From The Erbo Files
Wednesday, September 26, 2012


  • Def Leppard, engaged in a dispute with their former label Universal Music Group over digital royalties from their classic hits, have gone back into the studio to re-record those hits and make those tracks available for download. They've released two so far: "Rock of Ages" (from Photograph) and "Pour Some Sugar On Me" (from Hysteria). I downloaded them; they have more of a "classic rock" sound than the originals, and the production quality is very good, even if Joe Elliot can't quite do the screams anymore. Overall, the best new recordings of 80's music since Journey brought in Arnel Pineda as their lead singer. Recommended.

  • Hey, I take computer security seriously--I went through a bunch of security training recently at IQNavigator--but this is ridiculous.  (And a satire, obviously. Via JWZ.)

  • Recently, I kept the Weather Channel Desktop app from installing the Ask Toolbar on Sabrina's laptop. Toolbars, in general, are pretty synonymous with "viruses" these days, as this Cracked article will tell you. The Ask Toolbar, in particular, does some pretty underhanded things. In brief: avoid. (The latter article comes via Jeff.)

  • If you want to have a look at some deep magic, code-wise, Fabien Sanglard is your guy. He has code reviews up for the code behind Doom 3 and Quake III Arena, among many other things. (All of which is now open source. WIN.) He also has an article on there about doing 3D graphics in Java using LWJGL...the same library Minecraft uses.

  • The More You Know: Sometimes you may actually have a legitimate reason to send a takedown notice or a DMCA notice to a Web site. Ken at Popehat offers his advice for doing so while minimizing the risk that your request will go viral and bring the Streisand Effect into play. Basically: don't be a dickhead.

  • Amazon, which previously fought against paying state sales taxes, seems to have reversed their stance. But why? This Slate article alleges that what they really want to do is set up same-day delivery warehouses everywhere. If they can make it work, this will bury most retailers. (Don't worry, Sabrina, I'm sure Walmart will survive...)

  • Some of these might make good new additions to ESR's Jargon File. (HT: Several IQNavigator developers.)

  • What. The. Fuck. Portland school sees racism in peanut butter and jelly sandwiches. The school principal asks us to think, "What about Somali or Hispanic students, who might not eat sandwiches?" Seriously, what the fucking fuck? Last I heard, anybody could eat a sandwich if they want one. I swear, some of these libiots could find "racism" in a dial tone. (And I'm sure they'll think I'm racist, too, for pointing this out, because shut up, you racist racisty racist!)

  • This one's making the rounds: An official Playboy Club Bunny Manual, circa 1968. We could have used this with our club hostesses in Second Life...although, even though Playboy Bunny costumes are available, to my knowledge, no one has done a proper animation of the Bunny Dip.

  • Some people will do anything to get attention for their startup...even show up at a major trade show crossdressed in a wedding dress. Cofounder Duncan Seay is pitching the new wedding app from his company Evergram (which, despite the name, is not a mashup of Evernote and Instagram), which may in fact be a good idea. But I really don't think he should have gone strapless here, and that train's a bit long for a trade show floor. :-D

  • One of the engineers from the Raspberry Pi Foundation writes on Wired.com about the tradeoffs that went into making the $35 credit-card-sized computer, which forced them to "sellout a little to sell a lot." So far, the marketplace seems to have validated their decisions. I have one, and will be engaged in some experimentation with it.

  • Chris and Melody Byrne have been adopted by a stray kitten...not long after Chris got a massive dose of radioactive iodine to combat thyroid cancer. The cat seems to like Chris; I hope she doesn't absorb too much of his radioactivity, as radioactive cats have 18 half-lives. (Rimshot!)

Thursday, February 9, 2012

I got an odd E-mail from an old friend of mine the other night; no subject line, a number of other people on the To: line, and the text body consisting of just one thing: a URL from a site with a .cz domain (the Czech Republic).  Anyone who's been on the Internet for more than a week should either have alarm bells going off in their subconscious at this point, or shouldn't be allowed out without a keeper.  Best hypothesis: her machine or E-mail account was compromised somehow and is sending this mail out as an attempt to infect others.


Actually clicking on a link you get in an E-mail like this is about as wise as wandering down Skid Row, grabbing a hypodermic needle from a random junkie you find passed out on the sidewalk, and jamming that needle into your own arm. Fortunately, I have some techniques that are the equivalent of working from behind leaded glass and fishing at it with tongs, namely, using the wget command on a Linux box to fetch the contents at that URL to a file without executing it, and then using a text editor to open the file, again without executing it.


The contents of that first file I pulled from behind that URL were roughly like this:


<head>
<script type="text/javascript" src="(another Czech URL)"></script>
<meta HTTP-EQUIV="REFRESH" content="0; url=(a URL in Russia)">
</head>

Right away, it's obvious someone's trying to play games. That <meta> tag is trying to force the browser to read from another site almost immediately. Trying to pull from the Russian site, however, got no results; the site returned no data and timed out.


But what about that JavaScript?  Pulling it revealed some other trickery:


if (top.location.href==self.location.href) {
document.writeln('(an entire HTML document, pretty much)');
}
document.write('<script type="text/javascript" src="(a Google Analytics JavaScript URL)"></script>');
document.write('<script type="text/javascript" src="(a URL loading a script with the same name, but from a Czech site)"></script>');

More deliberate obfuscation, and what looks like an attempt to hijack Google Analytics, perhaps to make the site seem more popular than it is. (Any function declared in the presumably-legit Google Analytics script, but then re-declared in the Czech script, would use the latter definition.) The document being written in that first document.writeln() call contains a lot of obfuscation, too. (The most obvious obfuscation was that it was written all as one line, defying easy viewing; I had to pass the script text through fold -80 to get it into a state where I could read it.) It has a lot of CSS styles, both in an embedded stylesheet and inline; many of the styles are marked as !important, meaning they override any built-in stylesheet the user has set up in the browser. (This could also be a trick to divert attention from the rest of the contents of the file.) Some of the links in this file have code like this attached to them:


onmousedown="javascript:void(myImage = new Image());void(myImage.src = \'(a PHP URL with some query string parameters)\');"

This is pretty obviously click-tracking. Ignore the use of an Image object here; the important part is to generate a GET from the browser to that URL whenever someone clicks down on the link. There's also more conventional calls to a JavaScript function urchinTracker from within onClick handlers.


There are some foreign-language strings visible in the text, too: a quick check with Google Translate found that they were, indeed, in Czech, reading something like this:



  • Sports betting on the Internet - Get up 1000 Kc!

  • Original gifts and gadgets for men and women!

  • ACTION! From November 14, 2011 fantastic prizes domain!

  • Mona furniture co. - furniture and special offers with 40% discount

  • Dedicated server for 450 Kc

  • Download and send files for FREE!

  • File download FREE!


Various sales pitches, in other words. ("Kc" is most likely the abbreviation for the Czech koruna, the local currency.)


To sum up: Classic spam E-mail, with a lot of deliberate obfuscation to try and evade spam-detection schemes. And who knows what other stunts this site is likely to pull, with all that garbage in the way?


I sent an E-mail to my friend warning her that her machine had been compromised, and she should either check it out or get it checked out. This would be a good time to point out that downloading and running just two programs will clear up almost any malware installed on a Windows system: Malwarebytes, and Spybot Search & Destroy. Also, make sure your antivirus is up to date. The More You Know.™


"Surfing safety."
"Keep breathing."
Roadkill and Y.T., Snow Crash, Neal Stephenson

 
 
Copyright © 2012 Eric J. Bowersox, All Rights Reserved.
Made with Roller and Bootstrap. Social media icons by icondock.com.
Any and all trademarks used in the above text are owned by their respective owners.

Connect on Social Media

[About.me] [Facebook] [Twitter] [LinkedIn] [Google+] [Quora] [/.] [Pandora] [GitHub] [Amazon.com] [E-mail]

Calendar

« December 2024
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today

Search


Recent Entries


Recent Comments


Erbosoft Blog Network

Blogroll


Categories


Feeds


Admin Controls