webDotWiz Online has a Space: Security

Malicious Software Removal Tool – Key Findings for July to Dec 2007

Mon, 23 Jun 2008 09:30:08 GMT

You can download the full report, Microsoft Security Intelligence Report (July through December 2007) - Key Findings Summary, but here are some figures for Australia for July to December 2007.

webDotWiz’s attention was drawn to this report from a blog entry by Sandi, Microsoft Security Intelligence Report (July through December 2007) - Key Findings Summary (Australia, Canada, Germany, Japan, Netherlands and Norway).

Here are Australia’s results:

During each month in the second half of 2007, the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 204 Windows-based computers it was executed on.
Zlob (Trojan) 6.9%
Starware (Potentially unwanted software) 4.4%
Hotbar (Adware) 2.7%
WhenU (Adware) 3.3%
Winfixer (Potentially unwanted software) 2.7%
Agent (Trojan and trojan downloader) 2.6%
All others - 77.7%

Other important notes from the key findings summary (all countries)

The total amount of malware removed from computers worldwide via the Microsoft Malicious Software Removal Tool (MSRT) increased over 40% during the second half of 2007 to more than 450 million unique computers worldwide per month.

During the second half of 2007 there was a 300% increase in the number of trojan downloaders and droppers detected and removed.

The most prevalent rogue security software detected in the second half of 2007 was Win32/Winfixer, with more than five times as many detections as any other single family. Winfixer displays erroneous alerts warning of severe system threats. The program then offers to remove the erroneous detections for a fee. These warnings appear under multiple false product names in several different language versions.

129.5 million pieces of potentially unwanted software were detected between July 1 and December 31 2007, resulting in 71.7 million removals. These figures represent increases of 66.7% in total detections and 55.4% in removals over the first half of 2007.

Adware remained the most prevalent category of potentially unwanted software in the second half of 2007.

The top potentially unwanted software family detected in the second half of 2007 was Win32/Hotbar.

Technorati Tags: Malicious Software Removal Tool,Malware,Exploits,Security

Update the Adobe Flash player (to version 9.0.124.0)

Thu, 10 Apr 2008 10:24:41 GMT

As of writing, you are strongly urged to update the Flash player to the latest version (9.0.124.0) to better protect yourself from malvertisements.

Courtesy of Sandi:

Please update Flash

A security update has been released - details here:
http://www.adobe.com/support/security/bulletins/apsb08-11.html
You can install the update via this URL:
http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
Make sure the version installed on your computer after the update is 9.0.124.0 (you may need to restart Internet Explorer).
If you need to distribute Flash in a corporate environment such as an intranet, you can apply for a distribution licence - see here:
http://www.adobe.com/licensing/
After you register you can download EXE, MSI or MSM installers (and DMG, GZIP and RPM for non Windows users) as well as an SMS catalogue.

Thanks to Sandi's investigations, research and examination of the malvetisement criminal activity over the past months, Adobe have brought out an update to the Flash player - take advantage of this update - it's imperative you do so.

Posted using Windows Live Writer.

Technorati Tags: Flash player,malvertisements,malware,exploits

Do not click on this advertisement!

Mon, 07 Apr 2008 06:17:09 GMT

Courtesy of Sandi's blog (Spyware Sucks at http://msmvps.com/blogs/spywaresucks/)

Here is a screenshot:

If you click on the advertisement you may end up at a web site hosting Exploit.HTML.IframeBof and Trojan-Downloader.JS.Multi.av.

We can safely view the target web page by using a web sniffer. When we do that we discover that a couple of lines of code have been added to insert an iframe that loads content from two different chinese URLs.

Posted using Windows Live Writer.

Technorati Tags: Malware,malvertisements,exploits,viruses,trojans

Oxfam impersonated by Errorsafe pimps - Spyware Sucks

Fri, 29 Feb 2008 23:25:49 GMT

Sandi (at http://msmvps.com/blogs/spywaresucks/) has been tracking down and exposing malicious Flash ads for months now and this Oxfam impersonation is one of the worst cases she's come across so this post is in support of her efforts.

The link to her latest post is below.

Other posts from her blog include the following:

Adobe Flash is turning into the Typhoid Mary of the Internet: msmvps.com/blogs/spywaresucks/
Beware Unexpected e-Valentines: redtape.msnbc.com
Cleanator advertised on groups.msn.com (Malicious Flash ad): msmvps.com/blogs/spywaresucks/
Critics Throw Stones At Security Of Adobe's Flash: www.informationweek.com
Detecting potentially malicious advertising campaigns: msmvps.com/blogs/spywaresucks/
Fraudware targetting the MAC: msmvps.com/blogs/spywaresucks/
Malicious advertisement at diepresse.com: msmvps.com/blogs/spywaresucks/
Malicious advertisement on MySpace.com: msmvps.com/blogs/spywaresucks/
Malicious banner advertisement at 123greetings.com: msmvps.com/blogs/spywaresucks/
Malware - Happy Stormy New Year: blog.trendmicro.com
Malware - Roasting on that Open File: blog.trendmicro.com
Who is behind malicious Flash advertisements: msmvps.com/blogs/spywaresucks/

Oxfam impersonated by Errorsafe pimps - Spyware Sucks

Posted using Windows Live Writer.

Technorati Tags: Malware,malicious Flash ads,scareware,fraudware,security,viruses

Installing Windows Live OneCare - webDotWiz's experience

Thu, 25 Jan 2007 10:57:00 GMT

So you've got a rough idea of what to expect when you install Windows Live OneCare, here are some of the steps the install wizard will go through.

Reminder: if you tried out OneCare for the free 90-day period, you'll probably get an email with an invite to install the new, full version at the special discount price of $39.95 (Australian dollars; up to 3 computers). If you didn't try the free version, go to http://get.live.com/onecare/introCC1 to get the special discount price (available until Feb 12).

webDotWiz clicked the link in the email he received, Special offer for Beta participants and was taken to a page where he selected his language/country.

After signing in to his Windows Live ID, he had to drag out his dust-covered credit card and give all the necessary details. Then the download and install started - the page gives you the estimated time and it's pretty accurate.

Now like all good webDotWizards, webDotWiz has been using AVG Free for virus protection and Windows Defender to ward off spyware. OneCare knows about AVG Free and it'll popup to tell you it's going to remove it. After AVG Free goes through it's removal process, untick the box that AVG shows because it wants to restart your computer. Don't worry because after you've unticked that box and you come back to the OneCare install screen, OneCare tells you to restart - just click to Finish and it'll do it.

After your computer restarts, OneCare will prompt you to finish installing online. You'll get a Good status (in bright, shiny green).

A few seconds later you'll be prompted to Activate your subscription - click the button to do so.

You'll have to give a name for your computer (if you've got a home network you may not have to do this because your computers will each have a name).

Sign in again to your Windows Live ID and OneCare goes off to check if you've got an existing OneCare account. After a bit, OneCare will be happy and you're activiated.

That's it.

Technorati tags: Windows Live OneCare, installing, security, antivirus, antispyware

Windows Live OneCare now available for Australia (at a discount) - get it

Thu, 25 Jan 2007 10:23:13 GMT

The release of Windows Live OneCare has been publicly advertised as January 30 but it's available now - get it - at a discounted price until February 12.

Those who tried out the earlier version using the 90-day trial period (it wasn't possible to buy it in Australia so those of us who tried it had to remove it after 90 days) should receive an email from the OneCare team with an invite to purchase at the special price. Here's part of the email that webDotWiz received:

Special, Limited-Time Introductory Offer for Beta Users
To show our appreciation for our beta participants, we are offering you the full, released version of Windows Live OneCare at a price of $19.95 for one year. This offer is over 60% off the full retail price and covers up to 3 Windows XP or Windows Vista PCs. The offer will expire February 12, 2007, so be sure to take advantage of it soon.

That $19.95 is the U.S. price and webDotWiz remembers being charged $39.95 for his Australian version but that's a good price for what OneCare does (and you can install OneCare on 3 computers).

Even if you weren't a beta tester (i.e., used up the 90-day free trial or were able to purchase a copy if you were in the U.S.) you can go to http://get.live.com/onecare/introCC1 and purchase OneCare at the special price (until Feb 12).

Windows Live OneCare provides the following:

antivirus
antispyware (via Windows Defender if you haven't already got it installed)
2-way firewall (XP service pack introduced a one-way firewall to protect us only from nasties coming in; a 2-way firewall stops nasties that may have got onto your system from doing more damage by trying to do their nasty work on other computers on the 'Net)
backup and restore (a monthly reminder to backup; knows to backup to a DVD if you've got one - webDotWiz's favourite feature; after the first big backup, monthly backups are incremental onto the same DVD if there's space)
tuneups (clean up and disk defragmenting in the background)

Everything runs in the background without slowing down your computer (even old, slow ones like webDotWiz's) or being intrusive with popup messages.

For more info, see the Windows Live OneCare team blog and Liveside.

Technorati tags: Windows Live OneCare, download, available for Australia

Windows Live OneCare now available

Wed, 31 May 2006 11:50:03 GMT

Windows Live OneCare is now available as a retail product. You can start off, however, with a free 90 day trial and later pay for the service. Note payment for Live OneCare is for up to three computers under the same account (i.e., Windows Live ID).

webDotWiz has decided to try out the service via the free 90-day trial offer. OneCare consists of a anti-virus scanner, anti-spyware scanner (Windows Defender) and an improved two-way firewall (unlike the standard XP firewall which is only one-way). The first step in the installation checks your computer for what security services you're already running (e.g., it found AVG free edition and unininstalled it on webDotWiz's machine) before installing the OneCare package.

For a full list of what OneCare does, see the Service overview page at the OneCare site and to keep up to date with news from the OneCare team, visit their Space.

Live Safety Centre goes global

Mon, 29 May 2006 11:05:12 GMT

The Windows Live Safety Center at http://safety.live.com is a free online antivirus and anti-spyware scanning service to rid your computer of nasties. The team has just announced that it's now available in 43 languages with more to come.

By the way, if you're using Live Messenger, check the Activities menu tab because you may find you can help out family and friends by running a Safety scan for them inside their copy of Live Messenger. Here are the details.

Talking about OneCare now certified by ICSA and WCL

Fri, 26 May 2006 10:28:27 GMT

WindowsLive OneCare is a full service to protect your computer and when the full service begins, it will become very attractive, both in features and price, for individuals and organisations. Reports indicate OneCare offers excellent protection against viruses and malware and keeps your computer tuned for best performance.

Quote

OneCare now certified by ICSA and WCL

Windows Live OneCare – ICSA Labs and WCL Labs certified
My name is Girish Bablani and I am the engineering manager for Windows Live OneCare. Yoav thought it would be interesting for some of the managers on the OneCare effort to share their thoughts on the product and so here I am.

I have been a reader of this space and now am really excited to be blogging on it as well. I think this forum is invaluable for exchanging views between the people working on the product and you who are really helping us make the product better.

Today I will talk about 2 things – Windows Live OneCare earning industry certifications and share a personal experience with OneCare Advisories.

Windows Live OneCare becomes a certified service
First, we have some great news to share. The final version of Windows Live OneCare – coming soon to a retail store near you – has been certified by ICSA Labs as an effective solution to combat viruses and other forms of malicious code as well as providing a quality firewall service. In addition, OneCare has achieved West Coast Lab’s Checkmark certification, meeting the lab’s criteria for protection against malware. These certifications are evidence of our commitment to deliver a comprehensive, quality PC Care product and another key milestone in the product development process.

For those of you unfamiliar with the certification process – in short, it is an official recognition from an independent 3^rd party organization that OneCare is effective in helping protect your PC from malware. This means that our customers can be more confident than ever that OneCare is effectively helping protect their PCs. We’ve worked hard to achieve this important certification and we’re thrilled that we get to share this news with all of you. This is a major milestone and we thank you – our customers – for helping us get there. We also want to thank our partner teams for helping us get there - see Matt Braverman's blog for more on this topic: http://blogs.technet.com/antimalware/archive/2006/05/25/430279.aspx

Windows Live OneCare Advisory – A Story
Second, I wanted to share a story with you which was very motivating for me and keeps on reminding me how much we can simplify a customer’s life by having a service backing up our software. If you remember in late November there was an attack with a new variant of the Sober worm which was characterized as the biggest virus outbreak ever by some media. The story on the attack and the virus was all over the media, and of course people who read or heard the news were nervous about whether they were protected or not. One such person happened to be my neighbor. He was someone who I had persuaded to install OneCare. Anyway to cut a long story short, when our operations team realized that the Sober news was blanketing the world they sent out an advisory that stated that if a OneCare machine was “green” it

WMF security patch released early

Fri, 06 Jan 2006 05:42:21 GMT

The Windows Meta File vulnerability in IE has been patched early by Microsoft. Yesterday it was announced that the patch would be part of the monthly update process (due next Tue, January 10) but the patch has been released five days in advance after all necessary testing had been satisfactorily completed.

We don't have to do anything to download and install as Automatic Updates looks after everything.

Via to Bink and Scoble.

Rogue antispyware in web page banner ads

Wed, 04 Jan 2006 09:17:26 GMT

Mark Russinovich of Sysinternals has a timely discussion under the heading of The Antispyware Consipiracy about the real dangers being posed by web page banner ads that lead to sites offering dubious, and in some cases rogue, antispyware software.

The most innocuous of malware-like antimalware behaviors is to advertise with web site banners and popups that mislead average users into thinking that they have a malware problem. Most of the advertisements look like Windows error dialogs complete with Yes and No buttons, and although the word “advertisement” sometimes appears on the dialog background, the notice is usually small, faded and far from the area where users focus their attention. Even more unlike Windows dialogs, however, is the fact that clicking anywhere on the image, even the part that looks like a No button, results in the browser following the underlying link to the target page.

Read Marks' complete article to acquaint yourself with the types of ways that these companies force us to respond. In particular watch out for Spyware Cleaner, Spyaxe and SpySheriff, the latter being particularly vicious in that it will install malware and spyware to an unpatched version of Internet Explorer.

You can follow up Mark's explanation and demonstration by visiting Ars Technica's investigation into anti-spyware and Eric L. Howes' Rogue/Suspect Antispyware products and web sites page.

So keep well away from clicking on any banner ads that promise to "clean" your computer. There is one ad that's used by some sites that comes up with a Windows-like dialogue box asking for a "Yes" or "No" response - click on "No".

Sony Rootkit DRM Roundup Part III

Wed, 23 Nov 2005 10:11:44 GMT

Boingboing has part III of the Sony rootkit fiasco caused by the XCP DRM program secretly installed and the later-discovered Mediamax DRM program whose un-installer also leaves a user's computer more vulnerable to attacks than with the original so-called DRM program.

Phishing filter updated

Tue, 22 Nov 2005 03:42:36 GMT

The MSN Toolbar phishing filter can be downloaded from http://addins.msn.com/phishingfilter/.

The purpose of the phishing filter is to protect us from fraudsters attemtping to send us to bogus bank sites and then steal our sign-in and password information. Read all about it at the link above.

Microsoft Antispyware updated

Tue, 22 Nov 2005 03:11:26 GMT

Get over to the MS Antispyware download page to download and install the latest version.

Thie version is still classed as Beta 1 and the expiration date has been extended to July 2006.

Microsoft tools will remove Sony-BMG rootkit

Mon, 14 Nov 2005 06:16:00 GMT

So we all know what's happening. Microsoft will:

update the definition signature file in Microsoft Anti-spyware so that the Sony-BMG rootkit will be removed (if detected). The Anti-spyware definition file is usually updated weekly and if you're using the default settings, it's an automatic update.
update the Microsoft Malicious Software Removal Tool that runs every month as part of the Windows and Microsoft Update cycle (usually the second Tuesday of the month) so that it too will look for the Sony-BMG rootkit and, if it's on your computer, remove it.
Windows Live Safety Centre will have its scanning definitions updated so it too will carry out a similar operation to the tools above. Windows Live Safety Centre is the new free online Windows Live service to carry out virus scans, etc., online.

Microsoft Phishing Filter

Tue, 25 Oct 2005 05:41:49 GMT

Adding the phishing filter to your MSN Toolbar is another means of protecting yourself against yourself to avoid being caught by criminals who are attempting to steal your personal information (particularly bank details).

webDotWiz has held off for a while but now regards the phishing filter as a mandatory addition to all computers, particularly those used in public.

Internet Explorer 7 will have a phishing filter built-in and it'll become available for IE6 users too. In the meantime, install it from the MSN Addins page. Yes, alright, you'll have to install the MSN toolbar (if you haven't already) but you might as well get used to tabbed browsing now and the MSN toolbar does a good job of implementing tabbed browsing.

Update: when installing the filter, you'll have to shut down any browser windows (in other words, close IE). There is a message to this effect but it might be hidden under the Installation progress dialogue so before clicking "Install", close IE.

Quote

Phishing is an attempt to gain people’s credit card, SSN, and other personal info. Quite often the method of attach is luring people to official-looking websites that prompt them to enter this information.

MSN Search's WebLog : Microsoft Phishing Filter & Games Add-ins