Beware of fake Kaspersky beta installer emails

Today I received a Trojan email that bears the same hallmarks as the recent fake Google Chrome installer emails. Both emails are in German and offer an attached RAR file containing what is supposedly an installer for a beta test version of new software from a well-established software company:

Dear user,

today we would like to invite you to our current beta test of the new Kaspersky© 9.5.710.
Our new product stands out with its reworked scan routine and the fast and effective
detection of viruses, Trojans and other malicious malware.

For your personal access we have set up a beta account for you, which you must enter during
installation in order to use the web installer and the program itself.

Username: kis_aX9535
Password: c3VF5gg8

These details will be requested during installation. Please write them down exactly,
as they are also required for your access to our website.

At the end of the beta test you will receive a full licence and can thus use Kaspersky© free of
charge for one year for your security.

Should you have questions or problems, write us an email at: beta-team@kaspersky.de

We now wish you much fun with our new product and hope for a positive rating
from you on our website.

Kind regards
Your Kaspersky Beta Team

Copyright © 1997 – 2008 Kaspersky Lab

Industry Leading Antivirus Software

Message headers:

Received: from mo-p05-ob.rzone.de (mo-p05-ob.rzone.de [81.169.146.182])
by mail.joewein.net (Ogose Mail Daemon) with ESMTP id 818CC10DCC78
for <419@419scam.org>; Sun, 21 Sep 2008 21:43:45 +0000 (UTC)
X-RZG-CLASS-ID: mo05
X-RZG-AUTH: :L2MKYUGrb9+s7Ys+/C6cdNboKaxR22vZQHQdVrAeYnDdBsCFdpW1J0sdHw==
Received: from [77.21.44.13] ([62.159.230.93])
by post.webmailer.de (fruni mo40) (RZmta 17.4)
with ESMTP id L03273k8LKd8yb for <419@419scam.org>;
Sun, 21 Sep 2008 23:43:17 +0200 (MEST)
(envelope-from: )
Date: Sun, 21 Sep 2008 23:40:54 +0200
Mime-version: 1.0
Subject: [PR] Kaspersky Betatester Programm
From: Matthias Franken
To: <419@419scam.org>
Message-Id: <9212340.EDWNJLIN@kaspersky.de>
Original-recipient: rfc822;419@419scam.org
Content-Type: multipart/mixed; Boundary="--=BOUNDARY_9212340_SIIK_IDLO_OFNM_KSKB"

At the time of writing this blog posting, Kaspersky's online malware scanner did not yet recognize the Trojan Kaspersky.9.5.7.1.exe in archive file Kaspersky.9.5.7.1.rar.
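A quick way to see why this message is not what it claims to be is to compare the domain in the Message-Id (and the From address, where one is present) with the relays in the Received chain. The script below is an added example written for this post, not anything from Kaspersky or from the original write-up; it parses the headers quoted above and flags the message because no hop is under kaspersky.de and the earliest hop is a bare IP address handed to a generic webmail relay. The same check applies to the fake Chrome installer mail further down.

```python
import re

# Headers exactly as quoted in the post above, with the folded continuation
# lines re-indented so they parse as RFC 5322 continuations.
RAW_HEADERS = """\
Received: from mo-p05-ob.rzone.de (mo-p05-ob.rzone.de [81.169.146.182])
  by mail.joewein.net (Ogose Mail Daemon) with ESMTP id 818CC10DCC78
  for <419@419scam.org>; Sun, 21 Sep 2008 21:43:45 +0000 (UTC)
X-RZG-CLASS-ID: mo05
X-RZG-AUTH: :L2MKYUGrb9+s7Ys+/C6cdNboKaxR22vZQHQdVrAeYnDdBsCFdpW1J0sdHw==
Received: from [77.21.44.13] ([62.159.230.93])
  by post.webmailer.de (fruni mo40) (RZmta 17.4)
  with ESMTP id L03273k8LKd8yb for <419@419scam.org>;
  Sun, 21 Sep 2008 23:43:17 +0200 (MEST)
  (envelope-from: )
Date: Sun, 21 Sep 2008 23:40:54 +0200
Mime-version: 1.0
Subject: [PR] Kaspersky Betatester Programm
From: Matthias Franken
To: <419@419scam.org>
Message-Id: <9212340.EDWNJLIN@kaspersky.de>
Original-recipient: rfc822;419@419scam.org
Content-Type: multipart/mixed; Boundary="--=BOUNDARY_9212340_SIIK_IDLO_OFNM_KSKB"

(body omitted)
"""


def unfold_headers(raw):
    """Return [(name, value), ...] with folded continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break  # the first blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(fields):
    """(from_host, by_host) for each Received header, newest hop first."""
    hops = []
    for name, value in fields:
        if name.lower() != "received":
            continue
        m = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def claimed_domain(fields):
    """Domain the sender claims: the From address if it has one, else Message-Id."""
    headers = {name.lower(): value for name, value in fields}
    m = re.search(r"@([\w.-]+)", headers.get("from", ""))
    if not m:
        m = re.search(r"@([\w.-]+)", headers.get("message-id", ""))
    return m.group(1).lower() if m else None


def analyze_headers(raw):
    fields = unfold_headers(raw)
    hops = received_hops(fields)
    domain = claimed_domain(fields)
    hosts = [h.lower() for hop in hops for h in hop]
    # Mail really sent by the claimed organisation normally passes through at
    # least one relay under that domain; none of these hops does.
    relay_match = bool(domain) and any(
        h == domain or h.endswith("." + domain) for h in hosts
    )
    origin = hops[-1][0] if hops else ""  # the oldest hop is listed last
    return {
        "claimed_domain": domain,
        "hops": hops,
        "origin_is_ip_literal": origin.startswith("["),
        "suspicious": not relay_match,
    }


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

The check is deliberately simple: it only answers "did this mail ever touch a server of the organisation it claims to come from", which is enough to dismiss messages like this one without opening the attachment.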

As I already stated in my posting about the fake Google Chrome installer, do not install software attached to or linked from emails you didn’t request.

The real Kaspersky software is highly regarded and trial versions are available on the Kaspersky website.

Vacuum your PC

A friend of mine who has been selling PCs mostly to industrial customers for many years long ago told me that twice a year he opens his customers’ computers and gives them a good cleaning with a vacuum cleaner. It prevents many problems, mostly due to overheating when dust builds up on top of computer chips.

I remembered this piece of advice when my wife's computer started to sound more and more like there was a hairdryer inside. The CPU fan kept running at full speed, even when it was just sitting there with the Windows desktop, not running any CPU-hungry applications. It hadn't always been so.

What is it about computer fans and dust? As processors got faster, they consumed more and more power and consequently, produced more heat. Thus the need for fans, which draw in not only air for cooling, but also the dust that comes with it and which tends to build up. As the dust obstructs the airflow, the fan keeps having to work harder and the less effectively cooled parts get hotter, which can shorten their lifespan.

My wife’s machine is a Dell Dimension 3100C, a low-budget machine based on the Intel Celeron D 330. This CPU is a low-end version of the Pentium 4, whose power-guzzling technology has since been abandoned by Intel in favour of the more energy-efficient Centrino / Core architecture that was derived from the older Pentium III.

Even the lowly Celeron D 330 has a Thermal Design Power (TDP) of 73 W. To cope with this heat output, it has a massive heat sink through which a fan blows air from outside the chassis. When I opened the box I found that the metal grill in front of the air intake of the CPU fan was clogged with a 5 millimeter layer of dusty fluff.

After undoing two screws that hold down the heatsink cover I could flip the hinged heatsink by 90 degrees and remove it, allowing me full access to the inside of the fan, so I could blow air against the dust with a plastic straw from inside. I vacuumed the entire motherboard and both sides of the fan air intake, while brushing and blowing the dust loose. An old toothbrush and a plastic straw or a can of compressed air for blowing away dust can be helpful. Also, put a narrow plastic tip on the vacuum cleaner, for use in tight corners.

When all was done and I put the heatsink back, closed the box, reconnected the power cord and switched the computer on again, it ran nicely quiet – almost like new!

I definitely recommend vacuuming your PC at least once a year, more if you live in a dusty environment or if the fan blows a lot because you like to use CPU-intensive applications such as games.

Eee Box B202 – What happened to Linux?

When ASUS announced its Eee Box B202 back in May, there were going to be three models:

  • a base model running Linux with 1 GB of RAM and an 80 GB hard disk for $269,
  • a Windows XP Home version with the same 1 GB of RAM and 80 GB of disk for $299 and
  • a Linux version with 2 GB of RAM and 160 GB of disk for $299.

Four months later only one of these three versions is available, and it's neither the cheapest nor the best equipped of the three announced configurations: only the Windows version hit the stores, at $50 more than previously announced (it's around $350).

Meanwhile the Linux versions are nowhere to be found, though rumour has it that they will become available later this year.

Considering that ASUS shipped its trailblazing Eee PC notebook with Linux first, before following it with a Windows version, this turn of events with their desktop is somewhat surprising. Low prices are a major reason why their machines are attractive, but every Windows machine shipped means royalty payments to Microsoft, which is why the XP version was going to be $30 more expensive than the base model (Linux is royalty-free). By opting to ship only XP, ASUS is also preventing its customers from buying a 160 GB version, as Microsoft refuses to let OEMs ship XP on machines with more than 80 GB of disk space.

To get a 160 GB Eee Box with 2 GB of RAM and Linux (the configuration I was interested in) you would have to buy an 80 GB model with 1 GB of RAM and XP, only to discard the 80 GB drive, the 1 GB SIMM and Windows XP (all of which you've paid for) and then install a separately purchased 160 GB drive and 2 GB SIMM and a (free) copy of Linux.

When the Eee PC was launched, I was very excited by the prospect of low-energy, low cost computing, but wanted to wait for the desktop as I would use them mostly as unattended servers and had no need for an LCD screen. Like many other potential ASUS customers, I will keep on waiting now.

I currently use a set of four machines to process external spam feeds for the SURBL Multi JP blacklist. Since these machines are on 24 hours a day, seven days a week I would like to minimize power usage and Intel’s Atom processors with a TDP of less than 5W sounded like a very attractive upgrade path for me. I use some older machines with sub-1 GHz clock speeds that draw relatively little power, but these old motherboards have some drawbacks. First of all they are limited to a maximum of between 256 and 512 MB of RAM, while Atom boards support up to 2 GB. Secondly, their motherboards are 7 to 10 years old and they won’t work forever.

I had a look at Intel’s Atom 230-based Mini-ITX desktop board, which can be found for under $70 and fits existing ATX-based machines like my ancient eMachine eTowers. At first glance that looked attractive. However, even though the CPU is efficient, the Northbridge support chip of the Intel 945GC Express Chipset on that board burns about five times more power than the Atom CPU itself. The Eee Box sounds like a much better choice in the long term, as it uses an Atom 270 with the much more efficient Mobile Intel 945GSE Express Chipset. The catch is, you can’t currently buy an Eee Box without paying the “Microsoft tax”, i.e. a Windows XP license that you pay for whether you have a use for it or not.

The decision by ASUS to push back on the Linux version makes no sense to me. I suspect Microsoft made ASUS an offer they found hard to refuse, in order to establish the Eee Box as a Windows-only machine. It will cost ASUS sales and it won’t make Microsoft any more popular. It’s not good for the planet either if people buy power-hungry desktop hardware instead of one of the more economical computers available.

Beware of fake Google Chrome installer emails

No sooner had Google announced its new browser Chrome than malware senders responded by sending out fake emails claiming to provide an installer for the new software. Here is a German message I received:

From: “Steffen Neukirch” <beta-team@google.de>
To: spamtrap-email-address
Sent: Friday, September 05, 2008 09:26
Subject: [PR] Neuter Webbrowser Chrome erhältlich

You need a JavaScript-enabled browser to download this software. Click here for instructions on enabling JavaScript in your browser.

Google Chrome (BETA) for Windows
Google Chrome is a browser designed to make using the internet faster, easier and safer. The browser is also very user-friendly.

For Windows Vista/XP

One box for everything
Type into the address bar and get suggestions for both search and web pages.

Thumbnails of your most visited websites
Get to your favourite pages with lightning speed from any new tab.

Shortcuts for your applications
Launch your most frequently used web applications from desktop shortcuts.

Don't hesitate to try the new web browser; attached you will find the latest version of Chrome.
Simply install it and get started right away.

©2008 Google – Home – About Google – Privacy Policy – Help

I checked the attached 705 KB ChromeSetup.rar file with Kaspersky's online virus scanner:

Scanned file: ChromeSetup.rar – Infected
ChromeSetup.rar/ChromeSetup.exe – infected by Trojan-Dropper.Win32.VB.efh

Do not install software attached to or linked from emails you didn’t request. The real Google Chrome (Beta) browser is available at http://www.google.com/chrome

DD-WRT on Buffalo WHR-HP-G54

Today I installed the open source router firmware DD-WRT on a newly purchased Buffalo WHR-HP-G54 broadband router. I’m very impressed with its rich feature set and ease of installation.

Months ago a friend had recommended OpenWRT, another open source solution for low cost broadband routers, but following the old "don't try to fix it if it ain't broken" mantra, I had stuck with my standard NEC Aterm WR6650S WarpStar router (firmware revision 8.72).

A few weeks ago I started having random problems connecting to the internet. When I clicked on links in the browser, either it was very slow or it returned an error or timed out on me. When I investigated I noticed that the internal log of the NEC WarpStar was full of error messages like these:

2008/08/24 18:09:29 NAT TX-ERROR List Create Error : UDP 192.168.1.102 : 31320 > 201.29.227.157 : 7701 (IP-PORT=1)
2008/08/24 18:09:29 NAT TX-ERROR List Create Error : UDP 192.168.1.102 : 31320 > 99.227.142.5 : 9205 (IP-PORT=1)

A router reset (briefly pulling the power cord) would cure it for a few hours to two days at most, but then the problem always came back. The router firmware obviously had trouble tracking which entries in its Network Address Translation (NAT) table could be discarded, so the table would overflow, making connections to the outside world hit and miss: NAT entries are essential for replies to requests sent to outside servers to find their way back into the LAN.
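To catch this sort of NAT table exhaustion before connections start failing, the router log can be watched for bursts of these errors and for the LAN host that produces most of them. The script below is an added example, not part of the original post or of the NEC firmware; the first two log lines are the ones quoted above, the remaining lines are constructed, and the per-minute threshold is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Log format of the NEC WarpStar as quoted in the post. The first two lines
# are from the post; the other three are constructed (192.0.2.0/24 is TEST-NET).
SAMPLE_LOG = """\
2008/08/24 18:09:29 NAT TX-ERROR List Create Error : UDP 192.168.1.102 : 31320 > 201.29.227.157 : 7701 (IP-PORT=1)
2008/08/24 18:09:29 NAT TX-ERROR List Create Error : UDP 192.168.1.102 : 31320 > 99.227.142.5 : 9205 (IP-PORT=1)
2008/08/24 18:09:30 NAT TX-ERROR List Create Error : UDP 192.168.1.102 : 31320 > 192.0.2.7 : 53 (IP-PORT=1)
2008/08/24 18:09:31 NAT TX-ERROR List Create Error : TCP 192.168.1.105 : 40001 > 192.0.2.10 : 80 (IP-PORT=1)
2008/08/24 18:15:02 NAT TX-ERROR List Create Error : UDP 192.168.1.102 : 31320 > 192.0.2.20 : 6881 (IP-PORT=1)
some unrelated log line that must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"NAT TX-ERROR List Create Error : (?P<proto>\w+) "
    r"(?P<src>[\d.]+) : (?P<sport>\d+) > (?P<dst>[\d.]+) : (?P<dport>\d+)"
)


def parse_line(line):
    """Parse one NAT error line into a dict, or return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(log_text):
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def nat_error_bursts(log_text, threshold=3):
    """Minutes in which at least `threshold` NAT errors were logged (assumed
    threshold; tune it to the router's normal background rate)."""
    per_minute = Counter(r["ts"].replace(second=0) for r in parse_log(log_text))
    return [(minute, n) for minute, n in sorted(per_minute.items()) if n >= threshold]


def noisy_sources(log_text):
    """Which LAN hosts are burning through the NAT table, most active first."""
    return Counter(r["src"] for r in parse_log(log_text)).most_common()


if __name__ == "__main__":
    for minute, n in nat_error_bursts(SAMPLE_LOG):
        print(f"{minute:%Y-%m-%d %H:%M}: {n} NAT errors")
    for src, n in noisy_sources(SAMPLE_LOG):
        print(f"{src}: {n} errors")
```

In practice the output points straight at the always-on machines that open thousands of short-lived connections (here the spam-crunching box at 192.168.1.102), which is exactly the load that a router with a poor NAT table implementation cannot handle.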

Of the 8 PCs and Macs in my home and office that are sharing a cable internet connection, at least four are on all the time, crunching spam data received from around the world day and night. So you can imagine that whatever router I'm using is always getting a good workout. I can't afford for it to be unreliable.

So I started doing a bit of research on OpenWRT and its cousin DD-WRT, and on which compatible routers I could get locally here in Yokohama, Japan.

The Linksys WRT54G was the first router fitted with open source firmware, but Yamada Denki, the biggest electronics store in my part of town, does not sell any Linksys products. They were selling mostly NEC and Buffalo, but none of the models I found on the shelves appeared on the list of supported hardware.

I searched Google for the WHR-HP-G54, a supported Buffalo router, for pages in Japanese and found it on kakaku.com, a price search website. It was available for 6,500 yen from Mr. Direct, a company based in Hiroshima. Less than 48 hours later the router arrived at my doorstep by takkyubin (parcel service), for about $70 including tax and shipping.

Installing DD-WRT on the router turned out to be so easy, it actually took less time to do it than to get my Windows Vista notebook working with the new wireless security keys afterwards!

Here’s what I did:

  1. First I downloaded the firmware (v24-sp1 / Consumer / Buffalo / WHR-HP-G54 / dd-wrt.v24_mini_generic.bin) and saved it on my local hard disk. Update 2009-05-25: Do not use any DD-WRT v24-sp1 builds dated between 030309 and 051809; these builds have a known problem that didn't exist in the March 3, 2009 version and was fixed in the May 18, 2009 version.
  2. Next I verified the router was working with its default firmware. I hooked my notebook to one of the LAN ports by ethernet cable and accessed 192.168.11.1 with the browser. The Japanese factory firmware came up (user: root, blank password).
  3. I added the tftp program in the Windows Vista control panel (Programs and Features / Turn Windows features on or off).
  4. I opened two command prompt windows. In the first I executed
    ping -t 192.168.11.1

  5. In the second command prompt window I went into the folder where I had saved the downloaded DD-WRT firmware and then typed the following, without hitting Enter:
    tftp -i 192.168.11.1 PUT dd-wrt.v24_mini_generic.bin

  6. Unplug the power cable from the back of the router, then reconnect it.
  7. As soon as you see the router responding to the PING command in the first window, hit enter on the second window (tftp command). The diag LED will flash for a number of seconds and tftp will report that the file was transferred.
  8. When the LEDs on the router are quiet, the update will have finished. Renew your IP (or reboot your PC), because the router will now be at 192.168.1.1. Access it with the browser and you’re ready to configure your new DD-WRT router!
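The ping/tftp race in steps 4 to 7 can be scripted. The following is an added example, not part of the original post or of the DD-WRT project; it implements the small part of the TFTP protocol (RFC 1350: WRQ, DATA, ACK, ERROR) that tftp -i PUT uses, waits for the router's bootloader to answer ping, then uploads the image. The address 192.168.11.1 and the file name come from the steps above; the timeouts and retry counts are assumptions.

```python
import platform
import socket
import struct
import subprocess
import sys
import time

BLOCK_SIZE = 512  # RFC 1350 data block size; a shorter final block ends the transfer


def wrq_packet(filename, mode="octet"):
    """TFTP write request (opcode 2). Mode "octet" is what tftp -i selects."""
    return (struct.pack("!H", 2) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def data_packet(block, chunk):
    """TFTP DATA packet (opcode 3); block numbers are 16-bit and wrap."""
    return struct.pack("!HH", 3, block & 0xFFFF) + chunk


def split_blocks(image):
    """Cut the image into 512-byte blocks. If the length is a multiple of 512
    an empty final block must still be sent, or the server waits forever."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return blocks


def parse_ack(packet):
    """Return the block number of an ACK (opcode 4); raise on ERROR (opcode 5)."""
    (opcode,) = struct.unpack_from("!H", packet, 0)
    if opcode == 5:
        (code,) = struct.unpack_from("!H", packet, 2)
        text = packet[4:].rstrip(b"\0").decode(errors="replace")
        raise RuntimeError(f"TFTP error {code}: {text}")
    if opcode != 4:
        raise RuntimeError(f"unexpected TFTP opcode {opcode}")
    return struct.unpack_from("!H", packet, 2)[0]


def wait_for_ping(host, deadline=120.0):
    """Poll with the system ping until the bootloader answers (the 'ping -t' window)."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    stop = time.monotonic() + deadline
    while time.monotonic() < stop:
        rc = subprocess.call(["ping", count_flag, "1", host],
                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if rc == 0:
            return True
        time.sleep(0.2)
    return False


def tftp_put(host, filename, image, port=69, timeout=2.0, retries=5):
    """Upload image with a WRQ/DATA/ACK exchange; returns the number of blocks sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)  # assumed: 2 s per packet, 5 retransmissions

    def exchange(packet, dest, want_block):
        for _ in range(retries):
            sock.sendto(packet, dest)
            try:
                reply, addr = sock.recvfrom(4 + BLOCK_SIZE)
            except socket.timeout:
                continue
            if parse_ack(reply) == (want_block & 0xFFFF):
                return addr
        raise TimeoutError(f"no ACK for block {want_block}")

    try:
        # The server answers the WRQ with ACK 0 from a fresh port (its TID);
        # every later packet goes to that port, not to 69.
        dest = exchange(wrq_packet(filename), (host, port), 0)
        blocks = split_blocks(image)
        for n, chunk in enumerate(blocks, start=1):
            exchange(data_packet(n, chunk), dest, n)
        return len(blocks)
    finally:
        sock.close()


if __name__ == "__main__":
    # usage: python flash.py 192.168.11.1 dd-wrt.v24_mini_generic.bin
    router, path = sys.argv[1], sys.argv[2]
    with open(path, "rb") as f:
        firmware = f.read()
    print("power-cycle the router now; waiting for it to answer ping ...")
    if not wait_for_ping(router):
        sys.exit("router never answered")
    print("sent", tftp_put(router, path, firmware), "blocks")
```

The exit status of ping is a coarse signal (on Windows it can be 0 for some unreachable replies), so keep the cable directly between notebook and router as in the steps above; the script itself does exactly what the two command prompt windows do, just without needing a human to hit Enter at the right moment.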

Malware: “Por favor veja isso!!!”

Today I received a couple of near identical emails in Portuguese that differed only by the (forged) sender address:

From: “Fernanda” <fernandinha@globo.com.br>
To: <joewein@pobox.com>
Sent: Thursday, September 04, 2008 06:29
Subject: Por favor veja isso!!!

Você acredita que essas coisas ainda acontecem no Brasil?

Eu não posso acreditar…

Se você quiser, assine e repassse!

Tratamentos Desumanos.wmv (153,0 KB)

Google translation:

Subject: Please see that!!!

Do you believe that these things still happen in Brazil?

I can not believe …

If you want to, sign and pass on!

Inhumane Treatment.wmv (153.0 KB)

The link to what looks like a Windows movie file will try to run a malware installer.

The link in one of the emails goes to http://ceubba.org.ar/chat/data/web/~/anexo/video.wmv, which is actually a directory created by the malware senders on a hacked website. For any directory, the browser resends the request with index.html, index.htm and a few other typical default document names. The criminals named their Windows malware index.html and placed it in that folder. Because the file starts with an executable program header, Windows will try to run it, rather than using Windows Media Player to play it as a video.
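The trick described here, an executable delivered under a name or URL that suggests a video, is easy to catch by looking at the first bytes of what was actually downloaded instead of trusting the extension. The following is an added example, not code from the original post; the ASF (WMV) and RAR signatures and the MZ/PE layout are the standard ones, the sample file contents are constructed, and the URL is the one quoted above. It goes slightly beyond this post by also recognizing the RAR attachments used in the fake installer emails above.

```python
import posixpath
import struct
from urllib.parse import urlsplit

ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # WMV/ASF header object
RAR_MAGIC = b"Rar!\x1a\x07\x00"                                # RAR archive signature
EXECUTABLE_TYPES = {"exe", "mz-exe"}


def sniff(data):
    """Classify content by its leading bytes, ignoring whatever name it was given."""
    if data.startswith(ASF_GUID):
        return "wmv"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[:2] == b"MZ":
        # A PE file stores the offset of its "PE\0\0" signature at 0x3C.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "exe"
        return "mz-exe"  # DOS-style stub without a PE header; still runnable
    return "unknown"


def claimed_type(url):
    """File type implied by the URL's last path segment ('' for a directory)."""
    path = urlsplit(url).path
    return posixpath.splitext(path)[1].lstrip(".").lower()


def check(url, data):
    """Return (claimed, actual, executable_in_disguise)."""
    claimed, actual = claimed_type(url), sniff(data)
    disguised = actual in EXECUTABLE_TYPES and claimed != "exe"
    return claimed, actual, disguised


def pe_stub():
    """Constructed minimal MZ header whose e_lfanew points at a PE signature."""
    header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    return header + b"PE\0\0" + b"\0" * 64


URL = "http://ceubba.org.ar/chat/data/web/~/anexo/video.wmv"  # URL quoted in the post
FAKE_VIDEO = pe_stub()               # constructed: what the hacked site really serves
REAL_VIDEO = ASF_GUID + b"\0" * 64   # constructed: the start of a genuine ASF file

if __name__ == "__main__":
    for label, blob in (("served", FAKE_VIDEO), ("genuine", REAL_VIDEO)):
        claimed, actual, bad = check(URL, blob)
        print(f"{label}: url says {claimed!r}, content is {actual!r}, disguised={bad}")
```

The same magic-number check is what a mail gateway or a download scanner does before any extension-based decision; the point of the post stands, since the bytes at the start of the file, not its name, decide what Windows will do with it.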

Be very careful when clicking on links or attachments in unexpected mail sent to you. Use common sense or a good anti-malware program, ideally both!

Gmail “Never send it to spam” and IE 6

Earlier this summer a friend told me about a way to keep emails out of the Gmail spam filter, which, unlike that of Yahoo! Mail, cannot be disabled. By setting up a filter rule (say, the email contains certain words) and specifying the "Never send it to spam" action for messages that match the rule, these emails will never get caught in the spam folder.

I collect a lot of spam for building my spam blacklists and would have liked to use my Gmail accounts for that, so this sounded useful. By using a filter rule I could ensure that the spam emails I wanted to analyze would either end up in the Inbox, from where my spamfilter can extract them via POP, or would be forwarded to another email address for retrieval.

However, when I tried it, the new option wasn't there. I found many blogs talking about the feature, but none of the Gmail accounts I tried gave me that option. What was I missing?

The mystery seems to be related to the browser I use: when I used Internet Explorer 7 on a Vista machine, the new option was indeed available. However, with Internet Explorer 6.0 on two XP machines it wasn't there. When I installed and ran Firefox 3 in parallel on one of those XP machines, the option appeared too.

Therefore, if like me you use IE 6 and don't want to switch browsers just yet, set up the Gmail filter from another machine running IE 7, or install Firefox as an additional browser (not the default) on your IE 6 machine. Unlike IE 7, Firefox will coexist happily with IE 6, and upgrading to it is not a one-way street as it is with IE 7.