February 2006 - Posts

Ok, I've joined the dark side... been borgified... assimilated... absorbed... whatever you want to call it.

Put in an order today for a brand spanking new SBS server via a good friend, Wayne Small, SBS MVP.  Ahhhhh, some are so disappointed that I succumbed so easily to the siren-call that is SBS.... but I digress ;o)

BORING!!!!! say my patient readers.. "not really" says I.... there is a point to this article....

Coincidentally, I received an email today via www.ie-vista.com asking for assistance with an SBS2003 network.  All users use the same username/password... but the 'bosses' on site have their own IDs... and all are power users.  All use Sharepoint for essential calendar sharing etc.

The question; how do we block internet access for the general users, but not the doctors - remembering they are all part of the same security group ... this could be fun.

Imagine... everybody is a power user... theoretically, all it takes is *one* employee, going to *one* bad site, and your network is owned......I don't care how busy you are.....are you so busy that unique log-ins are too much bother?

This article caught my eye a short while ago; Alun is a regular commentator in my blogs, and invariably has something interesting to say:

AOL, Yahoo introduce "pay to spam" service (5 February 2006)
http://msmvps.com/blogs/alunj/archive/2006/02/05/82634.aspx

I agree with Alun's opinions on AOL and Yahoo's idea - but one thing does occur to me.  About four years ago I walked into a new job, only to discover that the mail server (they were running Novell and GroupWise) was set as an open relay - so much crap was being pumped through that server (the spammers were smart enough to send their wares outside of business hours), and the NDR load was so great, that the poor server was being brought to its knees every night.  This server was being actively cared for by an IT outsourcer... damned if I know why they didn't spot what the hell was going on.

At the sort of volume I saw on that poor server, paying AOL and Yahoo could get expensive very quickly. 

The last time I looked into this sort of thing, popular opinion was that around 90% of all spam was being sent out via compromised home PCs... Mum and Dad or Grandma and Grandad's PC with a broadband internet connection and no firewall, or firewall neutralised by malware infection.  The heavy duty spammers who use open mail relays and compromised home PCs won't bother paying AOL and Yahoo 1/4 or 1 cent per mail when they can pump the stuff out for free.

...see, I don't read the Microsoft Switzerland Security Blog just because I'm Swiss... they come up with gems that don't appear on their US equivalent's site...

http://blogs.technet.com/ms_schweiz_security_blog/archive/2006/02/26/420586.aspx


Those of you who have been reading my Blog for a while will remember how my very first nephew, Jordan Blake, was born by emergency caesarean back in October last year, and how I made a flying visit to Melbourne to see him, and his Mum and Dad... just in case....


Flashback picture

Young Jordan is doing brilliantly - just look at him now - a much loved little boy:


Jordan, photo taken the day before my 40th birthday

Windows Update is the classic update service that only offers updates for Windows.  Microsoft Update extends this service to cover other Microsoft programmes including, but not limited to, Office, Exchange and SQL (disclaimer: if you use Office 2000, or if your copy of Office was installed in "per user" mode, you will need to continue using Office Update - more information at the URL below):
http://support.microsoft.com/Default.aspx?id=907380.

How do we tell if we are using Microsoft Update or Windows Update?

First, if you are using Microsoft Update there will be an extra entry in your Program Menu.  The Microsoft Update menu option will only appear in the Program List if it is in use. 


If you are using Microsoft Update, it should be noted that the Windows Update link will also take you to Microsoft Update.  This behaviour sometimes causes confusion: a user recently said, in an email discussion I took part in, that because she had clicked on the Windows Update link she expected to be taken to Windows Update, and did not realise she was actually at Microsoft Update - it was her confusion that prompted this article.

Second, we can look at the picture immediately above the Express and Custom scan buttons:

Microsoft Update graphic


Windows Update graphic

The difference is subtle.  Perhaps MS should include some color cues or a different icon to cater to those who skim the content of a page.

Swapping between Microsoft Update and Windows Update

Swap from Windows Update to Microsoft Update

Click on the Microsoft Update link as displayed in this screenshot:

or... click on the option to the right of the screen:


Click on Start Now, then Continue.  You may next be prompted to change your Automatic Update settings (not compulsory), then click on Check for Updates.

Swap from Microsoft Update to Windows Update

Click on the Change Settings menu item:

Scroll all the way down and put a tick in the box.  Click Apply changes now.  You'll be asked if you're sure, confirm your choice and then you're done.  The Microsoft Update entry will be removed from the Program Menu.
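The two procedures above are driven through the web page and the Program Menu, which is exactly what caused the confusion described earlier.  As an added example (not from the original post, and not Microsoft's documentation), the same check and swap can be done from the Windows Update Agent COM API, which is what the web page talks to behind the scenes.  It assumes a Windows Update Agent that exposes `Microsoft.Update.ServiceManager`, and it uses the well-known Microsoft Update service GUID shown in the script; run it from an administrator account, since registering or removing a service is a machine-wide change.

```powershell
# Added example: inspect and switch the update source via the Windows Update
# Agent COM API instead of clicking through the Windows Update web page.
# Assumed: Microsoft.Update.ServiceManager is available (WUA 2.0 or later) and
# the GUID below is the well-known Microsoft Update service identifier.
$MicrosoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Get-UpdateServiceStatus {
    # Report which update services are registered and which one Automatic
    # Updates uses by default. "MicrosoftUpdateIsDefault = True" is the
    # programmatic equivalent of seeing the Microsoft Update graphic.
    $sm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $mu = $sm.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateId }
    $default = $sm.Services | Where-Object { $_.IsDefaultAUService }
    New-Object PSObject -Property @{
        MicrosoftUpdateRegistered = [bool]$mu
        MicrosoftUpdateIsDefault  = if ($mu) { [bool]$mu.IsDefaultAUService } else { $false }
        DefaultServiceName        = if ($default) { $default.Name } else { '(none)' }
    }
}

function Enable-MicrosoftUpdate {
    # Equivalent of "Swap from Windows Update to Microsoft Update".
    # Flags 7 = allow pending registration (1) + allow online registration (2)
    #           + register the service with Automatic Updates (4).
    $sm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $sm.ClientApplicationID = 'blog-example'   # label only; value is arbitrary
    [void]$sm.AddService2($MicrosoftUpdateId, 7, '')
}

function Disable-MicrosoftUpdate {
    # Equivalent of "Swap from Microsoft Update to Windows Update": drop the
    # Microsoft Update registration so Automatic Updates falls back to
    # Windows Update (the Program Menu entry disappears with it).
    $sm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $sm.RemoveService($MicrosoftUpdateId)
}

# Usage: check first, change only if needed, then verify.
$before = Get-UpdateServiceStatus
$before | Format-List
if (-not $before.MicrosoftUpdateIsDefault) {
    Enable-MicrosoftUpdate
    Get-UpdateServiceStatus | Format-List
}
```

The status check is the part worth keeping around: on a machine where Office or Exchange patches seem to be missing, `MicrosoftUpdateIsDefault` being `False` tells you in one line that the box is still on plain Windows Update, without having to squint at the graphic.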


http://www.microsoft.com/windowsvista/features/forhome/mail.mspx

Phishing filter
Quick Search (Word Wheel)
Junk Mail Filter

The phishing filter is seriously cool, as is Quick Search (which works the same way as the search pane used by Internet Explorer 7 when displaying RSS).

Here's hoping the powers that be will get serious now that the IRS is being impersonated.... the bad guys are getting overconfident if they feel safe impersonating Government departments like the Department of the Treasury - screenshot at link below:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=372

Castlecops also have a writeup (no screenshot):
http://castlecops.com/a6537-IRS_Phish.html

This isn't a new phish - you'll note the Websense alert is dated December - it's a resurgence ;)

http://australianit.news.com.au/articles/0,7204,18245495%5E15306%5E%5Enbv%5E,00.html

"GOOGLE infringed copyright by posting thumbnail photos from other websites on its search results pages, a US judge has ruled."

http://www.sophos.com/pressoffice/news/articles/2006/02/inqtanafix.html

Ok, so Sophos says "this update was flawed, and Mac OS X users may have been mistakenly warned by Sophos Anti-Virus for Mac OS X that some files on their computers were infected with the worm"

What an exquisite understatement for the chaos this stuff-up caused .... here's what some affected users say:
http://my.simmons.edu/services/technology/archives/2006/02/this_is_an_aler.shtml

"Users of Simmons Macintosh computers should immediately disconnect their computers from the network.

There is a virus spreading throughout campus that disables Microsoft Office (Excel, PowerPoint and Word). We do not yet know how the virus is spreading. Sophos Antivirus has an update that identifies the virus, but does not yet disinfect.

Because we do not know how it is spreading, the only prevention we have is for Macintosh computers to stay off the network."

Followed by...

http://my.simmons.edu/services/technology/archives/2006/02/mac_users_shut.shtml

"Whether you are using a Simmons Macintosh, or your own Macintosh computer, please stop using your computer, and shut it down immediately.

There is a virus spreading throughout the Internet and the Simmons network. It appears to affect the Microsoft Office suite, but Sophos Antivirus may be misidentifying some files as infected that are not infected. This misidentification further complicates the problem and may result in disabling your computer."

Then....

http://my.simmons.edu/services/technology/archives/2006/02/mac_users_start.shtml

"Unfortunately, while Sophos Antivirus was malfunctioning, it may have “broken” some of the software on your computer. Once the Sophos update is done, please try to use the software on your computer that you normally use. You may find that one or more applications no longer work. For example, Microsoft Word may tell you that a component of the software is missing and you have to reinstall."

And this:

http://groups.google.com/group/comp.sys.mac.comm/tree/browse_frm/thread/12ab6933b337173c/3ce08e746b457230?rnum=1&q=sophos+false+positive&_done=%2Fgroup%2Fcomp.sys.mac.comm%2Fbrowse_frm%2Fthread%2F12ab6933b337173c%2F3ce08e746b457230%3Flnk%3Dst%26q%3Dsophos+false+positive%26rnum%3D1%26#doc_3ce08e746b457230

"The results of the false positives are, in some cases, disastrous... Many of our campus computers have lost access to their Microsoft and Adobe products. We're having trouble reinstalling them because they immediately get re-infected. ... Sophos' AntiVirus software is generating false positives for the "OSX/Inqtana.B worm", invoking users to delete critical application and system files and causing serious issues...it destroys office 2004... even with a reinstall, office doesn't work"

Sophos did not just "mistakenly warn" users that some files were infected on computers.

I'm seeing reports that not only was Office 2004 affected, but also Office X and some Adobe products.

By the way, that bit where Sophos says "less than two hours later".. according to those affected by this problem, it was over four hours...

It sure as hell isn't a legitimate site anymore... please, don't go there unless you're using IE7, or a well patched IE6... better still... add www.msnbc.co.uk to your Restricted Sites zone before going anywhere near it (hyperlink neutralised).  I don't know what may happen if you visit that site unprotected (or the links it advertises) ... better to be safe than sorry.
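Adding a site to the Restricted Sites zone is a per-user setting that Internet Options writes under the ZoneMap registry key, so it can be scripted and, just as usefully, audited.  The following is an added example (not from the original post) that does both: it adds a host to zone 4 (Restricted sites) the same way the dialog does, and it lists every host that has been mapped to any zone, which is how you spot malware that has quietly added itself to Trusted Sites (zone 2).  It assumes the standard `HKCU\...\Internet Settings\ZoneMap\Domains` layout, the zone numbering 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted, and that the registrable domain (e.g. `msnbc.co.uk`) is passed separately from the host label (e.g. `www`), which is the split the dialog itself stores.

```powershell
# Added example: manage and audit the Internet Explorer ZoneMap for the
# current user. Assumed: standard ZoneMap layout under HKCU and the usual
# zone numbers (1 intranet, 2 trusted, 3 internet, 4 restricted).
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Add-RestrictedSite {
    # Map $HostLabel.$Domain (or just $Domain) to zone 4 for every scheme.
    # The dialog stores Domains\<domain>\<hostlabel> with a value named after
    # the scheme; '*' means all schemes (http, https, ftp).
    param(
        [Parameter(Mandatory = $true)][string]$Domain,      # e.g. msnbc.co.uk
        [string]$HostLabel                                   # e.g. www (optional)
    )
    $path = Join-Path $ZoneMapRoot $Domain.ToLower()
    if ($HostLabel) { $path = Join-Path $path $HostLabel.ToLower() }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name '*' -Value 4 -PropertyType DWord -Force | Out-Null
    return $path
}

function Get-ZoneMapEntries {
    # Walk Domains\<domain>[\<label>...] and rebuild each host name from the
    # key path, reporting which zone each scheme value assigns it to.
    if (-not (Test-Path $ZoneMapRoot)) { return }
    Get-ChildItem -Path $ZoneMapRoot -Recurse | ForEach-Object {
        $key = $_
        # $key.Name is the full registry path; keep only the part after '\Domains\'
        $rel = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        $parts = $rel.Split('\')
        [array]::Reverse($parts)            # Domains\co.uk\... style nesting reads bottom-up
        $hostName = $parts -join '.'
        foreach ($valueName in $key.GetValueNames()) {
            $zone = $key.GetValue($valueName)
            New-Object PSObject -Property @{
                Host   = $hostName
                Scheme = $valueName
                Zone   = $zone
                ZoneName = if ($ZoneNames.ContainsKey([int]$zone)) { $ZoneNames[[int]$zone] } else { "unknown ($zone)" }
            }
        }
    }
}

# Usage: apply the post's suggestion, then audit. Anything sitting in
# 'Trusted sites' that you did not put there deserves a closer look.
Add-RestrictedSite -Domain 'msnbc.co.uk' -HostLabel 'www' | Out-Null
Get-ZoneMapEntries | Sort-Object Zone, Host | Format-Table Host, Scheme, ZoneName -AutoSize
```

The audit half is the more interesting one for a cleanup: a host in zone 2 that the user never added is a common leftover from adware, because Trusted Sites runs with far looser ActiveX and scripting settings than the Internet zone.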

Believe me, this is not the first URL that has been grabbed by search engine purveyors hoping to cash in on "guess-timates" about the URLs of legitimate sites.  Ages ago a site targeting MSN Groups (legitimate URL being groups.msn.com) actively attempted to infect users with malware.  The site in question, thanks to my efforts, and the efforts of other anti-malware fighters, was shut down... Another popular site, macemail, that supported users of Mac computers, was taken over by a "pop up stopper" years ago, as was a well known Publisher (or was it PowerPoint) support site.

Please guys, be careful out there ok?  The bad guys will try every trick in the book to fool you into visiting them.. phishing... taking advantage of mistyped URLs... whatever they think will work.

Those of you that own popular domains ... protect them.  Make sure that nobody can steal them from under you, because if the bad guys can grab your domain when it falls due for renewal, they will... and you won't get it back unless you're willing to pay $$$$$ for it.

Very interesting reading:
http://robertmoir.com/blogs/someone_else/archive/2006/02/21/2109.aspx

Check out this thread:
http://www.msghelp.net/showthread.php?tid=55990&page=1

It contains the most amazing bullshit... is it surprising that malware has such a hold when such justifications.... such bullshit... ok, I'm getting grumpy here.. hands off keyboard.

Look at this:
http://msmvps.com/blogs/spywaresucks/archive/2005/12/05/78084.aspx

Let me tell you something... Patchou's version of lop.com may, according to him, be modified, and "harmless" according to some of the we-love-patchou naivettes in his forum, but I tell you right now that it isn't modified enough to stop underage kids being exposed to the crap exposed in my blog entry above.  Patchou has my email address.  Those behind lop.com have my email address - I know - I have emails that prove that they know how to get in touch with me - so, *if* they have fixed things there is no excuse for not emailing me to tell me.

Do you think it is ok to hide behind an EULA?  I don't.

Honestly, the msgplus thread above is indicative of the ridiculous, inane, uninformed, uneducated commentary that is the norm for msgplus supporters.

I ask you, in all of the crap in that thread.. the insults about how the OP was bored with "Mimesweeper" and all the other inane insults ... how often is the actual issue addressed.... the issue being the *fact* that msgplus uses lop.com as a sponsor... forget all the Paris Hilton bullshit..how many concerns have been addressed and how many have been yelled down by http://redwing.hutman.net/~mreed/warriorshtm/howlers.htm or http://redwing.hutman.net/~mreed/warriorshtm/swarm.htm.

Patchou says that "the lop package, in general, is safe to install".  All I can say is BWWWWWWWWWWWWHAHAHAHHAHAHAHAHA. Just who are you kidding?
