Archive for December, 2005

Hamachi p2p vpn

Thursday, December 29th, 2005

A few days back I was at grc to run a “shields up” scan on a clients machine and found reference to their Security Now podcast (Leo Laporte and Steve Gibson.) The cast was about a VPN tool called Hamachi… so I revisited and gave a read to the Security Now! transcript. And then visited […]

Network Security guide for the home or small business network – Part 17 – The Security Mindset

Thursday, December 29th, 2005

This may be one of the most important entries in this series. An important defence against those that would try to access your network is to constantly have the “security mindset”. Ask yourself “do I need this, how could it be exploited, what are the implications of this”… When it comes to people asking you […]

Another workaround for the 0-day WMF Exploit

Thursday, December 29th, 2005

I notice that the Sunbelt Blog has some instructions up for blocking the zero-day Windows Meta File (WMF) exploit with their newly acquired kerio firewall. (Free or full version.) Either version can use an add-on rule from bleeding-edge snort (intrusion detection signatures…) Instructions in the link above on how to implement the rule addition.    […]

Some Sony news

Thursday, December 29th, 2005

You had to know we couldn’t make it to the end of the year without another story about the Sony DRM rootkit…. I noticed last night that the sunbelt blog had mention of a proposed settlement in their legal troubles in the wake of the XCP copy protection DRM rootkit MESS. *(Mediamax is not quite […]

Spyware, viral cleanup disabling system restore

Thursday, December 29th, 2005

Sorry, but to get into the guts of what I found in the wake of the WMF exploit, I did leave out another important step in the cleanup process. IF you are trying to clean up an infested machine one of the first real goals has to be disabling system restore. (start, (settings,) control panel, […]

Update on the WMF exploit – more sites to block

Thursday, December 29th, 2005

I haven’t checked to see if these are already on other block lists for the WMF exploit, but the following addresses are advised to be blocked (from f-secure)…. toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz toolbarurl[dot]biz buytoolbar[dot]biz buytraff[dot]biz iframebiz[dot]biz iframecash[dot]biz iframesite[dot]biz iframetraff[dot]biz iframeurl[dot]biz    Send article as PDF   

http://60.topnssearch.com popups in infestation

Thursday, December 29th, 2005

One other note from the previous series on WMF exploit infestation cleanup. Among the multiple popups that came when launching internet explorer, most were directed at the site http://60.topnssearch.com –    Send article as PDF   

Cleaning up after WMF Exploit – summary

Thursday, December 29th, 2005

Can I say enough times that after a bad trojan infestation you should format and reinstall? I’ve cleaned up the infested image that I “sacrificed” to the WMF exploit and as I’ve said you’re pestware install will likely be somewhat different. An exploit is just the road, the spyware and viruses are the cars. Once […]

Cleaning up after WMF exploit – BHO removal

Thursday, December 29th, 2005

Browser helper objects (BHO’s) are listed in the registry and load with explorer when it runs (Internet Explorer/ File explorer are so closely tied it affects both.) I’ve used BHOdemon in the past to identify and disable BHO’s and a tool like that is the preferred method. However, in my case, this is a disposable […]

Cleaning up after WMF exploit – is it clean?

Thursday, December 29th, 2005

So, I’ve got most of the baddies cleaned out and I’m not getting popups anymore. No nags on boot, the boot process is quicker, but is it really clean? I found a few files (winlogon.exe, alg.exe in particular) that could be legitimate windows file names. Am I running the good one, or the trojan? That […]

Google
 
Web www.averyjparker.com