June 2006 - Posts

Errorsafe does it again via the Messenger Plus! sponsor program

Messenger Plus! users are still being exposed to malware/infector advertisers via Patchou's Sponsor Program.

The adultfriendfinder.com and passion.com ads are there, and seem to be getting more risque as the days go by.

My primary concern tonight, though, is the re-emergence of Errorsafe.

Note the completely blank window... there is no address bar (which in IE7 is unusual - that shouldn't be happening with my settings), nor is there any text in the title bar...

 

Important note: Do NOT click on OK or Cancel.. click on the red x to close the window and prompts.

What do we see if we close the window/prompt?  Errorsafe are as persistent as ever...

And if you click on the red x again? This is what you will see.  The determination to get ErrorSafe on to the victims' computers is very obvious.  Note: there is no Cancel button.  Click on the red x, do not click on OK.

Then there is the Web page that appears, which again tries to install Errorsafe... systems with older versions of IE, or systems with reduced security settings, are at risk of being infected with no user interaction.

 

Note there is no address bar in the window, and that the window cannot be resized... that makes it kind of hard to report them... but do not fear, we have ways and means....

A close check of my system reveals just one unexplained connection... to 28.101.232.72.reverse.layeredtech.com

http://www.dnsstuff.com/tools/whois.ch?ip=28.101.232.72

Once again, I can only hope Patchou takes a serious look at the dangers his users are being exposed to if they install the sponsor program.  It seems this stuff is going to keep on getting into the advertising system supplied by the Sponsor, and his users are going to continue being placed at risk.  I've told Patchou that I will be blogging to warn of the dangers, and will send him a link to this blog as soon as it goes live, but it shouldn't be up to my associates and me to monitor this stuff and pass on what we see to Patchou and by extension his Sponsors.  *They* should be doing it.  If I, with a small 5 PC network and half a dozen pairs of eyes, can monitor what is happening and report it, then so can the Sponsors.

Uninstalling IE7- updated (and installing)

PLEASE GO TO THIS LINK FOR THE LATEST INFORMATION ON HOW TO UNINSTALL IE7:
http://www.ie-vista.com/kbase2.html

The following information is out of date.

The way that we remove IE7 changes depending on what version we are running.

For IE7 Beta 3 and 2, we can remove IE via add/remove programs without turning on "view updates".  The IE7 public preview and earlier builds, on the other hand, appeared in add/remove programs as a Windows Update, and were only viewable if "view updates" was turned on.

If IE7 does not appear in add/remove programs, the uninstaller path differs depending on what version of the Web browser you are running, as follows:

Beta 3:  %windir%\ie7beta3\spuninst\spuninst.exe
Beta 2:  %windir%\$NtUninstallie7beta2$\spuninst\spuninst.exe
Beta 2 Preview - March:  %windir%\$NtUninstallie7b2pmx$\spuninst\spuninst.exe
Beta 2 Preview - January:  %windir%\$NtUninstallie7bet2p$\spuninst\spuninst.exe
Beta 1:  %windir%\$NtUninstallie7beta1$\spuninst\spuninst.exe
 
If the installer starts, but install/uninstall fails to complete, try Safe Mode with Networking Support.

If that doesn't work, follow the instructions at this URL to remove IE7 via recovery console:
http://support.microsoft.com/default.aspx?scid=kb;en-us;917964

Some software (for example CCleaner) deletes uninstaller directories such as those described above.  Some people delete the folder manually because they want to save disk space.  That is very silly: if you don't know what a folder is for, you should not delete it, and it seems that most people hit by this problem did not understand the implications of deleting the folder.  If the uninstaller folder is empty, or has been deleted completely, whether by third party software or manually to preserve disk space, you will not be able to remove IE7 via Add/Remove Programs or the command line.

Microsoft have released an Uninstaller Kit which "Forces uninstall of Internet Explorer 7 Beta 2 using default files and settings.  This toolkit will uninstall Internet Explorer 7 Beta 2 using default files and settings from Microsoft.  It is only intended for use if normal uninstallation methods failed.  See KB 923721 for more information."

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=671baf16-52a3-410c-85a8-931ea6de5ff8

The MS uninstaller will run on releases besides Beta 2, but it won't be an exact uninstall, because other releases backed up a slightly different set of files and registry keys than Beta 2.  Therefore, it is not recommended that the uninstaller be used with anything other than Beta 2.

Regarding the error message "IE7 must be uninstalled from the User Account that installed it", there are two suggested fixes, both involving the same registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

Right click the Internet Explorer folder in the left pane, and try the following:

Create a DWORD value called "InstalledByUser".  Set its value to 0 (00000000).

or

Create a new STRING value called "InstalledByUser".  Set its value to the name of the user account that was used to install IE7.

If your computer is part of a domain, and you originally installed IE7 when logged on locally, you will see the error "must be uninstalled from the User Account that installed it".  The opposite also applies. So, if your system is on a domain, try logging in locally and vice versa.
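The uninstall procedure above can be scripted so that you find out, before anything runs, which beta folder is present and whether it has been emptied.  The following is an added example written for this page, not code from the post or from Microsoft: it checks each candidate uninstaller folder the post lists, reports whether spuninst.exe is still there (the CCleaner/manual-deletion case), and applies the InstalledByUser workaround only when asked to.  It assumes a Windows host running PowerShell 3 or later; the function names and the -Apply/-UserName parameters are this example's own.

```powershell
# Added example (not from the original post): locate the IE7 beta uninstaller
# that matches the installed build and apply the InstalledByUser workaround.
# Folder names below are the ones listed in the post; single quotes keep the
# literal '$' in the $NtUninstall...$ names.

$Ie7UninstallFolders = [ordered]@{
    'Beta 3'                   = 'ie7beta3'
    'Beta 2'                   = '$NtUninstallie7beta2$'
    'Beta 2 Preview - March'   = '$NtUninstallie7b2pmx$'
    'Beta 2 Preview - January' = '$NtUninstallie7bet2p$'
    'Beta 1'                   = '$NtUninstallie7beta1$'
}

# One object per candidate folder that exists, with a Usable flag that is
# true only when spuninst.exe is still present.  An existing folder with
# Usable = $false is the "uninstaller directory emptied" case described above.
function Find-Ie7Uninstaller {
    foreach ($entry in $Ie7UninstallFolders.GetEnumerator()) {
        $folder = Join-Path $env:windir $entry.Value
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        $exe   = Join-Path $folder 'spuninst\spuninst.exe'
        $files = @(Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Build       = $entry.Key
            Folder      = $folder
            Uninstaller = $exe
            Usable      = (Test-Path -LiteralPath $exe)
            FileCount   = $files.Count
        }
    }
}

# Report on, or create, the HKCU InstalledByUser value.  With no -UserName
# the DWORD form (value 0) is created; with -UserName the STRING form is used.
# Nothing is written unless -Apply is given.
function Repair-Ie7InstalledByUser {
    param([switch]$Apply, [string]$UserName)
    $key = 'HKCU:\Software\Microsoft\Internet Explorer'
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).InstalledByUser
    if ($null -ne $existing) { return "InstalledByUser already set to '$existing'" }
    if (-not $Apply)         { return "InstalledByUser is missing under $key (re-run with -Apply to create it)" }
    if ($UserName) {
        New-ItemProperty -Path $key -Name InstalledByUser -PropertyType String -Value $UserName | Out-Null
        return "Created STRING InstalledByUser = '$UserName'"
    }
    New-ItemProperty -Path $key -Name InstalledByUser -PropertyType DWord -Value 0 | Out-Null
    return 'Created DWORD InstalledByUser = 0'
}

# Stand-alone run: show what is on the box and which uninstaller to launch.
Find-Ie7Uninstaller | Format-Table -AutoSize
$usable = @(Find-Ie7Uninstaller | Where-Object Usable)
if ($usable.Count -eq 0) {
    'No usable IE7 beta uninstaller folder found; see the recovery console and Uninstaller Kit notes above.'
} else {
    "Run as the account that installed IE7:  $($usable[0].Uninstaller)"
}
Repair-Ie7InstalledByUser
```

Run it from the account that installed IE7; if it reports a folder with Usable = False and a FileCount of 0, you are in the deleted-uninstaller situation and Add/Remove Programs will not help.  Re-run `Repair-Ie7InstalledByUser -Apply` (or `-Apply -UserName <account>`) only after the plain call has confirmed the value is missing.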

If you are not running IE7 Beta 2, and if running System Restore does not resolve the situation for you, then your safest choice is to stay with the Preview, or format your PC and install Windows afresh.  Rumour is that if you are in an area of the world that qualified for free technical support for IE7 Beta 3, then the support team *may* remote into your system, and recreate the uninstaller directory for you.  But this is by no means definite.  I've seen *one* report by *one* user saying that this is what happened for them.

You will not be able to install any future builds of IE7 while any Beta build is installed, nor will you be able to run a Repair Install of XP.

Some are suggesting taking a copy of the missing uninstall folder from another PC to replace the lost data, and even offering a folder for download. I cannot recommend that people take this step.  The results are too unpredictable.  Things are a bit less dangerous now that IE7 installs compulsory security patches, but there may still be file type mismatches that could mess things up.

Putting aside the question of whether or not it is legal to redistribute MS files in such a way, the danger of sourcing a replacement uninstall folder from third parties is:

1.  Potential for system damage (immediately obvious or appearing later) thanks to DLL Soup.
2.  Potential exposure to hostile assembly hacking, or viruses or trojans.

The golden rule when working with betas is that you should not install them if you are not willing or able to reformat the machine on which it is being installed.

Regarding the warning that appears when we uninstall IE7 mentioning programs that may stop working if IE7 is removed, that warning is related to the dangers discussed here.  I agree, the warning is confusing too many users and I am inclined to feel that the warning should be removed as too confusing/frightening.  I'll be interested in your feedback on that.

One last hint, if you are uninstalling a previous beta of IE7 in preparation for installing Beta 3, please reboot TWICE... yes, TWICE.  It *does* make a difference.  That is because on first boot after uninstalling IE7 there are several processes that occur before Windows finishes loading.  Sometimes things don't *quite* get cleaned up properly, and that second boot ensures that we're working with as clean a slate as possible and that there are no left over tasks hanging around that may mess things up.

Before installing IE7 (and before *uninstalling*), it is important to complete the following steps.

  1. Set a restore point (just in case)
  2. Disable antivirus, antispyware, crashguards etc.
  3. Shut down all other running programmes (except for firewall) - that includes Messenger, Windows Defender, OneCare - don't forget to exit via systray icons as well.
  4. Turn off Automatic Updates until you have uninstalled all you want, rebooted twice, installed what you want and rebooted twice - once you've done that, turn Automatic Updates back on (believe me, you'll thank me later)
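The checklist above, together with the "reboot twice" advice a few paragraphs up, as an added example script; this is not from the post.  It assumes an elevated PowerShell prompt on a client edition of Windows (Checkpoint-Computer is not available on server editions), that the Automatic Updates setting lives in the AUOptions value (1 = disabled, 4 = automatic) under the registry key below, and that the PendingFileRenameOperations and RunOnce keys are where Windows keeps the work it finishes on the next boot.  The function names and the saved-value file path are this example's own.  It does not try to stop antivirus or antispyware products, since each has its own method.

```powershell
# Added example (not from the original post): script the restore point,
# Automatic Updates off/on, and a "is the box really clean after the reboot?"
# check that shows why a second reboot can matter.

$AuKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$AuSaveFile = Join-Path $env:ProgramData 'ie7-beta-auoptions.txt'   # assumed location

# Step 1: restore point.
function New-Ie7RestorePoint {
    param([string]$Description = 'Before IE7 beta install/uninstall')
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
}

# Step 4: remember the current AUOptions value, then set 1 (disabled).
function Disable-AutomaticUpdates {
    $current = (Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue).AUOptions
    if ($null -eq $current) { $current = 4 }       # treat an absent value as "automatic"
    Set-Content -Path $AuSaveFile -Value $current
    Set-ItemProperty -Path $AuKey -Name AUOptions -Value 1 -Type DWord
    "Automatic Updates disabled (was $current)"
}

# After the second reboot: put the saved value back.
function Restore-AutomaticUpdates {
    if (-not (Test-Path $AuSaveFile)) { return 'No saved AUOptions value; nothing to restore' }
    $saved = [int](Get-Content -Path $AuSaveFile | Select-Object -First 1)
    Set-ItemProperty -Path $AuKey -Name AUOptions -Value $saved -Type DWord
    Remove-Item $AuSaveFile
    "Automatic Updates restored to $saved"
}

# Why reboot twice: Windows finishes file replacements and one-shot RunOnce
# tasks during the next boot.  If either list is still non-empty after a
# reboot, the cleanup is not finished and another reboot is needed.
function Test-RebootPending {
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ro = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $renames = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $renameCount = if ($null -eq $renames) { 0 } else { @($renames).Count }
    $runOnce = @()
    if (Test-Path $ro) { $runOnce = @((Get-Item $ro).GetValueNames() | Where-Object { $_ -ne '' }) }
    [pscustomobject]@{
        PendingFileRenames = $renameCount
        RunOnceEntries     = $runOnce
        RebootNeeded       = ($renameCount -gt 0 -or $runOnce.Count -gt 0)
    }
}

# Stand-alone run: report the pending-reboot state.  The steps that change
# the machine are left as explicit calls so nothing happens by accident.
Test-RebootPending
# New-Ie7RestorePoint; Disable-AutomaticUpdates    # before the uninstall/install
# Restore-AutomaticUpdates                         # after the second reboot
```

Run `Test-RebootPending` after the first reboot: if RebootNeeded is still True, the "left over tasks" the post warns about are still queued, which is exactly the case the second reboot is there to clear.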

A piece of good news is that IE7 Beta 3 will remember previous Web Feed subscriptions and settings.

Posted by sandi with 10 comment(s)

IE7 Beta 3 is out

Lots of people said Internet Explorer Beta 3 would not be released until August... they were wrong!!!!

 

IE7 Beta 3 has been released and is available for download now at the Internet Explorer Home Site, and at www.microsoft.com/downloads.

Yes, you will still have to go through Windows validation, and the Malicious Software Removal Tool is run as part of the installation.  Also, required updates will be installed.

Please note that this build is intended for technical enthusiasts.  Be aware that *I* expect you to be ready, willing and able to reformat your system if things go wrong - therefore, if you come to the groups and say "IE7 killed my machine but I have no backup and can't reformat, I hate Microsoft" you won't be getting much in the way of sympathy from me ;o)

This upgrade to Internet Explorer 7 focuses primarily on bug and compatibility issues and is currently available in English for XP SP2, x64 and Windows Server 2003 SP1 on June 26, 2006.  Other languages are to come soon (German, Japanese, Finnish & Arabic).

Uninstallation instructions - these are quite different to what has gone before. 

IE7 Beta 3 creates this directory:

C:\WINDOWS\ie7beta3

In that directory is an spuninst folder.  Inside that folder is spuninst.exe as well as a very interesting document called spuninst.txt which details exactly what will be deleted and replaced with older copies during uninstall of IE7 Beta 3.

Now, in the past some have offered their own copies of the uninstall directory when others have foolishly deleted their own copies, or third party software has done it for them.  But be warned, there is more to removing IE7 Beta 3 than just that directory.  A directory called C:\WINDOWS\$hf_mig$ is also edited/created during the installation of IE7 Beta 3, and it is full of various security update folders.  The potential for damage if you take somebody else's C:\WINDOWS\ie7beta3 and install it on your own system to remove the beta is incalculable.  On my system $NtUninstallKB915865$ and $NtUninstallKB904942$ were also created/updated.

There are a few changes on the surface, mostly cosmetic, but one BIGGIE!!!  We can now drag tabs into different positions.  And, we can add an email button to the toolbar.

 

 

In a pristine installation, Windows Live Search is the only provider now, not MSN Search.

 

The only pre-populated RSS feeds are the Internet Explorer team blog, and Microsoft Feeds.  Also, the Favorites icon has changed slightly - don't like that very much.  The page button icon has also changed.

 

 

There will be unlimited phone support for the USA, Germany and Japan.

RSS change: "Automatically mark feed as read when reading a feed" has been added.

 

The text in the new tab window has changed slightly..

 

I've decided my karma must be very bad... IE7 Beta 2 was released while I was in transit from Code Camp (and broke www.ie-vista.com).. now, IE7 Beta 3 is released while my laptop, on which my life is stored (including my ability to update my web sites) is at Hewlett Packard Hospital for repairs.


 

Posted by sandi with 9 comment(s)

Microsoft using Citrix?? Where am I??

Microsoft is offering a 'test drive' of Office 2007:
http://www.microsoft.com/office/preview/beta/testdrive.mspx

The test drive uses a Citrix Browser plug-in....

Citrix...the bane of my worklife...

Citrix... the product that two high profile IT companies could not get to work reliably on my network - whether on site or remotely (can somebody please explain to me why Citrix would be of *any* benefit to an office worker sitting 10 metres away from the primary domain controller????)

Citrix... that resellers will push on to potential clients even if it doesn't suit the client's environment (after all, they have to maintain their sales levels, y'know)...

Citrix... which is easily replaced by Remote Web Workplace ("RWW")  in SBS networks.  Look at my own situation - RWW is working just fine for our network but Citrix is not, because we're having a few "issues" (translation: likely f**k ups by predecessors) that are stopping VPN from working.  No VPN means no Citrix Remote Desktop.  As my miracle man said, all we need to do is find the right spanner to hit the network with - damn it, we shouldn't have to clean up such a mess (for what its worth, the new network is running as sweet as can be... so much pain was experienced while we persevered with Citrix...all that pain is gone now... all we have to do is get the Terminal Server for remote access and VPN sorted out).

RWW, on the other hand, just works via a Web browser.  Just last night I used RWW to hook into my own office PC.  I then used VNC to jump from that box to another machine that was having issues (the user needed to see what I was doing and not lose any work, yet at the same time I needed to control that box).. there's no *way* Citrix can do that.

I don't like Citrix... I don't need Citrix... Citrix is simply an unnecessary complication - and that is *before* I start discussing and considering the security risks introduced by VPN.

Office 2007 test drive using Citrix is almost as bad as Bill Gates using a Macintosh as his primary computer ;)

Posted by sandi with 3 comment(s)

Everybody wants to make a buck, but why put your hand in a hornet's nest?

Perhaps because you didn't know the hornets were there? 

A shyster by the name of Leo Stoller has tried to assert trademark rights over the word "Castle" and has gone after www.castlecops.com.

I've seen the Castlecops crowd when they're mad... that Stoller guy has no idea what he has stirred up...  Nick may call me the best in the business when it comes to taking aim at shysters (just think, I tamed down that article.. you should have seen the original text), but the Castlecops gang, and their supporters, don't do too bad either ;)

To say that this guy has a history of sharkish behaviour (and *terrible* artistic skills when designing his 'trademark' displays) is an understatement.

Stoller says to Castlecops (translation: gimme money!!!):

"Prior to filing our Notice of Opposition, the potential opposer is placing three reasonable settlement proposals on the table which would amicably resolve this controversy when accepted by your client. The first is an express abandonment, attached hereto, in which your client agrees to abandon its trademark application. The second is a 2% royalty-based Trademark license Agreement which will allow your client to use the said trademark under License. If your client would like to receive a draft of the said trademark license agreement, we will be happy to provide it. The third agreement is a consent to register, attached hereto. Your client is invited to make a reasonable monetary settlement offer as consideration for the said consent to register agreement."

I'm not going into the nitty gritty of the legal shenanigans and reputation of Mr Stoller - it's enough that I send you to these blogs (hmm, perhaps Hornets Nest is an understatement...)

http://www.castlecops.com/a6615-Leo_Stoller_targets_CASTLECOPS_Trademark.html
http://sunbeltblog.blogspot.com/2006/06/castlecops-under-attack-from-trademark.html
http://blogs.securiteam.com/index.php/archives/479
http://netrn.net/spywareblog/archives/2006/06/27/trademark-troll-leo-stoller-targets-castlecops/

 

Posted by sandi with 2 comment(s)

Limited online time for a few days

My laptop is being picked up by HP today so that they can do some repairs (don'cha love those extended on site warranties).

 

This means limited online time. See you on the flipside.

Posted by sandi with no comments

Already receiving interesting emails about the network rollout.

I've got an email here that says, basically, "what the hell makes you better than the 'IT outsourcing companies' you want to sue - you're a stuck up b*tch with an ego the size of the USA continent".

Another message: "Am I the only one who thinks that building a network of this size should not take so long".

Fine, you build a network with half a dozen mission critical applications that need to be run in a local installation *and* terminal services environments with minimal documentation, and an SBS server that is badly built, not using wizards, and see how you go.

I'll tell you what makes me and my miracle workers better than the companies that were on site before us.  SKILL, ETHICS, INTEGRITY and the balls to stand up and speak honestly about the real situation on a network.  No more, no less.

There was a Cisco switch that was manageable but unmanaged.

When I was employed the Exchange server was within days of being shut down because it was so close to its 16 Gig database size limit.

The antivirus protection had not been updating for months because the antivirus product, and SQL were set to use the same port.

There were severe performance issues on the network - maybe that was because of the *hubs* in the switch cabinet, and the 10Mbps hubs that were being used to share single network ports between at least 3 pieces of hardware .. yes, that's right 10Mbps - in a terminal services environment ... what the hell use are 100Mbps or 1000Mbps network cards in computers if they're plugged into 10Mbps hubs?

There were 25 users, but only 10 user licences for mission critical software.

Other mission critical software was run on a terminal server using a single user home licence...

The terminal server was a cheap and nasty white box.  How did the previous IT company manage an imminent RAID failure?  They swapped drives between different bays and hoped for the best... <jeez, where do they find these people???>  Me?  I told the powers that they were at risk of imminent hardware failure and please, spend some money - they listened.

The tape backups had been failing for *4* months when I started because my predecessors had plugged the tape drive into a RAID controller instead of a SCSI card.  Me?  5 minutes of googling and I had a cause and fix.. you explain to me why the previous IT companies could not do that.

When the RAID hardware on a mission critical terminal server started throwing up unrecoverable errors they tried to tell me nothing was wrong and that the error was a false flag... I argued against that diagnosis, to no effect... within weeks the RAID suffered a catastrophic failure... bye bye server.  I hate to say "I told you so", but "I TOLD YOU SO!!!". Well, at least when I speak nowadays people listen.

 I can give you a myriad other reasons why my miracle workers are better than those who went before, but it boils down to this.  Companies trust us (IT support providers) to guide them, advise them, and speak honestly to them when bad decisions are being made.  You can either go the cheap path, the path ordered by those without the IT skills to understand the consequences, or you can stand up and say "you are wrong.. this will happen". 

The willingness to stand up and say "you are wrong, this bad thing will happen" is what separates my miracle workers from the crowd of IT providers who look no further than their monthly payment cheque.  For example, I am not willing to accept that a 40 Gig tape drive is sufficient to back up a 160 GIG database... you either purchase a larger tape drive or I walk.  It's that simple.  I am not going to be the bunny who is feeding backup tapes into a drive all day, and I am not the bunny who is going to try and use those split tapes to recreate a network.

Posted by sandi with no comments

As promised.. the saga of the network roll-out

Alternate title - "The weekend miracle" (shaddup Wayne) ;)

Imagine this.. a network teetering on the edge of failure - one terminal server dead - the other already teetering on the edge of death and having barely survived a virus infection; a slew of seriously old hardware (including Windows 95 boxes with 16 meg of RAM).  Hubs where there should be switches.. switches that are barely capable of doing what is asked of them.  Single network points shared out between three or four pieces of equipment via dinky little 10Mbps 4 port hubs...

Imagine pulling together hardware sufficient to rebuild an entire network infrastructure in the space of a week - all that would remain of the old network is one server, one switch, the printers and two computers.  Who did that?  Dean did that :)

New stuff rolled out over four intense days

A new terminal server, new UPS, new switch, new hubs, 17 new computers and 10 others reassigned.  A disaster recovery plan.  Implementing WSUS.  Upgraded and new software, licensing checks and purchasing what's missing; designing log-in scripts to automate what is a complicated software infrastructure as much as possible, all software being pushed out as published applications to the desktops (we're running Windows SBS2003). 

The network uses Worldox, Hotdocs, Lawdocs and OpenPractice, all tightly integrated, as well as sundry other software.  Some users are running Office 2002, some are running Office 2003, and the two different versions require different *.dot and *.ini files to suit the different environments and integrate with the document management system.  Therefore, Dean and I had to effectively design two networks, one to suit Office 2002, and one to suit Office 2003.

Want to know how complicated this got?  We went from zero GPOs and security policies to this - all designed in a few days (more to come below picture):

 

Some have asked for before and after screenshots and pictures of the work in progress.  Here we go.... remember, all this was done by just two people over four very intense days...

Before shot: cabling cabinet (what a mess) - I still can't believe the previous IT company deemed this acceptable.

 

Dean hard at work:

 

After: cabling cabinet - note the black box - that is a new UPS to protect the switches,

 

Ripping out the old network

These pictures were taken Sunday afternoon/evening - remember, only two people did all this... a really super karate black-belt fit bloke and, well, me.. who gets puffed walking up a slight incline ;) BTW, those few PCs you see in the second photo were the ones that were going to undergo hard drive reformatting before being donated to staff... all the rest were trashed...

 

 

I think the funniest part of the weekend was when a lawyer turned up at the office at 8.00pm on the Sunday night, took one look at that mess, and said "We *are* going to be ready to go Monday, yes?"  He was chased out of the office by threats of having to help move all that stuff ;)

Building the new network ..... vvrroomm...

Lots of boxes.... lots and lots and lots of boxes... 17 computers, 17 monitors, one server, a UPS, 3 x Maxtors, 17 x 500M memory sticks, SCSI card for domain controller, 16 port KVM, DVD drives, all sorts of lovely toys...

 

We like mess... mess is good

 

 

Hard at work

Sorry gang, no photos of me 'cause I'm the one wielding the camera :D If you're *real* lucky (or unlucky, depending on the perspective) Dean may have a photo or two of me getting my hands dirty too.

Dean was getting ready for the 17 PCs roll-out when this shot was taken, I think, on the Saturday after two days of preparation/designing - that's my laptop on the left, Dean's on the right.  Dean's using a kick-ass 16 port Belkin KVM switch that I tried really hard to persuade him to let me keep... alas, I'm left with my dinky little 4 port KVM.  Poor Dean, he looks like he's been working awfully hard, check out that midday shadow on his cheeks.

 

There was a method to all that cable madness....

 

I'll let Dean blog about the technical details of designing the new network and building the terminal server ... I seriously considered reproducing the user log-in script that has been written to cover various scenarios, operating environments and software versions, but will let him have the pleasure if he so chooses.  Dean handled building the terminal server, designing the GPOs, log-in script and all other server side stuff, as well as commissioning the new Cisco managed switch... What did I do?  I did the grunt work getting all the PCs on the network, taking care of all the software installations and handled the software integration side of things and its inevitable problems - remembering we were moving from a pure Citrix terminal services environment to local installations in house and terminal services when off site.

It was wonderful how smoothly things went thanks to Dean's careful preparation and design time.  After a PC was added to the domain Office 2003 or XP was automatically installed on the computer, as was Access if it was assigned.  Shortcuts appeared on each PC desktop for all assigned applications that could not be installed automatically so it was simply a matter of double clicking each shortcut to install - all shortcuts (except for IE7 Beta 2) disappeared from the desktop automatically as soon as the software was successfully installed.  The PCs were assigned various combinations of OfficeXP or 2003, Phillips Digital dictation and transcription software, VNC, IE7 Beta 2, Hotdocs, LawDocs, OpenPractice, Worldox, RealForm, 21st Century DOLI forms, NitroPDF and QuickTime.

The assign Applications to Client Computers Wizard rocks!!

 

The end result....

Server room "before" shot - the nearly dead, cheap 'n' nasty white box terminal server is the white box on the left.. the well specc'd domain controller is the black box, and you can barely see two dinky little emergency UPS on the floor near the wall.. the original UPS's batteries died - probably because they were five years old and nobody bothered to tell the company that such batteries have a 3 year life span.  I have never wanted to sue IT outsourcing companies as badly as I have wanted to sue the two that have taken care of this network.  The sides of the old batteries were so badly bulged we could not get them out without breaking the rivets holding the UPS body skeleton together.  The old UPS  was trashed and we purchased a new one because of evidence of overheating.  Thanks to my hubby and his rivet gun, dismantling the UPS body skeleton and putting it back together again was not a problem, but there was a small plastic bumper that had melted on the back of the primary circuitboard.  That was enough for me to say I was not willing to leave the old UPS in commission.

The black UPS boxes actually belong to me; one has been reassigned to protect the Cisco switches, the other has gone home with me, and is now protecting my small home network.

 

Next photo is the server room after we were finished - sorry it's not the best picture - I think Dean has a better one.  Working from right to left we have the new UPS, the original domain controller, the new terminal server that Dean built over the weekend, and the original document management system's indexing server (which people kept forgetting about because it was off in a different room).  One day some auditors came in to do their yearly check of our accounts, and were plonked into the same room as the indexing server because it had a spare desk.  A junior auditor pulled the power cable for the indexing server out of the wall because he wanted the power point for his laptop - he thought the server was not running.. um, no, the monitor had been turned off (quietly whack junior auditor upside of the head).  The Maxtor external drive on the shelf is part of our disaster recovery protocol.  There are also sundry bits and pieces like a KVM (yes, a third one), the ADSL modem, and the tape drive for night tape backups.

The server room has since been moved, again, and I've improved things even further - unfortunately I can't get the servers off the floor, or replace them with racks, but the hardware is now in an area on its own that the staff are not allowed near, and I've used a couple of large melamine sheets, and careful positioning of furnishing like cupboards and filing cabinets to minimise the amount of dust gathering around (and therefore getting into) the servers.  I'll post a picture later when I get a chance.

The new disaster recovery system is three 300Gig Maxtor external hard drives and Acronis.  Nightly images of the server are dumped to one of the Maxtor hard drives.. the other two drives are in the possession of myself and one other staff member, and the drives are rotated on a daily basis - if the worst happens and a server dies or is stolen, we can recreate the network within hours.

 

The staff were greeted by the following desktop when they turned on their sparkling new computers for the first time....

 

Alas, the Welcome Baby was retired just today, to be replaced by a boring corporate logo... but don't you worry.. I have *plans* to spice things up every so often... ah, the power of being a network admin...

All in all, I lost 5 kilos in 4 days and put in 25+ hours overtime in two days ... we filled a 4 cubic metre miniskip to the brim with trash and old computers and monitors and I went through $150 worth of petrol with my car filled to the brim, driving back and forth between office and miniskip (which had been dumped on my front lawn).  Hubby was tasked with unloading the car while I had a quick drink or bite to eat, and 16 year old son was tasked with taking the hard drives out of the old PCs before the old PCs were put into the miniskip for disposal.

Posted by sandi with 6 comment(s)

This is bad: international police investigation compromised by the loss of a USB memory stick

What the heck were they doing storing such data on something so easy to lose???
http://australianit.news.com.au/articles/0,7204,19588463^15306^^nbv^,00.html

"The details of 3500 customers from 18 banks, including names and account numbers, were lost when a classified computer dossier on Russian mafia "phishing" scams was misplaced by the Australian High Tech Crime Centre in April last year."

The memory stick was not encrypted or password protected.

Posted by sandi with no comments

Sometimes I really don't like computers...

Yes, I know I kept dropping in and out on IM.. blame the wireless network card in my laptop - speed kept dropping away to 24Mbps or even 1.0Mbps and it played havoc with my connection.  I've just set the router to 802.11g only (sorry John, 802.11b is simply too slow) and so far things seem stable - here's hoping the older wireless cards in the house support 802.11g ... I'll soon find out enough when the kids get home and try to go online.

Yes, I know some message times/dates have been screwy - blame that on reformatting my laptop yesterday and not setting date/time properly.

Yes, I know some of my promised emails didn't arrive - I don't know *why* that happened - I did send those messages .. honest.. they're right there in sent items - maybe the wireless problems screwed something up during send.  Will stick with Webmail for a while until I'm sure that network speed is going to stay stable - just in case.

Posted by sandi with no comments

Messenger Plus! after 12 hours

Note I am using IE7 - behaviour may be different on older systems.

There's no toolbar... my home page has not been changed.  IE's pop-up blocker is compromised by the installer adding exceptions to the pop-up blocker protection. 

The uninstaller allows you to remove just the sponsor, or the sponsor and Messenger Plus!

I haven't seen any adultfriendfinder soft p0rn advertisements this time, but what difference does that make when they have been replaced by advertisements for passion.com?? Edit: Strike that.  Adultfriendfinder.com popups just appeared - so far the graphics are tame compared to last time - let's see how things develop :(

There are advertisements for casino sites that require "software" downloads before playing, and the fraudulent "you are infected" pop-up that got me so angry at the sponsor program last night.  You'll note from the screenshot in my previous blog post that the pop-up tried to download and install an activex control - somebody using an older version of IE is at risk of being infected with betrayware with no interaction.

I get so frustrated when I see betrayware peddled.  I get so frustrated when hopes are raised by the disappearance of adultfriendfinder, only to be disappointed by the appearance of passion.com.

So much grief is being caused to innocent/naive users by betrayware.  I deal with its victims every day.  They are truly frightened when they see pop-ups such as the one I saw within minutes of installing Messenger Plus! last night.  They don't realise that they are being lied to, and they hand over money that they sometimes cannot afford in an attempt to remove infections that don't even exist! 

Messenger Plus! is extremely popular, and is (according to Patchou's figures) being used by 10,000,000 people - that's 10,000,000 potential malware/betrayware victims.  How many of those 10,000,000 users are of an age that exposure to passion.com is inappropriate? 

Maybe Patchou doesn't know what his users are exposed to when they accept the installation of his sponsor.  But assuming that Patchou believes, like me, that exposing people to betrayware or malware, and earning an income from same, is unethical, immoral and just plain wrong, then if he doesn't know what his sponsor exposes users to, he needs to do more to monitor and control the advertisements.  If they can't be controlled, I wish he would consider sourcing alternative sponsorship support - with such a large user base he'd be welcome just about anywhere.  Patchou could make a real difference by refusing to deal with companies that permit betrayware or malware advertisements.

This coming Saturday I am booked to clean a betrayware and malware infected PC that the owner has already spent $650 on to try and get it fixed.  Betrayware and malware cause financial and emotional pain.  I wish that everybody who earns an income from malware or betrayware advertisements would consider the pain that is being caused to so many people and decide that, yes, earning an income is important, but not if it involves deceit - even if that deceit is not directly practiced by you personally.

Posted by sandi with no comments

Ok, so now that Windows Live Messenger has been released...

...the latest version of the much maligned Messenger Plus! has been released... let's go check it out.. I've got the installer.. more soon.

Messenger Plus! and Patchou and his sponsor are as bad as they ever have been.

Crooks.... shysters... rip-off merchants... con artists... call them whatever the hell you want.

Ok, here is the situation.

Pristine installation of XP SP2.... no exposure to the internet *AT ALL*.  I used an HP-provided disk to install XP SP2, and an HP-provided disk to install all drivers.

Then, I install Messenger Plus!  Within minutes I am exposed to crapware. 

There are people who tell me that I am among the BEST IN THE WORLD when it comes to malware and viruses - I may not be high-profile, but I was out there fixing this crap before malware became "popular" and even now I will bypass automated cleaners in preference to a protocol that requires me getting my nails dirty.. no easy automated shortcuts for me ...  I tell you now.. there are **NOT** 180 viruses on this system.   There is not ONE virus.  This system is clean.  So, you tell me... are the advertisers honest, or ARE THEY LYING?  AND WHAT ARE YOU GOING TO DO ABOUT IT???

Give me a server or PC with a previously undetected and unknown malware and I *will* track it down and wipe it out.  I will rip it out by its roots.  If I am unsure, I can call on the best brains in the business.  Do *not* mess with me.   Do not tell me there is even *one* infection on my system... to try to do so is a declaration of WAR!!

Got it? Good.  Because the bad guys made a BIG mistake in trying to fool me or my users into thinking they may be infected.

Dell, HP and IBM are not companies to be messed with.  This is a brand new HP system - a pristine installation with only HP approved software installed directly from their own disks ... HP and Dell will not take kindly to any suggestion that their pre-approved install/recovery disks contain any sort of malware.

The sponsor advertisers are frauds... they are impersonators... they are crooks.. they are rubbish-dreggers trawling the bottom droppings of the internet... how can anybody feel it is right to earn an income from their shenanigans... if the Messenger Plus! "sponsor" cannot control their advertisements, then it is time to find a new sponsor.

Posted by sandi with 4 comment(s)

It seems I'm a glutton for punishment....

This weekend's task - and here's me with only a dinky little 4 port KVM to work with - it's going to be a long day.

And next weekend, two malware infested PCs are booked in for some care and attention.  Methinks I need to start charging for my time...

Posted by sandi with no comments

Thanks Ian! I enjoyed the giggle :)

One of my loyal readers pointed me to this site, coincidentally after reading my blog post about the Bit9 assessment which placed Firefox 1.0.7 as the most dangerous non-malicious software out there:
http://www.cweiske.de/

It seems the owner/author doesn't like IE and is blocking access to IE users. That's his prerogative but it's awfully short-sighted.  Why? Because IE7 is a massive improvement in security and CSS compliance - because Firefox is becoming a bigger target and the bad guys are targeting it more often and, if not kept right up to date, it leaves its users at risk - because even Opera is exploited (recent example)

On further thought, although I did giggle when I first saw the page, now that I've thought further about it the giggling has stopped.

The author says Opera and Firefox are "better" - how are they better?  Better CSS compliance?  IE7 has taken great strides in addressing that problem.  Are the alternative browsers "safer"?  No they are not.  As has been said in the past, all the bad guys need is *one* exploit.  Firefox and Opera can be and have been targeted - in fact just recently there was a hostile circulating that was targeting IE *and* Firefox exploits.

It is dangerous to tell somebody to stop using IE because it is a "paradise for virus programmers" and point them to Opera and Firefox without also warning them to regularly check for security updates for those browsers and practice safe hex.  Firefox and Opera are also subject to exploits and vulnerabilities - it concerns me when I see sites that forget to mention that fact.  At least with Internet Explorer, if you have Automatic Updates enabled you will be notified of the latest security updates.

The fanboys need to stop saying "use this - it's better".  They need to say "use this - it's better - but make sure you check back regularly for security updates and patches, and always practice safe hex".   Windows Update does not patch Firefox or Opera or any other alternative browser.  You have to look after yourself.  Remember that.  If your friends are using an older version of Firefox, especially one that does not have an inbuilt update ability, warn them that they have to go out and get those updates.

Bit9 says malicious software is not your biggest threat

This is an interesting way of looking at security risk.  Bit9 put together a list of the 15 most "dangerous" software products that are not malicious software.  To make it on to this list, the software:

  • is well-known in the consumer space and frequently downloaded by individuals;
  • is not classified as malicious software by enterprise IT organizations;
  • contains at least one critical vulnerability registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database;
  • has a severity rating of between 7.0 - 10.0 (high) on the CVSS scoring system;
  • relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.

Top of the list - that is, the most dangerous software - is reported as Mozilla Firefox 1.0.7, followed by Apple iTunes 6.02, Quicktime 7.0.3 and then Skype internet phone 1.4.

Internet Explorer does not appear in the list of 15 products ;)  You can see the full report here:
http://www.bit9.com/docs/15VulnerableApps.pdf

Windows Genuine Advantage troubleshooting page

The Windows Genuine Advantage Diagnostic Site helps users work out why their PC is having problems with the Windows Genuine Advantage check.  Often problems are caused by a misconfiguration and are therefore easily resolved.

http://www.microsoft.com/genuine/diag/

Posted by sandi with 2 comment(s)

The IE7 team sets Technet ablaze, but not in the way they planned ... ;o)

Ok, I admit, this had me giggling:
http://blogs.technet.com/windowsvista/comments/435992.aspx

I'm not sure how a laptop made it into the story... perhaps a misunderstanding of what a "notepad" is? ;)

"Sucks for the person who's laptop that belonged to."
http://hive.net/Member/blogs/the_insider/archive/2006/06/14/The-IE-Team-is-_2200_on-fire_2200_-at-TecEd.aspx

Posted by sandi with no comments

New Excel exploit using an undocumented vulnerability....

An incident has been reported in an incidents mailing list and on a couple of MS security blogs warning that there has been one report of a previously undocumented vulnerability in Excel being used in a hostile attack.  This means that you do *NOT* need to panic and switch to OpenOffice because the sky is falling.

This incident is what you could call a "zero day" exploit - that is, an exploit that is used by bad guys *before* being discovered by good guys, instead of being discovered by good guys and *then* being used by the bad guys.

The exploit worked because somebody opened an attachment received via email.  Going on the assumption that the attack was targeted, it is possible that the email content was written in such a way as to make it extremely difficult, if not impossible, to spot that it was not legitimate. 

If you are not *expecting* an attachment, do not open it.  Phone the sender and ask them if they sent it.  Reply to the email and ask them if they sent it.

It's a pain, but I think that as a community we are simply going to have to put into place new protocols to verify the legitimacy of emails that we receive.
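One way to put the "don't open it unless you were expecting it" rule into practice at the mail gateway, as an added example that is not code from the original post: flag every attachment that looks like a legacy Office document and, unless the sender is on a list of people you are expecting files from, quarantine it so it can be verified by phone or reply first. The allowlist, the sample messages and the "verify-then-open"/"quarantine" verdict names are my assumptions, not anything the page describes. The check recognises Office files by the OLE2 compound-document signature as well as by extension, because a hostile .xls renamed to .txt still opens in Excel once the user double-clicks it.

```python
"""Attachment triage for the "verify before you open it" advice above.

Added example, not code from the original post.  Assumptions (mine, not
the page's): you maintain an allowlist of senders whose Office files you
are expecting, and legacy Office documents are identified by the OLE2
compound-document magic bytes as well as by file extension.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Signature at offset 0 of every legacy Office (xls/doc/ppt) container file.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OFFICE_EXTENSIONS = (".xls", ".xlt", ".xla", ".doc", ".dot", ".ppt", ".pps")


def is_ole2(data: bytes) -> bool:
    """True when the bytes start with the OLE2 compound-document signature."""
    return data.startswith(OLE2_MAGIC)


def triage(raw_message: bytes, expected_senders: set[str]) -> list[dict]:
    """Return one finding per Office-looking attachment in a raw RFC 822 message.

    verdict is "quarantine" unless the sender is on the allowlist, in which
    case it is "verify-then-open": phone or reply to the sender before opening.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if is_ole2(payload):
            reason = "ole2-magic"          # content says Office, whatever the name
        elif name.endswith(OFFICE_EXTENSIONS):
            reason = "office-extension"    # name says Office, content does not
        else:
            continue                       # not an Office document; out of scope here
        findings.append({
            "sender": sender,
            "filename": name,
            "reason": reason,
            "verdict": "verify-then-open" if sender in expected_senders else "quarantine",
        })
    return findings


def build_sample(sender: str, filename: str, data: bytes) -> bytes:
    """Constructed test message (not a real capture) carrying one attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "victim@example.com"
    m["Subject"] = "Q2 figures - please review"
    m.set_content("Attached as discussed.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    allow = {"accounts@corp.example"}
    fake_xls = OLE2_MAGIC + b"\x00" * 56   # constructed: header only, not a real workbook
    for raw in (
        build_sample("accounts@corp.example", "q2.xls", fake_xls),
        build_sample("someone@unknown.example", "q2.txt", fake_xls),   # renamed file
        build_sample("someone@unknown.example", "notes.txt", b"plain text"),
    ):
        print(triage(raw, allow))
```

The magic-byte check is the important part: an extension filter alone is exactly what an attacker who renames the document gets past, and a "verify-then-open" verdict for an allowlisted sender is still only a prompt to ring them, not permission to open the file.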

Limited information about the exploit incident and Excel vulnerability is below:

Reports of a new vulnerability in Microsoft Excel http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx

Microsoft Excel Unspecified Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/18422

Trojan.Mdropper.J
http://securityresponse.symantec.com/avcenter/venc/data/trojan.mdropper.j.html

Downloader.Booli.A
http://securityresponse.symantec.com/avcenter/venc/data/downloader.booli.a.html

Posted by sandi with 1 comment(s)