Newsletter Archives

  • US PCs march to the sound of a botnet drummer

    Microsoft’s latest Security Intelligence Report contains interesting information about malware worldwide. The cleaning reports for botnet infections are particularly enlightening.

    See my InfoWorld Tech Watch report.

  • Conficker: the Inside Story

    Jim Giles at New Scientist has just posted a fascinating look at the beginnings of the fight against the Conficker worm.

    Despite an unprecedented collaboration against them, Conficker’s accomplished creators have been able to bluff and dodge to gain control of machines inside homes, universities, government offices and the armed forces of at least three nations, establishing a powerful and lucrative network of “zombie” computers.

    Good read. Accurate, too.

  • MS-DEFCON 4: Get patched, but avoid these stinkers

    With ten patches on the way next Tuesday, and many of the problems with older patches fixed, it’s time to get patched up. Unfortunately, there’s a long list of problematic patches that you should studiously avoid.

    Here are the ones I suggest you pass by:

    Windows Vista Service Pack 2/KB 948645 is causing problems. Dennis O’Reilly talks about some of them in the latest Windows Secrets Newsletter. There’s no pressing need to install Vista SP2, and the PC you toast may be your own. Hold off for now. If you really want to install SP2 and it isn’t offered by Automatic Update, check out KB 948343 for a list of potential problems. Worth noting: that KB article is up to version 14.0. And you trust this stuff?

    Office 2007 Service Pack 2 / KB 953195 has a few problems – just look at the “Known Issues” list at the end of the KB article. Again, there isn’t enough new stuff to justify putting your computer at risk. Patience.

    KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. The Knowledge Base article is up to version 5.0. This is the one that includes the drive-by installation of a difficult-to-remove add-on for Firefox. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

    KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

    KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

    I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

    I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.

    Sorry to leave you with such a patchwork quilt of good and problematic patches, but I think you’d be well advised to apply all outstanding patches except the ones listed above.

  • Microsoft will disable AutoRun and change AutoPlay

    Remember all the angst over Windows AutoPlay and AutoRun? (For a detailed discussion of the differences between AutoPlay and AutoRun, start with this Wikipedia article.) AutoPlay was a major infection vector for Conficker. It’s always been a huge security hole in Windows.

    Microsoft just announced that it’s disabling AutoRun in Windows 7, and changing the way AutoPlay works. The details are a bit hard to follow – the terminology is more than a bit obfuscating – but here’s what’s happening:

    As I explained in my Windows Secrets column in January, it’s very easy to create a file called autorun.inf that can confuse the living daylights out of people. If you stick this custom-made autorun.inf on a USB drive or burn it on a CD, the commands in that file will cause Windows to display a (potentially infective) program on the AutoPlay menu, the menu that appears every time you insert a USB drive or CD into your computer (see screen shot).

    [Screen shot: AutoPlay tricked out by an autorun.inf file]

    In fact, autorun.inf controls what appears on the AutoPlay list if you stick it on any kind of removable media – USB drive, CD, DVD, SD card (so a card from your camera could infect other computers), and so on.

    Microsoft is changing Windows so it behaves in two different ways, depending on whether the autorun.inf file is stuck on (1) a CD/DVD, or (2) any other kind of media, notably a USB drive or SD card.

    In the future, when Windows finds an autorun.inf file on a USB drive or SD card, it ignores the file. Nothing happens. You can create the most diabolically clever autorun in the history of mass infections, put it on a USB drive, and if someone sticks the drive in a properly patched Windows machine, it won’t do squat. AutoPlay doesn’t list anything from the autorun.inf, and nothing runs automatically.

    In the future, when Windows finds an autorun.inf file on a CD or DVD, it shows the contents of the autorun.inf in the AutoPlay window, but the new, revised AutoPlay window warns you that the entry associated with autorun.inf is from the CD, not from Microsoft. The AutoPlay warning says “Install or run program from your media.”

    And no matter where the autorun.inf file comes from, it can’t launch its own program. You have to do the clicking – point the gun at your own foot and pull the trigger.

    The recently leaked Windows 7 Release Candidate, which should be widely available next week, already has those changes to AutoRun and AutoPlay. In addition, says Microsoft, “we are planning to release an update in the future for Windows Vista and Windows XP that will implement this new behavior.”

    It’s about time.

    Oh. There’s one little caveat. For those of you who suffer with U3 – the technology built into some USB drives that makes part of the drive look like a CD drive – Microsoft hasn’t figured out how to treat the whole USB drive like a USB drive. Instead, the CD part will be subject to the same handling as a CD. Quoth the Softies, “It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see Wikipedia for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level.”
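    To make the two-way handling above concrete, here is a small Python model (written for this page, not Microsoft’s code) that parses an autorun.inf and reports what the revised AutoPlay does with it for each kind of media, including the U3 case where a flash drive enumerates as a CD. The sample autorun.inf and the media labels are constructed for the example.

```python
"""Model of the revised Windows AutoPlay handling of autorun.inf.

Constructed example (not Microsoft's code). Per the post:
 - USB drive / SD card: the autorun.inf is ignored entirely.
 - CD / DVD, including the CD-emulating part of a U3 stick (the device
   type is fixed at the hardware level): the entry is listed in AutoPlay
   behind the "Install or run program from your media" warning.
 - In no case is the program launched without a user click.
"""
import configparser
from dataclasses import dataclass

# Constructed sample autorun.inf, as a vendor might ship on a driver CD.
SAMPLE_AUTORUN_INF = """
[autorun]
open=setup.exe
icon=setup.exe,0
label=Driver CD
action=Install printer drivers
"""

# Media kinds as the device enumerates them (assumed labels).
OPTICAL = {"cd", "dvd", "u3_cd_partition"}
NON_OPTICAL = {"usb", "sd"}


@dataclass
class AutoPlayDecision:
    media: str
    listed_in_autoplay: bool
    warning: str = ""
    command: str = ""            # what a user click would launch
    auto_launched: bool = False  # always False after the change


def parse_autorun_inf(text: str) -> dict:
    """Return the [autorun] section (any case) as a lower-cased-key dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "autorun":
            return dict(cp[name])
    return {}


def autoplay_decision(inf_text: str, media: str) -> AutoPlayDecision:
    """Apply the revised AutoRun policy to an autorun.inf found on `media`."""
    media = media.lower()
    if media in NON_OPTICAL:          # USB/SD: file ignored, nothing listed
        return AutoPlayDecision(media=media, listed_in_autoplay=False)
    if media not in OPTICAL:
        raise ValueError(f"unknown media kind: {media}")
    entries = parse_autorun_inf(inf_text)
    command = entries.get("shellexecute") or entries.get("open", "")
    if not command:                   # nothing to offer, nothing listed
        return AutoPlayDecision(media=media, listed_in_autoplay=False)
    return AutoPlayDecision(media=media, listed_in_autoplay=True,
                            warning="Install or run program from your media",
                            command=command)
```

    Note that `auto_launched` is never set: under the new behaviour the user must click the listed entry before anything runs.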

  • Conficker back in the news – but the sky isn’t falling

    I keep getting questions about Conficker and its supposed April 1 “doomsday” update. I’ve talked about that many times before. The simple fact is that April 1 came and went without incident. The press had a field day. The antivirus companies made a lot of money. I warned you – and about a zillion researchers warned you – that the April 1 date wouldn’t bring any devastating problems. It didn’t. Tell me if you’ve heard that story before?

    The people who control Conficker are very smart, and they aren’t going to do anything to raise too many hackles or too many alarms. But they’re going to keep quietly using Conficker to make money.

    Bet on it.

    The press is now agaga (can I Google “agaga”?) over Conficker. Again. MSNBC – which, being a division of Microsoft, should know better – posted a sensationalistic piece about an hour ago. The Associated Press has a much more accurate (and refreshingly brief) take on the new developments. Except, uh, what the AP says isn’t new at all.

    The bottom line hasn’t changed one iota: if you or your Great Aunt Martha is running Windows XP, take a look at the Conficker Eye Chart. If you’re infected, you’ll see in a second. If you aren’t infected, read up on the known problems with patching, then get patched up and get on with your life. Do it now, before Microsoft releases another bunch of patches.

    One interesting side-note: AP now quotes a Cisco rep as saying “up to 12,000,000 personal computers” are infected with Conficker. Fecund little guy. But I’d take the number with two grains of salt.

  • Conficker lurking in updates?

    JB writes:

    Dear Woody,

    Is it good to take Adobe Flash player updates? And is AVG 8.5 Free better than AVG 8.0 Free? How do we know these updates aren’t polluted with Conficker?

    Yep, it’s always best to install Flash Player updates, Adobe Reader updates, Java updates, and the like, when they’re offered. Why? If they’re screwed up they generally won’t bring your computer to a grinding halt, and the manufacturer typically gets new updates out quickly. I won’t mention QuickTime by name.

    If you use AVG 8.0, you should upgrade to AVG 8.5.

    I can’t imagine any way Conficker could get into any of those updates.

  • Conficker waking up?

    A bunch of coincidences.

    At this moment, the Conficker Working Group web site is down.

    There are stories popping up all over that Conficker is starting to update – to morph – using P2P technology, not the 50,000 web sites originally thought to be the most likely source.

    If you want to follow along, avoid the sensational stuff being published and keep an eye on the definitive story with the SANS Internet Storm Center.

    By the way, if you’re Googling to find info about removing Conficker, don’t believe everything you see, OK? Ryan Naraine at ZDNet reports that many of the Conficker-related web domain names have been taken over by cretins selling “scareware” antivirus programs.

    UPDATE: Looks like everything is back to normal with the Working Group site. SANS hasn’t raised any red flags. There’s even some doubt as to the nature of the P2P update. Conficker remains a huge threat – reasonable estimates of the number of infected Windows XP machines range from 1 million to 15 million – and everybody should check their machines for infection. But at this point the sky isn’t falling.

  • MS-DEFCON 4: Apply all outstanding patches except 951847 and 960715, and watch out for other problems

    It’s time to get patched up.

    Last month’s crop of Black Tuesday patches turned out pretty good. One of them, KB 959772, is a CYA patch that lets people play music they’ve already bought from Microsoft. None of the three seems to be causing undue heartache.

    I still recommend that you HOLD OFF on these patches:

    KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in.

    KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

    KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

    I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

    I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.

    That brings us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

    To get patched up, click Start, All Programs. Near the top of the list you see either Windows Update or Microsoft Update. Click on that and tell Windows Update that you want to perform a “Custom” update. Be prepared to spend ten to fifteen minutes – longer, if you haven’t patched in a while. When you’re done, make sure you have Automatic Updates set to “Notify but don’t download or install” by clicking Start, Control Panel, Security Center.

    My general admonition about applying hardware driver patches still applies: Ain’t broke, don’t fix. That is, unless you have a very specific reason for installing a new driver, don’t do it.