Tuesday, November 30, 2004
Otto?!? I thought the season was over?
TROPICAL STORM OTTO Public Advisory Number 1
Issued 4 PM EST TUE NOV 30 2004
[National Hurricane Center (Atlantic)]
Tuesday, November 23, 2004
First Treo 650 hack: Enable the Bluetooth dial-up networking profile
Hehe, I did the PDA to PPC-6601 yesterday... It was fun.
That was hella fast. The Treo 650 has been in people’s hands for what, like five or six days, and somebody’s already hacked the Bluetooth so you can use it as a wireless modem with your laptop (or if you’re super geeky, another PDA). This is despite Sprint’s best attempts to preempt anyone from doing this by announcing they were going to add the DUN profile to Treo 650 sometime next year, too. Apparently you don’t even need to install PDAnet anymore, either, but just make sure you don’t stream too much audio or video or host your website on your Treo or else you might arouse the interest of Sprint’s bandwidth police (they forced us to stop hosting Engadget on a cluster of Treos several months ago).
[Thanks, David]
[Engadget]
Monday, November 22, 2004
Back online!
One of my favorite sites is back online! See what Dale has to say... And add this site to your aggregator! :)
[mobilePASSION]
OK, I got tired of waiting for my website to get back on-line so in the interim a good friend of mine suggested I just start blogging!
I am trying to re-point the old DNS to this blog so I am not exactly sure how long it will take. I think it may take up to 48 hours. Let's see who the first is to get on and post a comment? ;)
At least we won't have to look at this any longer...
Our apologies for the unscheduled maintenance that has temporarily taken www.pocketpcpassion.com offline. Due to a monitored drive failure in the RAID system, we have taken the opportunity not only to replace the affected drive, which normally does not affect website availability, but also to update the operating system to Windows Server 2003 for improved security. A long-awaited upgrade.
We apologize for the inconvenience, and appreciate you bearing with us as we strive to improve the quality & security of our Remote Hosting service. Your site should not be affected for long as we swap operating system images and configure.
Please check back later today when the system should be back online. Thank you.
Is the Treo 650 a Weakling?
Ouch! I wonder how much usable memory there is in the PPC-6601.. Oh yeah, it's 128Mb.... :)
Consumer logic dictates that the Treo 650 should be a country mile better than the Treo 600, right? At least in terms of key specs like memory. But some eagle-eyed users are claiming that PalmOne's playing some serious sleight-of-hand with the 650's storage. Treonauts does the math, and it ain't pretty: "Existing users will have 30 percent less memory to use when compared to the Treo 600, thus bringing the 'true' user-available memory down to only 16MB."
Ouch. I guess there's no smart-phone-storage corollary to Moore's Law, huh?
The Treo 650 Memory Debate [Treonauts]
[Gizmodo]
PowerFilm rollable solar-powered battery charger
Didn't we talk about this, oh, 5 years ago? It would be nice, but I bet it doesn't catch on.. We are *so* deep-rooted in the notion of bringing stinkin' batteries with us everywhere...
PowerFilm have created a roll of solar material that allows one to recharge cellphones, cars, and other rechargeable electronics with a rollable solar panel. They’re made by Iowa Thin Film Technologies and are available in three sizes with varying power outputs. The largest, at 12 x 73-inches, will put out 1.2 Amps and only weighs 1.9 pounds. Available connectors include cigarette lighter, battery chargers, and daisy chain connectors. Prices start at about $150. MMmmm. Sun juice.
[Via TRFJ]
[Engadget]
Friday, November 19, 2004
Xcelis unlimited cellphone calling plan
Hey, this looks cool. It's not available yet for Sprint but when it is I may try it.
Since many cellphone carriers offer unlimited minutes for calls to users on the same network, Xcelis has capitalized on this and is offering a $10 per month plan that (in addition to your regular cellphone service fees) lets you call anywhere in the US and Canada for as much as you want. After calling one of the Xcelis network phone numbers and entering in the phone number you wish to call, they route the call over the Internet via VoIP or a landline, which is why they claim they’re able to offer unlimited calling for such a low price. It’s all a bit on the dodgy side (all those cruddy pixelized graphics sure don’t help), but they are offering new users a free 7 day trial, so we’ll leave it up to you guys to be the guinea pigs here.
[Thanks, Marc]
[Engadget]
Thursday, November 18, 2004
Rumor: T-Mobile and Sprint Launching Ringback Tones
Hehe, I can't wait... Ringringring, bananaphone!!!!
Everybody is a lot more excited about these ringback tones than I expected. I'm sort of dreading them, myself, as I'll now be forced to endure everyone's humorous or nostalgic choices of music as I try to call them. On the bright side, it gives me an excuse to hang up on them faster, preventing the dreaded voice communication.
But Verizon isn't the only one jumping in with the ringback tones, I've heard. An anonymous source just dropped this bit in my lap and I thought I'd pass it on.
I have been looking into the ringback tones, and word from an analyst is that certain providers will allow you to voice your own messages over the songs you select for your ringback. Word is that the T-Mobile announcement is "immanent" and Sprint is expected in Q1 '05.
Slim Devices' Squeezebox now in four delicious colors
They also came out with 5.4.0 on the server software which is quite nice. They added better support for other music formats. They also are offering a deal where you ship them your CDs and they will rip them all onto DVD-ROM for you..
The Squeezebox, Slim Devices’ iTunes-compatible network player is now as colorful as an iPod Mini. See, it now comes in four delicious colors: Rhapsody in Blue, Tangerine Dream, Purple Haze, and Triple Platinum, dude. In a bid to create some hype around the Christmas season, the limited edition color players can only be purchased from their website for $209 ($289 for wireless). They ship next week.
[Thanks, Greg]
[Engadget]
Tuesday, November 16, 2004
mGALSync 1.0.0
Super cool!!! I am downloading this right now. :)
For you smartphone folks this should come in quite handy.
[MS Exchange Blog]
"Automatically synchronize your Outlook GAL to your Pocket PC!
mGALSync allows you to synchronize your Outlook Global Address List (GAL) to the Contacts folder on your Pocket PC device. Benefits include:
Contact details include all standard Microsoft Exchange Server fields, including: Name, Job title, Department, Phone numbers, Email address, Notes and many more.
Contact details are stored in your Pocket Contacts database.
Email addresses are displayed using SMTP format not X400.
Distribution Lists and Custom Recipients are also Sync'ed.
GAL Contacts can either by Sync'ed direct to Pocket Contacts on your Pocket PC, or into your Outlook Contacts folder for Sync'ing via ActiveSync.
GAL Contacts are added to a new 'GAL' Category, making them easier to manage."
Sunday, November 14, 2004
Windows Mobile passes Palm in PDA sales
This may not be news to some of you but hey, it's early and I wanted to let you folks know I was still out here.
With PDA sales essentially flat, we’re practically at the point where they’re squabbling over a dead carcass of a market, but Microsoft just swiped the title of most popular PDA operating system away from PalmSource. A full 48.1% of all non-smartphone PDAs sold in the third quarter of this year run on some flavor of Windows CE (mainly the Pocket PC operating system), while Palm-powered PDAs accounted for only 29.8% of sales, a pretty significant decline from the same period last year. Windows Mobile and Palm are still dwarfed by Symbian when it comes to the ever more important market for smartphones, but any way you slice it, the Palm OS is hurting, with Sony killing their Palm-powered line of Clie handhelds everywhere except Japan, and former conjoined twin palmOne supposedly flirting with a Windows Mobile version of the Treo.
[Engadget]
Friday, November 12, 2004
Averatec C3500 Windows XP Tablet Edition Notebook Review
This one is for my buddy Noggin who was just asking me about which TabletPC to get.... I haven't used it myself, but it looks good..
"While other second generation convertible Windows XP Tablet PCs are priced at or over $2000, the Averatec C3500 sells for only $1350. What can you expect from a tablet that has such a low price? Quite a lot. The Averatec has an AMD 1.2GHz mobile Athlon XP-M 2200+ processor with a 60GB hard drive, 512MB memory, a bright and contrasty screen with a wide viewing angle, built-in 802.11g wireless and ample ports. It runs Windows XP Tablet Edition and...
Monday, November 8, 2004
Electric Monday
To keep the "current" thread going for today, I figured I would turn you on to the shock jacket. :) This would be kind of cool.
Basically reinventing the No Contact Jacket that came out a couple of years ago, some students at the National Institute of Fashion Technology in India have developed a jacket that uses metal embroidery in order to conduct 100 volts of shock to molesters. A button on the waistband allows wearers to trigger the shock, and insulation protects you from shocking yourself. It’s not available yet, but if the model version is any indication, it won’t be taking off here any time soon, because, after all, looks trump function any day. Unless you’re talking about Ugg boots, but that’s another story.
[Engadget]
Electric Shock Treatment?!?
You can darn sure bet I would show marked improvement in verbal skills if you even *thought* about getting near me with electrodes!!!
Volunteers show marked improvement in verbal skills after a research team runs a weak current through their foreheads. The researchers say it could lead to innovative therapies for patients with brain injuries. By Amit Asaravala.
[Wired News]
Friday, November 5, 2004
Burn a DVD in Two Seconds
2 seconds?!?
[Gizmodo]
Just saw this little tidbit from yesterday and thought it was worth mentioning, although there's very little in the way of details. The gist (actually, the whole of the information available) is that Pioneer and TDK are collectively developing a DVD-R capable of burning a disc in two seconds. Two seconds. Mommy?
Movie Pirate Dream Machine: Burn 30 DVD-Rs Per Minute [TheRawFeed]
Keep tabs on your car via cellphone with Directed Electronic's Viper auto tracking system
This was just too cool to not post. :)
Using GPS and the already-in-place cellphone network, Direct Electronic’s Viper car tracking system allows users to “call” their car to do anything from warm up the engine to see if it has left a predetermined area. You can also set it up so it’ll send warnings if it has driven above a particular speed or has left a specific area (like if you want to make sure your wily teenager is only taking the car to school and back, or you don’t trust the person driving the car), or you can just check where the car is and at what speed it is driving. This paranoia device will set you back $699, and can be coupled with other devices that will allow you to lock doors or shut off the engine if you want to spend a little more.
[Engadget]
A story about malware
Please, if you like having a clean system, at *least* do the following...
1. Install AdAware from Lavasoft
Run it once a week and update it often.
2. Install Spybot S&D
Update the definition files, turn on the memory resident portion and don't forget to immunize your system. I can't tell you how many times I go to a page and get a "Doubleclick Detected" pop-up. This keeps sooooo much crap off of your machine.
3. Install an anti-virus program on your computer. I recommend AVG Anti-Virus only because it is free and has updates just as good as the commercial ones. If you use a different one, fine, just make sure to update the virus definitions AND engine.
4. Install ZoneAlarm from ZoneLabs. I know it is chatty at first but you can't believe how much safer your system is if you do this. If you don't know what a process is, deny it from accessing your network connection.
5. If you have kids using the computer while you are not around... Install something like NetNanny. This one costs money but it is to protect your kids.
Anyway. Just in case you don't want to follow another link, here is the clip from the SANS ISC about malware... Be afraid. Be VERY afraid!
Follow The Bouncing Malware, Part III
Note: Most of the links in the following are not "clickable" on purpose. Think of it as a warning...
Before we begin our tumble down the rabbit hole once more, just a few brief words:
For those of you who have been following this little excursion: thank you for your patience. It’s probably difficult to completely understand the amount of time that each of these little essays takes to research and write. While I’ve been working on this particular installment, there were also the distractions of family, job, the daily “stuff” coming in at the SANS ISC, MS04-028, GDIScan, turning the ISC into the GDIScan helpdesk (sorry gang!), windsurfing the halls at NS2004 in Vegas, etc..., etc... You have my sincere apologies for the wait, as well as my fervent hope that it was worth it.
With that out of the way, why don’t we “warm up” by quickly retracing the path we’ve already trod? Perhaps now would be a good time to take a bathroom break and grab a fresh container of your favorite adult beverage, ‘cause once this caravan rolls, we ain’t stoppin’. Go on, I’ll wait...
Ready? Good. Let’s go!
In the beginning, there was Joe Average. And Joe didst buy himself a computer and connecteth it to the Internet. And with his computer, Joe did surfeth, and readeth email, and playeth many games. And Joe looked upon the Internet, and it was Good.
But while Joe did possess knowledge of the Internet Good, he did not understand that Evil too lived on the Internet. And he patcheth not.
Then one day, Joe didst unknowingly go to a Bad Place, and much Evil befell his shiny new computer.
How Evil? Very, VERY Evil:
From Follow The Bouncing Malware, Part I
(http://isc.sans.org/diary.php?date=2004-07-23 ):
1) Joe's homepage had been changed. It is now set to:
http://default-homepage-network.com/start.cgi?new-hkcu
2) Joe’s default search page has been set to:
http://server224.smartbotpro.net/7search/?new-hkcu
3) Search assist has been turned off.
4) "TV Media Display" has been installed on Joe's machine.
5) addictivetechnologies.net had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.
And, from Follow The Bouncing Malware, Part II
(http://isc.sans.org/diary.php?date=2004-08-23 ):
6) Joe’s computer, at the behest of the Addictive Technologies malware, downloaded “instructions” from F1Organizer.com
7) Following those instructions, new “Favorites” were added to Joe’s browser, and two new “gifts” (SplWbr.dll and ezbdlLs.dll) were installed on his computer.
8) The installation of SplWbr.dll dumped an “Ad Destroyer and Virtual Bouncer” from SpyWare Labs, Inc. and “TopRebates.com AutoTrack software” onto Joe’s computer.
9) The installation of ezbdlLs.dll dropped a “Utility for downloading files and upgrading software” from “ABetterInternet”, a utility to “Make Your Internet Browsing Simple, Exciting, and Personal” from the fine folks at “ezULA”, and an affiliate ID hijacker called SAHAgent onto Joe’s PC.
10) Finally, the file hp1.exe was downloaded and executed via a .CHM exploit.
That’s where we stopped last time, with my promise that the file “hp1.exe” was “a real piece of work.”
So... let’s take a look at hp1.exe.
The file hp1.exe contains 49,152 bytes o’ Visual Basic goodness (guffaw). The file’s version information claims that it was created by a company called “df”, with an internal name of “bigs104”. Launching this beastie begins bringing down a veritable rain of malware on a machine. Sit back and try to keep up as we follow the bouncing malware:
First, it contacts "http://mmm.roings.com/bundle.php?aff=bigs104" and downloads 1449 bytes of some sort of data:
388
{}{}{}wrds======ckkcha*gki+waevgl9uxwaevgl*}elkk*gki+waevgl9tx
}elkk*gki+v+w|+.9txv`w*}elkk*gki+9txwaevgl*iwj*gki+vawqhpw*ewt9ux
eqpk*waevgl*iwj*gki+vawqhpw*ewt9uxc*iwj*gki+9ux
ekhwaevgl*gki+ekhgki+waevgl9uqav}xwaevgl*ekh*gki+ekhgki+waevgl9uqav}x
ehhplasaf*gki+waevgl9uxsaf*ewo*gki+saf9uxkravpqva*gki+`+waevgl9Oa}skv`wx
gkjpajp*kravpqva*gki+`+waevgl9Oa}skv`wxiw|ih*mjbkwtega*gki+lkia+`kc9uosx
mjbkwtega*gki+lkia+`kc9uosxwaevgl*japwgeta*gki+jw+waevgl9uqav}x
japwgeta*gki+jw+waevgl9uqav}xehpermwpe*gki+saf+vawqhpw9ux
waevgl*h}gkw*gki+`abeqhp*ewt9uqav}xh}gkw*gki+waevgl*ewt9uqav}x
waevgl*aevplhmjo*jap+pvego9uxwaevgl*hkkowievp*gki+t+waevgl9up
{}{}{}doms======faewp}wtkvpeh*2|*pk9995xxxgavmeh~*gki9996xxx
`vmjoi}*gki9995
{}{}{}ver======17
{}{}{}pay======yes
{}{}{}ip======aa.bbb.cc.dd (note: this was Joe’s machine’s IP address)
{}{}{}phases======`veckjfehh~9995xxxgvegow9996xx
mb$}kq$qwa$plmw$wmpa9995
{}{}{}sewers======wa|$bkv$bvaa9995xxxwa|9996xxxikva$wa|$bkv$ia9995
12
{}{}{}outers======
175
xxxxxi}a|a999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+hke`w+999i}a|a999999EHHx
JQHHxxxxxerepev999lppt>++sss*erepevvawkqvgaw*gki+`mwp+ewp[0[ii*a|a999ewp[0
[ii*a|a999ewp[0[ii*a|a999QWxAFxEQxGExCFxxxxx
a6cmra999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+Ia`meIkpkv61*a|a999Ia`meIkpkv61*
a|a999Ia`meIkpkv61*a|a999QWxGExxxxx
qjwpeh999lppt>++qtw*vkmjcw*gki+wkbp+qjwpehh*a|a999qmjwpehhav999999EHHx
JQHH
f
{}{}{}reg======
5c
xxxxxkg|5<999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+ii64*kg|999ii64*kg|999ii64*kg|
999EHHxQWxGExAF
6
{}{}{}
0
(Note: the data has been reformatted to display better in the Diary.)
Well, what the heck does all of that mean? Hmmm... it’s obviously a “generated on the fly” data file, because the file contained, in plain-text, the IP address of the NAT firewall that Joe’s machine was behind. It also appears to have been “encrypted” in some manner.
Given some time, and several pieces of paper wadded up and thrown at the cat in frustration, your intrepid author cracked the code, and wrote the following program to decrypt the data:
    #include <stdio.h>

    /* Decodes the "df" control data one fragment at a time: every byte has 4
       added when its low three bits are below 4 and 4 subtracted otherwise,
       which amounts to flipping bit 2 of the byte. Newlines are left alone. */
    int main(int ac, char **av) {
        FILE *in, *out;
        char buffer[80], *c, val;
        int cont = 1;

        if (ac != 2) { puts("Usage: df_decrypt filename"); return 1; }
        if ((in = fopen(av[1], "r")) == NULL) { puts("Cannot open input file."); return 2; }
        if (!(out = fopen("output.txt", "w"))) { puts("Cannot open output file."); return 3; }

        while (cont) {
            if (fgets(buffer, sizeof(buffer), in)) {   /* read the next (partial) line */
                c = buffer;
                while (*c) {
                    if (*c != '\n') {                   /* keep line breaks as they are */
                        val = *c & 7;                   /* low three bits pick the direction */
                        if (val < 4) *c = *c + 4;
                        else *c = *c - 4;
                    }
                    c++;
                }
                fputs(buffer, out);                     /* write the decoded fragment */
            } else cont = 0;                            /* end of file (or read error) */
        }
        fclose(in); fclose(out);
        return 0;
    }
Filling the decrypted data back into the file alongside any original data that is obviously “keywords” results in the following unencrypted file:
388
{}{}{}wrds======google.com/search=q|search.yahoo.com/search=p|
yahoo.com/r/sx/*=p|rds.yahoo.com/=p|search.msn.com/results.asp=q|
auto.search.msn.com/results.asp=q|g.msn.com/=q|aolsearch.com/aolcom/search=query|
search.aol.com/aolcom/search=query|alltheweb.com/search=q|web.ask.com/web=q|
overture.com/d/search=Keywords|content.overture.com/d/search=Keywords|
msxml.infospace.com/home/dog=qkw|infospace.com/home/dog=qkw|
search.netscape.com/ns/search=query|netscape.com/ns/search=query|
altavista.com/web/results=q|search.lycos.com/default.asp=query|
lycos.com/search.asp=query|search.earthlink.net/track=q|
search.looksmart.com/p/search=qt
{}{}{}doms====== beastysportal.6x.to===1|||cerialz.com===2|||drinkmy.com===1
{}{}{}ver======17
{}{}{}pay======yes
{}{}{}ip======aa.bbb.cc.dd (note: this was Joe’s machine’s IP address)
{}{}{}phases====== dragonballz===1|||cracks===2||if you use this site===1
{}{}{}sewers====== sex for free===1|||sex===2|||more sex for me===1
12
{}{}{}outers======
175
|||||myexe===http://bins2.media-motor.net/soft/loads/
===myexe======ALL|NULL
|||||avatar===http://www.avatarresources.com/dist/ast_4_mm.exe
===ast_4_mm.exe===ast_4_mm.exe===US|EB|AU|CA|GB
|||||e2give===http://bins2.media-motor.net/soft/MediaMotor25.exe
===MediaMotor25.exe===MediaMotor25.exe===US|CA
|||||unstal===http://ups.roings.com/soft/unstall.exe
===uinstaller======ALL|NULL
f
{}{}{}reg======
5c
|||||ocx18===http://bins2.media-motor.net/soft/mm20.ocx
===mm20.ocx===mm20.ocx===ALL|US|CA|EB
6
{}{}{}
0
After downloading this “control data” file, Joe’s computer then contacts "http://www.mastermind.com/a?l=PeAyF1sgrZYw&i=aaa.bbb.ccc.ddd" on TCP port 8010 (where aaa.bbb.ccc.ddd is Joe’s computer’s IP address) and has three lines of data returned: “2”, “US”, “0”.
This ties in with what appear to be “country codes” found within various portions of the unencrypted data file. It appears that the malware will react differently depending on the country where the infected machine is located. The script at www.mastermind.com takes the IP address and returns a country code. The other two codes (“2” and “0”) appear to control different aspects of the malware’s behavior.
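The diary's decoder above writes out a flat text file that still has to be read by hand. The following Python script is an added example (it is not the ISC author's program, and not code from this blog) that does the same decoding and then parses the records into a structure an analyst can query, including which download entries apply for a given country code. It makes three assumptions that the diary does not state: the bare hex lines in the listing (388, 12, 175, f, 5c, 6, 0) are treated as HTTP chunked-transfer chunk sizes, because each value matches the byte count of the data that follows it; "ALL" in an entry's country list is read as a wildcard; and the keys ver, pay and ip are left undecoded because the diary's decrypted listing shows them unchanged. The ±4 rule in the C program is the same as XOR with 4, since the low three bits only decide whether bit 2 is set. The sample input is a constructed excerpt of the listing above (the wrds, phases and sewers records are omitted), and the parser joins the diary's wrapped lines back together; the redacted IP stays as aa.bbb.cc.dd.

```python
"""Decode and parse the "df" (bigs104) control data from Follow The Bouncing
Malware, Part III.  Added example, not the ISC author's program."""
import re

RECORD_DELIM = "{}{}{}"   # unencoded marker between records
KEY_VALUE_SEP = "======"
PLAIN_KEYS = {"ver", "pay", "ip"}   # shown undecoded in the diary's listing (inferred)
# Bare hex lines (388, 12, 175, f, 5c, 6, 0) equal the byte counts of the data that
# follows them, so they are treated as HTTP chunked-transfer chunk sizes (assumption).
HEX_LINE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


def decode_text(s: str) -> str:
    """The diary's C program adds 4 when a byte's low three bits are below 4 and
    subtracts 4 otherwise: that is flipping bit 2, i.e. XOR 4 (newlines untouched)."""
    return "".join(ch if ch == "\n" else chr(ord(ch) ^ 4) for ch in s)


def dechunk(listing: str) -> str:
    """Rebuild the continuous stream: drop chunk-size lines and join the rest
    with no separator (this also undoes the diary's line wrapping)."""
    return "".join(ln for ln in listing.splitlines() if ln and not HEX_LINE.match(ln))


def parse_entries(value: str) -> list:
    """'outers'/'reg': |||||label===url===file===display===CC|CC|... per entry."""
    entries = []
    for ent in value.split("|||||"):
        parts = ent.split("===")
        if len(parts) == 5:   # the empty piece before the first ||||| is skipped
            label, url, fname, display, countries = parts
            entries.append({"label": label, "url": url, "file": fname,
                            "display": display, "countries": countries.split("|")})
    return entries


def parse_weighted(value: str) -> list:
    """'doms'/'phases'/'sewers': term===weight entries separated by runs of bars
    (the diary's listing shows one entry separated by only two)."""
    out = []
    for ent in re.split(r"\|\|+", value):
        if "===" in ent:
            term, weight = ent.split("===", 1)
            out.append((term.strip(), int(weight) if weight.isdigit() else weight))
    return out


def parse_control_data(listing: str) -> dict:
    """Decode the blob into a dict keyed by record name."""
    cfg = {}
    for rec in dechunk(listing).split(RECORD_DELIM):
        if KEY_VALUE_SEP not in rec:
            continue   # leading empty piece and the bare "{}{}{}" trailer
        key, value = rec.split(KEY_VALUE_SEP, 1)
        if key not in PLAIN_KEYS:
            value = decode_text(value)
        if key in ("outers", "reg"):
            cfg[key] = parse_entries(value)
        elif key in ("doms", "phases", "sewers"):
            cfg[key] = parse_weighted(value)
        elif key == "wrds":   # search-engine URL prefix and, apparently, its query parameter
            cfg[key] = [tuple(e.split("=", 1)) for e in value.split("|") if "=" in e]
        else:
            cfg[key] = value
    return cfg


def payloads_for_country(cfg: dict, country: str) -> list:
    """(label, url) pairs the control data selects for the country code that the
    mastermind.com lookup returned.  Reading 'ALL' as a wildcard is an assumption."""
    return [(e["label"], e["url"]) for key in ("outers", "reg")
            for e in cfg.get(key, [])
            if "ALL" in e["countries"] or country in e["countries"]]


# Constructed sample: excerpt of the diary's listing (wrds, phases and sewers
# records left out; the IP stays as the diary's redaction).
SAMPLE = """{}{}{}doms======faewp}wtkvpeh*2|*pk9995xxxgavmeh~*gki9996xxx
`vmjoi}*gki9995
{}{}{}ver======17
{}{}{}pay======yes
{}{}{}ip======aa.bbb.cc.dd
12
{}{}{}outers======
175
xxxxxi}a|a999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+hke`w+999i}a|a999999EHHx
JQHHxxxxxerepev999lppt>++sss*erepevvawkqvgaw*gki+`mwp+ewp[0[ii*a|a999ewp[0
[ii*a|a999ewp[0[ii*a|a999QWxAFxEQxGExCFxxxxx
a6cmra999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+Ia`meIkpkv61*a|a999Ia`meIkpkv61*
a|a999Ia`meIkpkv61*a|a999QWxGExxxxx
qjwpeh999lppt>++qtw*vkmjcw*gki+wkbp+qjwpehh*a|a999qmjwpehhav999999EHHx
JQHH
f
{}{}{}reg======
5c
xxxxxkg|5<999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+ii64*kg|999ii64*kg|999ii64*kg|
999EHHxQWxGExAF
6
{}{}{}
0
"""
```

Calling parse_control_data(SAMPLE) yields the doms list and the four outers entries exactly as the diary's decrypted listing shows them, and payloads_for_country(..., "US") returns all five download entries, which is the set hp1.exe later reports in its "newinstall" log line; a country code absent from the lists (say "DE") drops avatar and e2give, matching the diary's observation that behaviour depends on the country code.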
Immediately upon receiving the “US” country code from mastermind.com, Joe’s computer contacts "http://bins2.media-motor.net/soft/mm20.ocx" and downloads, installs, and registers this 61,440 byte OCX. Examining this file, it appears to be an OCX version of hp1.exe. It contains many of the same strings, and appears to offer the same functionality. I would assume that it acts as a resident version of hp1.exe.
Next, hp1.exe contacts "http://bins2.media-motor.net/soft/loads/8-24.exe" and downloads a 40,960 byte executable. The “8-24” name is derived from the date at the time of the download (August 24th).
Based upon the “marching orders” within the unencrypted datafile, Joe’s computer now contacts "http://www.avatarresources.com/dist/ast_4_mm.exe" and downloads a 129,152 byte executable. It then contacts "http://bins2.media-motor.net/soft/MediaMotor25.exe" and downloads a 9,056 byte executable.
Both of these files are launched, and MediaMotor25.exe immediately initiates a download from "http://64.7.220.98/downloads/IeBHOs.dll" which is a 129,536 byte long BHO (Browser Helper Object) that is installed into (duh) IE (Internet Explorer). IeBHOs.dll is a known component of adware from “e2give.” Because it is installed into IE and becomes, essentially, part of the browser, it is in the perfect position to monitor the URLs being “surfed” and to change Joe's browser's requests when going to specific sites in order to “direct” affiliate commissions to e2give. According to the e2give.com website, “e2give will donate a portion of each qualifying purchase to the e2give charities network.” This, of course, makes it perfectly fine for them to install their software onto Joe’s machine without his permission. (Yes, that was sarcasm.)
The ast_4_mm.exe file from avatarresources.com is a Wise installation executable. As it installs, it phones home to let the fine folks at avatarresources know that it has found a new place to live:
"http://www.avatarresources.com/count/count.php?&mm2_us&mm2_new_nocpr"
The Wise installation has its own downloading engine which contacts the interestingly named “www.wenksdisdkjeilsow.com” and accesses the URL “http:// www.wenksdisdkjeilsow.com/config/?v=5&n=mm2&i=” which, despite the fact that it generates errors, sends back more configuration information (sheesh guys, if you’re going to go through all the trouble to set this stuff up, at least set the permissions correctly on your scripts...)
566
Warning: SAFE MODE Restriction in effect.
The script whose uid is 500 is not allowed to access
/usr/local/psa/home/vhosts/wenksdisdkjeilsow.com/httpdocs
/config/log owned by uid 10011 in/usr/local/psa/home
/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php
on line 24
Warning: fopen("/usr/local/psa/home/vhosts
/wenksdisdkjeilsow.com/httpdocs/config/log", "a") -
Inappropriate ioctl for device in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs
/config/index.php on line 24
Warning: fputs(): supplied argument is not a
valid File-Handle resource in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php
on line 25
Warning: fclose(): supplied argument is not a
valid File-Handle resource in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php
on line 26
[URLS]
2,http://tt2.avres.net/tt/remove_spyware.exe
2,http://tt2.avres.net/tt/curgsi.exe
3,http://searchlocate.com/toolbar/searchlocate.exe
[VERSION]
5
[PROGRAM URL]
http://www.wenksdisdkjeilsow.com/files/ast_5_main.exe
[ID]
ArKJ9t9HzRnbf0GineJhq
[PRIORITY]
1,http://tt2.avres.net/tt/cpr_mm2.exe
2,http://tt2.avres.net/tt/ab1.exe
3,http://tt2.avres.net/tt/tvm_bundle.exe
4,http://tt2.avres.net/tt/cpr_mm2.exe
0
That’s just really BAD programming: you MUST check that those handles returned are valid when you open a file... dang... that’s Programming 101 Stuff. But I digress...
Hey! Look there! I see more URLs pointing to executable files. Gee, I wonder what’ll happen...?
Anyway... we now manage to round out the list of files that was in our original encrypted configuration data, and Joe’s machine goes out and grabs a file from "http://ups.roings.com/soft/unstall.exe." This actually does appear to be some sort of uninstall program, written in Visual Basic, and weighing in at 45,056 bytes. It only seems targeted at the files directly installed by the hp1.exe file, though.
But, lest we forget, we still have a Wise install running in the background. And, you guessed it, in “PRIORITY” order, it downloads:
"http://tt2.avres.net/tt/cpr_mm2.exe" (270,415 bytes)
"http://tt2.avres.net/tt/ab1.exe" (500,869 bytes)
"http://tt2.avres.net/tt/tvm_bundle.exe" (53,738 bytes)
"http://tt2.avres.net/tt/cpr_mm2.exe" (270,415 bytes - ????????)
Yes, you read that correctly. It DID download the exact same file twice. (It must be a personality trait of the morally bankrupt that they can be both clever and inane at the same time. The authors of these programs really do pull off some amazing stuff... but then they follow that up almost immediately by doing some amazingly STUPID stuff. Consistency guys, consistency...)
While all of that is happening, hp1.exe (Remember that file? It’s the one we started this installment with...) phones home to tell the folks at roings.com that all is well in malware-land, that it has done everything it was supposed to do, and that it deserves a big ol’ digital pat on the back:
"http:// logs.roings.com/log3.php?c={D358D17F-0D1A-4A98-A98D-810B01216183} &what=newinstall&aff=bigs104&country=US&ocx18=1&myexe=1&avatar=1&e2give=1"
“See! Look what I did! I installed ‘ocx18’ (mm20.ocx), ‘myexe’ (8-24.exe), ‘avatar’ (ast_4_mm.exe), and ‘e2give’ (MediaMotor25.exe) on this poor schmoe’s computer! Aren’t you proud of me?”
Not to be outdone, our Wise installer needs to phone home and let everyone know what a good job it did too:
"http://www.avatarresources.com/count/count.php?&mm2cpr_new"
So where does this leave us?
Well, Joe’s computer now has had so many fun and exciting “additions” installed I’m beginning to lose track. Let’s see: Joe’s computer now has two “affiliate buck” redirectors (SAHAgent and e2give), it’s had stuff from avatarresources.com installed, as well as all of those files from tt2.avres.net. And there’s more... trust me, there’s more.
Remember: this is all the result of visiting a SINGLE website with an unpatched machine.
If you ever need to explain to someone the pitfalls involved in not patching, all you need to do is point them to this listing:
The score card thus far (and I’m only counting executable content):
hp2.exe (16,384 bytes)
tvmupdater4bp5.exe (195,072 bytes)
AtPartners.dll (96,256 bytes)
SplWbr.dll (454,656 bytes – expands out to 3 files making up 892,288 bytes)
ezbdlLs.dll (151,040 bytes – expands out to 4 files making up 314,880 bytes)
hp1.exe (49,152 bytes)
mm20.ocx (61,440 bytes)
8-24.exe (40,960 bytes)
MediaMotor25.exe (9,056 bytes)
ast_4_mm.exe (129,152 bytes)
IeBHOs.dll (129,536 bytes)
cpr_mm2.exe (270,415 bytes)
ab1.exe (500,869 bytes)
tvm_bundle.exe (53,738 bytes)
and of course cpr_mm2.exe (270,415 bytes) again...
The shameful total (thus far... there’s more to come):
15 files – 2,428,141 bytes downloaded
20 files – 3,029,613 bytes on disk
And, no doubt, I missed a few...
I started Part II of “Bouncing Malware” by saying that Joe’s PC was no longer his own. With over 2 MB of software downloaded, installed, and executed without his permission, I would say that there is little doubt that Joe ISN’T the guy running the show. But who is?
In the next installment, I want to finish up looking at some of the software installed on Joe’s PC and then turn my sights to finding out a little more about the folks responsible for the deluge of spyware and adware that assault our machines and networks on a daily basis. Stay tuned... it’s gonna be fun.
Fat People Cost Airlines Big Time
Wow. I can remember when people used to cringe when I got on the plane. You could almost see them saying "please don't sit next to me, please don't sit next to me, please don't sit next to me" as you got closer. I used to have some fun and pass my seat by two or three rows and then come back. The look of relief turning to horror was almost worth the 2 to 3 hours of discomfort at being squished into a seat.
Since the surgery though things are much better. I can actually fit in a row with two other folks. It is still snug, but at least I fit without an extension and can have the arm rails down... :)
And you thought the biggest problem with overweight people on airplanes was that one might sit next to you and overcrowd your tiny seat. Turns out a much bigger issue for the airline industry may be that fat people are a drag... literally. The growing obesity problem in the US means that planes fly heavier, and that's costing big bucks in fuel. In fact, a new report suggests that this... um... weighty issue meant 350 million extra gallons of fuel in the year 2000 (it took them this long to get these stats?!?) costing approximately $275 million. No wonder the airlines are going bankrupt. Maybe some of these newer airlines need to set up exercise rooms in the airlines, rather than comfier seats. Get people out of the seats and moving around... It's for the good of the industry.
[Techdirt]
Thursday, November 4, 2004
New Jersey Smart Guns Move Forward
This looks neat. I would want to make sure that it was 100% foolproof. They could even have something that tests the blood-alcohol levels. :)
[Gizmodo]
New Jersey Institute of Technology just got another $1.1 million to continue testing their 'smart gun,' a handgrip system for firearms that prevents non-authorized users from using the weapons. By using a series of sensors along the grip, the gun can determine who is holding it and can even support multiple users.
However you feel about 'smart guns,' in general, the technology is worth keeping an eye on, as touch-based biometrics look to start showing up all over the place, including the steering wheels of cars and the pommels of swords and stuff.
NJIT's smart gun moves closer to completion with $1.1 million grant [Eurekalert]
StarWars Episode 3 Trailer
Grabbed this from somewhere..... I need to get the whole thing on DVD 1,2,4,5 and 6 and do a marathon weekend or something.
Am I the only one who becomes instantly 10 again when you hear the theme music and Darth Vader's breathing? Lunch box, action figures, the whole 9... Ahh the good old days.
Round-Up Ready Coca Plants
I found this a very interesting read. Not because I know anyone at any of the companies mentioned, or that I used to kind of work with/for such companies, but that the farmers were able to selectively breed the plants to be resistant to Round-Up. That dude who got sued by Monsanto should have claimed selective breeding... But then, I guess his plant would have had the signature of manipulation in it.. Anyway, a good read if you are into gene manipulation
Closing comments on old entries
David Raynes has a script that will close old comments. Go get it here..
Wednesday, November 3, 2004
5th grade math?!?
A collection of goats and ducks have a total of 99 heads and legs between them. There are twice as many ducks as there are goats. How many of each is there?
Don't google it! That's cheating...
Took me a while but I figured it out... Answer tomorrow! That is, unless someone else answers it first. :)
Winner gets a big ole kiss this year at the Howard Hootenanny!
Bush won!!!!
BREAKING NEWS Sen. John Kerry calls President Bush to concede presidential election,
iPod Altoids battery pack
This looks cool. I know a few folks who have an iPod so maybe they will get a use out of this.
Ok, we should note that you could probably turn just about anything that’s the right shape and size into a DIY external battery pack for the iPod (like that one made out of a deck of playing cards), but the latest to pop up is a pack that’s been squeezed into an Altoids tin and’ll give you an extra ten hours of precious playing time.
[Via hackaday][Engadget]
Tuesday, November 2, 2004
palmOne to make Microsoft Windows Mobile Treo?
Ooooooh, this could be cool. But I am still holding out for a PPC6601!
First that team wins that thing, now this—palmOne (PalmSource’s biggest customer and maker of the Treo 650) appears it really might be planning to use Microsoft’s Windows Mobile OS in its Treo line of smartphones (they’d keep making Palm-powered Treos). No comment from Microsoft on this yet, when it’ll be out, carrier, specs or even which flavor of Windows Mobile it will be, but we’re guessing Pocket PC Phone Edition if it’s going to be in a Treo form factor. A few weeks ago, when palmOne hooked up with Microsoft to better provide Microsoft Exchange support, we mentioned there might be something bigger coming.
[Thanks, Jacek]
[Engadget]
Monday, November 1, 2004
MSN Remote Record lets you program your Media Center PC to record TV from anywhere
This is cool. BeyondTV has this already but it is good to see that MS is doing it too.
It’s a feature that’s already found in several other digital video recording software packages, but Microsoft says they’re going to add a new service called MSN Remote Record that’ll let you use any browser to remotely schedule a PC running Windows XP Media Center Edition 2005 to record shows (useful if you’re on vacation or are at work and think of a show you’d like to have waiting for you when you return home). If you can’t wait, there’s a plug-in that’s already available called AllMiMedia that lets you do this with Media Center PCs (and that even works on smartphone browsers).
[Via Digital Media Thoughts][Engadget]