along its path. At first the subject and message body text referred to ecards, or (greeting) postcards supposedly sent to you from a "Friend," or "Worshipper," or "Class-Mate," or "Mate." They all provided a link (with a numeric IP address in the URL) to visit a website where you could view your card, which would remain viable for "the next 30 days." If you've been on the Internet for a long enough time you are probably aware that URLs are not usually numeric, but are in the form of named websites. Seeing a link that is numeric usually sets off alarm bells! A person would either have to be a total newbie to the Internet, or not accustomed to looking at the destination of links in their email client's status bar, or be using browser-based email that does not reveal the destination of links found in emails. Maybe the person receiving that email is a young child who isn't aware of the danger of such links and was excited to think they had received a greeting card.

Anybody who was tricked into clicking on the link was transported to a web page hosted on a compromised zombie computer on a home or business broadband network, located at the numeric IP found in the link they clicked on. This computer is already infected with the Storm Worm and has had a micro Web Server installed on it and is hosting a single web page. That web page contains JavaScript redirection codes and a plain text link to a copy of the Worm that has been placed on that computer. People going to that hostile web page with JavaScript disabled will see the link and the text will urge them to click on it to see their (ecard/message). If the victim arrived using a browser with JavaScript enabled, as most are, a hidden script on that page would send their browser to yet another website, where an image of a fake greeting card, or text about it is displayed. What the victim didn't know is that while they were looking at the fake ecard a hidden download was occurring that was automatically infecting their computer with the Storm Worm Trojan. This turned their computer into both a host of a similar redirection web page and as a sender of spam emails containing a link to their hostile web page, but sent through another compromised computer somewhere else in the World.

Judging by the millions of infected computers hosting these hostile web pages and sending spam links out, there are a lot of folks who have not been practicing "safe hex" (computing). They have not been keeping their Windows computers thoroughly updated and patched, and are not running up-to-date security software (both definitions and program updates). Read the tips in my extended comments about securing your PCs against this and other modern threats to your security.

July 1, 2007

Warning; Trojan in Email Link: You've received a greeting postcard from a family member!

If (rather, when) you receive an email with a subject line that matches or closely matches this:

You've received a greeting postcard from a family member!
or
You've received a postcard from a family member!

DELETE IT! These messages are sent from infected computers and contain links to go to a web page that is hosted on some poor schmuck's personal computer, on a broadband ISP connection, possibly with a static IP address. That web page contains exploit code that is used to download a Trojan Horse remote control program onto your computer. The bait is that a "family member" has just sent you a (greeting) postcard and there is a link to copy and paste into your browser's address bar (or to click on). If you mouse over that link you will see the numeric IP address in it. I have analyzed several of these recent spam messages and learned that they either point to a .hk (Hong Kong) domain, or a numeric IP address, followed by a question mark and a long group of hexadecimal characters (referred to as your card's claim number). The destinations are usually US based broadband customers' home computers that have had a (proxy) server surreptitiously installed, without the owner's knowledge. The ones I have looked at use a freeware server called "nginx." The web page they serve up contains a link to a copy of the Trojan program and deals with both people lacking and people having JavaScript enabled browsers. If you visit the link without JavaScript you will see a message that if you don't see your card you should click on a link. That link goes directly to an infected file on the hijacked computer. If you visit the page with JavaScript enabled you will be in danger of becoming infected by the JavaScript exploit that is encoded into a huge line of hostile code.

My advice, other than not even opening messages with the above mentioned subject lines, is to keep updated anti-virus (and anti-Trojan) and anti-spyware programs running at all times on your computers. If you use Outlook (Express) or a similar stand alone email client you should add a spam/virus screening front-end program, like MailWasher Pro, which I use. MailWasher Pro uses a combination of an intelligent learning filter, blacklists of known spam, a virus detector, plain text display of messages and source codes, and best of all - user configurable filter rules. I have authored two sets of custom MailWasher filter rules. My filter rules are updated frequently to respond to the latest spam and scam threats and are available online, on my MailWasher Filters page. It was the ability to read incoming email source codes in MailWasher Pro that allowed me to discover the nature of these greeting postcard threats.

I hope this saves somebody from the misery of having their computer taken over due to ignorance and unpreparedness. Stay alert and keep your anti-malware defenses running and up to date at all times. Assume that "they" are out to get you, because they are! If you receive a notice from your ISP that they suspect that your computers are sending out harmful messages, have the computers checked for proxy servers. Stay off-line until all vestiges of such programs have been completely removed, then equip your computers with the best security programs you can afford. There are links all over this page and others of mine for Spy Sweeper, Spyware Doctor, Norton Anti Virus and other similar products. Some offer a free trial, so use it, then purchase a subscription. Don't let your computers become unwitting members of zombie BotNets for use as spam/virus relays, or hosts for spamvertised websites.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.