Security Corner

February 18, 2009  5:05 PM

Scareware–Using Fear & Deception to Dupe Consumers

Ken Harthun Ken Harthun Profile: Ken Harthun

You’re checking out your favorite web sites when out of the blue a scary message appears on your desktop, which may look like the picture below, or it may just be a box that says “Warning! Spyware detected on your computer!”

What do you do? If you’re the average computer user, this will probably scare you (which is why it’s called “scareware”). You’ll be very tempted to click on the button, thinking that you are ridding yourself of some nasty spyware, but don’t do it: The message is a fake and you’re not really infected. If you click, however, you are going to get infected by some really nasty stuff.

Not only that, but clicking will probably bring up a “registration” screen and if you click on that, you’ll be taken to a web site where the crooks try to sell you their bogus–and totally useless–“security” software. Not only will they dupe you out of $39.95, $49.95, or whatever they’re charging, they’ll get your credit card or banking information and maybe clean you out for real. It’s all a scam and the criminals who run these things are making millions.

The only defense is knowing that these scams exist and not falling for the ruse if you’re ever hit by one. With that in mind–and with some help from various sources on the web–I present a list of some of the more prominent “scareware” scams. This list is by no means complete; new variations appear regularly. But all of them use the same tactic: scare the victim into taking some action.

  • AntiVirus 2008, 2009 and 2010: The above screenshots are of Antivirus 2009, but all three are basically the same program and have similar appearance.
  • AntiVirus Plus: Sometimes uses Microsoft Security Center alerts to trick you into thinking it’s legit. The screen shot below is totally bogus.

  • AntispywareXP 2009: Very intrusive. The fake alerts and scan results overload your system and slow it down.
  • XP Antispyware 2009: Virtually the same as AntispywareXP 2009.
  • WinDefender 2009: This little gem will always find malware on your system. Of course, what it finds is bogus, but it’ll scare you enough to dupe you into buying the software.
  • Personal Defender 2000: Uses the same tactic as WinDefender 2009, but gives a warning about your firewall and then tries to get you to buy the software.
  • AntiVirus Sentry: This is one that will often download itself even if you don’t click on anything.
  • Security 2009: The crooks responsible for this one have the audacity to advertise it on the Web as if it’s a legitimate application.
  • ProAntispyware 2009: You might see this one advertised on the Web, too.
  • RapidAntiVirus: This one is capable of damaging your system because it identifies legitimate system files as malware. If you remove the files, you can crash your PC.
  • Antispyware 3000: Usually budled with Trojan Horse programs. Looks legit, but don’t let it’s slick appearance fool you–it’s bogus.

Thanks to Redmond Magazine,, Microsoft Malware Protection Center, and others for information used to compose this post.

February 14, 2009  3:54 PM

There is no "Super Secure" Browser

Ken Harthun Ken Harthun Profile: Ken Harthun

Security is a complicated process, leaving many to desire a magic bullet. Unfortunately, there isn’t one. No matter how much security developers build into software, the behavior of the person seated in the chair will always be the weak link. Truth be told, all of the major browsers are safer than the browsing habits of their users. I have advocated safe computing practices for years, especially when it comes to keeping operating systems and applications patched. Sure enough, the best protection against malware is a fully patched system.

Recently, Roger A. Grimes of InfoWorld posted “Browser Security Wars” in his Security Advisor blog. For several months, Grimes tested the five most popular Web browsers: Chrome, Firefox, Internet Explorer, Opera, and Safari. His conclusion is no surprise:

So which one is guaranteed to make your Internet browsing experience perfectly safe?

None, of course. If you have the need for high security on a computer you manage, don’t allow it to surf on the public Web. It’s that simple. Internet browsers are highly complex pieces of software interacting with millions of combinations of highly complex active content and programming code, much of it not so friendly. There is no “super secure” browser.

Not exactly a great revelation; however, there is one surprising discovery: In Grimes’s testing, none of the browsers allowed malware to silently install as long as they were running on fully patched systems. Instead, most of them relied on tricking the user into intentionally running an infected executable:

Almost all the malicious Web sites I came across offered an executable to install, usually in the form of bogus anti-malware software or some sort of content player. In order to be infected, I had to intentionally run the offered executable — not always, but nearly so. There was a smattering of sites that tried to use malformed or mismatched content to trick the third-party software into silently executing code, but it was uncommon; and when my system was fully patched, it never silently succeeded. [Emphasis added]

You’ll find a comprehensive rundown of security features and faults of all the aforementioned browsers in InfoWorld’s special report, “InfoWorld Test Center’s guide to browser security.”

February 11, 2009  10:30 PM

Software for Secure Computing: Easy Email & File Security with AxCrypt

Ken Harthun Ken Harthun Profile: Ken Harthun

Most of the email we send and receive from our co-workers, family, and businesses contains little that requires any degree of confidentiality. The same goes for most of the files we have stored on our hard drives and thumb drives. Occasionally, however, we need to pass on or store some information that wouldn’t be prudent for us to send or store in clear text, i.e., unencrypted. To go through all of the effort (and it’s a bit of effort, believe me) to set up secure email or create encrypted partitions or directories on the hard drive is a waste of time for most people. Fortunately, there’s a simple, free solution: AxCrypt.

AxCrypt is open source file encryption software for Windows. It integrates seamlessly with Windows to encrypt, decrypt, store, send and work with individual files. It runs on Windows 2000/2003/XP/Vista and uses AES-128 encryption.

Once installed, AxCrypt is integrated into Windows Explorer’s context menu. You simply right-click files and folders in Windows Explorer, select AxCrypt and then select the action you want from the sub-menu (see screen shot). If you choose Encrypt Copy to .EXE, AxCrypt makes a copy of the document, asks you for a passphrase, and creates a standalone, self-decrypting file that you can safely send across the network or store anywhere you choose.

To use AxCrypt for secure email, simply create a text file that contains all of the sensitive information you want to send, make a self-decrypting EXE file, and send it as an attachment. You’ll have to make contact with the recipient off-line to give them the passphrase, but your information will be secure in transit.

The AxCrypt site has plenty of information on how to use the program, as well as an excellent FAQ and command line reference.

Check it out. It’s a great addition to your secure computing software collection.

February 10, 2009  3:02 AM

OpenDNS Service to Track and Block Conficker Worm

Ken Harthun Ken Harthun Profile: Ken Harthun

With some estimates placing the number of computers infected by the Conficker worm at 10 million or more, Conficker has the potential to become one of the biggest botnets ever. Given that many system administrators probably don’t realize they’re hosting the parasite, it’s a good bet that things will get worse before they get better. Fortunately, the good guys at OpenDNS are offering a free service designed to alert administrators of Conficker’s presence and help them with containment and cleanup.

Though Conficker began spreading late last year, so far none of the infected machines has downloaded any software that would create a botnet or send spam. However, that could change in a blink if the criminals behind Conficker add a malicious payload to any of the domains the drones connect to every day. If a network has any PCs that try to connect to the rogue servers, OpenDNS will pinpoint them. As part of the service, infected machines will be prevented from connecting to the control servers:

What’s interesting about this particular virus is that it uses the Domain Name System in a unique way: Conficker contains an algorithm that checks 250 new domains per day for instructions on what it should do. This puts us in a unique position to keep you safe since we’re in the unique position of providing insight and intelligence into your DNS service. We’ve teamed with Kaspersky Lab to identify those 250 daily domains, and stop resolving them.

Administrators must register for a free account in order to take advantage of the service and must use OpenDNS on their networks. Once the account is set up, it’s a simple matter to check for Conficker’s presence:

To find out if Conficker has penetrated your network, simply log in to your account and select Stats on the left sidebar. From there choose Blocked Domains and filter “only domains blocked as malware.” This will generate a list of malware sites your network has attempted to connect with.

February 3, 2009  3:19 AM

Are Windows PCs Threatened by Malware Harbored on Mac & Linux OS’s?

Ken Harthun Ken Harthun Profile: Ken Harthun

Can Mac and Linux boxes harbor malware that does not affect them, but could affect Windows PCs?  Absolutely. It can and does happen. The Sophos white paper, “Protecting Mac and Linux computers: genuine need or nice to have?” presents a convincing case, describing just how Mac and UNIX/Linux machines threaten Windows PCs.

…it is very common for Windows networks to include a server running UNIX or Linux. Vulnerabilities, such as a weak SSH password, can allow hackers to convert a Linux server into a botnet controller, and install malware that will compromise desktop Windows computers.

Well, that’s one way, but consider this: Viruses, worms, and other types of malware are files, and can be stored on any digital media, regardless of the format or operating system that created them. A Mac/UNIX/Linux machine can store Windows files; a Windows machine can store Mac/UNIX/Linux files. That a Windows virus cannot damage a Mac/UNIX/Linux machine–and vice-versa–is irrelevant: Typhoid Mary harbored and transmitted typhoid fever yet never succumbed to it. She did, however, infect 47 others, three of whom died.

…computers harboring the malware can quietly transmit it to Windows computers. For example, UNIX computers can easily transmit the virus to Windows computers via the Samba fle-sharing system.

If you have a mixed network, it’s time to put some effort into protecting the non-Windows machines. Best practice now dictates that every server and desktop machine in your network be protected with some sort of anti-malware application.

January 31, 2009  3:58 PM

Five Essential Steps to Secure Your Home PCs & Network

Ken Harthun Ken Harthun Profile: Ken Harthun

When we buy an appliance, we expect to be able to take it home, take a brief glance at the instructions for setting it up, plug it in and go. For most things, this expectation is fulfilled, even, unfortunately, for the home PC. In fact, once you get a few things plugged into the back of it all you have to do is turn it on and start surfing. When you first start a Windows PC, there’s a short setup routine that asks if you want to turn on Automatic Updates (recommended), but little else in the way of how to properly secure your PC and the network it’s plugged into.

PC makers should at least provide a short, animated tutorial or video that explains these five essential steps to securing a home PC and network:

1. Install a NAT router. Inexpensive, and easy to configure, a NAT (Network Address Translation) router is your first line of defense on the Internet. While the Windows firewall is on by default these days, if your PC is plugged directly into your broadband router, you’re visible to everyone on the ‘Net. The router takes this live Internet address and translates it to a private address that is invisible to anyone on the outside.

2. Change the router default password. All routers come pre-configured with a default login and password. These are well known and lists are posted on the Web. Here’s an example of one that’s searchable by router model: While an attacker normally can’t get to this from the outside, if you somehow get infected with remote control malware, an attacker can get to it from your computer. He can change the settings to send you virtually anywhere he wants you to go. Not good.

3. Install and/or update a security suite. Most PCs these days come bundled with either anti-virus or a full security suite like McAfee Internet Security, Norton Internet Security or the like. My favorite is ESET Smart Security; unfortunately, this isn’t one that you’ll see bundled with a new PC. Make sure the software is up to date and make sure it will update itself automatically.

4. Turn on Automatic Updates. You should have done this when you set up the computer, but if you haven’t, do it now by following these instructions.

5. Learn about and follow safe computing practices. All of the security devices and software in the world won’t help you if you click on pop-ups, open every email you get, click on random links, and generally practice unsafe surfing. Unfortunately, this is the one of the main reasons why the criminals continue to succeed. Take some time to learn how to be safe on the ‘Net by taking advantage of these free resources:

Nine Steps to System Security – 2008:
Home Network Security:
Recognizing and avoiding email scams:
Protecting your privacy:
Avoiding Social Engineering and Phishing Attacks:

Good luck, and be careful out there.

January 30, 2009  4:23 AM

“Victim” of Cybercrime Found Searching for Illegal Porn

Ken Harthun Ken Harthun Profile: Ken Harthun

Talk about irony. You get infected by a cybercriminal’s illegal bot (Ozdok/Mega-D in this case) which takes a screen shot that shows you searching for illegal underage porn; then, security researchers get hold of some screen shots from the bot’s command and control (C&C) server; while going through the shots, the researchers come across those of your screen and notify the authorities (presumably, the FBI).

From a Security Works research note, Ozdok: Watching the Watchers:

Also, a note to the gentleman searching for images of nude preteen girls: You can run all the anti-spyware tools you can find, and employ the best anonymity tools in your web browser – it’s not going to help you if you get infected with an advanced trojan like Ozdok/Mega-D or one of the many others that allow hackers to take screenshots of your computer desktop. Don’t worry though, you probably won’t need a computer in the near term, as we’ve notified the authorities of your name and location (which you conveniently provided in a series of screenshots).

The good news is that you can remove the pest. Here’s what Symantec recommends for their products:

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

Complete removal instructions in this article.

January 28, 2009  1:47 AM

Using the Malicious Software Removal Tool (MSRT) from the Command Line

Ken Harthun Ken Harthun Profile: Ken Harthun

In my September 13, 2008 post, “Software for Secure Computing: Microsoft Malicious Software Removal Tool,” I said, “Many people don’t even know that MSRT can be run from the website or downloaded and run at will.” I wonder how many people know that if you have automatic updates enabled, there’s no need to download MSRT to run it–the latest version is already on your system.

The MSRT can be invoked from the Run dialog or the command line using a simple three-letter command. Several options are available.  Hit Windows Key + R to open the Run dialog and type mrt /? This will bring up an information box as shown below. (The same thing happens if you type the command at a command prompt.)

The options are self-explanatory. If you just type mrt by itself, it will bring up a UI that allows you to point and click to select the type of scan you want. At the first UI screen, you can view a list of malicious software that the tool detects and removes. The signatures are updated monthly on patch Tuesday when Microsoft releases the latest version of the tool.

Remember that the MSRT is not a replacement for an anti-virus product; it targets only a limited set of specific, prevalent malware as determined by Microsoft’s security folks.  You should use a good anti-virus product.

January 23, 2009  2:15 AM

Will They Ever Learn to Patch?

Ken Harthun Ken Harthun Profile: Ken Harthun

The latest mass infection to hit the Internet is the Win32/Conficker/Downadup Worm, estimated to have already infected between 500,000 and 8.9 million PCs, depending on whose numbers you believe. This is astounding, considering that the worm exploits a vulnerability in Windows that Microsoft Security Bulletin MS08-067 addressed back in October 2008. Microsoft issued an emergency out-of-cycle patch to address the vulnerability. Windows users who have automatic updates enabled would have received the update so the hole is patched. But there are plenty of people and organizations who, for one reason or another, have automatic updates turned off.

Why any individual PC user would put themself at risk by having automatic updates turned off is beyond me. Organizations are another story; they want to test patches before deployment to ensure they don’t break critical applications or disrupt the network. But in this case, the patch should have been applied without question by every sys admin on the planet. Had this happened, the furor surrounding Conficker.A–the original worm–probably would have died down. Instead, enough sys admins left the hole open that a particularly ferocious variant–Conficker.B–surfaced; it’s the one responsible for the current mass infection.

You can read all about Conficker.B and its blended threat in this post at the Microsoft Malware Protection Center, so I won’t burden you with all the gory details about its blended threat here. I will, however, burden you with my informed opinion: Sometimes you have to heed the warnings and go ahead and patch, regardless of what problems that patch could potentially cause. A network taken down by a malware infection is much worse and potentially more costly to repair than a couple of broken apps here and there.

January 18, 2009  1:34 AM

The Great Drive Wiping Controversy Settled at Last

Ken Harthun Ken Harthun Profile: Ken Harthun

How many times do you have to overwrite a hard drive in order to securely wipe it? This question has been at the center of an ongoing controversy for a long time. On the one hand, we’ve had Peter Gutmann saying it takes 35 passes (Gutmann, P.  (1996) “Secure Deletion of Data from Magnetic and Solid-State Memory”); on the other hand, we’ve had the NIST saying one pass is enough ( So, which is it, one, 35, or something in between?

NIST gets the prize: One pass is enough to delete data such that it can not be recovered.  A paper published in December last year; “Overwriting Hard Drive Data: The Great Wiping Controversy” by Craig Wright, Dave Kleiman and Shyaam Sundhar R.S. as presented at ICISS2008 and published in the Springer Verlag Lecture Notes in Computer Science (LNCS) series, proves beyond doubt that data can’t be recovered from a wiped drive even if one uses an electron microscope. As Craig Wright puts it in a post on the SANS Computer Forensics blog:

Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible. Even speculating on the possible recovery of an old drive, there is no likelihood that any data would be recoverable from the drive. The forensic recovery of data using electron microscopy is infeasible… The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest.

That sure makes life easier for those of us who have to deal with secure deletion of sensitive data. I’ll use my copy of Darik’s Boot and Nuke (DBan) with one pass from now on and get those retired hard drives wiped in no time.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: