End of the road for SMTP?

March 8, 2008 – 2:24 PM

Developed when the Internet was used almost exclusively by academics, the Simple Mail Transfer Protocol, or SMTP, assumes that you are who you say you are.

SMTP makes that assumption because it doesn’t suspect that you’re sending a Trojan horse virus, that you’re making fraudulent pleas for money from the relations of deposed African dictators, or that you’re hijacking somebody else’s computer to send tens of millions of ads for herbal Viagra.

In other words, SMTP trusts too much–and that has spam foes, security mavens and even an original architect of today’s e-mail system agitating for an overhaul, if not an outright replacement, of the omnipresent protocol.

“I would suggest they just write a new protocol from the beginning,” Suzanne Sluizer, a co-author of SMTP’s immediate predecessor and a visiting lecturer at the University of New Mexico, said in an interview.

Full story…

TweakUI PowerToy Update

March 8, 2008 – 2:23 PM

While X-Setup is the king of tweakers, that’s sometimes a little overkill when you just want to tidy up a few of your most cherished XP settings. A new interface is the most obvious change with the new TweakUI tool, giving you more of an Explorer sort of feel. The left pane shows expandable categories, with the right side displaying the contents of the selected item. Much more functionality has been added as well, making it a very worthwhile upgrade. Windows XP SP1 or Windows Server 2003 are required, so do bear that in mind.

Windows XP PowerToys

CWS Hijacker

March 8, 2008 – 2:22 PM

A new malware is being distributed that hijacks Internet Explorer start and search settings to one of several different web sites, including coolwwwsearch.com, coolwebsearch.com, youfindall.net, ok-search.com, and white-pages.ws. All of these web sites appear to have an affiliate relationship with coolwebsearch.com in which coolwebsearch pays them for for every visitor they refer. There could be other domains involved in the future. This hijack is similar to the datanotary.com hijack discovered last month. As with that older hijack, the CWS hijack sets Internet Explorer to use a custom style sheet containing javascript that opens a pop up window. In fact, we believe the malware involved with CWS is an updated version of the same malware involved with datanotary.

The start and search settings are changed to an address in which the letters are converted into an unreadable mess of numbers and % symbols to hide the domain name from the user. It also makes it difficult to blacklist the domain. Internet Explorer is able to translate the symbols and load the hijacker’s web site.

An executable file named bootconf.exe is copied to the windowssystem32 folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.

Finally, the malware lists the hijacker’s web site in Internet Explorer’s trusted security zone. Domains listed in the trusted security zone have no restrictions on what they can do. This allows that web site to have virtually unlimited access to the infected computer’s file system. We believe the source of the infections might be activex drive by installers located on pornographic web sites, or possibly trojan programs pretending to be illegal serial number generators. Unfortunately, this is just speculation for now.

Removal Instructions

As of July 8, both Spybot S&D and Ad-aware should repair this hijack. Please use one or the other before doing anything else in an attempt to fix this hijack. If neither program fixes the problems, here are the manual removal instructions:

Download Merijn’s HijackThis program, extract it to a folder of your choice, and run a scan with it.

Look for entries containing numbers and % symbols as in this example, and tick the box next to them:
R1 – HKCUSoftwareMicrosoftInternet Explorer,SearchURL= http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73

Look for any O1 Hosts entries similar to this example, and tick the boxes next to them:
O1 – Hosts: 1123694712 auto.search.msn.com

Look for these entries and tick the boxes next to them (the stylesheet entry may have a different file name):
O4 – HKLM..Run: [sysPnP] C:WINNTSystem32ootconf.exe
O19 – User stylesheet: C:WINNTsystem.css

Click the “Fixed Checked” button to remove these entries, then restart your computer. After Windows has loaded again, delete these files (the stylesheet entry may have a different file name):

Finally, go to Internet Options > Security, and select “Trusted Sites”. Press the “Sites” button. Delete any entries that you know you have not placed in there yourself, such as *.coolwebsearch.com, *.coolwwwsearch.com, and so on.

This article is located at http://www.spywareinfo.com/articles/cws/

Paypal Scam Alert!

March 8, 2008 – 2:21 PM

Do you have a Paypal account? If so, then you need to be aware that, once again, someone is trying to steal your password.These scams are usually easy to spot because Paypal always logs you into your account using a secure page (https:// means secure). In this case, however, the con artist has registered a certificate for use on a secure connection. He has also disguised his web address to make it appear as if it led to Paypal’s web site.

Occasionally you may have come across a page on a web site that asks you to log in using a network password (example). You type in your user name and password and click OK to gain entry. There is a way to avoid having to enter your user name and password. You add your user name and password to the beginning of the internet address. http://my_name:[email protected]/passwd_protected/ is a good example of this.

The scammer’s email gives you a link to ki54ft.worldispnetwork.com/i.cgi, but it includes a user name and password for a password protected directory, and the user name happens to be www.paypal.com. This is the same cute trick used recently by a browser hijacker to fool people into thinking they were loading msn.com.At the web page linked in the email, there is a login form. If the victim fills in their password, they give this scammer their Paypal password, and his script combines that with their email address. After submitting the form, the cgi script redirects the user to the real Paypal login page. This is done in hopes that the victim doesn’t notice anything suspicious. The victim may not realize that anything is wrong until they get the email receipt of the scammer cleaning out their account.

Please, pass this warning along. Too many people fall victim to these scams, and this one is very convincing.


Hack This Site

March 8, 2008 – 2:20 PM

Those of you who want to try your hacking prowess, yet avoid legal entanglements, can try out this site. A lot harder than I thought it would be, but very interesting. The only caveat is that you aren’t allowed to share information about the levels. So if you figure it out, no spoilers.

Click here to try…