There’s a rumor going around and a lot of unconfirmed information that a facebook application known as fan check is actually a virus. I’m seeing several claims that if someone becomes a fan of this facebook app (which the page claims is undergoing changes and currently unavailable)… well if someone becomes a fan in the meantime their friends will all be notified of the app, password on the account changed, etc. I’m a bit skeptical at this point because EVERYTHING I see seems 3rd party and I don’t see anyone claiming that THEIR account was compromised. What I DO know is that some of the top search results are known malware attack sites. For instance the second result (which was the top result a few hours ago….

Is eaves.ca/cgi/facebook-fan-check-virus.htm and the page it redirects to pushes the Personal Antivirus download. I don’t know if you’re familiar with Personal Antivirus but it’s one of those rogue antivirus applications that tries to push you into downloading and then buying with all sorts of trumped up virus and problem claims.

So, I don’t know if the fan check virus is legit or not, what I do know is that you need to be cautious with the search results. If you get something pop up offering to scan your pc for viruses close the browser window. Don’t download the scareware that they’re pushing and for heavens sake don’t pay a cent to the companies that push these scare and other slimy tactics.

Sometimes you see a malware implementation that you have to have respect for the cleverness/ingenuity of the design. These pests can be dastardly to get rid of, but essentially this pest was occasionally popping up a “windows integrity scanner” installer. It wasn’t frequent, but it was persistent and the user was afraid that it was the gateway to other bad stuff. (That’s correct…) Anyway on inspecting the msconfig list of programs running at startup I found gsudxz.exe or some such nonsense (psuedo-random string of letters). I opted to reboot into safe mode and run the smitfraud removal tool because this looked like a typical smitfraud infection… turns out it wasn’t though.

The removal tool did it’s job, found the item I had suspected and I rebooted to find it gone. I continued to work on the machine for another 40 minutes or so on another issue and left. I soon had a call that it had returned! So, I revisited and sure enough there was another entry in the startup list…. wdxcijk.exe or something similar… Hmmm… were is the “puppet master” process though? I killed off the process in memory and the startup entry, but knew there must be something “lurking in the shadows” that put it back in place.

So, I ran the Autorun utility from sysinternals…. I haven’t used that utility before believe it or not, but it does an EXCELLENT job of listing every thing that might automatically run or load at startup. It turns out that there are run entries in the registry that are not displayed by msconfig. (Thanks microsoft…) This particular baddie had taken up residence at hklm (hkey local machine) / software / microsoft / windows / current version / policies / explorer / run … an the file it was running was safely tucked away in the c:\documents and settings\all users\application data area….

so this process was responsible for running at startup and making sure that it’s minion was active. If the minion wasn’t active it would create a fresh copy and run it/place it in the regular startup area. Clever…. someone cleaning manually or via utility would quite easily find the and remove and not be certain how it kept sneaking back in.

I’m usually a bit leery of new antispyware products. I do a first look at the rogue antispyware lists and just try to be as cautious as possible when moving away from the tools that I’ve tried and tested. I downloaded malwarebytes anti-malware very reluctantly to clean up a machine with “virus isolator” that nothing else seemed to be able to completely remove. It just seemed like the 10 headed hydra or something that kept coming back, so I found malwarebytes anti-malware recommended and must say it did the task quite well.

BTW, I have since added this into my virus, spyware and malware removal toolkit and should add it to my page of antivirus removal tools which also lists free virus removal tools.

I still need to read more about their licensing, but it installed, updated, scanned AND cleaned the pests out for free. There is a link to purchase the software and as I said I will need to read the license more fully to see what you are entitled to as an end user with the free download.

MalwareBytes Anti-Malware page If you’re fighting spyware and can’t seem to get the upperhand on the pest, this just might be the tool to give you a clean system again.

That much said, the old advice still stands that after a system has been compromised it is best off to format and reinstall from scratch lest you leave some pest/backdoor behind to bite you in the future.

I’ve seen a couple of these emails today and wanted to give a post just to warn people that these are bogus and you should NOT follow the link suggested in the email. I HOPE no one reading this falls for it, but the “tax software update” that they are pushing is a virus. (SHOCK!) Only a little over half the antivirus vendors currently detect it.

Read on for details on the message body…

I ran it through virustotal and it’s a variant of mytob according to some antivirus vendors.

Here’s the body:

Dear Tax Payer,

As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.

To begin the update, please visit http://65.15951047 and click “Open” when asked how to begin the download.

After doing so, no further action is required on your part.

Thank you for your cooperation,
IRS.GOV Agent #7[3

=======================

The only variation in the text between messages seems to be the last line...

IRS.GOV Agent #0[3

is what I saw in another message.

Both messages seem to be from the same machine... here's the initial received header.

Received: from Exploit ([92.48.88.145]) by domainremoved (8.13.1/8.13.1) with SMTP id m24LIbv9002684 for
; Tue, 4 Mar 2008 14:18:39 -0700

Gee, looks like a cool uberhacker calling their machine “Exploit” —better look out for them….

Sender addresses seem to be quasi-random… name+2-3numbers@irs.org (I wonder why they didn’t just try to spoof irs.gov?)

The address should not be visited obviously without the biohazard suit…, it contains a file program.exe served up in an frameset which means that on visiting the page there is a file popup to download/run.

The http address resolves to a machine at ip address 65.243.100.199 – I can’t seem to get a reverse lookup on it – no ptr record?

As always, proceed with caution when dealing with links in emails or files attached to emails.

Last week we talked about creating strong passwords, but should we use different passwords for every site? It’s best practice to do just that. Do they all have to be really hard passwords? Again ideally, yes. So, how can we keep up password spreadsheet? Big sheet of paper? Password management program. Some advantages of password management programs are that many are equipped with encryption. In other words one password locks the whole list away. The bad news is if you lose or forget that password you are locked out of everything. Lists are generally bad because with access to your pc, your list is easy to get at.

I kind of like the “sheet of paper” approach. The only bad thing about that is that anyone sitting at your desk and finding your sheet can copy parts of it and then you’ve been compromised. The bottom line with this is if you do decide to manage passwords through a file on the computer or a piece of paper, treat it like you would the keys to a safety deposit box. Keep it VERY safe.

I take a bit of a different strategy. I have several (maybe 10 or so) frequently used passwords. Some of these passwords are throwaways, they protect meaningless stuff. Think about the cheap, useless locks you have on various things. CD cases, cheap briefcases, diaries. Now think about the serious deadbolt locks, usually in the real world, the bigger the lock, the more important or valuable item it’s protecting. So, mailinglist signups, low importance forums without https logins, anything that I either 1) don’t trust the site owner, 2) it’s a plain text login (no encryption, i.e. no https) and 3) it’s a “cheap win” if someone gains access. For instance, if the WORST thing someone can do is unsubscribe me from a mailing list, that’s not a big loss. The same goes for forum logins, the only benefit to gaining access would be to pose as me and post. Embarrassing, perhaps, but not usually this is not exactly worth wasting a really good password on.

So, I have 2-4 very weak passwords that I use for these.

Next up is the medium strength passwords, for those I use most of the day to day work that’s protecting moderately useful and slightly more valuable locations. I need to see https on a site to use these unless I trust the network between me and the site (and trust the site as well.) Again, I have about 4 of these…

The hard passwords I save for the most important things. These I have maybe 4 of as well. These are for the items that I would be most at a loss if it were compromised. Of course, one of the tricks if you knew me and IF you were able to find out what passwords I use and IF you were able to discern which I capitalized and which I mix case in…. you would still have to go through at least 12 combinations for each login. That would happen really quick with cracking software, but…

Anyway, that’s how I manage to keep at least some sanity when it comes to dealing with remembering passwords for all the various things I do online.

Making up passwords is something we have to do almost everyday it seems. Banking web sites, forums, email accounts, webhosting accounts, mail lists, etc. But it seems that making passwords is one of the things that some people have the hardest time doing. Maybe it’s not that it’s hard to make a password, but hard to make a GOOD password. First off, what’s a good password and what’s a bad password? Anything that is a dictionary word (even in another language) is a BAD password. Personal names are usually very bad choices. Why?

Because there are password cracking programs that can go through dictionaries testing passwords very quickly. Now, one thing people have done is attempt to take dictionary words and replace characters with numbers. This is a bit better than dictionary words and is used onlineby l33t (leet or elite) h4×0rs (haxors or hackers)… even google has given a nod to this with a translation of their search engine. The problem is the cracker software has gotten to a point where it tries these substitutions. (The number 0 for the letter o, 1 for l, 4 and a, etc.) So, while this is a bit better, it’s still not great.

The BEST password is one that appears to be a random string of letters and numbers. Ideally they should be uppercase and lowercase and include numbers. 7Y45cVFHg3 is an example of a pretty good password, but HOW are we supposed to remember that. First off, it’s surprising how well you can memorize gibberish if you type it enough, so one suggestion might be to pick a ridiculously hard password and make a point to memorize it. But, I think there is a better way.

Come up with a sentence. It can be a favorite quote or saying, or even something that you have made up. Let’s take for example “ours is not to question why, ours is but to do or die.” (I remember this quote used a lot in an old Risk video game release….

Now, let’s take the first letter of each word. ointqwoibtdod … wow that looks impressive, but since we’re all lower case we only have 26 character possibilities, let’s mix the case a bit. How about we capitalize Ours Not Question Why Ours (again) But Die (everything but the 2 letter words). So now it’s OiNtQWOiBtdoD … this is looking promising. Let’s go back and do some number replacements to make it a bit more complex. 0’s for Os 0iNtQW0iBtd0D We could take this further, we could substitute 8 for B, 1 for i to help us remember that EVERY letter that resembles a number is swapped. But most places make you do 6-8 character passwords, what if that’s too long? Cut it in an easy to remember place… “Ours is not to question why” can be distilled down to 0iNtQW or if you want an 8 character password take the second half… 0iBtd0D

This may look very difficult still, but play around with the idea creating sentences of your own. Then work with them for practice. In some circumstances you may not want to limit it to just the first letter, you might take a few characters…. the word thinking – you might take th or thk or just tk, whatever you think you will be best able to remember. You also may play around with your number substitions. Who remembers the phrase “best friends 4 ever”…. I think you get the idea at this point.

No, I don’t use any of the above suggested passwords and neither should you. The more practice you put in at making good passwords the better you are at it.

There could be a record number of vulnerabilities addressed next week when Microsoft releases an expected dozen updates for its Windows and Office products. (According to Brian Krebs at the Security Fix.) Tuesday February 13th is the date scheduled for the release of updates. One critical udpate will affect Microsoft’s security software (onecare/defender/etc.) 3 patches will affect Office. Most of the updates to be released are rated as critical.

What’s frustrating to me is that the responsiveness of Windows Update has gotten to be so slow on update Tuesday that many systems I find I HAVE to postpone for a day or two so I can get them quickly installed. I’m wondering if anyone else has noticed the slow down on patch Tuesday.

If course, it’s important for the security of your systems to keep as up to date as possible on security patches for the operating system and any and all software that’s used. (Even drivers have security updates.)

Here’s a followup to one of the first big stories that I posted on… the Sony rootkit – there has been a settlement with the FTC (Federal Trade Commision). It has yet to be approved but, affected customers could see up to $150 to cover cost of repair (rootkit removal/etc.) They(Sony) must also allow the cds to be swapped. Under the settlement Sony does not admit breaking any law.

If you don’t recall – there was a BIG fuss over CD’s distributed by Sony after it was discovered that a rootkit was being installed without notification to the user. Essentially, if a windows user put a sony cd into their machine the software would silently install. Some attempts at removal could cause serious problems (if I recall even forcing a reinstall of the system.)

I want to make a note of this here… Microsoft has announced that XP Home and Media center editions will get extended support on par with that of XP Pro. Essentially this means security updates for these versions of the OS should be available until 2014. Previously support for XP Home was to have ended as soon as December 2006, but was then extended modestly until after the release of Vista. The “Home” oriented products weren’t given the same length of support as the “Professional” or Business class products at that time. This announcement puts the two versions of XP on par with Pro.

I heard on the local news last night that the North Carolina Department of Revenue has lost a laptop that had ~30,000 state taxpayers information on it. Social Security numbers/etc… The report I saw that the state has setup a hotline to “teach citizens about identity theft” and have sent letters to those affected. Thanks… lose a laptop with 30,000 and then teach US about identity theft. How about teaching employees with sensitive information about encryption? ……. so I looked into it a bit further this morning.

According to this article the laptop was stolen from a car in the Raleigh area in DECEMBER. North Carolina has a “victims toolkit” at this address which is geared towards giving people the tools to request a freeze on their credit, notifying the three major credit bureaus, etc. (The report was from mid-January).

Also, people are encouraged to act quickly if they are notified that their information has been compromised.

It’s amazing to me that such large volumes of sensitive data are carried around and assumably NOT kept in an encrypted loop-back or some other protected store. Let’s face it, there ARE many tools for making a file relatively unreadable without a good passphrase. There is no indication in the reporting that I’ve seen that any steps were taken to encrypt the data for just such a possibility.

This get’s me back to something I’ve said many times to folks that say they won’t make a purchase online because they’re concerned about identity theft. These days, we are at the mercy of EVERY company that we do business with (including the state/federal and local governments). There is risk EVERY time you give someone your social security number or let the credit card swipe because more often than not it goes into a database somewhere. If the companies that are keeping the data have lax security or make poor choices, then you’re out of luck.

From the Charlotte observer’s report….

The employee’s car was locked, and she had followed department policies about securing the computer, Brooks told the Observer. The computer contained security features, but Brooks said officials are examining additional software safeguards.

So… I will assume they at least had a login password as part of their policy… I’m afraid that may have been all.