How to Remove url.cpvfeed.com popups and core.sys Rootkit

Remove url.cpvfeed.com

Url.cpvfeed.com is part of the Zedo adware and is a browser hijacker. Url.cpvfeed.com pop-ups are extremely difficult to remove manually and can cause computers to freeze.

Are you seeing a scenario where, whenever you start Firefox or Internet Explorer, you see pop-ups beginning with url.cpvfeed.com or “Powered by Zedo” pop-ups? Usually IE7 shows a “page cannot be displayed” error, but occasionally you are directed to an unknown site. Do they take your search term when you do a Google search and display a pop-up ad for eBay or some other site? Then you are infected by the core.sys rootkit.

I usually consider myself pretty good at removing these nasty spyware and rootkits, but this one definitely stumped me for a while. The JavaScript that was producing these pop-ups was part of several ad networks, including zero dot com, aavalue dot com and, the biggest, url.cpvfeed.com.

With regard to Internet Explorer, I started off by trying to add url.cpvfeed.com to my list of blocked sites. Google Toolbar and Firefox were not blocking these pop-ups.

I started off with

a. Downloaded Lavasoft Ad-Aware SE Personal. It did its usual scan but did not detect anything that would stop the url.cpvfeed.com pop-ups or remove the core.sys rootkit.

b. I then got Spybot and ran it in safe mode. Again, no detection and the result was a clean system.

c. I tried to run Avenger, but it would not run on Windows Vista :(

I used other tools, including CWShredder, VundoFix and other tools on my spyware disc, but nothing could remove this infection. I then moved to online scanners such as Panda ActiveScan and also Kaspersky Online Scanner… nothing. After any removal through these tools, the spyware kept coming back.

[Image: cpvfeed.com spyware keeps coming back]

Finally, I went and got PC Tools Spyware Doctor, which is included in Google Pack. You might want to go ahead and download it, as we will be using it for the rest of the disinfection process.


How to Prevent Employees from writing or copying to a USB Drive

Working in computer security, one of the biggest threats we face today is the insider: an employee who might casually walk in with a 4 GB USB flash drive, plug it into a computer on the corporate network and walk away with valuable data. I have seen solutions ranging from expensive Intrusion Prevention Systems to disabling access to USB drives altogether.

In the first scenario, a company might not have enough financial resources for such an expensive IPS solution. The second scenario is impossible to implement in a corporation; think about external USB keyboards, mice or an LCD screen.

Prevent a user from writing to a USB drive

In this scenario, let us assume that a corporation has migrated from Windows XP to Windows Vista. It does not wish to use an expensive solution, but at the same time wants to lock users out of the write capability of USB devices.

1. Open Notepad and copy the following (the first line is the header regedit requires in every .reg file)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EncryptionContextMenu"=dword:00000001

2. Save the file as USBNoWrite_Vista.reg
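As an added example (not part of the original post): a small Python parser for .reg files that reads the fragment above, with the header regedit requires, and checks whether a file actually turns on the documented StorageDevicePolicies WriteProtect value, the setting that makes removable storage read-only. That key and the second fragment are assumptions introduced here, not taken from the post.

```python
import re

# The post's own fragment (curly quotes normalised), with the header regedit requires.
POST_FRAGMENT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]
"EncryptionContextMenu"=dword:00000001
"""

# Constructed (assumption, not from the post): the documented StorageDevicePolicies write-protect value.
WRITE_PROTECT_FRAGMENT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies]
"WriteProtect"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')

def parse_reg(text):
    """Parse a minimal .reg file (dword:HEX and "string" data) into {key: {name: value}}."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("missing .reg header; regedit will not import this file")
    result, key = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        m = KEY_RE.match(line)
        if m:                                     # [HKEY_...] opens a new key
            key = m.group(1)
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparseable line: %r" % line)
        name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            result[key][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            result[key][name] = data[1:-1]
        else:
            raise ValueError("unsupported data type: %r" % data)
    return result

def sets_usb_write_protect(reg):
    """True only if the parsed file enables StorageDevicePolicies\\WriteProtect."""
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
    return reg.get(key, {}).get("WriteProtect") == 1
```

Running both fragments through the checker shows that the post's fragment only adds an Explorer context-menu value and does not touch the write-protect policy.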


A Secondary Email Address has been added to your PayPal account :Spam Email

This is a new form of spam email I am seeing. In this email, apparently a secondary email address has been added to my PayPal account. This email could definitely jump out at most people, as most of us have a secondary email address which we enter when we sign up, in case we forget our primary account user name (which at PayPal would be an email address) and/or our password. The email lacks proper formatting, etc. I have received two such emails with the same PayPal Email ID of PP025197. The email address I am supposed to reply to varied. The links used to sign in have been removed.

Following is the content of this email

You’ve added an additional email address to your account.
If you don’t agree with this email orkydork2<at>hotmail.com and jrwiz4rd<at>msn.com and if you need assistance with your account,
click here and login.

To make sure you can use your PayPal account the next time you make a purchase,
all you need to do is confirm or not your email address.
If your email program has problems with hypertext links,
you may also confirm your email address by logging in to your account.

Thank you for using PayPal!
The PayPal Team
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance,
log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.

PayPal Email ID PP025197


The First Spam Email sent out by Gary Thuerk

In this blog, I give out a lot of examples of spam email. The most popular discussion takes place on the Microsoft Lottery Award Spam entry. Spammers use many evasive tactics, like using university message boards for hosting spam, and it looks like their methods are succeeding.

However, let’s go back in time, to May 1, 1978 to be exact, to learn about the first spam email ever.

On this day, 29 years ago, Gary Thuerk, a marketer for Digital Equipment Corporation, sent the first spam email to more than 400 people who had not asked for it. And yes, the email was sent in all CAPITAL LETTERS, ughhh!!!

Mail-from: DEC-MARLBORO rcvd at 3-May-78 0955-PDT
Date:  1 May 1978 1233-EDT
From: THUERK at DEC-MARLBORO
Subject: ADRIAN@SRI-KL
To:   DDAY at SRI-KL, DAY at SRI-KL, DEBOER at UCLA-CCN,
To:   WASHDC at SRI-KL, LOGICON at USC-ISI, SDAC at USC-ISI,
To:   DELDO at USC-ISI, DELEOT at USC-ISI, DELFINO at USC-ISI,
To:   DENICOFF at USC-ISI, DESPAIN at USC-ISI, DEUTSCH at SRI-KL,
To:   DEUTSCH at PARC-MAXC, EMY at CCA-TENEX, DIETER at USC-ISIB,
To:   DINES at AMES-67, MERADCON at SRI-KL, EPG-SPEC at SRI-KA,
To:   DIVELY at SRI-KL, DODD at USC-ISI, DONCHIN at USC-ISIC,
To:   JED at LLL-COMP, DORIN at CCA-TENEX, NYU at SRI-KA,
To:   DOUGHERTY at USC-ISI, PACOMJ6 at USC-ISI,
To:   DEBBY at UCLA-SECURITY, BELL at SRI-KL, JHANNON at SRI-KA,
To:   DUBOIS at USC-ISI, DUDA at SRI-KL, POH at USC-ISI,
To:   LES at SU-AI, EAST at BBN-TENEX, DEASTMAN at USC-ECL,

……

YEH@LLL-COMP
YONKE@USC-ISIB
YOUNGBERG@SRI-KA
ZEGERS@SRI-KL
ZOLOTOW@SRI-KL
ZOSEL@LLL-COMP
DIGITAL WILL BE GIVING A PRODUCT PRESENTATION OF THE NEWEST MEMBERS OF THE
DECSYSTEM-20 FAMILY; THE DECSYSTEM-2020, 2020T, 2060, AND 2060T.  THE
DECSYSTEM-20 FAMILY OF COMPUTERS HAS EVOLVED FROM THE TENEX OPERATING SYSTEM
AND THE DECSYSTEM-10 <PDP-10> COMPUTER ARCHITECTURE.  BOTH THE DECSYSTEM-2060T
AND 2020T OFFER FULL ARPANET SUPPORT UNDER THE TOPS-20 OPERATING SYSTEM.
THE DECSYSTEM-2060 IS AN UPWARD EXTENSION OF THE CURRENT DECSYSTEM 2040
AND 2050 FAMILY. THE DECSYSTEM-2020 IS A NEW LOW END MEMBER OF THE
DECSYSTEM-20 FAMILY AND FULLY SOFTWARE COMPATIBLE WITH ALL OF THE OTHER
DECSYSTEM-20 MODELS.


I believe Brady Quinn will still go to the Browns

Okay, so I am watching the NFL draft. Yes, I can’t believe people spend 15 min per pick, especially in the first round.

However, this is turning out to be a very interesting high-tension drama. I honestly thought that Brady Quinn was the best QB in this year’s draft and the #2 prospect overall behind C.J. So let the Brady Quinn sweepstakes begin…

It’s pick #13 so far and we have the Rams on the clock.

#14: Panthers — Panthers have Jake as their QB. I don’t think they need a QB right now

#15: Steelers — Steelers have Big Ben

#16: Packers — Although this might be Favre’s last season, they have Aaron Rodgers waiting. The only “if” is if they trade, say, next year’s #1, this year’s #2 and Aaron Rodgers for Randy Moss. Then they sit and pick Brady Quinn.

#17: Jaguars — Byron Leftwich and David Garrard.

#18: Bengals — Palmer rules

#19: Titans — Vince Young’s the man here

#20: Giants — although shaky, Eli’s still the apple of NY

#21: Broncos — Jay Cutler

#22: Cowboys — Tony Romo

#23: Chiefs — second-year QB Brodie Croyle getting the call… ok, the Chiefs might snag Quinn. I hope they pass on him.

#24: Patriots — whoa. Brady Quinn is still available. And guess who calls the best coach of all time. Coach Belichick gets a call from his former defensive coordinator Romeo Crennel. Pats trade this pick for Cleveland’s #1 next year, #2 this year and maybe a #4.

Sweet Deal I think


Google launches Google Web History Service

Google is promoting a new service today called the Google Web History Service. While technically this feature has been around for a long time, this is the first time Google is promoting it. You need a Google Account to sign in and use this service.

With the Google Web History Service, you will be able to:

a. View and manage your web activity. You can view and search across the full text of the pages you have visited with this service enabled, including your Google web searches, web pages, images, videos and news stories.

b. Improve your Google search results. Since you are letting Google profile you and your online activity, based on your incoming email, the web sites you visit most often, etc., Google can provide you with more accurate and relevant search results. At the same time, you are also letting Google serve you better targeted ads than ever before.

c. Notice trends in your web activity. You can see interesting trends such as your most visited site or the times when you are most active online, etc.

How to enable the Google Web History Service

1. Visit the Google History webpage. Once you sign in using your Google Account, you are asked to agree to the Google Terms of Service.

2. To include the web pages you visit in your web history, you need to install the Google Toolbar with PageRank enabled. Having PageRank enabled will send information about the pages you visit to Google and associate it with your Google Account.

[Image: Google Toolbar with PageRank enabled]


Awesome Picture of Absolut Hacker

Absolutely love this picture. Check it out on a *nix console

[Image: Absolut Hacker]


Google Adsense Referral program expanding to include Non-Google products?

The Google AdSense referral program has allowed publishers and webmasters to earn additional revenue by exposing their visitors to high-quality products offered by Google. Traditionally such product referrals included Google AdSense (ad revenue for web publishers), Google AdWords (targeted online advertising), Google Checkout (a faster, safer way to shop online), Google Apps (communication and collaboration tools for businesses and organizations, including Gmail and more), Firefox plus Google Toolbar (improved web browsing) and Google Pack (a collection of essential software).

[Image: Current Google AdSense referrals]

Now, it seems that Google is expanding the products it is offering through its referral program. The image below is a screenshot I took this morning while looking under the AdSense Products. Note that these products do not get any CTR yet… but very interesting. Some very lucrative products that you can refer include the Microsoft Xbox, shared web hosting, etc.


Google adds a URL Removal tool for Webmasters

Google Sitemaps is an excellent tool used by a lot of webmasters, including us at AskStudent. As a webmaster, you would always want to exercise greater control over what is indexed by the search engines. For this purpose, most of us use a robots.txt file or a robots meta tag to tell the search engine spiders what we don’t want indexed. But sometimes you would like to remove content that has already been indexed.

As an example, at AskStudent, a couple of months ago we had .html and then .php static pages serving content before we moved to WordPress to serve our content. What happened during this move was that a lot of static .html pages from AskStudent were already indexed. This resulted in errors such as the ones shown below showing up for the search engine crawlers.

[Image: Errors shown in Google Webmaster Tools]

So how do you remove such content that’s already been indexed? Well… Google Sitemaps has added a brand new tool today which allows webmasters to expedite the removal of outdated links instead of waiting for the next crawl.

In your Webmaster Tools account, under the Diagnostic tab, you will see a new option called URL Removals. To get started, click on the URL Removals link, then New Removal Request, and then choose the option that matches the type of removal you want to pursue.

[Image: URL Removal tool in Google Webmaster Tools]

Individual URLs

You can choose to remove an individual URL or an image using this option. According to Google, in order for the URL to be eligible for removal, you must meet one of the following criteria.

[Image: Add a URL for exclusion from the Google search index]


Tips to identify a spam message and protect yourself from Spam

Spam comes in a variety of forms, including fraudulent messages. This mass-messaging is called ‘spoofing’ or ‘password phishing.’

Such fraudulent practices involve messages that appear to be from a legitimate source, or the creation of an official-looking webpage that asks you to provide your username and password or other personal information. Such messages or pages could ask for your Social Security number, bank account number, PIN number, credit card number, mother’s maiden name, or birthday.

Spammers often ask for this information in an attempt to steal your email account, your money, your credit, or your identity.

Many email services, including Google, Yahoo and MSN, provide features that identify phishing email. Besides that, Internet Explorer 7 and Firefox actively monitor the sites you visit and flag a site if it is a suspected phishing site.

Most email clients’ phishing alerts operate automatically, much like spam filtering. A spam filter automatically diverts messages that are suspected of being unwanted into a ‘Spam’ folder. Similarly, phishing alerts automatically display warnings on messages that are suspected of being phishing attacks, so that users know to take care before providing any personal information, as shown in the image below.

[Image: Gmail flagging an email as a spam message]

You should always be wary of any message that asks for your personal information, or messages that refer you to a webpage asking for personal information.

Here’s what you can do to protect yourself and stop fraudsters:

    * Make sure the URL domain on the given page is correct, and click on any images and links to verify that you are directed to proper pages within the site. For example, the URL is http://yourbankname.com/ or, for even more security, https://yourbankname.com/. Although some links may appear to contain ‘yourbankname.com,’ you may be redirected to another site after entering such addresses into your browser.
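As an added example, not part of the original post, serving both the first tip above and the “secondary email address” message quoted earlier on this page: a Python checker that flags addresses and links whose domain is not the claimed brand’s, including a brand name hidden in a path, in a subdomain of another site, or in the part of a URL before an @. The sign-in link in the sample is constructed (the post removed the real ones), and the two-label registered-domain rule is a simplifying assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the body of the "secondary email address" message quoted earlier,
# plus one made-up sign-in link (the post removed the real ones).
SAMPLE_BODY = """You've added an additional email address to your account.
If you don't agree with this email orkydork2<at>hotmail.com and jrwiz4rd<at>msn.com
click here and login: http://paypal.com.example-login.test/cgi-bin/webscr
PayPal Email ID PP025197"""

EMAIL_RE = re.compile(r"[\w.+-]+(?:@|<at>)[\w.-]+\.[a-z]{2,}", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def registered_domain(host):
    """Last two labels of a host name (assumption: fine for .com-style domains)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def url_belongs_to(url, expected):
    """True only if the URL's real host is `expected` or a subdomain of it.
    The brand name appearing in the path, in a subdomain of another site,
    or in the userinfo before '@' does not count."""
    host = urlsplit(url).hostname or ""   # hostname drops userinfo and port
    return host == expected or host.endswith("." + expected)

def suspicious_contacts(body, expected):
    """Addresses and links in `body` whose domain is not the claimed brand's."""
    findings = []
    body_without_urls = URL_RE.sub(" ", body)   # so userinfo in a URL is not read as an address
    for addr in EMAIL_RE.findall(body_without_urls):
        domain = addr.replace("<at>", "@").rsplit("@", 1)[1]
        if registered_domain(domain) != expected:
            findings.append(("email", addr))
    for url in URL_RE.findall(body):
        if not url_belongs_to(url, expected):
            findings.append(("link", url))
    return findings
```

On the sample, both obfuscated reply addresses and the look-alike link are reported, while a genuine service@paypal.com address or a www.paypal.com link passes.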
