Technology Explained for All
ALERT: New Rogueware – this one can detect which browser you're using and customize the fake alert to match that browser
Sep 2nd
In a never-ending effort to inform the visitors to TGM, here is another ALERT concerning a new version of Rogueware (Rogue:MSIL/Zeven (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue:MSIL/Zeven)) that can figure out which web browser you are using and then customize its fake message to look like that browser's standard warning page. As always, these attacks work because of the social engineering aspect: most people don't know any better and assume that if a message pops up on their PC, "it must be true". Unfortunately, the messages you will see as a result of the Rogueware are nothing more than a trick to get control of your PC.
The following article (written by Daniel Radu of the Microsoft Malware Protection Center) comes from the Microsoft TechNet Blog (LINK) http://blogs.technet.com/b/mmpc/archive/2010/09/01/rogue-msil-zeven-wants-a-piece-of-the-microsoft-security-essentials-pie.aspx. Pay close attention to what the fake alert looks like in each of the browsers (at the bottom of the message you get "Upgrade to a reliable solution").
**************************************************************************************************************************************
Rogue:MSIL/Zeven wants a piece of the Microsoft Security Essentials pie
A new rogue has started making its appearance from compromised websites: Rogue:MSIL/Zeven (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue:MSIL/Zeven). We received a sample (70be8ca73142922fd78acf2aafa9f141a977f15a) and a URL and began our investigation.
Let us say from the beginning that the guys behind this rogue like to copy big-time. They start by auto-detecting what browser the user is currently using, and then faking the malware warning page if the browser is Internet Explorer, Chrome, or Firefox. This is meant to be a social engineering scheme in order to trick the user into downloading and installing the rogue, relying on the user’s trust of his day-to-day browser.
The similarity between the fake warning pages is so accurate that it can trick even highly trained eyes.
In the Firefox page, for example, you can see it’s not the real warning page because they misspelled ‘out’ and wrote ‘Get me our of here’.
[Screenshots: the fake warning pages shown for Firefox, Chrome, and Internet Explorer]
But for all three browsers, a common indication that you are not looking at the actual browser warning is the offer of some sort of an “update” or “solution”. All the “updates” point to a copy of MSIL/Zeven that promises to provide “a new approach to windows detection”. Internet Explorer, Firefox, and Chrome do not offer such a solution when a website is blocked.
When installed, the product looks very genuine: it allows you to scan files, tells you when you’re behind on doing your updates, and enables you to tweak your security and privacy settings. These features are usually available in various legitimate antivirus solutions. However, the features don’t work; everything is there just to look nice, not to offer any kind of protection (just like in all other rogue antivirus programs).
Of course once it scans your computer it’s bound to claim it found something scary (malicious), as shown below:
[Screenshot: the rogue's fake scan results]
As usual with rogue scanners, although it “found” malicious files, it claims it cannot delete them unless you update. That implies that you need to pay for the full version, which has the ability to download updates. However, these files are totally bogus; no such files exist in the user’s computer.
If you decide to buy the product, this rogue opens an HTML window enabled with ‘Safe Browsing Mode’ and high strength encryption to “help” and ”protect” you while completing your purchase. Of course these features are totally worthless and don’t actually do anything in the way of securing your credit card details.
The main page of the rogue antivirus program itself looks awfully close to the Microsoft Security Essentials webpage – more copying from the bad guys. The people behind it have even copied the awards received by Microsoft Security Essentials and link to the Microsoft Malware Protection Center - pretty sneaky of them.
This is a screenshot of the rogue’s main webpage:
[Screenshot: the rogue's main webpage]
And, by way of contrast, this is a screenshot of the genuine Microsoft Security Essentials (http://www.microsoft.com/security_essentials/) page:
[Screenshot: the genuine Microsoft Security Essentials page]
It seems that these guys want to profit on the good reputation and success of Microsoft Security Essentials in order to make money – but we remind our customers that Microsoft Security Essentials can be downloaded at no cost. And it really does protect your computer from malware!
We detect both the downloader of the rogue and the rogue itself as Rogue:MSIL/Zeven (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue:MSIL/Zeven).
Until our next encounter: browse safely!
Daniel Radu
MMPC Dublin
Apple: (From Gizmodo) Apple Security Breach Gives Complete Access to Your iPhone (ALERT)
Aug 3rd
Gizmodo is reporting that a new vulnerability has been found that affects the iPhone, iPod touch, and iPad.
From Gizmodo –
Right now, if you visit a web page and load a simple PDF file, you may give total control of your iPhone, iPod touch (http://gizmodo.com/tag/ipodtouch/), or iPad to a hacker. The security bug affects all devices running iOS 3.1.2 and higher.
Update: Initially we thought that this exploit only affected iOS4 devices, but it turns out all iPhones, iPod Touches and iPads running 3.1.2 and higher are susceptible.
The vulnerability is easily exploitable. In fact, the latest one-click, no-computer-required Jailbreak solution for iOS 4 devices (http://gizmodo.com/5601874/jailbreakme-20-jailbreaks-all-apple-ios-40-401-and-321-devices) uses this same method to break Apple's own security (although in a completely benign way for the user).
The result is that, without any user intervention whatsoever, that program can do whatever it wants inside your iPhone, iPod touch or iPad. Anything you can imagine: Delete files, transmit files, install programs running on the background that can monitor your actions… anything can be done.
The short answer to this issue is that you need to be careful and not click on any links to PDFs on your iPhone, iPod, or iPad until Apple releases an update to this issue.
The complete post can be found on the Gizmodo site (LINK:) http://gizmodo.com/5603319/
Sprint: EVO 4Gs are getting the OFFICIAL Android 2.2 update (Froyo) starting Aug 3rd (or tomorrow, 7/30, if you want to manually update your EVO)
Aug 2nd
*****8/2/2010 UPDATE – UPDATE IS HERE************
To my fellow EVO users –
To those who want to install the Froyo 2.2 update, as of 9:15 pm (EST) it is now available directly from your phone. Customers can access the software update through their HTC EVO 4G under the Settings Menu > System Updates > HTC Software Update. This will initiate the three-step process also.
*****7/30/ 2010 UPDATE******************************
As of 5 pm it seems that the update has yet to be released for those who are looking at updating early. The latest report was that the update was going to be ready after 12 pm CST and that it would be available at some point during the afternoon/evening Friday. I'll update as soon as I can get more details.
****************************************************
Based on an announcement on the Sprint Community Blog (LINK: http://community.sprint.com/baw/community/sprintblogs/buzz-by-sprint/announcements/blog/2010/07/29/sprint-is-the-first-wireless-carrier-to-bring-android-22-to-customers-using-the-award-winning-htc-evo-4g-beginning-tuesday-aug-3), the EVO will be getting its Froyo update in the next couple of days. As of now the announcement says that the Froyo (2.2) update for Android will be available as of 12 pm (CST) tomorrow, 7/30, for download if you want to manually update the phone yourself (a nice touch on Sprint's part for those who just don't want to wait), and as of Aug. 3rd Sprint will begin over-the-air (OTA) updates to EVO devices.
Froyo, the latest (and very highly anticipated) update to the Android operating system, carries numerous fixes and new features.
Some of the changes are -
For those who just can’t wait until the Froyo OTA update, you can manually trigger the download (As of 12p CST on 7/30) by doing the following
Customers can access the software update through their HTC EVO 4G under the Settings Menu > System Updates > HTC Software Update. This will initiate the three-step process also.
Apple: Possible fix for iPhone 3G(S) that run slow or have issues after upgrading the phone to iOS4
Jul 29th
Virtually everyone is aware of the "Antennagate" issues with the iPhone 4; however, there have also been reported issues for those using iPhone 3G/3GS models that upgrade to the iOS4 software. The issues appear to be everything from shortened battery life, to very slow performance of the phone (making it unusable), to random reboots of the phone. With all the attention on the antenna issues, these other issues haven't gotten as much attention until now. The Wall Street Journal is reporting that Apple is now conducting a probe concerning complaints about these issues (LINK: http://blogs.wsj.com/digits/2010/07/28/apple-investigates-reports-of-problems-with-ios4-on-iphone-3g/).
With all that being said, it now seems that a member of the tech site Neowin (http://www.Neowin.net) by the name of NathanMillson (http://www.neowin.net/forum/?showuser=327910) may have just figured out the cause (at least one of them) and a simple solution that many have reported fixes the issues.
From Nathan’s Neowin post:
From my experience, I find if you go into Settings->General->Home Button->Spotlight Search-> Deselect every option. No more background indexing on iPhone 3G.
I haven't had many performance issues after this…
If you find this solution works for you, post a response and TGM will make sure to let Nathan and Neowin know.
Alert: Yahoo website (Including mail) and Yahoo Messenger appear to be currently down
Jul 22nd
**UPDATE – As of 12:10 pm it seems the issue is now corrected, and it appears that the issue affected those with Comcast or AT&T as their Internet providers.
**********************************************
As of 11:15 am (EST) it does appear that most (if not all) of the Yahoo properties (Website, Mail, Messenger) are not responding. No details are known as of yet. More details to follow as soon as possible.
Software: ALERT – Critical Adobe Flash Update Released. You need to make sure your system is updated to this version.
Jun 12th
Adobe has released an update to its Flash Player (new version 10.1) and Adobe AIR software to correct 32 issues that could lead to everything from the application or your computer crashing all the way to someone else (a "bad guy") being able to take control of your computer. In the past week the bad guys figured out how to use these vulnerabilities to infect people's computers; this update corrects those issues.
This Adobe advisory (http://www.adobe.com/support/security/bulletins/apsb10-14.html) outlines the severity:
Critical (http://www.adobe.com/devnet/security/security_zone/severity_ratings.html) vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
The vulnerabilities in this patch batch affect all major operating systems: Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe AIR 1.5.3.9130 and earlier versions for Windows, Macintosh and Linux.
**NOTE THAT THIS ISSUE DOES AFFECT SOFTWARE INSTALLED ON WINDOWS, MAC, AND LINUX.
Here are some things to keep in mind.
- If you have more than 1 browser installed on your computer (Internet Explorer, Chrome, Firefox, Opera, etc), you MUST check this on each one of the browsers, even if you only use one. Check on any that are installed.
- You need to verify the Adobe Flash Player version number installed on your system. Adobe recommends that users access the About Flash Player page (http://www.adobe.com/products/flash/about/), or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu.
- In addition, check your installed programs list (Windows users: Start -> Settings -> Control Panel -> Add/Remove Programs or Programs and Features). Check that it doesn't list multiple installs of either Adobe Flash or Adobe AIR. If it does, from that screen highlight and select Uninstall for all but the latest one.
- If you would like to make absolutely sure that all older copies of Adobe Flash are uninstalled, or if you are having issues doing the upgrade, go to the Adobe knowledge base page (tn_14157) at (LINK) http://kb2.adobe.com/cps/141/tn_14157.html and download the Adobe Uninstaller. This will go through your computer and automatically delete all versions of Adobe Flash. Then you can just install the latest version.
- The following 2 links are the direct downloads from Adobe for Flash (NOTE that one link is for Internet Explorer and the other is for the rest of the browsers).
http://fpdownload.ad…h_player_ax.exe (http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe) (IE)
http://fpdownload.ad…lash_player.exe (http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe) (All other browsers)
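A small check for the verification steps above, added here as an example and not code from the original post or from Adobe: it compares a version string copied from the About Flash Player page (or from Flash's own "WIN 10,0,45,2"-style readout) against the affected ranges the advisory quotes, and lists the extra Add/Remove Programs entries the checklist says to uninstall. The sample readouts are constructed.

```python
# Flash / AIR version check against the Adobe APSB10-14 ranges quoted above.
# Added example, not code from the original post or from Adobe; the thresholds
# are the ones the advisory text names, the sample readouts below are constructed.

# Last affected version per product, as quoted from the advisory on this page.
LAST_AFFECTED = {
    "flash": "10.0.45.2",   # Flash Player 10.0.45.2 and earlier
    "air": "1.5.3.9130",    # Adobe AIR 1.5.3.9130 and earlier
}

def parse_version(text):
    """Turn '10.0.45.2' or Flash's own 'WIN 10,0,45,2' readout into a tuple of ints."""
    cleaned = (text.strip().split() or [""])[-1].replace(",", ".")
    parts = cleaned.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    return tuple(int(p) for p in parts)

def _padded(versions):
    """Right-pad every tuple with zeros so '10.1' compares as '10.1.0.0'."""
    width = max(len(v) for v in versions)
    return [v + (0,) * (width - len(v)) for v in versions]

def is_affected(product, version_text):
    """True if the installed version is at or below the last affected one.

    Components compare as integers, so 9.0.262.0 < 10.0.45.2 < 10.1.53.64;
    a plain string comparison would rank '9...' above '10...'.
    """
    installed, limit = _padded([parse_version(version_text),
                                parse_version(LAST_AFFECTED[product])])
    return installed <= limit

def older_installs(version_texts):
    """Return the Add/Remove Programs entries that are not the newest one,
    i.e. the extra copies the checklist says to uninstall."""
    parsed = _padded([parse_version(v) for v in version_texts])
    newest = max(parsed)
    return [text for text, v in zip(version_texts, parsed) if v != newest]

if __name__ == "__main__":
    # Constructed sample readouts, one per browser, as the checklist asks you to gather.
    for browser, readout in [("IE", "WIN 10,0,45,2"), ("Firefox", "10.1.53.64")]:
        print(browser, readout, "AFFECTED" if is_affected("flash", readout) else "ok")
    print("uninstall:", older_installs(["9.0.262.0", "10.1.53.64", "10.0.45.2"]))
```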
Keeping your computer safe is not just about updating the operating system and having an anti-virus program. These days the bad guys are looking for any way into your system. Imagine that when you left your home, you locked all your doors but left a window unlocked because the lock was broken. A bad guy could use that window to get inside. So what would you do? Replace the lock, of course. This software issue is the computer version of that exact situation.