Archive for Cyber Attack

Highly Critical Exploit Found In Windows

Posted in All Posts, Computers, News, Security, Tech News on July 27, 2010 by The Edible Earth

Microsoft issued a new Security Advisory on Friday, July 16th regarding an old Windows vulnerability associated with shortcut icons.

This vulnerability, which is rated as ‘Highly Critical’ by Secunia, affects every version of Windows back to and including Windows 2000. The flaw even affects Windows 7 Service Pack 1 Beta and Windows Server 2008 R2, which were only released a couple of weeks ago.

The problem has been traced to a flaw in the way the Windows Shell parses shortcut files. This can allow malicious code to be executed, normally from a USB thumb drive or from external storage media such as a CD or DVD. However, it has been found that the flaw can also be triggered through malicious links in email and from malicious websites. Network shares and WebDAV are also viable avenues for exploiting this flaw.

Shortcuts are links to actual files and use the hidden .LNK extension. A specially crafted .LNK file need only be parsed by Windows Explorer for the exploit to work. The maliciously crafted file uses AutoPlay to execute the malicious code, but even if AutoPlay is disabled, as it is in Windows 7 by default, the code is still able to run on a user’s computer. Users who operate as an Administrator are the most vulnerable to this flaw. If the exploit is successfully run, it can enable a hacker to take over the user’s computer.

In a blog post, Microsoft softened the severity of this flaw by stating that only ‘limited’ attacks have been occurring. However, you can be sure that malicious hackers will be jumping on this very soon and more widespread attacks will follow. Microsoft stated that most attacks are occurring in Iran and Indonesia and are related to malware known as the Stuxnet worm.

Hopefully, Microsoft will issue an ‘out-of-sequence’ patch for this exploit, but as of now they have only released a ‘Fix it’ workaround which, for most people, will be more annoying than the exploit itself. It works by disabling all .LNK files: after applying the ‘Fix it’, every icon on the computer defaults to the white rectangular blank icon. Microsoft also offers directions for a manual fix, aimed more at IT professionals. Recently, however, even these workarounds have been found not to be completely effective at protecting systems. These workarounds only apply to systems running Windows XP SP3, Server 2003, Vista, Server 2008, 7, and Server 2008 R2.

Because this worm also affects older versions of Windows, such as Windows 2000, Windows XP, and Windows XP SP2, the exploit is an even more dangerous threat, as those computers will NEVER receive a patch: Microsoft recently discontinued support for these operating systems. Because there are still a lot of machines running these versions, this exploit can have far-reaching and longer-term effects.

This flaw has been around since the early days of Windows but has only recently been discovered. It is regarded as a ‘Zero Day’ flaw, which means that it was only discovered after it was already being actively exploited in the ‘wild’.

Hopefully Microsoft is working around the clock to permanently fix this flaw and will issue an ‘Out of Sequence’ patch soon. At the very worst, let’s hope that it will be fixed with their next scheduled update, which is set for Tuesday, August 10th.

For more information on this exploit, visit Microsoft’s Security Advisory 2286198 and Support Articles.

Skimming for Dollars

Posted in Computers, Security, Tech News on July 4, 2010 by The Edible Earth

A new and very dangerous method of getting at your money has been devised by hackers. Known as ‘ATM skimming’, it uses a very small ‘skimming device’ that is inserted into the slot of an ATM where you swipe your card. The device is designed to record all of your banking information off the magnetic strip on your card. A very thin, clear plastic sheet capable of capturing your Personal Identification Number (PIN) is also placed over the keypad, so that the thieves then have complete access to your bank account.

The scary thing about this is that you will never even know that your banking information was just stolen. Everything will look perfectly normal to you. What’s even worse is that technology has been developed so that this information can be sent via Wi-Fi or over the internet. This makes it possible for the crooks to steal the information without ever having to revisit the ATM. They could be in a Starbucks down the street or on the other side of the planet and still be gathering your personal banking information.

Now, on the plus side, the financial institutions are aware of this scam and are constantly monitoring their ATMs. Video surveillance at ATMs is also a somewhat effective deterrent; however, these hacks are becoming more and more prevalent. Special care should be taken when using an ATM at a convenience store, grocery store or any other location that is not a bank, as such machines are less likely to be monitored as closely as an ATM at a bank.

The only real defense that you have is to be aware of this and to constantly monitor your bank account, especially after making a transaction at an ATM. Any fraudulent activity on your account should be reported to the authorities and to your financial institution as soon as it is discovered.

For Crying Out Loud….What Now???

Posted in All Posts, Computers, Security, Tech News on April 13, 2010 by The Edible Earth

Ransomware: we read about it in the past and were appalled at the concept. It is similar to scareware, in which a crook tells you that your computer is infected and that, by buying their worthless software, it is now fixed. Ransomware takes this one step further: a cyber-criminal downloads a Trojan horse onto your computer and, voilà, your computer is held hostage. You can do nothing until a ransom, normally in the $79 range, is paid. Now, however, it seems that they have upped the ante even more.

With copyright infringement cases gaining more coverage in the news, these criminals are now using the MPAA (Motion Picture Association of America), the RIAA (Recording Industry Association of America), and others to scam money from unsuspecting computer users. While you are innocently browsing the internet, a pop-up will appear on your computer telling you that an “Anti-piracy foundation scanner” has detected copyright-infringing material on your computer. They will actually threaten you with court action. However, they do give you the option to settle, to the tune of $399.85, for which they provide an itemized statement of the charges. Oh, and by the way, for your convenience they accept credit cards.

The scary thing is that you cannot get rid of this pop-up (which is actually a screen saver); even shutting down your computer and rebooting will result in the pop-up appearing again. And if you do shut down, another threatening message appears stating that by taking this action you are showing that you are not cooperating, and that they recommend cancelling the shutdown and agreeing to their settlement proposal (of course they do). You are basically dead in the water at this point. All in all, this looks very realistic, and an unsuspecting user is liable to fall for the scam.

Security companies are saying that the domain is operated out of Moldova, a small landlocked nation near Ukraine. The ransomware is designed to adapt to the user’s computer: it will display messages in Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak or Spanish, based on the settings of the infected computer. Although any transactions made do not seem to actually be tied to a cash charge, the crooks are still able to collect pertinent credit card information, either to be sold or for use in future scams.

Security companies such as F-Secure have an online scanner that will remove this bug. You can get their online scanner by going HERE.

Knowing what to look for is the key to not getting trapped by one of these scams. Here is a list of some general things to do in order to protect yourself from scareware/ransomware attacks:

1) Make sure all of your software is up to date. Secunia’s Personal Software Inspector (PSI) does a good job of letting you know whether all your programs and plug-ins are up to date and secure. PSI is free for consumer use and can be found HERE.

2) Run with the lowest rights possible. Meaning: whenever you are not downloading anything and are just surfing the web, do not run with Administrator rights, but run under a “Limited” account.

3) Run in a sandbox using Sandboxie. This will keep you protected should you accidentally click on a bad link or open a malicious web page or PDF, as nothing will be saved and your computer will revert to its original state when you leave the ‘Sandbox’. Sandboxie can be found HERE.

4) Turn off JavaScript. I know that doing so will break most web pages, but the fact is that JavaScript is very vulnerable. Using a plug-in like “NoScript” is also a viable option; you will need to take the time to configure it so as not to break web pages. You can always turn JavaScript back on should it just become unbearably aggravating. But again, JavaScript is simply not safe.

5) And as always, make sure all of your anti-malware and anti-spyware software is up to date and turned on.

Stay Safe Out There!!!

Where Do We Go From Here?

Posted in All Posts, Computers, News, Security, Tech News on April 1, 2010 by The Edible Earth

Zero Day Vulnerabilities, Man In The Middle Attacks, Worms, Exploits, Phishing, Hacked accounts, and the list goes on and on. The fact is that computer users in today’s world are facing a growing threat from outside sources when using the internet. Most people are not aware of, nor care about, these threats, that is, until it is too late. But why and how is this happening? What are we doing about it? And where do we go from here? All valid questions that really do not have a solid, absolute answer.

We hear almost every day about new threats, either attacks that exploit a previously unknown vulnerability (Zero Day Attack) or horror stories about account hacks and phishing scams. Windows, Adobe, Apple, and just about every other major software creator has faced this issue at least once, some many, many times. In the early days of hacking, viruses were merely a proving ground, a gold star for the lapel, for many young and very talented software writers. No malicious intent, for the most part, was ever meant. All they wanted to see was whose virus could propagate the fastest and to the greatest extent. It was a game to them, albeit a very annoying one. However, those days are long gone, and the occasional malicious program written by a teen with a chip on his/her shoulder is no longer the concern. Today, these onslaughts are being carried out by large criminal organizations who do have malicious intent and have found out that these scams and attacks are also very lucrative. What’s worse, the people doing this are extremely talented and savvy software creators who are constantly devising new ways to get deep into the pockets of the ordinary computer user.

For most people, all that is wanted is to turn on the computer and get email, check accounts, and do some online shopping. Security, although they care about it, is something most users do not want to know the juicy details of: how it works, and what dangers to look for. They simply want a machine that works and is safe to use. Unfortunately, that is not the way of today’s computing. Even so, simple is better for most users. SSL/TLS, file encryption, WPA2, and the like are all things that the ordinary computer user does not want to know about, or even care about. And quite frankly, why should they? Computer aficionados thrive on this sort of stuff, but for the normal user……no!!! The casual user knows that anti-virus software will keep them safe. Some may even use an additional anti-malware scanner, but will rarely use it to fully scan the computer. Firewall…..I know I need one, but what is it? But even with these tools, our computers are still not safe from being compromised.

The major anti-virus companies will all admit that this is a hurry-up-and-catch-up game. The bad guys always seem to be one step ahead of the good guys, sometimes quite a few steps ahead actually. The AV manufacturers are always trying to lessen this lead, but like I said earlier, this is no teen with a bad attitude; these are savvy, technical, and treacherous organizations that are making our life online hell. When a new bug is released into the ‘wild’, it takes the anti-malware companies time to find it, reverse engineer it, and then launch a fix for it. Heuristics have helped in this matter, but have also created some new problems, namely false positives. Heuristics is a method of scanning your computer in which the anti-malware software is not looking for specific malware, but only for malware-like activity, such as registry entries being changed. As a result, false positives are becoming more prevalent, in which the anti-malware software flags a legitimate action as a threat. Holes/vulnerabilities that are found in software, and then fixed through software updates, are still being exploited because the average user does not know enough, or care enough, to get the update. Time is expensive, updating software can be time consuming, and all the user wants to do is turn the machine on, do what they need to do, and move on to the next item on their agenda. Look at the Conficker worm: a patch and a fix for this bug were issued long ago (Oct 2008) and yet it is still out there.

So where do we go from here?

Well, short of turning off the internet, re-working the entire infrastructure, and then turning it back on again, we have only a limited number of tools at our disposal. However, the strongest of these is education. The word has got to be spread throughout the computer world about the need to protect oneself while on the internet. I certainly do not mean that everyone needs to become a computer security guru, but general knowledge of things to look for would definitely make it less easy for the bad guys to get in. Even then, it is still going to happen. There is money to be made, and like I said earlier, these bad guys have found out that there is a ton of it to be scammed.

In the end, this is the way it is, and it appears to be the way that it will remain in the immediate future. In fact, the chances are that it is going to get more volatile out there. The one true weapon that we all have to battle this armageddon on the internet is our ability to use common sense. That is our most powerful weapon; without it, we are doomed. Add a small dose of knowledge, and we could vastly hamper these attempts at ruining our lives. We need to keep our critical personal data safe and secure; knowing what is OK to become public knowledge and what could hurt us is paramount. I would never post my banking information on the internet, although many people have clicked on links in emails stating that their accounts have problems, and entered banking credentials. You may as well have posted it directly to the public internet. It is things like this that make it easier for the bad guys to successfully do what they do. A pound of common sense, coupled with a sprinkling of knowledge, is our greatest weapon.

What Are Your Thoughts??

MS Out of Sequence Patch

Posted in All Posts, Computers, Security, Tech News on March 30, 2010 by The Edible Earth

Today, March 30th, a vulnerability affecting IE 6, IE 6 SP1, and IE 7, which could allow hackers to remotely execute arbitrary code, will be fixed via an out-of-sequence Windows Update. Microsoft says that the new patch will be released around 10 AM PDT. This vulnerability has been seen in the wild during the month of March 2010, and Microsoft deems this a “High Priority” update.

Even if you have upgraded from IE 6 or 7 to Internet Explorer 8, you should still get this update. The update will also address several other privately reported issues, some of which do affect IE 8.

So make sure that you have Automatic Updates turned on, or get the update manually by going to www.update.microsoft.com using Internet Explorer and installing the new patches.

For More Information:

Common Vulnerabilities and Exposures CVE-2010-0806

Microsoft Security Advisory 981374

We All Love Facebook…..but?

Posted in All Posts, Computers, Helpful Hints, Security, Tech News on March 21, 2010 by The Edible Earth

The big three…..Facebook, Twitter, and Friend Feed, places where we all go to network socially. But lately it seems that all of these venues for communicating with our friends and family have come under scrutiny over security problems. All of the social networking sites have come under fire regarding privacy issues. Remember when Facebook changed its policy overnight and all of your photos and information were switched to a ‘Public’ status, which then had to be reset? Bad move. Hell, even Mark Zuckerberg had his photos become public; they were quickly changed back, but what was going through their minds to change their terms without even the CEO of the company being aware of the change? All this aside, as disturbing as it is, it is not the biggest threat being aimed at us through these social networking venues.

Account hacking is fast becoming a serious problem on these sites. Once limited to email accounts, spear phishing is fast growing in popularity among the bad guys and is something that everyone should be aware of. Weak sign-on credentials chosen by users are making it even easier for these crooks to hack accounts and eventually gain access to places that no one in their right mind would allow them into. Check out my post HERE on setting up a more secure password.

Bad guys are targeting individual accounts by hacking into their friends’ accounts. What happens is that a bad guy gains control of someone’s Facebook account and now has access to all of that person’s friends. They will then send a targeted message which says something to the effect of, “You Should See The Photo I Got Of You Last Night”. Of course, you think you know this person, so you click on the link, which takes you to a fake website that looks exactly like one very familiar to you, such as Flickr.com. Now keep in mind that this web page will look very much like a real Flickr page, and it will ask you to click on a link to view the photo. When you click on that link, a message will tell you that a new version of Adobe’s Flash Player, or a different codec, is needed in order to view the photo. Conveniently, a link is supplied so that you can get the new version, to make it easier for you to view this much-anticipated photo. But what we don’t do is look at the URL to see where we really are. You are not at Flickr.com but at a bad guy’s page. When you click on that link to get the new version of Flash or the new codec, your computer is immediately infected with what will most likely be a Trojan horse. This Trojan will then open up your computer to all sorts of new infections, like keyloggers and worms. This could expose you to identity theft and stolen personal data, such as credit card info, banking credentials, and possibly even Social Security Numbers, which could allow the bad guys to open new credit card accounts in your name.

The point is that as long as you are aware of these issues, you can safely post and communicate with friends via these venues. However, it is critical that whenever you click on a link, you keep an eye on the URL (Uniform Resource Locator). For more information on URLs you can check out my two-part post by clicking on Part 1 HERE and Part 2 HERE.

Now I use Facebook, Twitter, and Friend Feed; however, I like to keep my accounts buttoned down, and only communicate with friends, family, and some friends-of-friends, but that is it. I have seen accounts that are completely public, meaning anything that is posted is visible to everyone. More and more employers are turning to these venues to check on your background. Imagine a potential employer seeing the photo of you at that party 2 years ago, lying on the floor drunk. That would definitely make me think twice about hiring you. Keep your most personal information PRIVATE.

Now, something even more devious than the above-mentioned hacking of an account starts in exactly the same way. You get your account hacked. Then you take your computer to work and connect to the network there. Now the bad guys can see the same things that you can see on your work’s network. Keep in mind that there is no way you will know that this is happening. So you say, well, I don’t have high-clearance access to any critical information. You may or may not, but someone that you network with at work may, and your infected computer may allow this worm to spread higher and higher up the chain. This has just happened recently. An occurrence such as this could cost you your job.

This is all the more reason to make sure that you keep the information on all of your social networking accounts private. At the very least, you want to make sure that anything that could cause embarrassment (or worse) is, without a doubt, kept private.

Enjoy this new technology, but keep yourself safe. Social networking is enjoyable and very useful; however, always remember that what you do and post today may come back to haunt you years from now. Once it is public, it never goes away.

Uniform Resource Locator – Part Deux

Posted in All Posts, Computers, Helpful Hints, Security, Tech News on January 16, 2010 by The Edible Earth

Now that we know the basic format that all Uniform Resource Locators (URLs) use, let’s look at the ways in which you can be fooled into going somewhere you never intended. If you did not read Part 1, you can check it out HERE. Crooks use techniques such as URL spoofing, MitM (Man in the Middle) attacks, and browser hijacking to steal your valuable personal information. The URL can, in most instances, tell you exactly where you are going when you do a search; however, it is not always as intuitive as you would think. Criminals are very good at tricking you into entering sites that you never intended to visit.

We all now know, from my last post, the basic format of a URL.

http://www.domain.com/folder/sub-folder/page_name/

Before we get started, I would like to take the opportunity to state that the e-commerce sites used in the following examples are not being attacked in the manner portrayed. These types of attacks are not occurring on their sites; the sites are only being used for the purpose of showing an example. Amazon.com and Paypal.com are perfectly safe venues for e-commerce.

Here is why this information is important. Crooks will attempt to trick you into clicking through to a malicious site by manipulating the URL. In this example I am going to use Amazon.com, but only to prove a point; this is not an actual event. Let’s say you do a search for Amazon.com. The true URL for their home page is http://www.amazon.com. The search result you get back is for Amazon, and may even have the Amazon logo next to it. But by looking at the URL, you notice that it is actually taking you to “http://www.amazon.badguy.com/GetVirusHere/”. As you now know, even though it says Amazon in the URL, you are not going to Amazon.com but to the domain “badguy.com”. Amazon is a high-profile search term and is easy to identify, as it is always the top result in a search query; however, when you do a search whose results are not as intuitive, it is important to look at the URL to ensure you are going where you want. Other tricks that may be used:

http://www.badguy.com/amazon.com/ ……In this case, even though the last .com looks like Amazon’s, it comes after the first slash (/), which tells you that it is a folder on the badguy.com domain. (Remember the file cabinet.)

http://www.badguy.amzon.com/getvirushere/ ….Simple spelling errors are another way the bad guys will attempt to lure you to malicious sites.

OK, these are the easier-to-recognize tricks that hackers will use to fool you. The next trick uses a more sophisticated method of luring you. Let’s say that you receive an email stating that you have a gift certificate for Amazon.com. Naturally, it looks official, so you open it, and within the very official-looking Amazon email you see a link that looks like this: “http://www.amazon.com/GetGiftCertificateHere/“. Well, this looks good, right? Yeah, you are right, it does look legitimate; however, click on the link and see what happens (don’t worry, nothing bad will occur). Just because the text of a link looks correct, it does not mean that the link is taking you where you think. You may be asking, so how can I be sure? The easiest way to make sure you are going where you want is to hover over the link (do not click it), then right-click the link and select Properties. Your browser will then show you where that link is actually pointing.

So the browser will tell you that you are not going to “http://www.amazon.com/GetGiftCertificateHere/” but are actually going to another page on The Edible Earth. Crooks will obviously not be so kind and will take you to malicious sites.
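The three URL tricks listed above (brand as a subdomain, brand as a folder, misspelled brand) and the gift-certificate trick (link text that disagrees with the real link) can all be checked mechanically. The following is an added example written for this post, not code from the original article; it uses the WHATWG URL class built into Node and browsers, and it assumes the simple rule that the registrable domain is the last two host labels (amazon.com, paypal.com), so multi-part suffixes such as co.uk are not handled.

```javascript
// Added example (not from the original post). Assumption: the registrable
// domain is the last two host labels; suffixes like co.uk are not handled.

// "www.amazon.badguy.com" -> "badguy.com": the part that decides who you are
// really talking to, whatever appears to its left.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Levenshtein distance, used to spot misspellings such as "amzon.com".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + subst);
    }
  }
  return d[a.length][b.length];
}

// Explain where a link really goes. `expectedDomain` is the brand the reader
// believes they are visiting, e.g. "amazon.com".
function inspectUrl(urlString, expectedDomain) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { domain: null, verdict: 'invalid', reason: 'not a parseable absolute URL' };
  }
  const expected = expectedDomain.toLowerCase();
  const brand = expected.split('.')[0]; // "amazon"
  const domain = registrableDomain(url.hostname);
  if (domain === expected) {
    return { domain, verdict: 'ok', reason: 'registrable domain matches' };
  }
  // Trick 1: the brand is only a subdomain, e.g. www.amazon.badguy.com
  if (url.hostname.toLowerCase().split('.').includes(brand)) {
    return { domain, verdict: 'brand-in-subdomain', reason: `"${brand}" is a subdomain of ${domain}` };
  }
  // Trick 2: the brand is only a folder, e.g. www.badguy.com/amazon.com/
  if (url.pathname.toLowerCase().includes(expected)) {
    return { domain, verdict: 'brand-in-path', reason: `"${expected}" is a folder on ${domain}` };
  }
  // Trick 3: a near-miss spelling of the brand, e.g. amzon.com
  if (editDistance(domain, expected) <= 2) {
    return { domain, verdict: 'typosquat', reason: `${domain} is a misspelling of ${expected}` };
  }
  return { domain, verdict: 'other', reason: `${domain} is unrelated to ${expected}` };
}

// The gift-certificate trick: when the visible link text is itself a URL, it
// should point at the same domain as the real href. Returns null when they
// agree (or when the text is plain words), otherwise the two domains.
function linkTextMismatch(visibleText, href) {
  let shown;
  try {
    shown = new URL(visibleText.trim());
  } catch (e) {
    return null; // plain words such as "click here": nothing to compare
  }
  const actual = registrableDomain(new URL(href).hostname);
  const displayed = registrableDomain(shown.hostname);
  return displayed === actual ? null : { shown: displayed, actual };
}

// Constructed samples: the post's own illustrations plus an unrelated host.
const SAMPLE_URLS = [
  'http://www.amazon.com/',
  'http://www.amazon.badguy.com/GetVirusHere/',
  'http://www.badguy.com/amazon.com/',
  'http://www.badguy.amzon.com/getvirushere/',
  'http://unrelated.example/',
];
for (const u of SAMPLE_URLS) console.log(u, inspectUrl(u, 'amazon.com'));
console.log(linkTextMismatch('http://www.amazon.com/GetGiftCertificateHere/', 'http://blog.example/elsewhere'));
```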

Now let’s say that you arrive at a web site and everything looks OK, including the URL, but something just does not look right. The way to be sure that you are actually where you think you are is to run a little JavaScript. By pasting the script into the URL bar of the site that you are on and pressing Enter, a description of the site’s actual URL and its address URL will be displayed. If the two server names do not match, you may have been spoofed and may be at a malicious site.

Copy and paste the following JavaScript into the URL bar (NOTE: when you paste this, clear the URL that is already there; this script should be the only thing in the URL bar):

javascript:alert("The actual URL is:\t\t" + location.protocol + "//" +
location.hostname + "/" + "\nThe address URL is:\t\t" + location.href +
"\n" + "\nIf the server names do not match, this may be a spoof.");

These types of spoofs are common on nefarious websites, so make sure that you are aware of where you are going before clicking on links.

However, crooks are getting more and more clever with their tricks, and even though the aforementioned tactics can be effective, there are some tricks that are even more difficult to detect. The first is browser hijacking, in which you are directed to a fake website after clicking on what appears to be a good link. These fake sites are very well built and look very much like the legitimate site. Let’s say you click on a link that you think will take you to Amazon.com; however, you wind up at a site that looks exactly like Amazon.com but is not. From here, the cyber criminals will attempt to get your personal information. Simply glancing up at the URL will tell you that you are not at the correct site. The criminals are relying on the fact that, because the site looks so genuine, you hopefully will not even question what the URL says. Always check the URL. Again, running that little JavaScript will tell you exactly where you are.

These hijackings may even take you to a site that looks nothing like Amazon.com but contains malware or links to malware. Should you ever think that you are going to a particular site and wind up somewhere unexpected, do not click on anything on that site, no matter how appealing it may seem. Chances are you are going to wind up with a virus, worm, Trojan horse, or spyware.

Even more dangerous are what are known as Man in the Middle (MitM) attacks. These are hacks in which the criminal gets in between your transmission and the expected website, kind of like an intercepted pass in football, and steals your personal information. This used to be a very simple thing for an experienced hacker to do; however, e-commerce sites have become more aware of this type of attack and have made changes to their sites to make MitM attacks more difficult. One way this could still happen is by going to a page that asks for your personal information but is not protected by an SSL/TLS (Secure Sockets Layer/Transport Layer Security) connection. Any connection that is protected by SSL/TLS is encrypted, so that all a MitM will see is gobbledygook. The address of every page encrypted by SSL/TLS begins with “https://” instead of just “http://”. The way a MitM attack could occur is this: you go to an e-commerce site and add the items you want to purchase. You are looking at the page with the item(s) that you intend to buy. This page has a button that says “Purchase Now”; however, the page is not protected with SSL/TLS (its address starts with http://, not https://). Before we go any further, I will give you the nickel explanation of how these sites expect to receive packets over the internet.

When packets of information containing personal identifying information are sent over the internet, most sites, like Amazon.com, Paypal.com, etc., expect them to arrive at their server over an encrypted transmission. If they are received unencrypted, the packets will be dropped by the site, which is a good policy, as it protects you. When encrypted purchase information is received, confirmation information is sent back to you, also through an encrypted transmission.

OK, now let’s return to that page on which you are going to purchase your items. The page was designed to be unencrypted (http:// only); however, once you enter your credit card information and push the ‘Purchase Now’ button, the information is then sent over SSL/TLS. What happens is that the criminals hack the site and overlay the ‘Purchase Now’ button with an address that goes to their malicious site over a non-encrypted transmission, where they now have all of your personal information. Now remember, the e-commerce site will not accept any information that is not encrypted, so the hacker then covers their tracks and passes the information on to the e-commerce site over an SSL/TLS connection, so that the e-commerce site receives the packets of data exactly the way it expects them. Likewise, you receive your purchase confirmation just as you expected, and thus never know that your data was intercepted. Most e-commerce sites have fixed this flaw: any time you enter your personal information, it is entered on a page that is served over an SSL/TLS connection as well as sent over one. This way no hacker can manipulate a page on which personal information is entered, as the page itself is encrypted. This is only one way that a MitM attack can occur. Most of the time you will never even know that it has happened.
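The weakness just described, an unencrypted page whose ‘Purchase Now’ button is meant to submit over https://, can be checked directly on a page. The following is an added example written for this post, not code from the original article; it uses the WHATWG URL class built into Node and browsers, and the shop.example and badguy.example addresses are constructed samples, not real sites.

```javascript
// Added example (not from the original post). Audits one checkout form:
// pageUrl is the address shown in the browser, formAction is the form's
// action attribute, which may be relative ("/purchase") or absolute.
function auditForm(pageUrl, formAction) {
  const page = new URL(pageUrl);
  // A relative action resolves against the page it sits on and so inherits
  // the page's scheme: an http:// page with action "/purchase" posts over http.
  const target = new URL(formAction, page);
  const findings = [];
  if (page.protocol !== 'https:') {
    findings.push('page itself is not https: the button or action can be rewritten in transit');
  }
  if (target.protocol !== 'https:') {
    findings.push('form posts over plain http: card data would cross the wire unencrypted');
  }
  if (target.hostname !== page.hostname) {
    findings.push(`form posts to ${target.hostname}, not to ${page.hostname}`);
  }
  return { submitsTo: target.href, findings };
}

// Browser-only: run the audit over every form on the current page. It is
// defined but not called here, so the file also runs under Node, where
// `document` does not exist.
function auditCurrentPage() {
  return Array.from(document.forms).map(form => ({
    form: form.id || form.name || '(unnamed)',
    ...auditForm(location.href, form.getAttribute('action') || location.href),
  }));
}

// Constructed samples: the post's scenario (plain page, encrypted submit), the
// overlaid button sending data to the attacker, and a fully protected page.
const SAMPLE_FORMS = [
  ['http://shop.example/cart', 'https://shop.example/purchase'],
  ['http://shop.example/cart', 'http://badguy.example/collect'],
  ['https://shop.example/cart', '/purchase'],
];
for (const [page, action] of SAMPLE_FORMS) console.log(page, '->', auditForm(page, action));
```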

I would like to take the opportunity to thank all of the e-commerce sites used in the examples above. These types of attacks are not occurring on their sites; the sites are only being used for the purpose of showing an example. Amazon.com and Paypal.com are perfectly safe venues for e-commerce.

In order to safely use e-commerce and browse the web, it is essential to understand the concept behind URLs, their structure, and how they work. When browsing the web, make sure that you pay special attention to the URL you are actually going to, so as not to get spoofed and potentially endanger your personal information.

And as always, make sure that you keep your operating system, anti-virus, browser, and anti-spyware software updated. Never click on unsolicited links in an email, and always use common sense. If a deal seems too good to be true, it probably is.

Let me know if you have experienced these types of attacks……

Leave a Comment!!!!

Finally, Chalk One Up For The Good Guys!!!!

Posted in All Posts, Computers, Security, Tech News with tags , , , , , on December 28, 2009 by The Edible Earth

In this day and age, we seem to read every day about how we are losing the battle against spam, malware, and fraud on the internet: the FBI’s investigation into allegations that Citicorp’s system was hacked to the tune of tens of millions (something that Citicorp denies), or the hijacking of personal pages on social networking sites like Facebook that results in identity theft. So it is nice to finally read about a success story. Well, here is one of those successes.

In November 2009, FireEye Inc. successfully shut down one of the most notorious and nefarious botnets on the internet to date. For more information regarding “botnets”, click HERE. In its heyday, the Mega-D botnet (aka Ozdok) was responsible for up to 15% of the spam that infests our inboxes on a daily basis. This literally equates to millions upon millions of spam messages being sent daily by this one botnet. Here is a blow-by-blow account of how FireEye succeeded in the takedown.

For two years, FireEye researcher Atif Mushtaq had been researching new ways to keep malware from infecting networks. During this research, he obtained crucial information about how these botnet controllers, known as “Command & Control” (C&C) servers, actually functioned. This was the turning point, and in November the defensive posture that had been taken towards these huge botnets suddenly changed to an offensive one.

With the cooperation of Internet Service Providers (ISPs) located in the U.S., which were unknowingly hosting the C&C servers that the “zombie” computers connected to in order to receive new commands, FireEye was able to redirect these connections and effectively point them to “nowhere”. So when the “zombie” computers tried to connect to their master, they could not. Note that two overseas ISPs, one in Israel and one in Turkey, did not cooperate in the siege.

Next, FireEye contacted the domain registrars in order to obtain the IP addresses for these C&C servers. With this pertinent information, FireEye was then able to see any and all alternative addresses that were written into the botnet’s code. These alternative domains were set up as a backup, should the zombie computers be unable to contact the C&C servers. Remember, the infected computers could no longer “phone home” thanks to the ISPs’ cooperation. With these alternative domain names and IP addresses in hand, FireEye was then able to create what is known as a “sinkhole”. Basically, they could then monitor the attempted incoming connections from the “zombie” computers without those computers ever reaching the real C&C. By reviewing the log files from these connections, FireEye was able to determine that this botnet was an army of over 250,000 infected computers, with each zombie computer capable of sending up to 15,000 spam messages per hour. Mega-D certainly was most capable.
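As an added example (not FireEye’s code or data), here is how a sinkhole operator would reduce connection logs like those described above to a bot count, a per-domain breakdown, and the number of bots seen falling back to the backup domains. The domain names, IP addresses and log lines are constructed placeholders, not real Mega-D indicators; the 15,000 messages per hour figure is the one quoted in the text.

```python
# Added example, not FireEye's code: summarise a sinkhole log the way the text describes,
# counting distinct infected hosts and which C&C domain each one tried. Domain names,
# IPs and log lines are constructed placeholders, not real Mega-D indicators.
from collections import Counter

PRIMARY = {"cc-primary.invalid"}                 # C&C names the ISPs redirected to us
BACKUP = {"backup1.invalid", "backup2.invalid"}  # fallback names found in the bot code
SPAM_PER_BOT_PER_HOUR = 15_000                   # per-bot figure quoted in the text

# Constructed sinkhole log, one "<timestamp> <source-ip> <requested-host>" per line.
SAMPLE_LOG = """\
2009-11-06T10:00:01Z 198.51.100.7 cc-primary.invalid
2009-11-06T10:00:02Z 198.51.100.7 backup1.invalid
2009-11-06T10:00:05Z 203.0.113.9 backup1.invalid
2009-11-06T10:00:07Z 203.0.113.9 backup2.invalid
2009-11-06T10:00:09Z 192.0.2.44 cc-primary.invalid
2009-11-06T10:00:11Z 192.0.2.44 unrelated.invalid
garbage line that should be skipped
"""


def parse_sinkhole_log(text):
    """Yield (source_ip, requested_host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower()


def summarize(text, primary=PRIMARY, backup=BACKUP):
    """Count bots (distinct IPs asking for known C&C names) and hits per C&C domain."""
    bots, fallback_bots, per_domain = set(), set(), Counter()
    for ip, host in parse_sinkhole_log(text):
        if host not in primary and host not in backup:
            continue  # unrelated traffic that happened to reach the sinkhole
        bots.add(ip)
        per_domain[host] += 1
        if host in backup:
            fallback_bots.add(ip)  # lost its primary C&C and tried a backup name
    return {
        "bots": len(bots),
        "fallback_bots": len(fallback_bots),
        "per_domain": dict(per_domain),
        # upper bound on the hourly spam these sinkholed bots could otherwise have sent
        "spam_capacity_per_hour": len(bots) * SPAM_PER_BOT_PER_HOUR,
    }
```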

But not anymore. The day after Mega-D was brought down, its “market share” of total spam messages being sent went from a staggering 15% to less than 0.5%, and this low number is probably due to the ISPs that did not cooperate in crushing this botnet. Mega-D may try to reassert itself by registering new domains for its C&C servers, but with eyes now on them, it is more likely that the criminals responsible will simply move on and attempt to create a new botnet.

Even with that in mind, we now know how to bring these botnets down; however, Mega-D was only the tip of the iceberg. Although a substantial threat, it was neither the most aggressive nor the largest. Finding the resources to knock these botnets off the internet is the real challenge.

The “Good Guys” won this battle, but the war rages on……………

What are your thoughts??

WOT……

Posted in All Posts, Computers, Helpful Hints, Security, Tech News with tags , , , , , on November 30, 2009 by The Edible Earth

With Thanksgiving now behind us and the Holiday Season fast approaching, we are all looking to find that perfect gift. Using the web, you can usually find it, but can you get it at that bargain-basement price? Well, unfortunately, scammers know what we are looking for too. Fraudulent and malicious sites pop up all over the internet at this time of year, promising to ship the items you are looking for at really cheap prices. We all know about looking for TLS (Transport Layer Security), formerly known as SSL (Secure Sockets Layer), certificates before entering any personal information on an e-commerce site. We all know about checking URLs to ensure that the site where we are entering our personal information is, in fact, the site we intended to visit. But sometimes, in the hustle and bustle that comes with the season, we forget and get careless. Well, this is what the scammers are depending on. With phishing, scareware, browser hijacking, and malware on the rise, we could use all the help that we can get.

This is where WOT (Web Of Trust) comes into play. It is a lightweight plug-in that works in either Firefox or Internet Explorer and will alert you should you, caught up in the “spirit of the season”, visit a known malicious site. But WOT is not a certificate authority like VeriSign, a single authority that verifies sites. WOT is made up of a large community that has checked over 25 million websites and will alert you before you click where you should not. WOT works with Google, Yahoo, and other search engines. Before you click on a search result, you will notice either a green, yellow, or red indicator showing the website’s safety rating. Green means that the site is safe, yellow indicates that caution should be taken, and red is telling you that the site you are about to enter is a known malicious site. WOT will also warn you should you click on a link to download software from a known malicious site. It will give you the option to override the warning, but I would take the recommendation seriously.

To use WOT, download the add-on for the browser of your choice. Once it is installed and you do a search, you will notice colored circles to the right of each search result. By hovering your mouse over the circle, a drop-down window will appear showing the rating for the site in various categories, including trustworthiness, vendor reliability, privacy, and child safety. Should you click on a known malicious site, a large warning will appear on your screen. Think carefully about clicking on a site for which you get this warning. You do get the option to proceed, but again, I would seriously advise against clicking on the link. Sites for which WOT does not have sufficient information will be marked with a question mark.

Especially during this festive season, it is imperative that we get all the help that we can in order to keep our computers malware free. But more importantly, it is imperative to keep our personal information out of the hands of the cyber-criminals. WOT is a great tool that is lightweight and will help ensure that you do not click on something that could harm either you or your computer. It is not foolproof, and should be used along with your best weapon…..common sense!!!!

To view a video about the Web Of Trust, click HERE…

To download the Web Of Trust, click HERE…..

Just another tool to help keep you safe.

Happy Holidays!!!

It Is Only Getting Worse!!!!

Posted in All Posts, Computers, Helpful Hints, Security, Tech News with tags , , , , , , , , , , on October 14, 2009 by The Edible Earth

Scareware, I have talked about it before. You are warned that your computer is infected with a myriad of infections and that for $49.95, this miraculous software will fix all of these problems. The site looks legitimate, so you decide to download the software and fix this seemingly serious problem. However, what appears to be a problem is really a scam: you pay the money and, to make a bad situation worse, by downloading this software that is supposed to fix all of your problems, you are actually downloading malware. So you basically just paid a scammer to infect an otherwise healthy computer. Well, just when you think that this could not get any worse……it does!!! Panda Security has just found a new and nastier way in which the bad guys are taking advantage of innocent users. This new technique is more invasive and can be more costly than anything that has been seen in the past. Known as “Total Security 2009”, this new scam not only wants you to purchase their software, but will take your computer hostage in order to get it. By clicking on their warning, software is installed on your computer which makes your file system useless, meaning that nothing on your computer will work except your browser. You have two choices at this point: either pay them the ransom, which by the way has increased from $49.95 to around $79.95, or reformat your drive and reinstall Windows. So we pay the ransom. This is a bad idea, as not only have you wasted your money, but the malware is still on your computer. Yeah, you can now scan with legitimate anti-malware software and hopefully clean your computer, but I would not put a lot of hope in that.

Luis Corrons, the Technical Director of PandaLabs states that “Users are often infected unknowingly, in most cases, through visiting hacked websites, and once a computer is infected it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge. Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake antivirus. For this reason, on the PandaLabs blog, we have published the serial numbers required to unblock the computer if it has been hijacked. Users can then install genuine security software to scan the computer in-depth and eliminate all traces of this fake antivirus”.

So you see, this is a serious new threat to users everywhere. This new threat is probably being implemented by scammers because users have become more aware of the previous threats, making them less effective. This is just another example of how the scammers are staying one step ahead of the providers of malware protection. Panda Security has a really nice overview of this new threat. You can find it HERE and get the serial numbers at Panda’s blog site HERE.

Keep this in mind when web surfing and checking emails. As always, never click on links in emails unless you are sure they are safe, and never open any media files (movies, photos, audio) from sites that you are not 100% sure are secure. Also make sure that the site you are searching for is, in fact, the site that you are going to. Always check the URL to make sure you are pointed at the site that you are really looking for.

Here is an article entitled “The Business of Rogueware” written by Sean-Paul Correll and Luis Corrons from Panda Security. (download the PDF)

Doing these things may prevent you from being held to ransom by some hacker who just wants your money. Ransomware is fast becoming a serious threat to regular users, and not just to large organizations and corporations anymore.

What are your thoughts…..Leave a comment!!!!