May 29th, 2009

Yikes!

Author: Shane

Just checking in for a moment to let you know that I’m still around, just really really busy launching a new business.

 

In short:

 

Watch out for a nasty piece of malware named JS/Redir, a.k.a. Gumblar. Reports have surfaced that this little sucker is making quite a stir, and I can verify that it is indeed very active. I just spent the better part of two days at a customer site tracking down this little beasty and all the other friends he invited to the party. What a mess for those guys, but I did find a couple of decent blog posts that give pretty good information; very helpful to those already affected:

 

http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

 

http://www.pakzilla.com/2009/05/06/how-to-protect-your-website-from-gumblarcn-infection/

May 9th, 2009

Additional email controls…

Author: Shane

In my last post I mentioned that “Web-based email readers and email reader applications such as Outlook offer additional controls, including viewing the source of an email message prior to actually opening it.”  That got one reader’s attention, who asked: “What controls are you talking about?”

 

OK, so ‘controls’ might not be the term somebody working at Microsoft would use. They’d probably call them features, or options. I call them controls because they allow you to control how you view email, even how you view email before you open it. Here are some of those controls…

 

In applications such as Outlook Express, the Viewing Pane comes enabled by default. It really is nothing but a pain, and it’s dangerous. Disable it! The Viewing Pane allows you to simultaneously view email subject lines and email message content in a split-frame screen. When you highlight (single-click) an email’s subject line in the upper frame, the email message is automatically rendered in the bottom frame. If the message is rendered as HTML, there is the possibility of launching malware attachments.

 

In Outlook Express you can view the source of the message without opening it. Simply right-click the email subject line, select Properties, click on the Details tab, then click on Message Source. An additional window will open allowing you to see the raw text of the message, including any nefarious HTML code. This control/feature/option is my personal favorite. All email applications should offer such a thing!

 

There are options in email readers that allow you to render the message as text, regardless of how the sender sends the message to you. These settings are usually found in the Preferences or Options settings of the email reader application. I wholeheartedly recommend this particular setting. Even web-based email applications allow you to view mail as text-only. Everybody should use it.

Strip all attachments. Surf naked! Heh, heh, I just really wanted to say that. Seriously though, there are options that allow you to strip attachments that are potentially unsafe. The attachments are stripped prior to rendering the email. Images are kept on the side. Make sure this control is enabled, and stays enabled.
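
The three controls above (look at the raw source before opening, render as text only, strip unsafe attachments before rendering) can be exercised on a message with the Python standard library. The block below is an added example, not code from the original post or from any mail client; the sample message is constructed for the demonstration, and the list of "unsafe" extensions is an illustrative subset of what mail clients typically block, not an official list.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Constructed sample message (not a real capture): a text/plain and a text/html
# alternative, where the HTML part carries a script, plus an executable attachment
# disguised with a double extension.
RAW_MESSAGE = """From: "A Friend" <friend@example.org>
To: you@example.net
Subject: Check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Hi, open the attached file.
--inner
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi, open the attached file.</p>
<script>document.location='http://malicious.example/';</script></body></html>
--inner--
--outer
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--outer--
"""

# Illustrative subset of extensions that mail clients commonly refuse to render.
UNSAFE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                     ".vbs", ".js", ".hta", ".msi", ".lnk", ".reg"}


def parse(raw: str) -> EmailMessage:
    """Parse the raw text without rendering anything (the 'Message Source' view)."""
    return email.message_from_string(raw, policy=policy.default)


def header_summary(msg: EmailMessage) -> dict:
    """The routing headers as they appear in the source, untouched by any renderer."""
    return {name: str(msg[name]) for name in ("From", "To", "Subject")}


def structure(msg: EmailMessage) -> list:
    """Every MIME part's content type, which the source view exposes and a preview pane hides."""
    return [part.get_content_type() for part in msg.walk()]


def count_scripts(msg: EmailMessage) -> int:
    """How many <script> tags the HTML alternative carries; zero means nothing to worry about."""
    html = msg.get_body(preferencelist=("html",))
    return 0 if html is None else len(re.findall(r"<script\b", html.get_content(), re.I))


def text_only_body(msg: EmailMessage) -> str:
    """Render as text: prefer the text/plain part, and if only HTML exists, drop its tags."""
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return plain.get_content().strip()
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return ""
    # Crude fallback: strip tags instead of rendering; scripts never execute this way.
    return re.sub(r"<[^>]+>", "", html.get_content()).strip()


def is_unsafe(filename: str) -> bool:
    """Judge by the last extension, which is what the OS would use to launch the file."""
    return os.path.splitext(filename)[1].lower() in UNSAFE_EXTENSIONS


def strip_unsafe_attachments(msg: EmailMessage) -> list:
    """Remove unsafe attachments in place and return their names; images and documents stay."""
    stripped = []
    kept = []
    for part in msg.get_payload():
        name = part.get_filename()
        if name and is_unsafe(name):
            stripped.append(name)
        else:
            kept.append(part)
    msg.set_payload(kept)
    return stripped


if __name__ == "__main__":
    message = parse(RAW_MESSAGE)
    print(header_summary(message))
    print(structure(message))
    print("script tags in HTML part:", count_scripts(message))
    print("text-only body:", text_only_body(message))
    print("stripped:", strip_unsafe_attachments(message))
```

Running it shows what the Viewing Pane would have hidden: the HTML alternative contains a script, and the "invoice" is an executable, which is removed before anything is displayed.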

 

Some time ago I wrote a SecurityFocus article on some of the dangers of HTML email. My advice in the article still applies today, although thankfully MS has since made Outlook and OE more secure by disabling most of the ‘automatic’ features that malware tries to take advantage of.

May 2nd, 2009

Year-round phishing on the ‘net

Author: Shane

No license required, and no restrictions on where ya fish. 

 

At least that is what Facebook is finding out. This past week Facebook has felt the brunt of not one, but two fairly significant attacks. Both attacks involved an email phishing scheme to trick a person into logging in through what they thought was an actual Facebook login screen.

 

It works like this: A Facebook user receives an email from a ‘friend’ (a.k.a. an attacker). The email contains a crafty phrase like ‘Check this out’, and includes a link to a site that appears to require a Facebook login. The login page looks real enough, but is faked of course. A victim enters their Facebook credentials at the fake login screen. Credentials are sent to the attacker. Attacker takes control of the account. Using the address book of the account, attacker sends more ‘Check it out’ messages. Those users then attempt to log in through the faked login screen. Wash, rinse, repeat.

 

What have Facebook users learned?  Don’t blindly follow links in email, even when they appear to be sent from friends.

 

The following advice helps thwart similar attacks, but can also be used every day by any email user: If you do not immediately recognize the purpose of the email, question why it is being sent to you. You might even ask the sender verbally if they meant to send you that email. If there are links inside of the email, do not click on them. Instead, open a browser window and manually type the address in by hand.
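
The reason to type the address by hand rather than click is that the text of a link and its real destination are two different things. The following Python is an added example, not code from the original post: it pulls the anchors out of an HTML email body and reports the host the browser would actually contact, flagging links whose visible text names one site while the href goes elsewhere, and hosts that contain a brand's domain name without actually belonging to it. The sample HTML and the `.test` host are constructed for the demonstration; the registrable-domain helper is a deliberate simplification (last two labels) rather than a public-suffix-list lookup.

```python
import re
from urllib.parse import urlsplit

# Constructed sample body (not a real phishing message): one deceptive link whose visible
# text is the real site but whose href is a lookalike host, and one honest link.
SAMPLE_HTML = """<p>Check this out!</p>
<a href="http://login.facebook.com.example-phish.test/login.php">http://www.facebook.com/</a>
<a href="https://www.facebook.com/">https://www.facebook.com/</a>
"""

# Matches <a ... href="..." ...>visible text</a>; good enough for mail bodies, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Simplification: the last two labels. Real code would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(html: str) -> list:
    """Return (href, visible text) pairs in document order."""
    return [(href, text.strip()) for href, text in ANCHOR_RE.findall(html)]


def real_host(href: str) -> str:
    """The host the browser would connect to, which is what the reader should type by hand."""
    return urlsplit(href).hostname or ""


def suspicion_reasons(href: str, text: str, expected_domains: tuple) -> list:
    """List the reasons a link deserves a second look; an empty list means nothing was found."""
    host = real_host(href)
    reasons = []
    # 1. The visible text is itself a URL, but its domain is not where the link really goes.
    if text.lower().startswith(("http://", "https://")):
        text_host = real_host(text)
        if text_host and registrable_domain(text_host) != registrable_domain(host):
            reasons.append(f"display text points to {text_host} but link goes to {host}")
    # 2. A trusted brand's domain appears inside the host, yet the registrable domain is someone else's.
    for brand in expected_domains:
        if brand in host and registrable_domain(host) != brand:
            reasons.append(f"{brand} appears in {host} but the registrable domain is {registrable_domain(host)}")
    return reasons


def audit(html: str, expected_domains: tuple = ("facebook.com",)) -> dict:
    """Map each href in the body to its list of suspicion reasons."""
    return {href: suspicion_reasons(href, text, expected_domains)
            for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, reasons in audit(SAMPLE_HTML).items():
        print(real_host(href), "->", reasons or "nothing unusual")
```

The first link is reported twice over: its visible text names www.facebook.com while the destination is example-phish.test, and the host merely embeds "facebook.com" as a subdomain label. The second link, where the text and the destination agree and the registrable domain is the real one, produces no reasons.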

 

Web-based email readers and email reader applications such as Outlook offer additional controls, including viewing the source of an email message prior to actually opening it.

 

References:

http://www.cnn.com/2009/TECH/04/30/facebook.phishing.attacks/index.html?imw=Y&iref=mpstoryemail

http://www.newsfactor.com/news/Facebook-Boosts-Phishing-Security/story.xhtml?story_id=0020002HDV2K

May 1st, 2009

What’s in a name (redux)

Author: Shane

An interesting couple of articles this morning about swine flu.  I’ve listed them below in the references. 

 

I know a biological virus really has little to do with computer security, at least directly. And while similarities can be found between computer and biological viruses, comparisons between how the two act, spread, etc., quickly break down.

 

Nonetheless I think the World Health Organization is going to have a tough time if they are serious about renaming Swine Flu. Here’s why

 

References

Swine flu name change? Flu genes spell pig

Is the name swine flu hogwash?

April 25th, 2009

Conficker signs of life?

Author: Shane

It figures that as soon as I say something about Conficker something else begins to happen. Well, I did say it would be smart to continue monitoring it. And that is what the experts are doing, and according to Reuters journalist Jim Finkle, Conficker is showing signs of life. One prediction for Conficker has it that it will be a slow-to-happen event. That could very well be. I’ll take a guess that any activity right now is a test run, across a very small and well-controlled segment of the botnet. Too many eyes are still on this particular piece of malware, and its controllers are probably doing their best not to get caught. Another belief is that alternate malware has been installed on Conficker-exploited machines. Also a very good chance. While we’ve all been concentrating on Conficker itself, other malware has been seeded and spread, some of which may interact with Conficker in as yet unknown ways. Whatever the case, it will be an interesting next couple of months!

April 24th, 2009

Conficker publicity hype overshadows actual cybersecurity problem

Author: Shane

Robert McMillan of IDG reports from RSA in San Francisco. The Feds may have actually hit the nail on the head this time, or at least come close to doing so. I agree with Shawn Henry: the hype over Conficker is way overblown. Sure it’s a big botnet, but remember that bigger isn’t always better; the bigger you are, the more noise you make and the bigger the target you become. At the end of Feb, 2009 there were 451 other active threats confirmed in the wild, some far more dangerous than Conficker. At least for now. It is wise to continue to monitor Conficker, but prudent to keep in mind that it is but one part of a much larger problem.