OS Specific

Bot-vector analysis: Vodafone owned by Mariposa infected microSD cards

by on Mar.24, 2010, under Automation, Computers & Technology, Internet Culture, Microsoft Windows, Mobile, Networking, Security

INTERNET!~ I knew it was the SD card, I knew it! The Vodafone bot vector analysis I mentioned earlier this month was correct. It’s over.

The infection of microSD cards for the HTC Magic with the Mariposa information-stealing client and other strains of malware was first reported after Vodafone Spain supplied a malware-infected Android phone to a Panda worker earlier this month. [From The Register]

Users get new microSD cards. Yay, but what did buying the $2 phone really cost? 3,000+ phones infecting every Windows machine that they come in contact with, snap. I guess that means you have to start using Linux or scan your new phones with a Linux machine first. Hey, there’s a new service: phone virus removal…


Bot-vector analysis: Android OS comes pre-installed with malware

by on Mar.09, 2010, under Android, Computers & Technology, Internet Culture, Mobile, Networking, Security

Apparently, there has been a compromise at HTC or Vodafone. There are rumors on the web that a Vodafone “HTC Magic” came pre-installed with multiple malware programs. How would someone slip a file onto a phone before it enters an end user’s hands? Any way you look at it, this seems like a hack.

A quick analysis of the malware reveals that it is in fact a Mariposa bot client.

Every Android phone *can* be plugged into any PC or Mac via USB. Under Windows it works just like any other inserted digital medium (CD, DVD, flash drive). Upon being plugged in, Windows opens the folder and executes the file specified in autorun.inf. This would be the vector a bot herder/malware researcher would use to launch its “spread” and stay infected. As long as nobody notices the files on the phones, users would just keep getting re-infected every time they plug in their phone to download their photos. One speculated culprit is “the SD card”, since all that someone would need to do is put “files” in the root of the SD card for them to execute. So the question might instead be: “How would someone slip a file onto a flash card before it’s inserted into a phone?”
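A defender's check for the vector described above, as an added example that is not part of the original post: it reads a mounted card's root the way the scan-it-on-Linux approach would, and lists what the AutoRun file (named `autorun.inf` on Windows) would launch, without executing anything. The function names and the sample card contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# [autorun] keys whose value names a program Windows may launch from the volume
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def parse_autorun(text):
    """Return (key, command) launch directives; junk/obfuscation lines are skipped."""
    section, hits = "", []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                hits.append((key.lower(), value))
    return hits

def find_ci(root, rel):
    """Case-insensitive lookup of rel under root (FAT file names ignore case)."""
    cur = Path(root)
    for part in filter(None, rel.replace("\\", "/").split("/")):
        kids = cur.iterdir() if cur.is_dir() else ()
        cur = next((c for c in kids if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def scan_volume(root):
    """List what the card's autorun.inf would launch, without executing anything."""
    inf = find_ci(root, "autorun.inf")
    raw = inf.read_bytes() if inf is not None and inf.is_file() else b""
    text = raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1")
    findings = []
    for key, cmd in parse_autorun(text):
        target = next(filter(None, re.match(r'"([^"]*)"|(\S*)', cmd).groups()), "")
        present = bool(target) and find_ci(root, target) is not None
        findings.append({"key": key, "target": target, "present": present})
    return findings

def demo():
    """Constructed sample: a temp dir standing in for a card root."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "RECYCLER").mkdir()
        (Path(d) / "RECYCLER" / "sample.exe").write_bytes(b"")  # empty placeholder
        (Path(d) / "AUTORUN.INF").write_text(
            "; constructed\nxq9 junk line\n[AutoRun]\nOpen=recycler\\sample.exe /s\n"
            "icon=shell32.dll,4\nshell\\explore\\command=missing.exe\n")
        return scan_volume(d)
```

Point `scan_volume()` at the mount point of a new card before it ever touches a Windows machine; any finding with `present` set to true names a file worth quarantining and scanning.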

Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Conficker and a Lineage password-stealing malware.

Why did it take so long for a person to notice malware on the phone? The HTC Magic is one of the most popular smartphones in the UK. In the US, T-Mobile branded this product as the “myTouch 3G”, and that phone has a massive pop. Where is the supporting evidence on the phone? The only “proof” we have so far is a few Windows screenshots. I’m intrigued by this and it will be interesting to see what comes to light. I’ll keep you updated when I hear more.


digital guitar

by on Jan.24, 2010, under Awesome, Development, Innovation, Internet Culture, Linux, Video

I found a digital guitar on Hack a Day that creates electronic music and runs Gentoo Linux. It looks really fun and I approve of this.

Don’t think “acoustic” or “electric” but “electronic”.

[misa digital]


fantom software pick: moon secure anti-virus

by on Dec.09, 2009, under Computers & Technology, Microsoft Windows, Security


I can get paranoid about my “local” security quite often and I am a big fan of open source software. I try to go open before anything, really. I had used ClamWin for a while but was interested in a more “active” anti-virus tool because ClamWin is only on demand. That wasn’t enough for me; I know it can’t protect you from getting viruses. I looked up open source alternatives that had more aggressive/constant memory scanning protection that wouldn’t stop when I clicked close. I found Moon Secure and I have been installing it everywhere. Moon Secure is an enterprise-level active anti-virus scanner for Microsoft Windows that currently employs the ClamAV scan engine and virus database. The best part about it is that it’s free! The UI isn’t fancy but it’s worth a try if you are sick of controlling n0rton or the buggy resource hogs like McAfee.


Control IIS IP address binding and prevent all unassigned IP addresses

by on Nov.04, 2009, under Microsoft Windows, Networking, OS Specific, Security

This post is for Windows XP and Windows 2003.

If using Windows 2000 and IIS 5.0, you need to disable socket pooling. Here is the Microsoft article for disabling socket pooling in IIS 6.

This post discusses how to change (force) which IP addresses IIS listens on. There are several scenarios that this would fall into. Most people only need to separate services: IIS listens on all IP addresses by default, so errors will occur if multiple web servers are using port 80 on the same IP. Example: your server has multiple IP addresses and you need to run a new Apache WordPress blog site on a separate dedicated IP address from your .NET survey e-commerce IIS site to avoid any conflicts.

