May 2007 - Posts

Valueclick and Winfixer continue to be a problem

Mike Burgess was hopeful that Valueclick had cut ties with Winfixer.
http://msmvps.com/blogs/hostsnews/archive/2007/05/25/valueclick-cuts-ties-with-the-winfixer-group.aspx

Unfortunately I have definitive proof that this is NOT the case.

See here - we have evidence of an attempt to infect systems with Winfixer TONIGHT via a malware ad via adfarm.mediaplex.com - this is one of the more *NASTY* ones - we're not looking at just a pop-up, or just a dialogue box.  When the dangerous ad appears the victim is redirected AWAY from www.mobygames.com and dumped at the Winfixer site with no user interaction required.  In short, the user's Web surfing is involuntarily HIJACKED.

Even worse, the bastards behind Winfixer are being tricky - the redirect only occurs once or so per day, *BUT* if you use the Flash console to delete all prior flash content, the hijack will occur again, and again, and again, VERY quickly indeed.

If you want to investigate this infestation, and want to avoid the bad guys' attempts to avoid detection, you need to empty your Flash cache every time the malware hits.  Go here and then click on the option to delete all sites:

Here is my network trace showing the redirect via an advert on www.mobygames.com via adfarm.mediaplex.com.

I first instituted a dialogue with ValueClick via email about the Winfixer problem more than a month ago, yet the problem continues.  This is simply not good enough.

Network captures follow - yes there are a hell of a lot more, but let's be honest here, how many times do we have to prove that there is a problem?

PLEASE SEND ME AN EMAIL IF YOU SEE WINFIXER - I WILL INVESTIGATE, PUBLICIZE, AND NAME AND SHAME ANY AD NETWORK THAT IS CONTRIBUTING TO THE DISTRIBUTION OF SUCH MALWARE.

  Frame:
+ WiFi: [Unencrypted Data Data] .T...., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15349, Total IP Length = 991
+ Tcp: Flags=...PA..., SrcPort=50185, DstPort=HTTP Alternate(8080), Len=951, Seq=3278634856 - 3278635807, Ack=40855410, Win=4262 (scale factor not found)
- Http: Request, GET http://adfarm.mediaplex.com/ad/ck/52500
    Command: GET
  - URI: http://adfarm.mediaplex.com/ad/ck/52500?aid=f0rw9rdx_rdt
     Location: http://adfarm.mediaplex.com/ad/ck/52500
     aid: f0rw9rdx_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://ads.mobygames.com/adserver/adimage.php?filename=h2v_728x90_2.swf&contenttype=swf&clickTAG=http://ads.mobygames.com/adserver/adclick.p
    Cookie:  svid=7106602301; __utma=183366586.1351200665.1177472688.1177472688.1177495208.2; __utmz=183366586.1177472688.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Host:  adfarm.mediaplex.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF

Followed by:

  Frame:
+ WiFi: [Unencrypted Data Data] .T...., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15351, Total IP Length = 1362
+ Tcp: Flags=...PA..., SrcPort=50192, DstPort=HTTP Alternate(8080), Len=1322, Seq=4010949088 - 4010950410, Ack=2340755632, Win=4016 (scale factor not found)
- Http: Request, GET http://www.drivecleaner.com/.freeware/
    Command: GET
  - URI: http://www.drivecleaner.com/.freeware/?p=20&ax=1&ex=1&ed=2&aid=f0rw9rdx_rdt
     Location: http://www.drivecleaner.com/.freeware/
     p: 20
     ax: 1
     ex: 1
     ed: 2
     aid: f0rw9rdx_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://ads.mobygames.com/adserver/adimage.php?filename=h2v_728x90_2.swf&contenttype=swf&clickTAG=http://ads.mobygames.com/adserver/adclick.p
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt_au_en_ed2; link=keyin; c
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Host:  www.drivecleaner.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF

Followed by:

  Frame:
+ WiFi: [Unencrypted Data Data] .T...., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15355, Total IP Length = 1230
+ Tcp: Flags=...PA..., SrcPort=50183, DstPort=HTTP Alternate(8080), Len=1190, Seq=2863417415 - 2863418605, Ack=2340276141, Win=16103 (scale factor not found)
- Http: Request, GET http://www.drivecleaner.com/.freeware/index.php
    Command: GET
  - URI: http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&ex=1&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=
     Location: http://www.drivecleaner.com/.freeware/index.php
     p: 20
     ax: 1
     ex: 1
     link: keyin
     ad: f0rw9rdx_rdt_au_en_ed2
     aff: 
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Host:  www.drivecleaner.com
    Proxy-Connection:  Keep-Alive
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt; link=keyin; cnt=AU; lng
    HeaderEnd: CRLF


  Frame:
+ WiFi: [Unencrypted Data Data] .T...., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15360, Total IP Length = 1036
+ Tcp: Flags=...PA..., SrcPort=50179, DstPort=HTTP Alternate(8080), Len=996, Seq=211796996 - 211797992, Ack=355888886, Win=4037 (scale factor not found)
- Http: Request, GET http://www.drivecleaner.com/.freeware/libs/product.js
    Command: GET
  - URI: http://www.drivecleaner.com/.freeware/libs/product.js
     Location: http://www.drivecleaner.com/.freeware/libs/product.js
    ProtocolVersion: HTTP/1.1
    Accept:  */*
    Referer:  http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&ex=1&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=
    Accept-Language:  en-US
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Proxy-Connection:  Keep-Alive
    Host:  www.drivecleaner.com
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt_au_en_ed2; link=keyin; c
    HeaderEnd: CRLF

  Frame:
+ WiFi: [Unencrypted Data Data] .T...., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15370, Total IP Length = 1086
+ Tcp: Flags=...PA..., SrcPort=50187, DstPort=HTTP Alternate(8080), Len=1046, Seq=2230411576 - 2230412622, Ack=3079221333, Win=4212 (scale factor not found)
- Http: Request, GET http://www.drivecleaner.com/.freeware/libs/utils.php
    Command: GET
  - URI: http://www.drivecleaner.com/.freeware/libs/utils.php?ad=f0rw9rdx_rdt_au_en_ed2&link=keyin&ex=1&j=0&aff=
     Location: http://www.drivecleaner.com/.freeware/libs/utils.php
     ad: f0rw9rdx_rdt_au_en_ed2
     link: keyin
     ex: 1
     j: 0
     aff: 
    ProtocolVersion: HTTP/1.1
    Accept:  */*
    Referer:  http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&ex=1&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=
    Accept-Language:  en-US
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Proxy-Connection:  Keep-Alive
    Host:  www.drivecleaner.com
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt_au_en_ed2; link=keyin; c
    HeaderEnd: CRLF
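Added example, not code from the original post: a small Python script that rebuilds the redirect chain from request records constructed out of the hosts, URIs and Referer values in the trace above, tying hops together by Referer and by the ad network's tracking token. The publisher host, the ad-host list and the extra leading request to www.mobygames.com are assumptions made for the example.

```python
"""Rebuild a malvertising redirect chain from HTTP request records.

Added example, not code from the original post.  The REQUESTS list is
constructed from the hosts, URIs and Referer values in the trace above
(one leading request to the publisher added as a negative case).  A hop
is attached to the chain when a tracking token handed out by the ad
network (here the value of 'aid') reappears in its query string, or when
its Referer is a URI already in the chain or an ad-network creative.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed from the post: the publisher page being viewed and the hosts
# that serve adverts into it.
PUBLISHER_HOST = "www.mobygames.com"
AD_HOSTS = {"ads.mobygames.com", "adfarm.mediaplex.com"}

AD_CREATIVE = ("http://ads.mobygames.com/adserver/adimage.php?filename="
               "h2v_728x90_2.swf&contenttype=swf&clickTAG="
               "http://ads.mobygames.com/adserver/adclick.p")
LANDING = ("http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&ex=1"
           "&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=")

# Constructed sample records: (host, request URI, Referer or None), in capture order.
REQUESTS = [
    ("www.mobygames.com", "http://www.mobygames.com/", None),
    ("adfarm.mediaplex.com",
     "http://adfarm.mediaplex.com/ad/ck/52500?aid=f0rw9rdx_rdt", AD_CREATIVE),
    ("www.drivecleaner.com",
     "http://www.drivecleaner.com/.freeware/?p=20&ax=1&ex=1&ed=2&aid=f0rw9rdx_rdt",
     AD_CREATIVE),
    ("www.drivecleaner.com", LANDING, None),
    ("www.drivecleaner.com",
     "http://www.drivecleaner.com/.freeware/libs/product.js", LANDING),
]


def host_of(uri):
    """Lower-cased host part of a URI ('' for a missing Referer)."""
    return urlsplit(uri).netloc.lower() if uri else ""


def query_values(uri):
    """All query-string values of a URI, blank values included."""
    parsed = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return [v for values in parsed.values() for v in values]


def link_tokens(uri, min_len=8):
    """Query values long enough to serve as a tracking id (URLs excluded)."""
    return {v for v in query_values(uri) if len(v) >= min_len and "/" not in v}


def reconstruct_chain(requests, ad_hosts):
    """Return [(host, uri, reason)] for every request tied to the first
    ad-network request; reason is 'ad-network', 'token:<value>' or 'referer'."""
    chain, known_uris, tokens = [], set(), set()
    for host, uri, referer in requests:
        reason = None
        if not chain:
            if host in ad_hosts:          # chain starts at the ad-network request
                reason = "ad-network"
        else:
            hit = next((t for t in sorted(tokens)
                        if any(t in v for v in query_values(uri))), None)
            if hit:
                reason = "token:" + hit   # ad-network id carried into this request
            elif referer in known_uris or host_of(referer) in ad_hosts:
                reason = "referer"        # loaded by a chained page or an ad creative
        if reason:
            chain.append((host, uri, reason))
            known_uris.add(uri)
            tokens |= link_tokens(uri)
    return chain


def landing_hosts(chain, ad_hosts, publisher_host):
    """Hosts in the chain that are neither the publisher nor an ad network:
    the sites the browser was actually delivered to."""
    return sorted({h for h, _, _ in chain if h not in ad_hosts and h != publisher_host})


if __name__ == "__main__":
    chain = reconstruct_chain(REQUESTS, AD_HOSTS)
    for host, uri, reason in chain:
        print(f"{reason:22} {host:24} {uri}")
    print("landed on:", ", ".join(landing_hosts(chain, AD_HOSTS, PUBLISHER_HOST)))
```

Run against real proxy or capture logs, the same two links (shared token, Referer from an ad creative) are what let you attribute a landing on an unexpected host back to the ad network that delivered it.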


Posted by sandi with 1 comment(s)

Telstra needs to *listen* dagnabit!!!

Frustration levels are high.  *Very* high.  And Telstra is the focus of said frustration.

We got home from work yesterday to discover that there had been a power failure, and that not only was our internet access (which is cable) not working, but Foxtel was down as well.   The Foxtel digital box was reporting that it was unable to lock on to a signal, and the Cable Modem was reporting exactly the same thing.

Now, I'm *real* pedantic about protecting what is some very expensive electrical equipment in this house, therefore the entertainment equipment, and server and everything that hangs off it, are protected by UPS - sure, they're dinky baby UPS at only 700VA, but they're still the real thing - they even come with a $25,000 load protection guarantee.  I knew that even if we had suffered the dreaded brown-out that my hardware was just fine thank you very much.

I already knew, if only because Foxtel was down, that the problem was not on my network, but I went through all the troubleshooting steps to no avail.  The Cable Modem was simply unable to lock on to a signal - my logs were reporting that sm-server simply wasn't there.  The Foxtel box was also unable to lock on to a signal.

Ok, so I phone Telstra to report the problem, and was on hold FOR A WHOLE HOUR before I got to a first level technician - a technician who then proceeded to tell me that nobody else in my area was having a problem (thanks to a "special" programme he was able to use to check who was on and offline in my area - "there are only half a dozen offline and hundreds still working" he tells me).  After much back and forth I am told that the problem must be with our hardware (up to and including the grey box on the external wall to our house) and against my better judgment a technician was booked to attend meaning, of course, that one of us has to take the afternoon off work.  We also booked a Foxtel technician to attend on the same afternoon.

I honestly wasn't surprised when we awoke the next morning to discover that our allegedly faulty hardware had miraculously repaired itself with no intervention on my part.  Foxtel was still down when I left for work, but by the time the kids got home in the early afternoon it had also, miraculously, repaired itself.

Of course, because everything was working I had to phone Telstra to cancel the service call.  I was on hold for nearly 45 MINUTES waiting to speak to a first level technician and cancel the service call - a cancellation which took, may I say, only a minute or two to organise - 45 MINUTES ON HOLD, 2 MINUTES ORGANISING THE CANCELLATION.  I ask you, is it any wonder I'm frustrated?

Let's contrast those hold times with our Foxtel experience.  Yesterday when reporting the fault to Foxtel we were on hold for barely 2 MINUTES (compared to an hour with Telstra).  Tonight, we were on hold with Foxtel for barely 30 SECONDS (compared to 45 minutes with Telstra).

The Foxtel lady said to us tonight that Telstra "must have been doing repairs that they didn't tell us [Foxtel] about".  Well, Telstra must have forgotten to tell their own technical support staffers as well!!

Then, to add insult to injury, I received a phone call from the Telstra technician while I was at work - "you have a service call booked for now" says he.  "No I don't" says I.  "I cancelled it yesterday".

Jeez.

Posted by sandi with 1 comment(s)

Trend CSM 3.6 and Veritas backup conflict - automatic maintenance of quarantine directories causes Veritas backup to fail

Edit 29 May: the job failed again overnight.

Edit 30 May: we increased the job time limit from 4 hours to 8 hours, which revealed that since enabling the email filtering in the Trend console the time it takes for the Citrix_Exchange_Sql backup job to complete has jumped from 3.30 hours to 5.30 hours.

I've been seeing the following Veritas error over the past few days (note, error edited to remove server name):

"Backup Exec Alert: Job Cancellation (Server: "******") (Job: "***_FULL_Backup_Citrix_Exchange_&_SQL") The job was automatically canceled because it exceeded the job's maximum configured run time."

We had created a new SQL database back in late March, but Veritas had run fine for close to two months before the errors started.

I had enabled various email filters on the day the errors started occurring - specifically profanity, sexual and racial discrimination, hoaxes and chain mail filters, and it is only since then that the problem was occurring.  I also noticed that quarantine maintenance was occurring at 2.30am and the affected Veritas job is set to run at 1.00am meaning the backup and quarantine maintenance were overlapping.

I disabled automatic maintenance and the Veritas error ceased.  Therefore, it seems that it is Trend CSM 3.6 that was causing the problem, or more precisely automatic maintenance of the Trend quarantine folders - I'm not sure *why* this would be the case, because the Trend quarantine folders are completely separate to the Citrix_Exchange_SQL directories that are being backed up, but that's what I'm seeing.

There seems to be no easy way to control *when* the automatic maintenance of the Trend quarantine databases occurs, nor to find out how long the maintenance takes, so for the time being the option will stay turned off - there is only half an hour between one backup job finishing and the next starting, and if I push the failing job out to, say, 3.00am I run the risk of the backup job not being complete when staff start work for the day (which invariably causes issues in and of itself).

If there is a way to control when the automatic maintenance of the Quarantine folders occurs, please let me know - it's the type of job that can run during business hours.

Screenshot of relevant setting:


Posted by sandi with no comments

IE7 may exit unexpectedly when multiple tabs are open, and you close a tab that contains a non-HTML file

This problem occurs when the Yahoo! toolbar is installed, and the version of the toolbar is between 6.0.0.0 and 6.3.4.0.

To resolve this problem, install the following security updates:

• MS07-016: Cumulative security update for Internet Explorer
• MS07-027: Cumulative security update for Internet Explorer

http://support.microsoft.com/default.aspx/kb/932930

Posted by sandi with no comments

HOTFIX: You cannot open a Web page by using IE7 if the URL of the Web page contains non-ASCII characters

You cannot open a Web page by using Windows Internet Explorer 7. This problem occurs if the following conditions are true:

• In the Internet Options dialog box, the Send UTF-8 URLs check box is cleared on the Advanced tab.
• The URL of the Web page contains non-ASCII characters.
• The Web page contains frame contents.
• After the HTTP response is received, each element of the frame is redirected.

http://support.microsoft.com/default.aspx/kb/935729

Posted by sandi with 1 comment(s)

HOTFIX: A script error occurs in IE6 when you view a Web page that includes a script that is transmitted by using HTTP compression, and the URL that points to the script includes a non-ASCII character

A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that is described in this article. Apply it only to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows XP service pack that contains this hotfix.

http://support.microsoft.com/default.aspx/kb/924533

Posted by sandi with no comments

Audi Taiwan's official Web site has been hacked

It looks like Asus is not the only site in Taiwan to be hacked and dangerous code inserted on its Web pages.

Websense reports that Audi's official Taiwan site has also been hacked:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=776

As of 30 seconds ago the site was still dangerous - the iframe code pointing to misofthelp.com was still there.

I and other security focused MVPs have been warning about the dangers of hacked Web sites for a long time.  The problem is finally hitting the popular press.  For example, several sites have picked up on a blog entry by Stopbadware.org which recently identified five web hosting companies with the largest number of infected sites residing on their servers:
http://blogs.stopbadware.org/articles/2007/05/04/stopbadware-identifies-hosting-providers-of-larged-numbers-of-sites-in-badware-website-clearinghouse

As a result of the publicity generated by Stopbadware's report several of the highlighted providers are now working with Stopbadware to clean up the compromised Web sites:
http://blogs.stopbadware.org/articles/2007/05/11/hosting-providers-taking-action-against-badware

Unfortunately, reality is that unless and until these providers work out *how* the sites that they host are being compromised, and address the problems, sites will continue to be hacked.  Are the providers failing to install security updates? Are they running old, vulnerable versions of their software? Are they failing to enforce strong passwords/passphrases?  A combination of all?

Hosting providers have a responsibility to ensure that they provide the best possible security for their clients because once the bad guys get in, those bad guys have access to hundreds, if not thousands, of Web sites with which to spread their dangerous wares - the crooks get the maximum effect for minimum effort.

Posted by sandi with 1 comment(s)

Column - Better browsing: Internet Explorer 7 offers improved security and productivity

I've been writing articles for Microsoft since 2004, yet I still feel a thrill when they are published.  My latest article, written for the "Windows Help and How-To" site, is lead article for "Spotlight on Vista".

You can find the article here:
http://windowshelp.microsoft.com/Windows/en-US/help/a426bb85-708c-4b75-87e2-874f9be3b4aa1033.mspx

Help and How-To Site:
http://windowshelp.microsoft.com/Windows/en-US/default.mspx

Posted by sandi with 1 comment(s)

Just because you read it on the Internet, does not make it true

I came across a blog entry about Internet Explorer which draws assumptions about how the program stores 'autocomplete' passwords that are simply wrong.

Here is the URL:
http://www.ecommerce-blog.org/archives/internet-explorer-auto-complete-stores-your-passwords-unencrypted/

For whatever reason, the blog's author seems to have come to the incorrect conclusion that because his "password managing program" was able to access and display his stored usernames and passwords that this therefore meant that IE stores autocomplete passwords in "a single flat-file that is unencrypted and can be easily read by a variety of program(s)".

The author's conclusions are incorrect.  IE7 DOES encrypt autocomplete data.  Yes, there are programs out there that can retrieve the stored data, but reality is the data *is* encrypted, and is *not* in a "flat file" (whatever the heck that means).

IE uses Protected Storage (and later Data Protection API (DPAPI)).  To quote a TechNet article:

"The Protected Storage service protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. The service provides a set of software libraries that allow applications to retrieve security and other information from personal storage locations as it hides the implementation and details of the storage itself.

The storage location that is provided by this service is secure and protected from modification. The Protected Storage service uses the Hash-Based Message Authentication Code (HMAC) and the Secure Hash Algorithm 1 (SHA1) cryptographic hash function to encrypt the user’s master key. This component requires no configuration."

Source: http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx

To give you an idea of how IE stores passwords, have a look at this registry key - yes, that's Protected Storage in action:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

To give you an idea of how IE protects sensitive data, have a look at this registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

A big difference, yes?

So, to reiterate, yes there are programs out there that can retrieve the encrypted username and password data stored by IE, BUT, the data *IS* encrypted and it is *NOT* a "single flat file".

More information about Protected Storage / DPAPI:
http://msdn2.microsoft.com/en-us/library/aa925034.aspx

Microsoft Security Advisory KB927891 - fix for Windows Installer (MSI) problems

Symptoms:

Your system may appear to become unresponsive when Windows Update or Microsoft Update is scanning for updates that use Windows installer, and you may notice that the CPU usage for the svchost process is showing 100%.

When you try to install an update from Windows Update or from Microsoft Update, you experience the following symptoms:

• Your system may appear to become unresponsive when Windows Update or Microsoft Update is scanning for updates that use Windows Installer.
• You receive an access violation error in svchost.exe. This access violation stops the Server service and the Workstation service.
• A memory leak occurs when Windows Update or Microsoft Update is scanning for updates that use Windows Installer.
• Windows Update or Microsoft Update scans take a very long time, sometimes hours, to complete.

The fix is now available on WSUS and via Windows/Microsoft Update, and will require a restart after installation.
 
Source:  http://www.microsoft.com/technet/security/advisory/927891.mspx

Associated KB - http://support.microsoft.com/kb/927891


Posted by sandi with 1 comment(s)

Anti-Phishing Working Group - March Phishing Trends Report released 14 May 2007

Yes, I know, I'm a little behind on this one.  One last post, and then off to bed I go.

The APWG report which covers phishing activity reported to them during March 2007 can be downloaded from this URL and, as always, makes for interesting reading:
http://www.antiphishing.org/reports/apwg_report_march_2007.pdf

Maybe I am just lucky, but I have been noticing a marked fall-back in the number of phishing emails sent to my various email accounts for a while now - even the spamtraps are receiving few phishing emails - and I haven't seen a Paypal or eBay Phish for a very long time.  There are occasional outbreaks targeting specific banks here in Australia, but those incidents are isolated spikes in an overall downward trend.  We see far more stock spam, and money mule spam, than phishing emails nowadays (note to self; write a decent article about money mules soon).

My personal opinion is that the antiphishing efforts of the most popular browsers - IE, Firefox and Opera - are finally having a positive impact, and that the crooks are starting to look to greener pastures.

Unfortunately, as phishing shows signs of dying away the hacking of legitimate websites to inject hostile code is a growth industry.  iframes and various exploits are being used to install malware on victim machines and yes, that malware does include keyloggers meaning that victims are at risk of exposing not just one username and password, but every single username and password that they have.  I'm also seeing persistent attempts to seed dangerous URLs via blog comments, forum posts and signatures and other "Web 2" type services which allow user interaction and contributions to be published to the Web.

This new trend is going to be harder to neutralise than phishing.  I have seen sites that are hit, sometimes numerous times, by hackers who are at the mercy of Colo facilities whose operators are lax at installing updates and security patches.  Sometimes the sites are maintained by people who are simply inexperienced, or don't want to spend the required money to upgrade.  It is not that hard, nowadays, to set up a Web forum, but it is a lot harder to stay on top of security and the latest exploit affecting your software of choice.

Some big names have been hit by hackers, sometimes more than once.  For example, Asus Taiwan is one site that comes to mind as having been hit more than once.  Yahoo Groups (India) was hacked within a day or so of going live.  Circuit City's support forum was hacked. Spreadfirefox.com was hacked after it failed to install security patches.

The increasing trend towards hacking legitimate sites also introduces a challenge for IT departments.  It is no longer sufficient to warn users away from p0rn sites or the darker side of the internet.  It's no longer safe to assume that just because you stick to 'safe' sites that your network will be ok.

Then there is the danger posed by malware infiltration of advertising networks, meaning that any Web page that displays a Flash banner advert is a potential conduit of infection.

In short, any Web site is a potential danger.  We have to patch, we have to install the latest version of our favorite Web browser. We have to stay informed about the latest exploits and we have to mitigate risk wherever possible.  As part of my daily routine I read sites and services that list the latest in security risks, private forums, early alert services and monitor my network for unusual patterns and spikes or unusual symptoms on any PC on my network.

Posted by sandi with 1 comment(s)

When you copy text from a Rich Text box in Infopath on a computer that has IE7 installed, the pasted text unexpectedly appears inside a table cell

This issue occurs after you install Windows Internet Explorer 7 on a computer that has Infopath installed. Or, this issue occurs after you install InfoPath on a computer that is running Windows Vista.

To edit XML files, InfoPath uses the XML capabilities in Internet Explorer to perform certain functions, such as the copying-and-pasting of XML objects. Internet Explorer 7 handles copy-and-paste operations differently from pre-Internet Explorer 7 versions of the browser.

http://support.microsoft.com/default.aspx/kb/937053

Posted by sandi with no comments

HOTFIX: On a Windows XP SP2 based computer, a small memory leak occurs in IE6 when you call the SAPI SpeakStream method

On a Microsoft Windows XP Service Pack 2 (SP2)-based computer, a small memory leak occurs in Microsoft Internet Explorer 6 when you call the Speech API (SAPI) SpeakStream method.

http://support.microsoft.com/default.aspx/kb/936554


Posted by sandi with no comments

You receive a script error in IE7 on a computer that is running Windows Server 2003 or Windows XP when you include certain characters to specify a window name parameter in the "Window.Open" method

On a Microsoft Windows Server 2003-based computer or a Microsoft Windows XP-based computer that is running Windows Internet Explorer 7, you receive an Internet Explorer script error.

This symptom occurs if the following conditions are true:

  • You use the Window.Open method in Internet Explorer 7. 
  • You specify a window name parameter in the Window.Open method that includes a character such as Katakana-Hiragana Prolonged Sound Mark (Unicode character code U+30FC).

http://support.microsoft.com/default.aspx/kb/935775

Posted by sandi with no comments

The Magic Folder - a very cool gadget for the Windows Vista sidebar

I'm quite happy to use Vista's default folders when saving documents, movies and images and depend on the use of tags, instead of subfolders, to sort and find my files.  My PC desktops are always very messy, with all sorts of files, screenshots, snippets and sundry documents saved there for easy access.  But, moving the files to the default storage folders once they are no longer needed on the desktop has always been a bit of a pain.

I found a new gadget tonight that promises to become an essential tool on all of my computers.  The author describes The Magic Folder as follows:

"The Magic Folder is a gadget that helps you categorize and move files. When you drag a file to the gadget it will look at the file extension and place Document files (like doc, xls, ppt, etc) in the Document folder. It places image files like (JPEG, PNG, TIFF, GIF, etc) into the Pictures folder. And many more extension types come pre-registered."

It's a brilliant idea that works well once you break yourself of the "I must save my files to sub-folders" habit and get used to using tags and Vista's new way of searching.

So far the gadget has worked like a dream.  Files are automatically saved to the appropriate folder (customisable) and any file type extensions that are not recognised are easily taken care of.  Simply choose a folder.

So far the only bug I have found is that the Gadget itself cannot be dragged to a different position on the Sidebar. Instead, all of the other Gadgets have to be manoeuvred until the Magic Folder icon is where you want it.

Various screenshots of The Magic Folder are below.  It's well worth a try.


Posted by sandi with 1 comment(s)

Microsoft Australia *finally* releases a DST patch for Western Australian users

Michael Kleef says:

"IT Pros in WA! Some good news for your day today! We have completed work on the Exchange 2003 CDO patch that will address the current WADST issues. You can call Microsoft Professional Support on 132058 and request the hotfix under KB article number 929895."

Source: http://blogs.technet.com/mkleef/archive/2007/05/22/wadst-exchange-cdo-patch-finally-released.aspx

I don't blame MS for not getting this update out in time for the first DST trial here in Western Australia.  After all, it's bad enough that the WA Government, in its infinite wisdom, and despite WA residents rejecting Daylight Savings via multiple Referendums, decided to introduce Daylight Savings on a trial basis - what is worse is the government didn't give us more than, what, a couple of weeks to get ready for the change.  We were left with a registry hack to create a DST option for the Perth time zone, and a slew of problems affecting Outlook, OWA, Sharepoint and Exchange.  Then there were all the products, like GFI, that started displaying incorrect times thanks to the Government's lack of forethought.

Anyway, enough of that.  At least we will be able to get our servers patched a decent period of time before the next DST trial.

Posted by sandi with 1 comment(s)

New version of Opera released - includes important Torrent security vulnerability fix

Opera users are notorious for not updating their Web browser, leaving themselves exposed to security vulnerabilities.  Be that as it may, eternal optimist that I am, I am pleased to advise that a new version of Opera that addresses a security vulnerability affecting Torrent files has been released.  Please spread the word and get those you know who use Opera to upgrade to version 9.21... please.

Download here.

Why do I say that Opera users are notorious for not updating their Web browser? Check out the Secunia statistics below:

91.17% of Opera 7 users are detected as being insecure as at time of writing - 39 advisories, all patched (for all the good it does when the program's users don't apply said patches/upgrades):
http://secunia.com/product/761/?task=statistics

98.93% of Opera 8 users are detected as being insecure as at time of writing - 15 advisories, all patched (again, for all the good it does when the program's users don't apply said patches/upgrades):
http://secunia.com/product/4932/?task=statistics

12.84% of Opera 9 users are detected as being insecure as at time of writing - 6 advisories, all patched (well, at least this time Opera users aren't sitting at 90%+ unpatched):
http://secunia.com/product/10615/?task=statistics

Posted by sandi with no comments

Phishing and keyloggers

I take a peek at phishing Web sites every so often, just to see what they are up to.  I do not recommend that you do the same unless you are using a system that is well protected.

Anyway, after having an arm's length peek at a particular phish site I decided to see what else I could find - silly phisher, to leave his site so open to examination.  Have a look at what I found - the presence of a keylogger in the root of a phishing Web site just screams DANGER!!, doesn't it?

The version of Apache being used, 2.0.54, is an older version that is long since superseded, and was originally released back in 2005.

The latest version of Apache is 2.2.4, and the Apache HTTP Project developers "strongly encourage" all users to migrate to 2.2 because only limited maintenance is performed for legacy releases.  At the very least, servers that happen to be using add-in modules that are not compatible with 2.2 should be updated to 2.0.59.  2.0.59 is the most stable 2.0.* version and includes several security fixes, including an important one affecting mod_rewrite.

Security vulnerabilities - Apache:

2.2 - http://httpd.apache.org/security/vulnerabilities_22.html
2.0 - http://httpd.apache.org/security/vulnerabilities_20.html
1.3 - http://httpd.apache.org/security/vulnerabilities_13.html

Info about Perfectkeylogger:

CA - http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453073333
Sophos - http://www.sophos.com/security/analyses/perfectkeylogger.html

Posted by sandi with no comments

Can any of my gentle readers translate French?

I received this request for assistance today via email:

"I bought Vista and MSN no longer connects, although the Internet works; some sites do not connect, others do.

Thank you for your reply.

I have Home Premium

(violation adresse 100069c

dans module odmtf.dll adresse 0000003c)"

----------------------------------

I can't find any information about odmtf.dll, which is unusual in itself, and immediately makes me suspect malware.  If my rudimentary French is correct, only some Web sites are inaccessible for this user, but I am uncertain about the reference to MSN - MSN as an ISP? And do the sites trigger the error?

Posted by sandi with 9 comment(s)

Julie Amero - for pity's sake, they've done it again

Edited to change subject line that was offensive to some 

I honestly can't believe this. Julie Amero's sentencing has been delayed, AGAIN, this time until June 6.

This is the fourth postponement of Julie's sentencing.

Can you imagine the emotional/psychological torture this woman is going through? She is a substitute teacher who was found guilty of four counts of risk of injury to a minor after a computer infested with malware started exhibiting porn pop-ups - the computer in question had no effective antivirus, antispyware or content filtering protection in place.  She is facing up to 40 years in jail and, once again, has no idea what her fate is going to be.

This case has been a debacle and comedy of errors from beginning to end, and I am disgusted at the American legal system for allowing this miscarriage of justice to drag on and on and on.  For pity's sake - sentence the woman or set her free.  Stop putting it off.

For those of you unfamiliar with the Julie Amero story, Sunbelt has posted several articles:

http://sunbeltblog.blogspot.com/2007/01/my-editorial-on-amero-case-published.html
http://sunbeltblog.blogspot.com/2007/01/forensic-expert-on-amero-case-talks.html
http://sunbeltblog.blogspot.com/2007/01/computerworld-julie-amero-is-guilty.html
http://sunbeltblog.blogspot.com/2007/01/is-this-miscarriage-of-justice.html

Posted by sandi with 6 comment(s)