Archive for Malware

Highly Critical Exploit Found In Windows

Posted in All Posts, Computers, News, Security, Tech News on July 27, 2010 by The Edible Earth

Microsoft issued a new Security Advisory on Friday, July 16th regarding an old Windows vulnerability associated with shortcut icons.

This vulnerability, which is rated as ‘Highly Critical’ by Secunia, affects every version of Windows back to and including Windows 2000. This flaw even affects Windows 7 Service Pack 1 Beta and Windows Server 2008 R2, which were only released a couple of weeks ago.

The flaw has been traced to the way Windows Shell parses shortcut files. This can enable malicious code to be executed, normally from a USB thumb drive or external media storage device, such as a CD or DVD. However, it has been found that this flaw can also be triggered using malicious links in email as well as from malicious websites. Network shares and WebDAV are also viable venues to exploit this flaw.

Shortcuts are links to actual files and use the hidden .LNK extension. A specially crafted .LNK file needs to be parsed by Explorer, in Windows, for the exploit to work. The maliciously crafted file uses AutoPlay to execute the malicious code. Even if AutoPlay is disabled, as it is in Windows 7 by default, this code is still able to run on a user’s computer. Users who are operating as an Administrator are most vulnerable to this flaw. If the exploit is successfully run, it can enable a hacker to take over a user’s computer.

In a blog post, Microsoft softened the severity of this flaw by stating that only ‘limited’ attacks have been occurring. However, you can be sure that malicious hackers will be jumping on this real soon and more widespread attacks will be occurring. Microsoft stated that most attacks are occurring in Iran and Indonesia, and that they are related to malware known as the Stuxnet worm.

Hopefully, Microsoft will issue an ‘out-of-sequence’ patch for this exploit, but as of now, they have only released a workaround ‘Fix it’ option which, for most, will be more annoying than worrying about the exploit. It works by disabling all .LNK files. By using the ‘Fix it’ option, all icons on the computer will default to the white rectangular blank icon. Microsoft also offers directions for a manual fix which is aimed more at IT professionals. Recently, however, even these workarounds have been found to not be completely effective at protecting infected systems. These workarounds only work on systems that are running Windows XP SP3, Server 2003, Vista, Server 2008, 7, and Server 2008 R2.

Because this worm also affects older versions of Windows, such as Windows 2000, Windows XP, and Windows XP SP2, this exploit is an even more dangerous threat, as these computers will NEVER receive a patch. Microsoft recently discontinued support for these operating systems. Given that there are a lot of machines still running this software, this exploit can have far-reaching and longer-term effects.

This exploit has been around since the early days of Windows but has only recently been discovered. This is regarded as a ‘Zero Day’ flaw, which means that it was only discovered after it was actively being exploited in the ‘wild’.

Hopefully Microsoft is working around the clock to permanently fix this flaw and will issue an ‘Out of Sequence’ patch soon. At the very worst, let’s hope that it will be fixed with their next scheduled update, which is set for Tuesday, August 10th.

For more information on this exploit, visit Microsoft’s Security Advisory 2286198 and Support Articles.

Where Do We Go From Here?

Posted in All Posts, Computers, News, Security, Tech News on April 1, 2010 by The Edible Earth

Zero Day Vulnerabilities, Man In The Middle Attacks, Worms, Exploits, Phishing, Hacked accounts, and the list goes on and on. The fact is that computer users in today’s world are facing a growing threat from outside sources when using the internet. Most people are not aware of, nor care about, these threats, that is, until it is too late. But why and how is this happening? What are we doing about it? And where do we go from here? All valid questions that really do not have a solid, absolute answer.

We hear almost every day about new threats, either attacks on an unknown exploit (Zero Day Attack), or horror stories regarding account hacks and phishing scams. Windows, Adobe, Apple, and just about every other major software creator has faced this issue at least once, some many, many times. In the early days of hacking, viruses were merely a proving ground, a gold star for a lapel, for many young and very talented software writers. No malicious intent, for the most part, was ever meant. All they wanted to see was whose virus could propagate the fastest and to the greatest extent. It was a game to them, albeit a very annoying one. However, those days are long gone, and the occasional malicious software written by a teen with a chip on his/her shoulder is no longer a concern. Today, these onslaughts are being carried out by large criminal organizations, who do have malicious intent, and have found out that these scams and attacks are also very lucrative. What’s worse is that the people doing this are extremely talented and savvy software creators who are constantly deriving new ways to get deep into the pockets of the ordinary computer user.

For most, all that is wanted is to turn on the computer and get email, check accounts, and do some online shopping. Security, although they care about it, is something whose juicy details most users do not want to know: how it works, and what dangers to look for. They simply want a machine that works and is safe to use. Unfortunately, that is not the way of today’s computing. Even so, simple is better to most users. SSL/TLS, file encryption, WPA2, and the like are all things that the ordinary computer user does not want to know about, or even care about. And quite frankly, why should they? Computer aficionados thrive on this sort of stuff, but for the normal user……no!!! The casual user knows that anti-virus software will keep them safe. Some may even use an additional anti-malware scanner, but will rarely use it to fully scan the computer. Firewall…..I know I need one, but what is it? But even with these tools, our computers are still not safe from becoming compromised.

The major anti-virus companies will all admit that this is a hurry-up-and-catch-up game. The bad guys always seem to be one step ahead of the good guys, sometimes quite a few steps ahead actually. The AV manufacturers are always trying to lessen this lead, but like I said earlier, this is no teen with a bad attitude; these are savvy, technical, and treacherous organizations that are making our life online hell. A new bug is released into the ‘wild’, and now it will take the anti-malware companies time to find it, reverse engineer it, and then launch a fix for it. Heuristics have helped in this matter, but have also created some new problems, namely false positives. Heuristics is a method of scanning your computer in which the anti-malware software is not looking for specific malware, but only for malware-like activity, such as registry entries being changed. As a result, false positives are becoming more prevalent, in which the anti-malware falsely labels something as a threat when it is really a legitimate act. Holes/vulnerabilities that are found in software, and then are issued fixes through software updates, are still being exploited, due to the average user not knowing enough or caring to get the update. Time is expensive, and updating software can be time consuming, and all the user wants to do is turn the machine on, do what they need to do, and move on to their next agenda. Look at the Conficker worm: a patch and a fix for this bug was issued long ago (Oct 2008) and yet, it is still out there.

So where do we go from here?

Well, short of turning off the internet, re-working the entire infrastructure, and then turning it back on again, we have only a limited number of tools at our disposal. However, the strongest of these is education. The word has got to be spread throughout the computer world about the need to protect one’s self while on the internet. I certainly do not mean that everyone needs to become a computer security guru, but general knowledge of things to look for would definitely not make it so easy for the bad guys to get in. Even then, it is still going to be happening. There is money to be made, and like I said earlier, these bad guys have found out that there is a ton of it to be scammed.

In the end, this is the way it is, and appears to be the way that it will remain in the immediate future. In fact, the chances are that it is going to get more volatile out there. The one true weapon that we all have to battle this Armageddon on the internet is our ability to use common sense. That is our most powerful weapon; without it, we are doomed. Add a small dose of knowledge, and we could vastly hamper these attempts to ruin our lives. We need to keep our critical personal data safe and secure; knowing what is OK to become public knowledge and what could hurt us is paramount. I would never post my banking information on the internet, although many people have clicked on links in emails stating that their accounts have problems, and entered banking credentials. You may as well have posted it directly to the public internet. It is things like this that make it easier for the bad guys to successfully do what they do. A pound of common sense, coupled with a sprinkling of knowledge, is our greatest weapon.

What Are Your Thoughts??

Some Interesting & Informative Data from Microsoft

Posted in All Posts, Computers, Helpful Hints, Security, Tech News on March 6, 2010 by The Edible Earth

Microsoft posts twice a year on its website what they refer to as the Microsoft Security Intelligence Report. The current report encompasses a time frame spanning from January to June 2009, and it offers a slew of interesting and very valuable information. It is very interesting to see what types of vulnerabilities and malware are thriving and in what areas of the world. It also shows what Microsoft and outside software companies are contributing to these threats. All of this is done utilizing color-coded and easy-to-read charts and graphs, with commentary explaining the meaning of all this data.

A couple of things that stood out to me are the problems that have arisen due to the Adobe suite of software; actually, maybe it is not that surprising, given that we are being inundated with security updates from Adobe on what seems a weekly basis. The stark differences between the exploits and infestations occurring in XP and Vista also made me wince. It will be interesting to see what the differences are once Windows 7 is part of the report.

You can download this report by going to Microsoft’s site, by clicking HERE. There are two different versions of the report in two different formats. I would recommend downloading the 19-page summary version (1.7 MB) as a PDF. It also comes in XPS format. The full comprehensive report is 232 pages (10.3 MB) and contains the exact same charts and graphs.

After reviewing this, kindly leave a comment and let me know what you see as surprising and interesting. I would like to see different views.

Here is the link to Microsoft…..

http://www.microsoft.com/downloads/details.aspx?FamilyID=037f3771-330e-4457-a52c-5b085dc0a4cd&displaylang=en

It’s That Time Again!!!

Posted in All Posts, Computers, Helpful Hints, News, Security, Tech News on February 8, 2010 by The Edible Earth

Patch Tuesday.

My, the month went fast. It seems like it was just yesterday when Microsoft issued the itty-bitty patch in January. It’s funny how a month can change things. Tomorrow, Tuesday February 9th, is the day when Microsoft will push out its updates to the Microsoft family of software. Although Microsoft does not officially post what patches are coming until they are released, it has been said that this update is going to be quite large: 13 bulletins, fixing a total of 26 vulnerabilities, of which 5 have been labeled as critical. Microsoft has acknowledged that one of the fixes addresses a vulnerability which could allow remote code execution. Most of the updates will be for Windows, but the Office Suite will also have updates. And of course there will be an update for the Microsoft Malicious Software Removal Tool (MSRT).

It is always prudent to create a System Restore Point before getting these updates. Although it is imperative that you get these updates, it is always possible for something to go wrong. Creating a System Restore Point may just save you should something happen. I know, Microsoft does that automatically when installing updates, but I still like to create one manually. Call me paranoid, but I just do not trust Microsoft that much.

As always, from Internet Explorer, go to http://www.update.microsoft.com, and download and install all of the critical updates. If you have Automatic Updates turned on (which is highly recommended), all of the critical updates will come to your system automatically. Look for the yellow shield in your tray (next to the clock).

Once the update is complete, it is recommended that you scan with your anti-virus and anti-malware software. Don’t have one? Check out my posts HERE and HERE. Even though the MSRT does a “quick” scan after updating, it is recommended that you manually run it doing a “Full Scan”. To do this, click on “Start” and in the search dialog, type in MRT.exe and press Enter. In XP, click on Start, then select Run, and in the dialog box, type MRT.exe and hit Enter. Once the scanner opens, click on Next, select “Full Scan”, and start the scan.

Make sure you are looking for these updates, and if they do not come through automatically tomorrow, or by Wednesday at the latest, make sure you manually update. Not updating is the number one way that Windows computers become infected or exploited. The bad guys know that some Windows users do not update, and once Microsoft publishes these updates, they essentially let the bad guys know exactly what exploits are available, and they will attempt to take advantage of the ones who do not update.

Keeping that Windows machine healthy makes for a Happy Computing Experience.

Firefox Browser Add-ons Contain Malicious Software

Posted in All Posts, Computers, News, Security, Tech News on February 8, 2010 by The Edible Earth

Mozilla’s popular web browser, Firefox, has recently been found to contain two experimental add-ons that contain Trojan horses. Once installed on a computer, these trojans will run, thus infecting the computer. The two add-ons that were installing the malicious code were known as the Sothink Web Video Downloader, version 4.0, and all versions of the MasterFiler add-on. Mozilla has said that these two add-ons have been removed; however, removing the add-on will not get rid of the Trojan horses that are already running on infected computers. Mozilla recommends that any users who have installed either of these two add-ons should immediately remove them and scan their computer with anti-virus software.

The Sothink Web Video Downloader contained the Trojan horse known as:

Win32.LdPinch.gen.

The MasterFiler contained the Trojan horse known as:

Win32.Bifrose.32.Bifrose.

More information from the Mozilla Firefox BLOG.

This is a Windows only infection. Mac OSX and Linux operating systems were not affected.

Uniform Resource Locator – Part Deux

Posted in All Posts, Computers, Helpful Hints, Security, Tech News on January 16, 2010 by The Edible Earth

Now that we know the basic format that all Uniform Resource Locators (URLs) use, let’s look into ways in which you can be fooled into going somewhere that you never intended. If you did not read Part 1, you can check it out HERE. Crooks use techniques such as URL spoofing, MitM (Man in the Middle) attacks, and browser hijacking in order to steal your valuable personal information. The URL can, in most instances, let you know exactly where you are going when you do a search; however, it is not always as intuitive as you would think. Criminals are very good at tricking you into entering sites that you never intended.

We all now know, from my last post, the basic format for URLs.

http://www.domain.com/folder/sub-folder/page_name/

Before we get started, I would like to take the opportunity to state that the e-commerce sites used in the following examples are not being attacked in the portrayed manner. These types of attacks are not occurring on their sites and are only being used for the purpose of showing an example. Amazon.com and Paypal.com are perfectly safe venues for using e-commerce.

Here is why this information is important. Crooks will attempt to trick you into clicking on a malicious site, deceiving you by manipulating the URL. In this example, I am going to use Amazon.com, but they are only being used to prove a point; this is not an actual event. Let’s say you do a search for Amazon.com. Well, the true URL for their home page is http://www.amazon.com. The search result you return is for Amazon, and may even have the Amazon logo next to it. But, by looking at the URL, you notice that it is actually taking you to “http://www.amazon.badguy.com/GetVirusHere/”. As you now know, even though it says Amazon in the URL, you are not going to Amazon.com, but are actually going to the domain “badguy.com”. Amazon is a high-profile search term and is easy to identify, as it is always the top return in a search query; however, when you do a search in which the results may not be as intuitive, it is important to look at the URL to ensure you are going where you want. Other tricks that may be used:

“http://www.badguy.com/amazon.com/”……In this case, even though the last .com is from Amazon, it is after the first slash (/), which tells you that it is a folder on the badguy.com domain. (Remember the file cabinet.)

“http://www.badguy.amzon.com/getvirushere/”….Simple spelling errors are ways that the bad guys will attempt to lure you to malicious sites.

OK, these are the easier-to-recognize tricks that hackers will use to fool you. The next trick uses a more sophisticated method of luring you. Let’s say that you receive an email stating that you have a gift certificate for Amazon.com. Naturally, it looks official, so you click on it, and within the very official-looking Amazon email, you see a link that looks like this: “http://www.amazon.com/GetGiftCertificateHere/”. Well, this looks good, right? Yeah, you are right, it does look legitimate; however, click on the link and see what happens (don’t worry, nothing bad will occur). Just because the text in a link looks correct, it does not mean that the link is taking you where you think. You may be asking, so how can I be sure? The easiest method of making sure you are going where you want is to hover over the link (do not click it), right-click the link and select Properties. Your browser will then show you where that link is pointing.

So the browser will tell you that you are not going to “http://www.amazon.com/GetGiftCertificateHere/” but are actually going to another The Edible Earth page. Crooks will obviously not be so kind and will take you to malicious sites.
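The four tricks above (a real name buried in a subdomain, a real name used as a folder, a near-miss spelling, and link text that does not match the link’s real target) can all be checked mechanically. The following is an added example, not code from the original post: it takes a link’s real href, the domain the reader expects to reach, and optionally the visible link text, and reports which trick, if any, is in play. It assumes a simple rule for the “real” domain (the last two labels of the hostname), which ignores two-level suffixes such as co.uk, and the sample links are constructed from the post’s own examples; the final sample’s “blog.example.net” address is a hypothetical stand-in for the page the gift-certificate link really went to.

```javascript
// Added example, not from the original post. Node.js (URL is a global).

// Approximate the registrable domain as the last two labels of the hostname.
// Assumption: this ignores two-level public suffixes such as co.uk.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Levenshtein edit distance, used to spot "amzon"-style near-miss spellings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns { ok, domain, reasons }. ok is true only when the href really lands on
// expectedDomain and the visible link text (if it is itself a URL) agrees with it.
function inspectLink(href, expectedDomain, linkText) {
  const reasons = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, domain: null, reasons: ["href is not a parseable URL"] };
  }
  const expected = expectedDomain.toLowerCase();
  const expectedName = expected.split(".")[0];
  const host = url.hostname.toLowerCase();
  const actual = registrableDomain(host);

  if (actual !== expected) {
    // Trick 1: the expected name is only a subdomain, e.g. www.amazon.badguy.com
    if (host.split(".").includes(expectedName)) {
      reasons.push(`"${expectedName}" is a subdomain of ${actual}, not the site itself`);
    }
    // Trick 2: the expected name sits after the first slash, e.g. badguy.com/amazon.com/
    if (url.pathname.toLowerCase().includes(expected)) {
      reasons.push(`"${expected}" is a folder on ${actual}, not a domain`);
    }
    // Trick 3: a near-miss spelling of the domain, e.g. amzon.com
    const dist = editDistance(actual.split(".")[0], expectedName);
    if (dist > 0 && dist <= 2) {
      reasons.push(`${actual} is a near-miss spelling of ${expected}`);
    }
    if (reasons.length === 0) {
      reasons.push(`link goes to ${actual}, not ${expected}`);
    }
  }

  // Trick 4: the visible text looks like a URL but the href goes elsewhere.
  if (linkText) {
    try {
      const textDomain = registrableDomain(new URL(linkText).hostname);
      if (textDomain !== actual) {
        reasons.push(`text shows ${textDomain} but the link goes to ${actual}`);
      }
    } catch (e) {
      // Link text is not a URL; nothing to compare.
    }
  }
  return { ok: reasons.length === 0, domain: actual, reasons };
}

// Constructed samples taken from the tricks described in the post.
const SAMPLES = [
  ["http://www.amazon.com/", "amazon.com"],
  ["http://www.amazon.badguy.com/GetVirusHere/", "amazon.com"],
  ["http://www.badguy.com/amazon.com/", "amazon.com"],
  ["http://www.badguy.amzon.com/getvirushere/", "amazon.com"],
  // Hypothetical: official-looking link text whose real href points elsewhere.
  ["http://blog.example.net/some-other-page/", "amazon.com",
    "http://www.amazon.com/GetGiftCertificateHere/"],
];

for (const [href, expected, text] of SAMPLES) {
  const r = inspectLink(href, expected, text);
  console.log(r.ok ? "OK  " : "WARN", href, r.reasons.join("; "));
}
```

Only the first sample comes back clean; each of the others is reported with the specific trick it uses, which is the same judgement the post asks the reader to make by eye.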

Now let’s say that you arrive at a web site and everything looks OK, including the URL, but something just does not look right. The way to be sure that you are actually where you think you are is to run a little JavaScript. By copying and pasting the script into the URL bar of the site that you are on and pressing Enter, the site’s actual URL and address URL will be displayed. If this shows that the domains do not match, you may have been spoofed and may be at a malicious site.

Copy and paste the following JavaScript in the URL bar (NOTE – When you copy and paste this, clear the URL information that is already there. This script should be the only thing in the URL bar):

javascript:alert("The actual URL is:\t\t" + location.protocol + "//" +
location.hostname + "/" + "\nThe address URL is:\t\t" + location.href +
 "\n" + "\nIf the server names do not match, this may be a spoof.");

These types of spoofs are common on nefarious websites, so make sure that you are aware of where you are going before clicking on links.

However, crooks are getting more and more clever with their tricks, and even though the aforementioned tactics can be effective, there are some types of tricks that are even more difficult to detect. The first is browser hijacking, in which you are directed to a fake website after clicking on what appears to be a good link. These fake sites are very well built, and will look very much like a legitimate site. Let’s say you click on a link that you think will take you to Amazon.com; however, you wind up at a site that looks exactly like Amazon.com, but is not. From here, the cyber criminals will attempt to get your personal information. Simply glancing up at the URL will tell you that you are not at the correct site. The criminals are relying on the fact that, because the site looks so genuine, you will hopefully not even question what the URL says. Always check the URL. Again, running that little JavaScript will tell you exactly where you are.

These hijackings may even take you to a site that may look nothing like Amazon.com, but will contain malware or links to malware. Should you ever think that you are going to a particular site, and wind up somewhere unexpected, do not click on anything on that site, no matter how appealing it may seem. Chances are you are going to wind up with a virus, worm, Trojan horse, or spyware.

Even more dangerous are what are known as Man in the Middle (MitM) attacks. These are hacks in which the criminal gets in between your transmission and the expected website, kind of like an intercepted pass in football, and steals your personal information. This was a very simple thing for an experienced hacker to do; however, e-commerce sites have become more aware of this type of attack and have made changes to their sites so as to make MitM attacks more difficult. One way that this could be accomplished is by going to a page that is asking for your personal information that is not protected by an SSL/TLS (Secure Socket Layer/Transport Layer Security) connection. Any connection that is protected by SSL/TLS is encrypted, so that all a MitM will see is gobbledygook. All websites that are encrypted by SSL/TLS will always begin with “https://” instead of just “http://”. The way that a MitM attack could occur is for you to go to an e-commerce site. You would then add items that you want to purchase. You are looking at the page with the item(s) that you are intending to buy. This page has a button that says “Purchase Now”; however, this page is not protected with SSL/TLS (it does not start with https://). Before we go any further, I will give you the nickel explanation of how these sites expect to receive packets over the internet.

When packets of information that contain personal identifying information are sent over the internet, most sites like Amazon.com, Paypal.com, etc. expect them to arrive at their server over an encrypted transmission. If they are received unencrypted, these packets will be dropped by the site, which is a good policy as it protects you. When encrypted purchase information is received, confirmation information is then sent back to you, also through an encrypted transmission.

OK, now let’s return to that page on which you are going to purchase your items. The page was designed to be unencrypted (http:// only); however, once you enter your credit card information and push the ‘Purchase Now’ button, the information will then be sent over SSL/TLS. What happens is that the criminals hack the site and overlay the ‘Purchase Now’ button with an address that goes to their malicious site, over a non-encrypted transmission, where they now have all of your personal information. Now remember, the e-commerce site will not receive any information that is not encrypted, so the hacker will then cover their tracks and pass the information on to the e-commerce site over an SSL/TLS connection, so that the e-commerce site receives the packets of data exactly the way they are expecting them. Likewise, you will receive your purchase confirmation just as you expected, and thus will never know that your data was intercepted. Most e-commerce sites have fixed this flaw: any time you enter your personal information, it is entered on a page that is served over an SSL/TLS connection as well as sent over one. This way no hacker can manipulate a page in which any personal information is entered, as the page is encrypted. This is only one way that a MitM attack can occur. Most of the time you will never even know that it has occurred.
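The rule the post arrives at (the page that collects the card details must itself be served over https, and the form must submit over https) can be written as a small audit. The following is an added example, not code from the original post or from any e-commerce site: it compares a page’s address with the address its purchase form submits to and reports each of the three weaknesses described above. The shop and collector addresses are constructed for the example.

```javascript
// Added example, not from the original post. Node.js (URL is a global).

// Audit one purchase form: the page it lives on and the address it submits to.
// Returns { safe, findings }; safe is true only when nothing needs attention.
function auditPurchaseForm(pageUrl, formAction) {
  const page = new URL(pageUrl);
  // A relative action such as "/checkout" resolves against the page, as a browser would.
  const action = new URL(formAction, page);
  const findings = [];

  if (page.protocol !== "https:") {
    // The weak design from the post: an unencrypted page whose button can be overlaid.
    findings.push("page is served over " + page.protocol.slice(0, -1) +
      ", so the button and form can be altered before they reach the user");
  }
  if (action.protocol !== "https:") {
    findings.push("form submits over " + action.protocol.slice(0, -1) +
      ", so the card details travel in the clear");
  }
  if (action.hostname !== page.hostname) {
    // Legitimate payment processors exist, but a third-party destination on a
    // purchase form is exactly what the overlaid button looks like; flag it for review.
    findings.push("form submits to " + action.hostname + " rather than " + page.hostname);
  }
  return { safe: findings.length === 0, findings };
}

// Three situations from the post: the weak design, the overlaid button, and the fix.
// All addresses are constructed for this example.
const SCENARIOS = [
  ["weak design (http page, https submit)", "http://shop.example/cart", "https://shop.example/checkout"],
  ["overlaid button", "http://shop.example/cart", "http://collector.badguy.example/grab"],
  ["fixed design (https page, https submit)", "https://shop.example/cart", "/checkout"],
];

for (const [label, pageUrl, action] of SCENARIOS) {
  const result = auditPurchaseForm(pageUrl, action);
  console.log(label + ": " + (result.safe ? "safe" : result.findings.join("; ")));
}
```

In a browser the same function can be run against `location.href` and each `document.forms[i].action`; the first scenario is reported as unsafe even though the submission itself is encrypted, which is the point the post makes about the page needing to be encrypted too.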

I would like to take the opportunity to thank all of the e-commerce sites used in the examples above. These types of attacks are not occurring on their sites and are only being used for the purpose of showing an example. Amazon.com and Paypal.com are perfectly safe venues for using e-commerce.

In order to safely use e-commerce and browse the web, it is essential to understand the concept behind a URL, its structure, and how it works. When browsing the web, make sure that you pay special attention to the URL address that you are actually going to, so as not to get spoofed and potentially endanger your personal information.

And as always, make sure that you keep your Operating System, anti-virus, browser, and anti-spyware software updated. Never click on unsolicited links in an email, and always use common sense. If a deal seems to be too good to be true, it probably is.

Let me know if you have experienced these types of attacks……

Leave a Comment!!!!

Thanks for asking, I Am Fine!!!

Posted in All Posts, Computers, Helpful Hints, News, Security, Tech News on December 30, 2009 by The Edible Earth

Wow, It’s Been Awhile…..

Yes, it has been a while. But guess who has reared its ugly head once more? None other than Conficker!!

New Zealand’s Waikato District Health Board has announced that the Conficker (aka Downadup) worm has infected its entire hospital network. The problems were first discovered on Thursday, 12/17, and Microsoft was called in to diagnose the problem. Two hours later, Conficker was found to be the culprit. This forced 3,000 of the District’s networked computers to be shut down. This caused the 7 hospitals in their network to urge patients not to seek care at their facilities, unless it was an absolute emergency.

The Conficker worm, which has become the most prolific computer infestation in history, is estimated to infect up to 15 million different computers, although due to the difficulty in tracking this worm, estimates range from a low of 5 million infected computers. Each serves as a ‘zombie’ in its vast botnet. For a reminder regarding Conficker, you can check out my past posts from 1/23/09 HERE, from 3/25/09 HERE, and once again from 4/12/09 HERE.

But here is the part that gets me. How and why did this worm get into that hospital’s network? First off, where was their IT staff? Conficker, although prolific, is not something that any computer should ever become infected with as long as proper security measures are in place. When the worm was first detected in 2008, and found its way into computer systems due to an exploit in the Windows Operating System (OS), Microsoft reacted quickly and on October 23, 2008, issued a patch (MS08-067) which closed the hole in the OS. They then pushed out a tool known as the Malicious Software Removal Tool or MRT, which could effectively remove the malware from an infected computer. It is true that the initial spread of this malware was through external USB storage devices, such as thumb drives, which were inserted into “Auto Run” enabled computers, but the fact remains that a simple update and scan using the MRT should have removed the worm. The fact that Conficker, like I said earlier, may still infect up to 15 million computers is appalling, since a patch and fix for it has been available for 14 months now.

So let’s all make sure that we are updated. Using Internet Explorer, go to http://www.update.microsoft.com and check to make sure that you have all the critical updates that are available. Keep checking until there are no more updates available. Then make sure that Automatic Updates is turned on. Next, make sure that your anti-virus software is up to date. Don’t have anti-virus software? Then check out my recommendations HERE. And lastly, scan using the Malicious Software Removal Tool. Don’t know how?? Click HERE.

Although this is news, in my opinion, an organization such as this should be embarrassed that this incident has occurred. No major organization, with a competent IT department, should ever run into a situation like this. Of course, sabotage is always something to investigate, but under normal circumstances, Conficker should technically be dead and buried by now.

What are your thoughts regarding the Conficker worm…..

Leave a Comment!!

Finally, Chalk One Up For The Good Guys!!!!

Posted in All Posts, Computers, Security, Tech News on December 28, 2009 by The Edible Earth

In this day and age, we seem to read every day about how we are losing the battle against spam, malware, and fraud while using the internet: the FBI’s investigation regarding allegations that Citicorp’s system was hacked to the tune of tens of millions, something that Citicorp denies, or the hijacking of personal pages on social networking sites like Facebook that is resulting in identity theft. So it is nice to finally read about a success story. Well, here is one of those successes.

In November 2009, FireEye Inc. successfully shut down one of the most notorious and nefarious botnets on the internet to date. For more information regarding “Botnets”, press HERE. In its heyday, the Mega-D botnet (aka Ozdok) was responsible for up to 15% of the spam that infests our emails on a daily basis. This literally equates to millions upon millions of spam messages being sent daily by this botnet. Here is a blow-by-blow account of how FireEye succeeded in the takedown.

For 2 years, FireEye researcher Atif Mushtaq had been looking for new ways to keep malware from infecting networks. During this research, he obtained crucial information about how these botnet controllers, known as “Command & Control” (C&C) servers, actually functioned. This was the turning point, and in November the defensive posture that was being implemented regarding these huge botnets was suddenly changed to an offensive one.

With the cooperation of Internet Service Providers (ISPs) located in the U.S., who were unknowingly hosting the C&C servers that the “zombie” computers connected to in order to receive new commands, FireEye was able to redirect these connections and effectively point them to “nowhere”. So when these “zombie” computers tried to connect to their master, they could not. Note that there were two ISPs overseas, one in Israel and one in Turkey, who did not cooperate in the siege.

Next, FireEye contacted the domain registrars in order to obtain the IP addresses for these C&C servers. With this pertinent information, FireEye was then able to see any and all alternative addresses that were written into the code for the botnet. These alternative domains were set up as a backup, should the zombie computers not be able to contact the C&C servers. Remember, the infected computers could no longer “phone home” due to the ISPs’ cooperation. With these alternative domain names and IP addresses in hand, FireEye was then able to create what is known as a “sinkhole”. Basically, they could then monitor the attempted incoming messages from the “zombie” computers without them actually contacting the C&C. By reviewing the log files from these transmissions, FireEye was able to determine that this botnet was an army of over 250,000 infected computers strong, with each zombie computer capable of sending up to 15,000 spam messages per hour. Mega-D certainly was most capable.
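The counting step described above (reading the sinkhole’s log to see how many distinct infected machines are calling in, and to which of the redirected C&C names) is easy to show in code. The following is an added example and is not FireEye’s code or data: the log format, the C&C names and every address in it are constructed for the example, and the capacity figure reuses only the post’s own number of 15,000 messages per zombie per hour.

```javascript
// Added example, not from the original post. Node.js.

// Constructed sinkhole log: timestamp, client address, C&C name requested, method, path.
// The addresses are documentation ranges and the names are placeholders.
const SAMPLE_LOG = `
2009-11-06T10:00:01Z 198.51.100.7 cc-primary.example GET /cmd
2009-11-06T10:00:02Z 198.51.100.8 cc-primary.example GET /cmd
2009-11-06T10:00:05Z 198.51.100.7 cc-primary.example GET /cmd
2009-11-06T10:00:09Z 203.0.113.21 cc-backup1.example GET /cmd
2009-11-06T10:00:11Z 198.51.100.8 cc-backup1.example GET /cmd
2009-11-06T10:00:12Z 203.0.113.22 cc-backup2.example GET /cmd
this line is garbage and must be skipped
2009-11-06T10:00:13Z 203.0.113.22 cc-backup2.example GET /cmd
`;

// One log line: time, IPv4 client, host name, method, path. Anything else is rejected.
const LINE = /^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\S+) (\S+)$/;

function parseSinkholeLog(text) {
  const entries = [];
  for (const raw of text.split("\n")) {
    const m = LINE.exec(raw.trim());
    if (!m) continue; // unparseable lines are dropped rather than guessed at
    entries.push({ time: m[1], client: m[2], host: m[3], method: m[4], path: m[5] });
  }
  return entries;
}

// Count hits and distinct clients per requested C&C name, plus distinct clients overall.
// Hosts are listed with the most distinct clients first, ties broken by name.
function summarize(entries) {
  const perHost = new Map();
  const allClients = new Set();
  for (const e of entries) {
    if (!perHost.has(e.host)) perHost.set(e.host, { hits: 0, clients: new Set() });
    const h = perHost.get(e.host);
    h.hits += 1;
    h.clients.add(e.client);
    allClients.add(e.client);
  }
  const hosts = [...perHost.entries()]
    .map(([host, h]) => ({ host, hits: h.hits, uniqueClients: h.clients.size }))
    .sort((a, b) => b.uniqueClients - a.uniqueClients || a.host.localeCompare(b.host));
  return { totalHits: entries.length, uniqueClients: allClients.size, hosts };
}

// Upper bound on hourly spam capacity, using the post's figure of 15,000 per zombie per hour.
function spamCapacityPerHour(uniqueClients, perZombie = 15000) {
  return uniqueClients * perZombie;
}

const report = summarize(parseSinkholeLog(SAMPLE_LOG));
console.log("distinct infected clients:", report.uniqueClients);
for (const h of report.hosts) {
  console.log(`${h.host}: ${h.hits} hits from ${h.uniqueClients} distinct clients`);
}
console.log("spam capacity per hour (upper bound):", spamCapacityPerHour(report.uniqueClients));
```

Counting distinct clients rather than raw hits is what matters here: one zombie retrying every few seconds would otherwise inflate the botnet size, and a client that tries the primary name and then a backup name is still one infected machine.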

But not anymore. The day after Mega-D was brought down, its “market share” of total spam messages being sent went from a staggering 15% to less than 0.5%, and this remaining fraction is probably due to the ISPs that did not cooperate in crushing this botnet. Mega-D may try to reassert itself by registering new domains for its C&C servers, but with eyes now on them, it is more likely that the criminals responsible will simply move on and attempt to create a new botnet.

Even so, we now know how to bring these botnets down; however, Mega-D was only the tip of the iceberg. Although a substantial threat, it was neither the most aggressive nor the largest. Finding the resources to knock these botnets off the internet is the real challenge.

The “Good Guys” won this battle, but the war rages on…

What are your thoughts??

What Now…..This is getting old fast!!!

Posted in All Posts, Computers, News, Security, Tech News with tags , , , , , , on November 14, 2009 by The Edible Earth

Are you a Verizon Wireless customer? Well if you are, then pay special attention. There is a new scam in the wild right now that is targeting Verizon Wireless customers directly. It is estimated that about 16% of all Verizon Wireless customers have come into contact with this scam. This is how it works.

You will receive an email, which appears to be from Verizon Wireless, stating that you have exceeded the minutes limit on your account and asking you to check your account by downloading a “balance checker” tool. Keep in mind that this message looks exactly like a legitimate Verizon message. But it is not from Verizon Wireless. If you download and run the tool, what you are in fact doing is installing a Trojan Horse. By installing this Trojan Horse, you open up your computer to a myriad of other malware from the Zbot botnet. This bot is notorious for lifting banking and credit information from users’ accounts. So as you can see, this is a serious threat.

The first emails were sent around 11:30 AM Pacific Time on Friday, 11/13/09. Friday the 13ths are always notorious for the launch of new scams on the internet. Since then, it has been estimated that about 200,000 messages have been sent per hour. So this scam is already well established.

So how do you know whether a Verizon Wireless message is legitimate, and what should you do if you receive one? First off, and I have stated this many times before in past posts, do not EVER open a message stating that there is a problem with your account unless you asked for that information before receiving the message. Even then, I would be real cautious. The best way to keep yourself from falling for these scams is to never open an email from anyone, even if you have an account with them, that states that there is a problem with your account. Instead, go to the company’s website, in this case Verizon Wireless’, and log into your account. From there, you can check to see if there is anything that needs your attention. As always, make sure that you log in over SSL, meaning that the URL starts with “https://” and not “http://”. I cannot say this strongly enough: never, ever open a link in an email that states there is a problem with your account. These are almost always scams, as companies do not alert you of problems in this manner. Always log into your account manually and check it there once you are securely logged in.

This new Verizon Wireless scam will render your computer useless should you fall for it, and believe me, it is easy to do. These scammers know what they are doing and create fake sites and messages that look exactly like ones you would receive from Verizon Wireless, complete with logo. They are easy to fall for. Knowing the basics is all you need, though, to ensure your safety. Always delete those emails alerting you to account problems, log into your account from the vendor’s website, and check from there whether the message is valid. Never click on any link that was sent to you without you asking for it. It is that simple.

For more information, check out the Trend Micro Security Blog Site.

Watch out for this scam as it is a serious one and is easy to fall for.

Let me know your thoughts…

iTunes….What are you doing???

Posted in All Posts, Computers, Helpful Hints, News, Security, Tech News with tags , , , , , , , , on November 11, 2009 by The Edible Earth

I’ve mentioned in past posts the dangers of the AutoRun feature in Windows. I think Microsoft has finally recognized this too, as in Windows 7 it is finally disabled by default. If you missed my earlier post, you can check it out HERE. But now it seems other software, namely iTunes, is looking to turn this feature back on. Hang on, I may be getting a little ahead of myself.

For those of you who do not know what AutoRun is: it was implemented by Microsoft all the way back in the Windows 95 operating system. Originally, it was not that bad of an idea. It was a way in which software manufacturers could ensure the proper installation of their software on systems whose user was not very tech savvy. When a properly formatted CD was inserted into a computer, the system would simply start loading the information off the disk, no questions asked. In its day, this greatly reduced assistance calls to software manufacturers’ help lines. So initially, it was not a bad idea.

However, like most things in this day and age, hackers found ways to exploit it. By infecting any removable media device, such as a CD/DVD, flash (thumb) drive, or external hard drive, and plugging it into a computer with AutoRun enabled, the malware would simply be loaded onto the clean computer without the user’s knowledge or action. This was the primary vector through which the Conficker worm spread.

So now getting back to iTunes.  When an audio CD is inserted into a computer running Windows 7, iTunes will prompt you with a message that looks like this.

[Screenshot: the first iTunes pop-up, asking to enable AutoRun]

Do NOT turn the AutoRun functionality on. It was disabled, by default, for a very good reason.  Just click No.

After, iTunes will then present you with another pop up that looks like this….

[Screenshot: the second iTunes pop-up]

Press F5 so that you can see the contents of the disk. This is not 100% secure, but it is much safer than turning on AutoRun. From here you could even scan the disk with your anti-malware software if there are any questions about its security.

I don’t think that Apple is doing anything malicious by doing this. It may be that Apple simply was not prepared for this functionality being turned off in Windows 7, even though Windows 7 has been available for almost a year in beta versions. But that is not the issue. The issue I have is why the pop-ups are being displayed in this order. It seems to me that they are backwards. The first message is deceiving, at best. It gives the impression that iTunes will not be able to play the user’s CD unless AutoRun is enabled, period. The pop-up should tell you to view the contents of the CD by pressing “F5”, and then prompt you to enable AutoRun, if you should so desire. Although I have no idea, from a security standpoint, why anyone would do that.

That is the way I see it; let me know what your views are…