My Online Security

KISS My Firewall is an excellent firewall script for iptables. Unfortunately, it does not work out of the box on later versions of Fedora Core. Trying to run it, you’ll get the following error message:


Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!


The reason for the message is that the files ip_tables.ko, ipt_state.ko and ipt_multiport.ko do not exist on Fedora, even if iptables is installed and working. The fix is simple. Go to line 140 in your kiss script file and comment out the following lines by adding a # hash character in front of them:


if [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.$EXTN" ] || [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.$EXTN" ] || [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.$EXTN" ]; then
echo "Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!"
exit 1
fi


After commenting these lines out the KISS script should run fine.

Today, the following email landed in our support mailbox:

Honourable trojan hunter. programs during the scan clearly shows that the magnifying glass does not reach the corners of pages. it is possible that computer viruses will remain in parts of the files?

The email had the following image attached:

It seems the user is concerned that files are not getting thoroughly scanned since the magnifying glass in the scan animation doesn’t completely sweep each file icon. Either that or he’s pulling our leg

If your system is infected with the fake antispyware application ThinkPoint you may find yourself greeted with the following screen when restarting your computer:

This is a full-screen window with the lie “ThinkPoint – World’s leading security solution” prominently displayed. Only one button is enabled, and it is labeled “Safe Startup”. Click that, and ThinkPoint will do a dog and pony show that presents your system as infected by various pieces of malware, the solution to which, it claims is to purchase the full version of ThinkPoint. All of this is a lie, of course.

So how does ThinkPoint hijack you computer’s startup screen? It does this by changing the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Windows NT\Shell to point to hotfix.exe (or whatever filename it is programmed to use). Some versions also modify HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Windows NT\Shell in the same way.

The good news is that you can bypass ThinkPoint to gain access to your computer. Simply press Ctrl+Alt+Del and look for a process named hotfix.exe. Right-click on that and select Terminate Process. The ThinkPoint screen should go away. At this point, all you will see is a blank screen, but we will fix that. Go to to File -> New Task in Windows Task Manager and type explorer.exe. Click OK and Explorer should start, giving you access to your computer again. Now is the time to run an antimalware application, such as TrojanHunter to remove all traces of ThinkPoint for good.

We received a new sample in the lab today of a file that claims to be from “Adobe Systems Incorporated” according to the version information and bills itself as “Adobe Updater”. When executed, it became clear that this file is malware.

The interesting part is that the file has a digital signature apparently from Adobe Systems Inc. Take a look at this screenshot:

The screenshot is what you see if you right-click on the file and select the Digital Signatures tab on the Properties page. Most users wouldn’t even do this, but if you do it appears that the file is in fact digitally signed by Adobe. Now take a look what happens when you click the Details button:

You can now see that the digital signature is not valid. But take a look at the “Countersignatures” pane in the bottom half of the window. It appears that the file is counter-signed by VeriSign Time Stamping Services. This is an additional level of deception employed by the malware creator, and is something that could potentially fool even experienced users into thinking that the file has been signed with VeriSign as a counter signer.

When executed, the malware copies itself to the Startup folder and then connects to the Internet. It is a trojan clicker intended to make money for its creator. As of 2010-11-10 the only other program to detect it other than TrojanHunter is Dr Web. TrojanHunter detects this malware as FakeAdobe.100.

Our new product SSH Edit is coming along nicely. The latest beta release includes a number of fixes to make it even more useful, including colored filenames in the directory list box.

http://www.misec.net/products/SSHEditSetup.exe
http://www.misec.net/sshedit/

A new version of MBR Backup has been released. This new version allows you to restore saved backups in the event that your MBR becomes corrupted. (This will need to be done by connecting the drive to another computer.)

Another handy feature is the ability to view the partition which is table contained in the MBR. This new version will also show the MBR on any drive connected to the computer.

Download:
http://www.misec.net/products/MBRBackup.exe

Ran across a piece of malware today (known as Ixu.100 to TrojanHunter) that drops itself as C:\lsass.exe. One side effect of this, and undoubtedly one of the reasons for chosing the lsass.exe name, is that naming the trojan file this way makes it unkillable in Windows Task Manager. Here is what you see when you try to kill the trojan process in Task Manager:

Imagine you’re trying to manually clean a trojan from a system and you run into this dialog box when trying to terminate its process. Scary, right? You’d probably assume that you’ve run into a rootkit that is hooking the process termination functions to prevent itself being killed. The truth is however not quite so nefarious. You see, Task Manager contains a few hardcoded process names that it will refuse to terminate. This is meant to stop users from terminating critical system processes. The list of processes that Task Manager will refuse to kill is the following:

• lsass.exe
• csrss.exe
• smss.exe

You can try this yourself. Simply make a copy of notepad (located at C:\Windows\notepad.exe) and rename it smss.exe. Then start it and try to kill it using Task Manager. You will get the dialog box displayed above.

The problem with this, of course, is that Task Manager does not check the full path of the executable. So instead of only preventing processes whose image path is C:\Windows\system32\csrss.exe from being killed, it will refuse to kill any file named csrss.exe.

The solution is to use an alternate process viewer tool to kill the process. The Process Viewer included in TrojanHunter will do this, or you can use the excellent Process Explorer from Microsoft to do the job.

The first beta version of TrojanHunter 5.3 has been released:

http://www.misec.net/beta/TrojanHunterSetup530B1.exe

Please report any problems in the following forum thread: http://www.misec.net/forum/board/PublicBeta/1267141969 or via email to support@misec.net

New in this version of TrojanHunter:

• Improved bug reporting
• Fixed a problem where the presence of NTFS alternate data streams attached to directories was
  not being reported

• Improved deletion of alternate data streams (now correctly removes directories and is also
  able to delete specific alternate data streams as opposed to all alternate data streams associated
  with a file)

• THCL: Now states “No trojans found” or “%d trojans found” in scan report
• THCL: Copyright year updated