Tag Archives: Malware

Heartbleed is the name of a bug, not a virus

The Heartbleed Bug was a major story not that long ago. Lists of affected websites circulated with instructions to change your passwords if you had accounts at those websites.

In the whirlwind of online news articles, a lot of jargon got tossed around that the average computer user may not be familiar with, and any time there is a knowledge gap, scammers can and do take advantage of it. Spam emails began to circulate claiming to include a Heartbleed removal tool that was, naturally, a malicious program itself. The attachment, if opened, installed a keylogger on victims’ computers, which could transmit sensitive information to criminals. Symantec has a fine article about this particular attack.

Of course, if you’re an old hack hand at Computer Stuff like myself, you already knew that Heartbleed was a bug affecting servers, not a virus. But not everybody is familiar with all these terms, so I decided it would be useful to explain some of these concepts in layman’s terms.

DATA is digital information. If you’re looking at a website, your computer is taking data and presenting it in a readable, watchable, or listenable way. You’re looking at data, which happens to be mostly in text form, right now. When you have an account at Amazon or Facebook (for example), your username and password are part of your personal data, which is the stuff you don’t want being accessed by anyone but yourself. Websites keep this kind of data on servers that use various software to make it (hopefully) impossible to access by unauthorized people.

SERVER is a big computer where data is stored. When you watch a video on YouTube, the digital information that makes up that video is stored on an incredibly large computer, which transmits that data to your computer, which turns it into a video you can watch. Companies such as Facebook and Google have multiple servers that fill entire buildings. Your employer may have a smaller server that looks like a regular desktop computer, which hold all the business’s customer data, and only employees have access to it. Same concept, different scale.

OpenSSL is a particular type of server software that was affected by the Heartbleed bug. You know how your desktop computer runs Windows or MacOS, and your phone runs Android or iOS? OpenSSL is pretty much the same type of thing for servers. Your home computer uses Windows or MacOS to do home computer things, some (but not all) servers use OpenSSL to do server things, like store huge customer databases.

BUG is a flaw in a piece of software. You know how sometimes you download some goofy free app on your phone, and it works for a few seconds then crashes? That app has a bug that makes it function improperly. In the case of Heartbleed, the bug was a security flaw that potentially opened up account information (such as encrypted passwords) to hackers.

ENCRYPTED data has been scrambled in a way that unauthorized persons cannot access it. Servers don’t just store your username and password in text form because it would be too easy for someone to just steal the file and open it. They use complicated methods to make sure that, even if someone got the file, they wouldn’t be able to read it. (At least, this is how it would always work in a world without security bugs like Heartbleed; this is why you had to change your passwords at affected sites after the bug was fixed.)

HACKER: a person who breaks into computer networks. This in and of itself does not make them bad…many are actually hired to break in, in order to highlight security flaws so they can be fixed. Some use their skill for criminal purposes.

These are pretty simplistic explanations, but I think it’s important to at least have a concept of what these terms mean, so that when you read an article that says “security bug affecting servers running OpenSSL versions etc…” you can at least understand that they’re talking about software you’re NOT running on your home computer, and to ignore any emails offering a fix because Heartbleed wasn’t a virus in the first place.

But you’re not going to open attachments in any unsolicited emails, anyway, are you? If nothing else, remember this First Principle: “If you didn’t ask for it, don’t click on it.”

This is why I don’t use ad-blocking plugins: so I can point out stuff like this

Today I checked out the weather forecast at Weather.com, mostly to confirm my suspicions that yes, this winter is going to be eternal and that it’s never going to rise above four degrees for the rest of my life.

(Okay, the actual forecast wasn’t that bad, and it’s actually going to get a little warmer very soon, but still.)

I noticed this banner ad in the right-side column where Weather.com usually puts them (among other locations):


Looks important, don’it? Like your security software is telling you something is wrong, right?

Yeah, well, it’s not. It’s an advertisement. Good thing the ONLY indication is the little Google AdWords logo in the upper right corner, eh?

Now, I don’t know exactly what this advertisement leads to, but as far as I’m concerned, they’re using deception to trick people into clicking on it. That makes me think of ransomware, because it’s almost the exact technique used by makers of that type of malicious software. Click on it and you may find your computer locked down until you pay $80 or more to some crook.

I wish I could issue “just never click on anything” as a general rule, but it’s sort of hard to use the Internet without clicking on something now and then. I would suggest this, though: if you see an ad like this on a major website, click on that little triangle AdWords logo (click carefully…you don’t want to click on the ad itself!) and use the submission form to tell Google about it. Google’s AdWords system is great because it allows access to online advertising for businesses of all sizes, but that wide-openness also means a lot of scammers get their greasy little banner ads through. It’s like those “work at home” scans in the old print newspapers, only a couple hundred million times larger in scope.

2 people are not spying on you

Have you seen this (or something similar) show up on a website lately?

I said DON'T click on it!

If you use MyFitnessPal, WeightWatchers Online, YouTube, or any of about a million other sites, chances are that you have.

Here are some things about which you can rest assured:

  • It’s just a stupid banner advertisement
  • It seems to be showing up a lot more often since this whole mess with the NSA started and got everyone paranoid about their online privacy
  • Nobody is spying on you*
  • It probably leads to a website that will infect your computer with spyware, at which point someone will be spying on you
  • Even if it doesn’t, you don’t want what they’re selling
  • It tells EVERYONE they have “2 people” spying on them
  • YouTube, MyFitnessPal, WeightWatchers, etc., have no way of knowing whether anyone is spying on you or not
  • Do not click on it, whatever you do

*Actually, there might be people spying on you. I mean, I have no idea who’s reading this. Spies do exist, right? You might be involved in all kinds of international espionage, sabotage, subterfuge, the works. You might be tuning in to those weird “numbers stations” every night and actually have the key to decode them for all I know. But in that case, you’d probably say, “Two? Ha! More like two hundred!” if you saw this particular ad.

Alert for businesses: beware of fake BBB complaint emails

I received an email recently that highlights the importance of business owners and employees being aware of various types of fraud activity:

From: Better Business Bureau <[redacted]@newyork.bbb.org>
Subject: Case #28475466

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.

In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by January 17, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file), answer the questions and respond to us.

We look forward to your prompt attention to this matter.


BBB Serving Metropolitan New York, Long Island and the Mid-Hudson Region

There was a 102KB file attached to the message named “Complaint Case  #28475466.zip”. Except for the fact that it appeared to come from a Better Business Bureau office a thousand miles away, it looked pretty legitimate.

However, looks can be very deceiving.

According to a report from Cisco, the attachment is an executable file that contains malicious code. They don’t specify what that malware is, but given the nature of the message I would guess it’s designed to log keystrokes or use some other method to steal online banking credentials from businesses. Once they’ve got account numbers and passwords, they wire thousands of dollars out of payroll, expense and other accounts, then use their network of (unwitting and witting) money mules to launder the ill-gotten funds.

So here’s the lesson today: if you receive a message like the one above, do not under any circumstances open the attached file. If you think there might be a legitimate complaint from the Better Business Bureau, contact them directly. It’s a general rule, but in this case it applied more specifically to business owners and their employees.

Beware LinkedIn phishing emails

Here’s a screenshot of an email message I got the other day (click to enlarge):2012-10-17-fpu-01

There are a total of five links within this message, all of which lead to a different website and none of which lead to a page hosted at LinkedIn.com. The links were located in these places:

  1. The yellow “Accept” button
  2. The white “Ignore Privately” button
  3. “Marva Leonard”
  4. “Unsubscribe”
  5. “Learn why we included this”

Of course, the real issue here is that this looks like it could be a real email from LinkedIn (and hey, the VP Operations from Allstate wants to know you, wow!). But look what happens when I hover the mouse over the “Unsubscribe” link, for example (detail):


I’m not sure what’s on that site (I didn’t click to find out), but I can promise you it’s not a real LinkedIn page. Most likely it’s a hacked website that will attempt to infect your computer with malicious software.

If you’re a LinkedIn user, it’s important to be careful with email messages that appear to be from the network. Hover your mouse over any links before you click. Better yet, just visit the site directly and log in to your account; if you’ve got pending invitations, they’ll show up.

Also, most email clients these days don’t display embedded images unless you manually tell them to (note the red “X” and the word “LinkedIn” in the upper right corner of the message). There’s usually a box or a bar that says something like this:


Unless you know who the message is from and what it contains, never click on that box.

Email Scam/Malware Alert: “Corporate eFax message”

I received this message yesterday afternoon (links have been removed, but are shown in blue):

*   *   *

From: eFax <[redacted]@coderbit.com>
Subject: Corporate eFax message – 9 pages

Fax Message [Caller-ID: 680-973-3656]

You have received a 9 pages fax at Wed, 03 Oct 2012 22:22:19 -1000.

* The reference number for this fax is min1_20121003222219.1055179.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home | Contact | Login

© 2011 j2 Global Communications, Inc. All rights reserved.

eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

*   *   *

eFax is a real company, and the whole thing looks right, with the footer and all. So how did I know this message was bad news?

By mousing-over the links. I’ve used that term before but I’ve never explained it, so here it is: to mouse over (or mouseover) is to move the cursor (the arrow, usually) on your screen over a link without clicking on it. In most web browsers and email clients, this action will show you where the link actually leads, usually in the lower left corner of the window. If the text of the link says one thing, but the information that shows up when you mouseover, that’s a good indication of foul play.

In this case, every single link was disguised. Here are the links and where they actually led, in order. Do NOT visit any of the sites listed!

  1. min1_20121003222219.1055179: www.bathroomdesignstafford.co.uk/SAMiMyXq/index.html
  2. Click here to view this message: gurkan.bae.com.tr/1ttCGhGq/index.html
  3. www.eFax.com/en/efax/twa/page/help: webview360.net/Zn3VbH/index.html
  4. Home: egelisanfen.com/v2WPTAhV/index.html
  5. Contact: christianharfouche.net/Q1uRBnn/index.html
  6. Login: teknoturkbilisim.com.tr/5UTrCN5/index.html
  7. eFax® Customer Agreement: happlications.com/phjbPEB/index.html

You’d think a legitimate message from eFax would have at least ONE link that led to eFax.com, wouldn’t you? You’d also think the “from” address would contain “@efax.com.”

Instead, we’ve got web pages from all around the globe, including the UK and Turkey (.tr). Every single one of these pages has likely been compromised with malware.

Word on the street is that the linked sites will try to infect your computer with the BlackHole exploit kit, which takes control of your computer and adds it to a worldwide network of compromised (“zombie”) computers used to traffic illicit data, launder money and other criminal activity.

Like I said, bad news. If you get this message (the number of “pages” in the subject line may be different), don’t click. Delete it on sight.

What to do about DNSChanger

It’s a long, long story. It starts with the arrest in November 2011 of six Estonian cybercriminals who managed to infect millions of computers with malicious software known as DNSChanger.

This malware would compromise search results, direct infected PCs to rogue websites, compromise antivirus software and insert rogue advertisements into legitimate pages. These guys made a load of money before they were nabbed.

However, even after the arrests, plenty of computers remained infected. The FBI set up temporary servers for infected PCs, but those will be coming down on July 9, 2012. In other words, if your computer or router is infected, you won’t be able to connect to the Internet, starting Monday.

(“Five Years” by David Bowie just popped into my head, but in this case, you’ve got about three days.)

The first thing you need to do is check to see of your machine is infected. The DNSChanger Working Group provides a list of sites that check your computer here. If it says you’re good to go, no additional action is required.

However, if you get a red light, you’ll have to fix your computer. The DCWG provides instructions here, along with links to tools that specifically remove the malware, but you may need to take your PC to a professional computer repair shop.

I’ve heard that about 70,000 computers are still infected (this one’s clean!), so it’s not as if the entire Internet is going to die on Monday (as some of the jumpier news sources have implied), but you still don’t want to find yourself unable to connect and cut off from solutions to the infection.

How to make sure you’ve got the latest version of Java (Windows users)

According to the excellent website Krebs on Security, a new Java exploit is set to go completely mushroom cloud on computers worldwide with outdated Java installations within the next few days.

The BlackHole Exploit Kit is used by cybercriminals for purposes various and nefarious, and is currently the most common web threat around. However, we won’t go into too much detail here about the malware itself. Instead, let’s talk about how to keep your Windows-based computer safe.

The first thing you need to do is find out if you have Java installed on your computer at all, and which version you’ve got. The easiest way to accomplish this task is to visit java.com and click the “Do I hava Java?” link. This takes you to a page with a big “Verify Java version” button:


Click the button and the site will tell you if you’ve got the recommended version of Java installed, which currently (as of July 6, 2012) is either Version 6 update 33, or Version 7 update 5. If it tells you to update, follow the on-screen instructions.

(If your computer is set up like mine, your web browser will ask you for permission to run the Java content on this page. At this point, you’ll know you’ve got it installed, but you still need to verify which version you’ve got. Click the “Run this time” button when prompted, and it will let you know if you have the recommended version.)

What if the site says you don’t have Java installed? Should you install it?

Naturally, the java.com website will suggest you do, but if you’ve been using your computer without it so far, I’d recommend not installing it at all. Java is currently the most popular channel through which exploits like the BlackHole pack are used, and new security holes are discovered all the time. If you’ve come this far without Java, there’s really no good reason to install it.

If you’ve got Java installed and want to keep it (there are still some websites that rely on it), make sure you’ve got the software set to check for updates at least once a week, but I recommend taking it a step further and checking daily. Here’s how.

1. Click the “Start” button, then select “Control Panel.”


2. Find the “Java” icon in the Control Panel window and double-click it.



3. Click the “Update” tab, then the “Advanced” version.


4. Select “Daily” and check what time of day it will check. I left mine on 11:00 PM. Click “OK.”


5. Click “Apply” and “OK.” You’re done!


Note: if the updater detects that a new version of Java is available, most of the time you’ll have to manually install the update. Your computer will prompt you when it’s time.

Virus/Scam Email: BEQUEST NOTICE

From: Harry Lucas (Advocate) [mailto:harry-lucas@lawyer.com]
Sent: Saturday, April 28, 2012 4:22 PM
To: undisclosed recipients:
Attach: bequest.pdf

Attention! BEQUEST NOTICE, open attachment for details.

I’m going to venture an informed guess here and say that, should you receive a message like this one, whatever else you do, you really, really should not open that attachment. Whatever is in it, you don’t want it.

The “Slow Computer” Scam

Does your computer seem to be running slower lately?

You’re not alone. Over time, computers tend to get bogged down. For example, you install a piece of software to accomplish some task you only perform every now and then, but the program requires that a component of itself be running in the background at all times. Or you upgrade your antivirus software—the new version does a better job of filtering out malicious software, but it also needs more system resources to do its job.

Perception also plays a role—the “new” wears off a computer pretty quickly, and what seemed like blinding speed a year ago now feels like you’re trudging through treacle every time you want to fire up a web browser, even if the machine is running just fine.

The net result is that a lot of people think, “Hey, this thing isn’t running as fast as it used to—something must be wrong!” Enter the Slow Computer Scam. It generally targets seniors, but anyone with a computer could fall for it.

It begins with a phone call from a stranger who claims to work for Microsoft. The caller tells the victim that the company has received notification that their computer has been running slowly or is infected with spyware, viruses or other problems.

At this point, if the victim agrees, the call will go one of two directions. In the first variant, the victim is instructed to go to their computer, then fed step-by-step directions by the caller that are supposed to fix the problem. What is actually happening is the victim is handing over control of their computer to a criminal, allowing them to search for files containing personal information, install spyware designed to harvest any data the victim enters, or link the computer to a botnet used to transmit data for organized criminals.

In the second version, the victim will be told that the caller can fix the problem, but only for a fee. They will be instructed to use Western Union to wire a few hundred dollars as payment.

There is a recent double-dip version in which the scammers call the same victim again a few weeks later. This time, they inform the victim that they are from Dell (or whoever manufactured the victims computer), the earlier call from Microsoft was a scam, and that their computer was infected with malware by the scammer. They offer to fix the computer for a fee of several hundred dollars, again to be wired via Western Union.

This may be one of the easiest scams to recognize. If your telephone rings, and someone is on the line telling you that there’s something wrong with your computer, that’s your cue to hang up.

Microsoft does not have a giant control room that keeps tabs on the performance of every computer in the world. Nobody is sitting at a monitor going, “Whoa. Some guy out in Indiana has a slow computer. Perkins! Get on this!”

The same goes for Dell and other computer hardware manufacturers—they don’t have a giant database of who owns their computers or how they’re running. If there’s a problem with your hardware or software, or if your machine is infected with malware, it’s basically on you to figure it out and fix it.

There is also no scenario in which Microsoft, Dell, or any other tech company is ever going to require payment via Western Union. Keep your antivirus software up-to-date, and when a stranger calls to tell you there’s a problem with your computer, hang up.