My Dad called me today to say that he had a problem with his PC. A rogue anti-virus got installed on his PC and has hijacked it. He is running McAfee AV but that failed to stop it, although he did admit that he saw warnings, but really thought at the time that the virus program was a safe one.

I have Googled the fix for him and found that Malwarebytes have an automatic removal solution in place already. You can download Malware Bytes from Bleeping Computer (a website devoted to helping people prevent and remove viruses), here is the direct link: Malwarebytes’ Anti-Malware

Now, before you go jumping to any conclusions, let me make it clear that I may be adding to the confusion. As this evening I had a comment posted to my Facebook Wall that was obviously a bit suspect. It said “Jon, this is without doubt the sexiest video ever! ” with what appeared to be an embedded YouTube video of a woman with a large behind dancing. Admittedly I did click on it, rather foolishly. The person that sent it to me really is not the sort of person that generally sends such things, and I was curious.

Anyway, nothing seemed to happen, but I speculated that this may have been connected with the virus my Mum picked up earlier today, so decided to investigate a bit further. The current result is that I doing a thorough scan with Malwarebytes now, after having run CCleaner and Cleanup (two tools to help remove trash from all areas), my thinking that maybe the files are not active yet and they will clean them out…..

So, next was a Google for “Personal Antivirus” and Candid / Facebook together. Nothing. So they may not be connected.

No idea what the Candid Video virus on Facebook does apart from send itself on to all your Facebook contacts. Maybe it spreads a more serious PC hijacking Trojan virus. The thing about these things is that often they lay low for a few days. One person on Facebook said that it is a serious virus, although they did no elaborate on that. Another complained that Facebook as usual are doing nothing to stop it spreading. Great.

Will update you if I find out more. If you have any information let me know.

UPDATE:

Just read this on Infosecurity-us.com and it explains what the virus does, although still unclear what its endgame is. There is a Facebook anti-malware scanner that can be installed though, so that is worth investigating.

“Patric Runald, senior manager for security research at Websense, told Infosecurity that the installed malware would steal a user’s Facebook username and password, log into the user’s account, and then begin to spread the malicious link by posting messages to group and user walls and via messages to friend/group lists.

To prevent possible infections from future scams, Runald told Infosecurity that Websense offers a free Facebook application called Defensio to monitor for malware and other malicious content on a user’s page. It can be installed for free on any user’s profile, both in a personal or corporate setting.”

www.infosecurity-us.com

It seems to me that Facebook is becoming a popular place for virus writers to peddle their wares. As security tightens on the Internet with improved web browsers and anti-virus software, Facebook remains vulnerable. People are quickly drawn into viruses when they think that their friend is trying to show them something. There are so many applications on Facebook that people are so used to signing up to apps and accepting terms and conditions that they do not think twice when a friend sends a video and they need to agree to something to watch it. Although in this case I am still not clear if any agreement os required, it seems a more advanced version of the one that spread a couple of years ago.

Last night Ant-Virus software McAfee released a security update that broke Windows. The AV mistakenly thought that part of the Windows operating system is a virus, so locked it down. This resulted in computers being unable to boot up.

So what exactly happened?

McAfee’s 5958 update wrongly identified the Windows svchost.exe file as the wecorl.a virus. This worm tries to replace an existing svchost file with its own version to help it take over a machine.

A fix has been released already, but some PC’s may be stuck in a reboot loop and unable to update.

If you are having problems then you will not be able to comment below. Bad luck!

A similar problem happened with Avast! home edition not so long ago. Many people woke up to find that Avast! had identified part of Skype as a virus.

But, it is always better to be safe than sorry.

Spam is a horrible thing. It is probably what annoys people the most about the internet. And for webmasters, owners / managers of websites, email spam can be horrific. For years spammers have been building “bots” that crawl the internet and seek out email addresses. As many people rely on email for their online business, this is very problematic. If you place your email on your site, you get inundated with so much spam you cannot spot the new customers. If you remove your email address, you lose customers, and lose trust.

The first solution to this was the contact form, which allowed new customers to fill out an enquiry form to send an email, usually using PHP mail servers on the webserver. But spammers learnt to hack these. Some people would resort to just writing their email (i.e. not using the mailto: HTML code that allows people to click the link to open their mail client). But then the spammers would learn to seek out any instances of @ followed by a domain and copy that from the page. To combat this, site owners then started using images to show their email, meaning clients would have to read and then manually type the email into the email client. Not customer focussed!

However, there is a more simplistic method that is very successful at stopping spammers. It is called Email Obfuscation, and luckily there are some tools online that do it for us. What is Email Obfuscation? Well, it is simply a way to use code to make your email appear differently to the bots, but still work as normal in the web browsers. Some people have used js (javescript) for this in the past, although more intelligent bots (ok, programmers) can now read these too. Client side javascript tricks can look like this:

<script type="text/javascript">
var name = 'user';
var at = '@';
var domain = 'example.com';
document.write(name + at + domain);
</script>


which simple displays the result of the “document.write part, i.e. the “user” followed by “@” and then “example.com” to create an email address.

The method that we prefer is known as Transparent name mangling, which involves replacing characters in the address with equivalent HTML references from the list of XML and HTML character entity references. Check out this email obfuscation tool (the second one down in the email one). Basically it will convert an email address into something that looks like this, but much longer (email address anchor changed for “contact me” in this example):


<a href="&#109;&#111;:&#x6A;&#x6F;&#x6E;&#64;&#98;&#109;&#104;&#x73;&#x2E;&#99;&#x6F;&#109;">Contact Me</a>

This is currently the best tool for disguising emails. We have been using this method for about 2 years and the email address we use is still spam free. Do not dismiss forms though, as there are some excellent contact forms available too. If you are looking for a form script, then we recommend that Dagon Design Contact Form.

Barry Welford, one of the Cre8easiteforums moderators, has just alerted us to the follow phishing scam that is targeting Google Account holders.

I have now twice within the last few days had a very authentic-looking Gmail message from Google that in fact is a phishing exploit. If you click on the www.google.com link you end up on the nautilusdiving.com domain but with a very authentic Gmail Welcome page that encourages you to enter your username and password. More details are here: http://www.otherbb.com/2009/07/latest-gmail-phishing-very-tough-to-spot-watch-out.html

Don’t be taken in.

Things to remember when receiving an email from ANYONE asking for account information:

• Does the company state in their terms that they will contact you by email? Many banks will not contact you by email.
• Double check the domain name that the link in the email leads to. It is very easy to trick someone into following a link. Here is an example: Use http://www.google.com for the best search experience! Who spotted out trick BEFORE clicking?
• If in any doubt, ignore the email, and go to the website in your usual favoured manner, and log in to your account. If there really is a change you need to approve etc. then this should be obvious once you have logged in.
• If in doubt, close the email and Search for the problem. If it is a scam, then it is likely that someone has already reported it.
• If you are still not sure, then phone the company / visit their blog to request further information.

You can never be too carefull, especially with your Google account if you use Google Checkout, or use it for your business etc. Google is exceptionally secure, however if you give your password to someone, then no amount of security will protect you.

There is currently a major PC virus attack in progress, which is affecting millions of PC’s, and mostly is going unnoticed by home computer owners that do not follow PC security news, or run AV software. The virus is called Conflicker, and appeared in October 2008. All the major AV houses spotted it and informed customers so that they updated their software. However many PC’s are unprotected, then virus has until now been sitting quietly. But on 8th April 2009 the virus (which is really a trojan) started downloading something onto the computers that it has infested. At the moment we still do not know what conflicker is planning. Some people think that it could be planning a worldwide internet shutdown, or simply just planning to wipe out millions of Windows operating system installations. Only the Conflicker creators know what is going to happen.

It is downloading the software slowly to avoid suspician – this is a common trick adopted by virus creators, as they can now install large files onto PC’s over broadband without the owner noticing, especially if they “trickle” the download, meaning making it slower than the maximum bandwidth of the connection, so that users are not affected.

We do know that once the Conflicker virus is installed on a PC is makes on random website check (usually to MySpace, MSN, eBay, CNN or AOL) to check that the computer still has an internet connection. Once installed, the virus then deletes all evidence that a download took place. It is so well designed and encrypted that security experts are still unsure of what it is going to do. However, they do know that it is installing itself deep in the Windows operating system, which means that it could do some pretty serious damage, as well as steal any data it desires. If it includes keylogging software then it can gather all credit card and banking details, as well as all user names and passwords for websites, such as social networking sites, Google, Yahoo, Amazon, eBay etc.

The problem is so serious that Microsoft are offering a reward of $250,000 (£172,000) to anyone that can inform them of who is behind the Conficker virus. Since it started circulating in October 2008 the Conficker worm has managed to infect millions of Windows computers. If anyone can help, then contact Microsoft direct. If you know who may be behind the attack, then contact your local police force, and you could be in for a nice little windfall!

Computer security firm Sophos has warned that many new websites have sprung up that are exploiting the death of actress Natasha Richardson. Many of the sites are designed to attract people that are searching for information on her life and the tragic skiining accident, but then host bogus anti-virus software which is actually a virus in disguise.

This form of criminal activity online is increasing, and anti-virus analysts are seeing more people suffering as the result of downloading fake AV software. Many of these fake AV programs actually mine information from your computer and send it back to criminals, and can include key loggers which means that even if your credit card details are not stored on you computer, someone may be watching you the next time you type them into your favourite shopping site.

Today a major UK retail chain has lost all internet visibility. All of DSG International’s online stores are currently off-line! The websites for Dixons, Currys and PC World have all been offline for most of the day today. The message on each website states that “We’re reall sorry, our website is not available at this time” (Dixons.co.uk example is below). Now, there could be a valid reason for taking all sites offline at the same time, and keeping them offline all day. But maybe something more serious has occured. What if their only dedicated server went into meltdown, and they never made a back up to an alternative server? Really, any large company should be running off at least two servers, so that when major upgrades and maintenance work is needed, websites can still be kept online.

• http://www.dixons.co.uk/
• http://www.currys.co.uk/
• http://www.pcworld.co.uk/

Is this a major screw up? Have these companies lost their sites for good? If the databases are permanently deleted, and there was no backup to another server, then the answer could be yes. And how will it affect the share price of these companies? Every penny counts at the moment while we are in the depths of a global economic crisis, and any length of time offline could tips the account books permanently into the red. This could be the end of this group! Am I scaremongering? Two years ago, you could have said yes. But today, this major balls up by the webmasters of the UK largest electronics retails chain could spell their end.

It is likely too that heads will roll over this event. Monday’s are often the busiest day in online retail, as people return to work and use company pc’s to order items online. And with the New Yeat sales in full swing, every day counts.

We received an email today stating that our domain was being cancelled as the WHOIS information was not correct. Here is a except of the email:

On Sat, 1 Nov 2008 08:04:38 +0200 we received a third party complaint of invalid domain contact information in the Whois database for this domain. Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registration and the account holder and inform them to update the information.

The contact information for the domain which displayed in the Whois database was indeed invalid. On Sat, 1 Nov 2008 08:04:38 +0200 we sent a notice to you at the admin/tech contact email address and the account email address informing you of invalid data in breach of the domain registration agreement and advising you to update the information or risk cancellation of the domain. The contact information was not updated within the specified period of time and we canceled the domain. The domain has subsequently been purchased by another party. You will need to contact them for any further inquiries regarding the domain.

PLEASE VERIFY YOUR CONTACT INFORMATION – http://www.enom.com.ssl45.mobi

If you find any invalid contact information for this domain, please respond to this email with evidence of the specific contact information you have found to be invalid on the Whois record for the domain name. Examples would be a bounced email or returned postal mail. If you have a bounced email, please attach or forward with your reply or in the case of returned postal mail, scan the returned letter and attach to your email reply or please send it to:

Attn: Domain Services
14455 N Hayden Rd
Suite 219
Scottsdale, AZ 85260

LINK TO CHANGE INFORMATION – http://www.enom.com.ssl48.mobi

Thank you,
Domain Services

At first glance this looks serious. But if you receive something like this, ask yourself the following questions:

1. If my contact information is out of date, why are they sending an email?
2. Which domain? The email does not state a domain – it assumes that most people may just own one.
3. Who are they? Check the URL – their website is actually ssl48.mobi and not related to enom.com (one of many domain name registrars) in any way. The whole www.enom.com is just a subdomain of ssl48.mobi.

Replying to such an email, or providing your personal information, could actually result in you inadvertently handing your domain over to the phishers.

This is how most people are tricked by email phishers – they do not understand how domains are structured, and as soon as they see a familiar name with a .com after it, they think that it is genuine.

Fortunately there is already a warning on ssl48.mobi, if you have some good anti-phishing software installed, so your browser should not open the link. But this is not always the case.

Take care, always double check a mail, and if in doubt, make a phone call you you registrar. If they do not accept phone calls, move!

There is a new trend in online theft – criminals are targeting CV’s to obtain personal data. Job seekers have been cautioned to be extra careful when sending CVs to employers’ websites or online recruitment agencies. In an experiment using a fake website, 107 people submitted their CVs, full of personal information that could have led to identity theft.

From the 107 applicants, 61 CVs held sufficient information to apply for a credit card or loan. The experiment was carried out during the National Identity Fraud Prevention Week earlier this month. It involved a CV company called iProfile, with the support of the Police and the Information Assurance Advisory Council (IAAC), setting up a website for a bogus company called Denis Atlas. The fake firm placed an advert in a national newspaper for a job as an office manager, inviting people to apply by sending in their CVs to the website. Although 107 people did so, a quick search of the website would have shown that it was in fact a fake operation.The home page of the website reads:

If you have arrived at this website it probably means you’re researching a job advert we placed for the company Denis Atlas. Firstly, we have to tell you that both the company Denis Atlas and the job we advertised don’t exist. The advert was placed to raise awareness of the dangers of CV ID theft and the solutions available, such as the iProfile, to help combat it.

We hope you are not too disappointed and this hasn’t inconvenienced you too much. Let us explain what this is all about.

The advert was placed as part of a research project by online CV provider iProfile, who provide a solution to help combat CV ID Fraud. They wanted to raise awareness of CV ID Fraud by exploring the connection between the rise of identity theft and CVs. – http://www.denisatlas.co.uk/

“Many people are happy to send their CVs ‘blind’ without thinking about the consequences if their information fell into the wrong hands,” said Neil Fisher of IAAC. In the CVs submitted there were on average eight separate pieces of information that could be used by a fraudster to steal someone’s identity. The full address and date of birth are the most important pieces of information. In one CV the applicant also provided a passport and national insurance number. “We advise everyone not to post personal details on the internet which could collectively be used to clone your identity,” said Det Supt Russell Day of the Metropolitan Police. The most useful items of information for criminals, which should be
omitted from an online CV, are date of birth, marital status, and place of birth, according to iProfile.

With the current credit crunch leading to more job losses, and therefore more poeple in the employment market, it is possible that more unscrupulous companies may attempt to employ new methods to steal personal information. There has already been a rise in phishing (Credit Crunch Leading to Increased Phishing and Net Fraud) as a direct result of the credit crunch, and now CV theft is looking to become a greater problem. Our advice is to only provide the minimal information on a CV, and call the company before sending to confirm.

Source: BBC News

OK, this sounds like a 70′s horror movie, but it is actually one of the greatest threats currently to online security. It is estimated that there are now about 300,000 zombie computers operating. These are computers that have been taken over by hackers and are being used to send spam, or infect other machines with adware, malware and other nasty viruses.

Fortunately a group have decided to battle on behalf of the rest of the world, to tackle and destroy the hacker-zombies criminals. This group is called the Shadowserver Foundation

The number of infected machines has doubled in the last year, and this is the result of hackers becoming more organised, and forming networks of machines to act as super servers, which are referred to as botnets. These networks are used to steal personal identities, attack websites, and sell pilfered e-mail addresses to professional spammers. Yes, when you receive those annoying, trashy emails, it is often because someone has stolen your personal information, and then sold it on to internet vermin.

Internet crime is becoming a serious problem, with costs to consumers and businesses in the USA rising to $239 million in 2007, up 20 percent from the year before. Similar patterns are seen in the UK and other countries. Botnets are growing in popularity and sophistication as tools for hackers, and Shadowserver’s research helps law enforcement and security companies such as McAfee Inc. identify emerging threats.

Established in 2004, The Shadowserver Foundation gathers intelligence on the darker side of the internet. We are comprised of volunteer security professionals from around the world. Our mission is to understand and help put a stop to high stakes cyber crime in the information age.

In the weeks leading up to Georgia’s military conflict with Russia in August, Shadowserver was among the first to report that hackers attacked Georgian President Mikheil Saakashvili’s Web site, taking it down for 24
hours. The hackers used a botnet to swamp the site with requests.

“Botnets pose a significant risk because they’re the Swiss Army knife of malicious code,” – Nicholas Ianelli, an analyst at the CERT Coordination Center, which studies Internet security as part of Carnegie Mellon University’s Software Engineering Institute. “They can do so many things with one compromised host.”

Last year the FBI carried out an investigation of botnets, named Operation Bot Roast, which found over a million infected computers and more than $20 million in economic losses from
crimes related to botnets.

Shadowserver’s members spend anywhere from 5 to 40 hours a week tracking Internet-security threats. DiMino, a native of New York who now lives in New Jersey, said Shadowserver’s members are not vigilantes and don’t “hack the hackers,” as some other volunteers do, they report their findings to internet and computer security companies, to help to make home computers more secure.

“It gets us pretty jazzed when we can see that things we’ve worked on have had a tangible result in Internet safety. That’s really a key motivator for all of us.”

In February, the group said it uncovered an attack on 32 gambling sites, including one run by PartyGaming Plc, the owner of the PartyPoker.com website.

Learn more about the The Shadowserver Foundation.