Archive

Archive for the ‘Security’ Category

How Not to Buy Tax Software

February 22nd, 2012

Scott Henry scoured the Web for a good deal on buying tax preparation software. His search ended at Blvdsoftware.com, which advertised a great price and an instant download. But when it came time to install the software, Henry began to have misgivings about the purchase, and reached out to KrebsOnSecurity for a gut-check on whether trusting the software with his tax information was a wise move.

Five days after Henry purchased the product, blvdsoftware.com vanished from the Internet.

Several red flags should have stopped him from making the purchase. Blvdsoftware.com claimed it had been in business since 2005, but a check of the site’s WHOIS registration records showed it was created in late October 2011. The site said that Blvdsoftware was a company in Beverly Hills, Calif., but the California Secretary of State had no record of the firm, and Google Maps knew nothing of the business at its stated address.

Henry said that in years past, he’d always bought a CD version of the software. But this year, he opted for digital download.

“I was going to download from Amazon — they sell a download-only version — and then I saw the cheaper site and went with them,” he said in an email. He installed the program, but said he didn’t enter any of his sensitive data. For one thing, he never received a license key from Blvdsoftware, and the program he installed didn’t request one. Now he’s wondering whether the program was, at the very least, pirated, and at worst bundled with software designed to surreptitiously snoop on his computer.

The errant buy was doubly insulting because Henry bought the software using a prepaid debit card, and now finds himself unable to dispute the charge.

Buying software from random sites or companies you know nothing about and haven’t researched is a bad idea all around. But fail to do due diligence on a bargain site that sells tax return software and you could be handing your identity and computer over to cyber thieves.

If you’re in the market for tax software downloads, save yourself the worry and hassle, and stick to known and trusted outlets online. Search for any of the titles listed at the cached version of Blvdsoftware’s site and you will probably discover that after the first page of results the vendors start to look pretty sketchy. Also, avoid using debit cards for online purchases.

If your income is $57,000 or less, you can file your taxes online for free using IRS’ Free File software, available at no charge here. And remember that the IRS does not initiate contact with taxpayers via email. If, however, you do receive a snail mail notice from the IRS about more than one tax return being filed in your name, or that you were paid by an employer you don’t know, someone may be trying to fraudulently file a tax return on your behalf. See this page from the Federal Trade Commission for more information on tax related identity theft.

New and/or Updated Freeware Software Finds

February 19th, 2012

Surely, somewhere in all this linkage you can find something useful.

  • ShiftN – Freeware digital photo tool that corrects “line” convergence. Love it! More overviews of the software here:
  • ShadowExplorer – tool to browse “Shadow Copy” stores in Windows Vista/7. Lots more information on both Shadow Copies and Volume Shadow Copies below:
  • Foundstone HTML5 Local Storage Explorer – Add-on for Firefox that “…allows for viewing, modifying and deleting of data items stored in the browser’s LocalStorage. LocalStorage is a client side storage technology introduced in HTML5.”
  • CRegistry Comparison – SourceForge.net. Useful utility to watch and capture differences in the registry over time or events. Spotted via AddictiveTips blog: CRegistry Comparison: See Changes To System Registry Over Certain Time
  • SMARegisTry Backup – Selective Registry Backup and Restoration Utility. Neat little program (portable) to back up and restore selective Windows Registry keys. Super-handy when pushing a set of configuration settings across systems. Spotted via AddictiveTips blog: Backup And Restore Windows Registry Hives & Keys With A Click – SMARegisTry Backup
  • Disk Investigator Info and Download page – not your standard hex/sector editor & viewer! Spotted via AddictiveTips blog: View MFT Zone, Check Raw Data Saved On Disk Sectors & Clusters – Disk Investigator
  • Screenshot Captor – by Mouser @ DonationCoder.com. I’m a Greenshot fan now but Screenshot Captor is super-hard to beat in terms of features.
  • Sublime Text – This is an interesting text editor. The beta is free but ongoing use requires license purchase. Check out this Windows7hacker post for a feature walkthrough: Sublime Text is THE BEST Text Editor For Windows
  • AutoSensitivity – Neat utility to define different mouse speeds for both the touchpad and the physical mouse. My Dell has this problem.  Spotted via CybernetNews post: Independently Adjust Sensitivity for Mouse and Touchpad on a Laptop
  • Quickpost: Disassociating the Key From a TrueCrypt System Disk – Didier Stevens gets all super-clever!
  • VideoLAN – VLC 2.0 Twoflower – new version release of this alternative media player.
  • FreeFixer – version 0.61 released Feb 07.  This is a new (to me) general purpose utility to clean a system of unwanted software, adware, and various malware. It’s pretty interesting and updated regularly. See this extensive User’s Manual for details as well as this AddictiveTips post for some more info: FreeFixer : Remove Locked Files & Apps Left Over Data, Check Viruses
  • Spybot-S&D! Version 2.0 (Beta release 5) – I haven’t used S&D for a very long time. However it always was a great go-to tool to clean a system of tracking cookies, malware, etc. So it is great to see that development continues on this legendary tool.
  • Ad-Aware Free – Likewise, you rarely could speak of Spybot S&D without mentioning its constant malware-busting/cleaning companion Ad-Aware. It also has seen considerable evolution and improvements.
  • Malwarebytes : Malwarebytes Anti-Malware Free – This product seemed to be in its infancy when Spybot and Ad-Aware roamed the lands. Now it has fully matured and stomps malware along with the best of them. I really like this program.
  • For additional malware-bustin’ tips and tools check out these related GSD posts:

    Cheers!

    –Claus V.

    Categories: Forensic, Security

    Fixing of Obscure Adobe Plug-in Things

    February 18th, 2012

    Coming out of my work and browser poking during the previous Firefox post, I discovered some annoying things under the Firefox hood that I had no idea existed until I found them, then decided they MUST BE FIXED™ at all costs (despite causing no apparent direct negative impact on the browser from my end-user perspective).

    As we saw in the previous GSD post, one of the processes that occurs after a Firefox update is automatic checking of Add-on compatibility with the new browser version. I generally don’t have any issues, but for whatever reason I paid it a bit more attention during the 10.0.1 update and noticed that I had two Add-ons that were not updated or compatible: “Search Helper Extension” and “HP Smart Web Printing”.

    Both were automatically disabled, and this time, after brief consideration, I decided I didn’t need them. However when I went to remove them, I didn’t seem to have the ability to do so.

    Oh noes!

    Take two aspirin…

    While I could “Disable” the Search Helper Extension, the “Uninstall” button was grayed out. That was an easy fix after reading this How-To Geek blog post: Remove the Search Helper Extension from Firefox. I also read the comments and found that, like a commenter, I had to delete the “firefoxextension” folder files in two locations on my Windows 7 x64 system after ensuring Firefox was not running:

    • C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension
    • C:\ProgramData\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension

    Once I dumped those out, it no longer appeared in my Add-on list.

    The HP Smart Web Printing Add-on required a similar approach once I had closed out of Firefox. Delete the following folder:

    • C:\Program Files\HP\Digital Imaging\smart web printing\MozillaAddOn3

    These were easy fixes. The next issue was a major headache to track down.

    Browser Plug In Updates, Updates, Updates!

    First, in case you haven’t noticed, Adobe and Java both have been on a tear releasing security patch updates for their browser plugin software:

    There are lots of ways and means of updating your browser plug-ins. I typically just hop over to FileHippo and get the latest installers there to download and install on our systems. I just find it easier to grab them from there than mucking around on the Adobe/Java sites to get them. I guess it is a one-stop-shopping thing.

    Once downloaded, I just run them, they get installed/updated, and my system (and Firefox browser) is now using the latest patched version. Simple. Right?

    Well…not quite so fast there.

    Plug In Update Migraine Time

    Last night I read this post Flash Update — Check Your Plugins over at the Firefox Extension Guru’s Blog. That shouldn’t have been a big deal as I had already updated all my plug-in versions.

    Only the Guru reminded me (major senior moment) that Mozilla actually provides a link for you to confirm all your plug-ins are actually up to date. Two ways to get to the same place.

    1. In Firefox go to Tools > Add-ons and then click the super-tiny link at the top of the plug-in list “Check to see if your plugins are up to date”, or you can simply click the link below right now if you are reading this in Firefox.
    2. Firefox Web Browser — Plugin Check & Updates – Mozilla

    I’ve since added a bookmark to that link on my main quick-link bookmark bar in Firefox so I won’t forget to check periodically. However, if you are the forgetful type, you could also add it as a second “home page” tab to automatically open when you launch Firefox each time.

    Anyway, when I hit the link, a curiously “out of date” item appeared at the top of my list.

    [Screenshot: Mozilla Plugin Check page listing an out-of-date Adobe Acrobat plug-in above the current Adobe Reader X entry]

    This was curious as when I checked my Windows installed programs list, I had Adobe Acrobat Reader X installed, and yep, it was also listed there right below showing current and updated. Hmm.

    So I launched my installed version of Adobe Reader X directly and manually checked for updates; nothing. It was fully patched and current.

    So I uninstalled/reinstalled a fresh version of it. Rechecked the plug-in status in Firefox. Version 9.5.0 still there. Hmmm.

    Time to break out the Naproxen

    As I’ve already said, I run a semi-custom “portable” version of Firefox, so next I went over and checked my \FirefoxPortable\Data\plugins directory. Nope. Empty. This is the location where you can dump copies of plugin files (like for Flash/Shockwave/etc.). On my system Firefox was automatically calling them from their installed location, so my directory there was empty although the plug-ins still worked. Back to this later, but in my first troubleshooting pass I copied the most recent patched plug-in files for Adobe Flash, Reader, and Shockwave into that location. No fix. For now, you can reference these PortableApps links if you are curious about including “local to the portable Firefox” plug-in options:

    So if I only had Adobe Reader X installed, why was Mozilla insisting I was still using Adobe Acrobat plugin for Firefox version 9.5.0?

    More research led me to these MozillaZine links:

    Neither of these had a direct-fix but in combination with careful reading it put me on the right track for discovering the issue and fixing it.

    1. First I opened up about:plugins in a new Firefox tab. This provided a technical listing of all my Firefox plug-ins.
    2. I found that both Adobe Acrobat Reader 9.5.0 and Adobe Acrobat Reader 10.1.2 plug-ins were listed.
    3. I knew from the first MozillaZine link that the actual Adobe Acrobat Reader plug-in file I was dealing with is named “nppdf32.dll”.
    4. Unfortunately, the default about:plugins view didn’t contain quite enough detail.
    5. Using a tip in the second MozillaZine link, I opened up about:config and found the plugin.expose_full_path preference and toggled it to “True”.
    6. I then reloaded the about:plugins tab and re-examined the two Adobe Reader plugin entries. Voilà!

    [Screenshot: about:plugins with plugin.expose_full_path enabled, showing the full file paths of the two Adobe Reader plug-in entries]

    If you look carefully at the info in that image, you will find that my portable Firefox build was actually loading the current Adobe Reader 10.1.2 plugin file from the portable “plugins” folder where I had dropped it. However, it had also found and registered (?) the same Adobe Reader file (but outdated version 9.5.0.270) from an obscure folder location left over from when I had installed a hand-me-down-from-my-brother Adobe Acrobat Pro 9 installation. A really seriously obscure folder location. Gads!

    My “fix” was to simply shut down Firefox and wait for all related Firefox processes to terminate. Then I copied the 10.1.2 version of nppdf32.dll over into the same folder that had the old version and overwrote it.

    For good measure I also followed the first part of the “method 2” tip on the MozillaZine page for Disabling the browser plugin. This was to Close your Mozilla application, delete the file “pluginreg.dat” from the profile folder location and recheck about:plugins.

    Now only the version 10.1.2 Adobe Acrobat Reader plug-in was listed, and as found in my portable “plugins” directory. For the final confirmation I popped over to Firefox Web Browser — Plugin Check & Updates to let it rescan and report.

    [Screenshot: Mozilla Plugin Check page after the fix, all critical plug-ins reported Up to Date]

    Success!

    All the critical plug-ins were now showing Up to Date.

    But that wasn’t the end of the story. Claus was on an Adobe product updating search-n-destroy tear now.

    There’s More to the Story Here!

    Since I knew the names of a few of these critical Windows plug-ins, I did some system-wide scans looking for those files:

    • Flash plug-in (for Firefox): NPSWF32.dll
    • Shockwave plug-in: np32dsw.dll
    • Adobe Reader plug-in: nppdf32.dll

    For the Flash plug-in, I discovered 13 instances of the file on my own system in a total of 6 different versions!

    [Screenshot: system-wide search results for NPSWF32.dll showing 13 copies in 6 different versions]

    So if you normally run the Adobe Flash update installer (for non-IE versions) and expect it to simply and automatically update your Adobe Flash file system-wide, you may be woefully surprised (as I was) that this isn’t necessarily true. I guess I now need to copy the “latest” version myself into all those locations to overwrite the present version…assuming the new version is fully compatible with the applications calling it from those locations. That may not be the case!
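The two hunts described above (the duplicate nppdf32.dll found via about:plugins, and the system-wide search for NPSWF32.dll, np32dsw.dll and nppdf32.dll) can be scripted. The following is an added example written for this post; it is not code from the GSD blog, Adobe or Mozilla. It walks the usual install and profile locations for the plug-in file names the post mentions, reads each copy’s PE version resource and SHA-256, and flags every copy that is older than the newest copy of the same file, plus copies sitting in installer “$PatchCache$” folders. It assumes Windows PowerShell 5.1 or PowerShell 7 in an elevated prompt; the file-name list, the search roots and the function names are assumptions you can adjust.

```powershell
# Added example (not from the GSD post, Adobe or Mozilla): inventory every copy
# of the browser plug-in files named in the post, with file version and SHA-256,
# and flag stale duplicates that some application may still be loading.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7, run elevated so that
# Program Files / ProgramData are fully readable. The names and roots below are
# the ones the post talks about; extend them as needed.

$PluginFileNames = @('NPSWF32.dll', 'np32dsw.dll', 'nppdf32.dll', 'Flash11f.ocx')

$SearchRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData,
    $env:LOCALAPPDATA,
    $env:APPDATA,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

function Get-PluginInventory {
    param(
        [string[]]$Roots = $SearchRoots,
        [string[]]$Names = $PluginFileNames
    )
    foreach ($root in $Roots) {
        # -Force also descends into hidden folders such as the installer $PatchCache$ trees
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |
            ForEach-Object {
                $vi = $_.VersionInfo
                # Build a sortable [version] from the PE VS_VERSIONINFO fields; a file
                # without a version resource shows up as 0.0.0.0 and sorts as oldest.
                $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                      $vi.FileBuildPart, $vi.FilePrivatePart)
                [pscustomobject]@{
                    Name     = $_.Name
                    Version  = $ver
                    Path     = $_.FullName
                    SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Modified = $_.LastWriteTime
                }
            }
    }
}

function Find-StalePluginCopies {
    param([object[]]$Inventory)
    # For each file name, the highest version found anywhere is the reference;
    # every older copy is a candidate for the "overwrite with the current DLL"
    # fix from the post, after checking the calling application still works.
    $Inventory | Group-Object Name | ForEach-Object {
        $newest = ($_.Group | Sort-Object Version -Descending | Select-Object -First 1).Version
        foreach ($copy in $_.Group) {
            $status = if ($copy.Path -like '*$PatchCache$*') { 'installer cache' }
                      elseif ($copy.Version -lt $newest)    { 'STALE' }
                      else                                   { 'current' }
            $copy | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
        }
    }
}

$inventory = Get-PluginInventory
Find-StalePluginCopies -Inventory $inventory |
    Sort-Object Name, Version -Descending |
    Format-Table Name, Version, Status, Path -AutoSize

# Distinct builds per file name (two copies with the same version string but
# different hashes are worth a second look).
$inventory | Group-Object Name, SHA256 | Select-Object Count, Name | Format-Table -AutoSize
```

The hash column is there because a version number alone is what the installer stamps in the resource; two files claiming the same version but hashing differently are either different builds or a tampered copy, and either way deserve a look. Treat the “STALE” rows as the to-do list the post describes, and remember its caveat: the application loading that path may not be compatible with the newer plug-in.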

    The Adobe Flash update for IE versions is much simpler to manage. A check in the IE add-ons manager reveals the IE version of Flash is named “Flash11f.ocx”. I found it installed on my system in only one location…where it should be…and it was current.

    More details on Adobe Flash plugins/tips/technicals here: Installation problems – Windows Flash Player @ Adobe

    Of curious note, the original version in the Chrome plugin folder was also seriously outdated. One of the benefits of using Google Chrome is that it is supposed to automatically keep its own version of Flash updated; Adobe Flash Player plug-in – Google Chrome Help. The Chrome-included version is named “gcswf32.dll”, but since “NPSWF32.dll” was showing up for some reason rather than the Google Chrome version, I had to copy/paste the newest “NPSWF32.dll” into the folder to overwrite the outdated version with the current patched version.

    One more thing to keep an eye on in my 2nd-favorite browser now. Sheesh.

    There is lots of good info on that Google Chrome Flash Player link, so I highly recommend you read it, and then follow these steps to familiarize yourself with the Chrome plug-ins in use as well:

    1. Type chrome:plugins in the address bar to open the Plug-ins page.
    2. On the Plug-ins page that appears, find the “Flash” listing.
    3. To view additional details on the actual plug-ins used and their file-path locations, click Details in the upper-right corner of the page to display more technical file/plug-in information on the page.

    The Shockwave file “np32dsw.dll” fared better. It was found in just two places on my system: the main install location, as well as a copy of that original I had placed in my portable Firefox plugins folder.

    What about the Adobe Reader plugin file “nppdf32.dll”? Better? Mostly.

    It was found a total of eight times system-wide in three different versions. The two older versions were in installation “$PatchCache$” folder locations so those didn’t appear likely to be accessed “live”. All the others were at the current patched version so I guess things are better there. IE and Chrome also use that same file (assuming you use Adobe Reader as your plugin and not a different/alternative PDF reader/plugin solution). You can go through the same processes mentioned earlier in both IE and Chrome to confirm that plug-in file/version if you wish.

    Possibly related:

    Flash for Firefox – Sandbox Beta Edition

    And if all this (just the mainstream/public versions of Adobe Flash and keeping it updated/secure) isn’t enough, Adobe now has a “special sauce” version for Firefox that introduces a “sandboxing” feature for added security!

    Flash Player Protected Mode Features

    The current Incubator release provides access to Flash Player Protected Mode for Mozilla Firefox on Windows 7 and Windows Vista systems.

    Flash Player Protected Mode is a new security enhancement designed to limit the impact of attacks launched from malicious SWF files against Flash Player when running in Firefox on Windows Vista and higher. We are working aggressively to make Flash Player more secure, and Protected Mode is a critical component in our strategy. The current beta targets Windows desktop operating systems. We are working to extend similar protections to other browsers in the future.

    Note: The extensive low-level changes made in this beta release may introduce unexpected problems in existing Flash content.

    Keeping an Eye on the Updates – Third Party Style

    There are also a number of third-party tools/sites that check your system’s patch status, to various degrees of depth:

    I highly recommend you regularly use all of these to do some first-line software patch checking of your Windows system. For a basic starting place, make a note to check all of these locations at least every “Microsoft Black Tuesday” when you are checking for and applying your Windows updates, Mm-kay?

    You are checking for and applying your Windows updates right?

    Oh bother…

    Cheers!

    –Claus V.

    Categories: Forensic, Security

    Zeus Trojan Author Ran With Spam Kingpins

    February 18th, 2012

    The cybercrime underground is expanding each day, yet the longer I study it the more convinced I am that much of it is run by a fairly small and loose-knit group of hackers. That suspicion was reinforced this week when I discovered that the author of the infamous ZeuS Trojan was a core member of Spamdot, until recently the most exclusive online forum for spammers and the shady businessmen who support the big spam botnets.

    Thanks to a deep-seated enmity between the owners of two of the largest spam affiliate programs, the database for Spamdot was leaked to a handful of investigators and researchers, including KrebsOnSecurity. The forum includes all members’ public posts and private messages — even those that members thought had been deleted. I’ve been poring over those private messages in an effort to map alliances and to learn more about the individuals behind the top spam botnets.

    The Zeus author's identity on Spamdot, selling an overstock of "installs."

    As I was reviewing the private messages of a Spamdot member nicknamed “Umbro,” I noticed that he gave a few key members his private instant message address, the jabber account bashorg@talking.cc. In 2010, I learned from multiple reliable sources that for several months, this account was used exclusively by the ZeuS author to communicate with new and existing customers. When I dug deeper into Umbro’s private messages, I found several from other Spamdot members who were seeking updates to their ZeuS botnets. In messages from 2009 to a Spamdot member named “Russso,” Umbro declares flatly, “hi, I’m the author of Zeus.”

    Umbro’s public and private Spamdot postings offer a fascinating vantage point for peering into an intensely competitive and jealously guarded environment in which members feed off of each others’ successes and failures. The messages also provide a virtual black book of customers who purchased the ZeuS bot code.

    In the screen shot above, the ZeuS author can be seen selling surplus “installs,” offering to rent hacked machines that fellow forum members can seed with their own spam bots (I have added a translation beneath each line). His price is $60 per 1,000 compromised systems. This is a very reasonable fee and is in line with rates charged by more organized pay-per-install businesses that also tend to stuff host PCs with so much other malware that customers who have paid to load their bots on those machines soon find them unstable or unusable. Other members apparently recognized it as a bargain as well, and he quickly received messages from a number of interested takers.

    The image below shows the Zeus author parceling out a small but potentially valuable spam resource that was no doubt harvested from systems compromised by his Trojan. In this solicitation, dated Jan. 2008, Umbro is selling a mailing list that would be especially useful for targeted email malware campaigns.

    Zeus author, selling an email list of presidents, CIOs, etc. The list sold in 5 hours.

    It is not surprising that the Zeus author would frequent such a forum; he is well known to have hung out on other exclusive forums where like-minded cyber thieves set up shop. But Umbro’s messages provide the best proof so far that not only was he the author and main proprietor of a sophisticated Trojan that has helped to steal hundreds of millions of dollars from small to mid-sized businesses, but he also maintained his own sizeable botnets.

    Spamdot records show that as often as he sold installs, Umbro turned to some of the top botnet authors to rebuild his private botnets. In an April 14, 2010 private message sent to Ger@ — a Spamdot member I identified earlier this month as the miscreant in charge of the massive Grum botnet — Umbro says he is “ready to buy installs,” and prepared to offer a fair price for buying in bulk. In another communication near that same time, Umbro seeks to rent botnet resources from a business partner of “Google,” the nickname of the individual I identified in January as the author of the Cutwail botnet.

    Umbro’s public and private communications reveal how frequently he changed his nicknames, email addresses and other contact details — a common tactic used to confuse and elude law enforcement investigators. By the time Spamdot was closed in Sept. 2010, the ZeuS author was using the nickname “Slavik.” He had just announced that he would be bowing out of the business, and that the code that powers his Trojan would be merged with that of SpyEye.

    Security researchers at RSA made an interesting discovery at about the same time the ZeuS author was plotting his final disappearing act. They found evidence that the ZeuS author didn’t exactly retire, but rather appears to have gone into the botnet business for himself. RSA’s Uri Rivner said that just before that merger was announced on underground forums, RSA investigators stumbled upon a botnet created in Aug. 2010 with a custom version of ZeuS that was not being sold or distributed in the underground.

    That custom version, which RSA dubbed “ZeuS 2,” phoned home to a control server on the Web that the researchers were able to access. They found that between Aug. 2010 and Aug. 2011, more than 200,000 PCs had phoned home to that server, which had helped vacuum up tens of gigabytes of data from host machines. They also learned that miscreants had created four logins that were authorized to access the botnet’s control server: “rootadmin,” “NS,” “chingiz,” and “Slavik” (see screenshot below).

    “This ZeuS2 had a lot of improvements, and was created before the ZeuS source changed hands,” RSA’s Rivner told me in an interview last October. “It might be that Slavik decided to move away from selling software and supporting all of his customers to developing infrastructure that can be rented and becoming part of a larger organized crime group.”

    According to a security researcher who has access to the same server but asked to remain anonymous, there are now more than a quarter-million PCs compromised by this custom version of ZeuS and reporting home to that same control server.

    The ZeuS author's nickname 'Slavik' was among those authorized to log into the unusual ZeuS2 botnet.

    Flash Player Update Nixes Zero-Day Flaw

    February 15th, 2012

    Adobe has issued a critical security update for its ubiquitous Flash Player software. The patch plugs at least seven security holes, including one reported by Google that is already being used to trick users into clicking on malicious links delivered via email.

    In an advisory released Wednesday afternoon, Adobe warned that one of the flaws — a cross-site scripting vulnerability (CVE-2012-0767) reported by Google — was being used in the wild in active, targeted attacks designed to trick users into clicking on a malicious link delivered in an email message. The company said the flaw could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. A spokesperson for the company said this particular attack only works against Internet Explorer on Windows.

    Adobe is urging users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris to update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6.

    To find out what version of Flash you have installed, visit this page. Users can grab the latest version from the Adobe Flash Player Download Center, although if you’re not careful to untick the check box next to whatever “optional” goodies Adobe tries to bundle with Flash Player (the most common is McAfee Security Scan Plus) you could end up with more than you wanted. Thankfully, Adobe no longer appears to make you first install its annoying Download Manager to grab the latest Flash version, or at least it didn’t when I fetched the update today.

    Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser. Chrome users should already have this update, as Chrome auto-installs Flash updates — often hours or days before the fixes are publicly released for download.

    Java Security Update Scrubs 14 Flaws

    February 15th, 2012

    Oracle has shipped a critical update that fixes at least 14 security vulnerabilities in its Java JRE software. The company is urging users to deploy the fixes as quickly as possible.

    Java flaws are a favorite target of miscreants and malware because of the program’s power and massive install base: Oracle estimates that Java is installed on more than three billion machines worldwide.

    In an emailed advisory accompanying the new release, Oracle urged users to update without delay. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible.”

    The new versions are Java 6 Update 31, and Java 7 Update 3. To see if you have Java installed and to find out what version you have, visit Java.com and click the “Do I have Java?” link. Existing users should be able to update by visiting the Windows Control Panel and clicking the Java icon, or by searching for “Java” and clicking the “Update Now” button from the Update tab.

    Each time Oracle ships a security update, I urge readers who have this program installed to reevaluate whether they need it at all. Failing to keep Java updated leaves you dangerously vulnerable to attacks. For those who need Java for the occasional site or service, disconnecting it from the browser plugins and temporarily reconnecting when needed is one way to minimize issues with this powerful program. Leaving the Java plugin installed in a secondary browser that is only used for sites or services that require Java is another alternative.

    Microsoft AV Flags Google.com as ‘Blacole’ Malware

    February 15th, 2012

    Computers running Microsoft‘s antivirus and security software may be flagging google.com — the world’s most-visited Web site — as malicious, apparently due to a faulty Valentine’s Day security update shipped by Microsoft.

    Microsoft's antivirus software flagged google.com as bad.

    Not long after Microsoft released software security updates on Tuesday, the company’s Technet support forums lit up with complaints about Internet Explorer sounding the malware alarm when users visited google.com.

    The alerts appear to be the result of a “false positive” detection shipped to users of Microsoft’s antivirus and security products, most notably its Forefront technology and free “Security Essentials” antivirus software.

    I first learned of this bug from a reader, and promptly updated a Windows XP system I have that runs Microsoft Security Essentials. Upon reboot, Internet Explorer told me that my homepage — google.com — was serving up a “severe” threat: Exploit:JS/Blacole.BW. For whatever reason, Microsoft’s security software thought Google’s homepage was infected with a Blackhole Exploit Kit.

    I could be wrong, but it doesn’t appear that Google is in fact infected or serving up exploits. Fortunately, clicking the default “remove” action prompted by Microsoft’s antivirus technology did virtually nothing that I could tell; the program reported that it was unable to find the threat (psst, Microsoft…that’s because there isn’t one). Judging from the responses in the Microsoft forum, the company appears to be aware of and responding to the bogus alerts.

    False positives happen to every antivirus vendor, and this one was fairly innocuous as these things go: It’s not like it deleted or quarantined essential operating system files, rendering host computers useless, as faulty updates from other vendors have in the past. But Microsoft is probably smarting from this episode: The company is expected to ship a version of its antivirus technology with Windows 8, the next version of Windows due to be released later this year.

    Critical Fixes from Microsoft, Adobe

    February 14th, 2012

    If you use Microsoft Windows, it’s time again to get patched: Microsoft today issued nine updates to fix at least 21 security holes in its products. Separately, Adobe released a critical update that addresses nine vulnerabilities in its Shockwave Player software.

    Four of the patches earned Microsoft’s most dire “critical” rating, meaning that miscreants and malware can leverage the flaws to hijack vulnerable systems remotely without any help from the user. At least four of the vulnerabilities were publicly disclosed prior to the release of these patches.

    The critical patches repair faulty components that can lead to browse-and-get-owned scenarios; among those is a fix for a vulnerability in Microsoft Silverlight, a browser plugin that is required by a number of popular sites — including Netflix — and can affect multiple browsers and even Mac systems. Microsoft believes that attackers are likely to quickly devise reliable exploits to attack at least a dozen of the 21 flaws it is fixing with this month’s release.

    Some Windows users and loyal readers of this blog prefer to wait a day or two before applying these patches, reasoning that the occasional system stability problems introduced by security updates only become widely known after a critical mass of users have applied them. I tend to fall into this camp as well, but given the seriousness of these flaws, I think it’s a mistake to put off patching for long.

    Adobe’s Shockwave update is a critical one, but not everyone has this program installed, and those who don’t probably don’t need it. It’s easy to tell: Browse to this page. If it says you need to install a plugin, you don’t have it. Otherwise, it’s time to update it (or remove it). The latest, patched version is Shockwave Player v. 11.6.4.634. Updates are available for Windows and Mac systems from this link.

    For deeper dives on some of the individual vulnerabilities in this month’s patch batch from Redmond, see the write-ups from the SANS Internet Storm Center, McAfee and Qualys. Summaries of and links to the individual security bulletins from Microsoft are available here.

    As ever, please drop a note in the comments to let readers know how your patching went, particularly if you experienced any problems in applying these updates.

    Update, 4:10 p.m. ET: Corrected the number of critical updates released by Microsoft.

    Collaboration Fuels Rapid Growth of Citadel Trojan

    February 9th, 2012

    Late last month I wrote about Citadel, an “open source” version of the ZeuS Trojan whose defining feature is a social networking platform where users can report and fix programming bugs, suggest and vote on new features, and generally guide future development of the botnet malware. Since then, I’ve been given a peek inside that community, and the view so far suggests that Citadel’s collaborative approach is fueling rapid growth of this new malware strain.

    The CRM page shows democracy in action among Citadel botnet users.

    A customer who bought a license to the Citadel Trojan extended an invitation to drop in on that community of hackers. Those who have purchased the software can interact with the developers and other buyers via comments submitted to the Citadel Store, a front-end interface that is made available after users successfully navigate through a two-step authentication process.

    Upon logging into the Citadel Store, users see the main “customer resource management” page, which shows the latest breakdown of votes cast by all users regarding the desirability of proposed new features in the botnet code.

    In the screen shot to the right, we can see democracy in action among miscreants: The image shows the outcome of voting on several newly proposed modules for Citadel, including a plugin that searches for specific files on the victim’s PC, and a “mini-antivirus” program that can clean up a variety of malware, adware and other parasites already on the victim’s computer that may prevent Citadel from operating cleanly or stealthily. Currently, there are nine separate modules that can be voted and commented on by the Citadel community.

    Drilling down into the details page for each suggested botnet plugin reveals comments from various users about the suggested feature (screenshot below). Overall, users seem enthusiastic about most suggested new features, although several customers used the comments section to warn about potential pitfalls in implementing the proposed changes.

    Citadel users discuss the merits of including a module to remove other parasites from host PCs.

    The customer resource management page also reveals that although the principal authors of the Citadel Trojan treat this as their day job, they try their best to have a life on the weekends. A notice prominently posted to the Citadel CRM homepage reads:

    Please note regarding the Help Desk in the Jabber chat & CRM page:

    Daily from 10.00 to 00.30
    Sat, Sun — closed, you can write us offline.
    All requests and questions will be processed on Monday.

    The collegial atmosphere being cultivated by the Citadel authors appears to have hastened the malware’s maturity, according to researchers at Seculert. In a blog post published Wednesday, researchers there said that they’d observed at least five new versions of Citadel since first spotting the malware on Dec. 17, 2011.

    Seculert’s Aviv Raff said that means the miscreants behind Citadel are pushing out a new version of the Trojan about once a week.

    “The only similar Trojan who got close to this pace was the so called ‘SpyZeus’ Trojan,” Raff said. “Others, including ZeuS itself, took between a month to several months to release a new version.”

    Crimevertising: Selling Into the Malware Channel

    February 8th, 2012

    Anyone who’s run a Web site is probably familiar with the term “malvertising,” which occurs when crooks hide exploits and malware inside of legitimate-looking ads that are submitted to major online advertising networks. But there’s a relatively new form of malware-based advertising that’s gaining ground — otherwise harmless ads for illicit services that are embedded inside the malware itself.

    At its most basic, this form of advertising — which I’m calling “crimevertising” for want of a better term — has been around for many years. Most often it takes the form of banner ads on underground forums that hawk everything from cybercriminal employment opportunities to banking Trojans and crooked cashout services. More recently, malware authors have started offering the ability to place paid ads in the Web-based administrative panels that customers use to control their botnets. Such placements afford advertisers an unprecedented opportunity to keep their brand name in front of the eyeballs of their target audience for hours on end.

    The author of the Blackhole exploit pack is selling ad space on his kit's administration page, as seen in this screenshot.

    A perfect example of crimevertising 2.0 is the interface for the Blackhole Exploit Kit, crimeware that makes it simple for just about anyone to build a botnet. The business end of this kit is stitched into hacked or malicious Web sites, and visitors with outdated browser plugins get redirected to sites that serve malware of the miscreant’s choosing. Blackhole users can monitor new victims and the success rates of the compromised sites using a browser-based administrative panel.

    In the screen shot above, the administration panel of a working Blackhole exploit kit shows two different ads; both promote the purchase and sale of Internet traffic. And here is a prime example of just how targeted this advertising can be: The most common reason miscreants purchase Internet traffic is to redirect it to sites they’ve retrofitted with exploit kits like Blackhole.

    I wanted to find out how much it would cost to place such targeted ads, so I chatted up the author of this kit — a hacker who uses the nickname “Paunch.” He said an ad that would run on administration panels across the entire Blackhole user base would cost me $700 per month. He declined to say just how many “impressions” that money would buy, or exactly how many Blackhole users there are today.

    But it’s probably quite an audience: According to security firm Sophos, Blackhole is now by far the most popular method of delivering drive-by attacks. In its 2012 Security Threat Report, the company found that “in the second half of 2011, 67% of [malware] detections were redirections on compromised legitimate sites. Of these, approximately half are believed to be redirections to Blackhole exploit sites.”

    Interestingly, when Paunch doesn’t have ads to run from paying customers, he runs ads for his own ancillary services. In the screen shot below (taken from a different working Blackhole exploit kit), Paunch can be seen pitching his subscription-based malware obfuscation service.

    I suppose it’s possible that miscreants could try to place malware-laced crimevertisements in a bid to hijack the browsers of other hackers, but that’s probably unlikely to happen as long as malware authors like Paunch are manually reviewing purchased ads and disallowing anything other than plain text. In the end, crimeware kit buyers may have more to fear from a kit’s author himself: The author of the infamous SpyEye botnet creation kit once acknowledged adding a hidden backdoor to his software that let him remotely access all customer installations.