Archive for September, 2006

How to back up and restore data with Cobian Backup

One of our members, YourHighness, has written a very detailed and concise guide on backing up and restoring data using a free program called Cobian Backup. The program is easy to use and allows you to upload your backups off-site via FTP if you have an FTP site. It is definitely worth a read if you are not currently backing up your data regularly. An excerpt can be found below:

As many of you know, today’s digital world comes with a lot of things that make our daily life easier. However, as time goes on you rely more and more on the information stored on your PC. No one is completely safe from power outages, corrupt hard disks, an infected system through a backdoor or Trojan, or even a fire. To make sure that a computer can easily be restored to a previous point, software developers created what is called backup software or imaging software.

There are different methods of creating a backup of your partition or hard drive, but this tutorial will only focus on one possibility, using a freeware tool called Cobian Backup.

If you wish to receive a broader overview of the different forms of backing up data, you can browse this excellent Wikipedia article on backups or another one on images.

The tutorial can be found here:

How to backup and restore your data using Cobian Backup


VirusBurst still alive and kicking…

You didn’t think that VirusBurst was done creating new infectors now did you? Well, as usual they released another pair of infectors. The two new DLLs are

C:\Windows\System32\httge.dll
C:\Windows\System32\gqagksr.dll

As always the removal guide has been updated to include these two new infectors.


Official Microsoft VML Patch Released

Microsoft released today the official patch for the VML security hole. This comes as a surprise as Microsoft tends to not release patches earlier than the second Tuesday of each month.  It seems that this exploit has had more widespread ramifications than first suspected.

Microsoft Security Bulletin MS06-055 provides further information about this vulnerability and the security update that is available.  The update is also now available on Windows Update and through automatic updates.  If you use automatic updates, which you should, then the patch should be available soon on your computer to install. 

The update has the following information:

Security Update for Windows XP (KB925486)
A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

We strongly advise that everyone install this update as soon as it becomes available to you.


Video showing how easy it is to get infected with a rogue anti-spyware program?

Is it easy to get infected? Well, that depends on how knowledgeable a computer user you are. If you are someone with a fair amount of computer security knowledge, then it is very difficult, but if you are the everyday user with minimal computer security knowledge, then it is very easy. Why? Because the installers for these programs are Trojans masquerading as legitimate programs.

The Trojan downloader will disguise itself as a codec for Windows that will supposedly enhance the video and audio on your computer. For example, here are some of the things said on a known infector site:

Media Player Video Codec is a multimedia compressor / decompressor which registers into the Windows collection of multimedia drivers and integrates with any application using DirectShow and Microsoft Video for Windows. Media Player Video Codec will highly increase quality of video files you play.

Or

Media Player Video Codec enhances your music listening experience by improving the sound quality of video files sound, MP3, internet radio, Windows Media and other music files. Renew stereo depth, add 3D surround sound, restore sound clarity, boost your audio levels, and produce deep, rich bass sounds.

The reality, though, is that these statements are all fake. These codecs do not do a single thing other than install rogue anti-spyware programs like VirusBurst, SpywareQuake, etc. onto your computer.

Below is a video where we show the typical scenario a person goes through that gets them infected with these types of malware. Please note that the video contains a URL that will infect you if you download their software. I strongly advise you do not visit this site at all.

When watching the video notice how at the beginning I have only one entry in my HijackThis log, but after installing the codec you will see that I have many more. Another, sad but humorous, item is that VirusBurst will find the codec files that installed VirusBurst in the first place and state they are Trojans.

To watch the video click on the link below.

Rogue anti-spyware installation video


At least one virus writer likes Bioware games!

Everyone, even malware writers, likes a good game here and there, right? Well, it seems like the writer of one of the newer VaneBot worms, called W32/Vanebot-M, likes Bioware games a little too much. So much so that they decided to give it the file name dragonage.exe and the Windows Registry Run entry name Dragon Age - Bioware. I doubt, though, that Bioware wants this type of publicity for one of their upcoming games.

For those who do not know who Bioware is, they are a leading game design company that primarily makes RPG games and which also excels in world building. It so happens that one of their in-development RPGs is a game called DragonAge.

Dragon Age™ is a blockbuster fantasy role-playing game set in a vast new world created by BioWare.

Your adventures will take you across the kingdom of Ferelden. Explore blood-soaked battlefields, ancient forests and intriguing urban settings. Resist the corrupting power of magic as you discover the abandoned wizard’s tower; then descend into the halls of a dwarven kingdom. But beware! Dwarven politics may prove as deadly as their blades. This is a world as real as our own, but where the dark allure of magic ultimately shapes every facet of society. It is a world where willpower and cunning can claim a kingdom!

Unfortunately W32/Vanebot-M is not all fun and games. This malware is a worm and a backdoor that connects your computer to an IRC channel where it waits patiently for commands to be sent to it. These commands will then be executed on your computer without your knowledge or consent.

The worm component spreads to other computers using the following methods:

  • To computers vulnerable to common exploits, including SRVSVC (MS06-040)
  • To MSSQL servers protected by weak passwords
  • To network shares via:
    • MSN Messenger
    • Yahoo Instant Messenger

Using the name of a game, which most people consider harmless, is the creator's attempt at simple social engineering, as discussed in one of our previous blog entries, to make you think the program is harmless and can be trusted. Now you know better.

Check out the real DragonAge, though, as it looks to be a very interesting game.


DeluxeCommunications..Surf Sidekick in disguise!

Surf Sidekick, one of the more prolific adware programs bundled with other malware, is a contextual adware program that displays popups or extra search results based upon search terms or sites you visit.  This software tends to be installed without your knowledge or consent along with other malware.

Surf Sidekick, most likely due to its notoriety, has recreated itself as DeluxeCommunications. DeluxeCommunications performs the same function as Surf Sidekick, but so do many other malware programs. So how do we know that they are the same program from the same creators? Let's look at some of the evidence.

Unfortunately both domains, dxcdirect.com and surfsidekick.com, use private registrations, so there is not much to glean from that. If we look at the IP address for www.dxcdirect.com, 66.51.207.27, and for www.surfsidekick.com, 66.218.58.107, we see that they are both being hosted at the same ISP, DSL Extreme. That alone is definitely not enough evidence, though. Let's dig down further.

The filenames that are part of DeluxeCommunications' package have almost the same format as Surf Sidekick's. This is shown in the table below, where ?? means random characters.

Surf Sidekick Files                              DeluxeCommunications Files
%Program Files%\SurfSideKick 3\Ssk.exe           %Program Files%\DeluxeCommunications\Dxc.exe
%Program Files%\SurfSideKick 3\SskBho.dll        %Program Files%\DeluxeCommunications\DxcBho.dll
%Program Files%\SurfSideKick 3\SskCore.dll       %Program Files%\DeluxeCommunications\DxcCore.dll
%Temp%\sskupdater3.exe                           %Temp%\dxcupdater3.exe
%Temp%\??.tmp                                    %Temp%\??.tmp
%Temp%\??.bat                                    %Temp%\??.bat
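The filename table is the kind of evidence a removal guide turns into a check. The following is an added example, not code from the post or from either program's authors: it translates the table's patterns (with ?? standing for two arbitrary characters) into regular expressions and runs them over a constructed directory listing. It also handles the weak spot in the table: the %Temp%\??.tmp and %Temp%\??.bat patterns are shared by both families and by plenty of harmless software, so the scanner reports those separately from the names that point to exactly one family. The folder locations for %Program Files% and %Temp% are assumed for a default English Windows XP install; a real checker would read them from the environment.

```python
import re

# Patterns copied from the comparison table above; "??" means two random characters.
SURF_SIDEKICK_PATTERNS = [
    r"%Program Files%\SurfSideKick 3\Ssk.exe",
    r"%Program Files%\SurfSideKick 3\SskBho.dll",
    r"%Program Files%\SurfSideKick 3\SskCore.dll",
    r"%Temp%\sskupdater3.exe",
    r"%Temp%\??.tmp",
    r"%Temp%\??.bat",
]
DELUXE_PATTERNS = [
    r"%Program Files%\DeluxeCommunications\Dxc.exe",
    r"%Program Files%\DeluxeCommunications\DxcBho.dll",
    r"%Program Files%\DeluxeCommunications\DxcCore.dll",
    r"%Temp%\dxcupdater3.exe",
    r"%Temp%\??.tmp",
    r"%Temp%\??.bat",
]

# Assumed folder locations (default English Windows XP); not stated by the post.
FOLDERS = {
    "%Program Files%": r"C:\Program Files",
    "%Temp%": r"C:\Documents and Settings\User\Local Settings\Temp",
}


def pattern_to_regex(pattern):
    """Turn a table pattern into a case-insensitive regex over a full path."""
    for name, folder in FOLDERS.items():
        pattern = pattern.replace(name, folder)
    # Escape everything literally, then restore "??" as "any two characters".
    escaped = re.escape(pattern).replace(re.escape("??"), "..")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


FAMILIES = {"Surf Sidekick": SURF_SIDEKICK_PATTERNS,
            "DeluxeCommunications": DELUXE_PATTERNS}
COMPILED = {fam: [pattern_to_regex(p) for p in pats] for fam, pats in FAMILIES.items()}


def classify(path):
    """Return the set of families whose file-name patterns match this path."""
    return {fam for fam, regexes in COMPILED.items()
            if any(r.match(path) for r in regexes)}


def scan(paths):
    """Split a listing into strong hits (a name used by exactly one family) and
    weak hits (names like ??.tmp that both families, and harmless programs, use)."""
    strong, weak = {}, {}
    for path in paths:
        fams = classify(path)
        if len(fams) == 1:
            strong[path] = fams.pop()
        elif len(fams) > 1:
            weak[path] = sorted(fams)
    return strong, weak


# Constructed sample listing (not taken from a real machine).
SAMPLE_LISTING = [
    r"C:\Program Files\DeluxeCommunications\Dxc.exe",
    r"C:\Program Files\DeluxeCommunications\DxcBho.dll",
    r"C:\Program Files\SurfSideKick 3\SskCore.dll",
    r"C:\Documents and Settings\User\Local Settings\Temp\dxcupdater3.exe",
    r"C:\Documents and Settings\User\Local Settings\Temp\7a.tmp",
    r"C:\Documents and Settings\User\Local Settings\Temp\abc.tmp",   # 3 chars: no match
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    strong, weak = scan(SAMPLE_LISTING)
    for path, fam in strong.items():
        print(f"STRONG  {fam:22} {path}")
    for path, fams in weak.items():
        print(f"WEAK    {'/'.join(fams):22} {path}")
```

A weak hit on its own is not evidence of infection; it only becomes interesting next to a strong hit on a Dxc*.dll or Ssk*.dll, which is how the guide's own file list is meant to be read.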

If that was not enough proof, let's take a look at the FAQ web pages for both Surf Sidekick and DeluxeCommunications. Currently the main Surf Sidekick web page is coming up blank, but if we go to a deeper page in their site we can see their FAQ page and compare it with the DeluxeCommunications FAQ page.

[Screenshot: DeluxeCommunications (dxcdirect.com) FAQ page]

[Screenshot: Surf Sidekick (surfsidekick.com) FAQ page]

Need we say more?  The dxcdirect.com (DeluxeCommunications) and the surfsidekick.com (Surf Sidekick) pages are essentially the same.

For those who regularly block malware sites using a HOSTS file, you can blackhole the following domains, which are used by this software.

dxcdirect.com
dl.dxcdirect.com
www.dxcdirect.com

We have also created a removal guide for DeluxeCommunications here:

How To Remove Deluxecommunications (uninstall Instructions)

A big thanks to sUBs for finding the new malware and Miekie for letting me know about it!


Microsoft VML exploit discovered by Sunbelt Software

A new unpatched exploit in Microsoft Internet Explorer was recently discovered by the folks over at Sunbelt Software. This exploit, if you are unprotected, will allow malicious web sites to download and install malware on to your computer without your consent or even knowledge. 

Recent testing by Adam Thomas of Sunbelt Software shows one site using this exploit to install approximately 47 different types of malware. That’s nasty! These malware include Virtumonde, SpySheriff, Qoologic, and Backdoor.Shellbot among many others.

In order to help protect you, our readers, BC has put together a guide to help you protect yourself from this exploit.  This guide contains manual instructions and automated batch files to do it for you.  The guide can be found here:

How To Protect Yourself From The Vector Markup Language (vml) Exploit In Internet


Firewalls? Who needs them.

You do!

This was not a trick question…but the reality is that many computer users have absolutely no idea what a firewall is. As a matter of fact, until recently, my somewhat computer illiterate wife thought that firewalls were only utilized by big companies to protect their own network.

Among my family and friends I am the resident computer geek, and if you are like me, you know that means when you are at their house or apartment you are invariably asked to fix a problem. One of the things that I notice immediately is that most of the computers do not have a software or hardware based router/firewall protecting them from Internet attacks.

The Internet is a scary place with constant probing and attack attempts by hackers and malware. These probes and attacks are being done so that the attacker can set up shop on your computer and essentially use your computer to perform tasks like the following:

  • Use your computer to hack other computers.
  • Send out spam through your computer
  • Use your computer to illegally distribute copyrighted software, movies, and music.
  • Attack computers in the attempt to bring them down.

What does this mean to you? Well besides the potential legal issues that may arise from illegal activities being conducted on your computer, these activities will also affect your computer’s performance.

As a test to see how many attacks my computer would receive in a day, I set up an Intrusion Detection System and let it run for a period of time. I then created a report detailing the attacks and probes that my computer received on the day of September 18th 2006. The report showed that in a 24 hour period my computer was probed or subjected to hack/exploit attempts a total of 92 times by 43 different IP addresses. That is a significant number of attacks from a lot of different computers.

I have outlined the attacks and the number of times each occurred below. If you want more information about an individual attack, you can click on the More Info link, which will bring you to further details at the end of this blog entry.

Security attempts on September 18th, 2006 (attack, followed by its count):

  • RPC/DCOM Exploit attempt (ISystemActivator): 18. This alert means that some sort of attack, most likely a worm, attempted to exploit a security hole in Windows RPC/DCOM services. [More Info]
  • ICMP PING generated by CyberKit 2.2 in Windows: 16. These types of alerts mean that someone used the CyberKit application to see if your computer is reachable over the Internet. [More Info]
  • NETBIOS IPC$ access: 15. An attempt was made to connect to private or administrative Windows shares. [More Info]
  • MS-SQL Worm propagation attempt (Sasser): 12. This alert means that some sort of an attack, most likely from a worm, attempted to exploit a security hole in Microsoft SQL Server. [More Info]
  • NETBIOS SMB DCERPC NetrpPathCanonicalize request: 12. A worm or hack tool was used to try and exploit the MS06-040 security hole in Windows. [More Info]
  • MS04-011 LSASS Exploit: 8. An attempt by a worm or script to exploit a security hole in LSASS. [More Info]
  • TCP Portscan: 7. An attempt was made to see what TCP ports are open on the computer. [More Info]
  • Terminal Server Request or Connection: 4. A connection to Terminal Server or Remote Desktop was attempted on the computer. [More Info]
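The report above is the output of exactly the kind of aggregation a home IDS log invites: count events per signature and count how many distinct source addresses were behind them (the post's "92 times by 43 different IP addresses"). The following is an added example, not the post's own tooling, and it does not reproduce the author's data: it parses a handful of constructed alert lines modelled on Snort's single-line "fast" alert format (the gid:sid numbers are placeholders, and the addresses come from the RFC 5737 documentation ranges), keeps only one day, skips lines that do not parse, and produces the per-signature counts and the two totals.

```python
import re
from collections import Counter, defaultdict

# One-line alert format modelled on Snort's "fast" output:
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] message [**] [Classification: ...]
#   [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log (placeholder sids, RFC 5737 addresses, not real traffic).
# The 09/17 line and the junk line exist to show filtering and error handling.
SAMPLE_ALERTS = """\
09/18-00:41:10.512000  [**] [1:100001:1] RPC/DCOM Exploit attempt (ISystemActivator) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.23:3412 -> 192.0.2.10:135
09/18-02:03:55.000100  [**] [1:100002:1] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.10
09/18-02:03:56.000100  [**] [1:100002:1] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.10
09/18-05:17:02.250000  [**] [1:100003:1] NETBIOS SMB IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.77:1045 -> 192.0.2.10:445
09/18-09:30:00.000000  [**] [1:100001:1] RPC/DCOM Exploit attempt (ISystemActivator) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:2210 -> 192.0.2.10:135
09/18-11:11:11.111111  [**] [1:100004:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.200:1434 -> 192.0.2.10:1434
09/18-14:45:30.000000  [**] [1:100001:1] RPC/DCOM Exploit attempt (ISystemActivator) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.23:4099 -> 192.0.2.10:135
09/18-22:59:59.999999  [**] [1:100005:1] TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.44 -> 192.0.2.10
09/17-23:58:00.000000  [**] [1:100001:1] RPC/DCOM Exploit attempt (ISystemActivator) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.1:3000 -> 192.0.2.10:135
this line is not an alert and must be skipped
"""


def parse_alerts(text):
    """Yield one dict per well-formed alert line; malformed lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(alerts, date):
    """Aggregate one day's alerts (date as MM/DD): per-signature event count and
    distinct attacking hosts, plus the totals the post reports (events, unique IPs)."""
    per_sig = Counter()
    sources_by_sig = defaultdict(set)
    all_sources = set()
    for a in alerts:
        if a["date"] != date:
            continue
        per_sig[a["msg"]] += 1
        sources_by_sig[a["msg"]].add(a["src"])
        all_sources.add(a["src"])
    rows = [(msg, n, len(sources_by_sig[msg])) for msg, n in per_sig.most_common()]
    return {"rows": rows,
            "events": sum(per_sig.values()),
            "unique_sources": len(all_sources)}


if __name__ == "__main__":
    report = summarize(parse_alerts(SAMPLE_ALERTS), "09/18")
    for msg, count, hosts in report["rows"]:
        print(f"{count:3}  ({hosts} host(s))  {msg}")
    print(f"{report['events']} events from {report['unique_sources']} distinct addresses")
```

Counting distinct sources per signature is the part worth keeping: a signature fired 18 times by one address is one noisy worm host, while the same count spread over 15 addresses is the background scanning the post is describing.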

The amazing thing is that for a small price, under $100 USD, or for no price at all with the free software firewalls, the majority of Internet related attacks can be stopped from even reaching your computer. A list of different hardware and software firewalls can be found here. Heck, even Windows XP SP2 comes with a sufficient firewall to block external attacks, though it won't stop your computer, if it is infected, from sending out data. That is a discussion that deserves its own entry, though.

Still do not understand why a firewall protects you so well? Let me explain how all these security risks happen in the first place. When a company writes a large program like an operating system, there are millions upon millions of lines of programming code. Due to the complexity of programs like this, bugs will invariably be created and go unnoticed by the authors. Hackers and security experts, knowing this, attempt to find these bugs and exploit them to gain unauthorized access to the operating system and thus take control of it. Many of these bugs are exploitable remotely because the program running is connected to the Internet. When you use a firewall, you block the ability of remote users to connect to these running programs, and thus there is no way they can be remotely exploited.

So with all of this said, get a firewall! If you want to protect an entire network, then go out and purchase a cheap router/firewall. If you just have one computer to protect, think about using one of the free software firewalls, or the commercial ones with more features. If you have no money to spend right now, then at least enable the Windows XP firewall, as it will offer adequate protection from these types of attacks.


Attack Information:

RPC/DCOM Exploit attempt (ISystemActivator)
Related to: Microsoft Security Bulletin MS03-026 (July 16, 2003)

This security hole in RPC/DCOM was patched in the summer of 2003, and yet from time to time we still see people infected with the MS Blaster worm. Microsoft had stated in the past that they estimated about 10 million computers were affected by this vulnerability.

ICMP PING generated by CyberKit 2.2 in Windows.
Related to: Microsoft Security Bulletin MS06-040 (August 8, 2006)

CyberKit is a program that contains a myriad of network utilities such as ping, TraceRoute, finger, whois, and a port scanner among others that can be used to get information about a remote computer. This alert meant that someone used this tool to determine if my computer was currently on and connected to the Internet. If the program received a successful ping, the user can then assume that the computer is on and not protected by a firewall, as most firewalls block pings.

MS-SQL Worm propagation attempt (Sasser)
Related to: Microsoft Security Bulletin MS02-039

A security hole in Microsoft SQL Server allowed a remote user/program to execute code on a server running Microsoft SQL. A widely spread worm called Sasser is said to have infected almost a half a million SQL Servers. The most amazing thing about this worm is that it is said to have actually slowed down general Internet traffic throughout the world.

NETBIOS SMB DCERPC NetrpPathCanonicalize request
Related to: Microsoft Security Bulletin MS06-040 (August 8, 2006)

A security hole in the Windows Server service could allow an attacker to remotely execute code or take complete control of an affected system. These attacks were most likely generated by worms that attempt to exploit this vulnerability in order to spread themselves.

NETBIOS IPC$ access

All Windows XP/2000/2003 installations have default administrative shares that are used by the operating system or for communication between different computers. An attempt was made to connect to one of these administrative or private shares in order to access the files contained within them.

TCP Portscan

Certain programs, when run, listen for connections over a network or the Internet. When these programs listen, they do this by binding themselves to a particular port on the TCP/IP stack of the operating system making the particular port open. A TCP Portscan is a method for a remote user to scan your computer to see what ports are open. They can then use this information to determine if your computer can be remotely exploited or attacked. More information about TCP Ports can be found here.

Terminal Server Request or Connection

Windows contains a service called Terminal Server or Remote Desktop. This service allows a remote user to connect to the computer, see the desktop on the remote computer, and use that desktop as if they were sitting in front of it. An attempt to connect to Terminal Server means that someone tried connecting to a desktop on your computer.

MS04-011 LSASS Exploit
Related to: Microsoft Security Bulletin MS04-011 (April 13, 2004)

A buffer overrun vulnerability exists in LSASS that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Some worms that are known to exploit this security hole are:

Win32/Gaobot
Win32/Sasser
Win32/Korgo
Win32/Rbot
Win32/Sdbot
Win32/Mytob
Win32/Spybot
Win32/Wootbot
Win32/Bobax


And another VirusBurst infector…

A new infector was discovered today for VirusBurst. The file is:

C:\Windows\System32\titiau.dll

As always the removal guide has been updated.


Windows Live Writer a week later.

What can I say, I am addicted. I personally did not like to blog before I found Windows Live Writer. The web interface was too cumbersome, imho, and this allows me to be offline and still compose my entries. Even more important, though, is that this program is so easy to use and is compatible with so many different blogging services. This allows almost anyone to easily blog and have the entries look good. So a big  to this program.

As discussed previously, one of the things that I absolutely love about Windows Live Writer is its plugin system. The plugin system allows people to make plugins that extend the functionality of WLW, similar to how FireFox extensions work.

My favorite plugins so far are the following:

  • Keyword Tags for Wordpress.  Not a plugin for WLW but rather a plugin for WordPress.  This plugin allows you to use the keywords field in WLW to show Technorati tags in WordPress blog entries. Instructions and info on this can be found here.
  • Insert Simple Table. This plugin allows you to create an easy HTML table for formatting text.

One plugin that I am currently not using but looks very interesting is the Currently Listening plugin. This plugin allows you to insert into your blog entries the titles of the songs you are currently listening to in iTunes and Windows Media Player.  Support for Winamp is coming soon according to their web site.


© 2003-2008 All Rights Reserved Bleeping Computer LLC.