HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA
Elite Member
Posts: 354
Name: The Duke of URL
Routers: Both "NAT" &/or "True Stateful Packet Inspecting" types
11.) I also use a LinkSys/CISCO BEFSX41 "NAT" true firewalling CISCO technology-based router (with cookie & scripting filtering built-in @ the hardware level); these are excellent investments for security.

BY THE WAY, IF YOU OWN A ROUTER? TURN OFF THE UPNP FEATURES IN IT! Why? Take a read: Most Home Routers Vulnerable to Flash UPnP Attack: http://it.slashdot.org/it/08/01/14/1319256.shtml

* Just to be safe...

APK

Last edited by APK; May 23, 2008 at 09:45pm.
AN IMPORTANT SET OF POINTS TO SECURE YOUR WEBBROWSER, EMAIL PROGRAMS, & MORE:
STOP JAVASCRIPT USAGE IN YOUR BROWSERS (along with ActiveX & JAVA) on the PUBLIC internet, PERIOD (well, with SOME exceptions on sites that demand you use it, OR those that cannot function properly without it; some examples below)!

Why? Well, read on: Fact is, that today? Well... Javascript's dangerous & can be used AGAINST you, as well as help you... it truly is, or can be, a 'double-edged sword'. (For example, if you follow security-related news, you will see that JavaScript is the key avenue being used against you in today's attacks (even thru adbanners!)). Some examples:

http://www.wired.com/techbiz/media/n...11/doubleclick
http://apcmag.com/5382/microsoft_apo...e_to_customers

If you MUST use Javascript (for instance, on a particular site like banking or shopping oriented ones)? Try "NoScript" (the .xpi addon for FireFox/Mozilla/NetScape 9 etc.) & let it let YOU decide the sites to use it on, & then DISABLE JAVA/JAVASCRIPT globally (& if you use IE, trying to do the same can be a nightmare, as IE will "nag you to death" if you turn off javascript on sites that use it).

Opera has similar functionality, ALBEIT built into it by default as a NATIVE tool! I.E.-> the ability to GLOBALLY block scripting tools like Javascript, BUT also to allow it for sites you MUST use it on, as exceptions to the GLOBAL rule set in the Tools, Preferences menus it has on its menubar. Opera has the NATIVE BUILT-IN ABILITY to allow you to use it on sites you visit IF you must, via a rightclick on the page & the "EDIT SITE PREFERENCES" popup menu submenu item that appears. Either way? It works, & I STRONGLY recommend this.

----

DISABLE INDISCRIMINATE USE OF ADOBE FLASH:

From Mike567 (giving credit where credit's due): http://forums.windowsforum.org/index...ic=33716&st=20

> Mike567 (Jun 12 2008, 11:28, post 267753): You need to disable the plugins, where flash is located.

&, he's right... I "overlooked/omitted" that much! Why is this important?? Well, take a peek here (very recent, 05/28/2008, as of the date of this posting): Adobe Flash Zero-Day Attack Underway: http://it.slashdot.org/article.pl?si...38247&from=rss

----

I also recommend Opera for these reasons (fewer security holes, period, & the 1 it had yesterday? Patched yesterday too... fast!)

===== SECUNIA DATA ON BROWSER SECURITY (dated 06/26/2008): =====

Opera 9.27-9.50 (new release) security advisories @ SECUNIA (0% unpatched): http://secunia.com/product/10615/?task=advisories
FireFox 3.x security advisories @ SECUNIA (100% unpatched): http://secunia.com/product/19089/
IE 7 (latest cumulative update from MS) security advisories @ SECUNIA (37% unpatched): http://secunia.com/product/12366/

Those %'s are the latest for FireFox 2.0.0.14, Netscape 9.0.0.6, IE7 after the last "patch Tuesday" from MS with the "CUMULATIVE IE UPDATES" they have (see the security downloads URL I post in the 12 steps above to secure yourself), & Opera 9.27... all latest/greatest models.

So, as you can see? Well, NOT ONLY IS OPERA MORE SECURE/BEARING FEWER SECURITY VULNERABILITIES? It's faster too, on just about ANYTHING a browser does, & is probably the MOST standards-compliant browser under the sun (not counting HTML dev tools). This is borne out in these tests: http://www.howtocreate.co.uk/browserSpeed.html AND, yes, others (most recently in Javascript parsing speeds, oddly enough, lol... given the topic of my post here, that is), right here: http://nontroppo.org/timer/kestrel_tests/

NEW NEWS/NEWSFLASH: FF3 is "king of the heap" here now, in javascript parsing speeds, but of what gain is this? Security risks abound in running javascript on "every site under the sun"... limiting it to sites you absolutely NEED it for is the way, IF you wish to stay safer online, that is.

Opera's just more std.'s-compliant - for example, having passed all the ACID tests (2/3, before anyone on the latter & one of the first for the former, no less), plus it's faster + MULTIPLATFORM, & more secure than the others out there - thus, it's an "all-around" overall best solution! QUESTION - So, "where do you want to go today?"... ANSWER = Opera (if you're into speed, security, & std.'s compliance + using a webbrowser that runs on most any platform out there for computing is where).

----

ALSO - HOW TO SET THE "KILL BIT" ON ACTIVEX CONTROLS (I.E.-> this is how to stop an ActiveX control from running in Internet Explorer): http://support.microsoft.com/kb/240797

In case you have "problematic" or security-vulnerable ActiveX controls, per this RealPlayer example thereof: http://service.real.com/realplayer/s...007_player/en/

APK

Last edited by APK; Jun 26, 2008 at 01:23pm. Reason: Crediting Mike567 from WindowsForums for finding a point I missed/omitted (giving credit, where credit is due, is all)... apk
Better, Safer, & F A S T E R DNS Servers
DO NOT USE THIS WITH A HOME or BUSINESS LAN THAT HAS ActiveDirectory going (because, for example, it will mess up things like FULL Outlook binding to EXCHANGE SERVER, because of the INTERNAL DNS SERVER dependencies AD has (ActiveDirectory is HEAVILY dependent on DNS resolutions is why)).

That said & aside? I found something VERY cool, as regards online security, that I stumbled onto during my meanderings online today!

ScrubItDNS: http://www.scrubit.com

* GREAT IDEA, & it WORKS, painlessly... AND F A S T, too!

OpenDNS Servers are another viable alternate, but they are NOT quite as easily set up for things parents may like: taking out Pornographic content... for those of you that LIKE that, ScrubIT's NOT FOR YOU, but for parents with kids? Probably the right idea!

APK

P.S.=> Take a read of what it does, how EASY it is to implement (lol, they even give a GUI to do the job for you, because digging into your network connection MIGHT be a "bit much" for some folks; to make it easy for anyone really... 2 clicks!) & YOU DECIDE... I have tried it, & it DOES work, by filtering off sites thru it that are 'dangerous' OR 'offensive' (like ones you might find that are involved with the above exploit, or others like GOOGLE + SPYBOT Search & Destroy help you with) - PLUS, Pr0n sites (some of you, lol, may NOT like that "feature" though). Still, bottom-line - For layered security? This is a GOOD idea, this "scrubit" DNS server... imo, so far @ least... apk

Last edited by APK; May 23, 2008 at 10:10pm.
HOW TO REMOVE MALWARE INTRODUCTION & STEPS + TOOLS:
(Virus/Trojans/Spyware & some rootkits) - just like NIST recommends in their guides also (a malware removal procedure):

NOW, after ALL of the above? IF you do find yourself "infested" though, one day?? (Which is going to be RARE (if @ all) - usually, after the above set of steps you can use to secure yourselves, the ONLY way you usually can be reinfected is to click & run a bogus email attachment, OR by turning on Javascript & IFrames, for instance (or allowing shockwave or a bum ActiveX control to run), OR via a vulnerability in your applications OR Operating System that needs patching (I note this in the init. post of this thread in fact, in this latter point, now)). YES - it happens! Far more rarely than it had before (using a buddy of mine, Jack, as an example, in fact - I chose him as a tester because he was nearly constantly infested is why, & this all worked for him, until he violated the javascript usage rules I mentioned above). E.G.-> I have had users violate that/those "rule(s)" from above & that was how they were reinfected - BUT, one tester of mine DEFINITELY gets infected FAR LESS than he used to, by applying the above... this is certain! I.E.-> I have had this setup running Windows Server 2003 (SP#2, fully hotfix patched & hardened per the above as of this date) since early 2003, running "110% bulletproof & bugfree" because of following the rules & suggestions noted above!

ANYHOW - Malware infested? TRY THIS SET OF TOOLS & TECHNIQUES: How to clean yourself up? This "toolkit" & process has helped me get thru over 1,000 spyware/virus clean-up calls, & hopefully? It will help yourself as well, so... here goes:

==========

1.) Reboot your system to the F8 @ startup "Windows Advanced Options" bootup menu that stops you during the boot sequence.

----

2.) There, choose "safemode with networking" (via the "Windows Advanced Options" menu you get presented with while tapping the F8 key repeatedly @ system startup).

----

3.) Once in safemode with networking Windows, download/install & RUN these tools (they are not much to look at, BUT they do work on MOST threats today & get regularly updated):

a. Run IE, use its TOOLS menu, Manage Addons submenu, & turn off ANY BHO etc. objects that you do NOT absolutely NEED, or know what they are (many malwares in the form of bogus toolbars or BHO (browser helper objects) often hide here). ALSO, GREAT NEW POINT EDITED IN NOW (01/13/2008) per Delightus14 @ Neowin forums: ALSO CLEAN OUT YOUR WEBBROWSER CACHES & %temp/tmp% temp. ops locations so no maladies exist there also awaiting re-awakening by accident. You do this via Internet Explorer (using IE as an example; it is the same idea in Opera/FireFox/Netscape/Mozilla etc. too) via its Tools menu, Internet Options submenu, & on IE's options screen use the "Browsing History" group in IE7, & delete things as necessary from IE's browser caches etc. & for the OS + app level %temp% & %tmp% environmental values' areas? Type SET @ a DOS prompt to see where you located those, & burn their contents via DEL commands, OR via explorer.exe/MyComputer file management.

b. Run msconfig.exe, & stall out ANY apps you do NOT absolutely NEED to run (many malware start here in fact). If you do NOT know the name of the program & what it does? Look it up on GOOGLE... same with the BHO's above in IE.

c. DOWNLOAD & INSTALL SpyBot 1.51x

d. DOWNLOAD (OPTIONAL - use ONLY if Spybot, for example, cannot remove a malware) ComboFix (don't run it yet - there is no installer, it IS its own install + run package). COMBOFIX MAY HAVE SOME "MINOR SIDE EFFECTS" though, & here are 3 I have noted, & HOW to fix them:
   1.) IE homepage: No big deal to "fix this". You go to Start Button -> CONTROL PANEL (use CLASSIC VIEW, it's easier imo) -> Internet Options -> General Tab & HOMEPAGE (here is where you change that).
   2.) System Time (rightclick on the timeclock in the lower righthand side of your screen, & from its POPUP menu, use the Date/Time tool).
   3.) Desktop wallpaper (easy to fix: Rightclick on the Desktop, use the properties menu & the desktop tab, change your background wallpaper there).

e. DOWNLOAD (OPTIONAL - use ONLY if Spybot, for example, cannot remove a malware) SmitFraudFix (which also has its own LSP (layered service provider) fix, I have heard tell, BUT, again: Don't run it yet - as AGAIN -> there is no installer, it IS its own install + run package). An alternate here is LSPFix.exe...

----

4.) Clean out your rig, running SpyBot first (most of the threats today are SPYWARE related, or TROJANS, more than std. typical traditional viruses, by the way).

----

5.) Then, run ComboFix (this will reset your webbrowser homepage & background desktop wallpaper; you will have to reset these, & possibly your date/time clock in Windows too). (OPTIONAL - use ONLY if Spybot, for example, cannot remove a malware)

----

6.) Then, run SmitFraudFix (or, as an alternate, LSPFix). (OPTIONAL - use ONLY if Spybot, for example, cannot remove a malware)

----

7.) Reboot to "normal Windows" (no F8 stuff this round) - it MAY hesitate/be slower this bootup though, because SpyBot/ComboFix/SmitFraud do a 2nd-look type check on bootup many times... so, be prepared for this part.

----

8.) Then, once in normal Windows again, scan with your AntiVirus solution (now fully updated hopefully, & if not, do update it first & then scan). A good suggested FREE one is AVG AntiVirus (I suggest this one because it is free + complete w/ mail protection too that's decent enough, & just in case your antivirus solution is expired... if it is not expired, update the one you use). Keeping another around for a "2nd Dr.'s Opinion" is NOT a bad idea, BUT: ONLY RUN 1 OF THEM "resident" (meaning running its background application & file scanning engine, usually implemented as a service + trayicon app). IMO, NOD32 is the best performer all-around in terms of antivirus programs. av-comparatives & vb100 tend to 2nd me here as well.

* @ that point? You probably will have 'caught the culprits', OR @ least have the name + location of any threats they could NOT eliminate... & here is where it gets REALLY "fun"...

==========

NOW, when you CAN'T remove a virus using "script kiddie automated tools" like those noted above (not putting them down calling them that, because they ARE somebody's hard work & freely given time as well... but they ARE that, because they're only automating what YOU can do yourself with other tools like msconfig/IE manage addons, & more tools like Process Explorer + regedit & explorer.exe (OR even Recovery Console) can allow YOU to do yourself, albeit slower... the nice part about the automated killers like the tools I mention above is that they operate FAR FASTER than human beings do).

ANYHOW - IF you can get its name & location on disk, say, via a report from AVG or other programs you use for this? Boot your system from the OS install CD, & go to RECOVERY CONSOLE! There, switch to the folder that houses it using CD (almost like the DOS one, but uses .. ONLY to switch to ancestor folder roots really (instead of \ etc. et al))! Then, once you are in its folder, fry it there (nothing will be loading & thus locking it there) using the DEL command -> DEL filename.

**** It's THAT, or using Process Explorer in UserMode/Ring 3/RPL3 operation... You would suspend the calling process via the right click popup menu options it offers for this! Once the calling process is suspended (& many times, also the called or DLL injected library as well), you can delete ANY potential offending injected DLL/lib virus-trojan-spyware-malware being called by said parent process, on disk. (This is assuming this is a lib-loaded virus/spyware/trojan/malware etc., not a standalone .exe type.) That's done via watching the loaded DLL's that ANY app may have loaded presently (for that, you would have to use ProcExp's CTRL+D keystroke shortcut, with the lower pane view present/visible, & set like that), IF there is one and this thing doesn't launch by itself from one of the registry RUN areas or startup groups, that is... Using Process Explorer can help! (Again, especially if this is being run by "DLL Injection" (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones)).

**** The easier/simpler route? My first suggestion: Use Recovery Console, once you have its name & location on disk... the DEL command will take care of it, lickety-split, no-$heet.

TO INSTALL RECOVERY CONSOLE AS A BOOTUP MENU OPTION:

1. Insert the Windows XP CD into the CD-ROM drive.
2. Click Start, and then click Run.
3. In the Open box, type d:\i386\winnt32.exe /cmdcons where d is the drive letter for the CD-ROM drive.
4. A Windows Setup Dialog Box appears. The Windows Setup Dialog Box describes the Recovery Console option. To confirm the installation, click Yes.
5. Restart the computer. The next time that you start your computer, "Microsoft Windows Recovery Console" appears on the startup menu.

(Alternately, you may boot up from your XP/Server 2003/VISTA install media, & run it there (via the boot options menu choices then).)

Then, once you are booted & logged into it, use: FixMBR & DEL (filename). Once in the folder/directory (via the CD dos command) where those rogue files are, burn them in RC... using DEL.

NOTE/IMPORTANT: You MAY have to use SECPOL.msc & give yourself rights to folders other than %windir% & its subordinates though, if the rogue files aren't underneath Windows itself... because RC's default ACL to those things is just %windir% & its subordinate folders only. Start in the left-hand side pane of secpol.msc -> Security Settings -> Local Policies -> Security Options (now the right-hand side pane of secpol.msc) -> Recovery Console: Allow Floppy Copy and Access to all drives and folders

APK

P.S.=> Rootkits & how to blow THOSE out? Guess what your "best pal" is, yet again?? Ah, you guessed it - RECOVERY CONSOLE & the FixMBR command! HOWEVER - FixMBR ONLY works on (only) BOOTSECTOR-ORIGINATED TYPES though... There are other kinds (driven by drivers &/or kernel mode API 'hooking' & more)... Soon, & I am NOT the only person theorizing this (because I saw BIOS flash code @ rootkit.com over more than a year back, no less, & IMMEDIATELY said "oh boy, here comes bios flashing malware")?? Soon you'll have BIOS flashing attacks via malwares (virus/trojans/spywares) & rootkits too (as rootkits typically ride "under the OS" or make themselves invisible to it, via interception of even kernel mode API calls, doing something called 'hooking')... How so?? Well, an example (a legit program I built this year for the fine Sci-Fi series from the BBC in the UK called "Dr. Who" (longest running Sci-Fi show there is, huge fan here since the 1970's in fact)):

----------------------------------------------------------------------
APK Doctor Who ScreenSaver 2008++ version 1.0:
----------------------------------------------------------------------
http://www.drwhodaily.com/community/...?showtopic=386
----------------------------------------------------------------------

I store the .avi it plays back INSIDE of the .scr executable, as a 'resource' I point to & play back from RAM, not disk, via a child thread (it's a multithreaded design)... That said - now, consider this: Since ASUS & GIGABYTE have tools that 'flash' your BIOS that now operate inside Windows itself? Well, what is stopping a "blended/combined package" threat malware from using not only "std. attack methods" but also rootkit techniques too! (Once more - means a "malware type" that literally "rides beneath the OS", from out of the BIOS, or from a bootsector spawning (the only kind I know how to kill, in fact, via Recovery Console FixMBR), or via kernelmode API intercept hooking (the ability to 'fake out' what API's do or report back to you, in layman's terms).) What is stopping malware makers from doing the SAME thing I do in that program above to 'disguise' their evil machinations? Well... Not much! Especially considering you can not only store .avi files, but pretty much anything, including a BIOS IMG file & a "Plug-N-Play" driver to make this happen! (PnP drivers = a driver that can start from usermode/Ring3/RPL3 where you run programs from, vs. Ring 0/RPL0/kernelmode where most drivers traditionally run from)... Food for thought... you get one of these types (afaik not here YET)? OR rootkits of other kinds (not bootsector-killable, but instead memory resident)?? Backup your data & "repave" is the typical recommendation... I have no idea how I would kill one, & afaik? Nobody else does either, aside from starting fresh, OR trying to "overwrite" your current setup w/ a backup (assuming it is clean too, & that might NOT be a good assumption)... apk

Last edited by APK; May 27, 2008 at 10:23am. Reason: Added in how to install RECOVERY CONSOLE as a boot.ini BOOT MENU bootup option (& more)... apk
The "RBN" (Russian Business Network) & how to avoid them infecting you
As regards the "Russian Business Network" (RBN), who has been @ the heart of MANY online attacks (or things like the Zlob trojan & IDTheft-related attacks, etc. et al)? Use this information to protect yourselves from them. (RELIABLE/REPUTABLE SOURCE USED = http://www.spamhaus.org/rokso/eviden...kso_id=ROK7465)

----

FIRST OF ALL - Note, I use "0.0.0.0" vs. "127.0.0.1" (that is simply because, iirc, the zero's-based one leads to a NULL port type of request, rather than your "loopback adapter" (i.e.-> YOUR OWN MACHINE fielding requests), for a couple of reasons (which it took me some time to come up w/ & testing as to which is "better" to use)). SECONDLY, 0.0.0.0 is SMALLER than 127.0.0.1, & thus parses + loads FAR faster, & is smaller on disk is why - AND in RAM once loaded: THUS, I am logically concluding that 0.0.0.0 is better to use, period, for HOSTS file blocks - same function, & @ LESSER cost, nearly all the way around (less diskspace, faster loadspeed, less memory occupancy, etc. et al). A MORE EFFICIENT STRUCTURE!

----

USING NOTEPAD.EXE, ADD THIS LIST TO YOUR CUSTOM HOSTS FILE (usually located in the %windir%\system32\drivers\etc subfolder-subdirectory):

# === START OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS ===
0.0.0.0 rxpharmacy-support.com
0.0.0.0 ns3.cnmsn.com
0.0.0.0 thecanadianmeds.com
0.0.0.0 officialmedicines.com
0.0.0.0 psxshop.com
0.0.0.0 10000xing.cn
0.0.0.0 222360.com
0.0.0.0 adslooks.info
0.0.0.0 bnably.com
0.0.0.0 eqcorn.com
0.0.0.0 familypostcards2008.com
0.0.0.0 freshcards2008.com
0.0.0.0 happy2008toyou.com
0.0.0.0 happysantacards.com
0.0.0.0 hellosanta2008.com
0.0.0.0 hohoho2008.com
0.0.0.0 kqfloat.com
0.0.0.0 ltbrew.com
0.0.0.0 mymetavids.com
0.0.0.0 obebos.cn
0.0.0.0 parentscards.com
0.0.0.0 postcards-2008.com
0.0.0.0 ptowl.com
0.0.0.0 qavoter.com
0.0.0.0 santapcards.com
0.0.0.0 santawishes2008.com
0.0.0.0 siski.cn
0.0.0.0 snbane.com
0.0.0.0 snlilac.com
0.0.0.0 tibeam.com
0.0.0.0 tushove.com
0.0.0.0 wxtaste.com
0.0.0.0 yxbegan.com
0.0.0.0 iframedollars.biz
0.0.0.0 NS1.RBNNETWORK.COM
0.0.0.0 NS1.4USER.NET
0.0.0.0 NS1.EEXHOST.COM
0.0.0.0 NS1.AKIMON.COM
0.0.0.0 NAME1.AKIMON.COM
0.0.0.0 NS2.RBNNETWORK.COM
0.0.0.0 NS2.4USER.NET
0.0.0.0 NS2.AKIMON.COM
0.0.0.0 NS2.EEXHOST.COM
0.0.0.0 NAME2.AKIMON.COM
0.0.0.0 RUSOUVENIRS.COM
0.0.0.0 RBNNETWORK.COM
0.0.0.0 NS1.INFOBOX.ORG
0.0.0.0 NS2.INFOBOX.ORG
0.0.0.0 NS1.RUSOUVENIRS.COM
0.0.0.0 NS2.RUSOUVENIRS.COM
0.0.0.0 NS1.RUSOUVENIRS.NET
0.0.0.0 NS2.RUSOUVENIRS.NET
0.0.0.0 SBTTEL.COM
0.0.0.0 AKIMON.COM
0.0.0.0 AKIMON.NET
0.0.0.0 EEXHOST.COM
0.0.0.0 NS1.EEXHOST.COM
0.0.0.0 NS2.EEXHOST.COM
0.0.0.0 NS1.4USER.NET
0.0.0.0 NS1.AKIMON.COM
0.0.0.0 NS1.EEXHOST.COM
0.0.0.0 NAME1.AKIMON.COM
0.0.0.0 NS1.RBNNETWORK.COM
0.0.0.0 NS2.4USER.NET
0.0.0.0 NS2.AKIMON.COM
0.0.0.0 NAME2.AKIMON.COM
0.0.0.0 NS2.RBNNETWORK.COM
0.0.0.0 NS2.EEXHOST.COM
0.0.0.0 VALUEDOT.NET
0.0.0.0 ns0.valuedot.net
0.0.0.0 ns1.valuedot.net
0.0.0.0 1000WATT.BIZ
0.0.0.0 2SOVKA.NET
0.0.0.0 AIDEN-GROUP.COM
0.0.0.0 AKIMON.COM
0.0.0.0 ALEKC.NET
0.0.0.0 ANDREY-STUDIO.INFO
0.0.0.0 AUTOKUBAN.INFO
0.0.0.0 AVIATRAVELAGENCY.COM
0.0.0.0 AVTOMOBILEY.NET
0.0.0.0 BAGATITSA.COM
0.0.0.0 BAIKERGROUP.COM
0.0.0.0 BALTICDOORS.COM
0.0.0.0 BALTMONOLIT.COM
0.0.0.0 BRIGADA-EL.COM
0.0.0.0 CARPRIVOZ.COM
0.0.0.0 CHILLERU.COM
0.0.0.0 CVETOVODSTVO.COM
0.0.0.0 E-GOLD-CHANGER.COM
0.0.0.0 ELECTRONOV.NET
0.0.0.0 FASHIONER.BIZ
0.0.0.0 FFFFFF.ORG
0.0.0.0 FIFACUP06.INFO
0.0.0.0 FISHTORG.COM
0.0.0.0 FKGARANT.COM
0.0.0.0 FOTORETUSH.COM
0.0.0.0 FREGATSOFT.COM
0.0.0.0 FROLROMANOFF.COM
0.0.0.0 FULLVER.INFO
0.0.0.0 GAKKEL.COM
0.0.0.0 GARANTSERVICE.ORG
0.0.0.0 GDEDENGI.INFO
0.0.0.0 GLAZKI.NET
0.0.0.0 GOLD-DRAGON.INFO
0.0.0.0 GORODM.COM
0.0.0.0 GRAYZI.NET
0.0.0.0 GRIFFINFLY.COM
0.0.0.0 HEAT-ENERGO.COM
0.0.0.0 HITEMA.NET
0.0.0.0 HYIPREVIEW.INFO
0.0.0.0 HYIPSMAP.COM
0.0.0.0 ILOXX.ORG
0.0.0.0 IMYA.INFO
0.0.0.0 INFODOSKA.COM
0.0.0.0 INTERNETWORLDBOOK.COM
0.0.0.0 KLIMATA.NET
0.0.0.0 KOMOV.NET
0.0.0.0 KOSMETICHKA.NET
0.0.0.0 LIDTRADE.COM
0.0.0.0 LIFE-RU.ORG
0.0.0.0 LPSPB.COM
0.0.0.0 M-OST.NET
0.0.0.0 M-UNLOCK.COM
0.0.0.0 MAMRU.COM
0.0.0.0 MAPSERV.COM
0.0.0.0 MASTERDOKS.COM
0.0.0.0 MIRMED.COM
0.0.0.0 MOOSEMUSE.COM
0.0.0.0 MOREPRODUCT.NET
0.0.0.0 MUSEMOOSE.COM
0.0.0.0 NESTRONICS.COM
0.0.0.0 NESTRONICS.NET
0.0.0.0 NOFUN.INFO
0.0.0.0 OIL-GAS-MINERALS.COM
0.0.0.0 OKOSHKA.NET
0.0.0.0 OPTIMUS.BIZ
0.0.0.0 OTKRITKI.NET
0.0.0.0 OTKRITOK.NET
0.0.0.0 PARALLELSIXTY.COM
0.0.0.0 PASSOMONTANO.COM
0.0.0.0 PETROBALT.NET
0.0.0.0 PHARMACY-MD.COM
0.0.0.0 PISKUNOV.NET
0.0.0.0 POIGRAI.INFO
0.0.0.0 PROETCONTRA.ORG
0.0.0.0 PSOLAO.ORG
0.0.0.0 ROSEL.INFO
0.0.0.0 SBTTEL.COM
0.0.0.0 SECONDAPPROACH.COM
0.0.0.0 SMARTSOFTLINE.COM
0.0.0.0 SMESHNOY.COM
0.0.0.0 SQUAREDREAM.COM
0.0.0.0 STROIINFORM.COM
0.0.0.0 STROYBRIGADA.COM
0.0.0.0 TANK-HOBBY.COM
0.0.0.0 TECHNONORDIC.COM
0.0.0.0 TELEUNITED.NET
0.0.0.0 TEPLOCOM.COM
0.0.0.0 THERMOCAUTERY.COM
0.0.0.0 TIARU.COM
0.0.0.0 TRADEFINANS.COM
0.0.0.0 TRADEFINANS.NET
0.0.0.0 TRAININGS-TRIUMPH.ORG
0.0.0.0 TSAR-SUVENIR.COM
0.0.0.0 UEFACUP08.INFO
0.0.0.0 UMNIKSOFT.COM
0.0.0.0 UNDERCOOLED.NET
0.0.0.0 VALIDBIT.COM
0.0.0.0 VERESC.ORG
0.0.0.0 VOROLAIN.COM
0.0.0.0 WHITENIGHTSHOSTELS.COM
0.0.0.0 WORLDFONDS.NET
0.0.0.0 XRUST.NET
0.0.0.0 YAHOCHU.COM
0.0.0.0 Z-GROUP.INFO
0.0.0.0 ZDRAV.INFO
0.0.0.0 ZHESTOV.NET
0.0.0.0 ZOOSPB.COM
0.0.0.0 goldenpiginvest.com
0.0.0.0 goldenpiginvest.net
0.0.0.0 pharmacy-viagra.net
# === END OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS ===

Also - You can (AND SHOULD) verify your HOSTS file location, because it CAN be moved (& some virus/spywares do so, like QHosts), by using regedit.exe & going here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters & checking to see it has NOT been misdirected from C:\WINDOWS\SYSTEM32\DRIVERS\etc in the DataBasePath entry, in the right-hand side pane of regedit.exe... (That is, UNLESS you KNOW that YOU moved it, as I do!) I move mine INTENTIONALLY to another disk here that is less used & faster on seeks! That is just so it init.'s faster, since the HDD is not contending with other programs loading etc. or data loading etc. - mine's on an SSD (solid-state ramdisk, for access-seek gains, for example).

----

FOR FIREWALL BLOCKING RULES (or IE "restricted zones" lists (in IE options), OR possibly IP Security Policies usage):

I.P. address block for Russian Business Network:
81.95.144.0/20 #SBL43489 (81.95.144.0 - 81.95.159.255)

And the address blocks for its equally corrupt cousins at Intercage, Inhoster, and Nevacon:
85.255.112.0/20 #SBL36702 (85.255.112.0 - 85.255.127.255)
69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
194.146.204.0/22 #SBL51152 (194.146.204.0 - 194.146.207.255)

Lastly/Optionally - You should block all IPs starting with these if you do not care about Russia and China:
193.
194.
195.
213.
217.
62.64.
62.76.

(AND, a few major Internet providers that provide services to RBN, including)
Tiscali.uk
SBT Telecom
Aki Mon Telecom
Nevacon LTD
Frame Cash
76service
Noc4Hosts

APK

P.S.=> So you all know WHY I put up info. on the "RBN" (Russian Business Network) in my last post above? Well, I strongly suspected (& proved correct) "they're @ it again", & here is why: Cyber-attack launched from 10,000 web pages: http://itnews.com.au/News/71994,cyberattac...-web-pages.aspx

"A single entity is likely to be behind this attack, since the malicious code on all these pages came from the same server in China."

(AND, the "RBN" is KNOWN to 'hop between' China & Russia regularly, as needed, & I suspect they are the ones behind this, but the article offers NO discrete IP Address ranges or IP's, so we have to wait on the specifics, but it is a GOOD guess based on their prior track record w/ Zlob, which I see nearly every day @ times on the job)... apk

Last edited by APK; May 23, 2008 at 09:50pm.
More "RBN" info. ... apk
"New NEWS": Well, it appears I was correct in my "assumption/guess" above (about my suspecting the "RBN being @ it again"), 2 posts up, which is NOW verified, per this quote from the above source:

SECOND MASS HACK EXPOSED: http://www.itnews.com.au/News/72214,second...ck-exposed.aspx

AND, the source I used for this list: http://ddanchev.blogspot.com/2008/03/more-...ame-attack.html

And, the salient portion that notes that my suspicion was correct:

"if you look at the IPs used in the IFRAMEs, these are the front-end to rogue anti virus and anti spyware tools that were using RBN's infrastructure before it went dark, and continue using some of the new netblocks acquired by the RBN"

So, with that said? Here are those URL's from the list above, albeit altered to 0.0.0.0 equations, for your CUSTOM HOSTS FILE, that shuts out RBN (these appear to be their newly acquired domains list) & the servers they use:

START OF LIST TO ADD TO YOUR CUSTOM HOSTS FILE FOR BLOCKING OUT BAD SITEs/ADBANNERS THAT MAY BE INFECTED ETC.:
0.0.0.0 do-t-h-e.com
0.0.0.0 rx-pharmacy.cn
0.0.0.0 m5b.info
0.0.0.0 hotpornotube08.com
0.0.0.0 hot-pornotube-2008.com
0.0.0.0 hot-pornotube08.com
0.0.0.0 adult-tubecodec2008.com
0.0.0.0 adulttubecodec2008.com
0.0.0.0 hot-tubecodec20.com
0.0.0.0 media-tubecodec2008.com
0.0.0.0 porn-tubecodec20.com
0.0.0.0 scanner.spyshredderscanner.com
0.0.0.0 xpantivirus2008.com
0.0.0.0 xpantivirus.com
0.0.0.0 bestsexworld.info
0.0.0.0 requestedlinks.com
END OF LIST TO ADD TO YOUR CUSTOM HOSTS FILE FOR BLOCKING OUT BAD SITEs/ADBANNERS THAT MAY BE INFECTED ETC.

FOR THOSE INTERESTED (or those that need actual IP addresses to add to firewall rules tables OR IE restricted zones etc.), here are the actual IP addresses of the bogus servers:
do-t-h-e.com (69.50.167.166)
rx-pharmacy.cn (82.103.140.65)
m5b.info (124.217.253.6)
hotpornotube08.com (206.51.229.67)
hot-pornotube-2008.com (206.51.229.67)
hot-pornotube08.com (206.51.229.67)
adult-tubecodec2008.com (195.93.218.43)
adulttubecodec2008.com (195.93.218.43)
hot-tubecodec20.com (195.93.218.43)
media-tubecodec2008.com (195.93.218.43)
porn-tubecodec20.com (195.93.218.43)
scanner.spyshredderscanner.com (77.91.229.106)
xpantivirus2008.com (69.50.173.10)
xpantivirus.com (72.36.198.2)
bestsexworld.info (72.232.224.154)
requestedlinks.com (216.255.185.82)

Also - These you won't be able to block via HOSTS file filtering methods, but they still can be blocked via other means (IE restricted zones, firewall rules tables, etc. et al):
89.149.243.201
89.149.243.202
72.232.39.252
195.225.178.21

* Enjoy, stay safe, & keep surfing!

APK

Last edited by APK; May 23, 2008 at 09:51pm.
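The two RBN posts above hand out HOSTS entries, a registry check for the HOSTS location, CIDR netblocks for firewall rules, and bare IPs that a HOSTS file cannot block. The following is an added example (Python, standard library only; it is not code from APK's posts nor from any tool he names) that puts those pieces into working form: it parses hosts-file text, folds case duplicates such as NS1.EEXHOST.COM / ns1.eexhost.com into one entry, rewrites every blocked name to the 0.0.0.0 form the post prefers without clobbering entries an existing HOSTS file already has, reports malformed lines instead of silently dropping them, and tells you which of the four quoted netblocks (if any) contains a given IP. The sample blocklist and existing-HOSTS text are constructed for the demo from names and addresses in the posts; the bare first-octet prefixes (193., 194., ...) are deliberately left out of the netblock list; the DataBasePath check runs only on Windows and is an assumption about how you want that registry check expressed.

```python
"""Added example (not part of APK's posts): maintain a 0.0.0.0-style HOSTS
blocklist like the RBN lists above and check IPs against the quoted netblocks."""
import ipaddress
import os
import re
import sys

# Constructed sample input: a few entries copied from the two RBN lists above,
# plus a 127.0.0.1-style line, a duplicate in different case, a comment and a
# malformed line, to exercise the parser.
SAMPLE_BLOCKLIST = """\
# === START OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS ===
0.0.0.0 rxpharmacy-support.com
127.0.0.1 NS1.EEXHOST.COM
0.0.0.0 ns1.eexhost.com            # same host as the line above
0.0.0.0 xpantivirus2008.com        # rogue AV front-end (69.50.173.10)
0.0.0.0 not a hostname!!
# === END ===
"""

# Constructed sample of a HOSTS file that already exists and must not be clobbered.
SAMPLE_EXISTING_HOSTS = "127.0.0.1 localhost\n0.0.0.0 iframedollars.biz\n"

# CIDR netblocks from the firewall-rules part of the first RBN post above
# (the bare first-octet prefixes listed there are deliberately not included).
RBN_NETBLOCKS = [
    ipaddress.ip_network("81.95.144.0/20"),    # SBL43489, RBN
    ipaddress.ip_network("85.255.112.0/20"),   # SBL36702, Inhoster
    ipaddress.ip_network("69.50.160.0/19"),    # Intercage
    ipaddress.ip_network("194.146.204.0/22"),  # SBL51152, Nevacon
]

# RFC 1123 hostname: labels of 1-63 letters/digits/hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def parse_hosts(text):
    """Parse hosts-file text into ({hostname: ip}, [rejected raw lines]).

    '#' comments are dropped, a line may carry several hostnames, hostnames are
    lower-cased (DNS is case-insensitive) so NS1.EEXHOST.COM and ns1.eexhost.com
    collapse into one entry, and anything that is not '<ip> <hostname>...' is
    reported rather than silently skipped.
    """
    entries, rejected = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        names = fields[1:]
        ok = bool(names) and all(
            len(n) <= 253 and HOSTNAME_RE.match(n) for n in names)
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            ok = False
        if not ok:
            rejected.append(raw)
            continue
        for n in names:
            entries[n.lower()] = ip
    return entries, rejected


def merge_blocklist(existing_text, blocklist_text, target="0.0.0.0"):
    """Add blocklist names to an existing HOSTS file.

    Every blocked name is written as `target` (the post's 0.0.0.0 convention,
    even if the list used 127.0.0.1), but a name the existing file already maps
    (e.g. '127.0.0.1 localhost') is left alone.  Returns
    (new_hosts_text, names_added, rejected_lines).
    """
    existing, rejected = parse_hosts(existing_text)
    blocked, bad = parse_hosts(blocklist_text)
    added = sorted(name for name in blocked if name not in existing)
    lines = [f"{ip} {name}" for name, ip in existing.items()]
    lines += [f"{target} {name}" for name in added]
    return "\n".join(lines) + "\n", added, rejected + bad


def blocked_netblock(ip_text):
    """Return the listed CIDR (as text) that contains ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net in RBN_NETBLOCKS:
        if ip in net:
            return str(net)
    return None


def hosts_database_path():
    """Windows only: the post's QHosts check.  Reads Tcpip\\Parameters\\DataBasePath
    and returns (expanded_path, still_default); returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    value, _ = winreg.QueryValueEx(key, "DataBasePath")
    path = os.path.normcase(os.path.expandvars(value))
    default = os.path.normcase(os.path.join(
        os.environ["SystemRoot"], "System32", "drivers", "etc"))
    return path, path == default


if __name__ == "__main__":
    merged, added, rejected = merge_blocklist(SAMPLE_EXISTING_HOSTS, SAMPLE_BLOCKLIST)
    print(merged, end="")
    print("added:", added)
    print("rejected:", rejected)
    for ip in ("69.50.167.166", "195.93.218.43"):   # IPs from the second post
        print(ip, "->", blocked_netblock(ip))
    print("DataBasePath:", hosts_database_path())
```

Run as a script it prints the merged file, the three names it added, the one line it refused, and shows that 69.50.167.166 (do-t-h-e.com) falls inside the Intercage /19 while 195.93.218.43 is in none of the four quoted blocks. To apply it for real, read the current HOSTS file from the path hosts_database_path() reports, pass its text as existing_text, and write the returned text back with administrative rights; keep the rejected lines rather than discarding them, since a blocklist line that fails to parse is exactly what a tampered or typo'd list looks like.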
Applications Vulnerability Scanners & more
More security tools/info. (04/28/2008), for APPLICATION LEVEL SECURITY (I.E.-> for checking for apps you have that may be security vulnerable OR have been patched vs. said vulnerabilities, etc.):

----

SECUNIA PSI (checks for outdated OR apps that are known to be insecure): https://psi.secunia.com/

NEW VERSION (released very recently too). A good program, by a trusted & WELL-KNOWN security-oriented website online (I tried version 1 earlier on last year; it needed work. This one is solid though, so far @ least, imo!) (It works, & sometimes catches things FILEHIPPO UPDATE CHECKER below won't - good "2nd Doctor's opinion" etc.)

----

FileHippo's Update Checker (checks for outdated OR apps that are known to be insecure; supplements PSI above): http://filehippo.com/updatechecker/

Decent program as well, & good to use as a supplement to the SECUNIA PSI Tool (from a well-known file downloads site also, in filehippo). (It works, & sometimes catches things SECUNIA PSI above won't - good "2nd Doctor's opinion" etc.)

----

APK Registry Cleaning Engine 2002++ SR-7: http://www1.techpowerup.com//downloa...oglehappy.html

* Yes, "shameless plug" on MY part on the last one, but it does have "security benefits"... (& more than potentially useful forensics ones, because it shows you what files a user calls upon via its lists (it does check recently used filelists, but will also list those files the user attempted to delete (this assumes he may have been attempting to hide them)))... it is 100% proven SAFE on all 32-bit versions of Windows (see its description & feedback by users on the download page), 9x-VISTA as well.

APK

Last edited by APK; May 23, 2008 at 09:52pm.