The DNS Changer: End of the Internet–or not

There has been a lot of talk in the news about this DNS Changer worm, and how it will cause people to lose their internet connection on Monday. I wanted to take a moment to clear some things up, as the news basically points you to the FBI’s site (and their information). The link to their information is here.

So, here we go…

  1. Originally there were over 14 million estimated computers infected with these worms. Through the FBI and ISPs sending out warnings, that number has decreased dramatically. Right now, in the US, it’s estimated that only 70,000 devices are infected. (Worldwide stats are available from the FBI.) This is why they’re shutting down the servers.

  2. The FBI set up its own DNS Servers at the “rogue” IP Addresses, because with so many infected computers, it would have been catastrophic to shut the sites down cold. Imagine waking up to find that over 14 MILLION people have lost internet access suddenly.

  3. Basically what’s happening is this: DNS is like calling directory assistance and getting someone’s phone number. Your browser does this when it doesn’t know the address (think phone number) of a website. That virus changed those “Directory Assistance” numbers to its own set. So it’s as if you were calling a special number for Directory Assistance, and they gave you whatever numbers they wanted you to dial (not necessarily the number of the person you were calling). Or they gave you a number that would charge your phone bill on their behalf (like using a Phone card to call).

In terms of DNS, your browser would either get sent to an ad site, porn site, or something else, when you typed in a site name. Or if you did a search, it would fake the results of the search with malicious sites (where you could be infected with other viruses), or it would replace the ads on a legitimate site (since your browser had to get the ads from somewhere), with their own ads. It was hinted that the viruses would also capture your passwords, but I haven’t seen anything openly saying that. Although if someone’s infected with any virus, they’ll want to change their passwords after fixing their computer.

** Another common analogy for DNS is like sending a letter through the Post Office, but to be honest, I’m not sure how this would play out in that scenario.

How do you know if you’re infected with the worm?

The easiest way to check your computer is to visit this site for their steps. They have a page which will tell you (via a green or red background on a picture) if you’re infected or not. One drawback is if your ISP “fixes” or alters DNS entries, it may look like you’re clean, when you’re really not.

As for what to check on your computer, here’s what to do:

For Windows Users:

  1. Click the Start orb, and type cmd in the bottom box (where it says “Search”).
  2. Click on Command Prompt (or cmd) in the results at the top.

** These instructions are for Windows Vista/7 users mainly. In older versions of Windows, it would be the Start button, then Run… and type cmd, or (in all versions of Windows) you can also press the Windows Key and the R key at the same time, and type cmd in the “Run…” box that pops up.

  3. Type in ipconfig /all (or copy and paste from this post).

You’re going to get a lot of information on the screen. What you’re looking for will say something like this:

Local Area Connection (Ethernet)
IP Address: 192.168.x.x (could be something like 192.168.2.100)
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.x.1 or 192.168.x.254 (whatever the IP Address from your modem or router is)
DNS Servers: xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx

** Those are what you’re looking for **

What the linked page says to do is look at the first group of xxx’s (the numbers before the first dot) in each DNS server address. If it’s in their table, then look at the second group of xxx’s in each address. If that’s in the table, look at the third group, and so on. If at ANY point you find a group of xxx’s that’s not listed in their table, you can stop. Even if it’s one number.

Here is the table that they are referring to.

Rogue DNS Servers

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

If your DNS Servers are the same as your “Default Gateway” up above, then you need to log into your modem and check them from it. If you have just a modem, then you’ll probably want to call your ISP for help with this. Unless of course, you’ve logged into it enough times that you know what to do. If you have a separate router (like a Linksys, Cisco, or Netgear router for example) that your computer is plugged into, you should be able to go to their site and get information on how to log in. The steps here are general (as the pages and passwords are different for each router).

  1. In your browser, type in the IP Address for your Default Gateway and hit enter.
  2. On the screen that comes up, type in the username and password for your router (NOTE: if you haven’t changed these from the default (usually admin for both), YOU NEED TO DO THAT!!!!!!!!!!!)
  3. You will be presented with the setup screens for your router. You want to look for the DNS information screens (first look at your Status screens, and if the DNS Entries aren’t there (or are the rogue entries) then look for how to configure them).
  4. If your DNS Entries are the rogue entries in the table, then you need to change them back to “good” ones (or follow whatever steps are needed to have your ISP automatically provide them). Personally, I recommend using Public DNS entries (like 208.67.222.222 and 208.67.220.220 for OpenDNS or 8.8.8.8 and 8.8.4.4 for Google DNS), but it’s your decision whether to use your ISP’s or not.

Apply the changes, and restart your computers after the modem/router restarts. You should be all set for Monday.

For Linux users, you’ll either want to check your /etc/resolv.conf file to see if it has the rogue DNS servers or manually edit your network connections (or router/modem).
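As an added checker (my own code, not from the post, the FBI, or the linked site) that automates the comparison against the rogue table above: it pulls the DNS Servers lines out of ipconfig /all output (or nameserver lines out of /etc/resolv.conf), compares each address numerically against the six ranges, and flags a resolver that equals the Default Gateway as one you have to check on the router itself. The ipconfig text at the bottom is constructed for the demonstration, not a real capture.

```python
import ipaddress
import re

# Rogue DNS server ranges from the post's table (start through end, inclusive).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"), ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"), ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"), ("64.28.176.0", "64.28.191.255"),
]

def is_rogue(ip_text):
    """True if an IPv4 address lies inside a listed range. The whole address is
    compared numerically; the post's octet-by-octet walk approximates this."""
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version != 4:
        return False  # the table only lists IPv4 ranges
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in ROGUE_RANGES)

def servers_from_ipconfig(text):
    """Return (default gateway, [resolvers]) from `ipconfig /all` output. The
    first resolver is on the 'DNS Servers' line; extra ones follow, unlabelled."""
    gateway, servers, collecting = None, [], False
    for line in text.splitlines():
        if m := re.match(r"\s*Default Gateway[ .]*:\s*(\S+)", line):
            gateway = m.group(1)
        if m := re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line):
            servers.append(m.group(1))
            collecting = True
        elif collecting and (m := re.fullmatch(r"\s+(\S+)\s*", line)):
            servers.append(m.group(1))  # continuation line: address only
        else:
            collecting = False
    return gateway, servers

def servers_from_resolv_conf(text):
    """Resolvers from a Linux /etc/resolv.conf ('nameserver <ip>' lines)."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)

def classify(ipconfig_text):
    """Verdict per resolver; one equal to the default gateway has to be
    checked in the router's own settings (the post's caveat)."""
    gateway, servers = servers_from_ipconfig(ipconfig_text)
    verdicts = {}
    for s in servers:
        if is_rogue(s):
            verdicts[s] = "rogue"
        elif s == gateway:
            verdicts[s] = "gateway: check the router's DNS settings"
        else:
            verdicts[s] = "not in rogue table"
    return verdicts

# Constructed sample (not a real capture): one rogue resolver, one at the router.
SAMPLE_IPCONFIG = """\
   IPv4 Address. . . . . . . . . . . : 192.168.2.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.2.1
"""
```

Running classify(SAMPLE_IPCONFIG) reports the first resolver as rogue and the second as the gateway, which is exactly the case where you have to log into the router before you can call the machine clean.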

And for Mac users, you’ll want to check the instructions from the FBI’s website link.

If your computer is/was infected, you need to take steps to clean it. On the link that I provided above for detecting whether you’re infected, they have links to tools for cleaning your computer. After running these tool(s) and making sure your computer is clean, you most definitely want to change ALL of your passwords. This goes without saying for any malware that’s on your computer (not just this one).

Good luck, and I’ll see you on Monday (hopefully).

Have a great day:)
Patrick.

Some Lessons to be Learned from Stuxnet

There’s a lot of talk going around about the Stuxnet worm, who may have created it, how it spread, and why. The reality is that it boils down to “human nature”. It’s human nature to be curious, which is probably what started the infection in the first place. The main theory is that someone dropped an infected USB thumb drive in a place where their “target” would find it. Curiosity about what was on the drive prompted the “target” to infect their computers. And so on and so on.

It’s time to retrain human nature again. This could have been prevented if three simple rules had been in place (and followed).

  1. Do not insert thumb drives in any company computer unless you either a) pulled it out of the shrink-wrap yourself or b) know the person who pulled it out of the shrink-wrap.
  2. Do not insert thumb drives into your company computer that have been inserted into any NON-company computer (this includes your home computer).
  3. Do not insert anything into a SCADA or other “non-Internet” or “special networked” computer that is not directly authorized by your company.

Now I realize that it’s hard (if not impossible) to change human nature. And I realize that no Company Policy in the world will change human nature. Let me ask you this though: When is the last time that your company warned you about picking up USB Thumb Drives (or anything else like that) and putting them in company computers? Along that line, did they just say “Don’t do it” or did they tell you about the risks?

It’s time to rethink and retrain our human nature. After all regardless of who created Stuxnet, they counted on human nature to get the infection rolling. They had to get it inside of the target network, and most likely a USB Thumb Drive was the way to go. They didn’t even have to get it near their target, because they knew the person who initially found the drive would infect their computers (and consequently any thumb drives that they inserted into those computers). And that’s all it would take.

At the very least, if you can’t stop Human Nature, then mitigate it. Either figure out a way to run the thumb drive in a sandbox, or run it on an operating system (like Mac OS or Linux) that isn’t easily infected.

Also it should be noted that if the virus is implanted on the drive at the manufacturer’s level, then it won’t matter who unwrapped it from the packaging. But, that’s a very rare situation (only a handful of cases have been made public).

Have a great day:)
Patrick.

Why Industrial Process Controllers shouldn’t have any access to the Internet

A Silent Attack, But Not a Subtle One

This is another article about the Stuxnet worm. It’s becoming more apparent that the actual target was the Nuclear Program in Iran. However, the worm is spreading throughout the world affecting virtually any Siemens Industrial Controls.

This underlies a problem that plagues most manufacturing plants around the world: computers which are used to control processes that have access to the Internet. According to this article, it’s estimated that industrial plants have about 90 days before hackers start using the worm (and the vulnerabilities that it targets). The first 30 to 45 days should be spent isolating the process control systems from the Internet (and from any Internet capable computers).

This will require them to reconfigure routers and switches and the computers themselves. Sort of creating a network inside of the network. In theory, the easiest way to do this is to create a subnet (and Virtual LAN) that is specifically used for the Process. At the router levels, create ACL’s which deny any traffic between that subnet and the outside world. Then in the offices and control rooms, configure one set of computers to use that subnet, and another set for the regular plant’s networks. The only exception to the ACL would be a server which is used for VPN access into the network.
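To make the ACL idea concrete, here is an added example (my own code, not from the post or any vendor) that models the rule set as a router would evaluate it: first match wins, implicit deny at the end, the process subnet cut off from everything except the VPN server, and the plant LAN left alone. The addresses are assumed values, and the VPN server is assumed to sit inside the process subnet.

```python
import ipaddress

# Constructed addressing for the isolated process subnet (assumed values,
# not from the post).
PROCESS_NET = ipaddress.ip_network("10.10.0.0/24")  # process-control VLAN
PLANT_NET = ipaddress.ip_network("10.20.0.0/16")    # regular plant/office LAN
VPN_SERVER = ipaddress.ip_network("10.10.0.5/32")   # the one permitted exception
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered like a router ACL: the first matching rule wins, and anything that
# matches nothing is denied. Each entry is (action, source, destination).
RULES = [
    ("permit", ANY, VPN_SERVER),           # VPN clients may reach the VPN server
    ("permit", VPN_SERVER, ANY),           # and it may answer them (stateless model)
    ("permit", PROCESS_NET, PROCESS_NET),  # process hosts talk among themselves
    ("deny", PROCESS_NET, ANY),            # nothing else leaves the process subnet
    ("deny", ANY, PROCESS_NET),            # nothing else enters it
    ("permit", ANY, ANY),                  # the plant LAN keeps its normal access
]

def acl_decision(src, dst, rules=RULES):
    """Evaluate one (src, dst) pair the way a router walks its ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny when no rule matches

def check_isolation(rules=RULES):
    """Checks to run before deploying the ACL: a process host must not reach
    the outside world, while the plant LAN and the VPN path must still work.
    The outside address 198.51.100.7 is a documentation-range placeholder."""
    return {
        "process_to_internet": acl_decision("10.10.0.20", "198.51.100.7", rules),
        "plant_to_internet": acl_decision("10.20.1.7", "198.51.100.7", rules),
        "plant_to_process": acl_decision("10.20.1.7", "10.10.0.20", rules),
        "process_to_process": acl_decision("10.10.0.20", "10.10.0.30", rules),
        "remote_to_vpn": acl_decision("198.51.100.7", "10.10.0.5", rules),
    }
```

Reordering the rules (for example moving the final permit above the denies) makes check_isolation report the process subnet as reachable, which is the mistake a first-match ACL makes easy and the reason to test the rule set before it goes on the router.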

For access outside of the plant, engineers and other authorized persons would have a laptop that VPN’s into the subnet for the process OR the plant subnet–but not both at the same time. The security of this system can be maintained through a combination of means.

  • For instance, Microsoft created a networking system which refuses connections from devices that are not updated completely. This could be used to ensure that the laptop isn’t infected (or potentially infected).
  • Secondly, as of right now, the Unix/Linux Operating Systems are virus free. So, the worms which are infecting Windows computers (and then the Process Control Systems via the network) will be rendered useless. ***Note this is a double-edged sword***
  • Finally, company policies which prohibit the use of their laptops for personal business (read as surfing the Web, playing videos and music, etc) and prohibit the use of Thumb Drives or other non-company approved devices on the Process Systems, would go a long ways towards slowing this. Not only do the Policies need to be in place, but they need TEETH. If an employee signs a paper which specifically states that they are personally liable for any damages resulting from violations of the policy, they’re less likely to violate the policy.

I mentioned that the second means was a double-edged sword. This is because as of right now, there are virtually no viruses or malware aimed at the *nix Operating Systems (this includes Unix, Linux, Mac OS, and BSD variants). However if they are being used for Process Controls, you can bet that virus writers will start targeting those operating systems. So, the people in charge of securing them need to step up NOW to make sure that their tag-line of the “secure operating system” holds true.

Have a great day:)
Patrick.

A Few Words about Fake Antivirus and Fake AntiSpyware (aka Rogue AV and Rogue AntiSpyware) Programs

A few minutes ago, I was reading an article about how one of the Rogue Antivirus programs is offering “Live Technical Support” as a way to con-vince people that it’s a legitimate program (the dash is meant to emphasize the fact that they are conning the users).  At one point in the article they mentioned how the Rogue Antivirus programs are still making a dent, because people are getting pop-ups that say your computer is infected (so they download the “fix”).

It boils down to one simple mentality.  If you are NOT (I repeat NOT NOT NOT) on a site that is related to Internet Security, antivirus programs, antispyware programs, or firewalls, then it’s a scam.  If you ARE on one of those sites and the product is not sold/offered by the company who’s site you’re on (or endorsed in the text of the articles or company’s links), then it’s a scam. 

Legitimate companies are not going to resort to placing pop-ups on other websites to promote their product.  They don’t need to.  If they’re legitimate, then chances are you’ll hear about them from magazines, blogs, recommendations from other websites, or word of mouth.  If they’re new to the game, then they will submit their product to sites for review.  They will get the word out—without having to “CON”vince you that you need it.

In short, we need to all get the word out to the average users.  “IF you are not LOOKING for information on Antivirus, Internet Security, Antispyware, or Firewalls; and a pop-up or Instant Message suddenly appears offering you these things, DO NOT ACCEPT THE OFFER!!!!! IT IS A SCAM.”

Please help spread the word.  It’s our responsibility to help the people who aren’t familiar with these scams to avoid being victims of them.

Have a great day:)
Patrick.

Ransomware – Buy Back Your Own Files – F-Secure Weblog : News from the Lab

The people over at F-Secure have analyzed the latest in “Ransomware” (viruses which encrypt your data and charge you a “fee” to unlock it).  In the end, they came up with a pretty profound solution to this problem—ok, it’s not profound, it’s something you should be doing anyhow.

Their opinion is this.  If you are following a good backup strategy, and are infected with one of these worms, you have two choices: 1) pay the money (which is a bad idea) or 2) delete the file and restore it from a backup.

Online backup services like Carbonite, Mozy, iDrive, Dropbox, and Amazon S3 (to name a few) may cost you more than the "Ransom", but in the end knowing that your data is safe—be it virus, fire, flood, or 2012, it’s worth the money.

Have a great day:)
Patrick.

What Is A Rootkit?

If you’ve heard of the Sony/BMG fiasco with rootkits installed on some of their CD’s, or you’ve seen things like “Anti Rootkit” in your anti-virus program and are wondering what that is, this article explains the concept.

I discuss the history of rootkits, some popular ones, and what exactly it is.  Plus I touch on how to detect and remove them.

For a little more information on the removal of rootkits, please check out the link at the end of my article.  I’ve added it here as well.

Free Anti-Rootkit Applications for Windows.

Have a great day:)
Patrick.

Malicious software and why would you want it anyhow?

Regardless of the title of this, I’m mainly aiming this at the copies of Windows 7 RC that are being distributed via .torrent files.  Yes I know there have been “leaked” copies of Windows 7 out, but the Release Candidate is available from Microsoft now.  So, my question is what do you have to gain by downloading it via .torrent files?

Do you get an extended license key? I doubt that highly.  The keys that you get from the public download are good until June 2010 (at one report).  And the Release Candidate is going to be essentially the same thing as the RTM version (unless there are “show-stopper bugs” in it).  Since Microsoft is allowing you to use the keys for 13 months, they’ll update the release candidate along with the RTM versions that you’ll buy.

Do you get an advanced copy that “no one else has”?  Um…  NO. You may have gotten an advanced copy that people who are willing to wait for didn’t have.  But, unless you were the FIRST person to receive a copy of the file, you aren’t getting something that “no one else has”.  You’re getting something that your friends may not have.  But truthfully, if your friends weren’t already running the beta version, they probably don’t care.

Are you getting a hacked copy that will run on anything?  Well now, we’re getting closer to the mark here.  But sadly, no.  You’re getting the same copy that everyone else has (with a little more).  You aren’t getting something with the “Blue Badge” (which unlocked features in the pre-Beta 1 versions).

So, what are you gaining by downloading Windows 7 RC from a .torrent file?  You’re gaining a system that will be PwN3d from the moment that you hook it to the Internet.  See, one version of the .torrent file has two files in it.  One is a setup.exe file, and the other is a virus.  The setup.exe file has been “hacked” to automatically call (and install) the virus as part of the Windows 7 installation.

What does this mean?  It means that if you’re upgrading from your Vista or XP computer, then there’s a good chance that all of your passwords and other information are being given out.  And if you’re doing a clean install, then your passwords and other information are SLOWLY being given out (slowly because you’ll have to reenter them one at a time).

And you’re not “Sticking it to the man” either.  Why?  Because there’s a really good chance that whatever “key” you installed with is going to expire in June, 2010 along with everyone else’s.  Not counting that if you get caught seeding the file,  Microsoft can sue you for a lot of money.  And given the legal status with Copyrights, you could end up in jail.  It’s doubtful, but really now, is it worth the risk?  For something that you can get at Windows 7 anyhow…

Have a great day:)
Patrick.

First worms from MS08-067 are in the wild.

If you don’t remember what MS08-067 is, it’s the emergency “out of band” update that Microsoft released on October 23, 2008.  Not even two weeks later, the first worms that take advantage of this vulnerability are out in the wild.

Internet Storm Center is reporting that the first worm appeared this weekend.  F-Secure, Sophos Antivirus, and Microsoft Antivirus are able to detect this worm.  And if you are running Snort rules, it is able to detect the worm also.

According to Snort, the worm actually triggers two Microsoft Security bulletins.  It triggers the MS08-067 vulnerability that was just released, and it also triggers MS06-040 which was a vulnerability for Microsoft Windows 2000/XP/2003 that was released in August of 2006. 

This means that if you haven’t patched your computer for that vulnerability, then this worm can still get through to you.  The bright side of the coin is that if you are running Snort’s detection rules, you were protected from this first worm already.  But it’s time to update the rules, and it’s most definitely PAST time to update your computer with Windows Update (or Microsoft Update).

What you need to worry about more than anything is that as of today, only three antivirus programs are detecting this.  However if your antivirus updates today, there’s a slim chance that it will recognize the worm.  Watch the Internet Storm Center for more information as companies start releasing signatures for it. I’ll post updates as I receive them as well.

Also, if you want to see how your computer stands up to Microsoft’s security advice, I highly recommend their Microsoft Baseline Security Analyzer located here and downloaded from here.

Have a great day:)

Patrick.

SecuriTeam Blogs » Microsoft Windows RPC Vulnerability MS08-067 (CVE-2008-4250) FAQ – October 2008

SecuriTeam has a post up that clears up a lot of the questions about the emergency patch released on Thursday.  Why you should update, what active worms are exploiting this, and information about files that may be infected (or part of the exploit).

I urge you to check this site out for more pertinent information about this and other vulnerabilities.

Thanks to the Internet Storm Center for posting about this in their daily diary.

Have a great day:)

Patrick.