As reported yesterday in The Register, the “psyb0t” worm targets home routers and modems and may be the first piece of malware to do so. Researchers from DroneBL, a real-time tracker of abusable IPs, say that as of March 22 100,000 hosts had been infected.
Your equipment is vulnerable only if all three of the following are true:
- Your device is mipsel (MIPS running in little-endian mode, the only architecture the worm binary is compiled for).
- Your device exposes a telnet, SSH or web-based management interface to the WAN, and
- Your username and password combinations are weak, OR the daemons in your firmware are exploitable.
“This technique is one to be extremely concerned about,” the researchers say, “because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information.”
If you believe your equipment is vulnerable or has been compromised, you should immediately take the following actions:
- Power cycle your router. This clears a memory-resident infection, but a device that is still exposed with the same credentials will simply be reinfected, so carry out the remaining steps before you rely on it again.
- Disable WAN-facing telnet, SSH or web-based configuration interfaces.
- Change the passwords to something unguessable (see this article).
- Upgrade to the latest firmware.
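The following is an added example, not code from the original post or from DroneBL, that walks through the three conditions above against your own router. Run it from a host outside your network (a shell account, a VPS, a friend's connection) against your public IP address, because the question is what the WAN side can reach and a probe from the LAN answers a different question. The port numbers are the conventional defaults, the list of factory-default logins is a constructed sample, and 203.0.113.5 is a documentation address standing in for your real public IP; all three are assumptions of the example.

```powershell
# Management services the post names; conventional ports (assumes the device has not moved them).
$WanServices = @{ telnet = 23; ssh = 22; http = 80; https = 443 }

# Constructed sample of factory-default logins, for illustration only.
$DefaultCredentials = @('admin:admin', 'admin:password', 'admin:1234', 'root:root', 'root:admin', 'admin:')

function Test-TcpPort {
    # True when a TCP connect to TargetHost:Port completes within TimeoutMs.
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($TargetHost, $Port, $null, $null)
        # No answer inside the timeout: filtered or dropped, treat as closed.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ExposedServices {
    # Names of the services in $Services that answer on TargetHost.
    param([string]$TargetHost, [hashtable]$Services = $WanServices)
    foreach ($name in $Services.Keys) {
        if (Test-TcpPort -TargetHost $TargetHost -Port $Services[$name]) { $name }
    }
}

function Test-WeakCredential {
    # Weak = a known factory default, shorter than MinLength, or equal to the username.
    param([string]$Username, [string]$Password, [int]$MinLength = 12)
    if ($DefaultCredentials -contains "${Username}:${Password}") { return $true }
    if ($Password.Length -lt $MinLength) { return $true }
    if ($Password.ToLower() -eq $Username.ToLower()) { return $true }
    return $false
}

function Test-Psyb0tExposure {
    param(
        [Parameter(Mandatory = $true)][string]$PublicIP,
        [string]$Architecture = 'unknown',   # 'mipsel' if you know the device is MIPS little-endian
        [string]$Username = 'admin',
        [string]$Password = ''
    )
    $exposed = @(Get-ExposedServices -TargetHost $PublicIP)
    $weak    = Test-WeakCredential -Username $Username -Password $Password
    $mipsel  = ($Architecture -eq 'mipsel')

    # Condition 3 is "weak credentials OR an exploitable daemon". The daemon half cannot be
    # judged from outside, so an exposed mipsel device is flagged even with strong credentials;
    # the verdict says which case applies.
    if (-not $mipsel) {
        $verdict = 'Not a mipsel device: outside the worm''s target set'
    } elseif ($exposed.Count -eq 0) {
        $verdict = 'No management service reachable from the WAN'
    } elseif ($weak) {
        $verdict = 'EXPOSED with weak or default credentials: assume compromise'
    } else {
        $verdict = 'Exposed; credentials look strong, remaining risk is firmware daemon bugs'
    }

    [pscustomobject]@{
        PublicIP        = $PublicIP
        Mipsel          = $mipsel
        ExposedServices = $exposed
        WeakCredentials = $weak
        AtRisk          = $mipsel -and ($exposed.Count -gt 0)
        Verdict         = $verdict
    }
}

# Example call (run from outside your own network):
# Test-Psyb0tExposure -PublicIP '203.0.113.5' -Architecture 'mipsel' -Username 'admin' -Password 'admin'
```

An empty ExposedServices list is the result you want. If any service shows up, disable it on the WAN side (or firewall it) before changing the password, since a password change through an interface the worm is already sitting behind buys you nothing.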
Since the early days of Windows (3.x and forward), the operating system has relied upon virtual memory in the form of a file on the hard drive to compensate for a shortage of physical memory. When physical memory fills up, pages of data are moved from RAM into that file. In the Windows 3.x/9x line the file was called win386.swp; the NT line renamed it pagefile.sys. While the pagefile generally enhances performance, it is also a security risk: whatever was in memory can end up on disk.
For one thing, Windows’ default behavior leaves the pagefile intact when a user logs out or shuts down, so fragments of any file, password or key the user worked with while logged in may still be readable by anyone who can read the raw disk.
Encryption doesn’t necessarily mean the data is safe, either. An EFS-encrypted file is encrypted on disk, but in order to work with it the system must first decrypt it, and pages of that plaintext copy may be written to the pagefile.
There’s a simple registry setting that makes Windows overwrite the pagefile with zeros when you shut down. Why this setting isn’t enabled by default only makes sense from a performance standpoint: shutdown takes slightly longer, proportional to the size of the pagefile. Two caveats: the pagefile is cleared only on a clean shutdown, not on a crash or a pulled plug, and the setting does nothing for hiberfil.sys, which holds a complete copy of RAM whenever the machine hibernates.
Start regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
Set the ClearPageFileAtShutdown value (a REG_DWORD; create it if it is missing) to 1.
Close regedit and reboot your computer to apply the change.
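The same change from an elevated PowerShell prompt, as an added example rather than anything from the original post. It reads the current state first, so you can see the default (value absent, which Windows treats as 0) beside the corrected setting, and it reports whether a hibernation file exists, since that is the other on-disk copy of memory the setting leaves alone. The registry path is the standard Memory Management key; the function names are the example's own.

```powershell
# Registry key holding the pagefile settings.
$MemoryManagement = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-PageFileClearing {
    # Current state: the clearing flag, the configured pagefiles, and whether hiberfil.sys exists.
    $mm = Get-ItemProperty -Path $MemoryManagement
    [pscustomobject]@{
        # An absent value casts to 0, which is the default (pagefile left intact).
        ClearPageFileAtShutdown = [int]$mm.ClearPageFileAtShutdown
        # e.g. 'C:\pagefile.sys 0 0' ('0 0' means system-managed size).
        PagingFiles             = $mm.PagingFiles
        # File.Exists sees hidden system files, which hiberfil.sys is.
        HiberfilPresent         = [System.IO.File]::Exists("$env:SystemDrive\hiberfil.sys")
    }
}

function Enable-PageFileClearing {
    # REG_DWORD: 1 = overwrite the pagefile with zeros during a clean shutdown, 0 = leave it as is.
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $MemoryManagement -Name 'ClearPageFileAtShutdown' -Value 1 -Type DWord
    $state = Get-PageFileClearing
    if ($state.HiberfilPresent) {
        Write-Warning 'hiberfil.sys exists: hibernation writes all of RAM to disk and this setting does not clear it. Consider "powercfg /hibernate off".'
    }
    $state
}

# Before: Get-PageFileClearing
# After : Enable-PageFileClearing, then shut down (not hibernate, not a hard power-off) to apply it.
```

Run Get-PageFileClearing again after the next shutdown and reboot to confirm the value stuck; on a domain member, check that no Group Policy is setting it back, because the "Shutdown: Clear virtual memory pagefile" security option writes this same value.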
Why, all of a sudden, is everyone concerned about secure file deletion? I hesitate to say it’s a sign of the poor economy, but perhaps people consider it even more important to protect their personal information when the idea of losing control of their assets, and their lives, through the incompetence of corporate “managers” and well-intentioned but clueless politicians is more abhorrent than losing control through the outright thievery of Internet gangs. It’s weird. I harped on people about securing their data all along and mostly, my advice fell on deaf ears. Now people are worried. And it’s not because they see more spam email phishing attempts, it’s because they feel they can’t trust anyone anymore, not their formerly respected captains of industry, and certainly not their elected officials.
But, I digress. This post is about security tools, not politics, so I’m now officially off of my soapbox.
I recently posted an article about SDelete, a tool that can be used to securely delete files and folders on a hard drive. There’s another little-known, useful tool that has been built into the OS since Windows 2000: cipher.exe. Microsoft provides the following in Knowledge Base article 315672:
How to Use the Cipher Security Tool to Overwrite Deleted Data
To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:
- Quit all programs.
- Click Start, click Run, type cmd, and then press ENTER.
- Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space.
Two things the KB article leaves implicit: cipher /w works by filling the volume with temporary files and making three passes over the unallocated space (0x00, then 0xFF, then random data), so the volume will briefly report itself full, which is why the article tells you to quit all programs first; and it touches only unallocated space, so a file you still have must be deleted before cipher /w can overwrite what it occupied. One more tool you can use to mollify your paranoid clients.
Hey, fellow Geeks,
Now through the end of April, your tech savvy can earn you the chance to win one of three Xbox 360 game consoles being given away by our favorite tech site, IT Knowledge Exchange. Winners will be the top three community members who have the most Knowledge Points earned and have asked five IT-related questions. You still get points for asking other questions, but only those related to IT will be counted for the contest. Full details are in community manager Jenny Mackintosh’s ITKE Community blog posting, so go there for rules, etc.
The three winners will receive:
- First Place: Xbox 360 Elite
- Second Place: Xbox 360
- Third Place: Xbox 360 Arcade
This is a chance to show off your IT guru skills and win a neat prize in the process. Go ahead and ask a tough question (remember, you need to ask five of them) by going to the Ask a Question page.
Good luck and have fun!
If you like Security Corner and find it useful, I would appreciate your nomination. I suppose the best category would be the non-technical blog. Here’s info from their blog post:
The nominations for the Social Security Awards are well underway and we currently have more than 450 nominations in hand. People can keep nominating until March 31 at which time we will sift through the nominations and hand over the final five in each category to our esteemed panel of judges from CSO Magazine, Washington Post, Forrester Research, Dark Reading and TechTarget.
I want to clarify that you need not be present to win one of the Social Security Awards, so get your readers to nominate you in one of the following categories:
- Best Security Podcast
- Best Technical Security Blog
- Best Corporate Security Blog
- Best Non-Technical Security Blog
- Most Entertaining Security Blog
Thanks in advance for your show of support!
Mozilla Foundation released Firefox 3.0.7 today to address multiple vulnerabilities. According to the Security Advisories, the vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof the location bar. Mozilla says that the vulnerabilities also affect Thunderbird and SeaMonkey. No updates have been released for these applications at this time.
The following Security Advisories are addressed in Firefox 3.0.7:
- Mozilla Foundation Security Advisory 2009-07: “Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.”
- Mozilla Foundation Security Advisory 2009-08: “An anonymous researcher, via TippingPoint’s Zero Day Initiative program, reported a vulnerability in Mozilla’s garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed. An attacker could use this crash to run arbitrary code on the victim’s computer.”
- Mozilla Foundation Security Advisory 2009-09: “Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users authenticated to the redirected website.”
- Mozilla Foundation Security Advisory 2009-10: “libpng maintainer Glenn Randers-Pehrson reported several memory safety hazards in PNG libraries used by Mozilla. These vulnerabilities could be used by a malicious website to crash a victim’s browser and potentially execute arbitrary code on their computer. libpng was upgraded to a version which contained fixes for these flaws.”
- Mozilla Foundation Security Advisory 2009-11: “Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.”
Everyone should immediately upgrade to Firefox 3.0.7 to mitigate these issues.
For those who grew up with the graphical user interface, command line tools are often seen as arcane remnants from the dawn of PC history, a time when badly-dressed nerds sporting horn-rimmed glasses and pocket protectors ruled the universe (well, maybe just the computer lab). For them, nearly all of the command line tools are little known; for us dinosaurs who were typing on terminals well before the PC arrived, there are few of these older tools we haven’t seen. However, as the GUI gradually replaced the command line and we command line geeks began to point and click more and more, some useful tools escaped our notice. One of these is the ten-year-old SDelete by Mark Russinovich of Sysinternals fame. Microsoft acquired Sysinternals in July 2006 and made all of the excellent tools available free.
SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk. SDelete accepts wildcard characters as part of the directory or file specifier.
Usage: sdelete [-p passes] [-s] [-q] <file or directory>
sdelete [-p passes] [-z|-c] [drive letter]
-c Zero free space (good for virtual disk optimization).
-p passes Specifies number of overwrite passes.
-s Recurse subdirectories.
-q Don’t print errors (quiet).
-z Cleanse free space.
SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, which is overkill (see The Great Drive Wiping Controversy Settled at Last), but ensures your data is deleted forever. There is one caveat: SDelete securely deletes file data, but not file names located in free disk space, because the names of files you deleted earlier can survive in unallocated MFT entries and directory slack. If you want to be completely sure that all traces of a file are gone, follow up with the -c or -z option to overwrite the free space of the whole volume. Note that the usage text above is from the 2009 build; later SDelete releases swapped the meaning of the two letters (-c cleans, -z zeroes), so run sdelete with no arguments and read the usage of the copy you actually have before you rely on either.
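An added example, not code from Sysinternals or from KB 315672, that serves both the cipher /w procedure in the earlier post and the SDelete free-space options here: it overwrites the unallocated space on every fixed NTFS volume, using SDelete when it is on the PATH and falling back to the built-in cipher.exe otherwise. It reads SDelete's own usage text to decide which letter means "cleanse" and which means "zero", because that assignment differs between builds. The -accepteula switch is the standard Sysinternals EULA switch; the function names and the WMI-based volume enumeration are the example's own choices. Both tools fill the volume with temporary files, so close programs first and expect a long run and "disk full" warnings on large volumes.

```powershell
function Get-FixedNtfsVolumes {
    # DriveType 3 = local fixed disk; returns device IDs such as 'C:'.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3" |
        Where-Object { $_.FileSystem -eq 'NTFS' } |
        ForEach-Object { $_.DeviceID }
}

function Get-SDeleteFlags {
    # The 2009 usage text shows -c = zero and -z = cleanse; later builds swapped them
    # (-c = clean, -z = zero). Read the installed build's usage instead of guessing.
    param([string]$SDeletePath)
    $usage = (& $SDeletePath -accepteula 2>&1 | Out-String)
    if ($usage -match '-z\s+Zero') {
        @{ Zero = '-z'; Cleanse = '-c' }
    } else {
        @{ Zero = '-c'; Cleanse = '-z' }
    }
}

function Clear-FreeSpace {
    param(
        [string[]]$Volumes = (Get-FixedNtfsVolumes),
        [switch]$ZeroOnly      # plain zeros (virtual disk shrink), not the overwrite pattern
    )
    $sdelete = Get-Command sdelete.exe -ErrorAction SilentlyContinue
    foreach ($vol in $Volumes) {
        $free = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID = '$vol'").FreeSpace
        Write-Host ('Cleansing free space on {0} ({1:N1} GB unallocated)' -f $vol, ($free / 1GB))
        if ($sdelete) {
            $flags = Get-SDeleteFlags -SDeletePath $sdelete.Path
            $flag  = if ($ZeroOnly) { $flags.Zero } else { $flags.Cleanse }
            & $sdelete.Path -accepteula $flag $vol
        } else {
            # cipher /w takes any folder on the target volume; the root will do. It makes
            # three passes over unallocated space (0x00, 0xFF, random) and has no zero-only mode.
            & cipher.exe "/w:$vol\"
        }
    }
}

# Clear-FreeSpace                         # every fixed NTFS volume, overwrite pattern
# Clear-FreeSpace -Volumes 'D:' -ZeroOnly # one volume, zeros only
```

Delete the sensitive files first (with sdelete, or a normal delete if you are wiping free space anyway), then run this; neither tool touches space that is still allocated to a file.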
Want to see even more useful, little known tools? Check out Sysinternals Live:
Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.
You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.
In my area, there has been a rash of phishing calls targeting bank customers. Coincidentally, today’s WXP News (Vol. 8, #59 – Feb 24, 2009 – Issue #367) addresses the same issue:
You might never click a link in an email purporting to be from your bank, but what if someone from the bank called you on the phone and informed you that your account may have been compromised, and asked for your credentials? The best of these scammers will express concern for “security” and insist that you call them back to “verify” that the call is legitimate. And of course, the number that they give you to call is answered with the bank’s name. Some even go so far as to spoof the caller ID information so your phone displays the name of the bank when they call.
The countermeasure to this is to hang up, dial the bank’s main, published phone number and ask to speak to someone in their security department (some banks call it their “Bank Protection” section). Tell them you believe you may be the target of fraudulent activity. Most banks adhere to some variation of this policy: [XYZ Bank] does not contact customers via email, phone or mail to request or verify security information about passwords, personal identification numbers (PINs), credit card numbers or Social Security numbers.
Check your bank’s website for more information and current security alerts. And don’t give out any information over the phone unless you are absolutely sure who is on the other end.
What happens when people fall for the scareware ruse and actually install the stuff? Oddly enough, they may not even know they’ve been duped. Their systems may run a little slower, but they may be fooled into thinking they’re now being protected by the malware they’ve installed. What follows is a real-life example of someone who wrote in to a well-known security forum. (So as not to cause embarrassment to the victim, I have changed names and details.)
Question one, [Miss K] is very upset that Microsoft uninstalled her new antivirus program. [Gentlemen], she writes, “I turned on my computer a few days ago, and I got a message saying that Microsoft MSRT had removed AV 2009 from my computer. So now I don’t have an antivirus installed. I tried to download another copy of AV 2009, but I couldn’t remember where I got it. Can you tell me…” [the gentleman reading this question actually thinks it’s a joke] “Can you tell me where to find it, or recommend a free AV program?”
Here is some of the conversation between the hosts:
Host1: And a lot of people have been getting it. And MSRT has been removing it from a lot of machines. So in case [Miss K] is serious, we’re not laughing at you, we’re laughing with you.
Host2: Yes, because you’re not alone. There are many, many, many people who’ve fallen for this. I get – literally I get this call on the radio show all the time.
Host1: Yes. Yes. So do not go looking for another copy of it. Actually it’ll probably find you, without you having to look for it, and happily crawl into your computer. It is malicious. It’s good that Microsoft MSRT removed it.
You’re checking out your favorite web sites when out of the blue a scary message appears on your desktop, which may look like the picture below, or it may just be a box that says “Warning! Spyware detected on your computer!”
What do you do? If you’re the average computer user, this will probably scare you (which is why it’s called “scareware”). You’ll be very tempted to click on the button, thinking that you are ridding yourself of some nasty spyware, but don’t do it: The message is a fake and you’re not really infected. If you click, however, you are going to get infected by some really nasty stuff.
Not only that, but clicking will probably bring up a “registration” screen and if you click on that, you’ll be taken to a web site where the crooks try to sell you their bogus, and totally useless, “security” software. Not only will they dupe you out of $39.95, $49.95, or whatever they’re charging, they’ll get your credit card or banking information and maybe clean you out for real. It’s all a scam and the criminals who run these things are making millions.
The only defense is knowing that these scams exist and not falling for the ruse if you’re ever hit by one. With that in mind–and with some help from various sources on the web–I present a list of some of the more prominent “scareware” scams. This list is by no means complete; new variations appear regularly. But all of them use the same tactic: scare the victim into taking some action.
- AntiVirus 2008, 2009 and 2010: The above screenshots are of Antivirus 2009, but all three are basically the same program and have similar appearance.
- AntiVirus Plus: Sometimes uses Microsoft Security Center alerts to trick you into thinking it’s legit. The screen shot below is totally bogus.
- AntispywareXP 2009: Very intrusive. The fake alerts and scan results overload your system and slow it down.
- XP Antispyware 2009: Virtually the same as AntispywareXP 2009.
- WinDefender 2009: This little gem will always find malware on your system. Of course, what it finds is bogus, but it’ll scare you enough to dupe you into buying the software.
- Personal Defender 2000: Uses the same tactic as WinDefender 2009, but gives a warning about your firewall and then tries to get you to buy the software.
- AntiVirus Sentry: This is one that will often download itself even if you don’t click on anything.
- Security 2009: The crooks responsible for this one have the audacity to advertise it on the Web as if it’s a legitimate application.
- ProAntispyware 2009: You might see this one advertised on the Web, too.
- RapidAntiVirus: This one is capable of damaging your system because it identifies legitimate system files as malware. If you remove the files, you can crash your PC.
- Antispyware 3000: Usually bundled with Trojan Horse programs. Looks legit, but don’t let its slick appearance fool you: it’s bogus.
Thanks to Redmond Magazine, bleepingcomputer.com, Microsoft Malware Protection Center, and others for information used to compose this post.