Spam Messages go out with Fake Conficker Alerts

Paul

Sopho’s blog is reporting:

This past weekend, SophosLabs noticed a new “Conficker” theme in the content of these spam messages. Instead of saying there is a critical windows update that needs to be applied, they say that “your Internet company” believes you to be infected, and to click the link to scan your computer

[Via Sophos]

[ad#cricket-right-ez]As in [intlink id=”3114″ type=”post”]previous post about fake Anti-virus Software[/intlink] sites trying to scare you into sending them free money.  You should always be cautious when it comes to these sites that make you think you have a virus.  Some things to consider when you visit sites that are claiming you have a virus:

  • Is this a true anti virus company?  If your unsure you can always google the company to better help you determine if this a fake site.

  • You also should consider going to the real deal on anti-virus there are several different companies that I know of off the top of my head but it should always be one that is not a fly by night type of anti-virus company.   The real companies have people and resources watching for the latest viruses, and other Maleware.

According to Sopho’s the Maleware site is detected as Mal/FakeAV-AH with there system.  Remember you don’t always have to buy anit virus software there are [intlink id=”2205″ type=”page”]several good free versions[/intlink] out there that do a pretty good job at defending against a virus, Trojan, or a Computer Worm.  If you feel you might have a virus you can do a free anti-virus scans to make sure you are not infected.   I also suggest having a firewall installed if you have not done that yet, that will also greatly help prevent a virus or worm but remember you are the last line of defense with Maleware!!

Securing your Windows Machines

Paul

After a Long day at work, you sometimes feel like there isn’t much you want to talk about. Then this idea comes to me? Why do people blog and why do people talk about security?

I’ve come to realize something, I’m not one who was grew up understanding bits from bytes. I grew up as any family does fighting with my siblings.

Having been blogging the past few years, it seems like only yesterday that I started blogging. Cliche I know but still very much true. Most blogs do what they know, I aim to learn and teach each day I blog. Like days like this when the world is pretty much quite and the [intlink id=”3214″ type=”post”]remnants of the conficker[/intlink] worm dies to a rumble.

[ad#cricket-right-ez]So how do you secure your Windows Machine?

After a day long battle with  my wife’s system, I grow to wonder if there is something I should do differently with how to prevent Viruses and Worms on her system.  So I’ve groomed my Knowledge base and come up with 5 good points when it comes to locking down your Windows Machines:

  • [intlink id=”994″ type=”post”]Lock down your Router/Modem[/intlink]  — Some people don’t know that having an insecure router with weak passwords is a way to get on another system.   This can easily be prevented if the users takes some steps to prevent. it.  Although if a hacker wants to break your encryption and find your Signal there is really nothing you can do but try to prevent that.

  • [intlink id=”2205″ type=”page”]Firewall and Anti-virus[/intlink] —  Although I know people think I am a broken record this will always be something I encourage for everyone who reads my blogs.  I will never stop beating people over the head with this.   Seeing the [intlink id=”3272″ type=”post”]Conficker map[/intlink] tells me there are quite a few without an Anti-virus or a Firewall, which might of given someone a heads up find out if they do or not!!

  • [intlink id=”2984″ type=”post”]Disabling AutoRun[/intlink] —  This can prevent a USB stick from installing software it shouldn’t.  Remember Microsoft has issued an statement on how to disable it for sure.  Although I must say The Security Now episode 187 seems to talk about this really well and how to make sure you do disable it the right way.

  • Make sure it is a Limited user account —  Most people always run as administrator when in fact that sometimes makes you more vulnerable to viruses, worms, and trojans.   Any software you install as an administrator will automatically be given Administrator rights.  That can be very bad when it comes to virus and such.

  • [intlink id=”2883″ type=”post”]Keep your System up to date[/intlink] — This is essental for people who to prevent exploits to be used against you.  Although  if your like me and you want to make sure your software is up to date some of that can be done with [intlink id=”553″ type=”post”]APPSNAP[/intlink].

With These tips, your system can be a little more safer.  Just remember there is no perfect way to protect your systems 100% only some of the time.  The rest depends on you, because your the last layer of defense.  Also it isn’t a bad idea to [intlink id=”2407″ type=”post”]back up your system from time to time[/intlink].

Hackers Jump onto Power Point Exploits : KB969136

Paul

In my Previous post, we talked about Microsoft [intlink id=”3280″ type=”post”]Advisory for KB969136[/intlink] and the exploit was in the wild.  It looks like Trend Micro has published some new spam attempts to get the users to open up the Maleware for them to deposit TROJ_PPDROP.AB onto there systems.

[ad#cricket-right-ez]Trend Micro has some screen shots of the most common Fake Presentations for you to see just how they try to get you to open the file.

Although these are some common tactics for  attackers to use such as  nude pictures, Earth Hour, or Celebrities without Makeup,  users who don’t normally use PPT should check the files out before you load them.  You also should remember to save them to a file and [intlink id=”2205″ type=”page”]scan them with your Anti-virus software[/intlink], also it wouldn’t hurt to have a firewall software.  It looks like these exploits tries to connect to the internet and you might be able to find out by the request from the firewall.

According to Internet Storm Center, the CVE place Holder for this is CVE-2009-0556 and hasn’t become live yet. I do not think they will release that information until they get a chance for Microsoft to patch the systems.

This would be a good time to remind IT staff and anyone who might use Power Point that they should not open anything they aren’t expecting and even then they should verify with your IT staff that it is safe until Microsoft issues a patch for this. I expect that if this become widely used it will be released out of Cycle or even In May’s Patch Tuesday. According to Microsoft you could install Microsoft Office Isolated Conversion Environment (MOICE) but requires Office 2003 and Office 2007 systems. Find out how you can use this work around at Microsoft’s Advisory of KB969136 for further instructions.

Microsoft issues Advisory KB969136 (Zero Day Exploit in the Wild)

Paul

Well, this had to happen sooner or later.  It looks like Powerpoint can be exploited with a Remote Code Execution.   So Microsoft today has issued an Advisory for KB969136.

In there post they say:
[ad#cricket-right-ez]

At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. If you suspect that you were target for such an attack, you can scan your computer with the Windows Live OneCare safety scanner. The malicious PPT files are detected as Exploit:Win32/Apptom.gen. Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Products affected are Microsoft Office PowerPoint 2000 Service Pack 3, Microsoft Office PowerPoint 2002 Service Pack 3, and Microsoft Office PowerPoint 2003 Service Pack 3. Microsoft Office PowerPoint 2007 is not affected.
[Via Microsoft Blog]

Microsoft has even added a diagram on how an attacker could implement this into an email.

So what do you need to know:

If you receive a Power Point presentation from someone you aren’t expecting either scan it good with a[intlink id=”2205″ type=”page”] free anti-virus[/intlink]. There are no major workarounds to this because Microsoft is telling people not to open the Power Point files directly. I tend to agree you should however know if you are expecting something from someone by either emailing them back or if it’s an office situation pick up that phone for the time being. I am sure Microsoft will issue this patch in the coming months probably May or June at the earliest. I don’t think it will be April Patch Tuesday, they could however make this an out of cycle if enough hackers start to use this.

According to Micrsoft the Windows Live One care picks this up as Win32 Exploit so I am sure other [intlink id=”2205″ type=”page”]Anti-virus Software will do the same[/intlink].   Just for the time being you will want to scan any presentations that come your way.  I will update the blog as more information becomes available!!

Conficker maps of US!

Paul

conficker_us_map

The Conficker Work Group has been busy the last few days compiling data of where the [intlink id=”3240″ type=”post”]Conficker Worm[/intlink] is in the world.  I am just showing one of the many pictures they have compiled.

[ad#cricket-right-ez]

Now I must say this isn’t entirely accurate, but it gives a good impression of how many computers in the US have been infected and still need to be removed.   Giving that most of these are business that haven’t updated there Windows Machines, this isn’t surprising.  So I am guessing that if this map is close to what we expected, some of the companies didn’t do anything about[intlink id=”3214″ type=”post”] Conifcker during the hype[/intlink].

That being said, I would like people to answer this question?  Has any technicians had to disinfect systems that had the conficker worm?  Are you seeing a rise in repairs, in regards to conficker related problems?

I was look around there website, the Conficker Work Group, and I stumbled on a really good resource.  It is called Conficker Eye Chart.  If certain images don’t load then you might be infected.   If you want to find out if your infected go check the chart out for yourself.

The Group also has a great list of tools to remove the Conficker Worm.    Although, I have been saying for the past week that the best way to prevent from getting infected is having [intlink id=”2205″ type=”page”]Anti-virus, and Firewalls[/intlink].  You will also need to remember that only you can prevent from getting a computer virus or worm, you’re the last line of defense!!