April 2006 - Posts

Windows Live Mail will be reducing advertisements.

Cool. They're getting rid of the skyscraper advertisement to the right of the reading pane - never liked that ad:
http://www.shahine.com/omar/CommentView,guid,e6507db5-20d7-4727-83aa-a7c89a36640f.aspx
Posted by sandi with 1 comment(s)

While we're on the topic of the cost of security...

A brief article has just gone live at the Handlers Diary at the SANS Internet Storm Centre with by-line "Relay Reject Woes"
http://isc.sans.org/diary.php?storyid=1299

Pity that poor guy putting all that time and effort into fighting the spam-bots. 

The article brings to mind my experiences about 6 years ago; I'd just started taking care of a server running Novell and GroupWise.  Every night their server had been crashing and/or running extremely slowly, and their current IT provider was unable to work out what the problem was.  They threw money at that server - more RAM, bigger hard drives, upgrading software, etc. - to no avail.

It didn't take long for me to work out what was going on; mail relaying was enabled on the server (back in those days mail relaying was enabled by default) and said server was being brought to its knees every night by the spam load being pumped through it and the inevitable NDRs that were being generated.  The server was on every blacklist in existence and, of course, postmaster@ was not being monitored.  Damned if I know how the situation could have escaped the attentions of the IT support provider.

Ok, so I turn mail relaying off, but that did not resolve the situation.  Sure, it stopped the spam from being relayed, but it didn't stop the stuff from being accepted in the first place and dumped into the BAD directory.  The server was STILL under an amazing load, and guess who had to pay the cost of the bandwidth being used.

Fast forward to current day and another server, this time running SBS.  This time there is no mail relaying enabled but we are still the recipient of ridiculous loads of spam.  Again, time and effort is devoted to trying to stem the flood - users are complaining about the level of spam getting into their inbox.  Now that Exchange has mail filtering the job is easier, but it still takes up way too much time.  Being a law firm, no email can be automatically deleted.  Every single filtered message must be checked to ensure it is not a legitimate email and NDRs must be enabled :o(

It irritates me that so much spam is getting to me unimpeded.  It irritates me that so much of that spam is coming from spam-bots owned by home users.  But there is little that *I* can do to solve the problem.  The problem has to be solved at the source, not the destination.

Then there are the baddies trying to log into my server for nefarious purposes using names like 'webmaster' or 'postmaster' or 'admin' or 'asdfasdf' (yeah right, like that last one is gonna work) or 'Pete' or 'Fred' or 'Sam'. 

It irritates me that so much time and effort and cost is expended fighting the bad stuff.  Go..away..and..leave..my..server..alone.

Ransomware and lazy coders

I've just been reading this article about the latest "ransomware" to hit the streets:
http://www.viruslist.com/en/weblog?weblogid=185454886

I'm sure Kaspersky will forgive me for quoting the sections pertinent to this post:

"I think we have an interesting development going on here, I think there are two different types of ransomware.   Real ransomware, which encrypts your data or does other nasty stuff.  And malware which claims to do all sorts of nasty stuff but actually doesn't. It's bluffing, like bluff poker.
...
Ransomware has gotten quite some media attention and now criminals are trying to simply bluff people into giving up their money, instead of having to write difficult code."

Writing difficult code... it's a good point.  It's amazing how much stuff out there nowadays is being created by script kiddies using various tools to generate their wares.  There was a virus generator around for a while (not sure if it still is) and a rootkit generator as well.  But, when push comes to shove, those script kiddies ain't that good - without the generators they use they wouldn't be able to do what they're doing.

The capabilities of malware, and of malware writers, have been a high point of focus for me lately.  It's been said that if we lock things down in one way the bad guys will simply find a way around our defences.  But, when I read things like the Kaspersky article it reminds me that a lot of the stuff out there won't adapt to new defences.

The quick money.. the easy money.. that's what the vast majority of bad guys are after.  Sure there are "professionals" out there (popular sentiment placing them in Russia and other eastern bloc countries) who write very sophisticated malware that can be extremely difficult to remove, and a small percentage of such malware is able to get through our firewalls, but what percentage of the bad guys out there have such abilities? 

It has been said that if we introduce a particular security feature, then the bad guys will see that feature and bypass it anyway.  I've been thinking about the sentiment over the past few days.  I've come to realise it's a pervasive mindset, but it's one that I'm finding hard to settle in my mind as ok.   Are we correct to *not* block 95% of the bad stuff via outbound filtering simply because 5% may get through anyway?  If we do block that 95%, how long will it take before it adapts and neutralises our measures?  Will it adapt at all?

I can understand how forcing the bad guys to increase their level of sophistication is a bad thing - as the bad guys get better at what they do, and bypass more and more of our security measures, then things get harder and harder for us in the battle to win.  But, at the same time, without that crossing of swords we wouldn't have seen the security improvements that we now have the benefit of - a lot of software either would not come to be, or would not have been improved.

Two new Internet Explorer KB articles.

Error message when you start Internet Explorer 6 on a Windows XP-based computer: "Runtime Error! Program: C:\Program Files\Internet Explorer\IEXPLORER.EXE"
http://support.microsoft.com/default.aspx?scid=kb;en-us;916245

(I am wondering if the above should refer to iexplore.exe, not iexplorer.exe - there is malware that uses an executable called iexplorer.exe, but that doesn't seem to be the target of this article despite the reference to running a spyware check at the end of the article).

*****************

FIX: An access violation may occur when you use Internet Explorer 6 to visit a Web page that uses HTML Components to do DHTML scripting
http://support.microsoft.com/default.aspx?scid=kb;en-us;910645

Posted by sandi with 1 comment(s)

When does self-responsibility kick in?

The Web site www.itnews.com.au has highlighted a Russian 'smartbomb' for purchase that allegedly targets unpatched PCs:
http://www.itnews.com.au/newsstory.aspx?CIaNID=31952

According to itnews, Websense has reported that 1,000 sites are using the smartbomb, which can be purchased for as little as US$10.00.

The worrying thing that caught my attention about the report is that according to the statistics from just one attacker site, over 1,770 PCs were successfully compromised via a vulnerability that was patched back in April 2003!!!  I find it amazing that there are still computers out there that are vulnerable to an exploit that was patched three years ago.

The second most successful exploit for the highlighted attack site was one that targeted createTextRange, which was patched on April 11 - Websense reports that 1,507 PCs were compromised via that vulnerability.

There is only so much that we, as computer professionals, can do to protect people from themselves. Sooner or later every computer owner has to take responsibility for their own PCs, for their own security, and for their own education.

We're having an interesting discussion in a security focused mailing list at the moment about reports that Windows Vista's outbound firewall abilities will be disabled by default because the corporate end of town want it that way.

Some of the reasons given for why the decision is ok are, to me at least, staggering - for example:

1. The average user is not going to be interested or will freak out;
2. Stuff may get through anyway;
3. If you force them to learn they'll start using another OS;
4. The public doesn't want to be educated;
5. Computer manufacturers/ISPs won't like the cost of supporting confused users.

So.... computer manufacturers/ISPs won't like having to wear the cost of support calls - big deal.  Let's think about cost.  How much money do you think is spent fighting, for example, spam? Spam that comes from compromised home computers?  How much money has been and continues to be spent by corporations and private citizens paying for the bandwidth absorbed by said spam?  How many corporations have had to spend money on various attempts to ward off spam whether it be software or hardware solutions.  How many have had to upgrade their hardware to cope with the demand?  How much money do you think has been spent is fighting denial of service attacks from compromised home machines? How much money is spent fighting to take down phishing sites on compromised home machines? How much money has been lost to the criminals behind phishing sites? (the last report I read mentioned losses running into the millions).

Users who are not willing to educate themselves are a risk to themselves and other internet users.  Their compromised machines pump out spam; their compromised machines are used for denial of service attacks; their compromised machines are used to host phishing websites.

I am a finite resource; my associates are a finite resource; sooner or later we have to say "listen, you're harming the community at large, get with it or get out'.

Therefore, if forcing users to 'get educated' ends up with their choosing a different operating system, then I'll show them the way and shut the door behind them.  It's one less thing to worry about.  If forcing users to learn about and use things like firewalls and patching leads them to choose a different operating system - there's the door.

If home users are not educated - if they will not take responsibility for their own machines - then spam will not go away, denial of service attacks will not go away, phishing web sites will not go away.  That's the reality folks.

Another article at Eweek from earlier this month noted that "recovery from malware [is] becoming impossible":
http://www.eweek.com/article2/0,1895,1945808,00.asp

I have met Mike Danseglio (the guy who was interviewed for the article) - I attended training sessions that he held back in April 2005 in Singapore and still have his business card on my desk.  I remember how we left his sessions thinking "we're screwed".  I also remember that we wanted to cancel all the other sessions for the rest of the day so that we could continue working with and learning from Mike.

When I look at the risk to the internet community at large from compromised machines spewing crap I wonder how the heck people can say that not pushing for user education is ok. 

CSS improvements in IE7 - nobody said it was going to be easy...

Boy... Monday was the sort of day that I don't want to have to go through again any time soon.

As we all know, IE7 has been 'layout complete' since the March release, but, as the last few days have shown, sometimes things can go wrong.

Check out how my site looked in IE7B2 - nasty, yes?

IE-VISTA as displayed in IE7 Beta 2 before the CSS was fixed

Such embarrassment - one of the premier IE7 sites, if not *the* premier IE7 site, could not be viewed in IE7 Beta 2.  Even more embarrassing, it was an IE Program Manager at Microsoft who first spotted the problem and let me know.

Unfortunately I was travelling on the day of the Beta 2 release, heading back to Canberra from Wagga after spending a few days at Code Camp 2006 and my wireless broadband CDMA modem was only delivering 12Kb - I was hardly able to do anything.  And, it was the Anzac Day holiday in Australia.

I don't know enough about CSS to be able to fix this, but thankfully I have lots of knights in shining armour around me who were willing to assist. 

Brian Madsen, MVP knocked up a quick hack that improved the situation a little - note how we have gone from an overlap problem to the left column content falling off to the far left - well, at least it's readable.

IE-VISTA as displayed in IE7 Beta 2 and IE6 after the first attempted fix

Brian kept working on the problem but couldn't get it fixed.  Dave at Microsoft was still online (despite it being quite late for him) and was testing various attempts to fix the problem as they were uploaded - no joy.

Dave, Bob and Marcus at Microsoft really went to bat to try and help get the site fixed as quickly as possible.  From what I understand, Bob and Marcus basically dropped everything to concentrate on working out what went wrong, and how to resolve the issue.  And I tell ya what.. they came through for me.

By the time I awoke on the Tuesday morning there was an email in my inbox with a snippet of code that the guys at Microsoft thought might fix the problems at www.ie-vista.com.  It did fix the problem in IE7 Beta 2 but some issues still remain in IE6 and earlier.

IE-VISTA as it appears now in IE6 and earlier - note the missing content in the left column.

So far, we have not been able to work out why the content is missing in the left pane - the required space has been allocated, but some of the content is missing.  Thankfully the navigation menu itself is still there albeit off screen in the above shot.

Ok, so where do we go from here?  Well, I'll be moving away from Frontpage over the next week or so to an ASP solution, using Visual Studio instead of FrontPage to build and maintain my site.  I have also advised the owner of Ruthsarian Layouts of the problem, but as of yet have not received a response.  I've also been trying to get in touch with site authors that I know are using the same CSS templates from Ruthsarian so that they can also apply the fixes that have been used on www.ie-vista.com.

My grateful thanks go to Brian Madsen, MVP as well as Dave Massy, Bob and Marcus at Microsoft for dropping everything to help get www.ie-vista.com fixed.

Oh yes... I should tell you what caused the problem.  There is a known bug that sometimes hits when CSS uses negative margins.  That's what got me.  I don't pretend to understand the mechanics of the problem, but will try and get specifics for those who are interested.

Microsoft to brand pirated copies of Windows...

http://star-techcentral.com/tech/story.asp?file=/2006/4/25/prodit/14029720&sec=prodit

"Starting tomorrow, the software giant will permanently flag personal computers that are not running a genuine copy of Windows."

I think now is the time for a quick holiday... I think I'm glad to be going out of town this weekend...

Posted by sandi with 6 comment(s)

Sometimes being Australia based really sucks...

Tony Chor blogged about a dinner he attended which was held at Frisson in San Francisco just prior to the IE7 B2 launch ... so many photos.. so many familiar faces... sometimes living on another continent, and even worse, living in the most isolated city on said continent really sucks.

Photos of the party here...
http://www.flickr.com/photos/tags/ie7b2/

Nice to see Tony is into whiskey - must make a point of booking Tony for an evening of alcoholic critique; oh, and I can also claim credit for introducing Robert Scoble to the pleasures of quality single malt whiskey - well I share that achievement with Alex Nichol MVP who passed away just over a year ago and is much missed.

By the way Robert... cool t.shirt... nice to see you are still not at all shy about making a statement ;o)

Posted by sandi with 2 comment(s)

912945 versus Outlook Web Access...

Yes, I know, we seem to be talking an awful lot lately about IE, Windows and OE patches and the problems they are causing - what can I say - it's been a bad month.

MS has released a KB article addressing problems that users of Outlook Web Access may experience after installing the EOLAS patch (aka 912945) as well as problems experienced by users of Windows Vista
http://support.microsoft.com/default.aspx?scid=kb;en-us;911829

Thankfully there is a hotfix available - far preferable to uninstalling the patch.

What's this? You have to PAY people to push Firefox...

<<<laughing>>> I'm sorry, but this is ***so*** funny.

"For each person you switch, Google gives you $1, Microsoft loses marketshare, and an angel gets its wings. "
http://www.explorerdestroyer.com/

Ok, so now we're *paying* people to push Firefox? What? It can't stand on its own merits?  ;o)

Posted by sandi with 2 comment(s)

Problems with MS06-016 - Outlook Express

It has not been a good week for Microsoft.

MS06-016 has been causing problems for some users who have been experiencing errors when attempting to open their address book and even losing all email contacts.  Some users are unable to send or reply to emails and are being prompted to reinstall OE:
http://support.microsoft.com/kb/917288

There is a workaround available for those of you affected by the address book problems - it works, but you will lose any contact groups that you have created.

1. Uninstall KB911567

2. Make a copy of C:\Documents and Settings\<user>\Application Data\Microsoft\Address Book\<user.wab> and save it under a new name (backup.wab) to C:\Documents and Settings\<user>\Desktop\backup.wab where <user> is your Windows user name.  (Make sure there is no <user.wab> file on your Desktop)

3. Delete C:\Documents and Settings\<user>\Application Data\Microsoft\Address Book\<user.*> (that is, any file in that directory called user.* - the star being a wildcard)

4. Run the Windows Address Book as you would normally. It will start up with no contacts present.

5. Now click on File | Import | Address Book (WAB) and import from the backup.wab file present at C:\Documents and Settings\<user>\Desktop

6. Re-install KB911567
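For those who would rather not do the file juggling by hand, here is an added PowerShell script (mine, not from the original post or from Microsoft) that performs steps 2 and 3 of the workaround with the safety checks the post mentions, and refuses to delete anything until the backup has been verified. It assumes an XP-era profile layout where $env:APPDATA resolves to C:\Documents and Settings\<user>\Application Data; the GUI steps (run the Address Book, File | Import, reinstall KB911567) are still done by hand.

```powershell
# Added example script: automates steps 2 and 3 of the WAB workaround above.
# Assumption: $env:APPDATA points at "...\<user>\Application Data" (XP layout).
$user    = $env:USERNAME
$wabDir  = Join-Path $env:APPDATA "Microsoft\Address Book"
$desktop = [Environment]::GetFolderPath('Desktop')
$wabFile = Join-Path $wabDir "$user.wab"
$backup  = Join-Path $desktop "backup.wab"

# Nothing to do if the address book file is not where the post says it lives.
if (-not (Test-Path $wabFile)) {
    throw "No address book found at $wabFile - nothing backed up, nothing deleted."
}

# The post's caveat: there must be no <user>.wab on the Desktop, or the
# later import will pick up the wrong file.
$clash = Join-Path $desktop "$user.wab"
if (Test-Path $clash) {
    throw "Found $clash on the Desktop. Move or rename it before continuing."
}

# Step 2: copy <user>.wab to Desktop\backup.wab and verify the copy.
Copy-Item -Path $wabFile -Destination $backup -Force
$srcLen = (Get-Item $wabFile).Length
$dstLen = (Get-Item $backup).Length
if ($srcLen -ne $dstLen -or $dstLen -eq 0) {
    throw "Backup size mismatch ($srcLen vs $dstLen bytes). Not deleting anything."
}
Write-Host "Backed up $wabFile ($srcLen bytes) to $backup"

# Step 3: only now remove <user>.* from the Address Book folder.
$stale = Get-ChildItem -Path $wabDir -Filter "$user.*" -File
foreach ($f in $stale) {
    Remove-Item -Path $f.FullName -Force
    Write-Host "Deleted $($f.FullName)"
}

Write-Host "Now run the Windows Address Book, use File | Import | Address Book (WAB)"
Write-Host "to import $backup, then reinstall KB911567 (steps 4 to 6 of the post)."
```

Contact groups are still lost on import, exactly as the post warns; the script only removes the chance of deleting the address book before a good backup exists.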

Another issue caused by MS06-016, but which is "by design" is that it prevents saved unsent message *.eml files from being opened as unsent messages. Instead, they open as sent messages and cannot be resent. Outlook Express behaviour has been changed so that it now ignores the unsent flag in the message headers, so the message opens as a sent message, even though it has not been sent.

The only workaround for this behaviour change is to uninstall the security patch.  To be clear, this change does not affect messages saved to the OE drafts folder.  It only affects emails saved outside of OE (such as home-made templates).

There are risks to removing the patch and you will have to balance your desire for easy access to templates with the risk of removing the patch - as for me, I say keep the patch and work out a different way of doing things if you like to use sound and motion templates for OE.

http://www.microsoft.com/technet/security/bulletin/ms06-016.mspx


Posted by sandi with no comments

Internet Explorer 7 Beta 2 is released

It's a real pity I didn't get to announce this at Code Camp... sorry guys.

Internet Explorer 7 Beta 2 has now been released for download and evaluation by all Technology Enthusiasts.  This is the **REAL** Beta 2, not just a **PREVIEW**.

For the IE7 Beta 2, Microsoft is providing consumer customers with unlimited phone support at no charge to users in North America and soon in Germany and Japan! They are doing this to encourage adoption because we feel that IE7 – even in the beta stage - will help keep customers safer online and provide them with an improved browsing experience.

Also, IE7 Beta 2 is available in English and will now run on Windows XP 64-bit Edition and Windows Server 2003 SP1 in addition to Windows XP SP2.

New! IE7 Beta 2 for Windows XP Fact Sheet: http://www.microsoft.com/presspass/newsroom/winxp/IE7XPSP2FS.mspx

New! IE7 Add-on Site: www.ieaddons.com

You can find the IE7 Beta 2 Preview here:
http://www.microsoft.com/windows/ie/downloads/default.mspx

Release notes:
http://msdn.microsoft.com/ie/releasenotes/default.aspx

Installation tips:
http://www.ie-vista.com/known_issues.html

Please remember that this is a Beta build, and some stuff may still be broken.  There is a risk to downloading and installing beta software.  Please do not install it if problems are going to cause a crisis for you.

Note:  The activex update commonly known as the 912945 update is an integral part of IE7 Beta 2.  Please review this Blog post to familiarise yourself with the changes to activex behaviour:
http://msmvps.com/blogs/spywaresucks/archive/2006/03/04/85409.aspx

Reminder: Microsoft is re-releasing MS06-015

MS06-015 has been "re-engineered" to address some very specific problems being experienced by some Windows users.  The re-engineered patch will be released via Windows/Microsoft/Automatic Updates today (today being 25 April 2006).

Important points:

  1. The re-engineered patch is being re-released to address specific problems - that is, problems experienced by users who have HP's "Share to Web" application installed, and users who have NVIDIA drivers installed (version 60.00 to 64.99).
  2. The only change to the patch is that it adds the above affected software to an exception list.
  3. If you have already installed MS06-015 and you do not have the targeted software installed you will NOT be offered the re-engineered patch.
  4. If you have already installed MS06-015, and you are experiencing the problems described here, and you do NOT have the targeted software installed, then the re-engineered patch will NOT fix things for you.  The only change that has been made is that the re-engineered patch automatically creates the registry entries described in this KB article.

If number 4 applies to you, please post about your problems to the Internet Explorer newsgroups.  If you are using IE6, please post to the IE6 Browser group.  If you are using IE7, please post to the Internet Explorer General group.  The MVPs and other users will do their best to help you work out what software is involved in the problems on your system.

As Rove McManus would say.... WHAT THE!!

I'd love to know what the heck type of ActiveX control would allocate more than 4GB of memory...
http://support.microsoft.com/default.aspx?scid=kb;en-us;911064&sd=rss&spid=2073


Posted by sandi with no comments

Everybody wants Quick Tabs

Cite: http://www.itnews.com.au/newsstory.aspx?CIaNID=31844&eid=3&edate=20060421

The browser also boasts support for BitTorrent, an advertisement- and image-blocker, search engine customization, and thumbnail previews of pages open in the tabbed interface.

Posted by sandi with no comments

Microsoft are re-releasing MS06-015

Microsoft are going to re-release MS06-015 to address the problems being experienced by some users of HP Share to Web software and older NVIDIA cards.

The re-release is scheduled to take place on Tuesday 25 April and will be automatically pushed out to all affected users via Windows Update, Microsoft Update and Automatic Update.

If you don't have the affected software you will not be offered the update. 

A win for the good guys - the first successful prosecution under Washington's 2005 Computer Spyware Act

A name that may go down in history - Zhijian Chen of Portland, Oregon is the first person to be successfully prosecuted, and fined, under Washington's 2005 Computer Spyware Act.

What Chen and his co-accused (Seth Traub, of Portsmouth, N.H.; and Manoj Kumar, of Maharashtra, India) did was use Messenger Service (net send) alerts to fool victims into believing that their computers may be infected with spyware or other nasties (by the way, the Messenger alerts being discussed here are not the chat programme - rather, we are talking about the Messenger Service most often used by network admins to send pop-up messages to all users on a network - you can find more information about Net Send here).

Victims would click on an embedded link in the Messenger Service alert, and ended up at a Web site promoting "Spyware Cleaner".  A free online scan was offered, the victim was told they are infected with spyware (even if no spyware existed on the scanned system) and then stung for US$49.95 to "clean" their systems.

The company behind Spyware Cleaner was called "Secure Computer"... uh, yeah, right...

Chen has been ordered to pay US$16,000 in restitution to users who bought Spyware Cleaner (no, not US$16,000 per victim - US$16,000 in total), US$24,000 in fines, and close to US$44,000 in attorney fees - all up, US$84,000.00.

Fake antispyware products are big business - check out spywarewarrior's ever growing rogue antispyware list:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

For what it's worth, a firewall will invariably stop external net send alerts, and the Messenger Service is disabled by default from XP SP2 onwards.

The name of this now infamous fake antispyware application brings to mind another Blog entry that I wrote back in February:
http://msmvps.com/blogs/spywaresucks/archive/2006/02/13/83396.aspx

I see the same nonsensical advice still exists (despite MS being able to change the page enough to change the reference to "Microsoft Antispyware" to "Windows Defender").

So, let's say it once more... legitimacy is not guaranteed just because a programme calls itself an antispyware product, or uses the words "spy," "spyware," or "antispyware" in its name or Add/Remove Programs entry.  It's hard to believe such inane advice is being offered under the by-line "Security Essentials".


Firefox to introduce a regular patching cycle and a mega-patch

Firefox patched 24 vulnerabilities last week, 11 of which are "critical" (meaning your computer can be infected with no user interaction required), 4 are "high," 2 are "moderate" and 1 is "low."

In what some are calling a 'catch up' with Microsoft's "Patch Tuesday", Firefox have announced that they will introduce a regular patching cycle.  How regular? Apparently every six to eight weeks.

I strongly recommend you update to version 1.5 of Firefox, not only for security reasons but also because it addresses another bugbear of mine - Firefox have *finally* introduced an automatic update mechanism, meaning that users are no longer left in the dark about critical updates.  I never considered it acceptable that Firefox users had to make the effort to regularly visit the Firefox site and search for security updates.

Explorer error fix..

Problem example:

Right click My Computer, select Explore.

Click on search on the toolbar, then on "Other Search Options".

Click on "search the internet".

Place cursor at top of pane - you may see the 912945 'click to activate or use this control' hover.

Click on customise.  Page is stuck on "loading search settings" and any attempt to select a radio button in the window throws script errors.

Fix: Run the following command:

regsvr32 /i shdocvw.dll

The first time you try to use the "explore" context menu there may be an extended delay, with the system frozen, before the window opens.  Give it a minute or two.

Thanks to Rob A who mentioned he'd been able to fix a problem with his "Search the Internet" feature by registering that file - don't know what his precise problem was, but what the hey, it works :o)

Posted by sandi with no comments