According to the Washington Post, “Hackers are increasingly targeting law firms and public relations companies with a sophisticated e-mail scheme that breaks into their computer networks to steal sensitive data, often linked to large corporate clients doing business overseas.”
Needless to say, I’ve informed all of my clients who may be affected.
The attacks turn out to be classic “spear phishing” attacks and they can be very convincing. (Recall that a couple of years ago, dentists were targeted.) Here’s what the FBI has to say about the current round of attacks:
[The FBI says hackers are using] spear phishing e-mails with malicious payloads to exploit U.S. law firms and public relations firms. During the course of ongoing investigations, the FBI identified noticeable increases in computer exploitation attempts against these entities. The specific intrusion vector used against the firms is a spear phishing or targeted socially engineered e-mail designed to compromise a network by bypassing technological network defenses and exploiting the person at the keyboard. Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link. Network defense against these attacks is difficult as the subject lines are spoofed, or crafted, in such a way to uniquely engage recipients with content appropriate to their specific business interests. In addition to appearing to originate from a trusted source based on the relevance of the subject line, the attachment name and message body are also crafted to associate with the same specific business interests.
I wasn’t able to find the text of the latest emails floating around in this spear phishing campaign, but the above description should give you a clue.
I was all for MS Security Essentials when I heard the announcement of its release (see Microsoft Security Essentials Goes Live and Microsoft Security Essentials is a Game Changer). I installed it on all my machines. Then, I had some big time performance issues. My desktop machine slowed to a crawl and would often take the better part of 10-15 seconds just to repaint the screen. I experienced random lockups where the mouse pointer just froze and nothing would happen. I would start typing in a browser address bar (both IE and Firefox) and I’d have to wait several seconds before any characters would show up.
I didn’t attribute this to MSE. Instead, I got rid of my background picture on the desktop, defragmented my registry, defragmented my page file and did all of those things I normally do to completely tune up a machine. No joy.
Then, Panda came out with version 1.0 of Cloud Antivirus and I commented on that: Panda Cloud Antivirus Emerges From Beta. I said “slight” performance issues had been evident with MSE. I was wrong: They were major, and I’m not the only one who has experienced that. Here’s a comment I just got on my Ask the Geek blog:
Nothing was working for me… until I disabled Microsoft Security Essentials – which apparently came with Windows 7! I prefer another malware program and virus program anyway… then I did a msconfig service cleanup of all the crap (including stopping MS Sec Essentials)… everything’s been loading great.
Evidently, MSE isn’t all it’s cracked up to be and I stand corrected. BTW, Panda is doing fine and I no longer have the performance problems. Microsoft, please get it right for once.
Who else is having problems? Comments welcome.
Over the past couple of years, I’ve written several articles and blog posts about cyber-warfare, the two most popular being: Will You Be Used As a Weapon Against Your Own Country?, and Uncle Sam Wants You–to Become a Cyberspace Warrior. The former began with this scenario
I tested Panda Cloud Antivirus extensively on my systems while it was in beta and only recently switched to Microsoft Security Essentials (MSE) for evaluation. Today, I’ll switch back to Panda on my older, slower system to compare the performance of each one. I have noticed a slight performance degradation with MSE that was all but non-existent with Panda. Now that Panda Cloud Antivirus is out of beta, I can make a fair comparison, which I will report on later. In the meantime, here’s some info from Panda’s press release, which I received this morning.
Panda Cloud Antivirus, the industry’s first and most comprehensive free cloud-based anti-virus that protects consumers’ PCs against the latest malware, spyware, rootkits and viruses, today emerged from beta after six months of user testing. To experience the expanded performance and support capabilities of Cloud Antivirus, as well as benefit from both online and offline security protection, consumers can download the free service from Panda Security at http://www.cloudantivirus.com.
Recognized for being “the first anti-virus without an update button”, Panda Cloud Antivirus delivers the fastest protection against the newest and most dangerous viruses. This is made possible thanks to Collective Intelligence, Panda’s advanced system that gathers malware information from its global community of users in the cloud to automatically identify and classify new malware strains in minutes. Collective Intelligence combines local detection technologies with real-time cloud-scanning to maximize protection while minimizing resource consumption. Available in 11 languages, Panda Cloud Antivirus works under Windows XP (32-bit), Windows Vista (32-bit and 64-bit) and Windows 7 (32-bit and 64-bit) operating systems and only consumes 20 MB of RAM.
It’s an interesting technology and one that I think we’ll see more of in the future. As more users join the collective, the application gets even more sensitive to new malware strains. A PC World review found Cloud Antivirus impressive:
“Among all of the free anti-virus software we tested for our latest roundup, Panda Cloud Antivirus was the best app at blocking known malware. The approach is intended to take advantage of the latest signatures without the need for signature-database updates–and if its excellent showing at detecting malware in AV-Test.org’s zoo of half a million samples is any indication, the approach works. Panda’s app produced an impressive 99.4 percent overall detection rate.”
Let me know if you try it and how you like it.
Maybe it’s time for a new technology.
So, if all you need to do with your PC is write documents that you’re going to print out locally or balance your checkbook with information that you’ve input offline, you should be safe, right? Wrong. Did you bring home anything from the office, like on a thumb drive, or on a now-obsolete floppy disk? Do you ever do this? Well, if you do, then you’re not completely safe.
Have you been computing long enough to remember the “Stoned” virus? This little nasty (though it really wasn’t very nasty compared with today’s malware) spread via infected floppy disks. My entire business (8 computers) got hit with it in 1989. We had a “sneaker net” in those days and almost everyone had to work on various documents at some point. The disk got passed around to every computer before I figured out what was going on and neutralized the threat.
It’s true that if you never get on the Internet, you reduce your attack surface significantly, but, really, do you know anyone who isn’t connected to the Internet in some way these days? I think not. So, Houston, we have a problem.
Who do you know who’s willing to unplug their PC from the Internet?
I guess those of us in the security field don’t really have to worry about our jobs, do we?
I just got these in my email from http://techsupportalert.com (Gizmo’s Freeware site) and figured I should pass them on. You can’t beat free and these two programs are top-rated. Note that these are time limited offers.
Emsisoft are releasing their top rated a-squared Anti-Malware program with a free one year license. This offer is valid for 24 hours only commencing at 11:11 (CET) on Wednesday 11th November, 2009.
Combine the excellent Agnitum Firewall with the excellent BitDefender AV and throw in online support direct from the product user interface and you get the Bullguard Internet Security Suite, one of Europe’s most popular security products. Get a full 12-month license including support on November 5 and 6 only. A Gizmo’s Freeware exclusive.
I highly recommend Gizmo’s site; there’s nothing but the best freeware and it’s the first place I look when I’m trying to find any utility.
Hey, tomorrow’s Halloween, our annual celebration of all things dark and evil. This video, produced by security firm Comodo, is hilarious, yet hides a rather dark truth–quite in the spirit of our creepy holiday.
The video pays homage to the popular A&E Television series “Intervention,” which portrays people whose lives are on a downward spiral, and the redemption of the people who care about them. In this case “Laptop” is infected with malware, and the experts step in.
“We make the point any way we can,” said Melih Abdulhayoglu, CEO of Comodo. “This parody is funny. We hope its humorous approach grabs viewers’ attention and convinces them to install antivirus and firewall software.”
In “Intervention: Laptop (The Banned Episode!),” Laptop is a personal computer struggling with an addiction to malware and viruses. Her loved ones are desperate for help, and have reached out to the Intervention team. Can an intervention set Laptop down the right path, or will she shut down for good? Watch and find out.
Happy Halloween, everybody!
So far, we’ve explored the first 7 basic missions at HackThisSite.org. The difficulty of these challenges increases at each level, but this one is not too tough if you look at the clues. Here’s the challenge:
The password is yet again hidden in an unknown file. Sam’s daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic html executed by the server, rather than the browser).
Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/
However, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability.
Did you catch that key phrase in the description above? It’s “…executed by the server…”, and the script that saves the file is PHP. That’s what tipped me off. The PHP script writes whatever we type in the input box into a file the server treats as SSI, so an SSI directive typed into the box should be executed on the server. SSI lets you execute a command with a simple one-line directive. Let’s see what happens if we type in the ls command like this:
<!--#exec cmd="ls"-->
That give us some output, but not what we’re looking for, I’m afraid:
Your file has been saved. Please click here view the file.
That output is at ../level8.php. If you click the link to view the file, you’ll see this at ../tmp/[random filename].shtml:
Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml…[and a lot more].
That’s not what we’re looking for.
Oh, wait. We just did a listing of the current directory, /var/www/hackthissite.org/html/missions/basic/8/tmp/. We want to go up one level to /var/www/hackthissite.org/html/missions/basic/8/. Let’s try that command again so it lists the parent directory:
<!--#exec cmd="ls .."-->
Voila! Now we get this as the output when we click the link to view:
Hi, au12ha39vc.php index.php level8.php tmp!
The file au12ha39vc.php looks like the one. Plug it into the browser and you get the password: 40087506.
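The bug behind this mission, reconstructed as an added example (this is not HackThisSite’s own script): a PHP handler that writes the input box’s contents straight into a .shtml file, beside a hardened version. The function names, the tmp directory argument and the directive check are assumptions of mine.

```php
<?php
// Added example, not HackThisSite's code. Reconstructs the pattern the mission
// describes: user input is written verbatim into a file with a .shtml extension,
// which the web server passes through its SSI parser, so an SSI directive such as
// <!--#exec cmd="..."--> typed into the form is executed on the server.
function save_greeting_vulnerable(string $name, string $tmpDir): string
{
    $file = $tmpDir . '/' . bin2hex(random_bytes(4)) . '.shtml'; // SSI-parsed extension
    file_put_contents($file, "Hi, $name!");                        // raw input, no encoding
    return $file;
}

// Hardened variant: HTML-encode the input so "<!--#" can never form a directive,
// and write a plain .html file, which is served as-is rather than SSI-parsed.
function save_greeting_safe(string $name, string $tmpDir): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $file = $tmpDir . '/' . bin2hex(random_bytes(4)) . '.html';
    file_put_contents($file, "Hi, $safe!");
    return $file;
}

// Input-boundary check (assumed helper): reject anything that looks like an SSI
// directive so it can be logged and refused before any file is written.
function contains_ssi_directive(string $input): bool
{
    $pattern = '/<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod)\b/i';
    return (bool) preg_match($pattern, $input);
}

// Constructed sample inputs: a normal name and the directive used in the walkthrough.
$tmpDir = sys_get_temp_dir();
foreach (['Stephanie', '<!--#exec cmd="ls .."-->'] as $input) {
    if (contains_ssi_directive($input)) {
        error_log('rejected SSI directive in form input: ' . $input);
        continue;
    }
    echo 'saved to ' . save_greeting_safe($input, $tmpDir) . PHP_EOL;
}
```

On the server side, Apache’s Options IncludesNOEXEC keeps SSI enabled but disables #exec, which would have stopped this mission’s command even if the script were left unchanged.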
My recent post, Convert Any Live CD to a Bootable Thumb Drive in Minutes, referred to the Kaspersky rescue CD as one possible way to make an antivirus bootable USB thumb drive. A lot of people over at my Ask the Geek site have done that and had success with it. However, I have been getting a lot of questions about the updating function, most of them along the lines of how to force a static IP address. This should clear it all up.
The Question: Hey Geek, As with the other commenters, thank you so much for this guide and utility. It could potentially be a life saver.
I do however have a few questions:
1) I am guessing the networking side of things works via DHCP. I have looked through the files, but am no Linux expert, so wondered if there is a way of setting a static IP?
2) Where are the virus definition updates saved to? I ran the update on my laptop (DHCP) then plugged the USB drive into a machine with no DHCP and it said the definitions were out of date. I would have hoped it updated them on the USB key?
My answer: 1. Yes, it works via DHCP. Normally, you would be able to set a static IP address by using the procedure below. You’ll want to get into the Linux command console; I believe the rescue disk UI has a link for that. You can then assign a static IP address:
ifconfig eth0 <ip address> up netmask 255.255.255.0   # assign the address and mask
route add default gw <gateway router address>          # set the default gateway
ifconfig eth0 down                                     # bounce the interface
ifconfig eth0 up
route add default gw <gateway router address>          # the route is lost on down, so add it again
You can verify the IP address by typing ifconfig with no parameters. It should show the address you set for eth0.
2. The updates are saved to memory, so they go bye-bye when you reboot. It’s better to update every time you use it anyway, so you always have the current definitions. I’ll investigate the ../etc/conf file and see if I can resolve this.
Hope this helps anyone here who has had similar questions.