Friday, August 31, 2007

Bank of India Website Now Clean

The Bank of India website has finally been cleaned of the malware it was infected with. After testing and reviewing what happened, it looks like you were only in danger if you were not up to date on your Windows security updates, in particular the update from Microsoft that was released earlier this month.

When I visited bankofindia.com with a fully patched Windows XP machine, none of the reported malware was loaded. There was a significant delay for the page to finish loading while mymoonsite.net was trying to download something, but nothing harmful was. There were some harmless HTML and picture files in the Temporary Internet Files folder, but nothing to cause any problems. Internet Explorer 7 did warn about an ActiveX control that wanted to download. Normally you would want to deny this on a web page with malware, but I allowed it to download. Once again, nothing malicious was installed.

The lesson here is to keep up to date with Windows updates. The lesson for Bank of India and their website administration is to keep their system patched and up to date. It's not clear yet exactly how the site was compromised, but I'm sure they will now take security seriously.

Here is an updated list of malware that was found by Sunbelt that could have been downloaded to your computer:

Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz
Trojan-Proxy.Win32.Xorpix.Fam
Trojan-Downloader.Win32.Agent.ceo
Trojan-Downloader.Win32.Tibs.mt
Trojan-Downloader.Win32.Agent.boy
Trojan-Proxy.Win32.Wopla.ah
Trojan-Proxy.Win32.Wopla.ag
Rootkit.Win32.Agent.ea
Trojan.Pandex
Trojan-Proxy.Win32.Cimuz.G
TSPY_AGENT.AAVG (Trend Micro)
Trojan.Netview

Thursday, August 30, 2007

Bank of India Website Hacked

Sunbelt Blog reported that the Bank of India website has been seriously compromised. That was about 8 hours ago. I just checked and it is still compromised. It still has a hidden iframe loading something from goodtraff.biz. I also noticed a lengthy connection to mymoonsite.net, which is listed on Sunbelt researcher Webhelper's CWS list. Mymoonsite is registered by the infamous ESTDOMAINS. They register many malware websites, like ones that have the zlob trojan.
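The hidden iframe is the part of this compromise a site owner can check for themselves. The following is an added example, not code from the original post or from Sunbelt: it scans raw HTML for iframes that are hidden (zero size or a hiding style) and load from a host other than the site's own. The sample page is constructed for the example; goodtraff.biz and mymoonsite.net are the host names the post mentions, and the paths and attributes are invented.

```javascript
// Added example (not from the original post): flag hidden iframes that point
// at third-party hosts, the injection pattern described above. Works on plain
// HTML text with regular expressions, so it needs no DOM library.

// Constructed sample page. The host names come from the post; the paths,
// sizes and styles are made up for the example.
const SAMPLE_HTML = `
<html><body>
<h1>Welcome</h1>
<iframe src="http://www.bankofindia.com/rates.html" width="400" height="300"></iframe>
<iframe src="http://goodtraff.biz/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<IFRAME SRC='http://mymoonsite.net/x.php' frameborder=0 style="display:none"></IFRAME>
</body></html>`;

// Pull every <iframe ...> opening tag out of the HTML and return its
// attributes as an object with lower-cased keys.
function extractIframes(html) {
  const tags = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push(attrs);
  }
  return tags;
}

// An iframe counts as hidden when it has a zero dimension or a hiding style.
function isHidden(attrs) {
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  return attrs.width === '0' || attrs.height === '0' ||
    style.includes('display:none') || style.includes('visibility:hidden');
}

// Host part of the src URL, lower-cased; empty string if it does not parse.
function srcHost(src) {
  try { return new URL(src).hostname.toLowerCase(); } catch (e) { return ''; }
}

// Return the hosts of hidden iframes that load from outside the site's own
// domain (the site's own host and its subdomains are ignored).
function findSuspiciousIframes(html, ownHost) {
  const findings = [];
  for (const attrs of extractIframes(html)) {
    const host = srcHost(attrs.src || '');
    const thirdParty = host && host !== ownHost && !host.endsWith('.' + ownHost);
    if (thirdParty && isHidden(attrs)) findings.push(host);
  }
  return findings;
}

console.log(findSuspiciousIframes(SAMPLE_HTML, 'bankofindia.com'));
// → [ 'goodtraff.biz', 'mymoonsite.net' ]
```

Run the check against a fresh fetch of your own pages from a machine that is not the web server, since a compromised server can serve different content to its administrator than to the public. A legitimate third-party iframe (an embedded widget) will also be flagged, so the output is a list to review, not a verdict.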

I haven't had time to take a good look at what happened by loading Bank of India's site. I do not recommend going to bankofindia.com until it is fixed. More later, but so far Sunbelt reported the following malware being served:

Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz

Wednesday, August 29, 2007

Windows Vista SP1 Announced

Microsoft have announced the release of Windows Vista Service Pack One for the first quarter of 2008. Whilst SP1 will contain valuable updates to Windows, you don’t need to wait until it has been released to enjoy Windows Vista today.

If you are thinking of upgrading your current PC, you can check whether your hardware is up to it using the Upgrade Advisor, although I would encourage a fresh install rather than installing over the top of XP.

There is a whole load of information about what Windows Vista SP1 will include. I could post it here, but it’s probably better if you get it straight from the horse’s mouth, as it were, at the Windows Vista Blog and the Vista Service Pack 1 White Paper.

There will also be a service pack released for Windows XP in the first half of 2008. It won’t include any new features apart from Network Access Protection, but it will roll up all the hotfixes and patches that have been released since SP2.

By the way, as a recipient of the Microsoft MVP award I am in no way obligated to push or even like Microsoft products. In fact I am positively encouraged to be as critical as I feel the need to be. But apart from the UK pricing issues, I do believe that Windows Vista is a better, more secure, family friendly operating system.

Tuesday, August 28, 2007

BlackICE Discontinued

IBM Internet Security Systems recently announced the End of Life for BlackICE PC Protection. BlackICE will no longer be sold after September 19, 2007 and will not be supported after September 29, 2008.

All is not lost, however: the good guys at Sunbelt have offered a free one-year subscription to the full version of the famous Sunbelt Personal Firewall. Visit saveblackice.com for more details and a small online form to complete to take advantage of this offer.

Sunday, August 26, 2007

Secure Against MPack Threat

There was quite a bit written earlier in the year about the MPack threat; I even managed a little piece myself! Symantec recently added an update to their analysis of MPack. It’s not really good news, I’m afraid.

They have listed the exploits that are targeted by MPack, and Eric Larkin of PC World went one further and asked Symantec what we need to do to make sure that we are not vulnerable.

See his article at the PCWorld Blog for a list of Must Close Holes, and remember to keep all your software up to date. If you aren’t too sure how to check your software then Secunia Software Inspector is a great tool that will help you out here.

Zango Ticks Off Chris Pirillo

Chris Pirillo was looking at search results for one of his videos and noticed that Zango was leeching off of him at number 2 in Google results. As a result, he ranted about it on his site. Digg has picked up on it as well, so go Digg it up and Digg down the Zango promoters.

Tuesday, August 21, 2007

Microsoft Update Catalogue

Posted on the MU TechNet blog last week:

I am excited to announce that we have released version 1.0 of the Microsoft Update Catalog! With the new Catalog, you can search for updates available through the Microsoft Update service and download them to your machine (regardless of whether the update is applicable to your machine). You can also import updates from the Catalog directly into WSUS 3.0, System Center Essentials 2007, or System Center Configuration Manager 2007.

Some key features of the MU Catalog include:

  • Full-text search: You can search using a keyword, KB article, MSRC bulletin, driver manufacturer, driver model, driver version, product, and/or classification.
  • RSS: Save your searches in RSS and get notified when new updates match your criteria.
  • Download with BITS: We use BITS to make the download experience robust and efficient.
  • “Shopping basket”: You can select multiple updates (and multiple languages) and download them together.
  • Integration with WSUS: You can import updates from your basket into Windows Server Update Services 3.0, System Center Essentials 2007 or System Center Configuration Manager 2007.
  • Localization: The Catalog is localized in all core Windows Vista languages.

We hope you enjoy this new offering! Please give us your feedback. There are feedback options on the help page on the MU Catalog site.

Nice one, I’m sure that will come in very handy.

Sunday, August 19, 2007

MVPS Hosts File Update

The Hosts file contains the mappings of IP addresses to host names. This file is loaded into memory (cache) at startup, then Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. This prevents access to the listed sites by redirecting any connection attempts back to the local machine. Another feature of the HOSTS file is its ability to block other applications from connecting to the Internet, providing the entry exists.

Example - the following entry, 127.0.0.1 ad.doubleclick.net, blocks all files supplied by that DoubleClick server to the web page you are viewing. This also prevents the server from tracking your movements. Why? Because in certain cases “ad servers” like DoubleClick (and many others) will try to open a separate connection from the web page you are viewing.
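To make the lookup order described above concrete, here is an added example (not code from the MVPS page or this post) that parses HOSTS-file syntax and reports whether a name would be answered from the file, and so blocked or redirected, before Windows ever asks a DNS server. The excerpt is constructed for the example; ad.doubleclick.net is the entry the post quotes, and the example.test names and the 10.0.0.5 address are invented.

```javascript
// Added example, not from the MVPS page or the original post: a minimal
// parser for HOSTS-file syntax plus a lookup that mirrors the order the post
// describes (HOSTS is consulted first; DNS only on a miss).

// Constructed excerpt in MVPS format: "<ip> <name> [# comment]" lines.
// Only ad.doubleclick.net comes from the post; the rest is made up.
const SAMPLE_HOSTS = `
# header comment, ignored by the parser
127.0.0.1  ad.doubleclick.net    # blocks DoubleClick ad content
127.0.0.1  ads.example.test
0.0.0.0    tracker.example.test  # some block lists use 0.0.0.0 instead
10.0.0.5   intranet.example.test # a genuine override, not a block
`;

// Parse the text into a Map of lower-cased host name -> IP address.
// Comments (from '#' to end of line) and blank lines are skipped, and a
// line may carry several names after the address. The first mapping seen
// for a name is kept, so duplicates further down never change the result.
function parseHosts(text) {
  const table = new Map();
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.split('#')[0].trim();
    if (!line) continue;
    const [ip, ...names] = line.split(/\s+/);
    for (const name of names) {
      const key = name.toLowerCase();
      if (!table.has(key)) table.set(key, ip);
    }
  }
  return table;
}

// Addresses that point the connection back at the local machine, i.e. the
// "block" idiom the post explains.
const BLOCK_ADDRESSES = new Set(['127.0.0.1', '0.0.0.0', '::1']);

// Classify a host name the way the resolver order would treat it:
//   'blocked'    - in HOSTS, mapped back to the local machine
//   'overridden' - in HOSTS, mapped to some other address
//   'dns'        - not in HOSTS, so a DNS query would be made
function classify(table, hostname) {
  const ip = table.get(hostname.toLowerCase());
  if (ip === undefined) return 'dns';
  return BLOCK_ADDRESSES.has(ip) ? 'blocked' : 'overridden';
}

const table = parseHosts(SAMPLE_HOSTS);
for (const h of ['ad.doubleclick.net', 'intranet.example.test', 'www.example.test']) {
  console.log(h, '->', classify(table, h));
}
// → ad.doubleclick.net -> blocked
//   intranet.example.test -> overridden
//   www.example.test -> dns
```

Running a downloaded HOSTS file through a parser like this before installing it is a cheap sanity check: anything classified as 'overridden' deserves a look, because a HOSTS entry that points a real site at an attacker's address is exactly the trick some malware uses, and the file's position ahead of DNS makes it just as effective for redirection as for blocking.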

Lots more information and download links and installation instructions at Blocking Unwanted Parasites with a Hosts File

Vista users: make sure you read the special instructions here.

Tuesday, August 14, 2007

Another Firefox Vulnerability

A vulnerability has been discovered in Firefox that could allow criminals to remotely scan all variables in your Firefox plugins and use an Ajax script to log that information on to a server.

In non-techy terms, this means that information stored in your plugins, like whitelists, passwords, user names, email addresses, FTP information, etc., could be stolen and seriously compromise your online privacy and security. According to the 0x000000 blog, this isn’t something that can be easily fixed either.

For now, your best form of defence is to run with the NoScript plugin enabled.

Sources | The Register and 0x000000

Sunday, August 12, 2007

FDF Spam

The last wave of spam was a PDF file attached to an email; now it’s an FDF file, which can be opened in a PDF reader just as easily. What’s an FDF file? Well, here is the techy bit if you really are interested.

This sort of spam fest is known as stock spam.

Friday, August 10, 2007

Critical Symantec Flaw

An input validation error in two ActiveX controls used by Norton AntiVirus, Norton Internet Security, and Norton System Works could allow an attacker to execute code on the target system.

Affected Products

  • Norton Antivirus 2006
  • Norton Internet Security 2006
  • Norton Internet Security, Anti-Spyware Edition 2005
  • Norton System Works 2006

Details
Symantec was notified that two ActiveX controls supplied by NAVCOMUI.DLL contain an input validation error for two properties of the controls. This error could allow an attacker to crash Internet Explorer, or possibly run arbitrary code with the rights of the logged in user.

How to Obtain the Update
Symantec Norton product users who regularly launch and run LiveUpdate should already have received an updated (non-vulnerable) version of NAVCOMUI.DLL.
However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in Interactive mode as follows:

  • Open any installed Norton product
  • Click on LiveUpdate in the GUI
  • Run LiveUpdate until all available product updates are downloaded and installed

Best Practices
Symantec recommends any affected customers update their product immediately to protect against potential attempts to exploit this vulnerability. As part of normal best practices, Symantec recommends the following:

  • Run under the principle of least privilege to limit the impact of exploits.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and antivirus software to provide multiple points of detection and protection from inbound and outbound threats.
  • Keep anti-virus definitions and IPS (firewall) signatures up to date.

Symantec Security Advisory

Microsoft Security Bulletin Advance Notification for August 2007

Microsoft have released an advance notification for the normal monthly updates that are due to be released next Tuesday. Don't forget to prepare for the updates as I've outlined in an earlier entry - How To Prepare for Patch Tuesday.

On 14 August 2007 Microsoft is planning to release:

Security Updates

  • Five Microsoft Security Bulletins affecting Microsoft Windows with a Maximum Severity rating of Critical. These updates will require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
  • One Microsoft Security Bulletin affecting Microsoft Office with a Maximum Severity rating of Critical. This update will not require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
  • Two Microsoft Security Bulletins affecting Internet Explorer with a Maximum Severity rating of Critical. These updates will require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
  • One Microsoft Security Bulletin affecting Visual Basic and Office for Mac with a Maximum Severity rating of Critical. These updates will require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

Six Critical Bulletins in total.

  • One Microsoft Security Bulletin affecting Windows with a Maximum Severity rating of Important. This update will not require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
  • One Microsoft Security Bulletin affecting Windows Vista with a Maximum Severity rating of Important. This update will require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
  • One Microsoft Security Bulletin affecting Virtual PC and Virtual Server with a Maximum Severity rating of Important. This update will not require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

Three Important Bulletins in total.

Microsoft Windows Malicious Software Removal Tool

  • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services.

Non-security High Priority updates on MU, WU, WSUS and SUS

  • Microsoft will release two NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
  • Microsoft will release four NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
Microsoft Security Bulletin Advance Notification

Obtaining Other Security Updates

Updates for other security issues are available from the following locations:

  • Security updates are available from Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch".
  • Updates for consumer platforms are available from Microsoft Update.
  • You can obtain the security updates offered this month on Windows Update from the Download Center as Security and Critical Releases ISO CD image files. For more information, see Microsoft Knowledge Base Article 913086.

Microsoft will host a webcast to address customer questions on these bulletins on Wednesday, August 15, 2007, at 11:00 AM Pacific Time (US & Canada), where attendees can ask questions about the bulletins and get answers from the security experts.

Wednesday, August 08, 2007

Protect your Email Address from Harvesters

If you have a website of any description then you probably have a contact ‘mail me’ link somewhere on it. Trouble is, spambots love these links: they are easy pickings, and once the bots have your contact email address they can spam you with all sorts of stuff.

I came across a method of encrypting your email address on your web page; all you need is a little bit of JavaScript and a little bit of HTML know-how. Email Protector has everything you need to make your JavaScript snippet and will provide you with the necessary decryption script too. All for free.
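The idea behind tools of this kind is that the address never appears as plain text in the page source: it is stored in a transformed form and rebuilt by script when the page loads, so a harvester that only reads raw HTML finds nothing that looks like an address. The following is an added example written for this post, not Email Protector's own code or scheme; the shift-and-hex transform, the key value, and the webmaster@example.test address are all constructed for illustration.

```javascript
// Added example, not Email Protector's code: obscure an email address so it
// does not appear in the HTML source, and emit the snippet that rebuilds it
// in the visitor's browser. The transform and key are constructed here.

// Encode: shift every character code by a small key, then hex-encode each
// code as four digits, so the result contains no '@' or '.' to match on.
function encodeAddress(address, key) {
  return Array.from(address, ch =>
    (ch.charCodeAt(0) + key).toString(16).padStart(4, '0')).join('');
}

// Decode: the inverse, used both here and inside the emitted snippet.
function decodeAddress(encoded, key) {
  let out = '';
  for (let i = 0; i < encoded.length; i += 4) {
    out += String.fromCharCode(parseInt(encoded.slice(i, i + 4), 16) - key);
  }
  return out;
}

// The HTML to paste into the page: encoded string, key, and a self-contained
// decoder that writes the mailto: link. The <noscript> text is the fallback
// for visitors without JavaScript.
function buildSnippet(address, key) {
  const enc = encodeAddress(address, key);
  return `<script>
(function(){var e='${enc}',k=${key},s='';
for(var i=0;i<e.length;i+=4){s+=String.fromCharCode(parseInt(e.substr(i,4),16)-k);}
document.write('<a href="mailto:'+s+'">'+s+'</a>');})();
</script>
<noscript>Enable JavaScript to see the contact address.</noscript>`;
}

// Does a piece of HTML still contain something a simple harvester regex
// would recognise as an email address?
function leaksAddress(html) {
  return /[\w.+-]+@[\w-]+\.[\w.-]+/.test(html);
}

const KEY = 7;                                   // constructed key value
const SNIPPET = buildSnippet('webmaster@example.test', KEY);
console.log(SNIPPET);
console.log('plain address visible in source:', leaksAddress(SNIPPET));
// → false
```

This defeats harvesters that grep static HTML, which is the common case the post describes; a crawler that executes page scripts, or a person, still sees the address once it is rendered, so it is a nuisance filter rather than a secret.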

Sunday, August 05, 2007

Spyware Quiz

I told you a little while ago about the McAfee Phishing Quiz which was fun to do and thought provoking. (Although it seems to be offline at the moment which is a shame.)

If you have a few spare moments, why not have a go at their Spyware Quiz or the Spam Quiz.

There were some interesting stats gathered from the Spyware Quiz.

Friday, August 03, 2007

WinPatrol 2007(Version 12) Goes Live

Well, it didn’t take long to get the bugs ironed out of WinPatrol 2007 version 12 (if there were any), and today I’m happy to announce that the new version is available for download.

So what’s new?

i) Scotty has a lovely new icon

ii) HijackPatrol log - The new HijackPatrol Log button on the options screen will create and display a style of output familiar to many online helpers. HijackPatrol logs aren’t exact duplicates of the popular HijackThis log or meant to replace them, but the format should be familiar. HijackPatrol logs will also contain additional information which is routinely monitored by WinPatrol.

iii) Spreadsheet Log - Important details will be output in CSV (Comma Separated Value) format, popular with spreadsheets and many database programs. WinPatrol users will be able to sort all their system data in any format they want.

iv) Easy Access to PLUS Info - Program properties and PLUS Info have been combined into a single page of information from our extensive online library. Instead of multiple steps, you can now just double click on any filename to access the new improved PLUS format. Free WinPatrol users will also see improved information to help them decide if a program is worthy.

v) PLUS Requests updated for future expansion - This change also allows us to expand our PLUS Info response and provide more specific and helpful information based on more than just a filename. You’ll see some additions immediately when using WinPatrol 2007 version 12.

Scotty

What’s New and Download Link

Why Winpatrol Plus
