Smokey's Security Weblog

veritas odium parit

[How-to] Vulnerability test Superfish, Komodia, PrivDog & similar

Probably you have heard about the Lenovo debacle: many of their laptop series come preloaded with the adware/spyware Superfish (you can also call Superfish a dirty piece of malware), which intercepts all your secure connections and thereby allows criminals to do it too. Superfish uses an “SSL hijacker” (Komodia Redirector with SSL Digestor) and an untrustworthy Komodia root certificate. Komodia Redirector with SSL Digestor installs non-unique root CA certificates together with their private keys, making systems broadly vulnerable to HTTPS spoofing: because every affected machine trusts the same root and the private key of that root is known, an attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings on affected systems.

Many other software products do the same, because Komodia sold its malicious kit to other companies as well; among these companies/vendors are e.g. Atom Security, Inc., Infoweise, KeepMyFamilySecure, Kurupira, Lavasoft, Qustodio and Websecure Ltd. There will be others as well.

Superfish can be removed via the standard Windows Add/Remove Programs utility: find Superfish Inc. VisualDiscovery, tick it, and click Uninstall. Uninstalling Superfish and other Komodia-type programs does not remove the root certificates, so you also need to do this: type certmgr.msc into the Windows search box, right-click the program name, and select “Run as administrator” from the pop-up menu. Then click the Action menu and select “Find Certificates”. Type Superfish (or Komodia, PrivDog, etc.) into the search box and click the “Find Now” button. If you find an unwanted certificate, right-click it and select Delete.

Fwiw, never download from unsafe places such as CNet’s Download.com or from Google search ads; downloading software from such places can be really dangerous, as in many cases the downloaded software can and will be bundled with adware, spyware and/or malware.

There’s a simple way to check your machine for the presence of Superfish, Komodia, PrivDog & Co: we advise you to visit Filippo’s vulnerability test page and perform the vulnerability test: https://filippo.io/Badfish/ Important: do the test with every browser installed, because a browser may use its own certificate store rather than the Windows one.

Instructions for identifying and removing a root certificate from Windows can be found here: http://windows.microsoft.com/en-us/windows-vista/view-or-manage-your-certificates

Finally, we know that many AV (antivirus) products will find and remove Superfish, Komodia, PrivDog and similar crap; nevertheless we still strongly advise you to perform the Filippo vulnerability test and also to check your machine for untrustworthy certificates.
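As an added check that is not part of the original post, the following PowerShell script (our own code, not Lenovo’s, Komodia’s or Filippo’s) enumerates the machine-wide and per-user root certificate stores and reports any root whose subject or issuer matches the names from this post, as well as any root for which Windows holds a private key. The name list is an assumption based on the “Type Superfish etc into the search box” advice above; the private-key check rests on the fact that a legitimate public root CA never ships its private key to end-user systems.

```powershell
# Added example, not part of the original post. Lists root certificates in the
# Windows stores whose subject or issuer matches the names from the post, and
# flags any root certificate for which a private key is present on the machine.
# The assumption that the bad certificates carry these names in their subject
# is ours; extend $Patterns if your AV vendor reports a different name.

$Patterns = @('Superfish', 'Komodia', 'PrivDog')
$Stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuspectRootCert {
    param(
        [string[]]$Stores,
        [string[]]$Patterns
    )
    # Build one case-insensitive regex from the literal names (-match ignores case).
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $nameHit = ($_.Subject -match $regex) -or ($_.Issuer -match $regex)
            if ($nameHit -or $_.HasPrivateKey) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NameMatch     = $nameHit
                    HasPrivateKey = $_.HasPrivateKey
                    NotAfter      = $_.NotAfter
                }
            }
        }
    }
}

$suspects = Find-SuspectRootCert -Stores $Stores -Patterns $Patterns
if ($suspects) {
    $suspects | Format-Table -AutoSize
} else {
    Write-Output 'No root certificate matched the name list and none carries a private key.'
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store is readable. Once you have confirmed a hit is unwanted, it can be deleted with Remove-Item on its store path and thumbprint (for example Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"), which does the same as the certmgr.msc delete described above. Two caveats: a machine that itself acts as an enterprise CA will legitimately show HasPrivateKey on its own root, so do not delete those blindly; and Firefox keeps its own certificate store, which this script does not inspect, so the browser-by-browser Badfish test remains necessary.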


March 1, 2015 Posted by | Uncategorized | Leave a comment

Surf Smokey’s with confidence: all external links in posts are checked and rated by WOT – Web of Trust

Being a serious security board, we take our members’ web safety very seriously. This is why we have integrated the WOT (Web of Trust) feature on our board, Smokey’s Security Forums.
All members are now able to view the safety rating of any link provided on our site, and can see the trustworthiness, vendor reliability, privacy, and child safety of any site before clicking the link. More about WOT below.

WOT- Web of Trust

WOT warns you about risky websites. It helps keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites, by warning you before you interact with a risky website. This is the reason that all external links in posts on Smokey’s Security Forums are from now on checked by WOT, which is intended to make surfing via our board safe.

WOT is also available as a free Internet security addon for your browser. We advise you to download and install this useful addon. It is a free, extra layer of defense against risky websites.

WOT is available as an addon for Firefox and Internet Explorer.

System requirements

– WOT Firefox addon:

Operating system: Windows (all), Mac OS X, or Linux
Browser: Mozilla Firefox 1.5 or newer (3.0 recommended)

– WOT Internet Explorer addon:

Operating system: Windows 2000 / XP / Vista (XP or Vista recommended)
Browser: Microsoft Internet Explorer 6.0 or newer (8.0 recommended)

More info about WOT – Web of Trust and the addon download: http://www.mywot.com/

Happy surfing, 🙂

Smokey

August 8, 2009 Posted by | Advisories, Anti-Spyware, Anti-Virus, Bundleware, Downloads, Malware, Phishing, Recommended External Security Related Links | 3 Comments

AV-Comparatives Review DefenseWall HIPS: 100% Detection Score

Last week the acknowledged testing organization AV-Comparatives published a comprehensive DefenseWall HIPS test/review.
The program is the most important product of SoftSphere Technologies, a company primarily active in the field of information security, whose mission is to develop reliable means of protection against existing and future threats such as viruses, spyware or rootkits.

AV-Comparatives tested the software on 100 current malware samples (adware, spyware, viruses, Trojan horses, backdoors, etc.) that were not detected by other major anti-virus products at the time of testing. All the samples were either detected or executed as untrusted without compromising the system. Excellent test result: a protection rate of 100%!

My congratulations to SoftSphere Technologies; this result underlines again that DefenseWall HIPS is a top-notch Host Intrusion Prevention System.

Please keep in mind that the software should be regarded as being a supplement to an Anti-Virus product and not as a replacement.

The full review is available in English and in German.

Links:

AV-Comparatives Softsphere DefenseWall HIPS Review
SoftSphere Homepage
SoftSphere Technologies Support Forums

May 29, 2009 Posted by | Advisories, Anti-Spyware, Anti-Virus, Malware, News, Recommended External Security Related Links, Toolbarware | 1 Comment

Safe Computing and Preventing Malware Infections

The current outbreak of the polymorphic worm Downadup, aka Conficker and Kido, and all its variants makes very clear that many users don’t act in a responsible and secure way. After all, at the moment 9 (nine) million PCs are contaminated by that worm because of a missing Microsoft Security Update for Windows (KB958644). At the same time numerous users don’t possess safe computing and surfing habits, ignore standard precautions, haven’t the slightest idea how to prevent malware, and in case they have a PC contaminated by malware they try to clean the PC by themselves or with help from self-declared “security experts”. Keep in mind that malware cleaning/removal isn’t a job for amateurs; it is a dedicated job for well trained and fully qualified malware hunters.

Safe computing/surfing and preventing malware is a matter of education. Only well educated users have a reasonable chance to remain “clean”. The sole aim of me and my staff on Smokey’s Security Forums is to serve this goal by providing the user, for free, with Education, Support, Help and Advice, and in case the PC of the user is infected by malware, to offer malware cleaning/removal by real security experts: comprehensively trained, fully qualified HJT/OTListIt2 Analysers/Malware Hunters.

Some basic rules for safe computing, related links at the end of this post:

– Activate the automatic update function in Windows. Always accept and install all updates offered by Microsoft.
– If you don’t like automatic updates, consider using the Microsoft Baseline Security Analyzer (MBSA). MBSA is an easy-to-use free tool that helps individuals and small and medium businesses determine their security state in accordance with Microsoft security recommendations, and offers specific remediation guidance. It improves your security management process by detecting common administrative vulnerabilities and missing security updates on your computer systems.
– Always install all Service Packs offered by Microsoft.
– Educate and protect yourself, e.g. by visiting my board and reading the FAQs, How-To’s and Advisories concerning Safe Computing and Preventing Malware.
– In case your PC is infected by malware, adware or any other undesired badware or nasties, visit my board to get rid of such crap. Only fully qualified HijackThis & OTListIt2 Log Analysers/Malware Hunters will handle these infections and help you in a professional way, of course for free, to get rid of them. Note: only registered board members will receive malware removal/cleaning help; registering on my board is also free.

Update 2010-14-03: Guests allowed to post on Smokey’s for Log Analysis and Malware Removal help

Links

Smokey’s Security Forums
FAQs, How-To’s and Advisories concerning Safe Computing and Preventing Malware
HijackThis (HJT) & OTListIt2 Log Analysis and Malware Removal/Cleaning Assistance and Services
Microsoft Baseline Security Analyzer (MBSA) Frequently Asked Questions
Download Microsoft Baseline Security Analyzer

Safe computing!

Smokey’s Security Forums is Site Member ASAP

January 17, 2009 Posted by | Advisories, Anti-Spyware, Anti-Virus, Bundleware, Downloads, Friends, Phishing, Recommended External Security Related Links, Toolbarware, Uncategorized, Vulnerabilities | Leave a comment

Free Online Virus, Spyware, other Malware, Suspicious File, Security Check and System Health Scanners

As most people know, my board Smokey’s Security Forums provides Information, Support, Help and Advice concerning all security related issues. As an extra service we also have a general Hardware/Software section.

Malware removal/cleaning is just one of the many services we offer. E.g. we have a HijackThis & OTListIt2 Log Analysis/Malware Removal & Cleaning Forum (English language) and Hilfe bei Problemen mit Viren, Trojanern, Würmern, Spyware, Adware, Ransomware, Popups und sonstigen Schädlingen (German – Deutsch language), where fully qualified malware experts will help you clean your infected PC.

We also have an Online Virus, Spyware, other Malware, Suspicious File, Security Check and System Health Scanners Forum. There you will find 24 free (partly multi-engine) online services for scanning suspicious files and/or free system scanners. Several of these online services will also remove malware and clean your PC. Feel free to use these services; however, in case of a PC contaminated by malware we strongly advise you to ask for personal help in our HijackThis & OTListIt2 Log Analysis Forum, as only qualified malware experts will be able to clean your PC in a satisfying and secure way.

Current online scan services we offer are:

– a-squared Anti-malware Free Online Scan
– Arcabit Free Online Scan
– Bitdefender Free Online Scan
– Eset NOD32 Antivirus Free Online Scan
– Ewido/AVG Malware Free Online Scan
– F-Secure Antivirus Free Online Scan
– F-Secure Free Online security updates identifier
– Jotti Virus/Malware Multi-engine Free Online Scan
– Kaspersky Antivirus Free Online Scan
– McAfee FreeScan Online Scan
– Norton Security Scan
– Panda Antivirus TruePrevent Free Online Scan
– PrevX CSI Online Adware scanner
– Secunia Free Software Inspector
– SpywareInfo Spyware/AdWare Free Online Scan
– Symantec Security Check Free Online Scan
– Tenebril Spyware Free Online Scan
– TrendMicro Antispyware Free Online Scan
– WindowSecurity.com TrojanScan Free Online Scan
– Virus Chaser Free Online Scan
– VirusChief Multi-engine Free Online Scan
– VirSCAN Virus/Malware Multi-engine Free Online Scan
– VirusTotal Virus/Malware Multi-engine Free Online Scan
– Virus.org Rogue File Multi-engine Free Online Scan

All services we offer are free, but please keep in mind that only registered board members will be able to take advantage of these services.

November 8, 2008 Posted by | Advisories, Alerts, Bundleware, Friends, Malware, News, Norton Internet Security, Recommended External Security Related Links, Vulnerabilities | 1 Comment

Protect yourself against the Criminal Rackets of Wimbledon crooks!

Computer users should be aware of the importance of scanning all web traffic for malware following the discovery that webpages on the Association of Tennis Professionals (ATP) website have been infected with malicious code.

Pages on the ATP website are just some of the thousands on the internet to have been injected with a malicious script called Mal/Badsrc, according to Sophos experts. The script downloads another malicious script triggering an infection process which ultimately infects the victim with spyware.

Web security experts at Sophos note that by infecting pages on the website the hackers may capitalise on excitement surrounding Wimbledon 2008, one of the four grand slams in the tennis calendar making up part of the ATP tour, as tennis fans will be likely to visit the website keen to find out the latest news.

“The hackers responsible for this attack don’t care what sites they infect, so long as there is a stream of potential victims likely to surf across the net, straight into their trap. The ATP website is just one of many sites to have been exploited by hackers trying to steal information from innocent internet users,” said Fraser Howard, principal virus researcher at Sophos. “With the Wimbledon tournament taking place at the moment, the ATP website will be receiving a spike in visitors – but any tennis fan visiting the infected pages on the site risks being served straight into a crook’s criminal racket.”

Source: SecurityPark

June 28, 2008 Posted by | Advisories, Alerts, Malware, News, Recommended External Security Related Links, Vulnerabilities | Leave a comment

HijackThis & OTL (formerly OTListIt2) Log Analysis and Malware Removal & Cleaning

What are HijackThis and OTL (formerly OTListIt2)?

HijackThis is a free utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan.

OTL is a very sophisticated log/report tool that does the same as HijackThis and a lot more. You can see it as the successor of HJT.

IMPORTANT: HijackThis/OTL does not determine what is good or bad.
Do not make any changes to your computer settings using HijackThis and/or OTL unless instructed by a member of the HJT/OTL Analyzers/Malware Hunters group of Smokey’s Security Forums.

Procedures before submitting a HJT or OTL log to Smokey’s Security Forums

– Please register on the forum… Here, it is for free.

– Before submitting a HJT/OTL log to Smokey’s Security Forums, we ask that you follow this procedure first as described… Here.

– Once you have followed all instructions, post your HJT or OTL log on the forum… Here. German – Deutsch customers can post here.
Then please wait for your log to be answered. Answers, help and support will be given by fully qualified HJT/OTL Log Analyzers/Malware Hunters. The offered HJT/OTL services are also free.

See ya, 😉

Starbuck
Team Leader HJT/OTL Analyzers/Malware Hunters

Update 2009-12-11: from now on, Smokey’s Security Forums will only accept OTL logs; HJT logs will no longer be accepted.

Update 2010-14-03: Guests allowed to post on Smokey’s for Log Analysis and Malware Removal help

June 22, 2008 Posted by | Advisories, Bundleware, Friends, Malware, Recommended External Security Related Links, Vulnerabilities | Leave a comment

Photobucket are not cleaning up their act: continuous malvertizements on their website

Photobucket has been mentioned several times because of malvertizements appearing on the site. The most recent outbreak is proving to be problematic, to say the least.

They have been advised several times that there are malvertizements appearing on their web site. Photobucket have been given sufficient information to enable them to quickly identify and remove the malvertizements. Email acknowledgements have been received from Photobucket advising that the malvertizement reports would be forwarded to the “advertising team”.

The malvertizements have also been reported to the advertising networks being used to host and distribute the malvertizements.

Why, then, are the malvertizements cited here still appearing on the Photobucket web site?

rlslog.net were able to get rid of the malvertizements reported to them. mininova.org were able to get rid of the malvertizements that were reported to them. Why is it so hard for photobucket.com to clean up *their* act???

Because of Photobucket’s condemnable ignore-attitude/tactics, and to protect users against malware, the strong advice is:

nobody should visit photobucket.com unless they have software in place that will prevent any advertisements on that site from being displayed on their computer.

This advice stands unless and until the malvertizements are removed AND photobucket.com can give reassurance that:

1. Photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again; and
2. Photobucket have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately.

Source: SpywareSucks

May 13, 2008 Posted by | Advisories, Alerts, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities | Leave a comment

Java Anonymous Proxy (JAP): once a Crook, always a Crook?

Today’s post on DSLReports with the subject “JAP” drew my attention.

From the Java Anonymous Proxy (JAP) homepage:

JAP makes it possible to surf the internet anonymously and unobservably. Without anonymization, every computer on the internet communicates using a traceable address. That means:

– the website visited,
– the internet service provider (ISP),
– and any eavesdropper on the internet connection

can determine which websites the user of a specific computer visits. Even the information which the user calls up can be intercepted and seen if encryption is not used. JAP uses a single static address which is shared by many JAP users. That way neither the visited website, nor an eavesdropper can determine which user visited which website.

Sounds great. Especially because the software and services are free. But after reading the DSLR post my mind about JAP changed.

SUMware mentioned in the DSLR post a 2003 SecurityFocus article about the fact that JAP’s anonymity service was (and still is?) back-doored. Sounds not good anymore; sounds really bad.

Excerpt from the SF article:

The popular Java Anonymous Proxy (JAP), used to anonymise one’s comings and goings across the Internet, has been back-doored by court order. The service is currently logging access attempts to a particular, and unnamed, Web site and reporting the IP addys of those who attempt to contact it to the German police.

We know this because the JAP operators immediately warned users that their IP traffic might be going straight to Big Brother, right? Wrong. After taking the service down for a few days with the explanation that the interruption was “due to a hardware failure”, the operators then required users to install an “upgraded version” (ie. a back-doored version) of the app to continue using the service.

“As soon as our service works again, an obligatory update (version 00.02.001) [will be] needed by all users,” the public was told. Not a word about Feds or back doors.

Fortunately, a nosey troublemaker had a look at the ‘upgrade’ and noticed some unusual business in it, such as:

    CAMsg::printMsg(LOG_INFO,"Loading Crime Detection Data....\n");
    CAMsg::printMsg(LOG_CRIT,"Crime detected - ID: %u - Content:\n%s\n",id,crimeBuff,payLen);

and posted it to alt.2600.

Soon the JAP team replied to the thread, admitting that there is now a “crime detection function” in the system mandated by the courts. But they defended their decision:

“What was the alternative? Shutting down the service? The security apparatchiks would have appreciated that – anonymity in the Internet and especially AN.ON are a thorn in their side anyway.”

Sorry, the Feds undoubtedly appreciated the JAP team’s willingness to back-door the app while saying nothing about it a lot more than they would have appreciated seeing the service shut down with a warning that JAP can no longer fulfill its stated obligation to protect anonymity due to police interference.

A press release from ICPP assures users that JAP is safe to use because access to only one Web site is currently being disclosed, and only under court-ordered monitoring.

But that’s not the point. Disclosure is the point. The JAP Web site still claims that anonymity is sacrosanct: “No one, not anyone from outside, not any of the other users, not even the provider of the intermediary service can determine which connection belongs to which user.”

This is obviously no longer true, if it ever was. And that’s a serious problem, that element of doubt. Anonymity services can flourish only if users trust providers to be straight with them at all times. This in turn means that providers must be absolutely punctilious and obsessive about disclosing every exception to their assurances of anonymity. One doesn’t build confidence by letting the Feds plug in to the network, legally or otherwise, and saying nothing about it.

Telling us that they only did it to help catch criminals isn’t good enough either. Sure, no normal person is against catching criminals – the more the merrier, I say. But what’s criminal is highly relative, always subject to popular perception and state doctrine. If we accept Germany’s definition of criminal activity that trumps the natural right to anonymity and privacy, then we must accept North Korea’s, China’s and Saudi Arabia’s. They have laws too, after all. The entire purpose of anonymity services is to sidestep state regulation of what’s said and what’s read on the basis of natural law.

The JAP Web site has a motto: “Anonymity is not a crime.” It’s a fine one, even a profound one. But it’s also a palpably political one. The JAP project inserted itself, uncalled, into the turbulent confluence between natural law and state regulation, and signaled its allegiance to the former. It’s tragic to see it bowing to the latter.

I don’t know whether JAP’s anonymity service is, anno 2008, still back-doored.

The main question after the JAP back-door issue is: can we ever trust JAP again? My answer is a clear NO. JAP will always have an element of doubt.

SecurityFocus hit the nail on the head with the following remark in the article:

Anonymity services can flourish only if users trust providers to be straight with them at all times. This in turn means that providers must be absolutely punctilious and obsessive about disclosing every exception to their assurances of anonymity. One doesn’t build confidence by letting the Feds plug in to the network, legally or otherwise, and saying nothing about it.

I share SF’s opinion. Therefore, stay away from JAP.

April 26, 2008 Posted by | Advisories, Alerts, Downloads, Malware, News, Recommended External Security Related Links | Leave a comment

Free HJT/OTL (formerly OTListIt2) Log Analyzing and Malware Cleaning Services again available on Smokey’s

After a period in which the HJT/OTL (formerly OTListIt2) Log Analyzing/Malware Cleaning Forum was closed, I am pleased to announce that from now on Smokey’s Security Forums again offers HijackThis & OTL Log Analyzing & Malware Cleaning related Support, Help and Advice.

This (free) help will only be provided by fully qualified HJT/OTL Analyzers/Malware Hunters, in order to maintain the high standards of my forums: Help and Support only by qualified people.

Update 2010-14-03: Guests allowed to post on Smokey’s for Log Analysis and Malware Removal help

April 25, 2008 Posted by | Advisories, Bundleware, Downloads, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities | Leave a comment

The tendency of (pre-checked) toolbars

At the moment there is heavy discussion on various boards alleging that Grisoft AVG has included the Yahoo Toolbar with its new Security Suite.

It is obvious that money is all that counts for several software houses; morals aren’t available anymore. It is a shame that even well respected security companies ship their (paid) software with these toolbars.

March 9, 2008 Posted by | Bundleware, Friends, Recommended External Security Related Links, Toolbarware | Leave a comment