Smokey's Security Weblog

veritas odium parit

All Google Search Results provided with the label “This site may harm your computer”

Breaking internet news: since today, starting appr. around 15:32 (UTC +1), all web and image searches performed via Google and the subsequent search results are tagged by Google with “This site may harm your computer”. Of course these tags aren’t correct and are all false positives.

Unwelcome effect of the bad tagged Google search results: all links provided by Google aren’t clickable anymore.

Update 16.14 (UTC +1): Google solved/fixed the issue.

Statement Google Inc.:

If you did a Google search between 6:30 a.m. PST and 7:25 a.m. PST this morning, you likely saw that the message “This site may harm your computer” accompanied each and every search result. This was clearly an error, and we are very sorry for the inconvenience caused to our users.What happened? Very simply, human error. Google flags search results with the message “This site may harm your computer” if the site is known to install malicious software in the background or otherwise surreptitiously. We do this to protect our users against visiting sites that could harm their computers. We work with a non-profit called to get our list of URLs. StopBadware carefully researches each consumer complaint to decide fairly whether that URL belongs on the list. Since each case needs to be individually researched, this list is maintained by humans, not algorithms.We periodically receive updates to that list and received one such update to release on the site this morning. Unfortunately (and here’s the human error), the URL of ‘/’ was mistakenly checked in as a value to the file and ‘/’ expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes.

Thanks to our team for their quick work in finding this. And again, our apologies to any of you who were inconvenienced this morning, and to site owners whose pages were incorrectly labelled. We will carefully investigate this incident and put more robust file checks in place to prevent it from happening again.

Thanks for your understanding.

Posted by Marissa Mayer, VP, Search Products & User Experience

Source of Google statement:

January 31, 2009 Posted by | Alerts, Downloads, Friends, Malware, News, Recommended External Security Related Links | , , , , , , , , , , , | Leave a comment

Fatal failures Seagate Barracuda 7200.11, ES.2 SATA, and DiamondMax 22 Drives

Normally not an item on my blog, but after reading numerous alarming reports concerning fatal failures in Seagate Barracuda 7200.11, ES.2 SATA, and DiamondMax 22 Drives, with total data lost as result, here an alert for these Seagate Drives.
Seagate is playing down the issue, but reality is different……In particular the 1TB, 750GB and 500GB (ST31000340AS, ST3500320AS, ST3750330AS) units are failing at an alarming rate and prompting outrage from their customers.

According to AtomicPC: A new self-bricking feature apparently resides in faulty firmware microcode which will rear its ugly head sometime at boot detection. Essentially the drive will be working as normal for a while, then – out of the blue – it’ll brick itself to death. The next time you reboot your computer the drive will simply lock itself up as a failsafe and won’t be detected by the BIOS. In other words, there’s power, spin-up, but no detection to enable booting.

RMA and Data Recovery Centres are also reporting that there’s a very high rate of failure on these drives. One user in particular reports having set up a 6 TB drive array and over the course of 1 month having half the drives fail on him. No official stats are available, but at least one RMA middleman has told us there’s about 30-40 per cent failure rates.

According to data recovery experts Seagate has diagnosed the problem and issued a new firmware to address it. However, drives that have already been affected can’t have the firmware applied to them due to their locked-down status.Over a month into the problem Seagate had still not come back to customers with an official solution. Despite the company updating the firmware on newer drives, it has issued no recall on the firmware-defective drives that are still on shop shelves.Drive origin and firmware seem to be Thailand and SD15, but at least one user reports having had identical problems with a unit from the Wuxi(ng) fab and the SD35 firmware.

Urgent advice: update the firmware of concerning drives NOW! If you have the intention to buy a new drive, don’t buy one of mentioned Seagate drives (see survey below)! These (possible) firmware-defective drives are still on shop shelves…..

This alert concern the Seagate drives  ST31000340AS ST31000340NS STM31000340AS ST3750330AS ST3750330NS STM3750330AS
ST3750630AS ST3500320NS STM3500320AS ST3640330AS ST3250310NS STM31000334AS ST3640530AS STM3320614AS
ST3500320AS STM3160813AS ST3500620AS ST3500820AS ST31500341AS ST31000333AS ST3640323AS ST3640623AS
ST3320613AS ST3320813AS ST3160813AS.

Firmware download of mentioned firmware-defective drives:

January 26, 2009 Posted by | Advisories, Alerts, Friends | , , , , , , , , , , , , , , , , , , , , , , , , , | 3 Comments

Safe Computing and Preventing Malware Infections

The current outbreak of the polymorphic worm Downadup, aka Conficker and Kido, and all its variants make very clear that many users don’t act in a responsable and secure way. After all, at the moment 9 (nine) million PCs are contaminated by that worm for reason of a missing Microsoft Security Update for Windows (KB958644). At the same time numerous users don’t posses safe computing and surfing habits, ignore standard precautions, haven’t the slightest idea how to prevent malware and in case they have a PC contaminated by malware they are trying to clean the PC by themselves or by self-declared “security experts”. Keep in mind that malware cleaning/removal isn’t a job for amateurs, it is a dedicated job for well trained and full qualified malware hunters.

Safe computing/surfing and preventing malware is a matter of education. Only well educated users have the reasonable possibilty to remain “clean”. The sole aim of me and my staff on Smokey’s Security Forums is to fulfill this aim by providing the user for free with Education, Support, Help and Advice, and in case the PC of the user is infected by malware to offer malware cleaning/removal by real security experts: comprehensive trained, full qualified HJT/OTListIt2 Analysers/Malware Hunters.

Some basic rules for safe computing, related links at the end of this post:

– Activate the automatic update function in Windows. Always accept and install all updates offered by Microsoft.
– If you don’t like automatic updates, consider to use the Microsoft Baseline Security Analyzer (MBSA). MBSA is an easy to use free tool that helps individuals, small and medium businesses to determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. It will improve your security management process by using MBSA to detect common administrative vulnerabilities and missing security updates on your computer systems.
– Always install all Service Packs offered by Microsoft.
– Educate and protect yourself, e.g. by visiting my board and reading the FAQs, How-To’s and Advisories concerning Safe Computing and Preventing Malware.
– In case your PC is infected by malware, adware or any other undesired badware or nasties visit my board to get rid of such crap. Only full qualified HijackThis & OTListIt2 Log Analysers/Malware Hunters will care about these infections and help you in a professional way, of course for free, to get rid of it. Note: only registered board members will receive malware removal/cleaning help, registering on my board is also for free.

Update 2010-14-03: Guests allowed to post on Smokey’s for Log Analysis and Malware Removal help


Smokey’s Security Forums
FAQs, How-To’s and Advisories concerning Safe Computing and Preventing Malware
HijackThis (HJT) & OTListIt2 Log Analysis and Malware Removal/Cleaning Assistance and Services
Microsoft Baseline Security Analyzer (MBSA) Frequently Asked Questions
Download Microsoft Baseline Security Analyzer

Safe computing!

Smokey’s Security Forums is Site Member ASAP

January 17, 2009 Posted by | Advisories, Anti-Spyware, Anti-Virus, Bundleware, Downloads, Friends, Phishing, Recommended External Security Related Links, Toolbarware, Uncategorized, Vulnerabilities | , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | Leave a comment

Outbreak of the polymorphic worm Downadup aka Conficker aka Kido

Posted Jan 15, 2009

– Revision v1.00, Jan 16, 2009: The number of Downadup infections are skyrocketing based on F-Secure’s calculations. From an estimated 2.4 million infected machines to over 9 (nine) million during the last four days…
– Revision v1.01, Jan 16, 2009: Blog post updated for reason of actual occurances.
– Revision v1.02, Jan 17, 2009: Added worm symptoms and a link to the infection calculations performed by F-Secure.
– Revision v1.03, Jan 17, 2009: Added effective protection measures against the worm.
– Revision v1.04, Jan 23, 2009: Worm/malware removal/disinfection tools updated.
– Revision v1.05, Feb 08, 2009: OpenDNS/Kasperky Lab tracking and blocking services added.

The Downadup worm that exploits a months-old Windows bug/vulnerability has infected more than a million PCs in the past 24 hours, a security company said today. Aliases of the worm are Worm.Conficker [PCTools], W32.Downadup [Symantec], Net-Worm.Win32.Kido.ih [Kaspersky Lab], W32/Conficker.worm [McAfee], W32/Confick-A [Sophos], Worm:Win32/Conficker.A [Microsoft], Worm.Win32.Conficker [Ikarus]

Early Wednesday the in Finland-based security firm F-Secure Corp. estimated that 3.5 million PCs have been compromised by the “Downadup” worm, an increase of more than 1.1 million since Tuesday.

“[And] we still consider this to be a conservative estimate,” said Sean Sullivan, a researcher at F-Secure, in an entry to the company’s Security Lab blog. Yesterday, F-Secure said the worm had infected an estimated 2.4 million machines.

The worm, which several security companies have described as surging dramatically during the past few days, exploits a bug in the Windows Server service used by all supported versions of Microsoft Corp.’s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.

The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines.

The neat thing about Downadup is the way it “phones home”. As Mikko Hyppönen, chief research officer at anti-virus company F-Secure explains:

It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as and With this algorithm, the worm generates many possible domain names every day. It concern hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org. This makes it impossible and/or impractical to shut them all down — most of them are never registered in the first place. The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines.

Anybody can register one of the unused domains and gain access to all of the infected machines. Pretty dumb. However, everyone will sit by and watch the infections happen, because nobody can interfere: unauthorised use of a PC may even be illegal. It’s like watching a small child wandering onto a motorway….

Downadup can also spread by using an autorun file on a USB memory stick, so if you autorun thumb drives on an unpatched machine, you could be vulnerable.

Almost all the infections are of Windows XP machines and, as Microsoft notes, plenty of corporate customers (who are usually not using AutoUpdate) have been caught. F-Secure says:

“A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.”

Either way, security experts are anxiously awaiting the attackers’ next move. They suspect a massive botnet is in the works, but so far the attackers haven’t completely tipped their hand. The mere infection of so many machines that could then be controlled by a third party indicates it is indeed a botnet-in-progress, according to Damballa, a computer security company devoted to disrupting botnets. “It’s a close call. If it has the potential for a remote, malicious third party to do whatever they want, that makes it a botnet,” says Paul Royal, chief scientist for the antibotnet company.

“Whoever is behind this is not ready to deploy his or her code just yet. Maybe they first need to figure out how to get their botnet controller to scale to handle [millions of] nodes,” Stewart, director of malware research for SecureWorks, notes.

One thing that is certain: The worm is spreading like wildfire, and its creators appear to be trying to beat the clock and infect as many machines as they can that haven’t yet patched for the Windows bug/vulnerability. The perpetrators have been cranking out new variants of the worm to evade detection, and, so far, its main mission has been pushing rogue antivirus software.

According to Damballa, Confickr/Downadup spreads fast like a Slammer, but this one has a command and control channel: “It propagates like a worm and can act like a bot. Perhaps it’s representative of a hybrid that may represent a new class of malware” rather than the social networking or email lures of old.

Urgent advice: users are strongly recommended to ensure their antivirus databases are up to date. A patch for the windows bug/vulnerability is available from Microsoft: It concern Microsoft Security Bulletin MS08-067 – Critical / Vulnerability in Server Service Could Allow Remote Code Execution (958644). Complete and effective protection measures against the worm at the end of this post.

Sources/references of this outbreak alert and background information:

Kaspersky Lab

Symptoms of the worm:–Win32.Worm.Downadup.Gen.html

Removal and disinfection tools:

Kaspersky Lab –
Symantec –

List of domains that are currently distributing the Downadup worm and its variants:

Complete/effective protection measures against the worm, apply all 3 measures:

1. Apply Microsoft patch MS08-067:
2. Provide the administrator account of the computer with a strong password (brute force dictionary attack against administrator password is used):
3. Completely disable the AutoRun function, this is a brutal but highly effective hack:

Free Support, Help and Assistance if your PC is infected by this worm and/or any other piece of malware:,5.0.html

Update Feb 08, 2009: OpenDNS/Kasperky Lab offer free tracking and blocking services.

January 15, 2009 Posted by | Advisories, Alerts, Anti-Virus, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , , , , , , , , , , , , , , , | 6 Comments

Troubleshoot driver problems in Vista with the Driver Verifier Manager

Author: Greg Shultz / TechRepublic

If you are encountering unpredictable errors, lockups, or BSODs in Windows Vista, chances are that your system is suffering from the effects of a faulty third-party driver. As you know, the device drivers that come with Microsoft Windows Vista have a digital signature that indicates that the driver has met a certain level of testing and that it has not been altered. You also know that any hardware that carries a Certified for Windows Vista logo will come with drivers that have a digital signature from Microsoft that indicates that the product was tested for compatibility with Windows Vista.

However, not all third-party hardware manufacturers are willing to take the time and effort to submit their products to Microsoft for certified testing and aren’t really interested in having a digital signature from Microsoft assigned to their drivers. And, unfortunately, uncertified drivers are a big source of problems in Vista.

Fortunately, Vista comes with a great utility called the Driver Verifier Manager. While not a new utility (it came with Windows 2000 and Windows XP), the version that comes with Vista has some new features that make it easier to use. In this edition of the Windows Vista Report, I’ll show you how to use the Driver Verifier Manager to troubleshoot driver problems in Windows Vista:

Source / How to use the Driver Verifier Manager: TechRepublic

January 10, 2009 Posted by | Advisories, Friends, Uncategorized | , , , , , , , , , , | Leave a comment

Download and try-out Windows 7 Beta 32-bit (x86) or 64-bit (x64)

Welcome to the Windows 7 Beta Customer Preview Program

Published: January 2009

–  Learn about Windows 7 Beta
–  Test Windows 7 Beta in your lab environment
–  Stay informed on updates and resources

Windows 7 is…
the next release of the Windows client operating system, built on the secure foundation of Windows Vista and Windows Server 2008. Performance, reliability, security, and compatibility are core tenets of this release as we collect your feedback to meet our engineering goals of making Windows 7 the best-performing and most stable Windows operating system to date. New innovations in the product are designed to augment your ability as an IT professional to better provision and manage increasingly mobile PCs, protect data, and improve both end-user and personal productivity.

See Windows 7 for yourself

We are inviting IT professionals around the world to work with the Windows 7 Beta in their lab environments and secondary PCs to help ensure smooth adoption when the final product is available and to gather feedback from real-world settings.

How can you get involved?

1. Take a look at some of the new features and functionality in Windows 7 as part of our Springboard Series guidance on the Windows Client TechCenter on TechNet. As a partner you can also see additional resources on the Microsoft Partner Program portal.

2. Download the Beta for a hands-on trial. For a limited time, Microsoft is making this pre-release version of Windows 7 available to the first 2.5 million people who download. Ready to take a test drive? You can get one by trying the Windows 7 Beta. We think you’ll have the best experience if:

– You are willing to participate as an active beta tester and provide feedback to help us complete Windows 7.
– You have an extra computer available to dedicate to testing beta software.
– You can back up your PC, install and reinstall Windows, and reconfigure your home network connection.
– You’re comfortable troubleshooting your own PC problems. There’s no technical support available for the Beta.
– You understand how to burn an ISO file to a DVD using your computer’s DVD burner.
– You have a system recovery disc and know how to use it.
– You enjoy participating in an interactive community of beta testers, sharing experiences and feedback in real-time.

Microsoft isn’t providing technical support for the Beta and isn’t responsible for business-related downtime. Don’t install the Beta on your primary home or work computer. When the Beta expires on August 1, 2009, you’ll need to reinstall a released version of Windows to keep using your computer. (See Installation Instructions.)

These are the Microsoft minimum hardware recommendations for systems that will be running the Windows 7 Beta. These recommendations are specific to the beta release and are subject to change:

– Processor: 1 GHz 32-bit or 64-bit processor
– Memory: 1 GB of system memory
– Hard drive: 16 GB of available disk space
– Video card: Support for DirectX 9 graphics with 128MB memory (in order to enable Aero theme)
– Drive: DVD-R/W drive
– Internet connection (to download the Beta and get updates)

Note: Some product features of Windows 7, such as the ability to watch and record live TV or navigation through the use of “touch”, may require advanced or additional hardware.

To learn more, see Windows 7 Beta: Frequently Asked Questions.

Thank you for participating in this beta program and helping us build the best operating system for you and your end users.


– this is beta software, use at your own risk
– the downloads are provided via the official Microsoft channels
– downloadlinks are checked and working

Microsoft Windows 7 Beta Customer Preview Program and downloads: Microsoft TechNet

January 10, 2009 Posted by | Alerts, Downloads, Friends, News | , , , , , , , | Leave a comment

Bug in NIS 2009: “user names and passwords AutoComplete” always enabled in IE7

Alert: bug in Norton Internet Security 2009 reported by the Norton Community: “user names and passwords AutoComplete” always enabled in IE7.

Fix: change “HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords” to “no” and change the permission to read-only in regedit.

Advice: before editing the registry, make a backup of it.

Source/more: Norton

January 2, 2009 Posted by | Advisories, Alerts, Friends, Norton Internet Security, Recommended External Security Related Links | , , , , , , | Leave a comment