Flash Cookies and How to Get Rid of Them

Written by Matthew on January 18, 2010 – 8:30 pm -

So you’re using Firefox and have cleared out your browsing history and cookies. Now no one can see where you’ve been on the web, right? Wrong.

A little known fact is that Flash movies and applications can store their own “Flash cookies” (Local Shared Objects, or LSOs), which are entirely separate from normal cookies. The browser’s own history and cookie controls neither show nor delete them, and because they survive a normal clear-out they can be used to see which sites you’ve visited even after you’ve deleted all your history and normal cookies.

Some sites even use Flash cookies as a “backup” for normal cookies, a practice known as cookie respawning. What this means is that these sites are able to restore your regular cookies even after you’ve deleted them. The site simply reads your Flash cookies, notices that your regular cookie has been deleted and then proceeds to reinstate the normal cookie using the data stored in the Flash cookie.

So how can you delete Flash cookies? On Windows XP they are normally stored in C:\Documents and Settings\[Username]\Application Data\Macromedia\Flash Player\#SharedObjects\[Random Name]. This directory will contain sub-directories, one for each site which uses a Flash cookie, named after the site. The cookie data is stored in files with a .sol extension. You can manually delete the directories for the sites which you don’t want to keep Flash cookies for.

Another option is to go to the Flash Player Settings page at Adobe. This will start a small Flash application that allows you to delete Flash cookies. There is however a big problem with this method, and that is that it only deletes the .sol file that contains the actual data; the directory which carries the name of the site you’ve visited is retained. This means that anyone can still see which sites you’ve visited even if the actual data is gone.

The best way to remove this data is thus to manually delete the directories as outlined above. Note that on Windows Vista and Windows 7 C:\Documents and Settings is just a pointer (junction) to C:\Users, and C:\Users\[Username]\Application Data is in turn a junction to C:\Users\[Username]\AppData\Roaming. These junctions exist only so that old programs with hard-coded paths keep working; listing them in Explorer is denied by design, so an “access denied” there is not a permissions problem you need to fix. Go straight to the real location instead: C:\Users\[Username]\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\[Random Name]. On every Windows version the environment variable %APPDATA% already points at the right profile folder, so typing %APPDATA%\Macromedia\Flash Player\#SharedObjects into the Explorer address bar gets you there without knowing the version-specific path.

Taking ownership of the junction with a “Take Ownership” .reg tweak (a common suggestion) does let you into C:\Users\[Username]\Application Data, but it is unnecessary and it changes permissions that Windows set deliberately; use the AppData\Roaming path, and you can view and delete the Flash cookie directories without touching any permissions.
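The procedure above, as an added PowerShell example that is not part of the original post: it inventories the per-site directories and, only when asked, removes whole directories rather than just the .sol files, so the site names go with the data. It assumes the default Flash Player storage layout under %APPDATA%; the second location it checks (the per-site settings directory under macromedia.com\support\flashplayer\sys) is not mentioned in the post but is named after sites in exactly the same way.

```powershell
# Added example, not from the original post: inventory and remove Flash Local
# Shared Objects per site. Assumes the default Flash Player storage layout under
# %APPDATA% on Windows. Without -Delete it only reports; -Keep whitelists sites.
param(
    [string[]]$Keep = @(),   # site directory names to leave alone, e.g. 'www.example.com'
    [switch]$Delete          # actually remove the directories
)

$flashRoot = Join-Path $env:APPDATA 'Macromedia\Flash Player'
$siteDirs  = @()

# Location 1: #SharedObjects\<random>\<site>\ holds the LSO data (.sol files).
$sharedObjects = Join-Path $flashRoot '#SharedObjects'
if (Test-Path -LiteralPath $sharedObjects) {
    foreach ($random in @(Get-ChildItem -LiteralPath $sharedObjects | Where-Object { $_.PSIsContainer })) {
        $siteDirs += @(Get-ChildItem -LiteralPath $random.FullName | Where-Object { $_.PSIsContainer })
    }
}

# Location 2: macromedia.com\support\flashplayer\sys\#<site>\settings.sol holds
# per-site player settings. The post does not mention it, but the directory
# names there record visited sites just the same (assumed layout).
$sysDir = Join-Path $flashRoot 'macromedia.com\support\flashplayer\sys'
if (Test-Path -LiteralPath $sysDir) {
    $siteDirs += @(Get-ChildItem -LiteralPath $sysDir | Where-Object { $_.PSIsContainer -and $_.Name -like '#*' })
}

foreach ($dir in $siteDirs) {
    $site = $dir.Name.TrimStart('#')
    if ($Keep -contains $site) { continue }

    $solCount = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.sol' }).Count

    # A site directory with zero .sol files is what Adobe's Settings Manager leaves
    # behind: the data is gone but the site name is still on disk.
    $note = if ($solCount -eq 0) { '  (empty: site name only)' } else { '' }
    '{0,-50} {1,3} .sol file(s){2}' -f $site, $solCount, $note

    if ($Delete) {
        Remove-Item -LiteralPath $dir.FullName -Recurse -Force
    }
}
```

Run it once without -Delete to see the list (the “empty” entries are exactly the residue the Adobe settings page leaves), then with -Delete, and with -Keep for any site whose Flash state you want to preserve. -LiteralPath is used throughout because the # in the folder names must not be treated as a pattern.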


Posted in General Security | No Comments »

New Project in the Works

Written by Matthew on January 7, 2010 – 10:00 am -

Currently working on a new application that takes advantage of information “in the cloud” from a large number of users to identify malware. Can’t say too much at this point as the program is still in the development stage, but as soon as a testable version of it is ready I will post more information on this blog. Stay tuned for screenshots and more.


Posted in General Security | No Comments »

TrojanHunter 5.2 Released

Written by Matthew on August 27, 2009 – 10:00 pm -

TrojanHunter 5.2 has been released!

Download: http://www.misec.net/products/TrojanHunterSetup.exe

________________________________________________
TrojanHunter 5.2 Build 987 (Released 2009-08-27)

* Added detection of hidden Internet Explorer processes launched via COM automation
* Added trojan mutex detection
* Added bug reporting option if TrojanHunter crashes
* Added detection of suspicious svchost processes
* Added “This is a list of all the trojans TrojanHunter currently detects” label to Trojans page
* The Exit button is back
* Fixed bug with TrojanHunter Guard appearing at desktop center when using two monitors


Posted in General Security | No Comments »

Fake Adobe Flash Player Monitors Your Google Searches

Written by Matthew on August 25, 2009 – 5:30 pm -

We found a new one today that’s pretty interesting.

Detected by TrojanHunter as TrojanClicker.VB.395, this piece of malware purports to be an updater for your Adobe Flash installation. When run, it goes through the motions of updating the Flash player, and most users will think nothing of it. The installer for this seems to be spread via forum posts that use JavaScript to link to the malware.

Update: This is what the malicious pop-up looks like:

[Screenshot: the malicious pop-up (ExploitPopup)]

Cheekily, the malware asks you to shut down Firefox if it’s running during the installation. The reason for this is that it installs a Firefox plugin. Upon restarting Firefox after the malware is installed you will see this:

[Screenshot: the fake Firefox extension as listed in the Add-ons window]

This shows that a new Firefox extension has been installed. And it does look pretty legitimate, doesn’t it? The GUID for the extension is 191d3f14-ff4c-4895-bdea-db54526cb49a, and the extension’s name and version number are “Adobe Flash Player 0.2”.

So what does this extension do? It, in conjunction with a trojan executable named smc.exe, monitors all your Google searches and sends them off to the server msjupdate.com where the keywords you search for will be stored in a database. The Firefox extension will inject ads into the web pages you view based on the keywords, but the bigger threat to privacy is of course that anything you search for will be recorded at a malicious server. Many users will Google their own name from time to time, which makes it possible to identify individual users along with their search queries.

So how do you know if you have this trojan on your system? Any of these signs indicate that you’re infected:

  • A running process named smc.exe (Edit: Sygate Personal Firewall also uses this process name, so on its own this is not a reliable indicator of infection; check the image path and signature of the executable)
  • A Firefox extension named “Adobe Flash Player 0.2”
  • Having recently installed a file called install_flash_player.exe or Install_Flash.exe from an unknown source

Of course, TrojanHunter detects this as well so you can use it to check for and clean out any infection.

Update: Further research has shown that this malware also monitors all URLs you visit in Internet Explorer and submits them to the malware creator’s server. So this is worse than we initially thought. If you have this on your system then you basically have no privacy left.
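A way to check a machine for the three indicators listed above, as an added PowerShell example that is not TrojanHunter code and not from the original post. The extension GUID, the process name and the dropper file names come from the post; the Firefox 3.x profile layout it looks in (extensions\<id> as a folder or an <id>.xpi file under %APPDATA%\Mozilla\Firefox\Profiles), the braces around the GUID in that directory name, and the download folders it searches are assumptions.

```powershell
# Added example, not from the original post: look for the indicators of
# TrojanClicker.VB.395 described in the post. Firefox profile layout, the
# braced GUID directory name and the download folders are assumptions.
$extensionId = '{191d3f14-ff4c-4895-bdea-db54526cb49a}'
$findings    = @()

# Indicator 1: a running smc.exe. Sygate's firewall uses the same name, so record
# the image path and its Authenticode signature rather than alerting on the name.
foreach ($proc in @(Get-Process -Name smc -ErrorAction SilentlyContinue)) {
    if (-not $proc.Path) {
        $findings += ('smc.exe running (PID {0}), image path not readable' -f $proc.Id)
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $proc.Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $findings += ('smc.exe running: {0}  signature={1}  signer={2}' -f $proc.Path, $sig.Status, $signer)
}

# Indicator 2: the "Adobe Flash Player 0.2" extension, located by its GUID in
# every Firefox profile (as a directory or as a packed .xpi).
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path -LiteralPath $profiles) {
    foreach ($profile in @(Get-ChildItem -LiteralPath $profiles | Where-Object { $_.PSIsContainer })) {
        foreach ($name in @($extensionId, ($extensionId + '.xpi'))) {
            $candidate = Join-Path (Join-Path $profile.FullName 'extensions') $name
            if (Test-Path -LiteralPath $candidate) { $findings += "Fake Flash extension present: $candidate" }
        }
    }
}

# Indicator 3: the dropper file names from the post in the usual download folders.
foreach ($folder in @((Join-Path $env:USERPROFILE 'Downloads'), (Join-Path $env:USERPROFILE 'Desktop'))) {
    foreach ($name in @('install_flash_player.exe', 'Install_Flash.exe')) {
        $candidate = Join-Path $folder $name
        if (Test-Path -LiteralPath $candidate) { $findings += "Dropper present: $candidate" }
    }
}

if ($findings.Count -eq 0) { 'No indicators of TrojanClicker.VB.395 found.' } else { $findings }
```

The smc.exe check deliberately reports path and signer instead of a yes/no, because that is what separates the Sygate false positive from the trojan; an unsigned smc.exe outside a firewall product’s install directory is the case worth looking at.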


Posted in General Security | No Comments »

TrojanHunter 5.2 Coming Soon

Written by Matthew on August 18, 2009 – 12:30 am -

Just a heads-up to let you know that TrojanHunter 5.2 will go into beta soon with a final version release hopefully before the end of August. Just to give you a taste of what’s changed, here’s an excerpt from WhatsNew.txt:

________________________________________________
TrojanHunter 5.2 Build 9xx (Released 2009-)

* Added detection of hidden Internet Explorer processes launched via COM automation
* Added trojan mutex detection
* Added bug reporting option if TrojanHunter crashes
* Added detection of suspicious svchost processes


Posted in General Security | No Comments »

“Image File Execution Options” is an Evil Registry Key

Written by Matthew on August 14, 2009 – 6:00 pm -

Came across a variant of Antivirus XP today that uses a particularly nasty way to ensure reinfection. It adds new subkeys to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. The subkeys are the names of common programs such as notepad.exe or zonealarm.exe. It then adds a Debugger value under each one, like so:

  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\zonealarm.exe\Debugger = "svchost.exe"

This means that every time you try to launch zonealarm.exe, Windows runs svchost.exe instead, with the original command line appended as its argument, and in this case that svchost.exe is a trojan executable rather than the system one.

Thinking of adding TrojanHunter detection for any Image File Execution Options sub-key that has a Debugger value. It’s not that common on user systems, although it does have legitimate uses (a developer attaching a real debugger, or Process Explorer’s “Replace Task Manager” option, which works the same way), so such a detection should show the Debugger value and let the user decide rather than remove it blindly.
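The check described above, as an added PowerShell example; it is not TrojanHunter code and not from the original post. It lists every Image File Execution Options sub-key that carries a Debugger value, reading both the native and the Wow6432Node view of the key so 32-bit entries on 64-bit Windows are not missed, and flags the shape this variant uses: a bare file name, or anything pointing at svchost.exe. The heuristic is an assumption of mine, not a rule the post states.

```powershell
# Added example, not TrojanHunter code: enumerate Image File Execution Options
# entries that carry a Debugger value and flag the ones shaped like this malware's.
function Get-IfeoDebuggers {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in @(Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or -not $props.Debugger) { continue }
            $debugger = [string]$props.Debugger

            # Heuristic (assumption): legitimate registrations normally give a full
            # path to the debugger. A bare file name, or anything naming svchost.exe,
            # is the pattern the Antivirus XP variant uses.
            $suspicious = ($debugger -notmatch '^"?[A-Za-z]:\\') -or ($debugger -match '(?i)svchost\.exe')

            New-Object PSObject -Property @{
                Image      = $key.PSChildName   # the program being hijacked, e.g. zonealarm.exe
                Debugger   = $debugger          # what actually runs in its place
                Suspicious = $suspicious
                Key        = $key.Name
            }
        }
    }
}

Get-IfeoDebuggers | Sort-Object Suspicious -Descending | Format-Table Image, Debugger, Suspicious -AutoSize
```

Anything flagged Suspicious should be inspected, not deleted on sight: removing a legitimate entry (for example Process Explorer’s taskmgr.exe redirection) merely restores the default, but the point of listing the value is to see where the redirected program actually lives before cleaning it up.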


Posted in General Security | No Comments »

Hidden IExplore.exe Detection

Written by Matthew on August 12, 2009 – 1:00 pm -

Currently working on the next TrojanHunter version. It will feature detection of hidden Internet Explorer instances. Malware will often launch hidden IE instances via COM automation (the InternetExplorer.Application object with its window kept invisible) to download files or to reload pages with ads and make a commission on the traffic.
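An added PowerShell example, not TrojanHunter code and not from the original post, that first reproduces the technique with a harmless page and then finds such instances. The detection relies on the fact that .NET’s Process.MainWindowHandle only reports a visible top-level window, so a hidden, COM-driven iexplore.exe shows handle 0. Two caveats a practitioner should know, both from my own observation rather than the post: IE8’s per-tab processes also have no top-level window of their own, so the function reports how many visible IE frame processes exist so you can tell “IE is open and this is a tab process” from “no IE window exists at all”; and the parent of a COM-activated instance is normally the svchost.exe hosting the DCOM launcher, not the malware, so parent lineage alone will not tell you who started it.

```powershell
# Added example, not TrojanHunter code. Part 1 does what the malware does, with
# a harmless page, so there is something to find; part 2 is the detection logic.

# --- Part 1: COM automation of InternetExplorer.Application with no visible window
$ie = New-Object -ComObject 'InternetExplorer.Application'
$ie.Visible = $false            # the user never sees a window
$ie.Navigate('about:blank')     # malware would load an ad page or a download URL here

# --- Part 2: iexplore.exe processes without a visible top-level window.
# MainWindowHandle is 0 for a process whose windows are all hidden (or, on IE8,
# for a tab process that has no top-level window of its own; see VisibleIEFrames).
function Get-HiddenIE {
    $all     = @(Get-Process -Name iexplore -ErrorAction SilentlyContinue)
    $visible = @($all | Where-Object { $_.MainWindowHandle -ne 0 })
    foreach ($proc in @($all | Where-Object { $_.MainWindowHandle -eq 0 })) {
        $wmi = Get-WmiObject -Class Win32_Process -Filter ('ProcessId = ' + $proc.Id)
        New-Object PSObject -Property @{
            Pid             = $proc.Id
            ParentPid       = $wmi.ParentProcessId   # usually the DCOM launcher's svchost, not the caller
            CommandLine     = $wmi.CommandLine
            VisibleIEFrames = $visible.Count         # 0 means no IE window exists at all
        }
    }
}

Get-HiddenIE | Format-Table Pid, ParentPid, VisibleIEFrames, CommandLine -AutoSize

$ie.Quit()   # clean up the instance created in part 1
```

A hidden iexplore.exe while VisibleIEFrames is 0 is the clear case; with IE8 and a visible frame present, the command line (tab processes are started with IE’s own switches) is the next thing to look at.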


Posted in General Security | No Comments »

WordPress Password Reset Vulnerability

Written by Matthew on August 11, 2009 – 10:30 am -

A vulnerability affects WordPress installations with a version number of 2.8.3 and below; it is fixed in 2.8.4.

When you want to reset your admin password (because you have forgotten it), you get sent a link by WordPress that looks like the following: http://yoursite.com/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsiu

The key argument is there to ensure that only the person who received the email can reset the password. The exploit consists of sending a request in which the parameter is written as key[]= instead of key=. PHP parses a parameter written with [] as an array rather than a string, and the reset code only checked that the key was not empty, so the array slipped past the check and WordPress went on to reset the admin password and email the new one to the admin’s registered address. The attacker therefore does not learn the new password, but the admin is locked out until they read that mail. WordPress 2.8.4 fixes this by rejecting a key that is an array.

Technical details on the exploit are available over at seclists.org


Posted in General Security | No Comments »

Interesting Research Video from Symantec

Written by Matthew on April 23, 2009 – 6:00 am -


Posted in General Security | No Comments »

BitDefender Now Also Hacked

Written by Matthew on February 9, 2009 – 8:00 am -

In a post on the same blog that revealed the Kaspersky SQL injection vulnerability, it is now revealed that the BitDefender site suffers from the same vulnerability. The post shows a successful SQL injection exploit against the BitDefender site, complete with screenshots of customer names, email addresses, postal addresses and phone numbers.

http://hackersblog.org/2009/02/09/hackedbitdefender-portugal-exposes-sensitive-customer-data/



Posted in General Security | No Comments »