11/24/2009
51 Month Prison Sentence for Spammer Ralsky
Few things get the ire of computer folks more than spammers. Even spammers hate getting spam.
What's even worse than spam though is when nefarious techniques including using zobmie PCs (those computers whose security has been compromised by a trojan, worm, or virus to do their bidding, typically without the owners knowledge) to send the spam.
According to the latest conviction, that's what spam "Godfather" Alan M. Ralsky did though.
Washington Post's Security Focus Blog brings us news of the Spam Godfather's Sentence saying,
"Ralsky, 64, of West Bloomfield, Mich., joined two co-conspirators in earning stiff prison sentences for long careers of blasting junk e-mail.
"Following more than four years in prison, Ralsky will be subject to five years of supervised release and will forfeit $250,000 the government seized from him in December 2007, the Justice Department said."
While it's great news for anyone in PC security when someone like finally gets caught, it's especially good news when the dragnet also ensnares cohorts as this one did, naming a total of 10 co-conspirators in the original federal grand jury indictment, including Ralsky and 10 others from China, Canada, Hong Kong and Russia in a 41-count indictment for wire fraud, mail fraud, money laundering and violations of the CAN-SPAM Act
.
The three things that make the way they were spamming (at least the way they were spamming according to Spamhaus.org), especially egregious were,
| What they did... | Why it was especially egregious... | |
|---|---|---|
| 1. | Sent spam. Lots and lots and lots. And lots of spam. | Does anyone like spam? |
| 2. | Used "zombie" PCs to send spam. |
If your drive crashed or network card or modem died because of the extra use and had to be replaced, it's your expense to do so. It cost the group nothing for your trouble. |
| 3. | Sent stock "pump-and-dump" spams. | According to the government, Ralsky was a top promoter of so-called pump-and-dump scams... Now, we all should know better than to open spam to begin with, but for those many people who did and who bought any of the stocks touted by the group, many of these victims had very real financial losses. It's anyone's guess as to how much. |
It's because of groups like these that we all need antispam software and antivirus software to begin with.
We're glad to see yet another spam group get ensnared, making PC security--and the spam in our inboxes--a bit better for us all, and while it took a while, we're glad they finally got their just desserts.
11/22/2009
Vulnerabilities Discovered in Internet Explorer
In a recent post to its security blog Symantec, makers of Norton antivirus revealed, a new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well.
The announcement of the Internet Explorer exploit was surprising to many because of how it targets Cascading Style Sheets, something that hasn't typically been used in these types of attacks.
The exploit got notoriety when a security researcher has published code that could allow an attacker to take over an unsuspecting user's Internet Explorer and install code on the person's computer and then when Symantec took notice and began doing research of their own.
There has always been--and likely always will be--a large degree of controversy around so-called "full-disclosure" security like this because one group of people believe that it's most responsible for the researchers to first notify the manufacturers about the vulnerability so that things can be kept quiet 'til patches are ready.
The other group believes that it's most responsible for the researchers to first notify the community about the vulnerability so that users can take steps to protect themselves against attack.
The debate is though that on one hand if you're only disclosing to the manufacturers and don't notify the community, there could very well be active exploits in the world that other hackers are already using. So, if you don't notify the community, you're being irresponsible by holding back information that may users to protect themselves.
In contrast, if you don't first notify the manufacturers and immediately post the exploit, you're allowing hackers to get information on how to take over your computer without giving any chance for the manufacturers to develop patches.
There are definitely valid points to both sides of the debate, regardless, though in this case the exploit was released to the community first and not to the manufacturer, in this case Microsoft, so there's a new attack on Internet Explorer for which there's no patch available yet.
The good news is that it appears that the best antivirus software is already able to protect against this exploit. Symantec for instance on their Security Blog says,
"Symantec currently detects the exploit with the Bloodhound.Exploit.129 antivirus signature and is working on new signatures now.
"Symantec IPS protection also currently detects this exploit with signatures HTTP Microsoft IE Generic Heap Spray BO and HTTP Malicious Javascript Heap Spray BO.
"A new IPS signature, HTTP IE Style Heap Spray BO, has also been created for this specific exploit.
"To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft." [emphasis ours]
As of the writing of this post, there's still no patch; however, by following the steps recommended by Symantec users should be reasonably well protected against this exploit.
11/19/2009
Arrests Made for ZBot / Zeus Trojan
Police in Manchester, England, arrested two people in connection with the Zbot Trojans.
If you're unfamiliar with the ZBot Trojan, also called "Zeus," it's a nasty bugger that was responsible for over $415,000 being stolen from a Kentucky county's bank account earlier in 2009.
But that's not all it's known for.
Zbot/Zeus is, according to mention in a Sophos security blog is,
"...one of the most notorious pieces of malware of recent times.
"It's a data-stealing Trojan horse, designed to grab information from Internet users which would help hackers break into online bank accounts and social networking sites such as Facebook and MySpace."
That's just the start of it. Zbot also gets/got spammed to average people using the Internet using a variety of social engineering tricks to try to trick the unwary into opening an attachment or clicking on a link to a website hosting malware.
So, assuming the right folks were arrested, this could be rather good news. Let's hope that they did get the right folks, and let's hope also that even though they're out on bail already, they soon face the appropriate amount of justice--especially given how many people, companies, governments, and other organizations were harmed by their Trojan malware.
And, to the cops responsible for the arrest, again assuming they caught the right folks, "Well done."
11/16/2009
November 2009 Microsoft Patches Several Programs
With the November 2009 Microsoft "Patch Tuesday," as it's called, there were a number of important security exploits that were dealt with.
If you haven't recently updated your Windows OS, we urge you to do so now. Here's one way to to so:
- Open Internet Explorer
- Click Tools
- Windows Update
- Select "Express" or "Custom"
- Select All applicable updates
- Download & install updates
Now for our take on the latest vulnerabilities and patches...
| Microsoft Security Bulletin ID | Microsoft Knowledge Base Article ID | |
|---|---|---|
| MS09-063 | 973565 | |
| Vulnerability Summary | Vulnerability in License Logging Server Could Allow Remote Code Execution | |
| Executive Summary Highlights | This security update resolves a privately reported vulnerability in the Web Services on Devices Application Programming Interface (WSDAPI) on the Windows operating system. |
|
| Our Take | This vulnerability affects a ton of different systems, and while Microsoft says an attacker would have to be on the same local subnet, they leave out an important detail as to what this means. What they don't explain is that this means anyone using a free wireless connection (i.e. like those at the airport or a coffee shop) could easily be affected, and the way wireless works, the attacker wouldn't necessarily have to be in the same room as you. They could be around the corner or even down the street Microsoft rates this as "Critical." |
|
| Microsoft Security Bulletin ID | Microsoft Knowledge Base Article ID | |
|---|---|---|
| MS09-064 | 974983 | |
| Vulnerability Summary | Vulnerability in License Logging Server Could Allow Remote Code Execution | |
| Executive Summary Highlights | This security update resolves a privately reported vulnerability in Microsoft Windows 2000. |
|
| Our Take | This vulnerability only affects Windows 2000 systems, but if you're still running W2K, Microsoft gives this vulnerability a "critical" rating. So, even if you are running antivirus firewall software (which should help mitigate the risk from this vulnerability), you should still patch your machine(s). Microsoft rates this as "Critical." |
|
| Microsoft Security Bulletin ID | Microsoft Knowledge Base Article ID | |
|---|---|---|
| MS09-065 | 969947 | |
| Vulnerability Summary | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution | |
| Executive Summary Highlights | This security update resolves several privately reported vulnerabilities in the Windows kernel. |
|
| Our Take | Pretty much every Windows system appears to be affected except for Windows 7. There are some caveats to this for Vista and Windows Server 2008, so if you're running either of those OSes you should consult the Security Bulletin and Knowledge Base Article for complete details. This is a classic case where, as Microsoft points out, you can get a virus or other malware installed on your machine just from visiting a web site. And, as they also point out, it's also possible for your machine to be infected if someone has taken over a site you trust or if you're visiting a site that has user-provided content. While this is unlikely to affect Facebook, this is the type of thing Microsoft is talking about: sites where the users provide content--even things like chat or forums. This is also a classic case where Internet security software is often able to minimize the risks from these types of attacks. Microsoft rates this as "Critical." |
|
| Microsoft Security Bulletin ID | Microsoft Knowledge Base Article ID | |
|---|---|---|
| MS09-066 | 973309 | |
| Vulnerability Summary | Vulnerability in Active Directory Could Allow Denial of Service | |
| Executive Summary Highlights | This security update resolves a privately reported vulnerability in Active Directory directory service, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). |
|
| Our Take | Lots of affected systems with this one, although apparently only systems running
|
|
| Microsoft Security Bulletin ID | Microsoft Knowledge Base Article ID | |
|---|---|---|
| MS09-067 | 972652 | |
| Vulnerability Summary | Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution | |
| Executive Summary Highlights | This security update resolves several privately reported vulnerabilities in Microsoft Office Excel. |
|
| Our Take | Anyone running Microsoft Excel is likely to be affected, and while MS rates this as only "Important," we have to beg to differ. We believe this merits a "critical" rating since so many people run Excel and since all versions of the exploit allow for remote code execution. Anytime there's remote code execution, it means an attackers may be able to completely take over your system. Better safe than sorry. If you're running an older version of Windows like Windows 2000 or Windows XP, you'll need to manually update your Microsoft Office to get this patch. Here's one way to do it:
Microsoft rates this as "Important." |
|
| Microsoft Security Bulletin ID | Microsoft Knowledge Base Article ID | |
|---|---|---|
| MS09-068 | 976307 | |
| Vulnerability Summary | Vulnerability in Microsoft Office Word Could Allow Remote Code Execution | |
| Executive Summary Highlights | This security update resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted Word file. |
|
| Our Take | As with the above Excel vulnerability, there are many affected people because practically everyone runs Microsoft Word. You're at less risk if you're running the best antivirus software and if you're not using the Administrator account (or an account with Administrator privileges), but this is another update to be sure you get. Microsoft rates this as "Important." |
|
11/05/2009
Critical Security Vulnerabilities in Adobe Shockwave Player
Let's cut to the chase: patch your Adobe Shockwave. There are four different critical vulnerabilities in the Adobe Shockwave Player that lets an attacker remotely execute the code of their choosing on your PC.
| Vulnerability Cause | Why It Matters | |
|---|---|---|
an invalid index when handling certain Shockwave content |
could be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page |
|
an invalid pointer when processing certain Shockwave content, which could be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page. |
same | |
an invalid pointer when handling certain Shockwave content, which could be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page. |
same | |
a memory corruption related to string processing, which could be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page. |
same |
It isn't clear how much these threats can be mitigated by Internet security software, but typically the best antivirus firewalls do help mitigate these types of attacks.
Whatever the case though please take a minute now and update your Shockwave player. It's worth the time to eliminate this simple to exploit attack vector.
11/04/2009
Windows 7 Virus Vulnerabilities: Is It Getting Better?
There's a lot of hoopla about how much better Windows 7 is than prior versions at keeping viruses and other malware at bay and keeping people safe online.
What's the reality though?
Are the default settings in the Windows 7 User Account Control (UAC) all that's needed to protect your PC?
A lot of people want to know, and here's what we found out from antivirus vendor Sophos.
"We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up.
"Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows.
"The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7."
Hrm... well, that doesn't sound good. Does the UAC work at all?
As it turns out, yes. In the Sophos' tests they saw that the UAC blocked 1 of the malware samples. At least that's a start.
Chester Wisniewski, the writer of the piece, goes on to say,
"User Account Control did block one sample; however, its failure to block anything else just reinforces my warning [Editor's note: registration required] prior to the Windows 7 launch that UAC's default configuration is not effective at protecting a PC from modern malware.
"Lesson learned? You still need to run anti-virus on Windows 7.
"Microsoft, in the Microsoft Security Intelligence Report released yesterday, stated that 'The infection rate of Windows Vista SP1 was 61.9 percent less than that of Windows XP SP3.'"
We'll go a step further. It isn't just antivirus software these days that's needed. It's firewall software, too.
Putting the two together (along with solid antispyware), as the Internet security suites do, along with using the Windows 7 UACs offers the best, most complete combination of software to protect your PC.
That said, is the upgrade to Windows 7 worth it from a security standpoint?
We think so.
Regardless of the failure of it to block 9 in 10 sample malware, that's what it's doing today. Give the engineers at Microsoft some time with their next service packs for Windows 7, and they'll no doube improve it even more.
Another thing to consider is that the sample size of 10 viruses isn't terribly big. With a greater number of threats, more representative of those you might actually encounter online, the UACs may help thwart some of the viruses.
But, as we see here, there's still no substitute for antivirus software.
11/02/2009
Virus Writers Turning to Online Games
A great piece today from the BBC's technology section called, Video gamers face malware deluge talks about the latest computer security / virus threats.
What may seem strange to some is that one of the main purposes of these viruses is to steal the game players online credentials (i.e. their usernames and passwords) to the video games themselves.
This may come as a surprise to many since typically the primary purpose of viruses is to infect the computers themselves; however, in this case it appears the goal is just to steal your access to the games.
Why?
Simple. To make a quick buck.
One of the main things gamers get out of online games is the long-term satisfaction, often including friends and companionship, from playing with the same group of people over a long period of time.
Additionally, gamers as they progress get higher and higher levels of performance their in-game characters get a host of different things including new 'skills', weapons or other attributes. The challenge is the time spent getting there.
Some people, after having seen the excitement that awaits them once they've built up a certain attributes in their in-game character, want to short-circuit the time needed to build up to the high levels, so they purchase the accounts from others who've spent the time playing the game to build up to the high levels.
In some cases these high-level accounts go for hundreds or even thousands of dollars--or more.
And, therein is the profit motive.
These virus writers, rather than attempting to build up their own characters to sell for profit, have created viruses that steal passwords, and by doing so, they can take over the accounts and sell the hard-won, highly lucrative characters to often unsuspecting buyers who're just looking for a way to avoid what some gamers perceive as early-game slog to get to the good stuff.
According to the story,
"Cliff Evans, head of security at Microsoft UK, said its latest look at the software threats facing Windows revealed a strong growth in one family of malicious programs known as taterf.
"In the last six months, Microsoft has seen more than 4.9m infections caused by Taterf - a figure up 156% on the total seen in the last six months of 2008."
Elsewhere in the article, and getting less note since it wasn't the headline, was discussion of worms like Conficker.
Information on the Conficker worm itself and help with Conficker removal have been covered here extensively for a variety of reasons, including as Mr. Evans of Microsoft cites,
"worms that travel networks independently looking for victims were seeing a resurgence.
"Such self-guided programs were now the second biggest security threat to Windows users." [Editor's Note: Emphasis is mine]
Worms, like all malware, are out there for a variety of reasons, but these days the most common one isn't just for the notoriety the virus/worm writer gets as it spreads, as it once was, it's for profit.
The profit may be from selling/using your computer as a spambot, from using it to steal people's banking information or identities, or it may be (as we see now) from selling your online gaming profiles.
All-in-all these worms, viruses, and other malware are threats. Their writers are clever, and they're only coming up with newer, more ingenious ways to ferret themselves into your computer and your life.
What to do?
- Be careful with your passwords. Use different ones for each of your online banks/credit cards/utilities. Use different ones still for your email.
Using one password everywhere opens you up to even more problems, as if one account is compromised, especially your email, where someone can easily see the places with whom you do business, it's trivial for them to login to these other business' websites and see if your credentials work. - Be careful with where you point your browser. Avoid using a search engine, even the best ones like Google, Yahoo, MSN/Bing, and Ask just to get to a website whose website address you already know.
Why give the scammers an opportunity to setup a rogue website that looks just like your bank and get it listed in a search engine? It's very, very hard for the engines to know what's a real bank and what's a fake one.
If you know you're banking with Wells Fargo, for example, why go to Google to get to Wells Fargo? Just type www.wellsfargo.com into your browser and go there directly. Then bookmark it, so you're not subject to a typographical error next time, which could just as easily ensnare you in a malware/phishing trap.
Taking out that extra step of going to the engines to get to a place you already know could mean the difference between keeping your information safe and not.
All this crapware shows is that it's always smart to run antivirus firewall software, to keep it updated, and to keep your Operating System updated, too.
Lastly, remember: your online safety is your responsibility. Many of the companies you deal with do make efforts to keep your information safe, but in the end it's still your responsibility.