Archive for May, 2007

Forwarding emails could be illegal

First, it’s not that receiving a forwarded joke or the like is illegal, but that the act of passing on an e-mail written in assumed confidence could be. I caught wind of this on CNN Money. The research was done by Ned Snow, a law professor at the University of Arkansas.

There are a couple of things that spring to my mind in regard to this. The big one is that if bloggers, consumer rights advocates, or others are limited in what they can post or make known from e-mails they received, it could be another hurdle for such groups to overcome. I’m sure (or just hoping) that there are or would be laws and regulations allowing individuals to make e-mail correspondence known when it is something like this.

I guess the question that needs to be asked is this: what, if anything, protects post mail from being scanned and posted online? Whether there is something or nothing, I would assume the same holds true for e-mail. I guess the thing that causes the biggest issue is that e-mail has also been used to replace company memos, newsletters, reports, etc., and that is what makes e-mail different from regular post mail.


Malware: My Cv.exe and others

On campus we had a nice piece of malware appear on some computers in the Bowen-Thompson Student Union. My sample required that I open a file that was either on the desktop or on a USB drive. It was made to look like a Microsoft Word document, and unless you had file extensions shown, you would assume it was a .doc when it was actually an .exe. Once opened, the malware would infect the C:\ drive and the USB drive with at least 3 files I am sure of, apply a handful of policy settings, and make other changes to the registry. One of my student workers, Matt Sigley, assisted me in determining which files and settings were added or changed.

I would have expected Google to give me a better answer, but I was really unable to find anything that met my search criteria. As a result, I’m posting this here so that others can see what needs to be done. This is as complete a list as we were able to determine, and the machine otherwise appears to be clean. I do not take responsibility if you remove files or change a setting you need as a result of these items, but again, it worked for us.

Remove
------------------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 01 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools: 01 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Nofolderoptions: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disable: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Run\winxp: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
C:\WINDOWS\winxp.exe
C:\WINDOWS\winword.exe
C:\Win Firewall.txt
C:\The Science of becoming Rich.exe
C:\My Cv.exe
C:\The Biography of Adolf Hitler.exe
Also possible: C:\Database.exe
Also possible: C:\Tasks.exe

Change
------------------------------------------------
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\lnkfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\lnkfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\exefile\: "File Folder"
to
HKLM\SOFTWARE\Classes\exefile\: "Application"

HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\WINDOWS\winxp.exe""
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winxp.exe"
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000001
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000000

The keys that begin with HKU\S-1-5-21- may have different numbers than those listed above, but just keep going and ignore whatever you have in place of 1482476501-1606980848-1957994488-1003. Also, if you have any other iterations, such as HKU\S-1-5-22-, HKU\S-1-5-23-, etc., check those directories and keys as well.
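An added example, not from the post or the tools its author used: a read-only PowerShell audit that walks the locations listed above and reports any whose data differs from the stock Windows value ("%1" %* for the shell-open handlers, explorer.exe and userinit.exe for Winlogon, cmd.exe for the Safe Mode shell, and 0 or absent for the policy DWORDs). It assumes PowerShell is available on the machine being checked, and it only reports; the removals and changes above are still done by hand.

```powershell
# Added example, not from the original post: a read-only audit of the registry locations the post
# lists, comparing each against its normal Windows value. Run elevated on the suspect machine; it changes nothing.
$findings = @()
function Add-Finding($Path, $Name, $Actual, $Expected) { $script:findings += [pscustomobject]@{ Path = $Path; Name = $Name; Actual = $Actual; Expected = $Expected } }

# Shell-open handlers: anything other than "%1" %* proxies every launch through another binary
# (lnkfile normally has no such value at all, so only a present, non-default value is reported for it).
foreach ($ext in 'exefile', 'comfile', 'batfile', 'piffile', 'lnkfile') {
    $p = "HKLM:\SOFTWARE\Classes\$ext\shell\open\command"
    $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'(default)'
    if (($null -eq $v -and $ext -ne 'lnkfile') -or ($null -ne $v -and $v -ne '"%1" %*')) { Add-Finding $p '(default)' $v '"%1" %*' }
}

# Winlogon: Shell must be explorer.exe alone; Userinit must be userinit.exe alone (its trailing comma is normal).
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wp = Get-ItemProperty -Path $wl
if ($wp.Shell -ne 'explorer.exe') { Add-Finding $wl 'Shell' $wp.Shell 'explorer.exe' }
$ui = @($wp.Userinit -split ',' | Where-Object { $_.Trim() -ne '' })
if ($ui.Count -ne 1 -or $ui[0].Trim() -ne "$env:SystemRoot\system32\userinit.exe") { Add-Finding $wl 'Userinit' $wp.Userinit "$env:SystemRoot\system32\userinit.exe," }

# Safe Mode shell in every control set: the Windows default is cmd.exe, not a file under C:\WINDOWS.
$sets = @('CurrentControlSet') + @(Get-ChildItem HKLM:\SYSTEM | Where-Object { $_.PSChildName -like 'ControlSet0*' } | ForEach-Object { $_.PSChildName })
foreach ($cs in $sets) {
    $p = "HKLM:\SYSTEM\$cs\Control\SafeBoot"
    $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).AlternateShell
    if ($v -ne 'cmd.exe') { Add-Finding $p 'AlternateShell' $v 'cmd.exe' }
}

# Policy DWORDs the malware sets to 1, plus its Run entry. Only hives of logged-on users are mounted under
# HKEY_USERS; load the others with "reg load" (or audit from a boot CD as the post did) to cover every profile.
$userHives = @(Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } | ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
$checks = @(
    @{ Roots = @('HKLM:'); Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system';   Names = 'DisableTaskMgr', 'DisableRegistryTools' },
    @{ Roots = @('HKLM:'); Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'; Names = @('NoFolderOptions') },
    @{ Roots = @('HKLM:'); Key = 'SOFTWARE\Policies\Microsoft\Windows\Installer';               Names = 'LimitSystemRestoreCheckpointing', 'DisableMSI' },
    @{ Roots = @('HKLM:'); Key = 'SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Names = 'DisableConfig', 'DisableSR' },
    @{ Roots = @('HKLM:'); Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore';  Names = @('DisableSR') },
    @{ Roots = $userHives; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';  Names = 'NoClose', 'NoFolderOptions' },
    @{ Roots = $userHives; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';    Names = 'DisableCMD', 'DisableTaskMgr', 'NoDispCPL', 'DisableRegistryTools' },
    @{ Roots = $userHives; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp'; Names = @('Disable') },
    @{ Roots = $userHives; Key = 'Software\Microsoft\Windows\CurrentVersion\Run';                Names = @('winxp') }
)
foreach ($c in $checks) {
    foreach ($root in $c.Roots) {
        $p = "$root\$($c.Key)"
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        foreach ($n in $c.Names) { if ($props -and $props.$n) { Add-Finding $p $n $props.$n '0 or absent' } }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No deviations from the expected values found.' }
```

Any row it prints is one of the removals or changes in the lists above; an empty report after cleanup is the check that nothing on the list was missed.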

Some comments about the files it makes

The only .exe files I had were C:\The Science of becoming Rich.exe, C:\My Cv.exe, and C:\The Biography of Adolf Hitler.exe; the two listed as possible were reported to me by our network security people. The files created by the malware were C:\WINDOWS\winxp.exe, C:\WINDOWS\winword.exe, and C:\Win Firewall.txt. That last one tries to mislead you by listing some information about two pieces of malware, so this one could be a derivative work of either or both of those. Based on my Google Web History, I believe they were rontokbro and sircam, as I no longer have a copy of that txt file. However, when looking to see what those could do, I found none of their signatures on the computer. There’s also the fact that C:\WINDOWS\winxp.exe is typically related to bagle. This is also one of the few cases where C:\WINDOWS\winword.exe is related to the malware.

The other thing to keep an eye out for is that if you try to run a program while infected, let’s say Firefox, you may end up with some files in C:\Program Files\Mozilla Firefox or elsewhere on the hard drive. Fortunately, it’s easy to find exactly where they go, as they share the same file size and creation date as winword.exe and winxp.exe, so you may just have to do a search to find all of them.

Overall, we used the following programs to keep track of what was happening and/or resolve things:

  • We did have to use the UBCD in order to get access to these files and the registry, as the malware hooks the registry tools and the .exe file associations so that anything you run goes through the malware first. If you tried booting into Safe Mode, you’d also be running the malware, which would still keep you from getting to regedit easily. We used RegEdit (Remote) to change the registry.
  • We used Regshot to track what the registry looked like before and after the infection happened, though we did have to use the UBCD to make the exefile change listed above before any .exe would run.
  • While it gave much the same information as Regshot, Deckard’s System Scanner was also used instead of just HijackThis.
  • We also used a program to fix IE and the Explorer shell, just to be sure. I’m not sure if we made it or found it, but we call it FixShell.bat.

Brief comments on the Digg/HD-DVD hack

Someone messaged me to get my opinion on the Digg/HD-DVD issue, and here’s what I quickly came up with.

I have a few things to say; the things that make this interesting include:

  • the number of posts that then included “the hack” in their titles, descriptions, or comments
  • the fact that this appears to be a “flash in the pan” meme that is taking off elsewhere on the web, such as the multiple appearances on ytmnd.com and a variety of songs and poems, a la the Streisand effect
  • that digg did a 180 on their original stance due to the actions of the community
  • that Kevin Rose’s post had over 11000 diggs when I looked at it Wednesday morning, 12000 about an hour later, 27000 when I discussed it with some student workers in the afternoon, and now (11:00 PM EST) sits at 32721 after being initially dugg almost 21 hours and 34 minutes ago by Kevin Rose. (On a side note, it became popular 3 minutes later.)
  • that those on Digg are willing to fight it out now that their users have declared their desire

Those are just some things that spring to mind. Really, I’ve been taking some time away from Digg and hadn’t checked it as much lately. Even so, I would have missed this entirely if it weren’t for the attempt to hide the information blowing up in such a tremendous fashion.

Map of Online Communities

Today’s xkcd comic is shown below.

[Image: xkcd, Map of Online Communities]

Both this and the Map of the Internet are probably going to be ordered today/tomorrow from the online store.

Digg and the HD-DVD hack

Numerous stories about the HD-DVD hack were being posted to Digg yesterday, and soon afterwards Digg was contacted by the owners of the HD-DVD intellectual property with a request to take the posts down. Digg did so, but once users realized what was happening, all sorts of stories were being posted that contained the hack code in their title, description, and comments. This prompted Digg to change their stance on the matter, and in his post on the Digg blog, Kevin Rose said

But now, after seeing hundreds of stories and reading thousands of comments, you’ve made it clear. You’d rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won’t delete stories or comments containing the code and will deal with whatever the consequences might be.
