
Monday, March 29, 2010

Pictures.library-ms / Music.library-ms / Video.library-ms / Document.library-ms no longer working

It sounds crazy, but there is a very simple solution to this. Open Explorer and click "Libraries" in the left-hand pane. You should now see the four library links on the right. Highlight them and delete them.

Oops, all gone. Do not worry, the content is safe; only the links are removed. Now highlight "Libraries" on the left again, right-click it and select "Restore Default Libraries".

That's all there is to it. Afterwards, restore any other links you had in your Libraries.

Friday, March 26, 2010

ATI Catalyst 10.1 / 10.2 Control Center does not work

After some digging and checking, I found the real cause on one of the machines where the following symptoms exist:

There are no errors when installing Catalyst 10.x. There is a Catalyst Control Center shortcut when you right-click on the desktop, but when you click it, nothing happens.

If you have the above, you may have the same problem as me.

Are you using a 64-bit OS? Have you previously installed a lower version of Catalyst, such as 9.x or below?

Well, if your answer is yes to both, it is VERY likely you have the same problem as me.

The problem lies in a bad uninstallation. Drivers before 10.x were not properly written and installed as 64-bit software, so you will see some ATI folders and files in the "Program Files (x86)" directory, including the faulty Catalyst Control Center. No matter how many times you reinstall the 10.x driver, it goes into the 64-bit "Program Files" directory instead, and the Control Center is never properly registered to run.

If you still have no idea what I am talking about, do this to solve the problem:
1. Uninstall Catalyst completely.
2. Boot into safe mode if necessary.
3. Remove the ATI directories in both Program Files (x86) and Program Files.
4. Remove the ATI registry entries from both HKLM and HKCU.
5. Reboot and reinstall.

I can't believe such a screw-up wasted so much of my time troubleshooting this. I suggest more thorough testing on ATI's part for the different installation scenarios, since the installer in the first place is already not a very clean solution and is often broken...

ATI Catalyst 10.3 is released

At the same time, those using AGP versions of the HD 2xxx, 3xxx and 4xxx cards may get a "No compatible hardware found" error during installation of the regular driver. In this case, you will need to download the AGP "hotfix" from:
http://support.amd.com/us/kbarticles/Pages/CatalystAGPHotfix.aspx

Other users can download the regular driver from:
http://support.amd.com/us/gpudownload/Pages/index.aspx

The changes in 10.3 include:

Performance improvements

Aliens vs. Predator

Overall performance increases 5% on ATI Radeon HD 5000 Series products
Battleforge

Improves up to 8% on ATI Radeon HD 5000 Series products
Improves up to 3% on ATI Radeon HD 4800 Series products

Call of Duty: World at War

Improves up to 2% on ATI Radeon HD 5800 Series products
Improves up to 6% on ATI Radeon HD 4800 Series products

Company of Heroes

Improves up to 6% on ATI Radeon HD 5000 Series products
Improves up to 3% on ATI Radeon HD 4800 Series products

Crysis and Crysis Warhead

Improves up to 6% on ATI Radeon HD 5000 Series products
Improves up to 2% on ATI Radeon HD 4800 Series products

Devil May Cry 4

Improves up to 10% on ATI Radeon HD 5000 Series products
Improves up to 6% on ATI Radeon HD 4800 Series products

DiRT 2

Improves up to 30% on ATI Radeon HD 5970 graphics products
Improves up to 20% on ATI Radeon HD 5800 Series and ATI Radeon HD 5700 Series products
Improves up to 10% on ATI Radeon HD 4800 Series products

Enemy Territory: Quake Wars

Improves up to 5% on ATI Radeon HD 5800 Series products
Improves up to 3% on ATI Radeon HD 5000 Series products
Improves up to 2% on ATI Radeon HD 4800 Series products

Far Cry 2

Improves up to 6% on ATI Radeon HD 5000 Series products
Improves up to 4% on ATI Radeon HD 4800 Series products

Left 4 Dead and Left 4 Dead 2

Improves up to 3% on ATI Radeon HD 4800 Series products

S.T.A.L.K.E.R. – Call of Pripyat Benchmark

Improves up to 10% with Anti-Aliasing enabled on ATI Radeon HD 5000 Series products

S.T.A.L.K.E.R. – Clear Sky

Improves up to 2% with ATI Radeon HD 5970 graphics products
Improves up to 2% on ATI Radeon HD 5800 Series products

Resident Evil 5

Improves up to 5% on ATI Radeon HD 5000 Series products
Improves up to 3% on ATI Radeon HD 4800 Series products

Tom Clancy’s H.A.W.X.

Improves up to 15% with ATI Radeon HD 5970 graphics products
Improves up to 20% on ATI Radeon HD 5800 Series products and ATI Radeon HD 5700 Series products
Improves up to 3% on ATI Radeon HD 4800 Series products

Unigine Tropics

Improves up to 5% on ATI Radeon HD 5000 Series products

World in Conflict

Improves up to 5% on ATI Radeon HD 5800 Series products
Improves up to 3% on ATI Radeon HD 5700 Series products
Improves up to 5% on ATI Radeon HD 4800 Series products

Wolfenstein

Improves up to 4% on ATI Radeon HD 5000 Series products
Improves up to 4% on ATI Radeon HD 4800 Series products

New Features

ATI Catalyst™ support for ATI Mobility Radeon™ Premium Graphics solutions

This release of ATI Catalyst™ introduces support for the production versions of Windows® 7 and Windows® Vista on notebooks featuring the ATI Mobility Radeon™ HD 2000 Series, ATI Mobility Radeon™ HD 3000 Series, ATI Mobility Radeon™ HD 4000 Series and ATI Mobility Radeon™ HD 5000 Series products.

Supported by most major OEM and ODM notebook manufacturers

ATI Catalyst Control Center - ATI Eyefinity technology enhancements

Display Bezel Compensation

Easy-to-use wizard shows users how to adjust their display layout to remove the pixels occupied by their display bezels

Per-Display Color Adjust

Individual Color, Brightness and Contrast controls

Multiple ATI Eyefinity Groups

Create more than one ATI Eyefinity group from multiple displays

Improved Display Configuration switching

Support for ATI Eyefinity groups and the ATI Catalyst™ Control Center profile manager
Easy to toggle between cloned and extended desktop modes

ATI Catalyst™ support for 3D Stereoscopic

AMD has updated its Direct3D (Quad buffer support) driver to enable 3rd party middleware vendors such as DDD and iZ3D to output stereo L/R images at 120 Hz (60 Hz per eye)

Wednesday, March 24, 2010

Western Digital Advanced Format Drives

Recently I hit the wall with a new technology from Western Digital known as "Advanced Format". Well, hit the wall as in I do not think my HDD is performing as it is supposed to, and in fact it is doing pretty badly. The HDD keeps chunking, and I had been checking for signs of malware or background processes. I did not have this issue with my previous Seagate 7200.11. In any case, you will notice that what I have here is basically just a string of bad luck.

Firstly, what is Advanced Format? It may sound deep, but all it means is that the drive uses 4 KB physical sectors instead of the legacy 512-byte sectors that have been standard for decades. That's all there is to it. If you want the details, AnandTech did a good write-up explaining how this opens the door to larger capacity drives and how it saves space by storing one ECC block per 4 KB sector instead of eight ECC blocks for 8 x 512-byte sectors.

AnandTech on WD Advanced Format:
http://anandtech.com/storage/showdoc.aspx?i=3691

OK, strangely, this is already supported in Windows Vista, 7 and 2008, but not in the older OS based on the Windows 5.x kernel such as Windows 2003 and XP (please do not even ask me about Windows 2000...). On those, the partitions start misaligned with the physical sectors, so you either get very bad performance (every write straddles two physical sectors) or it simply does not work at all. WD has come up with a utility (together with Acronis) which in my opinion is nothing more than a tool that checks for partitions laid out on 512-byte boundaries and shifts the whole partition onto a 4 KB boundary. There is also a version that works in Windows (with Paragon), but it can be 3X slower, as indicated by WD. In addition, you can test your scenario to see if you need to run this at all, using the wizard on the right here:
http://www.wdc.com/en/products/advancedformat/

So far, from what I can see, the only affected range of HDDs with Advanced Format is the models ending in EARS. I have another drive ending in EADS, but according to sources it should not be affected. Maybe I should send WD an email to confirm this. Another pressing problem is that Windows 2003 is not covered or supported.

Update: OK, here is what I think and understand so far. I have sent queries to WD; hopefully they will give a solid answer.

  • Jumper 7-8: Only if you are using the HDD as one partition. With more than one partition, you can forget about this.
  • Windows 2003: Supported using the Acronis boot CD. But to what effect, I am not sure. I suppose it will behave like Windows XP.
  • EADS drives: Not Advanced Format. In short, this does not apply to you.
  • WHS: See Windows 2003 above. Also note that because of the dynamic disk, there is a high chance of screwing this up...
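To make the misalignment and the single-partition limit of the jumper concrete, here is an added example (not from the original post or from WD). It models a 4 KB-sector drive that still presents 512-byte logical sectors and checks whether each partition start lands on a physical-sector boundary. The partition tables are constructed and assume the usual defaults: XP/2003 put the first partition at LBA 63 and later ones on 16065-sector cylinder boundaries, Vista/7/2008 start at LBA 2048, and the jumper is modelled as a firmware-level shift of every LBA by one sector.

```python
"""Partition alignment on 4 KiB-sector ("Advanced Format") drives.

Added example, not part of the original post. The drive still reports
512-byte logical sectors, so every LBA the OS sees is 512 bytes and one
physical sector covers 8 of them. A partition, and therefore every 4 KiB
cluster inside it, is aligned only when its starting LBA is a multiple of 8.
The layouts below are constructed (XP/2003 defaults: first partition at LBA
63, later ones on 16065-sector cylinder boundaries; Vista/7/2008: LBA 2048),
and the WD pins 7-8 jumper is modelled as a +1 sector shift of every LBA.
"""

LOGICAL_SECTOR = 512
PHYSICAL_SECTOR = 4096
SECTORS_PER_PHYSICAL = PHYSICAL_SECTOR // LOGICAL_SECTOR   # 8
CYLINDER = 255 * 63                                         # 16065 sectors, legacy CHS geometry


def is_aligned(start_lba: int, offset: int = 0) -> bool:
    """True when the partition's first logical sector starts on a physical-sector boundary.

    `offset` is the number of sectors the firmware shifts every LBA by (1 with the jumper on).
    """
    return (start_lba + offset) % SECTORS_PER_PHYSICAL == 0


def physical_sectors_touched(start_lba: int, length_bytes: int, offset: int = 0) -> int:
    """Number of 4 KiB physical sectors a write of `length_bytes` at `start_lba` spans.

    A 4 KiB cluster write on a misaligned partition straddles two physical
    sectors, so the drive must read-modify-write both of them: that is where
    the "chunking" slowdown on XP-era layouts comes from.
    """
    first = (start_lba + offset) * LOGICAL_SECTOR
    last = first + length_bytes - 1
    return last // PHYSICAL_SECTOR - first // PHYSICAL_SECTOR + 1


def alignment_report(partition_starts, jumper: bool = False) -> dict:
    """Map each partition's start LBA to whether it is aligned, with or without the jumper."""
    offset = 1 if jumper else 0
    return {lba: is_aligned(lba, offset) for lba in partition_starts}


# Constructed layouts (start LBA of each partition).
XP_ONE_PARTITION = [63]
XP_TWO_PARTITIONS = [63, 1305 * CYLINDER]   # second partition on a cylinder boundary (LBA 20964825)
VISTA_LAYOUT = [2048]

if __name__ == "__main__":
    for label, starts in [("XP, 1 partition", XP_ONE_PARTITION),
                          ("XP, 2 partitions", XP_TWO_PARTITIONS),
                          ("Vista/7", VISTA_LAYOUT)]:
        print(label, "no jumper:", alignment_report(starts),
              "jumper:", alignment_report(starts, jumper=True))
    print("4 KiB write at LBA 63 touches", physical_sectors_touched(63, 4096), "physical sectors")
```

Running it shows the three cases from the update above: the jumper turns LBA 63 into an aligned start, the second XP partition stays misaligned whatever you do (so only the realignment tool helps there), and a Vista/7 disk that is already aligned at 2048 becomes misaligned if the jumper is set.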

Tuesday, March 23, 2010

Bullguard FakeAlert.5 remedy if your PC is still running

If you have not rebooted and the PC is still running with the bad signature, there is good hope you can save it (from my experience).

1. Do not click on the prompts indicating files to be quarantined. Just fire up the Bullguard GUI and disable the antivirus component. (YES, this is a REALLY bad thing to do...) The prompts will all disappear, but the remaining files will NOT be quarantined.

2. Open up your quarantine folder and restore the files (PLEASE, I DO NOT MEAN ALL THE FILES! JUST THOSE FLAGGED AS INFECTED BY FAKEALERT.5!) before it's too late. Some people claim you can still run an update and get the "patched" signature. For me, it did not work. Check whether the timestamp of the signature changed.

3. Now think of anything else you would want to do, including backing up important files, before you go ahead and reboot the machine. Notice I did not use the "patch" issued by Bullguard? You may want to uninstall Bullguard now, but I left it for the time being, hoping I could run an update after the reboot so that things go back into place.

4. The sad thing is that after the reboot, most things were saved, except Bullguard itself. I was no longer able to update. So it was time to finally uninstall it. Do check that there are no more entries in the quarantine affected by FakeAlert.5. Take note to save your settings during the uninstall. The only thing that went bad was the antivirus signature, so you can still keep your rules etc. (IF you still want to use Bullguard...). Reboot again as required by Bullguard. But perhaps before that, grab the latest version of Bullguard (9.0) from their website first so that you can reinstall immediately after the reboot.

5. Yes, everything should still work. Reinstall Bullguard, reboot (yes, again), and update the signatures again. Everything should work this time.

For me it wasn't so bad. I guess it's all about keeping your cool and planning this just like any other disaster recovery process.

I just hope everyone was as lucky...

Bitdefender FakeAlert.5 Aftermath

With PCs totally destroyed and a mob of angry customers, should Bitdefender pay for this critical mistake? After all, the damage done is probably far worse than any virus we have seen (other than information leakage, which leads to other things).

See some angry users at Bullguard:
http://forum.bullguard.com/forum/15/TrojanFakeAlert5-Update-issue_84115.html

and even a Facebook group discussing a possible lawsuit:
http://www.facebook.com/#!/group.php?gid=111067232241441&ref=search&sid=659748374.4122958007..1

and let's not forget the origin of the issue at Bitdefender:
http://forum.bitdefender.com/index.php?showtopic=18786

Let's sit back and see how this unrolls. Perhaps we are looking at the first customer-sues-antivirus-company-and-wins case.

Microsoft XP Mode no longer needs hardware virtualization

For a while, people using the cheaper end of Intel's quad-core Q series processors found themselves unable to install Windows 7's XP Mode because of the hardware requirement for Intel VT.
While VT speeds up virtualization using hardware, it is by no means impossible to run it purely in software, especially if you have a quad core or more.

Fortunately, Microsoft has finally realized this and has enabled the option to run XP Mode WITHOUT VT. This is shown as the 3rd button when you attempt to download Microsoft Virtual PC via:
http://www.microsoft.com/windows/virtual-pc/download.aspx

This is indeed great news to many, including myself, who have more than a few Intel Q8200s around.

Firefox and Opera new releases to fix issues

Firefox 3.6.2 has been silently released. Some users may see a prompt stating that a critical update is available but be unable to download it. This refers to the Firefox 3.6.2 update, which addresses some very critical vulnerabilities. I have not been able to find the exact update file online, but what you can do is simply go to the Firefox download page and download 3.6 again. After installation, you will notice that it is now 3.6.2.

On the other hand, Opera has also released 10.51, which addresses 2 high-risk vulnerabilities. This should be updated automatically.

Monday, March 22, 2010

Mobile Suit Gundam Unicorn (UC)

Mobile Suit Gundam 00 the Movie: teaser trailer

Google Code releases Skipfish

Google has released a project on Google Code known as Skipfish.
Documentation:
http://code.google.com/p/skipfish/wiki/SkipfishDoc

In short, this is a web application scanner aiming to cover the following (taken from the documentation):

High risk flaws (potentially leading to system compromise):
  • Server-side SQL injection (including blind vectors, numerical parameters).
  • Explicit SQL-like syntax in GET or POST parameters.
  • Server-side shell command injection (including blind vectors).
  • Server-side XML / XPath injection (including blind vectors).
  • Format string vulnerabilities.
  • Integer overflow vulnerabilities.
Medium risk flaws (potentially leading to data compromise):
  • Stored and reflected XSS vectors in document body (minimal JS XSS support present).
  • Stored and reflected XSS vectors via HTTP redirects.
  • Stored and reflected XSS vectors via HTTP header splitting.
  • Directory traversal (including constrained vectors).
  • Assorted file POIs (server-side sources, configs, etc).
  • Attacker-supplied script and CSS inclusion vectors (stored and reflected).
  • External untrusted script and CSS inclusion vectors.
  • Mixed content problems on script and CSS resources (optional).
  • Incorrect or missing MIME types on renderables.
  • Generic MIME types on renderables.
  • Incorrect or missing charsets on renderables.
  • Conflicting MIME / charset info on renderables.
  • Bad caching directives on cookie setting responses.

Low risk issues (limited impact or low specificity):

  • Directory listing bypass vectors.
  • Redirection to attacker-supplied URLs (stored and reflected).
  • Attacker-supplied embedded content (stored and reflected).
  • External untrusted embedded content.
  • Mixed content on non-scriptable subresources (optional).
  • HTTP credentials in URLs.
  • Expired or not-yet-valid SSL certificates.
  • HTML forms with no XSRF protection.
  • Self-signed SSL certificates.
  • SSL certificate host name mismatches.
  • Bad caching directives on less sensitive content.
  • Internal warnings:
  • Failed resource fetch attempts.
  • Exceeded crawl limits.
  • Failed 404 behavior checks.
  • IPS filtering detected.
  • Unexpected response variations.
  • Seemingly misclassified crawl nodes.

Non-specific informational entries:

  • General SSL certificate information.
  • Significantly changing HTTP cookies.
  • Changing Server, Via, or X-... headers.
  • New 404 signatures.
  • Resources that cannot be accessed.
  • Resources requiring HTTP authentication.
  • Broken links.
  • Server errors.
  • All external links not classified otherwise (optional).
  • All external e-mails (optional).
  • All external URL redirectors (optional).
  • Links to unknown protocols.
  • Form fields that could not be autocompleted.
  • All HTML forms detected.
  • Password entry forms (for external brute-force).
  • Numerical file names (for external brute-force).
  • User-supplied links otherwise rendered on a page.
  • Incorrect or missing MIME type on less significant content.
  • Generic MIME type on less significant content.
  • Incorrect or missing charset on less significant content.
  • Conflicting MIME / charset information on less significant content.
  • OGNL-like parameter passing conventions.

Sounds like a good alternative to the commercial AppScan or WebInspect. I should be beta testing this soon against some of my sites.

Bitdefender update destroys systems

Bitdefender issued a bad update last night, now referred to as "FakeAlert.5" after the detection name. What happens is that it starts tagging most EXE and DLL files as trojans and, as a result, quarantines the majority of your files, from MSN and Skype through Windows components to the antivirus itself. Now this is bad.

With the files quarantined, they get moved and locked away, causing the system to crash upon reboot.

The Bitdefender site has more information on this issue:
http://news.bitdefender.com/NW1431-en--Trojan.FakeAlert.5-Update-issue.html

Bullguard, which also happens to use the BD engine, has more information here:
http://bullguard.com/support/live-support.aspx

If you are using any of these, I suggest you do not reboot yet. Read the above carefully and make the necessary fixes before rebooting in order to save your PC.

Bullguard silent update solves Homegroup and sharing issue

Bullguard has released a silent update somewhere in the past week or so that resolves sharing of Windows 7 Homegroup and shared folders on x64 systems.

Well, at least they could have made an announcement. It just "automagically" worked when I clicked one of the sharing links by mistake.

Friday, March 19, 2010

Blank plastic and holograms

It's quite true that everything can be purchased online nowadays. In fact, it is a myth that credit card production is a very controlled process. Some people still think it is impossible to make fake cards, but take a look at these.

Bulk purchase of blank plastic:
http://www.f-secure.com/weblog/archives/00001910.html

And don't forget the hologram:
http://www.f-secure.com/weblog/archives/00001651.html

I know the articles have "shown" too much information. Maybe they should tell us where to go buy this stuff... Notice some of our favourite banks are there too... like those that never sleep, the world's local bank, living, breathing Asia etc...

Wednesday, March 17, 2010

Polymorphism in PDF

Just as executables can be made polymorphic to escape detection, PDF files can easily be morphed to escape AV detection too. And the best part is that none of it involves complicated mathematics.

This article is based on:
http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

OK, let's start with names. Since PDF 1.2, any character of a name (the token that follows a "/") can be written as #xx, where xx is the character's hexadecimal code. For example:

We want to open my blog using the /URI name:

/URI (http://nemesisv.blogspot.com)

But AV may be looking for the literal "/URI", so we can encode it in hex like this:

/#55#52#49

This is all in hex, but to create more variants, we can mix encoded and plain characters:

/U#52I
/#55R#49

and so on. You get the picture. This lets us morph the name a bit.

Secondly, we can also morph the string values, in this case the URL. There are several tricks we can use here.

Firstly, the backslash-newline continuation: a backslash at the end of a line is dropped together with the line break, so the string simply continues on the next line:

/URI (http://nemesisv.blogspot.c\
om)

This can be used to break a string across lines (for easier reading, maybe). Pushing it further, we can do this:

/URI (http://nem\
esis\
v.blog\
spot\
.com)

or, even more extreme, we can break after every single character. Let's see an AV vendor write one rule that can detect that. (I am sure multiple rules can do it, but that's the challenge left to the AV companies.)

How about hexadecimal? Yes, we can do that too. A string written between angle brackets instead of parentheses is a hex string, and the reader decodes it:

/URI <687474703a2f2f6e656d65736973762e626c6f6773706f742e636f6d>

Or yes, even with some whitespace in it, which hex strings are allowed to contain:

/URI <687474 703a2f2f6e656d657369 73762e626c6f6773706f74 2e636f 6d>

Now, that's really going to annoy the AV detection. But hexadecimal is not the only encoding we can use for the values. Inside a normal literal string we can also write each character as an octal escape, \ddd:

/URI (\150\164\164\160\72\57\57\156\145\155\145\163\151\163\166\56\142\154\157\147\163\160\157\164\56\143\157\155)

To finish this off, PDF also supports encryption with an empty user password: the reader decrypts the document without prompting, so the user never needs to know any password to open it. Now we are really turning the other edge of the blade back at the AV, because on disk the whole string looks like rubbish.

Of course, the above can be mixed and matched to morph your PDF payload, and an AV engine that does not decrypt the document will see nothing useful inside an encrypted one. Unless AV bans all /URI entries outright, PDF remains ideal for phishing and other very bad things.
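The defender's answer to all of the tricks above is to normalise before matching. The following is an added example, not code from the original post or from Didier Stevens' article: a small decoder that undoes #xx name escapes, backslash-newline continuations, \ddd octal escapes and whitespace-laden hex strings, then pulls out every /URI value in its decoded form. The fragments in SAMPLES are constructed for the demonstration, and the scanner is deliberately simple (it walks a fragment token by token and does not handle streams, comments or encrypted documents).

```python
"""Normaliser for the PDF name and string obfuscations described above.

Added example, not code from the original post or from Didier Stevens'
article. It decodes each trick on constructed fragments so that a single
rule can match the decoded form: #xx escapes in names, backslash-newline
continuations and \\ddd octal escapes in (...) literal strings, and <...>
hex strings with embedded whitespace. Encrypted documents are out of scope:
their strings must first be decrypted with the (possibly empty) user password.
"""
import re

WHITESPACE = b'\x00\t\n\x0c\r '
# A name runs from '/' to the next whitespace or delimiter character.
NAME_RE = re.compile(rb'/([^\x00\t\n\x0c\r /\[\]<>(){}%]*)')
OCTAL_RE = re.compile(rb'[0-7]{1,3}')
SIMPLE_ESCAPES = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b',
                  b'f': b'\x0c', b'(': b'(', b')': b')', b'\\': b'\\'}


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes in a name token (PDF 1.2+), e.g. b'#55R#49' -> b'URI'."""
    return re.sub(rb'#([0-9A-Fa-f]{2})', lambda m: bytes([int(m.group(1), 16)]), raw)


def decode_literal_string(body: bytes) -> bytes:
    """Decode the inside of a (...) literal string: escapes, \\ddd octal and line continuations."""
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i:i + 1]
        if c != b'\\':
            out += c
            i += 1
            continue
        nxt = body[i + 1:i + 2]
        if nxt in SIMPLE_ESCAPES:
            out += SIMPLE_ESCAPES[nxt]
            i += 2
        elif nxt in (b'\n', b'\r'):
            i += 2                                   # backslash-newline: contributes nothing
            if nxt == b'\r' and body[i:i + 1] == b'\n':
                i += 1
        else:
            m = OCTAL_RE.match(body, i + 1)
            if m:                                    # \ddd octal escape, 1 to 3 digits
                out.append(int(m.group(0), 8) & 0xFF)
                i = m.end()
            else:                                    # unknown escape: the backslash is ignored
                i += 1
    return bytes(out)


def decode_hex_string(body: bytes) -> bytes:
    """Decode the inside of a <...> hex string; whitespace is ignored, an odd last digit is padded with 0."""
    digits = bytes(b for b in body if b not in WHITESPACE)
    if len(digits) % 2:
        digits += b'0'
    return bytes.fromhex(digits.decode('ascii'))


def _read_literal(data: bytes, start: int):
    """Return (decoded, end_index) for the literal string whose '(' sits at data[start]."""
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b'\\':
            i += 2                                   # skip the escaped character, whatever it is
            continue
        if c == b'(':
            depth += 1
        elif c == b')':
            depth -= 1
            if depth == 0:
                return decode_literal_string(data[start + 1:i]), i + 1
        i += 1
    raise ValueError('unterminated literal string')


def extract_name_values(data: bytes):
    """Yield (decoded_name, decoded_string) for every name directly followed by a string object."""
    pos = 0
    while True:
        m = NAME_RE.search(data, pos)
        if not m:
            return
        name = decode_name(m.group(1))
        i = m.end()
        while i < len(data) and data[i] in WHITESPACE:
            i += 1
        if data[i:i + 1] == b'(':
            value, pos = _read_literal(data, i)
            yield name, value
        elif data[i:i + 1] == b'<' and data[i + 1:i + 2] != b'<':   # '<<' opens a dictionary
            end = data.index(b'>', i)
            yield name, decode_hex_string(data[i + 1:end])
            pos = end + 1
        else:
            pos = m.end()


def find_uris(data: bytes):
    """Decoded value of every /URI entry in the fragment, whatever tricks were used to hide it."""
    return [value for name, value in extract_name_values(data) if name == b'URI']


# Constructed fragments, one per trick discussed above (not taken from a real malicious PDF).
SAMPLES = [
    b'/URI (http://nemesisv.blogspot.com)',
    b'/#55#52#49 (http://nem\\\nesis\\\nv.blog\\\nspot\\\n.com)',
    b'/U#52I <687474 703a2f2f6e656d657369 73762e626c6f6773706f74 2e636f 6d>',
    b'/#55R#49 (\\150\\164\\164\\160\\72\\57\\57\\156\\145\\155\\145\\163\\151\\163\\166'
    b'\\56\\142\\154\\157\\147\\163\\160\\157\\164\\56\\143\\157\\155)',
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(sample[:30], b'...', '->', find_uris(sample))
```

All four fragments decode to the same URL, which is the point: a signature written against the normalised output catches every spelling, while one written against the raw bytes catches only the first.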

The more you patch, the more you (are supposed to) fix...

I try not to sound like I am Adobe bashing, but the recent fix released by Adobe to address some "unknown" vulnerability has just opened up a bigger can of worms.

Read about it:
http://secunia.com/blog/76/

Basically, the fix that takes Adobe Reader from 9.3 to 9.3.1 addresses a bug in the TIFF image parsing library (libtiff) bundled with the reader, a format Adobe has control over. So anything older than 9.3.1 is exposed to it.

That being said, I would like to stress that 9.3 is currently very exploitable. Why so? There is a friendly Metasploit module that targets basically every version up to and including 9.3 here:
http://packetstormsecurity.org/1003-exploits/adobe_libtiff.rb.txt

I am not saying you should give up using PDF and switch over to XPS, but at least use PDF with a cautious mind.

Tracking web malware

A good and short article points you in the right direction for using Malzilla, jsunpack and Wepawet to analyse malicious URLs found in online content such as Flash, JavaScript etc. It's good knowledge, especially if you have absolutely no idea what I am talking about so far:
http://www.h-online.com/security/features/Tracking-down-malware-949079.html

Blazing fast password recovery with new ATI cards

Source:
http://www.net-security.org/secworld.php?id=9021

Elcomsoft has once again demonstrated how the GPU can be used to break incredibly hard targets such as WPA2 pre-shared keys and encrypted iPod or iPhone backups. They managed to achieve 20x faster password recovery even compared to an i7-960, Intel's state-of-the-art quad-core (8-thread) CPU. In fact, the results show it even beating NVIDIA's Tesla GPU computing products:
http://www.nvidia.com/object/tesla_computing_solutions.html

With GPUs improving and new SDKs opening the GPU up to general computation, it is only a matter of time. But right now, breaking a WPA2 passphrase within minutes is still a bit far-fetched.

Monday, March 15, 2010

Why DRM does not work

Precisely, long live TPB.

An interview with Bruce Schneier

http://www.simple-talk.com/opinion/geek-of-the-week/bruce-schneier-geek-of-the-week/

It is an interesting interview, but the words I would like to stress are:

RM: Do you think that two-factor authentication, or using methods in addition to passwords, could still be defeated by Trojan horses and phishing attacks?

BS: Of course; there isn’t even any debate. The debate is whether two-factor authentication will turn out to be useless in defending against identity theft because criminals will turn to Trojan horses and man-in-the-middle attacks.
It solves the security problems we had ten years ago, not the security problems we have today.

Despite all my involvement and effort in the past month studying and understanding 2FA, I have little or no faith in it. To me, it doesn't matter if it is 3FA or even 10FA. Once something gets in between (MITM), that is the end. It is just a matter of more phishing to make the user enter or give up their inputs.

My primary concern is that people still do not see that the weakest link in a 2FA solution lies in the channel. And by channels, I do not mean only the incoming channels (web + token, or web + handphone); this has to apply to the outgoing channel as well. What kind of security are we talking about if you eventually key all the multiple inputs into the browser, and all it takes is a poisoned proxy or a trojan BHO riding on the browser?

Does this mean I do not use internet banking? Probably not. However, it does help to minimize the risk of internet banking by taking more security measures.

Friday, March 12, 2010

Acronis should not be used to create and format drives for Windows Vista and Windows 7

I know this sounds funny; let's go back to where it all began.

First, I got hold of a vanilla machine which came with the default vendor OS plus one HDD with one partition. OK, not entirely true: the OS was downgraded from Vista to XP, and the vendor actually has a recovery partition in addition to the normal OS partition. So, if you know me well enough, I would love to have Windows 7 on this. And I may not want to kill the original OS. And to make things worse, in this environment it's not OK to burn CDs/DVDs or use a USB device.

Firstly, we have to make another partition for the new OS. So a few tools came to mind. Hiren? Nope, it's a boot disc. OK, so we need one that can either work inline or via a reboot shell. Acronis Disk Director 10 was available. So here we go. I rebooted, resized the partition and made a new partition for the new OS. The critical mistake I made was that I created and formatted the new partition in Acronis. Fatal.

But there were no tell-tale signs that something was wrong. Windows 7 can be installed without extracting the files: just mount the ISO with Alcohol or Daemon Tools, then install to the new partition. Everything went smoothly. Until I started to use Windows 7 and many applications started to give warnings about corruption. One such message came from Live Messenger: "MSNMSGR.EXE - File Corrupt". Using chkdsk /f, I found lots of MFT and BITMAP errors. I thought fixing them would solve all the problems. After some reboots and more usage, the errors came back again and again. I just couldn't figure out what went wrong.

Now, let's take a look at this thread:
http://board.iexbeta.com/lofiversion/index.php/t63381.html

It seems that this problem has existed since 2006 and these folks found the answer in 2008. Two years later, I splattered all over the wall with this issue. After some chkdsk /r, reinstalls, the startup repair option etc., I finally found the problem. It is Acronis. Apparently it creates a non-standard partition which causes problems for newer OS such as Vista and Windows 7. To fix this, I had to lose my new partition by deleting it and having Windows Disk Management recreate it. Everything went smoothly after that.

Although Acronis Disk Director 10 was released in 2007, I believe Microsoft and Acronis should issue an incompatibility warning for this. It could have saved me lots of time. I guess both parties at some point pointed fingers and did not want to highlight this problem, but I just hope no one else has to hit the wall, so I posted this here.

Tuesday, March 09, 2010

Yet another way to break a Lenovo

Lenovo laptops and desktops may install a special driver (known as the hotkey driver) for controlling and using the special function keys (especially on laptops). We all know these are the things most people will never patch, unless you have been following and using the ThinkVantage System Update which I mentioned before on my blog:

http://nemesisv.blogspot.com/2009/03/lenovo-thinkvantage-system-update.html

However, if the target happens to be one of those unpatched ones (usually corporate laptops), then this is your lucky day. Apparently, the way this program is structured doesn't care too much about security. It relies on a flag in the registry to tell it what to run, and this is conveniently available even prior to login. Yes, you probably guessed it: it's as simple as changing it to run "cmd.exe" and you have a SYSTEM shell. Cool? Yes, but you still need to be able to press the buttons, which probably requires some social engineering if you are attacking a laptop you do not have physical access to. Otherwise, that's it, and you have a SYSTEM shell which allows you to create havoc and extract information (such as NTLM hashes). The best part is that none of the known anti-malware products will actually prevent or even flag the registry change as dangerous.

Now, we all know other brands of computers have hotkeys too... Think about it...

Below is the original exploit from Packet Storm:
http://packetstormsecurity.org/1003-exploits/lenovo-escalate.txt


Monday, March 08, 2010

Energizer USB Charger contains a trojan!

In the most innocent places, we always find them: trojans. Sometimes you start to wonder if it was intentional. First they appeared on Seagate drives, then in some USB music players (from more than one company), and now even in an innocent-looking USB battery charger from Energizer.

The trojan is in a file, arucer.dll, which is installed into the system32 directory. It listens on port 7777 and performs information leakage, Windows registry modification, and download-and-execute of files (sounds like a LiveUpdate to me).

So, who planted it? This is a good question I suppose CERT and Symantec will spend the next few sleepless weeks on. In any case, the software has been pulled (the Windows version, anyway; who wants to bet there is a trojan in the Mac version as well?), so if you have installed any of this software, I strongly suggest you uninstall it and look for arucer.dll in your system32 directory.

The full story:

http://www.computerworld.com/s/article/9166978/Energizer_Bunny_s_software_infects_PCs?source=rss_security

Updated CERT Report:

http://www.kb.cert.org/vuls/id/154421
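The two indicators named above (the DLL in system32 and the listener on TCP 7777) are easy to check for across a fleet. The following is an added example, not from the original post or the CERT note: a file-listing check plus a parser for Windows "netstat -ano" output that reports which PIDs are listening on the port, and a live loopback connect for a quick local test. The netstat sample is constructed for the demonstration, not captured from an infected machine.

```python
"""Host check for the Energizer charger backdoor indicators given above.

Added example, not from the original post or the CERT note. It checks the
two indicators the post names: an arucer.dll in the system32 directory and
something listening on TCP port 7777. The netstat parser assumes the column
layout of Windows "netstat -ano" (Proto, Local Address, Foreign Address,
State, PID); the sample output below is constructed, not captured from an
infected machine.
"""
import os
import socket

INDICATOR_FILE = "arucer.dll"
INDICATOR_PORT = 7777


def arucer_in_listing(names) -> bool:
    """True if any file name in `names` is arucer.dll (Windows file names are case-insensitive)."""
    return any(n.lower() == INDICATOR_FILE for n in names)


def arucer_present(system32_dir: str) -> bool:
    """Live check of a directory, e.g. os.path.join(os.environ["SystemRoot"], "system32")."""
    try:
        return arucer_in_listing(os.listdir(system32_dir))
    except OSError:
        return False


def listeners_on_port(netstat_output: str, port: int = INDICATOR_PORT):
    """PIDs of TCP sockets in LISTENING state on `port`, parsed from netstat -ano text.

    Only TCP listeners count: an ESTABLISHED connection whose *remote* port is
    7777 is outbound traffic, and UDP lines have no state column at all.
    """
    pids = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].upper() != "TCP" or fields[3].upper() != "LISTENING":
            continue
        local_port = fields[1].rsplit(":", 1)[-1]   # works for 0.0.0.0:7777 and [::]:7777
        if local_port == str(port):
            pids.append(int(fields[4]))
    return pids


def port_open_locally(port: int = INDICATOR_PORT, timeout: float = 0.5) -> bool:
    """Live check: does anything on this host accept connections on `port`? False on a clean machine."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex(("127.0.0.1", port)) == 0


# Constructed netstat -ano output: one real listener on 7777, plus distractors.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.10:49160     10.0.0.5:7777          ESTABLISHED     2044
  UDP    0.0.0.0:7777           *:*                                    1544
"""

if __name__ == "__main__":
    print("listeners on 7777 in sample:", listeners_on_port(SAMPLE_NETSTAT))
    print("arucer.dll in sample listing:", arucer_in_listing(["kernel32.dll", "Arucer.dll"]))
```

On a real host, feed `listeners_on_port` the output of `netstat -ano` and look the returned PID up in the task list; a listener on 7777 owned by a process that loaded arucer.dll is the combination to act on, since either indicator alone can have an innocent explanation.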


Friday, March 05, 2010

Visual Studio 2010 comes with spyware-like features for FREE

The Dotfuscator included in Visual Studio 2010 comes with capabilities to track feature usage and integrate evaluation usage into Microsoft Dynamics CRM "to increase win rates", and enterprises will be able to integrate application runtime data into Microsoft Business Intelligence solutions "to improve business agility".

In addition, Dotfuscator Software Services CE also has enhanced capabilities to stream alerts and runtime data to one or more cloud-based services.

Does this sound like spyware capabilities to you?

Source:
http://www.microsoft.com/Presspass/press/2008/oct08/10-27PreEmptivePR.mspx

Western Digital RMA HDD Gone Bad

It's probably just me, but a stroke of bad luck has hit a refurbished HDD I got back from Western Digital. The 2TB HDD grew 289 bad sectors within just 14 days. I wonder if they actually QA these HDDs. From my experience with Seagate, at least Seagate runs the drive through SeaTools to get it "Seagate Repaired Certified" prior to sending it back to the customer. I just hope WD doesn't keep this up, because this is the 2nd HDD I have RMA'd in the past month that had errors, and I actually needed to RMA one of them twice in a row.

Anyway, here is how Hard Disk Sentinel found and showed me the bad sectors:


Copyright © 2008 nemesisv.blogspot.com, All rights reserved.