
Wednesday 8 August 2007

"Comcast Automated Systems" Trojan

A trojan embedded in a ZIP file this time. It's attempting to use a filename of statement.pdf[lots of spaces].exe


Subject: Important Notice-July 2007 Statement 0000000


PLEASE DO NOT REPLY TO THIS E-MAIL. THIS E-MAIL ADDRESS IS USED BY
COMCAST AUTOMATED SYSTEMS AND IS NOT MONITORED.

Your August 07, 2007 Bank billing statement is ready for viewing. To
view your bill download attached Adobe Acrobat PDF file.

If you would like to discontinue receiving a hard copy billing
statement in the mail, you may do so by selecting the UPDATE STATEMENT METHOD
link once you have logged into your account. From there, simply select
the option for Electronic Statement Only.

You received this e-mail because you enrolled Account feature.
If you no longer wish to receive these e-mails, you will
need to cancel your enrollment. To cancel your enrollment, please log
in to your account and from the Update Profile screen, select the cancel
link from the bottom of the page.

As far as we can tell, the filename enclosed in the ZIP file won't extract properly because there are too many spaces and the filename is too long, but the spammers will probably figure it out eventually.

If you're using Postini, then the attachment manager can be easily configured to block all .exe files, and this also applies to .exe-in-.zip files.
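As an added example (not code from the original post, and nothing to do with Postini's own implementation), here is a Python check in the spirit of that attachment-manager rule. It walks a ZIP's directory without extracting anything to disk and flags entries whose names are padded with whitespace ahead of the real extension, that carry an executable extension behind a decoy one, or whose content starts with a PE "MZ" header regardless of name. The sample ZIP is constructed inline to mimic the statement.pdf[spaces].exe trick; the extension lists are my own assumptions, not anything the post specifies.

```python
"""Flag executable payloads hiding inside ZIP attachments without extracting them to disk."""
import io
import re
import zipfile

# Assumed lists: extensions Windows will execute directly, and extensions users trust on sight.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".pdf", ".doc", ".xls", ".jpg", ".txt"}


def inspect_name(name):
    """Return a list of reasons a ZIP entry name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]  # ignore any directory component
    # "statement.pdf<many spaces>.exe": whitespace padding pushes the real extension out of view
    m = re.match(r"^(.*?)(\s+)(\.[A-Za-z0-9]+)$", base)
    if m and m.group(1):
        reasons.append("whitespace padding before final extension (%d spaces)" % len(m.group(2)))
        stem, final_ext = m.group(1), m.group(3).lower()
    else:
        stem, _, ext = base.rpartition(".")
        final_ext = ("." + ext).lower() if ext else ""
    if final_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + final_ext)
        inner = stem.rstrip().rpartition(".")[2]
        if inner and ("." + inner.lower()) in DECOY_EXTS:
            reasons.append("decoy extension ." + inner.lower() + " before the real one")
    return reasons


def suspicious_entries(zip_bytes):
    """Inspect every entry of an in-memory ZIP; return {name: [reasons]} for anything suspicious."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_name(info.filename)
            # Check the content as well: a PE file starts with "MZ" whatever the name claims.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("PE header (MZ) at start of content")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample, not the real attachment: a padded-name fake PDF plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("statement.pdf" + " " * 150 + ".exe", b"MZ" + b"\x00" * 62 + b"not a real program")
        zf.writestr("readme.txt", b"Your statement is attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in suspicious_entries(build_sample_zip()).items():
        print(repr(entry.strip()), "->", "; ".join(why))
```

Reading only the first two bytes of each entry keeps the check cheap on a mail gateway, and it catches the case the name-based rule misses: a payload renamed to a harmless-looking extension.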

Detections are patchy, with some AV products only picking up the executable packer. When the .exe file runs it will attempt to install other malware, some of which will be picked up by AV products. According to VirusTotal:


File statement.pdf____________________ received on 08.08.2007 17:44:19 (CET)

Antivirus          Version         Last Update  Result
AhnLab-V3          2007.8.3.0      2007.08.08   -
AntiVir            7.4.0.57        2007.08.08   TR/Crypt.XPACK.Gen
Authentium         4.93.8          2007.08.08   -
Avast              4.7.1029.0      2007.08.07   -
AVG                7.5.0.476       2007.08.07   -
BitDefender        7.2             2007.08.08   -
CAT-QuickHeal      9.00            2007.08.08   (Suspicious) - DNAScan
ClamAV             0.91            2007.08.08   -
DrWeb              4.33            2007.08.08   -
eSafe              7.0.15.0        2007.07.31   suspicious Trojan/Worm
eTrust-Vet         31.1.5043       2007.08.08   -
Ewido              4.0             2007.08.08   Downloader.Agent.bhl
FileAdvisor        1               2007.08.08   -
Fortinet           2.91.0.0        2007.08.08   -
F-Prot             4.3.2.48        2007.08.08   -
F-Secure           6.70.13030.0    2007.08.08   Trojan-Downloader.Win32.Small.ehe
Ikarus             T3.1.1.12       2007.08.08   -
Kaspersky          4.0.2.24        2007.08.08   Trojan-Downloader.Win32.Small.ehe
McAfee             5092            2007.08.07   -
Microsoft          1.2704          2007.08.08   VirTool:Win32/Obfuscator.C
NOD32v2            2444            2007.08.08   a variant of Win32/Spy.Nuklus
Norman             5.80.02         2007.08.08   -
Panda              9.0.0.4         2007.08.08   Suspicious file
Prevx1             V2              2007.08.08   -
Rising             19.35.22.00     2007.08.08   -
Sophos             4.19.0          2007.08.01   -
Sunbelt            2.2.907.0       2007.08.07   Infostealer.Nuklus
Symantec           10              2007.08.08   -
TheHacker          6.1.7.164       2007.08.08   -
VBA32              3.12.2.2        2007.08.07   Trojan-Spy.Win32.Small.gv
VirusBuster        4.3.26:9        2007.08.08   Trojan.DL.Small.Gen!Pac25
Webwasher-Gateway  6.0.1           2007.08.08   Trojan.Crypt.XPACK.Gen

Additional information
File size: 13824 bytes
MD5: 38ac63f8b7ef22d9a07138ba73de7178
SHA1: 6337e3178eba2859fd0e2e1188eab8b528696933
packers: UPack


-----

Sunday 5 August 2007

"S-Pharm" scam

Another money laundering/money mule scam, this time from "S-Pharm". As before, money transfers of this type are illegal and you will get into serious trouble if you get involved.

Dear Sir/Madam,

S-Pharm is a USA company selling medical and consumer goods. We have
reached big sales volume of pharmaceuticals in the UK and now are trying
to penetrate the European market. Quite soon we will open
representative offices and pharmacies or authorized sales centers in the UK and
therefore we are currently looking for people who will assist us in
establishing a new distribution network there. The fact that despite the
British market is new for us we already have regular clients also speaks for
itself.

WHY YOU?
The international money transfer tax for legal entities (companies) in
USA is 25%, whereas for the individual it is only 7%. That's why we
need you! We need agents to receive payment for our products (by
electronic money transfer) and to resend the money to us. This
way we will save money because of tax decreasing.

HOW MUCH WILL YOU EARN?
7%-9% from each sale/resale operation! For instance: you receive 1000
GBP to your bank account. You will withdraw the money and keep 70GBP (7%
from 1000GBP) for yourself! At the beginning your commission will
equal 7%, though later it will increase up to 9%!

ADVANTAGES
You do not have to go out as you will work as an independent contractor
right from your home office. Your job is absolutely legal. You can
earn up to 3000 GBP-4000 depending on time you will spend for this job.
You do not need any capital to start. The employees who make efforts and
work hard have a strong possibility to become managers. Anyway our
employees never leave us.

If you are interested in our offer, please feel free to ask for the
general provisions of the Contract.

Best regards,
S-Pharm Manager

Wednesday 1 August 2007

Wheredidyoubuythat.com spam - update

I got a nice comment from the company on this one:

My name is Karine Kong, Director from www.wheredidyoubuythat.com
First of all, please accept our sincere apologies for the inconvenience you are experiencing.
Unfortunately we have never received your email mentionning this spam issue, otherwise we would have responded to you within 48 hours. However, now we are aware of it, our technical team is looking into this to see how & why this is happening.
I would like to reassure you that for security reasons, our database does not hold customers' card details so even if some malicious virus has broken into our database, there is little they could do except annoy our customers with spam emails. I shall let you know how this is resolved as soon as possible. In the meantime, do not hesitate to contact me if you have any queries.
Kind regards
I must say that this sounds 100% plausible. It looks as if the email addresses have been harvested off an infected machine.

Incidentally, wheredidyoubuythat.com does have some really nice stuff :)

"Sydney Car Centre" scam


This particular scam has been around for a few weeks now, for a wholly fictitious company called the Sydney Car Centre. Although they do have a website, it's a copy of the legitimate Stratford Car Centre in the UK, who are not connected in any way with the scam.

Just to prove that spammers are actually morons, this was sent to the abuse role account.

The scam is the usual money laundering / money mule operation - if you have received one of these delete it, if you have been "recruited" then you need to speak to your local police before they speak to you.

While we may have high expectations of our associates, we also give them high rewards. Imagine being part of a stable organization with a sterling reputation - a place where the Sydney Car Centre is an integral part of all that we do. With our car centre personality, you'll not just succeed - you'll thrive. And, with our strong commitment to promoting from within, you'll definitely enjoy your rise to the top.

Today the Sydney Car Centre is looking for an industrious regional assistant to fasten the process of the delivery of customer payments to the suppliers. The position offered is a part-time job, and will only require from you to be available for 1-2 hours a day.

As a regional assistant, you will be supposed to operate with the payments from those customers, based in your country. You will be expected to accept 2-3 transactions to your bank account every week, make certain calculations about every transaction (you will be precisely instructed about it), & transfer the funds to the suppliers by means of western Union/Money Gram less your fee & the charges of the Western Union/Money Gram. You will be continuously communicating with the manager from the head office, who will instruct you & give advice regarding every new payment.

The ideal candidate will be industrious, goal-oriented person, with the availability of a personal/business bank account suitable to be used for the company needs. Knowledge of English, computer literacy and sociability are appreciated.

The company guarantees to pay NET 10% fee out of the amount of every payment you dealt with and to provide you with the regular income & flexible schedule. All the related expenses you might have (like the Western Union/Money Gram chargers, related expenses on traveling) are covered by the company.

The more detailed information is available on our web-site http://vacancy-024788504.sydncar.kg/vacancies.php, where you can fill in the on-line application form for this position.

We would be glad to welcome you in our team!

We are looking forward to hearing from you as soon as possible!

Yours sincerely, Octavio Mcnair

One odd thing is the use of a .kg domain which is Kyrgyzstan. No doubt the scammers don't come from there, they've just found a registry that is easy for them to do business with. In this particular case, the website was hosted on a compromised DSL-connected machine in the UK.

Tuesday 24 July 2007

Empireonline.com compromised


The popular movie site Empireonline.com was compromised this morning (around 9am UK time) with a rogue IFRAME. The site now appears to be fixed.

The IFRAME connects to a page called g.htm on g.ignfile.cn which appears to be a malware server hosted on 61.151.239.13 in China. For obvious reasons, I'm not including a clickable link but see the screenshot of the source below:



g.htm loads a couple of IFRAMES and has a web counter.



014.htm has some nasty obfuscated javascript:



The other IFRAME is called imags1.htm, this leads to a compromised file on a server called sexbb888.com. It is likely that the server has been hijacked, and the site owners are unaware of the problem.



Both appear to be using variants of the MS07-017 vulnerability from April 2007, although the nature of the payload is uncertain.

In any case, the problem appears to be fixed and anyone with a fully patched system should have been protected. Still, it's a good example of how trusted sites can fall prey to malware pushers.
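As an added example (not code from the original post), here is a small Python scanner for the pattern described above: an IFRAME injected into an otherwise trusted page that pulls content from an off-site malware host. It extracts every iframe from fetched HTML and flags those whose source host is not the page's own domain, those sized to be invisible, or those hidden with display:none. The sample HTML is constructed; the page host example-movies.test is hypothetical, the g.ignfile.cn/g.htm source is the one named in the post, and the 0x0 sizing is my assumption about how such frames are usually hidden, since the post does not give the dimensions.

```python
"""Find injected IFRAMEs in fetched HTML: off-site sources and frames sized or styled to be invisible."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> tag on a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '1', '0px' or '100%'; None unless it is a plain pixel count."""
    v = value.strip().lower().rstrip("px")
    return int(v) if v.isdigit() else None


def rogue_iframes(html, page_host):
    """Return (src, reasons) for each iframe that points off-site or is made invisible."""
    parser = IframeFinder()
    parser.feed(html)
    hits = []
    for f in parser.iframes:
        src = f.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        # Relative sources have no host; anything outside the page's own domain is suspect.
        if host and not (host == page_host or host.endswith("." + page_host)):
            reasons.append("third-party source " + host)
        w, h = _px(f.get("width", "")), _px(f.get("height", ""))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("hidden size %sx%s" % (f.get("width"), f.get("height")))
        if "display:none" in f.get("style", "").replace(" ", "").lower():
            reasons.append("style display:none")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed sample page, not the real Empireonline.com source.
SAMPLE_HTML = """<html><body>
<h1>Film news</h1>
<iframe src="http://www.example-movies.test/trailer" width="400" height="300"></iframe>
<iframe src="http://g.ignfile.cn/g.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="/embed/player.html" style="display: none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for src, why in rogue_iframes(SAMPLE_HTML, "example-movies.test"):
        print(src, "->", "; ".join(why))
```

Run this against a page you host on a schedule and diff the result against the last clean run; a new off-site or zero-sized frame appearing overnight is exactly the symptom seen here.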

Friday 20 July 2007

Wheredidyoubuythat.com spam II

Another phish sent to the compromised Wheredidyoubuythat.com mailing list, again targeted at the UK. Again, there is no evidence that Wheredidyoubuythat.com is actually sending out these phishing emails, but they're being sent to an address ONLY ever used to buy from their web site.

Subject: Account Update
From: "Halifax Plc."
Date: Fri, July 20, 2007 6:58 am
To: *****************


Security Center Advisory!

Dear Customer

Halifax PLC. has been receiving complaints from our customers for unauthorised use of the Halifax Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.

Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .

However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Thanks for your co-operation.

Fraud Prevention Unit
Security Center Advisory
Halifax PLC.

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to our account and choose the "Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your preferences here.

Thank you for using Halifax!

Thursday 19 July 2007

Wheredidyoubuythat.com spam

Online gift shop Wheredidyoubuythat.com had its email database compromised a little while ago. I'm currently getting a spate of fraudulent emails sent to an address only used for Wheredidyoubuythat.com and nothing else. Although I don't believe that they are responsible for the fraudulent spam, equally they never responded to my report that they had a security breach. Approach that particular merchant with care.

The fraudsters are currently sending out UK-targeted spam to the addresses, which indicates that they know full well where the harvested email addresses come from.

To: ***********
From: LloydsTSB Online Banking
Subject: Account Update

Dear Customer

Lloydstsb Bank has been receiving complaints from our customers for unauthorised use of the Lloydstsb Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.


Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .


However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
Lloydstsb Online Banking

Monday 16 July 2007

"Sup-Cables International Limited" scam

"Sup-Cables International Limited" is another money mule scam - the basic operation here is usually laundering stolen money or cashing fake cheques. There is no such company, and any company of a similar name will be unrelated to this fraud.

Note the reverse psychology used with lines such as "if anybody gets away with our money they will definitely get hold of such individual and will face the full wrath of the law".



Dear Sir/Madam,

Sup-Cables International Limited is a Latvian textile company.We
produce and distribute clothing materials such as batiks,assorted
fabrics and traditional costume worldwide.We have reached big sales
volume of textile materials in the U.S and now are trying to penetrate
the Europe market. Quite soon we will open representative offices or
authorized sales centers in Europe and therefore we are currently
looking for people who will assist us in establishing a new
distribution network there. The fact is that despite the Europe market
is new for us we already have regular clients also speaks for itself.

WHAT YOU NEED TO DO FOR US?
The international money transfer tax for legal entities (companies) in
Latvia is 25%,whereas for the individual it is only 7%.There is no
sense for us to work this way, while tax for international money
transfer made by a private individual is 7% That's why we need you! We
need agents to receive payment for our textiles ( in American express,
cashier and official checks) and to resend the money to us via Money
Gram or Western Union Money Transfer. This way we will save money
because of tax decreasing.

JOB DESCRIPTION?
1. Receive payment from Clients
2. Cash Payments at your Bank
3. Deduct 10%, which will be your percentage/pay on Payment processed.
4. Forward balance after deduction of percentage/pay to any of the
offices you will be contacted to send payment to/ or any of our
clients overseas (Payment is to be forwarded by Money Gram or Western
Union Money Transfer).

NOTE: All charges of the WESTERN UNION MONEY TRANSFER will be deducted
from the money, so you are rest assured that you wouldn't spend a dime
out of your personal money.

HOW MUCH WILL YOU EARN?
10% from each operation! For instance: you receive 4000 USD via checks
on our behalf. You will cash the money and keep 200 USD(5% from the
money you receive ) for yourself! At the beginning your commission
will equal 5%, though later it will increase up to 10%!

ADVANTAGES
You do not have to go out as you will work as an independent
contractor right from your home office. Your job is absolutely legal.
You can earn up to 3000-4000 USD monthly depending on time you will
spend for this job. You do not need any capital to start. You can do
the Work easily without leaving or affecting your present Job. The
employees who make efforts and work hard have a strong possibility to
become managers.
Anyway, our employees never leave us. But the problem we have is
trust, we have made arrangement with the FBI in Washington, that if
anybody gets away with our money they will definitely get hold of such
individual and
will face the full wrath of the law.

MAIN REQUIREMENTS
18 years or older,legally capable,Responsible ready to work 3-4 hours
per week.With PC knowledge e-mail and internet experience
(minimal).Please know that everything is absolutely legal.If you are
interested in our offer, please respond with the following details in
order for us to reach you:

# FULL NAME:..............
# CONTACT ADDRESS:..........
# PHONE NUMBERS:(Valid and Working)..........
# AGE:.............
# SEX:..............
# OCCUPATION:........
# MARRIAGE STATUS:.......
#YOUR BANK NAME:(only your bank name and nothing else)........

Thanks for your anticipated action. And we hope to hear back from you.

PETER HARRISON
(Director)

Wednesday 11 July 2007

MS07-039 clarification


Yesterday was Patch Tuesday, and amongst the usual load of vulnerabilities was MS07-039 - Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122) - however in this case Microsoft are a little vague about exactly which servers are impacted, referring only to "Active Directory Servers".

Well, what are Active Directory Servers? If you're running an AD environment then all servers are member servers of Active Directory. Does this mean that all servers need patching, or is it restricted to Domain Controller (DC) and Global Catalog (GC) servers only? Patching DCs and GCs isn't too big a deal.. patching all servers for MS07-039 would be a nightmare.

One clue is in Knowledge Base article 926122, which explains that this really is limited to servers performing the DC/GC role:

A hotfix was created to work around a problem in which the domain controller has to be restarted to let users renew their certificates. However, this hotfix let any user renew a certificate. This security update includes a hotfix to modify this behavior. After you install this security update, authentication is required for certificate renewal.

After you install this security update, only domain administrators and network administrators can renew certificates. Also, an administrator cannot delegate the right to renew certificates.

For such a critical vulnerability, Microsoft's wording is particularly vague. It does seem that it doesn't apply to ordinary member servers, but just to Domain Controllers (including Global Catalog servers, FSMO role holders etc). One caveat: the bulletin's affected-software list also covers ADAM (Active Directory Application Mode) on Windows XP and Windows Server 2003, so a member server hosting an ADAM instance needs the update too. These are critical servers, so you should patch them soon before the bad guys get to them.

Tuesday 10 July 2007

Another employment scam


Received a few of these from the faked name "Colin Scowcroft" (you can be assured that no person with that name is involved). It's clearly fraudulent, although the scammer is vague about the exact nature of the job. Typically this will be money laundering, processing fake or bogus cheques or laundering goods obtained from fraudulent online auctions.

Dear employee,
Our International Corporation is looking for new employees on various vacancies.
We suggest you financial Independence right now. Only our corporation can offer you
to gather a good
income in a short period of time. You do not need to invest any sum of money and we
do not ask you
to provide us with your bank account requisites! We are engaged in completely legal
activity and working
in our corporation you can achieve career growth at a permanent job. We are looking
for representatives from
any point of the world. Average earnings of our employee is 3450-4500$ per month,
but you can earn much more. Here is the top 10 of our representatives’ salaries:

Top 10 employees
Per month:
1. 45750 $
2. 42185 $
3. 38590 $
4. 25808 euro
5. 32000 $
6. 15700 GBP
7. 27200 $
8. 24300 $
9. 22750 $
10. 18730 $

It is easy to be in ours Top 10!
Everything is simple enough and it depends only of you.
We are waiting the creative approach and purposefulness from our employees. You can
work full time or part time.
You determine the schedule of you work at our corporation. We pay you for result.
The best regional representative becomes the head of regional office of our company
and receives a full social packet and bonus at a rate of 50 % from
his annual salary. Many of our employees have made excellent career, received full
financial independence and have embodied all their dreams in a reality less than in
2-3 years of working in our company.

The preference is given to employees with knowledge of foreign languages.
If you are interested in our offer please send us the following information:
1) Full name
2) Address of residing
3) Phone numbers
4) Languages
5) Part time job/Full time
Please send this information to our email: sockadverttadvert2k7[at]yahoo.com
Please specify in the subject line: Application for the local rep position. Number
100711

If you are not interested in our offer or you received this email by mistake please
reply with Unsubscribe
in subject line and specify all your emails addresses to unsubscribe44919 (at)
gmail.com.
We apologize In advance.

Yours faithfully,
Colin Scowcroft

Any legitimate job offer should already know most of your contact details, and it wouldn't use a Yahoo! email account. There's no detail on the company name or address, nature of the work, contact telephone number or anything else. Of course, some scammers do go the extra mile with a fake website and phone number, but not in this case.

Monday 9 July 2007

Google to acquire Postini for $625m

Big business, this spam thing. Google has just announced a $625m plan to buy Postini (more here). The deal is an outright cash purchase to be completed by end Q3 2007.

Postini is best known for its corporate spam filtering solution, but it is also active in the areas of instant messaging, compliance and mail archiving. These neatly complement Google's application range (especially for products like Gmail/Google Mail). It will also mean that Google will acquire some large Blue Chip corporate customers that have so far been outside its reach.

Wednesday 23 May 2007

Beborn Beton

One of those things that you discover with Pandora - Beborn Beton is a seriously underappreciated German electronic band, mostly active in the 90's but still nominally around today.

They're a sort of cross between Depeche Mode, the Pet Shop Boys and Kraftwerk.. in the UK their music is very hard to track down, but I ordered their Truth album from amazon.de along with Nightfall - Truth features the sort of peculiar but enigmatic lyrics that only non-English speakers can come up with:

Some are straight and settle in the daylight
Smear face when the rain pours down
I remember the words of a stranger
Live fast and you die with a sound


or

Are we coming to the point of no return
Are we still being fearless taking pride
In the moment the curtain is drawn
We're giving the stuff to the spawn
The show must go on

What the heck does that mean? It's still a fantastic, moody and somewhat paranoid album. All the tracks are in English apart from the quite mellow Eisplanet which is in German.

I can't tell you much about Nightfall.. because the case was empty. If you thought ordering stuff in a language you didn't speak was hard, you should try returning it!

Saturday 19 May 2007

It's 30 for a reason..


I was just about to settle down to Dr Who, some beer and a pizza this evening when there was a horrible sound of a vehicle going out of control and then smacking into the side of my house.

This MG ZR was apparently doing 50-60 mph in the 30 mph zone on the road outside when it came around the corner in the middle of the road to see a bus heading towards it.. it over-corrected and clipped a kerb and then spun out of control, smacking into the gate and the corner of the house at some speed. We didn't see it.. we just heard 5 seconds of tortured screeching followed by an impact.

The car actually ploughed into our gate and fence sideways, demolishing it and then hit the corner of the house. As you can see, the side of the ZR (being based on the old Rover 200) is not that strong in a side-impact collision.

There was a passenger in the back of the car who was taken to hospital with what appeared to be minor injuries. Fortunately the 100 year old gatepost gave way and absorbed some of the impact before it hit the wall.

I think the (very young) driver is in enough trouble without me having to name and shame him here. Fortunately, the car missed the bus, some pedestrians and anything really solid. Not quite everyone managed to walk away, but nobody was killed.

Perhaps the driver will pay more attention to 30mph signs when they are finally allowed behind the wheel of a car again.

Tuesday 15 May 2007

Motorola RAZR2 V9 and V8


A couple of new handsets from Motorola which look nice on paper.. the Motorola RAZR2 V8 is a GSM device, with the very similar RAZR2 V9 which is 3G with HSDPA. They have just about the largest external display that I've seen, a 2.0" 240x320 pixel panel with a 2.2" internal one. There are some cool looking external media controls too.

On the RAZR2 V8 there's plenty of internal memory, a whopping 420MB expandable with microSD cards, a so-so 2 megapixel camera and lots of multimedia goodies. Talktime is an impressive 8 hours. The 3G RAZR2 V9 has much less memory and of course a shorter talktime but is otherwise pretty similar.

What's the catch? Well, predictably from the name "RAZR2" these look pretty much like all the other RAZRs you've ever seen. And if (like me) you're fed up with the predictable styling and you hate that nasty RAZR keypad then you'll never buy one.. regardless of all the other features.

The RAZR2 is Motorola's idea of a brand new phone - and if you look under the hood it seems to be rather good. But most customers will just see it as the same old same old and will avoid it in droves.. after all, there are plenty of other 2G, 3G and 3.5G RAZRs on the market which just aren't shifting.

Moto pulled off another trick too and announced four other "new" handsets.. which appear to be four already announced devices with their names changed.

Fundamentally these all seem to be very capable devices but Motorola has made them fashion phones.. and the RAZR is definitely out of fashion. The fact that Motorola have repeated the same mistake with the RAZR2 that they have made several times before tells me that this company is not capable of learning. I certainly wouldn't like to be a shareholder!

Link - Why the RAZR is killing Motorola

Saturday 12 May 2007

Elstow Village Fete



It rained. And then it stopped.. which was nice. This is a picture of the maypole dance on the village green, you can just see the Moot Hall to the right.

Trivial fact learned today: The Slough of Despond is pretty much just outside my front door. Hmmm.

Wednesday 9 May 2007

Patch Tuesday

A number of nasty looking vulnerabilities. These are my takes on the seriousness of these flaws, you should evaluate them against your own organisation.


MS07-026 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)
A series of flaws in Microsoft Exchange 2003 and 2007, the most serious of which is a MIME decoding flaw which can allow a remote attacker to take complete control of the system through a specially crafted email message. This is an extremely serious problem because most corporate firewalls will not offer any protection against messages of this type. There are no known current exploits, but these usually come about very quickly after the vulnerability is announced.
Client impact: low
Server impact: high


MS07-029 Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
A critical flaw in the DNS server service can allow a remote attacker to take complete control of a system. This is clearly a significant threat to any server running the DNS service role and will need patching as soon as possible. This is being actively exploited at the moment. Corporate firewalls will mitigate against this somewhat, until an infected machine enters your network.
Client impact: low
Server impact: high


MS07-023 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)
A depressingly familiar flaw in MS Office impacting Excel 2000, 2002, 2003 and 2007 and even Excel 2004 for the Mac. WSUS or some other patching method should be used to roll these out to client workstations. Safe server practices should mean that this is not so important for corporate servers.
Client impact: high
Server impact: low

MS07-024 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)
Another Office flaw, this time for Word 2000, 2002 and 2003 plus Microsoft Works 2004, 2005 and 2006 - but not Word 2007. This is being actively exploited and should be authorised for rollout as soon as possible.. Office 2000 installations will require manual remediation.
Client impact: high
Server impact: low

MS07-025 Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
A vulnerability in the way Office handles drawing objects can be exploited by a specially crafted Office document (e.g. attached to an email) or an object embedded in a web site. This affects Office 2000, 2002, 2003 and 2007 and also Office 2004 for the Mac - primarily the Excel, Publisher and FrontPage components. It also impacts Excel Viewer 2003. This should be authorised for rollout to clients as soon as possible. Office 2000 will require manual remediation.
Client impact: high
Server impact: low

MS07-027 Cumulative Security Update for Internet Explorer (931768)
Various flaws in IE6 and IE7 on Windows 2000, XP, 2003 and Vista. Safe practice on servers should mitigate against this (i.e. restrict use of IE to Windows Update only). Some of these flaws are being actively exploited, so patch as soon as possible.
Client impact: high
Server impact: low

MS07-028 Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
Only relevant if you actually have CAPICOM deployed, in which case the impact is obviously high; otherwise few people will be at risk.
Client impact: low
Server impact: low

Tuesday 8 May 2007

Sony Ericsson P1i


A bit of a surprise this one - the Sony Ericsson P1i appears to be the replacement for the P990i but comes without a full QWERTY keyboard (or the somewhat annoying flip).

I've used the P990i a few times, mostly with BlackBerry software installed. The BlackBerry software is the most reliable part of the old phone.. the rest of it is a bit temperamental.

Hopefully the Sony Ericsson P1i will iron out the P990's bugs. But it's hard to say if P-series fans will warm to the non-QWERTY keyboard. I have to say that I'm not a fan of the keyboard on the P990.. but I don't like the "SureType" arrangement of two letters per key either. In my book, just about the best QWERTY keyboards come on BlackBerry handhelds, something other manufacturers can't quite get right.

It does look very much like the M600 smartphone rather than a P900-series device. It's hard to say if Sony Ericsson are going to make a bigger version (the P2i?) with a full QWERTY keypad. Perhaps it would be a good idea to give customers a choice?

More here: Sony Ericsson P1i

Monday 7 May 2007

Electronic election counting in Bedford

I've just finished a longish article on the Bedford Elections 2007 and the electronic counting fiasco. Bedford took part in a trial of electronic counting systems (using paper-based ballots).. and in the end this took far longer than the old approach and was far less transparent.

In this case a computer system was supplied by Indra of Spain, and it took a staggering 16 hours to come up with the results when the manual process would probably have been six hours or so.

Note that this isn't electronic voting - it's electronic counting. The old paper-based ballot system is still there although now the vote is automatically logged against the ballot paper number.. and the ballot paper number is listed against your name when you sign for it. Secret ballot? Well, just about.

The awful suspicion that I have is that somebody somewhere will use the problems with electronic counting of paper ballots as an excuse to go for an all-electronic system which will be exceptionally difficult to scrutinise.

Saturday 5 May 2007

"Theft Case" spam

Note: there are quite a few people called Eric Rapaport who are perfectly normal people (such as this one). Unless you are researching a weird spam email, this is not the Eric you are looking for.

Some spammers are evil. Some spammers are stupid. In the case of Eric Rapaport of Las Vegas, it looks like this particular spammer needs psychiatric help. (Note, there may be other Eric Rapaports - this one lives in Las Vegas).

My first reaction to the following spam was that it looked like a Joe Job - that is, a piece of "fake" spam constructed to make it look like it comes from an innocent party in order to get them into trouble. In other words, my first thought was that it wasn't sent by Eric Rapaport at all, but by someone out to cause trouble:

Subject: Theft Case - 50% reward on recovered assets.
From: info@Accounting1st.Com
Date: Fri, May 4, 2007 6:43 pm



Nature50 % reward on money recovered from microsoft Employment Fraud, stolen movies and stolen concert proceeds.

This case can also viewed by clicking on: www.AplusSoftware.NET/Theft.HTM or www.TheftCase.Com

Yes, I am formerly commander and director Rapaport of the CIA. The Central Intelligence Agency fired me so that they could get away with bank frauding me for money I made writing small parts of microsofts product line and for money I made writing various movies, with out being prosecuted.

PS. Maybe I should include this in my emails to lawyers.

I practiced law enforcement for free for the 5 years I was in it part time in order so that they would not accuse me of conflict of interest or accepting gratuities for the money I made in the film, computer and music industries. At this point I would rather sue the military for back pay and for denying that my career ever existed rather than be poor the rest of my life.

If we can get the military to admit this then we should be able to get 5 years part time pay at minimum of 70K per year which = $175,000.00

It's structured a little like a 419 "advance fee fraud" with the promise of a slice of $175,000. Indeed, PCPlus blogged about it some months back with the same conclusion. However, the truth is somewhat stranger than that.

In fact, this spam does appear to come from Eric Rapaport.. and it isn't an advance fee fraud scam. Attached to the spam is a long and rambling Word document, which is where this really gets strange (feel free to scroll to the bottom when you get the picture!).

50 % reward on money recovered from stolen movies / Microsoft Employment Fraud / stolen concert proceeds.
Most of the lawyers I have contacted on the web do not believe the below enclosed mass theft case. Yes it is unbelievable.
In response to this I thought I would describe verifiable things that made me successful in the entertainment and computer industries.
At 12 years old I was accepted to the Aspen Music Festival and School (at this time the Aspen Music Festival and School was about 50 % Juilliard students - the best classical music school in the world). I attended Aspen for 7 summers.
At 14 years old I started sitting in with the Nitty Gritty Dirt Band, members of the John Denver Band and Al Cooper ( founder of Blood Sweat and Tears) in night clubs in Aspen. I continued sometimes sitting in with bands of this type for the next 15 years.
At 18 years old I went to the Berklee College of music for one semester (perhaps the best rock and jazz music department in the world).
At 19 years old I realized that I might not ever make a good living in the music business and I started Colorado State University as a Computer Science Major (and took computers extremely seriously).
At the same time I was a computer science major I spent a lot of time playing in night clubs and playing small concerts in Colorado and sometimes around the country.
At 25 and 26 years old I sat in occasionally with the band Kingfish (there were some Grateful Dead members in this band).
Every thing above this line should be verifiable. All in all a good start towards possibly making it big in either the computer or music industries.
In 1994 due to my karate ability I started being a body guard for some celebrities in Beverly Hills.
With 15 – 20 million per leading role you can bet that there are Amnesia causing drugs around to keep people from remembering their business meetings or to even keep people from remembering their own names.
The true mass theft case below is extremely unbelievable. As to why no one is responding to me regarding debts or copies of return checks that I need to prosecute thieves, I can only speculate.
From 1994 through 1997 I made a lot of money writing parts of national software packages, scripts for movies, advisor positions, having roles in monster suites and playing concerts. People even willed me money I don’t remember getting paid for.
In response to this someone slipped me some extremely powerful drugs that caused selective Amnesia and stole a lot of money out of my bank accounts. I even spotted some houses recently that I think I owned.
If I split this money with who ever helps me collect, there could be more than 5 million in it for each of us.
If you do not wish to respond but wish to help, you could have a lawyer who specializes in this kind of thing respond.
I have corrupt co-workers and criminals writing letters in my name and even sometimes steeling mail out of my mailbox therefore, I am finger printing all of my letters.
I would like to remind anyone thinking of intercepting this letter that interfering with the federal mail is a federal offence.
Thank you
Eric Rapaport – 626-590-1817
info@AplusSoftware.Net
WWW.AplusSoftware.NET/Theft.HTM or WWW.TheftCase.Com
Houses I believe I am supposed to own include :
- 146 N. Eagle Dr. Big Bear Lake City CA
( I ran Lone Eagle Computer Company out of this house )
- 45760 Baldwin Lake Rd. Big Bear Lake City CA
- 6847 1 st Ave. Phoenix AZ
- 1907 Overland LA CA – apartment complex
- 4647 E. Fransico # 103 Tempe AZ
- 4310 S. Fair Ln Tempe AZ
- 1437 Honysuckle Dr. Albuquerque NM
- 7100 Rio Grande N.W. Ave. Albuquerque NM
- 414 E AABC Aspen CO
- 907 waters Aspen CO ( I received this house for writing
part of the movie mouse hunt and as with the other
properties someone is claiming they own it ). – Universal
pictures is not coming forward.
- 308 Pfister Aspen CO
- Beverly Hills ? Bel Aire ? Scottsdale ? Salt Lake?
Cars I believe I am supposed to own include :

1 1992 Firebird (California plates)
2 Trans Ams
1 1995 Camero, 3 Lexus’s
2 Cadillac Escalades
1 Lincoln mark IV Arizona AHN-491
95 Monty Carlo 2g1ww12mo59232911
97 Monty Carlo 2g1ww12m4v9115480
1 Bonneville
91 – Camero – 1g1fp23exml135038
Nissan Maxima gwz-828 hawaii JNICA21D3WT603610
STS 32V northstar Cadillac g6ky5298ru833791

Software I Helped Write
Windows 98
Visual Foxpro 3.0 - microsoft
Excel 7.0a – microsoft
microsoft Money - microsoft
Advised microsoft with Janna Contact Manager, microsoft Word, Windows 98, Visual Basic, microsoft Cad
and various accounting stuff. For this I received 1.29 million dollars, which was afterwards stolen. Janna Gates and Theifsoft are unavailable for comment.

Main Plots I wrote
The Net, Speed II – Written by Sandra Bullock and I. I need copies of any check that might have been written before I can prosecute thieves.
Practical Magic – never paid
Hope Floats – never paid
Wild Wild West (the movie) – I wrote about 1/3 of this on location and will probably not be paid.
U.S. Marshals – never paid
The Patriot – 1996 – Steven seagull – paid?
The Arrival – 30 K - never paid
Con Air – Main plot written by (Mary Reagan - Ronald Reagan’s Grand Daughter)?? , Jackson Brown and I. - never paid?
Mercury Rising - never paid?
Soldier – This is a take off on the movie IA that I produced and star in and I was told IA was going to go out. Why was this plot stolen ?? The Airforce was supposed to get some of the proceeds from the movie IA.
Ronnin – Main plot written by Robert Deniro and I – 400 K stolen – Speak up Mr. Deniro.
Stargate – It took me an amazingly long time to remember I wrote about 50 % of this main plot and was one of the extras.
The Volunteers - I wrote about 1/3 of this main plot on location in China. Tom Hanks Paid 100k? - afterwards stolen.
The Body Guard – Paid 100K? – afterwards stolen.
The Replacement Killers – I wrote this entire main plot as Mira Sorvino and Chow-Yun Fat knows.
Conspiracy theory – Never paid
Tequila Sunrise – Never Paid
Honeymoon in Vegas – In addition to writing the main plot I was one of the flying Elvis’s and can be seen at time indexes 13:03, 1:26:25 and 1:31:24. MGM Pictures never paid? Speak up Mr. Cage and
Ms. Parker.
Critters – Never paid
Galaxy Quest - Never paid.
Jumangi - I wrote most of this movie in Beverly Hills and on location. never paid?
Starship Troopers Paid 15 K? which was afterwards stolen. Come forward with a return check touchstone pictures.
The movie Twilight Zone – Never paid
Deal of the Century – Never paid
The 3 amigos – Never paid
Star Trek – The Voyager movie and the movie with the Whales – I wrote most of these 2 movies – Never paid?

Advisor positions
Excess Baggage ( I was the advisor for the fighting footage) - paid 50 K? – afterwards stolen
Jaws The Revenge (I wrote most of the sub plots) – never paid
Tuskegge Airmen - paid 40 K – afterwards stolen
Contact – 50 K - paid? – afterwards stolen
La Femme Nikita - This advisor position that I did almost nothing on was supposed to pay well.
- paid? – afterwards stolen
Tomorrow Never Dies – Never Paid? - I was the advisor for the final fighting footage and I did the Halo jump.
The Man Who Knew Too Little – 100k? – afterwards stolen – Speak up Mr. Murray
Men In Black (in addition to writing the sub plots to this movie I also was 2 of the aliens and I wrote a little of the computer graphics at the very end), paid 160 k? which was afterwards stolen. Will Smith did not write this in spite of what the credits say.
What Dreams May Come – Robbin William tripped over my head in this movie - never paid
Patch Adams – never paid
The Water Boy – never paid
Armageddon – never paid?
Boogie Nights - never paid?
Above the Law – 1988 – warner brothers – 100 k paid? – afterwards stolen
The Making of Bobby Fisher
GI Jane – I contribute almost nothing to this movie, but did request 15 K for 2 days of my time. – never paid
Adams Family Maters – I produced the School Play fencing match.
Vegas Vacation – paid – afterwards stolen.
Mouse Hunt – I created Catzilla (w/help) and wrote the plot to the very end of Mouse Hunt when the mouse went in to the gourmet cheese business with the house owners.
Indecent proposals – I suggested that “Mr. Redford take Ms. Moore by helicopter to a party on a luxury yacht for their date and he should be a perfect gentleman in order to make this a clean movie”. – never paid.
Deep Rising – Paid 10 K? – Afterwards Stolen.
The Edge – paid? – afterwards stolen.
Starwars 4 – I wrote the small part of the plot with the floppy eared thing accidentally opening up the container of explosive balls and then I did a double back summer salt and then the explosive balls blew up the enemy tanks.
Alien and Monster Roles
I was 2 of the aliens in Men in Black. – never paid?
I was the alien that got decked by Will Smith in Independence Day, in addition to being the alien in the control booth in the mother ship. – never paid
I was the monster in the movie The Relic. – never paid
I was the alien at the end of Alien Resurrection. Paid?
Concerts
Billy Joel (a full concert tour for $110,000.00 is what I remember. All money was paid to me and was afterwards stolen).
Fleetwood Mac – a small amount of concerts that should have paid well. – never paid
Grateful Dead – At least 8 Concerts. In Addition to this I gave Bob Wier a 30 K check to reform the band with me in it. If the band was not reformed with me in it the 30k was to be given back to me.
Shawn Colvin – a small amount of concerts. – never paid
Mickel Jackson – 2 concerts – 100 K was paid and was afterwards stolen.
Pat Methany
Austin City Limits – never paid
Meet Loaf - 5 concerts - Paid afterwards stolen.
Olivia Newton John – Paid?
Recordings
I wrote most of the music to the 1997 movie the Titanic that John Horner got all credit for.
In addition, I can clearly be seen on the rail to Mr. DiCaprio’s left hand side at time index 2:43:15
Never paid ? Ms. Dion and Mr. DiCaprio – speak up.
Virtual Insanity – piano parts – never paid?
Produced a Whitney Houston Record with several other producers. Paid 10 K which was afterwards stolen. – I probably played most of the Keyboard parts on this record.
Co-writer for the theme song to Adams Family Matters. – never paid
Kenny Loggins – Christmas record – piano parts.
I get knocked out – I wrote the Flugel Horn parts – never paid?
Sheril Crow – Global Sensation – some of the Tenor Sax parts – never paid
I wrote “Don’t go chasing waterfalls” – never paid?
I wrote “Brand New Day” – supposedly by Sting – never paid
Keyboard parts on Phil Collins version of True Colors?
Wills
CIA Agent – Linda Beadling who was murdered willed me 5K, which was afterwards stolen.
The man who was Barney Dinosaur most of the time willed me 400 K, which was later stolen.
Television
I was an alien for about 20 seconds in one Star Trek the Next Generation Episode. The 5k was stolen.
I co-produced one Mellisa know all episode and co-produced one Mellisa the teenage witch episode. Mellisa Hart is denying that she knows me.
I made one brief appearance on Mr. Belvedier. Paid – afterward stolen.
I seem to remember a one episode show called Sandavol. If this aired I was Sandavol. – never paid?
I seem to remember an appearance on the David Letterman Show with Bob Weir and Annitta Baker.
If this aired : Mr. Letterman owes me 20k - 15k.
Stargate – Besides writing about 50 % of the movie Stargate, I wrote the main plot to the episodes with the Pyramid space ship invading earth’s solar system and getting blown up. Co-writer for the virus episode and the cave in glacier episode. Never Paid - Richard Dean Anderson – Speak up.
Advisor to the Bay Watch episode with the gun fight on the glacier, Dolphin episode in Hawaii and Construction workers starting a natural gas leek and accidentally exploding it with a cigarette. Was there an episode with a brown bear? David Hasselhouf feel free to respond. – never paid
Friends – I co-wrote the episode with car trouble in bad weather. Paid 10 K? – afterwards stolen.
I was Barney Dinosaur in 1 or 2 Barney Dinosaur episodes.
Mad TV’s – I wrote Patch Kavorkian. – never paid?
Married with Children – I wrote the Foodies and cruise ship episodes – Never paid.

Dialog
I all most never write dialog. The little bit of dialog I remember writing is.
Patch Adams – I wrote the dialog when Robin Williams was telling the patents that they do not have to worry about paying their bills while wearing a large nose. – never paid
U.S. Marshals – I wrote the dialog when the U.S. Marshals are speaking with the swamp guides. – never paid
90210 – “Shannon La Pu”
Forest Gump’s comment on integrated busing – “We have coon problems at my house. They get in the trash and then ma shoes them off and then they leave us alone for a while”.
I also wrote the shrimp dialog in this movie. – Never paid?

Miscellaneous
- Fluffy Gellars booking agent for Maybaline – paid?
I did buy several Trans Am’s, 2 Cameros, 1 Lincoln Continental, 1 Firebird that were later stolen.
Speak up Pontiac, Crysler, Chevorlet, Lexus, Lincoln Continental and Cadillac.
- I did spend 2 million with Universal on a movie staring myself called IA?
Karate Tournaments
Chuck Norbis vs. Me – 1988 CBS – 1996 un-televised. Where is my money Norbis ?????
Is Norbis thinking ?? – If I don’t pay anyone for participating in tournaments maybe that means that the tournaments?? did not happen?? 6 tournaments X 100 k = 600k – Never paid?
Why are there so many thieves?
If you are listed above and have not paid, please pay.
If you are listed above and have paid, please provide me with copies of return checks so that the thieves may be brought to justice. / ( 50% reward on recovered money).

Final notes: I was planning to spend most of my money on clean fuels research and development. Therefore, this case is also a environmental terrorism case.
I practiced law enforcement for free for the 5 years I was in it part time in order so that they would not accuse me of conflict of interest or accepting gratuities for the money I made in the film, computer and music industries. At this point I would rather sue the military for back pay and for denying that my career ever existed rather than be poor the rest of my life.
If we can get the military to admit this then we should be able to get 5 years part time pay at minimum of 70K which = $175,000.00

As the spam itself says.. yes, it is "unbelievable".

In fact, absolutely everything matches up and points towards Eric Rapaport. The quoted URL of www.AplusSoftware.NET/Theft.HTM also contains a copy of these allegations. That URL is registered to

Eric RAPAPORT
+1.6265901817
Fax:
9109 W. Sahora #105-G12
Las Vegas, NV 89117-5772
US

And it was registered way back in 2002 to a Louise Rapaport. The homepage of aplussoftware.net indicates an unremarkable small computer business operates from that site (although with a California address). The accounting1st.com domain this email has been sent from is also registered to Eric Rapaport, and has been since 2005. The domain theftcase.com is also in Rapaport's name and was registered in April 2006.

The websites for accounting1st.com and theftcase.com are hosted on 64.136.25.175 along with the domains ericrapaport.com, rapaport1.com, medicalsoftware.ws, 1sthighspeed.com, workorderssoftware.com, computerresumes.net, purchaseorderssoftware.com, and gold1st.com (which are also all registered to Eric Rapaport). There are thousands of other sites on 64.136.25.175 which are probably completely unrelated.

www.rapaport1.net is on a nearby server at 64.136.25.171. 1stdiamonds.com is another Rapaport site.

The spam itself originates from 24.234.81.41 which resolves to a Cox Communications subscriber address in Las Vegas.. where Eric Rapaport lives. Everything seems to point to Eric Rapaport being the person behind this bizarre spam.

The spam itself is unusual in that it has been doing the rounds for some time. This sighting is from November 2005, this one from September 2004, this one from September 2006. Vernsblog [nsfw] has even more information running back to April 2005 (use the search function for more).

Eric - if you're reading this.. I think you need some help.

Wednesday 2 May 2007

What's the missing number?

What's the missing number?

09 F9 11 02 9D 74 E3 ?? D8 41 56 C5 63 56 88 C0

a) 145,600?
b) 5B?
c) Thursday?

Calls are charged at £2 per minute.

Here's a clue


Friday 27 April 2007

"Emirates Industrial Filters LLC" spam

Another baffling spam from the UAE, this time advertising industrial filters. Attached to this spam is a whopping 970KB of attachments covering pictures of.. well, industrial filters. Or perhaps femidoms. It's hard to say.

Dear Sirs,

Below are the details of our product range.

We are an ISO 9001:2000 certified manufacturer of Industrial Filter bags for solid and liquid filtration & separation for either process or environmental industrial applications.

Please look us up if you have any filtration requirements.

Please scroll down for more information and images.

Sincerely,


Emad El-Sakka
Emirates Industrial Filters LLC
eif@eim.ae
Tel: +971 6 743 7093
Fax: +971 6 743 7094
P.O. Box: 2365
Ajman
Unites Arab Emirates


And they didn't just send this spam once, but dozens of times. Looking at the spam, it seems to be part of a directory harvesting attack (DHA), which was blocked automatically. In my book, DHAs are an attempt to disrupt computer systems and would be illegal in many countries. The connecting IP was 213.42.1.90, which is a fairly active one according to NANAS.
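As an added illustration of the directory harvesting attack mentioned above (example code, not from the original post): a short Python script that picks out sending clients which are refused delivery for many different unknown local users, which is the mail-server-side signature of a DHA (the sender is walking through guessed mailbox names to find which ones exist). The Postfix-style log format, the threshold and the sample lines are assumptions constructed for this example; the connecting IP is the one given in the post.

```python
import re
from collections import defaultdict

# Constructed Postfix-style reject lines (not from the original post). The log
# format is an assumption of this example; 213.42.1.90 is the connecting IP the
# post reports. A run of "User unknown" rejections for alphabetically adjacent
# names from a single client is the shape of a directory harvest.
SAMPLE_LOG = """\
Apr 27 09:12:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[213.42.1.90]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown
Apr 27 09:12:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[213.42.1.90]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown
Apr 27 09:12:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[213.42.1.90]: 550 5.1.1 <abe@example.com>: Recipient address rejected: User unknown
Apr 27 09:12:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[213.42.1.90]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown
Apr 27 09:12:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[213.42.1.90]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown
Apr 27 09:12:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[213.42.1.90]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown
Apr 27 09:12:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[213.42.1.90]: 550 5.1.1 <ADMIN@example.com>: Recipient address rejected: User unknown
Apr 27 09:15:40 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <bob.smth@example.com>: Recipient address rejected: User unknown
Apr 27 09:15:41 mx postfix/smtpd[1235]: 2C3D4E1F: client=mail.example.net[198.51.100.7]
"""

# Matches a 550 "User unknown" rejection and captures the client IP and the
# recipient that was probed. Other rejections (greylisting, RBL) are ignored
# on purpose: only unknown-user probes say anything about harvesting.
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: 550 [\d.]+ "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def unknown_recipients_by_client(log_text):
    """Map each connecting IP to the set of distinct unknown recipients it tried.

    Recipients are lower-cased so a retry of the same name is not counted twice.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt").lower())
    return seen


def detect_dha(log_text, threshold=5):
    """Return {ip: distinct_unknown_users} for clients at or above the threshold.

    The threshold is an assumption of this example: one typo from a real
    correspondent is normal, a handful of different unknown users from one
    client in a short time is not. Tune it against your own traffic.
    """
    return {
        ip: len(rcpts)
        for ip, rcpts in unknown_recipients_by_client(log_text).items()
        if len(rcpts) >= threshold
    }


if __name__ == "__main__":
    for ip, count in detect_dha(SAMPLE_LOG).items():
        print(f"possible directory harvest from {ip}: {count} distinct unknown users")
```

On the constructed sample this reports only 213.42.1.90 (six distinct unknown users; the upper-case retry of admin@ is folded into the lower-case one), while the single bounce for a mistyped address from 198.51.100.7 stays below the threshold. In production you would run this over a time window rather than a whole log file, since a harvester sends its probes in a burst.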

So, Emirates Industrial Filters LLC - you're a bunch of evil spammers and I can't see why anyone would want to do business with you.

Wednesday 25 April 2007

BAT/IRCFlood false positive in change.log.2

I've been seeing a few false positives caused by the CA-VET virus scanner used in ZoneAlarm, CA eTrust and the CA ITM products (probably some others too) as follows:

[time 25/04/2007 15:08:22: ID 14: machine xxxxx.xxxxx: response 25/04/2007 15:09:13] The BAT/IRCFlood was detected in C:\SYSTEM VOLUME INF...\CHANGE.LOG.2. Machine: XXXXX, User: NT AUTHORITY\SYSTEM. File Status: Cure failed, file renamed.

This is just a log file that's part of the Windows XP system restore feature - the files are held in C:\System Volume Information in a folder to which users don't usually have access.

I'm pretty convinced this isn't a virus - it's just a log file - and I even ran it through VirusTotal which found nothing at all. I've contacted CA about it to see what they think.. we'll see.

In the meantime, if the antivirus alert is bugging you, you can delete the log file from your System Volume Information folder at your own risk. You will need to change permissions on the folder to do this (see this MS Technet article) and then drill down and delete the individual file in question. Like I said.. do this at your own risk!

Tuesday 24 April 2007

Malware via AdWords


A typical approach to spreading malware is to hack a site and then inject an IFRAME pointing towards some obfuscated Javascript that then eventually connects to a site with an exploit.

From the point of view of an attacker, this is fine. But what if the natural traffic for the site isn't enough?

Here's one I came across today with a completely new twist.

In this particular case, our antivirus software came up with an alert for what appeared to be some variant of the JS/Petch trojan. The machine didn't appear to be infected, but I investigated further. (Just to be clear, it wasn't my machine!)

An analysis of the machine indicated that this particular user had been doing some fairly innocent lunchtime surfing looking for a particular product.. let's say widgets.

In this case, the user went to Google and searched for "widgets" and got the usual load of search results complete with a set of ads along the top and down the side - normal Google AdWords ads. This user then clicked on the top ad, apparently promoting a company that we will call widgetsgb.com.. which is where it gets interesting.

Instead of being taken to widgetsgb.com, Google directed the visitor to another site. This in itself is not unusual, sometimes different domains are used for tracking or whatever. However, in this case the site was completely unrelated.. say notwidgetsatall.co.uk in which was buried an exact copy of the front page of widgetsgb.com. So the front page of notwidgetsatall.co.uk looked completely normal, but in a subdirectory notwidgetsatall.co.uk/widgets was an exact copy of the other site.

Well, not an exact copy precisely. This version had some IFRAME goodness pointing to an IP in Germany which had the obfuscated javascript pointing elsewhere. It doesn't really matter where.

What was interesting about this whole thing was that the user had clicked on a paid ad rather than a natural search result. Which means that somebody had to pay for the click... and by the looks of things that somebody had to pay a respectable amount to get the number one position. Of course, the bad guys never pay for anything as it would be uneconomic for them, so the indications are that they were using a hacked AdWords account.

What is strange about this whole thing is the amount of effort that the bad guys put into this.. they targeted a niche site without an awful lot of traffic, made a duplicate and then set up an advertising campaign to drive what was presumably not an awful lot of clicks to their IFRAME.

I guess the AdWords account was picked up with a keylogger installed on another hacked machine. It's the first time I've seen AdWords used in this way, but it shows that the bad guys can squeeze the value out of just about anything.

Monday 23 April 2007

Al Mustajer Real Estate - Stupid, stupid criminal spammers


It's been a little while since I've seen a spammer as stupid as Al Mustajer Real Estate who decided to hit me with 500 750kb word documents before my host blocked them.. a stonking 375mb or so of spam. But then their company logo does seem to feature a penis-shaped building, which perhaps says a lot.

Criminal spam? Well, yes, this comes from 67.19.27.226 (resolving to srv2.egraphics.ae) in the US (ThePlanet.com) so this spam is not CAN-SPAM compliant. Also, that much mail effectively constitutes a mail bomb, which is also an illegal denial of service attack.

Actually there are two spam messages in this run, the largest of which is an introduction to this dubious firm.

Company Profile
AL MUSTAJER REAL ESTATE


Al Mustajer Real Estate established with a view to display an
enduring property in Dubai and within Emirates. The Company has a
dedicated team of Professionals with immense international
experience in real estate business. Our Company is part of the
growing Al Mahdy Group of Companies such as:
• Said Al Mahdy General Trading
• FILCO General Trading
• Tartoub International Massage Centre

As part of this prestigious Company, our main objective is to conduct at
all times business with utmost good faith, integrity and to maintain the
highest standards of expertise, ethics and financial security. Our sales
executives offer dedicated and incessant attention to every client during
their consultation visits. We maintain international professional standard
and provide consistency in service.
Our sales focus is long ranging- we are interested in establishing
enduring relationships of growth and development with our clients. We are
offering the following products:
• Buying Properties
• Selling Properties
• Leasing & Managing Properties
We have already built and become a bench-mark in managing properties
within Emirates:
• AL QUOZ
• AL MUHEISNAH 2
• JEBEL ALI
• MIRDIF
• JUMEIRAH / UMM SUQUEEM
• AL MIZHER
• DEIRA
• BUR DUBAI
• SHARJAH

Abdul Hakeem
Office Manager
050-7568844

The footer information reads:

PO Box 39121 Dubai, UAE
+971 50 3787819
+971 4 3937709
+971 4 3937798

Al MUSTAJER Real Estate.
Visit us www.almustajer.com / www.supermobawab.com



info@almustajer.com
www.almustajer.com

Both almustajer.com and supermobawab.com appear to be parked.

The second spam is a Word Document promoting "labour camps". I don't know if they say "Arbeit Macht Frei" on them or not. Quite why this spammer thinks that I'm interested, I don't know. The document itself looks like it has been created by a five year old.



GREAT OFFER

(1) LABOUR CAMP AVAILABLE IN
AL QUOZ
FLEXIBLE PAY MENT MODE, CHEAP PRICE,
GOOD LOCATION

(2)LABOUR CAMP AVAILABLE IN
SONAPUR

FLEXIBLE PAY MENT MODE,CHEAP PRICE,GOOD LOCATION
(3)FULLY FURNISHED VILLA IN JUMEIRAH
AVAILABLE FOR RENT

DAILY, WEEKLY, MONTHLY AND YEARLY RENTL BASIS.

(4)FLAT FOR SALE IN SHARJAH, 1B,2B.

GOOD PRICE, GOOD LOCATION, EXCELLENT PAY MENT MODE.

CALL: 050-3787664
04-3937709



The spam appears to come from JUDE@SMN-ONE.NET which tallies with the sending IP address. The same email appears in the properties of the Word documents, although in a typical spammer fashion (i.e. "stupid") he also gets confused and mis-types it as jude@msn-one.net.

Possibly the most stupid spammer I've seen this year.

Tuesday 3 April 2007

ASUS.com web site, infected with .ANI exploit?

I'm investigating a suspect file called BMW3.PIG which appears to have originated from the asus.com website; it's some sort of .ANI exploit. I can't quite see where it is on the site though.

[time 03/04/2007 10:08:22: ID 14: machine [munged]: response 03/04/2007 10:09:06] The Win32/MSA-935423!exploit was detected in C:\DOCUMENTS AND SE...\BMW3[1].PIG. Machine: [munged], User: System. File Status: Cure failed, file renamed.


It appears that the culprit is an IFRAME hidden on asus.com.tw pointing to http://www[dot]ipqwe[dot]com/app/helptop.do?id=ad003 which is hosted on 222.73.247.123 in China, along with the following websites (which are probably all malware related)

  • Ipqwe.com
  • Mumy8.com
  • Ok8vs.com
  • Okvs8.com
  • P5ip.com
  • Plmq.com
  • Y8ne.com
  • Yyc8.com

I wouldn't advise visiting any of those on a Windows-based PC by the way. I can't manage to deobfuscate the javascript on the other end, but blocking the above sites would be a good way of stopping this particular attack vector.
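Both this post and the AdWords one above come down to the same thing: an IFRAME injected into an otherwise legitimate page, pointing off-site and usually hidden. As an added example (Python written for this page, not code from the original post or from ASUS), here is a small checker that flags IFRAMEs which point off the serving host, match a blocklist, or are hidden by a zero-pixel size or CSS. The blocklist is built from the domains listed above; the sample HTML, the serving host name and the helper names are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Blocklist built from the domains the post reports on 222.73.247.123.
# Maintaining such a list is this example's assumption, not the post's advice.
BLOCKED_DOMAINS = {
    "ipqwe.com", "mumy8.com", "ok8vs.com", "okvs8.com",
    "p5ip.com", "plmq.com", "y8ne.com", "yyc8.com",
}

# Constructed page: two harmless frames, then an injected one appended after
# </html>, which is where such injections often end up on a compromised host.
SAMPLE_HTML = """\
<html><body>
<h1>Product page</h1>
<iframe src="/support/news.html" width="600" height="200"></iframe>
<iframe src="http://maps.example.net/embed?q=hq" width="400" height="300"></iframe>
</body></html>
<iframe src="http://www.ipqwe.com/app/helptop.do?id=ad003" width=0 height=0 style="display:none"></iframe>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or bare name=value
ATTR_RE = re.compile(r"([a-zA-Z-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def parse_attrs(attr_text):
    """Turn the inside of a tag into a lower-cased {name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def _is_tiny(value):
    """True for the 0/1-pixel sizes used to keep an injected frame invisible."""
    if value is None:
        return False
    digits = re.match(r"\s*(\d+)", value)
    return digits is not None and int(digits.group(1)) <= 1


def find_suspicious_iframes(html, page_host, blocked=BLOCKED_DOMAINS):
    """Return [(src, [reasons])] for every IFRAME that looks injected.

    page_host is the host the HTML was fetched from (assumed known by the
    caller). Frames with no reasons are not reported.
    """
    page_host = page_host.lower()
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("off-site src")
        if any(host == d or host.endswith("." + d) for d in blocked):
            reasons.append("blocklisted domain")
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("hidden by zero/one-pixel size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.asus.com.tw"):
        print(f"{src}: {', '.join(reasons)}")
```

An off-site frame on its own is weak evidence (the maps embed in the sample is flagged for that reason alone), so a practical deployment would treat "off-site" as informational and page on the combination of off-site plus hidden, or on any blocklist hit. Run it against a saved copy of the page rather than fetching it live from a Windows desktop, for the reason given above.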

Monday 2 April 2007

easyhost.be spam


I really hate web hosts that spam, and easyhost.be is yet another one sending to scraped addresses, with the usual lie "You have received this email because you are subscribed with.." blah blah blah.

Using SpamCop to LART easyhost.be on 195.95.2.123 just sends the abuse report to the spammer, info@easyhost.be. Upstream provider is a firm called scarlet.be who are located in a nearby building, so if you get spam from easyhost.be, try reporting to ronny.schouteden -at- Scarlet.biz

Another telltale sign of spamming is the line that says "Dear,".. dear who? If I'd have subscribed to the spam list I feel certain that I would have remembered to fill in my name.

Dear,

EasyHost has made partnerships with several Antivirus providers.

Starting from today we can offer several Home/SMB/Enterprise Antivirus solutions.
To celebrate our partnerships we have made a special webhosting promotion.

1. With every NEW LINUX hosting package you buy from 01/04/2007 until 30/04/2007 you get a 1 Year FREE AVG 7.5 Antivirus package.

2. With every NEW WINDOWS hosting package you buy from 01/04/2007 until 30/04/2007 you get a 1 Year FREE Kaspersky 6.0 Antivirus package.

Order you webhosting today at http://www.easyhost.be

If you want to buy other Antivirus solutions please contact us at sales@easyhost.be



Each day, more and more people are discovering that EasyHost domain names provide greater value, more features, are easier to manage and are backed by a readily available, knowledgeable support team. If you are already a domain reseller, and have all advantages of the easy control panel and live registrations, please contact us before ordering.

*Pricing ex 21% VAT and first year only

Best Regards,

EasyHost Sales
sales@easyhost.be
http://www.easyhost.be

195.95.2.0 - 195.95.2.255 is the range to block. I can't imagine that you'd want to get mail from some Belgian spam outfit.

Thursday 29 March 2007

"Internet Explorer 7 Downloads" - IE7.0.exe


Another bit of malware this time masquerading as a terse email message to encourage the downloading of a fake version of IE7. It's a simple graphic pointing to an executable called IE7.0.exe - it looks like the graphic and executable are hosted on compromised Apache servers.

VirusTotal indicates that detection is a bit thin at the moment.



Antivirus          Version          Update      Result
AhnLab-V3          2007.3.30.0      03.29.2007  no virus found
AntiVir            7.3.1.46         03.29.2007  TR/Proxy.Agent.CL
Authentium         4.93.8           03.29.2007  no virus found
Avast              4.7.936.0        03.29.2007  no virus found
AVG                7.5.0.447        03.29.2007  no virus found
BitDefender        7.2              03.29.2007  no virus found
CAT-QuickHeal      9.00             03.29.2007  (Suspicious) - DNAScan
ClamAV             devel-20070312   03.29.2007  no virus found
DrWeb              4.33             03.29.2007  no virus found
eSafe              7.0.15.0         03.29.2007  no virus found
eTrust-Vet         30.6.3522        03.29.2007  no virus found
Ewido              4.0              03.29.2007  no virus found
FileAdvisor        1                03.29.2007  no virus found
Fortinet           2.85.0.0         03.29.2007  suspicious
F-Prot             4.3.1.45         03.28.2007  no virus found
F-Secure           6.70.13030.0     03.29.2007  Virus.Win32.Grum.a
Ikarus             T3.1.1.3         03.29.2007  no virus found
Kaspersky          4.0.2.24         03.29.2007  Virus.Win32.Grum.a
McAfee             4995             03.29.2007  no virus found
Microsoft          1.2306           03.29.2007  no virus found
NOD32v2            2154             03.29.2007  no virus found
Norman             5.80.02          03.29.2007  no virus found
Panda              9.0.0.4          03.29.2007  Suspicious file
Prevx1             V2               03.29.2007  Covert.Sys.Exec
Sophos             4.16.0           03.29.2007  no virus found
Sunbelt            2.2.907.0        03.29.2007  VIPRE.Suspicious
Symantec           10               03.29.2007  Trojan Horse
TheHacker          6.1.6.080        03.23.2007  no virus found
UNA                1.83             03.16.2007  no virus found
VBA32              3.11.3           03.29.2007  suspected of Trojan-PSW.Pinch.1 (paranoid heuristics)
VirusBuster        4.3.7:9          03.29.2007  no virus found
Webwasher-Gateway  6.0.1            03.29.2007  Trojan.Proxy.Agent.CL

Wednesday 28 March 2007

"The system is not fully installed": Windows XP, WMP 11 and Sysprep


Kudos to lizardking009 for this post at the 2cpu.com forums.

After using Sysprep to prepare a new Windows XP build for distribution to some Dell laptops, I got a message saying The system is not fully installed when trying to restart the machine.

It turns out that this is due to the presence of Windows Media Player 11 which screws up the Sysprep process somehow. I can't say that I'm a big fan of this DRM-laden stuff, but generally speaking you always load the latest version of everything before resealing the machine to take an image from it.

Microsoft have this knowledgebase article showing how to recover from the problem, although I discovered that this does not work very well on machines that have already been built from a Sysprep image (such as Dells). If you're working in a reasonably well equipped environment with another XP machine and a suitable external USB drive enclosure, then it's probably easier to edit the registry on the affected PC's hard disk by plugging it into the USB port of another machine, i.e.:

  • Load REGEDIT
  • Select HKEY_USERS
  • Go into File.. Load Hive..
  • Browse to the \WINDOWS\System32\Config\System file on the USB connected drive
  • Name the hive "system" or whatever you like
  • Find the Setup key on the newly loaded hive and locate SystemSetupInProgress.
  • Change the data from 1 to 0.
  • Unload the Hive
Then, once the hard disk is reinserted into the original machine, bring it up in Safe Mode, deinstall Windows Media Player 11 and reboot. This should start the setup process (you can choose to take an image at this point, if you wish).
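The same offline hive edit, scripted in PowerShell so the value can be checked before and after the change. This is an added example and not part of the original post. It assumes the USB-attached disk shows up as E: on the working machine (adjust $OfflineSystemHive otherwise), that the script is run from an elevated prompt, and that the hive name OfflineSystem is free under HKEY_USERS; the name itself is arbitrary, exactly as in the REGEDIT steps above.

```powershell
# Added example (not from the original post): clear SystemSetupInProgress in an
# offline SYSTEM hive from a disk attached via USB, the scripted equivalent of the
# REGEDIT "Load Hive" steps. Run from an elevated prompt.
param(
    # Assumption: the affected PC's disk is mounted as E: on the working machine.
    [string]$OfflineSystemHive = 'E:\WINDOWS\System32\Config\System',
    # Arbitrary name for the loaded hive under HKEY_USERS.
    [string]$HiveName = 'OfflineSystem'
)

if (-not (Test-Path -LiteralPath $OfflineSystemHive)) {
    throw "Hive file not found: $OfflineSystemHive"
}

$mountPoint = "HKU\$HiveName"                              # form reg.exe expects
$setupKey   = "Registry::HKEY_USERS\$HiveName\Setup"       # form the registry provider expects
                                                           # (HKLM\SYSTEM\Setup on the running PC)

# Load the offline hive under HKEY_USERS (same as File > Load Hive in REGEDIT).
& reg.exe load $mountPoint $OfflineSystemHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    $before = (Get-ItemProperty -Path $setupKey -Name SystemSetupInProgress).SystemSetupInProgress
    Write-Host "SystemSetupInProgress before: $before"

    # Only write when the flag is actually set; 1 means Setup believes it is still mid-install.
    if ($before -ne 0) {
        Set-ItemProperty -Path $setupKey -Name SystemSetupInProgress -Value 0 -Type DWord
    }

    $after = (Get-ItemProperty -Path $setupKey -Name SystemSetupInProgress).SystemSetupInProgress
    Write-Host "SystemSetupInProgress after:  $after"
}
finally {
    # Always unload, or the hive file stays locked and the disk cannot be moved back cleanly.
    # The registry provider can hold handles open; releasing them lets reg.exe unload succeed.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload $mountPoint | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed with exit code $LASTEXITCODE; unload it manually in REGEDIT" }
}
```

The try/finally matters more than it looks: if the hive is left loaded and the disk is pulled, the next boot of the affected machine can fail in a far less recoverable way than the original error. The script deliberately touches only SystemSetupInProgress, so the WMP 11 removal in Safe Mode still has to be done by hand as described above.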
