January 28, 2009
Shootin' phish in a barrel
Just received a spam to
lure me to a phishing site. (OK, so I knew it was phish and went
anyway, so I wasn't exactly "lured." But bear with me.)
Here's the spam:
| Dear Wells Fargo Bank customer, You
have received this alerting message, as you are listed to be
an Commercial Electronic Office® user.We would like
to inform you that we are currently carrying out scheduled maintenance
of banking software, that operates customer database for Commercial
Electronic Office® users. Customer database is based on
a client-server protocol, so, in order to finish the update
procedure, we need customer direct participation. Every Commercial
Electronic Office® user has to complete a Commercial Customer
Form. In order to access the form, please use the link below.
The link is unique for each account holder and expires within
a certain period of time. If you don't fill in Commercial Customer
Form before your unique link expires, the system will automatically
send you a new notification message.
http://wellsoffice.wellsfargo.com/session-id-072/portal/form/do.jsp?uniquelink-id=[whole bunch of number identifying the person who received the email]
Sincerely,
Wells Fargo Online Customer Service
=========================
Please do not reply to this email.
It's a pretty lame attempt
at speaking English. But the link says "http://wellsoffice.wellsfargo.com/yadda,
yadda, yadda." It's the last part before the first single slashmark
"/" -- "wellsfargo.com" -- that tells you what
the real site is, right? Wrong.
This is when you want to see what that spam looks like in its raw view. It was sent in both text and HTML ("hypertext markup language," the computer code used for webpages), and the actual link is hidden in the HTML code. People with text-only email don't get fooled, but there aren't many of those people, and the phisher will just let them get away. In the HTML view, the email program does not turn the address you see in the visible text into the active link; the active link comes from the hidden code. This is what the HTML code looks like:
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html;
charset=3Dwindows=
-1250">
<meta name=3DGenerator content=3D"Microsoft Word 11
(filtered medium)">
</head>
<body>
<p><font face=3D"Arial, Helvetica, sans-serif">Dear
Wells Fargo Bank cust=
omer,</font></p>
<p><font face=3D"Arial, Helvetica, sans-serif">You
have received this ale=
rting message, as you are listed to be an Commercial Electronic
Office<su=
p>®</sup> user.</font></p>
<p><font face=3D"Arial, Helvetica, sans-serif">We
would like to inform yo=
u that we are currently carrying out scheduled maintenance
of banking sof=
tware, that operates customer database for Commercial Electronic
Office<s=
up>=AE</sup> users. Customer database is based on
a client-server protoco=
l, so, in order to finish the update procedure, we need customer
direct p=
articipation. Every Commercial Electronic Office<sup>=AE</sup>
user has t=
o complete a Commercial Customer Form. In order to access
the form, pleas=
e use the link below. The link is unique for each account
holder and expi=
res within a certain period of time. If you don't fill in
Commercial Cust=
omer Form before your unique link expires, the system will
automatically =
send you a new notification message.</font></p>
<p><font size=3D"2" face=3D"Arial,
Helvetica, sans-serif"><a href=3D"http=
://wellsoffice.wellsfargo.com.session-id-072.sdlc.be/portal/form/do.jsp?u=
niquelink-id=[whole bunch of number identifying the person
who received the email]">http://wellsoffice.wellsfargo.com/session-id-072/portal=
/form/do.jsp?uniquelink-id=[whole bunch of number identifying
the person who received the email]</a></font></p>
<p> </p>
<p><font face=3D"Arial, Helvetica, sans-serif">Sincerely,<br>
<br>
Wells Fargo Online Customer Service<br>
<br>
<br>
<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
3D=3D=3D=3D=3D=3D=3D=
=3D<br>
Please do not reply to this email.</font></p>
</body>
</html>
Well, there is a lot of gobbledygook there if you aren't used to HTML code. But there is one HTML tag you really need to be able to recognize: "<a href>". There may be other links in a spam, especially to images, and in a phish email those will usually point to the real website, since that makes the deception easier to carry out. But the <a href> tells you the website the spammer is actually trying to take you to.
In this case, it's
<a href=3D"http=
://wellsoffice.wellsfargo.com.session-id-072.sdlc.be/portal/form/do.jsp?u=
niquelink-id=[whole bunch of number identifying the person who received the email]">
(You can view the site without using the identifying information: http://wellsoffice.wellsfargo.com.session-id-072.sdlc.be/portal/form/do.jsp)
Now look at the last part before the first single slashmark "/": it's "sdlc.be". That's the domain under the control of the phisher, and the one you would report to its registrar for shutdown. ".be" is for domains registered in Belgium. You can find a whois server that can tell you about .be domains here:
http://www.dns.be/en/home.php?n=44.002
January 25, 2009
Spam humor
The "Sloppy,
Lazy and Stupid Spammer" forum at InboxRevenge.com
is always good for a laugh. Even if you're not an experienced spamfighter
who can laugh at the incompetent use of Dark Mailer software, you
can always get the humor in the Fractured
English or Mismatched
Subject Headings threads.
Just one example posted
there from user Moike:
Stupid phishing email - I've seen lots
of variations on this, but it's still funny.
Quote:
The security upgrade will be effective immediately and
requires our customers to update their ATM card information.
1. Login to your Wachovia account.
2.Please update and verify your
information on file with us.
.....
We apologize for any inconvenience this may cause, and
appreciate your support in helping us maintaining the
integrity of the entire Capital One Bank system. Please
login as soon as possible.
Sincerely,
Capital One Bank Security Advisor.
Nice to know that you can save your Capital One account by
logging into your Wachovia account!
January 23, 2009
Your computer has doors to the outside. Have you left any unlocked?
If you visit any anti-spam
forums, you will quickly learn that a large percentage of the websites
being advertised in spam aren't being hosted in the normal way.
Instead of paying rent to have their websites hosted by commercial
hosting services -- which costs money, lots of money if you
want "bulletproof" hosting from a service that won't boot
you off for spamming -- they hijack computers of innocent people
using trojan horse viruses. Once infected by a trojan, a computer
gives the attacker access to store his website files, and it allows
people looking for that website to view those files. Similarly,
most of the computers mailing the spam are also under the control
of criminals.
That means an infected computer
has to be "listening" for people trying to access it.
It has to have a door left open. Those doors are called "ports."
Port 80 is the one left open by computers that are supposed to be
webservers, and a piece of malware can open any port of the programmer's
choosing.
The ShieldsUp!
website will do a free scan to see if your computer is listening
on any common ports. There's more explanation about why you should
care about open ports here.
Should you find open ports, you need to find out why they're open
and look for malware that may be on your computer allowing it to
be part of a botnet.
Choosing strong passwords
The other issue is, even
if you locked the door, did you leave the key under the mat? Burglars
know where to look for hidden keys, and so do attackers. Obviously,
how much trouble someone will take to get onto your computer depends
on how valuable the information is. Do you do your taxes on your
computer, meaning your social security number and other personal
information is there? Do you buy online with credit cards? -- even
if you tell your browser not to store them, malware could be logging
all the keys you type. Do you have pictures of your kids that can
be photoshopped with pornographic photos to conceal the identity
of the child who was actually abused? If so, at least somebody could
use your information, and a very weak password on your router/firewall
isn't much better than none at all. Plus, who wants their computer
to be the one used to upload the next al Qaeda decapitation video?
First, if you didn't know
your router had a password, you may not have changed the
default it was shipped with. So if every router of that type has
the same password, you can guarantee there are people checking everyone
logged into the internet to see who hasn't changed their default.
Go to the manufacturer's website and find out how to change it.
There are a number of passwords
that are used very frequently, and attackers try them first. So
if you thought you were really clever by choosing "password1"
as your password, you weren't. There are a number of sites with
lists of common passwords. PC
Magazine posted a top 10 list in April 2007 and Wired
Magazine posted an analysis of the top 20 MySpace passwords
in December 2006.
So if you look at those
lists, you know to avoid password, password1, 123456, qwerty, abc123,
letmein, common swear words, and your own first name. Anybody can
try those without any special effort.
But hackers have software
that allows them to try over and over if your router will allow
it. So the next question is, "If they want to get in, how long
would it take them to try?"
The quickest way in is a
dictionary attack. If your password is a lower case dictionary word,
with or without a single number at the end, a computer can try all
the possibilities in a few minutes.
Besides avoiding words in
the dictionary, avoid dates (even ones they don't know, like your
nephew's birthday).
The best passwords are long
-- once you get longer than 8 characters, the amount of possible
combinations goes up very quickly. And a long password can discourage
someone from trying further if the dictionary attack fails. The
best passwords also don't just stick to lower case letters (26 possibilities),
lower and upper case (52 possibilities) or even all letters and
digits (62 possibilities). Throw in the special characters !@#$%^&*()_-+={}|[]\:";'<>?,./~ if you're allowed to use them, and you now have 93 possibilities. (Do find out if you're allowed to use them, so you don't choose a password that won't be accepted.)
To do the math:
4 characters, all lower
case = 26 to the 4th power = 456,976 possibilities, which would
be a lot for you, but not for a computer, especially one that knows
to check common characters first.
6 characters, all digits (like a date) = 1,000,000 possibilities. But a smart computer program will first try 0 and 1 in the first place and 0, 1, 2, and 3 in the third place, since dates only have those possibilities. In fact, there are only 365x100 dates in a century, plus up to 25 more for leap years in the last 100 years, or 36,525 total choices.
8 characters, taken from upper/lower/digits/special, is 93 to the 8th power = 5,595,818,096,650,400 choices. 10 characters is 48,398,230,717,929,000,000. Now you start talking about it taking even a fairly powerful computer years to crack the password, especially if the letters and other characters aren't in predictable combinations.
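As an added example (not from the original post), here is the arithmetic above turned into a small estimator that follows the same attacker order the post describes: the common-password list first, then a lower-case dictionary word with an optional trailing digit, then dates, and only then a blind brute force over the character classes the password actually uses. The wordlist and common-password list are constructed stand-ins for the real ones, and the guess rate is a parameter, not a measured figure.

```python
import string

# Character classes as the post counts them: 26 + 26 + 10 + 31 = 93 symbols.
SPECIALS = '!@#$%^&*()_-+={}|[]\\:";\'<>?,./~'   # the 31 special characters listed above
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(SPECIALS), 31),
]
# Constructed stand-ins for the lists an attacker really uses; the real ones are
# far longer, which makes the "effective" numbers below larger but still tiny.
COMMON = {"password", "password1", "123456", "qwerty", "abc123", "letmein"}
WORDLIST = {"password", "letmein", "qwerty", "monkey", "dragon", "sunshine"}
DATES_IN_A_CENTURY = 365 * 100 + 25   # 36,525, as worked out in the post


def brute_force_space(pw):
    """Guesses a blind brute force needs: (sum of the class sizes present) ** length."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in pw))
    return size ** len(pw)


def looks_like_date(pw):
    """Six digits readable as DDMMYY or MMDDYY, the post's '6 characters, all digits'."""
    if len(pw) != 6 or not pw.isdigit():
        return False
    a, b = int(pw[:2]), int(pw[2:4])
    return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)


def effective_space(pw):
    """Guesses needed by an attacker who tries the cheap strategies first.
    Returns (number_of_guesses, strategy_that_succeeds)."""
    if pw in COMMON:
        return len(COMMON), "common-password list"
    core = pw[:-1] if pw[-1:].isdigit() else pw
    if core.islower() and core in WORDLIST:
        # each word is tried bare or with one of ten trailing digits
        return len(WORDLIST) * 11, "dictionary word with optional trailing digit"
    if looks_like_date(pw):
        return DATES_IN_A_CENTURY, "date"
    return brute_force_space(pw), "brute force"


def seconds_to_exhaust(pw, guesses_per_second=1_000_000):
    """Worst-case time to try every candidate at an assumed guess rate."""
    guesses, _ = effective_space(pw)
    return guesses / guesses_per_second


if __name__ == "__main__":
    for pw in ["abcd", "password1", "dragon7", "120484", "k7$Qm2!v", "k7$Qm2!vXy"]:
        guesses, how = effective_space(pw)
        print(f"{pw:12} {guesses:>26,} guesses ({how}), "
              f"~{seconds_to_exhaust(pw):.3g} s at 1M guesses/s")
```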
If you're choosing a password
for work, you have an additional consideration -- you need to be
able to type it quickly without looking at the keys, so people don't
read over your shoulder. Rely on long passwords which are not single
words, and use common punctuation as your special characters in
those cases, as with practice you'll be able to enter them without
an observer being able to follow what you're doing.
There are a number of youtube
videos showing how quickly someone can hack a password using free
software. The bad guys know about it; you should too. Here's one:
http://www.youtube.com/watch?v=0dPyE-RY2To
January 19, 2009
More on Conficker
Gary Warner's blog expands more on the behavior of Conficker. Important take-away message: Even if you have installed the patch to keep the worm from spreading from other machines in your network or from infected thumb drives, if the worm has your administrator password, it can still install itself from another PC in your network. How would it get your admin password? Lots of networks use the same administrator password for all machines on the network. If an admin logs into an infected computer, he has provided the password for all the others. Get the patch on ALL the machines on your network, ASAP.
January 18, 2009
Conficker/Downadup/Kido worm
Well, this is a pretty
exciting worm, considering it hasn't done anything. Yet. It's spreading
like kudzu, though. Should it rouse into action, we may find
out what it does in a rather unpleasant manner.
It takes advantage of a
Microsoft Windows vulnerability that was patched months ago. Microsoft
didn't say much about it at the time; they just quietly fixed it
with one of their regular updates. So while it didn't advertise
the vulnerability to the bad guys, it didn't scare a lot of people
into updating, either. (And maybe some people have decided to wait
a while to install patches, after a recent Windows update made it
impossible to access the internet if you had ZoneAlarm installed
-- hard to fix that one, you know?)
Anyway, it spreads machine to machine via internal networks and also removable media, like flash drives. Since it's just installing itself and not doing anything to call attention to itself yet, it's been gaining access to a huge number of computers without spurring their owners into looking for problems. And should they learn they are infected, it will try to prevent them from getting fixes by blocking access to a large number of sites that provide help. In fact, you can't get access to any sites that have the following character strings in their URLs:
cert.
sans.
bit9.
vet.
avg.
avp.
ca.
nai.
windowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus
At least it provides an
easy way to figure out if you're infected. Try to go to
http://windowsupdate.microsoft.com/
using Internet Explorer.
If it won't let you, you've got a problem. Remember that Conficker
could have spread to your computer from other computers in your
home/office network, so you need not have done anything stupid yourself.
If you're still okay, make
sure you have all the updates from that Microsoft updates site.
Make sure your firewall has not been deactivated, and set it to
require new authorization from any connections from other computers
in your network. If you don't have a firewall, Comodo still provides
their excellent firewall
for free. You have to download their (free) antivirus as well, but
if you prefer your own, you can uncheck that option.
If you're already infected and need help, majorgeeks
and bleeping
computer are not on the blacklist.
January 17, 2009
Waledac trojan spoofs Obama campaign site
The Waledac
trojan shares a lot of similarities with the Storm
worm, though it's a different piece of software. (See the earlier
post below for more about a similar malware spam campaign.) Waledac
appeared recently with fake e-card sites. Now it's spamming for
sites claiming that Barack Obama is refusing to assume office. Just
like the old storm sites, it preys on people's curiosity about disasters
to get them to click a link that will download the payload onto
their computers. And the wording was clearly written by someone
who doesn't speak English fluently.

Just don't click it, okay? The real campaign website
is barackobama.com.
January 15, 2009
KSForum is now InboxRevenge.com
The KS Forums (Kill Spammers), previously hosted at thecarpcstore.com, were attacked in the first wave of the DDoS attack in August-September 2007 that also hit Castlecops, Spamnation, 419eater.com, and Artists Against 419. While Castlecops fought to stay online in the face of the massive attack, KS moved underground with just their most active members and continued to fight internet criminals in secrecy. Although there were advantages to working where the criminals could not see what was going on, other internet users interested in joining the fight against spammers could not find them, either.
The new location, KSForum.InboxRevenge.com
was unveiled today. It's a good place to learn about spam and internet
crime, especially for people who are new to spamfighting and who
might find other forums intimidating. Even if you know nothing about
computers or email, senior forum members will help you start learning
what you need to know to be an effective spamfighter.
KS always has had a close
relationship with Castlecops.com, and many of those anti-spam volunteers
have already moved to InboxRevenge since CC's demise last month.
January 9, 2009
Israeli/Palestinian conflict news story used as lure for malware download

Spam started arriving today
claiming to link to CNN news stories about the Israeli/Palestinian
conflict in Gaza. The subject is "Subject: Israeli War: The
Zero Hour in French israel war hidabroot," though I'm betting
the stuff in your inbox has one of an assortment of different subjects
and texts:
Israel offers short respite from strikes.
Israel will halt its bombardment of Gaza for three hours every
day to allow residents of the Hamas-ruled Palestinian territory
to obtain much-needed supplies, a military spokesman says.
The images broadcast here were graphic and striking.
The Al Jazeera English report below captures the extent of the
devastation caused by the initial strikes.
Proceed to view details:
http://edition.cnn.2009.processLogon.world-jdo0os23n.newsforusacnn.com/israel-gaza.htm?/based/VIDEO=ds2rr9ebjtosird
2009 Cable News Network. A Time Warner Company. All Rights
Reserved.
Notice that the URL contains "edition.cnn.2009," but that isn't the last part of the URL before the "/". Only the last part counts:
http://edition.cnn.2009.processlogon.world-jdo0os23n.newsforusacnn.com/israel-gaza.htm?/based/VIDEO=ds2rr9ebjtosird
The real location is "newsforusacnn.com," and that's the domain you would report to get this site shut down. It has no relationship to "cnn.com" at all. Close only counts in horseshoes and hand grenades.
Like the
ones that preyed on people concerned about the Chinese earthquake
last year, they appear to have a video that won't work unless you
download an update to Adobe Flash. In reality, the "video"
is just a still image called sw22.jpg:

Without the link to the
malware file, you can click on that jpg all you want, and nothing's
going to happen. Either way, you aren't going to see any "graphic"
images.
Even if you're clever enough not to click, the page will attempt to reload itself. But instead of the same page, it will attempt to load the payload Adobe_Player10.exe, using a tag in the source code that looks like this:
<meta http-equiv="REFRESH" content="10;url=../Adobe_Player10.exe">
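Pulling together the checks from the Wells Fargo phish (January 28 post), the fake-CNN URL above, and this meta refresh, here is an added example (not from the original post) that decodes the quoted-printable HTML of a message, compares the domain a link shows in its visible text with the domain its href really goes to, and flags a refresh that fetches an executable. The sample HTML and the "XXXX" tracking id are constructed, and the "last two labels" domain rule is a simplification that ignores two-level suffixes such as co.uk.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed quoted-printable sample modelled on the two pages discussed above:
# the visible text says wellsfargo.com, the href goes to sdlc.be, and a meta
# refresh pulls an .exe. "XXXX" stands in for the per-recipient tracking id.
SAMPLE_QP = (
    '<p><a href=3D"http=\n'
    '://wellsoffice.wellsfargo.com.session-id-072.sdlc.be/portal/form/do.jsp?u=\n'
    'niquelink-id=3DXXXX">http://wellsoffice.wellsfargo.com/session-id-072/portal=\n'
    '/form/do.jsp?uniquelink-id=3DXXXX</a></p>\n'
    '<meta http-equiv=3D"REFRESH" content=3D"10;url=3D../Adobe_Player10.exe">\n'
)


def decode_qp(raw):
    """Undo quoted-printable: '=3D' becomes '=', and a trailing '=' joins two lines."""
    return quopri.decodestring(raw.encode("ascii")).decode("latin-1")


def registrable_domain(url):
    """The part of the host a registrar hands out: the last two labels.
    Assumption/simplification: no public-suffix list, so hosts under two-level
    suffixes such as co.uk would be misjudged; the domains above are fine."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class LinkAuditor(HTMLParser):
    """Collect <a href> targets with their visible text, plus meta-refresh URLs."""

    def __init__(self):
        super().__init__()
        self.links = []      # (href, visible text) pairs
        self.refreshes = []  # url= part of <meta http-equiv="refresh">
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                self.refreshes.append(content[content.lower().index("url=") + 4:].strip())

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit(html_text):
    """Findings: links whose displayed domain differs from the real one, and
    refreshes that fetch an executable."""
    parser = LinkAuditor()
    parser.feed(html_text)
    parser.close()
    findings = []
    for href, text in parser.links:
        if text.lower().startswith("http"):
            shown, real = registrable_domain(text), registrable_domain(href)
            if shown != real:
                findings.append(f"link text shows {shown} but href goes to {real}")
    for target in parser.refreshes:
        if target.lower().split("?")[0].endswith((".exe", ".scr", ".pif", ".bat")):
            findings.append(f"meta refresh to executable: {target}")
    return findings


if __name__ == "__main__":
    for finding in audit(decode_qp(SAMPLE_QP)):
        print(finding)
```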
The best protections here are to not use Internet Explorer, and to set your browser to always ask where to put a file when it downloads. When it asks where to put this one, just cancel the download. (When I downloaded it, I told it to change its name to "Adobe_Player10.exe.txt," which means my computer can't run it as a program, only open it as a text file. It's much safer for handling it.)
The malware itself is fairly
poorly detected. My submission was the first one received at virustotal.com,
so this would be considered a "zero-day" malware -- the
antivirus companies have to be able to recognize it by its general
characteristics, never having received a sample of this particular
one before. You'll see those marked as "heuristic" or
"DNA scan" or "suspicious." And since trojan
horse viruses like this don't do anything much besides allow
more malicious programs onto your computer -- and the downloads
are usually encrypted -- they aren't easy to recognize that way:
http://www.virustotal.com/analisis/cdbd41d8a7481fc8e9e1875d5076f36c
File Adobe_Player10.exe.txt received on 01.09.2009 17:33:28 (CET)
Result: 9/38 (23.69%)
Antivirus | Version | Last Update | Result
a-squared | 4.0.0.73 | 2009.01.09 | -
AhnLab-V3 | 2009.1.10.0 | 2009.01.09 | -
AntiVir | 7.9.0.54 | 2009.01.09 | HEUR/Crypted
Authentium | 5.1.0.4 | 2009.01.08 | W32/Heuristic-210!Eldorado
Avast | 4.8.1281.0 | 2009.01.08 | -
AVG | 8.0.0.229 | 2009.01.09 | -
BitDefender | 7.2 | 2009.01.09 | -
CAT-QuickHeal | 10 | 2009.01.09 | (Suspicious) - DNAScan
ClamAV | 0.94.1 | 2009.01.09 | -
Comodo | 895 | 2009.01.08 | -
DrWeb | 4.44.0.09170 | 2009.01.09 | -
eSafe | 7.0.17.0 | 2009.01.08 | -
eTrust-Vet | 31.6.6300 | 2009.01.09 | -
F-Prot | 4.4.4.56 | 2009.01.08 | W32/Heuristic-210!Eldorado
F-Secure | 8.0.14470.0 | 2009.01.09 | Suspicious:W32/Malware!Gemini
Fortinet | 3.117.0.0 | 2009.01.09 | -
GData | 19 | 2009.01.09 | -
Ikarus | T3.1.1.45.0 | 2009.01.09 | -
K7AntiVirus | 7.10.584 | 2009.01.09 | -
Kaspersky | 7.0.0.125 | 2009.01.09 | -
McAfee | 5489 | 2009.01.08 | -
McAfee+Artemis | 5489 | 2009.01.08 | -
Microsoft | 1.4205 | 2009.01.09 | TrojanDownloader:Win32/Small.gen!C
NOD32 | 3755 | 2009.01.09 | -
Norman | 5.99.02 | 2009.01.09 | -
Panda | 9.4.3.3 | 2009.01.09 | -
PCTools | 4.4.2.0 | 2009.01.09 | -
Prevx1 | V2 | 2009.01.09 | -
Rising | 21.11.42.00 | 2009.01.09 | -
SecureWeb-Gateway | 6.7.6 | 2009.01.09 | Heuristic.Crypted
Sophos | 4.37.0 | 2009.01.09 | Sus/UnkPacker
Sunbelt | 3.2.1831.2 | 2009.01.09 | -
Symantec | 10 | 2009.01.09 | -
TheHacker | 6.3.1.4.214 | 2009.01.09 | -
TrendMicro | 8.700.0.1004 | 2009.01.09 | PAK_Generic.001
VBA32 | 3.12.8.10 | 2009.01.08 | -
ViRobot | 2009.1.9.1552 | 2009.01.09 | -
VirusBuster | 4.5.11.0 | 2009.01.09 | -
Additional information
File size: 7742 bytes
MD5...: d2326165be23464144a26abea694b841
SHA1..: ff3a6f283004a16cef00db62a04473199c92cf74
SHA256: 0dd6bb6563fbb4fc57a26136fe44049e3e7d5f5a7cd68d1387016dba6ed0fc82
SHA512: 155a37ee85af7437a01882d4e62e36e154259b2a6e1abbc18be6f6b986a231f404f52406a9c59c2016740d80d30d651aaff39b489278ada0df6a73df50557f73
ssdeep: 96:nPVw00/r52DfD5UfvXUqtddStibeKWaeTqpo5HTRVa7gi8uOg:ntwdgD75+1beKRy5HT6ZUg
Moral of the story is,
even a very good, fully updated antivirus program can miss something
like this. Don't assume it's safe just because your AV program didn't
raise a stink. Don't click on it. Period.
Update: Gary
Warner's blog has more detail on this one, including information
about the malware the trojan downloads and where it gets it.
January 2, 2009
AV Comparatives Summary Report for 2008
AV Comparatives
does independent testing of antivirus products. In order to even
get tested, the products have to prove they're at least adequate
in the first place, so there are only 16 products being tested.
Winners for 2008 were
* Best Overall: Avira AntiVir (about $28/year at current exchange rate for antivirus+antispyware, free for antivirus alone), with ESET NOD32 Antivirus (about $60/year) a close second
* Best On-Demand Detection: Avira AntiVir, with just about everything
a close second
* Best Proactive On-Demand Detection (detecting new malware no one
has seen before): ESET NOD32; Avira was close, but lost points for
false positives.
* Lowest False Alarm Rate: McAfee
(about $30/year) with Microsoft's discontinued Onecare product in
second place (Microsoft plans to replace Onecare with a free product)
* Fastest On-Demand Scanning: Symantec's Norton
Antivirus (about $40 a year) with Avira in second place
* Fastest Speed for Copying/On-Access Scanning (scanning files while
you're in the middle of opening them): Kaspersky Antivirus (about $60/year), with ESET NOD32 second.
* Best Overall Performance (how much it slowed down computers when
running): ESET NOD32, but also with several others performing nearly
as well.
The full report is here. In addition, Shadowserver does continuous comparisons on a daily/weekly/monthly/yearly
basis, which often gives a better idea of how a single product can
be completely fooled by a particular sample of malware that floods
everyone's email inboxes, while performing extremely well with everything
else. Watching how your AV program performs over time gives you
information that a testing agency can't easily duplicate in a lab.
Today's performance by Kaspersky is quite poor, for instance, although
it is usually considered one of the gold standards that other programs
are compared with.
AntiVir's good showing is consistent with its results in the Castlecops Unknown File Forum, where newly discovered malware was posted with results of scans done at VirusTotal and Jotti. False positives are always undesirable, but if you know to be cautious, it's probably better to get an alert and have to check it out than to get no warning at all. If your AV program detects something already on your system and you aren't aware of any problems, before deleting it, send the suspicious file to your AV program's manufacturer (each program should provide a way to do that). They should get back to you within about 24 hours with a more thorough analysis to confirm or correct the previous results. That kind of input also helps keep your AV program one of the top performers.
Notice that you can get a very good program for
a reasonable price. But also be aware that you still need to let your brain be your first line of defense
-- no AV program detects all the malware the first day it shows
up, and some products (especially some free programs that weren't
tested) do quite poorly. Don't get a subscription for more than
a year, because this year's stars might ride on their reputations,
and this year's dogs might overhaul their procedures to improve
their products. It's not worth changing for small differences in
these types of competitions, but if you see your current product
wasn't even tested because it couldn't meet minimum standards, yes,
it's time to shop around.
January 1, 2009
More reviews of 2008
Gary Warner has posted his top ten list of most significant spam and malware developments
of 2008.