PC CyberTek » malware

Fake Apple Store Order E-mail

chris — Sun, 11 Apr 2010 05:15:36 +0000

Time to add another fake e-mail to the long list of social engineering e-mail scams. This one looks like this.

Subject 4912-3337 Apple AppStore Confirmation
Sender Apple Up-To-Date Add contact

Apple Store
Call 1-800-MY-APPLE

#4368-66525
Order Details

You can also contact Apple Store Customer Service or visit online for more information.

Visit the Apple Online Store to purchase Apple hardware, software, and third-party accessories.
Copyright 2010 Apple Inc. All rights reserved.

This one wants you to click on the order details link, which I have removed, but if you look at the “Order Details” link more closely, you will see that it doesn’t go to the apple store but links to some place called goofbomb. I don’t feel like testing out my anti-virus or risk getting a 0-day virus or some malware, let’s just assume it’s a bad place. So keep your eyes out for this and other e-mails that claim you have purchased something, or missed a delivery, and gives you a link to your “order” or has an attachment for you to open. Quite a few of these going around these days.

Surf Safe

Malware Removal Sites, Software and Thoughts

chris — Sun, 07 Feb 2010 08:50:25 +0000

Last night I saw a banner ad for a “new” version of Risk. I use to play Risk, the board game, many years ago and thought this looks like fun. So I downloaded and installed it. With in a couple of minutes, ESET NOD32 was blocking downloads from a site I wasn’t at. Next time I went to use google to search for something, my search results were being redirected. Looks like it installed some malware on my computer. Most likely it’s some sort of XSS cross scripting exploit.

So first I downloaded Spybot Search n Destroy. Back in the day, it was one of my must have malware removal tools. First let me say I’m not knocking the people over at http://www.safer-networking.org they do great work and they make Spybot S&D free. I also highly recommend their RegAlyzer which you can even find here in my download section. But Spybot only found 4 “threats” which were all cookies. In this day and age, lets face it, cookies aren’t really a “threat” but the anti-malware software makers, especially the demos, in an effort to pump up the number of “found threats” and scare you into buying their product are call cookies “threats.”

My next download was AdAware. Also one of my old standbys. After a couple of hours of scanning, it didn’t find anything. Even though it wasn’t finished I had hoped that after a couple hours it would have found something, anything. Then I thought there must be some other tools out there these days. There was one more on my old reliable but I’ll skip that for now since I didn’t get it. I figured I should find some malware related forums and update my knowledge on what’s out there these days. I don’t mind getting my hands dirty and digging through registry keys and directories. Which, I didn’t mention, but had already gone through the auto start and run registry keys and files that were created around the time my hijacking took place. In my search I came across the Malwarebytes users support forum. After reading a couple of posts I realized this was a good place for finding out about new malware and removal techniques as well as the program Malwarebytes. Since I haven’t tried it before and the forum, which is a forum that was created by users/fans of Malwarebytes, spoke so highly of it, I downloaded and installed it and started a complete scan. In a couple of minutes it had found 2 infections. I let it scan my system, which scanned 653800 objects and took 6 hours 28 minutes for the full scan. The scan just completed and found 35 infected objects. A quick view of the results shows me several registry files and the rest are files, non of which are cookies. Since I ran Spybot S&D earlier and deleted the cookies it found, I can’t say if cookies would have been part of the results. With the exception of a couple of false positives, some of my security tools, the results are looking very promising. One item I see right of the back is svchost.exe which is in my /Local Settings/Temp/ which is defiantly bad. This is something pretending to be a legit windows service but it doesn’t belong here. There are also a couple of registry keys listed as Trojan.BHO which, even though I forgot to mention I did run earlier, Hijackthis didn’t identify. Now I unchecked the couple of false positives, and told Malwarebytes to delete the rest and save a log file. After this I’m told it needs to reboot. No problem, I expected that. Windows is rebooting and I’m anxiously waiting to see if this fixed my problem. I haven’t played World of Warcraft or logged into any of my sites in case there was also a password stealer installed. In fact I’m writing this from my wife’s laptop which is on my network but doesn’t have any write permissions from network users.

Reboot has completed and now comes time to test this. I sure hope it works because I’m posting the results regardless of the outcome. First I will launch Firefox. This isn’t my main browser but I have a script blocking extension in it which has alerted me to some of the redirects and blocked them. My first search “malware forums” brings up plenty of results and the first result I click on, Majorgeeks.com, goes where it should. But this was what happened before. The first result I clicked on would work but all the results I clicked on after would be hijcked… Awww a new window just opened to www.searchfindsite.com which doesn’t look good. !@#$@#$ I just tried another result from google and was redirected to findservicesonline.com and I see that malwarebytes.com didn’t clean it this one up. It did find and remove some items that spybot s&d didn’t but I still have the hijacked search results. And my quest continues. When I do find a way to remove this, I will post about it.

If you know of some good malware removal tools, please leave me a comment. I’m going to try a couple of others I have and let you know what I find.

Another Adobe Acrobat Reader 0-Day Exploit

chris — Thu, 07 Jan 2010 11:13:57 +0000

Here we go again. This isn’t news hot off the press, but I decided I should post about it here just in case some of you have missed it. There has been another Adobe Acrobat Reader exploit, CVE 2009-4324. Since it was first disclosed back in the middle of December, it has grown even nastier. The Internet Storm Center over at sans.org has a good analysis of one of the current variants.

There are still a couple days before Adobe releases a patch, which will finally be released on Jan 12. Adobe suggests you disable Java support until then. This is not the first time this has happened. What I’m suggesting is that even after this is patched, just keep Java disabled. If you open a PDF file that requires Java support, you could always turn it back on. With so many exploits in the wild, and how long it takes for the anti virus vendors to discover them, this one won’t be fixed for almost a month since it was first disclosed publicly, it’s better safe than sorry. Just disable Java support for good. Here’s how to disable Java support in Adobe Acrobat Reader

quoted from Adobe.com

SOLUTION

Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote for more information.

Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Customers using Microsoft DEP (“Data Execution Prevention”) functionality available in certain versions of Microsoft Windows are at reduced risk in the following configurations:

All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
Acrobat 9.2 running on Windows Vista SP1 or Windows 7
Acrobat and Adobe Reader 9.2 running on Windows XP SP3
Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7
With the DEP mitigation in place, the impact of this exploit has been reduced to a Denial of Service during our testing.

Watch your docs and surf safe

E-Card Virus Warning

chris — Wed, 16 Dec 2009 17:20:54 +0000

Just got an e-mail that says it’s from e-cards@hallmark.com with the subject: You have received A Hallmark E-Card! It had an attachment called Postcard.zip which was identified by my antivirus, I use NOD32 by E-Set

__________ ESET NOD32 Antivirus warning, version of virus signature database 4693 (20091216) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

Postcard.zip – probably a variant of Win32/Merond.AA worm – deleted
Postcard.zip > ZIP > document.chm .exe – probably a variant of Win32/Merond.AA worm – was a part of the deleted object

This came from one of my works TV affiliates mailing list. So I am guessing it is one that goes through your address book and sends itself to everyone on there.

Figured this was also a good time to remind people to be careful with any “e-cards” they get. Watch out for infected attachments, as was the case with this one, and watch for links that send you to websites designed to infect you or steal your identity / information.

Metasplot Framework 3.3 Just Released

chris — Fri, 20 Nov 2009 09:07:42 +0000

t’s been about a year since one of the best pen testing tools has seen an upgrade to the framework. Metasploit Framework 3.3 is now available. Not only does it support Linux, Windows, OS X, and many versions of BSD, but now it also supports Windows 7. And according to the website this release has 446 exploits, 216 auxiliary modules, and hundreds of payloads, including an in-memory VNC service and the Meterpreter. However one of the new features that I’m pleased about is you can now run a full console version in Windows using Cygwin which is how I like to run nmap when I’m on my Windows computers, and RXVT. To be honest, I haven’t fired up any of my Linux machines in a while. I just boot from a Linux Live CD most the time but I digress.
The Windows installer works on all versions of Windows from 2000 to Windows 7 and the Linux installer works on most versions of Linux released in the last five years.
I’d like to point out, this is not a toy. This is the bad boy of penetration testing tools. I love using this because I know that if I can’t get into the system I’m testing with it, I can feel pretty confident that system is pretty secure. I wouldn’t go so far as to say that I’m 100% secure because I’ve been doing this long enough to know there is no such thing. But if you can’t successfully attack one of your computers with this, then chances are neither can the script kiddies.

Remove Fast Browser Search From IE 7 & IE8

chris — Fri, 23 Oct 2009 03:48:09 +0000

As you may know, I was never able to get Web Tattoo to install into IE7. Something I have done during the removal of it and Fast Browser Search from Firefox somehow causes the install file to crash when I tried to install it in IE7. This is fine for me, but because I never could get MakeTheWebBetter installed in IE7 or IE8, I couldn’t figure out how to uninstall it and tell you how.

Over on a google forum is a link to my first post on removing Fast Browser Search from Firefox. So I subscribed to that thread and today when I checked my e-mail, I found this in it, how to remove Fast Browser Search from IE7 & IE8

Re: [Web Search Help] How do I remove “Fast Browser Search”?

Inbox X

Reply

|
Google Help
to me

show details Oct 14 (9 days ago)

from Google Help
to
date Wed, Oct 14, 2009 at 12:35 AM
subject Re: [Web Search Help] How do I remove “Fast Browser Search”?
mailed-by confucius.bounces.google.com
signed-by google.com

hide details Oct 14 (9 days ago)

Kundan555 has posted an answer to the question “How do I remove “Fast Browser Search”?”:

PLEASE FOLLOW THE INSTRUCTIONS AND RESOLVE THE ISSUE FOR IE8 AND IE7.

=================================================================

Please uninstall fast browser from the program and features in vista and, add and remove program in XP. Then

To fix the new tab issue you need to be comfortable using regedit. Run regedit and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs

under Tabs, clear the fastwebsearch junk and input the following as value data:

res://ieframe.dll/tabswelcome.htm or any entry related with fastbrowser listed over there.

close and restart IE.

I have been unable to verify this, however my knowledge of the registry tells me this could fix it and would be worth trying. Just be CAREFUL any time you run regedit. Messing around in the registry could really bork your system.

Here’s the links to my other Fast Browser Search removal posts

http://www.pccybertek.com/2009/08/my-web-tattoo-fast-browser-search-search-gurad-plus-uninstall-removal/

http://www.pccybertek.com/2009/08/more-my-web-tatto-removal-information/

http://www.pccybertek.com/2009/07/removing-my-web-tattoo-phone-number/

http://www.pccybertek.com/2009/06/project-web-tattoo-fast-browser-search-removal-update/

http://www.pccybertek.com/2009/06/project-web-tattoo-fast-browser-search-remove-part-1/

http://www.pccybertek.com/2009/05/remove-fast-browser-search/

Fake Adobe Flash Player

chris — Fri, 11 Sep 2009 10:27:22 +0000

There is a fake adobe flash player updater that monitors your google searches. It looks just like the adobe flash installer. I’m not sure where I picked it up, but luckily I found this fake adobe flash player on a computer running firefox. Good thing I run NOD 32. I have been getting a notice that NOD 32 was blocking an outbound connection

I found out that I was infected by this Fake Adobe Flash Player

While that website does tell you how to figure out if you have it or not, it doesn’t really tell you how to remove it, unless you buy their program. So I’m currently in the process of removing it. If you do have it, you’ll want to stop it right now! I’ve found that by going into Firefox’s extensions (Tools -> Addons -> extensions) you can disable Adobe Player 0.2 and restart Firefox. After doing this, I no longer got the warning for NOD 32 that it’s blocking the connection that msjupdate site, which I don’t know why it hasn’t been shut down yet.
I found socks.exe was running and when I looked for that file, I found it in my Windows/system folder with a creation date of 09-09-09, so I stopped socks.exe and renamed it socks.bak I would have deleted it but just in case it wasn’t installed by this Trojan, I figure it’s better to rename it. If some legit program I have starts complaining that socks.exe is missing, I can always rename it back to socks.exe

Once I’ve figured out how to completely remove it, I will update this post. In the meantime, disabling it will work. It’s after 3AM and I should have been in bed hours ago, but this was too important not to immediately warn you about it and give you at least a way of stopping it until I can post removal instructions.

My Web Tattoo – Fast Browser Search – Search Gurad Plus Uninstall & Removal

chris — Sun, 02 Aug 2009 08:09:11 +0000

While writing a new article about removing Fast Browser Search and My Web Tattoo, I was analyzing a new version of MakeTheWebBetter, which is the file I got from the MyWebTattoo site. I noticed it connected to a new site since the last time I looked at it, www.tattoodle.com Looks like they have expanded their operation to include My Space. I also found a new updated uninstall page which included Search Guard Plus, which was another new file I found that was being installed since I wrote my first uninstall guide. I am going to keep writing the new article I am working on but in the mean time, check out the new official uninstall page they have set up. It’s much better than before and like I said it includes the new programs.

Official Tattoodle Uninstall Page

It still doesn’t tell you how to fix the search redirection in Firefox so if that still plagues you, I have a guide for that here

If that still doesn’t fix it for you, and you have some basic computer skills, my next post may be the one to help you.

Firefox Addons Insecure

chris — Sat, 01 Aug 2009 23:19:01 +0000

Unable to attend DefCon this year, I’ve been following it on twitter. There was a talk about how insecure Firefox extensions are.

@ramereth word to the wise: DO NOT trust any firefox extension. assume they can grab and do anything including executing other code #defcon

Just one of many tweets talking about how scary the talk was. So until I can get more information on this, I’m disabling most of my Firefox extensions. Could this be Firefox’s vulnerability equivalent to Internet Explorer’s active-x? Ironically, I’ve been using Google’s Chrome browser lately. I’m liking it more and more. I was just switching back to Firefox because it has a couple extensions I use a lot. But now that they might not be safe, it looks like Chrome is going to be set as my default browser. At least until I find out more about these Firefox extension exploits.

Seeing how this talk was given today, I suspect there will soon be a rash of these exploits and figured I should pass on the info I have even though it’ sketchy at best at this point. To disable your extensions in Firefox, just go to Tools, then addons, then extensions, and uninstall or disable them.

Removing My Web Tattoo Phone Number

chris — Sun, 26 Jul 2009 07:48:57 +0000

I haven’t stopped working on how to remove My Web Tattoo and the associated programs. If you have it in Firefox, then you’re kinda in luck. I have removed it from Firefox

And I found a phone number that was on the EULA page for Make The Web Better, which is the first program that is downloaded from the My Web Tattoo page. I suggest if you haven’t been able to get it removed from Internet Explorer yet, you follow the advice on their page

If you experience any problems installing and/or
uninstalling the Software Product, please contact us via email at: info@make-the-web-better.com, or call us at: 1 (800) 831-8940.

I’m still working on removing it. I can’t get it installed on IE 7 on my test computer. So I’ve been doing some other stuff like running it in a sandbox to see what it does. I’ve identified several registry keys that are affected and where it’s sending data to. I just got this info though and I’m in the middle of a computer repair job that should have been done already. So when I get some more time I’ll write up what I have found about removing it and more.

In the meant time, there is the number you can all. You can leave comments on how it went if you do call them. I’m sure others will be interested in how they helped you.