Firefox Vuln and DNS Changers

A newer spyware program targets only Firefox users, according to these articles. (which includes links to technical information). Of course, one has to allow the initial infection to install.

It’s not clear how the initial infection gets to your computer. But once there, it puts hooks into Firefox to allow the spyware to watch and report on access to banking-type web sites. When such a site is accessed, the spyware grabs your login credentials and sends them off to the evil hacker. And that can’t be good.

Another evil is the DNS changer software that could live on the laptop next to you at the local coffee shop. When you connect to the coffee shop’s network, the evil laptop will intercept and change your DNS settings. That will allow the evil DNS server to intercept and redirect your access to a web site. Also not good.

Brian Krebs (Washington Post) has a write-up of it here . The trojan works by changing a registry value that changes the DNS server your browser accesses.

The trojan is another one that you have to decide to install, and is often disguised as a video ‘codec’ (add-on) that an evil site (often an ‘adult’ site) wants to install so you can view the videos. Could even be a site like www(dot)yuotube(dot)com (and no, that is not a typo).

A quick way to check if you have a DNSChanger problem is to try to browse to a known non-existant web site. Like . You should get a “Navigation cancelled” page. If you get anything else, then it’s time to start the cleanup process on your computer (and perhaps your router, since there are some DNSChanger attacks that try to hack into your router using known passwords).

Note that some ISPs redirect you to their search page if you type in a non-existent web site name, so this may not work for everyone.

Be careful out there!

USB Auto-Infection

One method of infecting a computer is through the use of AUTORUN.INF on a USB drive. This is a file that contains commands to automatically execute when the device is attached to a computer. If your computer is set to automatically execute that file, that setting can cause problems.

An example is when a USB picture frame device has malware on it, and it automatically runs the malware when the picture frame cable is connected to your computer. This happened last year, and there is some malware out there that will infect your computer. The US military has banned user-owned USB drives for this reason.

Most AV programs should be able to ‘catch’ the attempt at an installation of malware from an infected USB drive, since many of those infections are ‘known’ by a current AV program. You can also do a manual anti-virus scan of USB-attached drives.

You should be aware that there are more than just the USB “thumb drives” that might be a risk. There were many reports this year about infected devices such as photo frames that attach to your computer via USB. Those photo frames are a popular gifting item during the holidays.

Passing around infected USB thumb drives is a great way to do penetration of business systems. Some penetration testers have done that as part of their ‘war games’ against a business by dropping some infected USB thumb drives in the business parking lot or entrance area. (Of course, those war games were done with the permission of the business. You’d want to be careful about doing that yourself.)

Great social engineering way to get into a system….most people will plug the USB drive into their system out of curiosity.

There is a setting on your computer to disable auto-run via your Local Security Policy. On a Windows XP system: Use Start, Run, GPEDIT.msc . Then click down to “Computer Configuration”, then “Administrative Templates”, then “System”. In the right panel, double-click “Turn of AutoPlay“. Click on the “Enabled” button, and use the dropdown in “Turn off Autoplay on” to set it to “All drives”.

On a Vista system: use the “Start” button (the round Window icon), then type in “autoplay” and press Enter. That should get you to the “Control Panel, AutoPlay” dialog (which is another way to get there). In that screen, make the setting for “Software and Games” to “Take no action”. Also set the “Mixed content” choice to “Take no action”. (You could also set “Take No Action” on the other choices also if you want to be very conservative.)

Note that in a corporate/managed system, your network administrators may have already set this for you. If they haven’t, strongly encourage them to do so. This will cause CD’s to not auto-play, but that is a small price to pay.

Great Spam News

Are you getting less spam? A big spam host in CA was taken offline on Tuesday. One good source for the story is here , since Brian Krebs (the WP columnist) was one of guys responsible. The ‘co-location’ (a big web site hosting firm) looks to be responsible for up to 80% of the world’s spam, along with hosting other offensive sites (child pornography, etc).

As of Tuesday, their connection to the Internet was cut off.

As a result, the volume of spam being pumped out by all of those infected computers has gone down by 60% or more. At my office, we usually get about 800,000 messages a day; we block 92%+ as spam. Over the last 24 hours, that incoming volume has been reduced to about 250,000. Others are reporting the same reduction. (More details on Brian Kreb’s blog here:

It will be interesting to see how long this reduction lasts.

In the meantime, working on another web site project, some updating of existing sites, and the other usual stuff.

That MS Critical Patch

To add to all the coverage of the extra special (and critical) MS patch released yesterday, for the benefit of my three (that many?) regular readers:

My first reading of the various links about this vulnerability and patch (see below) indicate that, although the rating is critical, and the patch should be installed immediately, there is less exposure to Vista and Server 2008 and XP SP2+ systems because their default settings enable the firewall and block ports 139 and 445. (You can check if those ports are blocked by using the ShieldsUp test at

Note that this vulnerability has the potential for the same impact as the Blaster and Sasser worms (the blocking of those ports and default firewall enable XP SP2 and Vista is one of the results of learning from the Blaster worm). That blocking will help with external attacks, but an internal attack (behind the firewall) may be possible. For instance, our organization was severely impacted by an internal attack of the Blaster worm, which caused a Denial of Service (DoS) type of attack on network traffic.

The initial takeaway is that the MS patch, and probable (already released now) upcoming AV patches will be very important for all users, even if a ShieldsUp test shows that you are blocking ports 139/445.

Corporate/network users are strongly advised to get this one installed on all external and internal systems, even if their firewalls are blocking those ports. And home users are especially urged to install the patch.

There are reports of some limited attacks using this vulnerability; I suspect the hacker community is frantically working on exploits.

A typical exploit might be to install spyware/malware on your computer to gather confidential information. It is less likely, I think, that an exploit would try to just do a DoS-type (Blaster) attack; most hackers are now targeting systems for confidential information for financial gain.

More general info here: From the MS SDL (Security Development Lifecyle) blog ; an explanation of “why didn’t we catch this”.

Just remember safe computing practices: install updates, don’t click on links in emails alerting you to an update, pop-up messages while surfing the ‘net that alert you to malware are bogus and should be ignored, etc.

Adobe Flash Update

Adobe has released their latest update to Flash (for multimedia on web pages) to fix the “clickjacking” bug. (This allows an evil hacker to place a hidden ‘button’ on a web page that will do nefarious things when you think you are just clicking on a link on a page. This exploit is not widespread, and not terribly easy to do, but is rather sneaky.)

You can check their Flash version by going to this Adobe page: . You’ll get your current version, and a list of versions for Windows, Mac/OSX, Linuz, and Solaris operating systems.

Notice that this update is not just an Internet Explorer vulnerability, but also affect Firefox, Opera, etc.

All users should ensure they have this update.

Keeping Children Safe On-Line

Our children are constantly on-line. Even down to pre-schoolers. A great resource for parents (and grandparents) to help understand the proper precautions for children (and to understand the things that are available for children), is the Keep Safe Coalition site called .

There are resources for parents and children to understand how to keep safe on the ‘net. This is a place that every parent should look at with and for their children.

Those Password Questions

The Sarah Palin email hack was done by some simple Google-fu and stupid password reset questions. Like “what is the name of your high school?”. How hard is that to find out?

What to do? Well, set your password reset answers to something ‘out of the box’. Example: “what is the name of your high school?” answer could be “1947 Chevy Impala”. No way anyone will be able to Google that.

And what should you do to secure your digital life might be to follow the steps in this blog from a company called “Erratta Security” (link here: ).

At the very least, try the “7 Steps to Computer Security” at my DigitalChoke site here . I wrote that back in 2004, although it may be time for updating.

For wireless networking, try these “Simple Steps for Wireless Networks” .

And if you are worried about Global Warming, then you should get some Carbon Offset Certificates here . They are worth less than they cost !

Google Chrome Warning

There is lots of press and user interest about Google’s new “Chrome” browser.

It’s important to know that this is a ‘beta’ product. And that there are, even after two days, some serious security vulnerabilities, including the potential to allow a malicious web site to silently install nasty software on your computer. There are also risks of user information disclosure.
There’s even ways to easily ‘crash’ the Chrome browser. All of this risky behavior is publicly available information.

While “Chrome” may have some nifty features, it’s still in ‘beta’ (pre-release, buggy, insecure) mode.

I’m waiting for a bit, letting everyone else get the arrows in their back.

My recommendation? Use at your own risk.