Friday, November 25, 2011

No, it isn't the Blaster Worm

There has been a rash of posts in help forums by people reporting their computer is infected with the Blaster Worm, w32blaster/worm.  It is not the Blaster Worm that has infected these computers but rather a fake/rogue antispyware program called "Spyware Protection".

Those who have attempted self-help fixes are reporting that they are unable to boot the computer in any mode.  If you are getting notices that your computer is infected with the w32blaster/worm, follow these steps:

1. Please restart the computer in Safe Mode with Networking. (To do this, turn your computer off and then back on.  Immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to login as a user.)
Note:  If you are unable to connect to the Internet, it will be necessary to go to an uninfected computer and download both RKill and Malwarebytes and transport the files to the infected computer via CD/DVD or memory stick.
2. Please download RKill from one of the following links at Bleeping Computer and save to your Desktop:

One, Two, Three or Four

  • Double-click RKill to run.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave RKill on the Desktop until otherwise advised.
  • Do NOT restart your computer after running rkill as the malware program(s) will start again.
Note: If you receive security warnings about RKill, please ignore them and allow the download to continue.

3. Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, be sure Quick scan is selected, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:


  • Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

After completing the above steps, take the additional time to update the third-party software on your computer, particularly Adobe products and Java.  Also, double-check that any old, vulnerable versions of Java have been uninstalled.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

If you are still having problems with your computer after completing the above instructions, assistance is available from analysts trained in malware removal at the sites listed in Malware Removal Help Sites.  As each site has different requirements, please follow the instructions provided at the site.



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Wednesday, November 23, 2011

Safety Tips for Online Shopping

Online shopping is no longer reserved for Cyber Monday, the Monday after Thanksgiving when most Americans return to work after the long Thanksgiving Holiday weekend.  However, during the Holidays, online shopping does increase.

Along with the increased shopping, there are also increased opportunities for scams, phishing, and identity theft.  If the deal sounds too good to be true, most likely there are hidden strings, such as high shipping costs.


Protect Your PC

Before you start shopping, take care of basic security.  This includes having a software firewall and up-to-date antivirus and anti-malware software.
  • If your antivirus software license expired, either renew the license or uninstall it and download and install Microsoft Security Essentials.  (If the replaced antivirus was a "security suite", be sure to activate the Windows Firewall when uninstalling.)
  • Now run a full system scan with your updated antivirus software.
  • Next, scan with anti-malware software.  If you do not have anti-malware software, my favorite is Malwarebytes' Anti-Malware.  Another popular program is SUPER AntiSpyware.
  • Check for and install Security Updates, including third-party software such as Adobe Flash and Java.
  • Be sure you are using an updated browser.  Each version release includes security updates.


Protect Your Credit

Your computer is ready and so are you.  But, safety precautions do not end with your computer.  Now the onus is on you to protect your credit.
  • Shop at reputable websites.  If the offer sounds too good to be true, it is probably a scam. Customer evaluations are available at sites like Epinions.com or BizRate to help you determine the legitimacy of a company.
  • ONLY do your online shopping from home and never from an insecure public WiFi spot or public area like an Internet cafe.
  • To complete your purchases, checking out will require creating an account.  It is not advisable to store your credit card and other personal information on the website.
  • At checkout, the site web address should be https: and there should be a closed padlock there or in the lower right corner of your browser.  If not, forget about it.  You will be giving away your credit card information!
  • It is best to use a "true" credit card rather than a debit card, as it offers better fraud protection.
  • At the completion of your order, print or make a screen copy, including the confirmation number, as a receipt for your purchase.

Tips

Finally, a couple of money-saving tips that may result in additional savings when you shop online.
  • Be wary of most of the "coupon sites".  However, there is at least one that I am aware of that appears to have a good reputation and is "McAfee Secure":
"Hundreds of well-known online stores like Barnes and Noble, Staples, and Overstock.com have a place within their shopping cart for a "coupon code" that gives a percent or dollar amount off your purchase. If you don't know the code, you can't take advantage of the discount. You can find these secret discount codes and coupon codes listed on many sites across the internet but the problem with these sites is that they're usually personal homepages and they don't maintain their lists! Currentcodes.com has a full-time staff of trained individuals whose only job is to find new coupon codes and discount codes and verify the accuracy of the existing database. We don't flood you with ads and we don't throw deals in your face. No hype, just current codes."
  • Check CyberMonday.com which includes special offers, including free shipping, at hundreds of online merchants.  On the actual Cyber Monday, the site will provide hourly specials and exclusives from popular online retailers.  A portion of the proceeds from CyberMonday.com supports the Ray Greenly Scholarship Fund.
  • RetailMeNot.com has printable coupons as well as coupon codes for online shopping.  It is definitely worth checking.





Friday, November 11, 2011

Lest We Forget

At the 11th hour of the 11th day of the 11th month, set aside politics and petty grievances and take time to pay tribute to all who died for their country.  As it happens, the 11th hour this year will occur on 11/11/11.

As in previous years, I am republishing my friend Canuk's last tribute. The comment he posted provides one example of why he was a special person:
"I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour.

Despite anyone's thoughts of the current conflict in Iraq - opposition or agreement, we must always remember that these brave young men and women are fighting for a cause they also may or may not agree with. The huge difference between them and us is that they are putting their lives on the line 24/7 while we sit in our homes in comfort, using the freedom of speech previous warriors won for us, and for that they deserve our love, respect, and support."
LEST WE FORGET








We Shall Keep the Faith by Moina Michael, November 1918

Oh! you who sleep in Flanders Fields,
Sleep sweet - to rise anew!
We caught the torch you threw
And holding high, we keep the Faith
With All who died.

We cherish, too, the poppy red
That grows on fields where valor led;
It seems to signal to the skies
That blood of heroes never dies,
But lends a lustre to the red
Of the flower that blooms above the dead
In Flanders Fields.

And now the Torch and Poppy Red
We wear in honor of our dead.
Fear not that ye have died for naught;
We'll teach the lesson that ye wrought
In Flanders Fields.
Flags courtesy of 3DFlags.com









Thursday, November 10, 2011

Microsoft Security Advisory 2641690 Addresses Fraudulent Digital Certificates

Microsoft released Security Advisory 2641690 which relates to the revocation of trust in an Intermediate Certificate Authority, DigiCert Sdn. Bhd. (Digicert Malaysia). 

The subordinate CA issued 22 certificates with weak 512-bit keys.  It has also issued certificates without the appropriate usage extensions or revocation information.
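The two defects described above (512-bit RSA keys, and certificates issued without key-usage extensions or revocation information) are both visible in the certificate itself, so an administrator can screen for them before trusting an issuer.  The following Python script is an added example, not part of the original post and not Microsoft or DigiCert tooling.  It uses only the standard library: a minimal DER reader walks the certificate to the public key and the extension list, and a small builder constructs a synthetic test certificate so the check runs offline.  The builder's names, serial number and modulus are made up for the example; it is not a real DigiCert Malaysia certificate, and the 1024-bit threshold is a policy value assumed for the example.

```python
# Added example: audit an X.509 certificate for the problems described in
# Security Advisory 2641690 (512-bit RSA keys, missing usage extensions,
# missing revocation information). Standard library only; the certificate
# it inspects is constructed below and is NOT a real DigiCert Malaysia cert.

# ---- minimal DER encoder (used only to build the synthetic test cert) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    # the extra byte yields a leading 0x00 when the top bit is set (positive INTEGER)
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:                                 # base-128 with continuation bits
            enc.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out += enc
    return tlv(0x06, bytes(out))

# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

KEY_USAGE, EKU, CRL_DP, AIA = "2.5.29.15", "2.5.29.37", "2.5.29.31", "1.3.6.1.5.5.7.1.1"
MIN_RSA_BITS = 1024   # policy threshold assumed for this example

def audit_certificate(der):
    """Return a list of findings (an empty list means nothing was flagged)."""
    _, cert, _ = read_tlv(der)
    fields = children(children(cert)[0][1])          # TBSCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0             # optional [0] version
    spki = fields[i + 5][1]                          # subjectPublicKeyInfo
    bitstring = children(spki)[1][1][1:]             # drop the unused-bits byte
    rsa_key = children(children(bitstring)[0][1])    # RSAPublicKey {n, e}
    modulus = int.from_bytes(rsa_key[0][1], "big")
    ext_oids = []
    for tag, val in fields:
        if tag == 0xA3:                              # [3] EXPLICIT Extensions
            for _, ext in children(children(val)[0][1]):
                ext_oids.append(decode_oid(children(ext)[0][1]))
    findings = []
    if modulus.bit_length() < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {modulus.bit_length()} bits")
    if KEY_USAGE not in ext_oids:
        findings.append("missing keyUsage extension")
    if EKU not in ext_oids:
        findings.append("missing extendedKeyUsage extension")
    if CRL_DP not in ext_oids and AIA not in ext_oids:
        findings.append("no revocation information (no CRL DP or AIA)")
    return findings

def build_cert(modulus_bits, extension_oids):
    """Synthetic, unsigned certificate skeleton used only to exercise the audit."""
    modulus = (1 << (modulus_bits - 1)) | 1          # made-up number, not a real key
    sigalg = seq(oid("1.2.840.113549.1.1.5"), b"\x05\x00")   # sha1WithRSA + NULL
    name = seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, b"example sub-CA"))))
    validity = seq(tlv(0x17, b"111110000000Z"), tlv(0x17, b"121110000000Z"))
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), b"\x05\x00"),
               tlv(0x03, b"\x00" + seq(integer(modulus), integer(65537))))
    tbs = [tlv(0xA0, integer(2)), integer(1), sigalg, name, validity, name, spki]
    if extension_oids:
        exts = seq(*[seq(oid(o), tlv(0x04, b"\x30\x00")) for o in extension_oids])
        tbs.append(tlv(0xA3, exts))
    return seq(seq(*tbs), sigalg, tlv(0x03, b"\x00" * 9))   # dummy signature

if __name__ == "__main__":
    print(audit_certificate(build_cert(512, [])))
    print(audit_certificate(build_cert(2048, [KEY_USAGE, EKU, CRL_DP])))
```

Run against a real DER file, `audit_certificate(open("cert.der", "rb").read())` returns the same kind of list; a certificate with a 512-bit modulus, or one that carries neither a CRL distribution point nor an authority information access extension, is the kind the advisory untrusts, and the empty list is the only result that should pass a trust review.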

If you do not have automatic updating enabled, the update is available by checking for updates or can be downloaded from KB Article 2641690.








Adobe Releases Critical Update for Flash Player and AIR


A critical update was released today by Adobe for Adobe Flash Player and Adobe AIR.  The update addresses critical security issues; all but one of the CVEs relate to vulnerabilities that could result in code execution.  The remaining vulnerability could lead to a cross-domain policy bypass for Internet Explorer users.


Release date: November 10, 2011
Vulnerability identifier: APSB11-28
CVE number: CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2458, CVE-2011-2459, CVE-2011-2460
Platform: All Platforms

Update Instructions

Adobe Air

The update to Adobe AIR 3.1.0.4880 can be obtained from the following locations:


Adobe Flash Player

The latest version for Adobe Flash Player for Android is 11.1.102.59.  It is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

The newest version of Flash Player for Windows, Macintosh, Linux and Solaris is 11.1.102.55.

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, the direct download links are as follows:

(Edit Note:  Download links updated.  Thank you, ky331!)

Flash Player 11 (32-Bit)
Flash Player 11 (64-Bit)

If you use the Adobe Flash Player Download Center, be careful to UNCHECK the box shown below. It is not needed for the Flash Player update.  In addition, any toolbar offered with Adobe products can be unchecked if not wanted.





Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.









Tuesday, November 08, 2011

Mozilla Firefox 8 Released, Includes Critical Security Fixes


Mozilla released Firefox 8 today, in keeping with the rapid release schedule.

As expected when a version update is released, you may find that many of your favorite add-ons are not compatible with the new release.  Use Add-on Compatibility Reporter to test and report on your favorite add-ons in version 8.

Security Updates

The following security updates are included in the release of Firefox 8, in which MFSA 2011-48, MFSA 2011-49 and MFSA 2011-52 are rated Critical, with the other three updates rated High.
  • MFSA 2011-52 Code execution via NoWaiverWrapper
  • MFSA 2011-51 Cross-origin image theft on Mac with integrated Intel GPU
  • MFSA 2011-50 Cross-origin data theft using canvas and Windows D2D
  • MFSA 2011-49 Memory corruption while profiling using Firebug
  • MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0)
  • MFSA 2011-47 Potential XSS against sites using Shift-JIS

What's New

The Release Notes listed the following new features in version 8:
  • Add-ons installed by third party programs are now disabled by default
  • Added a one-time add-on selection dialog to manage previously installed add-ons
  • Added Twitter to the search bar for select locales. Additional locale support will be added in the future
  • Added a preference to load tabs on demand, improving start-up time when windows are restored
  • Improved performance and memory handling when using
  • Added CORS support for cross-domain textures in WebGL
  • Added support for HTML5 context menus
  • Added support for insertAdjacentHTML
  • Improved CSS hyphen support for many languages
  • Improved WebSocket support
  • Fixed several stability issues
  • Fixed several security issues

The upgrade to Firefox 8 will be offered through the browser update mechanism.  However, as the upgrade includes critical security updates, it is recommended that the update be applied as soon as possible.  To get the update now, select Help, About Firefox, Check for Updates.







Microsoft November 2011 Security Bulletin Release


Microsoft released four (4) bulletins addressing vulnerabilities in Microsoft Windows. One bulletin is rated Critical, two Important and one Moderate. 

The Critical update, MS11-083, Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516), requires a restart.

Three threat families are included in the November edition of the Microsoft Malicious Software Removal Tool - Win32/Carberp, Win32/Cridex and Win32/Dofoil. Additional information about Win32/Carberp is available in MSRT November '11: Carberp.

Support

The following additional information is provided in the Security Bulletin:
  • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
  • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.








Adobe Releases Critical Update for Shockwave Player


An update to Adobe Shockwave Player has been released to address critical vulnerabilities in version 11.6.1.629 and earlier versions on both Windows and Macintosh systems. If successfully exploited, malicious code could be executed on the system.



Release date: November 8, 2011
Vulnerability identifier: APSB11-27
CVE number: CVE-2011-2446, CVE-2011-2447, CVE-2011-2448, CVE-2011-2449
Platform: Windows and Macintosh

Update Information


The newest version of Shockwave Player 11.6.3.633 is available here: http://get.adobe.com/shockwave/.

Please remember to uncheck any unwanted 3rd party toolbars/programs during installation. Also please do not confuse this with Adobe Flash Player which is a different program.

For how to disable the auto-update setting in Shockwave Player, see http://kb2.adobe.com/cps/166/tn_16683.html (This must be set every time Shockwave Player is updated if you do not want auto-updating.)



Reference

Adobe - Security Bulletins: APSB11-27 - Security update available for Adobe Shockwave Player




Friday, November 04, 2011

Microsoft Fix it for Duqu Malware, Security Advisory 2639658


Microsoft released Security Advisory 2639658 which relates to a Windows kernel issue related to the Duqu malware, a trojan that injects malicious code into other processes.

As illustrated in the image below of the Duqu infection schematics, provided by Symantec in Duqu: Status Updates Including Installer with Zero-Day Exploit Found,  once infected, the trojan can then install programs; view, change, or delete data; or create new accounts with full user rights.



Microsoft is aware of targeted attacks that try to use the reported vulnerability and reports that at this time they see "low customer impact". Work continues to provide a security update for the vulnerability, either via an out-of-band update or during the regular monthly release process.  An update is not expected to be ready for delivery with the scheduled November update.


Microsoft Fix it

As an interim work-around, Microsoft has provided a Microsoft Fix it solution that simplifies applying the workaround of denying access to t2embed.dll.

The Fix it solution is available from Microsoft KB Article 2639658, with direct links to the download files to enable and disable the solution below.

Enable:  Fix this problem - Microsoft Fix it 50792
Disable: Fix this problem - Microsoft Fix it 50793







Thursday, November 03, 2011

Security Bulletin Advance Notification for November, 2011


On Tuesday, November 8, 2011, Microsoft is planning to release four (4) Security Bulletins, addressing four (4) CVEs in Windows. One bulletin is identified as Critical, two as Important and one Moderate.

The bulletins address Remote Code Execution, Elevation of Privilege and Denial of Service, several requiring a restart. Whether required or not, it is advised to restart your computer after installing updates. 




