MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Friday, 25 July 2008

FREE Anti-Virus Software...

I thought it was about time for me to cover this again, due to the current world-wide credit crunch and soaring fuel, power and food costs. This means many people are looking for ways to cut costs, including the cost of protecting their computers. FREE isn't a bad word, but the bad guys and girls have started to make it feel like it ought to be. The phrase Caveat Emptor [Let The Buyer Beware] seems more pertinent than ever.

What do I mean by "the bad guys and girls have started to make it feel like it ought to be"? Let me explain:

Look at these for examples of the rather naughty ways that the bad guys and girls are trying to get you to download and use their anti-virus:

First they try scare tactics:



Then they try a little more direct approach:



If you are foolish enough to go to the sites, then this is what you'd currently see:



Looks very professional, doesn't it? Hard to believe that this is a bad site! Want proof? OK, here it is:



That is the very same site [URL] but visited using Firefox 3.x instead.

But that isn't all: this site is also being promoted by a botnet called Asprox. This botnet searches for websites that use an SQL database and then tries to run exploit code against them; if successful, it overwrites all URLs in the database with a single link. If this now 'bogus' link is clicked on a website that uses the SQL-injected database for its content, it starts a chain reaction which often ends up either on the site shown above, or infects vulnerable systems using exploit code that was run as part of the chain reaction. This may include infecting your system and making it part of the Asprox botnet.

But there's more.....

Here's a screenshot of another e-mail I received recently:



The link, if foolishly clicked on, takes you here:



Does it look familiar?

Here's a screenshot of the source of the above page:



Notice how it uses the REFRESH function to pop up a download of the executable they offer; no, it isn't anti-virus software, it is actually malware!

So, who can you trust if you want FREE anti-virus software?

These are the FREE ones I'd personally recommend:


Please be aware that there are a number of 'bogus' anti-spyware tools out there too and probably even 'bogus' personal firewalls.

You can find all the links mentioned above, and other useful tools, etc. here.

At the end of the day, to help keep your system free of net nasties and their kin, you need to ensure that you have a personal firewall, up-to-date anti-virus installed, anti-spyware tool(s) installed, and last but not least practise 'Safe-Hex'.

Computer problems are bad enough most of the time, which means the following anti-stress kit might be useful. However, once you add malware to the more usual computer problems, it becomes a must-have piece of kit; well, it stops the common hair loss normally associated with stress! ;-)





Hopefully, this posting will help you retain your sanity, or at least reduce the cranial damage you may do to yourself using the above anti-stress kit.

Be careful out there, the web is a dangerous place without suitable protection...

If any of you out there in blog land have other security software that you recommend, then please feel free to drop me a line or leave the details in a comment. Thanks!


Thursday, 24 July 2008

Phishing for Feedback?

According to the e-mail I received this morning HSBC have a customer survey they would like me to take.

For starters here's a screenshot of the e-mail I received:



I'm always willing to give feedback to companies I use, but I am not an HSBC customer, so let us see where we go when the link is clicked.



Looks like a normal survey so far, apart from the dodgy website address [IP dotted]. So let me fake some data and click on the submit button, here goes:



Ah, now I smell something very phishy indeed [even if I didn't before ;-)]. They want some account details; Ker-ching!

Oh, yes and there is no prize money, so don't expect to win, just like the fake lottery notifications that you get, it is just a scam.

Each phishing e-mail I receive is checked; all links are tested against the Netcraft toolbar, and any new ones that the Netcraft toolbar doesn't yet know about are submitted for inclusion in their database. Nothing too unusual there. However, once in a while I spot something that makes a new phish stand out from the crowd, such as this one.

At the time I tested these links to the bogus [phishy] HSBC survey site it was not detected by the Netcraft toolbar, or even the Firefox anti-phishing functions which are now built into the browser. As I finish up writing this post Netcraft should now have it in their database as I sent them the details.

Just be careful when acting on requests for participating in surveys for companies you use, as they may be phishy and you may get more than you bargained for. In those phishy cases it is likely that your personal data will be stolen and used to make fraudulent transactions on your account.


Friday, 4 July 2008

A Stormy Independence Day...

It seems that the so-called 'Storm Worm Gang' are back and couldn't resist the opportunity to try and get you to infect your computer again using the guise of a 4th of July [American Independence Day] firework show. This latest wave started early this morning:

The subjects of the e-mails I've seen so far include:

America the Beautiful
Celebrating the spirit of our Country
Time for Fireworks
Well done 4th!
Light up the sky
The best firework you've ever seen
Long Live America
Celebrating the Glory of our Nation
American Independence Day

The body of all the e-mails seen so far contains a single line of text and a URL [the usual dotted-IP sort, e.g. http://100.123.12.1]; here is just a small selection of the text I've seen used so far:

A Hearty Wish
Amazing Independence Day show
Stars and Strips forever
Well done 4th!
Celebrate the spirit of America
Happy Independence Day
Home of the Brave
Spectacular fireworks show
Long Live America
Amazing Independence Day salute
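The two traits described above (a themed one-line body and a link to a bare dotted-IP address) are easy to turn into a mail-triage check. This is an added example, not code from the post; the subject list is the one quoted above, the sample messages are constructed, and the IP address is the example given in the post rather than a live host.

```python
import re
from urllib.parse import urlparse

# Subject lines quoted in the post above; the spam body uses the same themed one-liners.
STORM_SUBJECTS = {
    "america the beautiful", "celebrating the spirit of our country",
    "time for fireworks", "well done 4th!", "light up the sky",
    "the best firework you've ever seen", "long live america",
    "celebrating the glory of our nation", "american independence day",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def bare_ip_urls(text):
    """Return every URL in text whose host is a dotted-quad IP rather than a domain name."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")            # drop sentence punctuation glued to the link
        if DOTTED_QUAD_RE.match(urlparse(url).hostname or ""):
            hits.append(url)
    return hits

def storm_indicators(subject, body):
    """Score one message against the lure pattern: a themed subject, a single line of
    text, and a link to a raw IP address. Returns the list of matched traits."""
    reasons = []
    if subject.strip().lower() in STORM_SUBJECTS:
        reasons.append("subject matches known lure list")
    ip_links = bare_ip_urls(body)
    if ip_links:
        reasons.append("link to bare IP address: " + ip_links[0])
    # Strip the links out and see how much real text is left.
    text_lines = [ln for ln in URL_RE.sub("", body).splitlines() if ln.strip()]
    if ip_links and len(text_lines) == 1:
        reasons.append("single line of text plus a bare-IP link, nothing else")
    return reasons

# Constructed samples: the address below is the example quoted in the post, not a live host.
LURE = ("Time for Fireworks", "Amazing Independence Day show\nhttp://100.123.12.1/")
BENIGN = ("Team BBQ", "See http://example.com/bbq for details.\nThanks, Jo")
```

A message scoring all three traits is a strong candidate for quarantine; a bare-IP link on its own is common enough in legitimate mail that it is better treated as a warning than a verdict.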

Here's a screenshot of one of the emails that I've received this morning:



Here's a screenshot of another one of the emails that I've received this morning [Can you spot the difference ;-)]:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like this:



And here is the source of the web page currently in use:



The more eagle-eyed of you may have noticed that the code includes an IFRAME which loads a PHP file called 'ind.php'; this is what part of the page source code looks like for that file:



You may notice that this uses an obfuscated JavaScript routine. The end result, if you have JavaScript enabled in your web browser and your anti-malware doesn't detect this malcode, is that a dropper will be written to your hard disk. This is effectively a 'drive-by download', as you don't have to click on anything on the web page to download the file hidden in the JavaScript in 'ind.php'. The lower part of the code has been digitally munged by myself, as you don't need to see all of it.
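The page traits described in this post and in the FREE anti-virus post above (a META refresh that pushes an executable, an IFRAME pulling in a PHP file, and a long escaped blob handed to unescape()/eval()) can be picked out of saved page source with a small scanner. This is an added example, not the post's code: the sample pages, host names and the harmless escaped payload are all constructed here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")
# A long run of %XX / \xXX escapes handed to unescape() or eval() is the tell-tale of a munged script.
OBFUSCATED_JS_RE = re.compile(
    r"(?:unescape|eval)\s*\(.{0,40}?(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){20,}", re.I | re.S)

class LureScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.script_text, self.in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # html.parser lower-cases attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            target = m.group(1) if m else ""
            if urlparse(target).path.lower().endswith(EXECUTABLE_EXT):
                self.findings.append("meta refresh pushes an executable: " + target)
        elif tag == "iframe":
            src = a.get("src") or ""
            hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if urlparse(src).path.lower().endswith(".php") or hidden:
                self.findings.append("iframe loads %s%s" % (src, " (hidden)" if hidden else ""))
        elif tag == "script":
            self.in_script = True
    def handle_data(self, data):
        if self.in_script:
            self.script_text.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

def scan_html(html):
    """Return the list of lure traits found in one saved HTML page."""
    p = LureScanner()
    p.feed(html)
    p.close()
    if OBFUSCATED_JS_RE.search("".join(p.script_text)):
        p.findings.append("obfuscated script: long escaped blob passed to unescape()/eval()")
    return p.findings

# Constructed sample pages (hosts and file names are placeholders, not the real ones).
FAKE_AV_PAGE = ('<html><head><meta http-equiv="refresh" '
                'content="0; url=http://fake-av.invalid/AntivirusSetup.exe"></head></html>')
BLOB = "".join("%%%02x" % ord(c) for c in "<b>Happy 4th of July!</b>")   # harmless payload
FIREWORKS_PAGE = ('<html><body><h1>Fireworks</h1><iframe src="ind.php" width="0" height="0">'
                  '</iframe><script>document.write(unescape("%s"))</script></body></html>' % BLOB)
```

Run it over page source saved from a sandboxed browser session, never over a live fetch from the machine you care about; any one finding is worth a closer look, and the IFRAME plus obfuscated-script pair is the drive-by combination this post describes.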

At the time of posting this blog entry the detection of the offered 'fireworks.exe' file was still not complete, with only 20 out of 32 tested scanners identifying that this is a malicious file.

Furthermore, the file being offered is not a static binary, as in my testing so far each request ends up serving a file which appears to be different; not in size, but the MD5 hash is not the same. I'm not sure whether this is a case of server-side polymorphism or just a pool of pre-compiled executables from which one is chosen at random.

If I get any further useful data or news then I'll try and update this entry later today.

For those of you celebrating this particular holiday, I would like to wish you a very happy day and enjoy the real fireworks rather than the fake ones being offered in the latest Storm Worm run.

Oh by the way, I forgot to mention that this isn't the first time that fireworks have been used to get people to infect their own computers, anyone remember 'Happy99.exe' (also-known-as 'Ska')?


Thursday, 3 July 2008

The Tax Man Giveth....

If you are anything like me you probably can't remember the last time the 'Tax Man' [those from HM Revenue and Customs] told you that you had paid too much tax and that he [or she] would like to return some money to you.... Yeah right, like that is going to happen! I think I can honestly say that I have NEVER had any form of refund from them, ever, and I've been working for almost 30 years.

So, when I received the following e-mail [screenshot below] I was already rather sceptical:



The email looks quite believable, doesn't it? Even the link looks real.

If you are foolish/brave enough to click on the link, this is what you will see in your web browser:



Again, very believable, especially if you have no anti-phishing solutions in place.

If you are foolish/brave enough to fill in the requested data and then click on the link, this is what you will see in your web browser next:



Finally, if you are foolish/brave enough to fill in the requested financial data and then click on the link, this is what you will see in your web browser:



Yes, if you clicked on the final page you will be taken from the 'phishy' HMR&C site to the 'real' HMR&C site, none the wiser that you have been 'phished'. The final image [above] is the real HMR&C site.

Usual fare for the phishers: they want your personal details so that they can steal money from your account or use the details to open new accounts or credit arrangements in your name, so when they default on the loan, you'll be the one being hassled or taken to court for non-payment.

Meanwhile your credit rating will nose-dive, and it will take you weeks, months or even years to recover from the effects. All because you were 'phooled by a phish'.

So, if you get an e-mail stating that you have a tax refund... be warned, as you may end up even more out of pocket than you would if you were dealing with the real HMR&C; at least they are up-front about it! So, to finish the second half of the line used for the title of this posting: "The Tax Man Giveth [NOT] and the Phishers Fake it to Take it all!"
