Today’s Security Alert

The Internet is a wonderful place to spend time – whether personally, professionally, or socially, you can travel to distant lands, and meet folks from the comfort of your bedroom / home office.

But it’s absolutely NOT a place to casually provide details about yourself. And when you travel by internet, you absolutely must protect the vehicle (your computer) that you travel in. So stay aware of what’s happening in Internet security.


12/12 If you have Yahoo Messenger, you may need to be aware that a new phishing attack, which uses YM, has started. IM security firm IMLogic reports in New Yahoo IM Phishing Attack Surfaces

The attack, IM.Marphish2.Yahoo, attempts to steal personal information by duping a user into believing that they are in violation of Yahoo’s Terms of Service. The user is instructed to contact the “abuse department” through a URL that points to the 2wahms.com domain.

As always, please be very careful when presented any IM message that includes a URL. If the message is not part of an active conversation, OR if it’s from anybody that you don’t recognise, examine it with great suspicion. If you get an IM message, that contains a URL, from a friend, and you’re not in the middle of an active chat with that friend, take the time to verify that the message was intentionally sent. You could be helping both of you by doing this.


11/29 Yesterday, a friend wrote me for advice, as she was contemplating the purchase of a DVD burner for her recently purchased computer. I told her

Please don’t buy a Sony product.

And she didn’t. She bought a competitor’s product. This accomplished 2 things:

  1. One less sale for Sony.
  2. One more sale for a Sony competitor.

I just lit a candle. Will you light any?


11/23 Success – of a sort! BusinessWeek Online Sony’s Escalating “Spyware” Fiasco reports that

Overnight, Get Right with the Man dropped to No. 1,392 on Amazon’s music rankings. By Nov. 22 — after the news made headlines and Sony was deep into damage control, pulling some 4.7 million copy-protected disks from the market — Get Right with the Man was even further from Amazon’s Top 40, plummeting to No. 25,802.

The wrath of fans killed Sony’s CD copy controls, with the company pulling 52 titles off retail shelves, beginning the week of Nov. 14. But the wrath of bands could be far worse for the company — and for efforts to protect content in general.

Singers and songwriters are increasingly expressing frustration at devices used by record companies to protect digital content from widespread theft that results when CDs are copied repeatedly or popular tracks are given away on peer-to-peer (P2P) networks, such as LimeWire and BitTorrent.

Maybe, just maybe, Sony and the rest of the RIAA will decide that their customers (the ones that remain) deserve their respect, not their contempt. If they wish to stay in business, anyway.


11/22 The shenanigans by Sony aren’t the only thing to worry about this month. The Register Password-stealing keyloggers skyrocket warns us that

Hackers are on target to release more than 6,000 keystroke loggers in 2005, a 65 per cent increase from the 3,753 keyloggers released last year.

And their delivery mechanisms are getting pretty sophisticated too. ISC SANS More Sober Variants warns of the latest Sober variant, which may arrive in your Inbox disguised as a letter from a US Government agency like the CIA or FBI (as if).

Be paranoid. Be very paranoid.


11/21 The lawsuits against Sony have started. Mark Lyon, of SonySuit.com, has a comprehensive list of the various actions underway around the world.


11/18 The whole Sony problem started some time ago. I first reported it, personally, over 2 weeks ago. Today, SSX4life, in BBR Forums Sony – Opinion and Future, points out

If you put a frog in a boiling pot of water it will try to jump out and struggle for dear life. However, if you put a frog in a cold pot of water and slowly bring it up to temp, the frog will more than willingly sit and boil to death.

If Sony and other music, software, “tech” companies slowly remove the rights of the consumer to a CD / DVD / piece of software that you purchased, then what will happen to the everyday consumer…

This is a small quote from this very long thread, and several like it, in BBR Forums and elsewhere.

It is very dark here, and this blog is a very small candle. I’m going to light it, though, and join the Sony Boycott. If you care about your rights, as a consumer of electronic content, you should join the boycott, and sign the petition, too. Demand your rights – it’s your money that pays the salaries of Sony, and of the RIAA.


11/17 As predicted yesterday, Sony’s uninstall procedures created a vulnerability worse than the original rootkit. Websense Security Labs have now published an alert stating

Websense® Security Labs™ has received reports of websites that are using the Sony DRM uninstaller as a means to perform malicious actions on end user machines.

Any user who has downloaded and run the Sony uninstaller program is susceptible to this attack.

Various security software vendors, such as Sophos and Symantec, have produced reliable rootkit removal programs. I do not recommend that you use any software provided by Sony.


11/16 How much deeper can Sony go? The Inquirer Sony DRM infection removal vulnerability uncovered points out what many have discovered

According to Freedom To Tinker, the web based installer is a worse vulnerability than the original rootkit. More on the story here, FTT goes into detail. It seems the ‘cure’ from Sony involves downloading an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine.

And to do themselves still more harm, they still claim to have only 20 infected CD titles out in the wild. USA Today Bad things hide in PCs using Sony BMG software reports

Sony says 20 CD titles use this form of copy protection, from British firm First 4 Internet, but it won’t say which titles. The Electronic Frontier Foundation, a non-profit civil-liberties group, identifies 19 on its http://www.eff.org website from artists including Neil Diamond, Van Zant, Celine Dion and Switchfoot.

However, many watchers of Sony have identified way more than 20. Such as IdiotAbroad, which currently lists 47.


11/15 The Sony issue gets bigger each day. Wired News Sony Numbers Add Up to Trouble reports that AT LEAST half a million computers are out there, infected with Sony’s dirty work. That number was arrived at by technical research; it is a reliable minimum, and the actual count is most likely a lot higher.


11/14 The Electronic Frontier Foundation has now entered the picture. In the BBR Forum Microsoft will wipe Sony’s ‘rootkit’ and more, a copy of the advice sent Sony by the EFF, regarding what Sony needs to do to make its image right with its customers, was presented. We will now see how responsive Sony is.


11/14 The discussion about Sony’s activities is continuing, and it appears that the Rootkit discovered recently is just the tip of the iceberg. Check out BBR Forums SONY throws in the towel … for now, for a very fast moving thread with diverse opinions.

Also, for a comprehensive, and dynamic, list of CDs (or things that look like CDs but aren’t), that you do not want to buy, see the CDR Bad CD list.


11/13 Here’s a neat game. You load a free keylogger on your computer, downloaded from WhatPulse. You form teams, and try to beat each other’s keystroke counts. WTH?

OK, the keylogger has been checked out, and this version is free from anything malicious. All that it does is count keystrokes. But what about future versions, or imitators’ versions? At best, this game is blurring the line between malware and irresponsible game playing. And what happens if this gets bought out by the bad guys? I just know one of them must be looking at this right now – it’s just perfect for exploitation.

My personal opinion? Encouraging folks to install a keylogger, even something benign (right now) is not something I would recommend. I don’t think this is post Sony paranoia speaking – I would always feel this way. I think this is irresponsible. What do you think?


11/12 BTW, I’m curious. Are there any folk out there reading this, who think that the whole Sony Rootkit thing is much ado about nothing? Well, now that the story is out, folks are looking backwards at previously reported problems. Look at, for instance BBR Security Forum Some earlier signs of Sony’s rootkit…, with a list that bears investigation.


11/12 Sony has backed down, at least publicly. In BBC News World Edition Sony stops making anti-piracy CDs

Sony has said it will suspend the production of music CDs with anti-piracy technology which can leave computers vulnerable to viruses.

I will try to keep an open mind, but for right now, Sony is off my Christmas shopping list.


11/11 The Sony Rootkit story just gets better and better. NPR (National Public Radio, for those of you not USA citizens) did a piece on it Sony Music CDs Under Fire from Privacy Advocates. They interviewed Sony BMG’s Global Digital Business President Thomas Hesse, who had the gall to say for the record

Most people, I think, don’t even know what a rootkit is, so why should they care about it?

And here is my favourite interpretation of that blunder, from BBR Forums First Virus found that uses Sony Rootkit…

Most people, I think, don’t even know what a rootkit is, so we can get away with it.

And here’s a short list of other websites, which I have found, which are also discussing this:


11/10 The Sony Rootkit issue is not going to go away. The Electronic Frontier Foundation, in Are You Infected by Sony-BMG’s Rootkit?, provides an inventory of CDs that are using Copy Protection and the Sony Rootkit.

Now, as predicted, the bad guys are now using the Sony Rootkit to hide their own malware. The security firm Sophos reports in Trojan horse exploits Sony DRM copy protection vulnerability

Experts at SophosLabs™, Sophos’s global network of virus and spam analysis centres, have detected a new Trojan horse that exploits the controversial Sony DRM (Digital Rights Management) copy protection included on some of the music giant’s CDs.

The Troj/Stinx-E Trojan horse appears to have been deliberately spammed out to email addresses, posing as a message from a British business magazine.

Typical emails look as follows:

Subject: Photo Approval Deadline

And legal action has started in Italy. As reported by SmartHouse Police Called In To Investigate Sony

The group, calling itself the ALCEI-EFI (Association for Freedom in Electronic Interactive Communications – Electronic Frontiers Italy), filed a complaint about Sony’s software with the head of Italy’s cyber-crime investigation unit, Colonel Umberto Rapetto of the Guardia di Finanza.

Please let Sony know what you think of their antics. The RIAA has to be brought into control, and maybe this is one battle which may help. See The Sony Boycott Blog for other ideas about how to take action.


11/2 Is using a WiFi network that you didn’t set up theft? Some believe it is, others believe it’s not. I think there are a lot of grey areas.
If you have any feelings one way or the other, join BBR Forums (it’s free), and participate in this, and similar, discussions.


10/31 The RIAA continues to dig itself into a hole. Sony is now selling music which comes with self-installing software, in an attempt to enforce Copy Protection. If you try to play, for instance, Get Right with the Man by the Van Zant Brothers, as distributed by Sony / BMG, on the CD player on your computer, you will have to install special drivers. These drivers hide themselves using rootkit techniques.

When you try to play any similarly Copy Protected music, which is protected by First4Internet’s DRMServer, you will first have to agree to a EULA. Upon agreeing to the EULA, DRMServer will be installed on your computer. To protect DRMServer, which runs a process $sys$DRMServer.exe, your system will be modified to prevent you from even seeing any traces of processes named $sys$(anything) on your system. This, my friends, is a Rootkit.

This asinine and poorly constructed attempt to subvert the integrity of your computer was recently discovered by Mark Russinovich, author of RootkitRevealer and a multitude of other very useful system utilities. Mark further discovered that, if you attempt to uninstall the DRMServer drivers, your CD player will become inoperative. This, my friends, is a badly written Rootkit.

Mark further discovered that the Rootkit will hide other files, such as one that he created in a test.

I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view.

This, my friends, is a dangerous Rootkit. What if one of the bad guys writes a very bad application, with programs using names protected by DRMServer, and gets it installed on your computer?
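A cross-view check in the spirit of the $sys$notepad.exe test quoted above, written here as an added example (it is not code from the page, from Mark Russinovich or from Sysinternals): it creates probe files with and without the $sys$ prefix and reports any that can be opened by name yet are missing from the directory listing, which is the signature of a cloaking hook rather than of a file that is simply absent. The probe file names and the use of a temporary directory are my own choices; on a clean system the result is empty.

```python
"""Cross-view probe for name-prefix cloaking (the "$sys$" filter described
on the page). Added example: the probe names and the temporary directory
are constructed here, not taken from any tool the page mentions."""
import os
import tempfile

CLOAK_PREFIX = "$sys$"   # the prefix the page says the driver cloaks


def probe_directory(directory, prefix=CLOAK_PREFIX,
                    bases=("notepad.exe", "probe.txt")):
    """Create pairs of files, one plain and one carrying the prefix, then
    compare two views of each name: the directory enumeration (what a hooked
    listing shows) and a direct open by full path (which the cloak must leave
    working so the driver can reach its own $sys$ files).
    Returns {name: (enumerated, openable)}; probe files are removed again."""
    created = []
    try:
        for base in bases:
            for name in (base, prefix + base):
                path = os.path.join(directory, name)
                with open(path, "w", encoding="ascii") as fh:
                    fh.write("cloaking probe\n")
                created.append(path)

        enumerated = set(os.listdir(directory))   # view 1: enumeration
        views = {}
        for path in created:
            name = os.path.basename(path)
            try:                                   # view 2: open by name
                with open(path, "rb") as fh:
                    openable = fh.read(8) == b"cloaking"
            except OSError:
                openable = False
            views[name] = (name in enumerated, openable)
        return views
    finally:
        for path in created:                       # always clean up probes
            try:
                os.remove(path)
            except OSError:
                pass


def cloaked_names(views):
    """Names readable by direct open but absent from the listing."""
    return sorted(name for name, (seen, openable) in views.items()
                  if openable and not seen)


def run_probe():
    """Run the probe in a fresh temporary directory; returns cloaked names."""
    with tempfile.TemporaryDirectory() as tmp:
        return cloaked_names(probe_directory(tmp))


if __name__ == "__main__":
    hidden = run_probe()
    print("cloaked:", hidden if hidden else "none (no $sys$ filter observed)")
```

A non-empty result is only a lead; confirm it with a dedicated tool such as RootkitRevealer before drawing conclusions.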

Here is another, slightly less techie oriented, viewpoint of Sony’s sorry mess. Be patient, this article is on a slow server.

Please let Sony know what you think of their latest attempt to continue a system which was valid, only marginally, in the 1950’s.


10/9 Vista is Coming! I just recently spent 4 very intense and brief days in Seattle, as a guest of Microsoft, at MVP Summit 2005. I got my first actual look at Vista, and was treated to half a dozen very detailed descriptions of technical features of Vista. Security-wise, the step up from Windows XP is 2 to 4 times as significant as the step from Windows XP RTM to Windows XP SP2 was. I can’t say more, but I will be updating my personal impression of it, as time permits. Watch this blog.


8/26 Occasionally there is good news. Today, just 2 weeks after Zotob hit the Internet, the US FBI and others arrested two suspects in its creation. CNet News.com reports in Arrests made in probe of worm that hit ABC, others that the two suspects arrested are suspected of creating both the Mytob and Zotob worms.

This is only a start, but maybe fear of arrest, and fear of execution (as the good news on 7/26 described), might lessen the onslaught of malware just a bit.

But don’t stop protecting yourself just yet. Just don’t give up.


8/17 ZDNet Security Windows worms knocking out computers reports on the ongoing evolution and spread of Zotob, with the latest family member which Symantec has named Zotob.G. F-Secure suggests that the newer versions of Zotob are the product of rival gangs, each busily creating their own botnets.

“We seem to have a botwar on our hands,” Mikko Hypponen, chief research officer at Finnish software security firm F-Secure said in a statement issued on Wednesday.

“There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines,” he said.

Please patch your systems. If your system is infected, you might not notice anything right now. When the bots are activated, that might change.


8/16 The Zotob threat in particular, and the MS05-039 vulnerability in general, having stabilised (not gone away, just stabilised), ISC SANS is Back to InfoCon Green. Zotob is now just another worm, in the background noise on the Internet. Like other worms, it continues to mutate, and has most recently been identified by Symantec as Zotob.E, which is an IRC Bot.

Zotob this afternoon successfully infected CNN, ABCNews, and the NYTimes.

Your computer could be next, so protect yourself. Patch up. But please, and this is an important distinction here, do not protect yourself indiscriminately.


8/15 Zotob continues to evolve.

ISC SANS Zotob Update now reports that Zotob is adding a mass mailer to its payload. In other words, Zotob has now become part of the spammers’ world, and is probably providing financial reward for its releaser. Anybody surprised?

In another unfortunate turn of events, ISC SANS Zotob affecting some XP SP2/2003? recommends that you protect your servers by disabling anonymous connections. Note that they cover themselves by saying “…this will require testing to ensure it does not break valid applications.”.

It seems a harmless and simple change to make, but it has been my experience that, if you depend upon seeing a neat list of all of the computers on your network, in a portion of your desktop known as “My Network Places” or “Network Neighborhood”, disabling anonymous connections will also stop any server from being displayed there. I’m trying to get a confirmation out of Microsoft. Right now, if you are reading the SANS diary referenced above, please don’t go disabling all anonymous connections, at least without knowing the possible consequences.


8/14 ISC / SANS now reports the detection of the first worm to use the MS05-039 vulnerability. The new worm, Zotob, has been reported by Symantec currently in two strains – Zotob.a and Zotob.b.

So the predictions from Friday, which prompted SANS to go to a Yellow Alert, have been proven to be correct.

Patch up, folks. Please.


8/12 Happy Black Tuesday Week, everybody. Yes, last Tuesday was the first Tuesday of the month. And Microsoft issued a suite of updates, including 3 Critical ones. You may see them reviewed in the SANS Diary Microsoft Security Bulletins for August.

Don’t go away yet, though – this gets better. Today’s SANS Diary POC code available for multiple updated MS vulns announces that, of the 6 vulnerabilities admitted to by Microsoft, no less than 4 of them have Proof Of Concept code published, which will exploit the announced vulnerabilities.

And we’re not done yet. The MS05-039 vulnerability, Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588), is expected, by SANS, to become a critical issue over the weekend. Three separate exploits for that vulnerability have been announced during the past 24 hours. Proof Of Concept code is expected to be superseded by active attacks, during the next few days.

The Internet Storm Center main page is now at Yellow Alert. This is only the second time that I can remember this being the case since they implemented the colour system.

Both Microsoft, and SANS (and myself) all recommend that you apply all Critical Patches – MS05-038, MS05-039, and MS05-043 – at your most immediate convenience, if not sooner; and the other three – MS05-040, MS05-041, and MS05-042 – soon afterwards. All users of the Internet thank you for your cooperation.


8/11 The bad guys are getting either more brazen – or more desperate – you decide which.

Since people are getting more and more suspicious of ANY email that asks them to fill out private information online (which is good), ZDNet Security: New scam asks people to fax away data reports that the scammers are now asking you to download a form, fill it out, and fax it to a toll free phone number.

Whether the bad guys giving you a phone number is a stupid move on their part (you can give the number to the police, who can locate the bad guys), or a genius move (the bad guys know you would try to do that, so you would never believe that it was a scam), is being debated.

One thing is obvious: You can not trust ANY email that asks you for ANY personal data, in any form. End of story.


8/3 The Internet is a big community, composed of lots of little communities. And the bad guys, and potentially bad guys, are getting into the act, in new ways, all of the time.

Everybody wants new ways to get “eyes” – that is, to put up web pages, and get visitors to come once, and come back, over and over. One of the newer ways is to provide online databases, “free” to all who wish to participate. Create a new type of community, in other words.

What a neat idea. NOT.

A couple months ago, we had the Birthday Reminder database. Send us your email address, and your birthday. And send us your friends email addresses, and their birthdays. And “we” (our automated mailer) will email YOU when one of your friends birthdays is coming up. What a deal.

Can you say “Identity Theft”? I bet you can, if you try.

This month, we have blatant online databases – Online Contact Databases. According to SANS It Takes a Village…, a popular service, Plaxo, now lets you store all of your contacts data in their “free” online database. And then emails all of YOUR friends and invites them. And it’s all free. Right.

To broadly paraphrase one Internet wise guy, “If someone emails YOU and tells you that YOUR birthday and / or email address has been added to their online database, and asks you to add your friends to your entry, please forget that I’m your friend.”.

Seriously. DO NOT EVER add my name, birthday, email address, or anything about me, to any online database without ME telling you to do so, and what database to add it to. And don’t be holding your breath waiting for me to name one that I consider safe. And if I do find one, chances are, it won’t be free.

TANSTAAFL. I’ll be a nice guy.


7/29 And a new worm hits the Internet. The worm, Hagbard.A, passes itself off as an IM from one of your friends, and tries to trick you into downloading a free version of a hot video game, according to ZDNet Security Worm poses as pirated ‘Grand Theft Auto’.

Except what installs itself on your computer is no game, it’s a server program, so YOU can serve up another copy of the worm to your former friends. As one of YOUR former friends just did to you.

Be skeptical, folks. And when you get an IM with a URL in it, always ask yourself if your friend would actually send that. Then ask your friend to verify.


7/28 When asked for technical advice, by someone with AOL, I’m usually tempted to say something curt like “If you have AOL, then you’re beyond my ability to help you”. A lot of Networking and Security snobs will say that anyway.

Today, that attitude shouldn’t apply. If you have AOL, particularly Bring Your Own Internet, where you pay for AOL content but have another ISP, you’re just like any Internet user. So, since you hopefully understand about the need for Defense In Depth, aka Layered Security, you set up a NAT router and / or a personal firewall, just like any other Internet user. And you’re just as safe as any other Internet user. Right?

Wrong.

With the AOL Bring Your Own Internet service, you set up a Virtual Private Network between your network and AOL. You get AOL content, but it’s safer than the rest of the Internet, because the VPN means no unsafe traffic from non-AOL sources. If you can trust AOL, then you’re safe.

Unfortunately, the AOL VPN goes from your computer, thru your personal firewall, and thru your NAT router, as protected content. Neither your personal firewall nor router filter it in any way. And if the AOL content ever becomes dangerous, your network is wide open. Lawrence Baldwin, of myNetWatchman, provided Why you should block AOL Client on a corporate network, which explains the problem in more detail, some time ago.

Today, SANS offers The Penetrating Packets: Spam E-Mail (scroll down a bit from the top of their page, there’s no direct link), which is a real live example of how someone’s AOL connection, thru his home network, caused contamination of an actual workplace network.

If you have AOL (and I won’t get into what I don’t like about it), particularly AOL with BYO Internet, please examine how your firewall / router / other Layered Security is setup. Please harden your network with a bit of extra care. Don’t trust the AOL backbone any more than you must.


7/26 As followers of Christianity, we are taught to love our enemies. Nonetheless, it’s hard not to feel some small bit of pleasure in reading SecurityFocus Russian spammer murdered.

Apparently, even though spamming is not illegal in Russia, someone there saw fit to end his arrogant abuse of the Internet.

The elimination of one bad guy can only be a small improvement in the world; Lord willing, more of his coworkers might be hoped to follow him. We have the right to enjoy the Internet and all of its legitimate improvements upon our lives without having to put up with abuse by Kushnir and his peers.


2005/07/26 The increasing popularity of blogs has now drawn its share of imitators, including the bad guys. A Blog, which is simply a bulletin board or discussion forum with easy to use software, can be set up by most folks with any technical skill, and that apparently includes some bad guys, who are now luring the innocent to their sites from email and Instant Messages.

According to ZDNet Security Phishing twist relies on bogus blogs, once lured to a malicious blog, the unwary victim’s computer becomes infected with software designed to steal sensitive information, such as passwords and bank account information. In a later article Attackers lurk on photo sites, firm warns, we learn of one noted case

When a victim clicks on a link, the computer becomes infected. In one case, a greeting card was displayed and a tune played in the background while spyware was being installed on the compromised PC, Websense said.

Once again, if you’re going to surf the web, particularly from IM and email, please protect your computer.


2005/07/15 Are you one of 220 million US consumers who are trying to get a copy of your government mandated free credit report? According to SecurityFocus Report: Squatters a major problem for credit-report site, if you don’t type in the URL http://www.annualcreditreport.com/ very carefully, you may quite possibly end up on one of 200 imitation or openly bogus websites.

At best, you will be charged a $35 fee for the same information which is available from the genuine website for nothing. In extreme cases, you may become an identity theft victim, if you unknowingly provide your SSN and other details to one of the more malicious websites.

The link to the genuine website is above. Or, type the URL very carefully, as “www.annualcreditreport.com”. Or, as Paul Dixon recommends, contact the credit bureaus by phone or mail.


2005/07/14 Oh by the way, for those of you using Firefox (and I hope that includes most of you!), Firefox V1.0.5 has just been released. Install it, please.


2005/07/13 Another chapter in one of my favourite serial security articles – Follow the Bouncing Malware VI: Hypnotized and EULAgized – was published today. For those of you who are new to this web page, FTBM is a repeating yet ever-changing look into how clever the malware authors of the world are getting.

Follow the Bouncing Malware is a SANS feature that started about a year ago, as one unprotected computer was exposed to the Web, and its ensuing infections recorded in detail. It was so popular that its author has repeated his experiment 5 times since the original, with something new each time.


2005/07/12 Happy Patch Tuesday! Microsoft released 3 critical patches today. Start patching.


2005/07/12 So, almost 2 weeks since the last alert. Boring? Not really. True, there haven’t been too many new threats. I’d guess that the bad guys have been too busy managing their ongoing activities, selling their services, and traveling to the bank with all their illegally earned cash, to create any new threats.

Who needs new threats? Botnet activity quadrupled in April through June of this year, compared to the previous quarter. That’s from a McAfee Quarterly Report, as reported by ZDNet Security: Computer hijacking on the rise.

Don’t be part of the increase – keep your computer clean – practice Layered Security.


2005/06/28 Earlier this month, I alerted you to an old threat that had just been enhanced by its creators, making it even more of a nuisance. Bagle, renamed MitGlieder, had been released in a new, enhanced, form with extra powers.

Well, ZDNet Security reports that MitGlieder.BQ was released last weekend. So keep being very careful what email you open – look out for surprises, because this one is a surprise that you don’t want!


2005/06/22 If you use secure websites that require a username and password, make sure that you protect yourself against phishing attempts from malicious websites. The latest threat? If you surf to a malicious website, that isn’t already blocked by a Layered Defense, the website could open a window from a website that you trust, then a pop-up window on top of that from their own website. If the pop-up window doesn’t display any details about where it comes from, you could be fooled into thinking that it’s from the trusted website underneath.

You enter your username and password to the trusted website into the phishing window, and the bad guys now have your username and password.

The solution? Don’t trust pop-up windows that don’t include an address bar or a lock icon that verifies that it came from a certified source.

See if you’re vulnerable! Run the Secunia Multiple Browsers Dialog Origin Vulnerability Test.

For more details, read Microsoft Browser Windows Without Indications of Their Origins may be Used in Phishing Attempts, and ZDNet Pop-up vulnerability found in major browsers.



