Thursday, February 25, 2010

CERT describes China exploit in IE

CERT (at Carnegie Mellon) has reported on the “Aurora” Microsoft Internet Explorer exploit, analyzed by McAfee.

The systems affected are:

"(1) Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
"(2) Microsoft Internet Explorer 6, 7, and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows 7, and Windows Server 2008 R2"

The brief description is
“Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media. Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.”

The following link from CERT gives all the details. Subscribers to their email list were notified this morning.

It appears that attacks were started when employees were duped by phishing scams.

The email gives a long list of “malicious domains” associated with the incident. One of these is “blogspot(dot)blogspite(dot)org”, trying to dupe users to believe they are visiting Blogger.
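The defanged entry above is exactly the pattern a triage script can catch: a trusted brand name placed as a subdomain (or as a near-misspelling) under a registrable domain the brand does not own. The following is an added example, not code from the CERT alert or from this blog. The brand allowlist, the edit-distance threshold, and the "last two labels" rule for the registrable domain are assumptions; a real tool would use the public suffix list so that names such as `co.uk` are handled correctly.

```python
"""Lookalike-domain triage for defanged indicators such as the
'blogspot(dot)blogspite(dot)org' entry in the CERT list.
Added example; not from CERT, McAfee or the blog."""
import re

# Assumption: brands worth protecting and the registrable domains they own.
KNOWN_BRANDS = {
    "blogspot": {"blogspot.com"},
    "blogger": {"blogger.com"},
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a(dot)b', 'hxxp://a[.]b/x') into a plain
    lowercase hostname with scheme and path removed."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    for token in ("(dot)", "[.]", "{.}", "[dot]"):
        s = s.replace(token, ".")
    return s.split("/")[0]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. Assumption that breaks
    for multi-part suffixes such as co.uk; use the public suffix list instead."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used to spot misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str, max_distance: int = 2) -> dict:
    """Flag a host when a brand appears as a subdomain of, or is a near-miss
    spelling of, a registrable domain that the brand does not own."""
    host = refang(indicator)
    labels = host.split(".")
    if len(labels) < 2:
        return {"host": host, "registrable": host, "suspicious": False, "reasons": []}
    reg = registrable_domain(host)
    second_level = labels[-2]
    reasons = []
    for brand, owned in KNOWN_BRANDS.items():
        if reg in owned:
            continue  # the brand's own domain, nothing to flag
        if any(brand in lab for lab in labels[:-2]):
            reasons.append(f"brand '{brand}' used as a subdomain of unrelated domain {reg}")
        distance = levenshtein(second_level, brand)
        if 0 < distance <= max_distance:
            reasons.append(f"'{second_level}' is within edit distance {distance} of '{brand}'")
    return {"host": host, "registrable": reg, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for ioc in ("blogspot(dot)blogspite(dot)org", "www.blogspot.com", "hxxp://blogger[.]com/login"):
        print(classify(ioc))
```

The CERT entry trips both heuristics: "blogspot" sits as a subdomain of `blogspite.org`, and `blogspite` is two edits away from `blogspot`. Legitimate `blogspot.com` and `blogger.com` hosts are skipped because their registrable domain is on the allowlist.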

It appears that the KB978207 update, described in MS10-002, fixes the problem. Users with automatic update got this fix in late January; anyone managing patches by hand should confirm that this cumulative IE update is actually installed rather than assuming it.

Wednesday, February 24, 2010

Webroot hangs on startup with Vista updates also available (incident)

Today, I had an unusual experience with Webroot Spysweeper. It seemed stuck in a loop with the yellow circle saying “loading” on startup. It could not be started from Vista Security Center. However, Vista then advised me that it had updates, five of them critical. After the updates downloaded and installed, with the normal reconfiguration during restart, Webroot started properly the second time. It warned of an error in the previous session.

Last night Webroot backup ran, and it seemed to run normally (this time it was rather small). However, it did not send the usual email report.

Has anyone else ever experienced a Webroot hang on startup?

Tuesday, February 23, 2010

Programmer in China who wrote IE exploit identified; the history of fix attempts is long

Microsoft issued a patch for Internet Explorer in late January, about a week after reports that major American software companies had been breached from China. Apparently this was covered by Microsoft Security Bulletin MS10-002 (Critical), knowledge base article 978207, and it covers several versions of IE. The Microsoft link is here. I found this update installed on my own Dell Vista laptop Jan. 23.

The media reports that the exploit mainly targeted IE 6 (which would not be used as much at corporate sites as later versions, although some companies lag in applying updates); note that the CERT affected-systems list above covers IE 6, 7 and 8, so later versions need the patch too. Elinor Mills has a story (link) on CNET (among many others in the media Monday) reporting that a specific programmer in China who wrote the exploit code has been identified.

The programmer did not launch the attack, and the circumstantial evidence suggests involvement of China’s government.

I see that I wrote about a quirk in the Microsoft update process here Jan. 23 and about another IE vulnerability (KB 979352) as well as an Adobe vulnerability possibly exploited by Chinese hackers Jan. 15.

Sunday, February 21, 2010

PC World has major issue on security tips

The March 2010 yellow issue of PC World has a useful article “How to Stop 11 Hidden Security Threats” by Tony Bradley, link here, on p. 68.

Most of these recommendations are well known, but it is true that a wise home user doesn’t just assume that his antivirus package or Windows firewall takes care of everything.

Bradley recommends that people encrypt their data even on backups, out of concern over physical theft. Of course, people can use off-site backup services (like Mozy) or backup data onto flash drives and put flash drives in safe deposit boxes at banks. People should consider carefully their own travel habits with laptop carriage, along with changes in TSA rules.

He recommends screening a Windows machine with Microsoft’s Malicious Software Removal Tool (MSRT, delivered monthly through automatic update) but admits that its scope is limited: it targets a list of specific, prevalent malware families and is not a substitute for a full antivirus product.

The article warns about social engineering attacks through Facebook or social networking sites.

It also discusses preview tools for "tiny URLs" (as with Twitter) that can lead to websites serving malware. He also uses the term "animalware" (try this report on another fake virus remover for use of the term, discussing the "spy falcon", by "Daniel").

The issue also has an article (p. 42) on flaws in Adobe Reader and Acrobat, by Erik Larkin, with issues in EPS files, AIR programs, and Flash players.

There is an article on p 24 by Ginny Mies on risks in social networking games, and even surveys.

On p 41, there is an article by Erik Larkin, “Security Alert: Malware aims to evade Windows 7 Safeguards”. Larkin notes a survey which showed that “automatic” infections on Vista machines from infected web pages were 62% lower than for XP, and Windows 7 is supposed to have even more layers of protection against exploits. I have experienced a couple of problems on a new Vista machine with web pages which Webroot Spysweeper noted as having malicious adware (considered a virus or Trojan, not “just” a spy cookie), in one case an attempt to download fake anti-virus software. In six months, Webroot has quarantined four such Trojans (McAfee never detected anything like these). I suppose that Windows 7 might be less vulnerable to these than even Vista is.

Wednesday, February 17, 2010

Government does war game on cyber attack: could cell phones become an Achilles heel?

On Wednesday, Feb. 17, Ellen Nakashima ran a story on p A3 of The Washington Post, “War game reveals U.S. lacks cyber-crisis skills: staged emergency displays need for strategy, organizers say,” link here.

This is not the 1983 movie “War Games” involving NORAD. Here, the Enemy mounts a massive surreptitious attack turning millions of cell phones and maybe Blackberries into zombies, shutting down the Internet and even the power grid. Does the government have the necessary authority to monitor or even quarantine cellphones? Does our entire grid have a “webroot”? Civil libertarians will be horrified.

Another question is whether individual cell phone or Blackberry users should be held responsible for securing them. I've noticed that Verizon once in a while updates my Blackberry with security improvements (as well as the Access Manager on the laptop); the automatic update can take ten minutes or so, during which the phone cannot be used.

In 2002, the media ran some stories on the vulnerability of power grids, but a good question is why they have any connection to the public Internet at all. (The Dominion Power outage viewer need not have any bi-directional path to the grid itself.) The August 2003 northeast power failure had to do with a hardware feedback loop in Ohio, not with the Internet. Maybe a bigger problem would be EMP (electromagnetic pulse). Perhaps eventually Dell and other manufacturers will sell Faraday devices to protect home users from any such possible future threats.

Picture: Schick uses the brand “Titanium”, but that’s the name of one of my unpublished screenplays!

Tuesday, February 16, 2010

Kaspersky's strategy for automatic updates and warning computer owners about protection status

I thought I would document a little anomaly of sorts with my use of Kaspersky on my rebuilt XP Home Dell machine. If it’s been turned off for a while, when it’s turned back on, Kaspersky always “updates”. That takes about 3 minutes with broadband. Usually it has a “green light” meaning that the computer is protected. Sometimes, however, the band is yellow and says the computer is not protected, and the yellow turns to green after a longer update.

Tonight, after being green initially upon bootup, it suddenly turned red, and Windows Security reported that no security products were working. After playing with the “fix it now” button, the update reran, and at 29% the banner color shifted from red back to green, saying that the computer is protected.

There are no words!

Sunday, February 14, 2010

Webroot Spysweeper exe icon (or Home link) not responding -- problem

Today I had a bizarre experience with Webroot spysweeper. The executable went into a “not responding” situation when I clicked on the Programs Menu icon on my Windows Vista Dell XPS laptop. If I clicked Close, Vista would eventually bring it back (but once it slipped into "not responding" when I clicked on "Home"). I then tried running the sweep and found only a few (15) spy cookies, not unusual, but a higher than usual number of traces (51). After quarantining, the program again went into not responding, but Vista brought it back.

I restarted the machine, and it operated normally after restart.

Typically on bootup, the Webroot trademark with Sophos appears, and then Windows Security reports no anti-virus is running. In about 15 seconds the yellow circle appears with the “loading” Passover, which becomes active after less than a minute, whereupon Webroot displays the alerts.

Windows Problem Reports shows a failed automatic update on Feb. 9 that was reinstalled successfully on Feb. 10.

Does anyone know of other problems where Webroot does not respond? I see a few problems reported on shutdown (found with Bing), and some speculation that Webroot gets locked by Internet Explorer sometimes. I do notice that sometimes IE is slow to bring up the Dell/MSN site.

Saturday, February 06, 2010

The Troj/ByteVer-G trojan is found by Webroot Spysweeper

Today Webroot spysweeper turned up a “Virus found” on Troj/ByteVer-G. So far, there is little information on this Trojan, outside Sophos (the virus engine for Spysweeper) which says it was entered into the database Feb. 5, with this entry. Webroot placed the Trojan into quarantine without incident.

Sophos offers much more detailed instructions for removing Trojans than merely deleting files, here. Trojans may resume execution at startup if they affected the registry. I presume that the Webroot quarantine prevents this from happening.
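The registry point above is the one to check after any quarantine: a Trojan that wrote itself into a Run or RunOnce key will try to come back at the next logon, and quarantining the file alone leaves a dangling autostart entry that is worth finding. The following is an added example, not code from Sophos, Webroot or this blog: it parses the text that `reg export` produces for a Run key and flags entries that look like malware persistence. The sample export, the list of user-writable directories, and the launcher/process-name heuristics are constructed assumptions for the demonstration.

```python
"""Triage of exported Run/RunOnce registry keys for persistence entries.
Added example; not from Sophos, Webroot or the blog. SAMPLE_REG_EXPORT is
constructed sample data in the format written by `reg export`."""
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\bill\\AppData\\Local\\Temp\\svchost.exe"
"Updater"="wscript.exe \"C:\\Users\\bill\\AppData\\Roaming\\update.js\""
'''

# Assumption: legitimate autostarts rarely live in these user-writable paths.
SUSPICIOUS_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\windows\temp")
# Assumption: script hosts and proxy binaries commonly abused to launch payloads.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
# Assumption: value names chosen to blend in with real Windows processes.
SYSTEM_NAMES = ("svchost", "csrss", "lsass", "winlogon", "explorer")


def parse_run_entries(reg_text: str) -> dict:
    """Return {key_path: {value_name: command}} for every Run/RunOnce key
    in a .reg export. REG_SZ escapes (\\\\ and \\") are undone."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path if re.search(r"\\Run(Once)?$", path, re.I) else None
            if current:
                entries[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                name, raw = m.groups()
                entries[current][name] = raw.replace('\\"', '"').replace("\\\\", "\\")
    return entries


def triage(reg_text: str) -> list:
    """Flag autostart entries with the reasons they stood out."""
    flagged = []
    for key, values in parse_run_entries(reg_text).items():
        for name, cmd in values.items():
            low = cmd.lower()
            reasons = []
            if any(d in low for d in SUSPICIOUS_DIRS):
                reasons.append("launches from a user-writable directory")
            if any(low.lstrip('"').startswith(h) for h in SCRIPT_HOSTS):
                reasons.append("script or proxy host used as launcher")
            if name.lower() in SYSTEM_NAMES:
                reasons.append("value name mimics a Windows system process")
            if reasons:
                flagged.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_REG_EXPORT):
        print(hit["name"], "->", hit["command"], "|", "; ".join(hit["reasons"]))
```

On a real machine, export the keys first (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and the HKLM equivalent) and feed the file contents to `triage`. The OneDrive entry passes because it runs from Program Files under a plain name; the other two are flagged for running out of `AppData`, for using `wscript.exe` as a launcher, and for borrowing the name `svchost`.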

Curiously, after the sweep, Webroot told me it had just updated the security definition file. I restarted, then cold booted and reran the sweep and found no items.

Earlier, I had gotten a message on my Facebook page regarding a marketing company. I did click on the website, and it kept trying to get me to look at an offer before going away until I clicked out completely and closed Facebook. I don’t know if that was the source. I generally am not interested in “get rich” marketing schemes, as few work.

I could not find any mention of this Trojan at McAfee.

The Trojan may resemble Troj/FakeAvJs-A, already discussed. There is also a discussion of “clean, quarantine, or delete?” here.

Note that the Sophos Trojan removal link doesn't address Vista or XP. I don't know why.

Thursday, February 04, 2010

US service providers work with National Security Agency; no real privacy problem for ordinary users

Numerous media outlets reported yesterday that a number of major US Internet companies and service providers, most of all Google, are working with the National Security Agency to investigate the recently reported compromises to security that appear to have originated largely in China and be aimed at dissidents. Other possible sources of security problems could include Iran, the Balkans, elements in Russia, and maybe even North Korea, and perhaps radical Islam (but maybe not too likely).

The work with the NSA should not ordinarily affect the privacy of ordinary correspondence and Internet postings, forums, social media, and the like of ordinary users, nor is there any evidence that government is interested in tracking these.

However, webmasters or bloggers who post controversial material could conceivably attract destructive activity, particularly dissidents overseas. In April 2002, a web page of mine (a copy of a chapter of my second book) was hacked at the exact point that I started talking about suitcase nukes (it was a long essay about the response to 9/11, which at the time had happened only six months before). The file turned to gibberish, and the beginning of one other file was overwritten. Some of the gibberish appeared to include the names of remote areas overseas in other languages. A “libertarian” friend investigated and found that the particular ISP had left a Unix SITE command open. The problem never recurred. Of course, I recovered quickly by re-FTPing since I had clean copies of all my own files. Later in 2002 I received two bizarre emails, including one about Indonesia (shortly before a major bust there) and another with a map showing critical locations in Russia. (I shared these with the FBI.) It seems that bloggers can attract attention and tips, but need to be careful.

Needless to say, I’ve gotten pretty savvy at recognizing “Nigerian scam” (and other phishing) emails from the subject lines (I never got one at all until 2000) and almost never open them (I report them as spam); these particular emails appeared to be trying to convey legitimate information.

Monday, February 01, 2010

Domestic computers are too often zombies in botnets

Jack Goldsmith makes a chilling point about the habits of US computer users in his op-ed Monday morning Feb. 1 in The Washington Post, “Can we stop the cyber arms race?”, link here.

While it’s right to be concerned about foreign cyber spying and hacking on US commercial and security interests, it’s also true that a great deal of the knowledge base on computer crime lives inside this country. He points out that the United States has most of the infected botnet computers in the world, and that many botnet attacks (often DDoS attacks) originate within the US. The mechanisms for these events have been well publicized in the media since about early 2001, well before 9/11. Many of the infected computers have always been poorly protected home and small business computers. After 9/11, some authorities raised concerns that home computers could become targets for steganography, although the actual incidence of this does not seem to have grown.

We still could be facing consideration of how much legal responsibility home users should have for safety when they connect to “the Outside”, just as we do with driver’s licenses and auto liability. Will there be an Internet driver’s license some day?