Archive for August, 2009

Screenshots in Snow Leopard

Monday, August 31st, 2009

In Mac OS X 10.5 and below, the default behavior was to take screenshots (Command-Shift-4) by creating a file on the desktop automatically named Picture 1.png. The second file would be created as Picture 2.png and so forth. In Snow Leopard, though, screenshots are named Screen shot followed by the date (YYYY-MM-DD) and then the time (HH.MM.SS). So if I took a screenshot at 3pm today it would be called “Screen shot 2009-08-31 at 3.01.05 PM”. This keeps them showing up in the same order they otherwise would have. At first I wasn’t sure whether I liked this change, but now I’m sure that I do. The defaults commands that were used to change the default image type and the location are still applicable.

Yet Another Spyware Article

Monday, August 31st, 2009

First and foremost, it’s called MS Antivirus, or MS Antispyware:

From Wikipedia:

MS Antivirus has a number of other names. It is also known as XP Antivirus, Vitae Antivirus, Windows Antivirus, Win Antivirus, Antivirus Pro, Antivirus Pro 2009, Antivirus 2007, 2008, 2009, 2010, and 360, Internet Antivirus Plus, System Antivirus, Spyware Guard 2008 and 2009, Spyware Protect 2009, Winweb Security 2008, System Security, Malware Defender 2009, Ultimate Antivirus2008, Vista Antivirus, General Antivirus, AntiSpywareMaster, Antispyware 2008, XP AntiSpyware 2008 and 2009, WinPCDefender, Antivirus XP Pro, and Anti-Virus-1

It can be spread through the following vectors:
Most have a Trojan horse component, which users are misled into installing. The Trojan may be disguised as:

* A browser plug-in or extension (typically toolbar)
* An image, screensaver or archive file attached to an e-mail message
* Multimedia codec required to play a certain video clip
* Software shared on peer-to-peer networks
* A free online malware scanning service

Lately, with the infections I’ve seen this year, it seems that it spreads by tricking the user into downloading a CODEC to play a video. Sometimes the link will appear within a frame (say, the AOL main web site with an article directed somewhere else). It will also bypass web filtering applications (e.g. Surfcontrol) as long as the site that carries the malware is not banned for any reason. I was reading of an instance where a graphic designer was looking for a CODEC for their software, downloaded one that they thought was good from a site that hosted graphic design templates, and got infected from there.

I also read of an instance in an enterprise environment where a business person was looking for info on an article, and happened to find what he thought was a news video on the subject, and got infected from there.

The following are ways to make a company less of a target for this infection:
1. Begin updating all Windows workstations with current security patches from Microsoft, and update them regularly.
2. User education (especially don’t download codecs!).
3. Keep AV up to date.

Damage control consists of cleaning the computers with free tools we have at hand.

I have had success (meaning clean system with no nuke and pave) using the following strategy:
1. Download and Install CCleaner: http://www.ccleaner.com/. Run it in regular mode and clear out the temp files, and unneeded registry entries.
2. Go to Control Panel, Add/Remove Programs and attempt to remove the malware from there.
3. Turn off System Restore to delete all restore points, which are probably compromised now.
4. Download and install Malwarebytes http://www.malwarebytes.org/. Open it in regular mode, update it, and then run it in safe mode (no networking). If you can’t run it, go to step 12.
5. Reboot
6. Run Malwarebytes in regular mode until it reports no issues. If there are viruses still present, run it in safe mode. If you can’t run Malwarebytes at all, or after 3 cleans it’s not fully clean, continue to step 7. If no spyware is present, but Google redirects, skip to step 12.
7. Download Superantispyware: http://www.superantispyware.com/
8. Update it in regular mode for Windows.
9. Run it in safe mode to remove more malware.
10. Reboot
11. Repeat step 6. If step 6 fails, continue to step 12.
12. Download Combofix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix, and update it in regular mode.
13. Run it in safe mode. If Combofix will not run, continue to step 14.
14. Find the Malwarebytes executable by going to the shortcut that it placed on the desktop, and rename the Malwarebytes executable from *.exe to *.com.
15. Boot into regular mode, and update Malwarebytes.
16. Boot into safe mode and see if it will run (ensure it’s still named *.com). Repeat step 6 until it’s clean. Once it is, rename it back to *.exe. If this fails, continue on to step 17.
17. Rename combofix.exe to combo-fix.exe or combo-fix.com. Run it. After it’s finished, repeat step 6.
18. If all of these fail, back up your registry again, and try running Icesword: http://www.antirootkit.com/software/IceSword.htm. Icesword’s GUI is in Chinese; if this is unacceptable, back up, nuke and pave, reinstall the OS plus data, and rejoin to the domain if necessary.

The above steps go from least intrusive software to more dangerous software, with Combofix and Icesword being the ones that can cause the most damage if used improperly (they can delete needed items in the registry, or muck up Microsoft Office Suite applications). Personally, Combofix seems to do the trick, and is the only one that will take care of the Google link redirects. Icesword is the worst-case scenario, and I’ve only had to run it once since I first became aware of it 2 years ago.
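The rename in steps 14 to 16 can be scripted so that it is reversible and previewable; the following is an added example, not part of the original post. It resolves the desktop shortcut to the real executable, renames it between *.exe and *.com, and copes with the shortcut still pointing at the old *.exe name after the first rename. The function names and the shortcut path are assumptions, and an elevated PowerShell session is assumed.

```powershell
# Added example, not from the original post. Function and parameter names are
# illustrative; the shortcut path is supplied by the operator.

function Get-ShortcutTarget {
    param([Parameter(Mandatory = $true)][string]$ShortcutPath)
    # WScript.Shell reads the .lnk file and exposes the path it points to.
    $shell = New-Object -ComObject WScript.Shell
    return $shell.CreateShortcut($ShortcutPath).TargetPath
}

function Switch-ScannerExtension {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ShortcutPath,
        [ValidateSet('.com', '.exe')][string]$To = '.com'
    )
    $target = Get-ShortcutTarget -ShortcutPath $ShortcutPath
    if (-not $target) { throw "No target found in shortcut: $ShortcutPath" }

    # The shortcut keeps pointing at the .exe name even after a rename, so
    # build both candidate paths from its directory and base name.
    $dir    = [System.IO.Path]::GetDirectoryName($target)
    $base   = [System.IO.Path]::GetFileNameWithoutExtension($target)
    $from   = if ($To -eq '.com') { '.exe' } else { '.com' }
    $source = Join-Path $dir ($base + $from)
    $dest   = Join-Path $dir ($base + $To)

    if (Test-Path -LiteralPath $dest) {
        Write-Verbose "Already named $dest"
        return $dest
    }
    if (-not (Test-Path -LiteralPath $source)) {
        throw "Neither $source nor $dest exists; check the install directory."
    }
    if ($PSCmdlet.ShouldProcess($source, "Rename to $($base + $To)")) {
        [System.IO.File]::Move($source, $dest)
    }
    return $dest
}

# Step 14: preview, then rename *.exe to *.com (placeholder shortcut path).
#   Switch-ScannerExtension -ShortcutPath 'C:\path\to\Desktop\scanner.lnk' -WhatIf
#   Switch-ScannerExtension -ShortcutPath 'C:\path\to\Desktop\scanner.lnk'
# End of step 16: restore the original name once the scans come back clean.
#   Switch-ScannerExtension -ShortcutPath 'C:\path\to\Desktop\scanner.lnk' -To .exe
```

While the file is named *.com the desktop shortcut no longer resolves, so launch the scanner from the path the function returns.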

Links on the subject for your reference:

http://en.wikipedia.org/wiki/MS_Antivirus_%28malware%29

http://forums.mcafeehelp.com/showthread.php?t=223581

Snow Leopard Videos on the 318 YouTube Channel

Friday, August 28th, 2009

You can also view the videos individually by clicking on http://www.youtube.com/view_play_list?p=EFFC3A3FF65CC37D.