Malware Speaks! Please Listen

If malware could speak, what a tale his thoughts could tell.

If you could have a conversation with one, or more, of the scourges that infest the Internet, you might be surprised at what could be learned from such an imaginary conversation. It might go something like this:

I might be malware, but in most cases I’m pretty polite; I won’t infect your computer unless you invite me in. But I can count on lots of you doing just that.

Take my good buddy LOP, for example, he’s been away for awhile, but he recently came back from vacation and he’s now infecting unsuspecting computer users’ machines with renewed vigor. Since LOP is a shift changer, and is often incompletely recognized by many tools – particularly newer forms of the infection, he’s having a hell of a good time.

The people he works for (some might call them cybercrooks – well, actually everyone calls them cybercrooks), are experts at convincing you to install malicious code like LOP.

LOP is a pretty neat piece of malware (his employers are pretty smart fellows), since he’s been designed, amongst other things, to display ads from a range of advertisers through pop-up windows, banner ads and so on.

Oh, and he’ll automatically switch your Internet Explorer home page to his own search engine. One he particularly likes is http://www.mp3search.com. When searches are made with this engine, the results that you see will be advertising pages that LOP chooses to display.

(Sample misdirected search)

Here’s what WOT has to say about mp3search.com. Click on the graphic to expand the image.

Just in case you decide that LOP is no longer welcome on your computer (that happens all the time), he will connect, every so often, to a web page from which new malware files will be downloaded – making it much more difficult to delete all of the active malicious files on your system.

I should tell you that LOP is extremely hard to get rid of, and just in case you try, you’ll have to deal with over 200+ changes to your Registry Keys. And in case that’s not enough bad news, you should know that LOP will invite lots of his malware friends over, so that they can party on your system.

But LOP has even more tricks up his sleeve. He can  monitor your system’s processes, and can even play with your security applications making them ineffective.

Since he’s a sporty fellow, once he’s done that, he’ll launch a Keylogger to capture your key strokes and just for fun, he’ll go on to scan your email contact list so that he can bug your friends. Hmm, maybe they’ll soon to be your ex friends.

LOP is definitely a hard worker (which is why his employers like him so much), so in his spare time he’s going to look around your operating system for vulnerabilities. You see, he knows that most people, haven’t installed the latest operating system updates, nor have they updated their security applications, like their supposed to.

Even if they have taken care of updating their operating system, it’s almost certain that they haven’t updated installed productivity applications, and LOP knows just how vulnerable these applications can be.

So, think carefully before you offer LOP, or any of his malware friends, that invitation. Once invited in, LOP will settle in for a long, long visit.

Thanks for the chat, but I have to get going. There are lots of unaware Internet users’ waiting to invite me into their computers. I know that many Internet users’ are kind of “click crazy”; so why should LOP be the only one to have some fun!

Oh, by the way, unless you paid attention to what I said, I’ll probably drop by your machine soon. You have a good day now.

This is an edited and revised copy of an article originally posted here July 14, 2009.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Adobe Reader and Adobe Flash Player Vulnerabilities Remain Unpatched

You phone 911 to report an emergency in your home – a fire, burglary, accidental fall; I’ll let you use your imagination to expand on this list. While you’re imagining; imagine this – the 911 operator instructs you not to worry, help will arrive within a week or so.

Computer users running Adobe Flash player (versions 9 and 10), as well as Adobe Reader and Acrobat 9.1.2, are currently subject to attack by cyber-criminals capitalizing on a zero-day vulnerability, and find themselves in an analogous position.

This is an extremely serious vulnerability which could result in a successful takeover of an attack victim’s computer through remote code execution. Like the 911 operator above, Adobe’s response to this vulnerability is, don’t worry we’ll get to you, we’ll fix it – just not now.

According to Adobe:

“We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009.”

To read the rest of Adobe’s response checkout “Security advisory for Adobe Reader, Acrobat and Flash Player”, at the Adobe site.

If you are like most computer users, you were probably only minimally interested in installing the latest updates of Adobe products since you may not have been aware of the important security patches they contain. In fact, you may not be aware of how important it is to keep all installed applications up to date, and patched.

Save yourself a lot of time and aggravation, and ensure that all your installed applications are always patched and up to date, by installing Secunia PSI, a free application which scans your PC for installed application vulnerabilities. In this case, it would have notified you of the Adobe vulnerabilities.

Without Secunia PSI installed, you leave yourself open to attacks and exploits that seem to be increasing in frequency.

Consider this from ZDNet:

Ten free security utilities you should already be using –
Number one is the Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine.

For more information on Secunia PSI please read “Play Russian Roulette – Don’t Update Your Applications”, on this site. This review of Secunia PSI includes download links.

In the meantime: Steps you can take while waiting for Adobe to issue these critical patches –

As always, be cautious when browsing untrusted websites

Ensure your AV definitions are current

If you are running FireFox you should be running the NoScript add-on, and you might consider installing and running the Flashblock add-on. Both offer substantial protection. This solution is not perfect however, and you may still be vulnerable.

Run all software as a non-privileged user with minimal access rights.

Frankly, I do not use, nor would I ever use, an Adobe product on any of my systems. These zero day exploits against Adobe products seem to be never ending.

To read a comprehensive technical report on this issue, check out “Heap Spraying with Actionscript – Why turning off Javascript won’t help this time”, on the FireEye Malware Intelligence Lab site.

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

If Malware Could Speak – What a Tale it Would Tell!

If malware could speak, you could have an illuminating conversation with one, or more, of the scourges that infest the Internet.

You might be surprised at what could be learned from such an imaginary conversation. It might go something like this –

I might be malware, but in most cases I’m pretty polite; I won’t infect your computer unless you invite me in. But I can count on lots of you doing just that.

Take my good buddy LOP, for example, he’s been away for awhile, but he recently came back from vacation and he’s now infecting unsuspecting computer users’ machines with renewed vigor.

He will accept your invitation, to infect your system if, for example, you download and install either of two rogue Peer to Peer (P2P) applications currently making the rounds on the Internet. BitRoll-5.0.0.0, and Torrent101-4.5.0, are two programs that are used to exchange P2P files that he likes to piggyback on. There are many more than that of course.

The people he works for (some might call them cyber-crooks – well, actually everyone calls them cyber-crooks), are experts at using false/rogue applications to install malicious code like LOP.

LOP is a pretty neat piece of malware (his employers are pretty smart fellows), since he’s been designed, amongst other things, to display ads from a range of advertisers through pop-up windows, banner ads and so on.

Oh, and he’ll automatically switch your Internet Explorer home page to his own search engine. One he particularly likes is http://www.mp3search.com. When searches are made with this engine, the results that you see will be advertising pages that LOP chooses to display.

(Sample misdirected search)

Just in case you decide that LOP is no longer welcome on your computer (that happens all the time), he will connect, every so often, to a web page from which new malware files will be downloaded  making it much more difficult to delete all of the active malicious files on your system.

I should tell you that LOP is extremely hard to get rid of, and just in case you try,you’ll have to deal with over 200+ changes to your Registry Keys. And in case that’s not enough bad news, you should know that LOP will invite lots of his other malware friends over, so that they can party on your system.

But LOP has even more tricks up his sleeve. He can  monitor your system’s processes, and can even play with your security applications making them ineffective.

Since he’s a sporty fellow, once he’s done that, he’ll launch a keylogger to capture your key strokes and just for fun, he’ll go on to scan your email address book so that he can bug your friends. Hmm, maybe they’ll become your ex friends.

LOP is definitely a hard worker (which is why his employers like him so much), so in his spare time he’s going to look around your operating system for vulnerabilities. You see, he knows that like most people, you probably haven’t installed the latest operating system updates, nor have you updated your security applications, like you’re supposed to.

Even if you have taken care of these critical areas, it’s almost certain you haven’t updated your installed productivity applications, and LOP knows just how vulnerable these applications can be.

So think carefully before you offer LOP, or any of his malware friends, that invitation. Once invited in, LOP will settle in for a long, long visit.

Thanks for the chat, but I have to get going. There are lots of unaware Internet users’ waiting to invite me into their computers. I know that many Internet users’ are kind of “click crazy”; so why should LOP be the only one to have some fun!

Oh, by the way, unless you paid attention to what I said, I’ll probably drop by your machine soon.

You have a good day now.

Elsewhere on this Blog you can read “The Best Free Spyware, Virus, and Browser Protection”, an article on free anti-malware programs, including anti-virus software, and you can download those that suit your needs.

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Windows Patch Tuesday – April 2009

Microsoft released 8 security bulletins on Tuesday (April 14, 2009) to fix remote code execution and denial of service vulnerabilities.

We have always recommended, on this site, that users ensure that Windows Automatic Update is enabled as a major step in maximizing operating system security.

It is not an overstatement to say; an unpatched Windows system is an invitation to disaster.

If you have updates enabled, patches will be downloaded routinely. Careful users will verify that patches, have, in fact, been applied.

If Windows Automatic Update is not enabled on your system, then you should logon to the MS update site and download and apply these patches immediately.

Vulnerability issues and the corresponding patches:

MS09-010/KB923561 – Important (XP, 2000, 2003): There are four bugs (two previously disclosed publically, two previously undisclosed) that affect a variety of word processing documents, that can allow remote code execution exploits to occur.

MS09-011/KB961373 – Critical (XP, 2000, 2003): This patch closes a hole that let attackers execute a remote code execution attack through MJPEG files; the bug is in DirectX 8.1 and 9.0x.

MS09-012/KB952004/KB956572 – Important (XP, Vista, 2000, 2003, 2008): This patch resolves four holes in Windows that have already been publically disclosed. The hole allows an attacker who is already logged onto the system to escalate their privileges and take full control of the system.

MS09-013/KB960803 – Critical (XP, Vista, 2000, 2003, 2008): This patch addresses three bugs in the Windows HTTP Services system; one of them allows remote code execution which allows an attacker to completely own a system. This is a “must patch” item for all Windows systems.

MS09-014/KB963027 – Critical (XP, Vista, 2000)/Important (2000, 2003): This is a cumulative security update for Internet Explorer 5, 6, and 7. Some of the fixes address already public bugs, some deal with privately disclosed exploits. You should install this patch immediately. Users with IE8 do not need this patch.

MS09-015/KB959426 – Moderate (XP, Vista, 2003, 2008)/Low (2000): This patch takes care of a problem with the Windows Search Path function that could enable an escalation of privileges.

Massive Patch Tuesday – 28 Vulnerabilities Patched

There are currently 28 vulnerabilities in unpatched Microsoft Windows, Internet Explorer and Microsoft Office, that could allow cyber-criminals to launch malicious attacks on your computer.

On Patch Tuesday, December 9, 2008, Microsoft released security patches to address these issues.

Vulnerability issues and the corresponding patches:

MS08-070 (critical; 6 vulnerabilities fixed): This update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls), which could allow remote code execution if a user browsed a Web site that contains specially crafted content.

MS08-071 (critical; 2 vulnerabilities fixed): This update resolves two privately reported vulnerability in Windows, which could allow remote code execution if a user opens a specially crafted WMF image file.

MS08-072 (critical; 8 vulnerabilities): This update resolves eight privately reported vulnerabilities in Microsoft Office, which could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file.

MS08-073 (critical; 4 vulnerabilities fixed): This update resolves four privately reported vulnerabilities in Internet Explorer, which could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

MS08-074 (critical; 3 vulnerabilities): This update resolves three privately reported vulnerabilities in Microsoft Office, which could allow remote code execution if a user opens a specially crafted Excel file.

MS08-075 (critical; 2 vulnerabilities): This update resolves two privately reported vulnerabilities in Windows, which could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL.

MS08-076 (important; 2 vulnerabilities): This update resolves two privately reported vulnerabilities in Windows, which could allow remote code execution.

MS08-077 (important; 1 vulnerability): This update resolves one privately reported vulnerability in Microsoft Office SharePoint, which could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack could result in denial of service or information disclosure.

It is not an overstatement to say; an unpatched Windows system is an invitation to disaster. If you have Windows Update turned on you’re covered, if not, I highly recommend that you download manually immediately.

Updated December 12, 2008:

The details being published about this weeks IE 0-day is incorrect and
insufficient to protect users, read more:
http://secunia.com/blog/38/

The updated Secunia Advisory is available here:
http://secunia.com/advisories/33089/

FireFox Full of Critical Security Holes – Update to Version 3.0.4 Now!

Mozilla has just released FireFox 3.0.4 which fixes eleven security issues discovered in FireFox version 3.0.3.

These issues run from high (critical), to moderate, and include the risk of illegal code execution, the possibility of personal information being exposed, and denial-of-service attacks.

If you haven’t already updated to version 3.0.4, it is critical that you do so now to ensure the integrity of your computer and to safeguard your personal and financial information.

The following are the vulnerabilities involved and the risk attached to each as per the Mozilla web site.

Critical vulnerabilities patched:

– MFSA 2008-55 Crash and remote code execution in nsFrameManager. A vulnerability in part of Mozilla’s DOM constructing code can be exploited by modifying certain properties of a file input element before it has finished initializing. When the blur method of the modified input element is called, uninitialized memory is accessed by the browser, resulting in a crash. This crash may be used by an attacker to run arbitrary code on a victim’s computer.

– MFSA 2008-54 Buffer overflow in http-index-format parser. This is a flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim’s computer.

– MFSA 2008-53 XSS and JavaScript privilege escalation via session restore. The browser’s session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state. This vulnerability could also be used by an attacker to run arbitrary JavaScript with chrome privileges.

– MFSA 2008-52 Crashes with evidence of memory corruption. Mozilla developers identified and fixed several stability bugs in the browser engine used in FireFox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

Two vulnerabilities rated as a high security risk have been patched:

MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals

MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation

The following vulnerabilities rated as a moderate security risk have also been patched:

MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome

MFSA 2008-47 Information stealing via local shortcut files

MFSA 2008-58 Parsing error in E4X default namespace

A Conversation with Adware – Secrets Revealed!

If you could have an imaginary conversation with LOP, just one of the millions of malware/adware strains currently circulating on the Internet, it might go something like this –

I might be adware, but I’m pretty polite; I won’t infect your computer unless you invite me in. But I can count on lots of you doing just that.

I’ll accept your invitation, to infect your system if, for example, you download and install either of two rogue Peer to Peer (P2P) applications currently making the rounds on the Internet. BitRoll-5.0.0.0, and Torrent101-4.5.0, are two programs that are used to exchange P2P files that I like to piggyback on.

Just so you know though, I’m pretty lazy so you won’t be able to actually download any files using these bogus applications.

My masters (some might call them cyber-crooks – actually, everyone calls them cyber-crooks), are experts at using false/rogue applications to install malicious code like me.

I’m a pretty neat piece of adware (my masters are pretty smart fellows), since I’ve been designed to display ads from a range of advertisers through pop-up windows, banner ads and so on. Oh, and I’ll automatically switch your Internet Explorer home page to my own search engine. One I particularly like is http://www.mp3search.com. When searches are made with this engine, the results that you get will be advertising pages that I choose to display.

(Sample misdirected search – click pic for larger)

Just in case you decide that I’m no longer welcome on your computer (that happens to me all the time), I’ll connect every so often to a web page from which I’ll download new files containing variants of myself which will make it difficult to delete all of my active malicious files on your system.

I should tell you that I’m extremely hard to get rid of, and just in case you try to get rid of me, I’ll make over 200+ changes to your Registry Keys. And in case that’s not enough to dissuade you from trying to kick me out, you should know that I have the ability to invite lots of my other adware friends over to party on your system.

I love to monitor your system’s processes, and I can even play with your security applications making them ineffective. Once I’ve done that, I can unleash my keylogger to capture your key strokes and just for fun, I might even scan your email address book so that I can bug your friends.

In my spare time I’m going to look around your operating system for vulnerabilities, because I’m pretty certain, that like many people, you haven’t installed the latest updates nor have you updated your security applications, like you’re supposed to.

Hey man, I’m here for a long, long visit, so think carefully before you offer me that invitation.

Have a good day now.

Elsewhere on this Blog you can read “The Best Free Spyware, Virus, and Browser Protection”, an article on free anti-malware programs, including anti-virus software, and you can download those that suit your needs.

FireFox 3.0.2 Released – 11 Bugs Fixed – Update Today!

The latest update of FireFox version 3.0.2 now available for download includes patches for 11 security deficiencies, many of them rated as critical by Mozilla Corporation.

If you are still using FireFox version 2, then you need to update this version as well, since the latest release of this version includes 14 patches. A number of patches in version 2 are exclusive to this specific version.

Frankly, if you are still using version 2 you need to take the plunge and update to version 3 now. There is no guarantee that Mozilla will continue to offer support for version 2.

A number of the vulnerabilities in version 3 were serious, and included stability issues related to graphics rendering, layout and JavaScript engines. Each has the potential to cause browser crashes could potentially leave the user open to exploitation by malicious code.

The latest FireFox security advisory lists the following vulnerabilities as having been patched.

MFSA 2008-42: Critical

Titled “Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)”–Mozilla says under certain circumstances memory corruption could be exploited to run arbitrary code.

MFSA 2008-41: Critical

Titled “Privilege escalation via XPCnativeWrapper pollution”–Mozilla says this fix includes “a series of vulnerabilities which can pollute XPCNativeWrappers and allow arbitrary code run with chrome privileges.”

MFSA 2008-39: Critical

Titled “Privilege escalation using feed preview page and XSS flaw”–Mozilla says this fixes “a series of vulnerabilities in feedWriter which allow scripts from page content to run with chrome privileges.”

MFSA 2008-37: Critical

Titled “UTF-8 URL stack buffer overflow”–Mozilla says “a specially crafted UTF-8 URL in a hyperlink…could overflow a stack buffer and allow an attacker to execute arbitrary code.

MFSA 2008-38: High

Titled “nsXMLDocument::OnChannelRedirect() same-origin violation”–Mozilla says the same-origin check in nsXMLDocument::OnChannelRedirect() could be bypassed and could be used to execute JavaScript in the context of a different Web site.

MFSA 2008-43: Moderate

Titled “BOM characters stripped from JavaScript before execution”–Mozilla says certain BOM characters are stripped from JavaScript code before it is executed and could lead to code being executed.

MFSA 2008-44: Moderate

Titled “resource: traversal vulnerabilities”–Mozilla says the restrictions imposed on local HTML files could be bypassed using the resource: protocol, allowing an attacker to read information about the system and prompt the victim to save the information in a file.

MFSA 2008-40: Low

Titled “Forced mouse drag”–Mozilla says the vulnerability allows an attacker to move the content window while the mouse is being clicked, causing an item to be dragged rather than clicked-on possibly forcing a user to download a file or perform other drag-and-drop actions.

MFSA 2008-45: Low

Titled “XBM image uninitialized memory reading”–Mozilla says a bug in the XBM decoder allowed random small chunks of uninitialized memory to be read.

It is highly recommended that you update immediately on the Mozilla site, or by clicking on Help – Check for Updates in FireFox.

I am LOP – I am Adware – I WILL Control Your Computer

I might be adware, but I’m pretty polite; I won’t infect your computer unless you invite me in. But I can count on lots of you doing just that.

I’ll accept your invitation, to infect your system, if you download and install either of two rogue Peer to Peer (P2P) applications currently making the rounds on the Internet. BitRoll-5.0.0.0, and Torrent101-4.5.0, are two programs that are used to exchange P2P files that I like to piggyback on.

Just so you know though, I’m pretty lazy so you won’t be able to actually download any files using these bogus applications.

My masters (some might call them cyber-crooks – actually, everyone calls them cyber-crooks), are experts at using false/rogue applications to install malicious code like me.

I’m a pretty neat piece of adware (my masters are pretty smart fellows), since I’ve been designed to display ads from a range of advertisers through pop-up windows, banners ads and so on. Oh, and I’ll automatically switch your Internet Explorer home page to my own search engine. One I particularly like is http://www.mp3search.com. When searches are made with this engine, the results that you get will be advertising pages that I choose to display.

Just in case you decide that I’m no longer welcome on your computer (that happens to me all the time), I’ll connect every so often to a web page from which I’ll download new files containing variants of myself which will make it difficult to delete all of my active malicious files on your system.

I should tell you that I’m extremely hard to get rid of, and just in case you try to get rid of me, I’ll make over 200+ changes to your Registry Keys. And in case that’s not enough to dissuade you from trying to kick me out, you should know that I have the ability to invite lots of my other adware friends over to party on your system.

I love to monitor your system’s processes, and I can even play with your security applications making them ineffective. Once I’ve done that, I can unleash my keylogger to capture your key strokes and just for fun, I might even scan your email address book so that I can bug your friends.

In my spare time I’m going to look around your operating system for vulnerabilities, because I’m pretty certain, that like many people, you haven’t installed the latest updates nor have you updated your security applications, like you’re supposed to.

Hey man, I’m here for a long, long visit, so think carefully before you offer me that invitation.

Have a good day now.

Elsewhere on this Blog you can read an article on free anti-malware programs, including anti-virus software, and you can download those that may suit your needs.