Archive - June 2006

The Alternatives... Posted Jun-30-06 10:05:10 PDT

Alternative Browsers: For simplicity, we will ignore the fact that Internet Explorer was once the alternative, while Netscape, Mosaic, Lynx and Opera were the browsers regularly used to surf the Internet. It wasn't until the summer of 1996, when Microsoft introduced IE 3.0, that anyone considered using Internet Explorer... While Netscape, then the number 1 browser, cost approximately $50.00, MS decided to give IE away... Once IE3 was downloaded/installed on a Windows 95 machine, it could not be completely uninstalled... By late summer 1997, MS started shipping Internet Explorer 4 completely integrated into Windows 95, Windows NT and, when later released, Windows 98. In fact, during the first 24 hours IE4 was available online, it was being downloaded once every six seconds. This amounted to the transmission of a whopping 10 terabytes of data! But in a matter of days, security issues began cropping up, and Microsoft began releasing what was to become a very long stream of patches, updates and service packs. The rest is history - that is, if you consider that history ended five years ago with the introduction of IE6. Internet Explorer has been stagnant ever since... Only receiving critical updates and a popup blocker. Then, in June of 2004, the United States Computer Emergency Readiness Team (US-CERT) urged consumers and businesses to stop using Internet Explorer until Microsoft solved the worsening security vulnerabilities and fixed the flaws inherent in its browser... Thus MS's IE7 push to catch up with the browsers found below.
Good Luck!

Internet Explorer Posted Jun-30-06 08:05:53 PDT

Understanding IE's Security Settings: First, there is NO browser that is 100 percent safe... Vulnerabilities are found every day. Those employed by malware purveyors are paid handsomely to develop programs to exploit those flaws... After all, it is a multi-billion dollar business. Browser flaws are patched regularly, though the time between the discovery of a "known" exploit and the patch varies significantly. It can take Microsoft a month or longer to issue a browser update, so, if IE is your preferred browser, keep alert to recently discovered IE vulnerabilities because MS may strongly suggest that you DISABLE some functions in the browser until the patch is made available. Assuming Internet Explorer is your default browser, first scrutinize the rationale behind your preference... If the only answer is that you don't want to switch, that is likely because IE is the browser that came installed on your machine. That's not a choice, just an acceptance. However, if you have tried alternative browsers and you do prefer Internet Explorer over brand-x, then there's nothing really to say... If you don't want to switch, you don't have to. It is your computer. There is nothing wrong with IE as long as you follow a safe practices policy to reduce your risk. This includes keeping your Windows operating system and browser up-to-date and having a basic understanding of Internet Explorer's security zones.

IE's Security Zones: For brevity we'll only discuss ActiveX controls here... For additional information about IE's zones review Internet Explorer Security Zone Controls. Every site you visit is placed in one of IE's zones (Internet, Local intranet, Trusted sites, Restricted sites), and each zone carries its own set of permissions. In the "default" (Medium) configuration of the Internet zone, Internet Explorer refuses outright to download an ActiveX control that has not been signed; for a control that has been signed, and especially one whose certificate comes from a "certifying authority" your machine does not trust, the browser presents a dialog box warning the user that this action may not be safe... The user can then elect to abort the transfer or continue the transfer and take his/her chances. Unfortunately, some Websites will suggest that the visitor move IE's "Internet" zone slider to a lower position to get a particular site function to work... Thus, even though that site may be safe, the action puts the browser into jeopardy when visiting other sites that may contain malicious content, because the Internet zone setting applies to every site not explicitly placed in another zone. If you download an unsigned control and it crashes your machine - hmmmm - guess you could blame the one sitting on the keyboard side of the screen rather than the browser settings. Windows XP Service Pack 2 tightened up some of the active content problems (the Information Bar now holds a blocked control back until you ask for it) and Internet Explorer 7 will restrict active content much more aggressively, though the browser is still bound tightly into the PC's operating system. Currently in IE7 BETA 2 you will find features alternative browsers have incorporated for a few years: tabbed browsing, integrated search (with the ability to add/remove preferred search providers), an RSS reader, one-click privacy purge, a phishing filter, zoom (that works very well), etc... Importantly, Internet Explorer 7 will have a No Add-ons mode (Safe Mode in alternative browsers) that lets you start IE without toolbars, ActiveX controls, or other add-ons that might slow your computer or prevent you from getting online. If you migrate up to IE7, all BHOs (Browser Helper Objects) and ActiveX controls that you used in the previous version will continue to work uninterrupted... Unfortunately, this also means that if a BHO or ActiveX control is scumware, it will continue to function... When encountering any new BHOs or ActiveX controls, IE7 will present you with a series of warning dialogs, which in time will be ignored by most users. The current trend among some malware developers is to mark "Patch Tuesday" on their calendars and schedule a full day's work... "Patch Tuesday", the second Tuesday of each month, is when Microsoft issues OS and IE patches.
Once the patches are released, those developers download the updates, dissect and study them, find the weakness each patch is intended to fix, determine where the patch goes within the OS or IE and then build malware attacking the very vulnerabilities that MS is patching. These are loosely called "Zero-Day Exploits", though strictly a zero-day targets a flaw for which no patch exists yet; what the patch-dissectors produce are exploits for just-patched flaws, aimed at the window between the day the patch is released and the day you install it... Within hours of the patch release, malware has been developed, distributed among malicious sites, put up for sale in an underground market, and new malicious domains opened to infect yet-"unpatched" systems. It is in your best interest to mark "Patch Tuesday" on your calendar also, and to close that window by installing the updates the day they appear. Good Luck!

Stop! - Think! - Click! Posted Jun-30-06 07:29:06 PDT

Risk Reduction: It is quite easy to reduce your risk potential... Stop! - Think! - Click! Starting with yourself: whenever you are at the computer and encounter something unexpected or confusing - a popup window, a plugin that wants to install, a game to download, an email to check - just stop... You've got time. Why would you need to install a plugin to view an eCard? Really? Why can't it just display in the browser? How did the Website you are visiting scan your entire computer file system so quickly when it informed you via a popup window that your computer was infested with spyware? Why is the End User License Agreement for the game you are downloading so long and confusing? Why isn't it written in plain, easy-to-understand language? Those smileys are sooo cute, but do you know anything about the Website you are about to download them from? Do those smileys really enhance your emails? What is in the file you just downloaded? Why did your IM "buddy" Bob drop the link "Sooo FUNNY, check THIS out!" into the middle of a very serious life-changing chat? You just got off the phone with Aunt Millie, so why did she then send you an email with an attachment? Why did she not mention it during your conversation? How do you stop all that "spam"? Why did you get a terse email from eBay warning that your account will be closed in 24 hours? Why did the eBay email cause you to panic; did you really do something wrong? Should you immediately verify your identity as instructed? See, think comes naturally - expand it, don't suppress it. Click is another issue... You have to know when to click... When not to click... And most importantly, what to click! With a little more thought, you will quickly figure it out. Your browser should, even using very strict settings, be able to display an eCard, so don't click the install button (eXit the page - don't click the browser's "Back" button, but either eXit the browser window or tab, OR click a safe "bookmarked" site from your toolbar). A popup tells you your computer is infested? It's a SCAM (don't click any button within the popup window, even if it says "Click HERE to Close", because anything inside a scam popup can be a link; instead RIGHTclick the popup from the Taskbar at the bottom of your screen and click Close from the expanded menu). Don't understand the EULA? Don't click to complete the install. Those smileys may be cute, but until your research determines that the site is safe, don't click anything. That file you just downloaded: RIGHTclick it and select Scan with "your security software" before you install. That link from "buddy" Bob: don't click it (wait until the tone of the chat changes and ask him to post it again; possibly Bob's computer is infected with a virus and he is not even aware that it is trying to replicate via his IM client). Don't click Aunt Millie's attachment (click your email client's "Compose", "Create Mail", or "Write" button and send Millie an email questioning the attachment; her machine may be infected similar to Bob's). In "spam" email, don't click the link "Remove me from your mailing list" (instead, click the Delete button). Though at times it may seem that the inmates are running the asylum, don't click any link within an eBay email (click your email client's Forward button and send the email to spoof@ebay.com). To reiterate, the general "click" rules of thumb:
Understand the basic principles of your browser's security settings... Take into consideration the architecture of any Website that you frequent when adjusting those settings... For this very reason, never-ever place ebay.com into your Internet Explorer's "Trusted Sites" zone. Place your online bank's account page into the "Trusted Sites" zone. Place your online stock trading page into the "Trusted Sites" zone. Place Microsoft's Windows Update page into the "Trusted Sites" zone. The difference is that those pages (and you should restrict the trust to only the server that those secure pages reside on) contain only first-party content... Whereas placing the entire eBay domain, as often instructed, in the "Trusted Sites" zone will allow all content, including third-party content that eBay has no control of nor will accept responsibility for, to run unrestricted. Remember that the "Trusted Sites" zone runs at the Low security level by default in IE6 (IE7 raises it to Medium), so each host you add there should be one that serves only its own content, and you can still move that zone's slider up a notch. Do not place any eBay "owned" domain (example: ebayrtm.com) into the "Trusted Sites" zone UNLESS eBay can provide in clear, easy-to-understand language the full purpose and function of the domain and the cookies it sets... With "trust" comes "transparency".
Keep an eye on your browser's status bar so that you have an idea where that link you are about to click will lead to.
Keep your security tools up-to-date... Your anti-virus application should be running the most current definitions file... Make sure that the update schedule for the software coincides with when your computer is on and connected to the Internet. Your malware detection/removal tools should be running the latest reference files... Update before each scan. Maintain your machine's immunization by periodically checking for updates in those specialized tools mentioned earlier...
Keep your OS and browser up-to-date.
Be Persistent! Be Vigilant! Stop! Think! Click!
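The difference between trusting one secure host and trusting a whole domain is easiest to see in where Internet Explorer actually records the choice. The Python script below is an added example for this post (it is not the blog author's code and not a Microsoft tool); it assumes the per-user ZoneMap registry layout Microsoft documents for IE security zones (zone 2 is Trusted sites, 4 is Restricted sites) and treats the last two labels of a host name as the registrable domain, which is wrong for country-code registries such as .co.uk. The bank host name is made up. zonemap_entry() only computes the registry path and value so it can be checked anywhere; apply_entry() writes it and runs only on Windows.

```python
"""Compute (and optionally write) an Internet Explorer ZoneMap entry for one URL.

Added example for this blog post, not the author's or Microsoft's code.
Assumed registry layout (per-user, so no Administrator rights are needed):

  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
     \<registrable domain>              value "<scheme>" = <zone>  -> covers *.domain
     \<registrable domain>\<host part>  value "<scheme>" = <zone>  -> covers one host

Zone numbers: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
"""
import sys
from urllib.parse import urlsplit

TRUSTED, INTERNET, RESTRICTED = 2, 3, 4
DOMAINS_KEY = (r"Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")


def zonemap_entry(url, zone, whole_domain=False):
    """Return (subkey, value_name, zone_number, covers_subdomains) for url.

    whole_domain=False trusts only this host and only this scheme, which is what
    the post recommends for a bank or Windows Update server.  whole_domain=True
    is what typing "*.ebay.com" into the Trusted sites dialog does: every host
    in the domain, and whatever third-party content those hosts embed, gets the
    zone's permissions.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("need an http:// or https:// URL with a host")
    labels = parts.hostname.split(".")
    if len(labels) < 2:
        raise ValueError("single-label hosts fall into Local intranet, not ZoneMap")
    # Assumption: registrable domain = last two labels (fine for .com/.net/.org,
    # wrong for registries such as .co.uk where three labels are needed).
    domain = ".".join(labels[-2:])
    host_part = ".".join(labels[:-2])            # "" when url is the bare domain
    subkey = DOMAINS_KEY + "\\" + domain
    # A bare domain has no host part to isolate, so it covers its subdomains too.
    covers_subdomains = whole_domain or host_part == ""
    if not covers_subdomains:
        subkey += "\\" + host_part               # e.g. ...\ebay.com\signin
    return subkey, parts.scheme, zone, covers_subdomains


def apply_entry(subkey, value_name, zone):
    """Write the entry under HKEY_CURRENT_USER.  Windows only."""
    import winreg  # ImportError anywhere but Windows
    with winreg.CreateKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        winreg.SetValueEx(key, value_name, 0, winreg.REG_DWORD, zone)


if __name__ == "__main__":
    # Hypothetical hosts; the bank name is made up for the example.
    for url, zone, whole in [
        ("https://online.example-bank.test/accounts", TRUSTED, False),
        ("https://windowsupdate.microsoft.com/", TRUSTED, False),
        ("http://www.ebay.com/", TRUSTED, True),   # the advice the post warns against
    ]:
        subkey, value, z, wide = zonemap_entry(url, zone, whole)
        print(f"{url:45} -> HKCU\\{subkey}  [{value}]={z}"
              f"{'  (applies to EVERY host in the domain!)' if wide else ''}")
    if len(sys.argv) > 1 and sys.argv[1] == "--apply" and sys.platform == "win32":
        apply_entry(*zonemap_entry("https://online.example-bank.test/", TRUSTED)[:3])
```

Run without arguments to see the three entries side by side; the https-only value on the bank's host is the same thing the "Require server verification (https:) for all sites in this zone" checkbox produces when you add the host by hand in the Trusted sites dialog.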
Understanding RISK Posted Jun-30-06 07:04:29 PDT

The Risk Potential: Research concerning scumware is published in print and on the Net continually - with findings that, depending on the criteria used, anywhere from 50 to 90 percent of all online computers are infected with at least one form of malware. Recent examples:
McAfee's published results from a quiz
Sophos's global network of monitoring stations
Symantec's latest Internet Security Threat Report
Webroot's latest Internet security report
If you think someone is out-to-get-you, you could very well be right. As previously mentioned, the number one cause of infection is currently sitting on the keyboard side of the screen... Sorry. Conversely, the best defense against any form of scumware is ALSO sitting on the keyboard side of the screen. Have you downloaded/installed any screensavers, smileys, free games, or song lyrics? Any file-sharing applications such as eDonkey, KaZaa, or BitTorrent? Have you shared any files online? Have you installed any toolbars or plugins into Internet Explorer? Opened any unexpected email attachments? Visited a site to view an eCard? Closed any popup window using a button found within the popup? Did you answer yes to any of these questions? If so, you are an average user; everyone does at least one of those activities... Unfortunately though, each activity is high risk and a possible source of trouble. Have you kept your operating system current with all critical patches? Are you running the latest patched version of your preferred browser? Are your alternative browsers the most recent versions? Do you understand the security zones in Internet Explorer? Are all your applications that have access to the Internet up-to-date? Are all of your security applications up-to-date? Do you use a bi-directional firewall that monitors all incoming and outgoing traffic? Have you disabled file transfers in IM (Instant Messaging) programs? Have you set Windows Explorer to show hidden files and folders, so that a parasite cannot hide simply by flagging its files hidden? Have you answered no to any of these questions? Each NO is a risk. Fortunately it is quite easy to reduce your risk potential...
The Platform Posted Jun-30-06 06:29:42 PDT

Keep Your Operating System Updated:
1. By now, you have run, at the very least, those parasite detection/removal applications previously discussed, as listed below...
2. You have immunized your computer using the functions found within Spybot - Search & Destroy AND SpywareBlaster.
3. You are running the monitoring system found within Spybot - Search & Destroy (after applying the patch), as well as using SpywareGuard or Windows Defender (depending on your OS).
4. You have closed the "preview pane" of your email client, checked with your ISP (Internet Service Provider) and activated, if available, anti-virus scanning at the INBOX level of your account... Then you installed anti-virus software on your machine that performs real-time scanning, on-demand scanning, email scanning, and has automatic updates, AS WELL AS installing an A-V application that you use exclusively for on-demand scans.
5. You have installed a bi-directional personal (software-based) firewall.
Those of you just stumbling on this post should start reading from the very BOTTOM of this blog. Now, you must visit Microsoft's Windows Update and bring your OS current with all "critical" updates... Even if you have Windows XP and have heard of problems installing Service Pack 2... The great majority of reported SP2 problems came from users installing it over a "dirty" system, usually one that had worms and trojans. Your machine is clean now, so it is imperative that it is brought up-to-date! It is also critical that you use the highest version of browser that your operating system can support. To repeat with emphasis: The previous posts may, to some, seem mind-numbingly long or complex. They are NOT... You are just treading into unknown territory... Keep a clear mind, DON'T PANIC, research if in doubt. You will reap enormous benefits running a clean machine... Spending 30 minutes a week maintaining a clean machine will likely save you an extremely frustrating weekend trying to repair the machine, could prevent monetary loss, will protect your privacy, etc. Good Luck!
The Third Leg Posted Jun-29-06 00:04:48 PDT

Firewalls: Regardless of whether you use dialup OR have a broadband connection, the use of a good bi-directional personal (software-based) firewall is essential... One that will monitor ALL incoming and outgoing traffic and query you for access permission when such traffic is detected. The firewall should also be capable of true "stealth" status (it silently drops unsolicited connection attempts instead of answering them, so a port scanner gets no reply at all, not even a "closed" response that confirms a machine is there). The firewall within Windows XP Service Pack 2 (SP2) can produce "stealth" results if your PC's services are properly configured; however, it does not monitor outbound traffic at all, so a trojan already on the machine can call home unchallenged. Even the firewall in Windows Vista will ship with outbound filtering turned off by default, because that is what enterprise customers have requested. It is important that you DO NOT have two personal (software-based) firewalls running on a machine at one time... Similar to not having two real-time anti-virus applications running together... In cases where multiple firewalls OR intrusion detectors OR anti-virus programs, etc., run simultaneously on the same PC, conflicts arise because the applications often compete to "own" the processes they're designed to monitor. You can, however, run a personal firewall on your computer while a "hardware" firewall runs in your network's router... What gets past the hardware firewall will likely be caught by the other; the router protects every machine behind it, while the personal firewall is the only one that can see which program on your PC is making the connection. First up is the highly regarded ZoneAlarm firewall... The FREE version could be described as the Ron Popeil
This time last year, the alternative to ZoneAlarm would have been the FREE "Sygate Personal Firewall"... Unfortunately, Symantec purchased the Sygate firewall about a year ago, then abruptly discontinued it on November 30, 2005. So, instead, consider Kerio:
As you likely noticed, neither of the above is compatible with Windows 95, 98, or ME... Microsoft support ended some time ago for Windows 95, and on July 11th, 2006 MS will publish the last critical updates for Windows 98, 98SE, and ME, thus ending their life-cycles. Since firewall protection is currently a must for any computer connected to the Internet, you could try searching the Net for older versions that will work on those operating systems... Try to find the latest version released just before the firewall company ended support for the system you use, and prefer the vendor's own download archive over a random mirror so that you are not installing a tampered copy. Try searching through the software at www.download.com. Good Luck!
2 Legs Turned Posted Jun-26-06 09:51:32 PDT

Anti-Virus software: By now your computer should be cleansed of all scumware, spyware, adware... AND immunized to keep it clean. However, a good Anti-Virus application is a necessity... As scumware and viruses are responsible for the great majority of the computing problems most users have. Another problem, especially for Windows ME and XP users, is that some viruses and other threats could be stored in backup files in those computers' "System Restore" utilities, where a scanner is not permitted to clean them, so the infection can come back when a restore point is used... In hindsight, this should have been mentioned earlier. Oh, well. For information about temporarily disabling the "System Restore" utility (turning it off purges the existing restore points; turn it back on once the machine is clean), visit this very concise McAfee instruction page. There are many excellent A-V programs that you can purchase, but keeping with the FREE theme here, the following are all highly recommended. ONE of the first two found below should be used as your real-time PRIMARY A-V program... They are FULL FEATURED with real-time scanning, on-demand scanning, email scanning, and automatic updates. The best of the lot:
Next for your inspection:
In addition to your main Anti-Virus application, it is advisable to use another A-V program that performs on-demand scans but has either been disabled from running in real-time OR real-time scanning is not an option... I use ClamWin as mentioned in an earlier post:
There are additional FREE (for personal use) Anti-Virus applications available on the Net... Your preferred search engine can likely find some good candidates for you... Just keep in mind that the primary A-V application you do install must have real-time scanning, on-demand scanning, email scanning, and automatic updates. Good Luck!

False Positive Posted Jun-25-06 12:52:51 PDT

A false positive: Earlier today I was downloading TaskSwitchXP. As the executable file was downloading, ClamWin popped up this warning: [screenshot] Since I was pretty confident that the source and file were "secure", I continued with the download then scanned with Grisoft's AVG: [screenshots] Then scanned with ewido (now part of Grisoft's offerings): [screenshots] Since both found nothing, I did a manual scan with ClamWin to review what it was detecting: [screenshots] Armed with the information the last ClamWin scan provided, I pulled up a Google Search Tool from the system tray and entered a select few "keywords": [screenshot] Which led me to these Google search results. Verdict: false positive. To be fair though, it must be openly declared that the signature/reference file within ClamWin was last updated twenty days ago... I neglect to check for updates since ClamWin only runs on this machine when the Firefox Download Manager is performing its task(s)... AND I do download ten to thirty items a day through the manager.

One Leg is Turned Posted Jun-25-06 09:39:59 PDT

Keeping Your System Clean: If you followed all the previous posts, you just built yourself a great toolkit... If you used the detection/removal tools in their most aggressive configuration and removed the confirmed threats, you should have a clean system in regards to scumware, malware, crimeware. If you immunized and hardened your machine, you should have no trouble keeping those threats away. You likely noticed that all the TOOLS were FREE to individuals for personal use...
Commercial users are expected to purchase license agreements, but there are still "trial" FULL FEATURE versions for you to explore before making a final commitment. Some may say, "I've got brand-X's software suite that does all this and more!" OR "I've already got brand-Y's removal tool and it works good because it is always finding spyware!" Software suites are fine... They surely are convenient... Unfortunately, the threats addressed in the previous posts cannot be fought with only one tool. No single security company adequately provides components within their suites to detect and remove everything... AND some security software becomes an actual target. If you have "brand-Y's removal tool", make sure it is not on this list: Rogue/Suspect Anti-Spyware Products (a tool that is "always finding spyware" is itself a warning sign). If you are certain your computer is clean and immunized, most future scans can be performed in "smart" or "simple" mode with the various tools... Only when you believe that your system may have gotten infected do you need to scan aggressively again. You need not scan daily... Whenever you do though, ALWAYS PERFORM AN UPDATE BEFORE EACH SCAN. The table found below gives a suggested scanning schedule, and if you wrested cookie control from fuddling software, the tools will likely find nothing that will alarm you... However, don't let those "clean" scans cause you to become too lax.
The tools CWShredder, HijackThis, and RootkitRevealer have specific purposes and should only be run when needed (click the update buttons before each use)... Similarly, SpywareGuard (which runs in the background) only needs to be checked for updates approximately every other month. Some may notice that the Windows hosts file has not been mentioned as a security feature. This is because I am not a big fan of using the "hosts" file to block Websites, because some network service providers will legitimately redirect URLs only to be caught in the blocked "hosts" file loopback
Good Luck!
Use With Care Posted Jun-25-06 08:19:01 PDT

Use with care: Recently, the media has been reporting a "new" threat: Rootkits. This all came to a boil because Sony BMG was caught automatically installing a rootkit from its copy-protected music CDs. Rootkits have existed on Unix/Linux systems for some time; the name comes from "root", the user with the highest possible level of access privileges... Similar to the "Administrator" privileges on Windows machines, giving unrestricted access to the operating system. Once started, the rootkit carries out the task it was designed for, hiding any trace of itself and the software it is meant to conceal from the OS, and therefore from everything that asks the OS what is running or stored on the disk, which includes your anti-virus and anti-spyware scanners. Rootkits in themselves are not dangerous, as their only purpose is to hide software... Unfortunately, by their very nature, they do present an indirect danger: whatever they hide, your security tools cannot see. Malware creators could use the basic functionality of a "known" rootkit installed on a computer to hide their own software... Because the rootkit would need to be "known", doing so would not be an easy task and would entail many variables. Not nearly as easy as attacking "known" vulnerabilities in Internet Explorer. However, it is possible that blended OR hybrid threats containing their own rootkit could easily infect machines, and the reality is that full protection against rootkits may require the use of multiple products. So, hesitantly, I point you to the FREE SysInternals RootkitRevealer. Keep in mind that it is a detector, not a cleaner: if it reports a hidden file or registry key you cannot account for, the only remedy you can fully trust is to back up your data and reinstall Windows from known-good media, because an OS that lies to its own tools cannot be trusted to report that it has been cleaned. Good Luck!
email and "spam" Posted Jun-24-06 15:13:39 PDT

Email Control: A few years back there was an article about two Grandmothers, one who made a living sending millions of "spam"
Therein lies part of the problem: the "spam" recipient had the "preview pane" of her email client open... Any email displaying, even for the split second it takes to delete it, can pose a threat to your privacy and allow active content within it to run. Any remotely hosted image that arrives within the email can confirm the email address: your client fetches the image from the sender's server the moment the message is displayed, and that request tells the sender that somebody read the message at your address. And active content could be a menace. That's why the "default" security in new email clients displays alert bars stating: "To protect your privacy, Thunderbird has blocked remote images in this message." OR "Some pictures have been blocked to help prevent the sender from identifying your computer." Further into the article, the "spam" recipient states: "When I first started getting the junky stuff," ... "I sent them back an e-mail saying, 'I don't want it.' It seems like the spam got worse." Exactly! Whether you viewed a remote image (or an "unseen" remotely hosted 1 x 1 pixel image), or clicked the link "Take me off your list", you just confirmed your email address... Confirmed addresses typically sell in blocks of a million at the going rate of 500 addresses per U.S. penny. Get "them" on eBay. Of course, the real money for those address sellers comes from "sucker lists" (those that have purchased an item or items via "spam")... Those sell in blocks of a million for typically two addresses per U.S. penny. "spam" would not be so troublesome if it was not a profitable advertising vehicle. Your aim should be to cut back on nuisance emails: If you are an Outlook/Outlook Express user, since a number of computer viruses make use of security vulnerabilities within those clients, infecting computers via email, to reduce the possibility of your computer being infected you MUST keep your operating system and your version of Internet Explorer up to date (Outlook Express uses Internet Explorer's engine to display HTML mail, so an IE flaw is an email flaw).
Similarly, those using other email clients must keep abreast of critical updates for their preferred programs. Nearly all ISPs (Internet Service Providers) offer virus protection on their servers where your remote INBOX is located... A majority of ISPs also offer "spam" filtering on those same servers... Make sure that both are activated for your INBOX(es) and familiarize yourself with their user interfaces so you can adjust "spam" settings. When registering at Websites for whatever reason, be vigilant about reviewing the email/newsletter OPT-IN/OPT-OUT checkboxes... If you left the box checked OR checked the box to receive email from the Website, it really is NOT "spam" when ads arrive in your inbox. Keep your email client's "preview pane" closed and DOUBLEclick, to open, only emails that you are certain are legitimate... Delete all others without opening. Avoid viewing remote images or allowing active content to run within the email. Do not click on the "Take me off your list" links in "spam" email that you do open... If it is indeed email you opted-in for (or failed to OPT-OUT of) then it is permissible to click the link. For single-instance communication and/or to protect your regular email address, use disposable email addresses.
The following is just a short list of FREE "disposable email address" providers (in no particular order)... Forwarders (all forwarders require advance registration): Throw-away email: For additional sources, check out this Google search: free disposable email address. If you are a user of "spam" reporting services like SpamCop, AVOID sending reports or forwarding FORWARDED DISPOSABLE EMAILS for diagnosis... Either machine-level interpretation or user reports can implicate the forwarding service as the source of the "spam"! For this very reason, I never forward the eBay phishing emails found in my forwarders' "trash" folder to spoof@ebay.com... I don't have confidence that eBay can interpret them correctly. To illustrate account handling, I'll use the "Spam & Virus Reports" that my ISP sends for three of my regular email addresses as examples: The following account is the one I use to register domain names... As such, the email address is displayed on the Registrar's Webpage for the domain information... Since those pages are often scraped by "spam" robots for valid email addresses, I've set a very high sensitivity level for the email filtering... Sensitive enough that I had to "whitelist" the Registrars' domains to receive their emails. [report screenshot] The second is the email address associated with this eBay account... Using various search methods I can find at least five instances of the "real" email address posted on the Internet... In addition, this is also the account that receives forwarded disposable emails (those "bounce" addresses are often posted on eBay boards, my "me" page, etc., so they are also easily harvested). [report screenshot] The last account below is the one I designate to receive emails/alerts/newsletters from online sources that I implicitly trust. [report screenshot] The emails tagged as "spam" above just disappear into the ether... I never receive them as they are deleted when they arrive at my ISP's INBOX.
Of the 346 emails that did arrive in my inbox, five were "spam" that the filters missed. The forwarding service also filters email and does not send along any that fail their low-sensitivity filter, placing the suspect communication into the Web-based account's "trash" folder (it does not forward eBay phishing emails - or any email with a forged header)... This coming month's "spam" report for the account that accepts the forwarded emails will likely show a lower level of infraction since I recently deleted numerous "disposable" addresses. If you are an eBay seller, where communication is absolutely important, you will need to investigate your ISP's "spam" filtering methods to ensure that your incoming email doesn't get improperly tagged OR deleted... You may need to inquire about their "blacklisted" sites, etc. Good Luck!
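To make the preview-pane point above, and the "Remove me from your mailing list" rule from the Stop! - Think! - Click! post, concrete: the Python script below is an added example for this blog (not the author's code, and not how Thunderbird, Outlook Express or any other client is actually implemented). It takes a constructed HTML message, lists every image the client would fetch from a remote server the moment the message is rendered, singles out the 1 x 1 pixel beacons and per-recipient tracking tokens, flags an unsubscribe link that would confirm the address when clicked, and produces the "remote images blocked" version of the HTML that the default settings show you instead. The message and the .test domains in it are made up for the example, and the token heuristic (a query parameter with a value of eight or more letters and digits) is an assumption, not a standard.

```python
"""What an HTML email gives away when it is merely displayed, and what a
client's "block remote images" default prevents.

Added example for this post; not the blog author's code and not any email
client's real implementation.  SAMPLE is constructed for the example and the
.test domains are fictitious.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

SAMPLE = b"""\
From: "Weekly Deals" <promo@example-offers.test>
To: victim@example.test
Subject: Your exclusive offer
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Great prices this week!</p>
<img src="https://img.example-offers.test/banner.gif" width="468" height="60">
<img src="https://track.example-offers.test/o.gif?u=8f3a9c21e7&amp;c=1182" width="1" height="1">
<img src="cid:logo@example-offers.test" width="80" height="40">
<p><a href="https://www.example-offers.test/buy">Buy now</a></p>
<p><a href="https://www.example-offers.test/unsub?u=8f3a9c21e7">Remove me from your mailing list</a></p>
</body></html>
"""

# Assumed heuristic: a query parameter whose value looks like a per-recipient id.
TOKEN_RE = re.compile(r"[?&][A-Za-z_]+=[A-Za-z0-9]{8,}")
# Matches the src="http(s)://..." attribute of an <img> tag.
REMOTE_IMG_RE = re.compile(r'(<img\b[^>]*\bsrc=")(https?://[^"]*)(")', re.I)


class _Collector(HTMLParser):
    """Gather <img> sources and <a href> targets together with their link text."""

    def __init__(self):
        super().__init__()
        self.images = []        # (src, width, height)
        self.links = []         # (href, text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_remote(url):
    """cid: and data: images travel inside the message; http(s) ones hit a server."""
    return url.lower().startswith(("http://", "https://"))


def analyse(raw):
    """Return what displaying or clicking this message would confirm to the sender."""
    report = {"remote_images": [], "beacons": [], "tracked_unsubscribe": []}
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return report                       # plain-text mail fetches nothing on display
    c = _Collector()
    c.feed(html_part.get_content())
    for src, width, height in c.images:
        if not is_remote(src):
            continue
        report["remote_images"].append(src)  # fetched the moment the message renders
        tiny = width in ("0", "1") or height in ("0", "1")
        if tiny or TOKEN_RE.search(src):
            report["beacons"].append(src)    # invisible, exists only to log the fetch
    for href, text in c.links:
        looks_like_optout = re.search(r"unsubscribe|remove|opt.?out", text + " " + href, re.I)
        if looks_like_optout and TOKEN_RE.search(href):
            report["tracked_unsubscribe"].append(href)   # one click says "address is live"
    return report


def block_remote_images(html):
    """The client-side default: strip every http(s) image source before rendering."""
    return REMOTE_IMG_RE.sub(r"\1\3", html)


if __name__ == "__main__":
    for key, urls in analyse(SAMPLE).items():
        print(f"{key}: {len(urls)}")
        for u in urls:
            print("   ", u)
```

Running it lists two remote images, of which the 1 x 1 o.gif with the u= token is the beacon, and one tracked unsubscribe link carrying the same token; the "Buy now" link and the embedded cid: logo are not flagged because neither confirms anything by itself. Note that the same u= value appears in the beacon and the unsubscribe link: the sender needs only one of the two to happen.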
Immunization Posted Jun-24-06 14:55:24 PDT Updated Jun-24-06 14:57:17 PDT

Immunize and Harden Your Machine: First, using Spybot Search & Destroy as part of the immunization and system monitoring: If you have downloaded and installed Spybot - S&D and you enabled TeaTimer found within, you may have encountered the bug where you cannot click the Allow/Deny buttons... The fix is a small patch found at: Spybot - S&D Safer Networking Forums. Once the zipped folder is downloaded to your preferred location, MAKE SURE THAT Spybot Search & Destroy is NOT OPEN... Then DOUBLEclick the zipped "patch" folder to open/unzip... TeaTimer, not to be confused with the "Resident" browser helper for Internet Explorer also found in Spybot - S&D, monitors system processes as they are called/initiated... When it detects a suspect malicious process wanting to start, it terminates it, giving you Allow/Deny - Allow Always - Deny Always options on how to deal with the process in the future. Additionally, when recently installed software wants to change some critical registry keys (the Run keys that start programs at logon, for example), TeaTimer will alert you with similar dialog boxes. If you are using Win2K SP4, WinXP SP2, or Win Server 2003 SP1, AND Microsoft's Windows Defender, it is not necessary to run Spybot's TeaTimer, though TT will alert you to more system changes than Windows Defender does... Both can run on a system at one time; you will just get duplicate alerts. Once you have determined whether you are going to run TeaTimer in the background and, if so, patched the file, start up a Spybot-S&D session... As with all security tools, always UPDATE and INSTALL the reference and detection files as the first order of business: [screenshot] Then start the immunization process: [screenshot]
Next, augment the immunization with SpywareBlaster:
Next, especially for those systems unable to run MS's Windows Defender, SpywareGuard is a must for system monitoring (it nearly mirrors every Windows Defender alert I've seen):
Good Luck!

One Changes Its Stripes
Posted Jun-24-06 09:16:59 PDT
In The News: You met an adware provider in a previous post. That adware maker plays a supporting role in Ben Edelman's revealing article, posted on his site June 22nd, 2006, demonstrating what can occur since most spyware-infected computers contain multiple spyware programs. When the spyware parasites interact, their ad networks are likely to show explicit popup images. Edelman explains in detail, including video and screenshots, the chain of events demonstrating how the explicit popups appear on your screen while visiting "normal" sites. Watching the video, our previously discussed purveyor of popups makes an appearance with full-page ads. That would explain those forum and chatboard posts you see on eBay about the "porno" popups eBay is serving. I can't point you to that Webpage; even though the explicit ads and video have been edited, they still may not be appropriate for viewing in some settings. If you do search out the site, pay particular attention to the ad networks involved. In other news, Claria Corporation... It's hard to determine if Claria's new venture, the "PersonalWeb", a service that generates a personalized Web portal on-the-fly, will be able to replace the $100,000,000.00 revenue stream that their adware product brought in. Of course, getting out of the adware business may substantially reduce the legal fees associated with the libel suits they often brought against anyone who dared refer to them as a spyware company.
Windows Defender
Posted Jun-19-06 15:51:03 PDT
Windows Defender: If you are using Windows 2K SP4 (Service Pack 4), Win XP SP2, or Win Server 2003 SP1, it is highly recommended that you download and install MicroSoft's Windows Defender BETA. Defender, previously known as "MicroSoft Anti-Spyware", is the latest reincarnation of the powerful Giant Anti-Spyware software that MicroSoft purchased late in 2004. It is very effective and appears to have the best protective capability of any of the FREE anti-spyware products out there. Its multiple real-time monitors provide excellent defense against nearly all current threats. There are reports that it may be a little vulnerable to polymorphic trojans in particular, and for this reason it is wise to periodically run the previously mentioned FREE ewido malware detector as part of your security monitoring. In addition to the minimum operating system recommendations above, your machine also needs 64MB of RAM (minimum) - 128MB RAM (recommended); 20MB of available hard-disk space; MicroSoft Internet Explorer 6.0 or later. Windows Defender HOME Good Luck!

Digging a Little Deeper
Posted Jun-17-06 15:51:35 PDT
Aggressive Tools: Anti-virus and anti-spyware programs do not detect ALL threats, often missing some trojans and Remote Administration Tools (RATs)... You will need software that specializes in the removal of those types of malware. Both of the anti-trojan applications found below are FULL-FEATURED "trial" versions... After the trial period ends, the real-time protection within the software is disabled, but it can still be run manually as a very useful scanner. High-risk users (P2P file sharing, game cheat sites, warez sites) should consider the added security found in the full versions once the trial periods have ended. Both programs can produce "false positives" (depending on your point-of-view)...
For example, if you have BitTorrent installed and have paired BT with another application like Azureus OR have built some torrents, they may flag BitTorrent as malware based upon heuristic analysis... If it quacks like a duck it's a duck. Don't panic, but ask yourself, are you 100 percent positive that your file-sharing application(s) came from a "trusted" source, are you 100 percent certain that some plugin or module that you added did not corrupt the software? You do not have to jump right in and start removing items flagged as malware... Take some time to go through the list of recommendations and make your own decisions. Just like adware/spyware detection/removal tools, tracking cookies and Web-bugs are going to be flagged... It is strongly recommended that you create your own cookie policy as outlined IN THIS POST. First up is ewido:
Next up is a-squared, especially useful to those still using Windows 98 and WinME:
For most PC users the trial version is sufficient to regain control of an infected machine... Once the trial period ends and the application disables advanced functionality and becomes a scanner only, IT IS STILL AN ESSENTIAL TOOL TO KEEP... Continue to periodically update the reference files and perform scans... When you then encounter a threat that other detection/removal software is having a problem removing, you can use the scan results to find appropriate help/instructions to manually remove the pest. For those systems that meet the operating system requirements, you could install and run one application until the "trial" period expires, then install and run the other application, giving you 44 days of full protection. Good Luck!
Spyware Adware Removal Continued...
Posted Jun-16-06 06:41:38 PDT Updated Jun-17-06 10:34:49 PDT
Specialized Tools: On Tuesday, the 13th, MicroSoft issued a "dirty dozen" of patches for 21 flaws in its software, admitting that ALL but two of them could let an intruder run malicious code on a compromised computer.
Back to the topic - the number of malicious Websites that use Windows vulnerabilities to infect unsuspecting visitors with drive-by downloads OR trick them into accepting dubious software is increasing... Most of those sites exploit the very flaws for which MicroSoft has already provided a patch. Websense discovered a $15.00 hacking tool... This first specialized tool addresses one of the parasites that your machine can contract if it has not received the MS03-011 patch... CoolWebSearch (CWS) is a particularly nasty browser hijacker that redirects your browser to "coolwebsearch" affiliated sites. There are at least 59 known variants, all of which infect your PC in various ways, including through the ByteVerify trojan in the Java virtual machine and unpatched Internet Explorer HTML Help file systems. This hijacker is also notoriously difficult to remove, and some of the variants are known to shut down parasite detection/removal software so that it cannot be removed. If you find that when typing in your Web-browser the text is slow to appear, the browser page scrolls slowly [3], you experience redirects when trying to access search engines or certain Webpages, you encounter unexpected popups, and porn bookmarks have been added to your favorites, then it is possible your computer is infected with a variant of the CoolWebSearch Hijacker. It is known only to affect Internet Explorer, so those who are using Firefox or Opera should not be bothered by this pest. It is always advisable to use parasite detection/removal tools such as Ad-Aware and Spybot - Search & Destroy first... Should your detection/removal tools automatically close when performing a scan or fail to remove troublesome items, then CoolWebSearch could be the source of your problem and CWShredder may be the cure.
This next tool is NOT for the novice to use without the guidance of those experienced in malware removal... HOWEVER, it is an essential tool. If you are having difficulties removing a parasite and visit an Internet security forum for assistance or advice, nearly all of them will insist that you download and run HijackThis... Though it gives the user the ability to remove pests, most forums rely heavily on its detailed scan reports... Forum members may see something that your detection/removal software is missing. Since HijackThis is a no-install executable (it runs from a temp folder) and has the ability to delete pests, it is important that you place it in a folder of its own... This will allow scan logs and backups to be archived rather than disappear when you close the program.
Cutting Back on the Calories
Posted Jun-13-06 07:53:55 PDT
Beacons - Bugs - Trackers: Time and again you will find in an eBay forum or chatroom a member complaining that eBay implants tracking cookies, Web-bugs, Web-beacons and the like into the browser. The post usually goes something like this: "I run my spy remover 3 times a day AND I HAVE ONLY VISITED EBAY and the remover has found hundreds of cookies and bugs that come from spy sites each time. HOW CAN EBAY BE ALLOWED TO DO THIS!!! This is dishonest - they are selling my private information - I'M NEVER COMING BACK!!!" First, let's look at those "spy" cookies... If the poster believes these to be threats, why does s/he allow the browser to accept them? Tracking cookies are found everywhere... Most Websites, most Webpages... They are, for the most part, benign... There is nothing special about them... They contain no more information than what you have willingly provided or that your browser sends. Sure, if your browser contains 80 tracking cookies from the same data-mining domain, the "spy" site could aggregate the data and profile you - so, in some cases, there are definite privacy concerns. The commonality is that these "spy" cookies are all third-party content found on the site you were visiting... Have you ever really visited doubleclick.net or mediaplex.com with your browser? Likely not - so the cookie was placed remotely while visiting another site. Yes, there is that possibility that you have visited doubleclick.net to OPT-OUT of their cookies... That's quite a concept - have a DoubleClick cookie installed to inform the DoubleClick servers that you don't want to accept cookies from them... How much information does your browser send when the OPT-OUT cookie is read? DoubleClick is merely an example of the infrastructure providers that can create and read cookies across sites that network with their services... They can track your movements, log your page views, catalogue your search queries, etc...
If it is their intent, they can compile your browsing habits into a very rich profile. AND there are hundreds of similar network providers that can/could do the same... But the majority of tracking cookies are anonymous. The source of the problem, the cause of confusion, hence the grounds of unwarranted frustration, is the slider cookie policy most people employ in Internet Explorer's "Privacy" settings... The varying slider levels will set your preferences according to doctrine found within the "Platform for Privacy Preferences" (P3P). Needlessly confusing! AND P3P relies on "truthful" privacy statements and summaries... P3P doesn't vet them, it accepts them as fact. Internet Explorer has an obsessive trait of caching every cookie it accepts... I've seen IE "Temporary Internet Files" folders with over 17,000 cookie entries... I've heard of instances where the counts exceeded 100,000. What are the chances that even a small minority of those sites will ever be encountered again during normal browsing activities? On some sites cookies perform a useful function - chiefly, they allow you to customize the page view/format according to your personal preferences - they allow you to quickly login to site functions and/or display the functions you prefer - they help you keep track of a thread or discussion - etc. But of those thousands of sites that you have visited, how many can be customized or require a login? Caching cookies for sites you will never visit again or accepting data-mining/tracking cookies even though they cause you concern is silly. Instruct your browser to responsibly handle cookies. It is really that simple! Internet Explorer 6 provides the tool... As it has done so for over five years... In the same location it has always been... Sitting right under that useless slider.
Before performing the task below, you should seriously consider deleting all your stored cookies and starting afresh, OR, at the very least, deleting the third-party cookies that have built up over time... After using the IE tool, any existing cookies left in your computer can still be read by the Websites that created them even if you specifically block those cookies in the Advanced Privacy Settings dialog box.
You have just executed your personal privacy policy... IE will accept all session-only first-party cookies (those originating from the site you are visiting)... IE will block all third-party cookies (those that are often referred to as "spy" cookies)... IE will accept and store, until their expiration date, all cookies from those sites that you specified as "Allow" in the "Per Site Privacy Actions" dialog box... When exiting your IE browser session, ALL session cookies will be flushed. Virtually identical settings can be accomplished in your Firefox browser.
If you performed the above task and you have cookie management software on your machine, UNinstall it... Similarly, if your Internet security application(s) manage cookies, disable that feature... They are no longer needed because you are in control, you know how to add sites if you want cookies stored, you have likely figured out that you can remove an "allowed" site if desired, etc. So gain back some of your system resources by removing/disabling fuddling software. Now on to Web-bugs and Web-beacons... For the vast majority, let's say 99.8 percent, these pests are also benign. More often than not they are simply unseen counters. They are no different than any other embedded image found on a page except that they are minuscule in size, often clear, and act no differently than a visible counter... The browser will send no more information to the server hosting the bug/beacon image than it sends to any server when requesting any image. Sure, they can implant a cookie, as any image server can, but you now have that under control. There is that troubling two-tenths of a percent that can cause trouble... A Webpage could host a 1 X 1 pixel IFrame that could remotely download, install, and run malicious code... Lastly, it must be noted that an exchange of information between your browser and a server happens with every link you have ever clicked or will click... The exchange happens with every image you've seen or not seen on a Webpage. It happens with all content found on a page... It's how the Internet works. Unfortunately some security vendors, even those highly regarded, will alarm you with a list of largely overblown dangers that you have encountered while Web-browsing... The eBay poster's complaint would be valid if his "spy" remover had detected "180Solutions SearchAssistant", or "BonziBuddy", or "PrivateNet", or any similar real threat and s/he was convinced the infection came through eBay.
Any highly regarded detection/removal tool should avoid needlessly alarming you about imaginary or easily blocked minor threats... PLUS, and this is important, regardless of the browser you are using, IT IS YOUR BROWSER... They all have tools within to keep it your browser... If you don't want your browser to accept anything that makes you uncomfortable, use the tools available that will set your browsing preferences. Detection/removal tools are basically after-the-fact applications... If you think you have accidentally infected your machine, update the detection/removal tool and run it; otherwise, running it any more often than once a week is not necessary.
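To make the cookie policy described above concrete, here is an added example (not from the original post, and not IE's own code) that models the stated rules in Python: first-party session cookies accepted, third-party cookies blocked, persistent cookies stored only for sites on the per-site "Allow" list, and every session cookie flushed at exit. The domain comparison uses the last two labels of a hostname as a stand-in for a public-suffix list, an assumption that is good enough for the constructed sample hosts.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    """One cookie as the browser sees it in a Set-Cookie header."""
    name: str
    domain: str        # host (or Domain= attribute) the cookie belongs to
    persistent: bool   # True when Expires/Max-Age is present, else session-only


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (ad.doubleclick.net -> doubleclick.net).
    Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_third_party(page_url: str, cookie: Cookie) -> bool:
    """A cookie is third-party when its site differs from the site of the page being viewed."""
    page_host = urlsplit(page_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(cookie.domain)


def decide(page_url: str, cookie: Cookie, allow_sites: frozenset,
           block_sites: frozenset = frozenset()) -> str:
    """Apply the policy from the post. Returns 'store' (kept until expiry),
    'session' (kept until the browser exits) or 'block' (never accepted)."""
    site = registrable_domain(cookie.domain)
    if site in block_sites:                  # per-site "Block" wins over everything
        return "block"
    if site in allow_sites:                  # per-site "Allow": persistent ones stored until expiry
        return "store" if cookie.persistent else "session"
    if is_third_party(page_url, cookie):     # the "spy" cookies: blocked outright
        return "block"
    if cookie.persistent:                    # first-party but persistent: not accepted
        return "block"
    return "session"                         # first-party session cookie: accepted, flushed at exit


def cookie_jar_after_exit(page_url: str, cookies, allow_sites: frozenset) -> list:
    """Names of the cookies that survive closing the browser: only the 'store' decisions."""
    return [c.name for c in cookies if decide(page_url, c, allow_sites) == "store"]


# Constructed sample: an eBay item page that embeds third-party ad images.
PAGE = "http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem"
SAMPLE_COOKIES = [
    Cookie("s", "cgi.ebay.com", persistent=False),          # first-party session cookie
    Cookie("nonsession", "ebay.com", persistent=True),      # first-party persistent cookie
    Cookie("id", "ad.doubleclick.net", persistent=True),    # third-party tracker
    Cookie("mojo", "mediaplex.com", persistent=True),       # third-party tracker
]

if __name__ == "__main__":
    allow = frozenset({"ebay.com"})   # site added through "Per Site Privacy Actions"
    for c in SAMPLE_COOKIES:
        print(f"{c.name:12} from {c.domain:20} -> {decide(PAGE, c, allow)}")
    print("survive exit, ebay.com allowed:", cookie_jar_after_exit(PAGE, SAMPLE_COOKIES, allow))
    print("survive exit, no Allow list:   ", cookie_jar_after_exit(PAGE, SAMPLE_COOKIES, frozenset()))
```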
Getting Started
Posted Jun-12-06 08:11:38 PDT Updated Jun-12-06 08:13:05 PDT
The Basic Tools: You need two tools to start off with - Lavasoft's Ad-Aware and Safer-Networking's Spybot - Search & Destroy. It might sound stupid, but if these tools find malware on your machine, the first thing to do is: Don't panic and don't start deleting files. If you are already a user of these tools and find it necessary to run system scans with them on a daily basis because your computer gets infested quickly, something is amiss... There is a chance that you are misinterpreting the risk, or you are not aware that the number one cause of infection is currently sitting on the keyboard side of the screen... Sorry, but it is the truth. Conversely, the best defense against any form of scumware is ALSO sitting on the keyboard side of the screen. First pick up Ad-Aware.
Next up is Spybot - Search & Destroy... If confronted with a long list of malware, this may bear repeating: Don't panic and don't start deleting files. Numerous times I have seen on eBay's "Discussion" threads and "Chatboards" posts similar to: "I downloaded SPYBOT and IT REMOVED my Ebay toolbar. I COULD NOT GET IT BACK. I uninstalled the spybot AND I STILL CAN'T GET THE TOOLBAR BACK. Why did the spybot do that? What's wrong with the toolbar? Why can't I get it back? Spybot is NO GOOD IT RUINS YOUR PC IT'S BAD AND RUINED MINE." Well, first off, the eBay member should have reviewed the list of suggested items slated for removal after the scan... S/he had the option to remove eBay's toolbar from the list and the ability to instruct Spybot to ignore the toolbar on any subsequent scans. After all, it is your computer. The second problem was UNINSTALLING Spybot... Spybot, performing as it should, set a kill-bit in the registry so that the eBay toolbar could not sneak back onto the system... Had the member simply gone back into Spybot and opened the quarantine file, s/he could have restored the toolbar back into place. Uninstalling Spybot left the kill-bit in the registry, so even with Spybot gone, the toolbar still cannot (re)install. With any luck, those members who did as posted above did not delete the system folder for Spybot... If the folder was left in place, simply reinstall Spybot and use Spybot's recovery manager to return the eBay toolbar. I myself do not understand the fascination with the eBay toolbar... Though I must confess, I've never installed it NOR have I ever seen it installed on any other machine. Since I do sometimes have a lapse of good judgement, there is someone who stands directly behind me AND his sole purpose is to dummy-slap me back into reality should it ever appear that I may click the install link for the eBay toolbar. That said, get Spybot.
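The kill-bit mentioned above is a real Internet Explorer mechanism: a "Compatibility Flags" DWORD with bit 0x400 set under the "ActiveX Compatibility" registry key for a control's CLSID tells IE never to load that control, no matter what gets reinstalled. The Python below is an added example, not Spybot's code, that reads a `reg export` of that key (the sample text is constructed, with placeholder CLSIDs) and lists which controls are still kill-bitted, which is how you would confirm what a tool left behind after it was uninstalled.

```python
import re

# Bit 0x400 of "Compatibility Flags" is the kill bit: IE refuses to load the control.
KILL_BIT = 0x400
KEY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
              "ActiveX Compatibility\\")

# Constructed sample of what `reg export` writes for that key; the CLSIDs are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000401
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_reg_dwords(text: str) -> dict:
    """Map each key path in a .reg export to its DWORD values ({name: int}).
    Only dword: values are kept; strings and binary blobs are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def kill_bitted_clsids(text: str) -> list:
    """CLSIDs under the ActiveX Compatibility key whose Compatibility Flags has the kill bit set."""
    found = []
    for key, values in parse_reg_dwords(text).items():
        if not key.startswith(KEY_PREFIX):
            continue                       # the parent key itself, or an unrelated key
        clsid = key[len(KEY_PREFIX):]
        if values.get("Compatibility Flags", 0) & KILL_BIT:
            found.append(clsid)
    return found


if __name__ == "__main__":
    for clsid in kill_bitted_clsids(SAMPLE_REG):
        print("kill bit set for", clsid)
```

A real export from `reg export` is written as UTF-16 text, so read the file with encoding="utf-16" before passing it to kill_bitted_clsids.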
Good Luck!

Is it Still Paranoia if Someone is Really Out To Get You?
Posted Jun-11-06 09:36:47 PDT
The Threats: You met a typical adware company in the previous post (remember, with Blogs, the most recent post is at the top of the page and the earliest is at the bottom)... Adware... Some people confuse a parasite with a virus... Though both can cause system problems, crashes, etc., there is a big distinction between the two... Viruses seek to spread, parasites embed - A virus propagates and once it has done so, it will deliver its payload, and being intentionally destructive by nature, it will kill the host... A virus infects your computer in essence to replicate and ultimately to infect as many other computers as possible, as quickly as possible. Once established, a virus will use most anything it can find on your machine to infect other machines: your email client's address book, your IM buddy list, shared documents, FTP applications, any services or programs on your computer that communicate with other computers. A parasite needs the host to live, though its residency will often weaken the host considerably, BUT a non-functional computer has NO revenue potential. Then there is crimeware... It's just what it sounds like, criminal activity... It's just moved from the dark shadows and back alleys to the information superhighway, heading right to your IP address. Though crimeware can use parasites or viruses or any blended threat, it increasingly uses sophisticated malicious programs such as - Worms... Whether the crimeware's purpose is to serve pornography to the Internet via your machine, relay or create and send "spam" or "phishing" emails, perform denial of service attacks on other computers or systems, steal login information, steal your credit card numbers or personal information including financial documents, etc. is entirely up to the creator... It comes in many forms and will stealthily take control of your computer.
Your responsibility is to make sure that your computer is 100 percent clean... It's not a faith-based option, you must be 100 percent certain... The next posts will discuss FREE, highly regarded tools and the instructions for their use. Good Luck!

Adware's "Dirty Little Secret"
Posted Jun-10-06 15:11:18 PDT Updated Jun-11-06 09:29:18 PDT
In The News: Earlier I was reading a few of the recent articles... Both companies have been accused by security analysts and privacy advocates of installing on users' PCs without permission, hijacking computer and browser settings, spawning unwelcome popups, and making it difficult to uninstall their software. Both often pass the blame onto "rogue" affiliates and/or unscrupulous software bundlers. This practice is not a rare thing and sometimes it is hard to pin down exactly who is at fault. Reading through a few of the articles found in the Google News search, one bit of information stands out... 180Solutions claims that with the Hotbar merger, they will have a base of more than 30 million users and 150,000 new installs each day. As is typical with most advertising vehicles, the advertisers buy keywords from 180Solutions so that computers that had n-CASE installed are steered to their sites when those keywords are used in searches. The advertisers pay for the keywords one of two ways... "X" amount for each visit to the advertiser's "Home" page OR a commission on sales to customers who visited the site via n-CASE. The larger advertisers, like eBay and Dell, would typically pay only when an n-CASE user made a purchase. Unfortunately, it is an advertising model that works... The companies that use these vehicles to advertise, the ad-brokers they hire to place ads, the affiliates that contract with the companies and adware makers, etc., all are aware that adware yields more clicks and sales than traditional banners and on-site popups. Quite simply, it's about the money.
The diagram below somewhat illustrates the flow, though not entirely, since the "rogue" affiliates often hide their tracks through numerous accounts redirected through various commission tracking sites. As illustrated, a Company/Corporation (The Advertiser) develops an affiliate program to drive traffic to the site. The Advertiser contracts directly with Ad-Networks and Adware Makers. The Advertiser contracts with an Ad-Broker... Ad-Brokers develop an ad strategy that deals with both Ad-Networks and Adware Makers. The Advertiser's affiliates contract with sites to place Company/Corporation ads... The Advertiser's affiliates use Ad-Networks and Adware Makers... Some of The Advertiser's affiliates contract exclusively with Adware Makers. The Adware Makers need to get onto as many machines as possible, so they: Work with Bundlers to include the adware application in otherwise useful programs... Use their own Affiliate Program to promote their adware application. The Affiliates are supposed to follow The Advertisers' and Adware Makers' rules... The Rogue Affiliates don't - they use browser exploits or deception to get the application loaded onto a machine. When encountering these applications it should all be about disclosure... Some Adware Makers fully describe what their application does - some don't OR use confusing language in their EULAs... Some Bundlers disclose all information about the bundled applications - some don't OR use confusing language. Rogue Affiliates couldn't care less. As mentioned above, IT'S ABOUT MONEY: The moment the adware is downloaded to your machine the Bundlers and Affiliates start making money... The moment someone clicks on an adware popup the Adware Maker makes money... The moment someone purchases an item via adware everyone makes money.
Many advertisers and adware makers will claim that they are/were not aware that their ads/applications are/were being silently installed on unsuspecting users... For more information about Adware's "Dirty Little Secret", read the report by the Center for Democracy and Technology, How Advertising Dollars Encourage Nuisance and Harmful Adware (PDF).