Jeff Duntemann's Contrapositive Diary Rotating Header Image

malware

Odd Lots

Jan 23rd, 2009
by Jeff Duntemann.
No comments yet
  • From the Words I Didn’t Know Until Yesterday Department: The Ranters were a wild-eyed seventeenth-century religious fringe group, who were perhaps most notable for incorporating nudity into their worship. (Whatever else they might have been, they sure weren’t Catholic.)
  • From ditto: In modern urban slang, a “butterface” is a homely girl with a great body, as in, “Every part of her was perfect but her face.”
  • And elsewhere on the words front, even William Safire, from whom the scariest words recoil in terror, was unable to determine the origin of that very up-to-date and with-it 90s expression, “it is what it is.” Wikipedia suggests that it was coined by John Locke, circa 1680. So much for being up-to-date.
  • From the Microprocessors I Never Heard of Until Yesterday Department: There was an 80376. It was an embedded variant of the 80386 that did not support real mode, but only protected mode, and was produced from 1989 until 1994.
  • Much angst is flowing about the blogosphere concerning the Conficker worm, but this is the first page about it that I respect at all. I’ve long since disabled Autorun, and in fact, “autorunning” things is one of the worst ideas in computing since DLLs. Make sure you’ve got that November patch they speak of
  • And while we’re talking worms, here’s some news on a piece of malware that comes in on pirated Mac software, evidently with the intent of creating an all-Mac botnet. The dangerous thing here is that a lot of nontechnical people seem to believe that the Mac is immune to malware somehow. OS/X is certainly tougher to infect than Windows, but it can be done, especially when people are sure that it can’t.
  • Carol and I launch our Internet-facing apps under a clever mini-utility called DropMyRights, which basically runs such apps with limited user account privileges instead of admin privileges, even if you’re running as admin. Doesn’t work on Win2K, so I have not used it myself until fairly recently, but I installed it on Carol’s XP box probably two years ago, and she has used it daily without any issues since then.
  • I have tried and failed to make a Linux utility called KGrubeditor work under my instance of Ubuntu Intrepid. When I attempt to launch it, an item appears in the taskbar for about fifteen seconds before vanishing, and nothing else happens. At least one another person I know has made it work correctly, but I just don’t see what I’m doing wrong. I installed it through Ubuntu’s apt-get shell and saw no errors during the process. If any of you are users and are aware of any trickiness in the utility, I’d love to hear more.

Malware from SourceForge?

Nov 8th, 2008
by Jeff Duntemann.
3 comments

I've been chasing something very odd here recently. For about a year nowI have used a FOSS utility called MozBackup to both archive and move my 1.7 GB mailbase around. It has always worked beautifully, but when I used it to restore my mailbase onto my new quad-core machine last week, the mailbase did not come back intact. I was getting weird error messages about the inbox not truncating when messages were moved into the junk folder, etc. which made me wonder what was going on.

Ok. This is a quad-core machine running XP SP3. I deliberately set it up so that AVG 8 runs during the day and not at 2 ayem, because I want to observe what effect multiple tasks in multiple cores has on overall system response. So every day at 1 PM, AVG 8 runs a full scan. It ran a full scan on all drives yesterday, and came up with nothing except warnings about a couple of revenant tracking cookies.

Late yesterday afternoon, I copied the current MozBackup installer file from my installers archive on D: to my “installed installers” folder (where I put installers for software installed on the machine) on C:. Instantly, AVG 8 set up a howl that it had found a trojan in MozBackup-1.4.8-EN.exe, the installer for the instance of MozBackup that I have had installed on the quad-core since June. The trojan was called Generic12.HTC.

That's odd in itself: On all the bazillion-squared pages that Google indexes, there was not a single mention of “Generic12.HTC” yesterday . Nor is there any entry by that name in AVG's virus encyclopedia. This morning, however, I suddenly see five or six mentions indexed during the night. It looks like a false positive, but I'm still a little nervous.

As a test, I went back to SourceForge and downloaded another copy of the file. As soon as it was complete in a temp folder, wham! AVG's “resident shield” utility called it out as Generic12.HTC. Now, I'm not used to thinking that SourceForge downloads can be malware sources, though there's no reason that it's impossible. However, the MozBackup-1.4.8-EN.exe file has been on my hard drive since June, and has passed muster every afternoon that the machine has been powered up. The file's time stamp has not changed. I can only assume that during yesterday's daily update, AVG brought down a signature that matched something inside the fileā€”and that would be a mighty freaky coincidence if true.

The other freaky thing is that after I deleted MozBackup 1.4.8 and installed the previous version 1.4.7 (which is in use on three of my other machines, including my X41 tablet) the mailbase restore worked perfectly. So are there two problems here or one?

The handul of reports surfacing this morning seem to indicate that it's a false positive, which would make sense, given that it's been on this system since June without AVG making noise. So maybe I don't need to warn you against the 1.4.8 version. However, it does look like 1.4.8 doesn't necessarily import an archive created with 1.4.7. Yes, a coincidence, and a weird one.

Newer Posts →