Tuesday, June 22, 2010

sk..., sk.., SKKKKKK...

[Older post that I forgot to publish.]

Last night I had the telescope out to look at planets - is that huge bright thing Mars or Saturn or Venus? I think Mars. Anyway I had positioned it and was letting Terri have a look and while she was looking a creature appeared on the sidewalk (We were on the front lawn.)

At first I thought cat then the movement was all wrong, then a raccoon no that's not either, then what could it b.. EEK.

It was right out of a cartoon. Grabbing Terri's arm and trying not to be alarmist and trying completely unsuccessfully to be calm. Sk, Sk, Skkkk..unk She looks up from the telescope and it's of course gone. HOW? It was right there.

Thursday, June 17, 2010

The Lowly Parentheses: Its important job in email

The parenthesis serves a surprisingly vital role in determining where an email really comes from. In the email headers there is a series of Received lines. The receiving mail server inserts what it actually observed about the connecting machine (its reverse DNS name and IP address) inside the parentheses. That is the one bit of information you can rely on; the name before the parentheses is whatever the sending machine claimed to be.

For example:
This is a falsified Email Received line:
Received: from 89.210.237.165 by autotec.com.inbound15.mxlogicmx.net; Fri, 18 Jun 2010 02:01:56 0200

The parens are missing completely.

This is a real one:
Received: from ppp089210237165.dsl.hol.gr (ppp089210237165.dsl.hol.gr [89.210.237.165]) by ahost.somedomain.com (8.13.5/8.13.4) with ESMTP id o5HN38he003988;

Another common thing is for a scammer/spammer to falsify the origin of an email, but the Received line rats them out:

A real, but modified example:

Return-Path: 
Received: from mx1.mytiolo.info (mailhost.dwdtechllc.com [74.119.64.217])
by host.domain.com (8.13.5/8.13.4) with SMTP id o5HLswgI022584
for ; Thu, 17 Jun 2010 14:55:11 -0700

The spammer claimed to be from mytiolo.info, but it really came from dwdtechllc.com, because it's what's inside the parens of the Received line that is correct.

These mismatches are sometimes legit (not everyone owns their own email server) but often are not.
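To make the rule concrete, here is an added example (my own code, not from the post) that pulls the claimed name and the server-recorded host and IP out of Received lines and flags the three cases above: no parens at all, parens that agree with the claim, and parens that rat the sender out. The sample headers are constructed from the lines quoted in this post; the third is folded across lines the way it arrives in a real message.

```python
import re

# Constructed sample headers built from the Received lines quoted above.
SAMPLE_HEADERS = """\
Received: from 89.210.237.165 by autotec.com.inbound15.mxlogicmx.net; Fri, 18 Jun 2010 02:01:56 0200
Received: from ppp089210237165.dsl.hol.gr (ppp089210237165.dsl.hol.gr [89.210.237.165]) by ahost.somedomain.com (8.13.5/8.13.4) with ESMTP id o5HN38he003988;
Received: from mx1.mytiolo.info (mailhost.dwdtechllc.com [74.119.64.217])
\tby host.domain.com (8.13.5/8.13.4) with SMTP id o5HLswgI022584;
\tThu, 17 Jun 2010 14:55:11 -0700
"""

# "from <claimed> (<rdns> [<ip>]) by <server>"; the parenthesised part is optional
# because a forged or non-sendmail line may simply leave it out.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<claimed>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def received_lines(raw):
    """Return every Received header, one per line, after unfolding."""
    return [l for l in unfold(raw).splitlines() if l.lower().startswith("received:")]


def parse_received(line):
    """Split one Received line into claimed name, server-stamped host/IP, and a verdict."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    claimed, rdns, ip = m.group("claimed"), m.group("rdns"), m.group("ip")
    if ip is None:
        verdict = "unverified"      # no parens: nothing the server actually saw
    elif rdns and rdns.lower() == claimed.lower():
        verdict = "consistent"      # claim matches what the server recorded
    else:
        verdict = "mismatch"        # the parens disagree with the claim
    return {"claimed": claimed, "rdns": rdns, "ip": ip, "by": m.group("by"), "verdict": verdict}


def check_headers(raw):
    """Parse every Received line in a raw header block."""
    return [parse_received(l) for l in received_lines(raw)]


if __name__ == "__main__":
    for r in check_headers(SAMPLE_HEADERS):
        print(f"{r['verdict']:<11} claimed={r['claimed']} stamped={r['rdns']} [{r['ip']}] by={r['by']}")
```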

Hurray for the parentheses.

Tuesday, June 15, 2010

Fake virus scanners which are really viruses

My work has been getting a blizzard of viruses sent in email recently. It's not a problem as we just block them at the firewall but the intensity is a bit daunting.

They are all of the same flavor.
They send out a very obscurely written JavaScript attachment (sometimes encoded), and if the person clicks on it while running Windows with administrative privileges, the browser goes off to a site that has been compromised and hosts the actual virus (the JavaScript is just a trigger), then downloads and installs it.

In the case I've seen, it installs a fake virus scanner that claims to find a lot of fake viruses, and for a mere $50 you can get the "license key." If you don't pay up, your computer continues to pop up a million windows and pretty much won't let you do anything. Symantec and other virus scanners are disabled and the task manager won't run. We call this "ransomware."

One of these little creatures is called Protection Center, a name stolen from a Microsoft product, but it's not from Microsoft. You can see a picture of it here:
http://www.spywares-remove.com/remove-protection-center-protection-center-removal-help

The best way to deal with it is to reboot into Safe Mode by restarting and pressing F8 repeatedly, then running a virus scan. There are faster ways to kill it by using msconfig and manually deleting it and the associated registry keys, but that takes more know-how.

While it's actually a very interesting virus, I don't fully understand it enough to really expound on it. Most of it is non-functional crud, and the web addresses have a lot of extra characters that are stripped out at the last second. It is very obfuscated, but with a little effort you can read it. There is an excellent analysis of it here:
http://garwarner.blogspot.com/2010/06/more-twitter-spam-html-attached-threats.html

If you have a copy of the base64-encoded virus, you can run it through an online base64 decoder and then deobfuscate the resulting JavaScript. What you're looking for is the line that generates the web site address. Once I figured out where it was going I stopped, but the link above goes further.

As with most things it's better to prevent it from happening in the first place.

Prevention
If you are a Windows user:

- Don't click on weird links or attachments
- Run as an unprivileged, non-administrative user
- Disable Java in your browser
  - Firefox 3.0.6: Tools > Options, click on Content and uncheck Enable Java
  - SeaMonkey 2.0.4: Edit > Preferences, click on Advanced and uncheck Enable Java
  - Internet Explorer 8.0.6001: Tools > Internet Options, click Programs, click Manage Add-ons, click on Java and click Disable (along with any associated Java add-ons).

Friday, June 04, 2010

"Hanging Out" on Shasta?

I had one of those synchronicity experiences today that you just don't plan on.

I was up at Shasta and the weather was icky and rainy and I had decided not to go on my trip since I had a second trip planned also in June (because this isn't the first time I've been rained out). I was down in the fantastic local mountaineering store asking for an explanation of the confusing topic of Randonee Skiing gear (I'm much less confused now), and the store staff was chatting about a Shasta Mountain Guides trip and I tossed in a bit of info that I knew.

One of the people involved in the conversation was an SMG guide and looked right at me and said "Hey I know you. We hung out together - on the West Face." Now while I go to Shasta a fair bit there are very few people there who recognize me and I wasn't initially familiar with the location, but she looked familiar so I played along for a moment, with the brilliant response of "Really?" "Yeah you do dog shows right?" Oh God she's right obviously. Then I thought to introduce myself and she told me her name and it all came back. I'm totally impressed that she remembered me from a year ago because she guides a lot of people in a season.

The West Face is above Hidden Valley and I've only been there once on an SMG trip, so I wasn't immediately familiar with the term even though it's an obvious feature. It was during that trip where I realized that my altitude issues now prevent me from keeping up with a group. This guide, let's call her L, stayed with me when I fell behind. She was so patient with me. What really amuses me now is that "hang out" is the last thing I'd call my struggling with not enough oxygen in my non-responsive muscles. We did spend some time together and I'd love to hire her as a private guide sometime. I do hang out when I'm on Shasta but it's at Horse Camp when I'm casually relaxing and chatting with others. Her using the term makes me laugh because of its deliberate absurdity.

What was amazing was when I finally decided to turn around she went back with me (they kinda have to), and then she turned right around and booked back up the incline to catch up with the group. It was still early enough that we were all using headlamps (Travel on snow is easiest when the snow is frozen and that's in the very wee hours.) and I could follow her remarkable progress. She openly admits to being a calorie burning junkie and I can relate to a much smaller extent. The endorphins are hard to beat.

Anyway I mentioned the possibility of maybe hiring her to do a private climb of the lower part of Casaval Ridge or other routes and she said that they often do things like that.

I so admire good guides. They usually love what they do and it shows.