Saturday, November 22, 2008

New proof of concept script attack in all browsers bypasses AV detection


Stephan Chenette of Websense describes a new Internet attack vector that could allow hackers to bypass anti-virus protection at both the gateway and the desktop. The technique, called script fragmentation, involves breaking down malware into smaller pieces in order to beat malware analysis engines.

The attack works like this: Malware authors write benign client code and embed it in a Web page. The only content contained on the initial page will be a small JavaScript routine utilizing XHR or XDR. This code contains no actual malicious content, and the same type of code is found on all of the major legitimate Web 2.0 sites.

When a user visits the Web page, the JavaScript and the XDR or XHR will slowly request more code from other Web servers a few bytes at a time, thereby only allowing a user's gateway anti-virus engine to analyze a few seemingly innocuous bytes as it tries to determine whether or not the Web site is malicious.

Once received by the client, the bytes are stored in an internal JavaScript variable. The client will request more and more information until all the information has been transferred. Once it has been transferred JavaScript will be used to create a Script element within the DOM (Document Object Model) of the browser and add the information as text to the node. This in turn will cause a change to the DOM and execute the code in the script element.

According to Chenette, the entire process—from data being transferred over the network to triggering JavaScript within the DOM—can slip under the radar because no malicious content touches the file system. It's done completely in memory, and any content that is transferred over the network is done in such tiny fragments that anti-virus engines parsing the information don't have enough context or information to match any signatures.

The attack, which has not been seen in the wild by Websense, works on all the major browsers. Technically, however, it is not a browser vulnerability—it merely takes advantage of the way browsers work.

My initial thoughts: If this gets out into the wild, the only protection is to either turn off scripting entirely in Internet Explorer (which will cripple most legitimate websites), or use the excellent NoScript plugin for Firefox (and use it correctly).

Thursday, November 20, 2008

Rootkits, Trojans -- they may 'own' your USB thumbdrive

A topic that I might have brought up before (too lazy to go find it) and which really hit home over this last weekend - USB portable storage devices and current malware are a match made in virus heaven.

A friend of mine called me in a panic - his main computer slowed down so he thought he might clean it up a bit. Made a full backup of his photos and documents to a portable USB drive. Started the cleanup, saw some odd behavior, downloaded an alternate virus scanner trial, found nasty nasty stuff that he could not clean up, rebuilt the OS after formatting the drive -- and started to restore his files from that backup.

Remember that backup? The one he took from what was likely an already infected system? The second he inserted that drive into a USB port - wham! Infected again. That's when he finally called me . . .

Much like virus infections that spread via 5.25-inch and 3.5-inch diskettes in days of yore, a new generation of backdoor Trojans, rootkits, keyloggers, botnet/zombie infections and other malware use USB drives as an infection vector.

This is exceptionally nasty for consultants that use USB drives as their portable toolkit. They stick their drive into an infected computer, which infects their portable drive, which in turn infects the very next computer into which they insert said drive if Autoplay is turned on . . .

Solutions do exist though. My personal solution - which I use in my business - is to use USB thumb drives with a Write Protection Switch (a physical slider switch on the side of the drive that sets the drive to read-only mode and cannot be bypassed by software) while in the field. I also keep a full redundant backup of my software toolkit in safe storage. (Not to mention I scan my thumb drives after every client visit.)

So you set the drive to read/write when copying data to it from a safe computer. Switch the thing to read only while using it in other computers.

The only trouble is that if you need to write/save a file to the drive while visiting another computer - you had better make darn sure that a) that other computer is running a current and trustworthy anti-malware suite and b) that your own computer at your home or office has autoplay turned off and c) that afterwards you think very hard about using that drive in any other computer before getting it scanned from a safe location.

The other problem is that finding a USB drive with a physical "Write Protection Switch" is fairly difficult. I've got two different brands in my toolkit now. It took some serious google-fu to locate them and even more effort to find a vendor that sold the models. (Iomega and Kanguru for those curious - the Kanguru is fast and secure, but much more pricey.)

I've said it before, here it is again (and updated for Vista users):

I've often wished that the Autoplay feature was turned off by default in Windows. It would also be nice if there was an easy way to turn it off somewhere in the user settings . . . but it's a tad more complicated.

Autoplay is not really needed anyway. It's annoying when you insert a CD that you just want to browse, and it has been the vector for viruses several times in the past. Just remember that if you turn it off, and you insert a CD from which you want to install something, you will need to browse to that CD and find the Setup program manually instead of waiting for the Autoplay setup to start automatically. I like having to start setup manually better anyway; it gives me more control over my system.

To turn Autoplay off, find the heading for your operating system below.

Windows XP Home

1) Create a new TXT file and open it in Notepad.

2) Paste the code below into your new text file.

Windows Registry Editor Version 5.00

; Points Windows at a registry key that does not exist when it looks for
; Autorun.inf settings, so the Autorun.inf on inserted media is ignored.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

3) Save the file, close it in Notepad, and rename the file to end in the ".reg" extension.

4) Double click the REG file to import the setting into your registry. Click OK when it asks if this is something you want to do . . .

5) Reboot and done for Windows XP Home.

Windows XP Professional

1) Click Start, Run and enter GPEDIT.MSC

2) Go to Computer Configuration, Administrative Templates, System.

3) Locate the entry for "Turn Off Autoplay" and Enable it for All Drives.

4) Close the Policy Editor and reboot . . . done for Windows XP Professional!

Windows Vista

Note: Be certain you have installed Vista Service Pack 1 and have all the most recent patches before applying this change.

1) Create a new TXT file and open it in Notepad.

2) Paste the code below into your new text file.

Windows Registry Editor Version 5.00

; Points Windows at a registry key that does not exist when it looks for
; Autorun.inf settings, so the Autorun.inf on inserted media is ignored.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

3) Save the file, close it in Notepad, and rename the file to end in the ".reg" extension.

4) Right click the new REG file and select "Run as Administrator" to import the setting into your registry. Click OK when it asks if this is something you "really" want to do . . .

5) Reboot and done for Windows Vista!
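For anyone who would rather check than trust, here is an added PowerShell script (not from the original post) that audits both settings described above: the Autorun.inf IniFileMapping trick from the .reg file, and the NoDriveTypeAutoRun policy value that the gpedit "Turn Off Autoplay" setting writes for all drives. It assumes PowerShell is installed on the XP or Vista box and that the session is elevated when -Apply is used.

```powershell
# Added example: audit (and optionally apply) the two Autoplay settings from this post.
# Run from an elevated PowerShell session when using -Apply; reboot afterwards.

$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-AutorunHardening {
    [CmdletBinding()]
    param([switch]$Apply)

    # 1) The .reg trick: Autorun.inf is mapped to a registry key that does not exist,
    #    so Windows never reads the autorun.inf file on the inserted media.
    $mapped = (Get-ItemProperty -Path $IniMapKey -ErrorAction SilentlyContinue).'(default)'
    $mapOk  = ($mapped -eq '@SYS:DoesNotExist')

    # 2) The Group Policy "Turn Off Autoplay" for all drives sets NoDriveTypeAutoRun = 0xFF.
    $mask  = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $polOk = ($mask -eq 0xFF)

    if ($Apply) {
        if (-not $mapOk) {
            New-Item -Path $IniMapKey -Force | Out-Null
            Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
        }
        if (-not $polOk) {
            New-Item -Path $PolicyKey -Force | Out-Null
            Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
        }
    }

    # One row per machine; pipe into Export-Csv when checking a whole office.
    New-Object PSObject -Property @{
        AutorunInfMapped     = $mapOk
        AutoplayPolicyAllOff = $polOk
        RebootNeeded         = [bool]($Apply -and -not ($mapOk -and $polOk))
    }
}

Test-AutorunHardening          # report only
# Test-AutorunHardening -Apply # apply both settings, then reboot
```

Either setting alone stops autorun.inf from launching anything; the script reports both so you can see which of the two methods above a given machine is actually relying on.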

For more information, see Microsoft's KB article on AutoRun/AutoPlay at

NVidia Tesla Update - supercomputing at the desktop

Update regarding a post I made almost a year and a half ago, NVidia's Tesla may be changing our definition of super-performing personal computers.

For those with enough cash - around 10 grand for the base model - you can get your very own personal "Super-Computer!"

Seriously - can you imagine what this could do for very small scientific research companies?

Each processor can sustain one teraflop. Need more power? Add processors . . . up to four for now and possibly more in the future.

More info:

Thursday, November 13, 2008

Long term data storage

I've been subscribing to the theory for several years that the best way to safely store data for the long term was to use redundant hard drive spindles, and keep up with maintenance. That used to be valid, because no optical storage media had been invented that was rated for any kind of decent long term retention. (10 years max used to be the rule of thumb - with no assurances whatsoever.)

Sometime in the last few years optical technology greatly improved the longevity of certain media types. I missed that . . .

So the question I started researching today was "how do I store all my family digital photos safely?"

So far it looks like (Edit: hypothetical - they don't appear to exist yet on the market) Gold Media DVD+R is the way to go. Proper storage in a cool, dry, dark place in acid free liners also seems to be critical.

One of the preferred SATA burners on the market for good quality burns:
Samsung SH-S223F

Found several good articles on the topic, but wondering if anyone here has direct experience with this problem. If you have some tips, please post them below!

Links of worth so far:

Tuesday, November 11, 2008

November 2008 Patch Tuesday

If you're not set to use automatic updates on Windows (XP and Vista), be sure to fully catch up your patching today.

There was a super-critical out of cycle patch released 2 weeks ago, plus several critical patches released today.

You really want these security fixes . . . two of these vulnerabilities are being actively exploited right now.

Users of Grisoft's free AVG: don't delete that file until you check this . . .


An update for the AVG virus scanner released yesterday contained an incorrect virus signature, which led it to think user32.dll (a critical Windows system file) contained the Trojan horses PSW.Banker4.APSA or Generic9TBN. AVG then recommended deleting this file; this causes the affected systems to either stop booting or go into a continuous reboot cycle. So far, the problem only appears to affect Windows XP, but there is no guarantee that other versions of Windows don't have the same issue.

Both AVG 7.5 and AVG 8.0 were affected by the update; a revised signature database has just been published that corrects this issue. People who have removed user32.dll can either boot from their original Windows CD and choose the repair option, or boot from another CD and restore the file from C:\Windows\System32\dllcache.

Friday, November 7, 2008

A short break from computer topics . . . Bread!

One of my many side hobbies is baking. This morning I discovered an excellent resource for artisan bread at . . .

Am I allowed to "gleee?" (cough)

They are pushing a book, which I will likely buy -- but many recipes are listed in full on that site. I predict a very pleasant smelling weekend in my home as I try making their Pletzel. :D

Wednesday, November 5, 2008

US Presidential malware spam

From . . .

"Not a big surprise at all that a spam run distributing malware talking about Obama being elected the new US President started this morning (US time).

The link points to a website that looks like it contains a video and to view it the user has to download a new flash player, adobe_flash9.exe."

Installing that fake Adobe update releases a very nasty trojan with rootkit onto your computer.

Edit: suggests (in comments below) that users may be sure their Adobe products are updated safely by going directly to the source - rather than trust any pop up message announcing an update. This would work for Adobe Reader, Flash, Shockwave, Air, and Adobe Media Player. For Reader you can update from within the program itself. For other Adobe products, try and follow the free product links from their front home page.

Monday, November 3, 2008

Guard your domains - new wave of phishing attacks

Last week one of my clients forwarded an email to me that purported to be from Network Solutions - a well-known domain name registrar. The news looked fairly alarming. The emails stated that their domains had expired and were on the auction block - but if the victims would log onto the site and provide full contact info etc, they would be sent instructions on how to renew the domain before it was auctioned away forever . . .

The link in the email "looked" okay, but it was formatted in HTML and the true link went to a very dangerous web page.

Phishing attack for CC numbers / money?

Not exactly -- or more precisely, not ONLY that. Turns out that there is a new wave of phishing attempts for known, established domain names. The criminals behind the attacks are trying to spoof you into giving up your domain registrar account credentials so they can impersonate you just long enough to transfer that tasty domain into their anonymous ownership.

"The new phishing attacks are a way for spammers, malware writers, and fake antivirus writers to keep their operations running . . .

By grabbing legitimate domains, the cybercriminals secure safer cover for their operations. "With these phishing attacks, they'll get access to domains owned by good people."

Expect to see more of these attempts impersonating every domain registrar (eNom, Network Solutions, GoDaddy, etc.). I also expect to see these phishing attacks combined with malware infections that will attempt to plant key loggers on your workstation.

Don't click the links in those emails!
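The tell in the email above was the HTML link whose visible text looked like the registrar's site while the real href went elsewhere. As an added example (not from the original post), here is a small Python checker that parses an HTML email body and flags anchors whose visible text names one host while the href leads to a different one; the sample email and the renewal-notice.example address in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that itself looks like a URL or a bare domain name.
_DOMAINISH = re.compile(r"^(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?$", re.I)
# Constructed sample of a registrar-renewal phish: the visible text says Network Solutions,
# the real href does not (renewal-notice.example is a placeholder, not a real site).
SAMPLE_EMAIL = """<p>Your domain is about to expire and will be auctioned.</p>
<p>Log in at <a href="http://renewal-notice.example/login">www.networksolutions.com</a>
to renew, or <a href="https://www.networksolutions.com/">visit our homepage</a>.</p>"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Lower-cased hostname with any leading "www." dropped; "" if there is none.
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_mismatched_links(html):
    """Return (visible text, href) for anchors whose text names one host but the href leads elsewhere."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not _DOMAINISH.match(text):
            continue  # "click here" style text makes no host claim to compare
        shown = _host(text if "://" in text else "http://" + text)
        real = _host(href)
        if shown and real and real != shown and not real.endswith("." + shown):
            flagged.append((text, href))
    return flagged
```

Running find_mismatched_links(SAMPLE_EMAIL) flags only the first link; the second link's text makes no claim about a host, so it is left alone, which is exactly the judgement a careful reader has to make by hand.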

Saturday, November 1, 2008

New things to guard against in 2009 (Part 1 - Keys)

Long has it been advised to protect your personal information in public. Things like guarding your PIN from being observed at POS counters and ATM machines. Keeping a finger over your CC numbers as much as possible in public when they are out of your wallet. Don't carry your SS card in your wallet / purse. Watch for odd looking attachments on card readers (although lately that's not as effective, new black market card readers can be inserted inside some gas station pump CC slots.)

Now comes software that can duplicate your car and house keys from surveillance photos.

"UC San Diego computer scientists have built a software program that can perform key duplication without having the key. Instead, the computer scientists only need a photograph of the key.

. . . advances in digital imaging and optics have made it easy to duplicate someone's keys from a distance without them even noticing."

In one demonstration of the new software system, the computer scientists took pictures of common residential house keys with a cell phone camera, fed the image into their software which then produced the information needed to create identical copies. In another example, they used a five inch telephoto lens to capture images from the roof of a campus building and duplicate keys sitting on a café table about 200 feet away.