Last night I saw a banner ad for a “new” version of Risk. I use to play Risk, the board game, many years ago and thought this looks like fun. So I downloaded and installed it. With in a couple of minutes, ESET NOD32 was blocking downloads from a site I wasn’t at. Next time I went to use google to search for something, my search results were being redirected. Looks like it installed some malware on my computer. Most likely it’s some sort of XSS cross scripting exploit.

So first I downloaded Spybot Search n Destroy. Back in the day, it was one of my must have malware removal tools. First let me say I’m not knocking the people over at http://www.safer-networking.org they do great work and they make Spybot S&D free. I also highly recommend their RegAlyzer which you can even find here in my download section. But Spybot only found 4 “threats” which were all cookies. In this day and age, lets face it, cookies aren’t really a “threat” but the anti-malware software makers, especially the demos, in an effort to pump up the number of “found threats” and scare you into buying their product are call cookies “threats.”

My next download was AdAware. Also one of my old standbys. After a couple of hours of scanning, it didn’t find anything. Even though it wasn’t finished I had hoped that after a couple hours it would have found something, anything. Then I thought there must be some other tools out there these days. There was one more on my old reliable but I’ll skip that for now since I didn’t get it. I figured I should find some malware related forums and update my knowledge on what’s out there these days. I don’t mind getting my hands dirty and digging through registry keys and directories. Which, I didn’t mention, but had already gone through the auto start and run registry keys and files that were created around the time my hijacking took place. In my search I came across the Malwarebytes users support forum. After reading a couple of posts I realized this was a good place for finding out about new malware and removal techniques as well as the program Malwarebytes. Since I haven’t tried it before and the forum, which is a forum that was created by users/fans of Malwarebytes, spoke so highly of it, I downloaded and installed it and started a complete scan. In a couple of minutes it had found 2 infections. I let it scan my system, which scanned 653800 objects and took 6 hours 28 minutes for the full scan. The scan just completed and found 35 infected objects. A quick view of the results shows me several registry files and the rest are files, non of which are cookies. Since I ran Spybot S&D earlier and deleted the cookies it found, I can’t say if cookies would have been part of the results. With the exception of a couple of false positives, some of my security tools, the results are looking very promising. One item I see right of the back is svchost.exe which is in my /Local Settings/Temp/ which is defiantly bad. This is something pretending to be a legit windows service but it doesn’t belong here. There are also a couple of registry keys listed as Trojan.BHO which, even though I forgot to mention I did run earlier, Hijackthis didn’t identify. Now I unchecked the couple of false positives, and told Malwarebytes to delete the rest and save a log file. After this I’m told it needs to reboot. No problem, I expected that. Windows is rebooting and I’m anxiously waiting to see if this fixed my problem. I haven’t played World of Warcraft or logged into any of my sites in case there was also a password stealer installed. In fact I’m writing this from my wife’s laptop which is on my network but doesn’t have any write permissions from network users.

Reboot has completed and now comes time to test this. I sure hope it works because I’m posting the results regardless of the outcome. First I will launch Firefox. This isn’t my main browser but I have a script blocking extension in it which has alerted me to some of the redirects and blocked them. My first search “malware forums” brings up plenty of results and the first result I click on, Majorgeeks.com, goes where it should. But this was what happened before. The first result I clicked on would work but all the results I clicked on after would be hijcked… Awww a new window just opened to www.searchfindsite.com which doesn’t look good. !@#$@#$ I just tried another result from google and was redirected to findservicesonline.com and I see that malwarebytes.com didn’t clean it this one up. It did find and remove some items that spybot s&d didn’t but I still have the hijacked search results. And my quest continues. When I do find a way to remove this, I will post about it.

If you know of some good malware removal tools, please leave me a comment. I’m going to try a couple of others I have and let you know what I find.

Just a quick warning about a couple of e-mails that had a virus attachment. They are both pretending to be from U.S. Shipping companies.

First we have this one from “UPS”

From: UPS Manager Romeo Law [delivery@ups.com]

Subject:  UPS Delivery Problem NR 08488.

Dear customer!

We failed to deliver the package sent on the 6th of January in time because the recipient’s address is incorrect.

Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

Dear customer!
We failed to deliver the package sent on the 6th of January in time because the recipient’s address is incorrect.Please print out the invoice copy attached and collect the package at our office.
United Parcel Service of America.

attachment: UPS_invoice_NR34587.zip

NOD32 identifies the virus in this attachment as virus Win32/Oficla.CX trojan. A couple of ways you can tell this is fake, besides the attached virus are; why would UPS wait a couple of weeks to notify you of this? Do they really sign their e-mail United Parcel Service of America? They tell you to pick it up at the office but there is no address or contact info for the office. Just thought I’d point this out.

Next we have one from DHL:

From: Manager Gabrielle Bird [customer@dhl.com]

Subject: DHL Office. Get your parcel NR.4486

Hello!

The courier service was not able to deliver your parcel at your address.

Cause: Mistake in address

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Global Forwarding Services.

attachments: DHL_label_Nr2385.zip > ZIP > DHL_label_Nr2385.exe

ESET-NOD32 Identifies the virus in this attachment as Win32/TrojanDownloader.Bredolab.BE trojan

In case you don’t know this already, never run an .exe file you get in e-mail. Nothing good ever comes from running an .exe you received in e-mail.

Watch out for these or variants of them.

If you follow this blog, you know that I did an article on the first stable release of Namp http://www.pccybertek.com/2010/01/nmap-5-20-released yesterday. Now that it has been out for a week, Fydor has already released another update, Namp 5.21 which is also a stable release and not a beta. It’s mainly just a bug fix release. So I have updated the download section here with a link to the 5.21 release, which is on the right column about 3/4 of the way down the page. My download link is directly to the file on the insecure.org website or you can go to the Nmap download page yourself.

But I don’t want to just tell you about the update, I’d like to offer you some more since you took the time to stop by here. So here is a link to Iron Geek’s Baisc Nmap Tutorial video. And if already know the basics and would like to move on to some more advanced lesson, here is Iron Geek’s Nmap Video Tutorial 2: Port Scan Boogaloo Happy port knocking.

Some how this one slipped by me because it was published by Adobe on the 19th.

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version using the instructions provided above.

This update resolves a buffer overflow vulnerability that could potentially lead to code execution (CVE-2009-4002).

This update resolves multiple integer overflow vulnerabilities that could potentially lead to code execution (CVE-2009-4003).

Download Adobe Shockwave Player version 11.5.6.606  here

You can find out which version you have by going here Test Adobe Shockwave Player

Fydor has released Nmap 5.20. This is the first stable release, or non beta release, of Nmap since July 2009. And like usual, it has a lot of nice improvements and upgrades. If I could only have one security tool, Nmap would be it. It’s the first, and sometimes the only, program I run when I want to do any kind of security audit or if I want an inventory of  the LAN and which services are running .

Many of the improvements are under the hood like a completely rewritten traceroute engine. This new version  sent out 50% less packets and reduced the amount of time it took to complete by 96% when compared to the previous version. Traceroute will also send out an ICMP echo request probe if no working probes against the target were found during scanning. Memory consumption has also been reduced. One example of this is the size of the internal nmap OS DB, which has been reduced by more than 90% and the OS detection scan, has had the peak memory consumption  reduced from 67MB to 3MB. These are just a few of the under the hood improvements.

So much for the internal workings, now lets move on to some of the cool upgrades.  There are 31 new Nmap Scripting Engine (NSE) scripts which brings the total up to 80. These NSE scripts are one of my favorite features of Nmap. These scripts allow me to run Nmap in ways I never even thought about. I’m one of those people who learns better by example so the included scripts helps me to have a better understanding of how to write my own NSE scripts. Check out the complete list of NSE scripts.

There has also been an increase in the OS fingerprints, thanks to user submitted fingerprints and many corrections. Some of the more interesting new fingerprints include Google’s Android Linux (for smart phones), Mac OS X 10.6 (Snow Leopard), The Chumby (an internet radio player), a bunch of printers and routers for a total of 1349 fingerprints. This is including the 40 new vendors, 342 new fingerprints and 81 corrections.

Speaking of databases, the OS detection has seen some real growth. Thanks to user submissions, 2,576 of them since Feb. 2009, more than a thousand signatures have been added. That many users submissions shows the kind of community support Nmap has earned.

Nmap started out as a command line tool. But don’t let that scare you away from trying it out if you never have before. There is also a GUI (graphical user interface) called Zenmap that comes packaged with it. Zenmap has also seen improvements. You can now filter the results in Zenmap. So say you have performed a scan and have a lot of results but you just need to see the computers running Linux or a particular service like IIS. You can now apply a filter to your scan results and just have a list of  those machines which are running it.

These are just a few of the improvements made to Nmap since version 5.00 and you can get a complete list of the changes since 5.00 from the release notes. Or just download it and give it a try. There is a release for just about any OS you have. If you work with networks at all, you owe it to yourself to give Nmap a try.

For quite sometime, the post date format has not bee what I wanted. It was displaying day-month-year ( 21-1-10). This was confusing some of my readers. I tried to change it in the WordPress dashboard under Settings, but it never made a difference. I searched for a solution and found several people had the same problem but no one actually had a good answer. However, one of the posts refered me to Customizing the Time and Date and while this was just the formatting of the date and time, it did give me a clue of what to look for.

WordPress is written in the programming language PHP. The date formatting functions in WordPress use PHP’s built-in date formatting functions. You can use the table of date format characters on the PHP website as a reference for building date format strings for use in WordPress.

Armed with this information, I went to my WordPress dashboard and clicked on Appearance and then Editor. Then I started going through the Template Theme files. Sure enough, I found <?php the_time(‘D, m-d-Y’) in the Main Index Template (index.php) file. So I went back to the Format  page to see what options I had and decided on the day, month-date-year for my format. So I changed <?php the_time(‘D, m-d-Y’) to <?php the_time(‘D, m-d-Y’) and then clicked on update. And as you can see, the dates of my posts, on the main page, now have the post date formatted the way I wanted.

The other place you can change the time and date format is in Single Post (single.php) which I did a little different that my main page. I decided to go with l, F jS, Y which will look like: Friday, January 22nd, 2010

UPDATE: I found a couple other places that needed to be changed in my theme. So here is a list of the files that I could change my date format in.

Archives (archive.php)

Comments (comment.php)

Main Index Template (index.php)

Single Post (single.php)

Hope this helps. If you have any questions, leave me a comment and I will try to help.

At one time I was going to make at least one free software recommendation a week. At some point I realized that in order to do this, sooner or later I would either run dry of suggestions, or make suggestions of products I really haven’t throughly tested. So I changed my mind and decided to only write about programs I have used for quite some time and really like. One of the first was Miro

Tonight’s pick is an all in one Instant Messenger, E-mail and Social Network client called Digsby. I’ve been running Digsby for around a year and it is really nice. I’ve set it up to connect to my AIM, MSM, Yahoo Chat, Facebook, Myspace, Twitter and all my various e-mail addresses. It sits nicely in my system tray and when I click on it, it pops up a sidebar on the left side of my screen that lists all the services I have it monitoring. If I click on the MSM bar it expands so I can see who is online and if I click on anyone who is online, I’m chatting with them just like I was running MSM. Instead of having to load all those different chat programs, I just run Digsby. Of course there are other programs like this, I use to run Trillian but it felt kinda clunky me and I haven’t tried the newer version of Trillian which now also supports Twitter and E-mail. However, I see Trillian still offers a pro version which isn’t free so it doesn’t totally fall into my “Free Software” category. Digsby also has several options for notification. Mine is configured so it pops up a little alert window. This is real handy for Twitter. I see the complete tweet and have options to retweet or reply to it. If I click on the notification window it will take me to that tweets page and I will already be logged in to Twitter. The same goes for any notification window, by clicking on it. If it’s one of my webmail accounts, I will be logged in and taken to that e-mail, or if it’s a pop mail account, it will launch whatever application you have chosen for your e-mail, such as Outlook.

Here’s a sample of the features in Digsby:

Instant Messaging
One combined buddy list for all your AIM, MSN, Yahoo, ICQ, Google Talk, Jabber, and Facebook Chat Accounts.
Manage multiple conversations with tabbed conversation windows. You can drag tabs out into their own windows for important conversations.
Rename contacts with an alias so you don’t have to remember buddy names like ‘giantsfan123′.
If one of your friends has more than one IM account you can combine them into a single merged contact to eliminate duplicate buddies.
Send your friends SMS messages right from the IM window.
The InfoBox lets you check everyone’s status message and profile just by moving your mouse down the list.
Changing your status has never been easier. just one click right on the buddy list!
Multitask while you chat. Minimize the IM window and you see popups of new IM’s. Best of all, you can reply right from the popup and get back to what you were doing.
Log conversation history and find the information you need our search-enabled log viewer.
And so much more.
Email
Manage your Hotmail, Gmail, Yahoo Mail, AOL/AIM Mail, IMAP, and POP accounts right from digsby.
Get popup notifications when new email arrives. Clicking a popup takes you right to the message with auto-login into webmail accounts.
The email InfoBox gives you a snapshot of your unread messages with just one click
Perform actions such as “Mark as Read” or “Report Spam” right from the email InfoBox.
Send emails to your friends right from the IM window. The email is sent directly from any account digsby is tracking for you.
Social Networking
Stay up to date with everything happening on your Facebook, Twitter, MySpace and LinkedIn accounts.
Receive alerts of events such as new friend requests, messages, group invites, etc.
The social network InfoBox gives you a real time NewsFeed of what your friends are up to. Everything from new photos, to status updates, to upcoming birthdays is just a click away.
Set your Facebook, Twitter and LinkedIn status right from Digsby.
Personalize
Customize digsby with application skins to give it a personal look and feel.
Change the way your conversations look with themes – everything from simple AIM-style windows to 3D conversation bubbles.
Complete control over the layout of buddies on the buddy list. Change everything from buddy icon size to whether or not to show a snippet of their away message.
Sort your buddy list how ever you want! You can organize buddies manually, by status, by service, by name or by log size to place those you communicate with most at the top. You can even choose a secondary sorting method.
Customizable notification system lets you choose what events you want to be alerted about and how.

If you give it a try, or are already using it, please leave a comment to let myself and others know what you think of it. If you’d like to see it action, you can watch the video demo of it. Or just download Digsby.

Here we go again. This isn’t news hot off the press, but I decided I should post about it here just in case some of you have missed it. There has been another Adobe Acrobat Reader exploit, CVE 2009-4324. Since it was first disclosed back in the middle of December, it has grown even nastier. The Internet Storm Center over at sans.org has a good analysis of one of the current variants.

There are still a couple days before Adobe releases a patch, which will finally be released on Jan 12. Adobe suggests you disable Java support until then. This is not the first time this has happened. What I’m suggesting is that even after this is patched, just keep Java disabled. If you open a PDF file that requires Java support, you could always turn it back on. With so many exploits in the wild, and how long it takes for the anti virus vendors to discover them, this one won’t be fixed for almost a month since it was first disclosed publicly, it’s better safe than sorry. Just disable Java support for good. Here’s how to disable Java support in Adobe Acrobat Reader

quoted from Adobe.com

SOLUTION

Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote for more information.

Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Customers using Microsoft DEP (“Data Execution Prevention”) functionality available in certain versions of Microsoft Windows are at reduced risk in the following configurations:

All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
Acrobat 9.2 running on Windows Vista SP1 or Windows 7
Acrobat and Adobe Reader 9.2 running on Windows XP SP3
Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7
With the DEP mitigation in place, the impact of this exploit has been reduced to a Denial of Service during our testing.

Watch your docs and surf safe

Just got an e-mail that says it’s from e-cards@hallmark.com with the subject: You have received A Hallmark E-Card! It had an attachment called Postcard.zip which was identified by my antivirus, I use NOD32 by E-Set

__________ ESET NOD32 Antivirus warning, version of virus signature database 4693 (20091216) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

Postcard.zip – probably a variant of Win32/Merond.AA worm – deleted
Postcard.zip > ZIP > document.chm .exe – probably a variant of Win32/Merond.AA worm – was a part of the deleted object

This came from one of my works TV affiliates mailing list. So I am guessing it is one that goes through your address book and sends itself to everyone on there.

Figured this was also a good time to remind people to be careful with any “e-cards” they get. Watch out for infected attachments, as was the case with this one, and watch for links that send you to websites designed to infect you or steal your identity / information.

Phishing scams seem to keep on rolling. Recently I have been seeing a lot of them that claim to be survey companies. They aren’t too hard to spot. The e-mail address that they supposedly come from, may be a legit survey company.  In the body they will ask you to register by filling in all your information like name, address, phone number etc. and send it to and email address that is in the body of the e-mail. This is what makes it so easy to spot. The e-mail address they want you to send your “registration” info to is different than the one listed in the header and usually a variation of it. For example, I got one that said it was from register@surveys.com in the e-mail’s header, yet they wanted you to send your registration information to surveys@gmail.com or @yahoo.com or some other address. If these were legit, they wouldn’t have you register by e-mailing your information and to an address that’s different from where it supposedly came from. I don’t think any of them would have you e-mail them your information at all, you would register on a website. So far I have seen 6 variations of this in about a week. I wouldn’t be surprised if they actually set up websites with registration forms next. Just to be safe, I would never send identity related information to anyone no matter what they claim they need it for,  unless you expected the e-mail in the first place. Remember, just because an e-mail says it’s from someone, this can be spoofed to say anything.