Safemail Network
Dedicated to making consumer-level security information available and accessible to the average netizen. We are currently compiling links to network resources that will help ordinary netizens improve their chances against Internet predators, and a dictionary to translate many geekisms (spambot, rootkit, "in the wild") into common English.

Snipping Out the Spammers

They said it could not be done, but for at least one day authorities managed to cut the level of spam on the Internet by 50%. The feat was accomplished not by shutting down the servers of the target ISP, but by arranging for the ISP to be disconnected by it's neighbors on the Internet. Since the Internet is really a network of network using common protocols, if no network lets the bad guys connect then the bad guys finished. StrategyPage has a writeup on the takedown, and on the spectacle of a half million spambots frantically trying to reconnect to their pharmers. The Washington Post's Brian Krebs broke the story of McColo's sudden disappearance from the Web on the 13th.

The China Connection

That stack of spam in your mailbox may be an attempt to get your credit card number or bank account, or it could be a link in creating the next big blackout. The National Journal Magazine today reports that, among other things, two major East Cost power outages, including the largest blackout in North American history, were likely the result of Chinese intrusions by the People's Liberation Army. The lengthy article discusses China's Cyber-Militia, military, government, and private elements in the People's Republic of China organized and supported by the government to engage in internation cyber-warfare.

The Chinese are not alone on this battlefield, of course. Russia has been accused of cyber-attacks on Estonia, and the US Air Force is standing up its Cyberspace Command to address cyberattacks and cyberwarfare head on.

There is no end to the number of people who want to put you computer to bad use. Be careful out there.

The Great Compromise

iTnews is reporting an attack that has compromised approximately 200,000 web sites according to McAfee estimates. This attack targets phpBB vulnerabilities to establish a Javascript link to a pornography site. phpBB is commonly used forum software. When the user attempts to access the content, they are prompted to accept a codec to support viewing site content. The codec is malware. The user will be told the codec could not be downloaded once the malware payload has been delivered.

Other exploits may be less obvious than a porn link, and even otherwise familiar and reputable vendors may be victimized by such exploits. Just last week 10,000 web sites built on Microsoft ASP technology were compromised. In that attack, there was no social element, users were silently redirected to a web site with a variety attacks to probe the user's browser.


  1. Don't enable Javascript for sites that don't need it. Internet Explorer and Firefox both provide security features to assure this.
  2. If available, use plug-ins to frustrate cross site scripting attacks, including that silent redirect trick.

The Noscript plug-in for Firefox offers protection in both of these areas.

The Man Who Would Be King

Take heart! Robert Soloway was once pegged as the eighth biggest spammer in the world, and crowned "Spam King" by Federal prosecutors. We find in the Seattle Times that Mr. Soloway:

...pleaded guilty Friday to felony mail fraud, fraud in connection with electronic mail and failing to file a tax return in 2005, the year he made at least $300,000 through his junk e-mail business.

We are pleased to note that tanj, the curse from Larry Niven's Known Space stories signifying "There Ain't No Justice" and so often applicable to the world of spam, is not entirely applicable to at least one case. Mr. Soloway is scheduled to be sentenced in June, and is facing up to 20 years. We also hope that the judge takes a long hard look at his inbox in arriving at the proper sentence.

Digital Picture Frame Threat

You have heard about the deadly pet food and the lead laced children's toys, now the mainland Chinese appear to be deeply involved in the latest successful malware penetration into consumer peripherals, digital picture frames. These devices connect to your computer and look like traditional picture frames, but they are able to infect your system undetected by Windows-based anti-virus software and, in the only exploit published so far, sends your online game passwords "home". Interestingly enough, home is usually turning out to be a privacy proxy in the People's Republic of China.

That targeted capability (spying game passwords) is highly specialized, implying that any exploit type is possible via this path. The only action required to infect the PC is to plug in the frame device. Currently, the attack is only effective against Windows machines. The San Francisco Chronicle reports here.

Recommendations: without more information on the attack vector, the assumption is that USB connections to new devices are exploitable. Cheap, off-brand USB devices would be the easiest to infect (like the digital picture frames sold through major chains like Target and Walmart). If infected, the only treatment is to reformat your hard drive, reinstall your operating system and applications, and restore your data from backup.

Adobe Acrobat Alert

Didn't find a lot of detail on this, but the "buzz" at Jerry Pournelle's Chaos Manor here is that there is an aggressive new Adobe Acrobat virus making the rounds and all versions prior to 8.1.2 are susceptible. Two recommendations: 1) these things get circulated in web ads and spam, if you uninstall the Adobe Acrobat plug-in from you browser and email client, PDF content won't be loaded until you download it; 2) update to Adobe Acrobat 8.1.2 here.

Flash Vulnerabilities Threaten Web Users

Vulnerabilities were discovered last summer that revealed Flash player, one of the most popular animation/user interface technologies on the web, to be a significant threat to the systems and data of the web browsing community. Flash is used heavily on upscale web sites like and for ad content on popular sites like Google and Yahoo. Even my bank uses bits of Flash content to spice up their web site. Other sites, especially in the entertainment promotion and gaming realms, require Flash be enabled to use the site at all.

This is a developing story. The vulnerabilities were discovered last summer and talks begun with Adobe, the makers of Flash. The fixes have not been quick in coming and none are included in recent patches from Adobe. Details about the vulnerabilities and how developers can avoid them do not appear to be available yet, but more information is expected in an upcoming book.

The Register sounds the warning here. The Slashdot crowd is even more profane than usually in their observation here. The discoverers have a book coming out that will include further details.

Choices to mitigate your vulnerability are to either uninstall the Flash players from your system or, if you can't get around using a site that requires Flash, use the Firefox browser with the Flashblock extension here.

Narrow, Targeted Phishing Attacks Elude Antivirus Scanners

A employee had his company credentials stolen, leading to the compromise of the customer list. A wave of targeted emails personalized with the customer info followed, and some passwords were compromised as a result. Then a wider range of attacks featuring malware hooks followed.

A related phish attack impersonated the FTC and was able to compromise 500 customers, resulting in a key stroke logger and screen-monitoring software being installed. The screen monitor allows the bad guys to see what is on your computer screen live, in real time. Like when you visit your bank site or your retirement fund.

Always remember to check email and web addresses before responding to an email, or better, don't. Attacks have been around for years that use downloads, even graphics, embedded in your email traffic to plant malware, steal identities, use Windows boxes to transmit spam, and much more. Graphics formats tend to allow embedded code to support special effects, and such code has been used in malware schemes for the last several years as well.

The Washington Post coverage is here and here, those cynical Slashdotters weigh in here.

Mac Porn Users Targeted

Reports of a possible Macintosh OS X exploit in the wild. From SC Magazine:

The trojan, a DNS changer that can be used to hijack search results and divert traffic to the hacker's website of choosing, has been spotted on numerous pornography sites, according to Intego. Attackers have attempted to navigate users to the malicious sites through comment spam posted to Mac forums. The trojan masks itself as a QuickTime plug-in.

ZD Net throws in a sample of the kind of requester you might see when encountering this malware on your Mac. The short answer when asked by your Mac if you want to download a codec is no. A codec is a protocol for handling multimedia data streams, and your Mac usually gets all it needs from updates of products like Quicktime. Accepting a site-offered codec is effectively allowing the site to download and run any software it likes.

The usual nerds at Slashdot drag out the usual quips and barbs in celebration of a likely first, a 0 day exploit in the wild for Mac OS X. Of course, Steve has a loooong way to go to catch up with the competition in this category, this would make one every 6.5 years.

"Storm" Shrinking?

The Storm Worm we covered on August 10th is shrinking claims PC World. Speaking to the University of San Diego's Brandon Enright, the botnet that the Storm Worm has produced has been significantly reduced since he started tracking it in July. He estimates that 15 million Windows computers have been infected at some point in the last nine months, of which 1.5 million were active in July, 200,000 of which might have been connected the web at any one time. His current estimates are 160,000 botnet members with 20,000 online at any given time. He cites much improved detection of Storm by industry virus scanners and Microsoft's September 11 inclusion of Storm support in their Malicious Software Removal tool.

The Slashdot take can be found here.

Carnegie Mellon Studies Cyber-Crime Counter Measures

Carnegie Melon working in concert with other institutions to study cyber-criminal behavior and develop countermeasures. The article describes the cyber-black market that revolves around intrusions, root-kits, and bot farms. From the article:

Carnegie Mellon University's Adrian Perrig and Jason Franklin, working in conjunction with Vern Paxson of the International Computer Science Institute and Stefan Savage of the University of California, San Diego, have designed new computer tools to better understand and potentially thwart the growth of Internet black markets, where attackers use well-developed business practices to hawk viruses, stolen data and attack services.

The usual gang at Slashdot comments on the article and the topic.

Rumors of the AOL Virus Worm's "Death"...

...have been greatly exaggerated. Slashdot pieces together the story of how the worm AOL said was foiled in the latest beta client wasn't, and the usual wags weigh sententiously on the matter. ZDnet's Ryan Naraine provides a compelling report and recommends that, if you are using AOL's AIM client, uninstall the client from your PC right now! The worm exploits vulnerabilities in Internet Explorer libraries used by the AIM client to present HTML.

There are 3rd party clients for the AIM service, such as Trillian, that are not affected and can be used until the situation with the AIM client improves.

Search Engine Privacy Competition

The Center for Democracy and Technology has released a report comparing the privacy-related policies of major search engines. With stories in the press about Google being nominated for the Big Brother Award in 2003 (they didn't make the cut for finalist) and Yahoo sending users email based on their search behavior, search engine users may want to know how their engine stacks up against the competition. The World Privacy Forum provides the following tips on keeping search engine use private.

Storm Worm Update

Network World has an update on the Storm Worm virus that appeared last January. Storm Worm may have assembled a botnet of 250,000-1,000,000 Microsoft Windows Internet hosts based on analysis of a recent surge in attacks. The Storm Worm spreads via e-mail using harvested addresses and the usual subject lines ("Worm Alert!"-type or news story headlines).

iPhone Exploit in the Lab

Some folks at Independent Security Evaluators have created a proof of concept exploit, capable of obtaining total control of an iPhone. The attack pathology requires that the user either

1) passes within range of a wireless access point using the same name as an access point in the iPhones trusted list and request a web page, or
2) visits a web site containing malicious code (via browser or email link).

Once established on the iPhone, the code runs with administrative privileges, capable of performing any malice. (Although the iPhone uses Mac OS X, the Macintosh user model is not fully implemented on the iPhone. On an OS X Macintosh computer, the exploit would be limited to the user's privileges. On the iPhone, the browser, Safari, is run under the UNIX root user ID with full privileges.)

Exploits in the lab do not usually convert directly to exploits in the wild (for example, exploits that are actively operating on the Internet). "White hat" organizations will often seek out vulnerabilities and develop exploits to keep their staffs in fighting trim and to gain publicity.

Does this mean that OS X is no longer exploit free? This is actually a trick question, there have been several exploits in the lab developed for OS X. Occasionally this has even led this or that tech commentator to declare that the Mac is now just as susceptible to malware as Brand X. But there have been no reported exploits in the wild that are effective against an up to date OS X system, a record envied by Brand X.

Issues with Firefox Password Manager

Heise Security reports a continuing vulnerability with Firefox's Password Manager. Of special concern to those visiting user-content type web sites such as MySpace, black hats can use JavaScript in their content to gain access to your user name and password for that site. The JavaScript invisibly prompts for the login fields and Password Manager obliges. There are related vulnerabilities in the Mozilla and Safari browsers.

We also generally recommend avoiding features like Password Manager because they store account information on disk, where a bad guy might find it. While such features generally encrypt the password, cracking commercial quality encryptions is quicker with each new CPU generation. The best way to protect passwords is to avoid writing them down or storing them electronically.

We also recommend installing the Firefox NoScript add-on as mentioned in the article. Using NoScript, you can prevent all sites from running JavaScript, and turn on JavaScript for just those sites that really require it and are important to you as you go.

For geek takes on the article, go here.

Beware of Electronic Greeting Cards

The Chaos Manor mails today include a warning about a botnet recruiting exploit disguising itself as a greeting card. The email, spreading the Storm Trojan, tries several strategies to compromise the recipient's system. The attack tries compromises via Javascript, QuickTime, and WinZip exploits, among others, to download ecard.exe. Ecard.exe renders the victim system a zombie spambot, a system that sends spam email at the direction of a bot herder. According to SANS, only a quarter of 30 different virus programs identified the ecard.exe download as suspect. As of June 28 Microsoft, Symantec, McAfee, Kaspersky, and ClamAv were among the scanners unable to detect the trojan in ecard.exe. AntiVir, eSafe, F-Secure, Norman, Sunbelt, and Webwasher-Gateway caught that there was a concern with the file. The Storm Trojan in ecard.exe has been known to be active "in the wild" since January.

Macintosh and Linux systems are not vulnerable.

We've seen a dozen emails that fit the description in the last week, so you probably have too. If you clicked on the email, seek assistance. SANS puts the victim list in at least the tens of thousands. Victims may (or may not) find a file named C:\WINDOWS\system32\windev-peers.ini on their systems. The best course is usually to reformat the hard drive(s), do a clean install, and restore your files from backup.

DoD: The Cyber War

Home users are not the only ones being compromised, of course. StrategyPage outlines a big ramp up in DoD anti-malware efforts, the 46% increase in attacks on DoD web sites, and describes some of the better known recent attacks.

FBI Operation Bot Roast

StrategyPage is reporting on an FBI operation that has identified over a million compromised systems on the Internet. The FBI press release even names some names of individual "bot herders" that they accuse of having compromised tens of thousands of systems.

Windows Update Exploit

The Beeb is reporting a new Windows exploit, Jowspry, that uses the file transfer capability in Windows Update to bypass firewalls and download malware. The exploit has been found in emails. Windows users should be using a virus checker, should update their virus databases, and delete emails suspicious emails.

We also strongly recommend connecting to the Internet via an appliance firewall device with virus checking, available to consumers for under $200, to assure detection of malicious Windows Update downloads. Appliance firewall devices are much harder to compromise than your PC (they are not opening email and browsing sites) and will detect and notify you of suspicious inbound and outbound traffic, regardless of level of trust assigned to the software by Microsoft.

A few days ago I was building a new Windows box and, despite normal precautions, was compromised after less than 12 hours of up time. My mistake was probably using a search site with advertising before the last security update was installed (the updates appeared complete at the time), but a Windows Update based attack cannot be ruled out. Since the attack was made through my appliance firewall, it is likely new. I noticed the attack because it disabled my Windows-based security software. I scrubbed the drive and started over.

Possible Zero-Day Exploit for Mac Wins Hacker Contest

As good as OS X's track record has been on security the last six years, Mac users who are feeling impervious have new reason to take precautions today. CNET is reporting that Dino Dai Zovi and Shane Macaulay won the PWN to Own Hack-a-Mac contest at the CanSecWest Conference in Vancouver.

The attack succeeded against a MacBook with all security patches applied (including those released this week), but with no additional security products installed. The attack was able to exploit a Safari bug that may be previously unexploited, making it a "zero-day exploit", meaning that the exploit is created before the good guys have identified and begun work on the vulnerability. Most exploits are based on analysis of software patches to find vulnerabilities that were fixed in the patch. Exploits created in this way are easier to develop but will only work against unpatched systems. Zero-day exploits are considered the most dangerous malware because it may take weeks or months to develop an effective patch.

There are several good security options for OS X. ClamXav is a freeware virus scanner that will also cheerfully alert Mac users when a foreign virus has found its way to the system. The NSA site under Resources includes a short book on securing Macintoshes. There are also commercial security products for firewall, virus scanning and spyware detection. Little Snitch is an affordable shareware alternative that can be configured to warn you when an application attempts to make a network connection. A while back when Apple hired a third party to monitor the playing habits of iTunes customers, Little Snitch warned me that something was up.

Mac users have every right to feel safer than their Windows brethren, but a kilobyte of prevention is worth a gigabyte of cure.

Sony's DRM Madness Drags the Brand Down Again

A number of consumers are put out today, finding that their new Sony DVDs of Stranger Than Fiction, Casino Royale, and The Pursuit of Happyness unplayable. Compared to rootkitting 6 million consumer computers, shipping defective disks is a relatively good day for Sony. Of course, that story took weeks to develop, with customers and state attorneys general discovering that even selecting the option provided not to install Sony's software included on their CD offering did not prevent installation of a rootkit. compromising user's operating systems and leaving backdoors for other bad guys to exploit. All in the name of protecting Sony's intellectual property.

A spokesman for Sony indicated that it is actually the DVD players that are defective, breaking Sony's new DVD's Digital Rights Management (DRM) software. Many of the DVD players in question are manufactured by Sony. According to posters at Slashdot, the news for nerds site, the problem can be circumvented using the sorts of readily available toolkits that make vendors using DRM apoplectic.

The Sony Rootkit Scandal is described on Wikipedia here.

[Note: In a story dated April 17, 2007, Sony announced it would replace the affected disks. Customers can call 800-860-2878 for replacement disks.]

Why a consumer-oriented site?

There are legions of voices seeking the professional information technologist's ear, but not so much the consumer. Certainly there are a steadily rising number of security products targeted at the consumer, first virus scanners, then firewalls, spam managers, and spyware detectors just to name the major categories targeting the consumer. There is no way Ma and Pa Kent are making sense out of the zoo of increasingly complicated security issues. Network security is a game of cops and robbers for even the best network operations, and the software tools available to the bad guys are amazingly sophisticated. Rival powers and terrorists are in the game as well as the script kiddies and phishers. The BBC has published here that up to one quarter of the 600 million hosts on the Internet may be captured in botnets.

ISP Hampered Sites

A fundamental concept at the core of the Internet has been access for everyone to everything. In 2000 two Virginia providers were caught blocking sites and rescinded the practice. The most notorious counterexample is China, where the government vigorously censors and blocks sites. Backbone providers the last few years have made noises about charging "premium" sites for "premium" access, threatening those sites (e.g., Google, Amazon) with slower transmission times across their net if they didn't pay up. This move was counter to the prevailing service model and enraged veteran Internet professionals. Since a handful of backbone providers carry most inter-city traffic, the threat is very real. A typical packet bringing you a bit of web site will make 15-40 "hops" on the way from the web site to you, passing through equipment owned by 2-5 providers.

Over the holidays, I had very slow access to a handful of sites I routinely use, including my bank's site. I looked at every aspect of my network and even performed tests with one site owner before finding the answer. I had made a change last summer to my Internet account and started using my ISP's firewall in addition to my local firewall box as a belt and suspenders measure. I had initially discounted a firewall as the source of the problem because the typical firewall either permits or prevents access, and I was seeing access slowed to a crawl (up to an hour to render my bank's site). When I turned off my provider's firewall the bank site rendered in under 10 seconds.

This is not to suggest that my provider was engaging in "premium" practices, the sites involved seemed unlikely targets of such attention. There have always been snafus in Internet traffic owing to traffic fluctuations, changes in traffic composition (e.g., video and voice-over-IP traffic increasing bandwidth share over HTTP and email), provider mistakes and provider equipment failures. Even attacks by high school students and regional powers have affected Internet service.

The concept of "net neutrality" has been making the rounds in Congress lately. Net neutrality is an attempt to make lawwhat has been the custom among Internet providers for decades, that packets not be treated differently on the basis of "whose" packets they are. The legislation drafted so far tends to complicate the issue dramatically with little prospect of enforceability.

The best chance for protecting net neutrality appears to be in press vigilence and consumer education. The Internet's current usefulness is in part a product of the fabric of practices and conventions that have grown up around this new technology. If there is packet discrimination, then there will be retaliation. A backbone provider denies Google equal access, Google's provider denies access to packets routed from the backbone provider, and what is currently (in the free world at least) known as the Internet becomes segmented, and the whole concept of a net between nets is lost to a million turf battles and extortion schemes impacting what percentage of your personal traffic completes its journey.

Featured Definition: Spambot - n. 1. a network host that has been compromised for the purpose of sending junk e-mail ("Spam") on the Internet; 2. (loosely) a network host that has been compromised to exploit its Internet resources. There are millions of spambots and other "owned" bots on the Internet, typically consumer Windows systems that have been compromised on exposure to the Internet, though other operating systems are also victimized.