Jul 07

DNS Changer Malware. Make sure you don’t lose internet access on July 9th 2012.

DNSChanger was a Trojan that infected millions of computers between 2007 and 2011. Once it infected a computer, it changed the computer’s DNS configuration to point at rogue DNS servers. The rogue servers redirected certain websites to advertisers, injected advertisements into most websites, and, among other things, blocked access to antivirus vendors’ websites and to sites that helped with disinfecting the computer.

Last year, in November 2011, the FBI seized these rogue DNS servers. The FBI was concerned that millions of people would lose internet access if the servers were simply shut down, so it obtained a court order allowing it to contract with the Internet Systems Consortium to install interim servers that could answer DNS requests from infected computers.

The FBI intends to take these temporary DNS servers offline on July 9th 2012. This means that any computer still infected with the DNSChanger malware will not be able to reach a DNS server to resolve names, and thus will not be able to reach any websites. More information can be found on this FBI.gov page.

To detect whether your computer has been infected with the DNSChanger malware, see the information on the following link.

Alternatively, you can visit the following site: http://www.dns-ok.us/
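As an added example (not from the original post), the following PowerShell script performs locally the check that dns-ok.us does for you: it lists the DNS servers each active adapter is using and flags any that fall inside a set of CIDR ranges. The ranges in the script are placeholders to be replaced with the rogue ranges published on the FBI and DCWG pages; the function names are this example's own, and it runs read-only on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not part of the original post: lists the DNS servers each
# active adapter is configured with and flags any that fall inside a set of
# CIDR ranges. The ranges below are PLACEHOLDERS (RFC 5737 documentation
# prefixes); replace them with the rogue DNSChanger ranges published on the
# FBI / DCWG pages linked in the post. Read-only; PowerShell 2.0 compatible.

$FlaggedRanges = @('192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/24')   # placeholders

function ConvertTo-UInt32Address([string] $Ip) {
    # Dotted quad to an unsigned integer so that prefix masks can be applied.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)               # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InCidr([string] $Ip, [string] $Cidr) {
    # True when $Ip lies inside $Cidr (e.g. '192.0.2.0/24').
    # PowerShell 2.0 has no -shl operator, so the mask is built arithmetically.
    $net, $bits = $Cidr -split '/'
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)
}

function Get-DnsServerReport {
    # One row per (adapter, IPv4 DNS server) pair, with the matching range if any.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        foreach ($dns in @($a.DNSServerSearchOrder)) {
            if ($dns -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # skip empty / IPv6 entries
            $hit = $FlaggedRanges | Where-Object { Test-InCidr $dns $_ } | Select-Object -First 1
            New-Object PSObject -Property @{
                Adapter   = $a.Description
                DnsServer = $dns
                Flagged   = [bool]$hit
                Range     = $hit
            }
        }
    }
}

$report = @(Get-DnsServerReport)
$report | Format-Table Adapter, DnsServer, Flagged, Range -AutoSize
if ($report | Where-Object { $_.Flagged }) {
    Write-Warning 'A configured DNS server falls in a flagged range; follow the DCWG fix guide.'
} else {
    'No configured DNS server falls in the flagged ranges.'
}
```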

If you think you are infected, the information on the following link will help you clean your computer: http://www.dcwg.org/fix/

What’s worked for me in the past is a combination of Kaspersky’s TDSSKiller and Malwarebytes. If you are infected, you probably won’t be able to download the tools, so you may need to get them using a computer that isn’t infected. Once you have the tools, boot into Safe Mode and run TDSSKiller. Once the computer restarts, run Malwarebytes.

If you encounter problems or need help removing the infection, let me know, and I may be able to help.

Until next time.


May 14

Add multiple backup destinations to Windows SBS 2011 when not all backup devices are available (onsite).

The Small Business Server 2011 backup usually works pretty well. It meets the basic backup needs of most small businesses, and, in my opinion, it is an improvement over the SBS 2008 backup. It is usually pretty straightforward to set up and configure. Most end users should have no problems configuring the backup schedule and setting up the backup with an external USB drive.

If you want to add multiple backup destinations, that is also simple as long as you have all backup destinations connected to the server. There are certain situations where this may not be possible or ideal. You may not be able to connect more than one backup device to the server at the same time, some backup devices may not be available (they are stored off site), or you simply may not want to plug in every single backup device just to add another backup destination.

Whatever the case may be, if you try to add a backup destination when not all the backup devices are connected to the server, you will get an error message, and you will not be able to complete the procedure. This behavior is by design. When the wizard completes, it verifies the currently listed backup disks. If any of the disks are missing, you will receive an error message, and the operation will not complete.

To add multiple disks when not all disks are available or connected to the server, you will have to use the command line. Plug the hard drive into the server. Log in to the server using an account with administrator privileges. Click the Start menu, click All Programs, click Accessories, right-click “Command Prompt” and click “Run as Administrator.” This will open an elevated command prompt. At this command prompt, type the following commands:

  • wbadmin get disks: use this command to determine the Disk Identifier of the new disk. Examine the output and locate the disk that will be added to the backup schedule. Make note of the disk identifier (a GUID in curly braces).
  • wbadmin enable backup -addtarget:{DiskIdentifier}: this command will add the new disk to the scheduled backup. Make sure you include the braces around the identifier.

Once you run the last command, you will receive a series of prompts. Type Y to accept all of them, and you are done.
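The two commands above, wrapped in a PowerShell script as an added example that is not from the original post: it finds the new disk in the wbadmin get disks output by part of its name or volume label and adds it with -addtarget, so the GUID never has to be typed by hand. The Get-WbDisk helper, the -DiskMatch and -DryRun parameters, and the assumed output layout are this example's own.

```powershell
# Added example, not part of the original post: a wrapper for the two wbadmin
# commands above that finds the new disk by a substring of its "Disk name" or
# "Volumes" line and adds it to the schedule.
# Assumes the "wbadmin get disks" output of SBS 2011 / Server 2008 R2 (one block
# per disk starting with "Disk name:", containing a "Disk identifier: {GUID}" line).
# Run from an elevated PowerShell prompt on the server.

param(
    [Parameter(Mandatory = $true)] [string] $DiskMatch,   # e.g. the USB drive's model or volume label
    [switch] $DryRun                                       # print the command instead of running it
)

function Get-WbDisk {
    # Parses "wbadmin get disks" into one object per disk.
    $text = (wbadmin get disks 2>&1 | Out-String)
    foreach ($block in ($text -split '(?m)^(?=Disk name:)')) {
        if ($block -match 'Disk identifier:\s*(\{[0-9A-Fa-f-]+\})') { $id = $Matches[1] } else { continue }
        $name = ''; $volumes = ''
        if ($block -match 'Disk name:\s*(.+)') { $name = $Matches[1].Trim() }
        if ($block -match 'Volumes:\s*(.+)')   { $volumes = $Matches[1].Trim() }
        New-Object PSObject -Property @{ Name = $name; Volumes = $volumes; Id = $id }
    }
}

$disks = @(Get-WbDisk)
if ($disks.Count -eq 0) { throw 'wbadmin get disks listed no disks. Is this an elevated prompt on the server?' }

$hits = @($disks | Where-Object { $_.Name -like "*$DiskMatch*" -or $_.Volumes -like "*$DiskMatch*" })
if ($hits.Count -ne 1) {
    $disks | Format-Table Name, Volumes, Id -AutoSize | Out-Host
    throw "Expected exactly one disk matching '$DiskMatch' but found $($hits.Count); refine the match."
}
$target = $hits[0]

# The braces are part of the identifier, as the post notes; -quiet answers the
# confirmation prompts that you would otherwise accept with Y.
$cmd = "wbadmin enable backup -addtarget:$($target.Id) -quiet"
Write-Host "Adding '$($target.Name)' ($($target.Volumes)) to the scheduled backup:"
Write-Host "  $cmd"
if ($DryRun) { return }

& wbadmin enable backup "-addtarget:$($target.Id)" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE; check the output above." }
```

Run it once with -DryRun to confirm the right disk was matched before letting it change the schedule.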


Dec 09

TDSS Rootkit – TDL4 Version Uses Unpatched Windows Vulnerability.

Since Monday, we’ve repaired and cleaned about 6 computers infected with rogue antivirus software. They were all infected with the TDSS rootkit. The TDSS rootkit family is one of the most sophisticated rootkits circulating at this time. It first appeared in 2008, and it has been improving since then. The creators are constantly patching, changing, and improving the rootkit to keep up with antivirus companies. The latest version of the rootkit – called TDL4 – was discovered earlier this month and takes advantage of a zero-day vulnerability in the Microsoft Windows operating system to escalate privileges. Kaspersky Lab published an article about it that you can read here.

From the article:

In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE: 2010-3888). The use of this vulnerability was originally detected when analyzing Stuxnet.

Using an exploit for this vulnerability allows the rootkit TDL4 to install itself on the system without any notification from the UAC security tools. UAC is enabled by default in all the latest versions of Windows. After the Trojan launches in the system, e.g. in Windows 7, its process receives the filtered token (UAC in operation) with the regular user privileges. [...] Interestingly, the rootkit’s installer has a dedicated code allowing it to bypass some proactive protection tools. Some proactive protection tools hook the function NtConnectPort in SSDT to prevent TDL4 from injecting into spoolsv; if the port name is “\RPC Control\spoolss”, they return a notification stating that there was an attempt to penetrate the print spooler process. The creators of TDL4 came up with a simple “solution” to this problem: they hook ntdll.ZwConnectPort in the TDL4 process and check the value of the parameter ServerPortName sent to the function (a UNICODE string); if it is “\RPC Control\spoolss”, they replace it with an analogous one containing a symbolic link to the root directory of the object manager namespace.

TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is.

You can also read a thorough analysis of this threat here.

TDSS is a tough one to get rid of, but it’s not impossible. Kaspersky Lab has a utility called TDSSKiller. Run the utility following the instructions on the page, and you’ll more than likely be able to rid your computer of this rootkit. At the time of this writing, their tool is able to remove the most recent version of TDSS.

I use a slightly different technique to get rid of most TDSS infections. I pull the hard drive out of the computer and attach it to a VM running an up-to-date version of Kaspersky. I scan the hard drive and remove any infection found. This usually removes the infected files and any traces of the rootkit. I then put the hard drive back in the computer, turn it on, and run scans with other antimalware tools to get rid of any other infections. I usually use tools like Malwarebytes, SUPERAntiSpyware, and an up-to-date, reputable antivirus. I do some other things and run some other tools to get rid of any traces of the infection. Explaining exactly how I clean an infected computer is out of the scope of this post, though. Every infection is a bit different, and some special considerations need to be taken. If you need help, just email me. A good source to learn about disinfecting computers is the Bleeping Computer site or the Major Geeks Malware Removal Forum.

That’s it for today. Until next time.

Sep 13

Configure Remote Access (a VPN Connection) to your SBS 2008 Network.

I believe Small Business Server is a wonderful solution for small and medium-sized businesses. It offers many great features and technologies at an affordable price. My consulting business caters to small and mid-sized businesses, and most of my customers are running on the Small Business Server platform. Once the platform is properly set up and businesses start taking advantage of the technologies it offers, they become more efficient and can do their jobs faster. Let’s face it – I am happy when my customers are happy.

One of the technologies offered by SBS 2008 that makes my customers’ lives easier is Remote Access. SBS 2008 makes it simple to set up remote access. Just follow these steps:

This guide assumes that your server is properly set up for internet access and that you have registered and configured your public domain so it resolves to your server’s public IP address.

  1. Log in to your server using an administrator account.
  2. Open the Windows SBS Console and click the Network tab.
  3. Under the Network tab click the Connectivity tab. Check the status of the Virtual Private Network. It should be off. If it’s on, it means it’s already configured.
  4. Under Tasks (Tasks is the right pane on the Windows SBS Console) click Configure a virtual private network. This will open the Set Up Virtual Private Networking wizard.
  5. Click the Allow users to connect to the server by using a VPN option. This will start the configuration, and the server will do all the required tasks for you in the background. It will configure RAS for you and set up the right permissions, and, if your router is UPnP compatible, it will configure it for PPTP pass-through. If your router isn’t UPnP capable, you will have to configure it manually.
  6. Once the wizard finishes successfully, click Finish to close the wizard. The wizard may give you a warning if your router isn’t UPnP compatible. This means that you will have to set up the router for PPTP pass-through manually. This is accomplished differently depending on your router and your network topology, and doing so is beyond the scope of this guide. If you need help, just let me know in the comments and I will try to help. In essence, you will have to make sure that your firewall/router allows inbound traffic to your server on TCP port 1723 and IP protocol 47 (for PPTP and GRE respectively).
  7. Once the wizard finishes, your server is ready to accept incoming VPN connections. Now you just need to allow users to connect to the server via VPN. To do this click on the Users and Groups tab.
  8. Under the Users and Groups tab make sure the Users tab is selected and select the user you want to allow to connect remotely.
  9. Under the Tasks section click the Edit  user account properties option. This will open the user’s properties window.
  10. On the User account properties window select the Remote Access option and select the User can access virtual private network check box. Click OK. By selecting this check box, you are adding the user to the Windows SBS Virtual Private Network Users group. Users have to be members of this security group in order for them to be able to access the network using the VPN we just set up.
  11. That’s it. Your server is ready to receive connections, and your users are ready to connect.

To establish a VPN connection from a client running Windows 7, follow these steps:

  1. Click the Start menu, click Control Panel, click Network and Internet, and click Network and Sharing Center.
  2. Click Set up a new connection or network under Change your networking settings. This will open the Set Up a Connection or Network wizard.
  3. Select Connect to a workplace and click Next.
  4. If you already have a dial-up connection set up, the wizard will ask whether you want to use that connection or create a new one. Select create a new connection. If you don’t have an existing dial-up connection configured, skip to the next step.
  5. Select Use my Internet connection (VPN) on the How do you want to connect? window.
  6. For the Internet address, type the public domain that resolves to your server’s public IP address (example: remote.domain.com).
  7. Type a name for the connection (it can be anything descriptive) and click Next.
  8. Type the user account name and password and the internal domain of your network.
  9. Click Connect, and you should be able to connect to your network. To connect or disconnect in the future, click the network icon in your system tray, select the connection, and click Connect/Disconnect.

To connect to the network using Windows XP, follow these steps:

  1. Open the Control Panel and go to the Network Connections.
  2. Start the New Connection Wizard and click Next until you get to the Network Connection Type page.
  3. Select Connect to the Network at my Workplace and click Next.
  4. Select Virtual Private Network Connection and click Next.
  5. Type a name for the connection and click Next.
  6. Type the public domain that resolves to your server’s public IP address and click Next.
  7. Click Finish to complete the Wizard.
  8. The connection window opens. Type a user account name and password and click Connect.

Microsoft makes it simple to connect Windows XP and 7 to the VPN. Running the network connection wizard with the default settings is enough to establish a connection.

One thing you should note, if you are going to have more than 5 users connecting remotely to your SBS network, is that by default the server limits the number of PPTP connections to 5. This limit can be increased. Just be sure to keep the limit in mind when setting up users for remote access.

To increase the connection limit, follow these steps:

  1. Open Routing and Remote Access on your Small Business Server.
  2. Expand the server name, right click on Ports and click Properties.
  3. Select the WAN Miniport (PPTP) and click the Configure button.
  4. Under the Maximum Ports section adjust the port limit to a number that fits your needs.
  5. Click OK twice to close the properties windows and close Routing and Remote Access.

That should be all you need to do to set up Remote Access to your SBS 2008 Network.

Jun 26

Are you backing up your data?

I often come across customers who have lost important documents to a computer disaster. Most of the time they didn’t have a backup strategy in place, or they did but weren’t following it. I always stress this to my customers: back up your data. Set up a backup strategy and stick to it. One key aspect of a successful backup strategy is keeping your data in as many places as possible.

Most operating systems include some sort of backup feature that allows you to set up a backup schedule. There are also services that back up your important documents online (Mozy Backup or Carbonite, for instance). You can always purchase an inexpensive external hard drive and copy your files manually or with a backup utility. Anything you choose to do is better than doing nothing.

If you are running any flavor of Windows 7 on your computer, you have access to an easy to use and reliable backup utility. It takes a few minutes to set up, and you just need to plug in an external hard drive. Getting two external hard drives and alternating between the two is not a bad idea either. As I said, keeping your data in as many places as possible is a key part of a successful backup strategy.

If you run a business, it is a good idea to hire a professional to help you come up with a reliable backup strategy that fits your business needs and policies. You can always give us a call. I may post something related to business backup strategies in the future.

On your personal computer, a backup strategy is simple to set up. You just need to use a backup utility to set up a schedule and make sure the backup runs.

You can always use a third-party utility or copy the files yourself, but, if you are running any version of Windows 7, you can set up the backup schedule in a few easy steps.

Click the Start menu and type “Backup” in the search box. One of the items you will find is called “Backup and Restore”; click on it. This will open the Backup and Restore center. In this window you can check the status of your existing backup schedule if you already have one set up. You can also modify the backup settings or set up a new backup schedule.

Plug in your external hard drive or thumb drive (make sure there is enough space to hold your data or your complete system drive). Click “Set up backup.” This will open the Set Up Backup wizard. The wizard is pretty straightforward. Select the destination in the first section (the external hard drive). Select what you want to back up (you can let Windows choose for you or choose yourself if you want to add locations outside of your libraries: documents, pictures, videos, etc.). Modify the schedule in the next window. Then click Save settings and run backup. That’s pretty much it. Now you just have to make sure the computer is on and the hard drive is plugged in whenever the backup is scheduled to run.

Jun 24

Find out what caused a Blue Screen of Death in Windows.

If you’ve used a computer with any flavor of the Windows operating system, you’ve certainly experienced the infamous Blue Screen of Death (BSOD). These BSODs, or Stop errors as Microsoft calls them, occur when the operating system detects a problem with either hardware or software, and it “stops” to prevent damage to the system. Depending on the computer’s configuration, the computer may restart or simply wait for your input. It also writes a file to the hard drive. This file is called a memory dump file, small memory dump file, or minidump file. It contains information that may help you identify why your computer stopped responding. Your computer has to be configured to write this memory dump. It also needs a paging file of at least 2 MB on the boot drive.

To verify that your computer is set to write the minidump file and that the paging file is the correct size and in the right location, follow these steps:

  1. Click the Start menu, right-click “Computer” or “My Computer” and click “Properties.” Alternatively, you can press the Windows key and the Break key at the same time. This will open the System Properties.
  2. Click the “Advanced Tab” if you are using Windows 2000, Windows XP, or Windows Server 2003, or click “Advanced System Settings…” if you are using Windows Vista, Windows 7 or Windows Server 2008.
  3. Click the Settings button under the performance section.
  4. Click the Advanced tab and click the Change button under the Virtual Memory section.
  5. Make sure the boot drive is selected and that the size of the paging file or virtual memory is 2 MB or more. I like to set it at 1.5 times the size of your RAM or 4096 MB, whichever is less. It is also safe to let Windows manage the paging file for you.
  6. Click Set and then OK to set the paging file size.
  7. Click the Settings button under Startup and Recovery.
  8. Select “Small Memory Dump” under debugging information and click OK.
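Added example, not part of the original post: a PowerShell script that reads the same settings the steps above configure from the registry and reports whether a minidump will actually be written (dump type, minidump folder, boot-drive paging file size). Get-CrashDumpConfig is this example's own name; the registry paths are the standard CrashControl and Memory Management keys of Windows XP through Windows 7 / Server 2008 R2.

```powershell
# Added example, not part of the original post: a read-only check of the two
# settings the steps above configure, so you can confirm a machine will record
# a minidump on its next stop error. Assumes the registry layout of Windows XP
# through Windows 7 / Server 2008 R2 (CrashControl and Memory Management keys).

function Get-CrashDumpConfig {
    $cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small memory dump (minidump).
    $modes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump (minidump)' }
    $mode = [int]$cc.CrashDumpEnabled
    $minidumpDir = [string]$cc.MinidumpDir
    if (-not $minidumpDir) { $minidumpDir = Join-Path $env:SystemRoot 'Minidump' }   # default location
    $minidumpDir = [Environment]::ExpandEnvironmentVariables($minidumpDir)

    # PagingFiles entries look like "C:\pagefile.sys <initial MB> <max MB>"; "0 0" means system-managed.
    $bootDrive = $env:SystemDrive
    $pageFiles = @($mm.PagingFiles | ForEach-Object {
        $parts = ($_ -split '\s+')
        New-Object PSObject -Property @{
            Path    = $parts[0]
            Initial = if ($parts.Count -gt 1) { [int]$parts[1] } else { 0 }
            Maximum = if ($parts.Count -gt 2) { [int]$parts[2] } else { 0 }
        }
    })
    $bootPageFile = $pageFiles | Where-Object { $_.Path -like "$bootDrive*" } | Select-Object -First 1

    $problems = @()
    if ($mode -eq 0) { $problems += 'CrashDumpEnabled is 0: no dump file will be written.' }
    if ($bootPageFile -eq $null) { $problems += "No paging file on the boot drive ($bootDrive); the dump cannot be recorded." }
    elseif ($bootPageFile.Initial -gt 0 -and $bootPageFile.Initial -lt 2) { $problems += 'Boot-drive paging file is below the 2 MB minimum.' }

    New-Object PSObject -Property @{
        DumpMode     = if ($modes.ContainsKey($mode)) { $modes[$mode] } else { "Unknown ($mode)" }
        MinidumpDir  = $minidumpDir
        BootPageFile = $bootPageFile
        Minidumps    = if (Test-Path $minidumpDir) { @(Get-ChildItem $minidumpDir -Filter *.dmp).Count } else { 0 }
        Problems     = $problems
    }
}

$cfg = Get-CrashDumpConfig
$cfg | Format-List DumpMode, MinidumpDir, Minidumps
if ($cfg.BootPageFile) {
    'Boot-drive paging file: {0} (initial {1} MB, maximum {2} MB; 0 and 0 = system managed)' -f $cfg.BootPageFile.Path, $cfg.BootPageFile.Initial, $cfg.BootPageFile.Maximum
}
if ($cfg.Problems.Count -gt 0) { $cfg.Problems | ForEach-Object { Write-Warning $_ } }
else { 'Minidump configuration looks correct.' }
```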

Microsoft offers tools to read and debug this memory dump file (Dumpchk.exe, WinDbg, and KD.exe), but there are other tools available that are a lot easier to use. One of the tools I like to use is called BlueScreenView. This utility is lightweight and easy to use. You run it, and it detects and debugs the memory dump files for you. The information in these dump files is really useful when troubleshooting this kind of error. Most of the time you will be able to find out what driver was causing the problem. The next step would be to remove or update the driver that caused the BSOD. Sometimes the cause of the problem may not be so clear even when looking at the contents of the minidump file. In these cases more tests will be required, but that is a conversation for another day. These simple steps should help you pinpoint the cause of the issue if it is caused by a bad or corrupt driver, and most stop errors are. When the errors are caused by a hardware malfunction, running a hardware diagnostic utility will usually help you pinpoint the problem (Memtest to test the memory modules, for instance).

You can get the BlueScreenView utility from the www.nirsoft.net website.