OZO’s WU6.bat file for controlling Microsoft Update & BITS
Today I found an interesting article about WU6.bat on DSLReports. The author of the program is OZO; he has made some other nifty free programs too.
What is the purpose of the batch file WU6?
SUMware on DSLR: WU6.bat file allows to connect to Microsoft Update site and to retrieve all necessary updates from there as usual. Additionally, the rest of the time it keeps unnecessary services (“Microsoft Update” – wuauserv and, if required, BITS service) stopped and with startup type set to ‘disabled’, eliminating extra resource usage and stopping unwanted updates that may be pushed on computer via different Automatic Update mechanisms.
WU6.bat will work with Windows XP, and is IMO a useful program to eliminate unnecessary background processes and/or services. At the same time it will stop pushed unwanted Microsoft updates.
Other free OZO programs
LCD-Saver™ utility – real screen saver for LCD and CRT monitors
Mouse Hider™ – watches your mouse activity and hides it after some period of idle time
Mouse Rescue™ – add-in for IE, helps restore right and/or left mouse click functionality in IE web browser in case some unfriendly web site tries to take it from you
Zap Plugins™ – add-in for IE, helps remove annoying plugin ads from web site you’re browsing
Google Search Helper – add-in for IE, it does simplify search requests
Real time HTML editor – edit HTML in real time
Morphases – makes a face
….and some other stuff too; you are invited to visit OZO’s webpage gate2.net for a full description of his programs and for downloading the most recent versions.
OZO’s webpage: gate2.net
Disgusting: Hurricane Gustav Scam Preparations Begin
It looks like the most unscrupulous among us are preparing to rip off innocent victims of Hurricane Gustav and the well-meaning who want to help them.
The following Gustav-related domains have been registered in the last 24 hours:
Observation made by Marcus H. Sachs/SANS: several of the sites are just parked with a “for sale” sign on them, it’s only a matter of time before the “donate here” buttons start showing up.
Be on the lookout and if you want to give or receive help, go through reputable agencies like the Red Cross.
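One way to watch for this pattern in a feed of newly registered domains, as an added example that is not part of the original post: names that contain an event term (tolerating misspellings) are flagged, and those that also contain a fundraising term are raised first, while the rest stay on a watch list because parked names can change later. The term lists, the verdict names and the sample feed are assumptions made for illustration.

```python
# Added example: triage newly registered domains for event-themed names.
EVENT_TERMS = ("gustav", "hurricane")   # assumption: chosen by the analyst per event
MONEY_TERMS = ("donat", "relief", "fund", "charit", "aid", "contribut", "give")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fuzzy_contains(text: str, term: str) -> bool:
    """True if some substring of text is within len(term)//4 edits of term."""
    slack = len(term) // 4
    for size in range(max(1, len(term) - slack), len(term) + slack + 1):
        for start in range(0, len(text) - size + 1):
            if edit_distance(text[start:start + size], term) <= slack:
                return True
    return False

def triage(domain: str) -> str:
    """Return 'solicitation', 'watch' or 'ignore' for one registered domain."""
    name = domain.lower().rstrip(".").rsplit(".", 1)[0]    # drop the TLD
    name = name.replace("-", "").replace(".", "")          # compare on letters only
    if not any(fuzzy_contains(name, t) for t in EVENT_TERMS):
        return "ignore"
    if any(m in name for m in MONEY_TERMS):
        return "solicitation"   # event name plus a fundraising word
    return "watch"              # event name only: possibly parked, re-check later

# Constructed sample feed on the reserved .example TLD, not domains from the post.
SAMPLE_FEED = [
    "gustav-charity-drive.example",
    "huricane-relief-fund.example",
    "gustav-webcam.example",
    "hurriance-tracker.example",
    "gardening-tips.example",
]

def triage_feed(feed):
    return {d: triage(d) for d in feed}

if __name__ == "__main__":
    for d, verdict in triage_feed(SAMPLE_FEED).items():
        print(f"{verdict:13} {d}")
```

Short fundraising stems such as "aid" also match inside unrelated words, so the "solicitation" verdict is a prompt for manual review rather than a block decision.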
Some improvements on Smokey’s Security Forums
My security board, Smokey’s Security Forums, is in a continuous process of evolution and improvements, this with the aim to serve the user in the best possible way with support, help and advice concerning all security and malware related issues.
This is the reason I have added several new services to the board:
- a new forum called “Is this an infection?”: http://www.smokey-services.eu/forums/index.php/board,139.0.html
This forum is part of the HijackThis & OTListIt2 Logs / Malware Removal Forums; here you can post if you think that the problems you are experiencing are due to malware. My HJT Staff help decide what your problems are and, if necessary, will take suitable action to solve your problems.
Of course our HijackThis/OTListIt2 Log Analyzing and Malware Removal & Cleaning Forum remains unaltered; as in the past, you can post your HJT logs here.
- the up to date Internet Storm Center Infocon Status: http://www.smokey-services.eu/forums/index.php/topic,19805.0.html
The ‘Infocon’ is a service provided by SANS, the largest source for information security training, certification & research in the world. The intent of the ‘Infocon’ is to reflect changes in malicious traffic and the possibility of disrupted connectivity. In particular important is the concept of “Change”. Every host connected to the Internet is subject to some amount of traffic caused by worms and viruses. However, once a worm has been identified and the number of infected machines is no longer increasing, this traffic is not likely to cause any disruptions.
The ‘Infocon’ is intended to apply to the condition of the Internet infrastructure. SANS do not monitor particular nations or companies.
- up to date Security Alerts, Advisories and access to a Threat Database: http://www.smokey-services.eu/forum/viewtopic.php?f=64&t=19802 All these services are provided by Symantec. These Symantec services are an addition to our existing Alerts and Advisories.
We hope you will appreciate our efforts
Brief Review MBAM – Malwarebytes’ Anti-Malware
On a regular basis I test anti-malware programs; the most recent test concerned MBAM – Malwarebytes’ Anti-Malware. About the detection capabilities I can be short: great, as claimed by the developers, many times it discovered malware like rootkits, worms, trojans, viruses, spyware and other malicious programs that weren’t detected by other anti-malware programs like anti-viruses and anti-trojans. I am even more enthusiastic about the cleaning capabilities of MBAM: all discovered malware was cleaned/removed 100%, without leaving any traces.
MBAM offers support for Windows 2000, XP, and Vista, and is free. However, the full (paid) version unlocks realtime protection, scheduled updating and scheduled scanning. If you like the program, I advise opting for the full version. Price: a one time fee of $24.95.
Remark: MBAM was also able to detect the recent XP Antivirus 2008/2009 malware programs and removed this crap entirely.
More info about MBAM (free version and how-to buy): malwarebytes.org
Recommended review MBAM: Web Worker Daily
Update 2009-06-03: recent, extended Softpedia Review MBAM – Malwarebytes’ Anti-Malware: http://smokeys.wordpress.com/2009/06/02/profound-malwarebytes-mbam-anti-malware-scanner-review/
Multiple highly critical vulnerabilities reported in Opera
Multiple highly critical vulnerabilities have been reported in all Opera versions prior to v9.52.
These vulnerabilities have to be considered serious, therefore we advise you to update to Opera v9.52 asap.
Sources/more info:
http://www.opera.com/docs/changelogs/windows/952/
http://www.opera.com/support/search/view/892/
http://www.opera.com/support/search/view/893/
http://www.opera.com/support/search/view/894/
http://www.opera.com/support/search/view/895/
http://www.opera.com/support/search/view/896/
http://www.opera.com/support/search/view/897/
Download Opera v9.52 here.
Advice: don’t use WMP – Windows Media Player anymore….
…. because a critical vulnerability in WMP is still unpatched, and Microsoft have no workaround or precautions to deal with the issue.
Some background information:
“Ryan Naraine / ZDNet – posted today: Lost in the shuffle of this month’s Patch Tuesday barrage is the fact that a critical vulnerability in the ever-present Windows Media Player (WMP) was not fixed “because of a last minute quality issue”.
Microsoft originally listed the WMP update in the advance notice for August but, when the patches dropped on Tuesday, it had slipped because of patch-quality concerns. This effectively means that millions of Windows users — WMP ships with every version of the desktop operating system — are exposed to a critical, code execution vulnerability that will not be fixed for at least another month.”
“EGeezer / DSLR – posted today: I was intrigued by this Microsoft Technet blog entry, which referenced a patch that was not released for quality reasons. However, the poster did not provide any information on what was missing or what measures users could take until the patch was issued. While it’s goodness to remove flawed patches, the vulnerability information and workarounds (if any) should not also be removed.
Since the information on the missing patch was removed in the advisory, we as users only know that there’s a critical vulnerability in WMP out there that’s still unpatched, and have no workaround or precautions to take beyond simply not using WMP.”
New Rogue Domains/Threats reported
Post updated August 22, 2008
In the past days I noticed multiple reports from several sources, e.g. Calendar of Updates, concerning the following rogue Domains/Threats:
As a precaution Calendar of Updates advised adding the mentioned domains to your HOSTS file, Blocklist or Restricted Zone. Of course I support this call.
And probably superfluous to mention: don’t visit these domains!!!
Control the Windows Vista inbound- and outbound connections
On my daily internet “surveillance tour” I discovered a handy freebie: Vista Firewall Control.
PCWorld description of the program:
“the outbound filter in Windows Vista is, in essence, turned off by default. And as a practical matter, it’s impossible to manually configure it to block malware making outbound connections. That’s where the free Vista Firewall Control comes in. Install it, and whenever an application tries to access the Internet, a screen pops up, with the application name, the publisher, and similar information, as well its path and file name. You can enable or disable inbound or outbound connections it tries to make, either permanently, or just this one time.”
This free version also includes Windows Security Center Integration, Removable Drive application support and IPv6 support and is available in 32 and 64-bit versions.
More info and download: Sphinx Software
An Illustrated Guide to the Kaminsky DNS Vulnerability
Some time ago I already mentioned the Kaminsky DNS Vulnerability, e.g. in my post DNS Exploit Means Quick Patches Are Critical: patch immediately!
Today I found an interesting contribution about the issue on DSLR; it concerns a paper that describes this vulnerability in great detail.
The author of the paper, Steve Friedl, describes the paper in this way: “designed for the computer-savvy person who nevertheless may not really know how DNS works: lots of diagrams to make the point and guide an understanding”.
Thanks Steve for your great piece of hard work!
Take a look at the paper here.
What’s up in Security Land – Some info about me and my aims
Many people know I have long been active in the security community, not only as Site Owner of Smokey’s Security Forums, but also as (Staff) Member of security related organisations and boards (e.g. Site Member ASAP – Alliance of Security Analysis Professionals) and regular contributor in security forums (like DSLReports – Smokey Bear). Besides, my security board is Partner Board of Gladiator Security Forum.
I always try to perform my acts in a professional way, this with the sole aim to serve the user -common users, companies and enterprises- in an optimal manner by means of support, help and advice concerning all security related issues. Malware is evolving, threats become very complicated, privacy issues are “hot” and under attack, therefore providing adequate advice and help is not always easy (anymore).
Many times we only can try to limit the dangers and their effects. It is my personal opinion we only can reach our aims in an acceptable way when we perform the following actions:
- comprehensive co-operation security boards
- extended information, education, advice and help direction user
- spreading the word all over the net
- security professionals should always stay open and prepared for new developments and insights, no matter what they concern
And last but not least: 100% dedication to our security jobs and tasks. Today these have reached such a level of complexity there is almost no time available for other issues. Anyway, not when we take our aims and tasks seriously.
Microsoft Security Advisory (954960): Microsoft Windows Server Update Services (WSUS) Blocked from Deploying Security Updates
Published: June 30, 2008 | Updated: August 1, 2008
Microsoft has completed the investigation into public reports of a non-security issue that prevents the distribution of any updates deployed through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1 to client systems that have Microsoft Office 2003 installed in their environment. Microsoft confirmed those reports and has released an update to correct this issue under Microsoft Knowledge Base Article 954960. Microsoft encourages customers affected by this issue to review and install this update.
Notes:
The issue affecting System Center Configuration Manager 2007 first described in Microsoft Security Advisory 954474, where System Center Configuration Manager 2007 systems were blocked from deploying security updates, is separate from the issue described in this advisory. However, there are similarities in the contributing factors in both issues.
Customers who wish to verify that the update has been installed properly can check that their version of Microsoft.UpdateServices.WebServices.Client.Dll, located at %ProgramFiles%\Update Services\WebServices\ClientWebService\bin\, is 3.1.6001.66.
The update detailed in Microsoft Knowledge Base Article 954960 cannot be uninstalled through Add or Remove Programs. Customers who wish to remove this update must uninstall Windows Server Update Services as detailed in Microsoft Knowledge Base Article 954960.
Revisions:
• June 30, 2008: Advisory published.
• July 9, 2008: Advisory updated to reflect availability of fix.
• July 10, 2008: Advisory updated to reflect specific installation and uninstallation procedures for the update for Windows Server Update Services running on Windows Server 2008.
• July 16, 2008: Updated the example workaround steps for running the update to Windows Server Update Services 3.0 Service Pack 1 on Windows Server 2008 as an administrator.
• August 1, 2008: Added Frequently Asked Questions entry to communicate re-release of the update to fix known installation issue with Windows Server 2008 systems.
Source/full advisory: Microsoft TechNet














