Perth IT Bloggers

SharePoint training in Perth - Professional MOSS 2007 Solutions by Readify [Brian H. Madsen - .Net Powered by Caffeine]

Brian Madsen — Thu, 28 Aug 2008 04:16:16 -0500

Wow - finally some SharePoint training in Perth, WA that steps up and presents something other than the typical "Boot Camp".

It's a four (4) day, intensive training program which you'd be nuts to miss out on.

Here's an outline of what's on offer for those four days:

Day 1

SharePoint 2007 Developer Roadmap

Architectural overview of SharePoint and the Office 2007 system

WSS as a collaboration solution

WSS as a server-side development platform

Overview of MOSS components and services

Creating and testing your first WSS feature

SharePoint Architecture

WSS Integration with ASP.NET 2.0

The configuration database and content databases

Configuring the web.config file for a Web application

Understanding site pages versus application pages

Pages and Site Branding

Understanding page parsing and Safe Mode restrictions

Creating a feature with custom page templates

Designing page templates using controls and Web Part Zones

Understanding the standard default.master page template

Creating a feature to apply branding at the site collection level

Understanding and extending the CSS classes in core.css

Day 2

Developing Web Parts

Creating, deploying and debugging ASP.NET Web Parts in WSS

Designing Web Parts with persistent properties

Web Part Description files and the Web Part Gallery

Creating a feature to import Web Parts into the Web Part Gallery

Backwards compatibility with WSS V2-style Web Parts

Lists and Content Types

New WSS 3.0 enhancements to lists and document libraries

Defining site columns, custom field types and content types

Provisioning document libraries using a feature

Defining a custom list type using a feature

Creating event handlers using custom event receiver classes

Forms Services with InfoPath 2007

Creating input forms with InfoPath

InfoPath integration with WSS forms libraries

Forms Services Architecture

Designing server-side forms with InfoPath 2007

User deployment of server-side forms versus administrator deployment

Day 3

SharePoint WorkFlows

Windows Workflow Foundation (WF) Primer Creating WF programs in Visual Studio with the workflow designer

Creating, deploying and debugging workflow templates for WSS

Creating workflow associations and workflow instances

Developing workflows which create and wait on WSS tasks

Creating workflow input forms for MOSS using Microsoft InfoPath

Extending MOSS Portal and Search

Shared Service Provider (SSP) Architecture Creating sites from the MOSS Collaboration Portal site template

User Profiles and Audience Targeting

MOSS infrastructure for creating MySites Configuring and extending MOSS Search

The Business Data Catalog (BDC)

Working with BDC Application Definition Files Application, Entities, Methods and Associations

Surfacing backend data using BDC Web Parts BDC integration with MOSS search

Creating custom Web Parts that execute BDC queries

Day 4

Web Content Management

Customising sites creating from the MOSS Publishing Site template

Creating content types and custom page layouts for Web content

Understanding the MOSS content approval process

Converting Office documents into Web-ready formats

Optimizing performance with MOSS caching features

Excel Services and Report Center

Introduction to Excel Services

Publishing Excel spreadsheets that render in the browser

Trusted locations, connections and user-defined functions (UDFs)

Creating Dashboard pages with Report Center Creating Key Performance Indicators (KPIs) and filters

MOSS integration with SQL Reporting Services and SQL Analysis Services

WSS/MOSS Security

Trust Levels, Web Parts and Code Access Security (CAS)

Windows Authentication versus Forms Authentication

WSS Identities and Security Contexts

Escalation of Privilege

Delegating User Credentials

Using the MOSS single sign On (SSO) Service

For more information on this fantastic offer, go here: http://www.readify.net/Default.aspx?tabid=271

To register (be quick, i'm positive this will sell out fast), click here: http://www.readify.net/book+now!.aspx?ctl=RBS%20Registration&mid=1467&CourseID=29&Type=NormalReg

These types of training sessions does not come along often enough - maybe we'll see more coming out from Readify?

Thanks to Andy Lamb for informing us about it!

Technorati Tags: SharePoint 2007,Training,Readify

ALERT: Please treat content from adservdb.com with extreme caution [Spyware Sucks]

sandi — Thu, 28 Aug 2008 01:43:39 -0500

Malicious destination URL: security-scan-pc.com

Malicious campaign URL: adservdb.com/ads/?id=d3

The id=d3 URL completes various checks (browser version mostly) and then redirects to this URL: adservdb.com/tmp01.asp

The tmp01.asp URL sets a cookie, and completes various checks (Year, Month, Date, Hours, Minutes, Milliseconds, browser version) and, if the PC passes the test, we are redirected to this URL: adservdb.com/tmp02.asp (more country and time zone checks) (there is also a tmp03.asp)

We also see:

j.maxmind.com/app/geoip.js (reports county code, country name, city, region, region name, latitude, longitude, postal code)

j.maxmind.com/app/geoip_city (ditto)

adservdb.com/stats.asp?...<<removed>>
adservdb.com/tmp03.asp?...<<removed>>
adservdb.com/redirect/redir.asp...<<removed>> <--- it is this URL that redirects to security-scan-pc.com

----------------------------------------------

adservdb.com - IP: 74.217.128.234
Registrar: Netfirms, Inc
Created 23 June 2008

WHOIS: Hidden behind Domain Privacy Group

No obvious fraudware connections are found via Reverse IP, shared IP etc.

IP, NS and WHOIS history also unrevealing.

Nothing untoward is revealed by a web search (until I send this article live, that is...).

At time of writing, www.adservdb.com, which you would assume is the most logical "home page" for adservdbcom, contained little more than Google Analytics javascript.

This is the first time I have not been able to find definitive evidence of past bad behavior, or a connection with known bad actors, when investigating a malvertizing incident. That being said, adservdb.com is definitely the source of the malvertizement that I saw today.

IE8 Beta 2 has been released... [Spyware Sucks]

sandi — Wed, 27 Aug 2008 09:39:00 -0500

Enjoy:
http://www.microsoft.com/windows/internet-explorer/beta/

Upgrading notes:

PLEASE READ THE RELEASE NOTES!!!
Compability issues: HP Smart Web Printing (some versions); Google Toolbar (some versions); DriveLetterAccess (Roxio) (some versions); Skype add-in (some versions); Visual Studio .NET Version 7; Real Player 11; Windows Live Mail; Netflix; VB6.0 ActiveX Controls; Window-Eyes; Hotmail log-off - details are in the Release Notes, but I know some of you won't read them 'cause they're too long or you're too busy, or too impatient, or whatever...
The IE8 Beta 2 installer *should* remove IE8 Beta 1 automatically *if you are running Windows XP or Windows Server 2003*. There will be two reboots - one after removing IE8 Beta 1, one after installing IE8 Beta 2.
There is 1 update that should be installed before IE8 Beta 2 on multi-core XPSP2 x86 computers. It will be installed automatically if you select “Install the latest updates” option in IE8 Setup Wizard.
If you are running Windows XP or Windows Server 2003, and you have IE8 Beta 1 installed, and you have Automatic Updates turned on, IE8 Beta 2 *will* be offered for installation via Automatic Update.
If you are running Vista or Server 2008 you will need to manually remove IE8 Beta 1 before installing IE8 Beta 2. There are 3 required updates that should be installed before installing IE8 Beta 2 - again, this will happen automatically if you have selected the option to install the latest updates.
IF YOU INSTALLED XP SP3 AFTER INSTALLING IE8 BETA 1 IT IS RECOMMENDED THAT YOU REMOVE WINDOWS XP SP3, AND THEN IE8 BETA 1 BEFORE INSTALLING IE8 BETA 2. IF YOU DO NOT DO THIS YOU WILL NOT BE ABLE TO REMOVE IE8 OR WINDOWS XP SP3 AFTER IE8 BETA 2 HAS BEEN INSTALLED.
RECOMMENDED STEPS: REMOVE XP SP3, REMOVE IE8 BETA 1, REINSTALL XP SP3, INSTALL IE8 BETA 2
If you use WSUS to manage security updates, you may be offered security updates relevant to IE7 after removing IE8 Beta 1 and installing IE8 Beta 2. These updates are not necessary and will probably fail if you try to install them. Affected computers will stop prompting to install the updates as soon as the PC synchronizes with WSUS.

There is a LOT of new stuff in IE8 Beta 2, so this is going to be a very brief run-down. More detailed information will be posted on this blog, and at www.ie-vista.com, as time goes by.

Web slices: The icon has changed from this to this .

Find bar: Opened via Ctrl F.

Add-Ons:

To enable an add-on such as a toolbar, right click on the Command, Favorites or Menu Bar and turn on the toolbar that you want. Note the warning about enabling "related add-ons":

Add-on toolbars have a close button - click on the X to quickly and easily disable the add-on - again, you will see a dialogue window:

Suggested Sites: Note - turning on Suggested Sites is also turning on Automatic Feed Synchronization on my test system - you will be asked if you want to turn on Suggested Sites the first time that you run IE:

This open is enabled by turning on Suggested Sites:

InPrivate:

I've been reading some of the recent discussion on various sites about what some are calling "porn mode", and about how advertisers are worried that InPrivate may block some advertisements.

I admit to some concern about this feature; I have always said that every (wo)man deserves his wage, and I have always spoken out against wholesale blocking of advertising. It is certainly possible to quickly block services such as Google Adsense using InPrivate's "block and allow" feature. I'm still experimenting with this feature and am not sure what InPrivate will block, or how long it will take before blocking occurs, *if the user does not take advantage of the "manually block" option*.

Compatibility View:
IE7 Compatibility View is, by default, per site. If a site does not display properly, click on the Compatibility View Button:

If the Compatibility View Button does not appear (it is dynamic), use the menu option (Tools, Compatibility View Settings):

Note that you can set IE to display all intranet sites in Compability View, or all web sites.

Changes to about:Tabs

about:Tabs is the default URL for new (empty) tabs. Note that about:Tabs contains a lot of new content, including the ability to open previously closed tabs from that browsing session, start InPrivate Browsing, or use an Accelerator.

Tab groups:

This is cool - note the different colored tabs. Each color indicates an separate tab group - it is probably easiest to describe them a parent and child tabs.

Tab group controls:

Accessed by right clicking on any tab:

Close This Tab Group: will close the tab that is currently open, and all others of the same color.

Ungroup This Tab: Ungroups the tab and changes it to the default color.

Duplicate Tab: Opens a new tab at the same URL.

Smart Address Bar:

Note that the search results are divided into categories. It makes it a heck of a lot easier if, for example, you're trying to find something you read via an RSS feed, as distinct to a web page.

Search Suggestions (with images):

There are lots of new Search Providers choose from, and many include the new Search Suggestions. I recommend you visit the Internet Explorer Gallery to choose some new providers. Note that if you have already installed a Search Provider, and that Provider has introduced support for Search Suggestions, then you will need to upgrade that Provider - that can also be achieved via the Internet Explorer Gallery.
http://www.ieaddons.com/en/searchproviders/

Example of Search Suggestions:

Note: When you install the Search Provider, make sure the option to "use search suggestions from this provider" is enabled. If the Search Provider already exits, an "Upgrade Provider" button will appear instead of"Add Provider":

Also, note this setting, accessible via Manage Add-Ons, which was not enabled by default on my system. You may want to turn that option on:

Smartscreen Filter: I hold great hopes for the feature - I can see it making a big difference in the fight against Rogue Security Software:

This is soooo a %^&%$%^& hat [Brian H. Madsen - .Net Powered by Caffeine]

Brian Madsen — Wed, 27 Aug 2008 08:11:39 -0500

Just teasing a friend of mine who loves his hats...the guise of trying it on was "i could get a bowl of soup for free" :)

anyways, he really loves this hat...i'm now going to send him free entry tickets to the Love Parade :)

he hehe

ALERT: please treat all content from admarketcenter.com with extreme caution [Spyware Sucks]

sandi — Tue, 26 Aug 2008 09:13:26 -0500

admarketcenter.com have been implicated in the distribution of malvertizements.

AdMarketCenter.com - IP: 216.195.62.169

Registrar: Godaddy.com
Date created: 15 November 2006

WHOIS
Registrant, admin and technical contact: bert_205@hotmail.com

hostnames sharing ip with a-records:
excursionglobe.com
mypussyworld.com

sharing mailserver IP:
Nil

sharing name server:
lots

Excursionglobe.com is a known bad actor. See this blog entry:
http://msmvps.com/blogs/spywaresucks/archive/2008/01/13/1459605.aspx

Note that the script mentioned in that blog entry has been changed. mypussyworld.com has a similar script.

Microsoft Urlscan Helps to Filter SQL Injection Attacks [Mitch Wheat - Treat the cause, not the symptoms!]

noreply@blogger.com (Mitch Wheat) — Tue, 26 Aug 2008 06:54:08 -0500

Microsoft recently re-released an improved version of a security filter for IIS that is designed to help thwart SQL injection attacks by restricting the types of HTTP requests that IIS will process. UrlScan 3.0 is an IIS add-on that provides real-time validation of HTTP server requests, potentially blocking SQL injection exploits.

UrlScan has actually been available for several years, but Microsoft added some new features in this 3.0 release, including support for query string scanning.

winningsurveys advertisement - potential malvertizement [Spyware Sucks]

sandi — Mon, 25 Aug 2008 21:38:41 -0500

Created using Fuse.

mediamate malvertizements - several samples [Spyware Sucks]

sandi — Mon, 25 Aug 2008 21:19:59 -0500

I received three separate samples of a mediamate malvertizement today, all with different names.

First sample

This time it hit googiesindication.com - IP: 217.150.254.47

Registrar: TLDS, LLC DBA SRSPLUS
Creation date - 26 November 2007

Registrant, administrative and billing contact: Jon Lod (mail@googiesindication.com)

domains sharing nameservers (there are some old names here - all known bad actors)
aboutstat.com
adlbrite.com
akamahi.net
entrerrenglonadura.com
newstat.net
officialstat.com
quinquecahue.com
stat-diagnostic-imaging.net
statetstr.com
stathisranch.net
stathome.net
staticglobalsources.com
staticglobalsources.net
station-appraisals.com
station-appraisals.net
statnation.net
statsla.net
statworld.net
thetechnorati.com
vozemiliogaranon.com

Second sample

This one hits officialstat.net - IP: 92.62.100.7

Registrar: COMMUNIGAL COMMUNICATIONS LTD
Creation date - 1 February 2008

Registrant, administrative, technical and billing contact: Serg Moon (moon.serg@gmail.com)

Third sample:

This one hit staticglobalsources.com - IP: 92.62.100.14

Registrar: COMMUNIGAL COMMUNICATIONS LTD
Creation date - 1 February 2008

Registrant, administrative, technical and billing contact: Serg Moon (moon.serg@gmail.com)

Free SQL Server Tools [Mitch Wheat - Treat the cause, not the symptoms!]

noreply@blogger.com (Mitch Wheat) — Sun, 24 Aug 2008 06:55:26 -0500

I meant to blog and bookmark this great list of SQL Server resources a while ago: Free SQL Server tools that might make your life a little easier by Mladen Prajdić.

Did you know there is a free SQL profiler available for SQL Express? It's just one of the very useful tools listed there (direct link here).

CAB WorkItem Visualisation Tool [Mitch Wheat - Treat the cause, not the symptoms!]

noreply@blogger.com (Mitch Wheat) — Sun, 24 Aug 2008 06:41:36 -0500

This is probably old hat to those people familiar with CAB: there is a debugging aid hosted on CodePlex that can show the WorkItem hierarchy, Workspaces, SmartParts, Commands, Events, State and Items: http://www.codeplex.com/WorkItemVisualizer/. Only drawback is that it seems to slow things down a fair bit.

I'm also getting old fast..Keepass is probably the way to go [Brian H. Madsen - .Net Powered by Caffeine]

Brian Madsen — Sun, 24 Aug 2008 03:58:54 -0500

Since i'm nearly in the same boat as James McCutcheon, i'm also getting old(er) by the day. James McCutcheon (from nSquared (new'ish joint venture between Nick Randolph and Dr. Neil Rodyn), blogged about keepass - an open source solution for remembering your passwords and such.

it integrated with IE so i'll definitely give it a go.

Here's a link to James's blog post about keepass: Started using Keepass « myblog = new james.mccutcheon.blog();

p.s. James, thanks for the twitter link to the Windows Live Developer Tools - appreciated!

Lessons learned from a %^&%*$#!! mistake [Brian H. Madsen - .Net Powered by Caffeine]

Brian Madsen — Sun, 24 Aug 2008 01:17:17 -0500

Yeah well - i've just learned a new lesson. Earlier on i blogged about the need for a RSS feed reader client that could hold at least 1000 feeds without becoming bogged down.

I've been trying out a few of them, and the choice finally went with FeedDemon. I wanted to install everything from the start so i'd have a fresh copy to work with. Took my time copying my OPML file over to a USB stick (as i was moving the OPML between machines) and had just uninstalled a failed rss client (wont mention which one this was).

this uninstall also cleared my OPML but "luckily" i still had my trusted USB stick..right...enter murphy's law number %^*&^%&*!# and what do you have? a USB stick that now suddenly doesn't work. yay...OPML file gone..everything gone. hmmm..

so lesson learned here is: don't trust a USB stick with anything vital..ARGGFFFF!!!

this might have been a good thing - i now get to start all over again, collecting blog feeds...it also cleaned out those i didn't really read any more or had become dormant..

Windows Live - getting there.. [Brian H. Madsen - .Net Powered by Caffeine]

Brian Madsen — Sun, 24 Aug 2008 00:55:15 -0500

I'm going crazy at the moment - hooking up all kinds of services and have so far gotten most of my "life" organised via "Live" services.

At the moment i've gotten the following hooked together:

- Windows Live ID http://www.live.com
Pretty much any service i use these days are hooked in to a Live ID (Windows Passport Service).

- Live Mesh http://www.mesh.com
got my desktop all virtualised and can now get documents/files/notes etc from anywhere - excellent

- Live Mail http://home.live.com
The old "Hotmail" got a revamp and is now "Live Mail". My Outlook is hooked up (see previous post).

- Live Writer http://get.live.com/WL/config_all
Best blogging tool i've yet to try out and people keep making new plug-ins for it.

- Office Live http://office.live.com
got myself an easy way to share documents now.

- Live SkyDrive http://skydrive.live.com
Virtual storage for both personal and public files. Again, brilliant way to get hold of documents/files from anywhere.

- Live Listas http://listas.labs.live.com
I've become very much a "list" type person. I can be terribly disorganised and found that i function best if i have a "list". This can be simple to-do lists, invites, events, grocery shopping etc..my life is run by lists these days.

- Live Calendar http://calendar.live.com
Again, hooking up my Outlook calendar with my Live calendar means i can now keep a check on events and meetings even when i'm not on my laptop.

So, basically you CAN live your life with Live :)

Question now is - what other Live services can i hook up that's cool??

Totally off topic!! [Spyware Sucks]

sandi — Sat, 23 Aug 2008 07:48:02 -0500

How cute is my little nephew? He is reading THE most important section of the newspaper - Cars for Sale - he's going to be a car fan, just like his daddy (no, that's not his daddy in the picture, that's one of his uncles). He's the only almost-3-year-old I know who, when asked what a car sounds like, says "brrrmmm... hiiissssss" (yep, his daddy owns a turbo).

He adores his daddy, and is his uncle's little shadow when daddy (who is in the navy) is away on a tour of duty.

For those of you who weren't around back then, here is how that young man was introduced to the world on this blog, 6 weeks premature and putting up one heck of a fight...

Outlook is back in the fold again..Windows Live Mail is out [Brian H. Madsen - .Net Powered by Caffeine]

Brian Madsen — Sat, 23 Aug 2008 02:40:42 -0500

After having used Windows Live Mail (for my live mail account..derr) for a while it started getting a little bit annoying and i've now swapped back to Outlook.

But, since i lost my domain (because BankWest decided to put a block on my attempts to pay GoDaddy...yeah, GoDaddy payments must be fraudulent...who'd ever heard of them?) i haven't used Outlook and swapped most of my email registrations back to my live account.

but, how was i going to get my Live mail (aka. Hotmail) from Outlook? Easy, quick search on MSFT gave me Microsoft Office Outlook Connector..created exactly for that purpose.

Microsoft Office Outlook Connector: http://www.microsoft.com/downloads/details.aspx?familyid=7aad7e6a-931e-438a-950c-5e9ea66322d4&displaylang=en

Microsoft Office Outlook Connector 12.1 Beta: http://www.microsoft.com/downloads/details.aspx?FamilyId=9A2279B1-DF0A-46E1-AA93-7D4870871ECF&displaylang=en

And who said the Office developer guys weren't smart cookies?

Technorati Tags: Office Outlook Connector,Microsoft Office

Anatomy of a malware scam - The evil genius of XP Antivirus 2008 [Spyware Sucks]

sandi — Fri, 22 Aug 2008 21:51:19 -0500

Love the title Jesper!

http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/

Jesper's article includes a description of a browser hijack intended to dump its victim at a fraudware site. It also takes a close look at the fraudware itself - its installation, its behavior after install, and how it tries to convince victims to part with their hard earned cash by purchasing the full version of the software.

And, he takes a quick look at its removal using legitimate anti-malware software.

The article is well worth a read.

Management Studio Improvements in SQL Server 2008 [Mitch Wheat - Treat the cause, not the symptoms!]

noreply@blogger.com (Mitch Wheat) — Fri, 22 Aug 2008 21:32:07 -0500

Brad McGehee has posted a very useful article on the Management Studio Improvements in SQL Server 2008 over at the Simple-Talk blog.

Another potential malvertizement - so new, it's still warm from the oven.... [Spyware Sucks]

sandi — Fri, 22 Aug 2008 11:46:12 -0500

Not confirmed, but suspicious - generated using Fuse:

Your questions answered: fraudware infection vectors [Spyware Sucks]

sandi — Fri, 22 Aug 2008 11:30:38 -0500

I received this email a few days ago:

Dale's email is certainly worth answering; I'll do my best ;o)

Fraudware such as XP Antivirus 2009 (or 2008) and its myriad stablemates does not come in strictly via the Clipbook vector. On the contrary, my opinion is that the clipboard trick is one of their least effective tactics when it is compared with their standard modus operandi. Why? Because hijacking the clipboard and forcing a malicious URL to be pasted into online posts is all well and good, but they still need somebody to click on the link for anything further to happen.

What other vectors do those behind the fraudware use to distribute their wares in addition to the clipboard hijack? Well, there are the Flash based malvertizements that are featured so often on this blog and which are by far the most popular, and effective, tool that they have. Malicious SWF require no user interaction to be effective, a lack of user interaction that is often facilitated by the use of the ubiquitous Flash (that I described as, and still describe as, "the Typhoid Mary of the Internet"). Unfortunately, there is no way for the end user to control the functionality that allows the fraudsters to misuse Flash without disabling Flash entirely and the bad guys (who are experts in social engineering and adapting their wares to suit the average human psyche) *know* that the average man in the street will not give up on using Flash (and will turn off software features that block Flash).

On a side note, I find it ironic that Adobe have acknowledged on their blog, and admit publicly, that they are trying to work out how to address the problem of clipboard hijackings when *browser* hijackings are so much more prevalent, and *FAR* more dangerous to the end user. The cynic in me is whispering that the only reason Adobe have made a public statement about the clipboard hijacking is because there has been so much attention within the popular press. Oh well, let's hope that if they "fix" the clipboard problem that they will do so by allowing users more granular control of what SWF is and is not allowed to do without explicit user approval or interaction. After all, Flash can be set to ask permission before accessing a computer's microphone or camera or if a site tries to use "older security settings". I see no reason why it can't be designed to ask permission before hijacking a web browser (I have not, as yet, seen a Silverlight based malvertizement, but the use of Silverlight simply isn't widespread enough to be of interest to the crooks, and I am therefore unable to make a fair comparison).

There are also non SWF advertising attacks where networks allow a middle man to use a geographically targeted redirect to lead victims straight to the fraudware site. The attack that I reported here used only "authorized" redirects - no SWF was used to get the victim to the fraudware site, nor were browser exploits used. You would think that such basic attacks should be easy to detect, but they are not - on the contrary, staff at host advertising networks, and the staff responsible for the victim web sites, will invariably not experience a fraudware hijack and will instead end up at a legitimate web site (not only do the bad guys use geographical targeting, they also often block specific IP ranges - IP ranges that are owned by victim web sites and hosting advertising networks and, invariably, antivirus and antispyware companies, and well known security researchers).

How can victim advertising networks and web sites (and security researchers) get around such problems? Well, we have caught some pretty big campaigns when staff at an affected web site or ad network have checked things when they were at home. Or, you can use one of the myriad web proxies on the net to anonymize your IP and/or pretend that you are in a different country (www.proxy.org is a resource that I point people to if they want to use such services). The bad guys are known to block most of the, dare I say it, popular proxies therefore the trick is to find one that is new, and/or low profile. Be warned though, web proxies are invariably of no use if you need to gather evidence about a malicious redirect - web proxies invariably encrypt network traffic making it well nigh impossible to gather evidence sufficient to shut down a malvertizing campaign. As for me, I prefer services such as TOR and a few other less common tricks ;o)

The bad guys also use splogs, which may be indexed by the popular search engines (blogger.com/blogspot.com and myspace are popular targets). The mitigating factor in such attacks is that they require the end user to click on what are often obviously nonsensical search results to access the dangerous site, at which time the blog loads and the victim is redirected to the fraudware site (again, no SWF required). Splogs that regurgitate content from legitimate blogs, verbatim, are more difficult for the end user to detect :o(

Email spam - which they use to entice the user to a splog, or a hijacked web site.

Comment spam, guestbook spam, mailing list spam, registration spam, trackback spam and forum spam. The crooks find it highly amusing to use one of my email addresses as the reply or registration address for a lot of crud - thank heavens for spam filters and Magic Mail Monitor. I love Magic Mail Monitor. My fetch and filter protocols get rid of the worst of the spam, and I get rid of the rest by viewing the headers of all emails using MMM *before* they are downloaded to my local machine. I sort by Subject and then by Sender and delete the unwanted stuff - little time is wasted, and *very* little bandwidth. There was a time when a troller-prat decided he was going to use a compromised PC to send me a stack of emails with very large attachments - MMM fixed that problem quick smart :o)

There is a bright side to all of the spam that I get - it is a wonderfully rich harvest of up-to-the-minute malicious domains that are very useful in my day to day research. The same applies to comment spam on this blog which is also a wonderfully rich source of research material - another reason why I don't use CAPTCHA - I have no interest in blocking anything other than trolls ;o)

Hacked legitimate web sites (non-SQL injection attacks) - this is not as common as some of their other trickery has been but it is a growing trend, and I am certainly receiving (and have been able to confirm) reports of hacked web sites with malicious iframes inserted that expose viewers to fraudware.

SQL injection - yep, they use that too.

Successfully detected malvertizing samples are flooding in... [Spyware Sucks]

sandi — Fri, 22 Aug 2008 08:57:21 -0500

Featuring....

Careerbuilder.com... (hits newstat.net, profitabill.com and adverdaemon.com)

Skype (hits statsgroup.net, profitabill.com and adverdaemon.com)

mediaman (hits statsgroup.net, profitabill.com and adverdaemon.com as well as stats.sellmosoft.net and stats2.reliablestats.com)

nielsen and bighip

Heh. [Spyware Sucks]

sandi — Fri, 22 Aug 2008 00:28:00 -0500

Source: http://xkcd.com/466/

ALERT: please treat all content from eosads.com with extreme caution [Spyware Sucks]

sandi — Thu, 21 Aug 2008 23:39:46 -0500

eosads.com - IP: 216.195.62.169

Registrar: Estdomains (enough said)
Date

created: 8 February 2007

WHOIS
Registrant, admin, technical and billing contact: Daniel Adams (ddarkmaster@gmail.com)
hostnames sharing ip with a-records
alice-cms.com
cstur.com
mail.alice-cms.com
mail.cstur.com
mail.eosads.com
mail.freeebayguide.net
mail.kxtrlive.com
mail.phentermine375noprescription.com
mail.zummedia.com
phentermine375noprescription.com
tatushki.info
zummedia.com

sharing mailserver IP:
alice-cms.com
cstur.com
freeebayguide.net
phentermine375noprescription.com
zummedia.com

greatvideo3.com - IP: 84.16.252.73
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. (another well known name)
Date created: 12 August 2008
WHOIS hidden behind privacyprotect.org
hostnames sharing ip with a-records
3gigabytes.com
84-16-252-73.internetserviceteam.com
antivirus-download3.com
internet-defense2009.com
mail.antispyguard-scanner.com
mail.onlinexpsecurity.com
myfreespace3.com
update-direct.com
windows-defense.com
xp-protectsoft.com
sharing mailserver IP:
84-16-252-73.internetserviceteam.com
antispyguard-scanner.com
antivirus-2009pro.com
antivirus2009-software.com
antivirus2009professional.com
onlinexpsecurity.com
xp-registration.com

EOSADS

Note the IP 72.36.217.26 above - now note the (expired) SSL Cert noted below for that IP:

GREATVIDEO3.COM

ALERT: Please treat content from the following domains with extreme caution [Spyware Sucks]

sandi — Thu, 21 Aug 2008 21:30:06 -0500

Thanks to Matt for the heads-up warning that the following domains are implicated in the facilitation of malvertizing and other nefarious behavior...

Matt warns us about...

paymentforad.com - IP 58.65.237.115
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com) <-- a name we recognize, yes?
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

extrabigad.com - was 58.65.237.114, now 69.50.131.86
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com)
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

extrafreead.com - IP 58.65.237.113
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com)
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

ads4flower.com - IP: 58.65.237.116
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com) <-- a name we recognize, yes?
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

advertpanda.com - IP: 58.65.237.117
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com)
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

If I dig a little deeper, I also find...

whoisadvert.com - IP 58.65.237.217
Registrar: TLDS, LLC DBA SRSPLUS
Registrant: Serj Moondy (moon.serg@gmail.com) <-- a name we recognize, yes?
Administrative, technical, billing contact: Alex Ferguson (moon.serg@gmail.com)
Domain created: 3 July 2008

At time of writing, moon.serg@gmail.com was associated with 111 different domains. I'm very tempted to dig up and publicize every single one of them.

Ok, so let's see what other domains we can find in that IP range that have an advertiser-ish feel to them or which are similar to past fraudware domains (as I keep saying, the bad guys are lazy - they keep using the same registrars, they put too many eggs into the one basket and sometimes feel the need to hide behind 'bulletproof' hosting):

traffomer.com - IP 58.65.237.49
Registrar: Estdomains, Inc
Creation date: 9 July 2008

BZZZZZ.ORG - IP 58.65.237.49
Registrar: Estdomains, Inc
Creation date: 18 August 2008

adminkos.net - IP: 58.65.237.49
Registrar: Estdomains, Inc
Creation date: 17 July 2008

BTW, another name that keeps on cropping up in association with "bad actor" domains is the unattractively named "fuckdns.com".

fuckdns.com - IP: 58.65.237.49
Registrar: Estdomains, Inc
Creation date: 9 July 2008

Also be careful here...

upkteam.com - IP 58.65.237.121 <--- DON'T GO THERE, there's script in the source code of the page:
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Creation date: 11 October 2007

That will do for now - the more we dig, the more we find. HostFresh in Hong Kong (58.65.237.*) has a (deservedly) bad reputation.

http://ddanchev.blogspot.com/2008_06_01_archive.html
http://ddanchev.blogspot.com/2008/02/geolocating-malicious-isps.html

Determining Poorly Performing Queries for Tuning from SQL Server Workload Trace Files [Mitch Wheat - Treat the cause, not the symptoms!]

noreply@blogger.com (Mitch Wheat) — Thu, 21 Aug 2008 19:59:16 -0500

Whenever you gather workload traces to identify poorly performing queries, you need to import this data into a database table, and to "normalise" and aggregate this information to identify the worst offenders. This can be done in a variety of ways. One way is to define a regular expression such as this SQL CLR method based on work done by Itzik Ben-Gan and modified by Adam Machanic:

[Microsoft.SqlServer.Server.SqlFunction(IsDeterministic = true)]

public static SqlString sqlsig(SqlString querystring)

    return (SqlString)Regex.Replace(

       querystring.Value,

       @"([\s,(=<>!](?![^\]]+[\]]))(?:(?:(?:(?:(?# expression coming

       )(?:([N])?(')(?:[^']'')*('))(?# character

       )(?:0x[\da-fA-F]*)(?# binary

       )(?:[-+]?(?:(?:[\d]*\.[\d]*[\d]+)(?# precise number

       )(?:[eE]?[\d]*)))(?# imprecise number

       )(?:[~]?[-+]?(?:[\d]+))(?# integer

       )(?:[nN][uU][lL][lL])(?# null

       ))(?:[\s]?[\+\-\*\/\%\&\\^][\s]?)?)+(?# operators

       )))",

       @"$1$2$3#$4");

Recently I’ve been trying out ClearTrace, a free tool based around Read80Trace (described and downloadable here). Read80Trace was originally part of a Microsoft PSS engineer’s internal toolkit, but was released to the public in Dec 2007 (RML Utilities for SQL Server). ClearTrace is extremely simple to use, imports files (including rollover) very quickly and the results are good. The project is being supported so if you find a SQL statement that isn’t normalised/parameterised correctly, you can click a button and report it.

The larger RML Utilities toolkit for Microsoft SQL Server was released here.

The RML Utilities can help you answer the following questions:
Which application, database or login is consuming the most resources, and which queries are responsible for that.
Whether there were any plan changes for a batch during the time when the trace was captured and how each of those plans performed.
What queries are running slower in today's data as compared to a previous set of data.
You can also test how the system will behave with some change (different service pack or hot fix build, changing a stored procedure or function, modifying or adding indexes, and so forth) by using the provided tools to replay the trace files against another instance of SQL Server. If you capture trace during this replay you can use the tools to directly compare to the original baseline capture.

If you decide to install and experiment with the RML Utilities toolkit, be warned that the tools are provided as is, and the install process is neither easy nor particularly pleasant!

Remember what I said about trolls? [Spyware Sucks]

sandi — Thu, 21 Aug 2008 17:57:58 -0500

This one seems to be having a bit of a problem with the concept of moderation... :o)

Visual Studio 2008 SDK 1.1 [Professional Visual Studio]

Keyvan Nayyeri — Thu, 21 Aug 2008 07:21:30 -0500

Yesterday Microsoft Visual Studio Extensibility team announced a new update in Visual Studio 2008 SDK and released version 1.1 to public.

For VSX developers, this is important news because there are some major updates to improve the extensibility features especially around Visual Studio Shell development. This new version works on .NET Framework 3.5 and Visual Studio 2008 Service Pack 1.

Quan To has outlined these updates on VSX team blog but major updates are a reduction in the size of VS Shell package installers that no longer hold .NET Framework 3.5 data and also there is an update that lets you develop VS Shell applications as a normal Windows user that wasn’t possible before.

You can download Visual Studio 2008 SDK 1.1 from here.

Avert Labs 5365 DAT Issue Emergency Notice [Spyware Sucks]

sandi — Thu, 21 Aug 2008 00:40:32 -0500

Thanks to Jurren for the heads up...

"Avert Labs is issuing an emergency notice for the 5365 DAT files. The reason for this Emergency DAT release is due to a false detection for New Malware.bm.

Known files impacted by this emergency are:
Large AutoIT packed files (samples seen have been over 16MB in size)
Avert Labs will be releasing the 5366 DATs early to resolve this issue and notification of this release will come via the DAT Notification service (http://vil.nai.com/vil/signup_DAT_notification.aspx) and through the Technical Support communication channels."

Thank you for your well thought out contribution... [Spyware Sucks]

sandi — Thu, 21 Aug 2008 00:24:58 -0500

It is because of trolls like the following that I have no interest in using the oft-broken CAPTCHA, preferring to use spam filters and moderation of *every* comment.

Below is just one of the dozens of unsavory comments that have been submitted to my blog over the past 24 hours.

Yes it takes valuable time to trawl through comments; sometimes legitimate comments are trapped by the spam filters; and legitimate comments can take a while to be approved if submitted during the middle of my night, but the effort is worth it, if only to stop flame-storms and charmless correspondents such as "nesmes".

Argue a point with me if you are so inclined, disagree with me all you want. If you stick to addressing the topic at hand, and do not attack the messenger instead of the message, then your comment will in all likelihood get through - but if you get personal, or you denigrate end users, or you participate in a flame-storm, then in all likelihood your comment will not get through. Such are the charms of an autocracy ;o)

Check out the translation:

ALERT: Please treat adtrafficserv.com with extreme caution [Spyware Sucks]

sandi — Wed, 20 Aug 2008 23:30:24 -0500

I have found a bad URL that redirects viewers to the fraudware domain systemscanner2008.com page, being:

adtrafficserv.com/?ref=md&aff=tr.

This URL in turn redirects to:

3gigabytes.com/soft.php?aid=<<removed>>&d=3&product=XPA

and from there the viewer is led to:

systemscanner2008.com/2008/3/freescan.php?aid=<<removed>>.

adtrafficserv.com shares A-Record IP with the site winerrorfixer.com. It also shares IP with adnovations.com and winsolution.org.

Such redirects are often geographically targeted. Do not be surprised if you end up at a different fraudware site when testing the URL, or if you end up at a "safe" site.

MVP Theatre Agenda for TechEd 2008 Australia [Brian H. Madsen - .Net Powered by Caffeine]

Brian Madsen — Wed, 20 Aug 2008 08:45:39 -0500

For those lucky enough to actually go to TechEd 2008 in Sydney, Australia this year, you can find an addition to the TechEd agenda happening.

The MVP Theatre will host a range of MVPs presenting on some seriously hot topics.

There's a limited number of seats available (and it's open to all delegates..err...and MVPs as well of course) so you have to be quick on the trigger to get in.

Not only will you get an opportunity that's limited to the elite (well, hey, if you're going to TechEd YOU ARE THE ELITE!!) but you get to rub shoulders with some cool guys!

Here's some info:

MVP Theatre Agenda at Tech Ed Australia
If you are registered for Tech Ed Australia this year, come along to MVP Theatre to watch MVPs delivering sessions ranging from 20 minutes to the full 75 minutes. There are only 20 seats in MVP Theatre, so you need to be quick getting to the Expo Hall if you’re serious about catching an MVP Session. The Agenda for MVP Theatre is here (please watch it for last minute updates). To attend, you must be a registered delegate, so if you haven’t bought your Tech Ed ticket yet, you can register here.
I’m presenting <Insert session title here> on <day> at <time>.
Seated attendees to MVP Theatre each receive an MVP Logo wind-up torch keyring (no battery!), so you need to be quick!
You can’t pre-register for MVP Theatre sessions; it’s first in first seated.

Enjoy and i hope to see tons of blogging come out of TechEd this year!