miekiemoes' Blog

Back to the future (nowadays)

noreply@blogger.com (miekiemoes) — Mon, 16 May 2016 21:05:00 +0000

Wow, I can't believe I haven't been blogging for more than 3 years already.... time went so fast, just too fast... until someone reminded me.. "Mieke, you know you still have a blog - why don't you update it with some news?".

Honestly - I totally forgot about my blog, as I am not a writer or anything else in between, but I do feel guilty for not "maintaining" this anymore. Thanks to my followers for keeping up with me ;-)

So Yes, I'm still alive and trying to kick (malware) asses - but more in the background as that's where I prefer to stay - out of the picture.

The fact that I don't blog anymore is mainly because I just don't always have the time for it. There's always something new, challenges that keep me away from this. My work environment has become so interesting... and challenging.

But yes, I should maintain this more often with sense and nosense about malware or anything else in between, so I promise I'll do my best to update my blog more frequently.

Unwanted or wanted toolbars, when to detect..

noreply@blogger.com (miekiemoes) — Sat, 16 Feb 2013 17:26:00 +0000

This is a follow up on a previous blogpost of me: http://miekiemoes.blogspot.be/2012/01/unwanted-toolbars.html
I received a lot of feedback on this (mainly via mail) which was an eye-opener....

We can't ignore the fact that more and more free software is bundled with an additional toolbar or software to cover the costs. After all, developing & have the bandwith available for downloading the software isn't free, so it's understandable they need some sort of coverage for the costs. The affiliate who offers the most is obviously being used more frequently into bundled installs. In most (almost all) cases, when a user installs the software, they are presented with options whether they want - or do not want to install this additional certain software bundle. Since, in most (almost all) cases, this is pre-selected by default, people don't bother with the install screens, don't read and just click "next" and "next". Then, in the end, they are complaining about an additional toolbar/startpage/searchpage they never wanted.

This is exactly why I can't stress enough to read "install screens" while you're installing a program. If you don't want the additional crap, just unselect from the install screens. In case you have installed it already, in most cases, it's easy to uninstall them again. Most of these affiliates have additional uninstall/remove instructions on their site.

Alot of these toolbars or additional software is harmless though - you can basically compare them with the "google" - or "yahoo" toolbar (although there are some exceptions).
This is why I would love to hear your thoughts on this. Should an AV-Vendor detect such (harmless) toolbars or not? Basically, when to detect - or when not to detect?

Toys for Xmas

noreply@blogger.com (miekiemoes) — Tue, 18 Dec 2012 18:19:00 +0000

I've listed some "must have" goodies for the geeks among us for 2013. Probably, most of you have these goodies already, but in case you don't, it may be a good idea to put on your Xmas list.

* USB3 & USB3 & more USB3

If you're planning to buy a new PC or laptop or anything else with USB ports, please make sure you have at least 1 or 2 USB3 ports. While USB3 was released in November 2008 already, we now start to see more units with USB3 ports/support. USB3 is much faster than USB1 or USB2 and they are still backwards compatible with older USB ports. Basically, it's almost 10 times faster than USB2. If you want to buy a flash drive, get a USB3 flash drive. It's still more expensive than USB2, but it's really worth the price (which will drop soon anyway). Ofcourse, you gain most from this if you connect from a USB3 port. Most (if not all) new units are supported/have USB3 ports now anyway, so this is one of the reasons why you should stop buying USB2 flash drives or anything else USB2-ish :D

* Replace old drives with an SSD (Solid State Drive).

Many of you probably have old PCs/laptops and you want to give it some boost/power. Adding RAM is a good option, but you may want to consider to replace your HDD with an SSD. Solid State Drives are faster than conventional spinning drives because they have no moving parts. The storage on an SSD is handled by flash memory chips. Advantages are less power usage, higher reliability and faster access to your data. They are also less resistant to shocks and vibration.

In general, when you install an SSD, the first immediate benefits are faster application load time and faster boot time. SSDs aren't cheap, but really worth the price. Disadvantage is, you have less data storage than a conventional HDD (comparison size/price with HDD), but if storage isn't a real problem for you - then you really might want to consider an SSD. After all, you can still combine it with an internal or external HDD to store your data. SSDs have dropped in price to the point where it's affordable to replace your laptop or PC HDD. Normally, a 128GB SSD should suffice your storage needs (just compare with the current storage you need/have) - but a 256GB SSD is even better. You can have larger SSDs as well ofcourse. You can read more about SSDs here: http://en.wikipedia.org/wiki/Solid-state_drive and here: http://lifehacker.com/5932009/the-complete-guide-to-solid+state-drives

You can also easily migrate your Windows installation from an HDD to an SSD without losing any data or reinstalling Windows. There are a lot of tutorials on the net for that.But I personally prefer to start from scratch to avoid any issues. In either way, there's a good tutorial here: http://lifehacker.com/5837543/how-to-migrate-to-a-solid+state-drive-without-reinstalling-windows

* Get a docking station for your SATA drives with USB support

This is really a MUST HAVE! I am sure many of you have come in situations where your HDD wouldn't boot, or you want to mount a drive that has failed.

For many (inluding me), it's a hassle to mess around with adding the drive as a slave to your PC in order to get access to the data and transfer/alter/delete. This is exactly one of the reasons why I bought this. Just slide in your SATA hard drive, connect via USB to your PC/Laptop and power on in order to see it as an external drive. You have them in all types and flavours - support for 2,5" drives AND/OR 3,5" drives, SSD, dual docking SATA station (for quick/easy cloning)... Ofcourse, I also recommend to get one with USB3 ports/support.

If you have any other MUST-HAVE! for Xmas, please let me know - I still haven't decided yet what to get (I have above already) :)

images courtesy of http://blog.laptopmag.com, http://www.sharkoon.com, http://www.datapro.net

Unwanted Toolbars

noreply@blogger.com (miekiemoes) — Thu, 05 Jan 2012 12:38:00 +0000

While I know this is old news and has been blogged/posted about a thousand times already - I still notice a lot of users having problems with an overload of toolbars they don't want/need.

More and more software (mainly free software) bundle their software package with a toolbar since it's an extra source of income.
While in some cases, a toolbar *can* be necessary or useful, always ask yourself if you really need/want this toolbar.

Additional Toolbars can slow down your browser since it takes longer to start them up, can interfere with certain webpages you want to view, can have compatibility issues with other toolbars/add-ons already installed or can even crash your entire browser.
Apart from a toolbar/BHO, some toolbars also add additional loading points (run key, service, appinit_dlls..) which may cause an extra slowdown of your computer in general.
Toolbars also take up extra space in your browser, leaving you with less content of the webpage you want to view.

Do you really want your browser to look like this?

If the answer is Yes, then I suggest you check with your eye specialist or stay away from computers and find another hobby.

Also, not all toolbars are as harmless as they look. Do you want them to monitor your browser activities? What sites you visit? Collect other info from your computer?
Do you want them to redirect searches? Change your startpage? Display Advertisements (targetted Ads)? If the answer is No, then uninstall them or don't install them in the first place.
In most cases, legit software with a toolbar bundled, offers the user the option to uncheck the toolbar during install. Too bad most have these toolbars pre-checked already, so many users who install the software just click through the installation screens (next) in a hurry and end up with toolbars they don't want or need.
And that's still the biggest mistake users make.

That's why it is always a good practice to read every part of the installation screens the software displays, so you don't miss the option where you can uncheck the toolbar or other junk during install.
Also, it's a good practice to always read the EULA/Privacy Policy when you want to install certain software.

Example:

Unfortunately, not every software bundled with a toolbar/other junk offers this option to uncheck during install. This is bad practice and such software should be avoided in the first place.

In case you have (accidentally) installed a toolbar you didn't want/need in the first place, use the Windows’ built-in "Add/Remove Programs" in the Control Panel ("Programs and Features" in Vista/Win7) and look if it's listed there so you can uninstall it.
Or, in case it's not listed there, you can disable or remove them them via your browser:
For Internet Explorer: http://technet.microsoft.com/en-us/magazine/dd364987.aspx or http://mintywhite.com/windows-7/7security/5-easy-ways-uninstall-toolbars-internet-explorer-8/
For Firefox: http://kb.mozillazine.org/Uninstalling_toolbars
For Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=en&answer=113907
For Opera: Click Tools > Preferences > Advanced Tab > Toolbars (listed on the left). There you can select and delete the toolbar.

In general, if you don't use/need toolbars, uninstall them or don't install them in the first place.

ABN AMRO Phishing mail

noreply@blogger.com (miekiemoes) — Wed, 30 Nov 2011 09:22:00 +0000

Another phishing mail I received today. Looks like my mailbox attracks phishing mails this week...
This certainly gives me a reason to blog more often again ;-)

This one is targeting Dutch ABN AMRO bank account users.

------

Geachte ABN-Amro klant,

® Op dit moment is ABN-Amro bezig met het vernieuwen van de systeembeveiligingen. Hierbij vragen wij u om uw persoonsgegevens opnieuw in te vullen door op de onderstaande link te klikken

Wij zullen de gegevens verifieren en als het nodig is de aanpassingen opnieuw in het systeem opnemen. Hierna wordt telefonisch contact met u opgenomen om de gegevens te beveiigen.

------

This one is sent from the spoofed mailaddress ABN AMRO NV customercare @ abnamro.nl
When you click the Log in button, it redirects you to a phishing page where it asks you to fill in your bank account and passnumber.

It looks like there are a lot of similar phishing mails going around lately to target ABN AMRO bank account users and I fear a lot of new ones will follow.
In case you have received a similar mail from ABN AMRO, please report it via their website:
https://www.abnamro.nl/nl/overabnamro/f_aanvragen.html

Beware Telenet.be users - Telenet.be phishing scam going around

noreply@blogger.com (miekiemoes) — Sat, 26 Nov 2011 14:25:00 +0000

First of all - WOW! It has been ages I have blogged here ! I really should start to blog more often again. Work & life has kept me real busy lately, so unfortunately there's not much extra free time left over anymore.
If only there were 36 hours in a day, so much I still want to do and learn...

Anyway, Just received the following in my mailbox today:

Dear 'pandora.be' E-mail User,

We are currrently upgrading our database and all account need to be verified.To complete your account activation with us, you are required to reply
to this message and enter your password in the space provided (********) you are required to do this before the next 48 hours of the receipt of this email or your database will be de-activated from our database.You are required to reply this message to telenet.be helpdesk database office on their email address: help-desk@email.com

Full Name:
username:
Password:
Thank you for using pandora.be.
Copyright 2011 © pandora.be web Team.

Stacy Williams
PANDORA.BE HELP DESK OFFICE
Hosting: Telenet Operaties N.V.
IP Address: 195.130.144.20

Telenet.be (Pandora.be is controlled by telenet.be) is one of the biggest ISPs here in Belgium
Above is a fake email and in no way associated with Telenet.be.
This mail is designed to steal your telenet.be credentials.
Telenet.be would never ask for your credentials via email, nor would any other company.
As a matter of fact, never ever give your passwords/credentials via mail, no matter who the company claims to be.

If you received this mail, delete it - certainly do not respond to it.
In case you have become a victim of this mail already and responded to it, change your password asap.
For telenet.be users, see here.

Rogue HDDDefragmenter

noreply@blogger.com (miekiemoes) — Mon, 01 Nov 2010 08:11:00 +0000

HDD Defragmenter is a rogue which appears quite easy to get rid of. That's not what I wanted to talk about. It's about how much Rogues have improved.

Once installed, you get the following message:

Your executables cannot launch. Clicking the 'Scan Hard Drives' button brings up the next image:

When scanning, it even has a FAKE safe mode. Desktop just goes black with the corners showing 'Safe Mode':

Next images show how convincing these rogues can be:

To get rid of it, scan with Malwarebytes or another Antivirus/Antispyware application.

Credits go to sUBs for screenshots and analysis

Fighting Trojan Horses is a Family thing

noreply@blogger.com (miekiemoes) — Sat, 30 Oct 2010 06:55:00 +0000

My cousin Jimmy also fights Trojan Horses, but in a slightly different way...

More info and Biography of Jimmy here:

http://www.fmx4ever.com/clanky/team/jimmy-verburgh/
https://www.facebook.com/jimbo199/

IOBit Steals Malwarebytes’ Intellectual Property

noreply@blogger.com (miekiemoes) — Mon, 02 Nov 2009 19:52:00 +0000

Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an indepth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums (cached version since they deleted the thread - well, now the cached version got deleted as well. Glad I still have a screenshot, see below) that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes’ Anti-Malware software using the exact naming scheme we use to flag such keygens: Don’t.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes’ Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit’s theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This “malware” does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

We can’t publicly show all the evidence we found, because it is still our intellectual property: proprietary information about our database internals. But we don’t want you to have to take our word for it either, so we found a way to show you an example illustrating an indisputable pattern of theft.

Consider the file, dummy.exe. It is a harmless dummy executable that runs, displays a “Hello World” message box, and exits. You can see from third-party scans on VirusTotal, that no other security vendor flags this executable as malicious or even suspicious.

We created this dummy executable, then manipulated it slightly so that it matches one of the signatures in our database. We emphasize that it is still not malicious! — the signature is perfectly benign, when not in the context of actual malware, as you can see from the VirusTotal results.

We scanned the file with our own Malwarebytes’ Anti-Malware software and indeed it was flagged as “Don’t.Steal.Our.Software.A”. We scanned it with IOBit using their current build and database version and it was flagged as the same “Don’t.Steal.Our.Software.A”. We have included log file file and a screenshot of the detection. You can verify by yourself using the dummy executable and their most recent database.

We have attached two other such dummy executables to this post, so you can see for yourself. One of them, “rogue.exe”, matches our fake Rogue.AVCleanSweepPro (screenshot) definition, the other “fake.exe”, matches our Adware.NaviPromo definition (screenshot). VirusTotal results for “fake.exe” and “rogue.exe” so you can see they are benign. You can see a screenshot of our detections here.

During the course of our investigation, we uncovered additional evidence that IOBit may have stolen the proprietary databases of other security vendors as well. We are in the process of contacting these vendors.

Malwarebytes intends to pursue legal action against IOBit. We demand IOBit immediately remove all traces of Malwarebytes’ proprietary research and database from their software. We also demand IOBit be delisted from Download.com due to Terms of Service violations. This is criminal: it is theft, it is fraud, and we will not stand for it.

What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed.

Copy/paste of the original Article here

Update to this post: IOBit’s Denial of Theft Unconvincing

My New Toy... a HTC Magic

noreply@blogger.com (miekiemoes) — Fri, 31 Jul 2009 14:43:00 +0000

I finally decided to buy a Smartphone...: http://www.htc.com/www/product/magic/overview.html

Love at first sight!
Too many options and too much stuff to configure. This will certainly keep me busy for a while....

Searchengine Redirects? It could be a patched ws2_32.dll file...

noreply@blogger.com (miekiemoes) — Wed, 10 Jun 2009 22:45:00 +0000

I was helping someone yesterday (online support via forums) who was complaining about searchengine redirects. Redirections mainly went to mybig-portal.com, virus-detect-soft.com, edmonds.com, us.peeplo.com, directkitchenremodeling.com...

There are already many different infections responsible for searchengine redirections, I see several different ones every day.... so after a while, it's getting easier for me where to look/search.
The info is mainly gathered from logs (Registry loading points, Rootkit scans, etc).

However, this one was different. I just couldn't find the culprit. Same scenario as with the first Daonol/JsRedirect/Gumblar variant I discussed here last year (October 2008).
People who know me also know that I will search untill I find it, so I finally found the culprit - a patched ws2_32.dll file.
The ws2_32.dll is a legit Microsoft Windows file that contains the Windows Sockets API used by most Internet and network applications to handle network connections.
In this case, it was patched by malware. Its copies in the dllcache and ServicePackFiles\i386 folder were also affected. Reference thread here.
It wasn't detected by any scanner yet. Sophos Antivirus will now detect this one as Troj/WShack-B.

So if you encounter the same and just can't find the culprit of a searchengine Hijack after trying anything else - then it *may be a patched ws2_32.dll file. Don't delete that file if it's indeed patched/infected, but replace it with a clean copy.
If unsure/in doubt, post you issue in the forums.

In case you're wondering....

noreply@blogger.com (miekiemoes) — Wed, 06 May 2009 12:38:00 +0000

Yes, I'm still alive, just extremely busy lately.

It's now already a couple of months that MalwareBytes hired me as Malware researcher, so that's where most of my time goes nowadays.
I've decided I will only blog here once in a while - I hope at least once a month - but I cannot promise anything :-)

Also... Thank you for the nice mails I've received lately via this blog and sorry I didn't respond earlier. It looks like something went wrong with the "Contact Me" mailform, so a lot of delayed (2 months or so) mails arrived just today. Anyway, this should be fixed now.

In between message...

noreply@blogger.com (miekiemoes) — Fri, 06 Mar 2009 11:26:00 +0000

It's been a while that I've blogged and since I'm going through some major changes in my personal and professional life (maybe new job), I won't have the time and inspiration either to blog in the next couple of weeks.
In a meanwhile... Click the icon to play a little game, so you didn't come here for nothing. :-)

See you later!

Virut and other File infectors - Throwing in the Towel?

noreply@blogger.com (miekiemoes) — Tue, 17 Feb 2009 13:25:00 +0000

I actually wanted to blog about this last week, but didn't find the time yet...
In the last couple of weeks, I noticed a HUGE increase of Virut present on computers. As a matter of fact, 30% of the infected computers I analyzed were infected with Virut. This is bad, really bad... :-(

Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker - for example to download/run more malware on the compromised computer. Emails may be harvested as well.
This latest variant may also search for htm, html, asp and php files on the drives and modifies them by inserting an iframe that points to a malicious website. So you can already imagine what may happen if the owner is a webdesigner and uploads the infected webpages.
An excellent write up on this latest variant (and previous one) can also be found here (by Nicolas Brulez): http://securitylabs.websense.com/content/Blogs/3300.aspx

Disinfection of the infected webpages should be easy - it's just a matter of deleting the iframe script in it.
The disinfection of the infected exe and scr files is something else...
Since Virut infects legitimate files, the files may not be deleted, but disinfected instead. And that's where the problems start...
Virut was known to be a buggy Virus in the past and it appears that this hasn't changed yet. We've seen this with other File infectors as well: To Junk Or Not To Junk.

And because of that, Virut may misinfect a proportion of executable files > result > corrupted file.
The same applies for other File infectors such as Sality.

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall.
And even though an Antivirus is able to disinfect the files, in a lot of cases, many files will be corrupted anyway > result > many programs won't work > loads of errors > corrupted Windows + there's still no guarantee that the Virus is really gone.
So why bother to clean this if a format and reinstall is the fastest and especially the safest solution?

And that's why I am blogging about this in the first place, especially since Virut is a very common infection nowadays. It's a pity to see that so many people are struggling with it and whatever they try, nothing helps. Then they ask for support via the forums and in a lot of cases, the one who is helping/guiding won't give up either and posts a new set of instructions to deal with this one.
Unfortunately another failure as result, so again, new instructions are posted... and this may go on and on...sometimes for weeks....
Is this responsible?
I'm not saying it fails everytime, but from what I have seen so far and especially if you're helping someone else with this infection... don't guarantee them a "clean" and errorfree computer afterwards .

In anyway, that's how I see it. Imho, dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall.
Many people may see this as "giving up", but I see this different.
After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

Happy Dance - Blog 1 year old!

noreply@blogger.com (miekiemoes) — Wed, 04 Feb 2009 15:55:00 +0000

I started with this blog exactly 1 year ago. I actually didn't expect anything from this since I'm not a writer and don't have enough inspiration either to update my blog every (other) day.
The main goal of this blog was to post some tutorials and thoughts for the "average" user I was helping on forums and newsgroups - so I could link to my blogposts instead of reposting it again and again.
I was already happy with only a few blogposts and actually didn't really plan to update it anyway - only once in a while.
Maybe I could have updated my blog more often with latest Security News etc, but decided not to do so.
However, after a month or two, I saw that some people started to follow this blog and linked to it as well. That was a pleasant surprise.
And that's why I'm still updating this blog with thoughts (mainly rants), tutorials and other (stupid) stuff.

Anyway, thanks for the comments and feedback I have received so far - I've learned a lot from this and I'm still learning every day!

Thank you readers!

IX Web Hosting - Reliable?

noreply@blogger.com (miekiemoes) — Sat, 31 Jan 2009 11:46:00 +0000

Someone contacted me recently about the wdmaud.sys / sysaudio.sys - Win32:Daonol infection. This because his site was injected with the iFrame Javascript "Yahoo! Counter starts here". People who visit the compromised site will get infected with Win32:Daonol.
Even though he removed all injected code, it came back all the time. Also, he couldn't understand how his site(s) got compromised in the first place.
Until he told me what his webhosting service was..... IX Web Hosting.

A quick google search explained a lot....

There's even a blog called "IX Web Hosting Warning" to warn people for this webhosting company.
Quote from their About page:

"IX Web Hosting the incompetant cheap web hosting company was hacked in May of this year, and hackers managed to “seed” the servers, which are now injecting 1000’s of innocent paying customers websites, on a weekly basis. It has gotten so bad, and happened so frequently that even the backups are infected.

This has been going on now for almost 8 months!!… Yes that is correct, 8 months, and IX web hosting has still not fixed this massive security issue.
The worst part of this ordeal, is the fact that IX web hosting knows, and has openly admitted to certain people ( myself being one) that they have a massive issue, they still blame the innocent customers that it is their fault."

In anyway, that may also explain why so many people got infected with Win32:Daonol lately:
http://ixwebhostwarning.wordpress.com/2008/12/24/ix-web-hosting-and-the-yahoo-counter-script-injection/
http://ixwebhostwarning.wordpress.com/2009/01/11/is-your-site-infected-by-the-yahoo-counter-or-htaccess/

"Thousands of IX web Hosting customers are infected with this code, and they do not even know it! The web Page looks normal, but this can be very dangerous, your website will eventually drop from ALL the mayor search engines, and your domain will be flagged as “Dangerous Malware” by all the search engines."

Lesson learned: Avoid IX Web Hosting - Avoid sites being hosted with IX Web Hosting, because you may get infected.

Miekiemoes rules ?? Yeah right...

noreply@blogger.com (miekiemoes) — Thu, 22 Jan 2009 09:41:00 +0000

This is about the Searchengine Hijack I blogged about a couple of months ago. Files responsible for this hijack are sysaudio.sys or wdmaud.sys, present in the system32 folder - detected by most scanners as Win32:Daonol.
Someone notified me yesterday about a version of Win32:Daonol which is a bit different than other versions.
The malware author(s) decided to add "Miekiemoes rules" under file description in one of its versions.
Again, another proof why not to believe what malware tells you :P

This is what you get when you hover your mouse over the malicious wdmaud.sys:

I only have above screenshot. The person who uploaded this screenshot for me already deleted the wdmaud.sys, so no sample available. In anyway, thanks for the screenshot.

~~Sample is welcome (only above version).~~
Edit - Sample received - Thank you blogreaders :)

Settings won't save in Firefox

noreply@blogger.com (miekiemoes) — Wed, 14 Jan 2009 14:57:00 +0000

This is another common problem I see in forums lately. This especially since more and more malware targets firefox as well.
An example we see in forums lately is "Yoog Search". This is a searchengine Hijacker - comes with a variant of AdRotator/IconAds Adware.
The Firefox startpage + searchengine / Searchsettings get hijacked and even though the malware (responsible for changing startpage+searchengine) is gone/deleted already, if people want to change it back to default again, or change it back to their own startpage / searchengine, firefox won't save the settings.
So after a next Firefox session, the Hijacked startpage / searchengine etc is back again.

The cause is a user.js file present inside the Firefox profile folder. So, in this case the %APPDATA%\Mozilla\Firefox\Profiles\"identity" folder.
The user.js file does not exist by default and was in this case added/modified by malware.
This file is used to set or reset preferences to a default value. For example whenever the browser is loaded, the values present in the user.js file will supersede the stored values in the prefs.js file.
The prefs.js file contains the values you can access/modify via about:config or via the preferences in Tools > Options Menu in Firefox.
See here for more info about the user.js file.

I've also seen the same where malware changed the Proxysettings and created a user.js file to store the Proxysettings there. Result > once the malware was removed, the user would get the error: "The Proxy Server is Refusing Connections" since the user.js file is still in use.
Some versions of the Ask Toolbar also create a user.js file in the Firefox userprofile, so after uninstalling the Ask Toolbar, the homepage + searches are still set to Ask.com because the user.js file is still present.

That's why, if you're ever having problems with Firefox that won't save settings like startpage, searchengine, proxysettings etc.., then look if a user.js file is present in the Firefox profile folder and delete or modify it.
The presence of user.js in the Firefox profile folder doesn't necessarily mean that it's a bad file. Many people create their own user.js to supersede the stored values in the prefs.js file. So if you didn't create the user.js file yourself, you may delete it (since it's not present by default anyway).
If you're not sure, just rename it to user.js.bak, or open the file with notepad to see what values are present there.

Cold Turkey for X-mas.

noreply@blogger.com (miekiemoes) — Mon, 15 Dec 2008 10:05:00 +0000

I haven't been online much lately, this for several reasons. One of the reasons is.. I quit smoking!
I was trying to avoid situations where cigs were needed the most. I have to admit that actually every situation where I was allowed to smoke was a reason to smoke.
But the worst situation was when I was using computers - more than 10 hours a day, one cig after another. You can imagine I was smoking a lot!

I've already tried to quit last year - but that failed. I was going nuts after two days and a cig was my only relief. Sad, isn't it?
After my failure last year, I decided to smoke less. I didn't allow myself to smoke in the house anymore. So everytime I wanted a cig, I had to go outside, or smoke in the garage.
This actually helped a lot, I didn't break my own rule and smoked only the half of what I used to smoke. Even when I was using the computer, instead of having 6 (or sometimes more) cigs in one hour, I only had to go outside 2 or 3 times an hour. (I know, I know, it's still a lot).

After a couple of months (last week), I was wondering what I was actually doing. This was just silly and I had to stop that.

My own rule to go outside for a smoke worked like I charm and I never broke that rule. So why can't I make my own rule to quit smoking?

So, last week, I smoked my last cig and that was it.

I'm not using any nicotine replacement therapy aids like gum, patches or inhalers. No medications either like Zyban to reduce the craving, no hypnosis, acupuncture.... whatever. Just quit smoking Cold Turkey.
The only thing I used was a book (no, I didn't smoke it) by Allen Carr - "Easy Way To Stop Smoking". As a matter of fact, it is easy if you believe it!

It's already more than a week I quit smoking and I have to say - it's going pretty well. I've tried to avoid computers as much as possible in the first couple of days. Now I'm "facing" computers again and I don't really feel the "hunger" for a cig. The only thing is - I still feel the need to stand up 2 or 3 times in an hour to go outside. :-)
I'm like Pavlov's Dog - but then I remember the famous quote by Yoda: "You must unlearn what you have learned".

Anyway, I'm glad I quit smoking and I'm sure I won't fail this time.

Happy Holidays!!

Please disable Autorun asap!

noreply@blogger.com (miekiemoes) — Sun, 23 Nov 2008 14:31:00 +0000

We see an increase in USB-Based Malware Attacks lately - See here and here for more info.
Unfortunately, in the last few weeks, I have seen many cases where the enabled autorun feature caused A LOT of problems afterwards. This means that many are not aware of the dangers yet.
For example.. Some scenarios I have seen in the last couple of weeks are:

* Computer gets infected with Win32/Sality.NAR (NOD32 detection). This is a polymorphic file infector which searches local and network drives for files with the .exe extension and infects them by adding a new section that contains the viruscode.
It also copies itself into the root folders of removable drives using a random filename and creates an autorun.inf file to make sure it runs whenever it is inserted into another computer. It also disables most AV scanners by terminating their services/processes, disables Taskmanager, disables Regedit and much more to prevent it being detected or disinfected.
In this case, the user had an USB flashdrive and used it to transfer removal tools etc in order to remove this infection, since no scanners would work. What happened was, since this virus also spreads via removable media, his USB flashdrive became infected > result > His other computer was infected as well!

* Computer gets infected with W32/AutoRun-OY - This one also spreads via removable drives. This computer is used at home and every user has its own account. Mom, dad, son and daughter. Son loves to play games, but also loves to download games + cracks via illegal resources.
And that's how the computer at home gets infected with W32/AutoRun-OY. No detection since the Antivirus application that was installed was only a trial and was already expired for more than a year. Dad works for a big company and he tranfers his database+files from the computer at work to an USB flashdrive so he can proceed with his work at home.
The usb flashdrive gets infected when he inserts it into the infected computer at home. Since no scanner (because it's outdated) gives an alert and blocks the malware, there's no sign that the computer + Flashdrive is infected.
Dad goes back to work, inserts the flashdrive into his computer at work and... it gets infected as well. No alert, nothing! It appears that the computer at work didn't even have an Antivirus installed !! And, worst part of all was... Virut was also present! See here for more info. This is imho a lost case, and especially for business owned computers, it is irresponsible to clean this up manually. Format and reinstall is the fastest and especially the safest solution here.
So, who is to blame here? Imho, everyone is. The son who is responsible for visiting illegal sites in order to download his games + cracks, plus the fact that the Antivirus was outdated, plus the fact that dad uses an USB flashdrive containing corporate information and inserts it into the personal computer (see here how to protect your data), plus the fact that the computers at work didn't even have any protection/AV installed.
Anyway, this is so irresponsible, especially when company owned computers are involved.

* And today, I have another case where someone gets infected with W32/AutoRun-OY, where mom uses an usb flashdrive to transfer files to use at work and is already complaining about the fact that there are "problems". This thread is still in progress and I really hope this isn't a lost case.

No wonder the Military bans disks and USB drives

This appears to be a common problem nowadays - that's why it is so important to prevent spreading similar infections by disabling Autorun.

To disable autorun, please read the following tutorials:

http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/ (applies for XP Pro since XP Home has no gpedit.msc present)
http://www.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/ (aplies for XP Home. Same can be used for XP Pro)
http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/ (applies for Vista)

Some malware removal tools already disable Autorun by default. Don't complain about this. This is an extra security measure and you should have it disabled. If you really want to enable this again - then it's your own responsibility. Don't complain afterwards if you get infected and are responsible for infecting a lot of other computers as well.

Update: Extra instructions to disable autorun (by US CERT) can be found here.

And another Paypal Phish...

noreply@blogger.com (miekiemoes) — Wed, 19 Nov 2008 17:40:00 +0000

This is a mail I received in my mailbox one hour ago:

For your protection, we have limited access to your account until additional security
measures can be completed. We apologize for any inconvenience this may cause.

To review your account and some or all of the information that Pay Pal
used to make its decision to limit your account access, please visit the Resolution Center.

We encourage you to log in and restore full access as soon as possible. Should access to your
account remain limited for an extended period of time, it may result in further limitations on
the use of your account or may result in eventual account closure.

----------------------------------------------------------------------------------------------

Click here to resolve the problem.

----------------------------------------------------------------------------------------------

Sincerely,
PayPal Account Review Team

Click to enlarge

After I clicked the link, I was presented with this fake page:

Click to enlarge

Ok, let's enter "my" Email Address and PayPal Password to Log In.

Click to enlarge

The usual Logging in screen, which then opened the following page:

Click to enlarge

They don't only want your Paypal Password, but as you see, A LOT of other information as well - Card number, Expiration date, Card verification number, Pin number and Bank name.

Anyway, if you became a victim of this Phish, contact Paypal and your Bank immediately and change your Paypal Password asap!

MSN Virus!! No scanners detect it!!!!

noreply@blogger.com (miekiemoes) — Sun, 16 Nov 2008 00:34:00 +0000

This is a common subject I see in forums lately.
People are complaining about an "MSN Virus" and no scanners can detect it.
This so called "MSN Virus" is responsible for sending links to their contacts list.
Yes, there are indeed some worms, spreading via messenger and infecting your computer, for example the IRCBOT-RB Trojan and many other variants.

However, this one is totally different... and is actually already going on for a while...

It appears that many aren't aware of this one yet, because I still see so many threads in forums where many AV scanners and other scanners were being used > result > no detections, no strange files, no strange loading points etc..
Long threads with no ending since they can't find the main cause.

Actually, the main cause is very simple - The login/password of the MSN account was gathered because they entered that info via the link they received once.
This is an example of a link they receive:

More detailed info from some older blogposts:
http://phatybomb.blogspot.com/2008/04/how-to-solve-this-pesky-msn-virus.html
http://blog.spywareguide.com/2008/06/another-site-asking-for-msn-lo.html

Links may be different, but the scenario is still the same.

If you click that link, your browser will open and you are presented with a webpage where it prompts you to enter your MSN Login and Password to proceed.
Ofcourse, the only purpose here is to gather your Login and password so they can (ab)use it to log in into your account and send the same link to your other contacts.
In this case, your computer isn't infected which explains why scanners won't find a thing.

Solution is simple: Change your MSN password.

As I said, this one is already going on for a while - but in the last couple of days, I see more and more threads in forums about this one - endless threads with several different logs which won't show anything.
That's why, if you think you're dealing with a similar "infection", change your password first and see if that solves your problem. If not, then make sure your Antivirus Scanner is up to date and perform a full scan with it.

Congrats Belsec!

noreply@blogger.com (miekiemoes) — Tue, 11 Nov 2008 11:31:00 +0000

For the people who don't know Belsec, check out the blog here: http://belsec.skynetblogs.be
Today, Belsec exists 1 year - Happy Birthday!!!

Some exclusive articles, free stuff and other goodies will be posted there this week, so make sure you don't miss it.

Meet the Medion Family

noreply@blogger.com (miekiemoes) — Mon, 03 Nov 2008 08:15:00 +0000

A picture of my "Workplace"...

That was a stupid thing to say

noreply@blogger.com (miekiemoes) — Mon, 27 Oct 2008 12:32:00 +0000

I was helping someone yesterday with a SEVERLY infected computer. This computer was infected for at least 1 year since older malware was still active and running, with on top, newer malware including a File infector, some backdoors, random adware and god knows what else...
So you can imagine there wasn't much we could do about it, this computer was TOAST.
Then this user told me that he was actually PROUD of the fact that he managed to get 4 different computers infected/damaged in a short period of time.
Excuse me?

That's where I ended my support - told him to format and reinstall Windows and never use a computer anymore.

This is once again an example why some people should be restricted to use computers and is a perfect addition to my previous rant: "The Neverending story".
Oh, and yes, I do agree with Eugene's Final thoughts - with the addition that Internet access should be restricted for such people as in above example.