Don't worry. It's just me.

My laptop was hijacked by bad guys - but I’m still alive and well

Andy Pedisich  July 1 2009 08:23:33 AM
Let's cut to the chase.

Yes, I have anti-viral software.  McAfee.

Yes, it was up to date as of yesterday afternoon around noon.

Yesterday at 3:50 PM I was finishing up a project and decided to take a break and catch up on the news.  I was curious about what South Carolina Gov. Mark Sanford saw in his Argentine girlfriend and decided to do an image search on Google, which immediately brought up a handful of thumbnails. Nothing racy, mind you.  All were news-type sites.  I clicked to read the accompanying text and received a message from McAfee indicating that the site was trying to download a file called install[1].exe to a temp folder in my Windows XP profile, but that it was identified as a trojan and was blocked.  I thought I was done.  I wasn't.  Here's what happened.  Behind my back a couple of items were added to the registry.


[Screenshots: the two registry changes]


It made an unsuccessful attempt to change my hosts file.  But it did not ask about either of the previous changes.


[Screenshot: the blocked hosts file change]


At the time, I did not know about the successful changes, only about the blocked one.  I still had a warm fuzzy going on. I exited the browser and about two minutes later saw this hovering over the systray exactly where McAfee would put it.


[Screenshot: fake alert balloon hovering over the systray]


Which was followed by this smack dab in the middle of the screen.  Same color and style as McAfee, but I didn't fall for it.


[Screenshot: fake Antivirus System Pro warning]


Since I do not have Antivirus System Pro on my system, I knew right away that I was screwed, and was very careful to take screenshots and lots of notes.  I disconnected from the Internet on my laptop and did the research on my desktop.  I found I had picked up the FakeAlert virus.  Apparently it was a new strain.  Research later in the day proved this correct.  The original strain showed up in early May, then there were lots of other versions of this vermin. The variant I caught was brand new, released on June 30th and not yet documented, just in time for me not to have the signatures.

One telltale sign - the addition of C:\windows\sysguard.exe to my system.
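Here is an added triage example, not Andy's own code, that turns the indicators above into a check: it flags autorun registry values that launch sysguard.exe or anything from a Temp folder in the user profile, and lists hosts file entries beyond the default localhost line. The registry dump and hosts file are constructed sample data, not from the infected laptop.

```python
import ntpath
import re

# Constructed sample data, not from the original post: autorun registry values
# and a hosts file as a responder might export them from the affected machine.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "McAfee",
     r"C:\Program Files\McAfee\McAfee.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "sysguard",
     r"C:\WINDOWS\sysguard.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "install",
     r"C:\Documents and Settings\andy\Local Settings\Temp\install[1].exe"),
]
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av-vendor.invalid
"""

# Indicators taken from the post: the dropped sysguard.exe and an installer
# written to a Temp folder inside the user profile.
KNOWN_BAD_NAMES = {"sysguard.exe"}
TEMP_DIR_RE = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)

def suspicious_autoruns(entries):
    """Return (key, name, path, reason) for autorun values worth a look."""
    hits = []
    for key, name, path in entries:
        exe = ntpath.basename(path.strip('"')).lower()
        if exe in KNOWN_BAD_NAMES:
            hits.append((key, name, path, "known FakeAlert file name"))
        elif TEMP_DIR_RE.search(path):
            hits.append((key, name, path, "autorun launches from a Temp folder"))
    return hits

def nondefault_hosts(text):
    """Return (ip, host) pairs in a hosts file other than the localhost line."""
    extra = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:
            if host.lower() != "localhost":
                extra.append((ip, host))
    return extra

if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE_AUTORUNS):
        print("AUTORUN:", *hit)
    for ip, host in nondefault_hosts(SAMPLE_HOSTS):
        print("HOSTS:", ip, "->", host)
```

On a real machine the two lists would come from an autorun export and the live hosts file; a scanner whose signatures lag a day behind, as McAfee's did here, catches neither by itself.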

Then my IE browser started to activate on its own.  Mind you, Firefox is my default browser, but the code activated IE.


[Screenshot: IE window opened by the malware]


This varied between the above, V1agra.com, and Adu1t.com and came up about every two minutes.  Disconnected from the Internet I saw nothing.  Connected to the Internet... well, my mom would have blushed, and it activated Antivirus System Pro, which is a well-known piece of crap.

A scan of my system using McAfee with the latest DAT files I could get revealed NOTHING!

After two full hours of scanning and screwing around, I decided that I had indeed caught a recent variation and threw in the towel.  I engaged McAfee's service to remove the damn thing.

My sister's system got one of these things and in the end she had hundreds of crawly bits, necessitating a full blow-away and rebuild of her OS.  Since I hadn't clicked Yes to anything I felt I was in the early stages.

McAfee's service cost $89.90.  The guy connected remotely and knew what he was looking for.  He identified 4 files that made up the infection and a couple of registry entries.  It required safe mode and turning off the System Restore function to clear everything out. He cleared a lot of other crap from my system, which now has more disk space and is appreciably faster than before.

I know what you're thinking.  Why should I pay for a service when it should have caught it?  For one, I just wanted to have my laptop back.  Secondly, I wanted to watch and see what's involved in removing a piece of crap like this.

All in all, it was a close one that cost me some dough and a couple of hours.  Part of the healing process was deleting all history, so I don't even know where it came from.  I suspect that some site was compromised.

I put this out here for your entertainment and your edification.  An attack like this has never occurred before in my 25 years in IT.  Amazing, isn't it?
- Andy


SHOW STOPPER: If you’re upgrading from 6.5 to 8.5?

Andy Pedisich  June 29 2009 11:24:45 AM
This one's not mine.  It's from Franziska Tanner at the Martin Scott blog.

http://www.martinscott.com/MSCBlog.nsf/dx/06292009014018AMFTA8NR.htm

This looks pretty darn serious and involves policies.  I know there are a lot of folks in the R6.x to R8.5 upgrade position that could be affected.

I had heard of some of these error messages clients were getting, but they mysteriously went away after the Notes client was restarted.  However, if the user is strictly an iNotes user they obviously never restart, so they are b0rked good.

But Francie hasn't seen any "automatic corrections" when Notes starts, and I do trust her implicitly.

This was caught in pilot, but who needs users getting error messages anyway.

I'm just passing this along since the blog doesn't seem to be on Planet Lotus yet.

- Andy


Password expiration - The dirty little secret

Andy Pedisich  June 11 2009 06:00:00 AM
There's a fun axiom that states, "Security and convenience have an inverse relationship."  The more secure you make your environment, the more inconvenient it is to use.  Make passwords weak and guessing is easy.  Make them really strong and people will write them on Post-its and stick them on their screens.

Strong or weak, most domains don't require passwords to be changed often enough to suit me.  Some don't require changing them at all.  In a couple of domains I've had the same password since my ID was created years and years ago.

And it hasn't happened only with my Notes ID either.  I've had corporate Active Directory account passwords, AIX passwords, and even VPN passwords that have stayed the same for many years.

Clearly, there are enterprises that are serious as a heart attack about password management.  I do work with shops that enforce reasonable password strengths and reasonable password expiration periods.  Kudos to you. This post clearly isn't about you.

If you're an administrator for Notes or otherwise and you and your users are still using the original passwords you handed out when you created their IDs, then shame on you!  There are built-in processes for managing passwords in Notes.  Open the manual.  Read it.  Do something about it.  Please.

Having easy passwords that don't expire is like leaving the key to your house under the door mat. It's just a matter of time before you find an unwanted guest going through your sock drawer looking for spare change.

- Andy

Location: Technotics World Headquarters Narberth PA