Short, evil URLs

A business plan for black hats with a modicum of patience

1. Wait for one of the URL-shortening services that has no revenue model to go under.
2. Buy it for $1.
3. Buy an exploit for which there’s no patch yet (or wait for a patch release and hire someone to compile it).
4. Insert a new advertising interstitial page with the malware payload, so everyone who hits http://evilu.rl/as29_1 gets pushed to the malware page and then on to their destination.
5. Ta-da! The internet’s deep reservoir of existing unverifiable links now feeds directly into your malware factory and only the most paranoid users (who are likely not clicking on blind links anyway) will stay away.

For added evilness, load the malware only on the redirect to certain sites, which will then be blamed.

The great thing about this is that it’s hard to buy up an existing domain with as wide an existing link exposure, and really hard to build that kind of link network naturally. It’s almost worth building something like is.gd, shaving one or two characters off the name, launching it, and then waiting.

Until someone implements the short URL RFC or otherwise standardizes trustworthy short URLs, this is going to tempt bad people.

Good writing is horribly painful

From Caren’s excellent post “What I Have Learned Reading Slush”, which I recommend in its entirety. One of her points, though, demands further commentary:

10. This line, while usually meant well, is almost always a bad idea: “I hope you enjoy reading this as much as I enjoyed writing it.” This is because I, too, am a writer, and my personal experience is that everything I have ever enjoyed writing personally was always really, really bad. If you have more fun than I do—that’s great. But telling me is going to make me suspicious when I first start reading.

Yeah. Here’s the dirty secret about writing: it’s a fucking horrible experience if you’re doing it well. Writing, say, “Usurpers” I typed, randomly took notes longhand, thought about the story all the time, and felt this world-destroying anxiety about it. To get the rhythm (and the rhythm breaks) down I read it out loud to myself over and over. By the time it went to Asimov’s, I’d read the story out loud to myself 50, 60 times. And every time during a reading I’d tick off a mark each time the flow broke, and each mark would end up being an intense and sometimes far-reaching re-write. That story’s written within an inch of its life, and by the time I was done I had to step away for a while to gain any perspective on whether it was worth sending out or not.

Or my book — when I was done with revisions, there was a point where I wanted to discard it entirely. I’d read the stories so many times they seemed worn, the jokes didn’t survive a hundred readings, and my editor’s assistant told me “Well Derek, no book is truly finished until the author is disgusted with it.”

There’s joy and satisfaction in a piece well-written, but it’s a job, a fucking job, where re-writing is more important than inspiration. The sword-maker doesn’t say “woo-hoo!” when they pull that steel out of the forge and then hope people think it’s awesome. That’s only the start of the work, pounding and folding and shaping, and absolute concentration.

My best writing involved me fighting anxiety the whole time about whether it would turn out awful or great, if I was putting too much of myself into it and would be embarrassed, if I’d gone too far. It’s a scary constricting feeling in the chest, difficulty swallowing, and a massive tightness of stress across my shoulders. If I want glee and happy fun smile time, I’ll go read something. That’s not what writing’s for.

I wouldn’t ever write “I hope you enjoy this as much as I enjoyed writing it”. I wouldn’t wish that on anyone.

Wherein I suffer so you don’t have to

I’ve been trying to figure out some PC issues for a while now and I’ll push this to the cloud so some future generation doesn’t have to face this.

Symptoms:
– lots of blue-screen errors
– lots of dead processes, many of them rundll32.exe
– weird connectivity issues (DNS timeouts, pages not loading)
– then, this week, a couple of weird pop-up issues

Now here’s the thing… I run full antivirus, firewall, the whole kit and kaboodle, and I practice safe computing. I haven’t had any kind of issue like this in ten years, easily.

Interestingly, because I don’t use IE much, I didn’t notice what was going on for a long time, because that’s where it fires off all the pop-up windows (etc).

Anyway, the tale continues.

There are many weird entries in my startup:
yodokuge, rundll32.exe c:\windows\system32\yodokuge.dll",b
yojinafi, rundll32.exe c:\windows\system32\yojinafi.dll",s
yodokuge, rundll32.exe c:\windows\system32\yodokuge.dll",b
munemume, rundll32.exe c:\windows\system32\munemume.dll",a

Information on this is scant. Here’s a McAfee post on the last one. This is intentional, of course: they’re using randomly-generated names to make them harder to detect and, presumably, harder to troubleshoot.

And it’s all over the place. When I run Hijack This!, there’s a ton of this:

O2 - BHO: (no name) - {4c9e468c-2390-4182-91ff-0f82b3d9ee48} - C:\WINDOWS\system32\vupeteho.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\hewalote.dll c:\windows\system32\femawiko.dll c:\windows\system32\munemume.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\munemume.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\munemume.dll

That thing wants to be run in the worst way.

I believe that this is “Vundo.H” which is… well, check out Google… there’s a lot of people who are just hosed.

First, and I can’t recommend this highly enough, if you have a clean box, use it to do the research and potentially the downloading/CD burning/etc you’ll require. There’s going to be a lot of rebooting ahead of you.

Figuring out what you’ve come down with
– crack open task manager, and look for any strange rundll32.exe processes you see.
– scan the process list for any other unfamiliar process names
– open up msconfig (Windows-R, type msconfig) and look through the startup list. You should see a bunch of weird rundll32 items.
– if you’ve got it, run Hijack This! which will produce a sweet log file you can scour.
– scour that log file
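One way to do the log-scouring step mechanically, as an added example that is not part of the original post: it indexes the startup entries and HijackThis items quoted above by the DLL they load and flags the two tells in that log, random-looking lowercase names and a single DLL wired into several load points. The consonant/vowel name heuristic is my assumption, not a documented trait of Vundo, so treat hits as leads to verify from a clean box.

```python
import re
from collections import defaultdict

# Constructed sample: the startup entries and HijackThis O2/O20/O21/O22 items
# quoted in the post, assembled into one text. Not a real log.
SAMPLE_LOG = r"""
yodokuge, rundll32.exe c:\windows\system32\yodokuge.dll",b
munemume, rundll32.exe c:\windows\system32\munemume.dll",a
O2 - BHO: (no name) - {4c9e468c-2390-4182-91ff-0f82b3d9ee48} - C:\WINDOWS\system32\vupeteho.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\hewalote.dll c:\windows\system32\munemume.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\munemume.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\munemume.dll
"""
DLL_PATH = re.compile(r'[a-z]:\\[^\s",]*?\.dll', re.IGNORECASE)  # drive-rooted *.dll
HJT_ITEM = re.compile(r"^(O\d+) - ")  # HijackThis item prefix, e.g. "O20 - "
VOWELS = set("aeiou")

def looks_random(stem):
    """Heuristic (an assumption) matching the generated names in the post:
    7-9 lowercase letters, no digits, strictly alternating consonant/vowel."""
    if not re.fullmatch(r"[a-z]{7,9}", stem):
        return False
    vowel = [c in VOWELS for c in stem]
    return all(vowel[i] != vowel[i + 1] for i in range(len(stem) - 1))

def index_load_points(text):
    """Map each DLL path (lower-cased) to the set of load points that name it."""
    points = defaultdict(set)
    for line in text.splitlines():
        m = HJT_ITEM.match(line.strip())
        label = m.group(1) if m else ("startup-rundll32" if "rundll32" in line.lower() else "startup")
        for path in DLL_PATH.findall(line):
            points[path.lower()].add(label)
    return points

def suspicious_dlls(text):
    """Return {dll_path: [reasons]}: random-looking stem, or the same DLL wired
    into more than one load point (the redundancy the post's log shows)."""
    findings = {}
    for path, labels in index_load_points(text).items():
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking name")
        if len(labels) > 1:
            reasons.append("multiple load points: " + ", ".join(sorted(labels)))
        if reasons:
            findings[path] = reasons
    return findings
```

Run `suspicious_dlls(SAMPLE_LOG)` and the Google AppInit entry drops out while munemume.dll is reported with all four of its load points.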

Optional
– Fix yourself a cold beverage, because this is going to take a while

Tools
– Hijack This!
– I used Malwarebytes’ Anti-Malware 1.36

Fixing (how I finally got it to work, your mileage will vary)
1. In task manager, try to kill off the weird rundll32 processes. You may have no success, as they spawn new ones, but if it works it’ll save you a lot of trouble down the line.
2. Run your anti-malware tool of choice. The first time through, you’re probably not going to make much progress, so do the quick scan, it’ll find like ~20 things in memory/startup/whatever. Fix them. It’ll ask you to reboot. Don’t.
3. If you can, run a full anti-virus scan, with updated definitions and everything. Hopefully it’ll turn up a metric ton of files with names like wuwuaua.dll.bak and so on, and be able to nuke them.
4. Reboot in safe mode. Run a set of full scans. Fix everything.
5. Repeat step 4 until nothing comes up. This will take a couple of cycles.

It took me pretty much a whole evening to fix, though obviously you’re not involved the whole time. I watched a baseball game. Each time you go through the cycle, you’re eliminating places the files can live, ways it can load, and closing off places it can go.

And some of the loops… like the extremely thorough virus scan I just did, take a long, long time (35h). But it finally came up clean.

Anyway, so yeah, future generations: be persistent, patient, and you can win. But if you just wipe, reinstall everything, and go on your merry way, well, I wouldn’t blame you.

My new word: sbig

Sbig (ess-big or sp-eeg) adj.

1. “So Bad It’s Good” 2. transfinxifying out of horror or embarrassment for others, like a car accident or a public breakup (not yours). Sbig is a term used in public where talking about the ironically amusing qualities of the object would not be socially acceptable.

For example, if you’re attending a convention and, while surrounded by teenage girls, you want to tell a friend the amusement value of a panel on “Twilight” that promises to be an absolute train wreck, you would say “I want to go see ‘Literary Analysis of the lab scene’, it’s going to be sbig.”

Questioned, you should claim that sbig means “super-big”.

No response from Bellevue on killing people

w/r/t installing traffic cams without other changes, which will increase accidents

I don’t get it. If you’re going to make traffic changes, particularly large ones which might in a real sense kill people, doesn’t that require some degree of caution, vigilance, and willingness to listen to other thoughts? They should at least have said “oh we’ve got that covered” or “we looked at that and you’re full of it” or “we’ll check this out”.

If nothing else, people who get rear-ended in accidents at newly-camera-ed intersections will be able to sue the city, and that’s not going to go well.