As noted in a recent MSNBC article:

Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware.

An internal report issued by the airline revealed the infected computer failed to detect three technical problems with the aircraft, which if detected, may have prevented the plane from taking off, according to reports in the Spanish newspaper, El Pais.

Flight 5022 crashed just after takeoff from Madrid-Barajas International Airport two years ago today, killing 154 and leaving only 18 survivors.

So, with dozens, or perhaps hundreds, of applications, browser plugins, and so on, not to mention all of the pieces of Windows itself, how can you be sure that everything is up to date? Sure, Windows itself can be set to automatically download and install updates, and many programs have the option to check for updates as well. But, wouldn’t it be easier to have a “one stop shopping” place to check?

Enter Secunia Personal Software Inspector (“Secunia PSI”).

Secunia PSI is a free (for personal use) utility which examines your system for programs which are out of date, and supplies you with links to download the latest versions of any such programs. As the Secunia web page says:

The Secunia PSI is a FREE security tool designed to detectvulnerable andout-dated programsand plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly “popular” among criminals.

To get it, simply download the installer from the Secunia website and run the installer.

When run, you have the option of using “simple” or “advanced” interface mode. I recommend (and still use) the “simple” mode.  Just click the “start scan” button (assuming it didn’t start automatically), and a few minutes later, you will see the results.

Here is a sample result from one of our computers here (click image to enlarge):

Note the list of “threats” that it has detected due to unpatched programs installed on the system. If you hover over the program name, it will show you the location of the file:

This is useful on systems which may have multiple copies of programs. On one of my systems, the search results were very confusing to me for a while, as it kept insisting that I had an old Adobe Reader installed, despite the fact that Adobe Reader itself told me it was the latest version. Even running the installer, as supplied by Secunia PSI’s results list told me I already had that version installed. It turned out that it had detected an older version within a backup of a client’s system that was stored on the drive. Hovering over the program name showed me the location, and solved the “mystery”.

Next, hovering over the “threat rating” for the program will give you a brief description of the threat, and the opportunity to click on the link to get more details.

Finally, click on the download icon in the “solution” column, and you will be prompted to run or save the update. Note that the download is directly from the manufacturer’s website, and not some mirror run by Secunia. (This should be shown in the run/save dialog that Windows displays.) This ensures that it is the correct install program.

Once you have installed all of the updates, another scan should show a “clean” system. Note that it states that there are programs which might be a problem, but can’t be fixed in the “simple” interface mode. In my case, most are either from customer backups (as confirmed by hovering over the program name to see the path), or from pieces left over when a program was updated, but weren’t removed by the update. You need to switch to the “advanced” interface mode to get the details.

Will this find every unpatched program/file that you have on your system? Probably not. But, it does appear to have an extensive list of applications that it knows about. (Their website claims they handle “programs from thousands of vendors”.)

Of course, the attached HTML document, supposedly a link to a news report about a plane crash, was instead an obfuscated Javascript program which would attempt to download an infection. (I didn’t bother investigating what, exactly, that infection was.)

How can you tell what plugins you have? The method varies depending on the browser, but here are a few:

• Internet Explorer. From the menu, select “Tools”, and then “Manage Add-ons”.
• Firefox. In the address bar, type “about:plugins”.  Or, from the menu, select “Tools” and then “Add-ons”, and select the “Plugins” tab.
• Safari. From the menu, select “Help”, and then “Installed Plug-ins”.
• Chrome. (Sorry, but I don’t currently have Chrome installed.)

In my Firefox browser, I currently have 25 plugins installed.

So, how do you figure out which plugins are current, and which have updates available?

Well, Firefox can check for updates for you from the Tools/Add-ons/Plugins dialog, by clicking the “Find updates” button. But, I don’t see any easy way of doing so in Internet Explorer or Safari.

Fortunately, Mozilla (the authors of Firefox) have created a web page which can do this (at least for most plugins) for you. The web page is <http://www.mozilla.com/en-US/plugincheck/>. And, if it determines that a plugin is out of date, it gives you a button to click to take you to the plugin’s download page to get the latest version.

“But, wait”, I hear you saying, “I don’t use Firefox”. Don’t worry! The page works for all browsers I have tested it on. Sure, the text on the page gives you advice on how to do things in Firefox, but the plugin check works just fine regardless.

Out of the box, Windows defaults to hiding the file extension in folder listings, instead relying on the file’s icon to convey the file type to the user. The “bad guys” have taken advantage of this, by making you think the file is of one type, when it’s really an executable program designed to infect your system.

Is this “report” a document you can view,
or a trojan designed to infect your system?

Fortunately, it’s an easy fix.

Display any folder in Windows (for example, click the “start” button and then select “My documents”, or “Documents”, depending on your Windows version), select “Tools” and then “Folder options” from the menu. A dialog box will appear, with several tabs at the top. Select the “View” tab.

From the list of “advanced setings”, make sure that “hide extensions for known file types” is unchecked.

Now, why is this important? Consider the recent flood of spam I’ve been getting lately, which consists of an e-mail supposedly telling me that the “updated report” is attached. By default, the file will look something like this:

It looks pretty much like a document of some sort, called “report”. Double-click it to “look at the report” and instead, you will run a program which try to infect your system. (Hopefully, it won’t succeed, as you should have all your protections in place. But, why chance it?)

However, with that item unchecked, it will look like this:

Note the “.exe” at the end of the name. That tells you that it’s a Windows executable, and you shouldn’t click it unless you know it’s legit.

To make things worse, the “bad guys” sometimes give the filename what looks like two extensions. For example, they may call the file “naked_lady.jpg.exe”, knowing that it will appear as “naked_lady.jpg” if extensions are hidden, making it appear even more like a picture instead of an executable.

If you check the Windows update status, it will probably tell you that the error code is “80071aa7″, but give no further information. A search of Microsoft”s site (as of today) yields no further information, and a search of the entire Internet finds plenty of others asking how to solve it, but no one giving a solution.

Well, after 2 long evenings of fighting a Vista laptop which failed to install kb953838 (security update for IE7), I finally found a solution.

First, you need to find the exact file on which the install is failing. In order to do this, you need to examine the file “WindowsUpdate.log”, which is in the “\windows” directory, by running this command:

notepad %windir%\WindowsUpdate.log

Then, search (Ctrl-F) for the error number, including a “0x” prefix, such as “0x80071aa7″. You will find a line that looks something like this:

2008-10-06      11:29:23:890    1140    dac     Handler Post-reboot status for package Package_for_KB953838~31bf3856ad364e35~x86~~6.0.1.3: 0x80071aa7.

followed by:

2008-10-06      11:29:23:890    1140    dac     Handler WARNING: Got extended error: “POQ       Operation       HardLinkFile    OperationData   \SystemRoot\WinSxS\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16711_none_fff8e71ba4b3b364\WininetPlugin.dll, \??\C:\Windows\System32\migration\WininetPlugin.dll”

The important thing to notice is the filename at the end. In this case: C:\Windows\System32\migration\WininetPlugin.dll. (Don”t worry about the “\??\” before the filename.)

I have also seen “UnlinkFile” rather than “HardLinkFile”, but the filename was the same in all cases.

If you run a disk scan on drive C: (start / run / “chkdsk c: /f”), it will give you an error on the same “WininetPlugin.dll” filename. Unfortunately, even though is says it fixed the error, it did not. If you immediately run the chkdsk command again, it will give the same error, and tell you it fixed it again.

Typically, in a case like this, I would rename the file out of the way, put another copy there, and retry the install. Unfortunately, there appears to be something “special” about the “c:\windows\system32\migration” directory and/or the “WininetPlugin.dll” file, as I was unable to rename the file out of the way, as even running as administrator, an “access denied” error is given. Even using our old friend, BartPE, the file could not be renamed and/or removed, as the same “access denied” error occurs there as well.

Fortunately, Vista includes the ability to run in a recovery mode, by pressing F8 during boot. The first menu choice will be something like “recover windows”. Don”t worry, it”s not going to ”recover” Windows by wiping the drive and reinstalling it. Rather, it will take you to a special recovery mode of Windows. After booting, you will be given a dialog box with several options. Select “command prompt”. This will open a command prompt window. Don”t worry if you”re unfamiliar with the command prompt — I”ll walk you through it.

First, you need to navigate to the directory (“folder”) in the file you got above, by using the “cd” (“change directory”) command. That is everything up to, but not including, the filename at the end. In this case:

cd /d c:\windows\system32\migration

Now, from within this special recovery mode of Windows, you have the ability to rename to file out of the way:

ren WininetPlugin.dll WininetPlugin.bad
copy WininetPlugin.bad WininetPlugin.dll

At this point, running “chkdsk” will find the same error(s) as before, but it will actually be able to fix them:

chkdsk c: /f

Note that now, if you run “chkdsk” a second time, it will not find any errors.

Finally, type “exit” to exit the command prompt window, and reboot the system. You will now be able to install the update and have it successfully complete upon rebooting.

Well, “the bad guys” saw those, too, and there has been a recent wave of fake “update” programs on scam sites, as well as “hacked” sites.  Sometimes, it will even come in the form of an “important message” supposedly from your bank, credit card company, or other well-known business.

The bad guys know that many people will simply click the link, and ignore any security warnings that come up, since similar warnings would be expected from a real install program.

The problem is that these e-mails and web pages don’t really have any flash content to display. They exist for the sole purpose of getting you to click on their “get the update” link, which, of course, is really a trojan meant to infect your system.

So, how can you tell if you really need to update your flash player (or other browser plugin)?

First, if you do decide to click on the download link (which I recommend against, unless it is a website you know to be “good”), the link should take you to the Adobe website, and not directly download the installer. Anything that attempts to download it directly should be immediately suspect.

Next, when you do finally download the installer, your browser should give you the option to save or run the program, and will include the website the program came from.  If it’s not adobe.com or macromedia.com, again it should be immediately suspect. While there may be mirror sites hosted elsewhere, I am not currently aware of any. All my downloads come from those domains.

Finally, when you do run the program, Windows should ask for confirmation. This dialog box should include a notice that the executable was “digitally signed” by “Adobe Systems Incorporated”. If this is missing, again be very suspect.

Or, you can avoid the whole thing by manually checking your browser plugins to see if they are up to date.  You can visit the Mozilla Plugin Check page. Despite its name, and the fact that it’s hosted by Mozilla, it apparently works in all browsers. (I have tested it in Internet Explorer, Mozilla Firefox, and Safari. The web page says it also works in Opera and Chrome.) If you know that everything is up to date, then any e-mail or web page that claims otherwise is either (a) broken, or (b) a scam.

For example, placing an infected USB stick into the computer on Windows 7 will, by default, ask you what you want to do.  Being a smart person, you know to avoid the “autorun” option, and instead opt for “open folder” choice, to see what sort of files are on it. That act alone will trigger the worm. Same thing with “My computer” and then double-clicking the USB stick, or navigating to any folder with the infection in it.

According to an article from Microsoft:

What is unique about Stuxnet is that it utilizes a new method of propagation. Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction.

The scary part is that it targets industrial control systems. According to a recent article in Security Technology News:

Stuxnet is a virus that has been designed to specifically attack software programs running Supervisory Control and Data Acquisition (SCADA) systems, which monitor automated industrial control systems such as chemical factories, power generators and food processing plants.

The threat carried by Stuxnet worm is that once it infects a computer, it begins to communicate with a remote server that will be able to take control of the computer.

Finally, here’s a link to an article on the ESET blog with further details, and you can get a list of numerous ESET articles on Stuxnet by clicking here.

Another common type of e-mail fraud is called “phishing”. Basically, they pretend to be someone else, in an attempt to get you to reveal personal information, just as login and password, or your social security number. (Or both.) Many of these can be rather sophisticated, mimicking the real website down to the slightest detail.

Some, on the other hand, are so poorly done, you have to wonder why they bother. The reason is simple… because people fall for it. When you send out a million phishing e-mails, it only takes a very small fraction to fall for it to make it worth their effort.

Here is a recent example of a “so poorly done, it’s gotta be obvious that it’s a fake” phishing e-mails:

Subject:  Business Online Banking Account Alert!

—–

You must submit verification documents to continue using your account without interruption. To view the details of this request and submit the required information, click on the following link (or copy & paste it into your web browser):

http://[elided]/Upload_documents_blank.exe

We thank you for your assistance in this matter.

So, let’s take the 30-second “what red flags does this raise” tour:

• There’s no mention of what “online banking account” it’s supposedly referring to.
• There’s no mention of what bank it’s supposedly from.
• There’s no mention of any details of whom it’s supposed to be written to. (Anything from my bank has my name, or the name on the account, in the e-mail. Anything from my credit card company includes the name on the card, and the last 4 digits of the account.)
• The link is not to any bank’s website.
• The link is to download a Windows executable. No legitimate financial institution will include an executable file. (And if you ever get such an attachment from your financial institution without asking for it, complain to them… Loudly, and in no uncertain terms.)

So, once again… Why do they “waste their time” on such “obvious” fake e-mails? Because someone, somewhere, will fall for it.

In this particular instance, the website owner apparently found and deleted the executable which was somehow put on their website, so I can’t tell you what “bad things” would have happened if you did fall for the scam. But, you can be sure that it probably asked you for some personal information, which it would have sent on to “the bad guys”. And, while it was at it, it probably would have installed some nasty bit of malware at the same time.

I just got another “you won the lottery” spam e-mails.  This one was supposedly from “MICROSOFT CORPORATIONS”(sic), and contained the following message:

You have been awarded the sum of £1,625,000.00GBP in the MICROSOFT EMAIL PROMOTI
ON AWARD 2010.Cont Mr Mark Anderson with your names,address,phone and Country to
[elided]@w.cn.cn or call +4470-[elided] for moreinformation on t
his award.

With the exception of removing the username part of the e-mail address, and the rest of the phone number, that is the exact contents of the e-mail, spelling and line breaks as-is.

With so many obvious “this isn’t real” warning signs, I find it hard to imagine that people still fall for this. Yet they do.

• The “from” with “MICROSOFT CORPORATIONS”(sic).
• The e-mail address this was supposedly “from” is an Italian domain, ending in “.it”.
• I am in the United States, yet the supposed award is in British Pounds.
• I never entered a “MICROSOFT EMAIL PROMOTION AWARD” promotion.
• The e-mail address I am supposed to reply to isn’t the “from” address.  (It should at least be the same domain name.)
• The e-mail address I am supposed to reply to is a Chinese domain (ending in “.cn”).
• The phone number starts with +”4470″.  This is a UK prefix that can forward anywhere in the world.  See here for more information.
• The numerous spelling errors, typos, improper word breaks, and so on.

And that’s just a quick 30-second look.

The easiest way to know this is fake is this…  If you didn’t enter your e-mail address into some online promotion, it’s not real!