21. August 2008 by Myke.
There is a lot of junk and crazy crap happening on the Internet these days and you can never be too safe. Just because you have anti-virus software does not mean you are protected or safe. Think of it this way: just because you use a condom… that does not mean you cannot still get pregnant or get an STD. The Internet is full of nasty STDs that can cause some serious burn. If you follow these 7 rules, you may help protect yourself even more.
“You can’t be too safe,” said Jeff Fox, technology editor at Consumer Reports. People are more savvy today about online security, says Fox, “but a lot more education is needed. You need to be street-smart, the way you are in the real world.”
In an interview with CNN, Fox listed seven common online blunders that make people vulnerable to viruses and theft, and offered tips on how to avoid them:
Assuming your security software is protecting you
Just because you install it and run it does not mean it cannot happen to you. Your best bet is to run a security program that makes you answer questions to learn your habits. It is frustrating at first, but that means it is working. Always make sure your software is up to date, as new viruses and variations of old ones come out every day. Along with viruses, there is malware/spyware that can cause just as much damage, if not more.
Accessing an account through an e-mail link
In short, don’t do it. If you get an email from your bank asking you to update financial or personal information, there’s a good chance it’s actually from a “cybercrook” seeking to empty your account. Such “phishing” scams allow criminals to steal your logins, account numbers and other sensitive data. These e-mails are especially insidious because they come adorned with genuine corporate logos and look legitimate. “This stuff has gotten so sophisticated that it’s pretty much impossible for people to know … if the e-mail is real or not,” Fox said. Because of this, most banks have stopped sending out e-mails asking for updated customer information, said Fox, who thinks the ones that still do should stop. People who must access an online account should do so by typing the institution’s address in their browser, he said.
Using a single password for all online accounts
Yes, trying to remember a bunch of passwords can be a serious pain but it can also limit your chance of having everything hacked in one fell swoop. Some cybercriminals use code-cracking software, which uncovers passwords by trolling through millions of common number-letter combinations. “If somebody manages to get hold of your password … they basically have entree to all your accounts,” Fox said. “You’re making it easier for them to impersonate you.” Fox suggests using variations on the same password to make them easier to recall. He also recommends a complex password with at least eight characters, including numerals or punctuation symbols, to thwart thieves’ computers.
Downloading free software
It is okay to do this, but you had better make sure the source is well known and trusted. Remember, if it is too good to be true…then chances are it will bite you in the *** later. Some “free” software comes loaded with spyware, which clogs your computer with ads or employs a keystroke-capture program to steal your personal information. Fox recommends downloading only from such reputable sites as Download.com or SnapFiles.com, or, if you have a PC, scanning it with Windows Defender software.
Thinking your Mac shields you from all risks
Macs are much less susceptible to viruses and spyware than PCs. But surveys show that may breed a false sense of security among Mac owners, who still fall prey to phishing scams at about the same rate as Windows users. Until Apple beefs up Safari, Fox recommends using another browser with phishing protection, such as the latest version of Firefox.
Clicking on a pop-up ad that says your PC is not secure
This is one of the most famous attacks of all time and to this day it still works. Unless a pop up window comes up from your software you have loaded, never click on these messages. Danger Will Robinson Danger. It’s easy to click inside the ad by mistake and be redirected to a spyware site or have malicious software downloaded to your computer. In a recent Consumer Reports survey, 13 percent of respondents said they did just that. Instead, Fox recommends clicking on the tiny “close” button in the ad’s upper left or right corner. Or better yet, enable your browser’s pop-up blocker or use a free one from Google Toolbar.
Shopping online the same way you do in stores
Shopping online is a huge business these days, but it is also the most dangerous way to shop. One of the biggest problems for companies today is employees shopping online from work. Not only do you run the risk of infecting your PC, but also the entire company. On the Internet, you can’t always be sure who you’re doing business with. When entering your address and credit card information, make sure the site’s URL says “https,” which offers greater security than “http.” Don’t shop online with debit cards, which, if stolen, offer no liability protection, Fox said. Fox suggests using one credit card for most of your business transactions and a separate card for your online purchases. That way if a hacker steals your credit card number and you must replace the card, it won’t disrupt your gym memberships or other accounts. Finally, some banks (Citibank is one) will even issue you a temporary, one-time credit card number for specific transactions, Fox said. If stolen, it’s completely worthless.
posted by: Myke Reinhold
19. August 2008 by Myke.
We received a few calls today from a client stating there was a window on their screen claiming they had Spyware and we needed to load a Spyware removal tool or Anti-Virus software. Well, that is the first clue you have been taken for a ride on the Spyware/Malware roller coaster. Upon investigation, we noticed that the message was not in fact a window, but rather a background image. Very tricky, sort of. We found the image on the PC, lphcerpj0ec7t.bmp, and it was everywhere. We then proceeded into the registry and sure enough it was there as well.
After checking every location where it was located, without actually touching it, we decided to Google the item and we found nothing. So now it was reverse engineer time. Without sending you through engineering 101, here are some steps to follow to remove this item. The sad part is that Symantec, McAfee, AdAware, Spybot S&D and a few others could not find it or fix it. More on that later.
Steps to remove said crap on one’s PC:
1 - Boot the PC into safe mode
2 - Open Regedit and do a quick backup to your hard drive and then do a find on lphcerp
3 - Every single instance you find of the item (.bmp, .exe, .scr and so on), replace the item with a valid file
Example - replace lphcerpj0ec7t.bmp with bliss.bmp (as long as bliss.bmp is located in your System32 folder)
Example - replace lphcerpj0ec7t.scr with blank.scr
4 - Once you have cleaned these files out of your registry, reboot and go back into safe mode
5 - Now do a search on your local drive for lphcerp and delete every single instance (shift - delete)
6 - Once this is complete, reboot your PC and log into Windows normally
7 - Verify that your desktop looks correct now and that you can right-click on your desktop and make a change to your desktop background and your screen saver.
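The registry search from step 2, run against the exported backup rather than the live registry, as an added example that is not part of the original post. The sample export, its key names and the function names are constructed; it assumes a Regedit 5.00 text export, where REG_EXPAND_SZ data is written as UTF-16LE hex bytes that a plain text search for lphcerp would miss.

```python
import re

# Constructed sample of a Regedit 5.00 export; keys and data are illustrative,
# not captured from the infected PC.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\system32\\lphcerpj0ec7t.bmp"
"TileWallpaper"="0"

[HKEY_CURRENT_USER\Software\ExampleVendor]
"Screen"=hex(2):6c,00,70,00,68,00,63,00,65,00,72,00,70,00,6a,00,30,00,\
  65,00,63,00,37,00,74,00,2e,00,73,00,63,00,72,00,00,00
'''

def load_reg(path):
    """Read an export: 5.00 files are UTF-16 with a BOM, REGEDIT4 files are ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")  # assumption: Western ANSI code page

def decode_data(raw):
    """Turn the data side of a value line into searchable text."""
    if raw.startswith('"'):                         # REG_SZ: undo \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\((?:2|7)\):(.*)", raw)       # REG_EXPAND_SZ / REG_MULTI_SZ
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").replace("\x00", " ").strip()
    return raw                                      # dword / binary: left as written

def find_references(reg_text, needle):
    """Return (key, value name, decoded data) for each value that mentions needle."""
    needle, hits, key = needle.lower(), [], None
    text = re.sub(r"\\\r?\n\s*", "", reg_text)      # join hex continuation lines
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = decode_data(m.group(2))
            if needle in (name + " " + data).lower():
                hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for hit in find_references(SAMPLE_REG, "lphcerp"):
        print(*hit, sep=" | ")
```

For a real backup, pass `load_reg(path)` to `find_references`; the second hit in the sample exists only in hex form, so a text search of the export finds one reference where the decoder finds two.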
We decided to copy this little beast and load it on our laptop that was running BitDefender and then launch it. Without ever letting us down, BitDefender not only stopped the file, but it deleted it right away. We love you BitDefender. Just as an FYI, we are running BitDefender Total Security 2008 and we have never run into any issues.
posted by: Myke Reinhold
11. August 2008 by Myke.
Okay, just about everyone has tried one if not both of these Internet social sites. Well, a new worm is wreaking havoc for Facebook and MySpace users. The virus is called Koobface (and alternatively the Facebook Worm, MySpace Worm, Facebook Virus, or MySpace Virus). The MySpace and Facebook worm posts messages on Facebook and MySpace with links to what it claims to be a video. When the user follows the Koobface MySpace or Facebook worm link, they are told that they need to update their video player, and to “click here”. This is the first sign of trouble.
Of course, what they download isn’t really a video player update, it’s a trojan called “codecsetup.exe” which allows their computer to be taken over and controlled remotely.
The Koobface worm, which comes in two variants whose full names are Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.b, was first detected by Kaspersky Labs. Net-Worm.Win32.Koobface.a is the MySpace worm variant, and posts fake comments to MySpace pages, with the malicious links.
Net-Worm.Win32.Koobface.b is the Facebook worm variant, and it sends messages to infected Facebook users’ friends via the Facebook site.
Says Kaspersky Senior Analyst Alexander Gostev, “Unfortunately, users are very trusting of messages left by ‘friends’ on social networking sites. So the likelihood of a user clicking on a link like this is very high.” Ah, trust is always the worst thing to have these days.
Gostev points out that “At the beginning of 2008 we predicted that we’d see an increase in cyber criminals exploiting MySpace, Facebook and similar sites, and we’re now seeing evidence of this. I’m sure that this is simply the first step, and that virus writers will continue to target these resources with increased intensity.”
For now it may suffice to simply not follow any links you get via Facebook or MySpace which claim to show you any kind of video. But soon - probably very soon - that will not be enough to keep you safe. The best advice is to exercise the same amount of caution with any links or attachments you get via Facebook or MySpace as you would with links and attachments you get via email. If you don’t know the person who sent it to you, don’t click on it. If you do know the person who supposedly sent it to you, confirm with them first that they really were the ones who sent it to you, and that it’s safe.
Bottom line folks, you can trust no one anymore. You are all alone in this world. Seriously folks, use some common sense and you should be okay.
posted by: Myke Reinhold
11. August 2008 by Myke.
Well folks, as many of you may have already seen, there is a new version of the CNN SPAM message. Now if you have a decent SPAM blocker, you are okay. But those of you that quarantine these messages for review know that this is getting way out of control. The new message comes in from CNN Alerts with the subject line of CNN Alerts: My Custom Alert. You can follow the same rules as before from our previous post.
8. August 2008 by Myke.
What happens when you work for a French security magazine and you attend a Black Hat security conference and start sniffing the network… you get thrown out. Even though they claim the mishap to be a joke, Black Hat had nothing to do with it. The three men thrown out were Dominique Jouniot, Mauro Israel and Marc Brami. The men work for Global Security Mag, which was a media sponsor of the event held in Las Vegas.
Comment - “It was a big mistake,” Brami said via telephone. “(Israel) said it was a joke and that he didn’t think it was important.” - You attend a security event and start sniffing the network to steal passwords and you seriously thought it was not important. Really? Really?!?
The full story can be found at cnet.com.
posted by: Myke Reinhold
8. August 2008 by Travis.
So, I’m not sure if any of you have run into this (if I were a betting man I’d say yes) but the latest round of malware distribution is taking the net by storm in the form of fake CNN news items. You may notice some items in your inbox that have the following subject line:
“CNN.com Daily Top 10” & “CNN Alerts: My Custom Alert”
While opening the mail doesn’t actually do anything to your system, following the links can set you up for disaster. Once clicked, the link will take you to a fake cnn.com page that will prompt you for an install of a viewer, typically flashupdate.exe, get_flash_update.exe and watchmovie.mpg.exe. Once installed, it leaves your system open to a variety of issues.
Be on the lookout people. As usual, don’t install things you don’t know about, don’t install stuff you think you’ve already installed, and if you’re in any way confused, click cancel and email or call your IT support.
–
Also something to be aware of. There has been a rash of similar type installations being prompted on social networking sites such as myspace.com and facebook.com. The same rules as above apply. Be smart, be safe!
–
post mirrored on: travis.sarbin.net
Edit to post by Myke Reinhold:
This message comes as if it was sent from a randomly generated user email address, not the typical CNN.com address. The spam or malspam email comes from the email address Harjinder-lkpn@321facets.com. The email address alone should raise a red flag, but with a catchy title like “CNN.com Daily Top 10”, many computer users may overlook the domain that it comes from. CNN would never use an unprofessional email address such as the one listed above. Obviously they would use a CNN.com domain or variation of CNN.com.
The website that you may be redirected to from this malicious email looks like it attempts to load a flash video. It stops you dead in your tracks only to display a notification that you have an incorrect version of the Flash player through a message that says “Video ActiveX Object Error. Your browser cannot play this video file.” The error prompts you to download and install a new version of Flash if it is clicked on. This is where it gets exciting. The so-called “flash download” is a malicious Trojan downloader called Trojan-Downloader.Agent.EL. This file first comes as a harmless get_flash_update.exe executable file until it is accessed.
Trojan-Downloader.Agent.EL Details
The Trojan-Downloader.Agent.EL infection has the ability to install other malware onto an infected machine, such as the rogue anti-spyware program Antivirus XP 2008. It may go on to create the executable file %System%\cbevtsvc.exe while creating a new service named CbEvtSvc. The registry of the infected system is also modified, and a direct IP address connection is made to a report host via TCP/IP on port number 443. The MD5 is defined as “dabb5a9b431c88c77281bcf1158a9879” for this specific infection.
A Trick to Avoid “CNN.com Daily Top 10” Message for Outlook Users
Some email messages in Outlook and other web-based mail clients initially show up as a series of broken images, as in the “CNN.com Daily Top 10” message. Many times you will choose to load the images, which enables the website link for when you click on the image. In other words, it will redirect you to the designated site automatically once an image is clicked on. If you choose to bypass or disable image loading, it will prevent the web links from being active. In this case the “CNN.com Daily Top 10” message would not be very effective in spreading malware because the embedded image link is not followed.
Recommended Outlook Rule
We know that Outlook cannot block every spam message or send bogus messages to your junk mail folder every time, so we suggest manually creating an Outlook rule to help catch messages like the “CNN.com Daily Top 10”. You can simply create an Outlook rule to look for the specific text in the sender’s name and move the message containing it to your junk email folder. To create an Outlook rule, you must access the “Rules and Alerts” option within Outlook and add the proper text needed so that it may send emails that meet your criteria to the junk email folder. The image below is an example of this rule being created.
Outlook 2007 recommended rule
Because the current “CNN.com Daily Top 10” bogus message has been effective in creating havoc over the Internet, we look for other variations of this message to strike again. Creating an Outlook Rule may only go so far in protecting you but it is one step in the right direction to help keep you safe from malicious messages. There is no guarantee that an Outlook rule will block all future emails that are variations of “CNN.com Daily Top 10” spam email. Also, you may end up blocking legitimate emails from CNN.com in some instances.
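A narrower check than the text-match rule, as an added example that is not part of the original post: it flags a message only when it claims to be CNN (by sender name or the two subject lines above) while the sender address or the links point outside cnn.com, which avoids junking legitimate CNN mail. The sample messages, link hosts and function names are constructed; only the sender address is the one quoted in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "cnn.com"
LURE_SUBJECTS = ("cnn.com daily top 10", "cnn alerts: my custom alert")  # from the posts

# Constructed messages: the first sender address is the one quoted in the post;
# the link hosts and the legitimate sender address are made up.
FAKE = (
    'From: "CNN.com Daily Top 10" <Harjinder-lkpn@321facets.com>\n'
    "Subject: CNN.com Daily Top 10\n"
    "Content-Type: text/html\n\n"
    '<a href="http://news.example.test/top10.html">Watch video</a>\n'
)
LEGIT = (
    'From: "CNN Alerts" <alerts@mail.cnn.com>\n'
    "Subject: CNN Alerts: My Custom Alert\n\n"
    "Full story: http://www.cnn.com/2008/\n"
)

def in_brand(host):
    """True for cnn.com itself or any subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == BRAND or host.endswith("." + BRAND)

def triage(raw):
    """Return reasons a message matches the fake-CNN pattern; empty list if none."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "").lower()
    claims = "cnn" in display.lower() or any(s in subject for s in LURE_SUBJECTS)
    if not claims:
        return []
    reasons = []
    # The From header is chosen by the sender, so a forged cnn.com address
    # passes this test; the link check below still applies to such a message.
    domain = addr.rpartition("@")[2].lower()
    if not in_brand(domain):
        reasons.append("sender domain " + domain)
    body = " ".join((p.get_payload(decode=True) or b"").decode("latin-1")
                    for p in msg.walk() if not p.is_multipart())
    hosts = {urlsplit(u).hostname for u in re.findall(r'https?://[^\s"\'<>]+', body)}
    for host in sorted(h for h in hosts if h and not in_brand(h)):
        reasons.append("link host " + host)
    return reasons

if __name__ == "__main__":
    print(triage(FAKE))
    print(triage(LEGIT))
```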
Please Note: CNN is not a part of or affiliated with this particular threat nor does CNN operate the website in question. The malicious messages are being sent from random email accounts from infected computers. It is advisable that you keep this infection in mind if you encounter CNN emails.