Alert: How to deal with Rogueware software when it tries to load on your computer.

While surfing the web today I ran across a another version of the installer that tries to load one FAKE antivirus software (Antivirus 2010 is one of the most common names). The following can come up if you visit an infected website. The site that triggered these pop ups is a well known site, so do not assume that just because you are on a MAJOR website that you are not at risk.

What to look our for

As soon as you get to the website, the following pop up appears. **This is why it is important to read messages before clicking ok.

What you probably wont see (unless you drag the window above around the screen) is the little window (as shown below) that opens directly behind the main window. If you were to expand the little window you will see that its for 1anetantispy.

If you click on the OK button above you will get infected.

What to do if you see the AV check Window

1 – DO NOT CLICK ON ANY OF THE POP UP WINDOWS.

2 – On your computer click on the start button –> click on Run (or type Run in the search box) –> Once you get the run box, type taskmgr into the Run box and press OK

3 – This will open up the Windows Task Manager. Look for all items that involve the browser you are using. (In the example below, its Internet Explorer) Highlight each item and then click End Task. Once all the browser windows close

4 – (A) If you are using Internet Explorer go to Tools –> Options –> and Click on Delete Browser History. (B) If you are using Firefox, go to Tools –> Options – > Privacy –> and click where it says “Clear you current history”.

Alert: Desktop Security2010 – Another Rogueware program which seems to be spreading fast. This is NOT something you want on your pc.

Job security is the probability that an individual will keep his or her job, and with the rate of computer clean up that I have to do that unfortunately seems to be going up and not down, I think I have job security for a while (Honestly, this is not the kind of job security that I want). We have had many posts on TGM about viruses, spyware, rogueware, yet the “my computer is infected” calls continue to come in, as people continue to fall for the tricks that get them infected.

The latest rogueware infection is called DesktopSecurity2010. What will happen if you get infected with the DesktopSecurity2010 rogueware

DesktopSecurity2010 is an adware program that warns users of non-existing threats in their computers so that they purchase a certain program that removes them from the computer.
Additionally, in order to make users think that their computer is really infected, it displays a warning message when the computer is restarted, and from time to time the screen fades to black and other times blinks with different colors.
DesktopSecurity2010 can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc.

What should you look out for when web surfing

DesktopSecurity2010 is easy to recognize, as it shows the symptoms below (These are some possible symptoms, you can still get infected without seeing these):

It reaches the computer in a file with the following icon:
When it is run, a screen to install the program is displayed:
Once installed, it starts to carry out a system scan in search for possible malware and once finished, it displays warning messages informing users that the computer is infected:

One of the known ways that the rogueware is installing

The following post on the PandaLabs site (LINK: http://pandalabs.pandasecurity.com/making-new-friends%e2%80%a6/ (http://pandalabs NULL.pandasecurity NULL.com/making-new-friends%e2%80%a6/)) shows 1 of the ways you can get infected. Two of the clean up jobs that I have had to do in this past week occurred because the user also fell for a greeting card email as described below (Confirmed).

Making new friends…

Posted on 05/13/10 by Olaiz

I’m very happy because I’ve received a greeting card via email from a new friend, thought it’s not my birthday, my saint’s day or anything like that :-)

Look what a nice card I’ve received:

Google_groups_email_en

Besides, it has been sent from 123greetings, which is a legal website to download and send cards, so it must be trustworthy.

I’ve clicked the picture of the message and I’ve been redirected to the website http://luxxxx.googlegroups.com/web/setup.zip, but I can’t see any greeting card here, but a Google groups website containing a link… maybe I have to follow the link in order to view it…

There’s no way. I can only see the Windows of an antivirus called DesktopSecurity2010 (http://www NULL.pandasecurity NULL.com/homeusers/security-info/218297/DesktopSecurity2010) informing me that my computer is infected and that I have to pay the license in order to eliminate the malware. I think that I got infected :-( and I have neither a greeting card nor a new friend…

Now, talking seriously, yesterday we commented how this false antivirus was using Google Groups users (with malicious intentions) to be distributed. In fact, the URL from which the rogueware is downloaded is like the following:

http://Google Groups user.googlegroups.com/web/setup.zip

Some of these users are felixss, gorlum or misterxyz.

Google has reacted to this and has started blocking these malicious users. So, if you try to access any URL that uses these malicious users, the following message is displayed informing you that the user cannot be found:

Google_groups

Even so, some malicious accounts may still be active, so don’t trust messages like this and don’t follow any link like those we’ve previously mentioned in this post.

So what can you do to help protect yourself

If you get a link, email, instant message, asking you or telling about something you were not expecting, even if it seems to be from someone you know, DO NOT TRUST IT! Getting a message from grandma saying check out the new pictures i upload and realizing she is 80 years old, ask yourself, does grandma really know how to upload pictures? It only takes a minute to call the person, and get a response to “did you send me….. message”, if they did, they will tell you instantly. If they didn’t they will be the 1st to say “What are you talking about”.
Because of Twitter, the use of link shorting sites seems to have become the norm. The problem is that a link to http://bit.ly/dr9Ucz (http://bit NULL.ly/dr9Ucz) could be a link to many place. How do you know if it is a safe link or not a safe link. Again, even if the link is sent to you by someone you know, DO NOT TRUST IT unless you were specifically expecting it. For the record, http://bit.ly/dr9Ucz (http://bit NULL.ly/dr9Ucz) is actually a link to techgeekandmore.com, and TGM does not list shorten links on the TGM site, because we want you to know where you are clicking to. One thing you can do to check shortened links is visit sites that expand the shortened link. (If you use one of these link expander services and copy the link, be careful to copy the link and NOT accidently double click on the link) Some of the sites you can visit to use to expand links

-> LongURL (LINK: http://longurl.org/ (http://longurl NULL.org/)), PrevURL (LINK: http://www.prevurl.com/index.php (http://www NULL.prevurl NULL.com/index NULL.php)), ExpandMyURL (http://longurl NULL.org/) (LINK: http://www.expandmyurl.com/ (http://longurl NULL.org/)), URL Snoop (http://urlsnoop NULL.com/) (LINK: http://urlsnoop.com/ (http://urlsnoop NULL.com/)), Securi.net (http://sucuri NULL.net/?page=tools&title=check-url) (LINK: http://sucuri.net/?page=tools&title=check-url (http://sucuri NULL.net/?page=tools&title=check-url)). At all the sites, enter the shortened URL and click to find out where the link will lead

-> In addition if you use Firefox to browse the web, you can install LongURLPlease (LINK: http://www.longurlplease.com/ (http://www NULL.longurlplease NULL.com/)), or LongURL (LINK: http://longurl.org/tools (http://longurl NULL.org/tools)), which are Firefox browser extensions that automatically preview the destination URL for shortened links from just about any shortener you can name.

As always make sure that your PC is updated with all the latest Windows Updates, your Anti-virus is updated, your install of JAVA is updated, your install of Adobe Flash player is updated, Your PDF reader is updated. Most viruses, spyware, rogueware use problems with these programs to get into your computer. Use can use sites like File Hippo (LINK: http://www.filehippo.com/ (http://www NULL.filehippo NULL.com/) ) to check and make sure your programs are up to date.

What to do if you do get infected

If you still get infected, you can use SuperAntispyware and Malwarebytes programs to clean your machine, I recommend downloading both before you get any infection. Run them on a regular basis (Regular = once a week or so), even if your computer does not show any signs of issues.

To download both programs I recommend using Ninite (LINK: ninite.com)

If you would like to see more information on ninite you can see the TGM post http://www.techgeekandmore.com/2009/12/25/software-two-must-haves-for-the-new-pc-pc-decrapifier-and-ninite/

If after running SuperAntispyware and Malwarebytes, you are still infected, then you will need to use a PE (Physical Environment) disk. The PE disk that TGM recommends is UBCD (LINK: http://www.ubcd4win.com (http://www NULL.ubcd4win NULL.com)). The how to for the UBCD can be found at http://www.ubcd4win.com/howto.htm (http://www NULL.ubcd4win NULL.com/howto NULL.htm) .

Alert: Fake Facebook Email – Its another trick to get you to download a virus.

Another “old friend” seems to be making an email visit again. People have started getting the following email claiming that “The Facebook team” has reset your password and that you have to click on the download to get your information….

***********************************************************************************************************

Facebook Password Reset Confirmation NR.2033
From: The Facebook Team | Date:
17/03/2010 8:09 AM | Email
To: xxxxxxx@xxxxxx.com
Attachments: Facebook_password_2264.zip (62 KB) (62 KB)
Hey xxxxxx ,
Because of the measures taken to provide safety to our clients, your
password has been changed.
You can find your new password in attached <document.
Thanks,
The Facebook Team.

***********************************************************************************************************

Considering how many calls and messages I’ve gotten today about infected machines, I’m know people are falling for it. So lets start with a simple lesson : FACEBOOK DOES NOT RANDOMLY CHANGE USERS PASSWORDS AND IT DOES NOT SEND YOU VIA EMAIL YOUR UPDATED INFORMATION IN AN ATTACHMENT. SO DONT OPEN THIS EMAIL IF YOU GET IT. OK with that being said, here are some tips while using Facebook (Directly from the Facebook Blog http://www.facebook.com/security?ref=blog#!/security?v=app_7146470109&ref=mf (http://www NULL.facebook NULL.com/security?ref=blog#!/security?v=app_7146470109&ref=mf) )

When we talk about security, we’re talking about scams, viruses, and hacks that could infect your computer or take over your Facebook account and result in a lot of annoyance for you and your friends.
Security isn’t just an issue on Facebook, but all over the web, which is why it’s important to be aware online, and to learn how to protect your accounts and your computer.
Here are some ways to be smart and aware on Facebook and across the Internet:

Use different passwords for your various online accounts. If you use the same password everywhere, and it’s stolen, you could lose access to all of your accounts at once.

Be wary of where you enter your password. Just because a page on the Internet looks like Facebook or another site you use, it doesn’t mean that it is. Check the address bar in your browser, and learn to tell the difference between a good URL and a bad one. If you ever have doubts about the legitimacy of a link, simply type the website’s URL (for example, http://www.facebook.com) into the address bar.

Don’t share your passwords with anyone. Don’t do it. Most reputable online services will never ask for your password through any form of communication.

Don’t click on links or open attachments in suspicious emails. If the email looks weird, don’t trust it, and delete it from your inbox immediately.

Use a complex password that can’t be easily guessed. Avoid common words, and make sure your password is at least eight characters long and includes capital and lower case letters, numbers, and symbols.

Be suspicious of any email or message that contains an urgent request or asks you to update your information or provide new information.

Be suspicious of emails or messages that contain misspellings or use bad grammar, especially if they’re from someone who is usually a good writer.

Make sure you have an up-to-date web browser equipped with an anti-phishing blacklist. Some examples are Internet Explorer 8.0 and Firefox 3.0.10.

Make sure you have up-to-date comprehensive security software on your computer that includes anti-virus, anti-spyware, anti-phishing, and a firewall.

Make sure you’ve set your operating system to update automatically.

Make sure you’ve listed a security question and answer for your online accounts. This will come in handy if you ever lose access and need to prove who you are. You can do this on Facebook from the Account Settings (https://register NULL.facebook NULL.com/editaccount NULL.php) page. You should also add a mobile phone number from this page (http://www NULL.facebook NULL.com/mobile/?settings), which will help if we ever need to send you a text message to confirm your identity.

Remember that you choose what you share and with whom you share it. Think before you post, especially if the information is sensitive or personal in nature. You can learn more about how to control your information on Facebook, including how to choose an audience for each and every post you make, in our Privacy Guide (http://www NULL.facebook NULL.com/privacy/explanation NULL.php)

In addition here are some known threats that you can find while using Facebook (Also directly from the Facebook Blog http://www.facebook.com/security?ref=blog#!/security?v=app_4949752878&ref=mf (http://www NULL.facebook NULL.com/security?ref=blog#!/security?v=app_4949752878&ref=mf) )

Spammy Wall Posts, Inbox Messages, and Chat Messages
When criminals gain access to a Facebook account, they usually post spammy comments on friends’ Walls, or send spammy messages through Inbox or Chat. These messages ask you to click on a link and often try to entice you by claiming there’s a new photo or video of you somewhere on the Internet that you need to check out. The link then takes you to a phishing (http://en NULL.wikipedia NULL.org/wiki/Phishing) site that asks you to enter your login information, or a malware (http://en NULL.wikipedia NULL.org/wiki/Malware) site that prompts you to download malicious software.
Don’t click on strange links in posts or messages, even if they’re from friends. If it seems weird for an old friend to write on your Wall or send you a message, it’s possible that the person’s account has been taken over by a spammer. Be particularly cautious of posts or messages that contain misspellings or use bad grammar.
Money Transfer Scams
Scammers sometimes post status updates, or send Inbox or Chat messages, from a friend’s account claiming that the friend is in some difficult situation and in need of money. These messages ask you to help by wiring funds through a money transfer service.
Never send money without first verifying the story through some other means, such as by talking to the person over the phone. If a friend’s account has been taken over, contact us (http://www NULL.facebook NULL.com/help/?faq=14257) so that we can block access. If you’ve sent money, report it to the money transfer service, and, if you’re in the United States, the Federal Trade Commission (http://www NULL.ftc NULL.gov/bcp/edu/pubs/consumer/alerts/alt034 NULL.shtm) or the Federal Bureau of Investigation (http://www NULL.ic3 NULL.gov/default NULL.aspx). You’ll find more tips and a complete transcript of a real conversation with a scammer here (http://www NULL.facebook NULL.com/note NULL.php?note_id=96651525765).
Fake Notification Emails
Spammers and scammers sometimes send phony emails that have been made to look like they’re from Facebook or another reputable website. These emails can be very convincing, and the “From:” field can even be spoofed to include “Facebook” or “The Facebook Team.”
If an email looks strange, don’t click on any of the links in it, and delete it from your inbox immediately. Be especially wary of emails that ask you to update your account, tell you to open an attachment, or warn you to act quickly before something happens.
Chain Letters and Messages from Phony Facebook Employees
You might occasionally see a status update or message making some claim about Facebook and urging you to take an action. Examples include:

Facebook is becoming overpopulated.

Facebook is going to start charging money.

Certain users have special access to profile information.

Facebook is selling your data.

Sometimes, these come from people claiming to be Facebook employees who then ask you to provide your password or other personal information.
If a status update or message doesn’t look right, don’t believe it. Disregard it, and tell your friends that it’s phony. If someone pretending to be a Facebook employee asks you for your password, don’t give it out, and report the person immediately by clicking the report link either on the message or the person’s profile.
For more information about Facebook site governance and privacy, check out these documents:
Facebook Principles (http://www NULL.facebook NULL.com/principles NULL.php)
Statement of Rights and Responsibilities (http://www NULL.facebook NULL.com/terms NULL.php)
Privacy Policy (http://www NULL.facebook NULL.com/policy NULL.php)
Suspicious Applications
Facebook has strict policies (http://developers NULL.facebook NULL.com/policy) for developers to help make sure that applications don’t misuse your data. While most applications play by the rules, you may occasionally come across one that doesn’t quite look right.
Use caution when interacting with applications. If you think an application is violating our policies, report it to us through the link on the application’s About page. You may also want to block the application by clicking the “Block” link on its About page.

Now that you have seen the information directly from Facebook let me add one more thing. I will acknowledge that having to chase down and fix computers for people who fall into the traps above (as well as other know internet virus/malware/rogueware traps) is job security. Seriously this is not the type of job security I had in mind.

Alerta: Mensaje en Espanol de correo electrónico que es un Virus de computadora.

Desde el inicio de la TechGeekandMore, uno de los ejes más grandes ha involucrado virus de computadors (que se llaman Rogueware o Malware). Rogueware y malware pueden infectar un pc a través de diversas maneras (visitar sitios del Web, haga clic en vínculos, a través de correos electrónicos, o mas….). Hasta ahora, todas las advertencias de correo electrónico cubierto correos electrónicos en inglés, porque eso es lo que se sabia que existia. Sin embargo por ahora puedo informar oficialmente que los correos electrónicos son ahora multi-lenguaje. Esta noche he recibido un correo electrónico (que me mando un miembro de familia) que dice "Amix, esto tienes probarlo".

La versión en inglés del correo electrónico se a visto por un tiempo, "Cheques para ver quien te está bloqueando en MSN". El gancho del ser que si puede clic en el enlace proporcionado en el correo electrónico, que podrá ver (supuestamente) que ha le bloqueado de su lista de MSN Messenger. Como se señaló mirando el origen del correo electrónico (abajo), es casi una traducción exacta de la versión en inglés, afirmando que si se mira el enlace usted será capaz de ver que está bloqueando le (bloquear las direcciones de internet dentro de la fuente del correo electrónico)

Lo que realmente hace el vínculo es instalar una versión de Antivirus2009 (o 2010) que produce una gran cantidad de dolores de cabeza para el usuario y normalmente requiere un tecnología para limpiar o reinstalar el equipo. Si tienes amigos ni familia de habla española, le recomendamos encarecidamente que Hágales saber no se van a abrir este correo electrónico y a sólo la lista como correo no deseado y elimínelo. Si ya han abierto el correo electrónico, pueden utilizar programas como la versión gratuita de SuperAntiSpyware (LINK: http://www.superantispyware.com/superantispywarefreevspro.html (http://www NULL.superantispyware NULL.com/superantispywarefreevspro NULL.html) ) o la versión gratuita de Panda (LINK: http://www.malwarebytes.org/ (http://www NULL.malwarebytes NULL.org/)).

Alert: Malware emails are not just in English – They also exist in Spanish.

Since the start of TechGeekandMore one of the biggest focuses has involved Malware and Rogueware. Malware and Rogueware can infect a pc via various ways (visiting websites, clicking on links, via emails, etc….). Until now, all the email warnings covered English language emails, because that’s what was known to exist. However as of now I can officially report that those emails are now multi-language. This evening I received an email (from a Spanish speaking family member) that says “Amix, esto tienes que probarlo”, which loosely translates to “Buddy, You have to check this out”.

The English version of the email has been a regular for a while, “Checking to see who is blocking you on messenger”. The hook being that if you click on the provided link in the email, that you will be able to see (supposedly) who has you blocked from their MSN Messenger list. As noted while looking at the email source (below), it is almost an exact translation of the English version, claiming that if you look at the link you will be able to see who is blocking you (I did block the internet addresses within the source of the email)

What the link actually does is install a version of Antivirus2009 (or 2010) which causes a lot of headaches for the user and normally requires a tech to clean up or reinstall your computer. If you have any Spanish speaking family or friends, we highly recommend that you let them know NOT to open this email, and to just list it as junk mail and delete it. If they have already opened the email, they can use programs like the free version of SuperAntiSpyware (LINK: http://www.superantispyware.com/superantispywarefreevspro.html (http://www NULL.superantispyware NULL.com/superantispywarefreevspro NULL.html)) or the free version of Malwarebytes (LINK: http://www.malwarebytes.org/ (http://www NULL.malwarebytes NULL.org/)).

Alert: Another Fake Email install Rogue Software (From Panda Labs Blog)

One of the biggest reasons why TechGeekandMore started came from how many customers I had (and still have) to visit every week to either clean Viruses of PC or (even worse) recover as many files as possible and then reinstall Windows. I wanted a way a to try and alert and educate my customers about how …..

- No African Prince was going give you millions

- Emails that say that they are from a friend or family with that weird looking attachment could actually be fake

- Hot College Girl……well this one just really doesn’t have much beyond “Don’t do it”.

ETC ETC ETC…….

In those lines a new email starting this week, that has only 1 goal, to trick you into downloading and installing some really nasty software (more of the fake antivirus software). This new email says that “You have received a postcard”……

The following information comes from PANDALABS blog ( http://pandalabs.pandasecurity.com/the-thousand-faced-rogue/ (http://pandalabs NULL.pandasecurity NULL.com/the-thousand-faced-rogue/))

******************************************************************************************************************

The Thousand-Faced Rogue

Mar 5

Posted on 03/5/10 by Olaiz (http://pandalabs NULL.pandasecurity NULL.com/author/olaiz/)

We want to inform you of a new flood of email messages that seem to contain a postcard but are actually distributing malware. Concretely, we’ve seen several thousands in a few hours.

It’s not the first time we see emails like this in circulation, as subjects like “You’ve received a postcard” are very recurrent.

The message is like the following:

postcardzip_en

The message seems to have been sent by a member of your family through a legal website to download and send postcards, so that users don’t suspect. In order to view the postcard, you have to open the attached file. It’s a file compressed with zip and if you run it, a rogueware program will be installed in your computer, which is different depending on the message and the operating system you have.

The following are some of the names of the fake antivirus that can be installed in your computer if you run this file:

% Antispyware 2010

Antivirus % 2010

% Guardian 2010

% Guardian

% Defender 2010

% Antivirus

% Antivirus 2010

% Antivirus Pro

% Antivirus Pro 2010

% Internet Security

% Internet Security 2010

where % stands for the operating system of the computer in which it is going to be installed. Some examples: XPAntispyware2010, Vista Guardian, Win 7 Antivirus Pro.

Let’s take as an example Antivirus XP 2010 and see the actions it carries out once it has been installed in the computer.

As every rogueware, it starts scanning the system to check if the computer is infected.

Once finished, it displays a list with the malware that has detected in your computer to make you believe that you’ve got a problem and that this program will offer you the solution:

AntivirusXP2010

However, all the malware it has detected makes reference to unexisting files, so the only threat you have is the own rogue.

Additionally, it prevents the execution of programs whose window title makes reference to the following programs:

Internet Explorer

Firefox

Several security suites.

When you try to run any of these, a message is displayed informing you that these programs are infected and recommending you to install the fake antivirus to solve the problem.

The following image belongs to the message that is displayed when Firefox is run:

Firefox_infected

It also contains code to uninstall different security solutions. This way, the computer would be unprotected and the real antivirus programs could not detect it.

Alert: BlackHat SEO attack targeting Google Nexus One (Updated) (From Panda Labs Blog)

From the Panda Labs Blog (BlackHat SEO attack targeting Google Nexus One (Updated) (http://pandalabs NULL.pandasecurity NULL.com/blackhat-seo-attack-targeting-google-nexus-one/))

A few days ago Google presented their brand new phone, called Nexus One:

And some days later we find out that if a user searchs for “buy Nexus One” he will obtain around 4,000 malicious links:

When clicking on any of these links, you will see some of the typical fake antivirus sites:

It will try to infect your computer with a rogueware called LivePcCare. Be careful while searching, and use at least some free web filtering tools (http://www NULL.mywot NULL.com/). (Like Web of Trust)

Update: 5 out of the 6 first results are malicious, including the 1st and the 2nd one.

Update 2: Now the same crew is using the Haiti earthquake

Alert: Criminals using Haiti Tragedy for new online scams

Unfortunately, the bad guys seem to try and use anything that is current in an effort to take advantage of the situation and unsuspecting people, many of which may have their guard down because of the circumstances. The tragedy in Haiti is the latest way for the bad guys to attack.

The FBI released the following warning this week after the earthquake (LINK: http://www.fbi.gov/cyberinvest/escams.htm (http://www NULL.fbi NULL.gov/cyberinvest/escams NULL.htm))

HAITIAN EARTHQUAKE RELIEF FRAUD ALERT

01/13/10—The FBI today reminds Internet users who receive appeals to donate money in the aftermath of Tuesday’s earthquake in Haiti to apply a critical eye and do their due diligence before responding to those requests. Past tragedies and natural disasters have prompted individuals with criminal intent to solicit contributions purportedly for a charitable organization and/or a good cause.

Therefore, before making a donation of any kind, consumers should adhere to certain guidelines, to include the following:

Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.

Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.

Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site.

Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.

Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.

Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.

MSNBC has released a list of charitable organizations that are active in Haiti, to help you know that your donation is going to the right place. The list can be found at http://www.msnbc.msn.com/id/34835478 (http://www NULL.msnbc NULL.msn NULL.com/id/34835478)

——————– o ——————–

In addition to the the financial scams, there are now also web scams which will cause your pc to get infected with Rogueware (Things like fake anti-virus messages), while visiting sites that appear to be legit Haiti Support or Information sites.

In the latest attempt to use a news making event, into a way to spread Rogueware, those running what are called SEO (SEO = Search Engine Optimization) are targeting keywords related to the earthquake in Haiti. Running searches on terms such as ‘Haiti’, ‘RT (re-Tweet)’, ‘Wyclef Jean’ and his charity, ‘Port-au-Prince’, Haiti donations, just to name a few are bringing up sites on major search engines pointing users to what they believe to be legitimate news and images related to the tragedy. When in fact, these sites, because the criminals were able to manipulate results of the search engines, are showing fake sites mixed in with real sites.

(Picture from http://sunbeltblog.blogspot.com/2010/01/dangerous-web-search-haiti-earthquake.html (http://sunbeltblog NULL.blogspot NULL.com/2010/01/dangerous-web-search-haiti-earthquake NULL.html))

If you encounter one of these fake site, 1st thing that you should NOT DO is click on any pop up or link that says you need to install something to see the site. 1st thing you SHOULD DO is attempt to close your browser by selecting either the X on the top right or by selecting CNTR-ALT-DEL on your keyboard, going into Task Manager, highlighting your browser, and selecting END TASK (Never attempt to use any of the actual “Close” or “exit” buttons that will appear with the pop up as most of the time the “yes” and “no” button will both do the same thing which is install the Rogue program on your machine).

In addition, as soon as you reopen your browser (after closing it for the pop up), you want to make sure that you go in and clear your Temporary Internet Files and your Internet Cookies (In Internet Explorer its Tools –> Internet Options –> then under browsing history –> delete and then delete all. In Firefox its Tools –> options –> privacy –> clear your recent history / clear your recent cookies). That is in addition to making sure that your Anti-Virus software is up to date, that your Updates for your operating system (Windows, MAC, Linux) are up to date.

(Soapbox**) I continue to point out the need to update, and yet I still regularly get called out to clear infected machines, that are missing updates (Had a Windows PC last week on XP service pack 1 and Norton AV 2004 with updates from September 2005). Not that I don’t want to work, and get paid, but if you really want to make sure you don’t suffer thru the down time and expense of waiting for a tech like myself, UPDATE UPDATE UPDATE. Will updates protect you 100%, no, unfortunately in the age of the internet, new and more innovative ways to beat a system come up 100’s of times every day, seven days a week. However, keep in mind, when you leave your house, you lock your door. Why? Will locking your door, protect your house from being robbed? You hope so, and 99% of the time it will. So updating your system is like locking your door, if you don’t lock your door you will eventually get robed. (End Soapbox)

**Lastly – To the people of Haiti and those readers of TGM with family and friends in Haiti. You have our thoughts, during this difficult time.**

Software: Adobe Acrobat and Adobe Reader – Can be used to infect your pc

Adobe has sent out an alert (LINK: http://www.adobe.com/support/security/advisories/apsa09-07.html (http://www NULL.adobe NULL.com/support/security/advisories/apsa09-07 NULL.html)) concerning all versions of Adobe Acrobat and Adobe Acrobat Reader (v9.2 and earlier) advising that Acrobat and Acrobat Reader can be used to “Crash and potentially allow an attacker to take control of the affected system”. "There are reports that this vulnerability is being actively exploited in the wild”.

What does this mean to you-

- As of now if you have either Acrobat Reader or Adobe Acrobat installed, you could get your computer infected by clicking on specifically designed pdf document that you receive via email. It’s also likely that the email you receive would appear to be from someone you know, who would have opened the email and clicked on the pdf, infecting themselves and forwarding it to everyone in their email lists.

- As of now, the infection rate for this is still considered to be low but as with any other vulnerability that is known and “in the wild” (meaning that bad guys can go online and find out details on how to use this), it is expected that within time, you will see this vulnerability used in more ways by the bad guys.

- “Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue”

- In the mean time you have a couple of options

Option #1) Using the recommended steps by Adobe

disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Option #2) You can go to Add/Remove Programs (Control Panel –> Add/remove programs or Programs and features depending on your version of Windows) and uninstall Adobe Acrobat or Adobe Acrobat Reader and then install one of the many PDF alternatives. TechGeekandMore recommends the Foxit Reader (LINK: http://www.foxitsoftware.com/pdf/reader/reader-interstitial.html (http://www NULL.foxitsoftware NULL.com/pdf/reader/reader-interstitial NULL.html)) which is not currently affected by this vulnerability.

- Additionally, it is also recommended as always, to make sure your Anti-Virus, Anti-Malware software is current and updated to protect your pc.

Software: Microsoft Malicious Software Removal Tool

I ran into a situation recently with a client who clicked on a link they shouldn’t have, causing their pc to get infected with what is commonly known as nagware/scareware. This is when your pc pops up messages saying its infected (With official looking screens that make you believe that its part of your operating system) and if you “buy” their product that your machine will be cleaned for you.

One of the many tools you can use to check/clean your pc is called the Microsoft Malicious Software Removal Tool. Every month when Microsoft releases its updates for Windows, they also include this tool, so as long as you have been doing your Windows Updates on a regular basis you should have the latest version of this software installed.

The MS Software Removal Tool is overlooked many times, even by tech’s because MS does not have it install in your start menu and unless you know how to get to it, it isn’t easy to find (Not sure why this is done, MS should make this software easier for users to find, but that’s just my opinion).

So if you need to run the Software Removal tool, how do you get to it? Here are some simple steps for the MS SRT.

1) From your Start Button – Click on Start –> Run –> and type MRT in box and click ok

2) You will see the Malicious Software Removal Tool Window open. Here is a Key (BIG KEY), make sure that on the top it says the current month (The new version comes out on the 2nd Tuesday of the Month with the standard Updates normally).

If you are in November and the Window says June (Example) then we have 2 things going.

-> Your Malicious Software Removal Tool is seriously out of date and will probably not be updated to cover all the new versions of Malicious Software.

-> You probably haven’t been doing your Windows Updates or your updates are not installing properly. In either case you need to address that.

If your MS Malicious Software Removal Tool is out of date, you can directly download the updated version from the Microsoft Website (32bit Windows LINK: http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en (http://www NULL.microsoft NULL.com/downloads/details NULL.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en)) (64bit Windows LINK: http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en (http://www NULL.microsoft NULL.com/downloads/details NULL.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en)) or by running your Windows Updates and making sure all updates are selected.

3) If your Malicious Software Removal Tool is up to date, then just click on Next, where you will get 3 choices. If your pc is not showing any signs of infection and you are just running this as part of a regular maintenance program, you can select Quick Scan. If your PC is showing signs of trouble (Infection, slowness, unable to access specific websites), then you will want to run a Full Scan.

4) Once you select the type of scan you want and click on Next you will see the scanning window.

5) Once completed, you will either be told your pc is clean or a list of the infections that were found and cleaned will appear. Just hit finish. If anything was found, then I would recommend rebooting and then running the Malicious Software Removal Tool again after the reboot as many times, infections can reappear on reboot.

Since the MS Malicious Software Removal Tool has a limited number of malware that its designed to clean (It focuses on the most common types) and because it does NOT have a live monitor feature, this software should only be considered an additional tool in the fight against the bad guys (Malware, Spyware, Scareware, Viruses). This software is not a replacement for an anti-virus product. If you need an anti-virus product Microsoft offers Microsoft Security Essentials (LINK: http://www.microsoft.com/security_essentials/ (http://www NULL.microsoft NULL.com/security_essentials/)), in addition to the many offerings both paid and free from other vendors (LINK: http://techgeekandmore.com/2009/11/05/software-what-every-windows-pc-user-should-have-installed-to-secure-their-pc-part-1-anti-virus/ (http://techgeekandmore NULL.com/2009/11/05/software-what-every-windows-pc-user-should-have-installed-to-secure-their-pc-part-1-anti-virus/))

Tech Geek and More

Technology Explained for All

Category Archives: Spyware