Gen-Tech Enterprises – technology & you

February 25, 2010

Network Attacks

Recently either I was, or my ISP was, the target of a drive-by attack. My Internet suddenly froze up and stopped working. I have my network designed so I’m behind two NAT routers. Been this way for years. When I couldn’t find any kind of virus or malware on the machine, I figured it was time to check the router logs.

I had no problem connecting to my internal LAN router and when I did, the logs weren’t telling me anything. Next I went into the routing tables of the internal router and there it was. Somehow the external WAN router had a strange gateway and IP address (116.97.116.101), but I couldn’t log into my external WAN router. After clearing, rebooting and reconfiguring all the settings, I was back up and running. Did another malware scan just in case and found nothing. I’m betting if I didn’t have the second router on the network, I’d still be killing bugs.

Now it was time to find out where this rogue address would lead, and of course, “The connection has timed out”. Did a Google search for the address and found some interesting info from this link: http://whois.domaintools.com/mavr-best.com

Whois is a database of Internet address allocations and domain ownership records. There are a number of useful and valuable tools on the Whois.domaintools site. Windows has a set of these tools built in. (In another article I’ll show where they are and how to use them.)

I used a trace-route tool on the rogue address, which ended at a domain in Asia. (no surprise there) The information below is what I found on the Whois site.

+++++++++++++++++++++++++++++++++++++++++++++++++++

Here’s what we know about mavr-best.com:

* “GHS” owns about 110 other domains
* lidenezretr@yahoo.com — is a contact on the whois record of 2 domains
* 1 registrar has maintained records for this domain since 2009-05-10
* This domain has changed name servers 3 times over 1 year.
* Hosted on 3 IP addresses over 1 year.
* 11 ownership records archived since 2009-05-12.
* Wiki article on Mavr-best.com

Registration Service Provided By: WEBST.RU
Contact: +7.9139079575
Website: http://webst.ru/

Domain Name: MAVR-BEST.COM

Registrant:
GHS
Antony        (lidenezretr@yahoo.com)
Fools home 23/45
Beliz
Belize,4577877
BZ
Tel. +087.512347634434

Creation Date: 10-May-2009
Expiration Date: 10-May-2010

Domain servers in listed order:
ns2.suspended-domain.com
ns1.suspended-domain.com

Administrative Contact:
GHS
Antony        (lidenezretr@yahoo.com)
Fools home 23/45
Beliz
Belize,4577877
BZ
Tel. +087.512347634434

Technical Contact:
GHS
Antony        (lidenezretr@yahoo.com)
Fools home 23/45
Beliz
Belize,4577877
BZ
Tel. +087.512347634434

Billing Contact:
GHS
Antony        (lidenezretr@yahoo.com)
Fools home 23/45
Beliz
Belize,4577877
BZ
Tel. +087.512347634434

Status:SUSPENDED
Note: This Domain Name is Suspended.
In this status the domain name is InActive and will not function.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

As you look down through the information you’ll see the domain name “mavr-best” has changed name servers 3 times in the last year, was hosted on 3 IP addresses in the last year, and had 11 ownership records over the past year. (that can’t be good)

The registrant name and address are also a bit strange (bad spellings and such). By following the link for the Wiki article on Mavr-best.com, I was able to see an excerpt of the site. The only excerpt available looked like this:

100.111.99.117.109.101.110.116.46.119.114.105.116.101.40.39.60.101.109.98.101.100.32.115.114.99.61.34.104.116.116.112.58.47.47.109.97.118.114.45.98.101.115.116.46.99.111.109.47.105.110.99.108.117.100.101.47.115.112.108.46.112.104.112.63.115.116.97.116.61.79.116.104.101.114.124.85.110.107.110.111.119.110.124.85.83.124.85.110.107.110.111.119.110.34.32.119.105.100.116.104.61.49.48.48.48.32.104.101.105.103.104.116.61.49.48.48.48.32.115.116.121.108.101.61.34.98.111.114.100.101.114.58.110.111

If you break these up properly they are all internet and router addresses. Somewhere in the “Mavr-best” website itself is embedded code that executes a handful of malware and Trojan installs. When scrolling to the bottom of the aboutus.org page I came to the topic “Related Websites”. What did I find? You guessed it…

EdenGay.com, Indian-Sex-Hoes.com, IndianWorldSex.com, Premium-Galleries.com, BiLara.com, GayBambino.com, and Mahjoob.com

Clicking the link for the actual site, “http://mavr-best.com”, on the aboutus.org page shows this to be a bad site.
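The dotted-decimal excerpt quoted above is a sequence of decimal character codes. Here is an added Python example, not code from the original post, that decodes such a sequence and lists the traits in the recovered markup a defender would flag; the only input is the excerpt as quoted, with the page’s line breaks removed.

```python
"""Decode a dot-separated sequence of decimal character codes.

Added example, not code from the original post. The excerpt quoted
above is a run of decimal numbers separated by dots; each number is a
character code (0-255), so joining the decoded characters recovers the
hidden markup. The indicator list is the set of traits a defender would
look for in markup recovered this way.
"""
import re
from urllib.parse import urlparse

# The excerpt exactly as quoted on the page, re-joined into one string
# (the page layout had split it across several lines).
EXCERPT = (
    "100.111.99.117.109.101.110.116.46.119.114.105.116.101.40.39.60.101.109"
    ".98.101.100.32.115.114.99.61.34.104.116.116.112.58.47.47.109.97.118.114"
    ".45.98.101.115.116.46.99.111.109.47.105.110.99.108.117.100.101.47.115."
    "112.108.46.112.104.112.63.115.116.97.116.61.79.116.104.101.114.124.85."
    "110.107.110.111.119.110.124.85.83.124.85.110.107.110.111.119.110.34.32."
    "119.105.100.116.104.61.49.48.48.48.32.104.101.105.103.104.116.61.49."
    "48.48.48.32.115.116.121.108.101.61.34.98.111.114.100.101.114.58.110.111"
)


def _fields(text):
    """Split on dots and drop the empty pieces left by leading/trailing dots."""
    return [f for f in text.strip().split(".") if f]


def is_char_code_sequence(text):
    """True when every dot-separated field is an integer in 0..255."""
    fields = _fields(text)
    return bool(fields) and all(f.isdigit() and int(f) <= 255 for f in fields)


def decode_dotted_decimal(text):
    """Turn '100.111.99' into 'doc'; refuse input that is not all character codes."""
    if not is_char_code_sequence(text):
        raise ValueError("not a dotted sequence of character codes")
    return bytes(int(f) for f in _fields(text)).decode("latin-1")


def extract_hosts(markup):
    """Hostnames of every http(s) URL in the recovered markup."""
    urls = re.findall(r"""https?://[^\s"'<>]+""", markup)
    hosts = [urlparse(u).hostname for u in urls]
    return [h for h in hosts if h]


def indicators(markup):
    """Traits a defender would flag: script-written markup, content tags, remote hosts."""
    low = markup.lower()
    found = []
    if "document.write" in low:
        found.append("markup written by script (document.write)")
    for tag in ("embed", "iframe", "object", "script"):
        if "<" + tag in low:
            found.append("content tag <%s>" % tag)
    for host in extract_hosts(markup):
        found.append("loads from external host " + host)
    return found


if __name__ == "__main__":
    decoded = decode_dotted_decimal(EXCERPT)
    print(decoded)
    for line in indicators(decoded):
        print(" -", line)
```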


The actual page is blocked by the domain server and the domain is under suspension. To get a better idea of the site’s reputation, Web of Trust is a great site to see trustworthiness, rankings, privacy and child-safety scores: http://www.mywot.com/en/scorecard/mavr-best.com#comment (you should see this)

This incident is a prime example of the intent and resourcefulness of malware distributors. If a Domain Name Server can become infected, then the bad guys can fool some people into clicking on bad web pages and entering personal information. I discussed this in the article “Web Surfing Protection”. More information on spyware and malware can be found on the Gen-Tech Enterprises home website at http://gentechenterprises.webs.com/spywaremalware.htm

Learning more about how your network operates can be a big advantage in stopping threats at the outside edge. Software and hardware alone are sometimes not enough. You need to know and understand what is happening on your network or your machine so you can keep your computer environment healthy and clean. Remember: always have the latest Microsoft updates, run an updated anti-virus / anti-malware program, and always pay attention to how your computer is acting.

February 18, 2010

Web Surfing Protection

We’ve all been surfing the web loading up on information, looking for games to play, shopping, banking, you name it and we’re doing it. What we tend to forget is that the bad guy is doing the same thing, but he’s looking to you for information. Once the bad guys get what they need, they use your info to get into your banking, scam you through your email, or even set your computer up as a jump spot to do these things to others without a trace back to them. The software behind these sites is called “Badware”: software that fundamentally disregards a user’s choice about how his or her computer or network connection will be used. More information on Badware can be found at stopbadware.org

The first thing to do when browsing the web is to secure your web browser. If you’re using Internet Explorer, make sure you have the latest version and updates installed through Windows Update.

Check your Internet Explorer privacy setting by going to Tools > Internet Options and over to the Privacy tab. Cookies taste good, but some of the cookies from “bad web sites” can leave a bad taste on your surfing if they are allowed to be placed in your cookie cache. Make sure to set your slider to Medium, and check the box to block pop-ups.

IE8 has other protective features built in. Click on the Safety menu on your toolbar and you’ll find a number of other options to protect your browsing. Make sure “Safe Site” is enabled.

If you prefer to use Firefox, which is my default browser, then make sure it also is updated. The latest version of Firefox is 3.6 and can be found at Mozilla Firefox 3.

Firefox 3 or later contains built-in Phishing and Malware Protection to help keep you safe online. These features will warn you when a page you visit has been reported as a Web Forgery of a legitimate site (sometimes called “phishing” pages) or as an Attack Site designed to harm your computer (otherwise known as malware).

These features are turned on by default so unless your security preferences have been changed, you are likely already using them. Phishing and Malware Protection options can be found on the Security Preferences pane. Go to Tools > Options… > Security.

You can test to see if Phishing Protection is active by trying to visit Mozilla’s phishing test site. You should see a page with a warning like this:

Likewise, you can try to visit Mozilla’s malware test site. You should see a similar warning page, confirming that Firefox is blocking Attack Sites as well. With Phishing and Malware Protection turned on, both sites should be blocked from loading.

Google Chrome has this feature too. It is a fast, feature-rich browser and can be picked up from the Google Chrome official site.

__________________________________________

To complement the settings in your browser, there are other programs you can install that help protect you further. One program I am using is called “Spybot Search & Destroy”.

Many of you may be familiar with Spybot – Search & Destroy, but very few people realize the power of this application. Spybot has special protection for browsers to keep malware from infiltrating your system through weaknesses in your browser.

Spybot has many other valuable features that not only keep your browser safe, but keep your system from becoming a boat anchor. These features alert you to possible spyware and alert you when programs are being changed or installed on your system. The newest version is 1.6.2 and can be found on the Safer-Networking website.

You will be redirected to one of the servers holding Spybot. Look carefully for the correct download. (sometimes sites have other products advertised where you would expect the download link for the product you are looking for) Download, install and update right away.

On the first setup screen, choose a custom install and check all components but Icons for the Blind (unless you are blind). Next make certain to check both boxes for permanent protection.

Click Next, then Install. Spybot will then download additional files, so you must be connected to the web during this install process. When asked to do a registry back-up, click Yes. Next, search for updates. I tend to pick a file server closest to me and one that I recognize, but you can use whichever default server is highlighted.

In the update window, check all boxes. Once the update is complete a pop-up will appear telling you to re-immunize. In the main menu on the left click on the Immunize logo, a quick scan will run, once that is finished go ahead and click Immunize on the top toolbar. (indicated here in blue)

Spybot will show how many protected and unprotected items are present on your system. The latest version of Spybot (version 1.6) provides protection for Firefox, Internet Explorer and Opera. After immunization you should have 0 Unprotected items. The number of Protected items and the Total number of items should be the same.

Once you have immunized your system, click on Mode at the top of the window and select Advanced Mode. You will receive a warning message about the dangers of using advanced mode if you do not know what you are doing. What I am about to recommend is reasonably safe, so click on Yes to enable advanced mode.

Now click on Tools and then on Resident. Make sure you have a check next to the following options in the Resident screen:

  • Resident “SD Helper” (Internet Explorer bad download blocker) active; and
  • Resident “TeaTimer” (protection of overall system settings) active.

The last step in Spybot for now is the configuration of your Hosts file. Your Hosts file is like an address book for Internet addresses. Each time you enter a website address into your browser, it first looks in your Hosts file, and if the address is not found there, it looks in a very big ‘address book’ on the Internet (DNS). Spybot adds a list of websites known for browser hijacks, malware installations and other kinds of bad behavior to your Hosts file, mapping each site’s name to 127.0.0.1, which is the IP address of the local host (your own computer). Each time a request is made to visit or display ads from one of these bad websites, the browser is sent to your local machine instead, effectively preventing the bad website (or ads from such a site) from loading.

To add this list to your Hosts file, click on Tools in Advanced Mode, put a check in the window next to Hosts File, then go over to the left and click on the Hosts File icon.

Next click on the Add Spybot-S&D hosts list button (shown below highlighted in blue). Spybot makes a backup of your current Hosts file each time you make changes to it through Spybot. Spybot stores the last 6 backups of your Hosts file, so you can easily restore your old Hosts file by clicking the Restore backup button and choosing a relevant restore date from the list.
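The hosts-first lookup and the 127.0.0.1 sinkhole described above, as an added Python example (not code from the post or from Spybot). The hosts file content and the stand-in DNS table are constructed for the example with placeholder .test names; the last function flags the one kind of entry a blocklist never adds, a name pointed at a remote address, which is what a hosts-file hijack looks like.

```python
"""Hosts-file lookups and a sinkhole/hijack check.

Added example, not code from the original post or from Spybot. It
models what the post describes: the resolver consults the hosts file
first and only falls back to DNS for names that are not listed, and a
blocklist works by pointing bad names at 127.0.0.1. The hosts content
and DNS table below are constructed for the example; the .test names
and 203.0.113.x / 198.51.100.x addresses are placeholders.
"""
import ipaddress

# Constructed hosts file: the Windows default line, two sinkholed
# entries in the style a blocklist adds, and one entry that redirects a
# bank's name to a remote address (the shape of a hosts-file hijack).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-badsite.test     # added by blocklist
127.0.0.1       www.example-hijacker.test
203.0.113.45    online.example-bank.test     # NOT a loopback target
"""

# Stand-in for the "very big address book" (DNS), constructed.
FAKE_DNS = {"online.example-bank.test": "198.51.100.10",
            "www.example.test": "198.51.100.20"}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.

    Lines are '<ip> <name> [<name>...]'; '#' starts a comment. The
    first mapping for a name wins, as the system resolver does.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolve(name, hosts, dns):
    """Hosts file first, DNS second; (None, 'unresolved') if neither knows it."""
    name = name.lower()
    if name in hosts:
        return hosts[name], "hosts"
    if name in dns:
        return dns[name], "dns"
    return None, "unresolved"


def sinkhole_lines(names):
    """Blocklist entries in the form the post describes (name -> 127.0.0.1)."""
    return ["127.0.0.1\t" + n.lower() for n in names]


def find_hijacks(hosts):
    """Entries that send a name anywhere except the local machine.

    A blocklist only ever adds loopback (or 0.0.0.0) targets, so any
    other address in the hosts file redirects traffic for that name to
    a machine the user did not choose and deserves a look.
    """
    hijacked = {}
    for name, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_unspecified):
            hijacked[name] = ip
    return hijacked


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example-badsite.test", "www.example.test", "online.example-bank.test"):
        print(host, "->", resolve(host, table, FAKE_DNS))
    print("suspicious entries:", find_hijacks(table))
```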

__________________________________________

Remember that the best way to be safe is to follow these simple rules:

Keep your PC current with the latest software updates and patches.

  • Apply the latest security updates and patches to your software programs and operating systems and enable automatic updates where possible. Since cyber criminals typically take advantage of flaws in software to plant malware on your PC, keeping your software current will minimize your exposure to vulnerabilities.

Protect your PC with security software.

Choose secure passwords.

  • Use a combination of letters, numbers and symbols and avoid using your login name and your first and last names. Avoid using the same password for all your login needs. Don’t use the same password for your banking site that you use for your social networking sites. Change your password every few months.

Protect your personal information.

  • Beware of unexpected or strange-looking emails and instant messages (IMs) regardless of sender. Never click on links in these emails and IMs. Never provide personal information in your email or IM responses.
  • Beware of web pages requiring software installation. Scan programs before executing. Always read the end user license agreement and cancel if you notice other programs being downloaded in conjunction with the desired program.
  • When shopping, banking or making other transactions online, make sure the website address contains an “S”: https://www.bank.com. You should also see a lock icon in the lower right area of your web browser.

Having good surfing habits and using protection will give you a better surfing and computing experience, and will keep your PC in the condition you want it in.

Happy Surfing and as always “Be Safe Out There”

February 16, 2010

How To Manage UAC Notifications in Windows 7 & Vista

Disable UAC on Windows 7

One of the more annoying features of Windows Vista was UAC (User Account Control) popping up and asking permission for about everything. In Windows 7 it is a lot more manageable, and today we’ll look at how to manage it or disable it completely.

The purpose of UAC is to inform you when a program makes changes that require administrator permissions. It is a security feature that will block malicious software from making key system changes without your permission.

To manage UAC notification settings go to Start \ Getting Started \ Change UAC settings.


By default it is set to notify you when programs try to make changes to the computer, which is already a less annoying setting than Vista had. You can adjust the level to what you’re most comfortable with, and to turn it off completely slide it down to Never notify.

A reasonable setting if you’re hesitant to turn it off is having it notify you without dimming the desktop and stopping everything you’re doing just to address it.

If you turn it off and are logged in as Administrator you will no longer be bothered with it at all. Standard users will not be able to make any changes that require Administrator privileges.

If you’re a power user and make a lot of tweaks to your system then you will definitely like the fact that you can adjust UAC settings more easily in Windows 7 than in Vista.

————————————————-

Disable UAC on Windows Vista

Open up Control Panel, and type in “UAC” into the search box. You’ll see a link for “Turn User Account Control (UAC) on or off”:

On the next screen you should uncheck the box for “Use User Account Control (UAC)”, and then click on the OK button.

You’ll need to reboot your computer before the changes take effect, but you should be all done with annoying prompts.
————————————————————–

Disable User Account Control (UAC) For Administrators Only

If you can’t stand the User Account Control prompts, but you’d still like to retain a little bit of security, you can disable it for Administrator accounts only. What you’ll be doing is actually changing Windows Vista to automatically elevate the privilege level for administrators without prompting.

Note: Disabling UAC will lead to a less secure system, so be warned.

The nice thing about doing it this way is that regular users as well as Internet Explorer still run as regular users, and would still use the normal security mechanisms.

To configure this setting on Windows 7 / Vista Business and Ultimate, you can use the Local Security Policy configuration. Just type in secpol.msc into the Start menu search box and hit enter.

Now browse down to Local Policies \ Security Options and find the following in the list: “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode”. Double-click on it.

Change the setting to “Elevate without prompting”. You should be all done.

For Windows Vista Home users, the Local Security Policy doesn’t come with the distribution, so you’ll have to use the following registry file.

http://dc191.4shared.com/download/223401382/8e62e578/DisableUACforAdministrators.zip

Just download, extract and double-click on the registry file to add the information into the registry. Another registry file to re-enable UAC is also included.

What’s the Google “Buzz” All About?

Google has unveiled its new social network “Buzz”. The site runs from within Gmail, as long as you have a Gmail account. Once you’re logged into your Gmail account you will see the familiar red, yellow, blue and green icon in the left pane under your inbox that says Buzz.

When first activated you have the opportunity to add or connect other networks that you use. At this time there are only 6 sites to choose from: Twitter, Picasa, YouTube, Google Reader, Google Chat Status and Flickr. Amid privacy concerns the auto-follow was removed, so you’ll have to add anyone on your contact list yourself.

I added my Twitter and YouTube accounts, and Buzz automatically added my Google Reader and Picasa accounts. They aren’t activated until you click the add button in your profile settings. As far as I know, I only have Picasa installed locally. I can’t help but wonder what .dat file in Picasa is advertising my presence to Google.

After logging in and adding networks you’ll need to fill out your profile to be listed on Google’s search engine. So I went about doing just that. Once I was finished the profile page came up and I have to say it looked more like an oversized, differently colored “Twitter” page than what I was expecting. (Google Buzz won’t be taking Facebook followers any time soon)

First test I did was to share a page in Twitter from one of my other sites using AddThis from my Firefox toolbar. Buzz is said to have the ability to “retweet” your post onto your Buzz profile. I did see a post from 3 weeks ago but I posted that one directly. I haven’t seen the test one yet. (and I keep refreshing hoping to be surprised) It did however send me an email of that Feb 15th post.

Next I tested a shout from my YouTube account. Still nothing. I clicked on the Google Reader icon on my Buzz profile page, and it brought me to a Google Reader page that was all shared items from YouTube. The last entry was 1/20/10, and today is 2/15/10. I also made a post in Buzz and haven’t seen it on Twitter. After doing some searching I found a few apps that you can install as add-ons to your browser that will indeed re-post to your other accounts.

Google has many Gmail users that have their calendars and other apps set up in Gmail and on their iGoogle page. For these users Buzz will provide another avenue of conversation without having to log in to a different account.

According to both the Wall Street Journal and the Los Angeles Times, the company has set up a “war room” at Google headquarters that monitors what users are saying about Buzz, and that the company plans to make further changes to the service in response to that feedback. The most recent changes to the service — in which Google switched from an auto-follow approach, where users found themselves following Gmail and GTalk contacts automatically, to a “suggested follow” approach — was made on Saturday by a group of Google engineers and senior executives including VP Brad Horowitz and senior engineering VP Jeff Huber. The changes are being rolled out this week.

While the company has been applauded by many for its rapid response to user complaints and the addition of new features, that doesn’t seem to have placated some privacy advocates, who say Google’s approach was wrong from the beginning. According to the LA Times, the Electronic Privacy Information Center is planning to file a complaint with the Federal Trade Commission over Buzz. “The bottom line is that self-regulation is not working,” center director Marc Rotenberg told the newspaper. “Google pushes the envelope, people scream and they dial back the service until the screaming subsides.”

As far as me using Buzz, I think it will have to be able to do and show a lot more for me to get excited over.

February 14, 2010

Open Firefox Tabs at the far right

Firefox 3.6 includes a new feature: a tab opened from a link (a hyperlink targeted to open in a new window or tab, a middle-clicked link, or a right-clicked link with “Open Link in New Tab” selected) is inserted right after the currently active tab that contains the link. This keeps related tabs together: the original web page and the pages opened by following its hyperlinks are grouped next to each other in the Tab bar.

A blank new tab continues to open at the far right end of the Tab bar. Before Firefox 3.6, all new tabs were added at the far right end of the Tab bar. The change makes Firefox tab behavior more similar to Internet Explorer, specifically IE7 and IE8.

Firefox users who can’t get used to the new tab opening style, and want to revert to the old way of opening new tabs, where all new tabs are added at the far right end of the Tab bar after all existing tabs, can use the following how-to trick to make the change.

Follow this link and use these simple instructions:

How to Open New Tab At the End of Tab Bar After All Existing Tabs in Firefox and Disable Insert Next to Current Tab

Remove Update (KB977165) Causing PC to Crash

Microsoft has halted distribution of one of the XP patches released on February Patch Tuesday, which happened earlier this week. The company wants to investigate reports of the dreaded Blue Screen of Death (BSOD) as a result of the patch.

The issue is that when the system attempts to reboot, it halts with a BSOD. On its support forums, the thread has a temporary answer from Microsoft for those experiencing the BSOD: instructions on how to uninstall the particular Windows update (KB977165) that is causing it.

1. Boot from your Windows XP CD or DVD and start the recovery console (see this Microsoft article for help with this step)

Once you are in the Repair Screen …

2. Type this command: CHDIR $NtUninstallKB977165$\spuninst

3. Type this command: BATCH spuninst.txt

4. When complete, type this command: exit

This isn’t the first time a Microsoft update has caused issues. It’s also not a “feature” limited to Windows updates alone.

Auto Update Crashes PC

Microsoft has removed one group of patches it released as part of this week’s Patch Tuesday, MS10-015 (KB977165), from its Windows Update service until it can investigate reports by some users that it is causing havoc with their PCs.

Microsoft provided an update on the Microsoft Security Response Center (MSRC) blog on February 11 about its actions, after a day of reports by users with problems, including some XP users claiming blue-screen-of-death (BSOD) issues seemingly resulting from application of the KB977165 patch.

Microsoft claimed the number of users experiencing problems as a result of the patch was “limited.” More from the blog post by Jerry Bryant, Senior Security Communications Manager Lead:

“(W)e have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. Our teams are working to resolve this as quickly as possible. We also stopped offering this update through Windows Update as soon as we discovered the restart issues. However, those using enterprise deployment systems such as SMS or WSUS will still see and be able to deploy these packages.”

Microsoft is advising customers to apply the other patches it released this week, as there have been no reported problems with them, according to Bryant.

You can find more about this on ZDNet News.