May 6, 2018

Why I discontinued the Exploited Servers Blocklists

On May 2, 2018, after receiving two requests for removal of legitimate IP addresses, I began removing all IP addresses and CIDRs from my exploited servers iptables blocklist. This was soon followed by removal of the same addresses from the .htaccess formatted blocklists. Apparently, some folks are upset by this decision.

Some people who were using this blocklist have asked me to explain why I chose to delete the blocklist rather than continue to edit it. This blog article will explain my reasons for discontinuing the Exploited Servers Blocklist in all three formats in which it had been published. However, it was trouble arising from the iptables version that convinced me that its time had finally come.

A "blocklist" in this discussion means a text-based list of IP addresses and CIDR ranges that are blocked from, or denied access to, a web, FTP, or email server. An IP address is a group of numbers separated by periods that is assigned to any entity on the Internet, or on a local or wide area network.

It all started a long time ago when I became a moderator in a forum that had buy and sell sections for pedal steel guitars and amplifiers, etc. Shortly after taking over the role of Moderator of the Computers section of that forum, I became aware of the fact that members selling items were being scammed by Nigerian fraudsters. Being a Webmaster myself, I felt that I might be able to do something about that. This led to the creation of the Nigerian Blocklist!

Continue reading "Why I discontinued the Exploited Servers Blocklists" »

February 21, 2015

How to detect Superfish and remove it from your Lenovo computer.

If you own a Lenovo computer (desktop or laptop) that was purchased any time from September 2014 through February 2015, and it is not a ThinkPad model, chances are high that it shipped from Lenovo with an adware program named Superfish preinstalled.

A list of the affected Lenovo computers can be found here.

Why would Lenovo do this?

Simple answer: more money. They sell their lower priced, non-ThinkPad models in big box retail stores and online stores. Competition in these stores drives the prices down, which means lower profit margins for the manufacturer (in this case, Lenovo). To compensate, some manufacturers (including Lenovo) strike deals with third party advertisers and ad delivery networks to deliver targeted advertising to buyers and users of these computers. Backhanded, yes; illegal, no.

I know that a lot of my readers go back more than a few years in computer technology. You folks, like me, remember when the ThinkPad brand belonged to IBM computers. The name stayed with IBM from its introduction in April 1992, until their entire computer line was purchased by Lenovo in May, 2005. In fact, Lenovo allowed IBM to continue building and delivering certain ThinkPad models for several years after the acquisition was completed. Built like tanks, these handheld and laptop computers were revered by office workers and traveling business people. They are made for offices, business and traveling telecommuters. They usually sell for big bucks. But, if you recently bought a ThinkPad, read on and assume nothing.

What is Superfish?

Superfish is a company that manages advertising delivery for its client partners. In itself, there is nothing wrong with that, if only that were the end of the story. Hang on folks, it gets uglier from here on.

Superfish is software that, by design, intercepts your browser's communications with the websites you visit, in real time. Its servers analyze the content of the page you are on and where you might click next, then inject ads targeted at you, based on your browsing and clicking history.

Why should I care?

Because Superfish also installs a self-signed certificate into the Windows Trusted Certificate Store on your computer, which Chrome and Internet Explorer also trust, and into Firefox, which has its own trusted certificate store. It allegedly does this so that its injected ads do not trigger a security warning from the browser you are using. It gets even worse...
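One way to check for that certificate yourself, as an added example that is not part of the original post: the PowerShell below searches the Windows root stores that Internet Explorer and Chrome use (Firefox's separate store is not covered) for a certificate whose subject or issuer names Superfish, reports what it finds, and shows how the matching entry would be removed by thumbprint. The name pattern is my assumption about the shipped certificate, not a detail from the post.

```powershell
# Added example, not from the original post: search the Windows root stores
# that Internet Explorer and Chrome trust for a certificate whose subject or
# issuer names Superfish. Firefox keeps its own store and is not covered.
# The name pattern is my assumption about the shipped certificate.

$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                SelfSigned = ($_.Subject -eq $_.Issuer)   # true for a self-signed root
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $suspects) {
    Write-Output "No certificate matching '$pattern' found in the Windows root stores."
    return
}

$suspects | Format-Table -AutoSize

# Removal needs an elevated PowerShell. -WhatIf only reports what would be
# deleted; drop it once the thumbprint is confirmed. Deleting the certificate
# does not uninstall the Superfish software that injects the ads.
foreach ($s in $suspects) {
    Remove-Item -Path (Join-Path $s.Store $s.Thumbprint) -WhatIf
}
```

Run it as the affected user first, since a certificate planted in the CurrentUser store is invisible from another account; the LocalMachine store is shared by everyone.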

Continue reading "How to detect Superfish and remove it from your Lenovo computer." »

May 6, 2012

How to prevent unauthorized people or vehicles from intercepting your wireless data

Lately, much ado has been made about the Google Street View vehicles doing more than photographing houses and businesses. Apparently, the Google vans have also been intercepting and storing wireless data from *unsecured* wireless routers, as they drive along the streets of our great nation.

Does this worry you? It should if you are one of the people operating an unsecured wireless router. Not because of what Google was doing with this openly transmitted data, but because if a Google van can read your unencrypted data, so can a neighbor's hacker kid, or somebody with bad intentions driving down your street, looking for wireless connections to piggyback on, or data to steal (a.k.a: War-driving).

Here is what the FCC determined about Google Street View vans intercepting wireless data as they drove down streets:

The FCC has been investigating, and recently fined Google $25,000 [details] for the incident. In its report, the FCC concludes, "For more than two years, Google's Street View cars collected names, addresses, telephone numbers, URLs, passwords, e-mail, text messages, medical records, video and audio files, and other information from Internet users in the United States."

In its findings, the FCC concluded that Google's wireless data collection was not illegal because the information the company gleaned was not encrypted. The $25,000 fine against Google was actually for interfering with the investigation by stonewalling the search of employee records to find out why this happened and what was done with the purloined data. It turned out to be an experiment by what Google referred to as a rogue employee.

So, how can you make sure that something like this doesn't happen to your wireless connections? Secure your wireless routers, or hotspots! Here's how...

Continue reading "How to prevent unauthorized people or vehicles from intercepting your wireless data" »

March 6, 2012

Deadline for cutoff of DNS Changer infected PCs extended until July 9, 2012

On February 14, 2012, I wrote a blog article alerting my readers about the pending cutoff date of March 8, 2012, for Internet access for computers infected with the DNSChanger malware. The title told it all: "PCs infected with DNS Changer to lose Internet connections on March 8, 2012." I learned today (March 6) that a Federal Court has granted the FBI's request to extend the cutoff date until July 9, 2012 (Read PDF of Court Order).

When I published my article there were still an estimated 400,000 PCs in the USA infected with this malware. Many of these infected PCs belong to Fortune 500 companies and even parts of the US Federal Government; millions more are still infected around the world. This extension of the cutoff date is to allow more time for the large entities in business and Government circles to search for and disinfect their compromised computers. It is a monumental task, and many companies have already stretched their IT personnel and budgets to the limit sniffing out any infected machines on their premises.

It was back in early November, 2011, that the FBI filed an indictment against an Estonian crime gang whose members were accused of creating and operating the "DNS Changer" malware and botnet. Search and seize warrants were obtained and the servers being used by the criminals running this enterprise were seized and taken offline. The named suspects have been arrested and are awaiting extradition, or have already been extradited to the USA, to face charges in a US Federal Court.

But, there was a downside to this victory. Innocent victims were unknowingly having all of their Internet connectivity routed though those "rogue" DNS servers that were taken down by the FBI and DOJ.

Continue reading "Deadline for cutoff of DNS Changer infected PCs extended until July 9, 2012" »

June 15, 2011

Windows malware infections from Autorun exploits down by 82% from 2010

According to a Microsoft TechNet Blog article published on June 14, 2011, malware infections resulting from exploits involving Autorun (as when you plug in a USB memory device and it runs a program or setup automatically) have dropped by 82% from the numbers recorded during the same period in 2010.

The percentage of decline varied with the operating system and service pack installed. Windows XP users who have Service Pack 3 installed saw a 62% drop in Autorun installed malware, after accepting the optional patch issued on Feb 8, 2011, or the forced installation of the reissued patch, pushed out on February 24, 2011.

If you are operating a Windows XP computer with any service pack older than SP3, your version of Windows is now out of support and you are no longer receiving any critical patches. Thus, your computer is not protected against this, or any other recently patched, vulnerability. If it is connected to the Internet, or if you plug in an infected USB device, then unless you have manually edited your computer's Registry to disable Autorun, or it is running industrial strength anti-malware protection, it will eventually become infected and probably botted.

Computers running on Windows Vista with SP1 saw a 68% decline, while those with SP2 installed had a whopping 82% drop in malware installations.

Note! Microsoft will stop supporting Windows Vista Service Pack 1 on July 12, 2011. From that date onward, Microsoft will no longer provide support or free security updates for Windows Vista Service Pack 1 (SP1). You folks need to upgrade to Vista SP 2 by July 12, 2011, or you will not receive any more updates or patches.

Why have Autorun infection rates dropped so dramatically?

The drop in malware infections from Autorun exploits is attributable to patch KB971029, which Microsoft released as an optional update with the Windows Updates of February 8, 2011, and two weeks later as a non-optional update. It turned OFF Autorun for "non-shiny" media, that is, anything other than CDs and DVDs. Before then, if you plugged a USB stick (a.k.a. thumb drive, flash drive) into your Windows XP or Vista computer and there was a setup file on that memory device, it would run automatically. With the update installed, flash drives inserted into a PC running XP (SP3) or Vista no longer offer the option to run programs. However, the demise of AutoRun does not affect CDs or DVDs (just USB devices or shared network drives).

Some notorious infections went so far as to spoof the wording of options on the dialog box that usually opens when you plug in a USB device. The wording was crafted to induce unwary users into choosing the spoofed option, which was rewritten to look as though clicking it would open the drive as a folder for them to look at. In fact, that genuine option was still there, as the next option down! The first one executed a hidden file on the device, named "autorun.inf", which triggered a hidden executable file on the drive: a malware/spyware setup file. Because it was the first choice and because of the craftiness of the wording, many thousands of intelligent people were fooled into clicking it and installing the malware contained on those devices.
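For readers who would rather not wait for a patch, the Registry edit mentioned above and a quick check of any inserted USB device can both be done from PowerShell. The following is an added example, not code from the original post: it sets the documented NoDriveTypeAutoRun policy value so AutoRun is disabled for every drive type, then lists any autorun.inf found on removable drives together with its Hidden/System attributes and the program its open= line points at, so you can see what would have run without running it. It needs an elevated PowerShell 3 or later.

```powershell
# Added example, not from the original post: disable AutoRun for every drive
# type through the documented NoDriveTypeAutoRun policy value, then list any
# autorun.inf on removable drives with its attributes and its open= line.
# Run from an elevated PowerShell (3.0 or later); the policy key is created
# if it is missing.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

# 0xFF sets the bit for every drive type, i.e. AutoRun disabled everywhere.
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

$current = (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
Write-Output ("NoDriveTypeAutoRun is now 0x{0:X2}" -f $current)

# DriveType 2 = removable media (USB sticks, card readers).
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'

foreach ($drive in $removable) {
    $inf = Join-Path $drive.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        # -Force is needed to see a file flagged Hidden or System.
        $item = Get-Item -LiteralPath $inf -Force
        # The [autorun] section's open= line names the file that would have run.
        $open = Select-String -LiteralPath $inf -Pattern '^\s*open\s*=' | Select-Object -First 1
        [pscustomobject]@{
            Drive      = $drive.DeviceID
            File       = $inf
            Attributes = $item.Attributes
            OpenLine   = if ($open) { $open.Line.Trim() } else { '(none)' }
        }
    }
}
```

A legitimate autorun.inf (for example, one that only sets a drive icon) has no open= line and is not hidden; a hidden, system-flagged file whose open= points at an executable on the same stick is the pattern described in the paragraph above.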

Infected thumb drives were one of the means by which the Conficker worm spread so widely and quickly in late 2009 and early 2010.

Continue reading "Windows malware infections from Autorun exploits down by 82% from 2010" »

January 2, 2011

Security News and Updates for Dec 14 - 31, 2010

The last two weeks of December 2010 saw fewer vulnerability reports than some previous weeks in the last quarter of the year. This doesn't mean that criminals are sitting still, just that they are lying low to try to avoid attracting the attention of local authorities. Lately, police in such far away places as Ukraine and Russia have been arresting cyber criminals for unlawful online activities. Many of those arrested thought they were safe in the former USSR, but they were mistaken.

Here is a rundown of the security alerts issued and patched software released by the vendors of exploitable software, from December 14, through 31, 2010.

Son Of Storm Worm
The Shadowserver Foundation has uncovered a new spam campaign that they think is the work of a new botnet based on a new generation of the Storm or Waledac bot executables. One of the main characteristics of this new botnet is its large scale e-card spam campaigns, sending out scam e-mails with links to exploit pages hosted on a fast-flux network of botnetted PCs. It also shares some code used in the original Storm Worm and Waledac bot. Shadowserver is temporarily referring to this new botnet as Storm 3.0 or Waledac 2.0.

The original Storm Worm botnet was most active in 2007. Millions of spam messages were sent by zombie computers, all containing links to fellow zombies, with numeric IP URLs in the spam emails. Most featured a fake e-card, or love message, or fake news about a storm that swept across parts of Europe in early 2007. The destination pages had a fake, non-functional video, with an Adobe Flash player that "needed to be updated" with their version. That player was the Storm Worm, which made those computers members of the largest botnet on Earth at the time.

Storm declined in late 2007, but made a big resurgence in the summer of 2008. Because of the sheer number of Windows PCs infected with the Storm Worm, it attracted the attention of the code writers working on the Microsoft Malicious Software Removal Tool. The September 2008 Windows Updates featured code routines that detected both variants of the Storm Worm and completely eradicated it from hundreds of thousands of computers on Patch Tuesday, September 18, 2008. Days later, authorities forced rogue ISP Atrivo off the Internet, severing 3 of the 4 Command and Control servers used by the Russian or Ukrainian gang running the Storm botnet.

I have already warned my readers of my weekly spam analysis to be on the lookout for fake e-card greetings this Winter. They have links to compromised websites, with instant refreshes to fake Flash Player updates and other exploits, hosted on compromised personal computers. The IP addresses change with every connection request (Fast-Flux Domains); rotating the payload among the thousands of zombie PCs in the new Botnet.

Each of these Fast-Flux domains also appears to be hosted on a single Ukrainian IP address at 91.204.48.50. I would recommend blocking access to this IP address. It is already included in my published Russian Blocklist, but you can add it to your Windows computer by opening your HOSTS file and adding this line of code, then saving the file again as HOSTS (no extension):

127.0.0.1 91.204.48.50
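Added example, not from the original post, with one caveat a practitioner will want: the HOSTS file maps hostnames to addresses, so a line whose name column holds an IP address only affects lookups of that literal string as a name and does not stop the PC from connecting to 91.204.48.50 when a fast-flux domain resolves to it. To block the address itself on Vista or later, add a rule to Windows Firewall with Advanced Security, as the PowerShell below does with netsh; the rule names are my own, and the address is the one named in the post.

```powershell
# Added example, not from the original post. A HOSTS entry maps a NAME to an
# address, so "127.0.0.1 91.204.48.50" only affects a lookup of that literal
# string as a hostname; the PC can still connect to 91.204.48.50 whenever a
# fast-flux domain resolves to it. A host firewall rule blocks the address
# itself. Requires Windows Firewall with Advanced Security (Vista or later)
# and an elevated PowerShell. The address is the one named in the post; the
# rule names are my own.

$blockedIp = '91.204.48.50'
$ruleBase  = "BlockFastFluxHost_$blockedIp"

# One rule per direction, so the address can neither be reached nor reach us.
foreach ($direction in 'out', 'in') {
    $ruleName = "${ruleBase}_$direction"
    netsh advfirewall firewall add rule name=$ruleName dir=$direction action=block remoteip=$blockedIp
}

# Confirm the rules were created (prints each rule's properties).
foreach ($direction in 'out', 'in') {
    netsh advfirewall firewall show rule name="${ruleBase}_$direction"
}

# To undo: netsh advfirewall firewall delete rule name=<rule name>
```

remoteip accepts a CIDR range as well as a single address, so the same two lines serve for the larger blocklist entries; keep the rule names unique per entry so they can be deleted individually later.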
_____________________

Wordpress Critical Update
Next up, there was a critical flaw discovered in the base code of the WordPress PHP files. Therefore, WordPress.org has released a patched version, 3.0.4, available immediately through the update page in your WordPress dashboard, or for download here. It is a very important update to apply to your sites as soon as possible because, in WordPress's words, it fixes "a core security bug in our HTML sanitation library, called KSES." I would rate this release as "critical."

Note: if your websites, like mine, are hosted on Bluehost, or certain other hosting companies associated with Bluehost, you can use the custom script installers found in the Simple Scripts section of your cPanel control panel. These commonly deployed scripts are kept up to date with security patches and are easy to install with a few mouse clicks. WordPress is included, as it is so commonly probed and exploited. Any out-dated version of WordPress will be owned by hackers and used to infiltrate your website with hostile redirection scripts, spam comments, or phishing pages.

Zero Day IE Exploit
There is a new zero day exploit for Internet Explorer browsers in the wild. Imagine that! See this page on PCMag for the details.

Microsoft WMI Administrative Tool ActiveX Control Vulnerability
US-CERT is aware of a vulnerability affecting the WBEMSingleView.ocx ActiveX control. This control is part of the Microsoft WMI Administrative Tools package. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to set the kill bit for CLSID {2745E5F5-D234-11D0-847A-00C04FD7BB08} to help mitigate the risks until a fix is available from the vendor. Information on how to set a kill bit can be found in Microsoft knowledge-base article KB240797. Users and administrators are also encouraged to implement best security practices defined in the Securing Your Web Browser document to reduce the risk of this and similar vulnerabilities.
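Setting that kill bit by hand is a two-line Registry edit, and the PowerShell below does it for the CLSID in the US-CERT note, following the method KB240797 documents (a Compatibility Flags DWORD with the 0x400 bit under ActiveX Compatibility\{CLSID}). This is an added example, not part of the original post or of Microsoft's article; it ORs the bit into any flags already present rather than overwriting them, and writes the Wow6432Node copy as well on 64-bit Windows because 32-bit Internet Explorer reads that view.

```powershell
# Added example, not from the original post: set the kill bit for the
# WBEMSingleView.ocx control by the method documented in KB240797
# (Compatibility Flags = 0x400 under ActiveX Compatibility\{CLSID}).
# Run from an elevated PowerShell. On 64-bit Windows the 32-bit IE reads the
# Wow6432Node copy of the key, so both locations are written.

$clsid   = '{2745E5F5-D234-11D0-847A-00C04FD7BB08}'   # CLSID from the US-CERT note
$killBit = 0x400

$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

foreach ($key in $keys) {
    # The Wow6432Node view only exists on 64-bit Windows.
    if ($key -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # OR the kill bit into whatever flags are already set; [int]$null is 0.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newFlags = ([int]$existing) -bor $killBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord

    # Read it back so the result is verified rather than assumed.
    $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    Write-Output ("{0}`n  Compatibility Flags = 0x{1:X}" -f $key, $check)
}
```

Internet Explorer picks the change up on its next start; the control stays installed but IE refuses to instantiate it, which is exactly what the kill bit is for.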

That's all I have for you tonight. I'll post more security updates news next week, or sooner if necessary.

December 17, 2010

Microsoft patches half of their own insecure library loading vulnerabilities

It has taken the Microsoft code writers 15 weeks to patch just half of the insecure library loading vulnerabilities they announced on August 23, 2010. These patches were released with the December 14, 2010 Windows Updates.

I first wrote about the insecure library loading vulnerabilities back on October 10, 2010. At that time there were 176 programs, 20 of which belong to Microsoft, that were affected by the underlying vulnerability in how applications can call on a .dll file (Dynamic Link Library) when a program loads in Windows (this is a Windows flaw). Now, there are 239 exploitable programs on the list of vulnerable programs maintained by the security firm Secunia.

It was revealed on August 23, in Microsoft Security Advisory 2269637, that Windows itself allowed a wider range of paths to be searched when a ".dll" file was requested than most thought was the case. These paths allowed a software program to specify a remote location for a required dll file, which could include the Internet! Many commonly used programs could be exploited by adding a line of code that changed the path to their dll files. This made it possible for malware writers to infect Windows PCs by tricking users into opening their own installed vulnerable applications, which had been manipulated to request remote, maliciously crafted dll files instead of the legitimate files installed by the program.

Here is what I wrote about this remote vulnerability:

the security firm Secunia has identified 176 programs that can be exploited by directing one of these applications to load a remotely hosted hostile file, when the targeted program opens, or opens an associated file. The exploited files are .dll libraries, which just about every Windows program uses as includes to add functionality to the main program executable. The .dll files are actually executable files, but only when called by another executable.

On November 9, 2010, Microsoft released critical patches for several of its newer MS Office applications, one of which plugged a security issue involving .dll path hijacking. It took an additional 5 weeks, until December 14, 2010, for them to patch another 9 programs. This brings the total of Microsoft programs patched against the insecure library loading issue to 10. Unfortunately, three of the programs still unpatched are Windows XP Home, XP Professional and Windows Live Mail. Millions of people are using those operating systems and that email client!

Since there are still 10 Microsoft programs, including operating systems, remaining exploitable, plus 229 from other very popular software companies, I recommend that technically adept PC users read Microsoft Support Article 2264107 and apply the Fix It tool about halfway down the page. You must first apply the Registry change described at the beginning of that article before the Fix It tool will work.

In the meantime, apply all available Microsoft patches, especially those for MS Office programs, read the Secunia list of vulnerable programs, and apply the Fix It recommendations from Microsoft. As the other software companies release patched versions of their programs, you should install those new versions.

December 12, 2010

Security News and Updates for Nov 22 - Dec 12, 2010

There have been some very important security updates issued over the last 3 weeks, for commonly used and exploitable programs. Also, critical patches are due to be released by Microsoft, on Dec 14, via Windows Updates. Patching vulnerable software will help you protect your computers from hostile takeover, and/or having them drafted into spam botnets.

Here's the rundown of the latest updates that affect millions of computer users, the World over.

Update!
Google Releases Chrome 8.0.552.224
added December 14, 2010

Google has released Chrome 8.0.552.224 to address multiple vulnerabilities, just 11 days after their previous security update. Apparently, they missed fixing something on Dec 3. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

Google Chrome 8.0.552.215
On December 3, 2010, Google released an updated Chrome browser, version 8.0.552.215, to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information or bypass security restrictions. Use the built-in updater to download the latest version of Chrome. Alternately, visit the Chrome download page and get the newest version there.

Apple QuickTime 7.6.9
On December 8, 2010, Apple released QuickTime 7.6.9 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or obtain sensitive information. You can use the updater in the Windows Control Panel icon, or your Start menu Apple Software Update shortcut, to download the latest version of QuickTime, or use the previous link. Mac users can use the Apple Software Updater.

WordPress Version 3.0.3
On December 9, 2010, WordPress released version 3.0.3 to address a critical vulnerability. Exploitation of this vulnerability may allow an attacker to operate with elevated privileges. You can review the information about this update, and get the latest version for your websites, on the WordPress 3.0.3 details page.

Firefox 3.6.13
On December 10, 2010, the Mozilla Foundation released Firefox 3.6.13 to address 11 vulnerabilities, 9 of which were rated as Critical. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, or spoof the location bar. The Mozilla Foundation has also released Firefox 3.5.16 to address these same vulnerabilities. Some of these vulnerabilities also affect Thunderbird and SeaMonkey and are addressed in Thunderbird 3.1.7 and 3.0.11 and SeaMonkey 2.0.11.

Firefox users should receive this update automatically. If you didn't, you can download the current version of Firefox here. You can also use the Help menu Check for Updates link in Firefox browsers.

Microsoft Releases Advance Notification for December 2010 Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its December release will contain 17 bulletins, covering about 40 vulnerabilities. Two of these bulletins will have a severity rating of critical and will be for Microsoft Windows and Internet Explorer. Fourteen of the bulletins will have a severity rating of important and will be for Microsoft Windows, Office, and SharePoint. The remaining bulletin will have a severity rating of moderate and will be for Microsoft Exchange. Release of these bulletins is scheduled for Tuesday, December 14, 2010.

A simple step you can take to keep your exploitable software up to date.

You can use the Secunia Online Software Inspector to check for any out-dated software you may be running, along with links to get the newest versions of same. The report also shows any missing Windows Updates. I run it once a week and recommend you all do the same. They also have a downloadable version, called the PSI, that lives on your PC and checks for a much larger number of out-dated or end-of-life software programs.

Finally, the Windows Applications Insecure Library Loading list has now grown to 337 applications, including 19 from the Microsoft Mothership itself. In all, 97 different vendors have at least one, if not many more programs that could be exploited by a hostile script taking advantage of the dll path vulnerability described in the Microsoft Advisory of August 23, 2010.

With many of the threats targeting the vulnerabilities that were recently patched in these programs, it is imperative that you have up to date anti malware programs running on your PCs. I recommend Trend Micro Internet Security, with its in-the-cloud Smart Protection Network and instant definitions, and also Malwarebytes' Anti-Malware (licensed version for active protection and auto-updating). You may have to install Trend Micro first, then MBAM. That's because TM doesn't like competing products to be already running where it is installed.

November 22, 2010

Security News and Updates for Nov 8 - 21, 2010

There have been some very important security updates issued over the last 2 weeks, for commonly used and exploitable programs. Patching vulnerable software will help you protect your computers from hostile takeover, and/or having them drafted into spam botnets.

Here's the rundown of the latest updates that affect millions of computer users, the World over.

On November 9, 2010, Microsoft released critical patches for several of its newer MS Office applications. One patch plugged a security issue involving .dll path hijacking, which affects 20 top Microsoft programs, including Windows itself. Unfortunately, this vulnerability was not patched for Windows XP users running Office XP. Microsoft also released its monthly update to the Malicious Software Removal Tool. The MSRT runs during your Windows Updates process and automatically removes certain malicious software, such as botnets and other crimeware it has been updated to target.

Solution: Turn on Automatic Windows Updates and set the time to check for updates to a time when the PC is usually on. To check manually, go to the Start button, then to the link for Windows Update or Microsoft Update. Clicking that link opens Internet Explorer to the Windows Update page. Note: you must be logged in as an administrator to run manual Windows Update checks and installations.

Adobe comes through with a big update!

On November 16, 2010, Adobe released the promised security updates for its ubiquitous PDF Reader and Acrobat PDF encoder. The latest version is 9.4.1 and you can download it, and future updates, by opening Adobe Reader, or Acrobat, then go to Help, then click on "Check for Updates." If an update is available, take it! Vulnerabilities in Adobe Reader can lead to takeover of your computer, should you be tricked into opening a malicious PDF file (like those delivered in spam email as fake scanned documents, or fake courier delivery labels).

You can also download Adobe Reader updates directly from www.adobe.com. Click on the button for "Adobe Reader." This also installs an online PDF creation and sharing application called Adobe Air.

On November 12, 2010, Apple Released Mac OS X v10.6.5 and Security Update 2010-007, to address multiple vulnerabilities affecting a number of packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, conduct cross-site scripting attacks, cause a denial-of-service condition, or bypass security restrictions. Use your built in Mac software updater to get these critical patches.

On November 19, 2010, Apple Released updated Safari 5.0.3 and 4.1.3 web browsers, to address multiple vulnerabilities in the Safari and WebKit packages. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

The Windows Applications Insecure Dll Library Loading vulnerability that was disclosed several months ago now has at least 222 programs on the Secunia list. Microsoft has 20 programs listed, with only one patched (on Nov 9). They have supplied a workaround and Fix It Tool that renders exploit attacks targeting these dll paths ineffective. I advise you to install the workaround and test your programs to make sure none break as a result of securing your PC from this exploit path.
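The workaround and Fix It tool mentioned here, in the December 17 entry and in the December 12 entry all come down to the CWDIllegalInDllSearch registry value that Microsoft Support Article 2264107 documents. The following PowerShell is an added example, not Microsoft's tool or anything from the original posts: it writes that value system-wide and, optionally, for a single application through its Image File Execution Options key. The default of 0xFFFFFFFF and the example application name are my choices, and it assumes the update that article describes is installed, since Windows ignores the value otherwise. The two small helpers exist because a registry DWORD is written through Int32, so 0xFFFFFFFF has to be reinterpreted as -1 rather than cast (a plain cast overflows).

```powershell
# Added example, not from the original posts: the registry change that the
# Microsoft "Fix It" for KB2264107 makes. Run from an elevated PowerShell on
# a system where update 2264107 is installed (otherwise Windows ignores it).
#
# Values documented in KB2264107:
#   0xFFFFFFFF  remove the current working directory from the DLL search path
#   2           block DLL loads from the CWD when it is a WebDAV or remote (UNC) location
#   1           block DLL loads from the CWD when it is a WebDAV location
#   0           default: the CWD is searched

$value          = [uint32]0xFFFFFFFF   # most restrictive; relax to 2 if an application breaks
$applicationExe = ''                   # e.g. 'winword.exe' for a per-app setting; '' = system-wide only

# A registry DWORD is written through Int32, so 0xFFFFFFFF must be
# reinterpreted as -1 rather than converted (a plain cast overflows).
function ConvertTo-DwordInt32([uint32]$Unsigned) {
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Unsigned), 0)
}
function ConvertTo-DwordUInt32([int32]$Signed) {
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Signed), 0)
}

$sessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
Set-ItemProperty -Path $sessionKey -Name 'CWDIllegalInDllSearch' `
    -Value (ConvertTo-DwordInt32 $value) -Type DWord

# Read it back and show it unsigned, the way regedit does.
$applied = (Get-ItemProperty -Path $sessionKey -Name 'CWDIllegalInDllSearch').CWDIllegalInDllSearch
Write-Output ("System-wide CWDIllegalInDllSearch = 0x{0:X8}" -f (ConvertTo-DwordUInt32 $applied))

if ($applicationExe) {
    # Per-application override under Image File Execution Options\<exe name>.
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$applicationExe"
    if (-not (Test-Path $ifeo)) { New-Item -Path $ifeo -Force | Out-Null }
    Set-ItemProperty -Path $ifeo -Name 'CWDIllegalInDllSearch' `
        -Value (ConvertTo-DwordInt32 $value) -Type DWord
    Write-Output "Per-application value written for $applicationExe"
}
```

As the paragraph above advises, test your programs after applying it: an application that legitimately loads helper DLLs from its working directory will fail with the 0xFFFFFFFF setting, and the per-application key is the place to give that one program a less strict value (2 or 1) while the rest of the system keeps the strict one.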

That covers the most important security updates of the last two weeks. Stay tuned for more news as updates roll in. Criminals are not resting in their efforts to take over your PCs and you need to keep your guard up and your installed software updated. Also, operating your PC with reduced user privileges can render over 90% of malware ineffective and uninstallable. I have written several articles about this, including these:

Running a PC with reduced user privileges stops 92% of malware

Limited User Privileges Protect You

Windows 2000, XP, Vista & 7 User Account Privileges Explained

November 7, 2010

Security News and Updates for Nov 1-7, 2010

November 1-7, 2010 has been a busy week for security news and application updates. Several new zero day vulnerabilities have been reported and are being exploited in the wild. An entire country was taken offline by a targeted DDoS attack. Some major programs received updates to fix critical vulnerabilities.

Let's start with the DDoS attacks that took most of a country offline, on or about November 3, 2010.

In a politically motivated attack, the nation of Myanmar, formerly known as Burma, found itself cut off from the Internet by a massive denial of service attack on the country's Ministry of Post and Telecommunication (or PTT), which is the main conduit for Internet traffic in and out of the nation. Internet access was disrupted for both government agencies and private sector firms, with major disruptions to Myanmar's important tourism industry. The cyber attack crippled Myanmar's servers just days ahead of its first election in two decades. The attack on Myanmar could be the largest DDoS ever targeting a single country; it was far larger than the attacks on Estonia and Georgia in 2007.

According to Arbor Networks, the DDoS attack against Myanmar was attempting to push 10-15 gigabits of data through those connections, which can only support about 45 megabits per second! The attacks have actually been ongoing since October 25; getting worse as the Nov 7 election date approaches.

Next in line is a new, zero day vulnerability affecting most versions of Microsoft's Internet Explorer browser.

Microsoft Corp. has warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software. The company is urging users who haven't already done so to upgrade to IE8, which includes technology that makes the vulnerability more difficult to exploit. Microsoft has released Microsoft Security Advisory 2458511 to alert users of the new vulnerability affecting all supported versions of Internet Explorer (versions 6 - 8). This vulnerability may allow an attacker to execute arbitrary code.

Microsoft has released a Fix it Tool to help mitigate the risks until a security update is available. It is unlikely that the update will be ready for inclusion in this month's Windows Updates, due for release on November 9, 2010. Apparently, Microsoft has deemed this vulnerability less critical, due to flaws in the coding of the initial attacks. One can expect that hackers will fix those problems before Microsoft plugs the vulnerable code. Look out IE users! There's no better time to switch to Mozilla's Firefox or Google Chrome (I use Firefox exclusively).

Speaking of Firefox and Google Chrome, both browsers were updated for security reasons over the past week or so. Firefox was updated to version 3.6.12, on Oct 27, and Chrome was updated to version 7.0.517.44, on Nov 4. Use the built-in check for updates links to get the latest versions of these browsers.

Adobe Releases Security Bulletin for Flash Player, Shockwave, Reader, and Acrobat.

Adobe has released a security advisory to alert users of a vulnerability affecting Adobe Flash Player 10.1.85.3 and earlier for Windows, Macintosh, Linux, and Solaris. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. The advisory indicates that there are reports of active exploitation affecting Adobe Reader and Acrobat. Updates for Adobe Reader and Acrobat will be available by November 15, 2010.

On November 5, 2010, Adobe released Flash Player 10.1.102.64 for Windows, Macintosh, Linux, and Solaris to address multiple vulnerabilities described in the aforementioned advisory. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or bypass cross-domain policy file restrictions. The Adobe security bulletin indicates that updates for Android will be available by November 9, 2010.

On October 29, 2010, Adobe released a security update for Shockwave Player to address multiple vulnerabilities. The new version is 11.5.9.615.

Please visit http://www.adobe.com to obtain updates for their Flash and Shockwave players and for Adobe Reader and Acrobat.

Note, that for Flash and Shockwave, you will need to visit the appropriate Adobe installation page with Internet Explorer and your other browsers. This is because Microsoft uses an ActiveX version of Flash and Shockwave, while Firefox and others use a different, universal technology. Chrome, on the other hand, uses a proprietary version of Flash, made specifically for their browser. Oi!

Stay away from dangerous links leading to browser exploit pages, keep your anti-malware programs fully up to date, and always practice safe Hex.


April 3, 2010

90% of critical Windows vulnerabilities mitigated by eliminating administrator rights

According to a recent study, as much as 90% of all Windows 7 vulnerabilities can be mitigated by forcing users to operate their computers with Standard User privileges, rather than Administrator privileges. This is something I have been harping about for several years. The following are some of their findings after an extensive study.

From a news release published by BeyondTrust, on March 29, 2010, BeyondTrust's Analysis of 15 months of Microsoft Security Bulletins finds the vast majority of vulnerabilities can be diminished by configuring end users as Standard Users. They found that the removal of administrator rights from Windows users is a mitigating factor for 90% of Critical Windows 7 Vulnerabilities.

Key findings from this report show that removing administrator rights will better protect companies against the exploitation of:


  • 90% of critical Windows 7 vulnerabilities reported to date

  • 100% of Microsoft Office vulnerabilities reported in 2009

  • 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009

  • 64% of all Microsoft vulnerabilities reported in 2009

"Enterprises continue to face imminent danger from zero-day attacks as new vulnerabilities are exploited before patches can ever be developed and deployed," said Steve Kelley, EVP of corporate development. "Our findings reflect the critical role that restricting administrator rights plays in protecting against these types of threats. As companies migrate to Windows 7 they need to be aware that despite enhanced security features on the new operating systems, better controls for administrative rights are still needed to provide adequate protection."

My note: The same results can be had with the Windows 2000, XP Pro and Vista operating systems. See my 2009 article titled Running a PC with reduced user privileges stops 92% of malware.

For information about how to manage user account privileges, please read my web page titled Windows 2000, XP, Vista & 7 User Account Privileges Explained. Although it was originally written when Windows 2000 and XP were the mainstream OSes, updated information for Windows Vista and Windows 7 computers has been added. Besides, some of you are probably reading this on an XP computer and this information can protect that PC from malware attacks that would otherwise be successful.

That said, no Windows computer is truly safe without some form of anti-virus, anti-spyware and anti-malware protection installed and kept up to date. If you are looking for an all in one solution for complete malware protection please look into Trend Micro Internet Security. A single license allows you to install it on up to 5 computers for as long as the subscription is paid up.


December 5, 2009

Malwarebytes Anti-Malware Discount Coupon Code

Many of my readers are aware of the superior capabilities of Malwarebytes Anti-Malware when it comes to detecting and removing the latest malware and spyware threats. I write about it on my blog and in forums I frequent and use it myself, very successfully. In fact, I have dedicated an entire product page to describing how to use and update Malwarebytes Anti-Malware.

Malwarebytes Anti-Malware is affectionately known in the security trade as simply "MBAM." It is used in numerous malware removal help forums as a primary tool in the fight against Trojans, rootkits, fake security alerts and fake scanners. It also targets most keyloggers. Malwarebytes employs real researchers who capture malware in the wild, reverse engineer it, then develop and release new definitions to detect and remove it, using MBAM. These definitions are added to the database on users' computers, with outdated definitions getting removed at the same time. This keeps the load on the computer to a minimum, as the definitions databases are relatively small.

The reason for the swapping out of old definitions for new ones has to do with the nature of the cat and mouse game being played out between security researchers and malware authors and distributors of spyware. Malware authors are constantly altering the packaging of their nefarious products, often in as little as 24 hours after initial release. They do this to avoid detection by the most common anti-virus and anti-spyware programs. By the time a standard anti-virus company has developed detection for an altered piece of malware, it may no longer be in common circulation.

MBAM is not a substitute for an anti-virus program, but is meant to run alongside one, giving you an additional layer of protection against the most recent threats in the wild. Your anti-virus program can take care of older threats that have been in circulation for a long time without major alterations.

Malwarebytes is a company dedicated to detecting and removing the current threats in the wild. They are very quick to capture new variants of malware, develop definitions and release updates. I have seen at least 6 updates on a slow day, during a prolonged fight against a fake security program (PC Police I think). I had to take the fight to Safe Mode (Windows XP) with Networking to win the battle, using only MBAM to conduct the battle.

The program is available for free if you want to use it manually, as an on-demand scanner. You must check for updates before scanning, then scan manually. Or, for a one-time payment of only $24.95 US, or equivalent in other currencies (+ VAT in EU) you can have it turn on frequent scheduled updating and scanning, plus real time monitoring to prevent malware from being installed in the first place. That one-time payment is for a lifetime license, no matter what version is released!

The current version of Malwarebytes Anti-malware is 1.42, released on December 3, 2009. My product page lists the changes. You can download the latest version from that page and install it over the previous version. Reboot and you're good to go!

However, as great as the $24.95 lifetime price is, they have gone one better, as a Holiday special. From now until the end of December, 2009, Malwarebytes Anti-Malware is on sale for 15% off, if you use my affiliate coupon. You will find the coupon on my MBAM product page, along with a description of its usage and recent changes in the current version. Go there, read about the program, copy the code from the third yellow highlighted section, use a link on the page to purchase it, then paste the code into the coupon field and apply it. There is a checkbox in the shopping cart to reveal the coupon code box.

Here's hoping you have a happy and safe holiday season, wherever you are! Keep your PCs secured from malware, using Malwarebytes Anti-Malware.


February 18, 2009

Running a PC with reduced user privileges stops 92% of malware

According to a recent study by the BeyondTrust Corporation, titled "92 Percent of Critical Microsoft Vulnerabilities are Mitigated by Eliminating Admin Rights," most known and as yet unknown Windows exploit attacks will fail if the targeted PC is being operated with reduced user privileges. This means not running as an Administrator.

BeyondTrust's findings show that among the 2008 Microsoft vulnerabilities given a "critical" severity rating, 92 percent shared the same best practice advice from Microsoft to mitigate the vulnerability: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." This language, found in the "Mitigating Factors" portion of Microsoft's security bulletins, also appears as a recommendation for reducing the threat from nearly 70 percent of all vulnerabilities reported in 2008.

As far back as May, 2007, I have published blog articles professing the added security to be gained by operating a PC with reduced user privileges. Furthermore, I published a web page titled: User Account Privileges Explained, describing the differences between the various types of user accounts available in Windows 2000 and XP. That page also contains instructions for elevating reduced user privileges by using the Windows "Run as" right-click option, when installing, or launching a program that was built with the assumption that a member of the Administrators Group would be running it.

Some of the benefits derived by reducing your user privileges for your daily browsing account may include the following:


  • Most viruses cannot be installed

  • Most spyware cannot be installed

  • Most adware cannot be installed or survive a reboot

  • Browser BHOs that hijack your home page and search may not be fully installed, or survive a reboot

  • Rootkits cannot be installed

  • Mistakes you make by visiting compromised websites will probably fail to cause any damage

  • Botnet executables cannot take control of your computer

  • Fake anti virus or anti spyware popup alerts will not be installed, or survive a reboot

  • System Restore, Windows Defender, the Windows Firewall and Automatic Windows Updates cannot be disabled

  • Your HOSTS file cannot be poisoned

  • Worms, like the Conficker Worm cannot be installed, even via AutoPlay/AutoRun exploits

  • Changes cannot be made to the HKLM branch of the Windows Registry

  • Some programs cannot be installed, unless you use "Run as"

  • Files cannot be saved to, deleted from, or overwritten with fake copies, in the Windows and System32 directories and sub-directories


To achieve all of the above protection one should change their daily browsing account type from "Computer Administrator" to "User" or "Limited User." If you are using a computer with a "Business" or "Professional" version of Windows you can run as a "Standard User" (Windows Vista and Windows 7), or "Power User" (Windows 2000 and XP), depending on your operating system. The benefits also presume that the owner or user is not tricked into installing the malware by using the "Run as (Administrator)" command. If you download a Trojan Horse program that you think is something useful and it turns out to be malware in disguise, you can infect the computer by Running it as an/the Administrator. Common sense and a high level of suspicion, along with a judicious amount of Googling about unrecognized programs, before installing them, can save your butt.
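As an added example (not from the original article, and not a BeyondTrust or Microsoft tool), the following Windows PowerShell script reports whether the account it runs under actually holds administrator rights and then probes three of the protections listed above: writing to the HKLM branch of the registry, to the HOSTS file and to the System32 directory. It illustrates both this article and the 2010 "eliminating administrator rights" post above; it assumes Windows Vista or later with Windows PowerShell, and the probe key and file names are hypothetical placeholders that the script removes again if a write succeeds.

```powershell
# Added example: audit the privilege level of the current account and test
# whether it can perform the writes that malware typically needs. On a
# Standard/Limited User account every probe should report Writable = False.

function Test-IsAdministrator {
    # Checks the token the shell actually holds. Under UAC, an administrator
    # running a non-elevated shell has a filtered token and is reported here
    # as NOT an administrator, which is exactly what matters for malware.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WriteAccess {
    param(
        [string]$Label,
        [scriptblock]$Attempt   # performs one write and cleans up after itself
    )
    try {
        & $Attempt
        [pscustomobject]@{ Check = $Label; Writable = $true }
    } catch {
        # UnauthorizedAccessException (or a registry security error) lands here
        [pscustomobject]@{ Check = $Label; Writable = $false }
    }
}

# Hypothetical probe locations; nothing is left behind on success.
$probeKey  = 'HKLM:\SOFTWARE\LeastPrivilegeProbe'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$sys32File = Join-Path $env:SystemRoot 'System32\LeastPrivilegeProbe.tmp'

$results = @(
    Test-WriteAccess 'HKLM registry branch' {
        New-Item -Path $probeKey -Force -ErrorAction Stop | Out-Null
        Remove-Item -Path $probeKey -Recurse -Force -ErrorAction Stop
    }
    Test-WriteAccess 'HOSTS file' {
        # Open for append without writing any bytes, then close again.
        $stream = [IO.File]::Open($hostsPath, 'Append', 'Write')
        $stream.Close()
    }
    Test-WriteAccess 'System32 directory' {
        Set-Content -Path $sys32File -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $sys32File -Force -ErrorAction Stop
    }
)

"Account: $env:USERDOMAIN\$env:USERNAME"
"Running with administrator rights: $(Test-IsAdministrator)"
$results | Format-Table -AutoSize
```

If any probe reports Writable = True on what you believed was a limited account, the account type or an elevated shell is the cause, and the protections listed above do not apply until that is corrected.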

Continue reading "Running a PC with reduced user privileges stops 92% of malware" »


December 31, 2008

R.I.P. CastleCops

After about 6 years of existence, long time security website Castlecops.com has shut down operations, effective December 23, 2008. This comes about 6 months after the owner of the website left it in the hands of his deputies to pursue a security based career at Microsoft. I was a member of CastleCops for a long, long time, handling anti spam solutions in the MailWasher forum. I am sorry to see this valuable resource go away.

My thinking is that somebody will step up and offer a similar place for security minded people to gather and do their good work. It will cost a lot of money for redundant, failover hosting, and the servers will have to be robust, with huge pipes to the Internet. When CastleCops closed up shop they were still in the midst of an ongoing fund raiser to buy new servers. The existing equipment was simply overloaded to the point that the site would take minutes to change pages to various forums and search results. The databases were unbelievably huge.

If and when this hopeful re-emergence occurs you can rest assured that I and thousands of other former CastleCops volunteers will gather at the new site, to resume the good work of fighting phishing, scamming, spamming and malware threats. Until then, I continue to maintain my MailWasher Pro spam filter discussions on the new Firetrust MailWasher Forum. I post new MailWasher spam filter updates on my website and in the aforementioned Firetrust forum.

In the meantime you can learn about my preferred anti-spam solution, MailWasher Pro, or learn how to protect your websites from scammers, spammers and hackers using my .htaccess blocklists, or my iptables blocklists.

Still guarding the Castle against scammers and spammers, I remain your humble Wiz.


July 19, 2008

Security also includes door kick-in prevention locks for your home

I usually write articles about computer or website security on my blog and a lot of people seem to benefit from my articles. Security is on almost everybody's mind these days, whether it relates to your computer, website, job, car, or home. Today I would like to address the problem that I see a lot in the local news; home burglaries where the thieves gain entry by kicking in a door. One of the frequently stolen items in these crimes is a computer, so in a way this is about securing your computer - physically. It is also a plug for a local Flint, Michigan business owned by people I know personally, who are trying to make a difference.

The days of simply closing your front door and retiring for the evening have given way to deadbolt locks and chains. But today, even deadbolts and chains don't seem to offer enough security against determined home invasion burglars. A determined thief won't waste time trying to pick the lock; he'll just kick the door open, breaking through the lock jamb in the wood, ripping it out by the screws, taking you by surprise in the middle of the night! If you live in a place where this kind of crime happens you need a better method of protecting your doors and your family. Enter the Taylor Brothers "NIGHTLOCK" Door Lock.

The NIGHTLOCK Door Lock is a floor mounted solution to kick-ins and forced door jambs. It is made out of solid aluminum, with an anodized brass finish and matching solid brass screws and can be mounted into any type of floor, including cement floors - using the plastic anchors supplied with the kit. The NIGHTLOCK is mounted directly behind the door, on the side where it opens, which is the point of least resistance when somebody forces the door open. The NIGHTLOCK stopper bracket easily slides into the 7/16" high floor-mounted base plate and sticks up about 2 inches above the bottom of the door. This takes away the freedom of motion that burglars count on when they kick in or force the door open. Unless they are able to break it off the hinges, on the other side, they ain't getting in through that door! I have tried forcing an unlocked door open with NIGHTLOCK behind it and almost threw out my shoulder! It really works (ouch!).

There is a short video presentation demonstrating how the NIGHTLOCK protects you from door kick-ins on the NIGHTLOCK website home page. They are made in Flint, Michigan, by the Taylor Brothers, cost $29.95, plus UPS or Priority Post shipping (+ sales tax for Michigan residents). They are always in stock and are shipped fast. If you live within driving distance of Flint, Michigan, you can see them on display and buy them in person at Taylor Steel Co, on Coldwater Rd, just west of Dort Highway. Tell them Wiz sent you!


December 10, 2007

Grisoft (AVG) Acquires Exploit Prevention Labs

December 5, 2007:

There is big news for AVG anti-virus users. Grisoft, the makers of AVG, have just announced the acquisition of Exploit Prevention Labs, the makers of LinkScanner Pro. The deal is expected to be finalized by December 31st 2007. According to the announcement, the code for LinkScanner Pro is going to be included in all versions of AVG anti-virus.

For those who are not familiar with LinkScanner Pro, it is a security program for PCs that monitors the code on websites you visit and looks for and removes dangerous exploit code as the site is downloading to your browser. It is exceptionally good at stopping iframe and redirection exploits that lead to so many infections. According to what I read, LinkScanner Pro was able to remove this dangerous exploit code from the pages you wanted to view, delivering only the safe content. This type of exploit has recently been used against MySpace users and some major sports information web sites, not to mention the thousands of personal and business web sites that have had redirection code injected into their home pages.

The news that this functionality is about to be rolled into AVG is fabulous. I don't know the time table for the inclusion of LinkScanner into AVG, but the news release mentions that the "Lite" version will be added to AVG Free, while the stronger version will go into the paid version of AVG Pro, and the AVG anti spyware program (formerly Ewido).

Short-term product integration plans include adding LinkScanner technology to AVG Anti-Virus Free and offering LinkScanner Online, a free on-demand URL scanning service, directly from the AVG web site. AVG also expects to maintain LinkScanner Pro, Exploit Prevention Labs’ flagship product, as a standalone offering.

Related to this announcement is the hiring of Roger Thompson, the co-founder and CTO of Exploit Prevention Labs, to become the Chief Research Officer at Grisoft, while other staff and facilities will also be absorbed into the Grisoft operation. Seems like a big win for Roger and his staff. AVG users will also be winners when this product gets included in the various AVG programs in use around the world.

In the short term, there will be no change to update deliveries or support procedures, and the websites at www.linkscanner.com and www.explabs.com will remain operational. Over time, these procedures and websites will merge with AVG’s procedures and websites.


November 24, 2007

Extraordinary online caution needed this holiday season

I wanted you all to be aware (in case you don't already know) that cyber-criminals are planning all out attacks against online consumers this holiday season, and they have already begun. Everything from phishing scams, to social engineering via tricky email messages, to the outright theft of transaction databases by exploiting servers is being rolled out to try to take your money and identity. Please treat all strange email subjects and senders as potential threats, not just objects of curiosity. Also, whatever your operating system your computer uses, please keep it updated with all current patches, to reduce your chances of getting exploited by a threat in the wild.

If you intend to make an online purchase, use a credit card if you have one, as most issuers limit your liability to $50, in the event your numbers are stolen and used fraudulently. There may or may not be similar protection on your debit cards, and if a cyber-criminal wipes out your bank account, you may have to wait a long time to get the money credited back, if it is at all.

Do not fall victim to Nigerian 419 scammers, whether it is the advance fee to claim funds scam, the lottery scam, the over-payment/refund scam, the money-laundering work-at-home check cashing scam, or other variations used by the World's foremost scammers.

Do not click on links in unsolicited emails, to view cute animals, or sports trackers, or eCards, or postcards, especially numeric URL links! The Storm Trojan BotMasters use these tricks to infect your PC and make it part of the World's largest Botnet, to date. If such an email arrives from a sender you know, send them a message asking if they actually sent that email to you. Chances are that they have no knowledge of that message being sent in their name. Heck, I get spam emails supposedly from my account names to the same accounts (but the sender's name is random characters or a non-existent user name)! Spammers use forged senders and reply to addresses in all of their messages now. There is no point in replying to them to complain, because, either the sender is unaware their name was used, or the account does not actually exist on that mail server.

eBay, PayPal, bank and credit union phishing scams are being ramped up, in anticipation of huge rewards during the upcoming Christmas buying season. Ditto for probes against online credit card databases.

One of the main reasons there is such a huge increase in the amount of spam this Winter, especially a lot of nasty stuff, is because the criminals behind these messages are hiding behind compromised personal computers that they have drafted into their BotNets. They do not fear being tracked down because they have created a virtual firewall between the command centers, the zombie computers and themselves. These people usually live in countries where the law turns a blind eye to such activities, as long as they don't use the Botnet against their own people, or governments. A lot of them speak Russian as their native language.

Keep your defenses up this shopping season. Use spam filters, like MailWasher Pro (which I use), to filter out as much spam and scam email as possible, to reduce your exposure to email-borne threats. Keep regularly updated versions of anti virus and anti spyware programs on Windows based PCs (see graphic image ads on this page for reputable security products), and set your computer to receive Windows Updates automatically. Do not run as an administrator while browsing the Internet or reading email. It is dangerous, whether your operating system is Windows, Mac or Linux. Use Limited User, Power User or User privileges instead, and learn how to escalate to administrator level only as and when needed. I have an entire article about creating limited user accounts here. Read it and learn to protect your PC.

Each well secured computer is one less zombie in a Botnet, and hopefully, one less identity theft victim. Have a safe and happy holiday season!


January 18, 2007

AVG extends support for AVG Free version 7.1

From the I don't believe it department comes this news...

Grisoft, the maker of AVG anti virus and anti spyware products has just announced that the cutoff of support for AVG Free 7.1 has been extended one month, to February 18, 2007. Last fall they had announced that all updates and support for AVG Free 7.1 would end on January 15, 2007. Many AVG Free users, including me, have already upgraded to the new version 7.5 as a result and are enjoying the improved interface.

Yesterday, on a service call, I checked for and obtained updates for AVG Free on a computer. After the update completed I decided to open the interface to see if it was the new version and was surprised to discover it to be 7.1. I upgraded it anyhow, but pondered why there was a definition update on January 17, when support was to have ended 2 days earlier. Now I know why.

Anyway, if you are still using AVG Free 7.1 you have one more month to use it, with definition updates, before they pull the plug (unless it gets extended again!).

What's different in AVG Free 7.5?

With version 7.5, users receive improved virus detection based on better heuristics and NTFS data stream scanning, smaller update files and an improved user interface. Anti-Virus Free Edition 7.5 is also Windows Vista-ready and is available via Windows Security Center as a security solution. To upgrade to free version 7.5, users can visit: http://free.grisoft.com.

Grisoft also offers commercial versions of AVG Anti Virus, including a Windows Server edition. The commercial versions are available from http://www.grisoft.com . They also own the former Ewido Anti Spyware program and have renamed it to AVG Anti-Spyware. It is available as a trial version, which reverts to freeware with reduced capabilities after 30 days.


January 5, 2007

Cisco Systems to buy IronPort Systems, which owns SpamCop

I just learned that router maker Cisco Systems, Inc. is in the process of purchasing IronPort Systems, Inc, for $830 Million, US, in cash and stock options. IronPort is in the anti-spam, anti-virus and website security fields, and is the owner of SpamCop, of which I am a reporting member. That's why this acquisition interests me.

SpamCop started out in 1998 as the property of Julian Haight, and is a website where members can paste the contents of spam and scam email messages to have them reported to the ISPs and web hosts involved in the delivery of those messages. SpamCop processes over a million spam reports a day and maintains a list of the ISPs through which these spam/scam messages are being sent. Referred to as the SpamCop Blocklist (SBL), that list of spammers and the unsecured computers they also use to relay their garbage is used by email systems around the World to identify and flag much of the incoming spam that floods the Internet every day.

I use MailWasher Pro to screen and filter all incoming email and it consults the SBL to see if a message has already been identified and flagged by SpamCop, and adds its own flag to the Status column to warn me about it. When I see a message flagged by the SBL and I bother to investigate, I find that it is spam, 100% of the time. MailWasher Pro also has a place to input your SpamCop login id and includes a checkbox to report spam via that account. You must respond to an automatic reply from SpamCop and go to your report manually to finish submitting it, but you are saved the hassle of reading the source code and copying and pasting it into the SpamCop reporting field yourself.

In June 2003, SpamCop became a wholly-owned subsidiary of IronPort Systems, Inc, which is a security software and solutions company. IronPort Systems, founded in 2000, is the leading email and Web security products provider for organizations ranging from small businesses to the Global 2000. And now, both become a division of the leading router manufacturer in the entire World, Cisco Systems. In case you didn't know it, the Internet runs on Cisco routers. This acquisition will add a lot of financial backing to IronPort and SpamCop, to help them in their fight against the scourge of spam that inundates inboxes every hour.

Continue reading "Cisco Systems to buy IronPort Systems, which owns SpamCop" »


November 3, 2006

WinAntiVirusPro2006/2007 popup is indication of a malware infection

If you receive a popup message similar to this:

INTERNET SECURITY CENTER: "YOUR MACHINE MAY BE INFECTED BY THE BLOODHOUND VIRUS," advising you to download WinAntiVirusPro2006, or WinAntiVirusPro2007, you are already infected. The program is fraudulent and uses bogus detections to goad the gullible into purchasing it to remove the "infections" it claims to have found. See the Spyware Warrior Rogue Anti-Spyware list for more details about this bogus program.

WinAntiVirusPro2006/2007 is part of the infection that popped up the notice in the first place. While your computer may indeed be infected with viruses and/or spyware, that program will not remove them. Get an authentic anti virus program to remove real threats (see list below).

To remove this threat you should download and install a spyware removal program, like Spyware Doctor, or Spybot Search and Destroy. Search for and download all available updates, then scan for and fix any problems found. You may have to reboot and let the anti spyware program run again before the Windows Desktop loads, to finish the removal process, or even have to reboot into Safe Mode. These sleazeware infections do not let go easily.

If you try removing the WinAntiVirusPro2006/2007 infection with Spybot S & D, and it is unsuccessful in removing this or other threats from your PC, visit the Spybot Search & Destroy Malware Removal Forum for help.

Some Legitimate Anti Virus and Anti Spyware Programs:

  • PC Tools Spyware Doctor

  • Webroot Spy Sweeper

  • Kaspersky Anti Virus

  • Trend Micro PC-cillin Internet Security


If you lack an anti virus program and cannot afford to purchase one, Grisoft makes the excellent AVG Free anti virus program that you can download.

Updated on April 7, 2007, to include WinAntiVirusPro2007 parasite in details.


September 21, 2006

AOL Instant messaging worm builds menacing 'botnet'

If you use AOL Instant Messenger, or another IM client that is capable of connecting to the AIM network and downloading files, you should read this security alert.

A computer worm that spreads via instant messaging is being used to build an extensive "botnet" of remote-controlled PCs, a US security firm has warned.

Security experts at US company FaceTime identified the worm as "W32.pipeline" and warned that it spreads via AOL's instant messenger program.

The worm disguises a malicious executable program as a jpeg image, which is attached to an instant message that appears to come from someone on the recipient's AOL "buddy list".

Typically, the picture is accompanied by the message, "hey would it be ok if I upload this picture of you to my blog?" although another similar message may also be used.

Ultimate goal

If the recipient tries to open the image, the executable installs a program on their PC. This forwards the executable on to other contacts on their buddy list and also enables connections to several remote computers. It then tries to download another program that allows an outsider to control the infected machine.

FaceTime's director of malware research Chris Boyd says the goal appears to be creating a huge network of remote-controlled machines, known as a "botnet". As of Thursday, Boyd estimates W32.pipeline had amassed a botnet of between 1000 and 2000 machines.

Botnets may be used to send out huge quantities of junk e-mail or attack business websites with an avalanche of data, in a so-called distributed "denial-of-service" attack, which may be linked to extortion.

Click fraud

Botnets can also be used to commit "click fraud", which involves ordering the zombie machines to repeatedly click internet advertisements, to generate money for a company that is paid per click.

"The ultimate goal of the W32.pipeline is to create a sophisticated botnet that can be used for a range of malicious purposes," FaceTime said in a security alert issued on Tuesday.

Boyd and other researchers posted details of the worm, including screenshots and "attack scenarios" to the company's blog – http://blog.spywareguide.com.

They note that the botnet created using the worm, which is controlled via Internet Relay Chat (IRC) servers, is particularly sophisticated and uses a complicated "install chain" to schedule file uploads to infected machines.
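A defender-side check for the disguise described above, added here as an example; it is not code from the original post or from FaceTime. The worm names an executable as if it were a JPEG, so comparing a file's first bytes with the type its name claims catches the trick without needing a signature for the specific worm. The sample attachments, the helper names and the verdict labels are my own constructions; the magic-byte values (FF D8 FF for JPEG, the ASCII "MZ" DOS header for a Windows executable) are the real ones. The double-extension check goes slightly beyond the article: it flags names such as photo.jpg.exe, which look like an image whenever the final extension is hidden from the user.

```python
"""Compare an attachment's leading bytes with the file type its name claims.

Added example, not from the original post. Everything here (sample data,
helper names, verdict labels) is constructed for illustration.
"""
import os
from typing import Dict, List, Optional

# Real magic-byte prefixes for a few formats relevant to this kind of disguise.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pe": (b"MZ",),  # DOS/PE header that every Windows .exe/.scr/.com starts with
}

IMAGE_EXTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
EXEC_EXTS = {".exe": "pe", ".scr": "pe", ".com": "pe", ".pif": "pe"}
EXT_TO_TYPE = {**IMAGE_EXTS, **EXEC_EXTS}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the content by its leading bytes, or None if unrecognised."""
    for name, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return name
    return None


def claimed_type(filename: str) -> Optional[str]:
    """Type implied by the final extension of the name the user sees."""
    ext = os.path.splitext(filename)[1].lower()
    return EXT_TO_TYPE.get(ext)


def has_image_then_exec_extension(filename: str) -> bool:
    """True for names like photo.jpg.exe: image extension hiding an executable one."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    return ("." + parts[-2]) in IMAGE_EXTS and ("." + parts[-1]) in EXEC_EXTS


def check_attachment(filename: str, data: bytes) -> Dict[str, Optional[str]]:
    """Return a verdict for one attachment.

    verdict is one of:
      "double_extension" - image extension followed by an executable extension
      "masquerade"       - content is an executable but the name claims an image
      "mismatch"         - name and content disagree in some other way
      "unknown"          - content type not recognised (handle conservatively)
      "ok"               - name and content agree
    """
    claimed = claimed_type(filename)
    actual = sniff_type(data)
    if has_image_then_exec_extension(filename):
        verdict = "double_extension"
    elif actual is None:
        verdict = "unknown"
    elif claimed == actual:
        verdict = "ok"
    elif actual == "pe" and claimed in IMAGE_EXTS.values():
        verdict = "masquerade"
    else:
        verdict = "mismatch"
    return {"file": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


# Constructed sample attachments (synthetic headers, not real malware):
SAMPLES = {
    "party.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,   # genuine JPEG header
    "me.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,            # PE header, image name
    "you.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,                       # double extension
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,                         # honest executable
    "notes.txt": b"just some text\n",                                  # nothing to sniff
}


def scan_samples(samples: Dict[str, bytes] = SAMPLES) -> List[Dict[str, Optional[str]]]:
    """Run the check over every sample and return the verdicts."""
    return [check_attachment(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan_samples():
        print(f"{r['file']:<12} claimed={str(r['claimed']):<6} "
              f"actual={str(r['actual']):<6} {r['verdict']}")
```

The check reads only the first few bytes, so it is cheap enough to run on every IM or mail attachment at a gateway; an "unknown" verdict should be treated as suspicious rather than clean, since the worm could just as easily ship a format this small table does not know.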

June 6, 2006

Microsoft CEO spends two days trying to clean Windows PC malware

"Microsoft executives love telling stories against each other. Here's one that platforms vice-president Jim Allchin told at a recent Windows Vista reviewers conference about chief executive Steve Ballmer," David Frith reports for Australian IT. "It seems Steve was at a friend's wedding reception when the bride's father complained that his PC had slowed to a crawl and would Steve mind taking a look."

"Allchin says Ballmer, the world's 13th wealthiest man with a fortune of about $18 billion, spent almost two days trying to rid the PC of worms, viruses, spyware, malware and severe fragmentation without success," Frith reports. "He lumped the thing back to Microsoft's headquarters and turned it over to a team of top engineers, who spent several days on the machine, finding it infected with more than 100 pieces of malware, some of which were nearly impossible to eradicate."

Frith reports, "Among the problems was a program that automatically disabled any antivirus software. 'This really opened our eyes to what goes on in the real world,' Allchin told the audience. If the man at the top and a team of Microsoft's best engineers faced defeat, what chance do ordinary punters have of keeping their Windows PCs virus-free?"

Full article is here

May 9, 2006

Rogue/Suspect Anti-Spyware Products and Web Sites

Spyware and adware are on the minds of most web surfers these days. As well they should be! These types of infections cause popup ads to appear out of nowhere, hijack your home and search pages in Internet Explorer, and phone home with specific details about your web usage, and sometimes with your user names and passwords to financial websites.

With all kinds of spyware, adware, sleazeware and other malware threats in the wild, people are constantly searching for solutions to rid their computers of these pests and security threats. The more prudent folks visit the well known and respected spyware fighting organizations, websites, blogs and forums to get the skinny on which programs work and which don't work as claimed, and what the latest threats are.

On the other hand, those who don't know about the support forums and websites wait for the first popup ad to come along that offers them a solution to their spyware concerns. The popup notice may look like a system message and warn the user that their computer is infected with critical system infections that it can remove - for a fee. They click on it, download and purchase the product, and allow it to remove the threats it claims to have found, only to discover later that it removed nothing at all: the threats it reported never existed on their computer, while the threats that actually were there were left untouched.

This variety of spyware that pretends to be a spyware removal program, but isn't, is known in the spyware fighting community as "Rogue Anti-Spyware Programs." These programs use false positives to goad you into purchasing them. Programs that fit this description include SpySheriff, Spyware Sheriff, SpyTrooper, SpywareKilla, SpywareNo!, Spyware Quake, SpyAxe, SpyFalcon, SpywareStrike, and almost three hundred more programs just like these.

Eric L. Howes maintains a comprehensive listing of all known rogue anti-spyware programs on his website - SpywareWarrior.com - on the Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites web page. There are currently 289 Rogue anti-spyware programs on his list! If you get a mysterious popup alerting you that your computer is infected, check his list before downloading that program.

Continue reading "Rogue/Suspect Anti-Spyware Products and Web Sites" »

May 8, 2006

Botmaster Sentenced to 57 Months in Prison

May 8, 2006

A 21-year-old California man was sentenced today to 57 months in prison for hacking into hundreds of thousands of computers and renting the network of hacked PCs out to spyware companies and to people who used the network to send spam and launch crippling attacks against Web sites.

Jeanson James Ancheta of Downey, Calif., admitted that he used Internet worms to seize control over a massive number of PCs running the Windows OS. He used those computers as an install base for online ad-serving software that netted him more than $61,000 and a BMW sports car.

Ancheta also pleaded guilty to breaking into computers at the weapons division of the U.S. Naval Air Warfare Center in China Lake and the Defense Information Systems Agency, causing roughly $15,000 worth of damage.

According to the indictment, Ancheta made about $3,000 renting out portions of his zombie network to spammers and other criminals, usually in increments of 10,000 hacked machines at a time.

James Aquilina, the assistant US attorney who prosecuted Ancheta on behalf of the federal government, called it the longest sentence ever handed down for a case involving the spreading of computer viruses, and said he hopes the unprecedented sentencing sends a strong message to other botmasters and malicious young hackers.

Aquilina said: "My hope is that this sentence will deter others from using botnets to commit crimes, especially the youthful ones who commit these crimes and think they're immune from prosecution, that they'll never get caught."

April 28, 2006

Microsoft Steps Up Windows XP Piracy Check For Counterfeit Software

Starting Tuesday, April 25, Microsoft has been pushing out a test tool that checks whether the copy of Windows a PC is using is properly licensed. It will be sent to millions of people in the United States, United Kingdom, Malaysia, Australia and New Zealand. It will extend its 'Windows Genuine Advantage' program to send alerts directly to users of pirated software, the company said yesterday.

Starting April 26, 2006, however, Windows XP users in the United States who have set up automatic security updates will receive the anti-piracy tool. After installation and reboot, they may find their computers popping up an alert that reads: 'This copy of Windows is not genuine; you may be a victim of software counterfeiting.' These popup notices will occur as they log on and while they are working with their computers. The popups will continue to occur until such time as the computer owner installs a valid license code, which may require a phone call to Microsoft support.

You can obtain a legal, licensable copy of Windows XP from Tiger Direct or Newegg, at a much lower price than Microsoft charges for just a license.

At this time the new validation system is optional - you may choose to opt out, but only if you have set Automatic Updates to notify only, not install without review, or if you perform manual Windows Updates, where there is a checkbox that can be unchecked to remove that item from the download items. It is expected that this will change to be non-optional after the pilot program has been tested for a short time.

Continue reading "Microsoft Steps Up Windows XP Piracy Check For Counterfeit Software" »

April 19, 2006

GRISOFT Acquires Anti-malware Expert Ewido Networks

Brno, Czech Republic and Millburn, N.J. - April 19, 2006 - GRISOFT, the maker of award-winning AVG Anti-Virus, today announced the acquisition of Ewido Networks, a leading provider of innovative anti-malware solutions. This acquisition expands GRISOFT's AVG antivirus and firewall offerings to include comprehensive malware protection, and provides its customers with the highest level of security against growing types of malicious software spreading across the Internet.

Full Press-Release:
http://www.grisoft.com/doc/29396/lng/us/tpl/tpl01

April 7, 2006

Security News for April 2006

This blog covers computer and website security issues. It is updated as news becomes available that affects the security of computer users or webmasters.

As a webmaster myself I keep informed about vulnerabilities that might be exploited against my websites and will share them with you all.

As a computer user I believe that securing my PC is of paramount importance. I study various sources of security information and will post news here if I feel it will be of benefit to my friends, who know about this blog, and visitors who discover it in a search.

Thanks for visiting Wizcrafts Computer Services "Security Blog" and welcome!

Continue reading "Security News for April 2006" »

About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
