Mapping a network of malware sites, and a distressing discovery

Right now, I am in the remote cabin in the woods where we wrote More Than Two, working on two new books: a nonfiction book called Love More, Be Awesome and a novel called Black Iron.

The cabin has very limited Internet access that’s approximately the same speed as old-fashioned dialup, so fetching email is always a bit dicey. Imagine my disappointment at the timing, then, of a large-scale malware attack.

The emails are all very simple: just two lines and a bit.ly URL shortener address. They come from a wide range of IP addresses with a large number of different forged From: addresses, and they all look exactly the same:

The system behind this email, however, is anything but simple.


The Network

The emails all contain a URL shortening address that uses the popular bit.ly URL shortener service. There’s a complex network behind that short URL, that does a number of different things: promotes dodgy products such as supposed “brain boosting” pills, and attempts to download malware and trick people into phoning phony tech support Web sites that scam victims for hundreds of dollars in fake tech support charges (and also dupe victims into downloading more malware).

*** WARNING *** WARNING *** WARNING ***

All the sites mentioned in this post are live at the time of writing this. Most of them will attempt to download malware or redirect you to sites that attempt to download malware. Do not visit these sites if you don’t know what you’re doing.

When you click the link in one of these emails, you’re redirected via several steps to a site called wholesoil.com that then sends you off to one of many, many possible destinations, some of which are typical run-of-the-mill spam sites and some of which are malware sites. The network looks like this:

This chart is not complete; there are many, many other malware sites that you may be redirected to. I charted well over a dozen more such sites before I quit looking.

Clicking on the link contained in the email enters you into a lottery of suck: Will you get spam? Will you get pwn3d? Hard to say!

I’m not 100% certain it’s entirely random. There may be some element of looking at the browser’s user agent or the visitor’s IP address; visiting wholesoil.com repeatedly in a short span of time will tend to result in getting redirected to the same spam URL over and over after a while.

The people behind this network have gone to considerable lengths to hide themselves. For example, one step of the redirection happens via a domain parking service called tracted.net. The redirection script that relays traffic through this site scrubs the referrer header. When you travel from one Web site to another, your browser sends a “referrer header” that tells the new site where you came from; this is how people can tell where they’re getting traffic from. But this network carefully removes that information, so that the owners of tracted.net can not easily detect this traffic.

The most common spam destination is a subdomain of a site called fastgoodforms.com. These subdomains change often: 570-inteligen.fastgoodforms.com, 324-brain.fastgoodforms.com, 923-inteligen.fastgoodforms.com, and so on.
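The redirect chain and referrer scrubbing described above, and the rotating numbered subdomains, are the kind of thing a defender maps by fetching each hop without letting the client auto-follow redirects. The following is an added example, not code from the post or from any tool the author used: a small chain tracer that records every hop, how the redirect was done (HTTP Location, meta refresh, or an inline JavaScript assignment), whether the hop declares a no-referrer policy, and a simple pattern check on the final hostname. It runs offline against a constructed mock "network"; the hostnames (bit.ly, tracted.net, wholesoil.com, fastgoodforms.com) are the ones named in the post, but the paths, headers and page bodies are made up for the example, and the `fake_fetch` function stands in for a real non-following HTTP GET.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# One fetched page: HTTP status, response headers, and body text.
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str], Optional[Response]]

# Constructed sample network (not real captured traffic): only the hostnames come
# from the post; paths, headers and bodies are invented so the example runs offline.
SAMPLE_NETWORK: Dict[str, Response] = {
    "http://bit.ly/EXAMPLE": (301, {"Location": "http://tracted.net/go?x=1"}, ""),
    "http://tracted.net/go?x=1": (200, {"Content-Type": "text/html"},
        '<html><head><meta name="referrer" content="no-referrer">'
        '<meta http-equiv="refresh" content="0;url=http://wholesoil.com/"></head></html>'),
    "http://wholesoil.com/": (302, {"Location": "http://570-inteligen.fastgoodforms.com/",
                                    "Referrer-Policy": "no-referrer"}, ""),
    "http://570-inteligen.fastgoodforms.com/": (200, {"Content-Type": "text/html"},
        "<html><body>brain pills</body></html>"),
}


def fake_fetch(url: str) -> Optional[Response]:
    """Offline stand-in for an HTTP GET that does NOT follow redirects itself."""
    return SAMPLE_NETWORK.get(url)


META_REFRESH_TAG = re.compile(r"<meta[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*>", re.I)
REFRESH_URL = re.compile(r"url\s*=\s*[\"']?([^\"'>\s]+)", re.I)
JS_REDIRECT = re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)
META_REFERRER = re.compile(r"<meta[^>]*name\s*=\s*[\"']?referrer[\"']?[^>]*content\s*=\s*[\"']?([^\"'>\s]+)", re.I)
# Hypothetical pattern for the rotating subdomains the post lists (NNN-word.fastgoodforms.com).
SPAM_HOST = re.compile(r"^\d{3}-[a-z]+\.fastgoodforms\.com$", re.I)


@dataclass
class Hop:
    url: str
    status: int                 # 0 means unreachable (or a loop was detected)
    mechanism: str              # "http", "meta-refresh", "javascript", "loop", or "" for the final page
    referrer_stripped: bool     # hop declares a no-referrer policy (header or meta tag)
    next_url: Optional[str]


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def next_location(url: str, status: int, headers: Dict[str, str], body: str) -> Tuple[str, Optional[str]]:
    """Work out where this hop sends the visitor next, and by which mechanism."""
    if status in (301, 302, 303, 307, 308) and header(headers, "Location"):
        return "http", urljoin(url, header(headers, "Location"))
    tag = META_REFRESH_TAG.search(body)
    if tag:
        m = REFRESH_URL.search(tag.group(0))
        if m:
            return "meta-refresh", urljoin(url, m.group(1))
    m = JS_REDIRECT.search(body)
    if m:
        return "javascript", urljoin(url, m.group(1))
    return "", None


def strips_referrer(headers: Dict[str, str], body: str) -> bool:
    """True if the hop explicitly tells the browser to send no Referer onward."""
    policies = [p.strip().lower() for p in header(headers, "Referrer-Policy").split(",")]
    if "no-referrer" in policies:
        return True
    m = META_REFERRER.search(body)
    return bool(m and m.group(1).strip().lower() == "no-referrer")


def trace_chain(start: str, fetch: Fetcher, max_hops: int = 10) -> List[Hop]:
    """Follow the chain hop by hop, stopping on a dead URL, a loop, or max_hops."""
    hops: List[Hop] = []
    seen = set()
    url: Optional[str] = start
    while url and len(hops) < max_hops:
        if url in seen:
            hops.append(Hop(url, 0, "loop", False, None))
            break
        seen.add(url)
        resp = fetch(url)
        if resp is None:
            hops.append(Hop(url, 0, "", False, None))
            break
        status, headers, body = resp
        mech, nxt = next_location(url, status, headers, body)
        hops.append(Hop(url, status, mech, strips_referrer(headers, body), nxt))
        url = nxt
    return hops


def classify(url: str) -> str:
    """Label a final destination by hostname pattern; anything unmatched is 'unknown'."""
    host = urlsplit(url).hostname or ""
    return "spam" if SPAM_HOST.match(host) else "unknown"


def summarize(hops: List[Hop]) -> Dict[str, object]:
    return {
        "hops": len(hops),
        "hosts": [urlsplit(h.url).hostname for h in hops],
        "referrer_stripped_at": [h.url for h in hops if h.referrer_stripped],
        "final_url": hops[-1].url,
        "final_label": classify(hops[-1].url),
    }


if __name__ == "__main__":
    for h in trace_chain("http://bit.ly/EXAMPLE", fake_fetch):
        print(f"{h.status:>3} {h.mechanism or 'final':<12} referrer-stripped={h.referrer_stripped!s:<5} {h.url}")
    print(summarize(trace_chain("http://bit.ly/EXAMPLE", fake_fetch)))
```

To run it against a live chain you would replace `fake_fetch` with a GET that has redirect-following disabled and returns the raw status, headers and body; the tracer is deliberately hop-by-hop so that the referrer-stripping hop and the parking-service hop show up as separate entries rather than being collapsed by the client. The `mechanism` field matters for investigation because meta-refresh and JavaScript redirects are exactly the ones a plain `curl -L` will not follow, which is why such chains are easy to under-count.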

But more often than spam, users will get redirected to a phony tech support page that displays a fake Windows error message. These sites look like this:

These sites attempt to download malware—specifically, a remote control program that allows attackers to take control of an infected computer. They also attempt to prevent the user’s Web browser from leaving the site, and display popups over and over and over again telling the user that the computer has been infected by a virus and to call Microsoft Support at a toll-free number.

The toll-free number is owned and operated by the scammers. If you call it, you’re sent to a person in India who will attempt to get your credit card number, and will try to talk you into installing software on your computer to “fix” the “problem.” This software is, of course, remote control malware.


How the mighty fall

While I was tracing out this network, I discovered many, many, many of these fake tech support Web sites that are being used to spread malware and try to con users.

And that’s where I noticed an interesting pattern.

The overwhelming majority of these malware sites are hosted, not on dodgy services in China or the Netherlands as you might normally expect, but on GoDaddy.

Not all of the malware sites are hosted on GoDaddy (I found one hosted on One, one hosted on Hostwinds, and one on IX Web Hosting, for example), but the vast majority—literally dozens—are.

I believe that GoDaddy is the choice of malware hosts because their abuse and security teams, which once upon a time had an excellent reputation in the Web hosting industry, have been pared back to the point they can no longer keep up…or perhaps simply no longer care. (GoDaddy was bought out by an investment group a few years back, which is when its reputation began to decline.)

I reported the Hostwinds-hosted malware site to Hostwinds abuse; it was removed about ten hours later. I reported the malware site on IX Web Hosting; it was gone in 17 minutes. But malware and phish sites on GoDaddy remain, in my experience, for an average of about a month before GoDaddy acts, and spam sites remain essentially forever.

Spammers and malware distributors are adaptable. They move Web hosts often, leaving hosting companies that take rapid action against them and congregating on tolerant sites that permit spam and malware. I suspect the fact that so many malware and fake tech support sites are hosted on GoDaddy is a consequence of the indifference or inability of their abuse and security teams.

To be fair, if you make enough noise, GoDaddy will eventually act. I have engaged with GoDaddy on Twitter, and when I do that, they will generally take down a site I complain about within a few days. The dozens of other sites, however, remain.


I am currently a GoDaddy customer. I do not use GoDaddy for Web hosting, but I do have a large number of domains registered there. I intend to begin removing my domains from GoDaddy, because I do not like supporting spam-tolerant companies. (Ironically, this was the reason I left Namecheap to go to GoDaddy; Namecheap is owned by a company called Rightside, that has become notorious for willingly hosting some of the biggest players in the spam business.)

So if you have a domain registrar you use, please leave a comment! I would love to find a replacement for GoDaddy and pull all my domains away from them. (If you’re using GoDaddy for Web hosting or domains, I advise you to do likewise, unless you fancy staying with a company whose approach to security and malware is so lax.)

I would also like to invite GoDaddy representatives to offer their side of the story in the comments as well.

Two Chaosbunnies in the Desert: Bodie, part 3

Part 1 of this saga is here.
Part 2 of this saga is here.
Part 3 of this saga is here.
Part 4 of this saga is here.
Part 5 of this saga is here.
Part 6 of this saga is here.
Part 7 of this saga is here.
Part 8 of this saga is here.
Part 9 of this saga is here.
Part 10 of this saga is here.
Part 11 of this saga is here.
Part 12 of this saga is here.
Part 13 of this saga is here.

Bodie, California was a Victorian-era gold mining town high in the mountains between California and Nevada. The Victorians weren’t very big on human rights, or treating workers well, or sex, or just about anything else, but there is one thing they liked very much, and that was technology.

At some point, today’s cutting-edge tech will look as hopelessly antiquated as the detritus littering the ruins of Bodie. But tech always starts somewhere, and the Victorians were all for embracing the bleeding edge, especially where it came to making money.

One of the many places Bodie kept up with the state of the art was transportation. When the town was founded, horses and stagecoaches were the order of the day, but that changed as the automotive arts gained ground. Today, the ruins of ancient cars lie scattered all over what’s left of the town.

The residents of Bodie were willing to adopt any new technology that offered to make their lives better or, more to the point, more productive. They may not have had a sewer system, they may have dug their wells directly downstream of their outhouses, but they were on top of mechanization as soon as it was out of beta.

And the trend of abandoning old tech where it lay and replacing it with new didn’t end with mining or stamping machines. The derelict wrecks rusting quietly into the hills span years of the automaker’s art.

They also used whatever worked. In the winter, snow in Bodie could get two stories deep. If that made it most practical to let the horseless carriages get buried and break out the sleds in winter, that’s what they did.

Some of the abandoned cars look personal; others look like working vehicles.

There’s a certain sleek beauty to the lines of this one, I think.

Compare that to the severe utilitarianism of this (possibly horse-drawn?) ore cart.

But they weren’t technofetishists. Their approach to technology was relentlessly, brutally practical. If it worked, they used it. As many of the vehicles dotted about Bodie are old tech as new.

This is a different relationship to technology than many of us have today. They wanted things that worked, not things that were new. If it helped them get gold out of the ground, they used it, and that was that. It’s hard to imagine that utilitarian a mindset today. “New iPhone? Why? My phone makes calls just fine.”

One of the creepiest and most splendid things about Bodie is the fact that when the gold left, so did the people, sometimes with such abruptness it seems as though they forgot to pack.

In reality, it’s more like they didn’t bother to pack. It’s difficult to get up and down the mountain even today; in a time when the only way in or out was by stagecoach (on a toll road!), there would be little incentive to take anything with you that could easily be replaced when you got wherever you were going.

So the buildings in Bodie have rooms that look like their owners stepped out a half-century ago to pop on down to the store for milk and eggs, and never came back. It’s both unsettling and marvelous.

The cast-off child’s toy in this room is a reminder that people raised their kids here, in this inhospitable mining town with its brutal heat and bitter cold and chimneys belching mercury fumes.

Bodie had its own post office, which doubled as the postman’s living quarters.

This was someone’s home. Someone cooked meals here, sang songs here, experienced joy and sorrow here, lived here.

It’s hard to forget that countless lives played out here, from beginning to end. These people lived in an inhospitable place, in a different time, but they lived here, and they experienced the same range of feelings that you and I feel.

This was, first and foremost, a working town. The town had a blacksmith. Apparently, according to the tour guide, this was it. I have no idea what those things on the table are.

The general store looks very much like it did when the town was at its peak, at least if you ignore the film of dust that has fallen like a funeral shroud over it all.

I bet the aspirin was a guaranteed best seller.

The plaster bandages too, I reckon. Industrial accidents in the stamping mill were horrifying.

The Bodie Hotel is one of the best-preserved buildings still remaining. The sign says “meals at all hours,” and I believe it. This place probably never slept.

This room still has a bunch of toys, long abandoned, and what looks like it might be a proto-skateboard of some description.

I wonder if the child these belonged to was sad to give them up.

This room looks expensive to me.

The headline is less interesting to me than the article beneath it: “Blast at magnesium plant injures 22.” There are people today who want to abolish OSHA. How short our memories are.

Bodie at its peak was home to many, many taverns. Today only one remains.

Next door to the sole remaining tavern is a gym. And you want to know something freaky? The cabin where Eve and I wrote More Than Two has that exact same model of hob.

Seriously. The exact same model. Check this out:

Freaky!

One of the guides explained that this was a “buggy,” as opposed to a “stagecoach.” There’s a big difference, apparently (and in fact the toll road into town had different tolls for buggies, wagons, coaches, and freight wagons).

We left Bodie as the sun grew low, and headed out to…well, that is a story for next time.

“But I’m changing it from within!”

Many years ago, I had an online conversation with a woman who was a devout, practicing Catholic.

She was also a polyamorous, pro-choice sex activist in a live-in relationship with her boyfriend, to whom she was not married.

When I asked her about the contradiction between these two things, she said that she recognized that Catholicism was behind the times on issues like women’s rights and nontraditional relationships, but that she remained Catholic because she wanted to change the Church from within.

I was reminded of that conversation recently when I had another online conversation with a guy who claims to be pro-gay rights and pro-gay marriage, who professes horror at the Republican Party’s treatment of women, who says he is appalled at the way the Republican party uses fear of immigrants and sexual minorities to raise votes, and who says that anti-Muslim sentiment is morally wrong…but who is still a member of the Republican Party and plans to vote the Republican ticket this November.

I asked him how he can, in good conscience, be a part of an organization whose values are so antithetical to his own. He said the same thing: “I want to change the Republican party from within.”

He and the woman I talked to all those years ago had one other thing in common besides saying they wanted to change the groups to which they belonged from within: They were both rather thin on details about what work they were willing to do to make that happen.

Both of them said they want to change these groups from within, but neither one of them was working to make that happen.

Which, in my book, is dishonest.

Changing a large, entrenched organization from within is hard. It requires serious work and serious commitment. It requires sacrifice. If you are a pro-life Catholic or a pro-immigration, pro-gay Republican, you will suffer if you make those beliefs known. You will face condemnation. You will face ostracism.

Working to change an organization takes dedication. If you actually want to change a political party, that means getting involved, deeply. It means showing up at the party’s national convention. It means becoming a delegate or an activist. It means voicing objections when the party attempts to make a platform plank out of hate and fear.

If you actually want to change the Catholic Church, that means becoming part of the church hierarchy. It means going to seminary. It means becoming a respected theologian and integrating yourself into the church’s structure.

Steering a ship requires getting on deck and putting your hand on the wheel.

Neither of the people I spoke to, all these years apart, were doing any of these things. Just the opposite, they were doing exactly what the rank and file are expected to do: go to church, tithe, vote in a straight line for every name with an (R) after it.

This is not how you change a group from within. This is how you signal the group that what it is doing is working.

It does no good to toe the line while secretly disagreeing within the privacy of your own head. If you do that while claiming to be “working for change from within,” you’re being dishonest. You’re running away from the genuine hard work and the real social cost of change.

You do not fight segregation by docilely sitting at the back of the bus like you’re told, then grumbling about it on the Internet. You fight segregation by sitting at the front of the bus, getting arrested, and inspiring others to do the same.

“I am changing things from within” is, all too often, a bullshit justification, a wimpy self-rationalization for complicity in atrocity. If you can not point to direct, tangible things you are doing to create that change, even when–especially when!–it costs you, you are not part of the solution, you are part of the problem. You are not a force for change; you are a participant in the very structures you claim to want to change.

No bullshit, no evasion: if you’re working to change the world, ask yourself, what have I done to make that happen?

Email o’ the Week: Beta Male

This just landed in my inbox from the More Than Two contact page. Formatting as in the original.

To: Franklin <franklin@franklinveaux.com>
From: Mrkoolio [email address redacted]
Subject: New Message From More Than Two – Contact Us

Dude…Buck up and have a back bone. When she wants to see other people it is because you are not fulfflling a need or you are not the one. It is exactly what you feel when you are not in love. This never works unless everyone is banging around at the same time. This is, “I want to screw other people, but if they dump me …it will be great to run back to you and you can help pay the bills too. If she meets a guy that does it for her, she will all of a sudden become monogamous. I can tell you are a beta by looking at you. Hand out with the alpha males a copy them. And the next time a chick says “I am poly.” You say,” good for you ….I am gone”. Or you can do the laundry while she is out banging around. Don’t be a pussy. Deep down…girls want a tough confident man….listen to Tom leykis. Let me guess, u were raised by a single mom who taught you all this bs….grow a pair….it will be so much better

I am a beta. He can tell by looking at me. So now you know.

The revolution is Nigh…Impossible

As part of the ongoing development of the bionic cock project I’m working on, I’m in the process of teaching myself 3D modeling and 3D printing. We’re using 3D printing to make positives for molding silicone prototypes.

3D printing is amazing. It offers incredible potential for people everywhere to be able to make whatever they want on demand, as long as “people everywhere” means “people with access to computers and the Internet and 3D printers and spools of plastic, and the cognitive ability to be able to design things and operate the equipment.” So not really people everywhere, but no matter, right?

3D printing is also incredibly stupid. The state of the art is so appalling. The software is deplorable–a throwback to the bad old days of obtuse design usable only by the select few.

The first time I tried to make a print, I was horrified by what passes for design in the world of 3D printing. It’s a case study in why Linux has never made significant inroads into the desktop, despite being free. Open source software is still software made by developers for developers, with no thought (or sometimes, with active contempt) for users who either don’t want to or don’t have the time to learn every small detail of the way their systems work.

By way of comparison, if color inkjet software worked the way 3D printer software works, every time you hit the Print command on your computer, you’d be confronted by something like this (click to embiggen):

A twisty maze of confusing and indecipherable options, poorly laid out

This…is why we can’t have nice things. The open source community isn’t democratic; it’s elitist.