Archive for category IT

Is the new right-hand pane in Adobe Reader DC messing with your workflow?

The new Adobe Reader DC looks nice, but when you go to use it you have less workspace. So how do you remove the right-hand pane (the one containing Export PDF, Create PDF, Edit PDF, etc.) in Reader DC? It takes up a quarter of the screen and many people don’t even use the tools.

To remove it temporarily, you can either click the right-hand panel bar or press Ctrl+H to go into “Read Mode”. Read Mode displays just the document with no panels, but it does not persist between documents or sessions: opening another document brings the right-hand pane back.

If you are an avid reader of PDFs and do not need the tools, here is a permanent solution.

Open the install directory, i.e. “C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU” or “C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU”.

Create a new subfolder (I used “Disabled”). Exit Adobe Reader first, then move three files from the “ENU” folder into the new “Disabled” folder.

Move  –

  • AppCenter_R.aapp
  • Home.aapp
  • Viewer.aapp

Open a PDF and the tool pane is gone. This also disables some menu items, so if you still want to use the tools, read on.

Back up the file called Viewer.aapp, then edit it with Notepad (the file is XML and is located at “Adobe/Acrobat Reader DC/Reader/AcroApp/ENU/Viewer.aapp”).

The file contains a few lines; edit it so that the following line is the only one remaining.

<Application xmlns="http://ns.adobe.com/acrobat/app/2014" title="Viewer" id="Viewer" majorVersion="1" requiresDoc="true" minorVersion="0"/>

Now open Adobe Reader DC: the tool pane is gone but the menu items still work.
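The same change scripted, so it can be pushed to several PCs. This is an added example, not part of the original post and not anything Adobe ships: it follows the “keep the menus working” variant above, moving AppCenter_R.aapp and Home.aapp into Disabled, backing up Viewer.aapp and rewriting it with the single Application element. It assumes the default install paths quoted above and an elevated PowerShell prompt; that the two panel files stay moved while Viewer.aapp is trimmed in place is my reading of the post.

```powershell
# Added example, not from the original post. Assumes the default Reader DC install
# paths quoted above and that this runs from an elevated PowerShell prompt.
$enu = foreach ($base in ${env:ProgramFiles(x86)}, $env:ProgramFiles) {
    if ($base) {
        $p = Join-Path $base 'Adobe\Acrobat Reader DC\Reader\AcroApp\ENU'
        if (Test-Path $p) { $p }
    }
}
$enu = @($enu)[0]
if (-not $enu) { throw 'Acrobat Reader DC AcroApp\ENU folder not found' }

# Reader must be closed before the .aapp files can be moved
Get-Process -Name AcroRd32 -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 2

$disabled = Join-Path $enu 'Disabled'
New-Item -ItemType Directory -Path $disabled -Force | Out-Null

# Move the two panel apps out of ENU, as in the procedure above
foreach ($name in 'AppCenter_R.aapp', 'Home.aapp') {
    $src = Join-Path $enu $name
    if (Test-Path $src) { Move-Item -Path $src -Destination (Join-Path $disabled $name) -Force }
}

# Keep Viewer.aapp in place (so the menu items still work) but trim it to the single
# Application element. The untouched original is kept next to the moved files.
$viewer = Join-Path $enu 'Viewer.aapp'
$backup = Join-Path $disabled 'Viewer.aapp.bak'
if (-not (Test-Path $backup)) { Copy-Item -Path $viewer -Destination $backup }

$minimal = '<Application xmlns="http://ns.adobe.com/acrobat/app/2014" title="Viewer" id="Viewer" majorVersion="1" requiresDoc="true" minorVersion="0"/>'
Set-Content -Path $viewer -Value $minimal -Encoding ASCII

# Verify: one non-empty line remains and it still parses as XML
$remaining = @(Get-Content -Path $viewer | Where-Object { $_.Trim() })
[xml]$check = Get-Content -Path $viewer -Raw
"Viewer.aapp now has $($remaining.Count) line(s); root element = $($check.DocumentElement.Name)"
```

To undo it, move the two files back out of Disabled and copy Viewer.aapp.bak over Viewer.aapp. A Reader update may reinstall the original files, so expect to re-run it after patching.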

Life can get back to some normality.


Cryptowall 3.0

I have had a brush with Cryptowall 3.0.

Imagine this: visiting a website in your latest favourite browser (any browser: Google Chrome, IE, Firefox, any one of them) on a PC which has the latest version of everything (Adobe Flash, Java etc.) and up-to-date antivirus, and you get hacked within 5 seconds.

No popups, no request to “allow this to download” or “allow this to run”. It just downloads and runs. You don’t feel it. The machine runs normally. (It even bypassed Microsoft UAC.)

Then … 28 PCs on your network, your Dropbox, your server, your NAS backup drives, your interstate user connecting by VPN from a university interstate … are all encrypted and held for ransom.

The website you visited was a trusted website, one you trust implicitly and buy goods from. You had no reason to doubt it. Nothing strange pops up … until the damage is done.

You call the company the website belongs to; they know nothing about it and pass you to their web developers. The web developers know nothing of the issue either. They look further: all of their clients’ websites on their servers have been hacked. They take the servers offline.

Potentially thousands of people from around where you live use this service, surfing local websites for local businesses, and are all now being held to ransom.

It could happen to anyone. It could happen to you or me.

It sounds like a work of fiction. Maybe an episode of CSI or NCIS? Nope. That is what happened.

So how did this website attack this person?

We found a back door in the WordPress code that ran the website, connecting over the internet to Russia. This back door was used to gain access to the website, and then the code was modified to plant the malware onto visiting remote machines.

When figuring out how the website initially got hacked, I learnt that there are specific strings you can type into Google search.

This search string shows you a list of every website where a certain file is accessible, the file likely used to allow this hack.

A hacker can click on this file and download it to their end. They open the file in something like Notepad … and there is the username and password to the website as a hash. They crack the hash, log into the website and edit the code to include the nasty back door to Russia.

So, using Google … and Notepad … and a website for the back door to point to, you can hack a large number of websites, inject this code, then let people browse the website and get infected without any indication of how they got infected.

The file size of the website changes very little, and the file date can be reset back to an older date. The webmaster does not know they are infecting people and it goes on for several days. All their backups are now full of the malware.

Then the hacker sits back and earns millions of dollars a day in ransom money.

It scares me that malicious code can be put on your PC and run, and you have no idea. It scares me that you can perform the original hack of the website using Google.

So, trying the Google trick myself, I found the passwords to a hospital website and their member logon database.

Very scary. (I will let the hospital know).

We found the original malicious code and set it up on our Malware testing machine.

We set up Wireshark and Sysinternals Process Monitor to monitor what it does. We disconnected the internet and ran the virus. Nothing happened. Double-clicking made the mouse cursor change, but then nothing.

After watching for a while, we connected the internet. Now the virus woke up. It needed the internet to activate.

We double-click the file and it deletes itself. It appears in C:\XXXXX, where XXXXX is the random name of the EXE file. Then it copies itself into the Startup section of the user’s profile Start Menu. It then looks out over the internet at numerous domains, hands over a cipher (encryption key) and starts encrypting files.

I had placed some bait in a folder called C:\$fodder (some Microsoft Word and Excel files). This virus went alphabetically through my drive letters and folders and encrypted all my useful files, leaving behind help_decrypt.html and help_decrypt.txt files in every folder, on the desktop and in my profile’s Startup folder, and then deleted the virus executable when done.

I am encrypted and held for ransom :)
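A triage sweep for the two on-disk traces just described: the help_decrypt ransom notes dropped in every encrypted folder, and the copy placed in the profile’s Startup folder. This is an added example, not part of the original post or the Tor write-up; the roots it scans, the note-name pattern and the extension list are my assumptions.

```powershell
# Added example, not from the original post. Looks for the two on-disk traces the
# post describes: help_decrypt.html/.txt notes and an executable copied into the
# user's Startup folder. Scan roots and the extension list are assumptions.
param(
    [string[]]$Roots = @("$env:SystemDrive\", "$env:USERPROFILE"),
    [int]$MaxNotes = 25
)

$notePattern = '^help_decrypt\.(html|txt)$'
$exeLike     = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js'

# 1. Ransom notes: one pair per encrypted folder, so even a few hits are decisive.
$notes = @()
foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $notes += Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $notePattern } |
        Select-Object -First $MaxNotes
}

# 2. Startup persistence: the sample copied itself into the profile's Start Menu Startup folder.
$startup = [Environment]::GetFolderPath('Startup')
$startupItems = @(Get-ChildItem -LiteralPath $startup -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension.ToLower() -in $exeLike })

# 3. Folders already hit: the directory of each note is a folder whose data was encrypted.
$hitFolders = @($notes | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique)

$verdict = if ($notes.Count -gt 0 -or $startupItems.Count -gt 0) {
    'SUSPECT: isolate this host from the network and shares before it encrypts more'
} else {
    'no Cryptowall 3.0 traces found under the scanned roots'
}

[pscustomobject]@{
    RansomNotes        = $notes.Count
    FirstNotes         = @($notes | Select-Object -First 5 | ForEach-Object FullName)
    EncryptedFolders   = $hitFolders.Count
    StartupExecutables = @($startupItems | ForEach-Object FullName)
    Verdict            = $verdict
}
```

Run it from an elevated prompt so that -Force can see hidden folders. A non-zero RansomNotes count is the cue to pull the network cable and cut the host off from Dropbox, the server and the NAS mentioned above, since the encryption walks every reachable drive letter; it is not a cue to open the notes.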

Technical details are at http://torblogjp5rjeyhx.onion/mickyj/cryptowall-3-0/

(Yes, it is on Tor. Only advanced computer users will know how to get onto the Tor network, and there I can post more details.)


There is a new virus and I found it ….. TROJ_CRYPWALL.XXRS

I am as proud as can be. I found an unknown virus and my company was instrumental in it being included in new detection routines as of 23rd June 2015. I am proud to be helping keep the IT world safe, a world I work in every day and have helped create.

The virus is not named after me, but it is my claim to 5 seconds of fame. Now … to put it into extinction. It has to go. It is a crypto virus and it is dangerous.

I saw several of these viruses arrive in my inbox, with different subjects and sender names. The one common thread was a malformed attachment, for example named “check[1].zip size=16877”.

(It contains 6d5770fd.exe (221184 bytes).)

If you rename the attachment to a .zip file, you can see the exe payload.
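A way to check an attachment like this without renaming, extracting or opening it. This is an added example and not code from the original post or from Trend Micro: it reads the file’s magic bytes rather than trusting the malformed name, lists the archive entries and flags any executable ones. It assumes Windows PowerShell 5.1 or later (.NET 4.5+), and the sample file it builds at the bottom is constructed and harmless, a text file named like the payload from the post.

```powershell
# Added example, not from the original post. Inspects a mail attachment without
# extracting or opening it: checks the ZIP signature instead of trusting the file
# name, lists the entries and flags executables. Requires .NET 4.5+ (PowerShell 5.1+).
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions treated as executable content (assumption; extend to taste)
$ExecutableExt = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.jse', '.wsf', '.hta', '.ps1'

function Test-SuspectAttachment {
    param([Parameter(Mandatory)][string]$Path)

    # Whole file in memory is fine for mail attachments (the post's sample is 16 KB).
    # A ZIP starts with the local-file-header signature 0x50 0x4B ("PK"), whatever its extension.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $isZip = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0x50) -and ($bytes[1] -eq 0x4B)

    # Reading the central directory only; nothing is written to disk.
    $entries = @()
    if ($isZip) {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($e in $zip.Entries) {
                $ext = [System.IO.Path]::GetExtension($e.Name).ToLowerInvariant()
                $entries += [pscustomobject]@{
                    Entry      = $e.FullName
                    SizeBytes  = $e.Length
                    Executable = ($ext -in $ExecutableExt)
                }
            }
        } finally { $zip.Dispose() }
    }

    $extOnDisk = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $verdict = if (@($entries | Where-Object Executable).Count -gt 0) {
        'BLOCK: archive carries an executable payload'
    } elseif ($isZip -and $entries.Count -eq 0) {
        'SUSPECT: empty or unreadable archive'
    } elseif ($isZip) {
        'no executable inside archive'
    } else {
        'not a ZIP (check the real file type another way)'
    }

    [pscustomobject]@{
        File              = $Path
        SizeBytes         = $bytes.Length
        IsZip             = $isZip
        ExtensionMismatch = $isZip -and ($extOnDisk -ne '.zip')
        Entries           = $entries
        Verdict           = $verdict
    }
}

# --- Demo on a constructed sample: a ZIP saved under the malformed name from the
# --- post, holding a harmless text file named like the payload. Not a real binary.
$tmp = Join-Path $env:TEMP 'suspect-attachment-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$sample = Join-Path $tmp 'check[1].zip size=16877'
if (Test-Path -LiteralPath $sample) { Remove-Item -LiteralPath $sample -Force }

$zipOut = [System.IO.Compression.ZipFile]::Open($sample, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    $stream = $zipOut.CreateEntry('6d5770fd.exe').Open()
    $payload = [Text.Encoding]::ASCII.GetBytes('constructed placeholder, not a real binary')
    $stream.Write($payload, 0, $payload.Length)
    $stream.Dispose()
} finally { $zipOut.Dispose() }

Test-SuspectAttachment -Path $sample | Format-List
```

The demo reports IsZip true, ExtensionMismatch true (the name ends in “size=16877”, not “.zip”) and a BLOCK verdict for the .exe entry. Note the -LiteralPath switches: the square brackets in “check[1]” are wildcard characters to PowerShell, so Test-Path and Remove-Item would otherwise match the wrong thing or nothing.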

An example email:

From: bmack
Sent: Wednesday, 23 June 2015 12:28 AM
To: Michael
Subject: Hope this e-mail finds You well.

Good day!
Hope this e-mail finds You well.

Please be informed that we received the documents regarding the agreement No. 6489-245 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 495-70-75. Feel free to give a call at any time.

Stacey Grimly,
Project Manager

If you see one of these, update your Antivirus. Delete the email. Don’t play with it.

Now, if you find something odd and your antivirus does not detect it, feel welcome to contact me. I will get it to Trend Micro, who will pull it apart. Once they have worked out how to detect and remove it, they share their info with other antivirus companies. At the end of the day, every one of these we knock out gets us one step closer to holding back the tide of these things.


Be careful with Telstra Business Bundle plans (e.g. the DOT plan)

We have found that we are unable to install SonicWALL firewalls or substitute modems on the Telstra broadband plan known as DOT.
(Refer to the plans at http://www.telstra.com.au/small-business/bundles/dot/ (Digital Office Technology, DOT); the clients are Telstra.direct.net broadband clients.)

Telstra provided a Cisco SPA504G VoIP handset and a Netgear DEVG2020 (ADSL modem, router, PSTN, wireless etc.) with most of the settings blocked from view (customised firmware).

The client does not need the Cisco handset but needs a SonicWALL-to-SonicWALL VPN setup. I could add a bridge in place of the DEVG2020 and get line sync (13 Mbit/1 Mbit), and I could set LLC PVC 8/35 and PPPoE on the SonicWALL, but could not raise the PPPoE connection.

Basically Telstra have admitted (after 3 months and many phone conversations) that whilst the connection is PPPoE and should work, it will not work with any other router or modem, as it is bound to their provided Telstra hardware to make the Cisco phone handset work.

I asked them if we could revert the account back to normal DSL and remove the Cisco handset and they said changing the plan amounted to breaking the 24 month contract.

So, if you want normal DSL or to use your own equipment, don’t get this plan.


HP Intelligent Provisioning version 1.16 and Broadcom drivers ……

We have a brand new server on our bench and are using Gen 8 HP Intelligent Provisioning 1.16 to install Windows Server. It copies all the data from the DVD to the new RAID we created and reboots, and then Windows fails to install any further due to a driver error. We figured it was the RAID card we added, so we slipstreamed the drivers into the OS install and tried again. It failed. We updated all firmware and drivers; it still failed.

The failure happens about 45 minutes into the install so each new attempt takes ages to get to the point of failure.

After 5 or 6 hours of messing about, we called on HP. After their attempts to remote in via iLO and their own firmware checks (and under-the-hood checks), it was still not installing Windows.

They spent days on it. Finally, we decided to call time on this adventure. We had wasted too much time. We insisted it must be the mainboard.

The HP tech turned up and started his own tests. He also found that it was a driver fault and, after digging, worked out that the Broadcom network driver was halting everything.

After another 5 or so hours, he finally replaced the motherboard. Now it is all fixed.

His conclusion is that the older firmware on the mainboard (Intelligent Provisioning version 1.15) was more accepting of the Broadcom card and allowed everything to work.

So, if anyone strikes this same issue, here are my conclusions:

1) Call HP carepack team sooner rather than later. They are paid to fix these things and have the resources.

2) Newer firmware does not mean better.

3) Get HP to do as much of the work as possible whilst it is under Carepack as this cost us dearly.

Trend Micro TMWF 9 Exchange (Scanmail – Smex) not configurable within the console

When opening the console, going to Security Settings, clicking the Exchange server in the list and clicking “Security Settings” … nothing happens. No popups, no errors, nothing.

I can’t get into the antivirus or antispam settings, and the agent appears to be offline.

As this console normally opens up http://ExchangeServer:16372/smex/cgiDispatcher.exe?Page=scan/Antispam.htm&Locale=&CurPage=

My first step was to telnet to the Exchange server on port 16372, and it did not answer.

As Smex runs from within a web server (in my case IIS), I looked at the default website, and it was not running on port 16372. The port it was running on did not match the firewall rule.

This means the Smex service could not bind to a port when the service started, and as this port did not match the console, I had no hope of connecting to it.

I changed the port in IIS and the firewall rule, restarted the website and … all fixed!
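A check that puts the three things that have to agree side by side: the IIS binding, a listener on that port, and an inbound firewall rule. This is an added example, not part of the original post and not a Trend Micro tool. It assumes it is run on the Exchange server on Windows Server 2012 or later (for the NetSecurity and WebAdministration modules); the site name and firewall rule name are placeholders to adjust, and ranges such as “16372-16380” in a rule are not expanded.

```powershell
# Added example, not from the original post. Compares the port the Smex console
# expects with the IIS binding, the TCP listener and the firewall rule. Assumes
# Windows Server 2012+ on the Exchange server; site and rule names are placeholders.
param(
    [int]$ExpectedPort       = 16372,              # the port in the console URL
    [string]$SiteName        = 'Default Web Site', # the post says Smex sits under the default website
    [string]$RuleDisplayName = '*ScanMail*'        # placeholder: match your actual inbound rule
)
Import-Module WebAdministration
Import-Module NetSecurity

# 1. IIS: which ports is the site bound to? bindingInformation looks like "*:16372:"
$boundPorts = @(Get-WebBinding -Name $SiteName -Protocol http |
    ForEach-Object { [int](($_.bindingInformation -split ':')[1]) })

# 2. Is anything actually listening on the expected port? (the post's telnet test)
$listener  = Get-NetTCPConnection -LocalPort $ExpectedPort -State Listen -ErrorAction SilentlyContinue
$listening = $null -ne $listener

# 3. Firewall: TCP ports allowed by matching enabled inbound rules ('Any' covers every port)
$rulePorts = @(Get-NetFirewallRule -DisplayName $RuleDisplayName -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object Protocol -eq 'TCP' |
    ForEach-Object { $_.LocalPort })

$boundInIis     = $boundPorts -contains $ExpectedPort
$openInFirewall = ($rulePorts -contains "$ExpectedPort") -or ($rulePorts -contains 'Any')

$diagnosis = if (-not $boundInIis) {
    "site '$SiteName' is not bound to $ExpectedPort; fix the IIS binding"
} elseif (-not $listening) {
    "bound in IIS but nothing is listening on $ExpectedPort; check the site is started"
} elseif (-not $openInFirewall) {
    "listening on $ExpectedPort but no matching inbound rule allows it"
} else {
    'binding, listener and firewall rule all agree'
}

[pscustomobject]@{
    ExpectedPort      = $ExpectedPort
    IisBoundPorts     = $boundPorts
    BoundInIis        = $boundInIis
    Listening         = $listening
    FirewallRulePorts = $rulePorts
    OpenInFirewall    = $openInFirewall
    Diagnosis         = $diagnosis
}
```

The Diagnosis field points at whichever of the three is wrong, which is the order the post worked through by hand: telnet first, then the IIS binding, then the firewall rule.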
