travis' brain dump

Tech Stuff

phishing/malware email warning

by on Oct.11, 2008, under Tech Stuff

So, I open up my email this morning to see what appears to be a nice new approach to getting people to willingly install malware on their computer. A word to the wise, people: if you get an email about a Microsoft Update, it IS an attempt to install something on your computer which is most definitely not an update. Microsoft does not send security updates as email attachments, full stop. DO NOT EVER INSTALL AN UPDATE FOR YOUR OPERATING SYSTEM THAT YOU DO NOT GET THROUGH WINDOWS UPDATE OR DOWNLOAD YOURSELF FROM MICROSOFT.COM! Can I make that any more clear?

Supporting Links:

http://isc.sans.org/diary.html?storyid=5159

http://www.scmagazineus.com/Fake-Microsoft-email-contains-backdoor-virus/article/119306/

The message is obviously a fake: the headers show it was handed straight to my mail server by a residential bluewin.ch (Swisscom) address, with a throwaway hotmail.com envelope sender and a bogus "by mx1.hotmail.com" Received line that Hotmail never added. The message follows (headers included, recipient address redacted):

Received: from 254-190.78-83.cust.bluewin.ch (254-190.78-83.cust.bluewin.ch [83.78.190.254]) by progressive.ginetx.net (8.13.7/8.13.7) with ESMTP id m9B9EgDM092724 for <*************>; Sat, 11 Oct 2008 09:14:45 GMT (envelope-from QWGMBD@hotmail.com)

Received: from [83.78.190.254] by mx1.hotmail.com; Sat, 11 Oct 2008 10:14:45 +0100
Message-ID: <01c92b8a$2ef41880$febe4e53@QWGMBD>

From: "Microsoft Update" <customerservice@microsoft.com>
To: <*************>
subject: *** SPAM ***Security Update for OS Microsoft Windows
Date: Sat, 11 Oct 2008 10:14:45 +0100

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed;
      boundary="----=_NextPart_000_0006_01C92B8A.2EF41880"

X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2741.2600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
Return-Path: <QWGMBD@hotmail.com>

-----Original Message-----
From: Microsoft Update [mailto:customerservice@microsoft.com]
Sent: Saturday, October 11, 2008 3:15 AM
To: ********************
Subject: *** SPAM ***Security Update for OS Microsoft Windows

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:

1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

 If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
7JL77FQNW5KG43VGW5UF19GG974RFBF06CLN3DM1MCSLBVOIV297D3VHYQ0A8FNUB
DN46XLFGQIJ9AFF56RL1TLXRDYBE767RGVPOZZJQ429FH9UPNRYV431Q40HVQFN6V
3ENU0PQFNKDQ9O1H6QRD4C1VNOC77RT3PNTSD670Y7VCXBLG4JJXTBOAKOSSHCAM7
PWQU9FV965AKOIKXZF6D41VXAK2OQR8NJ3QFWX4951ZX79CLN75M6RK7A464RHLGD
U39ERVVW238FYK21MBAY3V6U50C3EACLLPD==
-----END PGP SIGNATURE-----
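As an added example (not part of the original post), here is a small Python script that checks the headers quoted above for the tells a mail admin looks for without any network access: the From: domain versus the envelope sender, whether the host that connected to our MX belongs to the claimed sender, whether each Received: line agrees with the one above it, and the sender IP that Outlook Express embeds in its Message-ID (the third `$`-separated field is the sending machine's IPv4 address in little-endian hex, and here it decodes to the very address that connected to us). The RAW header set is reconstructed from the post with the redacted recipient replaced by victim@example.com, and the PGP block is checked for shape only, since with no signed message there is nothing to verify.

```python
"""Added example, not from the original post: offline triage of the headers
quoted above. RAW is built from those headers with the redacted recipient
replaced by victim@example.com; PGP_BLOCK is the signature block as shown."""
import base64
import email
import re
from email.utils import parseaddr

RAW = """\
Received: from 254-190.78-83.cust.bluewin.ch (254-190.78-83.cust.bluewin.ch [83.78.190.254]) by progressive.ginetx.net (8.13.7/8.13.7) with ESMTP id m9B9EgDM092724 for <victim@example.com>; Sat, 11 Oct 2008 09:14:45 GMT (envelope-from QWGMBD@hotmail.com)
Received: from [83.78.190.254] by mx1.hotmail.com; Sat, 11 Oct 2008 10:14:45 +0100
Message-ID: <01c92b8a$2ef41880$febe4e53@QWGMBD>
From: "Microsoft Update" <customerservice@microsoft.com>
Subject: Security Update for OS Microsoft Windows
X-Mailer: Microsoft Outlook Express 6.00.2741.2600
Return-Path: <QWGMBD@hotmail.com>

(body omitted)
"""

PGP_BLOCK = """\
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
7JL77FQNW5KG43VGW5UF19GG974RFBF06CLN3DM1MCSLBVOIV297D3VHYQ0A8FNUB
DN46XLFGQIJ9AFF56RL1TLXRDYBE767RGVPOZZJQ429FH9UPNRYV431Q40HVQFN6V
3ENU0PQFNKDQ9O1H6QRD4C1VNOC77RT3PNTSD670Y7VCXBLG4JJXTBOAKOSSHCAM7
PWQU9FV965AKOIKXZF6D41VXAK2OQR8NJ3QFWX4951ZX79CLN75M6RK7A464RHLGD
U39ERVVW238FYK21MBAY3V6U50C3EACLLPD==
-----END PGP SIGNATURE-----
"""

RECEIVED_RE = re.compile(r"from\s+([\w.\-\[\]]+).*?\bby\s+([\w.\-]+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header):
    """Domain of the address in a From:/Return-Path: style header."""
    return parseaddr(header)[1].rpartition("@")[2].lower()


def registered_domain(host):
    """Crude last-two-labels domain: mx1.hotmail.com -> hotmail.com."""
    return ".".join(host.strip("[]").lower().split(".")[-2:])


def parse_received(value):
    """(from_host, ip, by_host) from one Received: header, or Nones."""
    m, ip = RECEIVED_RE.search(value), IP_RE.search(value)
    return (m.group(1), ip.group(1) if ip else None, m.group(2)) if m else (None, None, None)


def oe_message_id_ip(msgid):
    """Outlook Express Message-IDs are <time$random$hexip@computername>;
    the third field is the sending machine's IPv4 address, little-endian."""
    m = re.match(r"<[0-9a-f]+\$[0-9a-f]+\$([0-9a-f]{8})@", msgid.strip(), re.I)
    return ".".join(str(b) for b in reversed(bytes.fromhex(m.group(1)))) if m else None


def pgp_armor_findings(block):
    """Shape checks on an armored signature; no key is needed to see it is bogus."""
    findings = []
    if "BEGIN PGP SIGNED MESSAGE" not in block:
        findings.append("signature block with no signed-message section or Hash: line")
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----", block, re.S)
    lines = [l.strip() for l in (m.group(1) if m else "").splitlines()]
    if not any(len(l) == 5 and l.startswith("=") for l in lines):
        findings.append("no '=XXXX' CRC-24 line after the radix-64 data (RFC 4880 armor has one)")
    data = "".join(l for l in lines if l and ":" not in l and not l.startswith("="))
    try:
        first = base64.b64decode(data)[0]
    except (ValueError, IndexError):
        findings.append("radix-64 data does not decode")
        return findings
    # OpenPGP packet header: bit 7 always set, bit 6 selects new/old tag format
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    if not first & 0x80 or tag != 2:
        findings.append(f"first OpenPGP packet has tag {tag}, not a Signature packet (tag 2)")
    return findings


def analyze(raw):
    """Return the reasons this message is not what its From: claims."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom, env_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    if from_dom != env_dom:
        findings.append(f"From: claims {from_dom} but the envelope sender is {env_dom}")
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # hops[0] was stamped by the receiving MX, so its from-host/IP is the one
    # fact we can trust; every hop below it was written by the sender.
    first_from, first_ip, _ = hops[0] if hops else (None, None, None)
    if first_from and registered_domain(first_from) != from_dom:
        findings.append(f"handed to our MX directly by {first_from} [{first_ip}], not by a {from_dom} host")
    for (upper_from, _, _), (_, _, lower_by) in zip(hops, hops[1:]):
        if upper_from and lower_by and registered_domain(lower_by) != registered_domain(upper_from):
            findings.append(f"hop claims relay by {lower_by}, yet the hop above got it from {upper_from}: forged Received:")
    oe_ip = oe_message_id_ip(msg.get("Message-ID", ""))
    if oe_ip and oe_ip == first_ip:
        findings.append(f"Message-ID encodes sender IP {oe_ip}, the same host that connected to us: no Hotmail relay")
    return findings


if __name__ == "__main__":
    for f in analyze(RAW) + pgp_armor_findings(PGP_BLOCK):
        print("-", f)
```

Run it and you get four header findings plus three for the signature block. The Received-chain check is the one that generalises: the topmost Received line is the only one your own server wrote, so any hop below it that claims a relay your server never talked to is the sender's fiction, whatever domain it names.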


What I dislike most about my line of work…

by on Aug.21, 2008, under Rants, Tech Stuff

When you tell people the best course of action to resolve their problems and they don't want to follow your advice, and instead still want to bitch and complain that your IT department isn't doing its job right. Can I choke you, please?

I mean seriously. What’s the point of having an IT department if you won’t listen to them?

I also love it when you’re told you can’t use a network pipe to do your job, but that’s another story.  %(*#)(*%#@)(

*stomp* (whiny voice) I hate Myke Reinhold … 🙂


on the list of things not to do on a weekend…

by on Aug.12, 2008, under Tech Stuff

accidentally delete your entire photo gallery instead of individual albums' photos.

Indeed… I became one of those morons I rant about in the tech world on a daily basis. Yay for me! I seriously forgot my helmet. Backups? lol, yeah, funny thing about those… so let's tell the story. 🙂

You see, my server runs FreeBSD, and with no real money for a good solid backup solution for that operating system, I did what any good admin would do: at least make regular tarballs, gzip them and ship them offsite. While that suffices as a backup strategy for the most part, it does not, however, save even me from every way of screwing up. So Sunday I was doing some cleanup and wiped out my backups from over a month ago. Keep in mind, a month ago is when I installed NextGen Gallery for my WordPress blog software and decided to discontinue use of my previous Gallery for personal reasons (security, mainly). When I did so, I also changed my backup selections to include the new paths for the new gallery and left off the old gallery, since I fully intended on porting over my gallery as quickly as possible. (Can you smell the failure here?) So, Sunday I go about maintenance and clear out all my old backups from over a month ago, not thinking for a second that later in the day I would need them.

I logged into my old gallery sometime in the afternoon and decided to clean out the albums I had already ported, to get a better view of what I still needed to port. Instead of deleting the selected albums, I deleted the entire thing. Before I realized what I had done, it was… GONE. Now when I say GONE, I mean it. Anyone who knows the UFS2 file system (FreeBSD) knows there is no recycle bin unless you make one for yourself and script it, blah blah… when you delete a file, the directory entry and inode are freed and its data blocks go back to the free pool, where the next write can overwrite them. 😉

I'd say that for 95% of my pictures I already had a backup on my server at home, but it was the 5% that I didn't have anymore (but do now) that gave me a feeling I never want again.

Did I panic? no. Did I lose control of my bodily functions? Almost. Did I find a new hero on the internet? YES.

Christophe Grenier at cgsecurity.org, you are my new hero. LOL

He's got a handy little tool called PhotoRec which I have to say is probably the biggest life saver should you ever shoot yourself in the foot. It scours the entire drive for whatever you wiped out, from top to bottom, and leaves no stone (or block) unturned. Six hours of running on the /home partition (it's pretty darn big) and it recovered every one of my lost photos (as well as everyone else's… BAD BAD BAD ARTIFICIAL!!). Two things worth knowing before you reach for it: it carves files by their signatures straight off the raw partition and ignores the filesystem, so the original filenames are gone and anything anyone ever deleted comes back too; and since every write risks overwriting the blocks you want, stop writing to that partition first (unmount it or remount it read-only) and have PhotoRec write its output to a different disk.

Moral of the story? Make sure you have a good recent backup before you click delete on ANYTHING and don’t be a complete tard. IT people will laugh at you as I laugh even at myself. 🙂


The latest from the spam world… grrrr.

by on Aug.08, 2008, under Tech Stuff

So, I'm not sure if any of you have run into this (if I were a betting man I'd say yes), but the latest round of malware distribution is taking the net by storm in the form of fake CNN news items. You may notice some items in your inbox with the following subject lines:

"CNN.com Daily Top 10" & "CNN Alerts: My Custom Alert"

While opening the mail doesn't actually do anything to your system, following the links can set you up for disaster. Once clicked, the link takes you to a fake cnn.com page that prompts you to install a "viewer", typically named flashupdate.exe, get_flash_update.exe or watchmovie.mpg.exe. (Note the double extension on the last one: with Windows' default of hiding known file extensions, it shows up as watchmovie.mpg and looks like a video.) Once installed, it leaves your system open to a variety of issues.

Be on the lookout, people. As usual: don't install things you don't know about, don't install stuff you think you've already installed, and if you're in any way confused, click Cancel and email or call your IT support.

Also something to be aware of: there has been a rash of similar install prompts on social networking sites such as myspace.com and facebook.com. The same rules as above apply. Be smart, be safe!

 post mirrored on: techtalk.homerun-networks.com

