Found new Internet Explorer Vulnerability
Found Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability.
When Internet Explorer handles the Spline method of the DirectAnimation.PathControl COM object (daxctle.ocx), setting the first parameter to 0xffffffff triggers an invalid memory write. An attacker could use this to cause a denial of service and possibly execute arbitrary code.
Affected Windows versions:
Windows 2000
Windows XP
Windows 2003
Windows users.. check out Firefox, Opera, and whatever other nice browsers you can throw out there.
August 31, 2006 on 9:11 pm | In Exploits & Vulnerabilities | No Comments
Worm uses MS04-007, MS05-017, MS05-039, MS06-040 bugs
For the past several days, ISC has received all kinds of emails about the recent increase in scanning on port 139. One of our loyal readers out there on the ‘Information SuperHighway’, Alex Pettinger, wrote in and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm (as well as a nice copy of it). In typical antivirus fashion it appears to be named several things: McAfee is calling it “W32/SDbot.worm!MS06-040”, Sophos is calling it “W32/Vanebot-A”, and Symantec is calling it “W32.Randex.GEL”. (Yes, it’s been out for a couple of days.)
Let’s take a look at this bad boy, shall we? How does it spread? Well, it uses MS04-007, MS05-017, MS05-039 and, of course, our favorite bug of the moment, MS06-040.
This one should be relatively easy to catch: look for machines pounding away at port 139 (from reader submissions it hits about 150 machines in just a few seconds, so it should be noisy), and look for IRC connections to “forum.ednet.es” on port 4915 (until the next variant changes it, and we know it will). It has the ability to do a bunch of things, including spreading to network shares.
To protect your PC, block ports 139 and 445 at the router/firewall. NetBIOS traffic shouldn’t be allowed to enter or leave your network through egress points anyway.
Update your antivirus. At least daily. Patch your Windows.
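As an added illustration of the "easy to catch" heuristic above (this is example code written for this page, not from ISC or the reader), here is a small Python triage script that runs over a constructed netstat-style snapshot and flags a source that sweeps many hosts on port 139 or talks to the IRC port named in the post. The address 203.0.113.7 is a placeholder standing in for the resolved IRC server, and the threshold is deliberately low for the sample.

```python
from collections import defaultdict

# Constructed `netstat -an`-style snapshot from one LAN host; not the reader's
# actual output. 203.0.113.7 is a placeholder standing in for the resolved
# address of the IRC server named in the post (forum.ednet.es).
SAMPLE_NETSTAT = """\
  TCP    192.168.1.10:1035    192.168.1.22:139     SYN_SENT
  TCP    192.168.1.10:1036    192.168.1.23:139     SYN_SENT
  TCP    192.168.1.10:1037    192.168.1.24:139     SYN_SENT
  TCP    192.168.1.10:1038    192.168.1.25:139     ESTABLISHED
  TCP    192.168.1.10:1039    192.168.1.26:139     SYN_SENT
  TCP    192.168.1.10:1040    203.0.113.7:4915     ESTABLISHED
  TCP    192.168.1.11:1041    192.168.1.50:80      ESTABLISHED
  TCP    192.168.1.11:1042    192.168.1.22:139     ESTABLISHED
  UDP    192.168.1.10:137     *:*
"""

SCAN_PORT = 139                 # NetBIOS session port the worm sweeps
IRC_PORT = 4915                 # IRC port named in the post
IRC_SERVERS = {"203.0.113.7"}   # placeholder, see comment above
SWEEP_THRESHOLD = 5             # distinct :139 targets per source in one
                                # snapshot; the post reports ~150 in seconds

def parse_netstat(text):
    """Yield (src_ip, dst_ip, dst_port) for each TCP line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "TCP":
            continue
        src_ip = parts[1].rsplit(":", 1)[0]
        dst_ip, dst_port = parts[2].rsplit(":", 1)
        yield src_ip, dst_ip, int(dst_port)

def find_suspects(text):
    """Map each suspicious source IP to the reasons it was flagged."""
    targets = defaultdict(set)
    alerts = defaultdict(list)
    for src, dst, port in parse_netstat(text):
        if port == SCAN_PORT:
            targets[src].add(dst)          # one legit share mapping is fine
        if port == IRC_PORT and dst in IRC_SERVERS:
            alerts[src].append(f"IRC C&C connection to {dst}:{port}")
    for src, dsts in targets.items():
        if len(dsts) >= SWEEP_THRESHOLD:   # many distinct targets = sweep
            alerts[src].append(f"port {SCAN_PORT} sweep against {len(dsts)} hosts")
    return dict(alerts)
```

The host with a single established share connection on port 139 is not flagged; only the sweeping host and the IRC connection are.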
August 31, 2006 on 9:05 pm | In Tips, Worms | No Comments
How to remove DriveCleaner Infection
DriveCleaner is a security assessment tool which gives exaggerated reports of security and privacy risks on a computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported risks.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: DriveCleaner
Download HijackThis.
Important: Create a specific folder on your hard drive called HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HijackThis.
Download HijackThis.exe into this folder.
Download Look2Me-Destroyer.exe and save it to your desktop.
· Close all windows before continuing.
· Double-click Look2Me-Destroyer.exe to run it.
· Click the Scan for L2M button; your desktop icons will disappear, this is normal.
· Once it’s done scanning, click the Remove L2M button.
· You will receive a Done Scanning message, click OK.
· When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
· Your computer will then shutdown.
· Turn your computer back on.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error ‘339’, please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
Next, download, install, and update the free version of Ewido security suite:
· Install Ewido.
· Run the application.
· Click on Scanner.
· Then select the “Settings” tab.
· Once in the Settings screen click on “Recommended actions” and then select “Delete”.
· Select “Automatically generate report after every scan”
· Un-Select “Only if threats were found”
· Click Complete System Scan and the scan will begin.
· When the scan is finished, Set all items to delete
· Apply all actions
· look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
Reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Run HijackThis, choose “Do a system scan only” and checkmark the box next to the following entries:
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
Restart your computer.
Download and unzip Avenger to your desktop.
Start up Avenger.
Check the ‘Input script manually’ option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following bold text:
Files to delete:
C:\WINDOWS\System32\winlog.exe
Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp.
Not all temp files will delete, and that is normal.
Empty the recycle bin.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below.
Spyware removal - Read Before Posting
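The HijackThis step above asks you to pick three entries out of a long scan log by eye. As an added example (written for this page, not part of the original instructions or of HijackThis), here is a Python parser for that log format that pulls out exactly the indicators listed above, on a constructed log excerpt.

```python
import re

# Constructed HijackThis-style log excerpt. The R3 and O4 lines are the three
# entries the removal steps above tell you to tick; the others are made-up
# benign entries so the filter has something to leave alone.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/search
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [SoundTray] C:\Program Files\Audio\tray.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\upd.exe
"""

# Indicators copied from the removal instructions; this is a triage aid for
# this one infection, not a general malware signature set.
BAD_CLSIDS = {"{A8B28872-3324-4CD2-8AA3-7D555C872D96}"}
BAD_RUN_NAMES = {"winlog"}
BAD_RUN_FILES = {"winlog.exe"}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

def parse_hjt(text):
    """Yield (section code, body) for every HijackThis entry in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")

def triage(text):
    """Return the log lines that match the page's indicators."""
    hits = []
    for code, body in parse_hjt(text):
        flagged = False
        if code == "R3":                       # URL search hooks
            flagged = any(c in body for c in BAD_CLSIDS)
        elif code == "O4":                     # autostart (Run/RunServices)
            m = RUN_RE.search(body)
            if m:
                exe = m.group("cmd").split("\\")[-1].strip().lower()
                flagged = (m.group("name").lower() in BAD_RUN_NAMES
                           or exe in BAD_RUN_FILES)
        if flagged:
            hits.append(f"{code} - {body}")
    return hits
```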
August 31, 2006 on 8:39 pm | In Tutorials - "How to" | No Comments
Java extremely important update
Sun has released Update 8 for Java Runtime Environment 5.0. This is an extremely important update. JRE has long been used to install malware, as it contains numerous vulnerabilities which allow remote code execution. Another important factor is that JRE works with all web browsers. This means that a vulnerability in JRE will affect all browsers.
The most serious issue in JRE has finally been fixed. The problem with previous JRE releases was that they didn’t prevent a Java applet from calling earlier JRE versions. As previous JRE versions aren’t uninstalled automatically, this creates a very dangerous situation: if machines have the latest version of JRE, but older versions haven’t been manually uninstalled, the machines are still vulnerable.
So install the latest update ASAP. Either go to the website or update the program via the control panel.
There have been reports in the past that the updater in the Java Control Panel will say that the latest version is present, even though it’s not. So double check that you have the latest version or go to the website.
P.S. If you uninstall all the older versions you’ll probably free up quite a lot of space on your hard disk.
August 30, 2006 on 12:47 am | In Updates | No Comments
Don’t be a victim or how to make better choices
There are some current tools out there which may help users make better choices (or block their bad choices). I’m just going to talk about browser toolbars. For the user class from not completely hopeless up to expert, I really recommend McAfee’s SiteAdvisor. This toolbar works with Firefox and IE and provides more prominent and granular indicators that a site is dubious (or downright malicious). Users will need to keep an eye on their browser corner (which may require education) or optionally glance at the pretty red, yellow, green icons next to their Google search results (RED means BAD).
Also for those looking at getting involved in the community sign up to be a reviewer. Help SiteAdvisor catch and correctly flag all those bad sites that try oh so hard to look legit.
So back to phishing. Netcraft has a really nice toolbar which can provide visual clues (YMMV) as well as speed bumps to doing something unsafe. It can actually block access to a site pending user verification (ok, so we all know most users click OK on anything that pops up to get it out of the way).
Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site.
This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality…
Experts do agree: Firefox is really safer with NoScript ;-)
Works with: Firefox 1.0 - 3.0a1, Mozilla 1.7 - 1.8
A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won’t notice the incorrect URL and give away important information. This practice is sometimes known as “phishing”. SpoofStick makes it easier to spot a spoofed website by prominently displaying only the most relevant domain information.
You may want to run your Web browser inside the sandbox most of the time. This way any incoming, unsolicited software (spyware, malware and the like) that you download, is trapped in the sandbox. Changes made to your list of Favorites or Bookmarks, hijacking of your preferred start page, new and unwanted icons on your desktop — all these, and more, are trapped in and bound to the sandbox. You could also try a new toolbar add-on, browser extension or just about any kind of software. If you don’t like it, you throw away the sandbox, and start again with a fresh sandbox. On the other hand, if you do like the new piece of software, you can re-install it outside the sandbox so it becomes a permanent part of your system.
Sandboxie intercepts changes to both your files and registry settings, making it virtually impossible for any software to reach outside the sandbox.
Sandboxie traps cached browser items into the sandbox as a by-product of normal operation, so when you throw away the sandbox, all the history records and other side-effects of your browsing disappear as well.
Expect this warning and popup trend to continue. Google is taking steps to prevent accidental wrong exits (see http://www.stopbadware.org/ for details on this initiative)
The next versions of IE and Firefox should have some of these protections built in. None of these will remove the need for user education (good luck explaining hostnames and mouse-overs to grandma). The criminals will figure out ways to circumvent these technologies, and users will continue to ignore all the annoying popup warning windows and glaring red warning symbols. It’s just human nature. If only it were as simple as just telling people to “only surf trusted sites”. Right. Uh huh.
August 28, 2006 on 11:48 pm | In Best Programs, Free Software, Internet Browsers and Mail and News readers, Spyware protection and removal, Tips | No Comments
Sophos Anti-Rootkit Eliminates hidden applications and processes
Removing rootkits without compromising system integrity is particularly challenging and needs to be done with care. The free Sophos Anti-Rootkit finds and removes any rootkit that is hidden on your computer.
What is a rootkit?
The term rootkit is used to define a Trojan (or technology) used to hide the presence of a malicious object (process, file, registry key, network port) from the computer user or administrator.
Easily detect and remove rootkits
As part of its complete protection of endpoint computers, Sophos Anti-Virus detects rootkits and prevents them being installed on any of your desktops, laptops and servers.
Sophos Anti-Rootkit provides an extra layer of detection, by safely and reliably detecting and removing any rootkit that might already have secreted itself onto your system.
Using Sophos Anti-Rootkit is straightforward. Whether you use its simple graphical user interface or run it from the command line you can easily detect and eliminate any rootkits on your computer.
Download Sophos Anti-Rootkit
Netcraft Toolbar
Netcraft has a really nice toolbar which can provide visual clues as well as speed bumps to doing something unsafe. It can actually block access to a site pending user verification (ok so we all know most users click OK on anything that pops up to get it out of the way).
The Toolbar community is effectively a giant neighbourhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing frauds. Once the first recipients of a phishing mail have reported the target URL, it is blocked for community members as they subsequently access the URL. Widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner.
The Toolbar also:
- Traps suspicious URLs containing characters which have no common purpose other than to deceive.
- Enforces display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop up windows which attempt to hide the navigational controls.
- Clearly displays sites’ hosting location, including country, helping you to evaluate fraudulent URLs (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union).
Please download and try out the Netcraft toolbar.
August 27, 2006 on 8:02 am | In Free Software, Phishing | No Comments
SpoofStick
A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won’t notice the incorrect URL and give away important information. This practice is sometimes known as “phishing”. SpoofStick makes it easier to spot a spoofed website by prominently displaying only the most relevant domain information.
August 26, 2006 on 8:40 am | In Free Software | No Comments
NoScript very nice toolbar for FireFox
Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site.
This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality…
Experts do agree: Firefox is really safer with NoScript
Download NoScript now.
August 26, 2006 on 8:37 am | In Free Software | No Comments
HostsMan 3.0 beta for Windows was released
HostsMan is a freeware application that lets you manage your Hosts file with ease.
You can use a HOSTS file to block ads, banners, third-party cookies, third-party page counters, web bugs, and even most hijackers. This is accomplished by blocking the server that supplies these little gems: the hosts file maps its name to a local address, so the browser never reaches it.
Features:
- online update and auto-update of hosts file;
- enable/disable usage of hosts file;
- open Hosts file with one click;
- merge two hosts files;
- built-in hosts editor;
- scan hosts for errors, duplicates and possible hijacks;
- find how many host names;
- easily install newly downloaded hosts file;
- create encrypted backups of your hosts file;
- resolve host names;
- keep log of latest blocked sites;
- exclusion list;
- etc.
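To show what the "scan hosts for errors, duplicates and possible hijacks" feature has to do, here is an added Python audit over a constructed hosts file (example code written for this page; it is not HostsMan's own code). The PROTECTED set is an assumption standing in for the bank, update and antivirus names a real check would carry.

```python
import ipaddress

# Constructed hosts file for the demonstration: typical blocking entries of
# the kind HostsMan manages, plus one duplicate, one malformed line and one
# entry that redirects a sensitive name.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test
127.0.0.1       counter.example-tracker.test   # 3rd-party page counter
127.0.0.1       ads.example-adserver.test
0.0.0.0         webbug.example.test
not-an-ip       something.test
203.0.113.9     www.mybank.test
"""

# Names an ad-blocking hosts file has no business touching. Constructed list;
# a real check would carry your bank, Windows Update and antivirus hosts.
PROTECTED = {"www.mybank.test", "windowsupdate.microsoft.com"}

def audit_hosts(text):
    """Return (entries, findings): parsed (ip, name) pairs and problem strings."""
    first_seen = {}
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, allow blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            findings.append(f"line {lineno}: address without host name")
            continue
        try:
            ip = ipaddress.ip_address(parts[0])  # accepts IPv4 and IPv6
        except ValueError:
            findings.append(f"line {lineno}: bad address {parts[0]!r}")
            continue
        for name in parts[1:]:
            key = name.lower()
            if key in first_seen:
                findings.append(f"line {lineno}: duplicate {key} (first on line {first_seen[key]})")
            first_seen.setdefault(key, lineno)
            entries.append((str(ip), key))
            # Any entry for a protected name is a possible hijack: pointing it at
            # a blackhole blocks updates, pointing it elsewhere redirects logins.
            if key in PROTECTED:
                findings.append(f"line {lineno}: possible hijack of {key} -> {ip}")
    return entries, findings
```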
What’s new:
- added: Auto-Updates;
- added: editable update list;
- added: option to mark updates as not installed;
- added: support for proxy basic authentication;
- added: option to restore original Windows hosts file;
- added: ‘Additional Information’ window;
- added: IPv6 support (hosts file);
- added: comment lines support;
- added: fix hijack of hosts file (’databasepath’ registry value);
- added: support for regular expressions to the Exclusion List;
- changed: 90% of the code rewritten;
- changed: memory manager replaced;
- changed: hosts lock removed;
- changed: interface updated;
- changed: exclusion list improved;
- changed: editor improved (rewritten from scratch);
- changed: ‘Block Adverts’ removed from update list;
- changed: HostsServer replaces built-in HTTP Server;
- fixed: some encrypted backups are not created correctly;
- fixed: several bugs;
- etc.
August 23, 2006 on 6:28 am | In Free Software | No Comments
MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.