Five days after Henry purchased the product, blvdsoftware.com vanished from the Internet.

Several red flags should have stopped him from making the purchase. Blvdsoftware.com claimed it had been in business since 2005, but a check of the site’s WHOIS registration records showed it was created in late October 2011. The site said that Blvdsoftware was a company in Beverly Hills, Calif., but the California Secretary of State had no record of the firm, and Google Maps knew nothing of the business at its stated address.

Henry said that in years past, he’d always bought a CD version of the software. But this year, he opted for digital download.

“I was going to download from Amazon — they sell a download-only version — and then I saw the cheaper site and went with them,” he said in an email. He installed the program, but said he didn’t enter any of his sensitive data. For one thing, he never received a license key from Blvdsoftware, and the program he installed didn’t request one. Now he’s wondering if the program was — at the very least pirated — and at worst — bundled with software designed to surreptitiously snoop on his computer.

The errant buy was doubly insulting because Henry bought the software using a prepaid debit card, and now finds himself unable to dispute the charge.

Buying software from random sites or companies you know nothing about and haven’t researched is a bad idea all around. But fail to do due diligence on a bargain site that sells tax return software and you could be handing your identity and computer over to cyber thieves.

If you’re in the market for tax software downloads, save yourself the worry and hassle, and stick to known and trusted outlets online. Search for any of the titles listed at the cached version of Blvdsoftware’s site and you will probably discover that after the first page of results the vendors start to look pretty sketchy. Also, avoid using debit cards for online purchases.

If your income is $57,000 or less, you can file your taxes online for free using IRS’ Free File software, available at no charge here. And remember that the IRS does not initiate contact with taxpayers via email. If, however, you do receive a snail mail notice from the IRS about more than one tax return being filed in your name, or that you were paid by an employer you don’t know, someone may be trying to fraudulently file a tax return on your behalf. See this page from the Federal Trade Commission for more information on tax related identity theft.

cc photo credit Tardis by AntToeKnee Lacey on flickr

I guess I’m doing something right as a dad.

Alvis has been hard-at-work babysitting and pinching her pennies.

So the other day when we are at the local GoodPurchase box store collecting some electronica-accessories, she disappeared momentarily, reappearing with DVD and Blu-Ray season six box sets of BBC Dr. Who. “Which one?”  (Alvis is an unabashed Dr. Who (Matt Smith incarnation only thank you very much) Super Fan™).

We settled on the Blu-ray, but only after I gave my acknowledgment that when Alvis strikes out on her own in life, they are going with her. This was going to be super-awesome considering we had been watching the series on regular-def BBC America. Oh the details we would now see!

When we got home she first emptied the DVR of all the still-saved local versions from the BBC run quite a while ago. Then she popped a disk in.

The intros ran splendidly, then we got to the first episode. The Blu-ray quality was extraordinary; super-crisp and detailed. Only when the camera angle would pan, the play-back stuttered horribly.

Retried the disk…same thing. Different episode…same result.

Oh bother.

Feeling a bit of panic as I had advised her of the superior Blu-Ray benefit and running in my head the success/failure possibilities for a Blu-ray return at GoodPurchase box store, I tried to digest the best plan of attack.

We tried another disk from the set. Nope. Same problem.

I next tried waving my Alvis-provided Sonic Screwdriver at the Blu-ray player. That always seems to work for the Doctor.

Alas. Didn’t help this time.

Probably needs to be recharged.

First things second.

Based on previous experiences with our BDP-S360 Blu-ray™ Disc Player from Sony, it seemed the best place to start out was a check on the firmware level for the player.  I strung out our 50’ Cat-6 patch cord down the hall from the router and connected it to the player and checked on-line for firmware updates using the embedded system feature. Sure enough, there was Blu-ray Disc™ Player Firmware Upgrade (version 011).

The update applied successfully. Rebooted the player and re-launched the Blu-ray.

Nope. Same issues. Drat.

I hit the Googles and checked out the customer reviews on the Amazon.com product page for the set. Indeed there were a number of complaints that some users were experiencing playback stuttering with their disks. Maybe it was indeed a bad-press.

Alvis was getting quite dejected now. Not only was her hard-earned investment looking less enjoyable, so was the planned Dr. Who marathon session planned.

Poking around the Amazon page some more led me to a discussion thread. Amazon.com: Customer Discussions: HELP! Framerate problems!

Hmm. That sounded like exactly what we were experiencing. The choppy playback quality is like when you were trying to watch an on-line video and you have streaming/buffering problems. I couldn’t imagine the player didn’t have the hardware capability to process the BBC Blu-ray disk…we haven’t had any quality playback issues with other disks in our collection.

The tips offered mentioned things like deinterlace and motion interpolation issues with British programing transfers for US playback; both apparently related to frame rate processing. Apparently different Blu-ray systems have different feature names for this.

I pulled down the Sony BDP-S360 user’s manual from the website and checked the PDF closely. Nothing seemed to fit exactly what I was looking for.

In the end we decided to try changing the following setting:

• “HDMI Resolution/Component Resolution” got changed from “Auto” to 1080i.

Retried again.

Voilla!

Perfectly smooth and natural video playback from the BBC Blu-ray disk set.

So if you run into this problem as well, you may want to check some of your player settings first. That whole deinterlace/motion-interpolation/framerate thing with BBC disks has some truth in it.

Normally our player is set to “Auto” and runs at the 1080p mode-rate. Dropping it down to the 1080i was all we needed to get the playback running normally again.

Your player settings may vary so dig out your manual and start experimenting.

You may be glad you did!

Cheers!

–Claus V.

And here is a command history of a Cisco router:

What do these results have in common?

Both were produced by analyzing RAM dumps with a new forensic toolkit I’m developing, the Network Appliance Forensic Toolkit, or NAFT.

More to be published soon.

But if you want a beta version now, provide me a Cisco core dump in exchange

• ShiftN – Freeware digital photo tool that corrects “line” convergence. Love it! More overviews of the software here:

• Repair ‘converging line’ perspectives in photographs with ShiftN over at freewaregenius.com,
• ShiftN: Adjust Vertical Line Distortion In Landscape/Building Photos at AddictiveTips blog.

• Access & Export Windows Shadow Copies According To Time – Shadow Explorer – AddictiveTIps blog
• Ripping Volume Shadow Copies – Introduction – Journey Into Incident Response blog
• Ripping VSCs – Practitioner Examples – Journey Into Incident Response blog
• Ripping VSCs – Developer Method – Journey Into Incident Response blog
• Browse Windows System Restore Points – CybernetNews blog

• Looking for a best-in-class screenshot capture program? ‘Screenshot Captor’ might just be it – Review via freewaregenius blog
• LATEST VERSION INFO THREAD – ScreenshotCaptor – v3.0 (!) – DonationCoder.com

For additional malware-bustin’ tips and tools check out these related GSD posts:

• grand stream dreams: Anti-Malware Tools of Note
• grand stream dreams: Quick Malware Notes, Incident Response, and 00-outs
• grand stream dreams: Interesting Malware in Email Attempt – URL Scanner Links

Cheers!

–Claus V.

Network stuff

• IOS: Let Me Truncate That Password For You… – Didier Stevens. IOS password limited to 15 characters.
• CREED (Cisco Router Evidence Extraction Disk) – Extract critical info from your Cisco routers.
• Shrubbery Networks, Inc. – RANCID – Really Awesome New Cisco confIg Differ
• inSSIDer v2.1 – MetaGeek – new release of a great (and free) Wi-Fi scanner.

Tips from Redmond

• Using Resource Monitor to Troubleshoot Windows Performance Issues Part 1 – Ask the Performance Team
• RDS Multiple Server Access – Ask the Performance Team
• Measuring Disk Latency with Windows Performance Monitor (Perfmon) – Ask the Core Team
• Updates: Coreinfo v3.04, DebugView v 4.78, LiveKd v 5.1, Process Explorer v15.13 – Sysinternals

All Outlook

• Tip o’ the Week #96 – Reining back Outlook’s file size – The Electric Wand
• RELEASE: Microsoft PST Capture Tool for Exchange 2010 and Office 365 released – Kurt Shintaku’s Blog

• Microsoft PST Capture Tool for Exchange 2010 and Office 365 released – Bob Hunt’s Blog
• .PST, Time to Walk the Plank – Exchange Team Blog
• Download: PST Capture – Microsoft Download Center
• Microsoft Exchange PST Capture – MSTechNet

• Download: OCAT_Setup.zip – Microsoft Download Center

From the 4SysOps Blog

• Test Group Policy – 4sysops
• Gpupdate, Gpresult, RSoP – 4sysops
• Group Policy – Active Directory problems – 4sysops
• Troubleshooting Group Policy – Part 6: Common problems – 4sysops. If you have missed the previous installments check out this Troubleshooting Group Policy link.
• What are the NTFS permissions? Free NTFS Permissions Reporter – 4sysops.  More details in this AddictiveTips post: Allocate NTFS Permissions Easily With NTFS Permissions Tool.  Download the tool here: Cjwdev | Software

I really thought the software highlighted in the last link, NTFS Permissions Reporter was super-cool. It reminded me of another recent NFTS permission checking/changing tips post for the not-so-much-a-sysadmin crowd, Take Ownership Of Files & Folder And Change Permissions In Windows 8 – AddictiveTips blog.

Tips and Tricks

• HOWTO: Fix Adobe Flash when it’s installed but keeps stating that it needs to be installed/updated – Kurt Shintaku’s Blog
• INFO: File size limits when copying files from SharePoint folders using Robocopy – Kurt Shintaku’s Blog
• Windows 7 in a box – The Ultimate Desktop Tool for Windows 7 – Really handy tweaking and quick-access tool to access all kinds of settings and features with just a few clicks. More info in this Windows 7 in A Box post from Windows7hacker.
• HowTo: USB Thumb Drives -Windows Incident Response Blog – Forensically-focused but still good info on USB devices for admins to be familiar with as well.
• ESXi Command Line Networking Configuration – What the…..? blog.

Cheers,

–Claus V.

As we saw in the previous GSD post, one of the processes that occurs after a Firefox update is automatic checking of Add-on compatibility with the new browser version. I generally don’t have any issues, but for whatever reason I paid it a bit more attention during the 10.0.1 update and noticed that I had two Add-ons that were not updated or compatible; “Search Helper Extension” and “HP Smart Web Printing”.

Both were automatically disabled, and this time, after brief consideration, I decided I didn’t need them. However when I went to remove them, I didn’t seem to have the ability to do so.

Oh noes!

Take two aspirin…

While I could “Disable” the Search Helper Extension, the “Uninstall” button was grayed out. That was an easy fix after reading this How-To Geek blog post: Remove the Search Helper Extension from Firefox. I also read the comments and found like a commenter, I had to delete the “firefoxextension” folder files in two locations on my Windows 7 x64 system after ensuring Firefox was not running:

• C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension
• C:\ProgramData\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension

Once I dumped those out, it no longer appeared in my Add-on list.

The HP Smart Web Printing Add on required a similar approach once closing out of Firefox. Delete the following folder:

• C:\Program Files\HP\Digital Imaging\smart web printing\MozillaAddOn3

These were easy fixes. The next issue was a major headache to track down.

Browser Plug In Updates, Updates, Updates!

First, in case you haven’t noticed, Adobe and Java both have been on a tear releasing security patch updates for their browser plugin software:

• Adobe Shockwave Player and RoboHelp for Word Patches – SANS ISC Diary
• Adobe Flash Player Update – SANS ISC Diary
• Java Update for February – SANS ISC Diary
• New Oracle Java and new Shockwave Player – IT Secure Site

There are lots of ways and means to updating your browser plug-ins. I typically just hop over to FileHippo and get the latest installers there to download and install on our systems. I just find it easier to grab them from here than mucking around on the Adobe/Java sites to get them. I guess it is a one-stop-shopping thing.

• Download Java Runtime Environment @ FileHippo.com – for both Java Runtime Environment 1.7.0.3 32-bit and 64-bit versions.
• Download Shockwave Player 11.6.4.634 @ FileHippo.com
• Download Flash Player 11.1.102.62 (Non-IE) @ FileHippo.com
• Download Flash Player 11.1.102.62 (IE) @ FileHippo.com

Once downloaded, I just run and they get installed/updated and now my system (and Firefox browser) is now using the latest patched version. Simple. Right?

Well…not quite so fast there.

Plug In Update Migraine Time

Last night I read this post Flash Update — Check Your Plugins over at the Firefox Extension Guru’s Blog. That shouldn’t have been a big deal as I had already updated all my plug-in versions.

Only the Guru reminded me (major senior moment) that Mozilla actually provides a link for you to confirm all your plug-ins are actually up to date. Two ways to get to the same place.

1. In Firefox go to Tools > Add-ons and then click the super-tiny link at the top of the plug-in list “Check to see if your plugins are up to date”, or you can simply click the link below right now if you are reading this in Firefox.
2. Firefox Web Browser — Plugin Check & Updates – Mozilla

I’ve since added a bookmark to that link on my main quick-link bookmark bar in Firefox so I won’t forget to check periodically. However, if you are the forgetful type, you could also add it as a second “home page” tab to automatically open when you launch Firefox each time.

Anyway, when I hit the link, a curiously “out of date” item appeared at the top of my list

This was curious as when I checked my Windows installed programs list, I had Adobe Acrobat Reader X installed, and yep, it was also listed there right below showing current and updated. Hmm.

So I launched my installed version of Adobe Reader X directly and manually checked for updates; nothing. It was fully patched and current.

So I uninstalled/reinstalled a fresh version of it. Rechecked the plug-in status in Firefox. Version 9.5.0 still there. Hmmm.

Time to break out the Naproxen

As I’ve already said, I run a semi-custom “portable” version of Firefox, so next I went over and checked in my \FirefoxPortable\Data\plugins directory and checked. Nope. Empty. This is the location where you can dump copies of plugin files (like for Flash/Shockwave/etc.). On my system Firefox was automatically calling them from their installed location on my system, so my directory there was empty although the plug-ins still worked. Back to this later but in my first troubleshooting process, I copied the most recent patched plug-in files for Adobe Flash, Reader, and Shockwave into that location. No fix. For now, you can reference these PortableApps links if you are curious about including “local to the portable Firefox” plug-in options:

• Installing Plugins (Java, Flash, Shockwave, etc.) – PortableApps.com
• Configuring Helper Apps (PDF reader, document viewers, etc) – PortableApps.com
• Mozilla Firefox, Portable Edition Support – PortableApps.com

So if I only had Adobe Reader X installed, why was Mozilla insisting I was still using Adobe Acrobat plugin for Firefox version 9.5.0?

More research led me to these MozillaZine links:

• Adobe Reader – MozillaZine Knowledge Base
• About:plugins – MozillaZine Knowledge Base

Neither of these had a direct-fix but in combination with careful reading it put me on the right track for discovering the issue and fixing it.

1. First I opened up about:plugins in a new Firefox tab. This provided a technical listing of all my Firefox plug-ins.
2. I found that both Adobe Acrobat Reader 9.5.0 and Adobe Acrobat Reader 10.1.2 plug-ins were listed.
3. I knew from the first MozillaZine link that the actual Adobe Acrobat Reader plug-in file I was dealing with is named “nppdf32.dll”.
4. Unfortunately, the default about:plugins view didn’t contain quite enough detail.
5. Using a tip in the second MozillaZine link, I opened up about:config and found the plugin.expose_full_path preference and toggled it to “True”.
6. I then reloaded the about:plugins tab and re-examined the two Adobe Reader plugin entries. Voilla!

If you look carefully at the info in that image, you will find that my portable Firefox build was actually loading both the current Adobe Reader 10.1.2 plugin file from the portable “plugins” folder where I had dropped it. However, it had also found and registered (?) the same Adobe Reader file (but outdated version 9.5.0.270) from an obscure folder location when I had installed a hand-me-down-from-my-brother Adobe Acrobat Pro 9 installation. A really seriously obscure folder location. Gads!

My “fix” was to simply shut down Firefox and wait for all related Firefox processes to terminate. Then I copied the 10.1.2 version of nppdf32.dll over into the same folder that had that old version and overwrite it.

For good measure I also followed the first part of the “method 2” tip on the MozillaZine page for Disabling the browser plugin. This was to Close your Mozilla application, delete the file “pluginreg.dat” from the profile folder location and recheck about:plugins.

Now only the version 10.1.2 Adobe Acrobat Reader plug-in was listed, and as found in my portable “plugins” directory. For the final confirmation I popped over to Firefox Web Browser — Plugin Check & Updates to let it rescan and report.

Success!

All the critical plug-ins were now showing Up to Date.

But that wasn’t the end of the story. Claus was on an Adobe product updating search-n-destroy tear now.

There’s More to the Story Here!

Since I knew the names of a few of these critical Windows plug-ins, I did some system-wide scans looking for those files:

• Flash plug-in (for Firefox): NPSWF32.dll
• Shockwave plug-in: np32dsw.dll
• Adobe Reader plug-in: nppdf32.dll

For the Flash plug-in, I discovered 13 instances of the file on my own system in a total of 6 different versions!

So if you normally run the Adobe Flash update installer (for non-IE versions) and expect it to simply and automatically update your Adobe Flash file system-wide, you may be woefully surprised (as I was) that isn’t necessarily going to be true. I guess I need to now copy the “latest” version myself into all those locations to overwrite the present version…assuming the new version is fully compatible with the applications calling it from those locations. That may not be the case!

The Adobe Flash update for IE versions is much simpler to manage. A check in the IE add-ons manager reveals the IE version of Flash is named “Flash11f.ocx”. I found it installed on my system in only one location…where it should be…and it was current.

More details on Adobe Flash plugins/tips/techncials here: Installation problems – Windows Flash Player @ Adobe

Of curious note, that original version for the Chrome plugin folder was also seriously outdated. One of the benefits of using Google Chrome is that it is supposed to automatically keep its own version of Flash updated; Adobe Flash Player plug-in – Google Chrome Help. The Chrome included version is named “gcswf32.dll” but since “NPSWF32.dll” was showing up for some reason rather than the Google Chrome version, I had to copy/paste the newest “NPSWF32.dll” into the folder to overwrite the outdated version with the current patched version.

One more thing to keep an eye on in my 2nd-favorite browser now. Sheesh.

There is lots of good info on that Google Chrome Flash Player link, so I highly recommend you read it, and then follow the following steps to familiarize yourself with the Chrome Plug ins in use as well:

1. Type chrome:plugins in the address bar to open the Plug-ins page.
2. On the Plug-ins page that appears, find the “Flash” listing.
3. To view additional details on the actual plug ins used and their file-path locations, click Details in the upper-right corner of the page to display more technical file/plug in information on the page.

The Shockwave file “np32dsw.dll” fared better. It was found in just two places on my system, the main install location as well as a copy of that original I had placed in my portable Firefox plugins folder

What about the Adobe Reader plugin file “nppdf32.dll”? Better? Mostly.

It was found a total of eight times system-wide in three different versions. The two older versions were in installation “$PatchCache$” folder locations so those didn’t appear likely to be accessed “live”. All the others were at the current patched version so I guess things are better there. IE and Chrome also use that same file (assuming you use Adobe Reader as your plugin and not a different/alternative PDF reader/plugin solution). You can go through the same processes mentioned earlier in both IE and Chrome to confirm that plug-in file/version if you wish.

Possibly related:

• How to determine what version of Adobe AIR runtime is installed (Mac, Windows, and Linux) – Adobe
• New Oracle Java and new Shockwave Player – IT Secure Site

Flash for Firefox – Sandbox Beta Edition

And if all this (just the mainstream/public versions of Adobe Flash and keeping it updated/secure) isn’t enough, Adobe now has a “special sauce” version for Firefox that introduces a “sandboxing” feature for added security!

• Adobe releases beta version of sandboxed Flash for Firefox – The H Security
• Adobe AIR and Adobe Flash Player Incubator | 3D Flash APIs – Adobe Labs. From that page:

Flash Player Protected Mode Features

The current Incubator release provides access to Flash Player Protected Mode for Mozilla Firefox on Windows 7 and Windows Vista systems.

Flash Player Protected Mode is a new security enhancement designed to limit the impact of attacks launched from malicious SWF files against Flash Player when running in Firefox on Windows Vista and higher. We are working aggressively to make Flash Player more secure, and Protected Mode is a critical component in our strategy. The current beta targets Windows desktop operating systems. We are working to extend similar protections to other browsers in the future.

Note: The extensive low-level changes made in this beta release may introduce unexpected problems in existing Flash content.

Keeping an Eye on the Updates – Third Party Style

There are a number of third-party tools/sites to also check your system patching for these to various degrees of depth:

• Qualys BrowserCheck – run a plug-in scan on IE, Firefox, or Chrome. Fast and easy. Bookmark this now! On-line scan or browser-specific plug-in versions available.
• The Secunia Online Software Inspector (OSI) – on-line scan for insecure plug-in versions as well as additional common software applications. For a more thorough solution, consider installing Secunia’s Personal Software Inspector (PSI) version.
• FileHippo.com Update Checker – FileHippo.com

I highly recommend you regularly use all of these to do some first-line software patch checking of your Windows system. For a basic starting place, make a note to check all of these locations at least every “Microsoft Black Tuesday” when you are checking for and applying your Windows updates, Mm-kay?

You are checking for and applying your Windows updates right?

Oh bother…

Cheers!

–Claus V.

Fortunately the Mozilla factory has been running overtime hours coupled with its plugin suppliers so there is a lot of material.

Looks like time for a blogpost on Firefox!

If you weren’t paying attention, you might have missed that the main Firefox public release got two rapid-fire updates.

• Firefox 10.0.1/ESR 10.0.1 Released – Firefox Extension Guru’s Blog
• Firefox 10.0.2 Released – Firefox Extension Guru’s Blog (and) Mozilla releases to address CVE-2011-3026 – Mozilla Security Blog
• Firefox Release Notes – Mozilla

Meanwhile additional work continues on future features

• Firefox Roadmap for 2012 Calls for Chrome Catch-up and Better Privacy Tools – ReadWriteWeb
• New theme, top performance, coming to Firefox this year – Mozilla Links
• New Firefox UI Coming Later This Year – Firefox Extension Guru’s Blog

Make Use Of blog has some good pointers on How To Make The Most of Firefox’s Session Manager

Speaking of updating the Firefox browser, looks like that process is getting a much needed update of its own:

• Changes to Firefox ‘Updates’ Coming – Firefox Extension Guru’s Blog
• Improving the Firefox update experience – Lawrence Mandel

Quite some time ago, I was regularly running “Minefield” versions of a Mozilla Firefox x64 build. It was fine until I hit a rocky patch of code updates that made my bookmarking support go wiggy. So I jumped back to the main public build on x32 for stability-reasons and haven’t given much thought to going back to some x64 builds.

So I read with interest recent development work on Waterfox and a few other special projects for x64 versions of developmental Firefox builds.

• Waterfox Home – “The fastest 64-Bit variant of Firefox!”
• Pale Moon – x64 builds- Project home page
• Firefox Nightly Builds – Source to Mozilla’s own x64 version.

Need some perspective on the builds and differences? Check these out.

• Waterfox: Your New & Speedy 64-bit Version Of Firefox [Windows] – MakeUseOf blog
• Fast Firefox faceoff: Nightly vs. Pale Moon vs. Waterfox – NetworkWorld article found via a recent Firefox Extension Guru’s Blog post

One night last week I downloaded the Waterfox build, and then with just a little effort made a portable version of it based on my portable x32 Firefox build (same plug-ins, cookies, Add-ons, etc.). I didn’t experience any issues and all my Add-ons worked fine. No crashes. After a few hours of surfing I was really unable to tell much of a user-level performance difference between it and my x32 public build. So experiment over, I canned it and went back to my x32 build.

That may seem like a harsh thing, but really, in my mind it proves the successful development work these builders are doing in the x64 bit world of Mozilla. According to the NetworkWorld article linked above, there are very slight performance differences between them, but unless you are just a “bleeding edge” user, there just isn’t any compelling reason (IMHO) to make the jump to x64 versions of Firefox…just yet. Give things another year or less, however, and I bet these will all be mature releases and I will be telling you there isn’t any compelling reason NOT to make the jump to x64 Firefox if your OS supports it.

More here related to the browser “speed wars” race. That 2nd IE link is really fascinating!

• Browser Speed Tests: Chrome 17, Firefox 10, Internet Explorer 9, and Opera 11.61 – Lifehacker
• Internet Explorer Performance Lab: Reliably measuring browser performance – Building Windows 8

Now to fixing some Firefox headaches I uncovered…and that will be so big it requires a spin-off GSD post!

Cheers!

–Claus V.

Thanks to a deep-seated enmity between the owners of two of the largest spam affiliate programs, the database for Spamdot was leaked to a handful of investigators and researchers, including KrebsOnSecurity. The forum includes all members’ public posts and private messages — even those that members thought had been deleted. I’ve been poring over those private messages in an effort to map alliances and to learn more about the individuals behind the top spam botnets.

The Zeus author's identity on Spamdot, selling an overstock of "installs."

As I was reviewing the private messages of a Spamdot member nicknamed “Umbro,” I noticed that he gave a few key members his private instant message address, the jabber account bashorg@talking.cc. In 2010, I learned from multiple reliable sources that for several months, this account was used exclusively by the ZeuS author to communicate with new and existing customers. When I dug deeper into Umbro’s private messages, I found several from other Spamdot members who were seeking updates to their ZeuS botnets. In messages from 2009 to a Spamdot member named “Russso,” Umbro declares flatly, “hi, I’m the author of Zeus.”

Umbro’s public and private Spamdot postings offer a fascinating vantage point for peering into an intensely competitive and jealously guarded environment in which members feed off of each others’ successes and failures. The messages also provide a virtual black book of customers who purchased the ZeuS bot code.

In the screen shot above, the ZeuS author can be seen selling surplus “installs,” offering to rent hacked machines that fellow forum members can seed with their own spam bots (I have added a translation beneath each line). His price is $60 per 1,000 compromised systems. This is a very reasonable fee and is in line with rates charged by more organized pay-per-install businesses that also tend to stuff host PCs with so much other malware that customers who have paid to load their bots on those machines soon find them unstable or unusable. Other members apparently recognized it as a bargain as well, and he quickly received messages from a number of interested takers.

The image below shows the Zeus author parceling out a small but potentially valuable spam resource that was no doubt harvested from systems compromised by his Trojan. In this solicitation, dated Jan. 2008, Umbro is selling a mailing list that would be especially useful for targeted email malware campaigns.

Zeus author, selling an email list of presidents, CIOs, etc. The list sold in 5 hours.

It is not surprising that the Zeus author would frequent such a forum; he is well known to have hung out on other exclusive forums where like-minded cyber thieves set up shop. But Umbro’s messages provide the best proof so far that not only was he the author and main proprietor of a sophisticated Trojan that has helped to steal hundreds of millions of dollars from small to mid-sized businesses, but he also maintained his own sizeable botnets.

Spamdot records show that as often as he sold installs, Umbro turned to some of the top botnet authors to rebuild his private botnets. In an April 14, 2010 private message sent to Ger@ — a Spamdot member I identified earlier this month as the miscreant in charge of the massive Grum botnet — Umbro says he is “ready to buy installs,” and prepared to offer a fair price for buying in bulk. In another communication near that same time, Umbro seeks to rent botnet resources from a business partner of “Google,” the nickname of the individual I identified in January as the author of the Cutwail botnet.

Umbro’s public and private communications reveal how frequently he changed his nicknames, email addresses and other contact details — a common tactic used to confuse and elude law enforcement investigators. By the time Spamdot was closed in Sept. 2010, the ZeuS author was using the nickname “Slavik.” He had just announced that he would be bowing out of the business, and that the code that powers his Trojan would be merged with that of SpyEye.

Security researchers at RSA made an interesting discovery at about the same time the ZeuS author was plotting his final disappearing act. They found evidence that the ZeuS author didn’t exactly retire, but rather appears to have gone into the botnet business for himself. RSA’s Uri Rivner said that just before that merger was announced on underground forums, RSA investigators stumbled upon a botnet created in Aug. 2010 with a custom version of ZeuS that was not being sold or distributed in the underground.

That custom version, which RSA dubbed “ZeuS 2,” phoned home to a control server on the Web that the researchers were able to access. They found that between Aug. 2010 and Aug. 2011, more than 200,000 PCs had phoned home to that server, which had helped vacuum up tens of gigabytes of data from host machines. They also learned that miscreants had created four logins that were authorized to access the botnet’s control server: “rootadmin,” “NS,” “chingiz,” and “Slavik” (see screenshot below).

“This ZeuS2 had a lot of improvements, and was created before the ZeuS source changed hands,” RSA’s Rivner told me in an interview last October. “It might be that Slavik decided to move away from selling software and supporting all of his customers to developing infrastructure that can be rented and becoming part of a larger organized crime group.”

According to a security researcher who has access to the same server but asked to remain anonymous, there are now more than a quarter-million PCs compromised by this custom version of ZeuS and reporting home to that same control server.

The ZeuS author's nickname 'Slavik' was among those authorized to log into the unusual ZeuS2 botnet.

Since you know that the user-context of the site has the authority to serve those pages, it -should- be a fairly practical way to verify if your directory traversal is working.  You may even get back source code this way.

• Most operating systems support the use of environment variables/shortcuts for locations such as %home% or ~.  This is useful to remember if there are protections against using a period or two successive periods.
• When dynamic features serve files, they often violate other protections.  In IIS for instance various extensions cannot be served by the server (.config files for instance).  However in most directory traversals you can pull the web.config file out w/o many problems.
• User controlled uploads often get served dynamically because there isn’t a way for the server to know before-hand what the files are.  You can sometimes find directory traversal here by uploading files with weird path’s in their names (or renaming them after upload). 
• Developers sometimes leave clues to file’s physical locations in comments.  I once downloaded a source for an entire site because of this. 
• Image / gallery plugins for CMS’s are notorious for directory traversal.
• Error messages are your friend here.  If you get a system/application error instead of a file not found type error, you can at least use the mechanism to check for existence of files.