Virus Info

Microsoft OneCare Sees Gmail as BAT/BWG.A

Can you say Whoops?

Microsoft sure can, today users of Microsoft’s OneCare program were reporting that it was seeing Gmail as a virus, more specifically the BAT/BWG.A virus.

“I would like to confirm that this was a false positive and let you know that we pushed a fixed signature to Windows Live OneCare users today.

We will investigate how this false positive happened and take steps to minimize the risks of additional incidents.” ? Ziv Mador, response coordinator in the Microsoft Antimalware team. Source: Googling Google

One of the commenters noticed he was running as administrator, hehe, you can’t get stuff past anybody anymore can you?

1 comment - What do you think?  Posted by Jimmy Daniels - November 14, 2006 at 1:15 am

Categories: Google, Virus Info   Tags:

Authentium Circumvents the PatchGuard Kernel Protection

I’ve posted before about how security companies are up in arms about the new Windows PatchGuard protection from Microsoft that can block any application from accessing, or “hooking” Vista’s kernel commands, a technique utilized by vendors in sophisticated anti-tampering and behavior monitoring tools, and used by hackers in attacking computer systems with rootkits. Authentium says they have circumvented this feature using a loophole that allowed the operating system to support older hardware.

The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.

When a program of any kind attempts to modify the kernel on a system running PatchGuard, which is already available in 64-bit versions of Microsoft’s Windows XP OS, the computer produces a blue screen and stops all other Windows applications from running.

Authentium said its workaround allows it to access the kernel without incurring the shut-down.

The company specifically said that it is using an element of the kernel meant to help the OS support older hardware to bypass the feature. The loophole allows the company’s tools to infiltrate Vista’s kernel hooking driver, and get out, without the OS knowing the difference. Source: eWeek

Looks of good reading there, including more info on PatchGuard and links to other articles where security companies have taken Microsoft to task over it. One industry insider says he thinks McAfee and Symantec have already done this themselves, but are keeping the heat on for a different reason,

At least one industry watcher believes that Symantec and McAfee have developed methods of their own for working with, or circumventing, PatchGuard, and contends that the firms have only kept the heat on Microsoft over the feature to keep antitrust regulators alert to Microsoft’s continued push into their territory.

Which makes sense, they have to protect their bread and butter. Alex Eckelberry from Sunbelt has posted a few articles on PatchGuard, but the one he posted today actually made a lot more sense than the other complaints I have seen from Symantec,

The lesson? We cannot predict how malware authors will work in the future, and that is one reason why PatchGuard is such a potentially dangerous technology.

PatchGuard creates a barrier to the kernel, against which security vendors (the major defensive bulwark for Microsoft) can’t get in to to help the operating system against an attack, at least without permission through APIs.

The ability of security companies to fully support the 64 bit Windows platform itself, a fact that Gartner’s Neil McDonald recently highlighted in his warning that if enterprises use HIPS technology, they should postpone deployment of Vista. After all, the APIs won?t even be available until 2008!

HIPS (which stands for Host Intrusion Prevention System), uses methods at the kernel to prevent certain types of attacks. HIPS is part of our Kerio line and it?s also part of other products out in the market. For example, our HIPS functionality helps protect against buffer overflow attacks, by watching for system functions being called from memory locations where they shouldn’t be called. As another example, our Kerio Server Firewall uses HIPS to provide application lockdown.

McAfee, Symantec and other companies, like Sunbelt, need this access. For Symantec, it?s around a number of technologies they’ve implemented at the kernel, including Tamper Protection, which prevents hackers from attacking Symantec products themselves. For us, it’s around HIPS, but it could also affect other technologies that we are developing.

Now, every other article I have read on PatchGuard and these security companies, and I could have missed a bunch I am sure, has just pretty much been whining about how Microsoft won’t allow use access to the kernel, this is the first good explanation of why they need this access. If some new threat, remember Code Red, comes out that requires access to the kernel to prevent it, then these security companies will have to ask Microsoft for an API to the kernel, where, before they could have just added the extra functionality. And we all know how long it takes Microsoft to issue patches, what will they do if a new threat comes out, will they help security vendors fix it, or will they try to fix it themselves?

1 comment - What do you think?  Posted by Jimmy Daniels - October 25, 2006 at 3:50 pm

Categories: Microsoft News, Security, Software, Virus Info   Tags: , , , , , , ,

Windows Live OneCare Beta v1.5

The Windows Live OneCare Beta 1.5 begins today, download herecourtesy of Neowin.net.

OneCare is a automatically self-updating PC care service that?s always on, helping provide persistent protection against viruses, hackers, and other threats, and helping keep your PC tuned up and your important documents backed up.

1 comment - What do you think?  Posted by Jimmy Daniels - October 9, 2006 at 11:42 pm

Categories: Security, Spyware Info, Virus Info   Tags:

IE7 Immune to VML Exploit

In testing on a couple different blogs, IE7 has proven to be immune to the vml exploit currently making the rounds. Ed Bott says Vista passes one security test,

Now, it’s important to note that the developers of IE7 clearly had no idea that this vulnerability existed in IE6. But their development process managed to block this particular exploit right out of the box, and the additional layers of security provided important clues that this page was potentially dangerous.

Sandi Hardmeier at Spyware Sucks says Important – IE VML Vulnerability – IE7 is immune and as a matter of fact says it has been immune to almost all the other vulnerabilities that have come out since its realease.

And the IE team says, “…With the exception of a very short list of issues we’re aware of and working on, we think the product is done…. Depending on your feedback, we may post another release candidate. We?re still on track to ship the final IE7 release in the 4th calendar quarter.”

Sounds like this may be as good of a time as any to read the release notes and upgrade to IE7, but be warned, there are still some software issues with other programs.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 26, 2006 at 2:08 am

Categories: IE7, Internet Explorer, Security, Virus Info   Tags: , ,

MS Messenger Block on Pif Files is Case Sensitive

Recently, Microsoft blocked the spreading of Trojans on the Messenger network by blocking .pif files, two out of the three viruses at the time were using .pif files to spread themselves. How did that work?

Not too Good!

Apparently, all the hackers had to do was change the extension to .PIF, or .Pif or .pIf, and the filters let the messages flow on through.

Each of the links lead to a different Trojan-downloader. The downloaders download a variety of adware and adware-related Trojans.

Moreover, IM-Worm.Win32.Licat.c is also downloaded, which in turn launches a new mass mailing of the original message. Nothing unusual, right?

Wrong! Both worms spread using links to .PIF files. But some of you might remember that Microsoft blocked messages containing “.pif”?

Yes they have, but… the MS block is case sensitive!

So the criminals used capital letters, “.PIF” and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.

We have notified Microsoft of this and hope they take the necessary actions. In the meantime, users and admins should beware. Source: Analyst’s Diary via Security Fix

One of the best solutions for all instant messaging users is to only allow people on your buddy list to send you messages, while this wont block the viruses that your friends contract, it will at least block the ones from EVERYONE else. Then you still have to decide whether you really want to click on these links at all, it would probably be safest to message them back real quick and ask what it is, if they don’t know what link you are talking about, then they probably have a virus. As always, update your anti-virus, scan for spyware frequently and lets be careful out there.

Update: According to their weblog, here, MSN has fixed the problem with the different pid extensions working.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 25, 2006 at 11:59 am

Categories: Adware, Security, Virus Info   Tags: , ,

Browsershield Built to Block Malicious Code in Webpages

Microsoft has been working on a new project to help Internet Explorer block malicious code that’s hidden on webpages, one that will show a harmless version of the webpage instead. It’s called Browsershield and its just one of many security related products coming from Microsoft. From Neowin,

The BrowserShield project, the brainchild of Helen Wang, a project leader in Microsoft Research’s Systems & Networking Research Group, and an outgrowth of the company’s Shield initiative to block network worms could one day even become Microsoft’s answer to zero-day browser exploits such as the WMF (Windows Metafile) attack that spread like wildfire in December 2005.

“This can provide another layer of security, even on unpatched browsers,” Wang said in an interview with eWEEK. “If a patch isn’t available, a BrowserShield-enabled tool bar can be used to clean pages hosting malicious content.” BrowserShield, described by Wang as a tool for deleting embedded scripts before a Web page is displayed on a browser, can inspect and clean both static and dynamic content. Dynamic content has become a popular vector for Web-borne malware attacks of late, security experts have said.

We basically intercept the Web page, inject our logic and transform the page that is eventually rendered on the browser,” Wang said. “We’re inserting our layer of code at run-time to make the Web page safe for the end user.” If the prototype is eventually folded into a Microsoft product, it could also protect against drive-by attacks that target flaws in IE, which is used by approximately 90 percent of Web surfers worldwide. BrowserShield is one of many security-related projects coming out of Microsoft Research.

This sounds pretty cool, until it starts messing up my webpages. ;) Anything that can block some of this crap these losers put out there on the web, is fine with me. More info from Microsoft Research.

“This transformation logic,” Wang says, “can be injected at a firewall, as a browser extension, or by Web publishers.”

Dunagan provides an enthusiastic elaboration.

“That’s something that we both think is really, really nice about this,” he says. “It’s something where ISA can help protect all the people within a corporation, or it can be something where MSN Search makes it so that any of the cached Web pages that you can see on their site cannot contain these exploits; they can help protect everybody who is going to MSN Search to look at these things. There are two different value propositions, and they appeal to many people.”

Some search engines have been trumpeting something called “safe search,” which amounts to a blacklist of known malicious sites.

“BrowserShield can enable a much more powerful way of doing this safe search,” Wang states. “Basically, even for a malicious site that is not already blacklisted, BrowserShield can help prevent it from doing known bad things, such as exploiting a vulnerability of a browser.”

The technology, similarly, can deliver security-enhanced browsing.

“Say there’s a zero-day browser exploit,” Wang says. “At a particular time, a patch might not be available. But in the meantime, we can allow users to browse through a BrowserShield-enabled toolbar. Users would then be able to type URLs into the toolbar rather than in the usual address bar. This allows all Web sites to be sanitized by the BrowserShield toolbar and enables a safe browsing experience.”

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 5, 2006 at 11:44 pm

Categories: Internet Explorer, Security, Spyware Info, Virus Info   Tags: , ,

Yahoo Contains Yamanner Worm

Yahoo says that it has contained the “Yamanner” Worm, a malicious program targeting the millions of people using their email service. The worm infected anyone who opened the email and the worm then scanned that users contact lists for email addresses with the yahoo.com and yahoogroups.com domains. Yahoo said that a very small fraction of it’s userbase was infected and steps have already been taken to protect their users and that nothing needs to be done by any yahoo users as the fix has already been distributed to all Yahoo Mail customers. Yahoo also advised users to update their antivirus programs and to block all incoming emails from av3(at)yahoo.com. Nothing was said about wether the infected users needed to do anything else or not, but updating antivirus programs and scanning their computers should take care of it.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - June 14, 2006 at 12:24 am

Categories: Tech News, Virus Info   Tags:

Mcafee Launches Apple VirusScan

Windows is still the whipping dog, with the largest market share, but more and more attention is being paid to Apple and their security problems, no matter how small. These will be taken more advantage of as their userbase increases. Not because people want to do Apple like they do Microsoft, it will be purely monetary concerns I am sure. As more people use Apple, the bigger the money made from maleware, spyware, etc.

McAfee has launched a Mac security product, saying that Apple Computer’s OS X is “just as vulnerable” as other operating systems are to targeted attacks.

The antivirus vendor introduced McAfee VirusScan for Mactel on Friday. To back up its statement, McAfee cited the release in March of a patch that fixed 20 vulnerabilities in OS X. A proof-of-concept worm that targeted the OS X platform was also discovered earlier this year.

“Historically, Microsoft has been targeted because it has had dominant market share. As there are more Apple users (in the future), more threats will appear,” Sal Viveros, a security expert at McAfee, told ZDNet UK. Source: News.com

Be the first to comment - What do you think?  Posted by Jimmy Daniels - May 7, 2006 at 1:25 pm

Categories: Virus Info   Tags: ,

Internet Security Threat Report and How to Avoid Most Threats

Symantec has released the latest copy of their Internet Security Threat Report, and, not surprisingly, the nature of the threats are becoming more economical in nature. As more and more criminal activity moves to the web, it will just keep getting worse and worse, it’s too easy for people to take advantage of other people in today’s internet, I can make a fake email right now for paypal and spam it around the internet and probably have people’s login details the first day, and I’ve never, ever done anything like that before, that’s how easy it is. It’s way to easy to fashion a piece of spyware as well, distribute it through security holes and other bad websites across the web and be knocking down great money in no time.

The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, and future trends. The latest report, released March 7, is now available.

This volume of the Internet Security Threat Report offers an overview of threat activity that took place between July 1 and December 31, 2005. In this edition, the new threat landscape is shown to be increasingly dominated by attacks and malicious code that are used to commit cyber crime, criminal acts that incorporate a computer or Internet component. Attackers have moved away from large, multipurpose attacks on network perimeters and toward smaller, more focused attacks on client-side targets.

The threat landscape is coming to be dominated by emerging threats such as bot networks and customizable modular malicious code. Targeted attacks on Web applications and Web browsers are increasingly becoming the focal point for cyber criminals. Whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud, for financial gain.

Over the last six months of 2005, Symantec detected an average of 1,402 Denial of Service (DoS) attacks per day. This is an increase of 51 percent from the first half of 2005, when Symantec detected an average of 927 DoS attacks per day. Source: Symantec.

I wish I could teach everyone how to use the internet in one big session, but I’ll try to do as many here as I can.

1) Never, ever click on any links in your emails, like the ones you get from eBay and paypal, etc, always type it in the address bar in internet explorer or fire fox, or whatever browser you are using. It’s way to easy to make a fake email that looks like it came from paypal, you click on a link and try to login to a website that looks like paypal, and they have your paypal info right then and can start spending your money immediately.

2) You can see exactly where a link goes on any webpage, all you have to do is hold down the mouse button when you click on a link, and you can see where the link goes in the bottom of internet explorer, if you want to go there, simply release the button, if you don’t, keep the button held down and slide your mouse away from the link, and it will not cause the click to happen.

3) Nothing is free on the internet, it will cost you in some way. Most, not all, but most, free screensaver sites load some form of adware or spyware if it doesn’t cost you anything to purchase it. A lot of game sites, and celebrity sites will do the same thing, as they have to pay for all the bandwidth they are using.

4) When installing software, there is always a license agreement, read it. I know, I know, no one reads these things, but at least scan through them as they are supposed to list in it if they install any other software.

5) Do NOT forward anything that says forward to everyone or ten people or whatever. None of it works, none of it is true, it’s sole reason for existing is to waste bandwidth, and that is exactly what happens when you forward this latest email to everyone you know.

6) When posting on forums or wherever, do a search while you are there first, if it is a common question, the answers will already be there and no one will be calling you noob or newbie and telling you to search for the answer first.

7) Don’t believe everything you read, even the big news sites get things wrong some days, although they are usually the most trustworthy, just like this site. ;)

8) If you like a site, support it by buying stuff through their links, or donating if they have a donate button. It does cost money to run a website, and the more popular it is, the more expensive it is.

9) Always have an anti virus program and an anti spyware program, the ones I like are Panda for anti virus, that link is for their free online scan, and X-Cleaner for anti spyware.

10) If you use a peer to peer network to get music, movies, whatever, you will end up with loads of spyware and you may get caught and possibly fined by the RIAA, or whoever is trying to stop the file sharing now. You have been warned.

Of course, these are for newbie?s and non technical people, if you know anything about computers, then you probably already know these.

Symantec’s latest Internet Security Threat Report, to be issued on March 7, 2006, analyzes data collected from over 24,000 security devices deployed in over 180 countries. It covers the six-month period from July 1 ? December 31, 2005 and includes analysis of network-based attacks, a review of known vulnerabilities, highlights of Adware, Spyware, and malicious code, an analysis of Spam and Phishing data and a forward looking analysis in Future Watch.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - March 9, 2006 at 12:10 pm

Categories: Reviews, Spyware Info, Tech News, Virus Info   Tags: , , , , , , ,

Top Ten Cybercrime, Viruses and Spyware

Panda Software has released the top ten in cybercrime, viruses and spyware for January 2006, most frequently detected by Panda ActiveScan, the free online antivirus solution.

Malware and % frequency
W32/Sdbot.ftp at 2.99%
Exploit/Metafile at 1.99%
W32/Sober.AH.worm at 1.30%
W32/Netsky.P.worm at 1.25%
W32/Gaobot.gen.worm at 0.90%
W32/Tearec.A.worm at 0.80%
Trj/Torpig.A at 0.80%
Trj/Qhost.gen at 0.76%
W32/Alcan.A.worm at 0.70%
W32/Parite.B at 0.61%

Since July 2005, Sdbot.ftp has been the threat that has had most impact. This is a script used by certain malware specimens to download, via FTP, the Sdbot worm. It does this by exploiting several operating system vulnerabilities such as LSASS or RPC-DCOM.

Metafile, which first appeared towards the end of December 2005, was the second most prevalent threat in January 2006. This is an exploit or code written to take advantage of a security vulnerability in GDI32.DLL, used by programs such as Windows Picture and Fax Viewer. This threat affects the following Windows platforms: Windows 98, Millennium Edition (ME), 2000, XP and Server 2003.

The impact of Metafile, along with the top-ranking position of Sdbot.ftp, once again highlights the success of malware creators in exploiting vulnerabilities in major programs to bolster the impact of their creations.

Here is the spyware ranking for January 2006

Spyware and % frequency
Spyware/New.net at 1.28%
Spyware/Smitfraud at 0.55%
Spyware/Virtumonde at 0.46%
Spyware/RXToolbar at 0.37%
Spyware/Altnet at 0.35%
Spyware/BetterInet at 0.29%
Spyware/Media-motor at 0.26%
Spyware/SafeSurf at 0.23%
Spyware/MarketScore at 0.22%
Spyware/Petro-Line at 0.20%

January’s spyware ranking shows that first place remains unaltered with respect to the previous month, with New.net (1.28%) in first place. The remaining examples of spyware in the Top Ten all have frequency percentages of less than 1%: Smitfraud, Virtumonde, RXToolbar, Altnet, BetterInet, Media-motor, SafeSurf, MarketScore and Petro-Line. The most notable features of this spyware ranking, with respect to December’s classification, are the appearance of Smitfraud and SafeSurf, replacing Cydoor and Premeter, which last month, held second and third places respectively.

As always, we recommend Panda Software and their Free Online Virus Scan as a first step, to actively protect yourself, you should check out all of their great products after you run the Free Scan.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - February 1, 2006 at 4:06 pm

Categories: Spyware Info, Virus Info   Tags: ,

« Previous PageNext Page »