
Microsoft Is Killing Support for Internet Explorer 8, 9 and 10 On January 12th

Microsoft is ending support for Internet Explorer 8, 9, and 10 on January 12th. This news has come as a breath of fresh air, as these versions were considered a bane for many web developers thanks to their endless security holes.

On Tuesday, a new “End of Life” patch will go live that will prompt Internet Explorer users to upgrade their browsers. This End of Life patch means that these older Internet Explorer versions will no longer get regular technical support or security fixes.

This step also means that Internet Explorer 11 is the last version of Microsoft’s vintage browser that will be supported. The patch will be delivered as a cumulative security update for these versions:

On Windows 7 Service Pack 1 and Windows 7 Service Pack 1 x64 Edition

  • Internet Explorer 10
  • Internet Explorer 9
  • Internet Explorer 8

On Windows Server 2008 R2 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 x64 Edition

  • Internet Explorer 10
  • Internet Explorer 9
  • Internet Explorer 8

However, if you want to disable this update notification, follow these steps mentioned on Microsoft’s support page.

It’s expected that millions of users will choose to dismiss these upgrade notifications, and will thus be exposed to security risks. So you are advised either to upgrade your browser or to switch to another web browser altogether.

Another layer of protection: Cryptolocker and other malware

Preventative Workstation protection:

This malware launches from a specific location on the workstation, so it is recommended to add a Group Policy setting that blocks execution from that location on Windows Vista/7/8 and on XP.

Use software restriction policies as follows:

Windows 7:

You can use Software Restriction Policies to block executables from running when they are located in the %AppData% folder, or in any other folder. The file path of the infection is: C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
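The following script is an added example, not part of the original post and not Microsoft's own tooling. It creates local Software Restriction Policy path rules that stop executables from running out of the per-user AppData folders, the location quoted above. It assumes that the SAFER engine honours rules written to these policy registry keys exactly as the Local Security Policy snap-in writes them, and that the machine is not already governed by an SRP GPO (a domain GPO would overwrite these keys). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post or from Microsoft): local SRP path rules
# that block executables launched from %AppData% and %LocalAppData%.
# Assumption: SAFER reads these keys exactly as the Local Security Policy snap-in
# writes them; on a domain, put the same rules in a GPO instead.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'          # security level 0 = Disallowed

# Global SRP settings. The default level stays Unrestricted (0x40000), so only the
# explicit rules below are blocked; TransparentEnabled=1 enforces on executables
# but not DLLs, the same as the snap-in's default.
New-Item -Path $disallowed -Force | Out-Null
Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 1       -Type DWord
Set-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0       -Type DWord   # all users, admins included

# Patterns to block. In an SRP path rule '*' matches a single folder level, so
# '%AppData%\*.exe' covers files dropped directly into AppData\Roaming (the path
# quoted in the post) and '%AppData%\*\*.exe' covers one subfolder below it.
$rules = @(
    @{ Path = '%AppData%\*.exe';        Description = 'Block exe in AppData\Roaming' },
    @{ Path = '%AppData%\*\*.exe';      Description = 'Block exe one level below AppData\Roaming' },
    @{ Path = '%LocalAppData%\*.exe';   Description = 'Block exe in AppData\Local' },
    @{ Path = '%LocalAppData%\*\*.exe'; Description = 'Block exe one level below AppData\Local' }
)

foreach ($rule in $rules) {
    # Each rule lives in its own GUID-named subkey, mirroring what the snap-in creates
    $key = Join-Path $disallowed ([guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $rule.Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0                 -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value $rule.Description -Type String
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Report the Disallowed path rules now present on the machine
Get-ChildItem -Path $disallowed | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    '{0,-28} {1}' -f $p.ItemData, $p.Description
}
```

Test this on a pilot machine first: some legitimate per-user installers and updaters also run from AppData, and they will be blocked along with the malware. Exceptions go in as Unrestricted path rules under the `262144\Paths` key (262144 = 0x40000), and the %LocalAppData% variable only exists on Vista and later, so XP needs its own rules for the "Application Data" folders.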

Exploring Malware Types

Malware is the term given to a set of software with one specific function: malicious activity. Most users know of this danger as a “computer virus”, but the term virus these days has a very specific meaning. When we break down the dozens of terms given to malware, we can build an understanding of the level of infection we face during the removal process.

Here are a few of the major types of Malware users should be aware of:

Trojan

  • Malware that disguises itself as a normal file or program to trick users into downloading and installing it. Does not self-replicate or spread.

Virus

  • Malware that replicates and spreads based on user interaction. Opening infected files or running an infected executable usually triggers the virus.

Worm

  • The most common type of malware. Worms spread over networks by exploiting operating system vulnerabilities. They can contain “payloads” that perform certain actions (such as deleting or stealing data). Worms differ from viruses in that they are able to self-replicate and spread independently, without user interaction. Examples: polymorphic or metamorphic worms.

Rootkit

  • Malware that enables continued privileged access to a computer. As a result, it can subvert software that is designed to detect or remove it. Typically deployed through Trojans or security vulnerabilities. Can reside in the kernel of the OS, or even in the firmware of devices.

Spyware

  • Focuses on data harvesting or on modifying security/permission settings. Typically deployed through Trojans.

Ransomware

  • Malware that essentially holds a system captive while demanding a ransom. The most damage will come from users with Admin/root access running a Trojan.

Adware

  • Automatically delivers advertisements. Not always malware. When bundled with Spyware, can create elaborate phishing attempts.

Bot

  • Software that performs specific operations using a host computer. This can include cheating at video games, but bots are more dangerously used in botnets to perform DDoS attacks.

Zero Day Attack

  • Not a type of malware, but a description of a threat. A zero-day attack is one that exploits a previously unknown application vulnerability. It is so named because developers have had no time to address and patch the issue.

With an understanding of the different types of Malware, we can hope to prevent further infection and reinfection, as well as build a background to understand the newest threats.

DNSChanger Malware on Monday, July 9th, 2012

If you’ve browsed Facebook or Google lately, you may have come across a few articles with the warning that “millions of Americans will lose their internet connections” on Monday, July 9th. Some articles claim this so-called ‘DNSChanger’ malware is set to go off like a timed bomb; others claim the FBI is forcefully causing the shutdown. Regardless of the reason, there has been much concern about a possible internet outage this Monday, and whether or not it affects you both at work and at home. All of us here at NetCal would like to save you the headache, and break down the facts from the fiction.

Q: Is this issue real?

A: Yes, but the facts are greatly distorted.

The ‘DNSChanger’ malware is not lying dormant on your computer until Monday, and the FBI is not cutting off your internet access forcefully. The malware was real however, and may have infected your computer 4-5 years ago.

Computers use something called DNS (the Domain Name System) to translate ‘internet names’ into ‘internet numbers’. When a website name like ‘www.google.com’ is typed into your browser, a request goes to a DNS server, which translates the name into the proper IP address (74.125.224.65). Your computer is normally set up to acquire its DNS server automatically from your ISP (Internet Service Provider), or from a DNS server set up in your business.

The ‘DNSChanger’ malware, widely released in 2007, changed the settings on the computers it infected and redirected the DNS address to private servers run by scam artists and identity thieves. Instead of www.google.com translating to 74.125.224.65, it would translate to their private IP addresses instead!

The scam was so widespread (half a million computers infected in the US), the FBI was forced to get involved to shut the criminals down. The criminals were caught, their equipment confiscated, and computers were rid of the infection in record time. There was just one catch: Getting rid of the DNSChanger infection did not change the computer’s DNS settings back to normal!

The FBI decided to set up legitimate DNS servers on the IP addresses the criminals had used. In the end, even if you were infected by the malware, your internet access was no longer compromised. Fast forward 5 years to 2012, and the FBI is now retiring these servers. As a result, previously infected computers will be left without DNS service.

Q: How can I find out if I was infected?

A: You can visit ‘dcwg.org’ and have your computer tested online.

Click on “Detect” towards the top and see if you are using the FBI’s DNS servers.
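The dcwg.org test works from the outside by seeing which resolver your request arrives from. The script below is an added example, not part of the original post and not dcwg.org's own code, that does the same check locally: it lists the DNS servers each active adapter is configured with and flags any that fall inside a set of suspect address ranges. The two ranges in the script are placeholders (RFC 5737 documentation networks) and must be replaced with the rogue-resolver ranges that the DNS Changer Working Group published.

```powershell
# Added example (not from the original post or from dcwg.org): flag configured DNS
# servers that fall inside suspect address ranges. Uses the WMI class
# Win32_NetworkAdapterConfiguration, which exists on XP through current Windows.

$suspectRanges = @(
    '192.0.2.0/24',      # PLACEHOLDER: replace with the dcwg.org published ranges
    '198.51.100.0/24'    # PLACEHOLDER
)

function ConvertTo-IPv4Number ([string]$ip) {
    # Dotted quad -> integer, most significant octet first
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Test-IPv4InCidr ([string]$ip, [string]$cidr) {
    # True when $ip lies inside the $cidr block; IPv6 resolvers are not assessed
    $addr = [System.Net.IPAddress]::Parse($ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $network, $prefix = $cidr -split '/'
    $blockSize = [int64][math]::Pow(2, 32 - [int]$prefix)   # addresses per /prefix block
    # Two addresses share the prefix when integer division by the block size agrees
    $ipBlock  = [math]::Floor((ConvertTo-IPv4Number $ip) / $blockSize)
    $netBlock = [math]::Floor((ConvertTo-IPv4Number $network) / $blockSize)
    return $ipBlock -eq $netBlock
}

function Get-ConfiguredDnsServers {
    # One object per (adapter, DNS server) pair for adapters with IP enabled
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        Where-Object { $_.DNSServerSearchOrder } |
        ForEach-Object {
            $adapter = $_.Description
            foreach ($server in $_.DNSServerSearchOrder) {
                New-Object PSObject -Property @{ Adapter = $adapter; DnsServer = $server }
            }
        }
}

foreach ($entry in Get-ConfiguredDnsServers) {
    $hit = $suspectRanges | Where-Object { Test-IPv4InCidr $entry.DnsServer $_ } | Select-Object -First 1
    $status = if ($hit) { "SUSPECT - inside $hit" } else { 'ok' }
    '{0,-45} {1,-16} {2}' -f $entry.Adapter, $entry.DnsServer, $status
}
```

On a business network the workstations usually point at an internal DNS server, so a clean result here only means the workstation itself was not changed; the forwarders configured on that server or on the router need the same check, which is what the dcwg.org "Detect" page observes from the outside.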

Q: How severe is this infection? Can it be fixed?

A: It is very quick to fix, and does not permanently harm any systems.


For more information please visit the following:

http://www.slashgear.com/dnschanger-malware-for-dummies-sophos-video-explains-it-all-06237487/

Malware, Spyware, Scareware – How to detect and prevent infection…

What is malware and how do I get it?

Generally speaking, malware is malicious software designed to infiltrate a computer system without the owner knowingly allowing it to. Its intent is to perform devious acts on, or using, your computer. Scareware, one such category, consists of programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software.

Additional Malware Info

What are the symptoms?

Pop-ups, website redirection, network configuration changes, unresponsive computer, etc…

Information regarding Antivirus2009 Malware

Information regarding Internet Security 2010

How did I get it?

The sources are usually emails, websites, pirated software downloads, P2P applications, fake video codecs, software exploits (e.g. Acrobat), etc. The typical scenario is a pop-up that asks you to download and install something. Once the download and install happen, the malware takes over the computer.

How do I protect myself?

  1. We still live in a world where humans can usually make the best decisions.  This means user training is one of the best methods to prevent infections.  Below is a list of things to train users on that don’t require a lot of time.
    • Users should be a little paranoid and skeptical when it comes to reading the emails they receive, especially emails requesting actions to be taken. If it sounds important, take the time to read and verify it carefully!
    • Users should make sure they have an SSL connection when making transactions online or logging into banking sites.
    • Exercise caution with e-mail and files received from unknown sources, or received unexpectedly from known sources.  If the email is from someone they know, make sure it has relevant content specific to that person (e.g. writing style, context of message, etc.)
    • Users should know that a pop-up can sometimes be made to look like a Windows error message. Recognizing legitimate software interfaces can help (antivirus software, Windows Security Center, Windows Defender, anti-malware software)
    • Don’t download random software from the Internet until you know it has a valid homepage and user base (look for software reviews for it). Once that’s verified, make sure you download directly from the vendor’s website.
    • Users should understand how a website name can be redirected to the wrong site using the HOSTS file.
    • Users should understand that a text link can have a different URL embedded.
    • Don’t install software unless you were intentionally trying to.
  2. Keep Windows and your browser software up-to-date by downloading and applying security updates.
  3. Use an active and updated antivirus and anti-malware application that detects harmful websites, files, and emails. There are many applications out there that are free. Some highly recommended ones are Webroot, Spybot Search & Destroy, MalwareBytes, SuperAntispyware and PC Tools Spyware Doctor.

Removal Tips:

  1. Boot into SAFE MODE. It will give you a more effective platform to work with.
  2. The key is to get the system to allow you to install anti-malware software with the latest updates to slowly remove the programs.
  3. Fixing infections and rebooting often will get you further along in the removal process.
  4. There is no perfect anti-malware software, therefore you should run scans using multiple anti-malware products to make sure all malware is removed.
  5. Can’t run/install software due to access permissions – This is usually due to a software restriction in your local security policy, or to malicious group policy entries regarding software restrictions configured in your registry.
  6. Can’t browse websites, or weird website redirections – Check the Internet Explorer proxy settings. 95% of the time, it shouldn’t be using a proxy. Also, make sure your HOSTS file doesn’t have malicious entries in it.
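The HOSTS file check that users are trained on above, and the proxy and HOSTS checks in removal tip 6, can be done in one pass. The script below is an added example, not part of the original post: it reads the HOSTS file and Internet Explorer's per-user proxy settings and reports what it finds, changing nothing. The watch list of domains is this example's own choice of update and security-vendor sites that a normal workstation should never have remapped.

```powershell
# Added example (not from the original post): report HOSTS file entries and the
# Internet Explorer proxy configuration. Read-only.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$localAddresses = @('127.0.0.1', '::1', '0.0.0.0')
# Example watch list: domains whose remapping to a local address blocks updates/AV
$watchList = @('microsoft.com', 'windowsupdate.com', 'symantec.com', 'mcafee.com',
               'malwarebytes.org', 'eset.com')

function Get-HostsEntries ([string]$path) {
    # One object per hostname on each active (non-comment) line
    Get-Content -Path $path | ForEach-Object {
        $line = ($_ -replace '#.*$', '').Trim()        # strip comments and whitespace
        if (-not $line) { return }
        $parts = $line -split '\s+'
        if ($parts.Length -lt 2) { return }            # an address with no names
        foreach ($name in $parts[1..($parts.Length - 1)]) {
            New-Object PSObject -Property @{ Address = $parts[0]; Hostname = $name }
        }
    }
}

function Get-HostsEntryVerdict ($entry) {
    $isLocal = $localAddresses -contains $entry.Address
    $watched = $watchList | Where-Object { $entry.Hostname -like "*$_" } | Select-Object -First 1
    if ($entry.Hostname -eq 'localhost' -and $isLocal) { return 'normal' }
    if ($isLocal -and $watched) { return "BLOCKS security/update site ($watched)" }
    if (-not $isLocal)          { return "REDIRECTS to $($entry.Address)" }
    return 'blocks a site (review)'
}

function Get-IeProxySettings {
    # Internet Explorer (WinINET) proxy settings for the current user
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigUrl = $p.AutoConfigURL
    }
}

"== HOSTS entries in $hostsPath =="
Get-HostsEntries $hostsPath | ForEach-Object {
    '{0,-16} {1,-35} {2}' -f $_.Address, $_.Hostname, (Get-HostsEntryVerdict $_)
}

"`n== Internet Explorer proxy =="
$proxy = Get-IeProxySettings
if ($proxy.ProxyEnabled -or $proxy.AutoConfigUrl) {
    "CHECK: proxy enabled=$($proxy.ProxyEnabled) server='$($proxy.ProxyServer)' pac='$($proxy.AutoConfigUrl)'"
} else {
    'ok: no proxy or auto-config script set'
}
```

On a clean Windows 7 machine the HOSTS section prints nothing (the default file is all comments), and the proxy section reports nothing set unless the business uses a proxy; anything else is worth a look before running the next scan. Run it as the affected user, since the proxy settings are per user.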

Conficker (aka Downadup) – FAQ

What kind of damage can this virus do?

  • Create administrative accounts on your PC
  • Prevent you from downloading security and antivirus updates
  • Use your computer as part of a Denial of Service (DoS) attack.
  • Could steal personal information
  • Populate your computer with malware pop-ups
  • Erase data on your computer

What computers are affected?

  • Unpatched Microsoft Windows operating systems (Microsoft Windows 2000, Windows XP, Vista, Windows Server 2003, and Windows Server 2008 systems)

What are some of the symptoms of being infected by the Conficker worm?

  • Windows Security Center will not work.  You can verify this via Start -> Control Panel -> Security Center
  • Account lockout policies are being tripped.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Domain controllers respond slowly to client requests.
  • The network is congested.
  • Various security-related Web sites cannot be accessed (Symantec, McAfee).
  • Commercial antivirus software is disabled
  • Microsoft’s security update service is turned off

How do I prevent infections?

  1. Patch your Windows operating system with the following patches:  MS08-067
  2. Install the latest security updates from Microsoft
  3. Make sure you are running up-to-date antivirus software and definitions from a trusted vendor (McAfee, Symantec, ESET, Microsoft, etc…)
  4. Disable the AutoPlay feature through the registry or using Group Policies
  5. Exercise caution in what websites you visit
  6. Don’t open file attachments unless you have verified that you know the person who sent them and that they really meant to send the attachment.

How does the software spread?

  • Exploitation of the vulnerabilities that are patched by security updates MS08-067, MS08-068 and MS09-001
  • The use of network shares
  • The use of the AutoPlay functionality

How do I remove the worm from an infected computer?

  1. Disconnect the infected  computer from the network and the Internet.
  2. Install the patches below.  Use an uninfected computer to download the patches if necessary:  MS08-067, MS08-068 and MS09-001
  3. Reset the passwords of your system’s admin accounts to more sophisticated ones.
  4. Download and run the Conficker remover
  5. Reconnect your computer back to the network
  6. Update your antivirus application and definitions
  7. Install Microsoft updates
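The symptoms, prevention and removal lists above amount to a short audit that can be run on each computer. The script below is an added example, not part of the original FAQ and not a Microsoft tool: it checks whether the three bulletins are installed, reports the state of the services Conficker is known to disable, and checks whether AutoPlay has been turned off through the registry (the method prevention step 4 mentions), optionally turning it off with `-Remediate`. The KB article numbers are the ones Microsoft assigned to the bulletins named in the FAQ; confirm them against the bulletin pages before relying on them. Run it elevated.

```powershell
# Added example (not from the original FAQ or from Microsoft): Conficker audit for one
# computer. Reports patches, services and AutoPlay state; -Remediate disables AutoPlay.
param([switch]$Remediate)

# Bulletin -> knowledge base article as reported by Get-HotFix (verify against the
# bulletin pages; these are the author-of-this-example's mapping)
$bulletins = @{
    'MS08-067' = 'KB958644'
    'MS08-068' = 'KB957097'
    'MS09-001' = 'KB958687'
}

# Services the FAQ lists as disabled by the worm (names differ between XP and
# Vista/7, so services that do not exist on this version are skipped)
$services = 'wuauserv', 'BITS', 'WinDefend', 'wscsvc', 'ERSvc', 'WerSvc'

# NoDriveTypeAutoRun = 0xFF under these keys disables AutoRun for every drive type
$autoRunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Test-Patches {
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($b in $bulletins.GetEnumerator() | Sort-Object Name) {
        $present = $installed -contains $b.Value
        '{0} ({1}): {2}' -f $b.Name, $b.Value, $(if ($present) { 'installed' } else { 'MISSING' })
    }
}

function Test-Services {
    foreach ($name in $services) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if (-not $svc) { continue }
        $flag = if ($svc.StartMode -eq 'Disabled') { 'CHECK: disabled' } else { $svc.State }
        '{0,-10} start={1,-8} {2}' -f $name, $svc.StartMode, $flag
    }
}

function Test-AutoPlay {
    foreach ($key in $autoRunKeys) {
        $value = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $state = if ($value -eq 0xFF) { 'disabled for all drives' } else { "CHECK: value=$value" }
        '{0}: {1}' -f $key, $state
    }
}

function Disable-AutoPlay {
    foreach ($key in $autoRunKeys) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    }
}

'== Patches ==';   Test-Patches
'== Services ==';  Test-Services
if ($Remediate) { Disable-AutoPlay }
'== AutoPlay ==';  Test-AutoPlay
```

A disabled Automatic Updates, BITS, Security Center or Defender service on a machine nobody configured that way is the symptom the FAQ describes and should be treated as a likely infection rather than fixed in place: run the audit, then follow the removal steps (disconnect first) before re-enabling anything.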

How do I protect my computer from similar threats?

  1. Enable Automatic Updates for your Windows computer
  2. Set your antivirus and definition update schedules to be more frequent (1 or 2 times a day)
  3. Exercise caution in what websites you visit
  4. Use caution when you see pop-ups on your screen (e.g. false virus notifications)
  5. Don’t open file attachments unless you have verified that you know the person who sent them and that they really meant to send the attachment.