Gumblar - Not a New Parker Brothers Game

By Jordy Berson, group product manager, ZoneAlarm products

 

Gumblar!! 

Is it an outrageously fun new board game that combines Jenga and Cranium to test your right brain, left brain and "Parkinson's-proneness" all at once? No. But this fun-sounding little guy could test your computer security, your identity theft protection and your ability to reformat your computer. And it could definitely bring outrage!

 

Gumblar is another multi-faceted, everywhere-you-want-to-be online, ninja-quiet Web site attack that can wreak havoc on your life. It begins in what seems to be one or a combination of Russian, Latvian and Chinese kitchens where it is then embedded into vulnerable Web sites.  Which Web sites? So far, ones you've probably never heard of.  But if we know anything about such attacks, we know any Web site can fall victim. Google, Yahoo, and the Miami Dolphins are just a sampling of sites that have been compromised by other attacks. (So yes, it can happen to you.)

 

So...what's the big deal? 

Well, news says (CNET by Elinor Mills, CBR by Kevin White, plenty more) Gumblar sneaks onto your PC when you visit a Web site, injects itself into your browser and intercepts traffic between you and the Web sites you visit.  That means anything you type is seen (unless it's encrypted, which most reputable bank and shop sites are).  But it can also redirect you to malicious Web sites that look like real Web sites, which can download more malicious code to your PC. The net net?  Play with Gumblar and you can lose your identity, unwittingly attack other computers, definitely lose money and maybe lose your mind! (“Mom, Gumblar won't stop hitting me!”)  


Seemingly contrary to its spunky, extroverted name, Gumblar won't announce itself when it hits your computer. So you've got to go digging.  The CNET friends give this advice (as reported by Elinor Mills):

To find out if a computer is infected:

1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);

2) Obtain the SHA1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;

3) Compare the obtained SHA1 to the list located on the ScanSafe STAT Blog;

4) If the SHA1 and corresponding file size do not match a pair on the reference list, it could be an indication of a Gumblar infection.
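The four steps above are a file-integrity check: hash the file, note its size, and look the pair up in a list of known-good values. The script below is an added example (not from the post, CNET or ScanSafe) that does the same thing in Python for any file. The reference pair it uses is constructed from a sample file it writes itself so that it runs offline; in practice you would load the (SHA1, size) pairs published on the ScanSafe STAT Blog and point it at the real C:\Windows\System32\sqlsodbc.chm.

```python
import hashlib
import os
import tempfile


def sha1_and_size(path, chunk_size=65536):
    """Return (hex SHA1, size in bytes) for a file, hashing it in chunks."""
    h = hashlib.sha1()
    size = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def check_file(path, reference):
    """Compare a file's (SHA1, size) against a set of known-good pairs.

    Returns 'match', 'mismatch' or 'missing'. A mismatch is a lead, not
    proof: a legitimate update or a different Windows build also fails to
    match, so confirm against the published list before reimaging.
    """
    if not os.path.isfile(path):
        return "missing"
    digest, size = sha1_and_size(path)
    return "match" if (digest.lower(), size) in reference else "mismatch"


def demo():
    """Build a known-good sample file and a modified copy, then check both.

    Everything here is constructed for the example: the reference set is
    derived from the sample, not from the real ScanSafe list.
    """
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "sqlsodbc.chm")
        with open(good, "wb") as f:
            f.write(b"sample help file contents (constructed)")
        reference = {sha1_and_size(good)}   # stand-in for the published pairs

        modified = os.path.join(d, "sqlsodbc_modified.chm")
        with open(modified, "wb") as f:
            f.write(b"sample help file contents (constructed) + extra bytes")

        absent = os.path.join(d, "absent.chm")
        return (check_file(good, reference),
                check_file(modified, reference),
                check_file(absent, reference))


if __name__ == "__main__":
    # Assumed usage on a real machine: load the published pairs into a set of
    # (lowercase hex sha1, size) tuples and call
    # check_file(r"C:\Windows\System32\sqlsodbc.chm", reference).
    print(demo())
```

Because the list pairs the hash with the file size, both values have to match; a file that is missing altogether is reported separately rather than treated as a mismatch.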

You can also just, you know, "do a full reformat and reinstallation" of your operating system.

That would definitely test your right brain in a way that Cranium can't.  If all this sounds like less fun than a long game of Monopoly, may I and my Check Point ZoneAlarm friends (and your grandmother) use an old adage?  "An ounce of prevention is worth hundreds of megabytes of cure."  In this case, that ounce ranges from 6 MB to about 70 MB depending on the Check Point product (ZoneAlarm ForceField and ZoneAlarm Extreme Security, respectively) but is smaller than the ounces you get from most other security companies.  And in the context of, "not all protection is created equally," this happens to be an area where ZoneAlarm shines. Because we've got ForceField, baby! 

 

If Gumblar, Conficker, Hungry Hippo or the red-nosed "Operation" guy try to sneak onto your computer, ForceField browser security - with less than a proverbial lift of a finger - is designed to redirect those jokers straight to a sandbox. But in this sandbox, nobody is allowed to play. Sorry, Gumblar! Meanwhile, we'll be gathering more data and will update you on the protection ForceField provides against Gumblar and its variants.  

April 14 Only: ZoneAlarm Suite for Under $10---Supports Charity too!

By Frank Bailinson, Head of Strategic Products

 

Pardon this commercial posting, but you may want to pass this on to friends/family who need full PC security but thought they couldn’t afford it.

 

In response to the economic hard times, we wanted to create a give-away promotion because some people may consider PC security a luxury they can’t afford. We believe it’s a basic need.

 

For 24 hours starting 6am PDT on Tuesday April 14 (Microsoft patch Tuesday), we will reduce the price for ZoneAlarm Internet Security Suite (a full 3-user, 1 year copy) to $9.95.  The offer ends the next day at 6am. We are limiting this offer to new customers only.

 

We will donate 50% of the proceeds to TechSoup, the technology place for nonprofits.  We hope these funds will allow them to spread security to many other charities. 

 

Here is the link for the offer: www.zonealarm.com/only24hours

Controversial DNSSEC could solve pernicious Internet security issues

by Albert Sweigart, Consumer Security Development

The well-known security researcher Dan Kaminsky pushed for the adoption of DNSSEC (Domain Name System Security Extensions) in his recent presentation at the Black Hat DC conference. Kaminsky is famous for a critical flaw he found in the Domain Name System protocol last summer. DNS is the protocol that translates domain names (such as zonealarm.com) to the numeric Internet Protocol address (such as 209.87.209.206). By exploiting the flaw, Kaminsky showed that a DNS server can be tricked into resolving a domain name to a different IP address. This would allow an attacker to send someone visiting YourOnlineBank.com to a fake replica of the website that they control. The user would unwittingly give their online bank password to the attacker’s fake website.

That vulnerability has been patched since, but the DNS protocol itself in many ways remains fundamentally insecure:

  • DNS is not a secure protocol by itself, and software applications do not rely on it for security. The use of cryptography imposes some computational expense on the server and causes scalability issues. Secure Sockets Layer, the technology that most consumers interact with by seeing the tiny lock icon next to the URL bar in their web browser, mitigates this problem somewhat. A fake website would not be able to reproduce the proper SSL certificate, and web browsers display warnings about accessing web sites with invalid SSL credentials. However, users are amazingly resistant to such warnings, and the “click the button to make the message box go away” mentality causes many users to ignore these warnings.

  • Unfortunately, a more common attack would just be not employing SSL at all. Redirecting a user from YourOnlineBank.com (which uses SSL) to the fake replica website (which does not use SSL) would not produce any browser warnings. The cannier user may notice the lack of the “https” in the URL before entering their password, but most would not.

  • With the domain name system vulnerable, a website’s “forgotten password” feature also becomes an easy target for hackers. By hijacking YourOnlineEmail.com, an attacker could then go to Facebook, Ebay, or any number of online web services and request a new password sent to a user’s email address (such as BObama@YourOnlineEmail.com). This password would then be intercepted by the attacker when it is sent not to the real YourOnlineEmail.com, but to the fake one in the control of the attacker. The real user is never involved in or aware of the attack at any point.

DNSSEC is a proposed protocol (introduced in RFC 2065) that would secure the DNS protocol using public-key cryptography (DNS records are digitally signed by the zone owner and verified by the resolver), but its adoption has been slow due to many factors. It is notoriously complicated to implement and maintain. Without a demand from applications, there is little incentive to add DNSSEC.
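To make the "signed records" idea concrete, here is an added example (not from the post and not real DNSSEC code) that models the one property DNSSEC adds: a validating resolver accepts an address only when the zone's signature over that exact record verifies. It uses a toy RSA built from two small primes so it runs with the Python standard library alone; the key size, the record format and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for illustration and are nothing like a production DNSSEC deployment.

```python
import hashlib


def toy_keypair(p=10007, q=10009, e=65537):
    """Toy RSA key pair from two small primes (constructed; illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse, Python 3.8+
    return (n, e), (n, d)               # (public key, private key)


def record_bytes(name, rtype, rdata):
    """Canonical form of one resource record; this is what the zone signs."""
    return f"{name.lower()}|{rtype}|{rdata}".encode()


def record_digest(name, rtype, rdata, n):
    """SHA-256 of the record, reduced modulo n so the toy RSA can process it."""
    digest = hashlib.sha256(record_bytes(name, rtype, rdata)).digest()
    return int.from_bytes(digest, "big") % n


def sign_record(priv, name, rtype, rdata):
    """Zone owner: sign the record with the private key."""
    n, d = priv
    return pow(record_digest(name, rtype, rdata, n), d, n)


def verify_record(pub, name, rtype, rdata, sig):
    """Resolver: check the signature with the zone's published public key."""
    n, e = pub
    return pow(sig, e, n) == record_digest(name, rtype, rdata, n)


def resolve(pub, response):
    """Validating-resolver behaviour: hand back the address only if its
    signature verifies. A real resolver returns SERVFAIL instead of None."""
    name, rtype, rdata, sig = response
    if sig is None or not verify_record(pub, name, rtype, rdata, sig):
        return None
    return rdata


def demo():
    pub, priv = toy_keypair()
    # Constructed zone data: the post's example name, documentation address.
    genuine = ("YourOnlineBank.com", "A", "192.0.2.10")
    sig = sign_record(priv, *genuine)
    accepted = resolve(pub, (*genuine, sig))
    # The same answer with the address swapped for another constructed one:
    # the signature no longer covers the data, so validation fails.
    tampered = resolve(pub, ("YourOnlineBank.com", "A", "198.51.100.7", sig))
    # An answer carrying no signature at all is rejected the same way.
    unsigned = resolve(pub, ("YourOnlineBank.com", "A", "198.51.100.7", None))
    return accepted, tampered, unsigned


if __name__ == "__main__":
    print(demo())   # expected: ('192.0.2.10', None, None)
```

The point the post makes follows from the last two lines of demo(): an answer with a different address is useless to whoever injected it unless they also hold the zone's private key, which is exactly what plain DNS lacks.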

DNSSEC also has a political problem with the international community and more libertarian proponents of the Internet. The DNSSEC protocol would place the root authority to authenticate the entire domain name system with the U.S. Department of Commerce, including the domain name system of 187 different countries. This centralization of authority would also give the government the power to disable domain names, or perform DNS hijacks themselves.

Kaminsky has always been lukewarm to the idea of DNSSEC, but despite its problems and complexity he is for securing the DNS protocol. A fix at this level of the Internet could potentially solve an entire class of security problems. The pressure placed on networks and DNS servers by business and consumer interests provides too large an incentive to ignore this issue forever. And while the work to simplify the administration of DNSSEC is still far from finished, Kaminsky has pointed out that the implementations of proposed alternatives to DNSSEC (such as DNSCurve) are far behind.

Adobe Acrobat PDF vulnerability is more of the same

By Jordy Berson, Group Product Manager, Check Point Software

A vulnerability in Adobe Acrobat is being used to steal business and government secrets.   This exploit entices its victims to open a PDF document, upon which a Trojan is transferred invisibly to the victim's PC.  The Trojan secretly records keystrokes and allows hackers remote access to the victim's computer. This vulnerability has so far been targeted at business executives and government officials.  I don't know what's scarier - the attacks that target people like you and me directly to steal our identity, or knowing that our government and business officials are being spied on. 

The general idea is this: You're surfing the Internet, you land on a Web site, and BAM!
Malicious software secretly downloads to your PC.  Most of the time you don't even have to click on anything or even stay on the site for more than a moment.  But when you leave the site, you take an invisible threat away with you that steals your identity and your privacy.

The Adobe attack is just the latest chapter in a dramatic but predictable story. Nearly every week for the past year, it seems a new drive-by exploit is discovered.  Web surfers fall victim.  Identities are stolen.  Secrets are passed.  Virus companies catch up...too late as usual. 

Any Web site will do.  These types of exploits have been hosted on compromised mainstream sites such as Miami Dolphins and Tom's Hardware and on popular banking sites where you'd never expect them, as well as on riskier sites such as free download sites.  The point is that these threats can affect you no matter where you surf and no matter how careful you are.  

How likely are you to hit a drive-by? A study by Google concluded that over 1% of all Web searches contain at least one malicious URL which could be a drive-by.  So out of 100 Web searches, you'll hit at least one of these.  And that's just one of the methods to get you. Phishing sites and other social engineering tactics can land you on a malicious Web site too. And if you do stuff like downloading free screensavers and music and you spend a lot of time social networking, your risks are higher.

So what do you do?  Hide your love away...

Hackers love people who run old versions of their software.  And you don't want to be loved by hackers! When you run outdated software on your PC, you make it dead easy to get hacked.  You're almost asking for it.  So please update all your software now...right now.  And especially if anybody is using an older version of IE or Firefox (or whatever browser you run)...upgrade immediately!  You should be on IE 7 and Firefox 3.  

...and get a good traffic cop.  The traffic cop is one of the few technologies out there that can stop drive-by downloads.  And this one is *the* only one at this time that works automatically (the others require you to change the way you download files and manage your file system). It's our own ZoneAlarm ForceField.  In the time it's been out, it's stopped 100% of drive-by downloads that we've been able to test - theoretical and actual. It does a lot of other stuff too. Try it for free and please tell me what you think of it.  Love it or hate it, I'd love to know. It's less than 5MB.

Thanks!

http://www.zonealarm.com/security/en-us/trial-download-zonealarm-forcefield-browser-security.htm

Read the Adobe Security Bulletin here.

The Conspiracy of Silence around Web Attacks

By John Gable

ZoneAlarm Director of Product Management

 

Hardly anyone knew about it.

 

The Los Angeles Angels website was recently hacked overnight with a drive-by download. It tried to download “AntiVirus 2009”, a well known fake security program that actually installs malware, onto visitors' systems. The Angels fixed the problem the next day, but damage was done.

 

I don’t mean to pick on the American League West Champions. This happens much too often, not just in major league baseball, but also the National Football League (Miami Dolphins), job sites (Monster.com), financial institutions (Bank of India) and plenty more.

 

What else don’t you know about?  Did you know about …

I suggest there are 3 good reasons most people don't hear about such incidents.

  1. Hackers want to be invisible.  Gone are the “good ole days” when a hacker wanted to become famous. The "I Love You" virus was a big problem, but at least you knew if you were infected. Now hackers go to great lengths to make sure you don’t know anything is happening as they take over your PC.

  2. Web sites that have been hacked don’t exactly spend marketing funds to tell the world what happened. Responsible sites, like Check Free, quickly contact any potential victims to help them. But the last thing most sites want is to scare you away.

  3. Same logic applies to software vendors, even security companies. Plus, sometimes they don’t want to advertise vulnerabilities because they don’t want to educate hackers how to break in.

Special kudos to the companies that do a good job at communicating threats. Adobe just issued a security bulletin about a buffer overflow issue with Adobe Reader 9 and Acrobat 9.

 

I’m happy to report that our new ZoneAlarm Extreme Security, which integrates our latest PC security suite with our web browser security and more, is the only security suite that blocked any of the threats I listed above from the very first moment they hit the Web (someone else might have stopped the LA Angels attack - but I can verify that others missed all the other attacks).

 

In fact, ZoneAlarm Extreme Security blocks all of them. See our Stops Attacks Others Miss page for more details.

 

Do you think people need to know about these Web attacks or is ignorance bliss?

Waledac Valentine's Day attack stopped by ZoneAlarm ForceField. Are we the only ones?

by John Gable

 

Another Valentine's Day special.

 

You may have been reading how the Waledac botnet, a successor to the Storm botnet, has come to haunt your Valentine's Day.

 

This botnet is running a Valentine’s Day "campaign" soliciting people with phony Valentine’s themed e-mails and greeting cards. When users click through to a Web site to receive their messages, malicious software is silently and automatically downloaded to their computer. The malicious software can do any number of nasty things such as logging and transmitting everything a user types, stealing their credit card numbers and online passwords, and turning their computer into a launch pad to attack others.

 

With over 1000 variants in just one day, this is very hard to stop.  Perhaps impossible to stop for typical antivirus software that relies on lists of known threats.

 

This is yet another example of how important browser security has become.  We need to stop attacks like these at the point of entry - the web browser - and prevent that malware from getting onto the PC in the first place.

 

Thank you ZoneAlarm ForceField.  Just add ZoneAlarm ForceField to IE or Firefox, and you will be protected from attacks like this.  Our browser security prevents this and other attacks from hacking your PC by keeping the browser inside a "virtual sandbox" where malware can not access your system.  It also includes other powerful browser defenses like dual-engine anti-phishing (signatures and heuristics) and more.

 

Question:

 

So far, ZoneAlarm ForceField is the only mainstream consumer security product I can find that blocks this attack and the other Waledac botnet attacks starting on day one.  Anti-spam should block some or most of the spam that initiates this attack, but it is rarely 100% reliable.  Good internet sense may stop you from clicking on the link, but who knows, maybe you do have a Valentine somewhere that loves you.  There are some techy PC virtualization and sandbox software programs out there, but they are too cumbersome for most people. 

 

Is there a better way to block this attack?

 

PS.  If you want to learn more about the Waledac Valentine's Day attack, the Waledac botnet or Storm botnet, these are my favorite posts on the subject:

 

Malware Writers Use Multiple Botnets to Spread Valentine's Day Heartache

eWeek by Brian Prince

 

Another Waledac Valentine's Day Spam Run Has Started

MX Logic IT Security Blog

 

New And Improved Storm Botnet Morphing Valentine's Malware

Dark Reading by Kelly Jackson Higgins

A Wicked Web They Weave

by Laura Yecies

Today, I’m very excited to announce the launch of ZoneAlarm ForceField. We first released ZAFF into beta last fall, and now it’s ready for primetime. On behalf of the entire ZoneAlarm team, I’d like to extend a very sincere thank you to everyone in the ZA community for your valuable insight and testing help…this is a major milestone not only for our company but in the fight against cybercrime. We look forward to your feedback.

As tempting as it is to delve into all the product details of this new virtualized browser/Web security solution, I think I’d rather talk to you today about a few of the reasons why we built ForceField.

In the past year or so, we’ve seen the consumer threat environment shift rather dramatically. Like the evolution of viruses and spyware, attack vectors have also evolved. The prime target used to be your operating system. So a good firewall, combined with antivirus and anti-spyware, was pretty sufficient protection against hackers looking for vulnerable PCs.

Now, armed with a new arsenal of Web-based attack strategies, hackers no longer need to seek you out. You’ll find them all on your own.

It’s rather easy to accidentally compromise your PC while innocently surfing the Web. Here’s how:

Search Portals: When you search for something on your favorite search engine, like Google or Yahoo, do you automatically assume that all the results are legitimate, safe Web sites? Hackers have found ways to seed search engines with malicious Web sites, or dummy pages that automatically redirect you to a Web site that can automatically download hundreds of pieces of malware without your knowledge. One of the strategies behind ZoneAlarm ForceField was to create an environment where you can make mistakes. You can accidentally click one of these links, and the malware will be contained in your virtualized, ForceField protected browser (and unable to harm your PC).

Random Web sites: Your favorite Web site, yes, the one you visit every day, could send malware your way next time you drop in. And they may not even know it. You see, these perfectly legitimate and responsible sites can become hacked themselves. A vulnerability in an ad server or database can allow a hacker to use the Web site as an otherwise trusted conduit to deliver a malicious payload onto your PC. As I write this, one such SQL Injection attack, using the worm “winzipices.cn,” is believed to have compromised over 4,000 Web sites around the world.

We’re also receiving reports of demographic attacks: hackers compromising specific Web sites that cater to a desirable audience…for example wealthy or older surfers. Like with the search engine attacks, by using ForceField you can confidently surf as usual. Even if your favorite Web site has been hijacked, you stay safe.

Social networking/Web 2.0: Social networking sites, by their very viral nature, are an irresistible attack vector for hackers. Alicia Keys’ fans learned that the hard way last year when her MySpace page was infected. Facebook, with all its fun apps, proved compelling to adware distributor Zango. Not only can these communities be exploited to spread malware, but they can also fall prey to what we call “man in the middle” attacks. This is where a hacker basically inserts himself in the middle of your upload or other file sharing to steal your password or other sensitive personal information.

Social networking is a great way to stay connected with friends and family and build online communities, but always take precautions and be careful what you share. It’s a lot harder to delete personal information off the ‘Net than to post it.

Gaming/Virtual Worlds: Virtual worlds and games like Second Life and World of Warcraft are a blast. My kids love them. But one security researcher recently claimed that he could compromise your PC if your avatar wandered into his “realm.” If he could see you, he could take over your PC remotely. While we haven’t seen real world reports of this type of breach, we believe it can be done.

So what’s a security-minded Netizen to do? Besides using a comprehensive Web security solution like ForceField (in tandem with your PC security), make sure *all* your applications are patched regularly. Don’t forget your Java, IE, Flash, Quicktime etc. They’re easy to overlook but crucial to an overall Web security strategy. We’ll be posting more tips in the coming days, but in the meantime, we’re interested in hearing your experiences with Web-based attacks. Have you fallen victim? What steps do you take to avoid falling into a hacker trap on the Web?

Free Security: ZoneAlarm Anti-Spyware plus Firewall

We don't normally put promotional stuff here, but since this is a 24 hour opportunity, we thought you might want to know.  You can download and use ZoneAlarm Anti-Spyware for free.  And it's not just anti-spyware freeware, but our full product that won top billing at CNET which has the full anti-spyware deep scan and removal as well as the professional grade Firewall and OSFirewall.  Here are the details:

Offer Page:  http://www.zonealarm.com/patchtuesday/
Media Alert:  http://download.zonelabs.com/bin/free/pressReleases/2007/pr_7.html


UPDATE: OFFER EXTENDED (from Allison, our Director of PR)

As you've probably already seen, today you can download ZoneAlarm Anti-spyware, free. No strings attached. You get the full product, complete with the legendary ZoneAlarm firewall, the rootkit-blocking OSFirewall, Spy Site Blocking, and a year of A/S updates.

We've had some server challenges because of traffic, and so we're extending the offer to 5 p.m. PST tomorrow to accommodate everyone. We sincerely apologize for the inconvenience.

All of us here on the ZoneAlarm team believe more people need to take proactive security precautions by installing essential PC protection AND pay attention to updating their operating systems and browsers when critical security patches are made available. We know it's a pain to download a patch, install it and sometimes even have to restart your PC. But it's important. You can't be complacent because it's an inconvenience. Because...as vulnerabilities are announced and patches released, hackers go straight to work developing exploits and start hunting around the Net in search of unprotected PCs.

Here in the San Francisco Bay Area, when the air gets particularly dirty a "Spare the Air" day is declared. Many public transportation companies such as the commuter trains will offer a free ride to get people off the road. That's the idea behind this ZoneAlarm Anti-Spyware Patch Tuesday offer...the more people who have tough security and an updated PC, the fewer targets for attackers and the Internet becomes a safer place as a whole.

So you get ZoneAlarm Anti-Spyware for free until tomorrow only at www.zonealarm.com/patchtuesday.

And don't forget to also download the free ZoneAlarm ForceField beta to add a "bubble of security" around your browser. It's a cool virtualization-based product that traps drive-by malware and phishing attacks, and prevents keyloggers from tracking your typing. Once you install it on your PC, you'll never want to shop or bank online again without it.

Security and Medieval Times

We like using analogies here to explain security principles.  For example, to explain why your firewall must truly protect every port and pass every leak test, we point to a car with only 3 of its 4 doors locked.  How safe is that?  That also works for pointing out why you need a complete security suite, not just antivirus.


Sky King, our fearless leader for ZoneAlarm development, likes to use a different analogy to point out the value of multiple layers of security.  Let’s say you want to build a castle in medieval times.  First, you build on top of a hill.  That way, as attacking forces approach, you stop a lot of them as they climb, perhaps with trained archers and elves (sorry, I sometimes get Lord of the Rings and “real” history confused).  Next the forces of Saruman have to cross a moat (water, spikes, more arrows), scale a wall (hot oil from above) or break through a gate (heavily fortified), defeat the forces in the towers and on top of the walls (hand to hand), and then enter the center of the castle.  By then, you will have defeated all of the dark forces (mixing metaphors with Star Wars) and can live in peace.  It’s probably a good idea to add intelligence services to catch spies who slip in unnoticed (James Bond movies are cool, too) or use your spider-sense (couldn’t resist).


The moral of the story?  No single layer of defense is perfect or sufficient by itself.  Some fun sites on medieval castles include http://en.wikipedia.org/wiki/Castle, http://www.castles-of-britain.com/castleso.htm, http://tolkiengateway.net/wiki/Battle_of_the_Hornburg.

"Fake" Security

I'm sure you've seen them -- those pop-up ads that make scary claims:

YOU MAY BE INFECTED!
CLICK HERE TO CLEAN YOUR SYSTEM NOW!

I just ran across one, a friend hit this site, was convinced he was infected and asked how to remove the infection.

My friend wasn't infected. It was a fraudulent anti-virus scan with fake results. This is often called "Scareware" and it amounts to using fear to sell products -- in fact, many of these products will cause more serious problems when you actually attempt to install their "fix" for these fake infections.

There are a couple types of these cons:

  • User is dropped on a fake Anti-virus/Anti-spyware scan that detects "false" infections
  • User is told their computer is not running properly, download X software to fix it
  • User is told their activities are being monitored and recorded, click here to prevent this

Here is a screen shot that shows one of the scanners apparently finding "errors":

[Screenshot: fake online scanner listing "errors" on a clean PC]
In truth, this computer has none of these errors and this is a simple ploy to get you to install their software. In fact, this type of attack and fraud is so common this particular scanner has its own Wikipedia entry: WinFixer

Here are some of the more interesting quotes:

They display false information with regards to a user's computer, thereby confusing said user into believing their PC is infected with viruses, spyware and/or other forms of malware.

Due to these problems, WinFixer and its sister applications are generally considered scareware spyware.

On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court. KTVU (Channel 2 in Oakland, CA) carried a special report you can view at http://www.youtube.com/watch?v=zBUZHiKhsog.

The best way to protect yourself from these types of scareware attacks is simple: Only install/buy software from companies that are well respected and that you trust. If you aren't sure, use Google to do a quick background check on the company and see what it turns up.

Also, ZoneAlarm products with OSFW will protect you. This scareware often attempts to install to this location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Any process that attempts to write/change this registry key and is not in our SmartDefense Advisor Approved list will create a security alert. The alert below shows me attempting to change the "Run Key" using the Registry Editor:

[Screenshot: OSFirewall alert raised when Registry Editor modifies the Run key]
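OSFirewall does this check live, at the moment a process tries to write the key. The same allow-list idea can be applied after the fact to an export of the Run key (the text that `reg export` produces), which is useful when reviewing a machine that has no such monitor. The script below is an added example, not ZoneAlarm code: it parses the .reg text format, pulls the program name out of each Run entry, and flags anything that is not on an approved list. The export text, the approved set and the file names in it are all constructed for the example; the approved set stands in for the SmartDefense Advisor list and is not derived from it.

```python
import re

# Constructed sample of a `reg export` of the Run key in .reg text format.
# Entries are made up: zlclient.exe plays the approved program, winfixer.exe
# the scareware installer.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SystemScanner"="C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\winfixer.exe /silent"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Assumed allow-list of executables that may legitimately start from Run.
APPROVED = {"zlclient.exe", "ctfmon.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg_string(s):
    """Undo .reg string escaping: a backslash quotes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_run_values(reg_text):
    """Yield (value name, command line) for string values under the Run key."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = VALUE_RE.match(line)
        if m:
            yield m.group("name"), unescape_reg_string(m.group("data"))


def executable_name(command):
    """Extract the program file name from a Run command line.

    Handles both quoted paths ("C:\\Program Files\\x.exe" /arg) and
    unquoted ones (C:\\x.exe /arg); case is folded for comparison.
    """
    command = command.strip()
    if command.startswith('"'):
        program = command[1:command.index('"', 1)]
    else:
        program = command.split()[0]
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_run_key(reg_text, approved=APPROVED):
    """Return [(value name, executable, command)] for entries not on the allow-list."""
    flagged = []
    for name, command in parse_run_values(reg_text):
        exe = executable_name(command)
        if exe not in approved:
            flagged.append((name, exe, command))
    return flagged


if __name__ == "__main__":
    for name, exe, command in audit_run_key(SAMPLE_REG_EXPORT):
        print(f"not approved: {name!r} starts {exe} via: {command}")
```

Matching on the file name alone keeps the example short; a real review would also compare the full path and a hash of the file, since a dropper can borrow an approved name.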
