Sunday, November 27, 2005

One of these things...

...is not like the others!

Growing up I had one of these books. "Richard Scarry's Best Word Book Ever". Kokogiak posted a looksie on Flickr that shows how the 1991 edition differs from the 1963 original. It is a fun romp through political correctness and modernization. I believe mom even made a hand-stitched Lowly Worm plushie for my brother. Hint: assuming your browser is properly configured, you should be able to hover your cursor over his pictures and highlight the changes.

Don't expect anyone but die-hard manga and anime freaks like us to get this one, but a very creative individual posted a flash movie takeoff. They took the opening credits to the Azumanga Daioh anime series and rebuilt it for the Yotsuba&! manga characters. Very well done if you're familiar with either one.

More Mozilla tips:
  • If you are using SAGE for your RSS feeds, you can customize the templates the feeds are displayed in. It isn't obvious from the extensions page. You need to go directly to the SAGE site. Check out the Styles link and follow the previews/instructions. I really like the dual-pane display, but am using the "Hicks" style sheet since the colors better match those I'm using in my Firefox browser (Outlook 2003 Blue).
  • Paul Stamatiou outlines how to change the Firefox "throbber" button to link to any other link of your choice. It seems so obvious now.
  • Rumors on the net seem to suggest that next week, Mozilla will make a final release of Firefox 1.5. Right now they are sitting on RC3. I have been very happy with it. Only 3 crashes. I just wish my favorite extensions would catch up to this release for compatibility.
  • Speaking of extensions for Firefox, I've been running "No Script" for the past week now. I saw it referenced on SANS and thought I would give it a try. It basically prevents JavaScript from running during your browsing sessions unless you allow the site to run it (trusted location). JavaScript is not necessarily evil, and is required on some sites for features to function properly. However, it can be used to install malware or redirect you to undesired locations. The only thing I don't like about it right now is that it is kinda "noisy". I've configured the notification to show for only 5 seconds, but may need to set it to zero. You can allow scripts to run temporarily or set the site to always allow them. The more I get configured, the quieter it is, but it does kinda intrude on the surfing experience. Hmmm. Do I want web-safety or speed?
Songbird Media Player--coming soon. Found this while trolling the net. My very first thought was "Sheesh. Looks just like iTunes. Hope they don't get sued by Apple." Looking at it though, it could be a really nice media player/organizer for those who don't have iPods but want to manage Podcasts and such. Will have to keep an eye on it for now.

In Firewall news--it looks like Symantec is about to kill off Sygate Firewall. Sygate recently got gobbled up by Symantec. They offered a free firewall for personal use. First we lost Kerio, now Sygate. Who next? I use ZoneAlarm and have since day one, but like to have alternatives to propose to individuals. My father-in-law's Win98 pc eventually refused to play nice with ZA so I switched it to Sygate since it was one of the last that supported Win98 OS.

Speaking of firewalls...should you get a hardware firewall instead of using a software firewall? Or maybe use both? Since I am a pretty paranoid person when it comes to pc security, I have been considering dropping in a physical firewall/hub device between my cable router and pc. The benefit of a hardware firewall is that it provides an additional layer of protection for your network and is not OS linked, so if your system is compromised, it would (hopefully) not be compromised as well and would still provide some protection. I haven't made a final decision yet. One more article.

I like lists. Here is a good one: Scott Hanselman's 2005 Ultimate Developer and Power Users Tool List. Some is freeware--much is not. Some is useful...much is for software developers. But it is a good list anyway.

The Houston Chronicle website just did a major rebuild. I know the team worked hard on it and it shows. I just am an "old-school" guy and miss the old site layout. Too many graphics now and it is challenging to navigate. I find I am making lots of bookmarks to favorite sites instead of just browsing to the main page and going from there. Oh well....

Special blog feature

Opening up a can of malware spanking on gjhdumf.exe!

Last week I had a real malware smackdown at work. Got an assignment to look at a user's pc that had a bad network client software upgrade. Got that fixed easy enough. (Good tip #1--know what MSGINA.DLL does and how to use it to your advantage!) So then I started doing the usual MS Automatic Update configurations using the gpedit.msc tool and running the malware scans/cleans (found a ton to clean). Then I downloaded and ran the latest MS AntiSpyware tool. As part of this whole thing, you have to agree to an ActiveX download to validate the OS first. So when I got an ActiveX popup, like the 1000s of times before, I just robotically clicked "OK", but in that horrible second after you do, I realized what I had read but not processed. That wasn't the MS ActiveX window (which popped up a second later). So I had to pull that first ActiveX out. What is going on? I paused and looked at the pc. Several popunder windows had appeared that I didn't notice. I reran all the malware scanner tools and the MS Antispyware. Clean. But I was still getting pop-unders. HiJackThis showed a clean registry as did SysInternals Autoruns. Hmmm. I ran CWShredder. Ok. Cleaned one more off. Rebooted. Everything looked clean after another full check. Browsed with IE and bam. More pop-unders. Checked the system processes but everything there was normal. Hmmm. Rootkit? Possibly.

So I rebooted and ran SysInternals FileMon and RegMon applications (concurrently). Then I fired up IE and started browsing. Soon enough I was getting pop-unders again. Once I was sure I got enough I closed IE and went back and examined the logs. Soon enough both showed that once IE was launched, a process/file called gjhdumf.exe was kicking off--calling to the registry, etc. I browsed to the location it was in, C:\WINNT\system32, but didn't see it. Ah! I know what to do! I opened a command prompt session and did a dir gjh*.* and promptly found four "super-hidden" files! (I know that you can set the View options in Windows Explorer to show all these files, but from experience, some still don't always display except in DOS.) There was gjhdumf.exe along with gjdumf.dat, gjhdumf_navps.dat and one more I forgot to write down. I renamed all the files with an additional ".bad" extension and rebooted. Browsing once more in IE, no more pop-unders! I went back and deleted all those files. Ran a Rootkit Revealer scan. Nothing to see. Case closed.
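The hunt-then-rename step above can be scripted so the next time it takes a minute instead of an hour. The PowerShell below is an added example written for this post, not the author's own commands or any tool's code: it looks for files carrying both the Hidden and System attributes (the "super-hidden" combination a default Explorer view skips) whose names match a prefix, records name, timestamps, attributes and a hash before anything is touched, and only renames with a ".bad" suffix when you pass -Quarantine. The directory and prefix default to the post's C:\WINNT\system32 and gjh*, but both are parameters; the file name Find-SuperHidden.ps1 is an assumed name for saving it, and it assumes PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not from the original post): find "super-hidden" files
# (Hidden + System attributes) matching a name prefix, log what they are,
# and optionally quarantine them by appending ".bad".
# Assumptions: directory and prefix are parameters; defaults mirror the
# post's C:\WINNT\system32 and gjh* case. Run from an elevated prompt.
param(
    [string]$Directory = (Join-Path $env:SystemRoot 'system32'),
    [string]$Pattern   = 'gjh*',
    [switch]$Quarantine   # without this switch the script only reports
)

# -Force makes Get-ChildItem return Hidden and System entries that a plain
# listing leaves out; the Where-Object keeps only files that have BOTH flags.
$candidates = Get-ChildItem -Path $Directory -Filter $Pattern -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        ($_.Attributes -band [IO.FileAttributes]::System)
    }

if (-not $candidates) {
    Write-Output "No hidden+system files matching '$Pattern' in $Directory"
    return
}

foreach ($f in $candidates) {
    # Record the evidence before touching the file: name, size, timestamps,
    # attribute flags and a SHA-256 you can keep with the quarantined copy.
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Name       = $f.Name
        Size       = $f.Length
        Created    = $f.CreationTime
        Modified   = $f.LastWriteTime
        Attributes = $f.Attributes
        SHA256     = $hash
    } | Format-List | Out-String | Write-Output

    if ($Quarantine) {
        # Clear Hidden/System/ReadOnly so the renamed copy stays visible and
        # deletable later, then rename so nothing can launch it by its old name.
        $f.Attributes = [IO.FileAttributes]::Archive
        Rename-Item -Path $f.FullName -NewName ($f.Name + '.bad')
        Write-Output "Renamed $($f.Name) -> $($f.Name).bad"
    }
}
```

Run it once without the switch (.\Find-SuperHidden.ps1) to see the report, then with -Quarantine once you are satisfied the matches are the files you meant, and reboot before re-testing in IE as the post does. The classic cmd-side equivalent of the report is attrib gjh* in the same directory, which prints the H and S flags next to each name; the report-first design is deliberate so the hash and timestamps survive even if you later delete the renamed files.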

I usually save the files and examine them in PE unpackers but was too busy to take the time to save them. So how did the malware know to run only with IE and not be listed in the registry as startups? I can only guess that an additional registry hook had been placed in such a way that tied into IE. So that when IE launched/ran it would trip over that extra registry call and fire up the malware file, which then generated the pop-unders.

Bonus link for you malware fighters--thanks paperghost!
Japanese TV celeb Kaori Manabe was named "spyware extermination squad" leader in a Tokyo press event Thursday. Story here.
Hoping your skies are clear!
--Claus
