Author Archives: Jorden

TCPView & AutoRuns vs Undetectable Backdoor

5
Filed under Downloads, Misc, Personal, Security News
Tagged as , , ,

Intro:
We’re going to useTCPView to check active network traffic and AutoRuns to check and see what’s loading with Windows.

Scenerio:
The user is complaining of system slowness. Upon looking at the workstation I noticed AVG Free Edition, Spybot Search and Destroy installed and Windows Firewall enabled. Pretty standard novice user protection plan. Almost a given this system is infected.

Analysis:
I close Firefox and all open applications. Open TCPView and right off the bat I see outbound traffic to *.CO.UK using Firefox to make the remote connection. This is common in backdoors to use reverse connection methods. Once you execute the backdoor, it binds to a common process (IE, Firefox) and then reverse connects to the attacker. The reason for binding to a common process such as Internet Explorer or Firefox, is the fact that most novice users create rules for their software firewall and select “always allow” for common processes. This way the user isn’t bothered every time they open Firefox with “Do You want to allow firefox.exe access…” This is perfect for the backdoor, you’ve allowed unrestricted access outbound through firefox. Strike 1 for this novice user.

tcpview1

Port 95? Firefox should only be allowed access on port 80 and 443 (HTTP / HTTPS) Now that I know the user is infected, I need to find out what the file is called, where it lives, and why AVG’s superior detection is showing a clean system. I load AutoRuns and check for the suspicious Logon items. Bingo Bango! I see scchost.exe (not to be confused with svchost.exe, which is actually legit in most cases) loading upon reboot and it’s stored safely from novice users in the system32 folder. Now, 100% sure that is the backdoor, I would like AVG to agree, so I attempt to update AVG and check the file, No! AVG insists the file is clean. OK, to the USB drive for MalwareBytes. Sure enough a nice password stealer has been detected. Strike 2 for trusting AVG (signature based detection).

malwarebytes

MalwareBytes detected and removed the password stealer, I then put in the KAV rescue disk to scan the system and everything came back clean. In the end, I convinced the user to let me perform a clean install and even teach this user how to properly use Firefox (w/NoScript). Reminding the user that the software firewall is only as good as the user and that the AntiVirus program is only as good as its definitions.

Conclusion:
TCPView provided you with the information needed to see you have unauthorized access to a server in the UK. AutoRuns was able to show us the malicious file loading with Windows. The actual detection and removal is up to you and your utilities, however TCPView and AutoRuns gave you the heads up. On the flip side, the backdoor successfully executed and called home on the system. Being that it’s a password stealer, the information it was programmed to gather completed successfully.

I call this one a DRAW. Why? because a backdoor is designed to go unnoticed and AVG let it do just that, but with a few basic programs you can see that your system is not preforming normally. Also, after detecting the backdoor, I installed it on a virtual machine and after about 18 hours of leaving it alone, it downloaded a new executable and maintained a connection to the client. This shows that we caught it early enough on the users computer to detect and remove it before it phoned home for the latest instructions.

Malwarebytes – Bites Malware Back!

0
Filed under Downloads, Security Programs
Tagged as , , , , ,

Let’s face it! The same tools you used to remove malware/spyware/adware in 2006, are out of date and completely ineffective in battling malware/spyware/adware that actually has a purpose. That’s right! I said it, AdAware, Spy Bot Search and Destroy are no more than basic registry and cache cleaners. These days that can be accomplished with a simply application called, CCleaner.

So you ask, “Oh sweet nectar! What can I do to protect myself?” Well, rather than going on and on with a list of tools longer than your to-do list around the house, I’ll simply list a new one for you to add to your collection.

Malwarebytes’ Anti-Malware, This bad boy you should have already been using for some time now, so if that’s not the case, START NOW! It’s free, or for the 24.95 you can get automated scanning and automatic updates with real time protection. If you have a tidy system and stay on top of your computer cleansing and play nice around the web, the free version will do just fine. However, if your a click happy user who clicks on any link sent to you, please do yourself a favor and anyone else whom uses your high risk computer and purchase the full version.

Malwarebytes Free Version:
Download

Malwarebytes Full Version:
Download

Note: I’ll be adding this program into my future post, “Your Computer : A Fresh Start” This will be a complete guide from a clean install, into completely securing your Windows desktop (The best you can!).

Tech-Security – We’re Back!

0
Filed under Personal

After 2+ years of inactivity, we’re back online and ready to go! I’ve been side tracked in other projects the past few years, but now I’m back and ready to contribute.

We have a new little site design and I’ll be updating the website regularly. The goal is for everyone to share common/private knowledge about the security that surrounds us.

It’s Offical, Bush is a failure!

6
Filed under Misc

Google Search: Failure

Just when I my love for Google started to fade off…

Searching google for the word, Failure. I was expecting to see my first relationship at number one with my attempt to fly off my parents deck at a close second. Little did I know, I wasn’t even close, out of 529,000,000 possibilities, you’ll notice President Bush is number one on the list! I have to admit, this is hands down the most honest result I have received from a search.

The only question is, Did bush pay Google AdWords too put him at the top of this search? It wouldn’t surprise me!

Firefox 1.5.0.3 – DoS / PoC / Simple Fix

3
Filed under Downloads, Security News, Windows

Firefox Process

Introduction:
Another successful day for the script kiddies. The firefox community has been blessed with another exploit released for the latest version of firefox (1.5.0.3). Once again this is more of an annoyance than anything. If you enjoy your browser crashing random as you surf unsafely through the internet, I recommend you do nothing differnet and don’t waste your time researching anything that has to do with security. Seriosuly, there are simple solutions to these types of “exploits.” Please read on for ‘Proof of Concept’ (meaning you can test and see if your browser will crash) and recommended solution.

Exploit:
Firefox 1.5.0.3 Denial of Service – Test me! (Note: Link will crash browser)

Recommended Solution:

No Script Logo

NoScript [info] [download] (exstension for Firefox)

IE 6.0 SP2 – DoS Exploit (Released 05/10/06)

4
Filed under Downloads, Security News, Windows

I was wondering how long we’d make it before being blessed with another delicious exploit for Internet Explorer. Atleast it was the day after Microsoft released the round of ‘May-Day’ patches. No need to panic this is more of an annoyance then a real problem….or is it?

Error & Debug:
Debug

Affected:
IE 6.0 SP1/SP2

Not Affected:
IE 7 beta 1/beta 2
Mozilla (all)

Exploit:
Enjoy (IE 6.0 only)

If this exploit affects you, it’s time to start thinking about the big move. Let go of Microsofts hand and learn to walk on your own. On a serious note, I use IE 7 SP2 for trusted sites only (Banking, etc…) and everything else I use Mozilla w/ Noscript.

Recommended Solution:
Mozilla Firefox 1.5.0.3 Final [ download ] w/ NoScript [ info] [download]

Icesword 1.16 English & Darkspy 1.0.4 (1.0.2 English)

2
Filed under Downloads, Security Programs, Windows

IceSword 1.2

Anti-Rootkit programs are becoming a necessity in keeping your computer secure. I know Anti-Virus vendors are trying to implement rootkit detection. Personally I never believed in an “all-in-one” product for security. To be successful in preventing rootkits, you have to stay current with the latest leaders of this task. As of now, the leaders seem to be IceSword & Darkspy. Both of which just released new versions this month. My advice to anyone trying to get a handle on rootkits, would be to test them all. See which ones you feel comfortable with and which ones give you the best results.

IceSword 1.16 EN
http://www.xfocus.net/tools/200604/IceSword116en.rar

DarkSpy 1.0.2 EN (Test Evaluation)
http://lu0s1.3322.org/Utilitys/DarkSpy_En.rar

DarkSpy 1.0.4 CN
http://www7.spread-it.com/dl.php?id=5a7a4d6079e30f17270815bd2caac23231b08ae9

Note:
DarkSpy Author CardMagic says,
“sorry,i havent made a English version of DarkSpy 1.0.4.because this is a temporary version and will be updated soon.The new Engish version of DarkSpy will be pubished when some new functionalities are added.”

So We’ll be keeping an eye out for the latest version of DarkSpy as it’s released to the public. Just because these are the only two rootkit solutions I mention in this article, please don’t assume these are the only two out.

Other Anti-Rootkit Solutions:
Rootkit Revealer by Sysinternals
Blacklight by F-Secure

Gas War – We’ve lost the battle, lets win the war!

4
Filed under Misc, Personal

Gas Chart

Intro:
Looks like we’re off to a killer “May Day” month. I don’t know about everyone else but I’m tired of sitting around watching the gas prices shoot up through the sky. A 100.00 gas refund from the government isn’t going to last nearly as long as these prices do. It’s time we as the consumers work together to do our part, otherwise you have no right to complain.I don’t know if it’s true, but I was told that Russia and China are working together with Iran to take away our oil shipments and reroute the oil to China and Russia. This leaving our country in an economic disaster. I’m sure we have plenty of oil in reserve as well as coming from IRAQ to where we shouldn’t be affected for sometime now.

The Plan:
Phillip Hollsworth offered this good idea.

This makes MUCH MORE SENSE than the “don’t buy gas on a certain day” campaign that was going around last April or May. The oil companies just laughed at that because they knew we wouldn’t continue to “hurt” ourselves by refusing to buy gas. It was more of an inconvenience to us than it was a problem for them.
Please read on and join with us! By now you’re probably thinking gasoline priced at about $1.50 is super cheap. Me too! It is currently $3.35 for regular unleaded in California. Now that the oil companies and the OPEC nations have conditioned us to think that the cost of a gallon of gas is CHEAP at $1.50 – $1.75, we need to take aggressive action to teach them that BUYERS control the marketplace….. not sellers.

With the price of gasoline going up more each day, we consumers need to take action. The only way we are going to see the price of gas come down is if we hit someone in the pocketbook by not purchasing their gas! And, we can do that WITHOUT hurting ourselves.

How? Since we all rely on our cars, we can’t just stop buying gas. But we CAN have an impact on gas prices if we all act together to force a price war.

Here’s the idea:
For the rest of this year, DON’T purchase ANY gasoline from the two biggest companies (which now are one), EXXON / MOBIL. If they are not selling any gas, they will be inclined to reduce their prices. If they reduce their prices, the other companies will have to follow suit.

But to have an impact, we need to reach literally millions of Exxon and Mobil gas buyers. It’s really simple to do! Now, don’t wimp out at this point…. keep reading and I’ll explain how simple it is to reach millions of people.

Acting together we can make a difference. If this makes sense to you, please pass this message on. I suggest that we not buy from EXXON/MOBIL UNTIL THEY LOWER THEIR PRICES AND KEEP THEM DOWN. If we show we have control, this will show we can’t be pushed around.

Your Part:
Spread the idea, promote the idea. Don’t sit around and wait for our government to take control of this issue. Please leave feedback and feel free to comment!!

Reference:
I orginally recieved this in an email from a friend. Instantly I thought this was a great idea and decided to turn that email into a blog. I remember paying .73 a gallon when I was 17, the sad thing is I’m only 24. Look at what happened over 7 years…

My Part:
I decided that blogging about this and not buying gas from Exxon/Mobil wasn’t enough. Currently my Google Adsense account (money I make off the ads on my site) is at 92.38. I’m going to donate that as well as 100.00 of my own money in promoting this idea on Google Adwords. I’m tracking all the stats via Google Analytics and will keep the blog updated with stats of how many visitors and what locations are helping. At the end of the month if this isn’t successfully generating hits I’ll stop promoting it on Google. However, until the Gas prices have dropped I’ll keep this post up.

Thank you for taking the time in reading about this!!

Secure Instant Messaging, File Transfers, and Chat Sessions

1
Filed under Security Programs, Windows

Secure Instant Messaging, File Transfers, and Chat Sessions…

Something thats sounds so nice, who would have thought safe messaging… Having said the words ‘safe messaging’ is going to give a lot of readers the sense of false security. Please note, setting up a secure certificate isn’t going to protect you from IM worms or even exploits. This is to encrypt the traffic between you and your destination assuming both parties are using a secure certificate. Personally, I use this as a layer of my security in protecting myself against phishing attempts, or if somebody was trying to impersonate someone on my buddylist. This is extremly important to businesses and people that share private information over the internet.

Let me describe one perfect example of how having an secure certificate would have prevented a security threat; A few years ago, my brother recieved a message from one of his friends (we’ll name the friend Newbert), “Hey Tyler check out this program, WinAmp2005.zip” claiming to be a limited edition version. Tyler assuming it was from Newbert, downloaded the file without hesitation, extracted the zip file and ran the install. To his surprised he was prompted with an error and no installation began. What he didn’t know is the person he thought was his friend Newbert was actually some cyber script kiddie that just infected innocent Tyler with a trojan or password stealer. A few minutes later his screen name was signed off, and someone has changed his password. When he tried to request his password to his email address, his email password was already changed too. See if Tyler and Newbert would have had a secure certificate, tyler would have been able to verify that Newbert really was Newbert. Even if cyber script kiddie stole Newberts AIM password, locally on Newberts computer, he has to input another password to access AIM using the SSL cerificate. I’m not stating that a secure certificate will protect you against virus and worms. However, it adds a nice layer to your security.

It’s very easy to tell the difference between a secure user and the average user. If a user on your buddylist is using a secure certifcate you’ll notice a grey lock next to their screen name. if they are not you’ll notice nothing.

Aim Secure

So, now that you understand the importance of secure communications, I’ll leave you with a few choices. You can get a certificate for FREE from a few sources, however I would have to accept your certificate before communicating with you (I personally wouldn’t accept). Or you can make your own certificate. Last you can pay verisign.com to issue you one. This is the route I went, for I trust verisign more than some random source as well as myself. So for the 15.00 a year, it was worth it to me. However, they offer a free 60 day trial, so atleast check it out!

Free:
- Whitsoft Dev : http://www.whitsoftdev.com/aimcert/ – Very Simple to setup.

Pay:
- Verisign : https://digitalid.verisign.com/client/enroll.htm ( 19.95 1 yr. / 60 day free trial)

Once you’ve requested your certificate in either .p12 or .pfx format we can move forward with adding importing the SSL certificate into AIM.

Note: AIM Trinton doesn’t offer support for the SSL certificate. On a personal level you don’t want AIM Trinton.

Installation:
1) Copy the .p12/.pfx file to your desktop.
2) From your buddy list, go to ‘My AIM’ > ‘Edit Options’ > ‘Edit Preferences’
3) On the left side, select ‘Security’
4) Click the Advanced button.
5) Click the Import button under “Import a certificate.”
6) Browse to where you saved your SSL certificate and select the .p12/.pfx file listed and click Open.
7) When it asks for a “security” password, enter one. (This is the password you’ll be asked for everytime you sign on AIM for the first time)
8) When it asks for the password of the certificate, enter the same as above.
9) Make sure the box is checked next to “This certificate can identify mail users.” and press OK.
10) Click OK on all dialogs that come up, until you see one that says Certificate successfully imported, click OK on that one too.
11) Exit and re-start AIM.
12) Enjoy your SSL certificate and piece of mind while chatting with your online friends.

Ending Notes: Please let us know if you have trouble with creating or setting up your secure communication. Other than that, any feed back or different methods you might use for secure communications is welcome!