A Homeless man is sentenced to FIFTEEN YEARS in prison for stealing $100 from a bank, and returning it the next day when he felt guilty… Unless the judge was looking to HELP the hapless man by providing some kind of shelter in the form of prison, it could surely be argued that he is simply a complete ****?



By Craig Murray. http://www.craigmurray.org.uk/archives/2009/01/biased_broadcas.html#comments

I am hopeful the public outcry caused by the BBC’s refusal to broadcast the joint appeal for Gaza, will open more eyes to the immense bias in the BBC’s News coverage. As it has slipped off the front page, I think it is worth reproducing this from my blog for 6 January:

What is Really Happening

I watched BBC World News for a timed hour yesterday. In that time I saw:

Pro-Israeli (including US government) speakers – 17

Pro-Palestinian speakers – 2

Mentions of Hamas Rockets as reason for war – 37

Mentions of illegal Israeli settlements – 0

Mentions of Palestinians killed by Israel during “ceasefire” – 2

Mentions of Sderot – 12

Mentions Sderot used to be Palestinian – 0

If you don’t believe me, try it yourself. The BBC took being banned from Gaza by the Israelis as the excuse to focus a wildly disproportionate attention on the Hamas threat to Israel. Their choice of Sderot as their base of operations was in itself a factor of bias – and their failure to say, even once, that Sderot was once Palestinian was inexcusable. Now journalists can get into Gaza there has been nothing by the BBC that comes close to matching the searing explorations by Channel 4, ITN and yes, Sky News, on the atrocities that happened there. I am particularly outraged by the pusillanimity of my Dundee University and Tashkent colleague Alan Johnston, on whose behalf in his kidnapping I had been attempting to exert what little influence I have to its utmost limit (to no avail, I fear). He appears to have exhausted all his compassion on himself. But what is truly extraordinary is the way that New Labour careerists like Alexander and Bradshaw, who have come out to ask for the appeal to be broadcast, now that Bush has gone are so instantly re-orienting themselves slavishly to follow a slightly different direction. Do not be fooled by New Labour; they have no core beliefs but in their own careers. Stand by for them to explain they were against extraordinary rendition all along. Do not believe any of our Ministers on anything. And should you get close to any of them, I believe personal violence may be justified in this instance.

Tropic Thunder…

January 24, 2009

What a fantastic parody of all that other Hollywood shit… Brilliance… Especially Robert Downey Jnr's character… Right up there with Team America. If you didn’t like it you just didn’t get it – probably best stick with the likes of Cloverfield eh…

Never thought I’d say this but Tom, you the man ;)

OK so it seems to be spreading itself fairly rapidly…but I remember when a PAYLOAD actually was something to be concerned about. What the fuck is it that this Conficker does? Ooh, it blocks access to a handful of `security` websites, stops auto backups running and disables system restore (erm, which most sensible people disable voluntarily because it’s just a vuln in itself which is exploited by other malicious code), and, erm, I think that’s about it. Wow.

So if that sounds scary, then reimage and patch. That’s it.

Calm  down. It’s possibly the most supergay `virus` ever. Just rebuild the box. You got backups anyway, right? ;)

Real viruses used to actually destroy entire O/S or delete files, kill MBR and completely fuck your PCs. This doesn’t.  

Worry more about the backdoors, rootkits and viruses which are NOT being talked about so much, which have very few if any clues as to their presence… www.rootkit.com 

Anyway, if you ARE concerned about Conficker, here’s the overview/details from NAI.

Overview –

This detection is for a worm that exploits the MS08-067 vulnerability as the main vehicle of infection. It also uses other common techniques for spreading as underlined in the Method of Infection section. It also downloads and executes various files onto the affected system.


  • Worm:Win32/Conficker.A (Microsoft)
  • Crypt.AVL (AVG)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Pakes.lxf (F-Secure)
  • Trojan.Win32.Pakes.lxf (Kaspersky)
  • W32.Downadup (Symantec)
  • Worm:Win32/Conficker.B (Microsoft)
  • WORM_DOWNAD.A (Trend Micro)



Characteristics –

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

New variants have been observed dropping copies of themselves also into:

  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %All Users Application Data%\[Random].dll
  • %Temp%\[Random].dll
  • %System%\[Random].tmp
  • %Temp%\[Random].tmp

Where [Random] is a random name of 4 to 8 letters (letters only).

On NTFS filesystems the dropped files often have modified access permissions. Access is completely removed on the file for all users and groups. This is done to make detection and cleaning more difficult.

It modifies the following registry key to create a randomly-named service on the affected system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

Several variants remove access to the above registry key by changing the key ACLs. This is also an attempt to make detection and removal of the service key more difficult. The service name is generated dynamically by associating words from a hardcoded list:

  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows
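The service traits described above (svchost netsvcs hosting, a 4 to 8 letter DLL in one of the drop folders, a name built from the word list, stripped ACLs) can be combined into a triage check over exported service records. This is an added example, not part of the NAI write-up; the record field names, the expanded folder paths, the three-trait threshold and the sample records are assumptions constructed for illustration.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any platform

# Word list copied from the description above.
WORDS = ("Boot Center Config Driver Helper Image Installer Manager Microsoft "
         "Monitor Network Security Server Shell Support System Task Time "
         "Universal Update Windows").split()
# Assumption: the name is two or more list words, optionally space-separated.
NAME_RE = re.compile(r"(?:(?:%s)\s?){2,}" % "|".join(WORDS))
DLL_RE = re.compile(r"[a-z]{4,8}\.dll", re.I)   # 4 to 8 letters only
HOST_RE = re.compile(r"\\svchost\.exe\s+-k\s+netsvcs\s*$", re.I)
# Drop folders from the description, expanded for a default English XP
# install (assumed paths; per-user %Temp% is left out of this example).
DROP_DIRS = {d.lower() for d in (
    r"C:\Windows\System32",
    r"C:\Program Files\Internet Explorer",
    r"C:\Program Files\Movie Maker",
    r"C:\Documents and Settings\All Users\Application Data")}

def indicators(svc):
    """Return the traits from the write-up that one service record shows."""
    hits = []
    if HOST_RE.search(svc.get("image_path") or ""):
        hits.append("netsvcs-hosted")
    dll = svc.get("service_dll") or ""
    if DLL_RE.fullmatch(basename(dll)) and dirname(dll).lower() in DROP_DIRS:
        hits.append("random-dll")
    if NAME_RE.fullmatch(svc.get("name") or ""):
        hits.append("wordlist-name")
    if svc.get("acl_readable") is False:   # key or file ACL emptied
        hits.append("acl-stripped")
    return hits

def triage(services, threshold=3):
    """Names and hits of records showing at least `threshold` traits."""
    scored = [(s["name"], indicators(s)) for s in services]
    return [(n, h) for n, h in scored if len(h) >= threshold]

# Constructed sample records, not taken from a real host.
SVCHOST = r"%SystemRoot%\system32\svchost.exe -k netsvcs"
SAMPLE = [
    {"name": "Image Helper", "image_path": SVCHOST,
     "service_dll": r"C:\Windows\System32\qkvtbe.dll", "acl_readable": False},
    {"name": "Windows Time", "image_path": SVCHOST,
     "service_dll": r"C:\Windows\System32\w32time.dll", "acl_readable": True},
    {"name": "Print Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe",
     "service_dll": None, "acl_readable": True},
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE):
        print(name, hits)
```

The constructed "Windows Time" record shows why no single trait is enough: a name made of list words and netsvcs hosting can both appear on an ordinary service, so the check only flags records where several traits coincide.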

It will inject itself into various running processes. Different variants have been observed injecting into one or more of:

  • svchost.exe
  • explorer.exe
  • services.exe

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

  • hxxp://www.getmyip.org
  • hxxp://getmyip.co.uk
  • hxxp://checkip.dyndns.org
  • hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website


New variants are connecting to various other hosts.

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm. The http connection is performed on a random port and the file transferred will have an extension of

  • bmp
  • gif
  • jpeg
  • png

Later variants of w32/Conficker.worm attempt to connect to remote hosts using the local credentials, a list of usernames retrieved from the target system and a long list of hardcoded passwords. In doing so it may lock down domain accounts where the policy is set to allow only a limited number of wrong passwords.

On successfully exploited remote systems the worm drops a copy of itself in the %Sysdir% folder and creates a scheduled task to execute it. It may also create a copy in the remote “Recycle Bin” folder and an Autorun.inf file.

Using these techniques the worm may replicate on to non-vulnerable systems or reinfect previously infected systems after they have been cleaned.

The worm hooks system APIs to prevent access to security websites. A list of some of the locked domains is:

  • ahnlab
  • arcabit
  • avas
  • avg
  • avira
  • avp
  • bit9
  • ca
  • castlecops
  • centralcommand
  • cert
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • mcafee
  • microsoft
  • nai
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • sans
  • securecomputing
  • sophos
  • spamhaus
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • vet
  • wilderssecurity
  • windowsupdate

Some security services may also be disabled by the infection.



Symptoms –

  • Network portscan on port 445 as per the MS08-067 exploit.
  • Access to the above mentioned domains.
  • Domain accounts being locked due to maximum login attempts.
  • Presence of the above mentioned files and registry keys, specifically files and registry keys with empty permissions.
  • Scheduled tasks being created.
  • autorun.inf files being created.
  • Access to security related web sites is blocked.



Method of Infection –

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.

It also spreads by brute-forcing remote systems' passwords and installing scheduled tasks and/or autorun.inf files on the victim.


Removal –


AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.



The Barack Americano…

January 20, 2009

Perhaps a little dark  for some tastes… Certainly unusual! Perhaps they could do a latte version?! Would that work?



Obama’s Change.gov site will close down its internet suggestion box today, after a week of taking suggestions and opinions on the new administration’s executive policy from the web public at large. In standard Web 2.0 fashion, users can vote up or down on existing entries — the theory being that the best schemes will rise to the top.

With 70,520 points at time of publication, the most popular idea by a margin of 10,300 is “Ending Marijuana Prohibition.”

“I suggest that we step back and take a non-biased ‘Science Based’ approach to decide what should be done about the ‘Utter Failure’ that we call the War on (some) Drugs,” one entry reads.

Of course, the Obama team has done a notable job ignoring its top entry. The staff skipped directly to commenting on the second most popular idea in their videos of Obama administration officials addressing the cream of the crop.

Have your say so we can ignore you.




Original article here >  http://www.theregister.co.uk/2009/01/17/obama_idea_portal_suggestions/