
Sunday, October 18, 2009

Facebook Hacking

A new application on Facebook, "City Fire Department," has been compromised by hackers. The application had been modified to deliver an iframe, which can bring content from one Web site into another. This iframe tries to exploit vulnerabilities to download a fake antivirus program called Antivirus Pro 2010.

A few of the other hacked or bogus applications are:

  • MyGirlySpace
  • Ferrarifone
  • Mashpro
  • Mynameis
  • Pass-it-on
  • Fillinthe
  • Aquariumlif

Ok, here is the deal - When you find a wonderful new application on Facebook, do a quick search on Google or Bing to determine if anyone has had any problem with it. You can also wait, yes wait, for a day or two until enough newbies have started using it to provoke any disasters - if all is well after this then you might . . . might try it. Just make sure your Facebook preferences are locked down for maximum security. Or just don't use any of these silly applications until Facebook gets a grip and uses some mechanism to confirm these applications aren't a giant security hole!

Friday, October 09, 2009

Adobe Reader Critical Vulnerability

It appears the ever popular Adobe Reader (version 9.1.3 and earlier) has a gaping hole that could allow bad people to take over Windows installs. This problem has popped up before. One way to mitigate (but not eliminate) the threat is to disable JavaScript in Adobe Reader and/or change your browser's behavior to download .pdf files as opposed to viewing them. You also might want to try the free alternative called Foxit Reader, which has a better record when it comes to security issues. Just sayin' . . .

Tuesday, August 25, 2009

Third-party apps create insecure Facebook

Popular social networking site Facebook has exposed users to phishing attacks that use already hacked accounts to contact friends. Links presented to users lead to look-alike pages not associated with Facebook that may hold any one of 11 rogue scripts (and counting) that do bad things. Trend Micro has details here.

Until Facebook tightens up the ship now heading for the shoals, be very careful about using third-party apps. Yes, that means a large chunk of Facebook, sorry. Do this . . . no, seriously . . . and Facebook will adapt or die. Now if Leafs fans would just do the same.

Wednesday, July 15, 2009

Critical Firefox 3.5 Security Flaw

The newest Firefox, version 3.5, includes TraceMonkey, a new feature designed to speed up JavaScript. A flaw within TraceMonkey could allow attackers to remotely install evil software when users visit compromised Web sites.

A simple fix is available until the next patch fixes the vulnerability:

  1. Open up a new Firefox window and type "about:config" (without the quotes) in your browser's address bar.
  2. In the "Filter" box, type "jit" and a setting called "javascript.options.jit.content" will appear.
  3. If the setting is set to "true" it means the option is enabled.
  4. If it is, double-click on the setting. This should change the option to "false", disabling it.

Another Insecure ActiveX? You Betcha!

ActiveX flaws pop up on a regular basis, so forget the explanation. Go to Microsoft and click the "Fix It" icon under "Enable Workaround" and follow the instructions.

Tuesday, April 14, 2009

Twitter Awareness

The recent cross-site scripting attack on the newest buzzword universe called Twitter is merely another bump on the rocky road through Interpipe 2.0.

These XSS attacks are the bane of Web 2.0 and will cause disasters for individuals who refuse to become aware of their online surroundings. Compound this with users who remain clueless about what is running on their PCs and you have a large impediment in the push through to Web 3.0 applications.

Now add smartphones and netbooks to the mix ;(

For a fine write up on the Twitter XSS attack see: http://twittercism.com/protect-yourself-on-twitter/

Be sure to check out the fine tip from Twittercism about XSS busting using the Firefox browser with the NoScript add-on, with screencaps from Better Safe Than Sorry here.

Thursday, February 26, 2009

Adobe FlashPlayer Fix Released

The most recent Adobe Reader vulnerability has been addressed with several patches all rolled into one download. If you use both the Firefox and Internet Explorer browsers, you must download a fix for each browser. The fix is here: http://www.adobe.com/go/getflashplayer

It's worth noting here that Adobe originally stated that a fix was to be available on March 11th, 2009, but when a third party released a patch much earlier they were moved to action. heh heh heh.

Posted by Matthew Carrick at 3:43.16 PM EST
Edited on: Wednesday, March 11, 2009 10:28.47 AM EDT
Categories: Virus-Trojan-Worm Alerts

Friday, February 20, 2009

Adobe Reader Vulnerability

Evil-doers are actively exploiting a security hole in Adobe Reader. Users need only open a rogue .pdf file to have their system taken over.

Since Adobe doesn't plan to patch the problem until March 11th, 2009, users should either disable JavaScript within Adobe Reader (choose "Edit", "Preferences", "JavaScript", and uncheck the box beside "Enable Acrobat JavaScript") or use an alternative to Adobe Reader called Foxit Reader, which is available here: http://www.foxitsoftware.com

Monday, January 19, 2009

Downadup Worm Awareness

The nasty worm dubbed Downadup.AL is reaching out and touching many people. F-Secure has a (beta) application to check your Windows system for infection - it's here: ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip. If you use the Firefox browser (and why wouldn't you?) using the NoScript add-on is a wise move to prevent this and other nasties from gaining a foothold in your system. Of course, running a software firewall, a hardware router and an anti-virus application is your best bet to remain free of doom.

Tuesday, January 06, 2009

Phishing Targets Twitter

The popular mobile service Twitter has been hit with phishing messages. Nothing new about this. It is a good time to remind folks about the devious nature of these evil-doers. Any method will be used to induce the unwary or stupid to visit sites that will attempt to upload all kinds of malware, spyware, trojans, etc. to your PC, smartphone or other device. The vector for this specific attack is the very popular 'TinyURL' online application that turns large, unwieldy URLs such as “http://www.somewhere.orf/really/long/directory/” into something such as “http://tinyurl.com/4d4a2” which can be remembered long enough to key into a browser. The problem is that the TinyURL could lead one to evil sites. Very bad. TinyURL's solution, which folks either don't know about or don't use or understand, is to use the Preview TinyURL. In our previous example one should prefix the TinyURL's host name with preview.: “http://preview.tinyurl.com/4d4a2”. This will allow for the best practice of safely viewing a rendering of the intended target before actually visiting it.

Sunday, December 14, 2008

Severe IE Vulnerability

An unpatched vulnerability in Internet Explorer 7 (which also affects older versions of the browser) is on the loose. Microsoft has stated that IE 5.01 with SP 4, IE 6 with or without SP 1 and IE 8 (Beta 2) on all versions of the Windows OS are affected. To complete the horror, IE 7 on Windows XP SP 2 and 3 and Windows Vista with or without SP 1 are also vulnerable. Web sites are now actively exploiting the vulnerability. One has to merely view a Web site in order to have a Trojan horse program automatically downloaded to their machine. Once downloaded, the evil-doers can direct the rogue program to download other software which could perform actions such as sending spam emails or stealing data. Since Microsoft's next patch is not due until January 13, 2009, one would be wise to use an alternative browser such as Firefox or Opera. Just sayin' . . .

Thursday, December 04, 2008

Firefox Greasemonkey Targeted

A new type of malware that collects passwords for banking sites is in the wild. In this instance it only targets Firefox browser through the popular Greasemonkey script. The malware uses JavaScript to identify some 100 financial web sites (including PayPal). It then harvests logins and passwords which are forwarded to a server in Russia.

So, short of disabling or uninstalling Greasemonkey your best defence is the usual: do not download anything, including Firefox add-ons, from any site other than Mozilla's, do not visit dubious sites located in dubious domains (such as .ru) and always have your firewall, anti-virus, router and brains active ;)

Friday, October 24, 2008

Critical Microsoft patch available

Microsoft has issued an out-of-band update. This is unusual as Microsoft rarely releases patches ahead of the usual once-monthly Patch Tuesday. In this case the severity of the security hole has prompted them to wisely hurry the process along. This update is for XP and Vista, although for Vista users it is not deemed critical. What the heck, do it anyway. If you have Windows Update all organized (as you should) you should be safe. If you are unsure whether you already have the patch installed, go to Add/Remove Programs in the Control Panel and make sure the "Show updates" check box is checked:

Show Updates checkbox in XP Control Panel

and, when the list is finally displayed look for:

Security Update for Windows XP (KB958644)

If it's not installed go back to the Control Panel and click on Security Center. Make sure all the settings for Windows Updates, your firewall and whatever anti-virus you use are all functioning as they should.

Tuesday, September 23, 2008

Facebook .zip attachment is Bad

People have been getting these fake Facebook 'Add Friends' emails.

The evil-doers' attached .zip file contains, wait for it you plugs, a Trojan Horse. C'mon, steady, don't fall for that old trick.

Unless you are expecting an attachment don't accept it. Anti-virus blah blah updated frequently blah blah backup daily blah blah idiot, don't be an ;)

Saturday, August 09, 2008

Facebook - MySpace Trojans

Both popular social networking sites, MySpace and Facebook, have been attacked by an emailed virus that, should you download the plug-in as it suggests, sends large quantities of bogus emails. They contain trojans that Symantec has identified as gampass. This trojan is looking for data on your system regarding gaming. Since this data may well include credit card numbers this is a problem. So, always be suspicious of any requirement for plugins above and beyond what you normally have installed. Keep your anti-virus software loaded and updated. Just because they are your friend on any social networking site does not mean they won't do something foolish that might well ensnare you. Remember, security is an ongoing process not a product.

Wednesday, June 04, 2008

Evil Hewlett-Packard support application

If you use an HP computer chances are it has a pre-installed customer support application that has been found to contain multiple security vulnerabilities. The software is designed to make it simple for users to automatically update HP drivers and software. However, flaws in ActiveX components within the HP Instant Support allow drive-by download attacks in cases where users unwittingly visit insecure websites.

HP Instant Support HPISDataManager.dll version 1.0.0.22 and earlier are affected. Users should upgrade to version 1.0.0.24.

To install the upgrade HP users should visit "http://www.hp.com/go/ispe" and choose "launch an online diagnostic session".

Their problem could be your problem

It appears the website of an Ottawa recreation centre may have been the victim of a SQL injection attack that infected guests' computers with a computer virus, leaving them vulnerable to various nasties including spam, fraud or identity theft. The Ray Friel Recreation Centre was infected between May 14 and 21, 2008.

Those with up-to-date anti-virus and spyware protection using Firefox or Opera browsers had little to fear but others may not have been so lucky. Mac users are safe ;-)

Remember, be alert because the world needs more lerts . . .

Wednesday, May 28, 2008

Patch your Flash NOW

Time to patch your Adobe Flash. Numerous evil sites are exploiting Flash vulnerabilities to install password-stealing Trojans when users visit them with unpatched Web browsers. The latest version is available here.
Of course, if you use Mozilla Firefox you will already have installed NoScript, which goes a long way to protect you from this particular exploit.

Wednesday, March 12, 2008

Lessons Learned

It seems G-Archiver, a third-party tool for backing up Google's Gmail, was/is sending usernames and passwords back to evildoers. The lessons here are simple: Always check online to see if the software you are thinking of using is safe. A simple search should confirm if others have any concerns regarding security, privacy, function or usefulness. Secondly, consider trying open-source software when possible. Since these applications are constantly examined by users for problems you tend to be protected in part from hassles that affect proprietary applications.

Sunday, September 30, 2007

AOL AIM IM BUST

Clear as mud, eh? Internet Service Provider AOL has been informed that its IM client has a flaw that makes it possible for evil attackers to remotely execute malicious code on users' computers. Those using Internet Explorer are especially vulnerable. Best practices? Try an alternative such as Pidgin (formerly GAIM).

Thursday, July 19, 2007

OS X Something!

No, I have not RTFA. I do know that having faith that a certain OS is more secure than others is, one day, going to cause . . . problems.

Monday, June 11, 2007

OpenOffice.org Virus Spreads

A virus written in numerous scripting languages that can affect Windows, Linux, and Mac OS X computers is slowly spreading via infected OpenOffice.org documents. Best practice is, of course, to never accept documents as attachments in email if you were not expecting them. Inform the sender that it is always best to announce attachments before sending. Having a good Anti-Virus and firewall is also an excellent idea just in case nasties end up on your system. Better safe than sorry!

Friday, June 08, 2007

Yahoo Messenger Critical Upgrade

Yahoo Messenger has released an upgrade to fix a known security hole that would allow attackers to execute code on your PC. Please upgrade to version 8.1.0.401 from here: http://messenger.yahoo.com/download.php

Monday, May 14, 2007

Google: 1 in 10 Websites Unsafe

Especially if you use Internet Explorer as opposed to Firefox or Opera. The chance of being nailed by a "drive-by download" is almost non-existent when using any browser other than Internet Explorer. Do yourself a favour and try a safer alternative.

Sunday, April 01, 2007

Flaw Allows Critical Windows Exploit

"Upon viewing a Web page, previewing or reading a specially crafted message, or opening a specially crafted e-mail attachment, the attacker could cause the affected system to execute code," sez Microsoft in its advisory. Using any version of Windows, including Vista, and Internet Explorer could lead to catastrophe merely by viewing a web site. Simply viewing an .html page as displayed by most email clients such as Outlook Express could lead to the same result. Best Practices? Consider using another browser such as Opera or Mozilla Firefox and/or another email client such as Thunderbird.

Tuesday, January 02, 2007

Apple Quicktime Exploit

A highly critical security hole affecting Apple QuickTime version 7.1.3 (or earlier versions) has been exposed. Users of QuickTime are advised to disable Real Time Streaming Protocol. Windows XP users navigate to: Edit -> Preferences -> QuickTime Preferences -> File Types tab: uncheck "Streaming - Streaming Movies". Secunia has suggested users be very wary of opening files with the extension .qtl hosted on sites that look in any way dodgy.

Sunday, December 31, 2006

Be Careful of Holiday Greetings Attachments

Since this is the season to send and receive pictures, songs, and other greetings you must be extra alert to the hidden dangers of email attachments containing evil crap. As always, the best practice is don't click on any link you have doubts about and delete any attachments you were not expecting. Should you in error activate one of these evil things your anti-virus software should stop it. You do have anti-virus software, right?

Saturday, December 02, 2006

Quicktime movies phishing MySpace.com users through Internet Explorer

Quicktime .mov files have been exploited in order to, at least in part, launch phishing attacks against myspace.com patrons. The SpywareGuide Greynets Blog summarized it thus:

  1. A new Myspace worm
  2. Bad guys using HREF functionality available to Quicktime files
  3. Hacked websites hosting fake Myspace login details
  4. A pornographic website (linked to from various hacked profiles) that contains Zango content, as well as using a popunder to display more Zango videos.

More info is here and here.

Wednesday, October 18, 2006

Hardware Mayhem

First, it was promotional mp3 players from McDonald's Japan that contained a trojan; now it's some Apple Video iPods that shipped with a virus. So, the mantra you must repeat is, "Security is a process NOT a product." Best Practices? Be aware of the possibility of viruses, trojans, etc. appearing in all manner of places and have your defences (Anti-Virus, Firewall, Spyware killers, etc.) ready before you are infected.

Tuesday, August 01, 2006

McAfee Flaw

McAfee's whole slew of consumer products is at risk from a flaw that can expose information stored on Windows PCs. Information is here and here. Perhaps it's time to consider an alternative application such as AVG Free for virus protection?

Friday, July 21, 2006

MySpace.com + IE Flaw + Known Exploit = Chaos

It appears Internet Explorer is again being exploited by evil Windows Metafile (.WMF) images. Worse, these images reside on MySpace.com with its 50+ million users. This exploit quickly follows the most recent Microsoft Update, forcing drastic action from someone. An out-of-cycle patch from Microsoft or a third-party fix from a two-person shop in Guyana all works for me. Until a fix appears use an alternative browser such as Opera or Firefox.

MS PowerPoint Attachment Trouble

If you receive an email from an unknown Gmail address and it contains an MS PowerPoint presentation then delete it.

Wednesday, June 28, 2006

Word Macro Trojan

A new Trojan has been spotted arriving within a .zip file containing a Word document named my_Notebook.doc. While not that dangerous, your AV application should detect it. Best practice, of course, is to be instantly suspicious of unrequested Word files. Tell 'em plain text works just fine.

Tuesday, June 13, 2006

Yahoo! Worm on the Loose

A mass emailer is currently spreading through Yahoo! The worm is activated by simply opening the email message, thus making it quite dangerous. The subject line to watch for is: "[random word] New Graphic site". Yahoo is working on the problem. More info here.
Posted by Matthew Carrick at 10:52.07 AM EDT
Edited on: Monday, July 31, 2006 4:26.26 PM EDT
Categories: Privacy Issues, Security Alerts, Virus-Trojan-Worm Alerts

Wednesday, May 24, 2006

IM Worm Targets Yahoo Users

A worm dubbed yhoo32.explr is spreading across Yahoo's IM network. It forwards itself using the contact lists of people whose computers have already been infected. If installed it hijacks the browser home page steering the users to an evil site that attempts to load spyware.

Friday, May 19, 2006

W32/Ginwui.A Word Trojan

In these trying times why not try an alternative to Microsoft Word such as Openoffice.org?
Posted by Matthew Carrick at 11:02.33 PM EDT
Edited on: Saturday, May 20, 2006 9:33.12 PM EDT
Categories: Alternative Applications, Openoffice.org, Privacy Issues, Security Alerts, Virus-Trojan-Worm Alerts

Wednesday, May 17, 2006

Poker Players Beware!

If you downloaded RBCalc.exe as distributed by checkraised[dot]com then you have a rootkit on your system! Always check downloads before you make them to ensure they are safe.

Sunday, April 09, 2006

Winamp 5.13 Released

Nullsoft has released a new version of Winamp, version 5.13, that fixes a recent vulnerability. If you are using Winamp as your media player you should download and install this update.

Thursday, March 30, 2006

Flexispy.A Symbian 60 Trojan / Keylogger

This nasty little piece of work is actually a commercial product named Flexispy! It records information about voice calls and text messaging sessions. The information is sent to a company server where it can be viewed on the web. Now, I can imagine many scenarios where this type of application could be used in a positive manner but let's get realistic and assume it will be used for nefarious purposes. F-Secure has all the details.

Tuesday, March 28, 2006

Unofficial IE Patches Available

Since Microsoft has announced no patch would (likely) be available for the latest IE vulnerability until April 11, 2006, two patches, here and here, have been authored. Completely unofficially of course, but if folks must use Internet Explorer then best practise is to install one of these patches. This is not the first time folks have "stepped into the breach" to cover Bill's a**.

Monday, March 27, 2006

Internet Explorer Vulnerability Escalates

Reports state that over 200 legitimate websites have been infected with the source code of the latest Internet Explorer exploit. This means that even “safe” sites could potentially harvest data from your PC. Again, for now either disable IE's active scripting option or use any other browser.

Friday, March 24, 2006

Internet Explorer Vulnerability

Microsoft is reporting an unpatched flaw in Internet Explorer that could allow evil site owners to take over local machines. For now either disable IE's active scripting option or use any other browser such as Firefox or Opera.

Tuesday, February 28, 2006

Java Trojan RedBrowser-A Targets Cell Phones

Evildoers have created a Trojan that targets cell phones running Java. Found by Kaspersky Lab, this puppy infects any device capable of running Java applications. The text is only in Russian so far, so the chance of running into this outside of that country is small. The threat is that someone may reverse engineer it for other countries, so keep on your toes. This Trojan pretends to be a WAP browser offering free browsing via SMS messages. Since many companies the world over offer cheap or free SMS, the victim is tricked into believing they are able to browse the Web for free. In reality the trojan sends SMS messages to one specific number that will charge back a premium amount on the victim's cell phone bill. Best Practices circa 1878: If it sounds too good to be true it probably is. Best Practices circa 2006: If it sounds too good to be true Google it.

Tuesday, February 21, 2006

Mac Safari Browser Vulnerability

Secunia is reporting on a vulnerability in the Safari browser caused by an error in the processing of file association meta data (found in the "__MACOSX" folder) in .ZIP archives. This could cause users to execute a malicious shell script that has been renamed to a safe file extension stored in a .ZIP archive.

Worse, it can also be exploited automatically when Safari visits an evil web site.

Secunia has a test available to confirm if your system is vulnerable: http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The vulnerability can be lessened by disabling the "Open safe files after Downloading" option in Safari.

Friday, February 17, 2006

Mac OS X Bluetooth (Proof of Concept) Worm

When it rains it pours for you Macheads. F-Secure received a sample virus, Inqtana.A, that spreads via the Bluetooth OBEX Push vulnerability described here: http://www.osvdb.org/displayvuln.php?osvdb_id=16074. The exploit is not in the wild and will expire on February 24, 2006, but to be safe from this threat now and in the future you are advised to install the latest patches for your OS X version 10.4 ASAP.

Thursday, February 16, 2006

First Mac OS X Virus

The first virus for Mac OS X has been encountered today. Called OSX/Leap.A by F-Secure, the malware was posted via a link on the MacRumors forum. Supposedly a screenshot of Mac OS X v10.5 Leopard, the virus spreads through iChat.

It appears the victim must be running in Admin. mode to be infected. As with any OS, you should generally not be swanning around while in Admin. mode because of the risk of compromising your PC at the "root level" where all the important processes live. If these processes are taken over by rogue software you can lose complete control without even knowing it.

Do yourself a favour and make a new user on your Windows box with less than Admin. privileges before you go wandering off into the Interweb.

Saturday, January 21, 2006

Nyxem.e Email Worm Spreading Fast

This puppy is really spreading fast - over 500,000 PCs are likely infected and when the trojan's payload is released on the 3rd of February it could get much worse. Users need to practise safe emailing to avoid this and other nasties. F-Secure has the details here: http://www.f-secure.com/v-descs/nyxem_e.shtml.

Thursday, January 12, 2006

Norton SystemWorks Patch

Symantec has patched its Norton SystemWorks following the discovery of a security vulnerability. Users are advised to run LiveUpdate ASAP.

Thursday, January 05, 2006

WMF Exploit Official Microsoft Patch Available

Microsoft has released the official patch designed to close the WMF exploit. If you are running Microsoft Windows 2000 with Service Pack 4 download from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=AA9E27BD-CB9A-4EF1-92A3-00FFE7B2AC74. If you are running Microsoft Windows XP with Service Pack 1 or 2 download from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=0C1B4C96-57AE-499E-B89B-215B7BB4D8E9.

Wednesday, January 04, 2006

WMF Exploits via Email, Part 2

The latest email using the WMF exploit purports to come from Yale University. If the link within the email is clicked then the exploit launches. This evil site also attempts to exploit flaws found in older versions of Firefox - another reason to upgrade to the latest Firefox. Unless you are protected as previously outlined (here, here, here and here) you are screwed! Welcome to the Internet! Sheesh. Please add the following entries to your ever expanding hosts file:

  • playtimepiano[dot]home[dot]comcast[dot]net
  • 86[dot]135[dot]149[dot]130 # UDP
  • 140[dot]198[dot]35[dot]85:8080 # IRC
  • 24[dot]116[dot]12[dot]59:8080 # IRC
  • 140[dot]198[dot]165[dot]185:8080 # IRC
  • 129[dot]93[dot]51[dot]80:8080 # IRC
  • 70[dot]136[dot]88[dot]76:8080 # IRC

Please note that [dot] (above) should be replaced with .

Sunday, January 01, 2006

WMF Exploit Unofficial Patch

Tests performed on various machines protected by up to date Anti-virus applications have shown that they are almost powerless to stop this series of WMF exploits. On top of the previous best practices an unofficial patch has been released. Understand that Microsoft has no hand in this so if it breaks your OS you are on your own. Since Microsoft appears to not have a fix in the works for a long while this patch is likely a good move until an official fix is released.

Remember to first run the command "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotes) from START - RUN. Assuming you get the OK that the "Microsoft Picture and Fax Viewer" was successfully unregistered then run the patch found here: http://handlers.sans.org/tliston/wmffix_hexblog11.exe.

WMF Exploits via Email

The email's Subject line is: "Happy New Year" and the Body says: "picture of 2006". Included is an attached exploit WMF file named "HappyNewYear.jpg". When HappyNewYear.jpg is accessed (file opened, folder viewed, file indexed by Google Desktop) it executes and downloads a backdoor trojan from www[dot]ritztours.com. Please add this domain to your hosts file and make sure your anti-virus is up to date.

Thursday, December 29, 2005

Windows Metafiles (.WMF) Exploits Continue, Part 2

Microsoft has explained how to unregister the Windows Picture and Fax Viewer (Shimgvw.dll):

  1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
  2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

NOTE: The Windows Picture and Fax Viewer will no longer open when you click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps:

  1. Click Start, click Run, type "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
  2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

Wednesday, December 28, 2005

Windows Metafiles (.WMF) Exploits Continue

It appears the real-time indexing of metafile data by the Google Toolbar is enough to trigger the exploit payload. For now you should disable this indexing of media files until Microsoft issues a patch.

You should also add the following sites to your hosts file:
  • Crackz.ws
  • unionseek.com
  • www.tfcco.com
  • Iframeurl.biz
  • beehappyy.biz

There is no "MSN Messenger 8 Working BETA" !

So don't be clicking those links to download a copy even if the Instant Message comes from a friend. Especially if that friend is not as security aware as you. All you MSN Messenger users read this: http://www.infoworld.com/article/05/12/27/HNmicrosoftvirkelvirus_1.html and this: http://www.f-secure.com/weblog/archives/archive-122005.html#00000751.

Windows Metafiles (.WMF) Exploits

You might add unionseek[DOT]com to your hosts file. The site is using images, specifically .WMF files (Windows Metafiles), to carry a payload of trojans. Internet Explorer is vulnerable; older versions of Firefox and Opera are also at risk but at least they prompt users before they launch external applications ("Windows Picture and Fax Viewer") to view the image. F-Secure has the details here: http://www.f-secure.com/weblog/archives/archive-122005.html#00000752. The first I saw of it was at The Register: http://www.theregister.co.uk/2005/12/28/messenger_virus/.
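The hosts-file advice in this entry, in "Windows Metafiles (.WMF) Exploits Continue" and in "WMF Exploits via Email, Part 2" can be scripted. The Python below is an added example, not the blog's own code: it refangs the [dot] notation, skips names already in the hosts file, and sets aside the bare-IP and IP:port entries, which a hosts file cannot block (it maps names to addresses, not the other way round), for a firewall rule instead. The 0.0.0.0 sink address and the sample hosts text are assumptions; the entries list is taken from the page.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Address the blocked names are pointed at. 0.0.0.0 is a common sink choice
# (127.0.0.1 also works); this is an assumption, the blog does not specify one.
SINK_ADDRESS = "0.0.0.0"

_DEFANG_RE = re.compile(r"\[dot\]", re.IGNORECASE)   # the page's [dot] / [DOT]
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample hosts file, standing in for the real one on a Windows box.
SAMPLE_HOSTS = """# Hosts file (constructed sample)
127.0.0.1       localhost
0.0.0.0         unionseek.com   # added after the first WMF entry
"""

# Entries as the blog lists them, defanged and with the page's inline notes.
PAGE_ENTRIES = [
    "playtimepiano[dot]home[dot]comcast[dot]net",
    "86[dot]135[dot]149[dot]130 # UDP",
    "140[dot]198[dot]35[dot]85:8080 # IRC",
    "24[dot]116[dot]12[dot]59:8080 # IRC",
    "140[dot]198[dot]165[dot]185:8080 # IRC",
    "129[dot]93[dot]51[dot]80:8080 # IRC",
    "70[dot]136[dot]88[dot]76:8080 # IRC",
    "Crackz.ws",
    "unionseek[DOT]com",
    "www.tfcco.com",
    "Iframeurl.biz",
    "beehappyy.biz",
    "www[dot]ritztours.com",
]


def refang(entry: str) -> str:
    """Turn 'www[dot]example[dot]com # note' into 'www.example.com'."""
    entry = entry.split("#", 1)[0]          # drop trailing '# IRC' style notes
    entry = _DEFANG_RE.sub(".", entry)
    return entry.strip().strip(".").lower()


def classify(entry: str) -> Tuple[str, str]:
    """Return (kind, value) where kind is 'host', 'ip' or 'invalid'.

    A bare IP, with or without a :port suffix, is a valid indicator but not
    something a hosts file can block, so it is reported for the firewall.
    """
    value = refang(entry)
    if not value:
        return "invalid", entry
    addr, _, port = value.partition(":")
    try:
        ipaddress.ip_address(addr)
        return "ip", value
    except ValueError:
        pass
    if port or not _HOSTNAME_RE.match(value):
        return "invalid", entry
    return "host", value


def existing_hosts(hosts_text: str) -> set:
    """Collect every name already mapped in a hosts file (comments ignored)."""
    names = set()
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:                 # '<address> <name> [<alias> ...]'
            names.update(p.lower() for p in parts[1:])
    return names


def build_update(hosts_text: str, entries: List[str]) -> Dict[str, List[str]]:
    """Lines to append to the hosts file, plus the entries needing other handling."""
    present = existing_hosts(hosts_text)
    result = {"append": [], "already_present": [], "firewall_only": [], "invalid": []}
    for entry in entries:
        kind, value = classify(entry)
        if kind == "host":
            if value in present:
                result["already_present"].append(value)
            else:
                result["append"].append(f"{SINK_ADDRESS} {value}")
                present.add(value)          # no duplicate lines within one run
        elif kind == "ip":
            result["firewall_only"].append(value)
        else:
            result["invalid"].append(value)
    return result


if __name__ == "__main__":
    update = build_update(SAMPLE_HOSTS, PAGE_ENTRIES)
    print("\n".join(update["append"]))
    print("already present:", update["already_present"])
    print("block at the firewall instead:", update["firewall_only"])
```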

Thursday, December 22, 2005

IM Trojan on the Loose

Various reports, including this one: http://news.zdnet.com/2100-1009_22-6002790.html, have a new Instant Messaging trojan being sent to AOL, MSN and Yahoo users. The link, to some lame Santa whats-it, also installs a rootkit on users' Windows PCs. The links arrive from people on users' "buddy lists" so folks are not as suspicious as they might otherwise be. Remember to never click, download, accept attachments, etc. unless you have been informed before the fact that they are on the way.

Wednesday, December 14, 2005

Fake McAfee Site via Email Links

F-Secure has reported instances of fake emails from McAfee with links that point to a bogus site with downloads that contain viruses. Applications do not update themselves by having their parent company send emails encouraging users to visit sites. Be aware what software is installed on your PC. Determine which of these update automagically and keep a grip on which URLs correspond to which websites. If in doubt do not click that link! Never respond to unsolicited emails.

Wednesday, December 07, 2005

IM Worm 'Chats' to Victims

CNET is reporting a new worm that tricks users of America Online's Instant Messenger into downloading a .pif file containing a trojan that does the usual evil things. The worm, IM.Myspace04.AIM, appears to respond to keywords. Doubtful people asking about possible viruses are assured, "lol no its not its a virus". If this trend continues (oh, it will) make sure you only chat with known users and DO NOT download files unless you have up-to-date anti-virus, etc. on your Windows machine. You might also want to try using the GAIM IM client.
Posted by Matthew Carrick at 12:37.09 PM EST
Edited on: Thursday, December 22, 2005 8:36.52 AM EST
Categories: Alternative Applications, Instant Messaging, Security Alerts, Virus-Trojan-Worm Alerts

Sony Rootkit Patch

SunnComm Makes Security Update Available To Address Recently Discovered Vulnerability On Its MediaMax Version 5 Content Protection Software, Which Is Included On Certain SONY BMG CDs

The full scoop is here: http://www.eff.org/news/archives/2005_12.php#004234. Sony has finally (it appears) got the message that rootkits are bad. Check the end of the article to determine whether you have any of the affected titles and, if so, download and apply the patch.

Thursday, November 24, 2005

More on Sober.Y virus

An excellent overview with links is available from the BBC: http://news.bbc.co.uk/1/hi/technology/4466016.stm


Below is a (probably partial) list of subject lines associated with this virus:
  • You visit illegal websites
  • Your IP was logged
  • Your_Password
  • Registration Confirmation
  • Your Password
  • Mail delivery failed
  • smtp mail failed
  • hi,_ive_a_new_mail_address
  • Account Information
  • Ihr Passwort
  • Mailzustellung wurde unterbrochen
  • SMTP Mail gescheitert
  • Ermittlungsverfahren wurde eingeleitet
  • Sie besitzen Raubkopien
  • RTL: Wer wird Millionaer
  • Paris Hilton & Nicole Richie

Tuesday, November 22, 2005

Beware the Sober.Y virus

Beware of emails purporting to come from official security agencies such as the FBI, CIA or the German BKA. Like the previous Sober variants, this one sends itself as a ZIP archive attached to email messages with English or German text. All the details are here: http://www.f-secure.com/v-descs/sober_y.shtml.

Never open unexpected attachments. Always have an updated anti-virus installed.

Posted by Matthew Carrick at 8:47.21 PM EST | Permanent Link
Edited on: Thursday, November 24, 2005 8:27.51 AM EST
| Categories: Best Practices, Security Alerts, Virus-Trojan-Worm Alerts

Sunday, November 13, 2005

MS to Remove Sony Rootkit via Anti-Spyware & Malicious Software Removal Tool

Microsoft has decided that the Sony rootkit poses a threat to its operating systems. Future updates to the Microsoft AntiSpyware application and the now regularly updated Malicious Software Removal Tool will contain the signatures required to remove the truly evil Sony rootkit. Thanks Bill!

Thursday, November 10, 2005

Trojans Using Sony Rootkit

Those dumbasses at Sony can thank themselves now that the first and second trojans have been found in the wild; both use the oft-mentioned rootkit to hide themselves, the exact thing Sony claimed would not happen. The details from F-Secure are here: http://www.f-secure.com/v-descs/breplibot_c.shtml. This is a good time to remind you to make sure you have the usual precautions in place: updated anti-virus, a properly configured firewall and some common sense.

Tuesday, November 08, 2005

Sony Rootkit UNinstaller Almost Worse than Rootkit!

According to Mark Russinovich of Sysinternals.com (the chap who initially discovered the menace), the uninstaller merely has XP issue the Windows command "net stop" to disable the driver. This inept handling can, and has, caused XP to crash. Thomas Hesse, President of Sony BMG's global digital business division, has explained it all: "Most people, I think, don't even know what a rootkit is, so why should they care about it?" Right. I don't know what Sony stock is either, so why should I care if it drops like a rock? Check out the story at The Register here: http://www.theregister.co.uk/2005/11/09/sony_drm_who_cares/ and don't miss the link to the NPR interview with the clueless Sony Prez.

Friday, September 23, 2005

First Symbian Trojan Targeted at the PC

A report from F-Secure details the first known attempt to get a virus onto a PC from a mobile phone's memory card. While it seems unlikely to cause damage (read why here: http://www.f-secure.com/weblog/#00000659) this is still something to take note of for the future. Remember: security is an ongoing process; you must be aware at all times of the potential for mischief in seemingly unrelated items. Because, cough, Better Safe Than Sorry, cough.

Tuesday, August 30, 2005

Windows Registry Flaw

A recently discovered flaw in the Windows registry concerns its handling of long string names. A malicious program could hide itself in a registry key by creating a string value with a very long name, which keeps it from being displayed. Entries added afterwards would also remain obscured, so the horror could escalate. According to Secunia the vulnerability affects Windows XP and Windows 2000 even when fully patched. A detection tool can be found here: http://isc.sans.org/LVNSearch.exe
Posted by Matthew Carrick at 11:52.58 AM EDT | Permanent Link
Edited on: Tuesday, August 30, 2005 12:39.13 PM EDT
| Categories: Adware/Spyware Alerts, Software Tools, Virus-Trojan-Worm Alerts

Friday, August 26, 2005

Srv.SSA-KeyLogger

If you still use Internet Explorer to surf the 'Net you may be at risk of handing over private information about sites you visit such as PayPal or your online bank. Sunbelt Software has discovered a keylogger that can be installed merely by visiting an evil web site where a "drive-by download" occurs. The infection opens a backdoor on the system, harvests usernames and passwords and sends them off to a repository. Some 30,000 individuals have already been victimized. Sunbelt has offered a detection tool. Please consider an alternative browser such as Firefox or Opera as a way to prevent this type of threat in the future.

Thursday, August 18, 2005

Adobe Acrobat Security Alert

Both Acrobat and Acrobat Reader have a flaw that allows a malicious .pdf file to cause a buffer overflow. The resulting crash could allow malicious code execution. Affected versions are Reader and Acrobat 5.1, 6.0 to 6.0.3, and 7.0 to 7.0.2. Update to the latest version NOW, either with the auto-update feature built into the software or by visiting Adobe.

Bot Battles !

When a trojan opens up a security hole in a computer it is very likely that other trojans will exploit it. This is what has happened with the Zotob IRC trojan: at least four other trojans, broken into two teams, are attempting to kill Zotob. F-Secure has a "high-tech illustration" that explains the bot grudge match.

Tuesday, August 16, 2005

What You Should Know About Zotob

Microsoft has released several tools to check for and eliminate the Zotob worms now infecting Windows 2000 computers.

Monday, August 15, 2005

Zotob.A & Zotob.B Target W2K

Those of you still running Windows 2000 need to be aware of two nasty new worms named Zotob.A and Zotob.B. The worm connects to an IRC channel at a predefined address, allowing attackers to, among other things, request system information and download and execute files. It also edits the hosts file to block access to numerous security-related sites.
The patch for the vulnerability it exploits has only been available for five days. Keeping abreast of critical security flaws and patching them quickly is your best defence. Never put off a security re-boot until tomorrow - it may be too late.
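The hosts file cuts both ways on this page: it is a defence (the unionseek[DOT]com entry suggested in the December 28 entry above) and a target (Zotob blackholing security sites through it). Below is an added example, not code from this blog, that checks a hosts file for vendor sites redirected to loopback, lists every non-local name that has been sinkholed for review, and adds a block entry without duplicating one that already exists. The vendor domain list and the sample hosts contents are constructed for the demonstration; on a real Windows box you would read C:\Windows\System32\drivers\etc\hosts instead.

```python
"""Hosts-file hygiene: add a block entry, and spot worm-style hijacks.

This is an added example, not code from the original blog posts. The vendor
domain list and the sample hosts contents below are constructed for the demo.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a hosts file after a Zotob-style worm has edited it:
# two security/update sites are pointed at loopback so they can't be reached.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       update.microsoft.com
0.0.0.0         unionseek.com   # our own block entry
"""

# Sites worms commonly blackhole (assumed list; add your own AV/update hosts).
SECURITY_VENDOR_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "www.mcafee.com",
    "update.microsoft.com", "windowsupdate.microsoft.com",
    "www.f-secure.com", "www.trendmicro.com",
}

# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for the loopback/unspecified addresses used to blackhole a name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text: str, watched=SECURITY_VENDOR_DOMAINS) -> Dict[str, str]:
    """{hostname: ip} for every watched vendor site the hosts file redirects."""
    return {name: ip for ip, name in parse_hosts(text) if name in watched}


def sinkholed_names(text: str) -> List[str]:
    """All non-local names mapped to a sinkhole address, for manual review.
    Your own block entries show up here too; that is the point of the review."""
    return sorted({name for ip, name in parse_hosts(text)
                   if is_sinkhole(ip) and name not in LOCAL_NAMES})


def add_block_entry(text: str, hostname: str, sink: str = "0.0.0.0") -> str:
    """Append a block entry for hostname unless one already exists (idempotent)."""
    hostname = hostname.lower()
    if any(name == hostname for _ip, name in parse_hosts(text)):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{sink}\t{hostname}\n"


if __name__ == "__main__":
    # On Windows the real file is C:\Windows\System32\drivers\etc\hosts
    # (editing it needs administrator rights); here we use the sample text.
    print("hijacked:", find_hijacks(SAMPLE_HOSTS))
    print("sinkholed:", sinkholed_names(SAMPLE_HOSTS))
    print("already blocked:", add_block_entry(SAMPLE_HOSTS, "unionseek.com") == SAMPLE_HOSTS)
```

Run it against the sample and it reports www.symantec.com and update.microsoft.com as hijacked; a hosts file that maps any anti-virus or update site to 127.0.0.1 or 0.0.0.0 is a reliable sign the machine is already compromised, so treat that as an incident rather than just deleting the lines.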

Tuesday, August 09, 2005

New Symbian Trojan

What would you do if the new application you just copied to your Symbian cell phone caused the fonts to disappear? Well, if you insist on visiting dodgy sites to download pirated software you may soon have real-world experience of the issue. A new trojan named SymbOS/Blankfont.A is waiting for you at a warez site now!

Today's lessons learned:
  • Never install an application on any device unless you have searched the Internet and come up blank on horror stories.
  • Do not use pirated software.
  • Stay away from sites that have evil intent or conduct illegal activities.

Friday, August 05, 2005

Windows 2000 Flaw

Uh-oh. Windows 2000 has been found to have a flaw in one of its core components that may be exploited to launch worms and other nasties. Since Microsoft is no longer supporting this OS for casual users, this is a problem. Now may be a real good time for you holdouts to drop a buck and upgrade to XP. Or take your chances and wait until 2006 when the new Vista OS debuts. What do you want to bet that Bill won't allow upgrades from 2000 to Vista? Uh-oh . . .
Posted by Matthew Carrick at 8:41.49 AM EDT | Permanent Link
Edited on: Friday, August 05, 2005 8:45.56 AM EDT
| Categories: Security Alerts, Virus-Trojan-Worm Alerts

Thursday, July 21, 2005

New worm poses as iTunes

A new worm, WORM_OPANKI.Y, is spread through AOL IM by using the name iTunes to trick users into running it on their machines. The fact that this is an *.exe file should warn people that it could be dangerous, but it appears the clueless still click on and on and on . . .
Posted by Matthew Carrick at 10:54.01 AM EDT | Permanent Link
Edited on: Thursday, July 21, 2005 10:55.06 AM EDT
| Categories: Instant Messaging, Security Alerts, Virus-Trojan-Worm Alerts

Saturday, June 11, 2005

Jacko Suicide Email is Trojan

Don't be fooled by this email message. The linked site will attempt to download a trojan to your PC. If you use an unpatched version of Internet Exploder you may then be unwittingly enlisted into a bot network - oooh, scary.

So, don't click on links in email from people you don't know, don't use Internet Exploder, or if you must, make sure you have the latest security hotfixes applied, and always have a recently updated anti-virus application running in case you manage to infect yourself anyway.
Posted by Matthew Carrick at 8:47.42 AM EDT | Permanent Link
Edited on: Wednesday, July 20, 2005 6:24.50 PM EDT
| Categories: Security Alerts, Virus-Trojan-Worm Alerts

Monday, April 11, 2005

Fake Windows Update Emails

Emails sent by evildoers claiming to come from "Windows Update" and including subject lines such as "Update Your Windows Machine", "Urgent Windows Update", and "Important Windows Update" are false.

Clicking on these links will send users to a bogus website posing as Microsoft's official website for critical security patches.

If users try to download updates from the website they are infected by the Troj/DSNX-05 Trojan horse, which allows hackers to take remote control of the infected PC.

Microsoft NEVER sends emails of these types. Always use the "Windows Update" link from the Start button.
Posted by Matthew Carrick at 9:41.20 PM EDT | Permanent Link
Edited on: Wednesday, July 20, 2005 5:25.17 PM EDT
| Categories: Virus-Trojan-Worm Alerts
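The fake McAfee mails (December 14, 2005, above) and these fake Windows Update mails both depend on a link whose visible text says one thing while its href goes somewhere else. The following is an added example, not code from this blog, that pulls the links out of an HTML message and flags three tells: visible text that looks like a host but does not match the real target, a bare IP address as the target, and a vendor name in the link text that leads off that vendor's own domain. The sample message and the brand table are constructed; the eTLD+1 helper is deliberately crude (last two labels) and is only good enough for the brands in the table.

```python
"""Flag links in an HTML e-mail whose visible text disagrees with the real target.

Added example, not code from the original posts. The sample message and the
brand table are constructed; extend the table with the vendors you care about.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed lure in the style of the fake "Windows Update" / McAfee mails.
SAMPLE_HTML = """
<p>Urgent Windows Update: install the critical patch now.</p>
<a href="http://192.0.2.10/update/patch.exe">http://windowsupdate.microsoft.com</a><br>
<a href="http://mcafee-security-update.example/download">www.mcafee.com</a><br>
<a href="https://www.microsoft.com/">Microsoft home page</a>
"""

# brand keyword in the link text -> domain the link should really be on (assumed)
TRUSTED_BRANDS = {"microsoft": "microsoft.com", "mcafee": "mcafee.com"}

_HOSTLIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href,
                               "text": " ".join("".join(self._text).split())})
            self._href = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): good enough for the brands above."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_links(html: str) -> List[Dict[str, str]]:
    """Return the suspicious links with the reason(s) each was flagged."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for link in collector.links:
        target = (urlsplit(link["href"]).hostname or "").lower()
        text = link["text"]
        reasons = []
        # 1. Vendors don't ship patches from a bare IP address.
        if _IPV4.match(target):
            reasons.append("target is a bare IP address")
        # 2. Text that looks like a URL/host but leads to a different site.
        shown = _HOSTLIKE.match(text)
        if shown and registrable(shown.group(1)) != registrable(target):
            reasons.append(f"text shows {shown.group(1)} but target is {target or '?'}")
        # 3. Brand name in the text, target not on the brand's own domain.
        for keyword, domain in TRUSTED_BRANDS.items():
            if keyword in text.lower() and registrable(target) != domain:
                reasons.append(f"mentions {keyword} but target is {target or '?'}")
        if reasons:
            findings.append({"href": link["href"], "text": text,
                             "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_HTML):
        print(finding["href"], "<-", finding["text"], "::", finding["reasons"])
```

On the sample the first two links are flagged and the genuine Microsoft link is not. The same check is what you do by hand when you hover over a link and read the status bar; the script just does it for every link in the message before anyone clicks.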

Tuesday, April 05, 2005

Mabir.A Virus Spread Via SMS & MMS

This virus listens for SMS or MMS messages arriving at the phone. When a message arrives, Mabir.A sends itself as an MMS message to the sending phone number, thus posing as a reply to the message that was sent to the infected phone.

This virus also spreads via Bluetooth.
Posted by Matthew Carrick at 11:45.15 AM EDT | Permanent Link
Edited on: Wednesday, July 20, 2005 5:28.11 PM EDT
| Categories: Bluetooth, Mobile, Virus-Trojan-Worm Alerts

Saturday, February 19, 2005

Cabir Mobile Phone Virus Found in US

First it was in the Far East, now the United States, so we can assume it is only a matter of time before it appears in a Canadian city near you. If your cell phone has Bluetooth, disable it when you are not using it, and when you do enable it make sure it is set to hidden (undiscoverable) mode.
Posted by Matthew Carrick at 11:38.43 AM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 5:41.45 PM EDT
| Categories: Mobile, Virus-Trojan-Worm Alerts

Thursday, February 10, 2005

Future Threats

"I won't be in to work today . . . my pacemaker caught a virus from my Bluetooth headphones in my car and when I talk I sound like Ethel Merman on steroids so I, ah . . . gotta reboot."

Ack.
Posted by Matthew Carrick at 5:31.58 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 5:43.49 PM EDT
| Categories: Adware/Spyware Alerts, Best Practices, Bluetooth, Mobile, Security Alerts, Technology, Virus-Trojan-Worm Alerts

Thursday, February 03, 2005

Bropia Worm Spread Through MSN Instant Messenger

Remember, if you are using MSN Messenger then you are using Internet Explorer. Before you use any Instant Messaging Client you might consider first installing IMsecure.
Posted by Matthew Carrick at 11:20.31 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 5:54.16 PM EDT
| Categories: Alternative Applications, Security Alerts, Virus-Trojan-Worm Alerts

Saturday, January 22, 2005

New Virus Breaks Out

"Virus researchers at the U.K.-based security firm Sophos have identified a worm that takes its subject lines, message content and attachment names from headlines gathered in real-time from the CNN website. Named Crowt-A (W32/Crowt-A) the worm attempts to send itself by email to addresses found on infected computers."

Run away!!!
Posted by Matthew Carrick at 11:20.26 AM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 5:57.15 PM EDT
| Categories: Security Alerts, Virus-Trojan-Worm Alerts

Thursday, January 20, 2005

Bropia.A Worm via MSN Messenger

Oh-oh. Better use IMsecure.
Posted by Matthew Carrick at 6:12.04 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 5:57.34 PM EDT
| Categories: Security Alerts, Virus-Trojan-Worm Alerts

Tuesday, January 11, 2005

Hackers Tune In to Windows Media Player

This is why you should a) stay away from P2P (peer-to-peer) networks that distribute bootleg files and b) why you should be running a recently updated anti-virus program.
Posted by Matthew Carrick at 1:00.55 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:01.22 PM EDT
| Categories: Alternative Applications, Best Practices, Software Tools, Virus-Trojan-Worm Alerts

Thursday, December 30, 2004

New Phishing Trojan Attacks Windows XP

If you still use Internet Exploder, er, Internet Explorer then you should bend over, put your head between your knees and kiss your a*s goodbye because another trojan is coming for you - good luck.

Time for Firefox!
Posted by Matthew Carrick at 5:39.40 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:12.38 PM EDT
| Categories: Security Alerts, Virus-Trojan-Worm Alerts

New Cabir Variants are Spreading Fast

If the shiny new cell phone you received for X-mas has Bluetooth built in then you should set the phone to be "undiscoverable" to other devices. If you wish to be really safe then also shut off the Bluetooth function until you need it.
Posted by Matthew Carrick at 5:35.09 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:13.03 PM EDT
| Categories: Best Practices, Bluetooth, Mobile, Virus-Trojan-Worm Alerts

Saturday, December 25, 2004

New Windows Flaws

1) Do not accept email attachments arriving with .hlp files.
2) Read email in plain-text format only.

Got it? Good. Merry Christmas.
Posted by Matthew Carrick at 9:11.54 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:13.36 PM EDT
| Categories: Best Practices, Security Alerts, Virus-Trojan-Worm Alerts
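The .hlp attachments here, the iTunes-named *.exe (July 21, 2005) and the IM worm's .pif (December 07, 2005) are all the same lesson: look at the real extension, not the name. Below is an added example, not code from this blog, that normalizes a file name the way Windows does (strips any path, drops trailing dots and spaces, ignores case) and classifies it, catching the double-extension ("iTunes.mp3 .exe") and whitespace-padding tricks that hide the executable part from a user whose Explorer hides known extensions. The extension sets are assumptions to adjust for your environment; the sample names are constructed.

```python
"""Classify incoming file names (IM transfers, e-mail attachments) by risk.

Added example, not code from the original posts. The extension sets are
assumptions to extend for your environment; the sample names are constructed.
"""
import re
from typing import Dict, List

# Extensions Windows will execute (or open in a handler that runs code).
EXECUTABLE_EXTS = {
    "exe", "com", "pif", "scr", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "reg", "lnk", "hlp", "chm",
}
# Archives: not executable themselves, but Sober and friends ship inside one.
ARCHIVE_EXTS = {"zip", "rar", "cab", "7z"}
# Harmless-looking extensions used as bait in front of the real one.
DECOY_EXTS = {"mp3", "jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mpg", "avi"}


def normalize(name: str) -> str:
    """Strip any path and trailing dots/spaces (Windows drops them), lowercase."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(" .").lower()


def classify(name: str) -> Dict[str, object]:
    """Return a verdict (block / inspect / allow) and the reasons for it."""
    clean = normalize(name)
    parts = clean.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons: List[str] = []
    verdict = "allow"
    if ext in EXECUTABLE_EXTS:
        verdict = "block"
        reasons.append(f"executable extension .{ext}")
        # "iTunes.mp3      .exe": Explorer hides known extensions, so the user
        # sees a music file; the padding pushes .exe out of a narrow column.
        if len(parts) > 2 and parts[-2].strip() in DECOY_EXTS:
            reasons.append(f"decoy extension .{parts[-2].strip()} in front of .{ext}")
        if re.search(r"\s{3,}", clean):
            reasons.append("whitespace padding before the real extension")
    elif ext in ARCHIVE_EXTS:
        verdict = "inspect"
        reasons.append(f"archive .{ext}: list the contents before opening")
    elif ext == "":
        verdict = "inspect"
        reasons.append("no extension")
    return {"name": name, "verdict": verdict, "reasons": reasons}


def triage(names: List[str]) -> List[Dict[str, object]]:
    """Classify a batch of names, e.g. every attachment in a mailbox export."""
    return [classify(n) for n in names]


if __name__ == "__main__":
    # Constructed sample transfers/attachments.
    for result in triage(["iTunes.mp3          .exe", "Santa.pif ", "windows.hlp",
                          "holiday.jpg", "invoice.zip", "README"]):
        print(result["verdict"].upper(), repr(result["name"]), result["reasons"])
```

The verdicts are a triage aid, not a sandbox: an "allow" only means the name carries no obvious tell, and an archive still has to be opened and its contents run through the same check (plus your anti-virus) before anything inside it is launched.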

Tuesday, December 21, 2004

New Phishing Exploit via Internet Explorer Hole


The vulnerability lets an attacker display any Web site while the address bar in Internet Explorer displays a trusted Web address -- https://www.paypal.com, for example -- and even shows the icon indicating that Secure Sockets Layer security technology is in use, security researchers warned on Thursday.


The vulnerability lies in an ActiveX control in Internet Explorer and has been found to affect Version 6.0 of the browser running on Windows XP with Service Pack 2 and earlier versions, according to a Secunia advisory.
Posted by Matthew Carrick at 9:58.01 AM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:13.59 PM EDT
| Categories: Security Alerts, Virus-Trojan-Worm Alerts

Wednesday, December 15, 2004

Rogue/Suspect Anti-Spyware Products & Web Sites

The Spyware Warrior list of scumware passing itself off as anti-spyware. Before you download a new application to defend against adware, malware, etc., be sure to check a search engine or here to confirm the cure isn't worse than the disease.
Posted by Matthew Carrick at 11:31.11 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:17.20 PM EDT
| Categories: Adware/Spyware Alerts, Best Practices, Software Tools, Virus-Trojan-Worm Alerts

Trend Micro Mobile Security


Trend Micro™ Mobile Security is designed to protect data-centric mobile devices such as smartphones against viruses and short message service (SMS) spam. The integrated solution provides automatic, real-time scanning to protect wireless devices against malicious code and viruses on the Web or hidden inside files.

The software is free but expires on 30 June 2005.
Posted by Matthew Carrick at 10:57.46 AM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:18.05 PM EDT
| Categories: Mobile, Virus-Trojan-Worm Alerts

Thursday, December 02, 2004

Spyware Database Search

The folks at pestpatrol.com offer a searchable database of thousands of software applications, both free and commercial, that contain spyware, adware, malware, tracking cookies, dialers, homepage changers, etc.

So before you download that neat new program you found check this site and confirm that you won't infect your system.

You would also be wise to check several popular search engines for the name of the software together with the word spyware. If the search returns indications of weirdness, perhaps you had better not download it.
Posted by Matthew Carrick at 4:59.34 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:22.07 PM EDT
| Categories: Adware/Spyware Alerts, Best Practices, Software Tools, Virus-Trojan-Worm Alerts

Tuesday, November 30, 2004

Skulls Trojan horse carries Cabir.B cellphone worm

Always a good idea to turn off the Bluetooth discovery function on your cell phone unless you are actively seeking a connection - If not, your next connection may be one of these bad guys.
Posted by Matthew Carrick at 7:53.44 AM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:55.01 PM EDT
| Categories: Bluetooth, Mobile, Virus-Trojan-Worm Alerts

Thursday, November 25, 2004

Trojan Targets Symbian Handhelds

Symbian Series 60 users should be aware of a trojan found on shareware download sites, named "Extended Theme Manager" by "Tee-222". DO NOT install this on your phone.
Posted by Matthew Carrick at 12:30.56 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:55.43 PM EDT
| Categories: Best Practices, Bluetooth, Mobile, Virus-Trojan-Worm Alerts

Tuesday, November 09, 2004

MyDoom variant exploits IE flaw, again

All you suckers still using Internet Exploder are MyDoom(ed), again. Might I interest you in the new Firefox 1.0 release? The first .0 release I believe I ever grabbed right off the hop.
Posted by Matthew Carrick at 8:57.21 PM EST | Permanent Link
Edited on: Wednesday, July 20, 2005 6:58.16 PM EDT
| Categories: Best Practices, Mozilla Firefox, Security Alerts, Virus-Trojan-Worm Alerts