Religious sites are more dangerous than porn sites for getting malware.

We all have that one friend/relative/client who seems to get infected with some form of virus or malware every week and those of us who take on the task of cleaning up their PCs every time they do always tell the same joke: This wouldn’t happen if you’d stop visiting all those porn sites.

But it turns out that it’s actually religious sites that are the real malware threat. At least according to a report from the folks at Symantec:

The average number of threats found on religious sites was 115 mostly fake antivirus software. By contrast, pornographic sites had less than a quarter, at around 25 threats per site. Of course, the number of pornographic sites is vastly greater than religious sites.

According to Greg Day, Symantec’s security CTO for Europe, the Middle East and Africa, while trojans may seem more serious, “if you have installed fake AV you may think you are protected, when in reality you are open to all sorts of attacks.”

This does make a certain bit of sense when you think about it. A lot of religious websites are set up and maintained by church people with varying degrees of computer skills whereas most successful porn sites are run by people who know what they’re doing and how to secure their platforms. No one thinks the asshats who put malware out on the net are going to bother with some piddly-ass church site so there’s less concern about updating software or locking down server access even if the person running it has a clue how to do those things. From the hacker’s point of view, however, every PC infected is one more PC in the botnet that can send out spam/DDoS attacks/whatever. A lot of attempted hacks are automated with scripts these days so if it’s trivial to hack a site and install your malware it’s worth doing so even if it only nets you a handful of PCs. Not like the hackers themselves even have to think about it.

Which is why you should always wear a condom when you go to religious websites. You know, just to be safe.

ISPs and FBI warning about a nasty rootkit called Alureon.

I got an email from an SEB regular about an email they got to check their PC to see if it’s infected that directed them to DCWG.org. She wanted to know if it was legit or a scam. I checked it out and wrote back and I thought the info would be useful for others so here’s her original email followed by my reply:

Subject: dcwg scam

Not hate mail, but a query:  Is this dcwg.org computer checking site that the FBI is sending us to legit?

You’re the only computer guy I “know” [and not in the biblical sense!]

And my reply:

I hadn’t heard about it before, but it doesn’t appear to be a scam. Their about page (http://www.dcwg.org/aboutcontact/) says it’s a joint effort between the FBI, Georgia Tech, The Internet Systems Consortium, Mandiant, National Cyber Forensics and Training Alliance, Neustar, Spamhaus, Team Cynmru, Trend Micro, and the University of Alabama at Birmingham. That’s a pretty impressive group and many of them have links back to dcwg.org. They also provide several links to the FBI (http://www.fbi.gov/news/stories/2011/november/malware_110911) and other sources for confirmation, plus there’s a good number of news articles about it (http://www.usatoday.com/tech/news/story/2012-04-20/internet-woes-infected-pcs/54446044/1). On top of that there’s a number of articles about it at various ISP such as Comcast (http://forums.comcast.com/t5/Security-and-Anti-Virus/DNS-Changer-Bot-FAQ/td-p/1215341). The fact that it has pretty good prominence on Google’s search is a good indicator it’s legit as well.

If you were sent a notice from your ISP I’d take it seriously and run a couple of the tests to verify. This is a nasty rootkit that modifies what DNS servers you connect to to resolve domain names (it’s how you get from typing in stupidevilbastard.com to an IP address the computer can understand which for SEB would be 209.240.81.155). The rootkit modifies the hosts file on your PC and can, apparently, even modify some home routers as well (especially if you never changed the default password). One clear sign is if your antivirus software has been disabled, but check the links for more info. It appears it’s the Alureon rootkit which you can read more about at Wikipedia: http://en.wikipedia.org/wiki/Alureon

Don’t panic too much. Even if you are infected and lose connectivity in July your PCs can be fixed. The reason they’re working now is the FBI has seized the rogue DNS servers and replaced them with non-naughty ones, but they’re not going to keep them running forever. When they shut them done in July your PC won’t be able to resolve domain names. It’s not that you’re not connected to the net, just that you’d be limited to typing in IP addresses like the one I gave you for SEB. That bypasses DNS altogether.

Les

Windows 8 will include a whole new way of dealing with file storage.

You really need to read this ArsTechnica article. This is yet another amazing addition to the upcoming Windows 8. Microsoft seems to be pulling out all the stops to make the next version of Windows a major upgrade.

Windows 8 Storage Spaces detailed: pooling redundant disk space for all

When Microsoft killed Windows Home Server's "Drive Extender" technology, we mourned its loss but held up hope that the company would persevere with the concept. The company has done just that with a new Windows 8 feature called Storage Spaces, described in a lengthy post to its Building Windows 8 blog.

With Storage Spaces, physical disks are grouped together into pools, and pools are then carved up into spaces, which are formatted with a regular filesystem and are used day-to-day just like r…

Microsoft’s official write up on Storage Spaces in Windows 8.

If you want to know all the nitty-gritty details then this article gives a pretty in-depth look at it. I'm really looking forward to Windows 8 and getting my hands on some of these new tools.

Virtualizing storage for scale, resiliency, and efficiency

In this post, we are going to dive into a feature in the Windows 8 Developer Preview. Storage Spaces are going to dramatically improve how you manage large volumes of storage at home (and work). We’ve all tried the gamut of storage solutions—from JBOD arrays, to RAID boxes, or NAS boxes. Many of us have been using Windows Home Server Drive Extender and have been hoping for an approach architected more closely as part of NTFS and integrated with Windows more directly. In building the Windows 8…

A small security reminder: Beware of suspicious links!

Even if they come from friends and family on Facebook and other social sites. And always use different passwords on every site!

Worm steals 45,000 Facebook login credentials, infects victims’ friends

A worm previously used to commit financial fraud is now stealing Facebook login credentials, compromising at least 45,000 Facebook accounts with the goals of transmitting malicious links to victims’ friends and gaining remote access to corporate networks.

The security company Seculert has been tracking the progress of Ramnit, a worm first discovered in April 2010, and described by Microsoft as “multi-component malware that infects Windows executable files, Microsoft Office files and HTML fil…

If you have an affected HP printer you’re going to want to apply this firmware update.

If you have an affected HP printer you’re going to want to apply this firmware update.

Sounds like it won’t be too long before we start seeing this exploit show up in the wild. I wonder if anti-virus programs could be made to detect the malicious documents? #google+ #computing #security #HP

Printer malware: print a malicious document, expose your whole LAN

One of the most mind-blowing presentations at this year’s Chaos Communications Congress (28C3) was Ang Cui’s Print Me If You Dare, in which he explained how he reverse-engineered the firmware-update process for HPs hundreds of millions of printers. Cui discovered that he could load arbitrary software into any printer by embedding it in a malicious document or by connecting to the printer online. As part of his presentation, he performed two demonstrations: in the first, he sent a document to …

PCI-E 3.0 and GPU compute will be the next big thing.

PCI-E 3.0 will take awhile before it really bears fruit for early adopters, but within a year or two you’re going to see a big shift in how computational intensive applications are written specifically to take advantage of GPU Compute and PCI-E 3.0.

tl;dr: You think your system is fast now…

Sandy Bridge E & X79 PCIe 3.0: It Works

At the launch of Intel’s LGA-2011 based Sandy Bridge E CPU we finally had a platform capable of supporting PCI Express 3.0, but we lacked GPUs to test it with. That all changed this past week as we worked on our review of the Radeon HD 7970, the world’s first 28nm GPU with support for PCIe 3.0.

The move to PCIe 3.0 increases per-lane bandwidth from 500MB/s to 1GB/s. For a x16 slot that means doubling bandwidth from 8GB/s under PCIe 2.1 to 16GB/s with PCIe 3.0. As we’ve seen in earlier revie…

Beware cold calls from people claiming to be from Microsoft about problems with your computer.

I got a fun phone call this evening. The number was blocked and my initial reaction was to not answer it, but my boss is in town and the phones at work don’t always show up properly on my phone’s caller ID so I went against my better judgement and answered it. The man on the other end of the line had a very thick Indian accent and sounded like he was working in a call center. He claimed to be an official Microsoft Technical Support technician and that they had been alerted to problems with my PC that could result in “very bad” crashes that could result in “total loss of all data.”

Naturally I was very concerned about this newly discovered risk and he helpfully offered to show me where on my computer I could see for myself the dozens of error messages they had been receiving through a “web server” (you could almost hear the double quotes in the way he said it). He had me sit down in front of my PC (I was already there) and gave me step-by-step instructions on how to launch the Event Viewer in Windows. Therein he directed me to the Custom Views and Administrative Events log where there were, indeed, dozens and dozens of error messages and warnings including some that were critical! Oh my!

These generic error messages spell my DOOOOOM!

This is why, he explained as though I were a five-year-old, that my computer was at risk and that I had hit the limit which triggered their contacting me. Not to fear, they could assist in fixing the problem! He asked if I had Internet Explorer, I said I do, so he instructed me to go to a webpage where I should download a product called Ammyy Admin 3 (it’s free!) which would allow them to assist me directly.

It was at this point that I informed him that I was a computer technician myself and that I knew there wasn’t anything wrong with my computer and that they weren’t receiving notifications through a “web server” of problems I might be having and… that’s when he hung up on me.

Now it appears that the Ammyy Admin 3 software is a legitimate product used by a number of folks that asshole scammers have latched onto for this cold calling scam because it’s free and allows them to take control of your PC once it’s installed. There’s even a forum thread on their site about this scam. Not to mention that if you Google the URL you were given you find that immediately after the link to the Ammyy software homepage are links to people reporting on this scam. Word has it that if you go along with the scam they’ll show you some more generic error messages in the Event Viewer logs and tell you it’s because your system is infected with a virus and then they’ll take you to a website where they’ll try to get you to buy an anti-virus software package that probably doesn’t do jack shit. The details vary as does the software — this account from another support professional back in 2005 said they used a remote desktop package called Teamviewer — but the scam is the same. Show you some scary looking logs and convince you to buy their bullshit software.

Here’s the thing, at any given point in time the Event Viewer is almost always going to be chock full of error messages. That’s just the nature of the Windows beast. If you’re familiar with the Event Viewer then it’s not too difficult to figure out that most of these aren’t anything to be concerned about, but for the average Jane or Joe it can look pretty alarming. Folks have said that once they take control of your PC they’ll also do stupid things like list the files in your Temp or Prefetch folder and then tell you that those files are the result of spyware or a virus. Again, if you’re not that familiar with how Windows works it could look pretty scary. One red flag that you’re being bullshitted is the fact that they have you download a free third-party Remote Desktop tool. Windows already has a Remote Desktop tool built in along with a Remote Assistance tool which Microsoft would probably make use of if it was really Microsoft. Which it isn’t because Microsoft would never call you for something like this.

As near as I can tell, the scammers aren’t using the opportunity of having full access to your computer to steal your personal information (e.g. documents, credit card numbers, bank passwords, etc.) but I didn’t dig into too many of the websites that are talking about this so I can’t say for sure that they aren’t. Needless to say, once you’ve given them access to your machine you should probably consider it comprised badly enough to back up your data, erase your hard drive, and reinstall everything from scratch. Hopefully you’ll have read this first and will recognize these assholes when they come calling.

Why it behooves you to have some computer literacy or at least some skepticism.

Pic of Charlie Brown.

I'm right there with you on that one, Chuck.

It seems you can’t even trust your friendly neighborhood PC repair technician anymore (unless it’s me):

Trevor Harwell, 20, a technician for Rezitech Inc., provided home computer services to users with Macintosh computers, said Fullerton Police Sgt. Andrew Goodrich.

Harwell went to elaborate lengths to ensure that he got lurid images, even convincing users through system messages that they needed to take their computers into steamy environments, such as near their showers, Goodrich said.

“While he had physical access to the computers, he would install a spyware-type application that allowed him remote access to the user’s computer and webcam,” Goodrich said.

“Once he had access, he would take photographs of the users, usually women,” Goodrich said. “Often, the female victims were undressed or changing clothes.”

[…] One message mimicked the appearance of a system message and read: “You should fix your internal sensor soon. If unsure what to do, try putting your laptop near hot steam for several minutes to clean the sensor.”

The message led many victims to take their laptops into the bathroom while taking a shower, Goodrich said.

via Computer repairman accused of taking nude pictures of women remotely – latimes.com.

It doesn’t take a genius to know that water, even in the form of steam, and computers don’t really mix well so if your computer is suddenly telling you it needs a steam bath you should probably be at least a little bit skeptical. I could make a snarky comment about the fact that these were Mac users so it’s probably no surprise that they were easily duped — after all, look at how much they’re being duped out of to buy a Mac in the first place — but I’m sure there are plenty of Windows users out there who wouldn’t stop to question their computer’s sudden desire for tropical atmospheres either.

It’s probably a sign of my tendency to over-estimate the intelligence of the average American that I was surprised such a ploy worked at all, let alone for as long as this news items suggests it did. The police are saying that they’ve recovered “hundreds of thousands” of images. Perhaps these folks should consider taking an introduction to computers class at the local college.

Own an iPhone or iPad? It’s been tracking everywhere you go for the past year.

Pic of output from iPhone Tracker app.

A sample of the output. The bigger the dot the more times you've been recorded as being there.

Here’s something you probably didn’t know about your iPhone/iPad: It appears to be keeping a record of everyplace you’ve ever been both the device itself and on your computer if you use iTunes to back up your phone. The folks over at AresTechnica.com have the details:

Researchers Alasdair Allan and Pete Warden revealed their findings on Wednesday ahead of their presentation at the Where 2.0 conference taking place in San Francisco. The two discovered that the iPhone or 3G iPad—anything with 3G data access, so no iPod touch—are logging location data to a file called consolidated.db with latitude and longitude coodinates and a timestamp. The data collection appears to be associated with the launch of iOS 4 last June, meaning that many users (us at Ars included) have nearly a year’s worth of stalking data collected.

In order to drive the point home, the two developed an open source application called iPhone Tracker that lets anyone with access to your computer see where you’ve been.

Now some of you might be thinking this isn’t anything new as these products have long had GPS features that will tell you where you are and they often notify you that they’re doing so when you use them. Yeah, but this is slightly different. This tracking isn’t being done using the GPS, but by triangulating your position relative to cell phone towers:

Users don’t get to decide whether their locations are tracked via cell towers or not—unlike GPS, there is no setting that lets users turn it off, there’s no explicit consent every time it happens, and there’s no way to block the logging. (Nitpickers will point out that you do give your consent to iTunes when you download and install iOS 4, but this is not treated the same way as the consent given to the iPhone every time an app wants to use GPS.) So, whether or not you’re using GPS, if you’re using your iPhone as a cell phone, you are being tracked and logged constantly without your knowledge.

The only way to avoid this tracking is to turn off the cellphone part of the device. Now the problem here isn’t so much that your devices are tracking your every move, but that you’re not being told about it. The good news is that, as near as the researchers can determine, this data is not being sent back to Apple or any other third party. The bad news is that it’s not at all difficult to get access to which means that if you lose your phone or your computer is compromised then anyone with the iPhone Tracker app can call up everywhere you’ve ever been with it. You can bet your ass that law enforcement absolutely loves this “feature” so if you’ve ever been anywhere you don’t want someone to know about, well, hope you didn’t have an iPhone with you.

Of course, this only really matters if you give a shit about people knowing your comings and goings. Something which more and more people seem to have stopped worrying about. In fact, the folks at Gawker are reporting that this discovery has spawned a hot new trend:

When it comes to technology today, there is barely any distance between outrageous privacy violation and cool new feature. When news broke yesterday that Apple has been secretly spying on iPhone users, many people immediately broadcasted the illicit data to everyone.

[…] Holy crap, Apple has been secretly logging our every move for months? Let’s… broadcast it to everyone on the internet! Many techies are now showing off their iSpy maps: “I find myself fascinated staring at this automatically generated record of where I’ve been,” wrote tech blogger Alexis Madrigal. Tumblr and Twitter arefull of them. “I don’t get out of West LA enough,” user aboycommemoi observed.

For its part, Apple hasn’t said shit about this discovery, but there is some indication that this may not have been an intentional breach of user trust. More likely it’s a bug or an oversight in the program. The folks at Gizmodo explain:

As Gruber’s been informed, consolidated.db—the tin-foil-hat-inducing log in question—is a cache for location data. (As Pete Warden and Alasdair Allan’s FAQ about their project implies.) What’s supposed to happen with the cache is that the “historical data should be getting culled but isn’t”—because of said bug or oversight. In Gruber’s words:

I.e. someone wrote the code to cache location data but never wrote code to cull non-recent entries from the cache, so that a database that’s meant to serve as a cache of your recent location data is instead a persistent log of your location history. I’d wager this gets fixed in the next iOS update.

So how freaked out should you be? If you don’t own an iPhone or iPad then this isn’t really an issue for you. If you do then it depends on how much you give a shit if someone could potentially get hold of that data. The chances that you’ll be hacked and have it stolen for some nefarious, but unknown purpose is probably minimal. However that data is something that could potentially be used against you by law enforcement if they should happen to have reason to acquire it.

Given the recent hoopla here in Michigan where the State Police have been accused of extracting data from cell phones during routine traffic stops, that may be something to consider. (Note, the MSP put out a response to the ACLU’s assertions saying that they do not collect cell phone data during routine traffic stops and only do so with a court issued warrant.) And while you may say that you’ve nothing to hide from the police, it’s not like there aren’t cases where circumstantial and coincidental evidence got an innocent person convicted.

Just the same, forewarned is forearmed and it’s better to know what is being collected about you — intentionally or not — than not know.