Internet Security Zone Blog

Unpatched Microsoft Video ActiveX Control Vulnerability

2009-07-10T15:59:40-07:00

By John Gable, Director of Consumer Product Management

There is a new Microsoft exploit that attacks silently in the background (aka, a new drive-by download). Microsoft has not yet deployed a patch and the instructions on how to implement this attack are available online for hackers. Thousands of sites have already been infected with the number increasing.

This vulnerability is within Microsoft DirectShow which runs within the browser via ActiveX. You are vulnerable if you are running Windows XP or Windows Server 2003 unless you have browser virtualization (available in ZoneAlarm Extreme Security. Good anti-virus solutions as standalone or within suites detect and remove the viruses that have so far been delivered through this exploit. Note that this exploit just points to a “hole” in your security – other viruses and malware could be delivered to your PC through this same hole which is why we and others recommend that you take steps to block this hole in the first place. It is not a good idea to rely purely on anti-virus to take care of this.

Of course, you can also just edit your registry. This might be a bit scary and could create problems if you make a mistake. Microsoft has do-it-yourself instructions as well as a “Fix it for me” program you can download to solve the problem.

Lots of news on this, including technical publications like TechWorld and InformationWeek as well as main stream outlets such as USA Today.

For Two Days Only: Follow ZoneAlarm or Check Point on Twitter for a Chance to Win a Copy of ZoneAlarm Extreme Security

2009-07-07T08:45:19-07:00

By Dameon Welch Abernathy

As the popularity of social media sites such as Twitter has increased, so has the number of hackers who prey on the unsuspecting public to launch various attacks designed to gain access to confidential information. You can find more details on how to protect yourself against these Web-based attacks by reading one of our recent blogs. When you follow Check Point or ZoneAlarm on Twitter, you’ll automatically have the chance to win a ZoneAlarm Extreme Security suite. ZoneAlarm Extreme Security combines computer security and browser security into one, using patent-pending technology for powerful protection.

Here are a few eligibility rules:

Follow ZoneAlarm or Check Point Software Technologies on Twitter by July 9, 2009 at 19:00 GMT. Two lucky winners will be randomly selected.

Employees of Check Point Software Technologies and their immediate families are not eligible to participate in this giveaway.

Only one winner per Twitter account will be awarded.

Winner must provide a shipping address where the prize can be mailed.

All decisions regarding a qualified winner will be made solely by ZoneAlarm and are final.

ZoneAlarm reserves the right to terminate or modify the above terms at any time without notice.

Good Luck!

Twitter Viruses, Scams and Attacks - How to Protect Yourself

2009-06-12T10:37:53-07:00

By Daniel Armao, Security Advisor (Guest blogger)

Last weekend, Twitter users were the target of a “Best Video” scam in which they were tricked into clicking a link and sent to a website designed to download malware using an Adobe Acrobat PDF exploit. The malware installed was the scareware software called System Security. System Security is a fake antivirus product that is designed to trick the user into buying it by using scare tactics such as fake scanning results.

A week before that, Twitter users were affected by a phishing attempt called “Twittercut.” If a Twitter user clicked on the link the user was then redirected to a phishing website that asked for their username and password.

The increased popularity of social networking sites such as Twitter and Facebook have unfortunately led to an increase in social engineering attacks. Most importantly, these attacks are used to gain financial information, obtain a large number of credentials and leverage e-mail services for spamming activities.

So, don’t be fooled. Let’s talk about the most common ways users are fooled on social networking sites.

- Links can lead you to malicious material such as hidden drive-by downloads that attempt to silently install software onto your computer without you doing anything or knowing about it.

- Links can also lead you to a phishing site designed by scammers to trick a user into revealing confidential information such as account passwords for banking or social networking sites.

- There are downloads that seem perfectly safe, such as a video, screensaver (screensavers are the most notorious) or some even offer to give you security protection, but they are actually malware.

- A link from a friend might not be safe either. Your friend’s computer could have been infected and now is part of a botnet being used to send malware and dangerous links.

- Tweeters often use URL shortening services such as tinyurl.com to obtain a shorter URL that fits within the 140 characters restriction. This means you don’t know what site your are really going to until you are there.

How to protect yourself:

- Do not click on suspicious links.

- Be smart about what links to trust or not:

· Confirm the link. Hover your mouse over the link to see at the bottom of your browser window where it really goes – the text might say “Wells Fargo Bank” but the link might go somewhere else entirely (for example, the link looks like Google, but it’s not).

· Make sure the URL is correct on the address bar of the browser. The safest thing to do if you are not sure is to type the correct website address manually. Be extra cautious if you receive the link via e-mail.

· Do not download or install any software, not even codecs for viewing videos, from an untrusted site.

- Last but not least, get protection for your computer and for your web browser. These are two different things.

· ZoneAlarm ForceField provides a protective layer around your browser, shielding you from drive-by downloads, browser exploits and phishing attempts.

· ZoneAlarm Extreme Security combines computer security and browser security into one.

- If you are infected with malware, change your passwords immediately and download and scan your computer with a top security suite. Always verify that the security you would like to download is legitimate by going to PC Magazine or other computer publications (if it is not well known or reviewed by a noted security publication, don’t get it.)

Enjoy the web, do what you want to do. Just be smart about it and get the protection you need or your fun might come to a quick halt.

ForceField and Gumblar Step Into the Ring…

2009-06-05T16:03:37-07:00

By Jordy Berson, group product manager, ZoneAlarm products

We just got the results in from our malware testing team. We don’t like to claim victory early, even when we are fairly certain of a win. But now we know (Technical details are in the last paragraph for the “just the facts” folks).

“Are you ready to ruuumble??”

To be sure, it wasn’t the best fight. ForceField won. Easily. There wasn’t even any contact. It made for a snoozer of a fight. But a snoozer is exactly what you want when your identity and security are at risk.

Here’s how it went down:

The victim user went to one of many possible sites. So far, more than 3,000 Web sites have been attacked including a popular entertainment site and sports site. The second the victim arrived on the infected site, Gumblar was waiting. And not for a fair fight.

When you cannot even see the enemy, what chance do you have?

Far from facing its victims, Gumblar sneaks right past you, through a vulnerability in your computer software. Normally, the fight would end here. Gumblar would find a quiet place on your computer and take over. He could then do any number of things as these types of threats do. He could spy on you, watch what sites you go to, record everything you type, open doors to let some of his friends onto your computer, and use *your* computer to attack other computers!

But not this time

The enemy Gumblar faced was ForceField. Not brawny, but definitely wise and clever, ForceField saw right through that invisible cloak and instantly knew Gumblar was an uninvited guest. So when Gumblar snuck onto the victim computer, ForceField did a classic sneak attack of its own. Gumblar ended up on the victim computer, sure enough, but landed straight in jail. Here, Gumblar was completely isolated from the rest of the computer and was unable to do anything at all. This maneuvering on ForceField’s part was done automatically – you as a user had to do nothing to protect yourself.

So were you a victim or not?

· First of all, it is more likely you did NOT hit a Gumblar-infected site than you did**. So take a breath and read on.

· People using ZoneAlarm ForceField as a trial or who own ZoneAlarm ForceField are protected. Right on!

· People using ZoneAlarm Extreme Security get the protection of ForceField as well. But in ZoneAlarm Extreme, you have to activate the virtualization protection as it’s off by default. Go to the Browser Security panel of ZoneAlarm Extreme, click the Settings button, and make sure there’s a checkbox next to “Enable Virtualization.”

· If you are running ZoneAlarm anti-virus: ZoneAlarm anti-virus signatures have been updated to offer an additional layer of automatic protection against Gumblar.

· If you weren’t running ForceField virtualization, see my previous blog “Gumblar – Not a new Parker Brothers game” for details on how to know if you’ve been infected.

**The likelihood of falling victim to a single attack is low. But because there are so many attacks out there, the likelihood you’ll hit one eventually is much greater. So protect yourself! Even if you don’t run ForceField, at least make sure all the software on your computer is always up-to-date!

Gumblar versus ForceField: Just the facts

· We were able to locate an actual Gumblar attack and test ForceField against it. ForceField successfully defended the computer against Gumblar.

· ForceField used virtualization to redirect the automatic, hidden drive-by download so it could not run on the victim computer. It also used heuristics to label the host site as suspicious and warn the user not to download anything from the site or enter personal information into the site (this was done in case Gumblar had a social engineering component to its attack in addition to the drive-by download attack, which in this case it did not).

· Based on this successful test, it is very likely ForceField protects from other variants of Gumblar (though it is the nature of this quickly-evolving business that nobody can ever be 100% certain).

· ZoneAlarm anti-virus signatures have also been updated to offer an additional layer of automatic protection against Gumblar.

· As always, users should ensure they have the latest version of their browser, operating system, Adobe software, and all other software including security software.

Test conditions we used:

1. IE v. 7.0.5730.11

2. Adobe Reader v. 9.0.0

3. ForceField v. 1.3.153.0

Gumblar - Not a New Parker Brothers Game

2009-06-02T09:00:01-07:00

By Jordy Berson, group product manager, ZoneAlarm products

Gumblar!!

Is it an outrageously fun new board game that combines Jenga and Cranium to test your right brain, left brain and "Parkinson's-proneness" all at once? No. But this fun-sounding little guy could test your computer security, your identity theft protection and your ability to reformat your computer. And it could definitely bring outrage!

Gumblar is another multi-faceted, everywhere-you-want-to-be online, ninja-quiet Web site attack that can wreak havoc on your life. It begins in what seems to be one or a combination of Russian, Latvian and Chinese kitchens where it is then embedded into vulnerable Web sites. Which Web sites? So far, ones you've probably never heard of. But if we know anything about such attacks, we know any Web site can fall victim. Google, Yahoo, and the Miami Dolphins are just a sampling of sites that have been compromised by other attacks. (So yes, it can happen to you.)

So...what's the big deal?

Well, news says (CNET by Elinor Mills, CBR by Kevin White, plenty more) Gumblar sneaks onto your PC when you visit a Web site, injects itself into your browser and intercepts traffic between you and the Web sites you visit. That means anything you type is seen (unless it's encrypted, which most reputable bank and shop sites are). But it can also redirect you to malicious Web sites that look like real Web sites, which can download more malicious code to your PC. The net net? Play with Gumblar and you can lose your identity, unwittingly attack other computers, definitely lose money and maybe lose your mind! (“Mom, Gumblar won't stop hitting me!”)

Seemingly contrary to its spunky, extroverted name,

Gumblar won't announce itself when it hits your computer. So you've got to go digging. The CNET friends give this advice (as reported by Elinor Mills):

To find out if a computer is infected:

1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);

2) Obtain the Sha1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;

3) Compare the obtained Sha1 to the list located on the ScanSafe STAT Blog;

4) If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.

You can also just, you know, "do a full reformat and reinstallation" of your operation system

That would definitely test your right brain in a way that Cranium can't. If all this sounds like less fun than a long game of Monopoly, may I and my Check Point ZoneAlarm friends (and your grandmother) use an old adage? "An ounce of prevention is worth hundreds of megabytes of cure." In this case, that ounce ranges from 6 MB to about 70 MB depending on the Check Point product (ZoneAlarm ForceField and ZoneAlarm Extreme Security, respectively) but is smaller than the ounces you get from most other security companies. And in the context of, "not all protection is created equally," this happens to be an area where ZoneAlarm shines. Because we've got ForceField, baby!

If Gumblar, Conficker, Hungry Hippo or the red-nosed "Operation" guy try to sneak onto your computer, ForceField browser security - with less than a proverbial lift of a finger - is designed to redirect those jokers straight to a sandbox. But in this sandbox, nobody is allowed to play. Sorry, Gumblar! Meanwhile, we'll be gathering more data and will update you on the protection ForceField provides against Gumblar and its variants.

Tinyurl.com Blocked, Might Distribute Spyware

2009-05-21T11:15:40-07:00

By John Gable, Director of Consumer Products

ZoneAlarm blocks a web site that you want to visit. For example, some users have noted that ZoneAlarm blocks them when they go to TinyURL.com. Why would ZoneAlarm do this, and what do I do if that happens?

Spyware has occasionally been downloaded from TinyURL.com or a partner site (TinyURL often redirects users to other sites). To protect you from this threat, ZoneAlarm warns you about it and blocks that specific Web site. But people might still want to use TinyURL.com anyway – after all it’s a useful tool for posting short urls on Twitter. Well, you still can.

Go to www.tinyURL.com. If the site is blocked, you should see a balloon pop up in the lower right corner of your screen. If you click on it, you will go to an interface where you can add tinyURL.com as an exception which allows you to access the site. You can also manually get to that interface within the product by doing the following:

1) Right click or double click the ZoneAlarm icon in your system tray.

2) In the ZoneAlarm control screen, click Anti-virus/spyware, and then click “Spy Site Blocking”. If it has blocked you from a website, it will show you the name of the web site with an X showing that it was blocked.

3) If you want to go to that web site, click on top of the web site access and change it from Block to Allow.

That’s it. This way ZoneAlarm can protect you from potentially dangerous downloads but still let you go where you want.

Avoiding the Latest Adobe Acrobat Security Vulnerabilities

2009-05-11T12:06:21-07:00

By Daniel Armao, Security Advisor (Guest blogger)

Adobe has released information that its PDF software Adobe Reader and Adobe Acrobat have two new critical vulnerabilities (CVE-2009-1492 and CVE-2009-1493). If exploited, the vulnerabilities could allow an attacker to take control over victim’s computer and download malware to steal banking information, turn the computer into a botnet, or download fake “antivirus” programs. The vulnerability could be exploited by viewing a website or opening an email attachment.

Adobe recommends disabling Javascript in Adobe Reader and Acrobat by opening Adobe Acrobat Reader>edit>preferences> go to Javascript>uncheck “enable Javascript.” Adobe expects to provide a product update for by May 12, 2009.

Some security experts have recommended using an alternative PDF which can be found at: http://pdfreaders.org/. Other alternatives not listed are Foxit Reader and CutePDF.

The drive by download attacks that take advantage of the Adobe PDF vulnerability in web browsers may be prevented by ZoneAlarm ForceField. ForceField’s technology puts your computer in a “protective bubble” that isolates the browser (Internet Explorer, Firefox, etc.) from the rest of the hard drive preventing drive by downloads from downloading and modifying system files without your consent.

More information will become available at Adobe's security bulletin and advisories at: http://www.adobe.com/support/security/

Earn $30 just for trying Full Disk Encryption?

2009-05-07T16:26:14-07:00

ZoneAlarm is giving away FREE Amazon gift certificates worth $30 to 40 Full Disk Encryption beta users on a first come, first serve basis.

To qualify, all you have to do is:
- Install the ZoneAlarm Extreme Security with Laptop Encryption Beta on your laptop running Windows XP or Vista
- Successfully upload recovery data to ZoneAlarm customer support (easy--the installation process includes this and it takes 3 seconds)
- Use the Full Disk Encryption feature to encrypt your laptop's hard drive (also easy--happens automatically after you install)

The first 40 new users who upload their recovery data will be notified by email within 15 days and instructed on how to receive their gift certificate.

To get started, go to the ZoneAlarm Extreme Security with Laptop Encryption Beta page.

You may also be interested in James Grant's blog post about this new consumer Full Disk Encryption product.

Avoid the "SpywareProtect2009" Scareware Scam and Conficker Payload

2009-04-27T16:17:40-07:00

by Daniel Armao, Security Advisor

The Conficker worm recently received a new update by using a peer to peer network. The new update will download a bogus "antivirus" program called SpywareProtect2009. SpywareProtect2009 will try to trick users into buying the fake antivirus by using scare tactics. The scare tactic is a fake “virus scan” that offers to “delete” nonexistent threats only if a consumer buys the fake antivirus. SpywareProtect2009 will also generate popups that show messages such as “your computer is infected” and will hijack the infected computer's Web browser. There is speculation that Conficker might be using the Waledac, a botnet that spreads by email in the form of fake holiday e-card, to send spam from infected machines and to steal passwords by the use of a keylogger.

If you encounter a scareware popup on the Web do not click on the popup at all, not even the Cancel and X option. To get rid of the popup prior to infection, access the task manager (Ctrl-Alt-Delete) and in the application’s tab click “end task” on your Web browser (Internet Explorer, Firefox, Safari, etc.).

Scareware such as SpywareProtect2009 can also infect a user without Conficker on the Web. To protect yourself against scareware and other malware make sure you have the latest updates from Windows, have your ZoneAlarm Internet Security up to date and use the ZoneAlarm firewall. ZoneAlarm Forcefield will also protect from scareware and other malware by keeping the browser in a protective bubble. Make sure you do not buy SpywareProtect2009 because not only are you out of $49.95, the creators will also now have access to your credit card number…and we all know what that means – unauthorized charges on the card. If you are a victim of scareware tactic, please dispute all charges with your credit card company.

More information on how to detect and remove Conficker can be found at:

http://blog.zonealarm.com/blog/2009/03/the-conficker-worm-signs-protection-and-removal.html

April 14 Only: ZoneAlarm Suite for Under $10---Supports Charity too!

2009-04-09T15:15:24-07:00

By Frank Bailinson, Head of Strategic Products

Pardon this commercial posting, but you may want to pass this on to friends/family who need full PC security but thought they couldn’t afford it.

In response to the economic hard times, we wanted to create a give-away promotion because some people may consider PC security a luxury they can’t afford. We believe it’s a basic need.

For 24 hours starting 6am PDT on Tuesday April 14 (Microsoft patch Tuesday), we will reduce the price for ZoneAlarm Internet Security Suite (a full 3-user, 1 year copy) to $9.95. The offer ends the next day at 6am. We are limiting this offer to new customers only.

We will donate 50% of the proceeds to TechSoup, the technology place for nonprofits. We hope these funds will allow them to spread security to many other charities.

Here is the link for the offer: www.zonealarm.com/only24hours

Could tax software be hacked? Social engineers prey on our humanness.

2009-04-08T11:18:27-07:00

By Jordy Berson, Group product manager, ZoneAlarm products

Social engineering is a cruel hacking technique that plays on our naivete, behavioral patterns, curiosity and general humanness. A few examples:

HACKER SEND US: An e-mail on Valentine's Day with subject, "Someone wants to kiss you!"
WE: Must know who. The woman I spilled my cinnamon dolce latte on at Starbucks? The guy at 7-eleven who bought M&Ms while I bought Reese's Pieces?
RESULT: Click the Web link from the e-mail, go to the Web site, malware secretly downloads to our PR to spy on us.

Or:

HACKER CONTACTS US: Our lost uncle from Britain whom we never knew died (sad) and left us $50,000 (sadness fading a bit). We just need to send in $1000 for handling to get the money.
WE: Send in the $1000 and wait by the mailbox like Linus in the pumpkin patch.
RESULT: The $50,000 (and The Great Pumpkin) never arrives

These scams piss me off more than any other because they take people's dignitiy along with the prize they're after. What pisses me off even more is that hackers around the world are bringing in comfortable six-figure incomes purely by plundering us workers! (See related article that my buddy Frank sent around the office:) http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html?wprss=securityfix

The best way to protect yourself from these online parasites, may they all be caught and jailed, is to use the same street smarts online that you use in the real world. Be suspicious! Don't respond to offers that are too good to be true or seem weird in the least without checking them out first. Never click a Web link from a strange e-mail. Use updated security software to protect yourself. Keep all of your computer programs, browser plug-ins, and your operating system up-to-date at all times.

But it's not always easy! Even the best of us can be tricked because hackers make use of the same processes we've come to use and trust online in order to trap us. I was talking with my fellow blogger James this week about this because a journalist had asked us to consider: What if hackers took advantage of e-mail viral marketing to attack us and our friends? For example, Web sites such as Yelp! and LinkedIn among many others will go into our address book to invite our friends to participate in their services (with our permission). For example:

TRUSTED WEB SITE: Offers to e-mail our address book of friends on our behalf and invite them to use Yelp, Facebook, etc.
WE: Trust them.
RESULT: No harm done. We and our friends have special moments together online through our increased connectedness.

Now we've been trained to trust this technique. So it's ripe for the taking as far as hackers are concerned. A hacker could attack the legitimate Web site we trust; could spoof the Web site we trust (we think it's the legitimate site, but it's a malicious site made to look just like the legitimate site); or could create a brand-new site from scratch. In any case, this same technique could e-mail our friends on our behalf. Our friends get an e-mail from us so they trust it (social engineering), follow the Web link, and KABLAM! Spyware downloads to our friends' computers.

This puts extra stress on our relationships.

Then James brought up a similar scenario that's even more dangerous.

TAX PREP SOFTWARE: Offers to automatically gather our tax info from Fidelity, eTrade, etc. We just need to give it our username and password to each financial site.
WE: Hate taxes, and will do anything to make it go faster and easier.
RESULT: We are sad (if we owe), happy (if we get a refund), but no harm done.

But it's easy to see how the above could have an unhappy ending. I have no doubt the tax prep companies such as Turbo Tax do a great job of ensuring security. And I've yet to hear of any vulnerabilities in this area. But the fact that hackers are highly motivated by their six-figure incomes and the fact that no security is 100% secure makes me think things could go very wrong here. Imagine just handing over the keys to your financial information to a hacker because they've stepped in between you and a trusted Web site or have spoofed a Web site you trust.

The lesson: Think before you give the away the keys to any of your information. Consider the cost/benefit to these types of automated features. Certainly make sure the entity you're trusting is deserving of your trust and is who it says it is. This is not to say you should abstain from these automated features. The risk as of now and as far as I know, is small to nil of getting hacked in this way. We'll see what the future brings.

PointSec Disk Encryption comes to the Consumer Market

2009-04-02T13:52:16-07:00

By James Grant, Team Lead and Senior Developer

PointSec, the product that has been protecting company laptops for years is now available for the consumer market. Pointsec Full Disk Encryption is the defacto standard of disk encryption products, leading others in independent test results:

http://www.checkpoint.com/products/datasecurity/pc/test-results.html

Companies were the first to see the need for data security as their employees took their work outside the company walls. Increasingly, consumers are choosing laptops for themselves. It is the ideal choice for a student on the go, for example. With the price of laptops tumbling, they are very affordable and they take less space than the big box.

The biggest risk of a laptop is having it stolen. The chance of a college student having their laptop nabbed while they are out is higher than the chance of a home break-in. For most of us, the biggest concerns are the cost of the computer and the setback of losing the information that was on it (I really love USB thumb drives as a backup tool for important information, BTW!). For some, there are privacy and identity theft concerns as well. Did you have private email on there? Picture? Your taxes? Anything with your social security or financial account numbers or passwords?

All those concerns are gone with Full Disk Encryption, available here in beta:

http://download.zonealarm.com/bin/free/beta/index.html

The "beta" label is on the user interface and packaging part of the software, not the encryption part. The core encryption tool is the same as is in use on millions of computers around the world, including the one I'm using right now!

As soon as we went to beta, I installed it at home .. on my wife's computer. The result: "Hon, I'm getting a new logon screen when it starts. What should I do?" So I wrote the username and password on a sticky note and stuck it to the screen. Hey, my goal wasn't security as much as seeing it work. It did.

As I saw the PointSec product transform into a Consumer product, my fears of total disaster subsided:

Firstly, I knew rationally that the encrypting part was the same as what I'd used for years at work.
Next, the product doesn't start encrypting until recovery information has been backed up on our servers (the files are encrypted by your password, so they are no use to anyone but you - including us).
Lastly, the product helps you burn a recovery CD so if - just if - something were to go wrong, you could boot off the recover CD and unencrypt the drive. Forgot your password? No problem. Contact our Support team, tell them who you are, answer the security questions and they supply a code that unlocks your computer. (In other words, we can help you reset your password, but we don’t know your password, so you're truly safe.)

So if you've wanted to keep your laptop private in case of theft or break-in, ZoneAlarm's new FDE (Full Disk Encryption) is what you've been waiting for. Let us know what you think. While it is in beta, we are looking for feedback from you.