January 2009 - Posts

IXQuick - Internet Search facility avoids logging user searches

I've just learned of this search engine, which originates from a company located in Holland.  While I'll continue to use Google, MS Live, MSN, Yahoo, etc., their emphasis on privacy is beneficial to users.

IXQuick promotes privacy by not storing IP address information when searches are conducted.  While Google and other search engine providers capture IP addresses, this information is usually sold to interested parties on an aggregate basis (e.g., where all users are bundled together without reporting specific user information).  Although most of my searches would be boring to someone analyzing them, privacy is important to safeguard in all Internet activities.

IX QUICK HOME PAGE
http://www.ixquick.com/

HOW TO CUSTOMIZE SEARCHES  (Good content filtering controls)
http://www.ixquick.com/do/preferences.pl?language_ui=english

IXQUICK Privacy Policies
http://www.ixquick.com/eng/protect_privacy.html
http://www.ixquick.com/eng/privacy-policy.html

Sunbelt has issued the following warning on this new rogue program that resembles the AntiVirus 2009 family.

http://sunbeltblog.blogspot.com/2009/01/new-rogue-ie-security.html

QUOTE: IE Security is a new rogue security application from the IEDefender family.  IE Security replaces Win Defender 2009

This is an excellent approach to use in handling email:

AVERT LABS - Hoax or Not, Treat It the Same
http://www.avertlabs.com/research/blog/index.php/2009/01/29/hoax-or-not-treat-it-the-same/

QUOTE: Late last year, my sister forwarded to me an email that foretold of great evil and destruction should anyone open an email with a “Happy New Year” greeting for a subject. The email begged us to save the world by forwarding it to everyone we know. She wanted to know if she should believe it.

More recently I got something similar, this one warning that a deadly email will have a subject concerning President Barack Obama’s acceptance speech. This one added an air of authenticity by claiming that a popular hoax-tracking site has verified the details to be true. Hoax or not, I rarely read past the subject line of these types of emails, and I never forward them to others.

Sunbelt has issued the following warning and offers a free trial version that can clean this rogue and other members of the AntiVirus 2009 family.

Total Defender - New security rogue
http://sunbeltblog.blogspot.com/2009/01/new-rogue-total-defender.html

http://www.sunbeltsoftware.com/alex/gblog/Total_20Defender_20GUI_thumb.jpg
http://www.sunbeltsoftware.com/alex/gblog/Total_20Defender_20site_thumb.jpg

QUOTE: The free trial of VIPRE will clean this:
http://www.sunbeltsoftware.com/Home-Home-Office/VIPRE/

HOW TO CLEAN CONFICKER INFECTIONS IN THE CORPORATE ENVIRONMENT

1. Research the malware threat thoroughly.  Determine how it attacks systems and the best approach for cleaning.  Check several sources to learn as much as possible prior to cleaning.

2. Corporately, and even for home users, it's always a good practice to SHUT DOWN the infected system, unplug it from the network, and stop using it completely.

3. Instead, work with the system while it is off the network.  It's recommended to burn a CD or DVD from a clean non-infected source or use a lab environment that's isolated from the main network.  Cleaning tools that can be used include the MS08-067 patch and multiple standalone cleaners (F-Secure, MSRT, other tools).  A CD is safer than USB due to the AUTORUN risks.

4. Bring the system back online after it's isolated from the main network.  Then use up-to-date Anti-Virus software to scan for additional malware.  If the AV product doesn't offer good rootkit detection capabilities, consider downloading F-Secure's Blacklight RK detector or other similar tools.  Anti-Spyware and other malware detection products should be run to ensure the system is as clean as possible.

5. If you find additional malware, evaluate it thoroughly.  While a Conficker infection alone can be cleaned without the need to rebuild the system, additional malware infections received while the system was infected need to be evaluated in terms of damages and how successfully they can be cleaned.  In some cases, it may be beneficial to rebuild

6. After cleaning Conficker, install the MS08-067 patch before returning the PC or Server online.

7. After installing the MS08-067 patch, it's critical to REBOOT the system, so that the patch becomes operational prior to bringing the PC or server back to the network environment. 

8. Finally, if you have weak passwords, open network shares, or the AUTORUN issues with removable media - it's important to strengthen these areas to prevent future attacks. Otherwise, Conficker or other malware could continue to reinfect vulnerable servers/PCs until the root cause is properly addressed.

9. Log all infected servers and workstations that were cleaned for future reference.

10. Re-evaluate the formerly infected systems periodically to ensure their defenses are holding up.  Use network sniffers, IDS, AV software and other tools to carefully monitor inbound and outbound traffic.
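
Steps 9 and 10 can be run as one routine check. The following is an added example, not part of the original post: it reads a register of cleaned machines and a firewall log and flags hosts with no recorded reboot after patching (step 7) or with connections to many distinct hosts on TCP 445, the SMB port through which the Server service patched by MS08-067 is reached. The register columns, log layout, sample data and the threshold of 5 are all assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict

SMB_PORT = 445  # MS08-067 targets the Server service, reached over SMB
# Constructed register of cleaned machines (step 9); column names are assumptions.
REGISTER = """host,ip,cleaned_on,ms08_067_installed,rebooted_after_patch
FS01,10.0.0.5,2009-01-20,yes,yes
WS114,10.0.0.21,2009-01-21,yes,no
WS207,10.0.0.33,2009-01-21,yes,yes
"""
# Constructed firewall log lines: date time src_ip dst_ip dst_port
LOG = "\n".join(
    ["2009-01-25 09:00:01 10.0.0.5 10.0.0.40 445",
     "2009-01-25 09:00:02 10.0.0.5 192.0.2.10 80",
     "2009-01-25 09:00:03 10.0.0.21 10.0.0.5 445"]
    + [f"2009-01-25 09:01:{i:02d} 10.0.0.33 10.0.1.{i} 445" for i in range(1, 9)]
    + [f"2009-01-25 09:02:{i:02d} 10.0.0.77 10.0.2.{i} 445" for i in range(1, 7)]
)


def smb_fanout(log_text):
    """Map each source IP to the set of distinct hosts it contacted on TCP 445."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines rather than abort the run
        if int(fields[4]) == SMB_PORT:
            targets[fields[2]].add(fields[3])
    return targets


def reevaluate(register_csv, log_text, threshold=5):
    """Return {host_or_ip: [findings]} for machines that need another look."""
    fanout, findings, known = smb_fanout(log_text), defaultdict(list), set()
    for row in csv.DictReader(io.StringIO(register_csv)):
        known.add(row["ip"])
        if row["ms08_067_installed"] != "yes":
            findings[row["host"]].append("MS08-067 patch missing (step 6)")
        elif row["rebooted_after_patch"] != "yes":
            findings[row["host"]].append("no reboot recorded after patch (step 7)")
        n = len(fanout.get(row["ip"], ()))
        if n >= threshold:
            findings[row["host"]].append(f"SMB fan-out to {n} hosts (step 10)")
    for ip, dsts in fanout.items():
        if ip not in known and len(dsts) >= threshold:
            findings[ip].append(f"SMB fan-out to {len(dsts)} hosts, not in register")
    return dict(findings)
```

A host that appears with a fan-out finding but is not in the register, like 10.0.0.77 in the sample data, is a candidate for step 2 rather than a re-check.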

As of January 19th, F-Secure updated its free cleaning and removal tools offered to the public.  If you are using an earlier version, this latest version should be used.

ISTP and F-Downadup Removal Tool
http://www.f-secure.com/weblog/archives/00001588.html

F-Secure description of Conficker (aka Downadup)
http://www.f-secure.com/v-descs/worm_w32_downadup_gen.shtml

F-Downadup Removal Tool - Download from here
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

F-Downadup Removal Tool - Instructions
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.txt

Microsoft Help and Support - Knowledge Base Article 962007
provides numerous details for manual disinfection of Conficker.B (alias Downadup).
http://support.microsoft.com/kb/962007

Updated information related to this current attack is listed below:

January 22, 2009: MS08-067 Conficker Worm Update
http://blogs.technet.com/msrc/archive/2009/01/22/january-22-2009-ms08-067-conficker-worm-update.aspx

Centralized Information About The Conficker Worm
http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx

Please check your credit card statements over the coming months -- at least those of you not afraid to look

Seriously though, I heard a good related point that the "bad guys" will try some very small $1 charges at first to see if it works and has some limits still left. If they're successful, then it's "katie bar the door" as they will then take it to the limit and you'll become a victim of identity theft.

Based on current trends, several emerging developments should be followed closely in the coming year.

AVERT Labs - McAfee 2009 Threat Predictions
http://www.avertlabs.com/research/blog/index.php/2009/01/20/the-mcafee-2009-threat-predictions/

Some areas highlighted for 2009

1.  Threats Hide in the Cloud
2.  Personalized Threats Speak Your Language
3.  Malware Targets Consumer Devices
4.  The Rogue Web and Malvertising
5.  McColo: The Effects of a Spam Network Takedown

More in-depth 10 page report (PDF)
http://www.mcafee.com/us/local_content/reports/2009_threat_predictions_report.pdf

The following Microsoft resources have been published to help mitigate Win32/Conficker.B infections:

MS08-067

Malicious Software Removal tool

Win32/Conficker.B

QUOTE: In response to this threat, Microsoft has:

· Updated the January version of the MSFT to detect and remove variants of Win32/Conficker.B.  You can download this version from the MSRT from either the Microsoft Update site or through its associated Knowledge Base article.

· Created the KB article 962007 Virus alert about the Win32/Conficker.B worm to provide public details on the symptoms and removal methods available to address this issue.

· Announced the release of the items and the virus threat itself on the Microsoft Malware Protection Center blog.

Informative article on what corporate IT security departments should have in place to prevent the current 3-pronged attacks:

-- Patch Management (patching plus testing to ensure everything is up-to-date)
-- Reduce/Eliminate Autorun for removable devices and wide-open network shares
-- Test/Strengthen passwords

Trend Blog - Good Corporate Security Policies can prevent Conficker infections
http://blog.trendmicro.com/security-policy-for-dummies-how-to-avoid-worm_downad-infection/

Sunbelt is reporting focused attacks for advertisers as noted below.  Any business email received should always be carefully examined to ensure links or attachments are genuine.


Phishers target Yahoo advertisers
http://sunbeltblog.blogspot.com/2009/01/phishers-target-yahoo-advertisers.html

QUOTE: New run, targets Yahoo advertisers (Yahoo’s service is similar Adwords


New Google Adwords - Phishing Run
http://sunbeltblog.blogspot.com/2009/01/new-google-adwords-phishing-run.html

QUOTE: Google Adwords phishes have been quiet for a while, but now they’re back. Unlike most of the other Google Adwords runs, these use new TLDs, like Belgium and EU (.be and .eu)

This attack uses false messages and a botnet similar to Storm worm's design for spreading.  Messages and websites should be avoided.

Dangerous Email claims Obama refuses to become President
http://www.avertlabs.com/research/blog/index.php/2009/01/17/do-not-worry-obama-di-not-refuse-to-be-a-president/

QUOTE: In less than four days the inauguration of President-Elect Barack Obama will make headlines. At McAfee, we expect cybercriminals to use this event to conduct their typical attacks like they do when the news gives them such opportunity.

Unfortunately, we were right and some sites have already started to circulate fake information on this subject to lure in the crowds in an attempt to infect their computers. Here is one of them we recently discovered. As you can see for yourself this author does not hesitate to make use of sensationalism:

Let me add that if you are lured into this trap and are using an incorrectly protected PC that you will be infected by malware we detect as W32/Waledac.gen.b.  This website was not created by a joker. It is very professionally done. It is protected by a botnet bringing into play the fast-flux technique.

If you have friends or family who might not be versed in applying Windows Updates, you may want to share with them how they can become safe from this rapidly spreading attack.

Calculating the Size of the Downadup Outbreak
http://www.f-secure.com/weblog/archives/00001584.html
http://www.f-secure.com/weblog/archives/00001582.html

QUOTE: The number of Downadup infections are skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing.

Microsoft - Windows Update Web Site

Microsoft - Security at Home  (learn security basics)

 

My corporate Blackberry phone is being called 2X or 3X weekly with a pre-recorded message.  On our local radio station it was noted to avoid this scam, as coverage will not be provided properly for those who sign up.  As our 1994 Mazda MVP Van is not covered under warranty, that also provides a clue to avoid this scam.  Always be cautious with phone calls, emails, etc.  While I plan to register at the Do Not Call website, I read in some of the forums that this may be honored.

MESSAGE BEGINS: This is the second notice that the factory warranty on your vehicle is expiring
