February 2006 - Posts

Ok, I've joined the dark side... been borgified... assimilated... absorbed... whatever you want to call it.

Put in an order today for a brand spanking new SBS server via a good friend, Wayne Small, SBS MVP.  Ahhhhh, some are so disappointed that I succumbed so easily to the siren-call that is SBS.... but I digress ;o)

BORING!!!!! say my patient readers.. "not really" says I.... there is a point to this article....

Coincidentally, I received an email today via www.ie-vista.com asking for assistance with an SBS2003 network.  All users use the same username/password... but the 'bosses' on site have their own IDs... and all are power users.  All use Sharepoint for essential calendar sharing etc.

The question; how do we block internet access for the general users, but not the doctors - remembering they are all part of the same security group ... this could be fun.

Imagine... everybody is a power user... theoretically, all it takes is *one* employee, going to *one* bad site, and your network is owned......I don't care how busy you are.....are you so busy that unique log-ins are too much bother?

This article caught my eye a short while ago; Alun is a regular commentator in my blogs, and invariably has something interesting to say:

AOL, Yahoo introduce "pay to spam" service (5 February 2006)
http://msmvps.com/blogs/alunj/archive/2006/02/05/82634.aspx

I agree with Alun's opinions on AOL and Yahoo's idea - but one thing does occur to me.  About four years ago I walked in to a new job, only to discover that the mail server (they were running Novell and GroupWise) was set as an open relay - so much crap was being pumped through that server (the spammers were smart enough to send their wares outside of business hours), and the NDR load was so great, that the poor server was being brought to its knees every night.  This server was being actively cared for by an IT outsourcer... damned if I know why they didn't spot what the hell was going on.

At the sort of volume I saw on that poor server, paying AOL and Yahoo could get expensive very quickly. 

The last time I looked into this sort of thing, popular opinion was that around 90% of all spam was being sent out via compromised home PCs... Mum and Dad or Grandma and Grandad's PC with a broadband internet connection and no firewall, or firewall neutralised by malware infection.  The heavy duty spammers who use open mail relays and compromised home PCs won't bother paying AOL and Yahoo 1/4 or 1 cent per mail when they can pump the stuff out for free.
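The open relay described a few paragraphs up is still the easiest thing to check for yourself, so here is an added example (not from the original post, and not something the Novell/GroupWise server in question ran): a PowerShell probe that walks through the SMTP dialogue an abuser would use, a MAIL FROM at one outside domain and a RCPT TO at another, and reports whether the server accepts the recipient. This is an active test against a live host, so run it only against a server you administer; the two example.net/example.org addresses are assumed placeholders and no message body is ever sent.

```powershell
# Added example (not from the original post): a minimal SMTP open-relay probe.
# Assumptions: you administer the target host, and $From/$To are external
# addresses the server has no business relaying for. An open relay answers
# RCPT TO for a foreign domain with 250; a correctly configured server
# answers 550/554 (relaying denied).
function Test-SmtpOpenRelay {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$From = 'probe@example.net',   # assumed external sender
        [string]$To   = 'probe@example.org',   # assumed external recipient
        [int]$TimeoutMs = 10000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Read one SMTP reply, skipping the continuation lines of a multi-line
    # reply ("250-..." ... "250 ...") and returning the final line.
    function Read-Reply {
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
        return $line
    }
    function Send-Command([string]$Command) {
        $writer.WriteLine($Command)
        return Read-Reply
    }

    try {
        $banner = Read-Reply
        $ehlo   = Send-Command "EHLO relay-probe.example"
        if ($ehlo -notmatch '^250') { $ehlo = Send-Command "HELO relay-probe.example" }
        $mail   = Send-Command "MAIL FROM:<$From>"
        $rcpt   = Send-Command "RCPT TO:<$To>"
        Send-Command "RSET" | Out-Null   # abandon the transaction; nothing is ever sent
        Send-Command "QUIT" | Out-Null
    } finally {
        $client.Close()
    }

    [pscustomobject]@{
        Server    = $Server
        Banner    = $banner
        MailReply = $mail
        RcptReply = $rcpt
        OpenRelay = ($rcpt -match '^250')   # 250 to a foreign RCPT TO = relay is open
    }
}

# Usage: Test-SmtpOpenRelay -Server mail.example.com
```

The RCPT TO reply is the one that matters: many servers answer 250 to MAIL FROM regardless and only refuse at the recipient. A small number of servers accept the recipient and reject the message later, after DATA, so treat a 250 here as "investigate the relay settings and the queue", not as final proof.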

...see, I don't read the Microsoft Switzerland Security Blog just because I'm Swiss... they come up with gems that don't appear on their US equivalent's site...

http://blogs.technet.com/ms_schweiz_security_blog/archive/2006/02/26/420586.aspx


Those of you who have been reading my Blog for a while will remember how my very first nephew, Jordan Blake, was born by emergency caesarean back in October last year, and how I made a flying visit to Melbourne to see him, and his Mum and Dad... just in case....


Flashback picture

Young Jordan is doing brilliantly - just look at him now - a much loved little boy:


Jordan, photo taken the day before my 40th birthday

Windows Update is the classic update service that only offers updates for Windows.  Microsoft Update extends this service to cover other Microsoft programmes including, but not limited to, Office, Exchange and SQL Server (disclaimer: if you use Office 2000, or if your copy of Office was installed in "per user" mode, you will need to continue using Office Update - more information at the URL below):
http://support.microsoft.com/Default.aspx?id=907380.

How do we tell if we are using Microsoft Update or Windows Update?

First, if you are using Microsoft Update there will be an extra entry in your Program Menu.  The Microsoft Update menu option will only appear in the Program List if it is in use. 


If you are using Microsoft Update, it should be noted that the Windows Update link will also take you to Microsoft Update.  This behaviour sometimes causes confusion, with a user recently saying in an email discussion I took part in that because she had clicked on the Windows Update link she expected to be taken to Windows Update, and did not realise she was actually at Microsoft Update - it was her confusion that prompted this article.

Second, we can look at the picture immediately above the Express and Custom scan buttons:

Microsoft Update graphic


Windows Update graphic

The difference is subtle.  Perhaps MS should include some color cues or a different icon to cater to those who skim the content of a page.

Swapping between Microsoft Update and Windows Update

Swap from Windows Update to Microsoft Update

Click on the Microsoft Update link as displayed in this screenshot:

or... click on the option to right of screen:


Click on Start Now, then Continue.  You may next be prompted to change your Automatic Update settings (not compulsory), then click on Check for Updates.

Swap from Microsoft Update to Windows Update

Click on the Change Settings menu item:

Scroll all the way down and put a tick in the box at the bottom of the page that disables Microsoft Update and returns you to Windows Update only.  Click Apply changes now.  You'll be asked if you're sure, confirm your choice and then you're done.  The Microsoft Update entry will be removed from the Program Menu.
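The two web-page procedures above have a scriptable equivalent, which is handy when you need to check or switch a whole office rather than one PC at a time. The following is an added example, not code from the original post: it uses the Windows Update Agent COM object (Microsoft.Update.ServiceManager), which is the same component the Start Now and Change Settings pages drive, to answer the "am I on Microsoft Update?" question and to opt in or out. It assumes a Windows Update Agent new enough to expose AddService2 and that the script runs elevated; the 7971f918-... value is the published service ID for Microsoft Update, and 'admin-script' is an arbitrary label.

```powershell
# Added example (not from the original post): inspect and switch the
# Microsoft Update opt-in through the Windows Update Agent COM API.
# Assumptions: WUA with AddService2 available, run from an elevated prompt.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'   # published ID for Microsoft Update

# Lists every update service the agent knows about; Microsoft Update shows
# up here only if the machine has opted in, which is the programmatic
# equivalent of looking for the extra Program Menu entry.
function Get-UpdateServiceStatus {
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    foreach ($svc in $mgr.Services) {
        [pscustomobject]@{
            Name               = $svc.Name
            ServiceID          = $svc.ServiceID
            RegisteredWithAU   = $svc.IsRegisteredWithAU
            IsMicrosoftUpdate  = ($svc.ServiceID -eq $MicrosoftUpdateServiceId)
        }
    }
}

function Test-MicrosoftUpdateEnabled {
    $null -ne (Get-UpdateServiceStatus | Where-Object { $_.IsMicrosoftUpdate })
}

# Equivalent of "Start Now": register Microsoft Update and hand it to
# Automatic Updates. Flags: 1 = allow pending registration,
# 2 = allow online registration, 4 = register with Automatic Updates.
function Enable-MicrosoftUpdate {
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    $mgr.ClientApplicationID = 'admin-script'   # assumed label; any string works
    $mgr.AddService2($MicrosoftUpdateServiceId, 7, '') | Out-Null
}

# Equivalent of the tick box on the Change Settings page: drop Microsoft
# Update so the machine is back on plain Windows Update.
function Disable-MicrosoftUpdate {
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    $mgr.ClientApplicationID = 'admin-script'
    $mgr.RemoveService($MicrosoftUpdateServiceId)
}

# Usage:
#   Get-UpdateServiceStatus
#   if (-not (Test-MicrosoftUpdateEnabled)) { Enable-MicrosoftUpdate }
```

On a domain where a WSUS server is assigned by Group Policy the agent scans against WSUS regardless of this opt-in, so check the policy before assuming a "Windows Update" result means the machine is missing Office or Exchange patches.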


http://www.microsoft.com/windowsvista/features/forhome/mail.mspx

Phishing filter
Quick Search (Word Wheel)
Junk Mail Filter

The phishing filter is seriously cool, as is Quick Search (which works the same way as the search pane used by Internet Explorer 7 when displaying RSS)

Here's hoping the powers that be will get serious now that the IRS is being impersonated.... the bad guys are getting overconfident if they feel safe impersonating Government departments like the Department of the Treasury - screenshot at link below:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=372

Castlecops also have a writeup (no screenshot):
http://castlecops.com/a6537-IRS_Phish.html

This isn't a new phish - you'll note the Websense alert is dated December - it's a resurgence ;)

http://australianit.news.com.au/articles/0,7204,18245495%5E15306%5E%5Enbv%5E,00.html

"GOOGLE infringed copyright by posting thumbnail photos from other websites on its search results pages, a US judge has ruled."

http://www.sophos.com/pressoffice/news/articles/2006/02/inqtanafix.html

Ok, so Sophos says "this update was flawed, and Mac OS X users may have been mistakenly warned by Sophos Anti-Virus for Mac OS X that some files on their computers were infected with the worm"

What an exquisite understatement for the chaos this stuff-up caused .... here's what some affected users say:
http://my.simmons.edu/services/technology/archives/2006/02/this_is_an_aler.shtml

"Users of Simmons Macintosh computers should immediately disconnect their computers from the network.

There is a virus spreading throughout campus that disables Microsoft Office (Excel, PowerPoint and Word). We do not yet know how the virus is spreading. Sophos Antivirus has an update that identifies the virus, but does not yet disinfect.

Because we do not know how it is spreading, the only prevention we have is for Macintosh computers to stay off the network."

Followed by...

http://my.simmons.edu/services/technology/archives/2006/02/mac_users_shut.shtml

"Whether you are using a Simmons Macintosh, or your own Macintosh computer, please stop using your computer, and shut it down immediately.

There is a virus spreading throughout the Internet and the Simmons network. It appears to affect the Microsoft Office suite, but Sophos Antivirus may be misidentifying some files as infected that are not infected. This misidentification further complicates the problem and may result in disabling your computer."

Then....

http://my.simmons.edu/services/technology/archives/2006/02/mac_users_start.shtml

"Unfortunately, while Sophos Antivirus was malfunctioning, it may have “broken” some of the software on your computer. Once the Sophos update is done, please try to use the software on your computer that you normally use. You may find that one or more applications no longer work. For example, Microsoft Word may tell you that a component of the software is missing and you have to reinstall."

And this:

http://groups.google.com/group/comp.sys.mac.comm/tree/browse_frm/thread/12ab6933b337173c/3ce08e746b457230?rnum=1&q=sophos+false+positive&_done=%2Fgroup%2Fcomp.sys.mac.comm%2Fbrowse_frm%2Fthread%2F12ab6933b337173c%2F3ce08e746b457230%3Flnk%3Dst%26q%3Dsophos+false+positive%26rnum%3D1%26#doc_3ce08e746b457230

"The results of the false positives are, in some cases, disastrous... Many of our campus computers have lost access to their Microsoft and Adobe products. We're having trouble reinstalling them because they immediately get re-infected. ... Sophos' AntiVirus software is generating false positives for the "OSX/Inqtana.B worm", invoking users to delete critical application and system files and causing serious issues...it destroys office 2004... even with a reinstall, office doesn't work"

Sophos did not just "mistakenly warn" users that some files were infected on computers.

I'm seeing reports that not only was Office 2004 affected, but also Office X and some Adobe products.

By the way, that bit where Sophos says "less than two hours later".. according to those affected by this problem, it was over four hours...

It sure as hell isn't a legitimate site anymore... please, don't go there unless you're using IE7, or a well patched IE6... better still... add www.msnbc.co.uk to your Restricted Sites zone before going anywhere near it (hyperlink neutralised).  I don't know what may happen if you visit that site unprotected (or the links it advertises) ... better to be safe than sorry.

Believe me, this is not the first URL that has been grabbed by search engine purveyors hoping to cash in on "guess-timates" about the URLs of legitimate sites.  Ages ago a site targeting MSN Groups (legitimate URL being groups.msn.com) actively attempted to infect users with malware.  The site in question, thanks to my efforts, and the efforts of other anti-malware fighters, was shut down... Another popular site, macemail, that supported users of Mac computers, was taken over by a "pop up stopper" years ago, as was a well known Publisher (or was it PowerPoint) support site.

Please guys, be careful out there ok?  The bad guys will try every trick in the book to fool you into visiting them.. phishing... taking advantage of mistyped URLs... whatever they think will work.

Those of you that own popular domains ... protect them.  Make sure that nobody can steal it from under you, because if the bad guys can grab your domain when it falls due for renewal, they will... and you won't get it back unless you're willing to pay $$$$$ for it.
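For the "add it to your Restricted Sites zone" advice above, here is an added example (not from the original post) of doing it without clicking through Internet Options, which matters when you want the same block on every PC in an office: IE keeps zone assignments under the ZoneMap\Domains registry key, with the registrable domain as a subkey, an optional host label beneath it, and a DWORD whose name is the scheme ('*' for all) and whose data is the zone number, 4 being Restricted sites. The code writes exactly that entry in the current user's hive; the domain and host label are passed separately rather than guessed from the URL, because IE keys on the registrable domain (msnbc.co.uk, not co.uk).

```powershell
# Added example (not from the original post): manage IE's Restricted Sites
# zone (zone 4) through the ZoneMap registry entries IE itself uses.
# Assumption: per-user scope (HKCU). Swap in HKLM:\ for a machine-wide
# entry, which is what applies when the "use only machine settings" policy is on.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedZone = 4

function Add-RestrictedSite {
    param(
        [Parameter(Mandatory)][string]$Domain,   # registrable domain, e.g. msnbc.co.uk
        [string]$HostLabel                       # e.g. www; omit to cover every host in the domain
    )
    $key = Join-Path $ZoneMapDomains $Domain
    if ($HostLabel) { $key = Join-Path $key $HostLabel }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Value name is the scheme: '*' covers http and https alike.
    New-ItemProperty -Path $key -Name '*' -Value $RestrictedZone -PropertyType DWord -Force | Out-Null
}

# Walks the ZoneMap and returns the host names currently mapped to zone 4,
# rebuilding "www.msnbc.co.uk" from the Domains\msnbc.co.uk\www key layout.
function Get-RestrictedSites {
    if (-not (Test-Path $ZoneMapDomains)) { return }
    Get-ChildItem -Path $ZoneMapDomains -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $hit = $false
        foreach ($scheme in @('*', 'http', 'https')) {
            if ($props.$scheme -eq $RestrictedZone) { $hit = $true }
        }
        if ($hit) {
            $rel   = $_.PSPath.Substring($_.PSPath.IndexOf('\Domains\') + 9)
            $parts = $rel.Split('\')
            [array]::Reverse($parts)
            $parts -join '.'
        }
    }
}

# Usage:
#   Add-RestrictedSite -Domain 'msnbc.co.uk' -HostLabel 'www'
#   Get-RestrictedSites
```

Putting a host in zone 4 disables script, ActiveX and most active content for it, which is the protection the post is after; it does not stop the page being fetched, so pair it with whatever web filtering you already run if you want the visit blocked outright.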

Very interesting reading:
http://robertmoir.com/blogs/someone_else/archive/2006/02/21/2109.aspx

Check out this thread:
http://www.msghelp.net/showthread.php?tid=55990&page=1

It contains the most amazing bullshit... is it surprising that malware has such a hold when such justifications.... such bullshit... ok, I'm getting grumpy here.. hands off keyboard.

Look at this:
http://msmvps.com/blogs/spywaresucks/archive/2005/12/05/78084.aspx

Let me tell you something... Patchou's version of lop.com may, according to him, be modified, and "harmless" according to some of the we-love-patchou naivettes in his forum, but I tell you right now that it isn't modified enough to stop underage kids being exposed to the crap exposed in my blog entry above.  Patchou has my email address.  Those behind lop.com have my email address - I know - I have emails that prove that they know how to get in touch with me - so, *if* they have fixed things there is no excuse for not emailing me to tell me.

Do you think it is ok to hide behind an EULA?  I don't.

Honestly, the msgplus thread above is indicative of the ridiculous, inane, uninformed, uneducated commentary that is the norm for msgplus supporters.

I ask you, in all of the crap in that thread.. the insults about how the OP was bored with "Mimesweeper" and all the other inane insults ... how often is the actual issue addressed.... the issue being the *fact* that msplus uses lop.com as a sponsor... forget all the Paris Hilton bullshit..how many concerns have been addressed and how many have been yelled down by http://redwing.hutman.net/~mreed/warriorshtm/howlers.htm or http://redwing.hutman.net/~mreed/warriorshtm/swarm.htm.

Patchou says that "the lop package, in general, is safe to install".  All I can say is BWWWWWWWWWWWWHAHAHAHHAHAHAHAHA. Just who are you kidding?

Side note: Hey Rocky!! I'm procrastinating again!!!

{laughing}  A very dear friend of mine, who is in the midst of writing a book entitled "Michigan Cuisine: A Semi-Exhaustive Guide" pinged me this evening to let me know that he'd found a 'man hater' recipe that he thought I would probably love....

Ok, so I've had a few bad experiences centered around those with a preponderance of testosterone but there are no men in my current circle to whom the following recipe could be applied ...

"Pan-Fried ... errr ... WHAT???"

Ok... guys... you know who you are... you can uncross your legs now... honest.... all knives are safely stored in the bottom drawer in my kitchen, and even if they're not, I use anaesthetic  <big grin>

I'll admit... I'm a terrible troublemaker and I adore teasing my two teenagers .... when cooking ox tongue I get my kids to wash and prepare the tongue ... the look on their faces is a classic.... all those ox sized tastebuds have the most exquisite effect on their sensibilities.... and I absolutely adore thinly sliced calf liver which has been crumbed and pan fried... my local restaurant serves up the most amazing chicken livers in sherry sauce... but this.... I'm not sure about this....

It happens every time a new version of Internet Explorer is released... Web sites break.

Why do they break? Because the sites are coded to detect up to a certain version of IE.  Anything newer than whatever browser version was public at the time a site was coded is either rejected outright, or served a stylesheet that breaks in the newer version of IE.

Even my own blog is affected.  If I manipulate my computer's registry to impersonate Internet Explorer 6 then Community Server works just fine, as you can see from this screenshot...

But, if I reset my computer to Internet Explorer 7's default registry settings, blogging breaks - note the code in the composing window and missing formatting toolbar.

The same thing happens with www.qantas.com.au.  If I set my computer to impersonate IE6 the Awards Booking page works just fine; as soon as I set my system back to IE7 I am refused access ('sorry, but we don't support Netscape')... cripes, they can't even get right the type of browser I am using.

There is absolutely no TECHNICAL reason for the sites in question to detect, and support, only IE6 and a few earlier versions.  Community Server does not break in IE7, and the Qantas site has only very minor CSS issues which, btw, aren't fixed by pretending to be IE6 - sometimes sites will break unnecessarily by serving up inappropriate CSS... Qantas has some minor display issues - note the cut off text:


I've seen **far** worse examples of borked CSS - check this out:


Ok, so the fix for Qantas and Community Server is simple.. instead of coding for up to Internet Explorer 6, code for a particular version of IE and later. As for the site which is using the now mangled CSS... they've got a LOT more work to do.

I have information about how to work around the problems caused by sites that mistreat us based on browser version at this URL:
http://www.ie-vista.com/sites.html

The URL also includes links to information useful to Developers.  Come on guys, let's *try* and get this sorted out before IE7 hits gold.  I find it irritating in the extreme that I have to faff around with my registry all the time just so that I can get sites to work that don't even break in IE7 anyway.  The man in the street isn't going to understand what is wrong or know how to fix things.

Update: the SANS Internet Storm Center (ISC) says it is worse than first thought:
http://isc.sans.org/diary.php?storyid=1138

"This actually looks more serious than we initially thought it is. The workaround specified above will prevent Safari from automatically executing the PoC file, but it looks like your machine is still vulnerable and it doesn't need Safari to run this file at all."

Original blog article:
http://msmvps.com/blogs/spywaresucks/archive/2006/02/21/84348.aspx

Edit: Secunia have caught up :)
http://secunia.com/advisories/18963/

Richard Harper spotted this little nasty and sent a heads-up to a mailing list I monitor ....

http://www.heise.de/english/newsticker/news/69862

"The demo attempts to open a Terminal window to display the contents of a folder.  If you are running Mac OS X in its standard configuration and use Safari, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user. At this point, no web pages are known to misuse this vulnerability. However, this could change quickly."

Cross-reference - Mac OS X viruses disclosed:
http://msmvps.com/blogs/spywaresucks/archive/2006/02/17/83978.aspx


Check out this thread started by "Calamity Jane" :
http://www.dslreports.com/forum/remark,15508219

So, it seems the Aussie golden boy Dale Begg-Smith has made his money via some pretty shady dealings.... 

As a person who deals on a far too regular basis with the end-result of PC hijackings, and has had to deal with the end result of underage kids being confronted by porn-themed hijackings, I can only hope and pray that all the attention Mr Begg-Smith is going to receive leads to a major change of attitude on his part.  And, if he wants to join the rest of us in the trenches where we try to get rid of the crap that companies like AdsCPM dump on unsuspecting victims, then his conversion will be welcomed.   I'm betting, though, that he won't cut it - not if he puts money before ethics.

Ok, so Dale managed to ski down a hill real fast... that ain't gonna help him now.  He's been outed.  And the pressure is going to be unrelenting... spyware fighters are known for their tenacity, and a lack of mercy when it comes to going after the bad guys.

Add to that the fact that two major newspapers, the Australian and the Sydney Morning Herald, and news.com.au have picked up the story, and the unable-to-be-contacted Dale isn't going to be able to hide for too long:
http://australianit.news.com.au/articles/0,7204,18182697%5E15331%5E%5Enbv%5E15306%2D15318,00.html
http://spamkings.oreilly.com/archives/2006/02/asterisk_on_popup_moguls_gold.html
http://lukewelling.com/2006/02/17/dale-begg-smith-spam-man-wins-gold/

Here is the whois for adscpm.com - note it was updated on 15 February 2006 - 5 days ago ... if anybody knows how to retrieve the pre 15 February 2006 data, feel free to comment:
http://www.dnsstuff.com/tools/whois.ch?ip=adscpm.com&cache=off

Mr Begg-Smith would like people to focus on his Olympic achievements... ummmm, nope, that ain't gonna happen - not in the circles in which I walk. 

Oh, and if you want to see what the adscpm.com company site was like before it disappeared... look here:
http://web.archive.org/web/*/http://www.adscpm.com

Check this out:
http://web.archive.org/web/20020206051809/adscpm.com/faq.php
"We accept all sites, no matter what."

According to web.archive.org, adscpm.com was last updated in January 2005... at the moment it is not accessible... I wonder why....

On 1 February 2006 adscpm.com was "under construction":
http://64.233.179.104/search?q=cache:QryJmcrPwOgJ:www.adscpm.com/+adscpm&hl=en&ct=clnk&cd=1

Dale, you can run, but you can't hide.  The internet being what it is, you can't change nor hide from history.  Google, web.archive.org and the internet at large make it impossible.

It really isn't that hard... honest... so why do so many techies mess it up?

Luv ya Susan:
http://msmvps.com/blogs/bradley/archive/2006/02/10/83206.aspx

Seriously....on my server, OWA and RWW had not been touched by the previous support company...  here is this kick-ass remote email facility and it isn't touched.... months of grief were endured while "they" tried to get Nfuse and other third party applications working... and the whole time there was OWA, sitting quietly in the background waiting to be noticed... you've gotta wonder what the hell they were thinking.

When I add a new user, I get the option to 'assign' a pre-existent computer to a new user ... and guess what, only those computers which I have added to the domain using connectcomputer are accessible... all others trigger errors centered around the fact that wizards were not used to add them to the domain <sigh>.  Life could be so much easier....

I know... I know... I should be working.. but hey, I'm *always* working!! Cut me some slack here ;o)

Y'all know I did the Star Trek Quiz and ended up as a Picard...
http://msmvps.com/blogs/spywaresucks/archive/2006/02/13/83400.aspx

My perfect ship crew is, apparently, those who grace the Millennium Falcon <LOL>
http://quizfarm.com/test.php?q_id=111863

"The world around you is at war. Fortunately you know how to handle that with the greatest of ease. You are one of the best at what you do and no one needs to tell you that. Now if only the droids could be quiet for five seconds."

I must admit, I had one heck of a crush on Han Solo when I was a teeny-bopper... never did like that blonde wimp Skywalker <gd&r>



I'm trying to find a new IT support provider for my place of work, and its proving to be a challenge.  My current employer seem to have drawn the short straw with their last two choices, and this time we have to get things right.

As noted in my previous blog, when [company name removed to protect the less than innocent] built our SBS server last year they made every employee Domain Admin which is a massive security risk, but that's only one of the problems.
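The "every employee is a Domain Admin" finding here, and the "everybody is a power user" network in the SBS post at the top of this page, are both the same first check when you inherit somebody else's build: who is actually in the privileged groups? Here is an added example (not code from the post or from any of the providers mentioned) that pulls the membership of Domain Admins, Enterprise Admins, local Administrators and Power Users through the ADSI WinNT provider and flags any group that is carrying more user accounts than a handful of admins could account for. It assumes it runs on a domain member as an account that can read the directory; $DomainName is a placeholder for your NetBIOS domain name and the MaxAdmins threshold of 3 is an arbitrary starting point.

```powershell
# Added example (not from the original post): enumerate privileged group
# membership on an SBS/AD network and flag groups that look like "everyone".
# Assumptions: run on a domain member with read access to the directory;
# pass your NetBIOS domain name as $DomainName.
function Get-GroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Scope = $env:COMPUTERNAME   # computer name for local groups, domain name for domain groups
    )
    $group = [ADSI]"WinNT://$Scope/$GroupName,group"
    foreach ($m in $group.Invoke('Members')) {
        # Members come back as raw COM objects; read their properties by reflection.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Group  = "$Scope\$GroupName"
            Member = ($path -replace '^WinNT://', '')
            Class  = $class          # 'User' or 'Group' (nested groups need their own walk)
        }
    }
}

function Get-PrivilegedMembers {
    param([Parameter(Mandatory)][string]$DomainName)
    $checks = @(
        @{ Group = 'Domain Admins';     Scope = $DomainName },
        @{ Group = 'Enterprise Admins'; Scope = $DomainName },
        @{ Group = 'Administrators';    Scope = $env:COMPUTERNAME },
        @{ Group = 'Power Users';       Scope = $env:COMPUTERNAME }
    )
    foreach ($c in $checks) {
        try   { Get-GroupMembers -GroupName $c.Group -Scope $c.Scope }
        catch { Write-Warning "Could not read $($c.Group) on $($c.Scope): $_" }
    }
}

# The pattern from the post: a privileged group whose direct user members
# number far more than the people who should hold that role.
function Test-OverprivilegedGroup {
    param(
        [Parameter(Mandatory)][object[]]$Members,
        [int]$MaxAdmins = 3                  # assumed threshold; tune to your site
    )
    $users = @($Members | Where-Object { $_.Class -eq 'User' })
    return ($users.Count -gt $MaxAdmins)
}

# Usage:
#   $members = Get-PrivilegedMembers -DomainName 'MYDOMAIN'
#   $members | Format-Table -AutoSize
#   $members | Group-Object Group | Where-Object { Test-OverprivilegedGroup $_.Group } |
#       ForEach-Object { Write-Warning "$($_.Name) has $($_.Count) members" }
```

Nested groups (a Class of 'Group' in the output) hide membership from a direct listing, so walk any nested group the same way before deciding the numbers are fine; "Domain Users" sitting inside Administrators is the classic way a whole company ends up with admin rights without anyone's name appearing in the list.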

Applications disappear from *within* a terminal session.  The Citrix session itself keeps running; remote desktop continues to run but the programs being run via remote desktop simply drop out (quite a mystery.... network issues? apps themselves crashing, as distinct from being a Citrix issue per se?)

User profiles are all over the place... some are roaming, some are local, and there is no consistency in their setups.  Various INI files are required for applications to work, but different users have different ini files, in different places.. it's like trying to untangle spaghetti  (groan... where would *you* start)

Some profiles are broken - user specific settings disappear.. printer settings change without warning, everybody's default printer will suddenly change to the photocopier or Adobe PDF Distiller.  Default paper size will change from A4 to Letter. (Mostly fixed, but for a few users still comes back to bite me in the butt - AND, if I reboot my SBS box and Windows 2000 Server hosted terminal servers, nearly everybody gets hit :o(  )

Word toolbars disappear, macros suddenly stop working, integration between various apps suddenly breaks then the next day start working again with no intervention from me (can't work out what's wrong here...)

Application integrations work on one server, but not on the other, but different things are broken depending on the user (or here)

Lots of little workarounds have been set up for individual users but there is no documentation about what was done or why. 

Am I tearing my hair out trying to work out WTF is going on?  Hell yes.

VPN was implemented, but in such a way that ADSL was broken... Instead of the ADSL modem controlling the connection they made the modem a bridge, and handed control over to ISA (which left me with an "ADSL has limited or no connectivity" alert in my System Tray).  Also, right from the minute the change was made it was noted that if ADSL dropped out for any reason, more often than not it would not automatically reconnect (which, of course, is a bad thing over the Christmas break when people want to work remotely) but things were left as they were.  By rights the changes should have been rolled back.  VPN wasn't a critical requirement - maintaining an always-on connection was. (Now fixed...took 30 minutes to do...)

The internal tape drive in the new SBS server was plugged into the RAID controller instead of a SCSI card, leading to inevitable write errors that remained unresolved for FOUR MONTHS.  Imagine, four months with no backups.  (Also fixed... cause of error took 5 minutes of googling to find ... the previous IT company was not able to work out what the problem was because????)

The IT support guy for one particular piece of software that we use expressed his frustration to me when he complained that the problem I had come to him for assistance with had been a regularly recurring one caused by a basic misconfiguration.  His exact words? "I have told your last two IT providers not to do ********* but it keeps on happening anyway"... (that just says it all, doesn't it).  He wasn't reassured by my promise that everything is now being documented, and that the problem won't recur, and I can't blame him for his cynicism.

How I'd love to flatten the SBS server (and everything else) and start from scratch, but the reality is a major financial investment was made to build it less than a year ago, and despite the fact that a terribly bad job was done, asking a business to shell out *twice* in less than 12 months for the same thing ain't gonna win any friends.  With no documentation about how things were done, or why, or about problems encountered, or the reasons behind various tweaks, or what *shouldn't* be done, we'd truly be starting from scratch.

My tale of woe about badly built servers, sloppy implementation of software and hardware, and a lack of documentation is not an isolated incident.  I was at a BBQ last week and got into an interesting conversation with an accountant.  He tells me that a big topic of conversation at any get-together he attends is IT providers because, as he said, everybody is having problems with "bad" support.  Invariably the bad experiences recur when they change providers.

From what I've seen of what's available in my town, there is a real problem with the quality of IT support.  There's book learning, and an understanding of theory, but the ability to properly apply said knowledge is often lacking.  Too often technicians address individual symptoms without going after the source of a problem - they're reactive instead of proactive.  There is an awareness of the various features and abilities available with various software products, but too often technicians don't seem to think things through or ask themselves if their ideas are what is best for the business.  I mean, why overcomplicate things and mess around with Citrix ICA, VPN, published applications, remote desktop and Nfuse simply so that somebody can read their email from home, when you have a brand new, well specced SBS server with OWA already built in?  Is it a lack of experience? Is the standard of education and training lacking?  Are we missing experienced mentors who are willing to take trainees under their wing and teach them how to do things well, to see the big picture, and be proactive instead of reactive? 

Another guest at the BBQ said to me that he'd never been able to understand why I didn't go into business for myself to try to improve the standard of technical support.  I'll be honest.. my area of expertise is very specialised and I don't have the skill-set required to go into business for myself.  I bring value to my employers because I am lucky enough to know, and am honored to be able to claim as my friends, the best in the business when it comes to supporting various Microsoft products - I can call them in to help me get things sorted - I'm more cat-herder than fixer.   

Sadly those I consider to be the best of the best are all based thousands of miles away.  Now if *they* came to town I'd go into business with them in a heartbeat - we'd really shake things up.  In the interim, though, the search continues for a local IT support provider that I can trust to do a good job.
