Vectors & Interfaces
The networking specialist
Mail admins, be wary of failed AUTH LOGIN attempts on your mail server

August 2007

With the large number of dynamic broadband IPs blocked by mail servers, spammers are hacking legitimate mail servers in an attempt to get an alternative avenue to send out spam.

Beware of spammers attempting to authenticate themselves by logging in as users in your domain. Change all single-English-word passwords to something illegible, or combine them with special characters like %*+!, etc.

Some of the common passwords that they try:

hr
leader
info
master
manager
super
passwd
password
pass
root
rsb
webmaster
test
!@#$%^&*
%null%
%username%
%username%12
%username%123
00000000
2006
2007
2008
222
1
111
111111
123
1234
12345
123456
1234567
12345678
333
654321
54321
888888
88888888
Secretary
company
ceo
anonymous
admin
administrator
demo


Many of the above passwords I've seen in use by actual users of domains I've encountered.

Passwords like %username%, %username%12 and %username%123 are meant to be replaced by the automated script with the actual email user names, but the brain-dead script written by its likewise brain-dead programmer doesn't function as it should.
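As an added example (not from the original post), here is detection logic for the failed AUTH LOGIN attempts described above. It assumes Postfix/Cyrus-SASL style log lines, constructed below, and flags a client IP only once it reaches a threshold of failures inside a sliding time window, so a legitimate user mistyping a password once is not reported.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Postfix/Cyrus-SASL log style (the format is an assumption;
# the write-up does not name the mail server). One client hammers AUTH LOGIN,
# another fails twice far apart, and one authenticates successfully.
SAMPLE_LOG = """\
Aug 12 03:14:01 mx postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Aug 12 03:14:03 mx postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Aug 12 03:14:04 mx postfix/smtpd[2212]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Aug 12 03:14:06 mx postfix/smtpd[2213]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Aug 12 03:14:09 mx postfix/smtpd[2213]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Aug 12 03:20:10 mx postfix/smtpd[2230]: warning: dsl-9.example.net[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Aug 12 03:21:11 mx postfix/smtpd[2231]: client=office.example.com[192.0.2.10], sasl_method=LOGIN, sasl_username=hr
Aug 12 03:31:00 mx postfix/smtpd[2240]: warning: dsl-9.example.net[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
"""

FAILED_AUTH = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: warning: "
    r"\S+\[(?P<ip>[\d.]+)\]: SASL LOGIN authentication failed"
)

def parse_ts(ts, year=2007):
    # syslog timestamps carry no year; assume one so entries can be ordered
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_auth_bruteforce(log_text, threshold=5, window_seconds=300):
    """Return {ip: peak_failures} for client IPs that reach `threshold`
    failed AUTH LOGIN attempts within any `window_seconds` sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if not m:
            continue              # successful logins and unrelated lines
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in find_auth_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed AUTH LOGIN attempts within 5 minutes")
```

Feed it the output of `grep "SASL LOGIN authentication failed" /var/log/maillog` and the flagged IPs are candidates for a temporary firewall block or for review against the dictionary list above.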

What is phishing? - March 2007

Phishing is basically an attempt by scammers to collect your login details for your bank and other financial organizations that have an online presence.

Most of this information phishing is done through spam. If your email client is set to read email in HTML format, you will see an image with the official logos and layout of the organization whose customers the phishers are targeting.

Among the many known phishing methods, the most popular one is the rock phish.

The URL generated by a rock phish is also unique in the sense that, although all the URLs used resolve to the same destination, each has a uniquely generated number embedded within it.

Domaintools.com is a tool to check the number of domains hosted on a particular IP address. If a victim falls for the phishing attempt, the scammer utilizes the information obtained in the following order:

Local banks are targeted as well. Some phishing attempts are specially crafted for Singapore banks like OCBC and DBS.

More info on phishing.

How to get removed from Spamcop's blacklisting? - 16th Oct 2006

You could have erroneously enabled the box trapper or the autoresponder option for your email addresses permanently.

What happens is probably that the spammers send emails to your email addresses, which they know will auto-respond with a message, using Spamcop's known spamtrap addresses as the return addresses for these mails.

Once your autoresponder has replied to the spamtraps too often, you will get yourself blacklisted.

This is done by the spammers firstly to generate anger against Spamcop and secondly to cause enough legitimate domains to be blacklisted to generate distrust towards Spamcop as a reliable source of blacklisted IP addresses.

Embedded Web Font Vulnerability

Another new vulnerability in IE was discovered on 10th Jan 2006: embedded web fonts causing remote code execution. Visiting a malicious site could allow its operators to take control of your system.

Affected systems need to update IE with the patch offered at http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx.

Workaround offered by Microsoft for older versions of Windows that are no longer supported: set Font Download to Disable or Prompt in your Internet and Local Intranet zone settings under Internet Options / Security.

New Microsoft vulnerability on IE - 5th Jan 2006

New virus targeting the .WMF file vulnerability

A more recent case of a typical job scam

Email reads as follows:

Subject: Need people with time ASAP
Are you really looking for a job? Maybe you looking for just additional money you can earn? Or you are in need of money real bad? You're a student and you need a good job ? You found it!
Our company welcomes people who wants to work, with enthusiasm, all over the world. You will not have any problem with money ever if you will work with us. If you're ready then start right ahead and you will get paid with a stable salary.
Employee requirements:
1. Age 18-45 y/o.
2. Enthusiastic/Workaholic.
3. Little computer kowledge.
4. NO school degree required.
If you're satisfied with requirements then you can start right ahead and make a registration on our website, you will get your own working account . www.fastjobseek.org click "Register" . After registration we will contact you and our advisors will provide you with information and your account information, login and password.

These are just job scams where you become a tool to help scammers launder the money they steal from compromised accounts. People who are tricked into believing that there is such an online job become "money mules": they help cover the tracks of the scammers by withdrawing money from the accounts of scam and phishing victims and then transferring it to the scammers/phishers via anonymous methods such as Western Union.

Thus when the law catches up, the money mules are the ones getting arrested and having their bank accounts frozen, while the scammers remain untraceable.

The preferred hosting provider for such fake job sites is Yahoo hosting, probably because they are too big to act fast on such sites and also because a hosting package is easily set up with stolen credit card details.

W32.Sober.X@mm!zip

Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison

The attachment contains Sober.X in a zip file. An infected host opens port 80, ready to send out spam, and also continuously propagates itself to the email addresses in the contact list or address book.

Sony Distributing Spyware

Sony, in its futile digital rights management efforts, has taken to playing dirty with its music CDs. Multiple security sources are confirming the existence of spyware in the form of rootkits on Sony's music CDs. This behavior is unethical in the eyes of many, and its legality may be questionable as well.

This unethical behavior by Sony shows the lengths companies are willing to go to protect their music. Passing around malware in the form of rootkits could create real problems for many computer users and possibly leave them susceptible to other hackers in the future. The whole purpose of this rootkit is to be sneaky and stick stuff in that they don't want you to know about.

F-Secure went on to say Sony BMG is using the rootkit-based DRM (Digital Rights Management) program on some CDs sold in the U.S., and the system may have been in use since March 2005.

Source: Security Pro News

When a flaw is known, exploits will be available just as quickly.

Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.

Sony's announcement came one day after leading security companies disclosed that hackers were distributing malicious programs over the Internet that exploited the antipiracy technology's ability to avoid detection. Hackers discovered they can effectively render their programs invisible by using names for computer files similar to ones cloaked by the Sony technology.

Source: Yahoo News

More information about XCP.Sony.Rootkit

The rootkit techniques make Sony's (DRM) program virtually undetectable on Windows systems.

What is rootkit technology? - Rootkits are a technology that can hide any trace of themselves and can hide other software, files, data, etc. running on a PC. Rootkits therefore compromise your PC's security by enabling undetected access to it by intruders.

How does it affect my computer? - Rootkit technologies, like the one deployed by Sony on some of its music CDs, can be abused by malicious hackers to hide their own programs on your computer without your knowledge. This makes it seem as if attacks are coming from your PC not theirs.

This would seem mild, as in our opinion rootkits were supposed not just to hide programs but also to allow root (administrator) access to the compromised machines.

How do I uninstall it? - Even sophisticated PC professionals have a hard time removing Sony's rootkit manually. Fortunately, CA's eTrust PestPatrol detects and removes Sony's rootkit technology during its normal software installation process.

Does eTrust PestPatrol remove Sony's entire rootkit? - eTrust PestPatrol detects and removes the harmful elements of Sony's rootkit technology including:

  • The Rootkit itself (that's the part that hides files)
  • The installer
  • The patch installer
  • The media player

CA is actively working towards giving PestPatrol the ability to safely remove the entire rootkit, including the XCP.Sony.Rootkit portion. This remaining feature of Sony's rootkit protects them against music piracy. While this feature limits your ability to share your Sony music, it does not compromise your PC's security.

New Worm Hits Windows

August, 2005

Affects: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP, but Windows 2000 most seriously

The worm hits a security hole closed by the following critical update released last week, which may not yet have been rolled out by administrators on their networks.

Security Update for Windows 2000 (KB899588)

Overview: A security issue has been identified in the Plug and Play service that could allow an attacker to compromise your Microsoft Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Download the update here

Zotob.a and Zotob.b are the first variants of a new worm which uses the MS05-039 vulnerability as a means of propagation.

Zotob.a then makes a copy of itself on the system named %System%\botzor.exe, and Zotob.b copies itself as %System%\csm.exe. Each then adds the appropriate value to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices registry keys:

"WINDOWS SYSTEM" = "botzor.exe" (Zotob.a) or "csm Win Updates" = "csm.exe" (Zotob.b)

It then sets the value "Start" = "4" in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess in order to disable the Windows Shared Access service.

To clean an infected machine:

  • update your Windows 2000,
  • restart in Safe Mode and remove the above registry entries,
  • search for and remove botzor.exe or csm.exe,
  • restart the system,
  • press Ctrl-Alt-Del and look for any suspicious process,
  • terminate it,
  • update your virus definitions and
  • do a thorough scan of your system.

The worm spreads via TCP 445, which is by default blocked on the WAN port except for those with leased lines and public IPs. Thus it won't affect most companies (even those that may not have patched their systems) that have none of the following:

  • remote access for users,
  • guest users from outside the network,
  • mobile users on the network,
  • unsecured wireless networks.

This worm hits machines in the local subnet, so once a single node is infected, all the rest within the network will be infected as well unless port 445 is firewalled on them.

Home users are likely to be affected if they connect to the Internet directly via their cable or ADSL modems without a firewall, as all ports on their system will then be exposed to attack.
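As an added triage example (not from the original write-up), the following checks an exported copy of the three registry keys above for the Zotob persistence values and the disabled SharedAccess service. It assumes the keys were dumped with `reg export` and read as text; the sample export below is constructed, and only the indicators named in the write-up are matched.

```python
# Constructed `reg export` of the keys named in the write-up for an infected
# host; the sample is made up here, the indicators come from the text above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="botzor.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

CURRENT_VERSION = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
RUN_KEYS = (CURRENT_VERSION + r"\Run", CURRENT_VERSION + r"\RunServices")
SHARED_ACCESS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
# "WINDOWS SYSTEM"="botzor.exe" is Zotob.a, "csm Win Updates"="csm.exe" is Zotob.b
ZOTOB_RUN_VALUES = {"WINDOWS SYSTEM": "botzor.exe", "csm Win Updates": "csm.exe"}

def parse_reg_export(text):
    # -> {key.lower(): {name: value}}; strings lose quotes, dword:XXXXXXXX -> int
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith('"'):
                value = raw.strip('"').replace("\\\\", "\\")
            elif raw.lower().startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw  # hex:, hex(2): etc. are kept verbatim
            keys[current][name.strip('"')] = value
    return keys

def zotob_indicators(reg_text):
    # Returns one finding string per indicator from the write-up that is present
    reg = parse_reg_export(reg_text)
    findings = []
    for key in RUN_KEYS:
        for name, value in reg.get(key.lower(), {}).items():
            expected = ZOTOB_RUN_VALUES.get(name)
            if expected and expected.lower() == str(value).lower():
                findings.append(f"{key}\\{name} = {value}")
    start = reg.get(SHARED_ACCESS.lower(), {}).get("Start")
    if start in (4, "4"):  # Start=4 is SERVICE_DISABLED; the write-up quotes "4"
        findings.append(f"{SHARED_ACCESS}\\Start = 4 (Shared Access disabled)")
    return findings
```

A real export is UTF-16 text, so open it with `encoding="utf-16"` before passing it in; an empty result from `zotob_indicators` means none of the listed indicators were found, not that the host is clean.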



libsysmgr

(libsysmgr.exe) Spyware that takes control of your system and restricts access to system tools like regedit.exe. It starts up as a service and thus can be quite difficult to remove.
Remove it by deleting the file libsysmgr.exe from the command prompt in Safe Mode. Then run regedit and clear any traces of it from the registry.

Other spyware programs that launch at startup:

winstat.exe - spyware (ID 453075918)
system32win32.exe, winstat.exe, winstatkeep.exe - spyware (ID 453076082)
nhksrv.exe - spyware
snapple.exe - virus ??
autoexe.exe - virus/trojan
sysformat.* - virus
winnep.exe - virus ??
SahAgent.exe, SahDownloader.exe, WEBinstaller.dll - spyware (ID 453076082)
winsync.exe or winsync - spyware (ID 453077096)
y! blue stat 4.exe and y_blue_stat.exe - spyware (ID 453079583)
dialler.exe - spyware (ID 453073355)

It is getting difficult to tell spyware from viruses, as spyware is getting more and more like viruses and vice versa. Today's viruses are becoming tools for spammers to collect your email addresses, and even the addresses you rarely use are harvested once any of the people you correspond with gets infected with a virus.

Microsoft's very own anti-spyware software. It has been rated as better than the free spyware removal tools (Spybot Search & Destroy / Ad-Aware from Lavasoft) currently available.

Download the Anti-Spyware software here

Like any typical Microsoft product, once it starts it refuses to go away and stays in the background. The present beta version is free, but you may need to purchase it once the full version is available.

Beware of so-called anti-spyware software that is spyware itself:

Spy Wiper, AdWare Remover Gold, BPS Spyware Remover, Online PC-Fix SpyFerret, SpyBan, SpyBlast, SpyGone, SpyHunter, SpyKiller, SpyKiller Pro, SpywareNuker, TZ Spyware-Adware Remover, xp-AntiSpy, SpyAssault, InternetAntiSpy, Virtual Bouncer, AdProtector.

If you need a commercial anti-spyware solution, you can buy Pest Patrol, which is known to be a genuine anti-spyware plus anti-trojan product. You can buy it through us using the following link:
