Rick Carlson, Former President/CEO of Aluria Software, Responds

By Robin Laudanski
March 5, 2006

Finally someone from Aluria has decided to respond. In a previous article I mentioned a thread at PCMag wherein some comments were made which basically suggested I was lying about my attempts to contact Mr. Goldstone. Once again I’ve been called a liar, only this time it was by Rick Carlson, former President/CEO of Aluria Software. The thing I find most remarkable about his entire reply is not that I’m being called a liar (I expected that from Aluria), and it isn’t that Mr. Carlson actually admitted certifying WhenU as being spyware free was a mistake, although it is an enormous step even if the reason given for it being a mistake is misguided in my opinion. What I find most remarkable is that he seems to think I have something against Aluria, that I am attacking a name, when in fact all I’m doing is reporting the fact that information which showed there was once a relationship between Aluria and WhenU has conveniently disappeared. For someone who is leaving the company, his response seems rather hostile.

This is taken from the thread at PCMag:

Continued in full…

Aluria’s Attempt to Discredit CastleCops

By Robin Laudanski
March 3, 2006

Earlier today I happened to come across something at another site, which I found quite funny since the comments seemed to be an attempt to discredit CastleCops and myself by asserting that we didn’t try to contact Mr. Goldstone of Aluria until after I published the Aluria Trys To Whitewash The WhenU Fiasco article. When we publish something we do make every effort to ensure that the information provided is accurate, and we also make every effort to ensure that everyone has a chance for their voice to be heard.

You may remember when Aluria first said that WhenU was Spyware Free, we provided them with an opportunity to answer some questions in their own defense for their decision. To my knowledge no one else provided such an opportunity.

Full Story

Aluria Trys To Whitewash The WhenU Fiasco

By Robin Laudanski
March 2, 2006

Some of you might remember that back in October of 2004 Aluria Software delisted WhenU and certified them as being Spyware Safe. Would it surprise you to find out it now appears Aluria is trying to cover their tracks? Isn’t it wonderful that the internet has such extensive resources that even when a company or individual tries to cover up something they did, it is almost impossible to completely remove it? In previous articles written by CastleCops Staff on WhenU, Aluria and AOL there were many links going back to Aluria, both to their support forums and press releases. Imagine my surprise when the pages those links pointed to suddenly don’t exist. In some cases the link isn’t dead; rather, it points to a new location, e.g. Aluria_Certifies_WhenU. That link should point to the original press release from Aluria, but it doesn’t. All press-related material is redirected to the same location in the same manner.

Full Story

SpyFalcon, a nightmare rebranded

Full Source

Last time we wrote about a rebrand of SpyAxe called SpywareStrike, this time we alert you to SpyFalcon courtesy of Sunbelt-Software. First, if you think you’re infected, read our removal tutorial on the whole SpyAxe issue. And there is an interesting twist… the webhost provider is dishing out the WMF Exploit!

This domain was registered on 16-Jan-2006 by David Taylor under the guise of SunShine Ltd. It uses the “ANTISPYDNS.BIZ” domain for its DNS traffic. The domain is hosted by NetcatHosting who owns its IP: What is interesting even more about the netblock is this

Kama Sutra/Blackworm Timebomb

There is a new mass-mailing worm that has been infecting many users. It goes by several different names; it's best known as Blackworm or Kama Sutra. On February 3rd, this worm is scheduled to overwrite the following file types with bogus data:

  • *.DOC
  • *.XLS
  • *.MDE
  • *.MDB
  • *.PPT
  • *.PPS
  • *.RAR
  • *.PDF
  • *.PSD
  • *.DMP
  • *.ZIP

    Feb 3rd is just the beginning, because it's scheduled to activate on the 3rd of every month. Once someone is infected, the worm visits a webpage at rcn.net to increment a counter. This counter theoretically displays the number of infections. As of the article, that counter states:

    Read here for full details.

  • Microsoft Security Bulletin MS06-001: Official WMF Patch

    Microsoft has just released its official patch for the WMF 0-Day. In the Microsoft Security Bulletin MS06-001, Microsoft states in its executive summary:

    This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.

    Note This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840.

    If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    We recommend that customers apply the update immediately.

    WMF Exploit FAQ

    There is a lot of public information available right now on the WMF Exploit and workaround patches. This article will attempt to answer some basic questions surrounding the WMF Exploit and those patches, including why Microsoft is waiting to release their official patch on January 10th, and rumors of an early MS patch Internet leak.

    1. What is WMF?
      Microsoft defines WMF as the Windows Metafile, a 16-bit metafile image format that contains both vector and bitmap data.

    2. What is the issue with WMF?
      The WMF image is a little different from other images: it can call external procedures, one of which can execute code.

    3. How can I get the WMF Exploit?
      The answer to this varies right now. However, one thing is certain: you can get the exploit by visiting an infected web page. Others suggest it can arrive through email attachments, instant messaging, Lotus Notes; the list goes on.

    Continued in full here.

    Hot off the press: WMF Vulnerability Checker

    As you’ve read in the security alert concerning the WMF exploit, there are very limited tools to patch or catch an exploitable computer system. Ilfak Guilfanov, the author of the Windows WMF Hotfix, has written a WMF Vulnerability Checker. Please read Ilfak’s instructions on using the WMF vulnerability checker, although a word of caution is offered:

    Do not use this check as a definite answer to the WMF vulnerability question. But if your system was vulnerable, it should be invulnerable after installing the hotfix and display the second dialog box. In other words you can use this checker as a means to verify that the hotfix is doing its job. One more word of caution: do not forget to reboot your computer after the installation. If you do not reboot it, the checker will tell you that the system is invulnerable while some system processes will still be.


    There is a new danger floating around the Internet right now, a zero-day exploit taking advantage of the Windows Metafile (WMF) format. It's not limited to WMF files; it is taking the shape of images as well. This exploit is currently billed as the worst infection in history. It can hide rootkits, it can even hide itself.

    This is not a joke.

    Many antivirus companies cannot discover this malware at present. Microsoft is not responding fast enough. There is currently no known way to detect if your system has been infected. However, don’t let this stop you from applying two specific workaround patches.

    Read the following two articles and install the “Windows WMF Hotfix” followed by de-registering the file “shimgvw.dll”. Then reboot. Now, wait with the rest of us for Microsoft and antivirus companies to officially patch this vulnerability and detect/clean it.

    Install the WMF Hotfix
    De-register the “shimgvw.dll” file