Tuesday, November 3, 2009

New Trojan horse that encrypts files: the .vicrypt file extension

Source: http://news.cnet.com/8301-27080_3-10388541-245.html

Symantec's technical description and removal tool:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-102708-2133-99&tabid=2

There's a new Trojan propagating across the web that encrypts files and changes their extension to .vicrypt. Rather than popup enticements to "offer decryption services" (ransom-ware) to the victim, they are relying on end-users searching for that file extension, in the hopes of landing on the malware authors website, where a tool is being sold.

Now you can get a free removal and decryption tool from Symantec, see link above.

This virus is not yet wide-spread, and hopefully won't become so. But if you see that file extension on your system, you should review the details and get cleaned up.

Thursday, September 24, 2009

Prepare for your Windows 7 Upgrade after October 22, 2009

Here are a few tips to help prepare for your Windows 7 upgrade once it's released to the public on October 22nd.

- Run the Microsoft Windows 7 Upgrade Advisor :

From Microsoft: In general, if your PC can run Windows Vista, it can run Windows 7. But if you're not running Windows Vista, or are just not sure if your system is ready to run Windows 7, there's a quick way to do a simple check.

Just download, install, and run the Windows 7 Upgrade Advisor Beta. You'll get a report telling you if your PC can run Windows 7 and if there are any known compatibility issues. If an issue can be resolved, you'll get suggestions for next steps. For example, it may let you know that you need an updated driver for your printer and where to get it.


- Centralize or identify your data and take a full backup of it:

Make sure everything you care about is either located under your "My Documents" folder, or that you know where it is. When you perform an upgrade to Windows 7, you will find that making a full copy of your data onto an external storage device -- such as a USB drive, then deleting all your data on the old hard drive, will make for a much faster and smoother upgrade experience. Once you've completed the upgrade, copy your data from that external storage back to the proper folders.

- Get Windows 7 compatible drivers for all your system devices in advance:

Go to the sources for your devices: nvidia.com for NVidia video cards for example, Intel for your Intel network adapters, or your motherboard manufacturer for so-called integrated network adapters. Get a copy of each driver, expand it using WinZip or 7zip if needed, all into a special sub-directory on a separate partition or onto that external storage device you used earlier. At the very least get that network driver -- even if you skip the others -- so that once Windows 7 is up and running you can use auto-update to get further drivers as needed.

- Check your hard drives health:

Most problems that I've seen so far with interrupted upgrades were due to hard drive failures that happened before the upgrade. This may be an excellent time to upgrade your hard drive to a newer, faster model . . . You should at the very least force a full chkdsk on your drive. Open a CMD prompt (in admin mode under Vista, or normal under XP) and type: "chkdsk c: /f" and press enter. Answer "Y" without the quotes to any questions asked, then type EXIT and press enter. Now reboot your system and let the scheduled disk check proceed uninterrupted.

You can also do a deeper analysis using any of the excellent tools available online that can read your hard drives SMART status. All attributes from that analysis should read OK. If any show as weak, or failed, replace the drive. Here are two of my favorites:

Speedfan (use the SMART tab to check HDD status.)
Hard Disk Sentinel

- Add more RAM:

Now is the time to finally upgrade your on-board memory. If you're already at 3 or 4GB of RAM, disregard. If not, I recommend adding or replacing your RAM to get to the 4GB level. Windows 7 will run under less, but it will run great if it has more memory to use -- and so will your applications. If you're sitting at 2GB or less, it's highly recommended that you upgrade.

- Check your RAM's health:

One of the more . . . interesting . . . scenarios where an upgrade can fail is when some of your RAM has gone bad.  It worked fine on the old system, but Windows 7 uses more RAM than older operating systems and will reveal weaknesses that you did not know existed.  Before you upgrade - and even when you buy new RAM - you should test the installed memory to be sure it's in good shape.

A decent memory tester can be found at:
Memtest86+

Download the ISO and burn it to a CD, then boot to that CD and run the test through at least two full passes. If you get a 100% pass, you're good to go.

- Consider upgrading to the 64 bit version of Windows 7:

If your hardware is fairly recent, and you have 4GB or more of RAM, then you will find that Windows 7 64-bit will run faster, be more stable, and is more secure against some of the worst exploits on the internet than the 32-bit edition. This will likely require a clean install for you though, so it's up to you to balance your needs and scenario. Windows 64-bit is much more compatible with older applications than any previous 64-bit OS from Microsoft, plus there is a much larger library of drivers for old and new devices for 64-bit than ever before.

Friday, August 28, 2009

Migration in Process from Livejournal

This space under construction . . .  I'm in the process of migrating all my Livejournal entries (sadly, sans comments) over to Blogger.  Due to a Google imposed limitation of 50 posts per day -- to prevent abuse -- this will take me at least a week from today.

Once the posts have been successfully moved, I will lock the LJ side and continue my musings about computer security right here on Blogger.

Thanks for your patience while the dust settles!

Thanks to http://linuxlore.blogspot.com for his excellent Blog2Blog application, which is making this chore much more feasible than I first suspected!

Tuesday, August 25, 2009

Texting While Driving PSA

Parental guidance suggested

I personally feel that anyone that uses a cell phone and drives a car should view this. But be warned -- this is a very graphic video. I totally lost it when the little girl asked why her mommy wouldn't wake up.

Your search = malware drive by?

cnet posted an interesting summary from McAfee's SiteAdvisor:

http://news.cnet.com/8301-1009_3-10317029-83.html

Through no fault of her own, actress Jessica Biel is now the most hazardous celebrity on the Internet.

Fans searching online for Biel have a one-in-five chance of hitting a Web site with malware, according to McAfee's third annual report listing Hollywood's most "dangerous" online celebrities.

In general, hunting for Hollywood's in-crowd poses a much greater threat than searching for just about anyone else. For example, President Obama and first lady Michelle Obama ranked No. 34 and No. 39, respectively.


Add to this the fact that searching for things like "free wallpaper" or "free screen savers" can also land you on a compromised site that can infect the majority of machines . . . it's a parasite laden jungle out there.

But by far the worst infections these days still seem to propagate via email. Spammers send links or attachments -- and users still open them!

You -- you know who you are: stop that!


Thursday, August 13, 2009

PDF Users - lock down your 'free' reader

I've not yet figured out just why Adobe's PDF document structure needs JavaScript. It's a document, I read it, act or think on it, then close it! I don't need code handling ability within my document.

Perhaps someone in the know can enlighten me? Anyway . . .

For several weeks now there have been several viruses circulating that take advantage of a now-patched security hole in Adobe's PDF viewers, both the free and paid versions.

Patch your Adobe Reader
The first thing you should do is force a check for updates to your Adobe PDF viewer. Open Adobe Reader (7, 8 or 9) and click the menu item "Help, Check for Updates." Then click the small text saying "List Details."

Compare the left side of the list to the right side. Anything on the left side thats not listed on the right should be checked, and updated -- unless it's a Language Support update, that's optional.

If you are asked to reboot, do so.

Then check again . . . repeat until no new updates appear. At the end of this, you want to check your version and make sure it's at or higher than:

Reader 7: 7.1.3
Reader 8: 8.1.6
Reader 9: 9.1.3

Turn off JavaScript in Adobe Reader
Now that you've patched your Reader, I suggest you turn off the JavaScript feature entirely. You won't miss it . . . and it might help prevent trouble in the future.

Open Adobe Reader again . . .

Click the Edit menu item, select Preferences.

Find and click the entry on the left side for JavaScript, and click to clear the first check box labeled "Enable Acrobat JavaScript."

Be warned that earlier versions of the reader may prompt you to enable JavaScript every time you open a PDF document . . .

Click OK and close the Reader.

Done!

More info about this here: http://www.us-cert.gov/cas/techalerts/TA09-133B.html

Better yet, get rid of that bloated PDF viewer entirely!
Those interested in alternatives can Uninstall Adobe Reader and try the (free for personal use) Foxit Reader 3.0 instead. I recommend you decline the free toolbar they ask you to install, but other than that it's much faster than Adobe's product, and does not currently have the security vulnerabilities.

See http://www.foxitsoftware.com/pdf/reader/


Monday, July 6, 2009

Critical Security hole in Windows XP / Server 2003

Microsoft announced today that a nasty security vulnerability has been discovered but not yet patched that allows a malicious remote website to remotely control your machine. It is being actively exploited around the Internet.

From http://www.msnbc.msn.com/id/31766751
Microsoft Corp. has taken the rare step of warning about a serious computer security vulnerability it hasn't fixed yet.

The vulnerability disclosed Monday affects Internet Explorer users whose computers run the Windows XP or Windows Server 2003 operating software.

It can allow hackers to remotely take control of victims' machines. The victims don't need to do anything to get infected except visit a Web site that's been hacked.

Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability. People are drawn to these sites by clicking a link in spam e-mail.


I easily found a few of these sites by analyzing several spam emails containing links to rogue domains announcing things like eCards, or purporting to have news about recent events (M Jackson or Obama for example.)

If you still use Windows XP or Server 2003 and you use Internet Explorer (any version) then you are vulnerable . . . Vista, Server 2008 and Windows 7 Beta/RC users are not affected. Oddly enough, users of the venerable Windows 2000 with SP4 are also not affected.

There is a workaround for this issue, although using it will disable certain types of motion video in the browser. For end-user friendly workaround instructions (as well as a method to remove the workaround -- which you WILL want to do once this is patched) go to Microsoft's page on the topic at:

http://support.microsoft.com/kb/972890

Once you get to that page, use the Enable Workaround (*Fix it*) button in the middle of the page and follow the prompts. After you have successfully enabled the workaround make sure to close and re-open IE -- or reboot -- before you continue surfing the web . . .

For advanced users / IT Admins you can find out more about this issue at:

http://www.microsoft.com/technet/security/advisory/972890.mspx



.

Friday, March 13, 2009

April 1st may be a nasty day if your system harbors hidden malware

. . . of course this has been true for the last few years. April 1 seems to be a favorite time for malware criminals.

This year it's "Conficker" aka "Downadup." Since my last post about this rapidly spreading piece of nastiness, the virus has seen (at least) two updates from it's authors. The most recent edition is more aggressive about spreading itself and more resilient against detection and cleanup than any virus I've personally seen in years.

It installs at least two rootkit variants and uses known Windows exploits to spread on local networks -- bypassing any user interaction (such as surfing a compromised website or opening infected email) altogether. It's still using USB devices to spread through AutoRun - which makes me wonder why Microsoft hasn't offered to disable that for everyone through Automatic Updates.

It's short-term purpose in life -- so far -- seems to be getting as many machines infected as possible. Long-term it's a botnet awaiting commands from the criminal owners. Those commands could be anything from an update to currently infected machines to make them harder to detect and clean, to a DoS attack on the Internet infrastructure or specific targets, or sending spam from millions of infected workstations, or activating/installing key-loggers to steal your ID/Bank accounts.

I'm betting a combination of the above -- with the twist that the whole botnet will be up for hire and thus will change it's mission frequently and randomly as underworld buyers subscribe to services.

I am very much concerned that after April 1st we will all know a lot more than we wanted to about Conficker.

So what can you do about this?

a) Don't rely on Windows Automatic Updates (it's been known to get into a stuck state on certain machines.) Visit Microsoft's Update site and verify that you are completely caught up on all critical updates. If you see any available critical fixes then you should install them, reboot, and check again. (Some updates stack on older updates and won't appear until you catch up a bit.) Repeat the check, install the next layer, repeat until you show zero critical hot fixes on the list. Get to the manual update check from IE, the Tools menu, and select Windows Update. Or you can take a huge risk and click this link while using Internet Explorer (and hope that this blog post can be trusted): http://windowsupdate.microsoft.com/

b) Make sure you're running a current anti-virus/spyware product, and that your subscription is active. I'm not trying to play favorites, but you get what you pay for in most cases. Free AV products have not generally been as effective as pay-for versions (even within the same company/product group where a free version is offered - no names here.)

c) Lock down your wireless network if you use such at work or home with WPA2 - someone that's infected could wardrive your LAN and infect your machines if you leave your wireless open to the world. (Not to mention all the other crap they can do to you if you leave your network unsecured.)

d) Change your firewalls password from the factory default. (See your owners manual . . . )

e) Turn off AutoPlay (yes I know, I rag on this a lot - Microsoft should pay attention already.)

f) Use IE in High Security Mode and (if you have IE 8) Enable Protected Mode. (Vista IE 7 users get this by default) or better yet use FireFox 3.x in combination with NoScript.

g) If you can't do the above . . . then on March 31 turn your computer off, go outside, and enjoy some sunshine. Go find some nightlife too - away from your computer. You can come back on April 2nd. Maybe. Seriously folks -- these things spread so easily because we get lax about our personal safety online.

Would you drive on sagging bald tires with an engine light showing low oil with no seat-belt at very high speed on the interstate highway system?

Wait . . . don't answer that.

Saturday, February 28, 2009

Paul Harvey

Paul Harvey died today, less than a year after his wife passed away.

http://www.msnbc.msn.com/id/29447376/

He was 90 years old.

I used to listen to him faithfully every day when I still listened to radio.

What a voice. What a life. And now he's off to discover the rest of the story . . .

Saturday, February 7, 2009

Clyde Tombaugh's 16 inch telescope pictures at Pluto Park, NM

Clyde Tombaugh's (discoverer of the planet Pluto) 16 inch telescope has been
restored and installed at Rancho Hidalgo aka "Pluto Park" near Animas, New Mexico.


The opening ceremony occurred Wednesday afternoon, January 28, 2009.
Approximately 50 people attended the ceremony. Some of the key attendees
included Jack and Alice Newton; Walter Haas; David Levy; Michael Bakich;
several members of the New Mexico State University physics and astronomy
faculties; various amateur astronomers from Tucson, Las Cruces and surrounds;
and Patsy Tombaugh, Clyde Tombaugh's wife.


For more pictures by other attendees and an excellent write up on the event see
the blog entry on Astronomy.com by Michael Bakich: On the road: Party in Pluto Park.

Click on any picture below to download a larger version.

Clyde Tombaugh's 16 inch telescope.

Clyde Tombaugh's 16 inch telescope.

Clyde Tombaugh's 16 inch telescope seen from below.

Clyde Tombaugh's 16 inch telescope seen from below.


Patsy Tombaugh, her daughter Annette and daughters husband at Pluto Park.

Patsy Tombaugh with her daughter Annette and Annette's husband Wilbur at Pluto Park.


Patsy Tombaugh and Michael Bakich at Pluto Park.

Patsy Tombaugh and Michael Bakich at Pluto Park.


Clyde Tombaugh's 16 inch telescope at sunset at Pluto Park.

Clyde Tombaugh's 16 inch telescope at sunset at Pluto Park.


Creative Commons License

These pictures of Clyde Tombaugh's Restored 16 inch Telescope at Pluto Park
by WaS are licensed under a

Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License
.

Friday, February 6, 2009

Educational



"I think TV is very educational,

every time someone turns on a TV

I go in the other room and read."


- Julius Henry "Groucho" Marx

Saturday, January 24, 2009

Mashup of this weeks ponderings

Circuit City going bankrupt - and both they and the media still don't get the reason why. Too many articles blaming super-competitive behavior from Best Buy. That's not the reason. In fact BB should be watching closely because they are next to go under if they don't upgrade their act. Part of the problem is the economy, but CC's problems started well before we got into the current mess.

I believe that BB needs to start competing with online sales for computer and AV equipment, software etc. Look to Amazon, NewEgg, TigerDirect, CDW, and many other online retailers that are underselling BB. If BB fails to take online sales competition seriously - and by that I mean price matching and quality assurances - then BB will be out of business in a few years or less.

Windows 7 Beta - it looks like Vista, but feels and works MUCH better. I am a bit peeved about this. I think W7 should be the next service pack for those that purchased Vista. Don't take me for a MS hater - I'm not. Vista SP1 has its strengths, but it still feels unfinished and clunky. I personally think that there should be some consideration from MS for Vista adopters when W7 is released - and I don't mean their standard "Upgrade" discounted editions that won't let you do a clean install onto a system.

Windows 7 may entice most XP users to upgrade - assuming the economy rebounds in time. Vista users will want to upgrade so they can save what's left of their hair. Windows 7 combined with Windows Server 2008 is a powerful partnership for the enterprise.

Virus / worm / potential Botnet attack - still in progress. Downadup, Conflicker, call it what you will - is still spreading rampantly. Trouble is it doesn't seem to be doing anything. This has AV researchers worried, as it's entirely likely that all 12 Million plus infected computers may in fact be waiting for a specific date or deadline to activate and wreak havoc on the Internet. I am personally going out on a limb here, but it's almost beginning to look like a well funded terrorist attack in progress/preparation. This virus is sophisticated, but it's doing nothing ... yet! If whomever owns the botnet decides to use it as a Denial of Service attack machine, and assuming infections continue to increase at current rates, the infrastructure could be in trouble. See my previous post about this topic at http://netdef.livejournal.com/55150.html

I miss my kitty . . . been almost 18 months. Might be time to go find a new kitten.

Monday, January 19, 2009

The World's First IT Guy



I'm still laughing over this one, but it might hurt later . . .

Friday, January 16, 2009

I told you so! Conficker Worm spreading ~ 10 Million computers in a week.

I always wanted a post title like that . . .

The Conficker Worm is making it's rounds and may very well become the most aggressive and fastest spreading malware in history with a truly nasty payload. I'm not going to count the Melissa Virus or the "I Love You" Virus of a few years ago, because as rampant as they were, their payload was relatively benign.

This new worm takes advantage of a multi-pronged attack to infect new victims. It's first intent is to create a new BotNet and "zombify" your computer. It's other mission is to steal passwords, personal info and account information in an attempt at mass identity theft.

It's using a vulnerability in Windows that was patched last month by Microsoft as the primary vector, then it attempts to use AutoRun on USB drives as well as a brute force Administrator account password hack once it gets inside a local area network.

So if you haven't yet, get patched completely to the most up to date versions you can, and turn off AutoRun on your clients and servers, and make sure all accounts on your systems that have Admin rights also have strong passwords. Even if you are using a home computer behind a firewall, make sure your account has a password.

More info here:
http://www.pcworld.com/article/157876/protecting_against_the_rampant_conficker_worm.html