Author Archives: Magnus

Babylon adware hijacks your search engine

Today we added strong generic detection for Adware.Babylon to TrojanHunter. This is a piece of adware that is often “bundled” with legitimate installers. If you happen to run such an installer, Babylon will hijack your default browser search engine (doesn’t matter if you use Internet Explorer, Firefox or Chrome, it will hijack all of them). This is what you will see when you search from within a hijacked browser:

Babylon, of course, is an inferior search engine, and it will insert loads of sponsored ads into the search result. Each time you click such an ad you will generate revenue for the creators of Babylon. Babylon runs a revenue-sharing scheme, so the person who created the malicious installer will get a cut of the revenue. This is done through an “affiliateid” query string that gets logged every time you run a search.

Babylon comes with an uninstaller (very helpful!) which you can run by going to Control Panel->Add/Remove Programs. You can of course also use TrojanHunter to remove it.

Adobe’s code signing certificate has been stolen

Adobe

So it appears that a build server at Adobe was compromised, and the criminals managed to make off with a code-signing certificate bearing a shiny “Adobe Systems Inc.” string.

The code signing certificate has already been utilized to sign malware. Adobe say they will shortly revoke the certificate and have it added to Verisign’s certificate revocation list.

Full details at http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html

The best regex to validate an email address

Validating an email address using a regular expression can be tricky. If you wanted to follow the official RFC you would have to use the following monstrosity:

(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])

Obviously, that is a regular expression that is impossible to understand the meaning of, let alone a practical one to use in a real life web application. Consider that 99.9% of all email addresses use the following formats:

[email protected]
[email protected]
[email protected]

Throw in a few special characters that should be alloed, namely - . + and _ and we can create a regular expression to match almost any email address in use today. This is what we come up with:

[-0-9a-zA-Z.+_]+@[-0-9a-zA-Z.+_]+\.[a-zA-Z]{2,4}

This will match a character in the group [-0-9a-zA-Z.+_] one or more times, followed by an @ sign. Then we have the same group again, and a final dot followed by the top-level domain. We allow a top-level domain between two and four characters, upper case and lower case.

If you wanted to use this regular expression to verify an email address in PHP, it’s as simple as this line:

if (!preg_match("/[-0-9a-zA-Z.+_]+@[-0-9a-zA-Z.+_]+\.[a-zA-Z]{2,4}/", $email)) die("Invalid email address");

Enjoy, and leave any feedback you have in the comments section!

Internet users in Sweden hit with “porn surfing fine”

Swedish media today reports that several thousand Swedes have been tricked into paying “porn surfing fines” after their computer is held hostage by blackmailers.

The scam works by tricking web surfers into believing the Police is after them for engaging in smut surfing. A notice is displayed that the user must pay a fine of 150 USD within 24 hours, or the case will be handed to a prosecutor. Oh, and the use of their computer is made impossible until they have paid the fine.

This is another example of the increasingly popular ransomware malware class that sees criminals make good money extorting computer users. As ever, a good anti-malware program should be your first line of defense.

A look at the future: What’s new in Windows 8

Windows 8 is due to be released soon - the general release date has been set to October 26, 2012. In this post we will look at some of the new features of Microsoft’s latest operating system.

The big new thing is the Metro interface, a new user interface optimized for use on table PCs. Take a look at the screenshot to get a feel for what this will look like. If you’ve ever used a Windows Phone you’ll notice the similarities immediately.

There will be four major versions of Windows 8 available. These are:

  • Windows 8
  • Windows 8 Pro
  • Windows 8 Enterprise
  • Windows RT

The last one, Windows RT, is for use on tablet computers that use the ARM architecture (a special platform that uses a reduced instruction set processor). Windows 8 Enterprise and Windows RT will not be available for sale directly to consumers - the former only via volume licensing programs and the latter only if you buy a tablet computer with Windows RT preinstalled.

Metro design language

New applications using the new Metro design language will be available only through the Windows App Store. This move sees Microsoft adopting the strategy of Apple and their App Store. Developers will need to use a programming language that supports the new Windows Runtime application architecture. The applications will run inside a sandbox and will have restrictions on which APIs they can make use of. The full Windows API will not be available to application developers.

What this means is that many apps that could be developed on the old Windows API will not be deployable on the Windows Metro platform. For example, API calls such as VirtualAlloc() and VirtualProtect() will not be available to Metro applications.

New Features

Windows 8 features a new login screen. New login options optimized for tablet computers are a four-digit PIN and “picture password”, which allows you to login by drawing a gesture on an image.

Microsoft have also integrated with their Microsoft account to allow users to store data in the cloud, thus making files and personal settings available on any computer where users log in to their Microsoft account.

The new File Explorer replaces the old Windows Explorer and uses a ribbon-interface to make it easier for users to perform file and folder actions. File Explorer allows users to mount ISO, IMG and VHD files as virtual drives without the use of any third-party applications or drivers.

In summary, Windows 8 will be quite a shift from the old Windows XP/Vista/7 versions. Microsoft is moving towards a “walled garden” with their new Windows App Store. Whether this will ultimately benefit users and developers remains to be seen.