Archive for April, 2009
Exchange 2010 blocks Linux from using Premium OWA.
by Carl Farrington on Apr.19, 2009, under News & Reviews, Tips & Tricks
I have just installed the beta of Exchange 2010.
It seems that when accessing OWA through Firefox or Epiphany on Linux, we’re only given the option of OWA Light, therefore exactly the same experience as with Exchange 2007.
Firefox on Win32 works as expected. How obviously intentionally lame.
Fortunately we can override the useragent in both Firefox and Epiphany (my preferred browser due to FF’s annoying right-click Linux bug).
Go to about:config in the address bar, click on the “I’ll be careful” thing to carry on, then right-click and create a new String called general.useragent.override, with the following as its value:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Close and reopen Epiphany or Firefox and Exchange 2010’s OWA Premium works perfectly.
Note: you must close all Epiphany or Firefox windows for this to take effect.
Even better is that you can use Prism to launch OWA “as an application”. You will need to edit /usr/share/prism/default/preferences/webrunner-prefs.js and add the following line:
pref("general.useragent.override", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8");
See screenshot below:
Curious phishing rootkit modifies banking webpages in-line, requesting full password instead of select characters.
by Carl Farrington on Apr.03, 2009, under Computer Stuff, News & Reviews
I’ve just come across something concerning that I haven’t seen before.
Customer’s computer appears to be infected with something.
Banking websites such as rbsdigital.com, lloydstsb.com, hsbc.com, well, the website displays perfectly except that the security phrase box asks for the whole phrase instead of just particular characters from the phrase.
It’s as though something is intercepting and re-writing the page as it’s displayed (url and cert look fine, DNS of sites resolve fine).
Computer has various infections on it by the looks of it – twext.exe which I’ve come across enough times, and various random .dll’s fired up through rundll32.
What’s concerning me is how the page is modified in-line and the url and certificate are spot on.
Here’s the analysis results for the .dll, called through Run -> rundll32. Doesn’t look good for detection.
http://www.virustotal.com/analisis/9ec1b577f2bf5688597dc1c911bea47d
Here are the results for twext.exe, called through Winlogon -> Userinit.
http://www.virustotal.com/analisis/ae4eda13de80161b65b3a18122ead92f
c:\windows\system32\a.exe, doesn’t appear to be called from anywhere that I’ve noticed yet, but obviously suspect filename and file date. Same file as twext.exe.
http://www.virustotal.com/analisis/ae4eda13de80161b65b3a18122ead92f
c:\windows\system32\userinit32.exe, called via addition to Winlogon > Userinit, hidden from Windows API and only visible with IceSword, but registry modification was re-creating itself after removal. File timestamp on this one is 2004-08-11, same as most stock XP files.
http://www.virustotal.com/analisis/cf0b882c689a513443845f3edea5cb16
Microsoft Antivirus (whatever that is) misses this one.
c:\windows\usebexuyiruburu.dll – can’t remember where this was called from. Think it was HKCU -> Run, whereas others were HKLM -> Run
http://www.virustotal.com/analisis/4407b4eb1474268be3033b8268608877
Again Microsoft Antivirus does well while nearly all the other 38 antivirus programs fail.
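The autostart points named in this post (extra entries on Winlogon > Userinit, and DLLs launched via rundll32 from the Run keys) can be checked mechanically from a registry export. The following is an added example, not part of the original post: the function names, the sample export, its value names and the rundll32 entry point are constructed, and it assumes Windows is installed in C:\WINDOWS.

```python
import re

# Constructed sample in "reg export" text form; the value name "example" and the
# rundll32 entry point are made up, file names are the ones mentioned in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twext.exe,C:\\WINDOWS\\system32\\userinit32.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"example"="rundll32.exe \"c:\\windows\\usebexuyiruburu.dll\",Startup"
"""

STOCK_USERINIT = r"c:\windows\system32\userinit.exe"  # assumes Windows in C:\WINDOWS
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.I)

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def audit_autoruns(reg_text):
    """Return (key, value name, item) for every autorun entry worth a look."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        lkey = key.lower()
        if lkey.endswith(r"\winlogon") and name.lower() == "userinit":
            # Userinit is a comma-separated list; stock XP has a single entry.
            for item in filter(None, (p.strip() for p in data.split(","))):
                if item.lower() != STOCK_USERINIT:
                    findings.append((key, name, item))
        elif lkey.endswith(r"\currentversion\run"):
            dll = RUNDLL_RE.search(data)
            if dll:  # a DLL autostarted through rundll32: review it
                findings.append((key, name, dll.group(1)))
    return findings

if __name__ == "__main__":
    for key, name, item in audit_autoruns(SAMPLE_REG):
        print(f"{key} :: {name} -> {item}")
```

Since userinit32.exe was hidden from the Windows API on the infected machine, an export taken from the running system may be incomplete; one taken with the hive loaded on a clean machine is more trustworthy.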
