August 01, 2004
Don't Let MyDoom.O Become Your Doom
New virus uses search engine strings to harvest email IDs. Learn how encoded text can protect your online identity
This time around I'm not going to dismiss out of hand the trend towards software that requires Microsoft's .NET Framework to be installed. There are many utilities and complete application suites built around this framework, which supplies the common controls and libraries and leaves developers free to concentrate on features and usability. But first, an alert about MyDoom.O, a new fast-spreading worm.
This MyDoom variant carries search-engine query strings that let it mine online indexes for stored email IDs. The worm searches .DOC, .TXT and .HTM/.HTML files on the infected machine for domain names, then submits a query of the form "email ID + domain" to each search engine to locate further addresses at those domains. It also includes its own SMTP engine, and harvests your Outlook Address Book, browser cache, temporary file folder and My Documents folder, as well as your complete hard drive and any mapped network drives, for email addresses. The worm then forges the message From: address to cloak its real origin, and is smart enough to spoof the 'mailer-daemon@' address used for delivery-failure notices.
The search-engine strings used by this worm are (%s marks where the worm inserts its query):
Lycos - http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s
AltaVista - http://www.altavista.com/web/results?q=%s&kgs=0&kls=0
Yahoo - http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=
Google - http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s
Contrary to media reports that Google was blocking such searches, when I last checked on July 31, 2004, each string was still delivering results. And MyDoom.O doesn't stop at being a consumer nuisance: it is also a vehicle for launching a DDoS (Distributed Denial of Service) attack against the search engines themselves.
But don't worry. Download the free McAfee AVERT Stinger 2.3.7 with a July 30, 2004 build date. This version detects MyDoom.O and BackDoor-CFB, as well as BackDoor-AQJ, BackDoor-JZ, Bat/Mumu.worm, Exploit-DcomRpc, IPCScan, IRC/Flood.ap, IRC/Flood.bi, IRC/Flood.cd, NTServiceLoader, PWS-Narod, PWS-Sincom.dll, W32/Anig.worm, W32/Bagle@MM, W32/Blaster.worm (Lovsan), W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Doomjuice.worm, W32/Dumaru, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/Klez, W32/Korgo.worm, W32/Lirva, W32/Lovgate, W32/Mimail, W32/MoFei.worm, W32/Mumu.b.worm, W32/MyDoom, W32/Nachi.worm, W32/Netsky, W32/Nimda, W32/Pate, W32/Polybot, W32/Sasser.worm, W32/Sdbot.worm.gen, W32/SirCam@MM, W32/Sober, W32/Sobig, W32/SQLSlammer.worm, W32/Swen@MM, W32/Yaha@MM and W32/Zafi. I also recommend signing up for the free ChangeDetection service, which emails you when a specific page URL changes; use it to watch the Stinger page, and this blog too (see the bottom of the right-hand navigation panel :)
That worms now target search engines underlines the importance of hiding (cloaking) your email ID on the Web. One option is to encode it. The free E-Cloaker software lets you encode an email ID together with a message subject, with the option of using bland link text such as "Click Here To Send Feedback" to hide the address. An advanced version, MailTo Protector, lets you extend the encoded mailto with CC, BCC and a pre-defined message body. It's available as a free online version that works only with MSIE, the most insecure web browser, and as a software version priced at $19.95.
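To make concrete why encoding helps against the file scan described earlier (a worm pulling addresses out of .HTM files) and what the E-Cloaker style of link buys you, here is an added example. It is not code from this post, from E-Cloaker or from MailTo Protector: the harvester regex, the sample address user@example.com, the subject text and the XOR key are all constructed for the illustration.

```javascript
// Added example, not the post's or any named product's code: why an encoded
// mailto: defeats a file-scanning harvester. The address, subject and key
// below are made up for the illustration.

// A harvester of the kind a worm applies to .HTM/.TXT files: anything that
// looks like user@domain.tld in the raw bytes.
const HARVEST_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function harvest(text) {
  return text.match(HARVEST_RE) || [];
}

// Encoding 1: HTML numeric character references. The browser renders the
// real address, but the raw source never contains "@" or ".com", so a
// harvester that does not decode entities finds nothing. One that decodes
// entities before scanning would still succeed, so this is the weaker form.
function entityEncode(s) {
  return Array.from(s, ch => '&#' + ch.codePointAt(0) + ';').join('');
}

function entityDecode(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Encoding 2: XOR each character with a fixed byte and emit hex. The key
// ships with the page, so this is obscurity aimed at automated scanners,
// not secrecy; but the markup holds only hex digits, and only the
// visitor's browser ever reconstructs the mailto: URL.
const KEY = 0x5a; // hypothetical key chosen for the example

function xorHexEncode(s, key = KEY) {
  return Array.from(s, ch => {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new Error('ASCII/Latin-1 only');
    return (code ^ key).toString(16).padStart(2, '0');
  }).join('');
}

function xorHexDecode(hex, key = KEY) {
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16) ^ key);
  }
  return out;
}

// The HTML the author publishes: bland link text, no address anywhere in
// the markup. The onclick handler expects xorHexDecode() to be present in
// the page inside a <script> block.
function cloakedAnchor(address, subject, linkText) {
  const target = 'mailto:' + address + '?subject=' + encodeURIComponent(subject);
  const hex = xorHexEncode(target);
  return '<a href="#" data-m="' + hex + '" ' +
    'onclick="location.href=xorHexDecode(this.getAttribute(\'data-m\'));return false;">' +
    linkText + '</a>';
}

// Self-check: run the harvester over a plain mailto and the two cloaked forms.
function demo() {
  const address = 'user@example.com'; // constructed sample address
  const plain = '<a href="mailto:' + address + '">Mail me</a>';
  const entity = '<a href="' + entityEncode('mailto:' + address) + '">Mail me</a>';
  const cloaked = cloakedAnchor(address, 'Feedback', 'Click Here To Send Feedback');
  return {
    plainFound: harvest(plain),                         // ['user@example.com']
    entityFound: harvest(entity),                       // []
    entityAfterDecode: harvest(entityDecode(entity)),   // ['user@example.com']
    cloakedFound: harvest(cloaked),                     // []
    cloakedAfterDecode: harvest(entityDecode(cloaked)), // [] (no entities to undo)
    roundTrip: xorHexDecode(xorHexEncode('mailto:' + address)) === 'mailto:' + address,
  };
}
```

The point of the comparison in demo() is the caveat: entity encoding only beats a scanner that never decodes entities, whereas the XOR form leaves nothing address-shaped in the page at all. Neither helps against a worm that reads the address out of an infected visitor's address book, which is why the post goes on to recommend a contact form instead.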
If all this is too much for you, consider displaying your email ID as an image. But don't make the mistake of putting the real address in the image's alt attribute! A downside of any mailto approach is that messages are still sent to you by the visitor's default email client. If the sending computer is infected with a worm, you risk receiving an infected message or having your email ID harvested into the worm's address list. So consider instead a web-based contact form. There are several free-to-use (and often customizable) Perl (CGI) scripts; these are handy if your web host doesn't support server-side scripting languages like CFM, PHP, ASP or ASP.NET. For the few PHP-enabled ISPs that support PHP 5, you could also use the bundled SQLite mini-database engine to store the submissions.
OK, now back to interesting freeware. I recently completed an extensive Firefox 0.9.2 evaluation and find that, out of the box, this browser could use some enhancements. CB Mozilla Optimizer is one such tool. But the .NET-powered Flexbeta Fire Tweaker changes the way the browser tabs look, integrates Firefox into the Windows XP Luna theme complete with styled menus, and can even move the side bar from left to right. You can also tune Firefox's performance, including HTTP pipelining and faster page rendering, with the option of custom configurations (a feature CB Mozilla Optimizer lacks), turning this browser into a speed demon that outpaces both Opera and IE. You can change the way the browser handles tabs and new links, and if you're unhappy with a tweak there's a rollback option too. You can also extend Firefox's usability and feature set with some really neat Extensions (plug-ins). After months of installing over 80% of the available Extensions, I conclude that many work only with specific browser builds, and that recent official Firefox releases already bundle the most popular ones.
Cutting-edge Extension development happens at MozDev, and its Active Projects list includes plug-ins that work with the 0.9.2 and later branches. Of the many different Extensions available, my favorites are:
- Mycroft, a search-engine enhancer
- TabBrowser Preferences, to configure whether new links open as a tab in the current session or in a new window
- SpoofStick, which shows whether the web site you're browsing really is THE web site you think you're on
- User Agent Switcher, which helps fool some web servers into believing you're using a different browser such as MSIE, Opera 7.5x or Mozilla. Includes an option to define new strings
- SessionSaver, which saves open tabs so you can revisit them the next time you run Firefox (similar to the Maxthon/MyIE2/Opera save-open-tabs feature)
- PageRankStatus, which displays a site's Google PageRank without needing the Google toolbar installed