SoCal IT Pro Association Newsletter                           Volume 3  Number 4
Southern California Information Technology Professional Association        April 1, 2005

Welcome Members, Visitors and Friends!
Oh boy, are you gonna love this! Outlook & IE are in jeopardy, and our first presenter this month discovered the fault! See you at the meeting! Read on...

Inside this Issue:
SoCal IT Pro Association announces its New Online FORUM!
Critical flaws in IE and Outlook discovered
Instant Messaging Threats on the Increase!
Meeting Announcement: presents:
Previous Meeting: Stonefly Networks and
Article: Damned Spyware... by 00111
Feedback from the Readers
Final Notes…
Email the Editor

And Now, The News...

SoCal IT Pro Association announces its New Online FORUM!

By Golly, they've finally done it! We now have an Online FORUM! Now (well, finish reading the Newsletter first!) you can register and log into our Online FORUM, and read the latest news, the most recent posts, or post your own items. Start a thread by posting a question. Get help from any of our highly qualified professionals! You may even wish to be a moderator for a specific discussion group. Don't miss out! Be a part of our Online FORUM experience! To get to the new Online FORUM, GOTO http://www.SoCalITPro.org and follow the link on the front page!


CRITICAL FLAWS IN MICROSOFT'S IE AND OUTLOOK DISCOVERED!

In a ZD-Net News article by Dawn Kawamoto of CNET News.com, published on April 1, 2005, it was reported that serious critical flaws had been discovered in Internet Explorer and Outlook by eEye Digital Security.

"The vulnerabilities allow for remote code execution with no actions from the computer user, eEye said. Although the flaws would not allow self-propagating worms to infiltrate a system, there is the potential of attackers installing backdoor Trojans without a person's knowledge, Ben Nagy, an eEye senior security engineer, said Friday."

Fortunately, we have eEye Digital Security presenting "Vulnerabilities" at our April meeting! You'll be able to ask them directly about this new problem. If you would like to read the full story on ZD-Net, click this link!


Instant Messaging Threats on the Increase!

Matt Hines, CNET News.com, reports on April 5, 2005, that Instant Messaging threats are sharply increasing this year.

"According to a report issued Tuesday by the IMlogic Threat Center--an industry consortium led by security software maker IMlogic--the quantity of instant messaging threats increased 250 percent in the first quarter of 2005, compared with the same period last year. The research, which tracks viruses, worms, spam and phishing attacks sent over public IM networks, also contends that reported incidents of newly discovered IM threats have grown by a whopping 271 percent this year."

To get the full story, click this link!


Meeting Announcement: Thursday, April 14, 2005:

April's first presentation, by Storage Tek, http://www.storagetek.com, will be "All Data are Not Equal," covering Information Lifecycle Management (ILM) and the different tiers of storage for DAS, NAS, and SAN environments.

Next, eEye Digital Security, http://www.eeye.com, will discuss "Vulnerabilities: The Weakest Link in Network Security". Security vulnerabilities are everywhere. In addition to the countless number of software patches platform vendors push out on a daily basis, configuration errors also contribute to an organization's overall attack surface, opening up an enterprise to countless attacks. eEye Digital Security, the leaders in proactive network security, will discuss the most prevalent types of vulnerabilities, how to assess your overall security posture, and best practices for managing vulnerabilities across any size of organization. As an added bonus, one of eEye's most heralded researchers, Barnaby Jack, will discuss eEye's vulnerability research methods and agenda.

This month's MCT Corner presented by QuickStart is yet to be announced, but will begin at 6:30 pm.

Now, once again, we present this exciting offer:

VALUABLE NEWSLETTER COUPON

FOR SoCal IT Pro Association MEMBERS ONLY

PRESENT THIS COUPON WHEN YOU SIGN IN AT THE ADMISSIONS TABLE TO RECEIVE

1 FREE EXTRA RAFFLE TICKET

A SECOND CHANCE TO WIN A FABULOUS DOOR PRIZE!!!

That's right! Cut out the above coupon, present it at the admission table, and receive your extra, FREE Raffle Ticket! As always, please RSVP on the http://www.SoCalITPro.org website (it helps us to know how much PIZZA to order). The link is on the lower left hand side of the home page.


At the Previous Meeting...

At 6:30 pm, QuickStart Intelligence presented its MCT Corner. This month's presentation was on .NET Remoting. Using the .NET framework, you can create network communication applications. .NET Remoting can use either the TCP or the HTTP protocol stack; TCP with binary formatting is the fastest, while HTTP with SOAP is the slowest. A demonstration showed how a few lines of code could create pop-up communication windows. It was quite fascinating. You really should have been there. I know you'll want to be on time, at 6:30 pm this month, for QuickStart's next MCT Corner!


Trend Micro's Neil Gipson, Sr. Pre-Sales Engineer, neil_gipson@trendmicro.com, presented "Malware." First, he provided us a taxonomy of these nasty critters and some definitions of each, as shown below:

Definitions:

  • Malware: A program that performs malicious actions.

  • Trojan Horse: A malware that performs unexpected or unauthorized actions.

  • BackDoor Trojan: A malware that opens up a computer for remote access by other users.

  • Virus: Viruses replicate (infect) other files by four methods:
          A. Append
          B. Insert
          C. Overwrite
          D. Prepend
          [Figure: the four infection methods, panels A through D]

  • Worm: Worms spread functional copies of themselves:
          A. via E-mail (E-mail Worms)
          B. via P2P (P2P Worms)
          C. via IRC (IRC Worms)
          D. via Network (Network Worms)

  • Spyware: A software application that monitors a user's computing habits and personal information, and sends this information to third parties without the user's authorization or knowledge.
          These include key loggers, event loggers, cookies, screen capturers and so on, or a combination of the programs mentioned above.
          The impact of these programs is system slowdown, system instability, and computer crashes. Spyware can also:
    • Track the sites you visit
    • Monitor keystrokes
    • Scan and read cookies
    • Relay information to a third party
    • Bombard you with pop-ups
    • Change browser settings
    • Create unwanted icons and links on your desktop

  • Grayware: These are Potentially Unwanted Programs. Grayware exists as a quasi-legal form of malware, because it is either purchased for use by corporations, or written by programmers paid by the corporation. Supposedly, grayware's aims are altruistic, merely aiding the corporations' marketing efforts. Grayware includes adware and spyware that are, supposedly, non-malicious in nature.

Trend Micro has noted a marked increase in the number of spyware scan patterns during the month of February, 2005, from 3,700 to more than 34,000, a nearly 10-fold increase! Obviously, it is becoming more prevalent, and if you stay abreast of the news, you'll find that corporations are beginning to run into serious problems because of it. So, how do you stop it?

  1. Block spyware before it enters your network.
  2. Prevent spyware from installing on the client.
  3. Block "phone home" attempts at the gateway.
  4. Provide multiple cleanup options.

How, you ask? For a definitive answer, visit Trend Micro, http://www.trendmicro.com! If you don't think this is important, read the next article!


Damned spyware...

by 00111

The Infection
I hear a cry from my roommate: "there's popups, fix it!" What do I see other than MANY popups, so numerous that one can no longer surf the web? She had been using Internet Explorer, in conjunction with an antivirus program. This did not protect her from the spyware and Trojan horses which subsequently installed on her system.

The Problem
I don't know which hostile site she visited, but there were Trojan horses and spyware installed. I definitely had my work cut out for me when the results from the Webroot Spysweeper scan indicated 50 items and over 800 traces of spyware. What was found?

iexplor.exe - the mass mailing worm w32.blatic
stubinst.exe - runstubinstaler - stubby Trojan downloader
spyuh.exe - reinstalled itself - spyware?
elitewfu32.exe - elitum.elitebar
agfkvpw.exe - A better internet - websearch toolbar

... just to name a few.

Research found a 900# dialer that had also been installed on the system. The homepage for Internet Explorer had been hijacked.

My definition of spyware/adware is anything that reinstalls itself after you have removed it or disabled it in the registry.

The solution (I hope)
First, I DISCONNECTED from the internet. Then I made sure that the system recovery was turned off on this XP system. Then I ran Spybot. I was curious to see how it handled items in memory. Then I checked what was running in Task Manager and found some of the items Spybot identified. After cancelling those items, I downloaded some current utilities onto another computer and burned a CD. I then booted to SAFE MODE. Ran Spybot again. Reboot. Ran Spybot again. Some items kept returning. What to do, what to do...

If at first you don't succeed...
I installed a trial version of Spysweeper from Webroot. It was at this point in time I realized the scope of the problem. There were still 50 items of spyware/adware/Trojans left. About 15 items could be removed, and then reappear. Something was reloading them, but what? OK, do a search for *.pf, kill all prefetch of the spyware/adware/trojans. Hmmm... time to check the services, see if anything is weird. Nope, nothing there. Perhaps something is hiding in the temp files or the cache. Run Spybot, then Spysweeper. Reboot. Still not connected to the internet.

After installing Spywareguard and Spywareblaster, I knew it was time to connect to the internet. I connected, proceeded to Windows Update, updated Spywareguard, Spywareblaster, Spybot, and the antivirus program. Then on to Panda's ActiveScan online. It found adware and Trojan horses. It removed the following Trojan horses from the system: downloader.BJG, downloader.AYV, dropper.DA, bck/paci.A, downloader.AWZ, startpage.SJ, small.GZ. Again, I disconnect from the internet.

Will it ever end?
After this experience, I ran regedt32, and proceeded to hunt for some of the names of the adware/spyware. I found some, and was cognizant of where I was in the registry so as not to remove information used by Webroot or any other program that quarantines/identifies spyware. So I renamed the occurrences of links to spyware. Why didn't I delete them? If I deleted them, they may have been recreated later. I left the folders intact so the contents would have a link to a non-existent file. I renamed the file to which it points, in the registry. The goal was to generate "file not found" and witness the failure of the spyware/adware to reinstall itself. This strategy seems to have worked. I also renamed the spyware/adware files from .exe to .exx. This also helps if one identifies something as spyware/adware and it wasn't. You can recover the file easily.

The phoenix rises
So now I am left with one critter - Elitum.Elitebar. The thing won't uninstall via Add/Remove Programs, deleting it from the registry has no effect, deleting the file itself from the hard disk has no effect. Somewhere, it is reloading itself. The Internet provided me with information on DLLs that were registered with XP that need to be unregistered. A definite procedure must be followed to remove this nasty. However, the zip file with the code did not work completely. This is the only critter left. An incomplete attempt at Trojan removal COULD cause system problems. I hope the cure is not worse than the disease.

Then it struck me. What about examining the Internet history of IE? It should show me what web sites were connected to recently. Upon examination, I edited the Hosts file and entered the suspect web sites so they would reference 127.0.0.1. After running Spybot and Spysweeper, I ran Spysweeper again to find that there were no offending files. So... is it gone? Try an antivirus scan from TrendMicro. No items found. I think it's gone.

What a pain in the A$$. In my opinion, the spyware writers should get 20 years.

00111
AKA: Dean Sowers

Editor's Note: Dean mentioned that it took the better part of three days to resolve the spyware problem on one computer! How many computers do you have at your company? And how much time do you have to waste fighting spyware? What do you think is the most practical solution for your situation? Isn't this a topic worthy of discussion on our new Online FORUM?
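The Hosts-file sinkhole Dean describes above (suspect sites mapped to 127.0.0.1), which is also one way of doing the "block phone home attempts" step from Trend Micro's list, as an added Python example that is neither Dean's code nor Trend Micro's. The hostnames are constructed samples; the functions keep existing Hosts entries intact, never add a host twice, and report a host that is already mapped somewhere else instead of silently overriding it. Note the limit of the technique: it only blocks lookups by name, so malware that contacts an IP address directly, or rewrites the Hosts file itself, is not stopped.

```python
# Added example: sinkhole suspected spyware domains in a Hosts file.
# Not the newsletter's or Trend Micro's code; hostnames are constructed.

LOOPBACK = "127.0.0.1"
MARK = "# sinkhole"   # tag our own entries so they can be found and reverted later


def parse_hosts(text):
    """Return {hostname: ip} for every active (non-comment) mapping in a Hosts file."""
    mapping = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        ip, *names = body.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def sinkhole(text, suspects):
    """Append a loopback entry for each suspect host not already mapped.

    Returns (new_text, added_hosts, conflicts). Existing lines are kept
    verbatim. A host already pointing at loopback is skipped; a host mapped
    to some other address is left alone and reported as a conflict.
    """
    current = parse_hosts(text)
    added, conflicts = [], []
    for host in sorted({s.strip().lower() for s in suspects if s.strip()}):
        ip = current.get(host)
        if ip is None:
            added.append(host)
        elif ip != LOOPBACK:
            conflicts.append((host, ip))
    lines = text.rstrip("\n").splitlines() if text.strip() else []
    for host in added:
        lines.append(f"{LOOPBACK}\t{host}\t{MARK}")
    return "\n".join(lines) + "\n", added, conflicts


def blocked(text, host):
    """True if the Hosts file currently sinkholes `host` to loopback."""
    return parse_hosts(text).get(host.lower()) == LOOPBACK


# Constructed sample: a minimal XP-style Hosts file and two suspect sites
SAMPLE_HOSTS = "# Hosts file\n127.0.0.1\tlocalhost\n"
SUSPECTS = ["ads.example-spyware.test", "Update.Elitebar-Sample.test", "localhost"]

if __name__ == "__main__":
    new_text, added, conflicts = sinkhole(SAMPLE_HOSTS, SUSPECTS)
    print(new_text, "added:", added, "conflicts:", conflicts)
```

Running it twice on the same file adds nothing the second time, which is what you want when a cleanup script is re-run after each reboot.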


Feedback from the Readers

In our last issue, we mentioned how Microsoft was entering the SuperComputing Market with its latest offering, the Windows Server 2003 Compute Cluster Edition. Member Allan Der writes:

"Apple did this years ago on their OS based on UNIX."

I know, and people have been using Linux for it for the SETI@Home project (Search for Extraterrestrial Intelligence project) for many years, as well. Better late than never, I suppose. --Editor


Final Notes…

>Question: What's the difference between a Hacker and a Network Administrator?

>Suggestions: An organization is always more efficient when its members pitch in. We want suggestions for products, vendors, or technical presenters YOU would like to see at our meetings. If you have ideas for things you think we should be doing, let us know! After each meeting, Suggestion/Evaluation forms will be available. Alternatively, you may email suggestions to Brad Fischl, brad.fischl@quickstart.com, or to the Editor (see below), or you could make your suggestions on our new Online FORUM!

>Answer: A Paycheck!

>Submissions: If you have any ideas for an article that you might like to write for this Newsletter, or about any third-party software that you would like to share with our members, please submit your article to the Editor, contact information below. Please use the Rich Text Format (.rtf file) for your article, and in the subject line of your email, put the word, Newsletter, so I don't accidentally delete your email. (I tend to delete emails from people I don't know unless the subject line clearly indicates something important.)

See you at the meeting on Thursday, April 14, 2005, enjoy!

Robert Holtzman, Editor
rholtzman@socalitpro.org



End of Transmission