Category: Security

  • Lotus Notes WMF vulnerability

    This is really the same zero-day WMF vulnerability, but there is a twist. It’s been found that Lotus Notes v. 6.x and up are vulnerable to the Windows Meta File (WMF) exploit that’s making the rounds. Probably not surprising, given that there are reports of many vectors of attack, not JUST the web browser. What makes this one noteworthy is that it is vulnerable EVEN WITH THE regsvr32 WORKAROUND. The only other solution that’s been reported thus far is DEP (Data Execution Protection) with supported DEP hardware.


  • Hamachi p2p VPN

    A few days back I was at GRC to run a “Shields Up” scan on a client’s machine and found a reference to their Security Now podcast (Leo Laporte and Steve Gibson). The cast was about a VPN tool called Hamachi, so I revisited and gave the Security Now! transcript a read, and then visited the Hamachi site. I’ve got to say, I’m impressed on a couple of levels with Hamachi. First, it sounds as though they’ve taken a great approach to a secure, free VPN implementation. (Steve Gibson is a pretty good reference.) It’s also easy to install and use, and beyond that there are Linux/Windows versions of the client currently; a Mac version will be released after the 1.0 for Linux and Windows.


  • Network Security guide for the home or small business network – Part 17 – The Security Mindset

    This may be one of the most important entries in this series. An important defence against those that would try to access your network is to constantly have the “security mindset”. Ask yourself, “Do I need this? How could it be exploited? What are the implications of this?” When it comes to people asking you to click on a link: “Do I trust the person? Am I sure it’s from the person it claims to be, and how sure? Is it normal behavior for this person to ask me to click on a link?” I guess what it comes down to is developing some healthy critical thinking and skepticism.


  • Another workaround for the 0-day WMF Exploit

    I notice that the Sunbelt Blog has some instructions up for blocking the zero-day Windows Meta File (WMF) exploit with their newly acquired Kerio firewall (free or full version). Either version can use an add-on rule from Bleeding Edge Snort (intrusion detection signatures); instructions on how to add the rule are in the link above.

  • Spyware, viral cleanup disabling system restore

    Sorry, but in getting into the guts of what I found in the wake of the WMF exploit, I did leave out another important step in the cleanup process. IF you are trying to clean up an infested machine, one of the first real goals has to be disabling System Restore (Start, (Settings,) Control Panel, System, System Restore, use the checkbox on that sheet, then OK to confirm). This was one of the first things I did after infection to start the process of cleaning up. Windows uses System Restore to keep copies of vital Windows files. Unfortunately, they can be viral/trojaned files as well.

  • Update on the WMF exploit – more sites to block

    I haven’t checked to see if these are already on other block lists for the WMF exploit, but the following addresses are advised to be blocked (from F-Secure):

    toolbarbiz[dot]biz
    toolbarsite[dot]biz
    toolbartraff[dot]biz
    toolbarurl[dot]biz
    buytoolbar[dot]biz
    buytraff[dot]biz
    iframebiz[dot]biz
    iframecash[dot]biz
    iframesite[dot]biz
    iframetraff[dot]biz
    iframeurl[dot]biz


  • http://60.topnssearch.com popups in infestation

    One other note from the previous series on WMF exploit infestation cleanup. Among the multiple popups that came when launching Internet Explorer, most were directed at the site http://60.topnssearch.com –

  • Cleaning up after WMF Exploit – summary

    Can I say enough times that after a bad trojan infestation you should format and reinstall? I’ve cleaned up the infested image that I “sacrificed” to the WMF exploit and, as I’ve said, your pestware install will likely be somewhat different. An exploit is just the road; the spyware and viruses are the cars. Once the road is built, just about any car can use it. Hopefully the series has been helpful in working through some of the problems with a system cleaning.


  • Cleaning up after WMF exploit – BHO removal

    Browser helper objects (BHOs) are listed in the registry and load with Explorer when it runs (Internet Explorer and File Explorer are so closely tied that it affects both). I’ve used BHODemon in the past to identify and disable BHOs, and a tool like that is the preferred method. However, in my case this is a disposable virtual machine, and I used the “blunt object” approach: regedit.


  • Cleaning up after WMF exploit – is it clean?

    So, I’ve got most of the baddies cleaned out and I’m not getting popups anymore. No nags on boot, and the boot process is quicker, but is it really clean? I found a few files (winlogon.exe and alg.exe in particular) that could be legitimate Windows file names. Am I running the good one, or the trojan? That is exactly why a clean install is usually the best treatment for a badly infested system. Ultimately, to trust this cleaned system a bit more, I would need to watch it for signs of peculiar open network ports or peculiar processes.
