What is a Distributed Denial of Service (DDoS) Attack and What Can I Do About It?

Have you ever tried to make a telephone call but couldn’t because all the telephone circuits were busy? This may happen on a major holiday and often happens on Mother’s Day. In fact, in the United States, telephone companies used to air commercials on television and radio that suggested you avoid peak calling times by making your calls early or late in the day.

The reason you couldn’t get through is because the telephone system is designed to handle a limited number of calls at a time. That limit was determined by weighing the cost of having all calls get through all the time with the amount of traffic the system receives. If the total number of calls is always high, it makes economic sense for the telephone company to provide more capacity to match that demand. However, if the number of calls is low compared to the holiday peaks, then the telephone company will build networks that accommodate only the lower off-peak number of callers and advise their customers to avoid peak calling times. It’s a basic matter of supply and demand.

Imagine that an intruder wanted to attack the telephone system and make the system unusable by telephone customers. How would they do this? One way would be to make call after call in an attempt to make all circuits busy. This type of attack is called a denial of service, or DoS, attack. In essence, the intruder has caused the telephone system to deny service to its customers. It is not likely that one caller working alone can tie up all telephone circuits. To do that would require making as many calls as possible from as many telephones as possible. This is called a distributed denial of service, or DDoS, attack.

Computer systems can also suffer DoS and DDoS attacks. For example, sending an extraordinary amount of electronic mail to someone could fill the computer disk where mail resides. This means that people who use the computer with the full disk cannot receive any new email until the situation changes. While this is an older style of DoS attack, it is still popular today.

In addition, intruders have turned their efforts toward denying people the services provided by networked computers. Examples of frequently attacked services are the World Wide Web, file sharing services and, more recently, the Domain Name Service. Because so many of our computers are connected through the Internet, attacking one of these services can have a significant impact on the whole Internet community. For example, by launching a DoS attack on a popular merchant during a high sales period, the intruder affects not only that merchant, but everyone who is then unable to buy their products.

To deny these services to prospective users of a computer service, intruders run specially written computer programs that send extraordinary volumes of Internet “calls” to one of the computers that provides that service, similar to the way that an intruder can tie up the telephone system.

When a computer answers such a call, most often there’s no one on the other end, so answering the call turns out to be a waste of time. Unfortunately, the attacked service cannot tell this in advance, so it has to answer all calls placed to it. Answering each call takes time, and there’s only so much time available. It’s the supply and demand issue all over again.

In addition, the volume of traffic may be so high that the networks connecting the attacking computers to the victim’s computer may also suffer from lower performance. Just like the telephone system and service computers, these networks cannot handle traffic beyond a certain limit. Users wanting services from computers on those networks are denied those services, too. Those networks are also considered victims of a DDoS attack.

How do intruders wage a DDoS attack against a victim’s computer?

First, they build a network of computers that will be used to produce the volume of traffic needed to deny services to computer users. We’ll call this an attack network.

To build this attack network, intruders look for computers that are poorly secured, such as those that have not been properly patched, or those with out-of-date or non-existent anti-virus software. When the intruders find such computers, they install new programs on the computers that they can remotely control to carry out the attack.

Intruders used to hand-select the computers that made up the attack network. These days, however, the process of building an attack network has been automated through self-propagating programs. These programs automatically find vulnerable computers, attack them, and then install the necessary programs. The process begins again as those newly compromised computers look for still other vulnerable computers. Once a DDoS program has been installed on a computer, that program identifies the computer as a member of the attack network. Because of this self-propagation, large attack networks can be built very quickly. A by-product of the network-building phase is yet another DDoS attack, because searching for other vulnerable computers creates significant traffic as well.

Once an attack network is built, the intruder is ready to attack the chosen victim or victims. Some information security experts believe that many attack networks currently exist and are dormant, passively waiting for the command to launch an attack against a victim’s computers. Others believe that once a victim has been identified, the attack network is built and the attack launched soon afterward.

To reduce their chances of being discovered, intruders distribute their attack across computers in different time zones, different legal jurisdictions, and with different systems administrators. Intruders also make the electronic traffic they create appear to be from a computer different from the one that actually created it. This is called IP spoofing, and it is a commonly used method to disguise where an attack is really coming from. If the source of the attack is unknown, it is difficult to stop it, giving intruders free rein with a high

What can be done about DDoS attacks?

There are no short-term solutions to eliminate DDoS attacks. Today’s best practices involve making computers and networks more resilient in the face of an attack. We call this survivability.

All systems have their limits. One way to make a system more survivable is to increase these limits; the more resources there are, the better the chances are that the system will survive an increased demand for use. To increase the telephone system’s limits, the telephone company adds more circuits. For a web service, the webmaster might increase the number of connections that a web service can accept; for example, a site could add more web servers. This spreads the increased load over more computers and helps to ensure that no one computer operates too near its limit. The higher the limits of all the potentially affected systems – the network and the computers on that network – the better the chances that network will survive a DDoS attack.

You can do your part to ensure that your computers are never part of a DDoS attack network by following security best practices:

Task 1 – Install and Use Anti-Virus Programs
Task 2 – Keep Your System Patched
Task 3 – Use Care When Reading Email with Attachments
Task 4 – Install and Use a Firewall Program
Task 5 – Make Backups of Important Files and Folders
Task 6 – Use Strong Passwords
Task 7 – Use Care When Downloading and Installing Programs
Task 8 – Install and Use a Hardware Firewall
Task 9 – Install and Use a File Encryption Program and Access Controls

Then, be alert to changes in your computer or network performance.

Computer Clarity | Making Computers Clear for you

Scareware

Google has analyzed 240 million web pages over a 13 month period and discovered that fake anti-virus programs account for 15 per cent of malicious software, according to a report by the BBC.

The study expresses surprise that people fall victim to these attacks and even hand over credit card details. The problem is that scareware doesn’t always come in one easy-to-recognize form.

Most users should have an up-to-date anti-virus suite on their computers, and so logically they should realize that they don’t need any more protection, but something obviously gets in the way of the user’s thought process when confronted with the dreaded dialogue box.

They don’t know the risk – the user may be from a vulnerable group and easily exploited, or they may be completely in the dark about computer security.

Apathy – the user may be at the end of a long day and just want to get on with what they logged on to do, clicking on anything to make the annoying box disappear.

Panic – scareware targets people in the safety and comfort of their own homes, throwing out alarming warning messages, offering to perform free system scans and bringing back even more alarming results.

Design – most programs aren’t designed to make saying ‘no’ easy. There may be no visible way to close the dialogue box down without clicking on an option.

Sometimes the only choice is to close the browser window down completely or use task manager to kill the process, which makes it more difficult to avoid for those who just want to be left alone.

The tendency is to click first and think later, which results in the installation of malware. So if something pops up on the screen that you’re not expecting to be there – don’t click it.

Recovering from Viruses, Worms, and Trojan Horses

Unfortunately, many users are victims of viruses, worms, or Trojan horses. If your computer gets infected with malicious code, there are steps you can take to recover.

How do you know your computer is infected?

Unfortunately, there is no particular way to identify that your computer has been infected with malicious code. Some infections may completely destroy files and shut down your computer, while others may only subtly affect your computer’s normal operations. Be aware of any unusual or unexpected behaviors. If you are running anti-virus software, it may alert you that it has found malicious code on your computer. The anti-virus software may be able to clean the malicious code automatically, but if it can’t, you will need to take additional steps.

What can you do if you are infected?

1. Minimize the damage – If you are at work and have access to an IT department, contact them immediately. The sooner they can investigate and clean your computer, the less damage to your computer and other computers on the network. If you are on your home computer or a laptop, disconnect your computer from the internet. By removing the internet connection, you prevent an attacker or virus from being able to access your computer and perform tasks such as locating personal data, manipulating or deleting files, or using your computer to attack other computers.

2. Remove the malicious code – If you have anti-virus software installed on your computer, update the virus definitions (if possible), and perform a manual scan of your entire system. If you do not have anti-virus software, you can purchase it at a local computer store. If the software can’t locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk that is often supplied with a new computer. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer. After reinstalling the operating system and any other software, install all of the appropriate patches to fix known vulnerabilities.

How can you reduce the risk of another infection?

Dealing with the presence of malicious code on your computer can be a frustrating experience that can cost you time, money, and data. The following recommendations will build your defense against future infections:

Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current.

Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. This includes passwords for web sites that may have been cached in your browser. Make the passwords difficult for attackers to guess.

Keep software up to date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.

Install or enable a firewall – Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer. Some operating systems actually include a firewall, but you need to make sure it is enabled.

Use anti-spyware tools – Spyware is a common source of viruses, but you can minimize the number of infections by using a legitimate program that identifies and removes spyware.

Follow good security practices – Take appropriate precautions when using email and web browsers so that you reduce the risk that your actions will trigger an infection.

As a precaution, maintain backups of your files on CDs or DVDs so that you have saved copies if you do get infected again.


Recognizing Email Scams

419 Advanced Fee Frauds

These schemes are quite elaborate and despite their somewhat preposterous appearance manage to hook a surprising number of victims. Essentially, these scams attempt to entice the victim into a bogus plot to acquire and split a large sum of cash.

Many perpetrators of this kind of fraud have been Nigerian citizens. Consequently, the name “419 scheme” is taken from the section of the Nigerian penal code that addresses fraud.

419 scams are recognizable by their subject lines, which frequently call for an urgent response or refer to a personal introduction, and sender names, which are frequently (though not always) African or African inspired. Examples of senders and subject lines include those in the list below. You should note, however, that these examples are merely a few of the many thousands of variations of names, subject lines, or stories used in these scams.

Sender                  Subject Line
usman bello             URGENT REPLY NEEDED
Charles Conneh          Re: Pleased to meet you!
Miss Kate Kasaka        Miss Kate Kasaka
Mr.Adnan A.K.Ismail     Cooperation
MR. Michael Okpala.     Good dey from MR. Michael Okpala.

A 419 advance fee fraud begins with an email that looks like this:

Date: Wednesday, August 24, 2008 5:55 PM -0700
From: “Mr. Henry Bassey Udoma” henrybassey_udoma@example.com.ar
To: mrtarget@example.com
Subject: From: Henry (Regarding Dr. H. Paul Jacobi)

From: Henry (Regarding Dr. H. Paul Jacobi)

Hello,

I am sending you this private email to make a passionate appeal to you for assistance. Kindly accept my apology for contacting you this way and forgive me if this is not acceptable to you. My name is Henry Bassey Udoma; I am an auditor at one of the Nigerian Banks. On Tuesday, 19 January, 2006, one Dr. H. Paul Jacobi a foreigner, made a numbered time (Fixed) Deposit, valued at £10,550,000.00 (Ten Million, Five Hundred and Fifty Thousand Pounds) for twelve calendar months in my Bank Branch.

Upon Maturity, we sent a routine notification to his forwarding address but got no reply. After a month, we sent a reminder and finally we discovered from his company that Dr. Paul A. Jacobi was aboard the Egypt Air Flight 990, which crashed into the Atlantic Ocean on October 31, 2006. After further investigation, it was discovered that he died without making a WILL and all attempts to trace his next of kin proved abortive….

These schemes work by getting the victim to take the initial bait, then slowly convincing him or her of the legitimacy of the plot through a series of forged documents, carefully crafted communications, and even visits by the victim to the country of origin for meetings with bogus “officials” in phony “government offices.” At key junctures in the scam, the perpetrators will ask the victim to advance them money to pay bogus fees or bribes. Additionally, they may extract what amounts to an extortion payment by threatening to cut the victim out of the plot. Once the perpetrators believe they’ve gotten all they could from the victim, they cut off communication and vanish.

In short, if you discover an email in your inbox proposing a complicated arrangement to secure and split funds in a foreign land, you can safely assume someone is trying to ensnare you in a 419 scam.

What You Can Do to Avoid Becoming a Victim

Filter Spam

Because most email scams begin with unsolicited commercial email, you should take measures to prevent spam from getting into your mailbox. Most email applications and web mail services include spam-filtering features, or ways in which you can configure your email applications to filter spam. Consult the help file for your email application or service to find out what you must do to filter spam.

You may not be able to eliminate all spam, but filtering will keep a great deal of it from reaching your mailbox. You should be aware that spammers monitor spam filtering tools and software and take measures to elude them. For instance, spammers may use subtle spelling mistakes to subvert spam filters, changing “Potency Pills” to “Potençy Pills.”
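The two filtering ideas on this page, recognizing 419 cues in the sender and subject lines listed earlier and matching keywords only after folding look-alike characters such as “Potençy”, as an added example (not code from the original article or from any mail product); the cue lists, the scoring threshold and the sample messages are assumptions for illustration:

```python
import re
import unicodedata

# Added example. Cues are drawn from the 419 subject lines and the sample email
# shown above; the lists and the threshold below are assumptions, not a
# production rule set.
URGENCY_PHRASES = ("urgent reply", "urgent response", "pleased to meet you")
SPAM_KEYWORDS = ("potency pills",)
MONEY_RE = re.compile(r"(?:£|\$|€|usd|gbp)\s?\d[\d,]*(?:\.\d+)?")
ADVANCE_FEE_RE = re.compile(
    r"\b(next of kin|deposit|bank|assistance|confidential|split)\b")

# Constructed excerpt modelled on the Udoma email quoted above.
SAMPLE_419_BODY = (
    "I am sending you this private email to make a passionate appeal to you for "
    "assistance. My name is Henry Bassey Udoma; I am an auditor at one of the "
    "Nigerian Banks. One Dr. H. Paul Jacobi, a foreigner, made a numbered time "
    "(Fixed) Deposit, valued at £10,550,000.00 in my Bank Branch. All attempts "
    "to trace his next of kin proved abortive."
)


def normalize(text):
    """Fold accented look-alikes (ç -> c) and collapse whitespace so that
    "Potençy  Pills" compares equal to "potency pills" before matching."""
    decomposed = unicodedata.normalize("NFKD", text)
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"\s+", " ", folded).strip().lower()


def score_message(sender, subject, body):
    """Return the triggered cues and a verdict for one message.

    A single spam keyword is enough on its own; the 419 cues are weaker
    individually, so two of them are required (assumed threshold)."""
    n_sender, n_subject, n_body = (normalize(x) for x in (sender, subject, body))
    reasons = []
    if any(p in n_subject for p in URGENCY_PHRASES):
        reasons.append("urgency phrase in subject")
    if subject.strip() and subject.strip().isupper():
        reasons.append("all-caps subject")
    if n_sender and n_sender in n_subject:
        # e.g. subject "Miss Kate Kasaka" from sender "Miss Kate Kasaka"
        reasons.append("sender name echoed in subject")
    if MONEY_RE.search(n_body):
        reasons.append("currency amount mentioned")
    if len(set(ADVANCE_FEE_RE.findall(n_body))) >= 2:
        reasons.append("advance-fee vocabulary")
    if any(k in n_subject or k in n_body for k in SPAM_KEYWORDS):
        reasons.append("spam keyword")
    suspicious = "spam keyword" in reasons or len(reasons) >= 2
    return {"reasons": reasons, "suspicious": suspicious}


if __name__ == "__main__":
    samples = [
        ("usman bello", "URGENT REPLY NEEDED", ""),
        ("Mr. Henry Bassey Udoma",
         "From: Henry (Regarding Dr. H. Paul Jacobi)", SAMPLE_419_BODY),
        ("shop", "Potençy Pills on sale", ""),
        ("Alice Smith", "Lunch tomorrow?", "Are we still on for noon?"),
    ]
    for sender, subject, body in samples:
        print(subject, "->", score_message(sender, subject, body))
```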

Regard Unsolicited Email with Suspicion

Don’t automatically trust any email sent to you by an unknown individual or organization. Never open an attachment to unsolicited email. Most importantly, never click on a link sent to you in an email. Cleverly crafted links can take you to forged web sites set up to trick you into divulging private information or downloading viruses, spyware, and other malicious software.

Spammers may also use a technique in which they send unique links in each individual spam email. Victim 1 may receive an email with the link <http://dfnasdunf.example.org/>, and victim 2 may receive the same spam email with the link <http://vnbnnasd.exaple.org/>. By watching which links are requested on their web servers, spammers can figure out which email addresses are valid and more precisely target victims for repeat spam attempts.

Remember that even email sent from a familiar address may create problems: Many viruses spread themselves by scanning the victim computer for email addresses and sending themselves to these addresses in the guise of an email from the owner of the infected computer.

Treat Email Attachments with Caution

Email attachments are commonly used by online scammers to sneak a virus onto your computer. These viruses can help the scammer steal important information from your computer, compromise your computer so that it is open to further attack and abuse, and convert your computer into a ‘bot’ for use in denial-of-service attacks and other online crimes. As noted above, a familiar “from” address is no guarantee of safety because some viruses spread by first searching for all email addresses on an infected computer and then sending themselves to these addresses. It could be that your friend’s computer is infected with just such a virus.

Use Common Sense

When email arrives in your mailbox promising you big money for little effort, accusing you of violating the Patriot Act, or inviting you to join a plot to grab unclaimed funds involving persons you don’t know in a country on the other side of the world, take a moment to consider the likelihood that the email is legitimate.

Install Antivirus Software and Keep it Up to Date

If you haven’t done so by now, you should install antivirus software on your computer. If possible, you should install an antivirus program that has an automatic update feature. This will help ensure you always have the most up-to-date protection possible against viruses. In addition, you should make sure the antivirus software you choose includes an email scanning feature. This will help keep your computer free of email-borne viruses.

Install a Personal Firewall and Keep it Up to Date

A firewall will not prevent scam email from making its way into your mailbox. However, it may help protect you should you inadvertently open a virus-bearing attachment or otherwise introduce malware to your computer by following the instructions in the email. The firewall, among other things, will help prevent outbound traffic from your computer to the attacker. When your personal firewall detects suspicious outbound communications from your computer, it could be a sign you have inadvertently installed malicious programs on your computer.

Learn the Email Policies of the Organizations You Do Business With

Most organizations doing business online now have clear policies about how they communicate with their customers in email. Many, for instance, will not ask you to provide account or personal information via email. Understanding the policies of the organizations you do business with can help you spot and avoid phishing and other scams. Do note, however, that it’s never a good idea to send sensitive information via unencrypted email.

Configure Your Email Client for Security

There are a number of ways you can configure your email client to make you less susceptible to email scams. For instance, configuring your email program to view email as “text only” will help protect you from scams that misuse HTML in email.


Copyright Infringement Lawsuit Email Scam

These emails, which appear to come from seemingly legitimate law firms, indicate that someone has filed a copyright lawsuit against the message recipient. The messages may contain malicious attachments or web links. If a user opens the attachment or follows the link, malicious code may be installed on the user’s system.

Overview

An email is being sent out warning the recipient of a “Copyright Lawsuit filed against you.” We received a copy here, and a number of .EDUs have reported its receipt. It looks something like this:

March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013

To Whom It May Concern:

On the link below is a copy of the lawsuit that we filed against you in court on March 11, 2010.
Currently the Pretrial Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36.
The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infringement that our client Touchstone Advisories Inc is a victim of Copyright infrigement
hXXp://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc
Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.

Sincerely,

Mark R. Crosby
Crosby & Higgins LLP

The law firms named in the email, header, and sending server all appear to be a mish-mash of existing firms.

If a user clicks on the link and opens the document, it will attempt to download an additional payload.

Initial Detection

Currently only a few AV solutions detect the initial document: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269486837

Behavioral Notes

Following Daniel’s process (http://isc.sans.org/diary.html?storyid=6703) one could extract the executable and determine what it’s up to.

It appears to reach out to 121.14.149.132:80 to make a request similar to:

GET /fwq/indux.php?U=1234@1014@1@0@0@c791d4a4a147b2cd1843fe4f7f27f3a1df63f95daf0c3ddcd5f1b1e4538fd803
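A proxy-log check for the beacon described above, as an added example that is not from the original post: the address and the request shape are the ones in the behavioral notes, while LOG_LINES is a constructed, simplified log (“time client method url status”), not a real capture, and the meaning of the @-separated fields is not known from the page:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example. The address and URI shape come from the behavioral notes on
# this page; the log lines and their format are constructed for illustration.
KNOWN_C2_ADDRESS = "121.14.149.132"
BEACON_PATH_RE = re.compile(r"/indux\.php$")
# five numeric fields followed by a 64-character lowercase hex string
BEACON_U_RE = re.compile(r"^\d+@\d+@\d+@\d+@\d+@[0-9a-f]{64}$")

LOG_LINES = [
    "2010-03-25T10:01:02 10.1.1.7 GET http://www.example.com/index.html 200",
    "2010-03-25T10:01:09 10.1.1.7 GET http://121.14.149.132/fwq/indux.php"
    "?U=1234@1014@1@0@0@"
    "c791d4a4a147b2cd1843fe4f7f27f3a1df63f95daf0c3ddcd5f1b1e4538fd803 200",
    # constructed variant: same beacon shape on a different host
    "2010-03-25T10:02:11 10.1.1.9 GET http://cdn.example.net/x/indux.php"
    "?U=7@1014@1@0@0@" + "ab" * 32 + " 200",
    "2010-03-25T10:03:00 10.1.1.7 GET http://121.14.149.132/favicon.ico 404",
]


def analyze_line(line):
    """Return a finding for one log line, or None if nothing matched.

    Two independent signals are checked so that a change of hosting address
    (address signal lost) or of path (URI signal lost) still leaves one."""
    try:
        _ts, client, _method, url, _status = line.split()
    except ValueError:
        return None  # malformed line; a real tool would log this
    parts = urlsplit(url)
    reasons = []
    if parts.hostname == KNOWN_C2_ADDRESS:
        reasons.append("known C2 address")
    u_values = parse_qs(parts.query).get("U", [])
    beacon_values = [v for v in u_values if BEACON_U_RE.match(v)]
    if BEACON_PATH_RE.search(parts.path) and beacon_values:
        reasons.append("beacon URI pattern")
    if not reasons:
        return None
    finding = {"client": client, "url": url, "reasons": reasons}
    if beacon_values:
        # split for the analyst; field semantics are not known from the page
        finding["fields"] = beacon_values[0].split("@")
    return finding


def scan_log(lines):
    """Run analyze_line over a log and keep only the hits, in order."""
    return [f for f in map(analyze_line, lines) if f is not None]


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit["client"], hit["reasons"], hit["url"])
```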


Weekly Report on Viruses and Intruders 1/22/10

This week’s PandaLabs report looks at a worm, a Trojan and a new fake antivirus.

TwittWorm.A is a worm that uses Twitter and Messenger in order to spread, sending a malicious message to all contacts of the infected user. These messages appeal to the curiosity of users, with subjects such as “I just got a piercing and you’ll never guess where! Take a look at the photo.” or “You’re going to be mad at me for sending you this photo, but you NEED to see it :3”. The worm edits the registry so the system cannot be restored or started in safe mode. It also makes a series of changes to the hosts file to prevent users from accessing certain Web pages, particularly those related to antivirus companies.

Another feature is that it prevents the running of certain programs for viewing active processes or monitoring network traffic. TwittWorm.A also spreads through USB devices, creating an autorun.inf to automatically infect computers on connection. To protect these types of devices, Panda Security has launched Panda USB Vaccine, which can be downloaded free from: http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
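A check for the hosts-file tampering described above, as an added example that is neither Panda’s code nor the worm’s: SAMPLE_HOSTS is a constructed hosts file in which one line mimics the blocking of an antivirus site, and the vendor-name patterns are an assumed watch-list for illustration.

```python
import ipaddress
import re

# Added example. The hosts content is constructed; only www.pandasecurity.com
# is a name taken from this page. Pattern list is an assumption.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.pandasecurity.com           # injected entry (constructed)
0.0.0.0         updates.antivirus-vendor.test   # constructed vendor host
10.0.0.5        intranet.corp.example           # ordinary admin-added entry
"""

SECURITY_NAME_RE = re.compile(r"antivirus|virus|pandasecurity", re.IGNORECASE)
# Names that legitimately point at loopback in a stock hosts file.
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                     "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_number, ip_address, [hostnames]) for each usable entry,
    skipping blank lines, comments and lines whose address does not parse."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield lineno, ip, parts[1:]


def is_sinkhole(ip):
    """127.0.0.0/8, ::1 and 0.0.0.0 make a name unreachable."""
    return ip.is_loopback or ip.is_unspecified


def find_suspicious_entries(text):
    """Flag names that match a security-vendor pattern, and any non-local
    name pointed at a sinkhole address (the worm's blocking technique)."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            lowered = name.lower()
            if lowered in LEGIT_LOCAL_NAMES:
                continue
            reasons = []
            if SECURITY_NAME_RE.search(lowered):
                reasons.append("security-vendor name overridden")
            if is_sinkhole(ip):
                reasons.append("non-local name sinkholed")
            if reasons:
                findings.append({"line": lineno, "ip": str(ip),
                                 "host": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({', '.join(f['reasons'])})")
```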

Sinowal.WTF is a keylogger Trojan, designed to capture keystrokes with the aim of stealing passwords and other information from infected systems. This Trojan reaches computers through an email claiming to have been sent from MySpace.

(see image on Flickr: http://www.flickr.com/photos/panda_security/4293518692/)

The message warns victims about a change to the user’s password and contains a .zip file attachment which supposedly contains the new password. The attached file, once extracted, has an Excel icon, but is really malware. When run, the system is infected and the icon disappears.

Finally, GhostAntivirus is a new strain of fake antivirus. As with other malware of this kind, it tries to fool users by displaying false infections, remote connections and vulnerabilities that do not exist.

(see image on Flickr: http://www.flickr.com/photos/panda_security/4292776611/)

If users fall for the trap, they are directed to a screen where their credit card details are requested to carry out the transaction.

(see image on Flickr: http://www.flickr.com/photos/panda_security/4293518638/)

This way, as well as obtaining money for a service that will never be provided, cyber-crooks steal users’ credit card details.


How Our Technicians Protect Your Computer

How Our Technicians Secure Your Computer with our Clarity Shield Services

In this video, I will demonstrate how our technicians protect your computer’s security with our Clarity Shield Services.

Preventing Viral Infections: How To Not Get A Computer Virus

Three Rules To Prevent Computer Virus Infections

First Rule: Read Your Computer Screens.

Read the window that pops up on your computer screen before you hit “Okay”, “Cancel”, “Run”, “Yes”, “No”, or even “Maybe”! People are like monkeys. Any monkey can be trained to hit a button to get what it wants. We have been trained with a Pavlovian response to hit a button, get something out of our face, and then we get what we want. Every virus writer knows this! Most viruses don’t get you because of sophisticated programming code. They get you with social engineering. They get you because they know that most humans don’t think. Like monkeys, most humans will hit the button until we get what we want, regardless of what that button really does. So, many of the viruses I am hired at expensive rates to remove are installed by the user because they were tricked into hitting a button without reading the screen. But the really insidious part of this scenario is that one screen is often a EULA (End User License Agreement). This is a legally binding contract that, by hitting the “Okay” button, affirms your agreement to the terms and conditions of proceeding with the installation. In other words, even if you knew the person who did this to you and you had them in court in front of a judge, you could not hold them liable for the damage to your computer system because you legally agreed to the installation that caused the damage. They screwed ya, and you legally asked for it. You must read your screens!

Second Rule: Google Everything.

Now, this doesn’t mean that you must use Google; any search engine will do. But anything that you don’t understand… Google it! This can apply to any of life’s issues in today’s world, but in this context, if you read your screens and you come across a company you don’t know, a program you don’t recognize, or a message that just doesn’t make any sense to you… GOOGLE IT! If the company, its software, or its messages are legitimate, your Google search will reveal information supporting its legitimacy. If it is a fake trying to trick you into a disaster, you will see thousands of websites all saying how bad it is and all of the problems it causes. You don’t need to read any further; in a heartbeat, you know to close every window before this thing really gets you into trouble. Read this article: One of The Most Common Infection Tactics Today, for instructions on closing dangerous windows.

Third Rule: Maintain, Trust, and use YOUR Antivirus Properly.

This involves a few things. First, just like the lock on your front door, if it isn’t installed properly, maintained properly, and used properly, it won’t keep bad guys out. Installed properly is fairly obvious. If there is an error during installation, it ain’t werkin. Remove the antivirus, reinstall it, or pick a different one. Maintaining the security system properly matters just as much. If the subscription runs out or the software stops updating, it is not properly maintained. Just like the lock on your front door, if the screws are hanging out, it ain’t protecting you. Fix it or you will have an intrusion. Second, trust YOUR security system. This is like your computer’s security guard company. If your house is guarded by Brink’s Home Security, you wouldn’t trust a guy from ACME Security Systems to come and fix a security problem, but this is exactly what happens. Some fake antivirus warning pops up in front of your face warning you of all of these infections, but if it is not YOUR antivirus, RUN!!! Third, use your security system properly. If you have a lock on your front door that you never lock and you invite anyone who knocks to “come on in”, no lock can protect you. Using your antivirus properly means that you do not invite everyone in and that you scan everything that you download before you run it. If you don’t use your antivirus properly, you will get infected and your computer will die. Just like the lock on your front door, it’s only a matter of time until a bad guy tries to open it.

These are the three rules to avoid getting a virus on your computer. These are the three rules that, if everybody followed them, would cost me 80% of my computer repair business overnight. But these are the three rules that so few people follow, so my job is secure. Keep breaking these rules and, as a computer repair technician, I’ll always have work. But if you can follow these rules, I can finally stop that insanity and do something I really like. So, be smart, be careful, and be virus free.
