April 2006 - Posts

Cool. They're getting rid of the skyscraper advertisement to the right of the reading pane - never liked that ad:
http://www.shahine.com/omar/CommentView,guid,e6507db5-20d7-4727-83aa-a7c89a36640f.aspx

A brief article has just gone live at the Handlers Diary at the SANS Internet Storm Centre under the title "Relay Reject Woes":
http://isc.sans.org/diary.php?storyid=1299

Pity that poor guy putting all that time and effort into fighting the spam-bots. 

The article brings to mind my experiences about 6 years ago; I'd just started taking care of a client's server running Novell and GroupWise.  Every night their server had been crashing and/or running extremely slowly, and their current IT provider was unable to work out what the problem was.  They threw money at that server - more RAM, bigger hard drives, upgrading software, etc. - to no avail.

It didn't take long for me to work out what was going on; mail relaying was enabled on the server (back in those days mail relaying was enabled by default) and said server was being brought to its knees every night by the spam load being pumped through it and the inevitable NDRs that were being generated.  The server was on every blacklist in existence and, of course, postmaster@ was not being monitored.  Damned if I know how the situation could have escaped the attentions of the IT support provider.

Ok, so I turned mail relaying off, but that did not resolve the situation.  Sure, it stopped the spam from being relayed, but it didn't stop the stuff from being accepted in the first place and dumped into the BAD directory.  The server was STILL under an amazing load, and guess who had to pay the cost of the bandwidth being used.

Fast forward to the current day and another server, this time running SBS.  This time there is no mail relaying enabled but we are still the recipient of ridiculous loads of spam.  Again, time and effort is devoted to trying to stem the flood - users are complaining about the level of spam getting into their inbox.  Now that Exchange has mail filtering the job is easier, but it still takes up way too much time.  Being a law firm, no email can be automatically deleted.  Every single filtered message must be checked to ensure it is not a legitimate email, and NDRs must be enabled :o(

It irritates me that so much spam is getting to me unimpeded.  It irritates me that so much of that spam is coming from spam-bots owned by home users.  But there is little that *I* can do to solve the problem.  The problem has to be solved at the source, not the destination.

Then there are the baddies trying to log into my server for nefarious purposes using names like 'webmaster' or 'postmaster' or 'admin' or 'asdfasdf' (yeah right, like that last one is gonna work) or 'Pete' or 'Fred' or 'Sam'. 

It irritates me that so much time and effort and cost is expended fighting the bad stuff.  Go..away..and..leave..my..server..alone.

I've just been reading this article about the latest "ransomware" to hit the streets:
http://www.viruslist.com/en/weblog?weblogid=185454886

I'm sure Kaspersky will forgive me for quoting the sections pertinent to this post:

"I think we have an interesting development going on here, I think there are two different types of ransomware.   Real ransomware, which encrypts your data or does other nasty stuff.  And malware which claims to do all sorts of nasty stuff but actually doesn't. It's bluffing, like bluff poker.
...
Ransomware has gotten quite some media attention and now criminals are trying to simply bluff people into giving up their money, instead of having to write difficult code."

Writing difficult code... it's a good point.  It's amazing how much stuff out there nowadays is being created by script kiddies using various tools to generate their wares.  There was a virus generator around for a while (not sure if it still is) and a rootkit generator as well.  But, when push comes to shove, those script kiddies ain't that good - without the generators they use they wouldn't be able to do what they're doing.

The capabilities of malware, and of malware writers, have been a high point of focus for me lately.  It's been said that if we lock things down in one way the bad guys will simply find a way around our defences.  But, when I read things like the Kaspersky article, it reminds me that a lot of the stuff out there won't adapt to new defences.

The quick money.. the easy money.. that's what the vast majority of bad guys are after.  Sure, there are "professionals" out there (popular sentiment placing them in Russia and other eastern bloc countries) who write very sophisticated malware that can be extremely difficult to remove, and a small percentage of such malware is able to get through our firewalls, but what percentage of the bad guys out there have such abilities?

It has been said that if we introduce a particular security feature, then the bad guys will see that feature and bypass it anyway.  I've been thinking about that sentiment over the past few days.  I've come to realise it's a pervasive mindset, but it's one that I'm finding hard to settle in my mind as ok.   Are we correct to *not* block 95% of the bad stuff via outbound filtering simply because 5% may get through anyway?  If we do block that 95%, how long will it take before it adapts and neutralises our measures?  Will it adapt at all?

I can understand how forcing the bad guys to increase their level of sophistication is a bad thing - as the bad guys get better at what they do, and bypass more and more of our security measures, the battle gets harder and harder for us to win.  But, at the same time, without that crossing of swords we wouldn't have seen the security improvements that we now have the benefit of - a lot of software either would not have come to be, or would not have been improved.

Error message when you start Internet Explorer 6 on a Windows XP-based computer: "Runtime Error! Program: C:\Program Files\Internet Explorer\IEXPLORER.EXE"
http://support.microsoft.com/default.aspx?scid=kb;en-us;916245

(I am wondering if the above should refer to iexplore.exe, not iexplorer.exe - there is malware that uses an executable called iexplorer.exe, but that doesn't seem to be the target of this article despite the reference to running a spyware check at the end of the article).

*****************

FIX: An access violation may occur when you use Internet Explorer 6 to visit a Web page that uses HTML Components to do DHTML scripting
http://support.microsoft.com/default.aspx?scid=kb;en-us;910645

The Web site www.itnews.com.au has highlighted a Russian 'smartbomb' for purchase that allegedly targets unpatched PCs:
http://www.itnews.com.au/newsstory.aspx?CIaNID=31952

According to itnews, Websense has reported that 1,000 sites are using the smartbomb, which can be purchased for as little as US$10.00.

The worrying thing that caught my attention about the report is that according to the statistics from just one attacker site, over 1,770 PCs were successfully compromised via a vulnerability that was patched back in April 2003!!!  I find it amazing that there are still computers out there that are vulnerable to an exploit that was patched three years ago.

The second most successful exploit for the highlighted attack site was one that targeted createTextRange, which was patched on April 11 - Websense reports that 1,507 PCs were compromised via that vulnerability.

There is only so much that we, as computer professionals, can do to protect people from themselves. Sooner or later every computer owner has to take responsibility for their own PCs, for their own security, and for their own education.

We're having an interesting discussion in a security focused mailing list at the moment about reports that Windows Vista's outbound firewall abilities will be disabled by default because the corporate end of town wants it that way.

Some of the reasons given for why the decision is ok are, to me at least, staggering - for example:

1. The average user is not going to be interested or will freak out;
2. Stuff may get through anyway;
3. If you force them to learn they'll start using another OS;
4. The public doesn't want to be educated;
5. Computer manufacturers/ISPs won't like the cost of supporting confused users.

So.... computer manufacturers/ISPs won't like having to wear the cost of support calls - big deal.  Let's think about cost.  How much money do you think is spent fighting, for example, spam? Spam that comes from compromised home computers?  How much money has been and continues to be spent by corporations and private citizens paying for the bandwidth absorbed by said spam?  How many corporations have had to spend money on various attempts to ward off spam, whether it be software or hardware solutions?  How many have had to upgrade their hardware to cope with the demand?  How much money do you think has been spent fighting denial of service attacks from compromised home machines? How much money is spent fighting to take down phishing sites on compromised home machines? How much money has been lost to the criminals behind phishing sites? (The last report I read mentioned losses running into the millions.)

Users who are not willing to educate themselves are a risk to themselves and other internet users.  Their compromised machines pump out spam; their compromised machines are used for denial of service attacks; their compromised machines are used to host phishing websites.

I am a finite resource; my associates are a finite resource; sooner or later we have to say "listen, you're harming the community at large, get with it or get out".

Therefore, if forcing users to 'get educated' ends up with their choosing a different operating system, then I'll show them the way and shut the door behind them.  It's one less thing to worry about.  If forcing users to learn about and use things like firewalls and patching leads them to choose a different operating system - there's the door.

If home users are not educated - if they will not take responsibility for their own machines - then spam will not go away, denial of service attacks will not go away, phishing web sites will not go away.  That's the reality folks.

Another article at eWeek from earlier this month noted that "recovery from malware [is] becoming impossible":
http://www.eweek.com/article2/0,1895,1945808,00.asp

I have met Mike Danseglio (the guy who was interviewed for the article) - I attended training sessions that he held back in April 2005 in Singapore and still have his business card on my desk.  I remember how we left his sessions thinking "we're screwed".  I also remember that we wanted to cancel all the other sessions for the rest of the day so that we could continue working with and learning from Mike.

When I look at the risk to the internet community at large from compromised machines spewing crap I wonder how the heck people can say that not pushing for user education is ok. 

Boy... Monday was the sort of day that I don't want to have to go through again any time soon.

As we all know, IE7 has been 'layout complete' since the March release, but, as the last few days have shown, sometimes things can go wrong.

Check out how my site looked in IE7B2 - nasty, yes?

 
IE-VISTA as displayed in IE7 Beta 2 before the CSS was fixed

Such embarrassment - one of the premier IE7 sites, if not *the* premier IE7 site, could not be viewed in IE7 Beta 2.  Even more embarrassing, it was an IE Program Manager at Microsoft who first spotted the problem and let me know.

Unfortunately I was travelling on the day of the Beta 2 release, heading back to Canberra from Wagga after spending a few days at Code Camp 2006 and my wireless broadband CDMA modem was only delivering 12Kb - I was hardly able to do anything.  And, it was the Anzac Day holiday in Australia.

I don't know enough about CSS to be able to fix this, but thankfully I have lots of knights in shining armour around me who were willing to assist. 

Brian Madsen, MVP, knocked up a quick hack that improved the situation a little - note how we have gone from an overlap problem to the left column content falling off to the far left - well, at least it's readable.

 
IE-VISTA as displayed in IE7 Beta 2 and IE6 after the first attempted fix

Brian kept working on the problem but couldn't get it fixed.  Dave at Microsoft was still online (despite it being quite late for him) and was testing various attempts to fix the problem as they were uploaded - no joy.

Dave, Bob and Marcus at Microsoft really went to bat to try and help get the site fixed as quickly as possible.  From what I understand, Bob and Marcus basically dropped everything to concentrate on working out what went wrong, and how to resolve the issue.  And I tell ya what.. they came through for me.

By the time I awoke on the Tuesday morning there was an email in my inbox with a snippet of code that the guys at Microsoft thought might fix the problems at www.ie-vista.com.  It did fix the problem in IE7 Beta 2 but some issues still remain in IE6 and earlier.

 
IE-VISTA as it appears now in IE6 and earlier - note the missing content in the left column.

So far, we have not been able to work out why the content is missing in the left pane - the required space has been allocated, but some of the content is missing.  Thankfully the navigation menu itself is still there albeit off screen in the above shot.

Ok, so where do we go from here?  Well, I'll be moving away from FrontPage over the next week or so to an ASP solution, using Visual Studio instead of FrontPage to build and maintain my site.  I have also advised the owner of Ruthsarian Layouts of the problem, but as yet have not received a response.  I've also been trying to get in touch with site authors that I know are using the same CSS templates from Ruthsarian so that they can also apply the fixes that have been used on www.ie-vista.com.

My grateful thanks go to Brian Madsen, MVP as well as Dave Massy, Bob and Marcus at Microsoft for dropping everything to help get www.ie-vista.com fixed.

Oh yes... I should tell you what caused the problem.  There is a known bug that sometimes hits when CSS uses negative margins.  That's what got me.  I don't pretend to understand the mechanics of the problem, but will try and get specifics for those who are interested.

http://star-techcentral.com/tech/story.asp?file=/2006/4/25/prodit/14029720&sec=prodit

"Starting tomorrow, the software giant will permanently flag personal computers that are not running a genuine copy of Windows."

I think now is the time for a quick holiday... I think I'm glad to be going out of town this weekend...

Tony Chor blogged about a dinner he attended which was held at Frisson in San Francisco just prior to the IE7 B2 launch ... so many photos.. so many familiar faces... sometimes living on another continent, and even worse, living in the most isolated city on said continent really sucks.

Photos of the party here...
http://www.flickr.com/photos/tags/ie7b2/

Nice to see Tony is into whiskey - must make a point of booking Tony for an evening of alcoholic critique; oh, and I can also claim credit for introducing Robert Scoble to the pleasures of quality single malt whiskey - well, I share that achievement with Alex Nichol MVP, who passed away just over a year ago and is much missed.

By the way Robert... cool t-shirt... nice to see you are still not at all shy about making a statement ;o)

Yes, I know, we seem to be talking an awful lot lately about IE, Windows and OE patches and the problems they are causing - what can I say - it's been a bad month.

MS has released a KB article addressing problems that users of Outlook Web Access may experience after installing the EOLAS patch (aka 912945), as well as problems experienced by users of Windows Vista:
http://support.microsoft.com/default.aspx?scid=kb;en-us;911829

Thankfully there is a hotfix available - far preferable to uninstalling the patch.

<<<laughing>>> I'm sorry, but this is ***so*** funny.

"For each person you switch, Google gives you $1, Microsoft loses marketshare, and an angel gets its wings. "
http://www.explorerdestroyer.com/

Ok, so now they're *paying* people to push Firefox? What? It can't stand on its own merits?  ;o)

It has not been a good week for Microsoft.

MS06-016 has been causing problems for some users, who have been experiencing errors when attempting to open their address book and even losing all email contacts.  Some users are unable to send or reply to emails and are being prompted to reinstall OE:
http://support.microsoft.com/kb/917288

There is a workaround available for those of you affected by the address book problems - it works, but you will lose any contact groups that you have created.

1. Uninstall KB911567.

2. Make a copy of C:\Documents and Settings\<user>\Application Data\Microsoft\Address Book\<user>.wab and save it under a new name (backup.wab) as C:\Documents and Settings\<user>\Desktop\backup.wab, where <user> is your Windows user name.  (Make sure there is no <user>.wab file on your Desktop.)

3. Delete C:\Documents and Settings\<user>\Application Data\Microsoft\Address Book\<user>.* (that is, any file in that directory whose name is your user name followed by any extension - the star being a wildcard).

4. Run the Windows Address Book as you would normally. It will start up with no contacts present.

5. Now click on File | Import | Address Book (WAB) and import from the backup.wab file present at C:\Documents and Settings\<user>\Desktop.

6. Re-install KB911567.

Another issue caused by MS06-016, but which is "by design" is that it prevents saved unsent message *.eml files from being opened as unsent messages. Instead, they open as sent messages and cannot be resent. Outlook Express behaviour has been changed so that it now ignores the unsent flag in the message headers, so the message opens as a sent message, even though it has not been sent.

The only workaround for this behaviour change is to uninstall the security patch.  To be clear, this change does not affect messages saved to the OE drafts folder.  It only affects emails saved outside of OE (such as home-made templates).

There are risks to removing the patch, and you will have to balance your desire for easy access to templates against the risk of removing the patch - as for me, I say keep the patch and work out a different way of doing things if you like to use sound and motion templates for OE.

http://www.microsoft.com/technet/security/bulletin/ms06-016.mspx

 

It's a real pity I didn't get to announce this at Code Camp... sorry guys.

Internet Explorer 7 Beta 2 has now been released for download and evaluation by all Technology Enthusiasts.  This is the **REAL** Beta 2, not just a **PREVIEW**.

For the IE7 Beta 2, Microsoft is providing consumer customers with unlimited phone support at no charge to users in North America and soon in Germany and Japan! They are doing this to encourage adoption because they feel that IE7 - even in the beta stage - will help keep customers safer online and provide them with an improved browsing experience.

Also, IE7 Beta 2 is available in English and will now run on Windows XP 64-bit Edition and Windows Server 2003 SP1 in addition to Windows XP SP2.

New! IE7 Beta 2 for Windows XP Fact Sheet: http://www.microsoft.com/presspass/newsroom/winxp/IE7XPSP2FS.mspx

New! IE7 Add-on Site: www.ieaddons.com

You can find IE7 Beta 2 here:
http://www.microsoft.com/windows/ie/downloads/default.mspx

Release notes:
http://msdn.microsoft.com/ie/releasenotes/default.aspx

Installation tips:
http://www.ie-vista.com/known_issues.html

Please remember that this is a Beta build, and some stuff may still be broken.  There is a risk to downloading and installing beta software.  Please do not install it if problems are going to cause a crisis for you.

Note:  The ActiveX update commonly known as the 912945 update is an integral part of IE7 Beta 2.  Please review this blog post to familiarise yourself with the changes to ActiveX behaviour:
http://msmvps.com/blogs/spywaresucks/archive/2006/03/04/85409.aspx
