By now everyone probably knows about the Flamer malware.
There are a lot of write-ups all over the internet. An interesting read for me was this technical report by “CrySyS Lab”.
That got me thinking about another article I had read saying it is not effective on systems running under least privilege. That in turn reminded me of a problem I ran into trying to run an HTA application that had worked fine for a long time, then all of a sudden started throwing errors on load, or “an” error actually.
After some investigation I discovered that the reason was that “something” had re-enabled UAC on my system, combined with the fact that HTAs have to run as admin. I have not tracked down the exact time or program that did it because the change only completes on reboot and I don’t reboot every day. That said, everyone knows that sooner or later Windows will need to be rebooted to solve some strange problem. So I have to keep narrowing down the time and then use a strings utility to locate the file. It is also possible it was a temp script that was deleted after the change was made (there are a lot of those on a system, in several different places).
I would think it was most likely the result of a Windows update, a preemptive move against the new threat before the information was released to the general public.
Once UAC was re-enabled I started to get a lot more script errors in IE and found a few things I didn’t even know about.
One of them was that Flash Player uses peer-assisted networking (torrent style?) file sharing for some of the files it stores on your system, on a per-site basis. It can be disabled, but the help page says it may be slower. Here is the link to that help page. And here is a link to the Administrator’s guide. One link for shared objects. A link for the Settings Manager page. This last link lists the links for the big control panel for checking the settings.
Here is an excerpt from the page at the first link.
“If you select Remember and Allow, the website will always be granted permission to share your bandwidth, without asking your permission”. Duh, ok.
Dang, some don’t have enough as it is.
Well, I guess that explains some problems I’ve seen, since I don’t remember ever agreeing to allow that to happen, or I was just unaware of what it was all about. Of course, once you change the setting or delete the sites, you are harassed with popups asking you to allow or deny the content (in a tiny box where you may not be able to see what the site is; I had to take a screenshot and zoom it). Sometimes there are several different sites to click through for permissions just to view one file, but on my screen the print is so tiny you cannot tell very well that the site name is changing on each click.
After tracing down one of the sites with a strange-looking web address, it turned out to be for the Nielsen ratings (they want to track what I am watching online?).
That leads me to another one. Everyone likes to watch their favorite show online. Another security warning that has been popping up is that the sites CBS, ABC and NBC want to access localhost. Now why in the world would they want to do that? That is one I haven’t dug real deep into yet. I need to look at the source code for the page and get the scripts to see what they are after.
If anyone here uses Windows Live Messenger then they get to see all of the great ads that Microsoft pushes through it (cough cough).
I started getting some script errors and first assumed it was the website I was viewing at the time, since Messenger wasn’t even open then. After closer inspection, looking at the error itself, it had to do with the TRUSTe add-on: certain ads would mess with the ad player and throw a script error. So I uninstalled the add-on, and after some more cleaning of the system I haven’t seen the error for a while (it’s also possible that they actually fixed the problem).
Which brings me to something I thought interesting. While trying to find the cause of why a Words With Friends game failed (it gets annoying having to wait for it to expire on its own), I created a program that would search the IE Temp folder for all files containing a certain string, to cut down the number of files I had to go through. I then added the ability to open a selected found file and view the contents in Notepad. Today I added the ability to just go to the file location and highlight the selected file.
The most interesting part came while testing the program: I stumbled upon the temp configuration file for the Messenger client. I could open the file with Notepad through my program, but when I tried to use the go-to function in my program, it could not find the file. Also, when you navigate to the IE Temp folder through Explorer it does not show up, so if my scan hadn’t found it, chances are I would never even have known it was there. Some interesting things in the file are stuff like
ZombieServerDetectLongDelay, <TrustedDomains> (several listed), <HwBlockList.
Not totally sure what it is all used for at the moment.
That just goes to show that even Microsoft is hiding files. Also, if it is readable then there is a way to find and access it. A test using an elevated CMD with “dir /a” found the file.
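Here is a small PowerShell script, added as an illustration and not the author’s program, that does the same kind of scan: it searches the IE cache for files containing a string, includes the hidden and system files that Explorer and a plain dir skip (the way dir /a does), and reports the attributes that explain why a “go to file” step can miss a file Notepad can still open. The two function names and the use of the InternetCache special folder are my own assumptions.

```powershell
# Added example (not the author's program). Assumes Windows PowerShell 5.1 or later.
# Scans the IE cache folder for files containing a string, including hidden and
# system files that Explorer and a plain "dir" skip, and reports the attributes
# that explain why a "go to file" step could miss them.
function Find-CacheFilesContaining {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Pattern,
        # InternetCache resolves to "Temporary Internet Files" or INetCache
        # depending on the Windows version, so no path is hard-coded here.
        [string] $Root = [Environment]::GetFolderPath('InternetCache')
    )
    # -Force is the Get-ChildItem equivalent of "dir /a": include hidden/system entries.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -List stops at the first matching line in each file, which keeps the scan fast.
        $hit = Select-String -LiteralPath $_.FullName -Pattern $Pattern -SimpleMatch -List -ErrorAction SilentlyContinue
        if ($hit) {
            [pscustomobject]@{
                Path   = $_.FullName
                Hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                System = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                Match  = $hit.Line.Trim()
            }
        }
    }
}

# Opens a hit in Notepad or selects it in Explorer. Explorer only highlights a
# hidden/system file when "show hidden files" is enabled, which is why a
# go-to step can fail even though Notepad can open the file by full path.
function Show-CacheFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('Notepad', 'Explorer')] [string] $With = 'Notepad'
    )
    if ($With -eq 'Notepad') { Start-Process notepad.exe -ArgumentList "`"$Path`"" }
    else { Start-Process explorer.exe -ArgumentList "/select,`"$Path`"" }
}

# Usage: list every cached file mentioning TrustedDomains, hidden ones included.
Find-CacheFilesContaining -Pattern 'TrustedDomains' | Format-Table -AutoSize
```

Run it from an elevated prompt if the cache folder belongs to another account; for your own profile, a normal prompt is enough since -Force only changes which entries are listed, not the permissions used to read them.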
I spend most of my time looking for ways to get information out of systems to solve various problems. These are just a few of the odd things I ran into.
By the way, I did submit to Zynga that the reason for that particular problem was that the script did not handle the case where a returned value was not numeric, as it was expecting. Whether they act upon that information, who knows. (It took 3 or 4 emails back and forth to get past the canned problem solving. Then I was informed it would be forwarded to a developer.)
It is interesting the things that are trying to do stuff on a system that you would never know about if script debugging was not enabled (also the lack of error handling you see). On the other hand, it can be tiresome to keep clicking away the popup messages when you don’t want to mess with them at the time.
Well, that’s my ramblings for today. I hope you found something useful in this, or at least somewhat amusing.
Have a good day : )
Filed under: RootAdmin