“How did I get an infection?”

May 16th, 2010 Posted in Helpful tips | No Comments »

This is a question we hear quite often. It used to be that we could make the general recommendation “avoid adult, pirate software and file sharing sites”. That is no longer the case. Many argued the answer was Firefox because the viruses were being installed with ActiveX controls. When Internet Explorer cracked down on the installation of ActiveX controls, virus creators gave up on that.

Tonight I was researching a project. I clicked on a result in Google that took me to the page I wanted to go to. I did land on the correct page. However, at the same time Microsoft Security Essentials sprang into action and popped up a warning that a threat was detected in a web page it had saved in cache. The threat was a JavaScript infection embedded in a web page (.htm) file. Deleting the threat resulted in this message:

What’s interesting about this is that the website had no advertising, nor did it have any Adobe files on it. Yet here, on my computer, something is trying to use my Adobe Reader and Java (a .jar file is a Java file) to infect my computer. I performed a search to find out where 188.72.211.253 (the internet IP address) came from. As you can see in the following screenshot, the address is administered by RIPE in Amsterdam:

Amsterdam?? My web page was based in Idaho. RIPE controls half the internet. There’s more digging to be done here. Let’s search the RIPE database to find out where our little criminal mastermind is hiding their files:

Let’s all say hi to our friends in Turkey. Here’s the funny part. Go to http://www.imajhost.com/. The title of their page suggests “The Most Secure Network”. Really? Hmmm.

I do a little more digging and find this:

http://www.windowsecurity.com/articles/Prepare-MPACK.html

As it turns out, it’s a team of Russian hackers calling themselves the “Dream Coders Team” that developed a kit called Mpack retailing for $300 to $1000. A similar product first showed up in 2007 called Icepack, developed by the IDT group. It seems that Mpack and IcePack faded from the public eye in 2008 or so.

I did a little more digging and found these:

http://www.securelist.com/en/analysis/204792044/Bootkit_the_challenge_of_2008

http://research.zscaler.com/2010/03/recent-spike-in-neosploit-activity.html

In 2007 another web attack kit named Neosploit surfaced. It functions in a similar way to Mpack and Icepack and originally sold for $1000 to $3000. I’ve found references to Neosploit Toolkit as late as April 2010 being found on web servers.

Recently (May 4, 2010) the US Treasury website was hacked using the Eleonore Exploit Pack. You can read about that here. The Eleonore Exploit Pack was created by ExManoize in June 2009 and retails for about $1000 USD. It is updated once a month or so as new exploits are added. Currently he’s up to over a dozen of them in his “pack”.

The goal of these kits is to find vulnerabilities in websites and exploit them. PHP-Nuke, WordPress, contact forms, Adobe Flash, ActiveX, third party widgets, etc. with security flaws are all targets of these tools.

The attackers hack the server the website is hosted on to install the tool’s manager and alter the webpage. What it does is add an “iframe” to any normal webpage. An iframe can load a webpage that’s not related to the site you are viewing, and it can be hidden. What these guys are doing is altering normal web pages. As your proper webpage loads, the page loaded in the iframe redirects you to a PHP server running the toolkit. This server determines what operating system you have, what browser you are using and what vulnerabilities you have on your computer. Once it figures that out, it launches the infection. It may keep trying until it finally finds an exploit that works. A report is then sent back to the operator listing which exploits were successful and which country you are from.

In my case the infections were hosted in Turkey and launched three different exploits. The first was a trojan downloader that would try to connect to different websites. The second, the JAR java file in the screenshot above, tries to start shell code and then starts the downloader. The third is a PDF exploit. It checks the version of Adobe Reader on my computer (unfortunately for them, Acrobat is my default PDF handler), downloads a PDF file, executes it with PDF reader and a script in the file executes automatically.

Fortunately Microsoft Security Essentials caught it. These toolkits are constantly updated. The point of installing the manager on the infected web server is so that even when the website is fixed, it is reinfected by the attackers at regular intervals. If you are a web site owner, the way to protect yourself from these attacks is to change your FTP password at regular intervals and ensure all your applications are updated.

To read more about how these types of infection work, see this article and this article.

It’s very easy to get your hands on these toolkits. It didn’t take me long before I found and downloaded Neosploit 2 to confirm the download link was still active. Script kiddies all over the world are wreaking havoc on the internet by having easy access to these tools.

Another problem we’ve seen a lot of is infected banner ads. Attackers are exploiting third party advertising sites such as Interclick to spread their vicious payloads.

So why do this? The answer is money. One scenario is that the attackers can affiliate themselves with sites like Clickbank. Clickbank will give them a little commission for each product they are responsible for selling. One product that pops up on Clickbank on a regular basis is fake antivirus software. Using Mpack, the hackers (well, script kiddies is more like it) can infect your computer with the fake antivirus. When you purchase it they get a commission. Alternatively the makers of the software themselves can use Mpack to spread their scumware. In the end, the result is the same. They make money with their crime…and the chances of getting caught are very, very low.

So what is the solution? We’re still working on that, but your best defence is to keep your Windows and browser software up to date. You can also view this list of known domains participating in these scams to add to your HOSTS file (if you’re unsure how to do this, bring your computer into us for servicing and we can do it for you). It’s also critical to keep Adobe Reader, Adobe Flash and Java up to date. When you see a popup to update them, it’s important to do so. It re-emphasizes the importance of having legitimate Microsoft software to make certain you get the proper updates. It also helps to have the best antivirus installed. We currently recommend Kaspersky Internet Security or Microsoft Security Essentials.

Phishing scams in your email… The real truth.

April 8th, 2010 Posted in Helpful tips | No Comments »

I’m just going through some junk mail, looking at a phishing scam email from MBNA Canada (supposedly). This is interesting, take a look at this:

http://www.letsfish.net/images/glyph/include/onlineaccess/NASApp/NetAccess/mba.jpg

Dear admin@npinc.ca,

Your MBNA Canada account(s) have been recently flagged by our security and fraud department in order to prevent any monetary loss or unauthorized charges. It appears that your credit card account(s) have been tampered with and accessed by an unauthorized user.

Protecting the security of your account(s) is our primary concern. Therefore, as a preventative measure we urge you to secure and confirm your account immediately. Once you have been identified by the system, your account status will be restored to normal as our security and fraud department continue their pending investigation in this matter. Please continue below to safely secure your account:

https://www.onlineaccess.ca/NASApp/NetAccess/
http://www.letsfish.net/images/glyph/include/onlineaccess/NASApp/NetAccess/

Please note that you must authenticate your information within the next 48 hours. Failure to do so could result in a suspension/termination of services, as well as your liability of all possible unauthorized activities on your account(s). Thank you for your patience and cooperation in this matter as we work together to protect your account(s) security.

Sincerely,

Brian Sheldon
MBNA Canada Security

________________________________

Copyright © MBNA – MBNA Canada 2010
(74R4CB8H1B)

Note the links. The first link is the one you can actually see in your email. It looks like it’s coming from onlineaccess.ca. The second link is the REAL link: it is where you’re directed when you click on it (using HTML email coding, the same as web pages, the actual link can be hidden behind any visible text).
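The hidden-iframe injection described in the exploit kit post above and the visible-text/href mismatch described here are both things a small HTML scan can flag. This is an added example written for this page, not code from the original posts; the sample HTML and the hosts in it are constructed placeholders.

```python
# Added example (not from the original posts). It flags two HTML tricks:
# (1) hidden or 1x1 <iframe>s that load content from another host, the
#     injection an exploit kit adds to a compromised page;
# (2) <a> tags whose visible text is a URL on one host while the real href
#     points at a different host, the phishing email trick.
# Hosts in the constructed samples below are placeholders, not real indicators.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)


def host_of(url):
    """Lowercased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


class SuspiciousHtml(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []        # (kind, detail) tuples
        self._href = None         # href of the <a> currently open, if any
        self._text = []           # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            tiny = any(a.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
            hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
            if hidden and host_of(src) and host_of(src) != self.page_host:
                self.findings.append(("hidden_iframe", src))
        elif tag == "a":
            self._href, self._text = a.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = URL_IN_TEXT.search("".join(self._text))
            if shown and host_of(shown.group(0)) != host_of(self._href):
                self.findings.append(("link_mismatch", f"{shown.group(0)} -> {self._href}"))
            self._href = None


def scan(html, page_host):
    """Return the list of findings for one HTML document served by page_host."""
    p = SuspiciousHtml(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed samples; "bank.example" is the legitimate site, the others are fake.
INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://evil.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://bank.example/news"></iframe>
</body></html>"""

PHISH_MAIL = """<p>Please continue below to secure your account:</p>
<a href="http://phish.example/NASApp/NetAccess/">https://www.bank.example/NASApp/NetAccess/</a>
<a href="https://www.bank.example/help">Help</a>"""

if __name__ == "__main__":
    for kind, detail in scan(INJECTED_PAGE, "bank.example") + scan(PHISH_MAIL, "bank.example"):
        print(kind, detail)
```

A site owner can run scan() over their own pages after a cleanup to confirm no injected iframe survived; the same check applied to an HTML email shows the mismatch the post describes.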

Here’s the interesting part. When you click on the actual link, you’ll end up at a warning page. The APWG has already been notified. Go to the parent site. www.letsfish.net. Notice what it is? It’s a website for fishing tours off the coast of Venezuela. Is it just me, or do you wonder just how much of people’s stolen money paid for the boats in those photos?

There you have it, for whatever it’s worth. I’m sure the owners of www.letsfish.net will have some glorious nonsense story about some “hacker” using their website to steal financial information. They’re no doubt COMPLETELY oblivious.

Fake Microsoft Outlook update installs a trojan

February 3rd, 2010 Posted in Helpful tips | No Comments »

There’s an email floating around, claiming to be from Microsoft. It has an attachment that is supposedly an update, but it’s really an infection. You can read all about it over at PC World.

Microsoft does not distribute any updates via email. If you get any emails with attachments, do not open them unless you’ve first personally verified the origin with the sender.

Adobe CS3 Installation problems?

January 15th, 2010 Posted in Helpful tips | No Comments »

Several people have reported problems installing Adobe Photoshop CS3. Most of the problems that you may run into with your CS3 install are as a result of conflicts with other Adobe software. Here are some links to help you try and resolve those issues.

First you will want to have the Windows Installer Cleanup Utility installed. You can download the tool here.

After you have installed the Windows Installer Cleanup Utility, uninstall any previous CS2 or CS3 products.

Adobe CS3 Cleanup Script:

Once you have uninstalled your products, run this script to clean up the previous installation.

Note that this tool has two extra levels that aren’t in the options, levels 3 and 4. Run the tool at level 3 until it doesn’t come up with any more issues, then run it at level 4. For a full tutorial on how to use the Adobe CS3 Cleanup Script, please see this Adobe knowledgebase article.

Adobe CS3 Technotes for Mac:

If you have a Mac and are trying to install CS3 or repair a damaged install, check out these technotes from Adobe.

On Boxing Day, beware the “extended warranties”!

December 25th, 2009 Posted in Helpful tips | No Comments »

Big retailers are desperate to move product this year. Sales have been slumping, evidenced by aggressive pricing long before Christmas ever arrived. The consensus is that this will put a damper on Boxing Day as they’ve already trimmed what they can.

The downside for the consumer is that they will see a lot of sales that aren’t really sales, and worse there will be greater pressure to purchase “extended warranties”.

MSN just published a great article on these warranties. Profit margins on them are very high. They make up for the shortfall in the aggressive pricing of the product. They’re an easy sell to unwary consumers and a “hidden cost” that drives up the price (and the profits). For you as a consumer, it means a couple of things.

a) Consider your usage of the product and look for the exclusions. Extended warranties have become infamous for their exclusions, resulting in very little value to the end user. In fact, they have become so notorious that companies like Best Buy and Futureshop have landed on the Ontario Consumer Beware List as a result.

b) Extended warranties are about lining the corporate coffers, not good customer service. Consumers spend as much as 20% of the value of the product on these “warranties”. The profit margin to the retailer is almost 50%. The consumer ends up with a lower quality product and paying the same price, or more, as getting a better product and service at an independent retailer.

Small vendors like us use higher quality parts that give far superior manufacturers warranty than an off the shelf product and we back it up with our service and knowledge. If you’re considering a computer purchase, consult an independent retailer that uses the better quality products with the better warranty. When considering a price comparison, factor in the extra you’d spend on warranty or “service plans” at the box store to get the same level of service at your independent retailer included for free.

The pressure will be on for the salespeople to sell as many of these “warranties” as possible. Be informed. Be prepared. Then get the best bang for your dollar.

iTunes, iPhone and 0xe8000065 error when syncing

December 20th, 2009 Posted in Helpful tips | No Comments »

If you use an iPhone or iTouch you may run across an 0xe8000065 error when trying to sync with iTunes. I ran across the 0xe8000065 error when trying to sync my iPhone on my Windows 7 computer. Every time I plugged my iPhone into a USB port to sync it, whether on the front or back, strange things would start happening. The computer would restart, iTunes would fail with an unknown error, my mouse would stop working, etc. I also found the mouse would freeze as soon as I sent a print job to the printer. As it turns out, I have an Intel i7 processor and a P55 chipset and there’s an issue with the USB power.

There is a setting in your BIOS called C-State. It’s supposed to monitor low voltage and CPUs to save power, but it also seems to control the power to the chipset. To repair the problem, restart your computer and press Del or F2 to get into your BIOS. Once there, go into the CPU settings and enable the C-State option. Save and exit to reboot your computer. Once this option is enabled you will no longer get the 0xe8000065 error.

Viruses can come from the most unlikely places…

October 12th, 2009 Posted in Helpful tips | No Comments »

It seems every day we’re asked by customers how they could have infections on their computer. They practice safe browsing habits, don’t open strange emails, don’t click on advertisements, etc.

Today I saw a real life example of an infection from an unlikely place. I was clicking through a slideshow at Forbes.com today when suddenly I was greeted with a box saying that my computer was infected and I needed to act now. I was dragged away from the Forbes page to some rogue website promoting a new piece of garbage I haven’t seen before, PC Healthcenter. Another window popped up with a fake virus scan telling me my computer was chock full of infection. I could be saved from this horrible disaster if only I paid for the full version of this new saviour of the computer universe.

I must say that I would never have thought Forbes to be a likely place to pick up an infection. It’s unlikely even they are aware of it. I saw a flash advertisement load, and no sooner had that happened the PC Healthcenter scumware sprang into action.

The long and the short of it is this. Infections can come from the most unlikely places. Be safe. Always have a good virus scanner installed. If you suspect you’ve been infected, call us as soon as possible or bring the computer in to be checked. Upon investigation it turns out that PC Healthcenter brings with it the Vundo or Virtumondo trojan, which will open a “door” to your computer and download more scumware without you knowing it.

For more information, contact us today to repair your computer.

Some good, free antivirus programs:

AVG

Avast

Avira

Before you hire a computer repair technician…

August 3rd, 2009 Posted in Helpful tips | No Comments »

[Photo: Pulled, dead "server"]

We understand that the web, while a powerful tool in the right hands, has handed people an unusual power… The power to say or claim to be anything.

This makes your job as a consumer difficult as you can never tell who is legitimate and who isn’t, which may result in your computer looking like the one in the photo. The photo is of a computer (containing the customer database and accounting) we pulled out of a business, provided to them by a “fly by nighter”.

While it’s not perfect or guaranteed, here’s a list of things to be on the lookout for:

  • Free email addresses, like Hotmail or Gmail. Usually legitimate companies have their own domains and associated email addresses.
  • Cell phone numbers, not business lines. Legitimate companies don’t provide cell phone numbers as their main contact.
  • No company name, or a company you’ve never heard of.
  • “In business for {xx} years” but you’ve never heard of them. If they’ve been around that long, wouldn’t you have heard of them by now?
  • Gratuitous use of “we”, “us” and “our” with no evidence of more than one person.  A favorite trick of fly by nighters or amateurs is using the plural to make it sound that they are a big company, or even a company.
  • Gratuitous use of clipart.  Clipart is a valuable resource, helpful in making a statement.  However, if all they use is clipart, they may be hiding something.
  • Websites on free webhosts. {name}.myfreehost.com or http://www.myfreehost.com/{name} are often a dead giveaway. Web hosting costs under $100 a year. http://www.myname.com costs $10 a year. Typically genuine companies consider these a worthwhile investment.
  • No location or signage. While not carved in stone, legitimate companies will usually give a location or have some sort of signage.
  • “We come to you”. This is a tough one. Some legitimate companies do come to you. If there’s no option to drop your computer off, it can be a sign that it’s a fly by nighter or amateur working out of their basement.

There are some excellent independent techs out there. Look for honesty, such as “I…”, “my name is…”, a personal email address such as johndoe@sympatico.ca, etc.

Remember:

  • no investment means nothing to lose.
  • if they’re not honest in their advertising, will they be honest with you?

Your data is an important, irreplaceable investment. Trust it to the professionals. Ask for references. Ask your family and friends for a referral.

Disable that annoying BEEP! in Windows

July 1st, 2009 Posted in Helpful tips | No Comments »

Some programs make gratuitous use of a service in Windows called “beep”.  Quite simply put it makes your computer’s internal speaker beep.  There probably isn’t a more annoying sound on a computer than that “beep” sound.

Here is how you disable it, once and for all:

In Windows XP:

  • Click Start
  • Click Run
  • Type in CMD
  • Click “Ok”
  • A black Console box will appear.
  • Type in “net stop beep” without the quotes.
  • Press “Enter”
  • Type in “sc config beep start= disabled” without the quotes.
  • Press “Enter”
  • A confirmation will pop up
  • Close the Console window (the black window)

If you have Vista, to get to the console do the following:

  • In the Search box above the Start button (Windows logo) type in CMD
  • Right click on “cmd.exe” in the search results above it
  • Click “Run as Administrator”
  • Click “Continue” in the dialogue box that pops up if you have User Account Control enabled.
  • A black Console window will appear
  • Follow the remaining steps above

After you’ve successfully followed these steps you’ll have no more annoying beep noises in Windows.

Avoiding Nigerian scams – Facebook and classified ads

June 30th, 2009 Posted in Helpful tips | No Comments »

It’s no secret that Nigeria is a well documented source of scams.  Everywhere you look, there’s another batch of Nigerian scams.  So-called lotteries, “victim compensation”, dead relatives, the list is absolutely endless.  Now they’ve turned to Facebook and classified ads.

Facebook scams

With the popularity of Facebook, it’s no surprise the Nigerian scammers targeted it.  They hack the accounts, then send messages to your friends telling them they’ve been robbed and are stranded.  They take details of your account to try and make their claims sound legitimate.   They claim to be stuck in another country, with no money and no plane tickets to get home.

In his blog, Meng Wong provides a transcript of an attempted Nigerian scam where he fools the scammer into visiting a particular web page so that he can grab the IP address and track him down.  Sure enough, the IP address was from Nigeria. 

Rakesh Agrawal also published a transcript of a Nigerian scam in action on his blog.  I encourage you to read the entry so that you can familiarize yourself with how these scammers work and avoid the same trap.

More information:

Nigerian 419 scams on Network World

Nigerian 419 scams on C|net

Nigerian 419 scams on Red Tape Chronicles (MSN)

Classified ads

Another favorite Nigerian scam is replying to classified ads.  In this scam, they tell you they’re out of the country (the UK seems to be a favorite destination) and ask you to either accept certified cheques (which turn out to be counterfeit) or payment by stolen credit cards, or they offer you much more than a product is worth, plus a large sum for shipping, through PayPal if you’ll only ship to Africa.

By the time you catch on, it’s too late.  Your product is gone and you’re out the money.  I’ve even seen these scammers tell you that they have a product, ready to ship, that will be shipped once they get their payment.  Of course they disappear and your promised product never arrives.

To protect yourself, unless you’re buying off eBay never pay for an item or service without seeing it or receiving it.  The old rule “if it sounds too good to be true it probably is” certainly applies.  My favorite response after a brief email exchange with a scammer was “a payment is pending on proof of shipment”.  The scammer was advertising a car that was supposedly in a crate in Edmonton.  Needless to say, the scammer never responded.

Familiarizing yourself with how Nigerian scammers work will help protect you when you are finally a victim yourself.

To protect yourself:

  • Change your Facebook password regularly
  • Make sure your password is not obvious or posted in any form in your profile.
  • Make sure your password contains a mix of upper and lower case letters, numbers and symbols.
  • If you’re a victim of a scammer, notify Facebook immediately to have the account disabled.
  • Make phone contact with the supposed friend or relative.  Ask for their phone number to contact them for confirmation.
  • Never, ever send money over Western Union.  Scammers use this vehicle because it’s virtually untraceable and pretty much impossible to get your money back.

© 1999-2010 Northern Protocol Inc. Computer Sales and Service