Tuesday, December 25, 2007

Christmas Eve in Sydney


The Christmas tree at Darling Harbour, Sydney
Canon IXUS 50, F/2.8, 1/640 sec, 5.8 mm, ISO 50, Pattern Mode, 19:28 24 Dec 2007


The ice Christmas tree at the lobby of Star City (Casino), Sydney
Canon IXUS 50, F/2.8, 1/8 sec, 5.8 mm, ISO 50, Pattern Mode, 21:43 24 Dec 2007


Sydney CBD, the view from Darling Island, Pyrmont, Sydney
Canon IXUS 50, F/2.8, 2 sec, 5.8 mm, ISO 50, Pattern Mode, 22:01 24 Dec 2007


Sydney Opera House, the view from Macquarie St, Sydney
Canon IXUS 50, F/4, 2.5 sec, 12.12 mm, ISO 50, Pattern Mode, 23:01 24 Dec 2007


Sydney Opera House, the view from The Rocks, Sydney
Canon IXUS 50, F/3.5, 2.5 sec, 8.5 mm, ISO 50, Pattern Mode, 23:21 24 Dec 2007

Sunday, December 23, 2007

Malware attack redirected from 123greetings.com

Today I received a Christmas greeting card from a close friend in China. When I clicked the e-card link in Firefox, the page could not be displayed, as I have disabled JavaScript and Cookies in Firefox by default. I then copied and pasted the URL from Firefox to Safari, the only browser having JavaScript and Cookies enabled by default on my iMac.

Something happened then. A page of 123greetings.com flashed on the screen, followed by a few splashes showing me an animation of scanning through the system folders of my computer. After that, the following XP-style window appeared on my Leopard desktop and forced me to download two PC executable files with randomized filenames. The active web page had been redirected to scanner2.malware-scan.com.


As I illustrated in the screenshot above, it was a malware attack.

As for Cookies, only 123greetings.com left several items in Safari's Cookie records, as shown below. malware-scan.com didn't leave its trace.


The downloaded executable files were identical except for their filenames. I ran one file in a disconnected Windows 2000 Server box (a virtual machine), and the file's process appeared in Task Manager. It seemed nothing happened (of course that's not true). I ran the executable several times, and several individual processes appeared in Task Manager, as follows.


I also noticed that this executable file created a Windows registry item at:

HKCU\Software\Microsoft\Windows\CurrentVersion\ADP = "&swp=1&apx=%s" (where %s is the filename of this downloaded file)
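A way to check other machines for this marker, added here as an example and not part of the original post: the script scans the text of a registry export for the ADP value and pulls out the filename it references. It assumes ADP is a string value directly under the CurrentVersion key, and it also covers per-user hives under HKEY_USERS; the sample export and its filename are constructed.

```python
import re

# Key and value as reported in the post. Assumption: ADP is a string value
# directly under the CurrentVersion key of a per-user hive.
KEY_SUFFIX = r"\software\microsoft\windows\currentversion"
VALUE_NAME = "adp"
DATA_RE = re.compile(r"^&swp=1&apx=(?P<filename>.+)$")
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(
    r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_adp_markers(reg_text):
    """Return (key, dropper_filename) for each matching ADP value."""
    hits, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if not m or current_key is None:
            continue
        root = current_key.split("\\", 1)[0].upper()
        if root not in ("HKEY_CURRENT_USER", "HKEY_USERS"):
            continue
        if not current_key.lower().endswith(KEY_SUFFIX):
            continue
        if unescape(m.group("name")).lower() != VALUE_NAME:
            continue
        d = DATA_RE.match(unescape(m.group("data")))
        if d:
            hits.append((current_key, d.group("filename")))
    return hits

# Constructed sample export (not taken from the machine in the post).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"ADP"="&swp=1&apx=setup_x7q2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ADP"="unrelated"
'''

print(find_adp_markers(SAMPLE))
```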

I enabled the network connection on the W2K virtual machine. After a while, a "professional" anti-spyware program, MalwareAlarm 2.1, appeared on the screen, and had already started scanning the system. This bloody scanner reported that I had nine threats, and asked me to buy online in order to activate its Threats Removal function. TCPView showed that this program (MalwareAlarm.exe) was downloaded from 69.50.175.18.


There was a business behind this anti-spyware spyware. It even showed me such a screen.


Now you should know how this kind of anti-malware program works, hmm? :-)

Furthermore, I did a Google search for this, and found that someone had already reported a similar spyware two days ago, on 21 December 2007.

Saturday, December 22, 2007

Farm sculptures along Wisemans Ferry Road


Wisemans Ferry Road, Dharug National Park, NSW, Australia (sic passim)
Canon IXUS 50, F/2.8, 1/200 sec, 5.8 mm, ISO 50, Pattern Mode, 18:02 21 Dec 2007


Canon IXUS 50, F/4.9, 1/60 sec, 17.4 mm, ISO 50, Pattern Mode, 18:04 21 Dec 2007

Billy Grech's Farm


Canon IXUS 50, F/2.8, 1/640 sec, 5.8 mm, ISO 50, Pattern Mode, 15:47 21 Dec 2007


2065 Wisemans Ferry Road, Mangrove Mountain, NSW, Australia
Canon IXUS 50, F/5.6, 1/200 sec, 5.8 mm, ISO 50, Pattern Mode, 15:47 21 Dec 2007

The Retreat at Wisemans Ferry


The Retreat, Wisemans Ferry, NSW, Australia
Canon IXUS 50, F/5.6, 1/320 sec, 5.8 mm, ISO 50, Pattern Mode, 12:26 21 Dec 2007

Mailboxes along Wisemans Ferry Road


Wisemans Ferry Road, Dharug National Park, NSW, Australia (sic passim)
Canon IXUS 50, F/2.8, 1/50 sec, 5.8 mm, ISO 50, Pattern Mode, 17:12 21 Dec 2007


Canon IXUS 50, F/2.8, 1/160 sec, 5.8 mm, ISO 50, Pattern Mode, 17:21 21 Dec 2007


Canon IXUS 50, F/4.9, 1/124 sec, 17.4 mm, ISO 50, Pattern Mode, 17:23 21 Dec 2007


Canon IXUS 50, F/2.8, 1/100 sec, 5.8 mm, ISO 50, Pattern Mode, 17:24 21 Dec 2007


Canon IXUS 50, F/2.8, 1/160 sec, 5.8 mm, ISO 50, Pattern Mode, 17:26 21 Dec 2007


Canon IXUS 50, F/2.8, 1/500 sec, 5.8 mm, ISO 50, Pattern Mode, 17:27 21 Dec 2007


Canon IXUS 50, F/2.8, 1/250 sec, 5.8 mm, ISO 50, Pattern Mode, 17:28 21 Dec 2007


Canon IXUS 50, F/2.8, 1/160 sec, 5.8 mm, ISO 50, Pattern Mode, 17:29 21 Dec 2007


Canon IXUS 50, F/2.8, 1/320 sec, 5.8 mm, ISO 50, Pattern Mode, 17:30 21 Dec 2007


Canon IXUS 50, F/2.8, 1/200 sec, 5.8 mm, ISO 50, Pattern Mode, 17:31 21 Dec 2007


Canon IXUS 50, F/4.9, 1/125 sec, 17.4 mm, ISO 50, Pattern Mode, 17:34 21 Dec 2007


Canon IXUS 50, F/2.8, 1/125 sec, 5.8 mm, ISO 50, Pattern Mode, 17:35 21 Dec 2007


Canon IXUS 50, F/2.8, 1/80 sec, 5.8 mm, ISO 50, Pattern Mode, 17:37 21 Dec 2007


Canon IXUS 50, F/2.8, 1/400 sec, 5.8 mm, ISO 50, Pattern Mode, 17:39 21 Dec 2007


Canon IXUS 50, F/2.8, 1/100 sec, 5.8 mm, ISO 50, Pattern Mode, 17:43 21 Dec 2007


Canon IXUS 50, F/2.8, 1/160 sec, 5.8 mm, ISO 50, Pattern Mode, 17:46 21 Dec 2007


Canon IXUS 50, F/2.8, 1/250 sec, 5.8 mm, ISO 50, Pattern Mode, 17:48 21 Dec 2007


Canon IXUS 50, F/2.8, 1/160 sec, 5.8 mm, ISO 50, Pattern Mode, 18:03 21 Dec 2007

Having a cow


Canon IXUS 50, F/2.8, 1/100 sec, 5.8 mm, ISO 50, Pattern Mode, 17:39 21 Dec 2007

Wednesday, December 19, 2007

Tiger just works. Leopard just not works

Today, I read an article by Oliver Rist, and I pretty much agree with this guy on Leopard, Apple Mac OS 10.5.

PC Magazine: Leopard is the New Vista, and It's Pissing Me Off

It's true: Tiger just works. Leopard just not works.

Leopard looks wonderful but it has driven me mad. For example, if you enable Parent Control and Fast User Switching at the same time, your dashboard disappears. That sounds ridiculous but it does happen on Leopard. I rang Apple Support at 133MAC about this issue several times; all they did was ask me to back up my preferences files and recreate new ones. That did not help at all. The Apple Support engineers did not even know that Apple had already published a KB for this issue until I told them.

Tiger is nicer than Leopard, so far.