Quarantine for infected PCs?

Microsoft Vice President of Trustworthy Computing Scott Charney, in a keynote address at the RSA security conference in San Francisco yesterday, called for quarantines on malware-infected PCs. His remarks were widely covered by a variety of web news outlets.

He compared the threat from infected PCs with the threat from smokers in public places and resulting bans on smoking because of second-hand smoke: “You have a right to infect and give yourself illness. You don’t have the right to infect your neighbor. Computers are the same way.” Charney didn’t discuss specific techniques.

The idea has been discussed before but usually stumbles on the issue of forcing ISPs to shoulder the expense and legal problems from enforcing quarantines.

Story here.

Tom Kelchner

Haiti relief email scams still circulate

Want a place to check the legitimacy of a charity?

http://www.charitynavigator.org/

“Founded in 2001, Charity Navigator has become the nation’s largest and most-utilized evaluator of charities. In our quest to help donors, our team of professional analysts has examined tens of thousands of non-profit financial documents. As a result, we know as much about the true fiscal operations of charities as anyone. We’ve used this knowledge to develop an unbiased, objective, numbers-based rating system to assess the financial health of over 5,000 of America’s best-known charities.”

Thanks Alex.

Update

The U.S. Federal Trade Commission web site advises those making donations for victims of the Jan. 12 Haiti earthquake to read its web page of dos and don’ts:

http://consumer.gov/ncpw/helping-haiti-give-wisely/

and check the InterAction web site for a description of legitimate charities at: http://www.interaction.org/crisis-list/earthquake-haiti

InterAction is the largest coalition of U.S.-based international nongovernmental organizations focused on the world’s poor and most vulnerable people.

Tom Kelchner

Battlefield Keygens are Bad Company

In the same way that media event X guarantees Rogue Antispyware Y, a new and highly anticipated videogame that’s about ready to launch will similarly bring out the scams and fakes.

If you have any family members that like their PC games but perhaps aren’t clued up on their Internet fakeouts, you might want to warn them that no matter how cool the so-called “Battlefield: Bad Company 2” keygens look, they should steer clear:

[screenshot]

There are a lot of these files being promoted on sites such as YouTube at the moment, and without fail all of them will give your PC a very bad hair day. It’s just not worth the risk…

Paper Ghost

Microsoft updates MS10-015

It won’t work if you have a rootkit infection, but it won’t blue screen your machine either.

Microsoft has reissued Security Bulletin MS10-015 from last month to work around a problem that had occurred when a WinXP user attempted to install the patch on a machine that was infected with a rootkit. (blue screen, blue screen)

Jerry Bryant, Microsoft’s senior security communications manager lead, writing on the company’s TechNet blog, said that the new installation packages for MS10-015 have new logic that will prevent the security update from installing on rootkit-infected systems. Microsoft also is offering guidance for those with infected machines and a scanning tool that can detect system conditions that will prevent the patch from applying itself.

Microsoft TechNet blog here.

We described the problem on the Sunbelt blog Feb. 11 “WinXP users: hold off on installing MS010–15.”

Tom Kelchner

Spain arrests three, shuts down Mariposa botnet

We’re glad to see that world governments took our advice from the Sunbelt Blog last week and started taking down botnets. (Right!)

Police in Spain have arrested three people and shut down the Mariposa botnet, which was thought to have controlled 12.7 million machines in nearly 200 countries. The three were all Spanish citizens. Police identified them only by their handles and ages: “netkairo,” 31; “jonyloleante,” 30 and “ostiator,” 25.

Researchers have been working on taking down the botnet for nearly a year, according to reports.

Story here: “Authorities dismantle botnet with 13 million infected PCs”

Tom Kelchner

Everybody uses Web 2.0, but IT might not know it

Communications security firm FaceTime of Belmont, Calif., has released the results of a survey (of 1654 people) that strongly indicates we are all using a lot of Web 2.0 applications at work and a third of our IT staffs aren’t aware of it. It was FaceTime’s fifth annual survey.

Social media and Web 2.0 apps are being used by virtually all end users (99 percent) to support business processes, but 38 percent of IT professionals surveyed think there is no social networking on their networks.

Web 2.0 and social media prevalence:

— Web chat: found in 95 percent of organizations
— Instant Messaging: reported by 40 percent of IT staffs
— Social networks: 27 percent of IT staffs
— Tools such as Twitter: used for work by 78 percent, according to end users.

The survey also found widespread use of Skype, file sharing, web conferencing and IPTV.

Fifty three percent of the end users surveyed said that newer Web 2.0 tools were “better than those provided by my employer.”

FaceTime said 69 percent of the organizations they surveyed reported at least one Web 2.0-related attack.

Story here.

Tom Kelchner

Don’t press F1

Here’s a new vector: exploiting a Windows vulnerability through an Internet Explorer help menu Visual Basic script: “get ‘em to hit F1 and you own ‘em.”

Microsoft is warning of a VBScript vulnerability in Internet Explorer (on Win2K, XP and Server03) that could be used to run malicious code. A malicious operator could create a web site that displays a specially crafted dialog box and prompts a victim to press the F1 key (help menu). The exploit could then execute malicious code on the victim’s machine. (Windows versions that are not vulnerable are: Vista, Win7, Server08 R2 and Server08.)

Proof of concept code has been circulated, but Microsoft has said: “We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.”

The company said in its security advisory: “Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”

Microsoft Security Advisory 981169 here.

Tom Kelchner

4.0!

Today Sunbelt released version 4.0 of its major products that are driven by the VIPRE engine. The version 4.0 platform includes new cutting-edge anti-malware technology, additional optional features for more layered protection and a new management console for enterprises.

[Image: The new VIPRE 4.0 architecture]

The 4.0 architecture is an extensive update of Sunbelt Software’s anti-malware technology, which is known for its lightning speed and conservative use of system resources. It includes an optional firewall, host intrusion prevention system (HIPS), intrusion detection system (IDS) and a new framework for managing enterprise endpoints.

The version 4.0 Sunbelt Software products are:

VIPRE Antivirus 4.0 – A major update of our VIPRE 3.1 Antivirus + Antispyware product, VIPRE 4.0 has some cool enhancements, including 64-bit rootkit support, support for Scan Extensions in Mozilla Firefox (equivalent to Browser Helper Objects in Internet Explorer) and support for more file types.

VIPRE Antivirus Premium 4.0 – This edition – for professionals and consumers – includes a bi-directional desktop firewall, HIPS, IDS, malicious web filtering, ad blocking and anti-phishing.

VIPRE Enterprise 4.0 – This is VIPRE Enterprise with a brand new management console and new VIPRE 4.0 agents. The management console has support for large enterprise environments with a multi-site tiering model.

VIPRE Enterprise Premium 4.0 – New Enterprise Premium features include a bi-directional desktop firewall, HIPS, IDS and malicious web filtering.

CounterSpy 4.0 and CounterSpy Enterprise 4.0 – CounterSpy is basically VIPRE focused on antispyware protection. CounterSpy has been upgraded with many of the same enhancements as the core VIPRE 4.0 product. CounterSpy Enterprise has been upgraded with the same enhancements in VIPRE Enterprise 4.0 including the new management console and multi-site tiering model.

So, what does CEO Alex Eckelberry have to say about it?

“The evolution and acceleration of malware development over the past five years is unprecedented and requires a fundamental shift in how detection technology is engineered. Many vendors have added layer upon layer of capabilities onto already bloated, outdated anti-malware engines in a flawed attempt to catch up.

“When we released VIPRE, we took a different approach, building a new product entirely on new proprietary next-generation technology. Now, we’ve taken that same technology to the next level with the release of our 4.0 platform, which delivers strong, comprehensive malware protection and continues the performance standard we established with VIPRE.”

Check it out: http://www.sunbeltsoftware.com/Press/Releases/?id=334

Tom Kelchner

VIPRE 4.0 – Twitter Giveaway

We need your help to announce the launch of VIPRE 4.0!

Tuesday March 2, 2010, Sunbelt Software is offering a free 1 year, 1 PC license of VIPRE Antivirus Premium to all #SunbeltSoftware Twitter followers who announce the launch of VIPRE 4.0. This is a one day only event, and it is open to all Twitter users.

To learn more about this incredible offer, please visit www.SunbeltSoftware.com/Twitter

Fighting online fraud in .au

The Australasian Consumer Fraud Taskforce began its 2010 Fraud Week campaign today with the release of the first Australian Competition and Consumer Commission (ACCC) scams activity report. On Wednesday it will release information to help small businesses protect themselves.

The March 1-7 Fraud Week hopes to reduce the incidence and impact of fraud and scams. The annual event tries to co-ordinate the release of information for consumers, timed to coincide with the International Consumer Protection Enforcement Network Global Consumer Fraud Prevention Month.

The Consumer Fraud Taskforce began in 2005. It is chaired by ACCC deputy chair Peter Kell and includes representatives from 21 government agencies from Australia and New Zealand that are responsible for consumer protection regarding frauds and scams.

Consumers who have been scammed are invited to complete the Australian Institute of Criminology’s annual scams survey at http://www.aic.gov.au/crime_types/economic/fraud/acft/survey.aspx

More information about the task force is available at www.scamwatch.gov.au

Tom Kelchner

World of Warcraft authenticator users come under attack

[photo]

You may be wondering why I have a photo of a bunch of pocket calculators up above (a photo that I took myself, copyright fans). Well, they’re actually authentication devices for various PC games, which are designed to give an additional layer of security to your online ID:

http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660

The World of Warcraft authenticator is rather popular with anyone that takes their MMORPG (Massively Multiplayer Online Role Playing Game) action seriously. Well, it seems a scam from November 2009 is back but with an alarming twist: World of Warcraft players are reporting that the new infection file is managing to intercept login data (thus getting around the authenticator) and send it elsewhere, by means of a “Man in the middle attack” according to Blizzard Technical Support:
http://forums.wow-europe.com/thread.html?topicId=12730404058&sid=1&pageNo=1#15

Some more info at the following links, including some victims of the attack:
http://forums.wow-europe.com/thread.html?topicId=12730404058&sid=1
http://www.mmo-champion.com/news-2/authenticator-accounts-hacked-icc-quests-crimson-deathcharger/
http://www.worldofraids.com/topic/15642-authenticator-keylogger-source-fake-wowmatrix-website/

The sites (advertised in Google Adverts such as the one below):

[screenshot]

are being listed as:
Cursea(dot)com
deadlybossmodss(dot)com
gamesacca(dot)com
wowmatrixf(dot)com

And you should probably consider avoiding them for the time being. The sites do pretty much the same thing as the scam from last year – ask you to download a fake application, run it and give yourself a very bad day. Some screenshots:

[screenshot]

Some “install” fun:

[screenshot]

Finally, this is the file you do NOT want on your PC:

[screenshot]

Emcor.dll is apparently the source of so many woes at the heart of this story. This is obviously a bit of a fresh one, so more information will no doubt come out in the wash as time goes by. For now, be extremely careful what you’re downloading – as the Blizzard Support guy says, “No method is ever 100% secure”.

Chris (Paper Ghost) Boyd