Nasty Trojan causes Task Manager and Registry Editor to stop working
June 1, 2008 on 7:40 pm | In Information, Knowledge Base, Malware, On the Radar
I received a call from a friend over the weekend asking for help to rid his neighbor’s computer of a nasty Trojan. Apparently, he had been working on the problem for days and didn’t know what else he could do, so I took a look and it was indeed a nasty infection. The computer had McAfee and Norton security products installed, but they apparently didn’t help prevent the infection, so we removed them and installed CounterSpy and F-Secure.
What happened was that the Trojan hijacked the desktop and changed it to a bright red background with a warning stating that the computer was infected with a malicious program, along with a link for the user to click to purchase a program that would supposedly clean the computer. Obviously, this was not a legitimate link, so I copied the link location to Notepad and it pointed to hxxp://antispyspider.us/69. DO NOT GO TO THIS LINK, IT IS VERY BAD! Other things this infection did were changing the IP address and subnet mask, disabling Task Manager and Registry Editor, and causing Internet Explorer to launch every couple of minutes to connect to the malicious site. A service was also added to the computer, and it launched when Windows XP started.
The steps we used to try and defeat this nasty infection included:
- Running “msconfig” to disable all programs from starting
- Disabling the “Service” that had been installed
- Turning off the System Restore feature, since we didn’t want anything malicious to be included in a restore point
- Installing and running CounterSpy, which found many malicious files, registry entries, and cookies; we removed everything successfully
But we could not kill the Trojan, so I googled “AntiSpySpider” and found a very good web page showing how to kill this critter and if you need the instructions, you can get them from:
http://www.bleepingcomputer.com/malware-removal/antispyspider
The fix includes running a program to restore the registry editor, as well as a file to restore the task manager. The instructions do a great job showing the victim how to remove this threat, so if you are one of the unfortunate souls, try this fix. Then if you get it removed, you might consider running CounterSpy and F-Secure Internet Security; both of these programs have been quite dependable protecting our computers, as well as people we know.
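The two symptoms the post describes, Task Manager and Registry Editor being disabled and an unknown service set to start with Windows, can be checked without a third-party tool. The script below is an added example, not part of the original post or the BleepingComputer guide. It assumes an elevated PowerShell prompt (PowerShell 2.0 runs on Windows XP) and relies on the standard Windows policy values `DisableTaskMgr` and `DisableRegistryTools`, which are what restrictions of this kind normally set.

```powershell
# Added example, not from the original post or the linked removal guide.
# Assumes an elevated PowerShell session (PowerShell 2.0 or later).
# Check 1: policy values that disable Task Manager and Registry Editor.
# Check 2: auto-start services whose executable lives outside %SystemRoot%.

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = @{
    'DisableTaskMgr'       = 'Task Manager'
    'DisableRegistryTools' = 'Registry Editor'
}

function Get-DisabledAdminTools {
    # Returns one object per policy value that is set to a non-zero (disabled) state.
    # DisableRegistryTools can be 1 or 2, so any non-zero value counts as disabled.
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $policyValues.Keys) {
            $data = $props.$name
            if ($null -ne $data -and [int]$data -ne 0) {
                New-Object PSObject -Property @{
                    Path = $path; Value = $name; Tool = $policyValues[$name]; Data = $data
                }
            }
        }
    }
}

function Restore-AdminTools {
    # Deleting the values is equivalent to the default (tools enabled).
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($name in $policyValues.Keys) {
            Remove-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        }
    }
}

function Get-SuspiciousAutoStartServices {
    # Lists auto-start services whose binary is not under %SystemRoot%.
    # Legitimate third-party services (antivirus, drivers) will appear too;
    # treat the output as a starting point for investigation, not a verdict.
    $sysRoot = $env:SystemRoot.ToLower()
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and
                       -not $_.PathName.ToLower().Contains($sysRoot) } |
        Select-Object Name, DisplayName, State, PathName
}

$disabled = @(Get-DisabledAdminTools)
if ($disabled.Count -eq 0) {
    Write-Host 'Task Manager and Registry Editor are not restricted by policy.'
} else {
    $disabled | Format-Table Tool, Value, Data, Path -AutoSize
    Write-Host 'Run Restore-AdminTools to clear these values, then log off and back on.'
}
Get-SuspiciousAutoStartServices | Format-Table -AutoSize
```

Restoring the two tools only removes the restriction; it does not remove whatever set it, so the malware itself still has to be cleaned out (the linked guide covers that), and the check is worth re-running after a reboot to confirm the values have not been written back.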
How safe are your Stored Windows Passwords?
December 8, 2007 on 3:42 pm | In Information, Knowledge Base
Windows operating systems have a feature known as the “Protected Storage”, which is a place within the operating system where sensitive information is stored for retrieval at a later time. Protected Storage stores user names and passwords, web addresses, and data entered on forms.
Why should you know about this feature? Well, it is possible, and in fact has happened, where an attacker who gained access to a system, either locally or remotely, is able to retrieve any information found in this repository. The information found could include user name/password combinations for PayPal, eBay, online banking accounts, email, and pretty much any other type of authentication information.
This feature is enabled by default to save time and make surfing more convenient; however, if you are concerned about computer security and protecting your personal information, it is possible to turn it off. The only noticeable change is that you will be required to enter your user name and password for accounts that Windows previously stored. I would prefer to enter the information and know that there are no traces that can be retrieved from my computer.
To turn this feature off, open Internet Explorer, click the “Tools” menu and then select “Internet Options” from the side menu. You will now see the Internet Explorer “Properties” window and will notice a number of tabs across the top; click the tab labeled “Content” and then click the “AutoComplete” settings button.
This will bring up another window with various autocomplete options that will most likely have check marks next to them. Remove all of the check marks, starting with the “Prompt me to save passwords” option, and then click the “OK” button. If you have Internet Explorer version 6 or earlier, you should see two additional buttons allowing you to “Clear Forms” and “Clear Passwords”; if you have these buttons, click both of them to clear your history and then you are finished. Otherwise, follow the next step, which is for Internet Explorer version 7.
Next, click the “General” tab and then click the “Delete Forms…” and “Delete Passwords…” buttons and confirm. This will clear any data that was previously stored.
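The same AutoComplete settings live under the current user’s Internet Explorer registry key, which is handy for checking a machine or turning the feature off without clicking through the dialog. The script below is an added example, not part of the original post. The value names `Use FormSuggest`, `FormSuggest Passwords` and `FormSuggest PW Ask` are assumed from Internet Explorer’s per-user settings rather than taken from the post; confirm them against your IE version before relying on the script.

```powershell
# Added example, not from the original post. Reports and turns off IE AutoComplete
# for forms and passwords via the per-user registry values behind the dialog.
# Value names are an assumption about IE's settings, not something the post states.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$autoComplete = @{
    'Use FormSuggest'       = 'Forms'
    'FormSuggest Passwords' = 'User names and passwords on forms'
    'FormSuggest PW Ask'    = 'Prompt me to save passwords'
}

function Get-AutoCompleteState {
    # Returns one object per setting; a missing value is treated as the default (on),
    # which is an assumption about IE's behaviour and is flagged as such in the output.
    $props = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    foreach ($name in $autoComplete.Keys) {
        $data = if ($props) { $props.$name } else { $null }
        New-Object PSObject -Property @{
            Setting  = $autoComplete[$name]
            Value    = $name
            Data     = if ($null -eq $data) { '(not set, assumed default: yes)' } else { $data }
            Enabled  = ($null -eq $data -or $data -eq 'yes')
        }
    }
}

function Disable-AutoComplete {
    # Writes 'no' to each value, the same result as clearing the check boxes in the dialog.
    if (-not (Test-Path $ieMain)) { New-Item -Path $ieMain -Force | Out-Null }
    foreach ($name in $autoComplete.Keys) {
        Set-ItemProperty -Path $ieMain -Name $name -Value 'no' -Type String
    }
}

Write-Host 'Before:'
Get-AutoCompleteState | Format-Table Setting, Enabled, Data -AutoSize
Disable-AutoComplete
Write-Host 'After:'
Get-AutoCompleteState | Format-Table Setting, Enabled, Data -AutoSize
```

Turning the values off only stops Internet Explorer from saving new entries. Anything already stored is still there, so the “Delete Forms…” and “Delete Passwords…” steps from the post (or “Clear Forms” / “Clear Passwords” on IE 6) still need to be done to remove the existing data.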
Now, you are just a little bit more secure!
Trends in Badware 2007
November 4, 2007 on 3:11 pm | In Information, Knowledge Base
Stopbadware.org recently released a 12-page report outlining the current threats to users’ privacy and security when using computers that are connected to the Internet. This report is a “must read” for everyone who surfs the Internet and can be viewed at:
http://stopbadware.org/pdfs/trends_in_badware_2007.pdf
“Trends in Badware 2007” starts with a brief history of viruses, why they were initially created, and how and why they evolved into the many different forms threatening everyone’s personal privacy today. The rest of the report discusses the different types of attacks that are now threatening all Internet-connected users, how each threat infects computers, and the types of damage each one is capable of inflicting.
We encourage everyone to read this report; it is well worth your time and will undoubtedly raise your level of awareness and encourage you to invest in good protection!
And the threats keep evolving…
September 7, 2007 on 1:29 am | In Knowledge Base, On the Radar
SearchSecurity.com published a very good article by Noah Schiffman titled “Building malware defenses: From rootkits to bootkits”, and it is a warning to everyone that they need to lock down physical access to their computers because of the latest threat: bootkits. The article can be found here:
Before I read this article, I thought rootkits were the most threatening form of compromise; but after reading it, I think bootkits have just moved into first place. Why? Bootkits infect computers during the boot process, before the operating system loads, which means that detection from within the operating system is virtually impossible.
The good news is that you can protect your computer against this type of infection by:
- Configuring the BIOS to disable any boot devices other than the hard disk
- Using a strong and complex BIOS password, which would be required to successfully boot the computer
- Limiting physical access to your computer AND the motherboard by locking the case to prevent access to the interior
- And if you really wish to lock it down, disabling the USB and FireWire ports in the BIOS; but that could really hinder your computer’s functionality
Check the article out…you’ll be amazed at the damage a bootkit is capable of causing!
You Might want to think Twice before playing Online Poker…
August 14, 2007 on 5:50 pm | In Identity Theft, Information, Knowledge Base
F-Secure.com posted a blog entry today titled “Trojans, Online Poker and Terrorism”, and for those of you who enjoy playing online poker games, you may just want to read this article. You can find it at: http://www.f-secure.com/weblog/
In a nutshell, the article points out that not only are you at risk from being infected by Trojans and other types of malware…you could be inadvertently funding terrorism if your identity has been stolen because of these infections.
Check it out, it’s worth reading.
Have you tried Firefox with the Firekeeper Add-on?
June 24, 2007 on 12:48 pm | In Information, Knowledge Base
As you know, Microsoft’s Internet Explorer is a very popular Internet browser, and because of its popularity it is a huge target for attackers. It is because of the vulnerabilities that come with being such a target that I also use Firefox by Mozilla.
Firefox is an open source browser that is freely available for download from the Internet and what makes it attractive [to me] is the many “add-ons” available to freely download and install. As with any software, you probably would not want to download and install every possible add-on; however, there are a few that are definitely worth running.
Here is a short list of add-ons that I have personally found to be valuable security-enhancing tools:
· Firekeeper - An Intrusion Detection and Prevention System for Firefox that is capable of detecting, blocking and warning users about malicious sites. I have been running Firekeeper for a few months now and just received my first alert last week. I was browsing a “trusted” site that I had used in the past; however, this time when I tried to access an article posted on a specific page within the trusted site…I immediately received a warning from Firekeeper advising me that the page contained malicious code! I was then prompted to allow or deny access to this infectious page and for obvious reasons, I denied access. Firekeeper also gave me an option to add the page to the built-in “Blacklist” feature and I immediately jumped on that option to prevent future occurrences from that page. With the volatility of today’s Internet landscape, Firekeeper is a great security tool to install and use while surfing the Internet. You can download your copy at: http://firekeeper.mozdev.org/
· Adblock Plus – A great tool to block ads and banner advertising. This tool is easy to use and gives you the option of selectively blocking specific advertisements. You can download this add-on from: http://adblockplus.org/en/
· NoScript – This is another important security tool that will block JavaScript, Java and other executable content, unless you explicitly allow the content to run from specific domains or web pages. Attack vectors using JavaScript and other executables are becoming quite a popular method of attack and this tool will give the end user an effective method to counter these types of attacks. You will find this add-on at: https://addons.mozilla.org/en-US/firefox/addon/722
Do yourself a favor and install Firefox and these add-ons; you do not have to remove Internet Explorer, as both will run together on the same computer. You will find Firefox at: http://www.mozilla.com/en-US/products/?flang=en-US
Having a hard time choosing a good Anti-virus program?
March 2, 2007 on 7:49 pm | In Knowledge Base
Many people go to on-line newsgroups, forums, or ask their friends for recommendations in choosing a good Anti-virus product to protect their computers from harmful malware; but the advice offered is many times not dependable.
Is your Computer Infected with a Rootkit?
January 22, 2007 on 6:36 pm | In Knowledge Base
Rootkits are one of the most threatening types of compromise to computers and the use of this threat is gaining popularity with the bad guys. If you would like to learn more about this very serious threat, Microsoft has a great page full of information about Rootkits and you can find it at:
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
You will also be able to download a copy of RootkitRevealer, which is a program that can be used to detect the presence of rootkits on Windows NT or newer computers. This page also contains links to other sites and articles about rootkits.