Twitter Viruses, Scams and Attacks - How to Protect Yourself

By Daniel Armao, Security Advisor (Guest blogger)

 

Last weekend, Twitter users were the target of a “Best Video” scam in which they were tricked into clicking a link and sent to a website designed to download malware using an Adobe Acrobat PDF exploit. The malware installed was the scareware software called System Security. System Security is a fake antivirus product that is designed to trick the user into buying it by using scare tactics such as fake scanning results.

 

A week before that, Twitter users were affected by a phishing attempt called “Twittercut.” If a Twitter user clicked on the link the user was then redirected to a phishing website that asked for their username and password.

 

The increased popularity of social networking sites such as Twitter and Facebook has unfortunately led to an increase in social engineering attacks. Most importantly, these attacks are used to gain financial information, obtain a large number of credentials and leverage e-mail services for spamming activities.

 

So, don’t be fooled. Let’s talk about the most common ways users are fooled on social networking sites.

 

-         Links can lead you to malicious material such as hidden drive-by downloads that attempt to silently install software onto your computer without you doing anything or knowing about it.

 

-         Links can also lead you to a phishing site designed by scammers to trick a user into revealing confidential information such as account passwords for banking or social networking sites.

-         There are downloads that seem perfectly safe, such as a video, screensaver (screensavers are the most notorious) or some even offer to give you security protection, but they are actually malware. 

 

-         A link from a friend might not be safe either.  Your friend’s computer could have been infected and now is part of a botnet being used to send malware and dangerous links. 

 

-         Tweeters often use URL shortening services such as tinyurl.com to obtain a shorter URL that fits within the 140-character restriction.  This means you don’t know what site you are really going to until you are there.

How to protect yourself:

-         Do not click on suspicious links.

-         Be smart about what links to trust or not:

·         Confirm the link.  Hover your mouse over the link to see at the bottom of your browser window where it really goes – the text might say “Wells Fargo Bank” but the link might go somewhere else entirely (for example, the link looks like Google, but it’s not).

 

·         Make sure the URL is correct on the address bar of the browser. The safest thing to do if you are not sure is to type the correct website address manually. Be extra cautious if you receive the link via e-mail.

 

·         Do not download or install any software, not even codecs for viewing videos, from an untrusted site.

 

-         Last but not least, get protection for your computer and for your web browser.  These are two different things. 

 

·         ZoneAlarm ForceField provides a protective layer around your browser, shielding you from drive-by downloads, browser exploits and phishing attempts.

 

·         ZoneAlarm Extreme Security combines computer security and browser security into one.

 

-         If you are infected with malware, change your passwords immediately and download and scan your computer with a top security suite.  Always verify that the security you would like to download is legitimate by going to PC Magazine or other computer publications (if it is not well known or reviewed by a noted security publication, don’t get it.)
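The "confirm the link" advice and the URL-shortener problem described above can be checked mechanically. The following is an added example, not part of the original post: it lists every link in an HTML message with the host it really points to, and flags links whose visible text names a different domain or whose target is a shortener. The sample HTML, the `example.*` hosts and the flag names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Shortener named on the page; extend the set with others you encounter.
SHORTENERS = {"tinyurl.com"}

# Finds things that look like domain names inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host the browser would contact, or '' for relative/unparseable links."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def same_site(shown, host):
    """True if host is the shown domain or one of its subdomains."""
    host = strip_www(host)
    return host == shown or host.endswith("." + shown)


def audit_links(html, shorteners=SHORTENERS):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    report = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue  # relative link: stays on the current site
        flags = []
        if strip_www(host) in shorteners:
            flags.append("shortened-url")  # real destination is hidden
        shown = [strip_www(d.lower()) for d in DOMAIN_RE.findall(text)]
        if not shown:
            flags.append("no-domain-in-text")  # read the host yourself
        elif not any(same_site(d, host) for d in shown):
            flags.append("text-host-mismatch")  # text says one site, link goes to another
        report.append({"text": text, "host": host, "flags": flags})
    return report


# Constructed sample message; none of these links come from a real campaign.
SAMPLE_HTML = """
<p><a href="http://google.com.example.net/login">www.google.com</a></p>
<p><a href="https://mail.google.com/">google.com</a></p>
<p><a href="http://tinyurl.com/abc123">Best Video</a></p>
<p><a href="http://login.example.org/">Wells Fargo Bank</a></p>
<p><a href="/about">About</a></p>
"""

if __name__ == "__main__":
    for entry in audit_links(SAMPLE_HTML):
        print(f'{entry["text"]!r:22} -> {entry["host"]:26} {entry["flags"]}')
```

A link flagged `no-domain-in-text` is not necessarily bad; the text simply gives nothing to compare against, so the printed host is what you have to judge.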

 

Enjoy the web, do what you want to do.  Just be smart about it and get the protection you need or your fun might come to a quick halt.

 

ForceField and Gumblar Step Into the Ring…

By Jordy Berson, group product manager, ZoneAlarm products

We just got the results in from our malware testing team. We don’t like to claim victory early, even when we are fairly certain of a win. But now we know (Technical details are in the last paragraph for the “just the facts” folks).

“Are you ready to ruuumble??”

To be sure, it wasn’t the best fight. ForceField won. Easily. There wasn’t even any contact. It made for a snoozer of a fight. But a snoozer is exactly what you want when your identity and security are at risk.

 

Here’s how it went down:

The victim user went to one of many possible sites. So far, more than 3,000 Web sites have been attacked including a popular entertainment site and sports site. The second the victim arrived on the infected site, Gumblar was waiting. And not for a fair fight. 

 

When you cannot even see the enemy, what chance do you have? 

Far from facing its victims, Gumblar sneaks right past you, through a vulnerability in your computer software. Normally, the fight would end here. Gumblar would find a quiet place on your computer and take over. He could then do any number of things as these types of threats do. He could spy on you, watch what sites you go to, record everything you type, open doors to let some of his friends onto your computer, and use *your* computer to attack other computers!

 

But not this time

The enemy Gumblar faced was ForceField. Not brawny, but definitely wise and clever, ForceField saw right through that invisible cloak and instantly knew Gumblar was an uninvited guest. So when Gumblar snuck onto the victim computer, ForceField did a classic sneak attack of its own.  Gumblar ended up on the victim computer, sure enough, but landed straight in jail. Here, Gumblar was completely isolated from the rest of the computer and was unable to do anything at all. This maneuvering on ForceField’s part was done automatically – you as a user had to do nothing to protect yourself. 

 

So were you a victim or not?

·         First of all, it is more likely you did NOT hit a Gumblar-infected site than you did**.  So take a breath and read on.

 

·         People using ZoneAlarm ForceField as a trial or who own ZoneAlarm ForceField are protected.  Right on!

 

·         People using ZoneAlarm Extreme Security get the protection of ForceField as well. But in ZoneAlarm Extreme, you have to activate the virtualization protection as it’s off by default.  Go to the Browser Security panel of ZoneAlarm Extreme, click the Settings button, and make sure there’s a checkbox next to “Enable Virtualization.” 

 

·         If you are running ZoneAlarm anti-virus: ZoneAlarm anti-virus signatures have been updated to offer an additional layer of automatic protection against Gumblar.

 

·         If you weren’t running ForceField virtualization, see my previous blog “Gumblar – Not a new Parker Brothers game” for details on how to know if you’ve been infected.

 

**The likelihood of falling victim to a single attack is low. But because there are so many attacks out there, the likelihood you’ll hit one eventually is much greater. So protect yourself!  Even if you don’t run ForceField, at least make sure all the software on your computer is always up-to-date!

 

Gumblar versus ForceField: Just the facts

·         We were able to locate an actual Gumblar attack and test ForceField against it. ForceField successfully defended the computer against Gumblar.  

 

·         ForceField used virtualization to redirect the automatic, hidden drive-by download so it could not run on the victim computer. It also used heuristics to label the host site as suspicious and warn the user not to download anything from the site or enter personal information into the site (this was done in case Gumblar had a social engineering component to its attack in addition to the drive-by download attack, which in this case it did not).

 

·         Based on this successful test, it is very likely ForceField protects from other variants of Gumblar (though it is the nature of this quickly-evolving business that nobody can ever be 100% certain).

 

·         ZoneAlarm anti-virus signatures have also been updated to offer an additional layer of automatic protection against Gumblar.

 

·         As always, users should ensure they have the latest version of their browser, operating system, Adobe software, and all other software including security software.

 

Test conditions we used:

1. IE v. 7.0.5730.11

2. Adobe Reader v. 9.0.0

3. ForceField v. 1.3.153.0

 

 

Gumblar - Not a New Parker Brothers Game

By Jordy Berson, group product manager, ZoneAlarm products

 

Gumblar!! 

Is it an outrageously fun new board game that combines Jenga and Cranium to test your right brain, left brain and "Parkinson's-proneness" all at once? No. But this fun-sounding little guy could test your computer security, your identity theft protection and your ability to reformat your computer. And it could definitely bring outrage!

 

Gumblar is another multi-faceted, everywhere-you-want-to-be online, ninja-quiet Web site attack that can wreak havoc on your life. It begins in what seems to be one or a combination of Russian, Latvian and Chinese kitchens where it is then embedded into vulnerable Web sites.  Which Web sites? So far, ones you've probably never heard of.  But if we know anything about such attacks, we know any Web site can fall victim. Google, Yahoo, and the Miami Dolphins are just a sampling of sites that have been compromised by other attacks. (So yes, it can happen to you.)

 

So...what's the big deal? 

Well, news says (CNET by Elinor Mills, CBR by Kevin White, plenty more) Gumblar sneaks onto your PC when you visit a Web site, injects itself into your browser and intercepts traffic between you and the Web sites you visit.  That means anything you type is seen (unless it's encrypted, which most reputable bank and shop sites are).  But it can also redirect you to malicious Web sites that look like real Web sites, which can download more malicious code to your PC. The net net?  Play with Gumblar and you can lose your identity, unwittingly attack other computers, definitely lose money and maybe lose your mind! (“Mom, Gumblar won't stop hitting me!”)  


Seemingly contrary to its spunky, extroverted name, Gumblar won't announce itself when it hits your computer. So you've got to go digging.  The CNET friends give this advice (as reported by Elinor Mills):

To find out if a computer is infected:

1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);

2) Obtain the SHA1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;

3) Compare the obtained SHA1 to the list located on the ScanSafe STAT Blog;

4) If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.
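The four steps above can be scripted. This is an added example, not code from CNET, ScanSafe or ZoneAlarm: it computes the SHA1 and size of a file and tests the pair against a reference list. The `sha1 size` line layout of the reference list is an assumption, and the demo uses constructed stand-in files because the real reference values are not reproduced on this page.

```python
import hashlib
import os
import tempfile

# Default location given in step 1 for Windows XP.
DEFAULT_PATH = r"C:\Windows\System32\sqlsodbc.chm"


def sha1_and_size(path, chunk_size=65536):
    """Return (sha1_hex, size_in_bytes), reading the file in chunks."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def parse_reference_list(text):
    """Parse 'sha1 size' lines (assumed layout) into a set of pairs.

    Blank lines and '#' comments are ignored; malformed lines raise
    ValueError so a damaged list is never silently treated as empty.
    """
    pairs = set()
    for number, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or len(fields[0]) != 40:
            raise ValueError(f"line {number}: expected '<sha1> <size>'")
        int(fields[0], 16)  # raises ValueError if not hexadecimal
        pairs.add((fields[0].lower(), int(fields[1])))
    return pairs


def check_chm(path, known_good):
    """Steps 2-4: hash the file and look for its (sha1, size) pair."""
    if not os.path.isfile(path):
        # The steps above do not cover a missing file; report it separately.
        return {"status": "not-found", "sha1": None, "size": None}
    sha1, size = sha1_and_size(path)
    # Both values must match the same reference entry, as step 4 requires.
    status = "match" if (sha1, size) in known_good else "no-match"
    return {"status": status, "sha1": sha1, "size": size}


def run_demo():
    """Exercise the check on constructed files (not real sqlsodbc.chm data)."""
    clean_bytes = b"constructed stand-in for a clean sqlsodbc.chm\n" * 100
    tampered_bytes = b"X" + clean_bytes[1:]  # same size, different content
    with tempfile.TemporaryDirectory() as folder:
        clean = os.path.join(folder, "clean.chm")
        tampered = os.path.join(folder, "tampered.chm")
        for path, data in ((clean, clean_bytes), (tampered, tampered_bytes)):
            with open(path, "wb") as handle:
                handle.write(data)
        sha1, size = sha1_and_size(clean)
        reference_text = f"# constructed reference list\n{sha1} {size}\n"
        known_good = parse_reference_list(reference_text)
        return {
            "clean": check_chm(clean, known_good),
            "tampered": check_chm(tampered, known_good),
            "missing": check_chm(os.path.join(folder, "absent.chm"), known_good),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

On a real machine, call `check_chm(DEFAULT_PATH, parse_reference_list(...))` with the published list; as step 4 says, a `no-match` result is an indication to investigate, not proof of infection.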

You can also just, you know, "do a full reformat and reinstallation" of your operating system.

That would definitely test your right brain in a way that Cranium can't.  If all this sounds like less fun than a long game of Monopoly, may I and my Check Point ZoneAlarm friends (and your grandmother) use an old adage?  "An ounce of prevention is worth hundreds of megabytes of cure."  In this case, that ounce ranges from 6 MB to about 70 MB depending on the Check Point product (ZoneAlarm ForceField and ZoneAlarm Extreme Security, respectively) but is smaller than the ounces you get from most other security companies.  And in the context of, "not all protection is created equally," this happens to be an area where ZoneAlarm shines. Because we've got ForceField, baby! 

 

If Gumblar, Conficker, Hungry Hippo or the red-nosed "Operation" guy try to sneak onto your computer, ForceField browser security - with less than a proverbial lift of a finger - is designed to redirect those jokers straight to a sandbox. But in this sandbox, nobody is allowed to play. Sorry, Gumblar! Meanwhile, we'll be gathering more data and will update you on the protection ForceField provides against Gumblar and its variants.  

Tinyurl.com Blocked, Might Distribute Spyware

By John Gable, Director of Consumer Products

 

ZoneAlarm blocks a web site that you want to visit.  For example, some users have noted that ZoneAlarm blocks them when they go to TinyURL.com.  Why would ZoneAlarm do this, and what do I do if that happens?

 

Spyware has occasionally been downloaded from TinyURL.com or a partner site (TinyURL often redirects users to other sites).  To protect you from this threat, ZoneAlarm warns you about it and blocks that specific Web site.  But people might still want to use TinyURL.com anyway – after all it’s a useful tool for posting short URLs on Twitter. Well, you still can.

 

Go to www.tinyURL.com.  If the site is blocked, you should see a balloon pop up in the lower right corner of your screen.  If you click on it, you will go to an interface where you can add tinyURL.com as an exception which allows you to access the site.  You can also manually get to that interface within the product by doing the following:

 

1)       Right click or double click the ZoneAlarm icon in your system tray.


2)       In the ZoneAlarm control screen, click Anti-virus/spyware, and then click “Spy Site Blocking”.  If it has blocked you from a website, it will show you the name of the web site with an X showing that it was blocked.

 


 

3)       If you want to go to that web site, click on top of the web site access and change it from Block to Allow.

 


 

That’s it.  This way ZoneAlarm can protect you from potentially dangerous downloads but still let you go where you want.

Avoiding the Latest Adobe Acrobat Security Vulnerabilities

By Daniel Armao, Security Advisor (Guest blogger)

 

Adobe has released information that its PDF software Adobe Reader and Adobe Acrobat have two new critical vulnerabilities (CVE-2009-1492 and CVE-2009-1493). If exploited, the vulnerabilities could allow an attacker to take control of a victim’s computer and download malware to steal banking information, turn the computer into part of a botnet, or download fake “antivirus” programs. The vulnerabilities could be exploited by viewing a website or opening an email attachment.

 

Adobe recommends disabling Javascript in Adobe Reader and Acrobat by opening Adobe Acrobat Reader > edit > preferences > go to Javascript > uncheck “enable Javascript.” Adobe expects to provide a product update by May 12, 2009.

 

Some security experts have recommended using an alternative PDF reader, which can be found at: http://pdfreaders.org/. Other alternatives not listed are Foxit Reader and CutePDF.

 

The drive-by download attacks that take advantage of the Adobe PDF vulnerability in web browsers may be prevented by ZoneAlarm ForceField. ForceField’s technology puts your computer in a “protective bubble” that isolates the browser (Internet Explorer, Firefox, etc.) from the rest of the hard drive, preventing drive-by downloads from downloading and modifying system files without your consent.

 

More information will become available at Adobe's security bulletin and advisories at: http://www.adobe.com/support/security/

 

Earn $30 just for trying Full Disk Encryption?

ZoneAlarm is giving away FREE Amazon gift certificates worth $30 to 40 Full Disk Encryption beta users on a first come, first serve basis.

To qualify, all you have to do is:
- Install the ZoneAlarm Extreme Security with Laptop Encryption Beta on your laptop running Windows XP or Vista
- Successfully upload recovery data to ZoneAlarm customer support (easy--the installation process includes this and it takes 3 seconds)
- Use the Full Disk Encryption feature to encrypt your laptop's hard drive (also easy--happens automatically after you install)

The first 40 new users who upload their recovery data will be notified by email within 15 days and instructed on how to receive their gift certificate.

To get started, go to the ZoneAlarm Extreme Security with Laptop Encryption Beta page.

You may also be interested in James Grant's blog post about this new consumer Full Disk Encryption product.  

Avoid the "SpywareProtect2009" Scareware Scam and Conficker Payload

by Daniel Armao, Security Advisor

 

The Conficker worm recently received a new update by using a peer-to-peer network. The new update will download a bogus "antivirus" program called SpywareProtect2009. SpywareProtect2009 will try to trick users into buying the fake antivirus by using scare tactics. The scare tactic is a fake “virus scan” that offers to “delete” nonexistent threats only if a consumer buys the fake antivirus. SpywareProtect2009 will also generate popups that show messages such as “your computer is infected” and will hijack the infected computer's Web browser. There is speculation that Conficker might be using Waledac, a botnet that spreads by email in the form of fake holiday e-cards, to send spam from infected machines and to steal passwords by the use of a keylogger.

 

If you encounter a scareware popup on the Web, do not click on the popup at all, not even the Cancel and X options. To get rid of the popup prior to infection, access the Task Manager (Ctrl-Alt-Delete) and in the Applications tab click “End Task” on your Web browser (Internet Explorer, Firefox, Safari, etc.).

 

Scareware such as SpywareProtect2009 can also infect a user on the Web without Conficker. To protect yourself against scareware and other malware, make sure you have the latest updates from Windows, have your ZoneAlarm Internet Security up to date and use the ZoneAlarm firewall. ZoneAlarm ForceField will also protect from scareware and other malware by keeping the browser in a protective bubble. Make sure you do not buy SpywareProtect2009 because not only are you out of $49.95, the creators will also now have access to your credit card number…and we all know what that means – unauthorized charges on the card. If you are a victim of a scareware tactic, please dispute all charges with your credit card company.

 

More information on how to detect and remove Conficker can be found at:

http://blog.zonealarm.com/blog/2009/03/the-conficker-worm-signs-protection-and-removal.html

April 14 Only: ZoneAlarm Suite for Under $10---Supports Charity too!

By Frank Bailinson, Head of Strategic Products

 

Pardon this commercial posting, but you may want to pass this on to friends/family who need full PC security but thought they couldn’t afford it.

 

In response to the economic hard times, we wanted to create a give-away promotion because some people may consider PC security a luxury they can’t afford. We believe it’s a basic need.

 

For 24 hours starting 6am PDT on Tuesday April 14 (Microsoft patch Tuesday), we will reduce the price for ZoneAlarm Internet Security Suite (a full 3-user, 1 year copy) to $9.95.  The offer ends the next day at 6am. We are limiting this offer to new customers only.

 

We will donate 50% of the proceeds to TechSoup, the technology place for nonprofits.  We hope these funds will allow them to spread security to many other charities. 

 

Here is the link for the offer: www.zonealarm.com/only24hours

Could tax software be hacked? Social engineers prey on our humanness.

By Jordy Berson, Group product manager, ZoneAlarm products

Social engineering is a cruel hacking technique that plays on our naivete, behavioral patterns, curiosity and general humanness.  A few examples:

  • HACKER SENDS US: An e-mail on Valentine's Day with subject, "Someone wants to kiss you!"
  • WE: Must know who.  The woman I spilled my cinnamon dolce latte on at Starbucks? The guy at 7-eleven who bought M&Ms while I bought Reese's Pieces?

  • RESULT: Click the Web link from the e-mail, go to the Web site, malware secretly downloads to our PC to spy on us.

Or:

  • HACKER CONTACTS US: Our lost uncle from Britain whom we never knew died (sad) and left us $50,000 (sadness fading a bit). We just need to send in $1000 for handling to get the money.

  • WE: Send in the $1000 and wait by the mailbox like Linus in the pumpkin patch.

  • RESULT: The $50,000 (and The Great Pumpkin) never arrives.

These scams piss me off more than any other because they take people's dignity along with the prize they're after.  What pisses me off even more is that hackers around the world are bringing in comfortable six-figure incomes purely by plundering us workers!  (See related article that my buddy Frank sent around the office:) http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html?wprss=securityfix

The best way to protect yourself from these online parasites, may they all be caught and jailed, is to use the same street smarts online that you use in the real world.  Be suspicious! Don't respond to offers that are too good to be true or seem weird in the least without checking them out first. Never click a Web link from a strange e-mail. Use updated security software to protect yourself.  Keep all of your computer programs, browser plug-ins, and your operating system up-to-date at all times.

But it's not always easy!  Even the best of us can be tricked because hackers make use of the same processes we've come to use and trust online in order to trap us.  I was talking with my fellow blogger James this week about this because a journalist had asked us to consider: What if hackers took advantage of e-mail viral marketing to attack us and our friends?  For example, Web sites such as Yelp! and LinkedIn among many others will go into our address book to invite our friends to participate in their services (with our permission). For example:

  • TRUSTED WEB SITE: Offers to e-mail our address book of friends on our behalf and invite them to use Yelp, Facebook, etc.

  • WE: Trust them.

  • RESULT: No harm done. We and our friends have special moments together online through our increased connectedness.

Now we've been trained to trust this technique.  So it's ripe for the taking as far as hackers are concerned.  A hacker could attack the legitimate Web site we trust; could spoof the Web site we trust (we think it's the legitimate site, but it's a malicious site made to look just like the legitimate site); or could create a brand-new site from scratch. In any case, this same technique could e-mail our friends on our behalf.  Our friends get an e-mail from us so they trust it (social engineering), follow the Web link, and KABLAM! Spyware downloads to our friends' computers.

This puts extra stress on our relationships.

Then James brought up a similar scenario that's even more dangerous.

  • TAX PREP SOFTWARE: Offers to automatically gather our tax info from Fidelity, eTrade, etc.  We just need to give it our username and password to each financial site.

  • WE: Hate taxes, and will do anything to make it go faster and easier.

  • RESULT: We are sad (if we owe), happy (if we get a refund), but no harm done.


But it's easy to see how the above could have an unhappy ending.  I have no doubt the tax prep companies such as Turbo Tax do a great job of ensuring security.  And I've yet to hear of any vulnerabilities in this area.  But the fact that hackers are highly motivated by their six-figure incomes and the fact that no security is 100% secure makes me think things could go very wrong here. Imagine just handing over the keys to your financial information to a hacker because they've stepped in between you and a trusted Web site or have spoofed a Web site you trust. 

The lesson: Think before you give away the keys to any of your information. Consider the cost/benefit to these types of automated features.  Certainly make sure the entity you're trusting is deserving of your trust and is who it says it is.  This is not to say you should abstain from these automated features.  The risk as of now and as far as I know, is small to nil of getting hacked in this way.  We'll see what the future brings.

 

PointSec Disk Encryption comes to the Consumer Market

By James Grant, Team Lead and Senior Developer

PointSec, the product that has been protecting company laptops for years, is now available for the consumer market. Pointsec Full Disk Encryption is the de facto standard of disk encryption products, leading others in independent test results:

http://www.checkpoint.com/products/datasecurity/pc/test-results.html

Companies were the first to see the need for data security as their employees took their work outside the company walls. Increasingly, consumers are choosing laptops for themselves. It is the ideal choice for a student on the go, for example. With the price of laptops tumbling, they are very affordable and they take less space than the big box.

The biggest risk of a laptop is having it stolen. The chance of a college student having their laptop nabbed while they are out is higher than the chance of a home break-in. For most of us, the biggest concerns are the cost of the computer and the setback of losing the information that was on it (I really love USB thumb drives as a backup tool for important information, BTW!). For some, there are privacy and identity theft concerns as well. Did you have private email on there? Picture? Your taxes? Anything with your social security or financial account numbers or passwords?

All those concerns are gone with Full Disk Encryption, available here in beta:

http://download.zonealarm.com/bin/free/beta/index.html

The "beta" label is on the user interface and packaging part of the software, not the encryption part. The core encryption tool is the same as is in use on millions of computers around the world, including the one I'm using right now!

As soon as we went to beta, I installed it at home .. on my wife's computer. The result: "Hon, I'm getting a new logon screen when it starts. What should I do?" So I wrote the username and password on a sticky note and stuck it to the screen. Hey, my goal wasn't security as much as seeing it work. It did.

As I saw the PointSec product transform into a Consumer product, my fears of total disaster subsided:

  • Firstly, I knew rationally that the encrypting part was the same as what I'd used for years at work.
  • Next, the product doesn't start encrypting until recovery information has been backed up on our servers (the files are encrypted by your password, so they are no use to anyone but you - including us).
  • Lastly, the product helps you burn a recovery CD so if - just if - something were to go wrong, you could boot off the recovery CD and unencrypt the drive. Forgot your password? No problem. Contact our Support team, tell them who you are, answer the security questions and they supply a code that unlocks your computer. (In other words, we can help you reset your password, but we don’t know your password, so you're truly safe.)

So if you've wanted to keep your laptop private in case of theft or break-in, ZoneAlarm's new FDE (Full Disk Encryption) is what you've been waiting for. Let us know what you think. While it is in beta, we are looking for feedback from you.

Security News: Router-based botnet attacks

By James Grant, Team Lead and Senior Developer

Usually, when you hear about massive online attacks using botnets, it is legions of infected Windows computers that are doing the dirty work. Here is something new, the exploitation of routers:  Network Bluepill - a stealth router-based botnet has been DDoSing DroneBL for the last couple of weeks:

“…this is the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems. Many devices appear to be vulnerable. The size of this botnet so far cannot be determined. The author of this worm has some sophisticated programming knowledge, given the nature of this executable. Action must be taken immediately to stop this worm before it grows much larger. We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure two weeks ago, and feel that this botnet was the one which flooded DroneBL.

We are looking into finding out more information about this botnet, and its controller. If you have any information, we would like to know. …If you intend to disassemble this botnet, you should note it's UPX-compressed. I estimate that at the time of writing, there are at least 100,000 hosts infected. I suspect that the .sql and .pma exploit tools are used for finding more controllers. But I do not have the controller payload. This technique is one to be extremely concerned about because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique will certainly not be going away.”

My worry here is that it is even harder for Internet users to keep their peripheral hardware secure compared to keeping their own computer secure. As users, we don't like the idea of viruses and malware on the computer we use, but it is easier to ignore someone misusing our equipment, as long as it doesn't prevent us from doing what we want.

The Conficker Worm: Signs, Protection, and Removal

By Daniel Armao, Security Advisor

Experts believe that the Conficker worm, which has infected millions of PCs, is programmed to change on April 1st 2009, dangerously increasing the number of domains that infected PCs contact to run an update program. This worm has not delivered a payload yet, but if it does, it could install spyware on the infected machines to steal financial information or conduct a denial of service attack against websites.

The Conficker worm, first discovered in October 2008, infects a PC through a vulnerability in the Windows Server service that was patched by Microsoft Windows security patch MS08-067. (Note that Mac operating systems are not at risk.) The worm tries to find connections to systems that are unprotected by the patch. When it infects a PC, it connects to a rogue web server that is controlled by the Conficker creators.

To protect yourself from Conficker:

·        Make sure you update your PC with updates from Microsoft by using the automatic update feature. Network Administrators must make sure to get the latest security updates by Microsoft.

·        USB drives may get infected by the Conficker worm if Autorun is not disabled. To prevent a USB infection, PC users can download a patch that allows the option to disable the Autorun functionality: http://support.microsoft.com/kb/967715

·        Make sure your PC has active, updated security software and the latest virus signature definition updates to detect:

o        In ZoneAlarm, click Antivirus on the left navigation bar, then click the Update Now button. (ZoneAlarm is set to receive virus signature updates several times a day—you can set them to happen hourly by going to the Antivirus panel and clicking Advanced Options.)

o        To make sure your product is up-to-date, click Check for Updates on the main panel, lower left corner.

o        A strong two-way firewall is also recommended, so a suite that includes a firewall and antivirus is ideal. (For example, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, or ZoneAlarm Extreme. Free trials are available.)

·        Networks with weak passwords can also allow the Conficker worm to infect systems by the use of brute force software which is designed to guess short and simple passwords. To protect yourself, use long and complex passwords that have at least 6 characters, are unique, and include numbers, uppercase letters, and symbols.

Signs you may be infected with Conficker:

·        Windows services are disabled—such as Automatic updates (in System Properties panel), Background Intelligent Transfer Service, and Error Reporting service (in System Properties).

·        Some security-related web sites are blocked. This web page loads several of the security sites typically blocked -- http://eyechart.sie.isc.org/  -- so you can check it to see if you may be infected.

·        You experience a slow response from network domain controllers (i.e., slow security authentication request responses)

·        Your system restore points are deleted

 

REMOVAL INSTRUCTIONS FROM ZONEALARM TEAM:

To detect and remove the Conficker worm:

·        If you do not use ZoneAlarm, please check for removal details at the Web site for your security software.

·        If you have ZoneAlarm, click Antivirus on the left navigation bar, then:

1.     Click the Update Now button.

2.     Click the Scan for Viruses/Spyware button.

3.     If the scan results show a virus with any variation of the names conficker, kido or downadup, remove it immediately with our remover tool. Download tool.
