April 2008 - Posts
The e-Week cartoon above is excellent in illustrating the dangers of using a "good worm" to clean-up perhaps the top botnet infection in the world. While DV Labs might be able to accomplish this, there are always dangers that the bad guys might be able to manipulate this worm, plus if something were to go wrong with either individual PCs being cleaned there might be unintended consequences, even for a good deed.
A better idea is for DV Labs to work with MSRC and share the Kraken encyption techniques so that it may be included in a future version of MSRT ... And as previously shared, there is no such thing as a good worm
QUOTE: We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie (again see "Owning Kraken" for a video demonstrating this capability). Is it wrong to do so? Although this discussion is similar to that of writing "good worms" that roam the internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped. Once it has been released it is a self spreading uncontrollable entity. In our specific case however we have the ability to cease at any point. It is simply a one to one relationship.
AVERT Labs notes that Kraken continues to improve it's ability to hide and evade AV detection:
A new major security attack occurred over the weekend, where over one half million web pages became infected with malware agents.
A major wave of automated SQL Injection attacks are occurring. These have been designed and coded for the IIS and SQL-Server environments. There are no new vulnerabilities in these products.
Attacks are occurring on sites where the best security practices have not been designed into applications (e.g., safety techniques that prevent the injection of malware using a vulnerable SQL statement into the web servers)
Due to an increasing number of SQL Injection attacks in-the-wild, web developers need to ensure they are using the best practices for secure implementations of their website. Users should continue to be cautious in the sites they visit and stay up-to-date on security patches and AV protection.
Huge SQL Injection attacks infect 500,000 pages
QUOTE: There's another round of mass SQL injections going on which has infected hundreds of thousands of websites. Performing a Google search results in over 510,000 modified pages. We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.
IIS Blog - SQL Injection Attacks on IIS Web Servers
QUOTE: Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform.
MSRC Blog - Questions about Web Server Attacks
QUOTE: The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here.
BEST PRACTICES - How to protect against SQL Injections
-- Learn how SQL injection attacks work.
-- Constrain input to prevent SQL injection.
-- Use type safe SQL command parameters to prevent SQL injection.
-- Use a least privileged account to connect to the database.
-- Learn additional countermeasures to further reduce risk.
What are SQL Injection attacks?
QUOTE: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
The most recent Government Computer newsletter is warning of a new well-designed IRS phishing scam. This attack appears to related to the upcoming IRS rebates that are part of the 2008 Government Stimulus Package. While the email looks official and the social engineering is well done, it is important to recognize that the IRS and banks do not use email as a method of contacting individuals. They usually will call or conduct official business by mail only. Please avoid these attacks, as entering your bank account information into the realistic but false website could mean real losses of money from these criminals. It could also take months to clean up activity after an individuals credit or bank account information has been compromised.
Phishing scam uses IRS rebate line to reel in victims
QUOTE: The tax filing season is past, the economic stimulus rebate season is upon us, and the phishers are changing their bait. The lure this time is the $600 rebate ($1,200 per household) that the Internal Revenue Service will begin sending to taxpayers in May and a supposed opportunity to speed up the process. E-mails purporting to be from the IRS are arriving in inboxes with instructions to recipients that if they visit the linked Web site and provide bank account and routing numbers their rebate can be deposited directly to the account more quickly. To add an element of urgency, the message includes a deadline — April 24 — for providing information, but that is likely to change.
Right on cue we are starting to see phishing scams with an economic stimulus payment flavor. As we discussed in one of the IRS phishing scam blog entries we predicted that as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd based on the last two digits of your Social Security Number) we would start to see more scams around these payments. We are starting to see some of the first iterations of those scams today.
EXAMPLE OF NEW PHISHING ATTACK:
SUBJECT: 2008 Economic Stimulus Refund.
Over 130 million Americans will receive refunds as
part of President Bush program to jumpstart the economy.
Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.
The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.
Please click on the link and fill out the form and submit
before April 24th, 2008 to ensure that your refund will be
processed as soon as possible.
Submitting your form on April 24th, 2008 or later means that
your refund will be delayed due to the volume of requests we
anticipate for the Economic Stimulus Refund.
The IT Security website features a good categorized list of free security utilities. Some of these a trial versions, limited versions of the full product, or web based facilities. Even folks on a very tight budget can protect their systems well with many of these free tools.
IT Security website - 103 Free Security Utilities featured
QUOTE: Competition drives prices down, regardless of the industry. With a crowded field of vendors jockeying to be the trusted source of computer security for your home and office, prices for many of the essential elements of your security system have reached zero. Free downloads, free trials, free scans and freeware is everywhere. If you’re willing to go without premium features like phone support, you can have a simple version of powerful software that large companies pay big bucks for.
XSS scripting flaws are a common weakness in many websites. From a web development standpoint, secure designs and programming techniques are essential. It is always important to keep IE and all other browsers on the latest version and security patches. This is especially important, as phishing attacks are increasing and may even appear genuine at times.
Hackers use XSS flaw to attack Barack Obama's web site
QUOTE: A security weakness in Barack Obama's website has been exploited to redirect visitors to Hillary Clinton's website. Visitors who viewed the Community Blogs section of the site were instead presented with Clinton's website as a result of a cross-site scripting vulnerability.
The Obama hack used a cross-site scripting flaw in the site to redirect users from Obama's Community Blogs section to HillaryClinton.com. XSS bugs are getting far more attention lately than they had been in the past, perhaps because they are so widespread. And since the answer to them is good programming practices rather than running some security product, they can be difficult to snuff out.
Good overview of XSS redirect issues
QUOTE: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.
The storm worm attacks continue to change change as they use malicious blog or U-tube like streaming video links in order to trick users. Everyone should be as cautious with URLs found in an email attachment as they are with attachments. Clicking on these links can lead to possible infections, as the malware agent is advanced (e.g., root kit) and highly polymorphic (i.e., MD5 based signatures change almost hourly).
Storm Worm - Blog Attacks
Storm has once again turned its eye to the blogging community, specifically the Blogspot.com community. Several blogger sites with random or very quirky names have been sporting a love theme, Storm style. These sites appear to have been created solely for Storm's purposes and no legitimate blogger site has of yet been reported as infected.
Visiting these sites will lead you to another page, while keeping the Blogger menu at the top. Clicking the site's image downloads a file called love.exe while clicking the link will provide withlove.exe.
Storm Worm - Codec based Video Attacks
QUOTE: Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business. Is it because of the “arrival” of Kraken, which, following the footsteps of MayDay and Mega-D, is challenging the said gang for the “Biggest Zombie Network” title? Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec.
TrendLabs researchers discovered several sites that offer, what looks like, a YouTube-look-alike streaming video. The infection vector and messaging is actually still the same, that is, users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download the so-called Storm Codec in order to view the said video. Yes, you read that right: the codec is called Storm Codec. Below is a screenshot:
If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it, after all (see some detailed analysis here). Thus, the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or that they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out late 2006. Or maybe the gang is just trying to reaffirm to their competition that they’re still the one to beat.
Adobe is working to promptly correct this security issue. Users should be careful in loading image files into the Photoshop environment (esp. from email, USB devices, or any other untrusted sources)
Adobe Products BMP Handling Buffer Overflow Vulnerability
QUOTE: Successful exploitation may allow execution of arbitrary code via a specially crafted BMP file. Reportedly, the vulnerability can also be exploited when a malicious storage device (e.g. USB drives, cameras) is being attached to a vulnerable computer. The vulnerability is reported in Adobe Photoshop Album Starter Edition 3.2 and Adobe After Effects CS3. Other versions may also be affected.
Solution: Do not process untrusted BMP files using the affected applications. Do not connect untrusted storage devices to the local computer.
Original Advisory - Adobe:
The latest versions of the Internet Information Services (IIS) facilities have enjoyed an excellent track record in the area security. Recently, a new vulnerability was discovered that could allow user privileges to the manipulated and escalated in an unauthorized manner.
Additional resources are noted below, including a highly technical overview on Token Kidnapping. Thankfully, the details related to this exposure have been confidentially shared with Microsoft in a responsible manner. Currently, there are no known exploits related to this vulnerability circulating in the wild.
Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege
QUOTE: Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.
Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
IIS Vulnerability Documented by Microsoft - Includes Workarounds
Token Kidnapping and Impersonation - by Cesar Argeniss
I enjoyed this article and agree in principle with most of the recommendations. While leaders must manage by walking around and inspecting work, they should also allow the team members some space as professionals to do their job well.
Folks who are constantly watched and critiqued on every move they make will become nervous and less effective in their work. They may withdraw ideas and participation from the manager and team, that can help make essential differences on the project.
Article: If you micromanage, no one wins
QUOTE: So do you want to break the micromanaging habit? The Dallas Morning News offers this list of tips to avoid micromanaging:
Part 1 - Methods to change leadership styles
* Focus on communication and trust.
* Assign tasks that include clear, specific, and time-bound expectations.
* Allow employees to figure out how they’ll accomplish the task.
* Set up status reports that fit the scope of the assignment but aren’t too burdensome.
* Let employees know that you’re trying to change and give them a safe way to point it out if you slip.
Part 2 - Be a leader
Leadership skills bring more value and will increase satisfaction for everyone, including you. Options include:
* Investing in each employee through coaching, challenging work, and development.
* Removing barriers to success that your team members face.
* Expressing a meaningful vision to your employees.
Below is also an additional related article:
Article: Can a Micromanager be cured
Apple has just released critical security updates for the Windows version of Safari that should be applied promptly for folks using this complementary browser in the Windows environment.
Apple Safari 3.1.1 for Windows - Critical Security Release
Windows XP or Vista Safari -- CVE-ID: CVE-2007-2398
Impact: A maliciously crafted website may control the contents of the address bar
Description: A timing issue in Safari 3.1 allows a web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. This issue was addressed in Safari Beta 3.0.2, but reintroduced in Safari 3.1. This update addresses the issue by restoring the address bar contents if a request for a new web page is terminated. This issue does not affect Mac OS X systems.
Windows XP or Vista Safari -- CVE-ID: CVE-2008-1024
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in Safari's file downloading. By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads. This issue does not affect Mac OS X systems.
As Firefox is a popular complementary or stand-alone browser, users should apply this fix and stay up-to-date. Most users will be automatically updated and they should apply this update if prompted.
Firefox 188.8.131.52 - Security release
Fixed in Firefox 184.108.40.206
This new facility provides tracking of malware developments and is recommended to be added to Favorites or Bookmarks for folks in the security profession.
Malware Threat Center - General Information
MAIN SITE FOR MONITORING MALWARE DEVELOPMENTS
QUOTE: MENLO PARK, CA - SRI International, an independent nonprofit research and development organization, today announced the launch of the Malware Threat Center (http://mtc.sri.com), a website dedicated to fighting malware. SRI's Malware Threat Center posts daily updates of firewall filters, malware-related domain name system (DNS) names, antivirus statistics, intrusion detection system (IDS) signatures, and malware binary data to help network administrators understand current and emerging computer security threats and provide key network defense information that can be configured into security products to help network administrators fend off the latest malware threats.
DBAs and Admins should deploy these patches expediently after lab testing, to ensure the best levels of security and information protection
QUOTE: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 41 new security fixes across all products. The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents. Supported Products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied. Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Critical Patch Update Advisory is available at any of the following locations:
Oracle Technology Network
Oracle, PeopleSoft and JD Edwards products
The next four Critical Patch Update release dates are:
July 15, 2008
October 14, 2008
January 13, 2009
April 14, 2009
Based on ISC and Symantec's warnings below, it appears that MS08-021 is being actively exploited in the wild It is advised that folks apply the April updates as quickly as possible using the Windows Update process
Microsoft April Security Updates - MS08-021 Exploit in-the-wild
QUOTE: The ThreatCon is currently at Level 2. The DeepSight honeynet has observed in-the-wild exploit attempts targeting a GDI vulnerability patched by Microsoft on April 8, 2008. The malicious image appears to target the Microsoft Windows GDI Stack Overflow Vulnerability (BID 28570).
At least three different sites are hosting the images; two different malicious binaries are associated with the attacks. Analysis of the images has shown that although they appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability.
We are still investigating as to why this may be the case. Users are advised to apply the MS08-021 patches immediately. These attack attempts highlight the severity of this issue -- it is only a matter of time before new images that successfully trigger the issue are observed in the wild.
AV researchers have recently discovered a new botnet that may be as large and as sophisticated than the Storm Worm network. This new botnet uses some of the following advanced techniques:
-- encrypted communications (to evade firewall, IDS, and AV detections)
-- encrypted payloads (to evate AV detections)
-- polymorphic droppers (malicious web based downloads that constantly change)
-- multi-threaded spam engine (over 500,000 spam entries observed to be sent from one "zombie" PC owned by this network)
-- command-and-control server redundancy (when a master server is taken offline by authorities, new master servers are automatically re-hosted)
There are still many unknowns at this point. Only 20% of AV vendors are estimated to have coverage at this point, but this is expected to improve as more technical details of this new threat emerge.
Kraken - Large sophisticated botnet discovered
QUOTE: There is news that there is a new botnet in town, over twice the size of the Storm Worm in town called Kraken. Researchers from Damballa have discovered and tracked it the last two weeks and I'm guessing from news reports have presented their findings at RSA.
The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.
"It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.
Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.
Kraken's bots and command and control servers communicate via customized UDP and TCP-based protocols, he says, and the botnet has built-in redundancy features that automatically generate new domain names if a C&C server gets shut down or becomes disabled. "And the actual payload is encrypted," Royal says.
Kraken is thought to be infecting computers by using social engineering methods similar to those used by Storm. The malicious code is believed to be posing as an image file to the user, although this has yet to be confirmed. At the time of writing, the Trojan is serving up debt consolidation and gambling-related spam linking to Chinese sites.
Security is always a predominant concern for any Internet or Intranet hosted application. Corporate developers should carefully research how information, web applications, and users would be protected in this environment. While security controls are built into the new facility, Google is one of the attacked sites on the Internet due to it's popularity.
Below are some recent security concerns:
1. Google needs to continue improving privacy protection:
2. Sunbelt continues to note recent issues, as Google is one of the most popular sites on the Internet and it is subject to constant attacks:
3. Google poisoning attacks have taken place, where the cloud has been seeded with malicious web links. Google has quickly cleaned these up in the past.
Google’s App Engine lets you run your apps in the Google cloud
QUOTE: Google on Tuesday launched its App Engine, which allows developers to run their Web applications on the search giant’s computing cloud. With Google App Engine, developers can write web applications based on the same building blocks that Google uses, like GFS and Bigtable. Google App Engine packages those building blocks and provides access to scalable infrastructure that we hope will make it easier for developers to scale their applications automatically as they grow. This means they can spend less time dealing with system administration and maintenance, and more time building and improving their applications.
Google App Engine - Home Page
Google App Engine - New Blog
Google App Engine - Details including Security controls
QUOTE: SANDBOX SECURITY CONTROLS -- Applications run in a secure environment that provides limited access to the underlying operating system. These limitations allow App Engine to distribute web requests for the application across multiple servers, and start and stop servers to meet traffic demands. The sandbox isolates your application in its own secure, reliable environment that is independent of the hardware, operating system and physical location of the web server. Examples of the limitations of the secure sandbox environment include:
* An application can only access other computers on the Internet through the provided URL fetch and email services and APIs. Other computers can only connect to the application by making HTTP (or HTTPS) requests on the standard ports.
* An application cannot write to the file system. An app can read files, but only files uploaded with the application code. The app must use the App Engine datastore for all data that persists between requests.
* Application code only runs in response to a web request, and must return response data within a few seconds. A request handler cannot spawn a sub-process or execute code after the response has been sent.
Microsoft has released several important monthly updates that improve the security of Windows, IE, and Office. These should be applied promptly to protect against malicious exploit developments that could surface later. So far, these updates are working well on my two XP based systems at work.
Microsoft Security Bulletins - April 2008
Microsoft Security Bulletins - Additional Resources
ISC provides excellent updates on issues or exploit developments
MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183)
Summary: This security update resolves a privately reported vulnerability in Microsoft Office Project that could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Affected Software: Project 2000, 2003
MS08-021: Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
Summary: This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted EMF or WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Impact: Remote Code Execution
Affected Software: Microsoft Windows
MS08-022: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)
Summary: This security update resolves a privately reported vulnerability in the VBScript and JScript scripting engines in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Impact: Remote Code Execution
Affected Software: Microsoft Windows
MS08-023: Security Update of ActiveX Kill Bits (948881)
Summary: This security update resolves one privately reported vulnerability for a Microsoft product. This update also includes a kill bit for the Yahoo! Music Jukebox product. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Affected Software: Microsoft Windows, Internet Explorer.
MS08-024: Cumulative Security Update for Internet Explorer (947864)
Summary: This security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Affected Software: Microsoft Windows, Internet Explorer.
MS08-020: Vulnerability in DNS Client Could Allow Spoofing (945553)
Summary: This security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS clients and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.
Affected Software: Microsoft Windows.
MS08-025: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)
Summary: This security update resolves a privately reported vulnerability in the Windows kernel. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
Impact: Elevation of Privilege
Affected Software: Microsoft Windows.
MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032)
Summary: This security update resolves privately reported vulnerabilities in Microsoft Office Visio that could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Affected Software: Microsoft Visio
Emails with the subject line of "Critical Patch Released: Microsoft Security Bulletin MS08-64738" should be deleted as malware could be automatically downloaded and silently installed on vulnerable PCs.
Email Attack Targeting Microsoft's April Security Bulletin Release Cycle
QUOTE: US-CERT has seen reports of an email attack targeting Microsoft's April Security Bulletin release cycle. This attack arrives via email messages with the subject line "Critical Patch Released: Microsoft Security Bulletin MS08-64738." These email messages contain a link to a fraudulent Microsoft Update web site that hosts malicious code or contains an attachment that is embedded with malicious code. Users who follow the link or open the attachment may become infected with a Trojan.
More Posts Next page »