ISPs and FBI warning about a nasty rootkit called Alureon.

I got an email from an SEB regular about a notice she’d received telling her to check her PC for an infection, which sent her to DCWG.org. She wanted to know if it was legit or a scam. I checked it out and wrote back, and since the info should be useful for others, here’s her original email followed by my reply:

Subject: dcwg scam

Not hate mail, but a query: Is this dcwg.org computer checking site that the FBI is sending us to legit?

You’re the only computer guy I “know” [and not in the biblical sense!]

And my reply:

I hadn’t heard about it before, but it doesn’t appear to be a scam. Their about page (http://www.dcwg.org/aboutcontact/) says it’s a joint effort between the FBI, Georgia Tech, The Internet Systems Consortium, Mandiant, National Cyber Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham. That’s a pretty impressive group and many of them have links back to dcwg.org. They also provide several links to the FBI (http://www.fbi.gov/news/stories/2011/november/malware_110911) and other sources for confirmation, plus there’s a good number of news articles about it (http://www.usatoday.com/tech/news/story/2012-04-20/internet-woes-infected-pcs/54446044/1). On top of that there’s a number of articles about it at various ISPs such as Comcast (http://forums.comcast.com/t5/Security-and-Anti-Virus/DNS-Changer-Bot-FAQ/td-p/1215341). The fact that it has pretty good prominence on Google’s search is a good indicator it’s legit as well.

If you were sent a notice from your ISP I’d take it seriously and run a couple of the tests to verify. This is a nasty rootkit that modifies which DNS servers your PC uses to resolve domain names (that’s how you get from typing in stupidevilbastard.com to an IP address the computer can understand, which for SEB would be 209.240.81.155). The rootkit modifies the hosts file on your PC and can, apparently, even modify some home routers as well (especially if you never changed the default password). One clear sign is if your antivirus software has been disabled, but check the links for more info. It appears it’s the Alureon rootkit which you can read more about at Wikipedia: http://en.wikipedia.org/wiki/Alureon

Don’t panic too much. Even if you are infected and lose connectivity in July your PCs can be fixed. The reason they’re working now is the FBI has seized the rogue DNS servers and replaced them with non-naughty ones, but they’re not going to keep them running forever. When they shut them down in July your PC won’t be able to resolve domain names. It’s not that you’re not connected to the net, just that you’d be limited to typing in IP addresses like the one I gave you for SEB. That bypasses DNS altogether.

Les
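Since the whole point of the DCWG test is to see which DNS servers your PC has been pointed at, here is a small script that does the same check offline. It is an added example, not the dcwg.org checker and not anything from the email above. The six address ranges are the ones the FBI listed in its DNSChanger advisory (they come from that advisory, not from this post), and the `ipconfig /all` snippet it chews on is constructed for the example; paste your own output in its place.

```python
"""Check whether a PC's configured DNS resolvers fall inside the address
ranges the FBI published for the DNSChanger rogue servers.

Added example, not the dcwg.org checker. The ranges below are taken from
the FBI's DNSChanger advisory; the sample ipconfig output is constructed
so the script runs offline.
"""
import ipaddress
import re

# Rogue DNS server ranges from the FBI's DNSChanger advisory (inclusive).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Pre-compute CIDR networks once so membership tests are cheap.
_NETWORKS = [
    net
    for lo, hi in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rogue_resolver(ip: str) -> bool:
    """True if the resolver address sits inside a DNSChanger range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _NETWORKS)


def resolvers_from_ipconfig(text: str) -> list:
    """Pull the DNS server addresses out of `ipconfig /all` output.

    ipconfig prints 'DNS Servers . . . : <first>' and lists any further
    servers on continuation lines that carry no ' : ' key separator.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        if re.match(r"\s*DNS Servers", line):
            in_dns_block = True
            servers.extend(_IPV4.findall(line))
        elif in_dns_block and " : " not in line and line.strip():
            servers.extend(_IPV4.findall(line))      # continuation line
        else:
            in_dns_block = False
    return servers


def resolvers_from_resolv_conf(text: str) -> list:
    """Pull nameserver addresses out of an /etc/resolv.conf (Linux/Mac)."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def check(servers) -> dict:
    """Map each resolver address to True (rogue range) or False (clean)."""
    return {s: is_rogue_resolver(s) for s in servers}


# Constructed sample: one ordinary resolver and one inside a rogue range.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       85.255.112.36
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for server, rogue in check(resolvers_from_ipconfig(SAMPLE_IPCONFIG)).items():
        print(f"{server:16} {'ROGUE (DNSChanger range)' if rogue else 'ok'}")
```

On Windows you would run `ipconfig /all` and feed that text to `resolvers_from_ipconfig`; on a Linux or Mac box `resolvers_from_resolv_conf` reads `/etc/resolv.conf`. The home-router case shows up in the same place, because a tampered router hands the rogue address to the PC over DHCP, so it turns up in the PC's resolver list even though nothing on the PC itself was changed.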

Windows 8 will include a whole new way of dealing with file storage.

You really need to read this ArsTechnica article. This is yet another amazing addition to the upcoming Windows 8. Microsoft seems to be pulling out all the stops to make the next version of Windows a major upgrade.

Windows 8 Storage Spaces detailed: pooling redundant disk space for all

When Microsoft killed Windows Home Server's "Drive Extender" technology, we mourned its loss but held up hope that the company would persevere with the concept. The company has done just that with a new Windows 8 feature called Storage Spaces, described in a lengthy post to its Building Windows 8 blog.

With Storage Spaces, physical disks are grouped together into pools, and pools are then carved up into spaces, which are formatted with a regular filesystem and are used day-to-day just like r…

Microsoft’s official write up on Storage Spaces in Windows 8.

If you want to know all the nitty-gritty details then this article gives a pretty in-depth look at it. I'm really looking forward to Windows 8 and getting my hands on some of these new tools.

Virtualizing storage for scale, resiliency, and efficiency

In this post, we are going to dive into a feature in the Windows 8 Developer Preview. Storage Spaces are going to dramatically improve how you manage large volumes of storage at home (and work). We’ve all tried the gamut of storage solutions—from JBOD arrays, to RAID boxes, or NAS boxes. Many of us have been using Windows Home Server Drive Extender and have been hoping for an approach architected more closely as part of NTFS and integrated with Windows more directly. In building the Windows 8…

A small security reminder: Beware of suspicious links!

Even if they come from friends and family on Facebook and other social sites. And always use different passwords on every site!

Worm steals 45,000 Facebook login credentials, infects victims’ friends

A worm previously used to commit financial fraud is now stealing Facebook login credentials, compromising at least 45,000 Facebook accounts with the goals of transmitting malicious links to victims’ friends and gaining remote access to corporate networks.

The security company Seculert has been tracking the progress of Ramnit, a worm first discovered in April 2010, and described by Microsoft as “multi-component malware that infects Windows executable files, Microsoft Office files and HTML fil…

If you have an affected HP printer you’re going to want to apply this firmware update.

Sounds like it won’t be too long before we start seeing this exploit show up in the wild. I wonder if anti-virus programs could be made to detect the malicious documents? #google+ #computing #security #HP

Printer malware: print a malicious document, expose your whole LAN

One of the most mind-blowing presentations at this year’s Chaos Communications Congress (28C3) was Ang Cui’s Print Me If You Dare, in which he explained how he reverse-engineered the firmware-update process for HP’s hundreds of millions of printers. Cui discovered that he could load arbitrary software into any printer by embedding it in a malicious document or by connecting to the printer online. As part of his presentation, he performed two demonstrations: in the first, he sent a document to …
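One way an anti-virus engine or a print-spooler filter could answer the question above is to scan each print job for the PJL firmware-update command before it reaches the printer. The script below is an added example, not Ang Cui’s code and not anything from the article, and it rests on one assumption drawn from HP’s documented remote firmware update (RFU) format rather than from this page: an RFU arrives as a print job whose PJL header carries `@PJL UPGRADE SIZE=<bytes>`. A document that only claims to print pages has no business containing that command, least of all part-way through the job. The jobs it scans are constructed for the example.

```python
"""Flag print jobs that carry HP's PJL firmware-upgrade command.

Added example, not code from the original post or from Ang Cui's talk.
Assumption (from HP's documented remote firmware update format, not from
the article): a firmware update is a print job whose PJL header holds
'@PJL UPGRADE SIZE=<bytes>'. The sample jobs are constructed here.
"""
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language: opens a PJL block
_UPGRADE = re.compile(rb"@PJL[ \t]+UPGRADE\b[^\r\n]*", re.IGNORECASE)
_SIZE = re.compile(rb"SIZE[ \t]*=[ \t]*(\d+)", re.IGNORECASE)


def scan_job(job: bytes) -> dict:
    """Look for a firmware-upgrade command anywhere in a raw print job.

    Returns {"upgrade": False} for a clean job. Otherwise reports where
    the command sits, the payload size it declares, and whether page
    data precedes it, i.e. the command was smuggled into the middle of
    what presents itself as an ordinary document.
    """
    m = _UPGRADE.search(job)
    if m is None:
        return {"upgrade": False}
    size = _SIZE.search(m.group(0))
    # The PJL block holding the command starts at the last UEL before it;
    # a job that is nothing but a firmware update starts with that UEL.
    block_start = job.rfind(UEL, 0, m.start())
    return {
        "upgrade": True,
        "offset": m.start(),
        "declared_size": int(size.group(1)) if size else None,
        "embedded_in_document": block_start > 0,
    }


def scan_jobs(jobs: dict) -> dict:
    """Scan a batch of {name: job_bytes}; returns only the flagged ones."""
    flagged = {}
    for name, job in jobs.items():
        result = scan_job(job)
        if result["upgrade"]:
            flagged[name] = result
    return flagged


# Constructed samples. Both start like a normal PCL job (PJL header, then
# page data). The second one then opens a fresh PJL block carrying an
# UPGRADE command followed by a dummy firmware image.
_PAGE_DATA = b"\x1bE" + b"Hello, printer.\r\n" * 4 + b"\x0c"
NORMAL_JOB = (UEL + b"@PJL JOB\r\n@PJL ENTER LANGUAGE=PCL\r\n"
              + _PAGE_DATA + UEL + b"@PJL EOJ\r\n" + UEL)
MALICIOUS_JOB = (UEL + b"@PJL JOB\r\n@PJL ENTER LANGUAGE=PCL\r\n"
                 + _PAGE_DATA + UEL + b"@PJL UPGRADE SIZE=4096\r\n"
                 + b"\x00" * 4096 + UEL)
# A bare update job: the UPGRADE block is the very first thing sent.
PLAIN_UPDATE = UEL + b"@PJL UPGRADE SIZE=16\r\n" + b"\xff" * 16 + UEL

if __name__ == "__main__":
    batch = {"normal": NORMAL_JOB, "doc-with-firmware": MALICIOUS_JOB,
             "bare-update": PLAIN_UPDATE}
    for name, result in scan_jobs(batch).items():
        print(name, result)
```

The `embedded_in_document` flag is the interesting one for the attack described above: a genuine update pushed by an admin tool is a job that starts with the upgrade block, whereas a booby-trapped document prints some pages first and only then switches the printer into update mode. Blocking jobs where that flag is set (and logging the declared size) costs nothing for ordinary printing.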

PCI-E 3.0 and GPU compute will be the next big thing.

PCI-E 3.0 will take a while before it really bears fruit for early adopters, but within a year or two you’re going to see a big shift in how computationally intensive applications are written specifically to take advantage of GPU Compute and PCI-E 3.0.

tl;dr: You think your system is fast now…

Sandy Bridge E & X79 PCIe 3.0: It Works

At the launch of Intel’s LGA-2011 based Sandy Bridge E CPU we finally had a platform capable of supporting PCI Express 3.0, but we lacked GPUs to test it with. That all changed this past week as we worked on our review of the Radeon HD 7970, the world’s first 28nm GPU with support for PCIe 3.0.

The move to PCIe 3.0 increases per-lane bandwidth from 500MB/s to 1GB/s. For a x16 slot that means doubling bandwidth from 8GB/s under PCIe 2.1 to 16GB/s with PCIe 3.0. As we’ve seen in earlier revie…

Beware cold calls from people claiming to be from Microsoft about problems with your computer.

I got a fun phone call this evening. The number was blocked and my initial reaction was to not answer it, but my boss is in town and the phones at work don’t always show up properly on my phone’s caller ID so I went against my better judgement and answered it. The man on the other end of the line had a very thick Indian accent and sounded like he was working in a call center. He claimed to be an official Microsoft Technical Support technician and that they had been alerted to problems with my PC that could result in “very bad” crashes that could result in “total loss of all data.”

Naturally I was very concerned about this newly discovered risk and he helpfully offered to show me where on my computer I could see for myself the dozens of error messages they had been receiving through a “web server” (you could almost hear the double quotes in the way he said it). He had me sit down in front of my PC (I was already there) and gave me step-by-step instructions on how to launch the Event Viewer in Windows. Therein he directed me to the Custom Views and Administrative Events log where there were, indeed, dozens and dozens of error messages and warnings including some that were critical! Oh my!

These generic error messages spell my DOOOOOM!

This is why, he explained as though I were a five-year-old, that my computer was at risk and that I had hit the limit which triggered their contacting me. Not to fear, they could assist in fixing the problem! He asked if I had Internet Explorer, I said I do, so he instructed me to go to a webpage where I should download a product called Ammyy Admin 3 (it’s free!) which would allow them to assist me directly.

It was at this point that I informed him that I was a computer technician myself and that I knew there wasn’t anything wrong with my computer and that they weren’t receiving notifications through a “web server” of problems I might be having and… that’s when he hung up on me.

Now it appears that the Ammyy Admin 3 software is a legitimate product used by a number of folks that asshole scammers have latched onto for this cold calling scam because it’s free and allows them to take control of your PC once it’s installed. There’s even a forum thread on their site about this scam. Not to mention that if you Google the URL you were given you find that immediately after the link to the Ammyy software homepage are links to people reporting on this scam. Word has it that if you go along with the scam they’ll show you some more generic error messages in the Event Viewer logs and tell you it’s because your system is infected with a virus and then they’ll take you to a website where they’ll try to get you to buy an anti-virus software package that probably doesn’t do jack shit. The details vary as does the software — this account from another support professional back in 2005 said they used a remote desktop package called Teamviewer — but the scam is the same. Show you some scary looking logs and convince you to buy their bullshit software.

Here’s the thing, at any given point in time the Event Viewer is almost always going to be chock full of error messages. That’s just the nature of the Windows beast. If you’re familiar with the Event Viewer then it’s not too difficult to figure out that most of these aren’t anything to be concerned about, but for the average Jane or Joe it can look pretty alarming. Folks have said that once they take control of your PC they’ll also do stupid things like list the files in your Temp or Prefetch folder and then tell you that those files are the result of spyware or a virus. Again, if you’re not that familiar with how Windows works it could look pretty scary. One red flag that you’re being bullshitted is the fact that they have you download a free third-party Remote Desktop tool. Windows already has a Remote Desktop tool built in along with a Remote Assistance tool which Microsoft would probably make use of if it was really Microsoft. Which it isn’t because Microsoft would never call you for something like this.

As near as I can tell, the scammers aren’t using the opportunity of having full access to your computer to steal your personal information (e.g. documents, credit card numbers, bank passwords, etc.) but I didn’t dig into too many of the websites that are talking about this so I can’t say for sure that they aren’t. Needless to say, once you’ve given them access to your machine you should probably consider it compromised badly enough to back up your data, erase your hard drive, and reinstall everything from scratch. Hopefully you’ll have read this first and will recognize these assholes when they come calling.

Why it behooves you to have some computer literacy or at least some skepticism.

Pic of Charlie Brown.

I'm right there with you on that one, Chuck.

It seems you can’t even trust your friendly neighborhood PC repair technician anymore (unless it’s me):

Trevor Harwell, 20, a technician for Rezitech Inc., provided home computer services to users with Macintosh computers, said Fullerton Police Sgt. Andrew Goodrich.

Harwell went to elaborate lengths to ensure that he got lurid images, even convincing users through system messages that they needed to take their computers into steamy environments, such as near their showers, Goodrich said.

“While he had physical access to the computers, he would install a spyware-type application that allowed him remote access to the user’s computer and webcam,” Goodrich said.

“Once he had access, he would take photographs of the users, usually women,” Goodrich said. “Often, the female victims were undressed or changing clothes.”

[…] One message mimicked the appearance of a system message and read: “You should fix your internal sensor soon. If unsure what to do, try putting your laptop near hot steam for several minutes to clean the sensor.”

The message led many victims to take their laptops into the bathroom while taking a shower, Goodrich said.

via Computer repairman accused of taking nude pictures of women remotely – latimes.com.

It doesn’t take a genius to know that water, even in the form of steam, and computers don’t really mix well so if your computer is suddenly telling you it needs a steam bath you should probably be at least a little bit skeptical. I could make a snarky comment about the fact that these were Mac users so it’s probably no surprise that they were easily duped — after all, look at how much they’re being duped out of to buy a Mac in the first place — but I’m sure there are plenty of Windows users out there who wouldn’t stop to question their computer’s sudden desire for tropical atmospheres either.

It’s probably a sign of my tendency to over-estimate the intelligence of the average American that I was surprised such a ploy worked at all, let alone for as long as this news item suggests it did. The police are saying that they’ve recovered “hundreds of thousands” of images. Perhaps these folks should consider taking an introduction to computers class at the local college.

Own an iPhone or iPad? It’s been tracking everywhere you go for the past year.

Pic of output from iPhone Tracker app.

A sample of the output. The bigger the dot the more times you've been recorded as being there.

Here’s something you probably didn’t know about your iPhone/iPad: it appears to be keeping a record of every place you’ve ever been, both on the device itself and on your computer if you use iTunes to back up your phone. The folks over at ArsTechnica.com have the details:

Researchers Alasdair Allan and Pete Warden revealed their findings on Wednesday ahead of their presentation at the Where 2.0 conference taking place in San Francisco. The two discovered that the iPhone or 3G iPad—anything with 3G data access, so no iPod touch—are logging location data to a file called consolidated.db with latitude and longitude coordinates and a timestamp. The data collection appears to be associated with the launch of iOS 4 last June, meaning that many users (us at Ars included) have nearly a year’s worth of stalking data collected.

In order to drive the point home, the two developed an open source application called iPhone Tracker that lets anyone with access to your computer see where you’ve been.

Now some of you might be thinking this isn’t anything new as these products have long had GPS features that will tell you where you are and they often notify you that they’re doing so when you use them. Yeah, but this is slightly different. This tracking isn’t being done using the GPS, but by triangulating your position relative to cell phone towers:

Users don’t get to decide whether their locations are tracked via cell towers or not—unlike GPS, there is no setting that lets users turn it off, there’s no explicit consent every time it happens, and there’s no way to block the logging. (Nitpickers will point out that you do give your consent to iTunes when you download and install iOS 4, but this is not treated the same way as the consent given to the iPhone every time an app wants to use GPS.) So, whether or not you’re using GPS, if you’re using your iPhone as a cell phone, you are being tracked and logged constantly without your knowledge.

The only way to avoid this tracking is to turn off the cellphone part of the device. Now the problem here isn’t so much that your devices are tracking your every move, but that you’re not being told about it. The good news is that, as near as the researchers can determine, this data is not being sent back to Apple or any other third party. The bad news is that it’s not at all difficult to get access to which means that if you lose your phone or your computer is compromised then anyone with the iPhone Tracker app can call up everywhere you’ve ever been with it. You can bet your ass that law enforcement absolutely loves this “feature” so if you’ve ever been anywhere you don’t want someone to know about, well, hope you didn’t have an iPhone with you.

Of course, this only really matters if you give a shit about people knowing your comings and goings. Something which more and more people seem to have stopped worrying about. In fact, the folks at Gawker are reporting that this discovery has spawned a hot new trend:

When it comes to technology today, there is barely any distance between outrageous privacy violation and cool new feature. When news broke yesterday that Apple has been secretly spying on iPhone users, many people immediately broadcasted the illicit data to everyone.

[…] Holy crap, Apple has been secretly logging our every move for months? Let’s… broadcast it to everyone on the internet! Many techies are now showing off their iSpy maps: “I find myself fascinated staring at this automatically generated record of where I’ve been,” wrote tech blogger Alexis Madrigal. Tumblr and Twitter are full of them. “I don’t get out of West LA enough,” user aboycommemoi observed.

For its part, Apple hasn’t said shit about this discovery, but there is some indication that this may not have been an intentional breach of user trust. More likely it’s a bug or an oversight in the program. The folks at Gizmodo explain:

As Gruber’s been informed, consolidated.db—the tin-foil-hat-inducing log in question—is a cache for location data. (As Pete Warden and Alasdair Allan’s FAQ about their project implies.) What’s supposed to happen with the cache is that the “historical data should be getting culled but isn’t”—because of said bug or oversight. In Gruber’s words:

I.e. someone wrote the code to cache location data but never wrote code to cull non-recent entries from the cache, so that a database that’s meant to serve as a cache of your recent location data is instead a persistent log of your location history. I’d wager this gets fixed in the next iOS update.
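To make the cache-versus-log distinction concrete, here is an added example (not the iPhone Tracker code, and not anything from the articles quoted above) that builds a small location cache in SQLite, bins the fixes the way the tracker’s map does (bigger dot = more hits in a cell), and then runs the cull step that Gruber says was never written. The table layout is an assumption modelled on consolidated.db’s CellLocation table, with cell identifiers, latitude, longitude and a timestamp counted in seconds since 2001-01-01 (Apple’s absolute time); every row is constructed here so the script runs offline.

```python
"""A toy version of the iOS location cache and the cull it was missing.

Added example, not iPhone Tracker's code. The table layout is an
assumption modelled on consolidated.db's CellLocation table: cell ids,
a timestamp in seconds since 2001-01-01 (Apple's absolute time), and
latitude/longitude. All rows are constructed so this runs offline.
"""
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
WEEK = timedelta(days=7)


def to_apple_time(dt: datetime) -> float:
    """Seconds since 2001-01-01 UTC, the unit the cache stores."""
    return (dt - APPLE_EPOCH).total_seconds()


def open_cache(rows):
    """In-memory database with the assumed CellLocation layout."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, "
               "LAC INTEGER, CI INTEGER, Timestamp REAL, "
               "Latitude REAL, Longitude REAL)")
    db.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?)", rows)
    db.commit()
    return db


def row_count(db) -> int:
    return db.execute("SELECT COUNT(*) FROM CellLocation").fetchone()[0]


def span_days(db) -> float:
    """How much history the cache holds, oldest to newest fix, in days."""
    lo, hi = db.execute(
        "SELECT MIN(Timestamp), MAX(Timestamp) FROM CellLocation").fetchone()
    return 0.0 if lo is None else (hi - lo) / 86400


def heat_bins(db, precision=2):
    """Count fixes per grid cell (lat/lon rounded to `precision` decimals),
    most visited first: the 'bigger dot = more hits' view of the map."""
    cells = Counter()
    for lat, lon in db.execute("SELECT Latitude, Longitude FROM CellLocation"):
        cells[(round(lat, precision), round(lon, precision))] += 1
    return cells.most_common()


def cull_older_than(db, now: datetime, max_age: timedelta) -> int:
    """The step a cache needs and a log lacks: drop fixes older than
    max_age. Returns the number of rows removed."""
    cutoff = to_apple_time(now - max_age)
    cur = db.execute("DELETE FROM CellLocation WHERE Timestamp < ?", (cutoff,))
    db.commit()
    return cur.rowcount


# Constructed data: a year of daily fixes around one home cell, plus
# three trips to a second city.
NOW = datetime(2011, 4, 21, tzinfo=timezone.utc)
SAMPLE_ROWS = []
for day in range(365):
    t = to_apple_time(NOW - timedelta(days=day))
    SAMPLE_ROWS.append((310, 410, 1234, 5678 + day % 3, t,
                        42.33 + (day % 3) * 0.001, -83.05))
for day in (3, 90, 200):
    t = to_apple_time(NOW - timedelta(days=day, hours=6))
    SAMPLE_ROWS.append((310, 410, 9999, 1, t, 37.79, -122.40))

if __name__ == "__main__":
    db = open_cache(SAMPLE_ROWS)
    print(f"{row_count(db)} fixes spanning {span_days(db):.0f} days")
    for (lat, lon), n in heat_bins(db)[:3]:
        print(f"  {lat:8.2f} {lon:9.2f}  {n:4d} hits")
    removed = cull_older_than(db, NOW, WEEK)
    print(f"culled {removed}; now {row_count(db)} fixes over "
          f"{span_days(db):.0f} days")
```

Before the cull the database answers “where has this person been for the last year”; after it, only “where have they been this week”. `span_days` is the quick way to tell which of the two you are holding if you open a real consolidated.db out of an iTunes backup (with the table layout caveat above), and the three trip rows show why the heat-map view still leaks the rare places, not just the daily ones.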

So how freaked out should you be? If you don’t own an iPhone or iPad then this isn’t really an issue for you. If you do then it depends on how much you give a shit if someone could potentially get hold of that data. The chances that you’ll be hacked and have it stolen for some nefarious, but unknown purpose is probably minimal. However that data is something that could potentially be used against you by law enforcement if they should happen to have reason to acquire it.

Given the recent hoopla here in Michigan where the State Police have been accused of extracting data from cell phones during routine traffic stops, that may be something to consider. (Note, the MSP put out a response to the ACLU’s assertions saying that they do not collect cell phone data during routine traffic stops and only do so with a court issued warrant.) And while you may say that you’ve nothing to hide from the police, it’s not like there aren’t cases where circumstantial and coincidental evidence got an innocent person convicted.

Just the same, forewarned is forearmed and it’s better to know what is being collected about you — intentionally or not — than not know.

Beware friends asking for emergency money via Facebook chat.

Pic of Facebook scam logo.

Scammers are a clever bunch. They’re always coming up with ways to try and separate you from your cash. Lately it involves hacking Facebook accounts and then scamming friends of the victim into sending them money. The folks over at The Consumerist have two recent examples of the scam being thwarted by vigilant would-be victims:

Kevin was worried. His friend Mike said over Facebook chat that he and his wife and kids were stranded in London after getting mugged. They needed money wired immediately to settle their hotel bill. This was especially worrisome because Mike was supposed to be recuperating in the hospital from head surgery… Then Kevin realized that someone had cracked his friend’s Facebook account and was impersonating him.

If you check out both articles you’ll note that in both cases it shouldn’t be too hard to figure out that it was a scam simply from the rather amusingly bad English coming from the fake friends. Though, considering how poor some Americans’ typing habits are, I can see how it could be difficult to tell with some people.

Still, the scam tends to follow the same pattern. Said friend is stranded in some foreign country after having been mugged with the thief making off with their wallets and cellphones. Could you, pretty please, wire them some huge amount of money via Western Union so they can pay off their hotel bill and make their flight out of the country that’s due to leave in a couple of hours. No, they can’t call you. No, they don’t want you to send someone to pick them up. Just send them the fucking money and stop asking so many difficult questions like why it was they slept with your step-father in high school (see the first link for that amusing twist).

In short, much like the Windows operating system, Facebook has become a big enough thing that it’s now the target of criminals the world over who hope to take advantage of the trust you may have that the person claiming to be your friend really is your friend. You should always keep in mind how piss-poor most people’s password choices are and the fact that Facebook is like a sieve security-wise before rushing off to lend a hand.