Microsoft Windows

Search for Screensavers at Your Own Risk

Enter “screensavers” into any major search engine and there’s better than a fifty percent chance that any result you click on will land you on a malicious website. According to McAfee’s recently released report “The Web’s Most Dangerous Search Terms,“ that search term carries a maximum risk of 59.1 percent. Furthermore, lyrics and anything that includes the word “free” have a high risk of exposing users to malicious or fraudulent web sites. Health-related search terms have the lowest risk profile. Check out The Web’s most dangerous keywords to search for on ZDNet.com.

One of the biggest problems is that the bad guys, using Black Hat SEO techniques, grab onto the trending search terms of the moment and use their popularity to get links to compromised sites placed high in the search engine rankings. This, coupled with the fact that 77% of Websites carrying malicious code are legitimate sites, make for an increasingly dangerous environment for the casual surfer.

This is yet another reason to continue to beat my drum: If you use IE, disable scripting and ActiveX (IE8 has increased security, so consider upgrading). Better yet, switch to Firefox and use the NoScript plugin. Tell the users who trust you to do the same, will you? And make sure they have the latest security patches on their systems. Most people are trusting souls; on the web, they shouldn’t be. Let’s instill the “trust no one” (except for us white hats, of course) mentality into everyone we can.

How to Use the Windows Registry for Cyber Forensics: Part 1

I recently completed the free SANS mini-course on cyber forensics (see my post, Free Mini-courses from SANS). That course could not have shown up at a more opportune time as I had just been asked to see if I could determine whether a client’s former employee had stolen their customer list. I learned a bit about looking in some nooks and crannies–specifically, the Windows registry–that I hadn’t considered before and was able to determine with reasonable certainty that the employee had not saved any sensitive information to any external storage media.

I’m no expert in this subject, but I’m confident that I now have a good idea of how to conduct a quick and dirty preliminary forensic examination based upon information found in the Windows registry. When you consider that virtually everything you or a program does in Windows refers to or is recorded into the registry, it stands to reason that it will reveal most anything from minor mischief to major mayhem to the examiner who knows where to look. In this first part, we’ll take a look at how to examine the registry and explore a few of the more common registry entries that have potential forensic value.

Let me first introduce you to the concept of date/time coincidence. All the evidence in the world means little unless it can be shown that it coincides with the time window of the specific incident in question. Therefore, it’s very important that you examine the “LastWrite” time of each key you examine. While this property doesn’t tell you what value was written, knowing the LastWrite time of a key can allow you to infer the date/time coincidence of an event. You can determine the LastWrite time by right-clicking any key, selecting “Export” and then saving it in .txt format. When you open the .txt file, you’ll see something similar to this:

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
Class Name:        <NO CLASS>
Last Write Time:   5/27/2009 - 12:29 PM

Here are five keys that can give you a quick overview of the activity on a given system and will tell you if it’s worth your effort to dig deeper. The fact that you’re investigating in the first place means that you have some idea of what you’re looking for and if you’re dealing with a non-technical user, it’s a good bet you’ll find something among these.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

MRU is the abbreviation for “most recently used.” This key contains a list of files that were recently opened or saved via the Windows Explorer common dialog boxes. Note that this does not apply to Microsoft Office documents. The subkey * contains the file paths to the 10 most recently opened/saved files.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Similar to the OpenSaveMRU key, but it also contains the name of the program executable file that was used to open/save the document as well as the path to the file. All of the information is in binary format.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

This key has a similar arrangement to OpenSaveMRU. Only the filename in binary format is stored here and it contains both network and local files recently opened.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Here you’ll find a list of entries with full file paths and commands that have been executed using the Start>Run command. This is useful to determine whether your suspect has been messing around in the registry, using the cmd shell or any management consoles.

HKCU\Software\Microsoft\Internet Explorer\TypedURLs\

A listing of the 25 recent URLs or file paths typed into the IE or Windows Explorer address bar. Useful to determine what websites your suspect has been surfing, but this key is cleared if IE’s Clear History option is invoked. Still, some people may not know about it and some may forget. It’s a good way to disprove the I-have-no-idea-where-that-came-from excuse.

Next time, we’ll look into how data can be encrypted and hidden in the registry.

What Will Conficker do on April First?

No one knows for sure, but we do know that *something* is going to happen on April Fools’ Day. Conficker is a new breed of malware; the people behind it are of exceptional intelligence. They aren’t a crew of script kiddies out to make a quick buck. Whatever Conficker is specifically designed to do, you can bet its actions will be directed toward: 1. Maximizing proliferation of its binaries (survival); 2. Avoiding detection; and, 3. Maximizing profit (or damage).

The worm has been pretty effective at #1, by some estimates having already infected several million PCs. It has done this through exploitation of a Windows vulnerability, MS08-067 that was patched back in October and about which I wrote Will They Ever Learn to Patch? in January. However, it’s possible that those computers in the most concentrated areas of infection–China, Russia, India, Brazil, and Argentina–are impossible to patch because they are running pirated copies of Microsoft Windows software, and Microsoft does not allow updates of any kind to its pirated software. Seems to me this is a self-defeating policy, but I’m just a sensible Geek, not a Microsoft executive.

As for #2, the latest variant has added new anti-detection features. According to Larry Seltzer writing in PCMag.com, “Avoiding detection is a major theme with Conficker.C. It’s not the first malware to try to defend itself in-memory against security software and diagnostic tools, but “C” does a lot of this. For instance, it disables Windows Automatic Updates and the Windows Security Center.”

We’ll find out Wednesday, April 1st, what–if anything–happens with #3. My bet is that it’ll be another Y2K-type event. Then again, who knows?

NoScript Blocks Latest Firefox Bug

Got NoScript? If not, get it–the latest Firefox bug, an XML tag remote memory corruption vulnerability released on Wednesday, is mitigated by having the NoScript addon installed.

The bug can be exploited by a malicious website and can cause the browser to execute malware with no user intervention. All 3.0.x versions of Firefox running on Windows, Mac, and Linux operatintg systems are vulnerable. According to the Mozilla Wiki, the patched version, Firefox 3.0.8, “…is a high-priority firedrill security update to Firefox 3.0.x” and will be rolled out April 1.

The 3.0.8 release also fixes the Pwn2Own bug discovered at CanSecWest 2009, an issue that NoScript also mitigates.

I’ve said it before (see “Software for Secure Computing: Firefox & NoScript“); now’s a good time to say it again: install NoScript, and enjoy secure computing.

SecurityFocus bulletin: http://www.securityfocus.com/bid/34235/info.
The Register article: http://www.theregister.co.uk/2009/03/26/new_firefox_exploit/.
Mozilla Security Blog post: http://tinyurl.com/mozillasecurityblog

Firefox 3.0.7 Released, Addresses Multiple Vulnerabilities

Mozilla Foundation released Firefox 3.0.7 today to address multiple vulnerabilities. According to the Security Advisories, the vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof the location bar. Mozilla says that the vulnerabilities also affect Thunderbird and SeaMonkey. No updates have been released for these applications at this time.

The following Security Advisories are addressed in Firefox 3.0.7:

• Mozilla Foundation Security Advisory 2009-07: “Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.”
• Mozilla Foundation Security Advisory 2009-08: “An anonymous researcher, via TippingPoint’s Zero Day Initiative program, reported a vulnerability in Mozilla’s garbage collection process. The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed. An attacker could use this crash to run arbitrary code on the victim’s computer.”
• Mozilla Foundation Security Advisory 2009-09: “Mozilla security researcher Georgi Guninski reported that a website could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy. This vulnerability could be used by a malicious website to steal private data from users authenticated to the redirected website.”
• Mozilla Foundation Security Advisory 2009-10: “libpng maintainer Glenn Randers-Pehrson reported several memory safety hazards in PNG libraries used by Mozilla. These vulnerabilities could be used by a malicious website to crash a victim’s browser and potentially execute arbitrary code on their computer. libpng was upgraded to a version which contained fixes for these flaws.”
• Mozilla Foundation Security Advisory 2009-11: “Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location. An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious web page.”

Everyone should immediately upgrade to Firefox 3.0.7 to mitigate these issues.

Use This Little Known Tool to Securely Delete Files and Folders on Your Hard Drive

For those who grew up with the graphical user interface, command line tools are often seen as arcane remnants from the dawn of PC history, a time when badly-dressed nerds sporting horn-rimmed glasses and pocket protectors ruled the universe (well, maybe just the computer lab). For them, nearly all of the command line tools are little known; for us dinosaurs who were typing on terminals well before the PC arrived, there are few of these older tools we haven’t seen. However, as the GUI gradually replaced the command line and we command line geeks began to point and click more and more, some useful tools escaped our notice. One of these is the ten-year-old SDelete by Mark Russinovich of Sysinternals fame. Microsoft acquired Sysinternals in July, 2006 and made all of the excellent tools available free.

Using SDelete

SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk. SDelete accepts wild card characters as part of the directory or file specifier.

Usage: sdelete [-p passes] [-s] [-q] <file or directory>
sdelete [-p passes] [-z|-c] [drive letter]

-c     Zero free space (good for virtual disk optimization).

-p passes     Specifies number of overwrite passes.

-s     Recurse subdirectories.

-q     Don’t print errors (quiet).

-z     Cleanse free space.

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, which is overkill (see The Great Drive Wiping Controversy Settled at Last), but ensures your data is deleted forever. There is one caveat: SDelete securely deletes file data, but not file names located in free disk space. If you want to be completely sure that all traces of a file are gone, be sure to use the –c or –z option.

#####

Want to see even more useful, little known tools? Check out Sysinternals Live:

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolnam…; or  \\live.sysinternals.com\tools\<toolname>.

You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.

There is no "Super Secure" Browser

Security is a complicated process, leaving many to desire a magic bullet. Unfortunately, there isn’t one. No matter how much security developers build into software, the behavior of the person seated in the chair will always be the weak link. Truth be told, all of the major browsers are safer than the browsing habits of their users. I have advocated safe computing practices for years, especially when it comes to keeping operating systems and applications patched. Sure enough, the best protection against malware is a fully patched system.

Recently, Roger A. Grimes of InfoWorld posted “Browser Security Wars” in his Security Advisor blog. For several months, Grimes tested the five most popular Web browsers: Chrome, Firefox, Internet Explorer, Opera, and Safari. His conclusion is no surprise:

So which one is guaranteed to make your Internet browsing experience perfectly safe?

None, of course. If you have the need for high security on a computer you manage, don’t allow it to surf on the public Web. It’s that simple. Internet browsers are highly complex pieces of software interacting with millions of combinations of highly complex active content and programming code, much of it not so friendly. There is no “super secure” browser.

Not exactly a great revelation; however, there is one surprising discovery: In Grimes’s testing, none of the browsers allowed malware to silently install as long as they were running on fully patched systems. Instead, most of them relied on tricking the user into intentionally running an infected executable:

Almost all the malicious Web sites I came across offered an executable to install, usually in the form of bogus anti-malware software or some sort of content player. In order to be infected, I had to intentionally run the offered executable — not always, but nearly so. There was a smattering of sites that tried to use malformed or mismatched content to trick the third-party software into silently executing code, but it was uncommon; and when my system was fully patched, it never silently succeeded. [Emphasis added]

You’ll find a comprehensive rundown of security features and faults of all the aforementioned browsers in InfoWorld’s special report, “InfoWorld Test Center’s guide to browser security.”

Are Windows PCs Threatened by Malware Harbored on Mac & Linux OS’s?

Can Mac and Linux boxes harbor malware that does not affect them, but could affect Windows PCs?  Absolutely. It can and does happen. The Sophos white paper, “Protecting Mac and Linux computers: genuine need or nice to have?” presents a convincing case, describing just how Mac and UNIX/Linux machines threaten Windows PCs.

…it is very common for Windows networks to include a server running UNIX or Linux. Vulnerabilities, such as a weak SSH password, can allow hackers to convert a Linux server into a botnet controller, and install malware that will compromise desktop Windows computers.

Well, that’s one way, but consider this: Viruses, worms, and other types of malware are files, and can be stored on any digital media, regardless of the format or operating system that created them. A Mac/UNIX/Linux machine can store Windows files; a Windows machine can store Mac/UNIX/Linux files. That a Windows virus cannot damage a Mac/UNIX/Linux machine–and vice-versa–is irrelevant: Typhoid Mary harbored and transmitted typhoid fever yet never succumbed to it. She did, however, infect 47 others, three of whom died.

…computers harboring the malware can quietly transmit it to Windows computers. For example, UNIX computers can easily transmit the virus to Windows computers via the Samba fle-sharing system.

If you have a mixed network, it’s time to put some effort into protecting the non-Windows machines. Best practice now dictates that every server and desktop machine in your network be protected with some sort of anti-malware application.

Five Essential Steps to Secure Your Home PCs & Network

When we buy an appliance, we expect to be able to take it home, take a brief glance at the instructions for setting it up, plug it in and go. For most things, this expectation is fulfilled, even, unfortunately, for the home PC. In fact, once you get a few things plugged into the back of it all you have to do is turn it on and start surfing. When you first start a Windows PC, there’s a short setup routine that asks if you want to turn on Automatic Updates (recommended), but little else in the way of how to properly secure your PC and the network it’s plugged into.

PC makers should at least provide a short, animated tutorial or video that explains these five essential steps to securing a home PC and network:

1. Install a NAT router. Inexpensive, and easy to configure, a NAT (Network Address Translation) router is your first line of defense on the Internet. While the Windows firewall is on by default these days, if your PC is plugged directly into your broadband router, you’re visible to everyone on the ‘Net. The router takes this live Internet address and translates it to a private address that is invisible to anyone on the outside.

2. Change the router default password. All routers come pre-configured with a default login and password. These are well known and lists are posted on the Web. Here’s an example of one that’s searchable by router model: http://www.routerpasswords.com/. While an attacker normally can’t get to this from the outside, if you somehow get infected with remote control malware, an attacker can get to it from your computer. He can change the settings to send you virtually anywhere he wants you to go. Not good.

3. Install and/or update a security suite. Most PCs these days come bundled with either anti-virus or a full security suite like McAfee Internet Security, Norton Internet Security or the like. My favorite is ESET Smart Security; unfortunately, this isn’t one that you’ll see bundled with a new PC. Make sure the software is up to date and make sure it will update itself automatically.

4. Turn on Automatic Updates. You should have done this when you set up the computer, but if you haven’t, do it now by following these instructions.

5. Learn about and follow safe computing practices. All of the security devices and software in the world won’t help you if you click on pop-ups, open every email you get, click on random links, and generally practice unsafe surfing. Unfortunately, this is the one of the main reasons why the criminals continue to succeed. Take some time to learn how to be safe on the ‘Net by taking advantage of these free resources:

Nine Steps to System Security - 2008: http://tinyurl.com/6nt2jr
Home Network Security: http://www.us-cert.gov/reading_room/home-network-security/
Recognizing and avoiding email scams: http://www.us-cert.gov/reading_room/emailscams_0905.pdf
Protecting your privacy: http://www.us-cert.gov/cas/tips/ST04-013.html
Avoiding Social Engineering and Phishing Attacks: http://www.us-cert.gov/cas/tips/ST04-014.html

Good luck, and be careful out there.

No More Security Updates for Firefox 2

Security Fix reports that on December 16, Mozilla released its final update to Firefox 2, and plans no further updates for this version. From the Firefox 2 Release Notes page:

Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3. Firefox 2.0.0.19 does not include Phishing Protection.

Despite mixed reviews at its initial release, Firefox 3 is now stable and should now be your browser of choice for safe surfing on the web. Besides using far less system memory than previous versions, Firefox 3 “includes strict anti-phishing and anti-malware measures, plus easy ways to tell the good guys from the bad like [the] new one-click site ID info” according to Mozilla.

If you’re not already using it, be sure to install the NoScript add-on. Firefox 3 with NoScript is the simplest, safest browser setup you can get at the moment. And just to be sure, I deliberately went to a really bad site to see what would happen. Firefox delivered. Take a look at the screen shot below.

So, if you’re still using any earlier version of Firefox. Upgrade now to Firefox 3. And if (heaven forbid!) you’re still using Internet Explorer, stop putting yourself at risk and switch to Firefox 3 now.

Have a safe and happy holiday season, both on and off the web!