Security Fix Live

Brian Krebs
Security Fix Blogger
Friday, January 30, 2009; 11:00 AM

Security Fix blogger Brian Krebs was online Friday, Jan. 30, at 11 a.m. ET to answer your questions about the latest computer security threats and offer ways to protect your personal information.

The transcript follows.

____________________

Brian Krebs: Greetings, dear Security Fix readers! Welcome to Security Fix Live. I'm about to dive right into the questions, but wanted to remind readers to please offer me as much information as possible about your setup, installed security software, browser of choice, and any error messages when asking questions about security or tech problems with your computer or network. With that, ONWARDS!

_______________________

Four Seasons MO (ex Mt Vernon VA): What's a good source for getting rid of malware that pops up a virus warning (like Adwar.win32.SuperJuan) and pops up new web windows with "cures" named StopZilla, AntiVirus 2009, PremiumAntiVirusScanner, and Registry Defender? I have F-Secure as part of my ISP's program but it hasn't found the virus yet. And a Google search led to results that are obviously very old. Thanks.

Brian Krebs: The symptoms you describe strongly suggest you have scareware on your system, which tries to frighten you into purchasing bogus security products by warning you about threats that may or may not be on your machine. The problem is that this type of threat now often comes bundled with other nasty stuff, such as DNSChanger, which routes your Internet traffic through servers controlled by cyber crooks. That probably explains why Google searches are acting up as well.

If you run that HijackThis tool mentioned in several posts above, chances are good that the log file created by a scan with HijackThis will show on line 17 something like:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0E1B50A6-A27D-45DB-A69D-69B0414E9E21}: NameServer = 85.255.114.198,85.255.112.176

O17 - HKLM\System\CCS\Services\Tcpip\..\{105291E7-E687-45B4-AA30-7C99A51ACF36}: NameServer = 85.255.114.198,85.255.112.176

If you see any addresses that look like that (85.255.x.x), your system is indeed infected with DNSChanger, and probably a boatload of other really bad stuff.

Two tools, in addition to HijackThis, can help remove these pests for the most part. Both have trial versions that should do the trick: SuperAntispyware and MalwareBytes' Antimalware.

However **and this is the most important part of my advice** in order to do this properly, you should strongly consider getting some step-by-step help at DSLReports' Security Cleanup forum. BleepingComputer.com also has a very active help forum that should be able to promptly assist you, providing -- again -- that you follow their instructions *before* posting.
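The check Krebs describes (an O17 NameServer entry pointing into 85.255.x.x) is easy to automate over a saved HijackThis log. The script below is an added example, not part of the original chat or of HijackThis itself; it treats 85.255.0.0/16 as the suspect range purely because that is the pattern named above, and the sample log lines are constructed for the demonstration (the GUIDs are modelled on the excerpt, the 192.168.1.1 entry is a typical benign home-router setting).

```python
import ipaddress
import re

# Suspect range taken from the chat's "85.255.x.x" rule of thumb (assumption: /16).
SUSPECT_NETWORKS = [ipaddress.ip_network("85.255.0.0/16")]

# A HijackThis O17 line: registry key, then "NameServer = a.b.c.d,e.f.g.h".
O17_RE = re.compile(
    r"^O17\s*-\s*(?P<key>HKLM\\[^:]+):\s*NameServer\s*=\s*(?P<servers>[\d.,\s]+)$"
)


def parse_o17(line):
    """Return (registry_key, [server_ip, ...]) for an O17 NameServer line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = []
    for token in m.group("servers").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            ipaddress.ip_address(token)  # validate; skip malformed tokens
        except ValueError:
            continue
        servers.append(token)
    return m.group("key"), servers


def is_suspect(ip_text):
    """True if the dotted-quad string falls inside any suspect network."""
    return any(ipaddress.ip_address(ip_text) in net for net in SUSPECT_NETWORKS)


def scan_log(lines):
    """Return [(registry_key, [suspect ips]), ...] for every O17 entry that hits the range."""
    hits = []
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        bad = [ip for ip in servers if is_suspect(ip)]
        if bad:
            hits.append((key, bad))
    return hits


# Constructed sample log (not a real scan): one unrelated O4 line, two DNSChanger-style
# O17 entries modelled on the chat excerpt, and one benign entry pointing at a home router.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{0E1B50A6-A27D-45DB-A69D-69B0414E9E21}: NameServer = 85.255.114.198,85.255.112.176",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{105291E7-E687-45B4-AA30-7C99A51ACF36}: NameServer = 85.255.114.198,85.255.112.176",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer = 192.168.1.1",
]

if __name__ == "__main__":
    for key, bad in scan_log(SAMPLE_LOG):
        print("DNSChanger-style NameServer entry:", key, "->", ", ".join(bad))
```

Run it against a real log by replacing SAMPLE_LOG with the lines of the saved hijackthis.log; a hit means the machine's resolver settings were pointed at the crooks' servers, which is the cue to follow the forum-assisted cleanup Krebs recommends rather than just deleting the entry.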

_______________________

Virus City, VA: Hi Brian--Here are my specs: Laptop with Windows XP home, security packet 3, use Firefox, AVG free package plus Microsoft security. Just after your last chat, my computer was infected by Antivirus XP 2009. Just as Rapid City said, it took over my computer. Had I not read the comment, I would not have been as informed about it or how to respond. I downloaded both SuperAntispyware and Malwarebytes and have used them faithfully since. Despite this, there are tracking software and trojans that are persistent such as: Trojan.Vundo, Trojan.Waledac, Adware.Admedia, and Trojan.Agent. They just show up time and again.

Here's my question: The spyware seems to be catching and blocking a LOT more than it used to. Is this because of the virus? Is this because of the increased spyware software? Finally, how or when will I know that I'm completely safe to use my computer without fear? I'm always checking and double-checking before, during and after using the computer because I'm afraid of password downloads, etc. Am I doing enough?

Brian Krebs: See my answer directly above. You have the same problem. I cannot stress enough the importance of having seasoned security professionals walk you through the process of scanning, removing, rescanning, removing, etc., until all signs of the malware are gone. That process, unfortunately, is a bit beyond what I can offer in this chat.

Assuming you heed my advice, and I hope you will, I'd strongly recommend that you read and then act upon the advice in one of the following two posts:

The Importance of the Limited User

or

Windows Users: Drop Your Rights

The first approach will make it so that you will not be able to make most important system changes without being logged in as administrator. This is crucial because many of the malware attacks, drive-by installs, etc. mainly work only when the user is running Windows as the all-powerful administrator.

The second, drop-my-rights approach is less drastic, and merely allows you to drop the system privileges of specific applications that you choose. If you choose this approach, I'd strongly recommend setting up drop-my-rights on any Internet-facing applications that you use daily, such as instant messaging software and of course your browser.

_______________________

Virginia Beach, Va.: Opera Problems

Each time I check for an update of Opera, I get an image file for some stupid company that downloads to my profile, then ends up in my Skin folder. When I reboot, this image replaces my desktop image. This has happened several times in the past few months or since I downloaded Opera. I use ESET as my virus, etc vendor. I am using the latest version of Opera 9.63.

Ever heard of this, recently?

Brian Krebs: I have not. But have you considered uninstalling the browser, and then reinstalling it using a fresh download of Opera? You might also blow away the skins folder if it is for some reason left behind in the Opera program directory under Program Files.

_______________________

Arlington: Brian, What is your opinion of software that is advertised to clean computer registries? Do you know if System Mechanic or PC Tools Registry Mechanic work? Can using them instead cause problems with the registry? Thanks.

Brian Krebs: I have not used either of these tools, so I can't vouch for them one way or the other. My guess is they work by searching for unused or leftover registry entries, which may or may not improve the operation of your system.

I will say, however, that monkeying with the Windows registry is a dangerous proposition if you don't know what you're doing, as a missing registry entry that the computer searches for upon boot can completely prevent Windows from starting up. I would advise that before messing with the registry at all, you should review Microsoft's advice for how to back up and restore your registry should something go wrong. Alternatively, if you have system backup software, make a complete backup image of your C drive and store that on a removable or secondary drive, making sure you understand how to restore that also.

One tool that's very good -- and usually quite safe -- for removing extraneous registry entries (or at least disabling them) is HiJackThis!, now owned by TrendMicro. Run this free tool, and it will present you with a list of registry items that get called when Windows boots up. There you will see a bunch of entries that are usually safe to uncheck, assuming you understand what they're for (usually a quick Google search on the .dll file will tell you which program it belongs to). For instance, removing things like the QuickTime and Winamp agents and various browser toolbars is usually safe and may improve performance.

_______________________

Washington, D.C.: In the ongoing battle between Firefox and IE what are your favorite security plug-ins for FF, and is there anything comparable for IE. I currently use advisory and noscript for FF.

Brian Krebs: I use noscript, adblock plus, mcafee site advisor, and netcraft toolbar, on most of my systems.

_______________________

Boston, Mass.: Hi,

You spend a lot of time talking about American and Eastern European Internet crooks -- all of which is goodness of course -- but you hardly ever mention the Chinese.

I say this because over 1/2 of the attacks on my servers come from IP addresses in China. The Chinese dictatorship is known to have a large military presence on the Internet and has been reported to be behind intrusion attempts and other badness. And given the heavy monitoring of their people, if the dictatorship deemed such attacks to be undesirable they could easily shut them down, but they don't. Why?

I think the Chinese are not interested in spam or robbing people's bank accounts, but instead are trying to gather intelligence data and also to be in a position to attack and seriously disrupt American infrastructure via the Internet (and any other way they could) should overt hostilities ever break out (which they will if the lessons of history are any guide).

I'd like to hear your comments on the above.

Thanks, Jeff B., Boston

Brian Krebs: This is true, because from my reporting it is not apparent that Chinese hacker groups are interested in stealing credit cards, financial and personal data. At least, not in the way that Russian malware gangs try to hoover it up wherever they can find it.

Chinese malware does tend to be geared toward stealing secrets, intelligence information, and most often -- intellectual property. Targets are mainly companies and governments, and sometimes advocacy groups that don't get along with the Chinese government.

Still, to say that the Chinese aren't involved in the threat from malware and other online attacks traditionally aimed at stealing financial and personal data for money is probably not correct. That's because China is home to a great many compromised computers. Indeed, consult Spamhaus.org's list of compromised machines spotted as sending spam over the past week, and you'll see that China has at least 300,000 systems that are currently being used to relay traffic for cyber criminals.

One explanation for why you don't see Chinese hacking groups going after financial and personal data at the level attributed to E. European gangs is that getting busted in China for doing that can earn you the death penalty. As it happens, most Chinese hacker gangs are involved in stealing computer game credentials and other "virtual" goods, which apparently the authorities there haven't put very high on their agenda of things to go after.

_______________________

LEXINGTON, MASS.: At 10pm on 25 January, my Mac G5 had a message in 4 languages: SHUT OFF THIS COMPUTER!! I did so. (Wild superstatic noises were there just before I shut it off.) Later on the message said "panic (cpu 0 caller 0x000326DC) thread invoke:preemption_level1 latest stack backtrace for CPU0: kernel loadable modules in backtrace (with dependencies) com.symantec.kext.ips internet security (1.1.2f2)" WHAT WAS THAT!!?? PLEASE ADVISE. THANKS

Brian Krebs: I'm stumped on this one. Not even a hit from Google on that stop/panic error message. Any readers have advice for Lexington?

_______________________

Dallas: Hi Brian,

I am having a problem updating my stand-alone Quicktime on a Win XP laptop. When on the website, I select the Quicktime only update. It downloads just fine but on installation REQUIRES an installation of iTunes as well to proceed. I do not need or want iTunes on this machine.

1) Is there some way to just get the stand-alone Quicktime?

2) If not, is there some other program that will easily take its place in Firefox and to watch family-generated .mov files? (Like Foxit Reader does for PDF)

Thanks

Brian Krebs: Have you tried the installer at this link? It appears to be the stand-alone version for the latest QT update.

_______________________

Eugene, Ore.: Thanks, Brian, for informative chats.

The Firefox site for add-ons tells us to install add-ons only if we trust the author. How would we know whether to trust or not? Does the site do any malware checking of its own? Has there ever been malware on the site? Why do some add-on writers reserve to their own personal website the downloading of the newest version of their .xpi?

Brian Krebs: Recently, there was a piece of malware that hid inside of Firefox's add-ons folder. There may have been other examples I'm unaware of.

However, you should be fine as long as you're downloading an add-on from Mozilla's add-on site. Those will have been vetted by the Mozilla community and are almost certainly safe.

Some add-on writers do distribute their creations only through their own sites. Not saying those add-ons aren't worth trusting, but I would strongly encourage you to do your homework by researching any third-party add-on (i.e., not available through Mozilla) before installing it. As to why some add-on writers force you to grab updates from their site instead of mozilla, I don't know. But I suspect it may have something to do with compatibility with the latest versions of Firefox.

In the past, it has not been uncommon for an update to the browser itself to cause installed add-ons to stop working. Usually, Mozilla and add-on developers work this out fairly quickly, but one reason may be because the add-on developer is anxious to get the update shipped out as fast as possible. I don't know. Just guessing here, really. I've forwarded this question to a Mozilla employee, and if I receive a response, I'll try to paraphrase it here.

_______________________

Tampa, Fla.: Does using a limited user account on Windows compromise your ability to use legit websites that aren't infected with malware? In particular, can using a limited user account compromise updating your internet security software (BitDefender, in my case)? And will using a limited user account compromise programs like OpenOffice and MS Office?

I urge my relatives using Windows to use a limited user account for everything other than updating software, such as Windows and Office update, and updating security software. But they are concerned this will interfere with other legit websites and programs.

Brian Krebs: I have found that most antivirus and security software today works fine with a limited user account. That said, it isn't uncommon to experience problems updating definitions, etc. after switching an admin account over to a limited user account. In those cases, I have found that simply uninstalling the antivirus or security software, then reinstalling it once the limited user account is set up, usually fixes any problems on this front. Hope that helps.

_______________________

Tampa, Fla.: Lexington may have had a kernel panic. See http://support.apple.com/kb/HT1392.

"UNIX-style operating systems (such as Mac OS X, Mac OS X Server, AIX, and A/UX) may experience a type of error called a "kernel panic," which may provide information useful for software developers.

"A kernel panic is a type of error that occurs when the core (kernel) of an operating system receives an instruction in an unexpected format, or that it fails to handle properly. A kernel panic may also follow when the operating system is not able to recover from a different type of error. A kernel panic can be caused by damaged or incompatible software or, more rarely, damaged or incompatible hardware."

The whistling noise may indicate a hardware failure.

Brian Krebs: Thanks, Tampa. More advice/information for the Lexington reader with the Mac crash.

_______________________

Reading, Pa.: Brian:

Finally decommissioning my venerable Micron Millennia (ca. 1998), Pentium II, 266 MHz, after 10 years of faithful service. The machine and monitor will be properly recycled through our County program, but what should I do with the hard drive? Smash it with a hammer, run it through a horseshoe magnet, drown it in the pond?

Thanks!

Brian Krebs: All of the above? :)

Seriously, you probably want to avoid the sledgehammer approach (flying bits of metal shrapnel = no fun). I'd recommend downloading DBAN, creating a bootable CD-ROM with it, booting up from that CD-ROM, and running the DBAN program to overwrite the data on the disk.

_______________________

Washington, D.C.: Hi Brian -

Thanks for working to keep us safer (or at least providing the illusion). In your recent article about the need to patch other programs (adobe flash, MS Access, Quicktime, Yahoo stuff, etc...) I wondered to what extent it matters how much we use them. For instance, I'm not aware that I ever use Access or Quicktime but I know they are installed on my machine. I don't believe either is loaded on booting up. Do I still need to worry about programs I never use?

Also, if I am running limited user accounts can the bad guys still quietly download malware that becomes active when I log in as administrator? Thanks again.

Brian Krebs: Thanks for your question. Running the system under limited rights is a great way to stop a large number of attacks. Unfortunately, it can't stop them all. Some malware (certain keyloggers, e.g.) can run under the current user account regardless of the rights. But since most of these programs try to make system-wide changes as well, limited user accounts can help thwart a great many of today's attacks.

If you look carefully at the list of programs I mentioned in that blog post you're referencing, you'll see that most of those are browser plug-ins. This means that it doesn't matter whether you use the programs/plugins. If they are installed and are outdated -- with known, exploitable security flaws -- then a malicious or hacked site could use them to install software without you doing anything but visiting that site.

As it relates to those specific flaws, as I mentioned in the post, the majority are specific to Internet Explorer. So, in the case of the Winzip ActiveX flaw, for example, if you had that vulnerable plug-in installed for IE, but were browsing a malicious or hacked site with Firefox, the attack would almost certainly fail. However, it may still be possible for alternative browsers to be used as a vector for attacking Windows vulnerabilities, (e.g., the VML overflow exploit mentioned there).

_______________________

Baltimore, Md.: Brian: I know that Microsoft is running away from Vista ASAP by debuting Windows 7. So I am wondering how much longer the company will keep supplying updates for XP Home. Do you have any idea? Thanks.

Brian Krebs: I believe Microsoft will be supporting XP with patches for at least a couple more years, but perhaps as long as five more years. This link has a bit more information on their timeline, but it's still not all that clear. My sense is that it may depend on how many people adopt Windows 7 and how quickly they move off of XP that ultimately determines how long Microsoft may decide to continue shipping updates for XP.

_______________________

Columbus, Ohio: It not being the time of the month for "Patch Tuesday," I was surprised to find the MS update shield in my system tray this week. Since I long ago disabled automatic updating, the shield remains there awaiting my enabling clicks. Do I need these updates (Microsoft.NET Framework 3.5 SP1 and update KB951847) to better secure my XP/SP3 home-based system? From what I can tell thus far, these updates are not security-related. Thus my inclination is to wait and see what problems others may encounter from installing them. One more thing: I am about to have a tech wipe my hard drive and reinstall my OS (after nearly 4 years). Is that yet another good reason to wait before installing this week's MS updates?

Brian Krebs: You are being offered that update because you have Microsoft's .NET framework installed, which is required by (and often fetched and installed by) some programs in order to work properly. There is an update that Microsoft shipped on Jan. 27, 2009 that addresses bugfixes, stability updates, and new functionality. I am not aware of security-related issues in this update (you can check for yourself here).

I don't think it matters too much either way. The .NET fix is rather large (250+MB) and may take some time to install. So if you're just going to blow away the current install and start again, why not just wait for the tech to reinstall and see if it is offered again when you go to install any needed updates?

_______________________

Arlington: When I am done using the computer, I leave it in XP's "Standby" mode. My antivirus and antispyware programs apparently do not do anything (like updating) while the computer is in Standby. I assume there is no Internet activity either, although the modem is still hooked up. Is the computer safe from viruses and other attacks while it is in Standby?

Brian Krebs: Standby mode shuts off the computer's Internet connection, so you are correct in that it won't be downloading updates or anything else for that matter, while in standby.

_______________________

Alex., VA: Looking at the log on my router, I am being attacked (DOS Attacks - Denial of Service).

What does that mean? Since my router has detected it, does that mean it has stopped it? What measures should I take?

Brian Krebs: Most hardware routers (wired and wireless) are set up to simply ignore or drop any incoming data packets that were not initiated by you or a program on your system. For example, on the Linksys WRT-54G, one of the most widely used home-user routers, the "Firewall" setting is by default set up to "block anonymous internet requests." You didn't say what kind of router you're using (tsk tsk), but I'd be willing to bet your router is ignoring the attack -- i.e., not accepting the incoming connections -- but still recording the attempts.

_______________________

McLean, Va.: Any chance that "The Beast" (Obama's ride) will soon have a computer with network connections in the back seat? If the White House, Air Force One, Camp David, every hotel room he visits, and perhaps even Marine One all have computers (so that he always is within arm's reach of a computer), why would he still want a GD wannabe-Blackberry?

Will the West Wing have Macs during the next 2 years?

Brian Krebs: I'm guessing that the President of the United States probably has little difficulty finding answers to anything he wants to know, very quickly -- sort of like his own personal Google. But can you begrudge anyone in this day and age wanting to be able to keep in touch with loved ones, friends, etc easily?

Interesting question, anyway. I have no idea about a conventional computer in Marine One, the Beast, etc. Probably not. Ditto for Macs replacing Windows in the West Wing, at least anytime soon -- that is, if a letter to the editor that The Post printed last week is accurate.

_______________________

Dummer New Hampshire: It's my understanding that the security breach at Heartland Payment Systems involved unencrypted data being sent over Heartland's internal network. A few questions: (1) Given the sophistication of today's crackers, why would a company NOT encrypt the data on their internal network? (2) On what kind of a device inside the company's internal network would the sniffer likely have been placed? Desktops? Servers? Both? (3) What risk is there to an individual card holder if he or she has a card that was on the Heartland list? On a final note, I do my best to run a secure computer. I patch my machines the day a patch is released. I always stay up to date, both at the OS level and the application level with fixes. I do not download from untrusted sources, etc. I expect companies to take even more vigorous measures. Heartland obviously did not.

Brian Krebs: My answer to question #2 is purely speculative.

To 1) the answer seems to be that the payment card industry (PCI) requirements don't require it. This is what likely happened also with the Hannaford Bros. breach. It may be that companies short-sightedly do not want to incur extra costs that may be involved with encrypting all of their traffic -- or at least the most important stuff -- flowing over their internal networks. However, those who don't and then suffer a breach, probably will wish they had.

Don't take my word for it: Heartland's CEO last week issued a press release calling on the entire payment industry to adopt end-to-end encryption, and in the same breath the release admits that Heartland itself hasn't yet met this lofty goal.

2) It could be anywhere in the payment processing system, really. There are probably a large number of places where sniffer malware would have worked. This could include third-party administrators at other companies that submit payment card data to the company for processing, or Heartland's internal network itself.

3) The risk to consumers is next to nil. Under federal law, consumers cannot be held liable for more than $50 in charges attributed to credit card fraud, and most banks will waive that as well.

_______________________

Annandale, Va.: A friend of mine is running an old Toshiba laptop with Home XP, Service Pack 3, Free AVG, SnoopFree, and ZoneAlarm. He must use his USB port to connect wirelessly. However, he cannot detect his home router and can only see a neighbor's unsecured LinkSys router. Is it possible that his USB 1.0 connection is the cause of this? Thanks.

Brian Krebs: It is most likely because the card is old and does not support the type of wireless network that his router is broadcasting. E.g., some cards work only with 802.11b routers, while some work with both B and G version routers. Check the USB wireless card (Google the model number) to see if it supports the signal put out by your router. You may be able to get the existing equipment to play nice just by changing a setting on the router. Good luck.

_______________________

Brian Krebs: I am out of time for today, folks. A big thanks to everyone who submitted questions, and my apologies for any questions I did not have time to answer. Please join us again in a couple of weeks for our next Security Fix Live. Until then, consider making it a habit to drop by the Security Fix blog each day, and/or subscribe to our RSS feed.

Be safe out there, people!

_______________________

Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.


© 2009 The Washington Post Company
