
Be Afraid and Be Protected

This week’s letter is meant to frighten you. Hopefully you’ll become sufficiently concerned that you’ll take the necessary steps to protect yourself.
I’m sure you’ve noticed your inbox filling up with spam. There’s been widespread media coverage of the problem. I have little to add, except to emphasize that the spam is normally not innocent. It carries spyware, Trojans, viruses, adware and other assorted malware that can ruin your whole day.
For a good summary of the outbreak, read an MSNBC article on this link:
http://www.msnbc.msn.com/id/4422372/
Just as I double-clicked the link to make sure it’s still active, this window popped up in front of it about a “Java Virtual Machine.” If you do anything the window asks you — if you check “Never download any of these components,” or click Download, or Cancel — you’re sunk. This is malicious spyware having nothing to do with a Java virtual machine. It’ll open your computer to any hacker who wants to steal your information or merely destroy your computer.
I have plenty of protection, as you can imagine. Still, this got through. It’s not even safe to close the window by clicking the red X in the upper right-hand corner. It’s only safe to close it through the Task Manager. That’s for another column.
Here’s a comment by a participant in a hacker’s forum:
“I recently had some problems with adware, spyware and malware. Call them whatever you want, they are all a royal pain in the ass to deal with. I checked into Ad-Aware and looked at what it does and decided that I would spend the money for their Pro version (a shade under $40 US). One of the best purchases I have made. I like the fact that the pro version is pro-active in that it gives real-time protection against the above named evils as well as stopping pop-ups. It also gave me one additional level of protection, one I had not even thought about when I was purchasing it. When I had a really annoying adware incident, one that had popups happening while working on projects and not browsing the web, I went to their support forums and posted what was happening. It took only several hours and I was advised as to what to do so they could figure out how to solve the problem. I posted what they asked for and within a day I had an answer that worked and solved the problem. That also helped others in that the particular offender was quickly included in their updates. This help was entirely from other users! Talk about knights in shining armor coming to the rescue!”
Thus I suggest you buy Ad-Aware Pro. I bought it. Frankly, I can get any piece of software for free. Activation, serials, calls home, these can all be hacked. But this hacker, like me, bought Ad-Aware. As he indicates, support means everything.
Here’s an excerpt from an article in PC Magazine:
http://www.pcmag.com/article2/0,1759,1541544,00.asp
Combating Netsky.C, D, E Viruses
Security Tip: Don’t open undeliverable messages
“An unwelcome side effect of these latest worms is the barrage of undeliverable mail. Many users are getting undeliverable messages for two reasons. First, many of the viruses use “undeliverable” or similar messages in the subject line, since it is almost guaranteed to get someone to open the e-mail. In these cases, the attachment is the virus and opening it will infect the user. The other reason is that with the spoofing of addresses, the mail may actually be a legitimate non-deliverable one. The spoofed or harvested e-mail address may be a dead one, which causes the target server to refuse the message. Since your e-mail address may have been spoofed, it is returned to you. In both cases, it’s better to delete the message without opening it.
If you suspect that it might be from someone you really did mail, you can right click on the message line in Outlook, and select Properties to view the header (do not double click or you’ll open the message). While to most people, the header will read like some ancient lost language, it is possible to tell if it includes an e-mail address for someone you actually intended to contact via e-mail. If a real e-mail address is in the “To:” area of the header, then this is a real undeliverable response for the server where that e-mail once resided. However, this is not typically the case. If the “To” field contains an unintelligible or garbage address, you can safely assume that it’s a virus.”
Dangerous MyDoom.F-mm Gaining Steam
For users who own their e-mail domain, many servers by default forward all mis-addressed mail sent to the domain to the administrator’s account. The following is an example of a spoofed message header. We’ve replaced the actual target domain with a placeholder, “mydomain,” to avoid further mining of this address. Note the random string “[email protected]” in the To: and the X-RCPT-TO fields.
Received: from uk03w2k.atlasventure.com [210.23.50.222]
by mail.mydomain.com with ESMTP
(SMTPD32-6.06) id A3284578013E; Tue, 02 Mar 2004 06:42:32 -0500
Received: from bos03w2k.atlasventure.com ([10.10.0.39])
by uk03w2k.atlasventure.com with Microsoft SMTPSVC(5.0.2195.6713);
Tue, 2 Mar 2004 11:42:31 +0000
From: [email protected]
To: [email protected]
Date: Tue, 2 Mar 2004 06:42:30 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01C3FF4133983D2D0000AF58bos03w2k.atlasve"
X-DSNContext: 335a7efd - 4457 - 00000001 - 80040546
Message-ID: <[email protected]>
Subject: Delivery Status Notification (Failure)
Return-Path: <>
X-OriginalArrivalTime: 02 Mar 2004 11:42:31.0222
(UTC) FILETIME=[723ACD60:01C4004B]
X-RCPT-TO:
X-UIDL: 378063938
Status: U
If you do open the message by accident, you’ll see the text message. At this point, you’re not infected. However, do not try to open the attachment, as it may be an executable spoofed to look like a text file.
The article continues for five pages, and I suggest you read it.
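The excerpt’s rule of thumb, worked as code: a bounce whose To: (or X-RCPT-TO:) names an address you actually send from may be a genuine undeliverable report; one addressed to a string you never used is worm backscatter or the worm itself, and goes in the trash unread. This is an added example, not code from PC Magazine or this column; the sample header is constructed after the one above, and every host name, ID and address in it (and the `OUR_ADDRESSES` set) is a placeholder.

```python
from email import message_from_string
from email.utils import getaddresses

# Addresses we really send from (hypothetical placeholders).
OUR_ADDRESSES = {"dennis@mydomain.example", "editor@mydomain.example"}

def is_dsn(msg):
    """True if the message presents itself as a delivery status report."""
    report = msg.get_param("report-type", header="content-type") or ""
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    return (msg.get_content_type() == "multipart/report"
            and str(report).lower() == "delivery-status") or (
        null_sender and "delivery" in msg.get("Subject", "").lower())

def recipients(msg):
    """Addresses named in To: and X-RCPT-TO:, display names stripped."""
    values = [str(v) for h in ("To", "X-RCPT-TO") for v in msg.get_all(h, [])]
    return [addr.lower() for _name, addr in getaddresses(values) if addr]

def triage_bounce(raw):
    """Return 'genuine', 'suspicious' or 'not-a-bounce' for a raw message."""
    msg = message_from_string(raw)
    if not is_dsn(msg):
        return "not-a-bounce"
    rcpts = recipients(msg)
    # The excerpt's rule: a bounce whose To: is an address we never used
    # (or is missing) is worm backscatter, or the worm itself; delete unread.
    if rcpts and any(r in OUR_ADDRESSES for r in rcpts):
        return "genuine"
    return "suspicious"

# Constructed sample modelled on the page's header; every host, ID and
# address below is a placeholder.
SPOOFED_BOUNCE = """\
Return-Path: <>
From: postmaster@uk03w2k.example.com
To: x7q2pwdk@mydomain.example
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="DSN_BOUNDARY_PLACEHOLDER"
X-RCPT-TO: <x7q2pwdk@mydomain.example>

(report body omitted)
"""
GENUINE_BOUNCE = SPOOFED_BOUNCE.replace("x7q2pwdk@", "dennis@")

if __name__ == "__main__":
    print(triage_bounce(SPOOFED_BOUNCE), triage_bounce(GENUINE_BOUNCE))
```

The check only classifies a message as a bounce when it carries the DSN content type or a null Return-Path with a delivery subject, so ordinary mail falls through as “not-a-bounce” rather than being flagged.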
I’m going to finish this week’s article with an offer in a hacker’s forum.
Invisible KeyLogger Stealth for Windows 2000/XP is a standard security auditing tool for network administrators and concerned parents.
The heart of IKS is a high-performance Win2K/XP kernel-mode driver which runs silently at the lowest level of the Windows 2000/XP operating system. You will never find it’s there except for the growing binary keystroke log file with your input of keystrokes. All keystrokes are recorded, including the alt-ctrl-del trusted logon and keystrokes into a DOS box or Java chat room.
In addition to a flexible and friendly keystroke log viewer, IKS is extremely configurable. We provide an easy-to-use install utility. You can rename the program file, and specify the name and the path of the log file. You only need to copy one file onto the target computer for the logging to take place.
There is almost no way for the program to be discovered once the program file and the log file are renamed by the install utility. An exhaustive hard drive search won’t turn up anything. And the running process won’t show up anywhere.
The offer concludes with where you can download the program, and another link where you can get the ‘crack’ that allows the program to work without having to pay for it. No honor among thieves.
In the coming weeks we’ll work to make your computer safer. We can’t eliminate the risks altogether, but we can considerably reduce them.
Dennis Turner