Wiz's Computer and Website Security Blog

According to a recent study by the BeyondTrust Corporation, titled "92 Percent of Critical Microsoft Vulnerabilities are Mitigated by Eliminating Admin Rights," most known and as yet unknown Windows exploit attacks will fail if the targeted PC is being operated with reduced user privileges. This means not running as an Administrator.

BeyondTrust’s findings show that among the 2008 Microsoft vulnerabilities given a "critical" severity rating, 92 percent shared the same best practice advice from Microsoft to mitigate the vulnerability: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." This language, found in the "Mitigating Factors" portion of Microsoft’s security bulletins, also appears as a recommendation for reducing the threat from nearly 70 percent of all vulnerabilities reported in 2008.

As far back as May, 2007, I have published blog articles professing the added security to be gained by operating a PC with reduced user privileges. Furthermore, I published a web page titled: User Account Privileges Explained, describing the differences between the various types of user accounts available in Windows 2000 and XP. That page also contains instructions for elevating reduced user privileges by using the Windows "Run as" right-click option, when installing, or launching a program that was built with the assumption that a member of the Administrators Group would be running it.

Some of the benefits derived by reducing your user privileges for your daily browsing account may include the following:

• Most viruses cannot be installed


• Most spyware cannot be installed


• Most adware cannot be installed or survive a reboot


• Browser BHOs that hijack your home page and search may not be fully installed, or survive a reboot


• Rootkits cannot be installed


• Mistakes you make by visiting compromised websites will probably fail to cause any damage


• Botnet executables cannot take control of your computer


• Fake anti virus or anti spyware popup alerts will not be installed, or survive a reboot


• System Restore, Windows Defender, the Windows Firewall and Automatic Windows Updates cannot be disabled


• Your HOSTS file cannot be poisoned


• Worms, like the Conficker Worm cannot be installed, even via AutoPlay/AutoRun exploits


• Changes cannot be made to the HKLM branch of the Windows Registry


• Some programs cannot be installed, unless you use "Run as"


• Files cannot be saved to, deleted from, or overwritten with fake copies, in the Windows and System32 directories and sub-directories

Continue reading "Running a PC with reduced user privileges stops 92% of malware" »

Posted by Wiz at 7:34 PM | Permalink

After about 6 years of existence, long time security website Castlecops.com has shut down operations, effective December 23, 2008. This comes about 6 months after the owner of the website left it in the hands of his deputies to pursue a security based career at Microsoft. I was a member of CastleCops for a long, long time, handling anti spam solutions in the MailWasher forum. I am sorry to see this valuable resource go away.

My thinking is that somebody will step up and offer a similar place for security minded people to gather and do their good work. It will cost a lot of money for redundant, failover hosting, and the servers will have to be robust, with huge pipes to the Internet. When CastleCops closed up shop they were still in the midst of an ongoing fund raiser to buy new servers. The existing equipment was simply overloaded to the point that the site would take minutes to change pages to various forums and search results. The databases were unbelievably huge.

If and when this hopeful re-emergence occurs you can rest assured that I and thousands of other former CastleCops volunteers will gather at the new site, to resume the good work of fighting phishing, scamming, spamming and malware threats. Until then, I continue to maintain my MailWasher Pro spam filter discussions on the new Firetrust MailWasher Forum. I post new MailWasher spam filter updates on my website and in the aforementioned Firetrust forum.

In the meantime you can learn about my preferred anti-spam solution, MailWasher Pro, or learn how to protect your websites from scammers, spammers and hackers using my .htaccess blocklists, or my iptables blocklists.

Still guarding the Castle against scammers and spammers, I remain your humble Wiz.

Posted by Wiz at 4:15 PM | Permalink

I usually write articles about computer or website security on my blog and a lot of people seem to benefit from my articles. Security is on almost everybody's mind these days, whether it relates to your computer, website, job, car, or home. Today I would like to address the problem that I see a lot in the local news; home burglaries where the thieves gain entry by kicking in a door. One of the frequently stolen items in these crimes is a computer, so in a way this is about securing your computer - physically. It is also a plug for a local Flint, Michigan business owned by people I know personally, who are trying to make a difference.

The days of simply closing your front door and retiring for the evening have given way to deadbolt locks and chains. But today, even deadbolts and chains don't seem to offer enough security against determined home invasion burglars. A determined thief won't waste time trying to pick the lock; he'll just kick the door open, breaking through the lock jam in the wood, ripping it out by the screws, taking you by surprise in the middle of the night! If you live in a place where this kind of crime happens you need a better method of protecting your doors and your family. Enter the Taylor Brothers "NIGHTLOCK" Door Lock.

The NIGHTLOCK Door Lock is a floor mounted solution to kick-ins and forced door jams. It is made out of solid aluminum, with an anodized brass finish and matching solid brass screws and can be mounted into any type of floor, including cement floors - using the plastic anchors supplied with the kit. The NIGHTLOCK is mounted directly behind the door, on the side where it opens, which is the point of least resistance when somebody forces the door open. The NIGHTLOCK stopper bracket easily slides into the 7/16" high floor-mounted base plate and sticks up about 2 inches above the bottom of the door. This takes away the freedom of motion that burglars count on when they kick in or force the door open. Unless they are able to break it off the hinges, on the other side, they ain't getting in through that door! I have tried forcing an unlocked door open with NIGHTLOCK behind it and almost threw out my shoulder! It really works (ouch!).

There is a short video presentation demonstrating how the NIGHTLOCK protects you from door kick-ins on the NIGHTLOCK website home page. They are made in Flint, Michigan, by the Taylor Brothers, cost $29.95, plus UPS or Priority Post shipping (+ sales tax for Michigan residents). They are always in stock and are shipped fast. If you live within driving distance of Flint, Michigan, you can see them on display and buy them in person at Taylor Steel Co, on Coldwater Rd, just west of Dort Highway. Tell them Wiz sent you!

Posted by Wiz at 2:53 PM | Permalink

December 5, 2007:

There is big news for AVG anti-virus users. Grisoft, the makers of AVG, have just announced the acquisition of Exploit Prevention Labs, the makers of LinkScanner Pro. The deal is expected to be finalized by December 31st 2007. According to the announcement, the code for LinkScanner Pro is going to be included in all versions of AVG anti-virus.

For those who are not familiar with LinkScanner Pro, it is a security program for PCs that monitors the codes on websites you visit and looks for and removes dangerous exploit codes, as the site is downloading to your browser. It is exceptionally good at stopping iframe and redirection exploits that lead to so many infections. According to what I read, LinkScanner Pro was able to remove these dangerous exploit codes from the pages you wanted to view, delivering only the safe content. This type of exploit has recently been used against MySpace users and some major sports information web sites, not to mention the thousands of personal and business web sites that have have redirection codes injected into their home pages.

The news that this functionality is about to be rolled into AVG is fabulous. I don't know the time table for the inclusion of LinkScanner into AVG, but the news release mentions that the "Lite" version will be added to AVG Free, while the stronger version will go into the paid version of AVG Pro, and the AVG anti spyware program (formerly Ewido).

Short-term product integration plans include adding LinkScanner technology to AVG Anti-Virus Free and offering LinkScanner Online, a free on-demand URL scanning service, directly from the AVG web site. AVG also expects to maintain LinkScanner Pro, Exploit Prevention Labs’ flagship product, as a standalone offering.

Related to this announcement is the hiring of Roger Thompson, the co-founder and CTO of Exploit Prevention Labs, to become the Chief Research Officer at Grisoft, while other staff and facilities will also be absorbed into the Grisoft operation. Seems like a big win for Roger and his staff. AVG users will also be winners when this product gets included in the various AVG programs in use around the world.

In the short term, there will be no change to update deliveries or support procedures, and the websites at www.linkscanner.com and www.explabs.com will remain operational. Over time, these procedures and websites will merge with AVG’s procedures and websites;

Posted by Wiz at 12:27 PM | Permalink

I wanted you all to be aware (in case you don't already know) that cyber-criminals are planning all out attacks against online consumers this holiday season, and they have already begun. Everything from phishing scams, to social engineering via tricky email messages, to the outright theft of transaction databases by exploiting servers is being rolled out to try to take your money and identity. Please treat all strange email subjects and senders as potential threats, not just objects of curiosity. Also, whatever your operating system your computer uses, please keep it updated with all current patches, to reduce your chances of getting exploited by a threat in the wild.

If you intend to make an online purchase, use a credit card if you have one, as most issuers limit your liability to $50, in the event your numbers are stolen and used fraudulently. There may or may not be similar protection on your debit cards, and if a cyber-criminal wipes out your bank account, you may have to wait a long time to get the money credited back, if it is at all.

Do not fall victim to Nigerian 419 scammers, whether it is the advance fee to claim funds scam, the lottery scam, the over-payment/refund scam, the money-laundering work-at-home check cashing scam, or other variations used by the World's foremost scammers.

Do not click on links in unsolicited emails, to view cute animals, or sports trackers, or eCards, or postcards, especially numeric URL links! The Storm Trojan BotMasters use these tricks to infect your PC and make it part of the World's largest Botnet, to date. If such an email arrives from a sender you know, send them a message asking if they actually sent that email to you. Chances are that they have no knowledge of that message being sent in their name. Heck, I get spam emails supposedly from my account names to the same accounts (but the sender's name is random characters or a non-existent user name)! Spammers use forged senders and reply to addresses in all of their messages now. There is no point in replying to them to complain, because, either the sender is unaware their name was used, or the account does not actually exist on that mail server.

eBay, PayPal, bank and credit union phishing scams are being ramped up, in anticipation of huge rewards during the upcoming Christmas buying season. Ditto for probes against online credit card databases.

One of the main reasons there is such a huge increase in the amount of spam this Winter, especially a lot of nasty stuff, is because the criminals behind these messages are hiding behind compromised personal computers that they have drafted into their BotNets. They do not fear being tracked down because they have created a virtual firewall between the command centers, the zombie computers and themselves. These people usually live in countries where the law turns a blind eye to such activities, as long as they don't use the Botnet against their own people, or governments. A lot of them speak Russian as their native language.

Keep your defenses up this shopping season. Use spam filters, like MailWasher Pro (which I use), to filter out as much spam and scam email as possible, to reduce your exposure to email-borne threats. Keep regularly updated versions of anti virus and anti spyware programs on Windows based PCs (see graphic image ads on this page for reputable security products), and set your computer to receive Windows Updates automatically. Do not run as an administrator while browsing the Internet or reading email. It is dangerous, whether your operating system is Windows, Mac or Linux. Use Limited User, Power User or User privileges instead, and learn how to escalate to administrator level only as and when needed. I have an entire article about creating limited user accounts here. Read it and learn to protect your PC.

Each well secured computer is one less zombie in a Botnet, and hopefully, one less identity theft victim. Have a safe and happy holiday season!

Posted by Wiz at 1:08 PM | Permalink

From the I don't believe it department comes this news...

Grisoft, the maker of AVG anti virus and anti spyware products has just announced that the cutoff of support for AVG Free 7.1 has been extended one month, to February 18, 2007. Last fall they had announced that all updates and support for AVG Free 7.1 would end on January 15, 2007. Many AVG Free users, including me, have already upgraded to the new version 7.5 as a result and are enjoying the improved interface.

Yesterday, on a service call, I checked for and obtained updates for AVG Free on a computer. After the update completed I decided to open the interface to see if it was the new version and was surprised to discover it to be 7.1. I upgraded it anyhow, but pondered why there was a definition update on January 17, when support was to have ended 2 days earlier. Now I know why.

Anyway, if you are still using AVG Free 7.1 you have one more month to use it, with definition updates, before they pull the plug (unless it gets extended again!).

What's different in AVG Free 7.5?

With version 7.5, users receive improved virus detection based on better heuristics and NTFS data streams scanning, smaller update files and improved user interface. Anti-Virus Free Edition 7.5 is also Windows Vista-ready and is available via Windows Security Center as a security solution. To upgrade to free version 7.5, users can visit visit: http://free.grisoft.com.

Grisoft also offers commercial versions of AVG Anti Virus, including a Windows Server edition. The commercial versions are available from http://www.grisoft.com . They also own the former Ewido Anti Spyware program and have renamed it to AVG Anti-Spyware. It is available as a trial version, which reverts to freeware with reduced capabilities after 30 days.

Posted by Wiz at 9:38 AM | Permalink

I just learned that router maker Cisco Systems, Inc. is in the process of purchasing IronPort Systems, Inc, for $830 Million, US, in cash and stock options. IronPort is in the anti-spam and anti-virus and and website security fields, and is the owner of SpamCop, of which I am a reporting member. That's why this acquision interests me.

SpamCop started out in 1998 as the property of Julian Haight, and is a website where members can paste the contents of spam and scam email messages to have them reported to the ISPs and web hosts involved in the delivery of those messages. SpamCop processes over a million spam reports a day and maintains a list of the ISPs through who these spam/scam messages are being sent. Referred to as the SpamCop Blocklist (SBL), that list of spammers and the unsecured computers they also use to relay their garbage is used by email systems around the World to identify and flag much of the incoming spam that floods the Internet everyday.

I use MailWasher Pro to screen and filter all incoming email and it consults the SBL to see if a message has already been identified and flagged by SpamCop, and adds it's own flag to the Status column to warn me about it. When I see a message flagged by the SBL and I bother to investigate, I find that it is spam, 100% of the time. MailWasher Pro also has a place to input your SpamCop login id and includes a checkbox to report spam via that account. You must respond to an automatic reply from SpamCop and go to your report manually to finish submitting it, but you are saved the hassle of reading the source code and copying and pasting it into the SpamCop reporting field yourself.

In June 2003, SpamCop became a wholly-owned subsidiary of IronPort Systems, Inc, which is a security software and solutions company. IronPort Systems, founded in 2000, is the leading email and Web security products provider for organizations ranging from small businesses to the Global 2000. And now, both become a division of the leading router manufacturer in the entire World, Cisco Systems. In case you didn't know it, the Internet runs on Cisco routers. This acquision will add a lot of financial backing to IronPort and SpamCop, to help them in their fight against the scourge of spam that inundates inboxes every hour.

Continue reading "Cisco Systems to buy IronPort Systems, which owns SpamCop" »

Posted by Wiz at 11:55 AM | Permalink

If you receive a popup message similar to this:

INTERNET SECURITY CENTER: "YOUR MACHINE MAY BE INFECTED BY THE BLOODHOUND VIRUS,"

WinAntiVirusPro2006/2007 is part of the infection that popped up the notice in the first place. While your computer may indeed be infected with viruses and/or spyware, that program will not remove them. Get an authentic anti virus program to remove real threats (see list below).

To remove this threat you should download and install a spyware removal program, like Spyware Doctor, or Spybot Search and Destroy. Search for and download all available updates, then scan for and fix any problems found. You may probably have to reboot and let the anti spyware program run again before the Windows Desktop loads, to finish the removal process, or even have to reboot into Safe Mode. These sleazeware infections do not let go easily.

If you try removing the WinAntiVirusPro2006/2007 infection with Spybot S & D, and it is unsuccessful in removing this or other threats from your PC, visit the Spybot Search & Destroy Malware Removal Forum for help.

Some Legitimate Anti Virus and Anti Spyware Programs:

PC Tools Spyware Doctor

Webroot Spy Sweeper

Kaspersky Anti Virus

Trend Micro PC-cillin Internet Security

Updated on April 7, 2007, to include WinAntiVirusPro2007 parasite in details.

Posted by Wiz at 11:53 AM | Permalink

If you use AOL Instant Messenger, or another IM client that is capable of connecting to the AIM network and downloading files, you should read this security alert.

A computer worm that spreads via instant messaging is being used to build an extensive "botnet" of remote-controlled PCs, a US security firm has warned.

Security experts at US company FaceTime identified the worm as "W32.pipeline" and warned that it spreads via AOL's instant messenger program.

The worm disguises a malicious executable program as a jpeg image, which is attached to an instant message that appears to come from someone on the recipient's AOL "buddy list".

Typically, the picture is accompanied by the message, "hey would it be ok if I upload this picture of you to my blog?" although another similar message may also be used.

Ultimate goal

If the recipient tries to open the image, the executable installs a program on their PC. This forwards the executable on to other contacts on their buddy list and also enables connections to several remote computers. It then tries to download another program that allows an
outsider control the infected machine.

FaceTime's director of malware research Chris Boyd says the goal appears to be creating a huge network of remote-controlled machines, known as a "botnet". As of Thursday, Boyd estimates W32.pipeline had amassed botnet between 1000 and 2000 machines.

Botnets may be used to send out huge quantities of junk e-mail or attack business websites with an avalanche of data, in a so-called distributed "denial-of-service" attack, which may be linked to extortion.

Click fraud

Botnets can also be used to commit "click fraud", which involves ordering the zombie machines to repeatedly click internet advertisements, to generate money for a company's that is paid per click.

"The ultimate goal of the W32.pipeline is to create a sophisticated botnet that can be used for a range of malicious purposes," FaceTime said in a security alert issued on Tuesday.

Boyd and other researchers posted details of the worm, including screenshots and "attack scenarios" to the company's blog � http://blog.spywareguide.com.

They note that the botnet created using the worm, which is controlled via Internet Relay Chat (IRC) servers, is particularly sophisticated and uses a complicated "install chain" to schedule file uploads to infected machines.

Posted by Wiz at 10:35 AM | Permalink

"Microsoft executives love telling stories against each other. Here's
one that platforms vice-president Jim Allchin told at a recent Windows
Vista reviewers conference about chief executive Steve Ballmer," David
Frith reports for Australian IT. "It seems Steve was at a friend's
wedding reception when the bride's father complained that his PC had
slowed to a crawl and would Steve mind taking a look."

"Allchin says Ballmer, the world's 13th wealthiest man with a fortune
of about $18 billion, spent almost two days trying to rid the PC of
worms, viruses, spyware, malware and severe fragmentation without
success," Frith reports. "He lumped the thing back to Microsoft's
headquarters and turned it over to a team of top engineers, who spent
several days on the machine, finding it infected with more than 100
pieces of malware, some of which were nearly impossible to eradicate."

Frith reports, "Among the problems was a program that automatically
disabled any antivirus software. 'This really opened our eyes to what
goes on in the real world,' Allchin told the audience. If the man at
the top and a team of Microsoft's best engineers faced defeat, what
chance do ordinary punters have of keeping their Windows PCs virus-free?"

Full article is here

Posted by Wiz at 10:21 PM | Permalink

Spyware and adware is on the mind of most web surfers these days. As well it should be! These types of infections cause popup ads to appear out of nowhere, hijack your home and search pages in Internet Explorer, and phone home with specific details about your web usage, and sometimes with your user names and passwords to financial websites.

With all kinds of spyware, adware, sleazeware and other malware threats in the wild, people are constantly searching for solutions to rid their computers of these pests and security threats. The more prudent folks visit the well known and respected spyware fighting organizations, websites, blogs and forums to get the skinny on which programs work and which don't work as claimed, and what the latest threats are.

On the other hand, those who don't know about the support forums and websites wait for the first popup ad to come along that offers them a solution to their spyware concerns. The popup notice may look like a system message and warn the user that their computer is infected with critical system infections that it can remove - for a fee. They click on it, download and purchase the product, allow it to remove the threats it claims to have found, only to discover later on that it removed nothing at all, because those threats did not exist on their computer, but did not remove the threats that actually were on that computer.

This variety of spyware that pretends to be a spyware removal program, but isn't, is known in the spyware fighting community as "Rogue Anti-Spyware Programs." These programs use false positives to goad you into purchasing them. Programs that fit this description include SpySheriff, Spyware Sheriff, SpyTrooper, SpywareKilla, SpywareNo!, Spyware Quake, SpyAxe, SpyFalcon, SpywareStrike, and almost three hundred more programs just like these.

Eric L. Howes maintains a comprehensive listing of all known rogue anti-spyware programs on his website - SpywareWarrior.com - on the Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites web page. There are currently 289 Rogue anti-spyware programs on his list! If you get a mysterious popup alerting you that your computer is infected, check his list before downloading that program.

Continue reading "Rogue/Suspect Anti-Spyware Products and Web Sites" »

Posted by Wiz at 3:21 PM | Permalink

May 8, 2006

A 21-year-old California man was sentenced today to 57 months in prison for hacking into hundreds of thousands of computers and renting the network of hacked PCs out to spyware companies and to people who used the network to send spam and launch crippling attacks against Web sites.

Jeanson James Ancheta of Downey, Calif., admitted that he used Internet worms to seize control over a massive numbers of PCs running the Windows OS. He used those computers as an install base for online ad-serving software that netted him more than $61,000 and a BMW sports car.

Ancheta also pleaded guilty to breaking into computers at the weapons division of the U.S. Naval Air Warfare Center in China Lake and the Defense Information Systems Agency, causing roughly $15,000 worth of damage.

According to the indictment, Ancheta made about $3,000 renting out portions of his zombie network to spammers and other criminals, usually in increments of 10,000 hacked machines at a time.

James Aquilina, the assistant US attorney who prosecuted Ancheta on behalf of the federal government, called it the longest sentence ever handed down for a case involving the spreading of computer viruses, and said he hopes the unprecedented sentencing sends a strong message to other botmasters and malicious young hackers.

Aquilina said. "My hope is that this sentence will deter others from using botnets to commit crimes, especially the youthful ones who commit these crimes and think they're immune from prosecution, that they'll never get caught."

Posted by Wiz at 11:20 PM | Permalink

Starting Tuesday, April 25, Microsoft has been pushing out a test tool that checks whether the copy of Windows a PC is using is properly licensed. It will be sent to millions of people in the United States, United Kingdom, Malaysia, Australia and New Zealand. It will extend its 'Windows Genuine Advantage' program to send alerts directly to users of pirated software, the company said yesterday.

Starting April 26, 2006, however, Windows XP users in the United States who have set up automatic security updates will receive the anti-piracy tool. After installation and reboot, they may find their computers popping up an alert that reads: 'This copy of Windows is not genuine; you may be a victim of software counterfeiting.' These popup notices will occur as they logon and while they are working with their computers. The popups will continue to occur until such time as the computer owner installs a valid license code, which may require a phone call to Microsoft support.

You can obtain a legal, licensable copy of Windows XP from Tiger Direct, at a much lower price than Microsoft charges for just a license. View all versions of Windows Operating Systems available from TigerDirect

At this time the new validation system is optional - you may choose to opt-out, but only if you have set Automatic Updates to notify only, not install without review, or if they perform manual Windows Updates, where there is a checkbox that can be unchecked to remove that item from the download items. It is expected that this will change to be non-optional after the pilot program has been tested for a short time.

Continue reading "Microsoft Steps Up Windows XP Piracy Check For Counterfeit Software" »

Posted by Wiz at 11:03 AM | Permalink

Brno, Czech Republic and Millburn, N.J. - April 19, 2006 -

GRISOFT,
the maker of award-winning AVG Anti-Virus, today announced the acquisition of Ewido Networks, a leading provider of innovative
anti-malware solutions. This acquisition expands GRISOFT's AVG
antivirus and firewall offerings to include comprehensive malware
protection, and provide its customers with the highest level of
security against growing types of malicious software spreading across the Internet

Full Press-Release:
http://www.grisoft.com/doc/29396/lng/us/tpl/tpl01

Posted by Wiz at 3:51 PM | Permalink

This blog covers computer and website security issues. It is updated as news becomes available that affects the security of computers users or webmasters.

As a webmaster myself I keep informed about vulnerabilities that might be exploited against my websites and will share them with you all.

As a computer user I believe that securing my PC is of paramount importance. I study various sources of security information and will post news here if I feel it will be of benefit to my friends, who know about this blog, and visitors who discover it in a search.

Thanks for visiting Wizcrafts Computer Services "Security Blog" and welcome!

Continue reading "Security News for April 2006" »

Posted by Wiz at 12:06 PM | Permalink