17 July 2008

SARS e@syFile Employers Manual Backup & Restore

Our HR people had a problem with the new SARS e@syFile Employers application. On opening the program it could pop-up with a window saying
"The application has started from the incorrect icon. Please start e@syFile - employers from the desktop icon"

Even if you open the program from the desktop icon it still gives you this error.
I found that you can do the following to fix this.
  1. goto
    Windows XP: C:\Documents and Settings\{username}\Application Data\EasyFileEmployer.{hash}\Localstore\
    Windows Vista: C:|Users\{username}\AppData\Roaming\easyFileEmployer.{hash}
  2. Copy the EasyFile.db and easyFile-employer.air files to a safe location.
  3. Uninstall the e@syFile Employer application.
  4. Re-install the program from the setup file
  5. Copy the EasyFile.db and easyFile-employer.air files back to the directory.
    Windows XP: C:\Documents and Settings\{username}\Application Data\EasyFileEmployer.{hash}\Localstore\
    Windows Vista: C:|Users\{username}\AppData\Roaming\easyFileEmployer.{hash}
  6. Start the e@syFile program again.
All you data will now be back and the application should run fine.

I would suggest that you backup the EasyFile.db and easyFile-employer.air files on another computer/server or removable disk.

You can write an xcopy script that will copy the files to a server or backup disk and create folders named with the date of the backup like so:

MD E:\PAYEBACKUP\%Date:~0,4%-%Date:~5,2%
CD C:\Documents and Settings\{username}\Application Data\EasyFileEmployer.{hash}\Localstore\
XCOPY *.* E:\PAYEBACKUP\%Date:~0,4%-%Date:~5,2%\

16 July 2008

Music to Malwares Ears?

As reported by Trend Micro there is a worrying new attack vector that malware writers are using to spread their code, multimedia. The malware apparently infects almost any multi-media files which, when opened, ask you to download a codec to play the file. The codec is actually the malware which then infects the computer.

As the Trend article pointed out this could be a massive problem because of P2P networks. Infected multimedia files could soon be flying around P2P networks infecting everyone.

Multimedia files are some of the most shared files and therefore this could be a very problematic attack to prevent. I would suggest that network administrators keep their eyes open and try to discorouge users from bringing multimedia files to the office.

11 July 2008

Windows and OSPF issue

We have been testing OSPF on our network now that our wireless WAN links are a stable. Basically what we are trying to do is get the routers to re-route traffic between our sites via Diginet in the event that our wireless link goes down.

We tested it on our Cisco routers and everything seemed fine, but the Windows clients are not playing the game. Basically we have 2 routers on each subnet, one for Wireless (Mikrotik) and the other for Diginet (Cisco).

When we disconnect the LAN cable for the Mikrotic router the Cisco automatically detects this and then re-routes traffic via the Diginet. The windows clients however do not go through the Diginet.

On closer inspection we noted that in the Windows routing table (route print) on the client machines they have a route to the remote subnet via the Wireless router. The strange thing is that their default gateway set via DHCP is the Cisco router yet they still have this entry in the routing table.

If anyone out there has had something similar could they please help out. We have been scratching our heads for a couple of days now and can not find anything usefull on Google yet. (Clearly our search strings are all messed up!)

The one solution that we have thought of is to put the mikrotik router on its own subnet and set the Cisco's LAN interface to have addresses on both subnets. This would mean that the Wireless equipment will not be directly accessible from the local client subnet and only allow traffic to traverse this link via the Cisco ethernet interface. The only problem with this scenario is that it will result in a lot of network downtime to setup and that there is the possibility that the client connection to the wireless may be limited to the speed of the 10Mbps ethernet port on the Cisco router.

DNS Mega-Poison

According to IT-Web there is a mega flaw in DNS that will allow for DNS poisoning to happen allowing attackers to redirect traffic to almost anywhere.
DNS (Domain Naming System) is the system that converts domain names to IP Addresses. This previously undiscovered vulnerability could lead to massive identity theft due to the fact that users could be redirected to fake websites without their knowledge.


10 July 2008

MSN SPIM - ultimate-stuff.info

Some more SPIM domain names are showing up ...

  • ultimate-stuff.info
  • <msn username>.hostings.info

Please do not enter your username and password in these forms. They will take your account details and start sending links to all your contacts.
If you have entered your username and password in this form please change your password as soon as possible!

My complete list of domain names to look out for are:
  • imagedino.info
  • imagelook.info
  • locatehost.info
  • imagedino.info
  • hostings.info
  • ultimate-stuff.info
If you are a network administrator please block these domains on your proxy server asap.

08 July 2008

More SPIM - locatehost.info, imagelook.info

There seem to be several new domain names that are showing up for the MSN SPIM imagedino.info.

Some of the ones that I have seen so far are:
  • imagelook.info
  • locatehost.info
  • imagedino.info
There are some more listed on this website:

WHAT NEXT? - imagedino.info MSN SPIM

Please change your password if you entered your user name and password into the imagedino.info website.

I have been following the imagedino.info saga since yesterday when I received a link to the site from a contact. Ever since then I have been trying to figure out what the point of this "attack" was. It seems pretty harmless and it also seems to be a rather basic attack, but I did some digging and found this article from Trend that seems to be rather similar form of attack.

The article indicates that once you have entered your user name and password into the form your login details are sent to an email box. The owner of that email box can then use your email account to send out spam mails or malware. This is obviously not a good thing, as it will annoy the daylights out of all your friends and possible infect their machines if your account is used to send out malware!

imagedino.info has Google Analytics
I noticed that if you view the source of the page it has Google Analytics embedded in it! What on earth are these guys doing? Is it some security research project by some students that got into the wild?

Get Firefox 3 to block
Also note that Mozilla Firefox 3 now blocks that domain. I would recommend that if you are using internet explorer rather upgrade to Firefox 3. It has some really good security features that block websites like these once they are identified. This is very usefull if you expect someone else to use your computer that also uses MSN. It will prevent them from being part of this whole attack.

What is SPIM?
I noticed that a lot of people where referring to the messages sent as SPIM. according to wiktionary.org : "SPIM is Unsolicited commercial messages sent via an instant messaging system"

07 July 2008

SOLUTION - imagedino.info MSN Phishing


It would appear as the the MSN phishing outbreak is nothing more than phishing. After running several scans on his computer my "infected friend" found no viruses or malware. After changing his MSN password the messages seemed to stop. (Also verified by Gregg. See link found http://www.avertlabs.com/research/blog/index.php/2008/06/10/now-be-a-good-victim-and-enter-your-login-credentials-in-the-form/)

Lets hope this is just a single vector attack as now these punks have managed to get all the email addresses and msn information of most of the contacts. I would watch out for the next week or so for any suspect looking emails that arrive in your MSN account email address.

imagedino.info MSN Phishing

I recently received a message from a contact in MSN that had a link in it to the domain imagedino.info. It looked suspect, but I thought I might as well see what is going on.
When I followed the link it took me to a rather suspicious login screen that asked me to logon using my MSN Account.
I would suggest that no one do this as this is more than likely a phishing website that will use your account details for no good.
The link was http://.imagedino.info/
Please block this on your proxy server is you have a proxy.
If you have entered your username and password into this form:
  • please change your MSN password as soon as possible.
  • I am not sure if the page downloads anything malicious onto your computer. I would suggest updating your anti-virus and running a full system scan.
    You can get AVG Anti-virus for free from here.
  • Also try using something like spybot search and destroy

Screenshot of the website.