April 2007 - Posts

DDOS attacks against Estonian Government websites

I originally spotted this article thanks to Harry Waldron's blog, and what I read there saddens me.

Many of us have known for a while that the primary reason the bad guys infect our computers has changed from "I've got the biggest schwang because I infected the most PCs" script kiddy bragging to financially and criminally motivated goals.  The bad guys want to 0wn our computers so that they can use our broadband connections to distribute spam, so that our computers can be used as involuntary hosts of warez and other crud, and to harness our computers to be used as zombies in attacks against various Web sites.

I know that computer owners do not realise their lovely new machines may be used to score points in a political war on distant shores, but that is the reality of the Internet world - and I hate it.  What happened to the brave visions for "the Internet" back when it was a babe? What happened to the visions of the global good - the ease of communication, the spreading knowledge, and education - empowering users, teaching them and strengthening them?

I've heard some analysts suggest that up to 98% of all spam is being sent via infected computers, and the bad guys don't care if those computers are owned by a business, or by grandma and grandad in the local retirement home.  You can be a pacifist, you can be anti-war, you can be pro-peace, you can be on the other side of the world and completely unaware of what is going on in distant countries you never think of and will never visit, but your computer may still be used in somebody else's "war".

I wish for the "good old days" when malware did no more than add a toolbar to IE, change your Search Engine and home page, and throw up pop-up windows advertising stuff you wouldn't buy anyway.

Unrest in Estonia:
http://www.f-secure.com/weblog/archives/archive-042007.html#00001181

Update on the Estonian DDoS attacks:
http://www.f-secure.com/weblog/archives/archive-042007.html#00001183


Posted by sandi with no comments

msfeedicon version 2.3 has been released

I love this little programme, which is a free RSS plugin for IE7.  It adds an icon to your system tray and displays when you have unread posts in your subscribed RSS feeds.  It can be downloaded here:
http://www.wictorwilen.se/msfeedicon.aspx

msfeedicon offers the following features:

  • Icon in the system tray indicating the status of your feed subscriptions
  • Displays notifications when a feed contains new posts (customisable)
  • Automatically marks a feed as read (customisable)
  • Force an update on all feeds
  • Star a notification for later reading
  • Mark as read without viewing the feed
  • Cancel subscription from notification window
  • Searching the new posts for specific Tags so you can select which posts are interesting to you
  • Feed statistics
  • Install and uninstall program
  • Shows notifications when a new version of msfeedicon exists (customisable)
  • Enable or disable the automatic synchronization of Windows RSS platform
  • Presentation mode aware (Windows Vista only)


Personally I prefer msfeedicon to Feeds Plus (even though Feeds Plus was developed by the IE RSS team) because Feeds Plus just didn't behave well on my system and it isn't as feature rich as msfeedicon, but if you want to compare the products, Feeds Plus can be downloaded here:
http://www.enhanceie.com/ie/feedsplus.asp

You can find my previous comments about Feeds plus here:
http://msmvps.com/blogs/spywaresucks/archive/2007/01/26/521121.aspx

Posted by sandi with 1 comment(s)

IEAK web site 0wn3d.

Update: the ieak.microsoft.com/1.0/... links are M.I.A as at 5.59pm 29 April, Perth local time.

Go here:
http://www.microsoft.com/technet/prodtechnol/ie/ieak/license/default.mspx

Click on "look up customization code" to go here:
http://ieak.microsoft.com/1.0/lookupcode.asp

Then click on "License and Registration Page" link:
http://ieak.microsoft.com/1.0/newlicensee.asp

The following has been inserted into the page's source code:

<body onload="document.body.innerHTML='<p align=center><font size=7>Own3d by Cyber-Terrorist</font><img src=http://c2000.com/gifs/billgates.jpg><p align=center><font size=7>--Cyb3rT--</font></p>

The code results in what looks like a redirect, but isn't. What you see instead of the content Microsoft intended for the page is:

As far as I can tell, this incident was originally reported in the blogosphere by: http://www.alex-smith.me.uk/?p=76

Posted by sandi with 1 comment(s)

McAfee Site Advisor versus Trend Micro's TrendProtect

I have just finished reading the latest entry on the McAfee Site Advisor blog that says, as introduction:

"For the past couple of weeks, we've been seeing an increase in spam advertising a fake application called WinFixer."

Yay them. I've been noticing a massive increase in spamming, especially via blog comments, for several months.

McAfee then go on to say:

"Another variant of the same application goes under the name of PrivacyProtector. The PrivacyProtector website is currently rated green by SiteAdvisor, because it hasn't had any downloads for us to test. However, we'll be overriding that to red shortly, based on its association with WinFixer."

OK, so here's a problem with McAfee's Site Advisor, something that has bothered me for a long time.  Site Advisor's reputation tests suffer from a very basic flaw if a rip-off site like PrivacyProtector is left unflagged simply because it has no downloads available for testing.  What about the fact that PrivacyProtector shares an IP address with some very shonky sites?  Check this out:

Pinging www.errorsafe.com [66.244.254.64]

Pinging www.winantispyware.com [66.244.254.64]

Pinging www.winantivirus.com [66.244.254.63]

Pinging www.privacyprotector.com [66.244.254.63]

At the time of writing, McAfee Site Advisor is *still* listing PrivacyProtector as green, whereas Trend's competitor product, TrendProtect, is listing the site as red.

So why is Trend ahead of the game on this one?  Because Trend is a "real time" service, and it uses additional checks not included by McAfee when assessing a site's reputation. 

When people ask me what service I recommend as an additional layer of reputation information to complement IE7's phishing filter and extended validation certificate support, I direct them to TrendProtect (available at http://www.trendsecure.com/portal/en-US/free_security_tools/trendprotect.php?page=download)
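The shared-IP check the post is asking for, as an added example (not the post's own code, and not how either vendor's service works): the resolutions are taken from the ping output above, the ratings are assumed to mirror the scenario in the post, and the unrelated host www.example.com is a constructed control.

```python
"""Infrastructure-aware reputation check (added example).

A site with nothing to download can still be flagged by the company it
keeps: PrivacyProtector resolves to the same IP as a site already rated red.
"""
from collections import defaultdict

# Constructed sample data: hostname -> resolved IP (from the post's ping output),
# plus one unrelated control host.
RESOLVED = {
    "www.errorsafe.com": "66.244.254.64",
    "www.winantispyware.com": "66.244.254.64",
    "www.winantivirus.com": "66.244.254.63",
    "www.privacyprotector.com": "66.244.254.63",
    "www.example.com": "192.0.2.10",
}

# Assumed reputation verdicts illustrating the post: three known rogue sites
# are red, PrivacyProtector is still green because nothing has been tested.
RATINGS = {
    "www.errorsafe.com": "red",
    "www.winantispyware.com": "red",
    "www.winantivirus.com": "red",
    "www.privacyprotector.com": "green",
    "www.example.com": "green",
}


def group_by_ip(resolved):
    """Invert hostname -> IP into IP -> set of hostnames."""
    by_ip = defaultdict(set)
    for host, ip in resolved.items():
        by_ip[ip].add(host)
    return by_ip


def ip_neighbours(host, resolved):
    """Other hostnames that resolve to the same IP as host."""
    ip = resolved[host]
    return {h for h, other in resolved.items() if other == ip and h != host}


def guilty_by_association(resolved, ratings, bad="red"):
    """Return {green host: sorted list of red neighbours on the same IP}.
    Hosts already rated red are not re-reported."""
    suspects = {}
    for host, rating in ratings.items():
        if rating == bad or host not in resolved:
            continue
        bad_neighbours = sorted(
            n for n in ip_neighbours(host, resolved) if ratings.get(n) == bad
        )
        if bad_neighbours:
            suspects[host] = bad_neighbours
    return suspects


def proposed_rating(host, resolved, ratings, bad="red"):
    """Verdict after the shared-IP rule: a green host with a red neighbour is
    downgraded to 'suspect' pending a direct test of the site itself."""
    if ratings.get(host) == bad:
        return bad
    if guilty_by_association(resolved, ratings, bad).get(host):
        return "suspect"
    return ratings.get(host, "unknown")


if __name__ == "__main__":
    for host in sorted(RESOLVED):
        print(f"{host:28} {RATINGS[host]:6} -> {proposed_rating(host, RESOLVED, RATINGS)}")
```

A shared IP is a signal to prioritise a direct test, not a verdict on its own: large shared-hosting providers put thousands of unrelated sites behind one address, so the rule above would flag all of them the moment one is rated red.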

Posted by sandi with 12 comment(s)

Too weird: buy a poodle - get a sheep

Just what does this say about Japan's education standards, at least when it comes to what is a sheep, and what is a dog...

Thousands of Japanese have been swindled in a scam in which they were sold Australian and British sheep and told they were poodles.

The scam was uncovered when Japanese film star Maiko Kawamaki went on a talk-show and wondered why her new pet would not bark or eat dog food.

She was crestfallen when told it was a sheep.

Source: http://www.news.com.au/story/0,23599,21629305-2,00.html

Posted by sandi with 4 comment(s)

New: the Microsoft Malware Protection Portal

Open to the public for preview and feedback purposes:
http://www.microsoft.com/security/portal/

More important security related announcements from Microsoft here:
http://blogs.technet.com/rhalbheer/archive/2007/04/25/three-microsoft-announcements.aspx

Posted by sandi with no comments

Julie Amero sentencing delayed.... again....

For heaven's sake, just withdraw the charges and have done with it!

Julie Amero's sentencing has been delayed, for the third time, this time until 18 May.  Apparently the reason for the latest delay is that "The state has not completed a full examination of all the issues which may affect its position at the sentencing hearing."

Source: http://www.norwichbulletin.com/apps/pbcs.dll/article?AID=/20070425/NEWS01/704250301

Posted by sandi with 2 comment(s)

Winfixer and ValueClick – an oft-appearing association

My regular readers will remember my various articles about the Winfixer infiltration of the AOL and MSN advertising networks that happened not long ago.  Winfixer infiltration of Web site advertising (as well as forum and comment spam) continues to be problematic, and one name that keeps on popping up over and over again is adfarm.mediaplex.com (Mediaplex is owned by ValueClick).  The problem seems to be so endemic that any web site, forum or Web comment that utilises links redirecting to adfarm.mediaplex.com is potentially placing its visitors at risk of a Winfixer infection.

Over the past couple of months I have had in-person and telephone conferences with representatives and technical staff at MSN and AOL as a direct result of the Winfixer infiltrations of various advertising networks.  They have learned a lot from the events of the past few months, as have I.  I don't think any of us realised how widespread the problem was, or just how sophisticated the bad guys were getting, until we started taking a close look.

Mike Burgess and I have been having a close look at adfarm.mediaplex.com.  I have tried to contact ValueClick regarding the adfarm.mediaplex.com problems using their “contact us” page on their Web site, but as of yet have received no response (and those of you that know me well know that a failure to respond is sure to intensify the attention that I pay to a problem advertisement network).  I will be contacting them directly via an email address given to me by an associate as soon as this article goes live, and will report on their responses, if any.

Edit 26 April: There has been no response from ValueClick

Edit 27 April: ValueClick have responded to advise they are investigating

Edit 8 May: ValueClick report that they are still investigating

Why is Winfixer bad?

The Winfixer group of products is listed as a “Rogue Security Product” in the latest Microsoft Security Intelligence Report.  The report can be downloaded here:
http://download.microsoft.com/download/f/d/a/fda5850e-269f-40a3-9708-c60eb837456f/MS_Security_Report_Jul-Dec06.pdf

Microsoft’s definition of “Rogue Security Products” is:

“These products appear under a variety of names and produce a variety of results for the end user, ranging from limited or no detection capability, coupled with a fraudulent request to pay for a “full” version, to outright malicious behavior, such as installing malicious software without the user’s consent in order to give the product something to detect. In many cases, the people behind such software would attempt to get the infected individual to pay them for removal of purported infections using fraud and social engineering.” 

A worrying statistic from the Rogue Security Products table that specifically mentions Winfixer products is that 55% of users who have WinSoftware.WinAntiVirus installed, and 31.3% of users who have WinSoftware.WinAntiSpyware installed chose to *ignore* the detection, with only 30.6% and 37.6% respectively choosing to remove the software.  I can only assume that the victims of these products are choosing to believe that the various Winfixer offerings are legitimate products instead of heeding the warning being given by Windows Defender. 

In contrast, 75.7% of Windows Defender users choose to remove the “potentially unwanted software” C2.LOP (aka C2Media, aka Circle Distribution, and the software commonly known as the Messenger Plus! Sponsor Program).

Now, all of us are entitled to earn an income, all of us are entitled to advertise, and companies such as Mediaplex and ValueClick are entitled to offer a service to advertisers.  BUT, I believe that a line is crossed when deceit is practiced – when the advertisers that Mediaplex and ValueClick are "enabling" via their services try to automatically download and install their product on to your system (thank heaven for IE’s info bar that stops such things from happening automatically), when an advertisement tries to trick you into thinking that your computer system is having issues or that your privacy is at risk, or when the software being touted falsely reports infections where none exist – companies such as ValueClick and Mediaplex should run, screaming, from such clients.  Slowly but surely I'm seeing a move towards forcing advertisers, and those who use their services, to ensure that those they associate and do business with are ethical and above board, as distinct from just making sure that their own actions are OK.  In short, saying "but it wasn't me" and "but I didn't know" isn't the end-of-responsibility argument that it used to be.

Winfixer prevalence

Just how pervasive is the spamming, pimping and touting of Winfixer domains?  How many adverts are out there pushing people to such sites, and how many potential infectees are there?  Well, let’s have a look at the Alexa Traffic Ranking of various Winfixer sites:

Drivecleaner.com:
http://www.alexa.com/data/details/traffic_details?url=www.drivecleaner.com
(rank 587) (570 on 26 April)

Systemdoctor.com:
http://www.alexa.com/data/details/traffic_details?url=www.systemdoctor.com
(ranking 966) (929 on 26 April)

Errorsafe:
http://www.alexa.com/data/details/traffic_details?url=www.errorsafe.com
(ranking 1,001) (990 on 26 April)

Winantivirus:
http://www.alexa.com/data/details/traffic_details?url=www.winantivirus.com
(ranking 1,630) (1,574 on 26 April)

Winantispyware:
http://www.alexa.com/data/details/traffic_details?url=www.winantispyware.com
(rank 4,793) (4,539 on 26 April)

Errorprotector.com:
http://www.alexa.com/data/details/traffic_details?url=www.errorprotector.com
(ranking 7,636) (6,966 on 26 April)

Gomyron.com:
http://www.alexa.com/data/details/traffic_details?url=www.gomyron.com
(ranking 214,212) (197,535 on 26 April)

By way of comparison with legitimate security products, mcafee.com has a ranking of 932 (954 on 26 April), symantec.com has a ranking of 218 (222 on 26 April), ca.com has a ranking of 3,148 (3,262 on 26 April) and trendmicro.com has a ranking of 2,335 (2,361 on 26 April).

How is ValueClick involved in the spread of Winfixer?

ValueClick owns Mediaplex, and Mediaplex is an oft-spotted contributor to the spread of Winfixer malware.

Just some adfarm.mediaplex.com URLs that redirect to Winfixer and Winfixer-like sites include:

hxxp://go.errorsafe.com/MTUwNzE=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177402585&aid=swp_ers&lid=5590&affid=pp_841427153&p=ers&ax=1&ed=1&ex=1

hxxp://go.winantivirus.com/NTIzMw==/2/3224/ax=1/ex=1//
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177404112&aid=swp_wa7p&lid=3224&affid=pp_2131627152&ax=1&ex=1

hxxp://go.winantispyware.com/MTUwNjU=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45682?mpt=1177473791&aid=swp_was7&lid=5590&affid=pp_117727353&p=was&ax=1&ed=1&ex=1

hxxp://go.winantispyware.com/NTY2Mg==/2/3345/ax=1/ed=1/ex=1/af6/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45682?mpt=1177485361&aid=swp_was7&lid=3345&affid=pp_669127382&p=was&ed=1&ex=1

hxxp://go.privacyprotector.com/MTUwNjc=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/49988?mpt=1177473894&aid=swp_pp&lid=5590&affid=pp_181027351&ax=1&ed=1&ex=1

hxxp://go.winantivirus.com/MTUwNjg=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177474037&aid=swp_wa7p&lid=5590&affid=pp_271427354&ax=1&ed=1&ex=1

hxxp://go.drivecleaner.com/MTUwNjk=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45688?mpt=1177474361&aid=swp_dc&lid=5590&affid=pp_469727351&ax=1&ed=1&ex=1

hxxp://go.errorprotector.com/MTUwNzA=/2/5590/ctx=1/in=1/epp=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/49487?mpt=1177474589&aid=swp_erp&lid=5590&affid=pp_619327354&ctx=1&in=1&epp=1

hxxp://go.systemdoctor.com/MTUwNzI=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45686?mpt=1177474773&aid=swp_sdr&lid=5590&affid=pp_737127354&ax=1&ed=1&ex=1

hxxp://gomyron.com/MTUwNzM=/2/5590/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/7412-39608-16292-6?mpt=1177475141&aid=swp_ron&lid=5590&affid=pp_944227352&
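A way to turn the redirect pairs above into something a proxy or web filter can act on, as an added example (not the post's code and nothing to do with Mediaplex's own systems): it parses the defanged source -> target pairs into a lookup keyed on the mediaplex ad id and the aid (campaign) parameter, then flags constructed proxy log lines that match. The log format "client method url" and the client addresses are constructed for the example.

```python
"""Classify ad-network click-through URLs by the rogue site they were seen
redirecting from (added example, not the post's own code)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: four of the source -> target pairs quoted in the post,
# kept in the post's defanged 'hxxp' form.
OBSERVED_REDIRECTS = [
    ("hxxp://go.errorsafe.com/MTUwNzE=/2/5590/ax=1/ed=1/ex=1/555/",
     "hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177402585&aid=swp_ers&lid=5590&affid=pp_841427153&p=ers&ax=1&ed=1&ex=1"),
    ("hxxp://go.winantivirus.com/NTIzMw==/2/3224/ax=1/ex=1//",
     "hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177404112&aid=swp_wa7p&lid=3224&affid=pp_2131627152&ax=1&ex=1"),
    ("hxxp://go.privacyprotector.com/MTUwNjc=/2/5590/ax=1/ed=1/ex=1/555/",
     "hxxp://adfarm.mediaplex.com/ad/ck/49988?mpt=1177473894&aid=swp_pp&lid=5590&affid=pp_181027351&ax=1&ed=1&ex=1"),
    ("hxxp://go.drivecleaner.com/MTUwNjk=/2/5590/ax=1/ed=1/ex=1/555/",
     "hxxp://adfarm.mediaplex.com/ad/ck/45688?mpt=1177474361&aid=swp_dc&lid=5590&affid=pp_469727351&ax=1&ed=1&ex=1"),
]

AD_CLICK_PATH = re.compile(r"^/ad/ck/([0-9A-Za-z-]+)$")


def refang(url):
    """Turn the post's defanged scheme (hxxp/hxxps) back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_click_url(url):
    """Return (ad_id, aid, affid) for an adfarm.mediaplex.com/ad/ck/<id> URL,
    or None if the URL is not a mediaplex click-through."""
    parts = urlsplit(refang(url))
    if parts.hostname != "adfarm.mediaplex.com":
        return None
    m = AD_CLICK_PATH.match(parts.path)
    if not m:
        return None
    q = parse_qs(parts.query)
    return m.group(1), q.get("aid", [None])[0], q.get("affid", [None])[0]


def build_lookup(pairs):
    """Map each observed ad id and campaign id ('aid') to the rogue domain
    the click-through was seen redirecting from."""
    by_ad_id, by_aid = {}, {}
    for source, target in pairs:
        parsed = parse_click_url(target)
        if parsed is None:
            continue
        ad_id, aid, _affid = parsed
        source_host = urlsplit(refang(source)).hostname
        by_ad_id[ad_id] = source_host
        if aid:
            by_aid[aid] = source_host
    return by_ad_id, by_aid


# Constructed proxy log lines in an assumed "<client> <method> <url>" format.
# The second line is a benign campaign; the third reuses a known aid under a
# new ad id, which only the campaign-level match catches.
SAMPLE_LOG = """\
10.0.0.5 GET http://adfarm.mediaplex.com/ad/ck/45678?mpt=1177900000&aid=swp_wa7p&lid=9999&affid=pp_000000001
10.0.0.7 GET http://adfarm.mediaplex.com/ad/ck/12345?mpt=1177900001&aid=acme_shoes&lid=1
10.0.0.9 GET http://adfarm.mediaplex.com/ad/ck/77777?mpt=1177900002&aid=swp_pp&lid=42
10.0.0.9 GET http://www.example.com/index.html
"""


def flag_log(log_text, by_ad_id, by_aid):
    """Return [(client, url, reason)] for requests whose ad id or aid matches
    a click-through previously seen redirecting from a rogue domain."""
    hits = []
    for line in log_text.splitlines():
        client, _method, url = line.split(" ", 2)
        parsed = parse_click_url(url)
        if parsed is None:
            continue
        ad_id, aid, _affid = parsed
        if ad_id in by_ad_id:
            hits.append((client, url, f"ad id {ad_id} seen for {by_ad_id[ad_id]}"))
        elif aid in by_aid:
            hits.append((client, url, f"campaign {aid} seen for {by_aid[aid]}"))
    return hits


if __name__ == "__main__":
    ids, aids = build_lookup(OBSERVED_REDIRECTS)
    for client, url, reason in flag_log(SAMPLE_LOG, ids, aids):
        print(client, reason)
```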

Mike Burgess writes about hard-core adult sites with images of underage boys that use adfarm.mediaplex.com content
http://msmvps.com/blogs/hostsnews/archive/2007/04/22/more-on-Winfixer-and-valueclick.aspx

He also writes about false claims of TRUSTe certification (again with adfarm.mediaplex.com content)
hxxps://secure.drivecleaner.com/payment/?ad=keyin&link=keyin&site=169&product=452&aff=

<body onload="setSelected()">
<IMG SRC="hxxps://adfarm.mediaplex.com/ad/bk/7412-39614-2054-1?Get=1&mpuid=" BORDER=0 HEIGHT=1 WIDTH=1>
<IMG SRC="hxxps://adfarm.mediaplex.com/ad/bk/7390-42400-2054-1?1-PaypageEntrance=1&mpuid=" BORDER=0 HEIGHT=1 WIDTH=1>

The above is exactly the same code as is displayed here:
http://msmvps.com/blogs/hostsnews/archive/2007/04/23/Winfixer-and-valueclick-in-the-uk.aspx

Then there is this report by Mike:
http://msmvps.com/blogs/hostsnews/archive/2007/04/20/are-advertisers-promoting-malware.aspx

And this:
http://msmvps.com/blogs/hostsnews/archive/2007/04/21/more-on-Winfixer.aspx

My sincere hope is that Mediaplex and ValueClick come to the attention of the FTC, and that the FTC takes action, if Mediaplex and ValueClick do not take comprehensive action to clean up their service and make sure that the problems discussed here do not recur in the future.

Do ValueClick enforce their antispam policy?

ValueClick says:

“It is our policy to prohibit the sending of unsolicited or "Spam" e-mail by ValueClick or any of its marketing partners.” (cite: http://www.valueclick.com/privacy.html)

Hundreds of spam messages have been posted on various forums in contravention of the above policy:

http://www.google.com/search?q=drivecleaner.com&hl=en&safe=off&start=40&sa=N$
http://www.google.com/search?q=go.sexprofit.com&hl=en&safe=off&start=10&sa=N

A typical spam post can be found here:
http://www.splinecage.com/forums/archive/index.php/t-1550.html

Every single one of the links in that forum post routes through adfarm.mediaplex.com.

My own blog is being hit by hundreds of spam comments every week – in fact, I have 2095 comments awaiting my attention right at this very moment, all of which are marked as spam, and 99% of which are submitted by a very prolific “author” under the pseudonym “…” (yes, I know, the author is a bot – I’m being facetious). 

Anyway, all of the comments submitted by author “…” have a myriad of different URLs as the author’s Web site, virtually all of which redirect to Winfixer sites via adfarm.mediaplex.com.  Yes, I could list all of the URLs that I am seeing in my blog comments, and provide definitive proof of adfarm.mediaplex.com involvement, but I think this article will prove beyond a doubt that there is a big problem at Mediaplex even without those specifics.

To give you an idea of just how endemic the problem of adfarm.mediaplex.com being used as a conduit for Winfixer malware is, check out the list of adfarm.mediaplex.com URLs below, all of which redirected to Winfixer, Winfixer-related or Winfixer-type sites at the time of testing.  I noticed as I was working my way through the various adfarm.mediaplex.com URLs by changing (for example) 45678 to 45679 then 45680 and so on and so forth, that I was hitting very few “legitimate” Web sites using this test routine, which is very worrying and makes me wonder just how widespread the Winfixer infiltration is at ValueClick.  I suspect that if I kept checking, and testing, I could continue to add to that list, but let's be honest, I'm already at the stage where I am thinking "enough already - I get it - there's a big problem here".

I have already tried the "Contact Us" facility at http://www.valueclick.com/about/contact.html and received NO RESPONSE - not even an acknowledgement that my approach had been received, despite my including this URL - hell, if potential underage porn doesn't get their attention, what the hell will???
http://msmvps.com/blogs/spywaresucks/archive/2007/04/22/857830.aspx

It will be very interesting to see what reaction, if any, we get from Mediaplex and ValueClick when they see this article.  You see, they need to do more than get rid of the rogue content that is already there; they have to stop future occurrences and reassure everybody who uses their content that Mediaplex and ValueClick can be trusted to stay clean going forward, but here is the kicker… will they want to, especially if Winfixer and Winfixer type clients are a major part of any sector of their income stream? 


Posted by sandi with 8 comment(s)

Error message when you try to open an ActiveX control-based MIME handler in IE7: "Invalid character"

When you try to open a Microsoft ActiveX control-based MIME handler in Windows Internet Explorer 7, you may receive the following script error message:

Line: Line number
Char: Character number
Error: Invalid character
Code: Code number

Line: Line number
Char: Character number
Error: Object expected
Code: Code number

For example, you may receive this script error message when you try to open a Macromedia Shockwave Flash (.swf) file or when you try to open an Audio Video Interleaved (.avi) file.

This problem occurs if the following conditions are true:

• The file is located in the Internet Web zone or in the Intranet Web zone.
• The Allow active content to run in files on My Computer check box is selected in Internet Explorer 7.

Note: To locate this check box in Internet Explorer 7, click Internet Options on the Tools menu, and then click the Advanced tab. Under Security, you can see the Allow active content to run in files on My Computer check box.

Source:  http://support.microsoft.com/default.aspx/kb/934366

Posted by sandi with no comments

FIX: The content of a Web page does not appear to update as expected when you use the document.open method in IE7

You use the document.open method with the replace parameter in Windows Internet Explorer 7. In this scenario, the content of a Web page does not appear to update as expected. When you click the Back button, the updated content appears.

Source: http://support.microsoft.com/default.aspx/kb/933182

Posted by sandi with no comments

HOTFIX: A Web site cannot set a cookie if the Domain attribute is in uppercase characters and has an odd number of characters in IE7

In Windows Internet Explorer 7, a Web site cannot set a cookie if the following conditions are true:

• The Domain attribute is in uppercase characters.
• The Domain attribute has an odd number of characters.

Note:  If the Domain attribute starts with a dot, this dot is not included in the number of characters. For example, if the cookie tries to set the .EUROPE.CORP.CONTOSO.COM domain name, the cookie cannot be set. This domain name has 23 characters.

Source: http://support.microsoft.com/default.aspx/kb/932044

Posted by sandi with no comments

HOTFIX: A Web site cannot set a cookie if the Domain attribute is in uppercase characters and has an odd number of characters in IE6

In Microsoft Internet Explorer 6, a Web site cannot set a cookie if the following conditions are true:

• The Domain attribute is in uppercase characters.
• The Domain attribute has an odd number of characters.

Note: If the Domain attribute starts with a dot, this dot is not included in the number of characters. For example, if the cookie tries to set the .EUROPE.CORP.CONTOSO.COM domain name, the cookie cannot be set. This domain name has 23 characters.

Source: http://support.microsoft.com/default.aspx/kb/932043
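The two hotfix entries above (IE7 and IE6) describe the same rule, so here is one added example (not from either KB article) that applies it server-side: it checks a Set-Cookie header's Domain attribute for the two conditions, counting characters the way the KB does (a leading dot is not counted), and rewrites the Domain to lowercase, which is the safe form in every browser since cookie domains are case-insensitive. Reading "in uppercase characters" as "contains no lowercase letters" is an assumption; the sid=abc cookie is a constructed sample.

```python
"""Check Set-Cookie headers against the IE6/IE7 Domain-attribute condition
described in KB932043 / KB932044 (added example, not the KB's own code)."""


def _strip_leading_dot(domain):
    return domain[1:] if domain.startswith(".") else domain


def domain_char_count(domain):
    """Length as the KB counts it: a leading dot is not included."""
    return len(_strip_leading_dot(domain))


def hits_ie_domain_bug(domain):
    """True when the Domain value matches both KB conditions:
    uppercase (assumed: no lowercase letters) and an odd character count."""
    stripped = _strip_leading_dot(domain)
    if not stripped:
        return False
    is_upper = stripped == stripped.upper() and any(c.isalpha() for c in stripped)
    return is_upper and domain_char_count(domain) % 2 == 1


def split_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name_value, [(attr, val)]).
    Flags without a value (HttpOnly, Secure) get an empty string."""
    parts = [p.strip() for p in header.split(";")]
    attrs = []
    for p in parts[1:]:
        name, _, val = p.partition("=")
        attrs.append((name.strip(), val.strip()))
    return parts[0], attrs


def check_set_cookie(header):
    """Return (affected, domain_value) for a Set-Cookie header; domain_value
    is None when the header carries no Domain attribute."""
    _, attrs = split_set_cookie(header)
    for name, val in attrs:
        if name.lower() == "domain":
            return hits_ie_domain_bug(val), val
    return False, None


def normalise_set_cookie(header):
    """Rewrite the Domain attribute to lowercase, leaving every other
    attribute exactly as it was."""
    name_value, attrs = split_set_cookie(header)
    out = [name_value]
    for name, val in attrs:
        if name.lower() == "domain":
            out.append(f"Domain={val.lower()}")
        elif val:
            out.append(f"{name}={val}")
        else:
            out.append(name)
    return "; ".join(out)


if __name__ == "__main__":
    # Constructed sample header using the KB's own example domain.
    hdr = "sid=abc; Domain=.EUROPE.CORP.CONTOSO.COM; Path=/; HttpOnly"
    affected, dom = check_set_cookie(hdr)
    print(f"{dom}: {domain_char_count(dom)} chars, affected={affected}")
    print(normalise_set_cookie(hdr))
```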

Posted by sandi with no comments

The best retro keyboard I have ever seen

"My goal with this project was to build a retro keyboard that was fully functional and of a sufficient quality that it could be used every day by a touch typist.  In order to achieve this I chose a high quality (though widely available) keyboard as my starting point.  This is an IBM Model M "Clicky" keyboard.  They were made starting in the mid 1980's and a version is still manufactured today.  This particular keyboard was made in 1989 and shipped with an IBM PowerStation 530, a UNIX box the size of a kegerator."

I wonder if he builds to order...

Source: http://steampunkworkshop.com/keyboard.shtml

Posted by sandi with no comments

Changes to Spyware Sucks

Yoda (the msmvps.com server) had some surgery overnight so things are a bit messy around here.  My favorite skin is missing in action for the time being.  Please forgive me while I play around and tidy things up. Unfortunately Secunia Statistics seem to be broken at the moment. I'm working on sorting that out.

All in all, the upgrade seems to be going well.  No missing pictures this time ;)

As always, thanks to Susan and Nick for all the hard work they do around here.

Posted by sandi with no comments

So now we know... the story behind a "limited attack"

Australian IT news has an interesting report about the story behind an attack against the US State Department using a previously unknown Word vulnerability which was later patched by Microsoft.

The article describes what was a targeted attack on the State Department's Bureau of East Asian and Pacific Affairs, the department which coordinates diplomacy in countries including China, the Koreas and Japan, via an employee based in Asia.  The unfortunate employee opened what seemed to be a legitimate email with content relevant to the State Department's role: the email included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, and that Word document was the key to the attack.  It contained code that allowed the hackers to break into the victim network although, reassuringly, the security compromise was detected very quickly.

Source: http://australianit.news.com.au/articles/0,7204,21583854%5E15841%5E%5Enbv%5E,00.html

Regular readers of the Microsoft Security Response Centre blog (http://blogs.technet.com/msrc/default.aspx) will occasionally see reference to the discovery of a new vulnerability which has been used in limited, targeted attacks.  Often some areas of the press will pick up on the story from various sources, and will publish "OMG it's another unpatched zero day" articles lamenting how we are all at risk, and how we should stop using Microsoft products, etc.  Invariably there will be complaints from some commentators about how long it is taking to patch said vulnerability, and FUD (fear, uncertainty and doubt) about how Microsoft is putting so many people at risk by not patching the vulnerability quickly enough will quickly spread.

The story described in the Australian IT article is a peek behind the secrecy curtain at the reality of limited, targeted attacks.  The virus writer's world of today is not what it was in the early days.  It used to be that the biggest problem we had was viruses that were designed to infect as many computers as possible, as quickly as possible.  The goal was not financial gain, or espionage, or targeted attacks like it is today - instead the goal was notoriety and fame for the virus writers, and that fame was not based on how good their code was, or what it could do, but was more about body count - their code could set off such a cacophony of symptoms that only the most blind would not see there was a problem, but that did not matter.

Compare the goals of the script kiddies who were only trying to prove they've got the biggest anatomical appendage to the goals behind the attack against the US State Department.  Whoever it was that had discovered the vulnerability and used it was not out to infect the world.  They wanted to get in to a particular network very quietly, and to evade detection for as long as possible.  Often they do not want the world to learn what the vulnerability is that they are using, because when *that* gets out, we adapt, we start watching out for the exploit, we mitigate risk and we devise protections, so that the mystery vulnerability that the bad guy may have paid good money for is suddenly of limited use.

In the end, it all boils down to perceived risk versus real risk, and that is what MS deals with when deciding what to do about limited attacks like the one described above.  The reality is that the chances of the 'man in the street' being sent a Word document with the code embedded that was received by the US State Department are minimal to nil, which Microsoft is well aware of.  You're at far greater risk of being hit by Winfixer via remiss services such as ValueClick than you are of being hit by the Word exploit discussed here.  Remember that when next you read about the latest limited, targeted attack involving Word or PowerPoint and see somebody agitating about how negligent MS is for not pushing out an immediate patch - sure, they could do that "just in case", but what if it breaks something else, badly... all to protect you from a risk that you're in all likelihood not exposed to anyway?

Posted by sandi with 3 comment(s)

TrendProtect from Trend Micro - a competitor for McAfee Site Advisor

Today I attended a seminar entitled "Web Threats: Challenges and Solutions" held by Trend Micro. The speaker was David Perry, Trend Micro’s Director of Global Education, a gentleman who has been fighting the good fight against the bad guys for quite a few years now  - he has a Wikipedia page (http://en.wikipedia.org/wiki/David_Perry_(Trend_Micro)) and his professional bio is online at MySpace (http://blog.myspace.com/index.cfm?fuseaction=blog.view&friendID=143854625&blogID=237987725&MyToken=4bcf2fd4-bc31-4848-ba74-835b57f145af) assuming you can view it because you haven't taken my advice and blocked MySpace access on your networks.

Anyways, the presentation itself was excellent, although it did not teach me much that I do not already know, and it pretty much confirmed what I've been thinking and saying for the past few years about the move away from schwang-shaking script kiddies who are trying to prove that they have the biggest one by infecting as many systems as possible, with no concern for stealth or high quality coding, to professional coders, financially motivated crime and tightly targeted or small-release attacks that slip under the radar of traditional 'find a sample, update your signatures, push out detection' antivirus protection.  Not only that, the full cooked breakfast was very nice - sausages, hash browns, bacon, scrambled eggs, coffee, orange juice - but I digress ;)

It was actually very interesting to watch the audience's reaction to David's presentation (it was a small, dare I say select, audience) - one thing that I found to be exquisitely ironic was that seated at my table were a couple of representatives from the company that made such a horrific mess of the IT infrastructure of my current employer... you know, the company that allowed tape backups to fail for 4 months, left antivirus unupdated for two months, and oversaw an Exchange database that was within 500 meg of shutting down completely (it was that close to the maximum database size).  I'll be honest, I looked at those guys and thought to myself, what the hell are they doing here, worrying about internet security, when they can't even get the basics of network maintenance right.

David seemed surprised when I raised my hand as the only person in the room who tries to clean up malware infestations instead of simply wiping a PC and starting afresh.  For me, what I can *learn* about an infection is of critical importance.  It is of no use to me to wipe a system and reload if I don't know *what* caused the infection, if I can't study what it does, and if I can't learn from the incident how to prevent infection in future.

One of the products that was highlighted during the seminar was TrendProtect, an Internet Explorer and Firefox add-in that provides a visual warning about the safety and reputation of a Web site, also overlaying services such as Google Search results pages with safety recommendations.

Information about TrendProtect can be found here:
http://www.trendsecure.com/portal/en-US/free_security_tools/trendprotect.php

TrendProtect is in pretty much direct competition with McAfee's Site Advisor, and Trend offers a real time reputation service when assessing the risks associated with a particular site.  It looks at many different criteria when making a judgment about how safe or otherwise a site is that McAfee's Site Advisor does not consider, and I suspect this will give Trend's product a distinct advantage.

Be warned though, Trend Micro are serious when they don't mention Vista in their list of compatible operating systems.  For fun, I tried out the install on my Vista x64 system.  The install seemed to work just fine, but the toolbar is not available for display... and guess what happens when I try to uninstall TrendProtect via Add/Remove Programs...


That's ok, I can rip the stuff out by its roots if need be...

I am currently testing TrendProtect at the office and am hoping to post a comprehensive discussion of the product, what it does and how it works, some time in the near future.  Watch this space.  There is more I can share about how TrendProtect works, but I'm not yet sure exactly what is public, and what is not, so will hold off on discussing in too much detail until Trend gets back to me re specifics of what can and can not be publicised.

My primary concern is that *visual* security cues have traditionally been doomed to failure - users click through warning dialogues and ignore coloured address bars. In my limited tests so far, my instinct is that TrendProtect is not "in your face" enough during casual surfing, although the search results overlays will be more successful because users *must* click on them to get to the sites in question.

Posted by sandi with 2 comment(s)

The ongoing winfixer saga

So, what do we do about an advertising network like ValueClick that will not clean up its act? A network that has been implicated, over and over, in the spread of malware? An advertising network that was involved in the infiltration of the Windows Live Messenger banner advertisement by winfixer malware?

Wayne Porter notes that ValueClick was implicated in the Windows Live Messenger banner advert infiltration:
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/

Mike Burgess of MVP Hosts file fame reported on another three incidents where ValueClick has been used as a conduit to infect victims with winfixer:

http://msmvps.com/blogs/hostsnews/archive/2007/04/20/are-advertisers-promoting-malware.aspx
http://msmvps.com/blogs/hostsnews/archive/2007/04/21/more-on-winfixer.aspx

and this (fraudulently claiming eTrust membership?)
http://msmvps.com/blogs/hostsnews/archive/2007/04/23/winfixer-and-valueclick-in-the-uk.aspx

and, disgustingly (I don't know about you, but I think the chances are high that we're looking at some underage kids):
http://msmvps.com/blogs/hostsnews/archive/2007/04/22/more-on-winfixer-and-valueclick.aspx

Perhaps it is time for the FTC to get involved, and for the big names that have been hurt by ValueClick in the past (Hello MSN?) to refuse to have any dealings with ValueClick, or any other company that uses their content.  Mike On Ads says "The last thing I want is a crusade against AOL, MSN, or any ad-network for running these ads. EVERYBODY is running them — and EVERYBODY needs to work together to stop them." but I don't agree with him on this.  When we see a network that exhibits an ongoing tendency to distribute malware, then we do need a "crusade".  ValueClick is not the first company I have said this about; I said the same thing about the company that Mike currently works for, Right Media (Right Media was implicated in the distribution of winfixer malware via the Messenger Plus! Live Sponsor Program).

The other side of the coin: Why is this happening?

We know ValueClick is a recurrent participant in the distribution of hostile SWF.  But are they victims or collaborators?  I honestly don't know. 

Often hostile Flash ads infiltrate a network via what are called "rogue affiliates" who use "bait and switch" and other nefarious tactics to fool services such as ValueClick.  But, although ValueClick may (I hope) be innocent victims who have been fooled into allowing the affiliates into their network, it has become glaringly obvious that there is something basically wrong with ValueClick's checks and balances.

Then again, maybe ValueClick are not innocent - see this article:
http://www.shoemoney.com/2007/03/29/what-does-valueclick-have-to-hide/

I have contacted ValueClick via their Contact Us page (http://www.valueclick.com/about/contact.html).  Time will tell if they respond, and I will post their comments here.

The problem of hostile Flash ads is endemic.  MSN has been hit, AOL has been hit, MySpace has been hit - that equates to hundreds of millions of potential victims.  Those behind errorsafe/winfixer are not only creating their own software and domains, they are also creating fake advertisements for known legitimate sites such as getsafeonline.org, Priceline and Travelocity (source: http://www.mikeonads.com/what-is-errorsafe-and-how-do-we-stop-it/ and http://www.mikeonads.com/2007/04/05/ironic-errorsafe-advertising-for-getsafeonlineorg/)

Mike On Ads has some succinct advice about how to fight back against rogue affiliates at http://www.mikeonads.com/what-is-errorsafe-and-how-do-we-stop-it/.  In the comments of the blog entry, Mike states:

"In essence, there are two key things the flash files do:

#1 - Check the geo of the user. Since GeoIP databases are too large to store, the file has to request this info from a third-party server.

#2 - Uses javascript to check all sorts of browser parameters. E.g., the timezone of the browser. If the buy is with a US based ad-network, no browser with a US timezone would trigger the active-x."

I've known about the geo checks for a while now - we saw evidence of that back when we were fighting winfixer outbreaks on the Messenger Plus! Live sponsor program's advertising network.  The goal seems to be to evade detection by the advertising networks for as long as possible (and, I suspect, avoid the US Justice system as well).  But I think we are seeing even more.  The AOL outbreak was extremely interesting.  Not only was it geo-specific, but the hostile SWF advert was only appearing on my PCs once per day - almost as if the SWF was not only checking IP for geo, but also for previous exposure to a particular IP address.  But the sample SWF that was grabbed using my network capture data was click dependent - there was nothing to indicate that the SWF would cause a redirect or anything else without user interaction, so how was this happening?  Are the hostile SWF being swapped out regularly to reduce the chances of detection even further, forcing us to rely on video and network captures to prove misbehaviour?
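Detection logic for the two behaviours described above (the geo call-out and the once-per-IP-per-day serving), as an added example that is not code from this post or from Mike On Ads: it reads a constructed outbound proxy log and flags creatives that no client loads more than once a day and that are followed within seconds by a request to a third-party host. The log format, the host names and the five-second attribution window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed outbound proxy log ("ISO time  client IP  URL"); every host is a placeholder.
SAMPLE_LOG = """\
2007-04-20T09:01:02 10.0.0.5 http://ads.example-network.test/creative/banner-A.swf
2007-04-20T09:01:03 10.0.0.5 http://ads.example-network.test/creative/banner-B.swf
2007-04-20T09:01:04 10.0.0.5 http://geo-lookup.example.test/ip.php
2007-04-20T09:01:05 10.0.0.5 http://errorsafe-landing.example.test/scan.html
2007-04-20T11:30:00 10.0.0.5 http://ads.example-network.test/creative/banner-A.swf
2007-04-20T14:12:11 10.0.0.5 http://ads.example-network.test/creative/banner-A.swf
2007-04-20T10:00:00 10.0.0.7 http://ads.example-network.test/creative/banner-B.swf
2007-04-20T10:00:01 10.0.0.7 http://geo-lookup.example.test/ip.php
2007-04-20T16:00:00 10.0.0.7 http://ads.example-network.test/creative/banner-A.swf
2007-04-21T09:00:00 10.0.0.5 http://ads.example-network.test/creative/banner-B.swf
2007-04-21T09:00:01 10.0.0.5 http://geo-lookup.example.test/ip.php
2007-04-21T09:30:00 10.0.0.5 http://ads.example-network.test/creative/banner-A.swf
"""

def parse_log(text):
    """Turn 'time ip url' lines into (datetime, ip, url) tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            stamp, ip, url = line.split()
            entries.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"), ip, url))
    return entries

def profile_creatives(entries, creative_host, window=timedelta(seconds=5)):
    """For each .swf served from creative_host, count impressions per client per
    day and note third-party hosts that client contacted within `window` after it."""
    per_client_day = defaultdict(lambda: defaultdict(int))
    followups = defaultdict(set)
    last = {}  # client ip -> (creative url, time it was served)
    for when, ip, url in sorted(entries, key=lambda e: (e[1], e[0])):
        host = urlparse(url).hostname
        if host == creative_host and url.lower().endswith(".swf"):
            per_client_day[url][(ip, when.date())] += 1
            last[ip] = (url, when)
        elif host != creative_host and ip in last and when - last[ip][1] <= window:
            followups[last[ip][0]].add(host)
    return {url: {"max_per_client_day": max(days.values()),
                  "followup_hosts": set(followups[url])}
            for url, days in per_client_day.items()}

def suspicious_creatives(profile):
    """Creatives never shown twice to one client in a day (frequency capping that
    looks like exposure tracking) which also trigger third-party call-outs."""
    return sorted(url for url, p in profile.items()
                  if p["max_per_client_day"] == 1 and p["followup_hosts"])
```

On the sample, banner-B is flagged (one impression per client per day, followed by the geo lookup and the landing page) while banner-A, which the same client loads three times in a day with no call-outs, is not.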

My thinking at the moment is that the only real solution to this problem is for end-advertisement networks to directly host creatives, and stop third parties from having control of what those creatives will be.  Yes, it is more expensive, but I think the basic reality of the situation is that as long as somebody else controls what is being distributed via your advertising network, your network is at risk of being used as a conduit for malware.

Alternatives? Dump Flash adverts altogether but the advert networks (and their clients) don't want to do that; colour and movement draw the eye and the mouse clicks far more than static pictures can.

Posted by sandi with 4 comment(s)

Oops: an upgrade from Trend Micro CSM 3.5 to 3.6 goes bang

One of my goals for this week was to upgrade an installation of Trend Micro's Client Server Messaging Security Suite from v3.5 to 3.6.  Being a minor point upgrade, with no big changes under the hood, I was confident that it would be another smooth upgrade.  Feedback from other Trend aficionados seemed to indicate that the upgrade was unremarkable with no issues being reported, and I was also hopeful that the upgrade would fix the irritating authentication errors affecting Trend's .notaccount.

Silly me - I forgot that computers are designed to keep us humble - the minute we get too confident in our own abilities they will do something to bring us right back down to earth.

Despite having a comprehensive disaster recovery protocol in place for the DC and terminal server that can get things up and running again in a very short space of time, I still feel a cold shiver when something goes wrong on a DC - downtime is a bad thing when it affects the server off which all else hangs - if minutes of downtime extends into hours or even days the financial loss to a business can be crippling.  As much as I love SBS, it can be a real disadvantage to have an entire business infrastructure dependent on the one everything-but-the-kitchen-sink server if something bad happens to that server.

The first visible issue encountered during the upgrade was a fatal error during installation of the Messaging Security Agent on the DC.  Before the fatal error, "uninstalling SMTP hook" had been on screen for roughly 10 minutes.  One irritating thing about the Trend installer at this stage of the proceedings is that there is no cancel button - you're committed to the install and stuck waiting for it to succeed or fail, with no way out apart from forcing the install to halt via Task Manager.

Apart from the visual errors, there were also things going wrong in the background.  It looks like the installer was not able to shut down Trend's running services cleanly during the upgrade.  I note the following Trend related error occurred at the time of the upgrade (only noted in the error logs - nothing appeared on screen) "Faulting application PccNTMon.exe, version 7.6.0.1095, faulting module PccNTMon.exe, version 7.6.0.1095, fault address 0x00012513"

The upgrade notes do not recommend that Trend related services be stopped manually before an upgrade; in fact I have seen upgrades fail if services are not running when an installer expects them to be running, but considering what I saw yesterday it is worth doing a little experimenting to see what happens if Trend's services are stopped before an upgrade, because it looks like the installer is not coping well if it hits a difficulty when managing a service.

Anyway, the failed installation of the Messaging Security Agent left things in a bit of a mess.  Not only was the Messaging Security Agent not installed on the DC, but all email flow had stopped, including internal mail.

The following steps were required to get the Messaging Security Agent installed and running.

  1. Open Add/Remove Programs
  2. Uninstall "Trend Micro End User Quarantine" (note that the Messaging Security Agent was not listed in Add/Remove Programs, having failed to install).
  3. Start Trend Micro Security Dashboard. 
  4. An attempt to uninstall DC from the console failed.  Therefore I had to simply remove DC (Security Settings Tab) and then add it back, installing the MSA.

I then had to re-do all of the custom settings including attachment directories, spam filtering, attachment filtering, content filtering settings etc.

We tracked down the cause of the stop in email flow which, thankfully, was not the result of a major breakage.  The Default SMTP Virtual Server was not running, which is quite likely related to the delay I saw when Trend was removing its SMTP hook.  Thankfully, all that was needed was to start the Default SMTP Virtual Server via Server Management.

The next problem to tackle was a failure when the client was auto-updating on some desktop PCs after the server upgrade - on my network 3 out of 25 machines have so far been found to be affected by the failure (with another 4 yet to log on and upgrade) which I consider to be a barely acceptable strike-out rate.

Symptoms:  Windows XP Security Centre Red shield alert warning of no antivirus on the machine. No entry in add remove programs. No Trend processes running.

Attempts to install the new client via %servername%\ofcscan\autopcc.exe failed - the CMD window appeared, then nothing.  Attempts to install the client via the log-in page for the Trend Micro Security Dashboard ("Click here to start installing the Client/Server Security Agent to your computer") also failed with the error "Agent already installed".

Fix:  Manual removal of what was left of the client from the desktop PCs using the instructions at http://esupport.trendmicro.com/support.viewxml.do?ContentID=EN-127417

I've only had a look at one of the affected PCs so far - the only one that is used to access the Internet or email - listed below is what I found; the rest of the PCs will be checked on Monday morning.

Step 1 of KB: missing services - Trend Micro Client/Server Agent Listener; Trend Micro Client/Server Agent RealTime scan.  Trend Micro Client/Server Agent Personal Firewall service listed but not running.

Step 3 of KB: Programs entry did not exist

Step 5 of KB: All keys existed

Step 6 of KB: Key did not exist

Step 7 of KB: Key did not exist

Step 8 of KB: Only ofcpfwsvc key existed

Step 12 of KB: No devices existed.

Step 14 of KB: Folder and contents existed.

Running %servername%\ofcscan\autopcc.exe now completed successfully.
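A quick way to confirm the half-removed client state described above (services missing, or listed but not running) before working through the KB, as an added example that is not from this post or from Trend Micro: it parses the output of `sc query state= all` on the affected PC and compares it with the three display names listed above. Those display names, and the service name ofcpfwsvc in the constructed sample, are assumptions that may differ between CSM versions.

```python
import re
import subprocess

# Display names taken from the findings above; assumed, may vary by CSM version.
EXPECTED_SERVICES = [
    "Trend Micro Client/Server Agent Listener",
    "Trend Micro Client/Server Agent RealTime scan",
    "Trend Micro Client/Server Agent Personal Firewall",
]

# Constructed sample of 'sc query state= all' output from a half-removed client:
# the firewall service is still registered but stopped, the other two are gone.
SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: ofcpfwsvc
DISPLAY_NAME: Trend Micro Client/Server Agent Personal Firewall
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
"""

# One sc block: service name, display name, then the first STATE line after them.
_BLOCK = re.compile(
    r"SERVICE_NAME:\s*(?P<name>\S+)\s*\n"
    r"DISPLAY_NAME:\s*(?P<display>.+?)\s*\n"
    r".*?STATE\s*:\s*\d+\s+(?P<state>[A-Z_]+)",
    re.DOTALL,
)

def parse_sc_query(text):
    """Map each service's display name to (service name, state) from sc output."""
    return {m.group("display"): (m.group("name"), m.group("state"))
            for m in _BLOCK.finditer(text)}

def check_trend_client(services, expected=EXPECTED_SERVICES):
    """Classify each expected service as running, stopped, or missing entirely."""
    report = {"running": [], "stopped": [], "missing": []}
    for display in expected:
        if display not in services:
            report["missing"].append(display)
        elif services[display][1] == "RUNNING":
            report["running"].append(display)
        else:
            report["stopped"].append(display)
    return report

if __name__ == "__main__":
    # On the affected Windows PC, query the live service list instead of the sample.
    out = subprocess.run(["sc", "query", "state=", "all"],
                         capture_output=True, text=True, check=True).stdout
    print(check_trend_client(parse_sc_query(out)))
```

On the sample the report matches the findings above: Listener and RealTime scan are missing and Personal Firewall is present but stopped.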

Restarting Default SMTP Virtual Server using Server Management

Posted by sandi with 6 comment(s)

Advertising advertising everywhere... even in the ladies' loo...

Now I really *have* seen everything.

Yesterday was 'hair and nails' day, so off I went to my local shopping centre for some well earned pampering.  Imagine my amazement when I noted a new piece of equipment in the ladies' loo - the hand dryer had been replaced with a new fangled, fancy schmancy piece of equipment with built in monitor screen.  The darned thing plays an advertisement every time somebody dries their hands.  Apparently it's called an iVision.

  1. The volume is too damned loud for such a small area - you can hear it in the corridor outside the ladies' toilets for chrissakes.
  2. The rotten thing plays the same advertisement over and over and over.

When I consider the iVision, and the recently announced trial use of cell phones during Qantas flights, I'm beginning to wonder what bastions of peace and quiet we are going to be left with in a few years.  One of the things I truly enjoy about travel by plane is the fact that, at least for a while, I am out of reach, and I am also safe from some guy (and yes, it is invariably a guy) talking over-loudly on his cell phone about something that is of world shattering importance to him, but of absolutely no interest to me.  Yes, at the moment the trial is restricted to text and email, but I predict that voice calls will eventually be allowed.

The iVision

Posted by sandi with 1 comment(s)