Professional Computer Consultants
News Archives

Here's where you'll find all of our news articles.  (We save everything!)  Take a look around and see if you can't learn something new, or confirm something you heard.  If you are having trouble finding something, let us know!

August 10, 2008

Although we in the IT community can't expect every user everywhere to never click anything in an email message, no matter how dangerous we explain it is to do so, here are some tips to help the user community better understand the ever-present threat of email hijacking, spear phishing and related nefarious activities.

Don't click any links when:

  • The email was sent by someone you do not know.
  • The email was sent by someone you might know, but whose name and email address do not match, e.g. sender: John Smith <Shjdyu@yahoo.com> or Albert Einstein <stacyB@hotmail.com>.
  • The email asks you to click a link to "verify" personal details, e.g. "please click the link below to verify your account details".
  • The link looks odd, e.g. http://123.123.123.123/dhjeuaUhskw/special_surprise or www.notquite-the-banks-name.com (a bare IP address, or a domain that only resembles the bank's real name).
  • The email or web page says you have
    • "won a laptop, click here to claim",
    • "spyware, click here to download a program to fix it",
    • "been selected as our lucky winner for ....."

If you have passed all of the above tests and still feel the urge to click, ask yourself a few more questions first:

  • How certain am I that the email was really sent by the person it claims to be from?
  • Does the link match what I would expect it to be? e.g. www.xyzstore.com rather than www.xyzzstore.com (one extra letter is all a look-alike domain needs).
  • When you hover the cursor over the link, where does the browser say it will take you? The text you see (say, http://www.xyzstore.com) and the address the link actually opens are two different things; the status bar shows the real destination, and if it goes somewhere "special", don't click.

Just some things to consider before clicking that link, picture, sound clip or video in your email message, EVEN if it's from someone you know. Of course, if you have any questions on this or need advice you can always contact us for free and we'll be happy to help.
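As an added illustration of the checks above (example code written for this page, not something from the original post), here is a small Python script that applies them to a message: it flags a sender display name that has nothing in common with the address, a link whose target is a bare IP address, link text that names one site while the href points to another, a domain that is merely similar to one you expect, and the usual lure wording. The sample From: line and HTML body are constructed to mirror the examples above; xyzstore.com is the placeholder name the post uses.

```python
import difflib
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words from the checklist above that mark a lure.
LURE_WORDS = ("verify", "claim", "winner", "lucky", "fix it")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Lowercase hostname of a URL or bare host string; '' if there is none."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _site(host):
    """Crude registrable domain: the last two labels (no public-suffix list offline)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_sender(from_header):
    """Flag a From: whose display name shares no word with the address's local part."""
    name, addr = parseaddr(from_header)
    local = addr.split("@")[0].lower()
    words = [w for w in re.split(r"[^a-z]+", name.lower()) if len(w) > 1]
    if words and not any(w in local or local in w for w in words):
        return [f"sender name '{name}' does not match address '{addr}'"]
    return []


def check_links(html_body, expected_sites=()):
    """Apply the link checklist to every <a> in the body; returns a list of findings."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = _site(_host(href))
        if _is_ip(_host(href)):
            findings.append(f"{href}: target is a bare IP address")
        # visible text that looks like a URL but names a different site than the href
        looks_like_url = re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text)
        if looks_like_url and _site(_host(text)) != target:
            findings.append(f"{href}: visible text '{text}' names a different site")
        for site in expected_sites:
            if target != site and difflib.SequenceMatcher(None, target, site).ratio() > 0.8:
                findings.append(f"{href}: '{target}' looks like '{site}' but is not it")
        if any(w in text.lower() for w in LURE_WORDS):
            findings.append(f"{href}: lure wording '{text}'")
    return findings


# Constructed sample: the senders and links mirror the examples in the post.
SAMPLE_FROM = "John Smith <Shjdyu@yahoo.com>"
SAMPLE_BODY = """
<p>Dear customer,</p>
<a href="http://123.123.123.123/dhjeuaUhskw/special_surprise">click here to claim</a>
<a href="http://www.xyzzstore.com/login">http://www.xyzstore.com</a>
<a href="https://www.xyzstore.com/orders">your orders</a>
"""

if __name__ == "__main__":
    for finding in check_sender(SAMPLE_FROM) + check_links(SAMPLE_BODY, ("xyzstore.com",)):
        print(finding)
```

The similarity threshold and the two-label "site" shortcut are deliberately simple; a real mail gateway would use a public-suffix list and a curated list of brands to protect, but the logic of each check is exactly what the bullet points ask a human to do by eye.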



July 30, 2008

NEVER disable your home or personal firewalls, no matter the reason. If there is a site that won't work because of your firewall, they need to figure out how to make it work for you. It is the site that wants 'you' and 'your business', so they need to post instructions to aid you in safely and securely configuring your home and personal firewalls. If they won't, do a bit of research, ask a friend, or ask a computer pro to assist with a packet capture and find out what needs to be done. But whatever you do, DO NOT disable your firewall unless instructed to do so by a trusted computer professional. -Excerpt from Tony Carothers, SANS



May 11, 2008

Windows XP Service Pack 3 was released back on the 6th. For those who have already updated, you already know that there wasn't anything noticeable from an end-user point of view. It basically rolls up all the updates released since Service Pack 2 into one large bundle and adds a few enhancements. The most important thing to note is its effect on Internet Explorer. If you're using IE6, SP3 simply updates it, and you'll still be able to upgrade to IE7 later if you want. If you're using IE7, SP3 updates it too, but afterwards you won't be able to uninstall IE7 and go back to IE6 without removing SP3 first. If you're using the IE8 beta, you'll have to uninstall it, install SP3, then reinstall the beta.

There are other invisible features and enhancements that go with the service pack. If you're interested, the white paper for Service Pack 3 can be viewed or saved here.



April 10, 2008

Two pro-Tibet websites (FreeTibet.org and SaveTibet.org) are hosting a malicious iframe that redirects the visitor's browser to a trojan downloader, which installs itself on the visitor's computer and then fetches further harmful wares (adware, spyware, etc.). Apparently in response to all the protesting taking place against China's human rights record and the Olympics, someone or some group seems to feel it necessary to attack people who are trying to make a difference or learn more about the crisis in Tibet. Visiting these sites can infect your computer, so use caution or block them at your router or firewall.



April 4, 2008

The site nmidahena dot com is causing several high-profile sites to experience problems with something known as "iframe injection". DO NOT visit this site, you will be infected. For those who are adding sites to either their proxy or into the HOSTS file (Windows), consider adding this one as well. Apparently, the affected site's SEO practices of locally caching any search queries submitted are abused. Whenever the malicious attacker is feeding the search engine with queries, the sites are storing the results, so when the malicious party is also searching for the iframe in a "loadable state" next to the keyword, it loads it. -Excerpt from Dancho Danchev

In plain terms: the site caches whatever visitors search for and later serves those cached queries back as page content (a common SEO practice), so an attacker who "searches" for an iframe tag gets that tag stored and then rendered inside the site's own pages. That is stored cross-site scripting, and the risk is inherent in echoing unsanitized search queries.
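To make the mechanism concrete, here is an added Python example (written for this page, not code from any affected site) of a toy search page that caches queries and re-renders them for later visitors, once without output encoding and once with it. The page class, the queries and the injected iframe string are constructed; attacker.invalid is a reserved, non-resolving name.

```python
import html

# Toy search page with the query-caching behaviour described above: every
# submitted query is stored and re-rendered for later visitors. The class,
# template and the injected string are constructed for this example.


class SearchPage:
    def __init__(self, escape_output):
        self.escape_output = escape_output
        self.recent = []  # cached queries: attacker-supplied text that persists

    def search(self, query):
        """Handle one search; the caching step is what makes the injection stored."""
        self.recent.append(query)
        return self.render()

    def render(self):
        """Render the 'recent searches' block that every later visitor receives."""
        items = []
        for q in self.recent:
            # Vulnerable form: the raw query goes into the page.
            # Hardened form: html.escape turns < > & " ' into entities.
            shown = html.escape(q, quote=True) if self.escape_output else q
            items.append(f"<li>{shown}</li>")
        return "<h2>Recent searches</h2><ul>" + "".join(items) + "</ul>"


def contains_live_markup(page_html):
    """True if an iframe or script tag survived into the rendered page."""
    low = page_html.lower()
    return "<iframe" in low or "<script" in low


# Constructed injected query; attacker.invalid is a reserved, non-resolving name.
INJECTED = '<iframe src="http://attacker.invalid/" width="0" height="0"></iframe>'


def demo(escape_output):
    """Attacker submits the query once; the returned page is what a later visitor sees."""
    page = SearchPage(escape_output)
    page.search("cheap laptops")
    page.search(INJECTED)
    return page.render()


if __name__ == "__main__":
    print("vulnerable page carries live iframe:", contains_live_markup(demo(False)))
    print("hardened page carries live iframe:  ", contains_live_markup(demo(True)))
```

Encoding at the point of output is the fix that survives regardless of what was cached; declining to cache queries that were never typed by a real user is a useful second layer, but on its own it is a heuristic, not a control.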



January 14, 2008

It would appear that two different web infections are moving around the Internet. One is about 15% of ScanSafe's traffic, the other only 1%. The 15% represents e-commerce websites hosting the infections and passing them on to visitors. The 1% traffic is significantly more interesting as it appears to be intelligent enough to produce a randomly generated file name each time the person visits the site. It is this fluxing which is causing so much discomfort with Incident Handlers worldwide. -from SANS, Mari Nichols



December 31, 2007

The Storm Worm is at it again, showing itself as an e-card directing unsuspecting users to a malicious website called "u have post card dot com", "happy cards 2008 dot com" or "new year cards 2008 dot com" (Actual websites had spaces inserted and the period replaced by the word "dot" intentionally.  DO NOT attempt to visit these sites!)  The malware file is called "happy2008.exe", "happy-2008.exe" or "happynewyear.exe".  If you are physically blocking websites either in your Windows HOSTS file or at your firewall, be sure to block these.   If someone tries sending you a card be very cautious of clicking the link or visiting the domain especially if it looks anything like one of these!



October 30, 2007

The Federal Trade Commission (FTC) is reporting that spoofed email messages that appear to come from the FTC contain malicious attachments. If you open one of these attachments you may infect your computer with a keystroke logger or other malicious code. The solution? Don't open unsolicited email, no matter who it's from...even if it's from the FTC!



October 20, 2007

Secunia has put out an advisory about a vulnerability in the iPhone and iPod touch. Viewing a malformed TIFF image can cause attacker-supplied code to be run. As of 10/19/2007, it does not appear that Apple has released a patch for this; the only workaround of which we're aware is not viewing TIFF images from unknown sources. We understand there is active exploit code in the wild for this vulnerability. -Abstract from SANS, William Stearns




September 08, 2007

It seems folks suddenly aren't able to get updates (after 31 Aug) to the "Active Virus Shield powered by Kaspersky" that they had gotten from AOL. It appears that AOL has switched from Kaspersky to McAfee and are now distributing "McAfee Virus Scan Plus-Special edition from AOL" according to sources. It isn't entirely clear how (or if) this was communicated to the folks using the Kaspersky software. Tests show that the old software may still get updates if you point back to a Kaspersky site, but that isn't entirely clear and we're unable to find anyone to answer that question for sure. Without some action by the user, however, it appears that they will now be unprotected, which is unfortunate. In the meantime, if you have an AOL e-mail address, you can still get free anti-virus software from here. Kaspersky and McAfee are two of the big names in the field, so both are good. I'm not sure why AOL decided to change, but they are still to be commended for providing anti-virus software to their customers. -Abstract from SANS, Jim Clausing




August 11, 2007

An email denial-of-service (DoS) storm broke out last night around 9pm EST. The source of the attack is unknown, but several major routers in North America are showing 100% packet loss. The messages are designed to pass through spam filters and are succeeding. Users are strongly cautioned to delete unexpected messages, or ones from unknown senders. Disabling the "Auto Preview" pane in Outlook, or the "Reading Pane" in Outlook and some other email programs, is highly advised, since these features render the message as soon as it is selected. Also, as always, users are strongly advised NEVER to click links, images or videos in the body of an email message. If a vendor or company wants you to update something, see something, or whatever, visit their site yourself and log in there to do what they request. Forewarned is forearmed, and when surfing the Internet you can never be too careful!




July 22, 2007

Kaspersky Lab, a leading developer of secure content management solutions, has detected the latest version of Gpcode, a virus which encrypts user data and demands payment for the decryption routine.

Virus.Win32.Gpcode.ai uses a complex encryption algorithm to encrypt user files and archives, making it impossible to open them. It also drops a file called "read_me.txt" onto the victim machine, which contains the following text:

Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA).

You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.

To decrypt your files you need to buy our software. The price is $300.

To buy our software please contact us at: xxxxxxx@xxxxx.com and provide us your personal code -xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system.

If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.

Glamorous team

In reality, this version of the blackmailing program uses a modified version of RC4, and not RSA-4096 as mentioned in the text. The claim that user files are sent to the malicious user is also false.

Kaspersky Lab has always been successful in finding the decryption key for files encrypted by previous versions of Gpcode. Signatures for Virus.Win32.Gpcode.ai have been added to the Kaspersky Anti-Virus databases, and all users are recommended to update their databases. It should also be stressed that the Proactive Detection module in Kaspersky Anti-Virus 6.0 products provides protection against this malicious program without the need to update databases. PDM will detect Gpcode.ai as Trojan.generic and Invader, and block its activity.

If your files have been encrypted by Gpcode, we strongly recommend that you do not pay money to the creators of this virus, as this will encourage further crime. Antivirus solutions are able to deal with the issue and restore encrypted data to its original form. -abstract from Kaspersky.com
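The RC4-versus-RSA-4096 point in the Kaspersky abstract above is the whole story of why those files were recoverable, so here is an added Python illustration (written for this page; nothing in it is taken from the Gpcode sample). A symmetric key that ships inside the malware can be pulled out of the binary, and a stream cipher such as RC4 that is restarted with that same key for every file hands its keystream to anyone holding one file whose contents are known. The key and the two "victim" files are constructed; the assumption that one fixed key is reused per file is stated in the code.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Encrypting and decrypting are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """XOR a file whose content is known against its encrypted copy to expose the keystream."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt as much of another file as the recovered keystream covers."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


# Assumption for the demo: one fixed key, restarted for every file (constructed values).
KEY = b"key-embedded-in-the-binary"
KNOWN_FILE = b"%PDF-1.4\n%" + b"\xe2\xe3\xcf\xd3\n" + b"1 0 obj\n" * 16  # a file the defender also has
SECRET_FILE = b"Q3 payroll figures: 1,234,567.89 USD"


def recover_secret() -> bytes:
    """Defender's view: both ciphertexts plus the plaintext of KNOWN_FILE, but not KEY."""
    known_ct = rc4(KEY, KNOWN_FILE)
    secret_ct = rc4(KEY, SECRET_FILE)
    keystream = recover_keystream(known_ct, KNOWN_FILE)
    assert len(keystream) >= len(secret_ct), "known file must be at least as long as the target"
    return decrypt_with_keystream(secret_ct, keystream)


if __name__ == "__main__":
    print(recover_secret())
```

Had the note been true, with a per-victim symmetric key encrypted to the attacker's RSA-4096 public key and never stored on the machine, neither trick would work; that is precisely why the false claim was written into the ransom note.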




June 10, 2007

Yahoo! Messenger users are vulnerable to a new malicious attack courtesy of someone out there. It's an exploit that redirects you to a different location silently, where the payload is downloaded. Looking at the code, it's not very well written, but it does the job, and the average user would be susceptible. Fortunately, Yahoo! sent out a patch immediately to combat the issue. Users are well advised to upgrade their Yahoo! Messenger immediately just in case.




May 26, 2007

Targeted attacks by email claiming to be from the Better Business Bureau are on the rise. The spam always comes with an RTF attachment. Basically the attackers use an application called Object Packager to embed an executable in an RTF document. The executable is typically a downloader which, when executed, downloads a second-stage malware. The attackers keep changing both the downloader and the second-stage malware, together with the sites they are using. It is worth pointing out again that this attack does not exploit any Office vulnerability; instead it relies on social engineering.

While the attack itself is not very interesting, what is interesting is that the spam e-mails carrying this seem to be targeted at company CEOs or CFOs. AV detection of embedded objects in RTF documents seems to be very weak. If possible, you can block RTF files on your e-mail gateways, but this might have a counterproductive effect as we have been encouraging users for years to use more friendly text formats such as RTF. As always, the best defense here is user education. Besides general awareness, it might be good to warn your users (especially the C*O levels) about this particular attack as it does rely purely on social engineering (the user has to confirm that he wants the executable opened). (Abstract from Bojan Zdrnja of SANS)
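Since the abstract notes that AV detection of embedded objects in RTF is weak, here is an added Python example (written for this page, not SANS or Microsoft code) of the structural check a mail gateway can do instead: look for the \object control word, read the \objclass, and inspect the hex \objdata payload for an executable. The two RTF documents are constructed; the control words are standard RTF, but the hex payload is a stand-in rather than a real Object Packager blob.

```python
import re

OBJECT = re.compile(r"\\object\b")
OBJCLASS = re.compile(r"\\objclass\s*([^{}\\]+)")
OBJDATA = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def scan_rtf(rtf_text):
    """Return a list of findings; an empty list means no embedded object was seen."""
    if not rtf_text.lstrip().startswith("{\\rtf"):
        return ["not an RTF document"]
    findings = []
    n_objects = len(OBJECT.findall(rtf_text))
    if n_objects:
        findings.append(f"{n_objects} embedded object(s) (\\object)")
    for m in OBJCLASS.finditer(rtf_text):
        cls = m.group(1).strip()
        findings.append(f"object class '{cls}'")
        if cls.lower() == "package":
            findings.append("Object Packager class: an arbitrary file wrapped as an object")
    for m in OBJDATA.finditer(rtf_text):
        try:
            blob = bytes.fromhex(re.sub(r"\s+", "", m.group(1)))
        except ValueError:
            findings.append("objdata is not valid hex")
            continue
        if b"MZ" in blob:
            findings.append("objdata payload contains an MZ (PE executable) header")
    return findings


# Constructed samples. _PAYLOAD is a stand-in for a packaged executable.
CLEAN_RTF = r"{\rtf1\ansi Quarterly report: nothing to see here.}"
_PAYLOAD = (b"\x01\x05\x00\x00\x02\x00\x00\x00Package\x00"
            + b"MZ\x90\x00" + b"This program cannot be run in DOS mode").hex()
EVIL_RTF = (r"{\rtf1\ansi Please review the attached complaint."
            r"{\object\objemb{\*\objclass Package}{\*\objdata " + _PAYLOAD + "}}}")


if __name__ == "__main__":
    print("clean:", scan_rtf(CLEAN_RTF))
    print("evil: ", scan_rtf(EVIL_RTF))
```

Blocking on "\object present" at all is the blunt version of the RTF-gateway block the abstract hesitates over; flagging only the Package class and MZ payloads keeps legitimate embedded spreadsheets and charts flowing while still catching this campaign.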


April 25, 2007

On Monday in an article in USA Today the title reads “Cyberspies exploit Microsoft Office”. The article states that the CyberSpies have tainted Microsoft Office files and are emailing them to specific organizations in hopes that the unsuspecting employee will open the attachment, infect their computer thus opening a hole which the attacker can then use to explore in the infected network and look for trade secrets, military secrets, passwords, etc. MessageLabs in an interview with USA Today said that it has intercepted assaults coming from Taiwan and China since November 2006. It appears that the targets are Federal Agencies, Defense and Nuclear contractors. -- Originally from SANS, Deborah Hale


April 19, 2007

It might be wise to block the IP address range 81.29.241.x, as recent analysis shows a whole host of malware being downloaded from there, disguised as .htm files when they're actually .exe files. Unless you do business with folks in Moscow, Russia, it wouldn't hurt to block these ASAP to prevent further spread of the garbage.


March 31, 2007

The .ANI File Format vulnerability has seen an increase in exploit attempts in-the-wild. McAfee Avert Labs has detected many Web sites linking to other sites that attempt to exploit this vulnerability. We have also observed a spam run that tries to lure its recipients to Web sites hosting code exploiting this vulnerability. Technical details and exploit code can now be easily obtained from these malicious Web sites. Following links in unsolicited e-mails and visiting unknown Web sites are strongly discouraged. This will affect email clients on vulnerable Operating Systems that render HTML. Exploitation could occur when the malicious message is either opened, previewed, or forwarded. Additionally, if you open up a folder with Explorer (not Internet Explorer) that has a malicious .ANI file (file-extension matters in this case) it will exploit the system. At least automated processes won't trigger execution (unlike WMF). -abstract from Kevin Liston, SANS
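As an added example for this page (not code from SANS or McAfee), here is a Python walker for the RIFF structure of a .ANI file that flags what the exploit files rely on: an 'anih' chunk whose declared size is not the 36 bytes of the header structure, and a second 'anih' chunk after a valid first one. Both animated-cursor files are constructed in the block; the only fact assumed is the 36-byte header size.

```python
import struct

ANIH_SIZE = 36  # size of the ANIHEADER structure the loader copies into


def _chunk(fourcc, payload):
    """One RIFF chunk: fourcc, little-endian size, payload, pad byte if odd."""
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) % 2 else b"")


def build_ani(anih_len=ANIH_SIZE, extra_anih_len=None):
    """Minimal RIFF ACON file (constructed); the anih payload starts with its own cbSize field."""
    body = _chunk(b"anih", struct.pack("<I", anih_len) + b"\x00" * (anih_len - 4))
    if extra_anih_len is not None:  # the second, oversized header seen in exploit files
        body += _chunk(b"anih", struct.pack("<I", extra_anih_len) + b"\x00" * (extra_anih_len - 4))
    body += _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 22))
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


def scan_ani(data):
    """Return findings for a .ani blob; an empty list means structurally sane."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF ACON (animated cursor) file"]
    findings = []
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared + 8 != len(data):
        findings.append(f"RIFF size {declared} disagrees with file length {len(data)}")
    pos, anih_count = 12, 0
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if pos + 8 + size > len(data):
            findings.append(f"chunk {fourcc!r} at offset {pos} claims {size} bytes past end of file")
            break
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(f"anih chunk #{anih_count} declares {size} bytes, expected {ANIH_SIZE}")
            elif struct.unpack_from("<I", data, pos + 8)[0] != ANIH_SIZE:
                findings.append(f"anih chunk #{anih_count} cbSize field is not {ANIH_SIZE}")
        pos += 8 + size + (size & 1)  # chunks are padded to an even length
    if anih_count != 1:
        findings.append(f"{anih_count} anih chunks, expected exactly one")
    return findings


if __name__ == "__main__":
    print("benign:   ", scan_ani(build_ani()))
    print("malicious:", scan_ani(build_ani(extra_anih_len=80)))
```

Run this over attachments and cached web content by content, not by extension: the abstract's point that the extension matters applies to Explorer's trigger, but a gateway should parse anything that starts with "RIFF....ACON" regardless of what it is called.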


March 29, 2007

People are getting spam from 'admin@microsoft.com' with a link to a file called 'IE7.0.exe'. This is not a valid link, and it's suspected that this has the potential to be malicious. This is not a Microsoft-generated link, as Microsoft would never have you click a link in an email to repair or patch your Windows-based device. They would instead provide you with a Security Update and have you connect to their Update service to get it. DO NOT follow this link. Instead, just delete the email and move on. As more develops we will provide updates.


March 25, 2007

The Gozi malware trojan is a Russian-born baddy that inserts itself between Internet Explorer and the socket used to send data. It then steals the data prior to encryption and sends it to your happy local Russian hacker. This may be the first really slick attempt to steal SSL data by inserting a listener to take the data pre-encryption, but the technique is not new.

Encryption is meaningless if one of the endpoints of the communication is compromised. If you tunnel your transaction over SSL to a vendor who happily takes your data and sells it, the SSL won't help you. The same holds true for home PCs, which according to any definition of security are completely untrustworthy. There are plenty of techniques to grab data before it is encrypted. The neanderthal way is to use a keylogger. Now there are other techniques in use. --Abstract from John Bambenek


February 10, 2007

There's a new email scam posing as a security advisory from your ISP. At this time, most Anti-Virus programs pick this up, but please don't test yours by attempting to install this according to directions...it will work! If you see this email, notify your ISP and delete it. Be sure to tell others if they send the message around warning you...propagate the truth!

Dear (insert ISP name) valued members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "guard.php" in: "./public_html" or (for Windows Based servers which use ASP) upload the file "guard.asp" in: "./wwwroot" in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux based websites that use PHP/CGI/PERL:
1) Download the attachment named "guard.zip"
2) Extract file "guard.php"
3) Login to your site Control panel.
4) Open "File Manager" window.
5) Go through "Public_html" or "htdocs"
6) Choose "Upload Files"
7) Upload the file "guard.php"
8) Check its URL too "http://www.yoursite.com/guard.php", if it is ok

For Windows based websites that use ASP:
1) Download the attachment named "guard.zip"
2) Extract file "guard.asp"
3) Login to your site Control panel.
4) Open "File Manager" window.
5) Go through "wwwroot" directory
6) Choose "Upload Files"
7) Upload the file "guard.asp"
8) Check its URL too "http://www.yoursite.com/guard.asp", if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards
(insert ISP name)


February 9, 2007

There's a new worm making the rounds over MSN in Asia. Message content is something like "Heeey! I found a picture of you online, take a look". Sites implicated so far (where the binary comes from) are viotagallery-dot-com and modelosunica-dot-com. It might be wise to block these in your HOSTS file, or at your router since AV protection is still leaky.--Original abstract taken from SANS, Daniel Wesemann


February 8, 2007

A buffer overflow vulnerability in TrendMicro Antivirus seems to affect the product pretty much in all its versions. According to Trend, applying the latest pattern is sufficient to plug the problem until a new version of the engine (8.5) gets released. Chances are though that the trend (no pun intended) will continue that AV products themselves contain the same type of vulnerabilities they claim to shield other software against. --Originally taken from SANS, Daniel Wesemann


February 1, 2007

Windows Vista seems to have a very dangerous flaw in its Speech Command function! Apparently, through experimentation, folks have been able to play a .wav file through the PC's own speakers that issues step-by-step commands to open Internet Explorer and download a malicious package. This has been tested successfully in several different circumstances. Microsoft has acknowledged the problem and recommends disabling this feature of Vista until a patch can be issued, most likely one that will ignore commands when they are coming from the PC's own speakers!


December 2, 2006

There is malicious code spreading on the MySpace network using the JavaScript support within Apple's embedded QuickTime player. Websense has confirmed this.

Extracted from Websense writeup:

Once a user's MySpace profile is infected (by viewing a malicious embedded QuickTime video), that profile is modified in two ways. The links in the user's page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded into the user's site. Any other users who visit this newly-infected profile may have their own profile infected as well.

An infected profile can be identified by the presence of an empty QuickTime video or modified links in the MySpace header section, or both.

Originally taken from SANS, written by Koon Tan.


December 1, 2006

There is a new form of adware/spyware being spread that sends you to a bogus error site called 404dnserror/dot/com (DO NOT VISIT THIS SITE!). The page looks like a generic server error, but also advertises an anti-spyware tool in the form of an ActiveX-like installer toolbar at the top of the page. Downloading the file in the toolbar will cause your computer to be infected. Your best bet? Block this site in your firewall, or for admins, block this address at the router or by using the HOSTS file (XP).
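Several posts here (the Storm Worm e-cards, the MSN worm sites, nmidahena, and this one) suggest blocking named sites in the Windows HOSTS file, and all of them write the names "defanged" with spaces and the word "dot". Here is an added Python helper (written for this page, not a tool from any of the quoted sources) that turns such names back into hostnames, validates them, skips ones already in an existing HOSTS file, and rejects anything a HOSTS file cannot express. The name list and the existing HOSTS content are constructed from the names quoted in these posts; the refanging rules are assumptions about how such names are usually written.

```python
import re

HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def refang(name):
    """'u have post card dot com' -> 'uhavepostcard.com'; also [.] (.) [dot] (dot) -dot- /dot/ and hxxp://."""
    s = name.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = re.sub(r"\s*(\[\.\]|\(\.\)|\[dot\]|\(dot\)|[-/]dot[-/]|\sdot\s)\s*", ".", s)
    return re.sub(r"\s+", "", s)  # any remaining spaces were inserted to break the link


def hosts_entries(defanged_names, existing_hosts_text="", sink="0.0.0.0"):
    """Return (new_lines, rejected). 0.0.0.0 avoids hitting a web server listening on 127.0.0.1."""
    present = set()
    for line in existing_hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        present.update(h.lower() for h in fields[1:])
    new_lines, rejected = [], []
    for raw in defanged_names:
        host = refang(raw)
        if not HOSTNAME.match(host):
            rejected.append(raw)  # e.g. wildcards: a HOSTS file matches exact names only
        elif host not in present:
            present.add(host)
            new_lines.append(f"{sink} {host}")
    return new_lines, rejected


# Constructed inputs: names quoted in the posts on this page, one already-blocked
# entry, and one wildcard that only a gateway or proxy could enforce.
NAMES = [
    "u have post card dot com",
    "happy cards 2008 dot com",
    "nmidahena dot com",
    "viotagallery-dot-com",
    "404dnserror/dot/com",
    "guajfskajiw.*",
]
EXISTING_HOSTS = "127.0.0.1 localhost\n0.0.0.0 nmidahena.com  # added April 2008\n"

if __name__ == "__main__":
    lines, rejected = hosts_entries(NAMES, EXISTING_HOSTS)
    print("\n".join(lines))
    print("not expressible in HOSTS:", rejected)
```

Two caveats a practitioner should keep in mind: a HOSTS entry stops name resolution only, so a link that uses a bare IP address sails past it; and malware that rewrites the HOSTS file itself (a common trick for blocking antivirus update sites) will undo the block, so a gateway or proxy list is the stronger place for these names.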


November 30, 2006

A number of major news sites picked up on an alert issued by the US Department of Homeland Security (DHS), suggesting a major pending cyber attack by al Qaeda against US banking interests. The news coverage suggests that the attack will begin tomorrow and last until year's end. The entire issue is probably best summarized by a quote from a DHS spokesperson, published on CNN.com:

"There is no information to corroborate this aspirational threat. As a routine matter and out of an abundance of caution, US-CERT issued the situational awareness report to industry stakeholders,"

In other words, ensure you follow best practices and keep your guard up. It's probably not going to be Al Qaeda, but someone will probe your defense tomorrow as they did today. And whatever helps against them will help if Al Qaeda should launch a cyber attack after all. (Originally from Johannes Ullrich, SANS)


November 24, 2006

Kaspersky Lab has detected mass mailings of new variants of Email-Worm.Win32.Warezov, which started at 5am Moscow time (GMT +3), 22nd November 2006. A new version is being sent out in each mass mailing. The variants are all highly similar, and spread as an attachment to infected emails. Once launched, they may terminate antivirus and firewall programs and download other malware. The latest variants are Email-Worm.Win32.Warezov.gl and Email-Worm.Win32.Warezov.gj. Antivirus updates have been released for all the latest variants. Users are strongly recommended to ensure that they keep their antivirus software up to date.


November 21, 2006

A vulnerability has been reported in the way OS X handles corrupt DMG images. This would typically be a local user exploit for privilege escalation. The exception here would be that it could also be exploited remotely via the Safari web browser. A lot of OS X binaries can arrive as DMG files. They are complete file systems, and are automounted in a default configuration. A corrupted DMG file would then compromise the system and allow for arbitrary code execution. There currently is no vendor patch for this vulnerability. To reduce the risk of remote compromise reconfigure Safari and be careful with DMG files from untrusted or unknown sources. For Safari disable opening "safe" files after downloading.


November 19, 2006

McAfee has issued an early-release notification for a DAT originally scheduled for Monday, November 21st. The new DAT was made available early because of the virus's potential to spread quickly. W32/HLLP.Philis.bq (aka PE_LOOKED.LF-O, W32.Looked.O, and Win32/Looked.BZ) is a file-infecting virus that searches for executable files on the infected machine and prepends its viral code to them. It also drops a .DLL file, which downloads a password-stealing trojan from a website. For those with McAfee products, the DAT is available now rather than Monday. For those with other scanning utilities, check with your provider to see when a patch or updated signature file will be released. Meanwhile, to ensure protection from the password-stealing trojan that it downloads, you may want to block the following URL at your network appliance (gateway, router, etc.): guajfskajiw.43242.com/[hidden]/a1.exe. Your best bet is to block guajfskajiw.* to be safe. For more information, follow this link: http://vil.nai.com/vil/content/v_140922.htm


November 17, 2006

The U.S. Computer Emergency Readiness Team (US-CERT) has some excellent advice for protecting our technology from spyware and viruses without compromising ourselves, or decreasing the performance of our machines. Read below for more: (Authors: Mindi McDowell, Matt Lytle)

Investigate your options in advance - Research available anti-virus and anti-spyware software to determine the best choice for you. Consider the amount of malicious code the software recognizes, and try to find out how frequently the virus definitions are updated. Also check for known compatibility issues with other software you may be running on your computer.

Limit the number of programs you install - Many vendors are now releasing packages that incorporate both anti-virus and anti-spyware capabilities together. However, if you decide to choose separate programs, you really only need one anti-virus program and one anti-spyware program. If you install more, you increase your risk for problems.

Install the software in phases - Install the anti-virus software first and test it for a few days before installing anti-spyware software. If problems develop, you have a better chance at isolating the source and then determining if it is an issue with the software itself or with compatibility.

Watch for problems - If your computer starts processing requests more slowly, you are seeing error messages when updating your virus definitions, your software does not seem to be recognizing malicious code, or other issues develop that cannot be easily explained, check your anti-virus and anti-spyware software.


November 11, 2006

A vulnerability has been discovered in Broadcom's Wireless driver, BCMWL5.SYS. This should only raise a concern for those using a wireless network. Currently, only Linksys has a patch available. Be careful before applying any patch, unless you're using a Linksys device. Applying the wrong patch or incompatible version can cause connectivity problems, so use caution! Check with your provider or manufacturer first to be sure.


November 09, 2006

It appears now that McAfee's name is being used to spread a new trojan via email. The email arrives presumably from McAfee with an attachment that actually spreads the trojan. This mass mailing is unusual because it attempts to spoof the email address mcafee @ europe . com. This trojan has been given the name Lafool.v by Kaspersky labs and is a password stealing program. (Originally taken from SANS Handler's Diary, Nov. 7th, written by Deborah Hale)


November 08, 2006

The US-CERT acknowledged a vulnerability today in Mozilla's Firefox and Thunderbird products. These security vulnerabilities can allow an attacker to take control of your computer without your knowledge or consent! If you're not already running Firefox version 2.0, the recommendation is to download the latest releases that fix these security issues. They can be downloaded from the Mozilla website at http://www.mozilla.com