The World of Computing and Solutions
http://computing.ask-me-about.com


Kardphisher virus - social-engineering attack, aimed at stealing credit card information.

posted October 9th, 2007 by Loz

SYMANTEC REPORTED RECENTLY ON A Trojan horse that mimics the Microsoft Windows activation interface. Called Trojan.Kardphisher, it doesn’t do most of the technical things that Trojans usually do: it’s purely a social-engineering attack, aimed at stealing credit card information.

In a sense, it’s a standalone phishing program. Once you reboot, Kardphisher asks you to reactivate your copy of Windows, citing piracy issues and telling you that another user has activated your copy. Though it assures you that you will not actually be charged, it asks for credit card information. If you don’t enter the credit card information, Kardphisher shuts down the PC.

The Trojan also disables the Windows Task Manager, which makes it more difficult to shut the malware down.

Running on the first reboot is clever. It makes the process look more like a legitimate message coming from Microsoft, and it won’t seem to occur as a result of the user clicking on a new file. The program even runs on versions of Windows that were made prior to XP and do not require activation. That’s a bit of a red flag, although I bet there’s a strong correlation between people running pre-XP versions of Windows and people who aren’t as well educated about malware as they could be.

With a nearly 1MB executable, Kardphisher is not a sneak attack. But if you find yourself infected, disable the Trojan in Windows Safe Mode by removing the Registry keys described in Symantec’s write-up (at www.symantec.com, search on the malware name) and deleting the program they point to. Updated anti-virus software should also remove it.


How to turn off the preview pane in Microsoft Outlook Express

posted October 7th, 2006 by Loz

Question
With all the current emphasis on new worms, Trojan horses, viruses, and other malware, I have a question about Microsoft Outlook Express. I’ve shut off the preview pane to prevent someone from owning my PC, but every time I’m purposely viewing my e-mail and elect to delete it, the next message in my queue opens up. I really want the application to go back to the inbox view. I haven’t a clue how to do that, nor have I found anything in the Help file. Any idea how I can make that happen? My Windows XP is fully up to date.

Answer
By turning off the preview pane and deleting the suspect mail without opening it, you greatly reduce the possibility that an HTML-based message could exploit some security flaw and compromise your system. You also foil any attempts to snag private information that’s stored in the Web browser cookies using a “web bug” image.
It’s true that when you delete the current message, the next message in the queue will take its place. Fortunately, there’s a simple solution: scan your list of messages starting at the bottom. Delete any that don’t look right and read the ones from your known correspondents. If you delete the last message in the list, you’ll go back to the Inbox view, as requested. And if the message you deleted is not the last, the one that takes its place will be one that you’ve already approved, since you’re working up from the bottom.


Keeping Web Miners Safe

posted October 6th, 2006 by Loz

Whether they call them canaries, monkeys, or guinea pigs, more security companies are using virtual PCs to protect users.

Miners learned to love the humble canary. After a mine fire or explosion, miners would descend with the birds to possibly dangerous areas. The canaries’ high metabolism made them the first to succumb if significant amounts of carbon monoxide or methane were present, thus giving miners warning of unsafe areas so they could escape alive.

Security companies are now applying the same theory to the online world.
Using thousands of virtual PCs, systems whose processors, memory, and hard drives are all emulated in software, McAfee’s SiteAdvisor, Microsoft’s research arm, and other groups have automated the process of going into the unsafe areas of the Web. If a site hosting malicious code compromises one of the virtual PCs, the site’s address is recorded for further investigation, the virtual machine is erased, and a new virtual machine is set up in its place. Pretty neat stuff eh?

Some security companies refer to the virtual PCs as canaries or guinea pigs, or by the technical term, client-side honeypots. Microsoft calls them honeymonkeys in reference to the million-monkeys theorem. The theorem says that a million monkeys typing random characters on a million typewriters for an infinite period of time can eventually produce the complete works of William Shakespeare…lol

Though it’s unlikely that a million monkeys could ever write a Shakespeare play, they most certainly could help to secure the Web. Today, tens of thousands of virtual machines are crawling the Internet, clicking on untrusted links, getting compromised, being deleted, and then doing it all over again. How cool is that?

Various companies are pursuing different plans for the technology. Microsoft uses its honeymonkey system to research threats to Windows and map out the links connecting to malicious Web sites - a part of the Internet that its researchers refer to as the ExploitNet. McAfee’s SiteAdvisor uses the resulting database of bad sites as one component of its Web site ratings, accessible through free plug-ins for Internet Explorer and Firefox.
Easy, cheap virtualisation software is the key to the technology. Microsoft and SiteAdvisor both run thousands of virtual PCs with management servers capable of cataloging sites. The virtual PC, which almost always runs Microsoft Windows, appears to malicious software to be a normal, albeit vanilla, PC. The latest Trojan horses, spyware, and Web viruses infect the virtual system without detecting that it is really a sterile environment that will quickly be deleted. How sweet is that.
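To make the visit-detect-erase loop above concrete, here is an added illustration (not Microsoft’s or SiteAdvisor’s code) of how a client-side honeypot controller can decide that a site compromised the throw-away VM: it hashes the VM’s files before and after the visit and flags any change outside the browser’s own scratch areas. The VM, its file system, the scratch paths and the two sample sites are all constructed for the example.

```python
"""Client-side honeypot loop: one fresh VM per URL, diff VM state after the
visit, record the URL if anything changed outside the browser's own
writable areas, then discard the VM (here simulated with dict snapshots)."""
import hashlib

# Constructed clean VM image: path -> file content.
CLEAN_VM = {
    "C:/Windows/System32/kernel32.dll": b"k32",
    "C:/Users/honey/ntuser.dat": b"reg-v1",
}

# Areas a browser legitimately writes to during normal browsing (assumption).
BROWSER_SCRATCH = (
    "C:/Users/honey/AppData/Local/Temp/",
    "C:/Users/honey/AppData/Local/Microsoft/Windows/INetCache/",
)


def snapshot_digest(files):
    """Map each path in a simulated VM file system to a SHA-256 of its content."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def suspicious_changes(before, after):
    """Paths created or modified by the visit, excluding browser scratch areas."""
    changed = [p for p, h in after.items() if before.get(p) != h]
    return sorted(p for p in changed if not p.startswith(BROWSER_SCRATCH))


def patrol(urls, visit):
    """Visit each URL in a fresh VM; `visit(url)` returns the post-visit file system.
    Returns {url: [changed paths]} for every site that altered the VM."""
    baseline = snapshot_digest(CLEAN_VM)
    findings = {}
    for url in urls:
        after = snapshot_digest(visit(url))   # VM is thrown away after this call
        hits = suspicious_changes(baseline, after)
        if hits:
            findings[url] = hits              # record the address for investigation
    return findings


def fake_visit(url):
    """Constructed stand-in for driving a browser inside the VM."""
    fs = dict(CLEAN_VM)
    fs["C:/Users/honey/AppData/Local/Temp/page.htm"] = b"<html>"  # normal cache write
    if url == "http://bad.example/":
        fs["C:/Windows/System32/dropper.exe"] = b"MZ..."   # drive-by dropped a binary
        fs["C:/Users/honey/ntuser.dat"] = b"reg-v2"        # and touched the registry hive
    return fs


if __name__ == "__main__":
    print(patrol(["http://good.example/", "http://bad.example/"], fake_visit))
```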

Yet the attackers are adapting to security methods such as virtual PCs. Some are working on ways to detect virtual machines by creating software for exactly that purpose; if a virtual machine is detected, they avoid infecting that system in order to delay exposure. Other attackers are identifying major Web sites that have a type of flaw known as cross-site scripting. This essentially allows an attacker to load malicious code on a victim’s machine from another Web site while the user believes he/she is still browsing safely on the original trusted Web site.

Despite the arms race that continues between attackers and defenders, virtual PCs promise to automate the patrol of the Web for malicious Web sites. In the end, we may come to appreciate the automated monkeys of the Web as much as miners appreciated the canary.
