Asus.com Compromised With Exploit Code

Juha-Matti Laurio writes in with news that the Web site of ASUSTeK Computer (asus.com) has been compromised to spread exploit code. The original report from Kaspersky Lab claimed that the compromise lead to code exploiting the recently patched Microsoft Windows Animated Cursor (.ANI) 0-day vulnerability, but sans.org found no evidence of this. Apparently a malicious iframe was added to one of the machines in asus.com's DNS round-robin.

Ouch

[Virgil+Tibbs]

Thats a publicity disaster for ASUS...

Re:Ouch

i-hab-been-haxored-by-asus.com

Re:Ouch

well u sir have just lost ur karma...u evil troll

Re:Ouch

u mispelled 'ebil'.

ur welcme. :)

Re:Ouch

[wolverine1999]

Thankfully I switched to another motherboard last year..

DNS needs improvment...

[B5_geek]

Perhaps now they will finally fix the missing www. entry in their DNS server. I have always hated that they didn't have that patched.

Re:DNS needs improvment...

[The+MAZZTer]

You DO know that www. is just another subdomain, right? The only reason it's special is because most/all websites mirror <hostname> onto www.<hostname>. But it doesn't HAVE to be like that. Slashdot doesn't do it like that, for instance.

It doesn't matter if the DNS entry has www. on it or not, the address is still owned by the same person and will get directed to a machine they specified (or nowhere).

Re:DNS needs improvment...

[IgnoramusMaximus]

Err, but this will not work if the web server on that host is using virtual website configuration, that is it has multiple sites tied to one (or group of) IP addresses. In many such cases the virtual sites are associated with the a full URL, such as "www.asus.com". So by going to "asus.com" you are not only not guaranteed to get the same site but even if you do the first link on that site might turn out to be an absolute one. And back you go to the broken "www" subdomain.

Re:DNS needs improvment...

Uh, yes it does.

----

The request:
GET / HTTP/1.1

Host: www.slashdot.org
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)
HTTP/1.x 301 Moved Permanently

The redirect:
Date: Sun, 08 Apr 2007 00:15:50 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
Location: http://slashdot.org/

----

note: I mask my user agent :P

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070310 Iceweasel/2.0.0.3 (Debian-2.0.0.3-1)

is a bit more information than I'd like to volunteer to most websites.

Re:DNS needs improvment...

[JWSmythe]

    The one that always annoyed me was Promise. That is, when I was still using their hardware. :)

    http://promise.com/ goes to a blank index page.

    http://www.promise.com/ goes to their real content page.

Re:DNS needs improvment...

[nuintari]

This is a whole lot different than what most sites do. Notice how you type www.slashdot.org in, but end up at slashdot.org? Yeah, the line "HTTP/1.x 301 Moved Permanently" means they redirect you away from the www, probably because a lot of us think the www is stupid.

Most sites are configured to accept either the www.domain, or just the domain. Slashdot is not one of them.

Re:DNS needs improvment...

[nevali]

Congratulations on being one of the hoards of people who artificially inflate IE6's market share stats (even if there are better methods than user-agent sniffing out there, they don't necessarily get used...)

Re:DNS needs improvment...

[Professor_UNIX]

Look up the Apache ServerAlias directive. You can alias as many alternate names as you want under the virtual host without creating a separate virtual host definition for that hostname. Technically either way would work, but it's just a lot less work.

Re:DNS needs improvment...

Shouldn't you be picking fights with people over whose coding style is superior, or who knows more about Star Trek?

Re:DNS needs improvment...

[ez76]

This is intentional and symbolizes the company's value proposition, the Empty Promise (TM).

Re:DNS needs improvment...

[IgnoramusMaximus]

That does not matter in this case.

The GP is insinuating that one can "always" go to the 2nd level domain instead to its "www" sub-domain and get to the website. I merely pointed out that in many configurations (specially large, multi-lingual sites) that is not true. If you alias the virtual sites you still haven't avoided the problem because only one of those can be aliased to "mydomain.com" (which in case of such large sites usually goes to the "Wold-wide" site which then asks you to select your country and then redirects onto "uk.mydomain.com" or what not).

All of this is further complicated by use of JavaScript on such sites which accesses all sorts of back-end URLs.

Re:DNS needs improvment...

[sulfur]

I don't think that there really are too many people who change their User-Agent to significantly affect global statistics. I, too, tried to strip off my Referer to enhance privacy and masquerade my User-Agent as Googlebot/2.1, however, there are just too many poorly written sites that are broken by design and rely on those headers. Once my list of exceptions sites grew beyond 10, I thought, "heck with it, it's easier just to leave it as it is."

Re:DNS needs improvment...

[cheater512]

Yeah but quite a few sites dont have a DNS entry for domain.com. They only have one for www.domain.com.
Pain in the ass.

Re:DNS needs improvment...

[deviceb]

ha.... it's nice to see somebody else wondering why a company like Asus can not set DNS right..

Re:DNS needs improvment...

[Dersaidin]

DNS is not the problem here. Servers just need to be configured more friendly.

Re:DNS needs improvment...

[totally+bogus+dude]

Then why don't they put an HTTP redirect on the server which hosts "promise.com"? They already have a web server there, after all.

I reckon it's that empty promise thing. Very deep.

Re:DNS needs improvment...

[Zarel]

That's not as much because they think WWW is stupid as just because of where "Slashdot" comes from: "http colon slash slash slashdot dot org" is supposed to be intentionally confusing, and adding the "www" detracts from the confusion.

Re:DNS needs improvment...

[StikyPad]

they redirect you away from the www, probably because a lot of us think the www is stupid.

Or because "slash-slash-slash-dot-dot-org" is more amusing/confusing than the www-prefixed alternative.

Re:DNS needs improvment...

[nuintari]

Yes this is true, the www does indeed kill the joke, but the www is still very stupid in case.

Re:DNS needs improvment...

[nuintari]

but the www is still very stupid in case.

s/in case/in ANY case/g

Don't drink and /. folks!

Re:DNS needs improvment...

[Big_Al_B]

The GP is insinuating that one can "always" go to the 2nd level domain instead to its "www" sub-domain and get to the website...

First, "www" is (usually) a hostname in a (sub)domain, not a subdomain itself.

Second, you are correct, it is technically possible that "http://www.example.com" and "http://example.com" serve different content. Clueful folks don't set things up that way.

Third, if "http://example.com" responds to HTTP GETs, it DOES usually serve the same content as "http://www.example.com", so you're probably being pedantic for little reason. Your assertion that the opposite is common isn't my experience at all.

Fourth, your replies obfusicate a few unrelated underlying technical concepts. You jump from using DNS for HTTP server name resolution, drop quickly through virtual hosting and land on serving dynamic content via client-side scripting--all at the high cost of context and clarity.

Fifth, on your freefall through all those concepts you implied that large multilingual sites are more prone to respond differently to "http://example.com" and "http://www.example.com". My years of (still purely anecdotal) experience indicate the exact opposite is true. Large sites with mult-national appeal tend to be better executed.

Re:DNS needs improvment...

[IgnoramusMaximus]

Sigh.

$host www.honda.com
www.honda.com A 164.109.25.248

$host honda.com
honda.com A 207.130.95.62
honda.com A 164.109.25.194

That's all I am going to say to that rant. You figure it out.

Re:DNS needs improvment...

[Big_Al_B]

Sigh. Now I said:

Third, if "http://example.com" responds to HTTP GETs, So let's give that a try then, eh?

$telnet www.honda.com 80
Trying 164.109.25.248...
Connected to www.honda.com.
Escape character is '^]'.
GET HTTP/1.0

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Fri, 13 Apr 2007 15:34:10 GMT
Connection: close
Content-Length: 34

Bad Request (Invalid URL)Connection closed by foreign host.

$telnet honda.com 80
Trying 164.109.25.194...
Connected to honda.com.
Escape character is '^]'.
GET HTTP/1.0
^]
telnet> quit
Connection closed.

Now...did I figure that out okay?

Re:DNS needs improvment...

[IgnoramusMaximus]

You are such a phony.

$ host honda.com
honda.com A 164.109.25.194
honda.com A 207.130.95.62

164.109.25.194 responds to telnet on 80 but it does not serve any web pages (which is clearly visible from your own "rebuttal" where you are bailing out with the telnet escape sequence after it timed out on you). Show the complete HTTP sequence. Or even get an HTTP error 400 to your request like you got with the actual honda site.

207.130.95.62 persistently times out even connecting, which you made sure to avoid showing.

Neither of the honda.com hosts is actually hosting a viable HTTP service (or they might be restricted to Japan based on IP ranges or some such).

Re:DNS needs improvment...

[Big_Al_B]

You are such a phony. Oh? How so?

164.109.25.194 responds to telnet on 80 but it does not serve any web pages (which is clearly visible from your own "rebuttal" where you are bailing out with the telnet escape sequence after it timed out on you). Pretty much my exact point.

I told you that 2LD name resolutions that reply to HTTP GETs usually reply with the same content as the "www" host in the 2LD, IF they respond to HTTP GETs at all.

Your example failed the "if" clause and my test indicated that. You confirmed it by duplicating my test and results. Thanks!

Show the complete HTTP sequence. Or even get an HTTP error 400 to your request like you got with the actual honda site. I showed the complete input and output of the only test connections I tried.

207.130.95.62 persistently times out even connecting, which you made sure to avoid showing Again, I showed you everything from my tests. What rhetorical advantage would I gain from hiding another case that just proves my point more completely?

Third, if "http://example.com" responds to HTTP GETs, it DOES usually serve the same content as "http://www.example.com"... Neither of the honda.com hosts is actually hosting a viable HTTP service Exactly. See how you failed to contradict me?

Re:DNS needs improvment...

[IgnoramusMaximus]

You are comically delusional.

The entire point of my original post was to contradict a dude who was claiming that "example.com" and "www.example.com" are always synonymous.

Following which I gave examples why they are, in many cases, not.

Then you roll in spewing spittle all over about how horribly wrong I am, moaning and bitching incoherently about third level domains being always host names and HTTP redirect requests.

So I show you a rather prominent site which does precisely what I was claiming.

Then you pretend it is not so.

So I demosntrate that beyond any doubt, leaving no room for you to wiggle,

And so in your desperation you now turn to some ridiculous sophistry about the meaning of "if". Something along the lines of: "If hosts do not fall into the frequently occuring cases which you described ... then .... then .... they do not fall into the frequently occuring cases you described!!! Aha!!! You failed to contradict me!! Gotcha!!! Be in awe of my towering intellect!! All look at my gigiantic intellect!!"

I must be a glutton for punishment even replying to this tedious drivel.

Re:DNS needs improvment...

[Big_Al_B]

Or...

I said you were wrong.

Then you tried to defend your position, but instead provided an example of a case I explicitly covered already.

So I pointed that out to you, using sound technical methodology.

Then you repeated my own point back to me, claiming it as your own.

Then I pointed that out to you, using exact and contextually relavent quotes from our previous exchanges.

Finally, the last threads of sanity left you flailing crazily at me, rather than at any point that I've made.

Here's the salient facts:

1) Unless the 2LD has NS records for "www", it's a host--not a 3LD. Usually it's a host.
2) Usually a responsive webserver fronting a 2LD responds with the same content as the "www" host for that 2LD.
3) Your example didn't contradict (1) or (2) above.
4) Your original claim--that (2) is untrue is itself the falsehood.
5) You hate being proven wrong so much it makes you irrational. That's pathetic.

Re:DNS needs improvment...

[IgnoramusMaximus]

I said you were wrong.

Which I was not, since clearly there are major domains where "domain.com" and "www.domain.com" are not one and the same.

Then you tried to defend your position, but instead provided an example of a case I explicitly covered already.

Since my position was only that such sites do exist, existence of even one example is sufficient. You did not "cover" anything since your rambling had nothing to do whatsoever with my point. And still does not.

So I pointed that out to you, using sound technical methodology.

Again, you tried to concoct some fake "evidence" in support of the various strawmen you have created by escaping a telnet session and hoping I won't notice. And then called the process of such fakery and pretense a "sound technical methodology".

Then you repeated my own point back to me, claiming it as your own.

You are losing it. My point is up there at the top of this thread, well above your rant. One would hope you did notice that this establishes the precedence quite clearly. Otherwise you need to take your medication now.

Then I pointed that out to you, using exact and contextually relavent quotes from our previous exchanges.

Err, you quoted yourself again, clearly hoping that by repeating your nonsense over and over you will somehow give it more weight. I do understand that you like the sound of your own voice and reading of your own scribblings but I have to break the sad news to you: neither does constitute "contextually relevant".

Finally, the last threads of sanity left you flailing crazily at me, rather than at any point that I've made.

I simply dismissed the whole of your pretentious, vacuous, self-centered, pointless and completely off-topic ramblings. And that of pathetic fakery. Which naturally would constitute "flailing crazily at you" in your delusional state. I am sure your doctor is also "flailing crazily at you" when he gently tries to talk you out of calling yourself Julius Caesar and out of demanding that your centurions report to you. As a matter of fact I strongly suspect that the entire universe is "flailing crazily" at poor, misunderstood you.

Here's the salient facts:

1) Unless the 2LD has NS records for "www", it's a host--not a 3LD. Usually it's a host.

Something I never denied but which would never stop you from manufacturing such a wonderful strawman out of. I mentioned a '"www" sub-domain' in passing as a reference to another point. I could have called it '"www" host'. Both irrelevant to the actual point I was discussing since the exact classification of the "www" was never part of the discussion and only served as something that you could latch on to dispense spittle. Or point out where I did otherwise. You cannot but yet your first post was "proving" me horribly "wrong".

2) Usually a responsive webserver fronting a 2LD responds with the same content as the "www" host for that 2LD.

More straw for men of straw. You do love them so. Remember, before you showed up to burn straw, I only claimed that "domain.com" and "www.domain.com" are not always one and the same. No mention of any "responsive servers" and the like. Or point out where I claim otherwise. You cannot but yet your first post was "proving" me horribly "wrong".

3) Your example didn't contradict (1) or (2) above.

It did not because ... wait for it ... I never claimed otherwise. Or perhaps you are having difficulty reading my original post? Or point out where I claim otherwise. You cannot but yet your first post was "proving" me horribly "wrong".

4) Your original claim--that (2) is untrue is itself the falsehood.

Re:DNS needs improvment...

[Big_Al_B]

To get this out of the way: the personal insults are a waste of your time and effort. I don't give even the slightest crap about your personal opinion of me. I just barely care enough about the technical discussion to continue this at all.

Also, if you'd stop trying to get your snark on long enough to read my posts properly, you would see that we disagree about some fine points in a fairly large swath of agreement.

Which I was not, since clearly there are major domains where "domain.com" and "www.domain.com" are not one and the same.

On this we simply disagree to the degree of commonality. That's it. You say "many", and I say "few".

Specifically, you said:

in many configurations (specially large, multi-lingual sites) that is not true.

And I said:

Second, you are correct, it is technically possible that "http://www.example.com" and "http://example.com" serve different content. Clueful folks don't set things up that way.

Third, if "http://example.com" responds to HTTP GETs, it DOES usually serve the same content as "http://www.example.com", so you're probably being pedantic for little reason. Your assertion that the opposite is common isn't my experience at all.

Moving on:

Since my position was only that such sites do exist, existence of even one example is sufficient.

Your position was that many such sites exist. So one example is not sufficient to prove your argument. I suspect that proving "many" is untenable, but feel free to try.

Again, you tried to concoct some fake "evidence" in support of the various strawmen you have created by escaping a telnet session and hoping I won't notice. And then called the process of such fakery and pretense a "sound technical methodology".

Sigh. The whole *point* of the escaped telnet session was to show you that the 2LD hosts didn't reply to HTTP GETs. Since that was my whole point, your assertion that I tried to hide it is just bizarre.

And regarding methodology, please explain how displaying different A records for the honda.com 2LD and its "www" host proved anything regarding what HTTP content they each served. Talk about fakery and pretense.

You are losing it. My point is up there at the top of this thread, well above your rant. One would hope you did notice that this establishes the precedence quite clearly.

Are you talking about that nonsensical ramble regarding virtual hosting? There's nothing coherent enough in that post to discuss, much less debate. My only reply to it would be, "What the hell does virtual-hosting have to do with whether there's matching DNS A records for a 2LD and it's 'www' host?"

Since the obvious answer is, "Very f'ing little," I didn't bother.

Err, you quoted yourself again, clearly hoping that by repeating your nonsense over and over you will somehow give it more weight. I do understand that you like the sound of your own voice and reading of your own scribblings but I have to break the sad news to you: neither does constitute "contextually relevant".

I quoted back sections of our discussion in a manner that left their context intact. And since you're either purposefullly or circumstantially obtuse, I had to repeat it several times.

1) Unless the 2LD has NS records for "www", it's a host--not a 3LD. Usually it's a host.

Something I never denied but which would never stop you from manufacturing such a wonderful strawman out of. [snip rant]

Christ man, a simple, "Sorry, I misspoke," would do.

2) Usually a responsive webserver fronting a 2LD responds with the same content as the "www" host for that 2LD.

More straw for men of straw. You do love them so. Remember, before you showed up to burn straw, I only claimed that "domain.com" and "www.domain.com" are not always one and the same.

Further evidence that ...

[Aminion]

... you don't have to visit porn, warez or shady sites to get your computer infected with all sorts of nastiness; "trusted" sites will just do.

Re:Further evidence that ...

[plague*star]

... you don't have to visit porn, warez or shady sites to get your computer infected with all sorts of nastiness; "trusted" sites will just do.

I suspect the actual plan was to infect all the people mis-typing "anus.com"

P*S

I heard rumors

that Investor Village was spreading some "updater.exe" the other day (via ads), so this might have been a bit larger than just the one site?

Re:I heard rumors

[bmo]

"that Investor Village was spreading some "updater.exe" the other day (via ads), so this might have been a bit larger than just the one site?"

It's spyware from an ad service. It's like those "Your computer is infected" ads on a Yahoo page.

The real carrier of the evil is dropspam.com, which pretends to be a spam filtering service. I fired up VMware and installed upgrade.exe out of morbid curiosity. The results are here:

Msg: 26529 of 26688 4/6/2007 6:57:44 AM Recs: 26 Sentiment: Not Disclosed
By: Boyle M. Owl Send PM Profile Ignore Add To Favorites
Posted as a reply to msg 26470 by sco_source_scam

Re: IV advertising malware? Dropspam.com

The tiny program is a downloader and installer. I have run it inside of VMware, the only way to run Windows...

It may be legitimate, but read on, and grok the implications of the license....

3. Licensee's Covenants
(a) The Licensee has read all information pertaining to the operation of the Software and expressly agrees that the Licensor shall be permitted to make any modifications, alterations and re-configurations to the Licensee's computer hardware and software including its email inbox and outbox as required for the normal operation of the Software, including but not limited to the re-routing of emails to the Licensor's server for the purposes of screening emails for spam and viruses and attaching a brief message promoting the Software to all out-going emails of the Licensee.

The licensor can kindly stay the fuck out of my computer, tyvm.

(b) The Licensee further agrees that the Licensor shall be permitted to send emails (Authentication Emails) on behalf of the Licensee to those email addresses which have been stored in the Licensee's computer or which appear as senders in incoming emails, for the purposes of authenticating these email addresses and providing the recipients with an opportunity to update the Licensor with additional authentic email addresses.

"We're going to examine your drive for email addresses, and then we're going to spam the shit out of your friends."

(c) If the Licensee wishes to delete or remove the Software for any reason, such deletion or removal must be carried out using either the program or software removal tool inherent in the Licensee's computer operating system including the Add/Remove tool provided by Microsoft® Windows, or such other similar program or software provided by the Licensor, which will be available to the Licensee through the Licensor's website. The Licensee acknowledges that if the deletion or removal of the Software is carried out by any other manner or by using any program or software other than those described above, the Licensee's email software or system may not be restored fully and/or may fail to start up and function properly, and as a result the Licensee may not be able to receive or send emails.

"Yeah, ya see, our program so severely fucks your system that if you try to remove us with something that might work, we'll break your smtp and pop3 server pointers."

As I wrote this, several other popups came up and want me to install shit. Ahahahah, I'm going to install all this and then I'm going to run a friend's malware scanner to see what it really does.

Ghod...this is what being a windows user is like?! I have forgotten!

--
BMO

Msg: 26531 of 26688 4/6/2007 7:18:35 AM Recs: 25 Sentiment: Not Disclosed
By: Boyle M. Owl Send PM Profile Ignore Add To Favorites
Posted as a reply to msg 26529 by Boyle M. Owl
Re: IV advertising malware? Dropspam.com

I do this shit so you don't have to...

Up until I installed upgrade.exe, the system was pristine except for an installation of OpenOffice and Opera....

BTW, this is just a _part_ of the log that goes on forever...

Checking system programs...

Checking Windows directory contents...
c:\windows\appupdate.exe: Version info not found (Suspicious)
c:\windows\ewwsetup.exe:

Re:I heard rumors

[MichaelSmith]

Anyway, this has basically made the (virtual) computer useless and annoying.

You should put the virtual disk under version control.

Re:I heard rumors

[bmo]

"You should put the virtual disk under version control."

VMware does that. To clean the virtual machine, you can pick any of the older images. I was asked if I tried uninstalling using the spyware company uninstaller and I said no. I picked the April 1 image out of a perverted sense of humor.
--
BMO

Re:I heard rumors

[quacking+duck]

The free VMWare Server only allows a single snapshot, so you can't "pick any of the older images," you can only take a snapshot before experimenting and revert if it fubars it somehow.

Not saying that bmo was necessarily using VMWare Server, of course.

Re:I heard rumors

[Architect_sasyr]

Just FYI: VMWare workstation (only have a windows installer, don't know if it runs on Linux) allows for any number of snapshots.

jpeg or png?

[MichaelSmith]

TFA:

up to no good pointing to another obfuscated javascript and a executable cloaked as a jpg file

Then:

Name: next3.png

So is next3.png the real exploit and are they using "jpeg" to mean an image file? Or is there a jpeg file involved here?

Re:jpeg or png?

[LiquidCoooled]

Does windows even care what the extension is?
It attempts to read a file (of whatever name) and uses the parser which appears to fit.
You can store jpeg data inside a file called *.png and vice versa.

not the least bit surprised

[Indy1]

Most of the motherboard oem's use IIS for their web sites. They tend to be incredibly slow, go down all the time, and often render poorly (or not at all) on anything other then IE.

All signs of poor admins.

Re:not the least bit surprised

[GeRM_007]

I was on their site last weekend, looking for a new BIOS and drivers. Their support web server was completely down. I called up to complain, and their tech support told me that they are aware of it, and have been having problems with it for a couple weeks now as they are changing their infrastructure. A couple weeks!!! Even their tech support couldn't access it, or even tell me what the BIOS version number was. This compromise is probably a result of an incorrectly configured server, which is a result of incompetent admins. All this results in them losing me as a customer. Good riddance Asus.

Re:not the least bit surprised

[LordLucless]

"and often render poorly (or not at all) on anything other then IE"

Because that has a whole lot to do with the admins, or the webserver they run...

Re:not the least bit surprised

[Beryllium+Sphere(tm)]

At least it's IIS 6, according to NetCraft.

Re:not the least bit surprised

[dillee1]

Besides from the shortcomings you have just mentioned, many of these chinese/taiwanese sites are infested with flash. Some put a flash page right as front page with no escape link. Some even have the whole site completely flashified and offers no html alternative.

I browse these sites to look for new product or support, not wasting my bandwidth watching stupid animation. Usually I exit right the way when seeing a site like this. I can't trust anyone's product if they can't even get their website right.

Re:not the least bit surprised

[jez9999]

Asus have a support department??

- Disgruntled Asus customer

Re:not the least bit surprised

[Ilgaz]

Most of the motherboard oem's use IIS for their web sites. They tend to be incredibly slow, go down all the time, and often render poorly (or not at all) on anything other then IE.

All signs of poor admins. I have always wondered if it has something to do with "being nice to Microsoft".

You know, if Microsoft wants to mess with your Intel or AMD motherboard they sure can. After your sales dip, they would happily release a patch saying "apologies".

One of those poor admins killed my motherboard by putting wrong BIOS update back in the day. That is the same company "invented" a true safe (dual chip) BIOS a bit later. That made me bitterly smile when I heard.

Windows is unfit for business uses.

What this actually shows is that Windows is unfit for business uses. Even when using their top-end Windows Server products, it's obviously a very poor choice. Between the great expense, the low quality and the numerous security problems, there's no good reason to be using it.

I can think of one reason why a company would go with Windows-based systems: ignorance. This includes ignorance on the part of the network designers and administrators, who do not stand up and demand to use Solaris, Linux, HP-UX, AiX, FreeBSD, Mac OS X or some other system. This also includes ignorance on the part of the management team that is authorizing the purchase and use of such software.

Re:Windows is unfit for business uses.

[toadlife]

So what exploit in IIS6 do you think let this hack happen?

Re:Windows is unfit for business uses.

[earthforce_1]

Unfortunately, it becomes a chicken vs. egg problem - critical apps that only run under windows, ergo they need windows. And they need windows because all of their customers are using windows, so.....

Convincing your CEO or CIO to switch to FOSS (even if they would dearly love to) is like convincing a hard core gamer to drop microsoft. They will do it the day WOW or Everquest or runs flawlessly under Linux.

Re:Windows is unfit for business uses.

[PPH]

What sort of Windows-speific app do you think Asus has to run on their web servers? All they are doing is distributing divers, technical specs and product literature. From the point of view of a Unix/Linux/Solaris system, these are just binaries and the web servers could care less about the contents.

This is one of the problems I've seen repeatedly with CIOs who have been brought up drinking the Microsoft Kool-Aide. They've never bothered to question the 'one size fits all' sales pitches.

Re:Windows is unfit for business uses.

http://www.securityfocus.com/bid/8244/info
http://www.securityfocus.com/bid/18858/discuss
http://www.securityfocus.com/bid/15067/discuss
http://www.securityfocus.com/bid/13873/discuss

Pick one?

Re:Windows is unfit for business uses.

[toadlife]

None of those are likely, though bad admins make anything possible.

Asus Site Is Always A Mess Anyway

[chromozone]

Many people who like Asus products know the Asus website is awful. No problem on that site would come as any surprise to anyone who goes there for updates or information. I'm glad it's no big deal this specific problem but that is still one dodgey site that needs TLC quite desperately.

Re:Asus Site Is Always A Mess Anyway

[madclicker]

I second that. They use M$ ftp servers with download speeds of 7MB per second. They have an issue since 2000 and never been able to fix their website. What a shame for a company that deals with technology. The funny thing is on their download site they have four locations like: Global, USA, China, Europe, Japan, but all are coming of the same subnet. Morons.

Re:Asus Site Is Always A Mess Anyway

[jandrese]

Yeah, their website is atrocious and they don't seem to care. That's unfortunately not uncommon among motherboard manufacturers.

Re:Asus Site Is Always A Mess Anyway

The funny thing is on their download site they have four locations like: Global, USA, China, Europe, Japan, but all are coming of the same subnet. Morons.

This has nothing to do with networking. These subdivisions serve different markets where the demand for each product is different.

Re:Asus Site Is Always A Mess Anyway

"they have four locations like: Global, USA, China, Europe, Japan,"

Maybe I counted wrong (preschool was a long time ago), but that looks like five.

Re:Asus Site Is Always A Mess Anyway

Uhm, maybe 'Global' not being location as in all of it? Whatever...

Re:Asus Site Is Always A Mess Anyway

[Fred_A]

That's actually how you can tell you've got the right website and not some kind of domain squatter's scam that was quickly setup on a Linux/Apache server on the Azus.com (or whatever misspelled motherboard maker) domain. I personally find it to be a convenient feature.

Advice

[MindStalker]

Ok, friday I reinstalled a Asus laptop. While applying updates I was downloading asus drivers. Should I be concerned that I visited their site without a fully patched system? I hate to do it all over again? Any suggestions in how I can tell if I was infected.

Re:Advice

[lavid]

Isn't "installing a laptop" just plugging in the power supply / battery?

Re:Advice

"The script at the time we looked at it was obfuscated and leads to a VBscript"

so only IE users need to worry.

Re:Advice

[miscz]

Why should you be worried? Oh, you might be using Windows... then yes. But then again you should be worried the moment you plug in the ethernet cable. BTW, it's safe to turn off Security Center service, just memorize "your computer might not be safe", SC sometimes is wrong and says you're OK.

Yup, it's a troll, but I just can't resist having fun at expense of Windows users :)

Re:Advice

Did you check the digital signatures of the drivers that you downloaded?

Re:Advice

[Plutonite]

If you visited their website using IE then yes (and insert a lot of jeering here for using IE) be very concerned. Firefox is immune because it's the IE rendering engine that is exploited.

That said, your file explorer on windows also uses the said engine, so any files you download are a threat as soon as you browse to their location. If you have put these files somewhere you know of, try using the windows shell to move them into a directory you don't like to go to very often. Then wait until spyware/anti-virus removers get updated and you are "safe".

Re:Advice

Some links about this ASUS bit:
writeup&discussion in french
another writeup, this one's in english
siteadvisor mention
dynamoo blog mention
ithome-tw blog mention

Obviously, don't go to the URLs of the unsafe sites (which are mentioned on a few of these pages) from a vulnerable browser/platform. Be warned.
-os

It's not just the admins.

Yes, the admins are to blame. Even as Windows administrators, they should be advocating the use of Solaris, Linux, AiX, HP-UX, FreeBSD, Mac OS X, or some other non-Windows system. Why is that? Because those are secure, reliable, efficient, high-quality operating systems. If the admins don't advocate the use of such systems, and instead suggest Windows, then they are not performing their job correctly. They should be relieved of their duties.

But we can't blame just the admins. We also have to blame the network designers and integrators who actually put such systems into place. Again, if any of them recommends the use of Windows, then they are not performing their job correctly. They should be relieved of their duties.

Furthermore, we also have to blame the management that allows for the purchase and installation of those Windows systems. They should know by now that Windows is not the sort of system that should be used for any purpose whatsover. Again, any manager who in any way authorizes the use of Windows is not performing his or her job correctly. He or she should be relieved of his or her duties.

Re:It's not just the admins.

[sumdumass]

lol. just because windows ships less secure then any of the others OSes doesn't mean that have to stay that way. I have some very secure windows systems that have been running trouble and update free for quite a while now (two years for one).

Now I'm just as much an open source fan as anyone here. A linux box probably would have been a better system to use the a windows one. But there is no technical reason that windows couldn't be used in this way and be just as secure overall.

I dont trust that website anyway

It is slow, poorly designed, and hard to navigate. I have seen recent software/firmware updates appear, then disappear later. These ghost software updates dont work at all or cause problems.

It's not a DNS error-- it's a html page error

[postbigbang]

The Kapersky source material is poorly written. Dig was used to compare DNS servers, but the actual problem was a round-robin home page with outreaching code with little presents inside. At first glance, it sounded like a DNS exploit but it's not-- it's a good old fashion page re-write. DNS has nothing to do with it.

Re:Just assume you're infected.

[Aladrin]

As much as I hate to agree with a troll, he's partially right. It's best to assume you have been infected. Even if all the current anti-spyware doesn't find it, that doesn't mean it won't pop up soon. We don't know enough about this malware to identify what it is and if you have been affected, apparently.

On the other hand, the troll is pretty much wrong about everything else, including "Furthermore, if you use WINE you can run virtually all of your existing Windows applications and games." I have been trying to get windows-based games to run for quite some time, and with the exception of a few favored games (WoW) and some old ones that were really simple, not much works at all, let alone with hours of tweaks. (Actually, I don't even own WoW, so I could be wrong about how well it works as well.)

I'm shocked... SHOCKED!

[Excelcia]

How dare their web site go down when I need a driver? How dare anyone ever have a problem they don't know how to solve in sufficient time to deal with my selfish and entitled demands? Their tech support exists (solely, I might add) to tell me the bios version I need. So bye bye Asus, I consign you to the ash heap of history while I move along to a company that forces its developers to blog for me, whose support staff reads my every web site comment (including the ones on third party sites), and that spends every last dollar it has on server infrastucture. Of course, I don't particularly care that this company will be out of business in no time, because there are a constant influx of new companies who are willing to lose money for a year and fold.

And to top it all off... BAH HUMBUG!

Re:I'm shocked... SHOCKED!

[zippthorne]

To be fair, he shouldn't have to wait three weeks to get a stupid tech support question answered or download a driver. They should have some kind of backup plans in place (or make a new one up, with a three week window, there's even time for that) in the event that the website is going to be down for that long. Especially if they know it's going to be down for that long.

Three weeks is a long time for a total tech support blackout.

Re:I'm shocked... SHOCKED!

[pipingguy]

Not trying to be an asshole or anything, but DARPA invented the net so that there would be no un-recoverable points of failure.

Learn how to do stuff without having to rely on computers.

Re:I'm shocked... SHOCKED!

[Achromatic1978]

For the longest time, I loved my Asus notebook (A7Vc). Heavy fucker, but great. 1.86GHz Pentium M (It's 18 months old), 2GB RAM, 1440x900, ATI Mobility Radeon x700, integrated HDTV. Lots of nice stuff.

But it hasn't seen a driver update from Asus in coming up on a year. Not a single Vista driver? For a notebook that was one of your top-of-the-line models (yeah, yeah, I know time moves fast)? When there are HUNDREDS of posts on your forums about the integrated webcam breaking EVERY video input software under Vista, including but not limited to said webcam itself, HDTV tuner, Windows Media Player and Quicktime.

Fuck you, Asus. My employer gave me a Sony Vaio. It's nice. It's a lot newer, sure, but at least its manufacturer (for all their evils) have updated drivers in the LAST TEN MONTHS.

Re:I'm shocked... SHOCKED!

[Flendon]

Asus is known for their site being down for days at a time, having horrendous javascript, and often breaking in firefox. They are also known for having an unresponsive customer service. The most common answer you get is "look at our forums", yet their own forums indicate the problem is known and unresolved. To pick just one issue I've had with them as an example, due to their buggy firmware my DVD+-RW was recognized as a CD-R for over a year before they finally fixed it, with hundreds of people claiming the same problem. And, even then the firmware update could only be installed using a floppy drive (in 2006!) and required a third party bios flasher. No, this is par for the course with Asus and I laughed when I received my ISC newsletter.

Re:I'm shocked... SHOCKED!

Their tech support exists to tell me the bios version I need. So bye bye Asus,

The customer is king. If a customer is not happy with the services provided by a company, the customer is right to say bye bye to the company. The customer does not have to ask politely for services from the company, the customer has paid for services. The company should politely ask what it can do for the customer. And again, if the company does not want to provide the services, do not be surprised when the customer walks away to another company who wants to.

SANS DID find evidence of an ANI exploit:

[I)_MaLaClYpSe_(I]

From isc.sans.org:

UPDATE #2: That second javascript referred in the vbscript above didn't decode, it seems it's just not encoded right, but when decoding the string with a plain base64 routine, it does decode to what leads to an ANI exploit. You never know what a buggy script and a buggy browser do together.

Use the force?

[GFree]

I'm running Linux right now. If I go to the ASUS site and view the hacked iframe or whatever, will it be like Yoda fighting whathisname where he absorbs the Force Lightning and throws it back at his opponent?

It'll be like: .ANI: Woah, wtf is this shit!
Linux: I ownz you d00d! .ANI: AHHHH!

ASUS.com gets knocked off-line.

That'd be righteous. Or I could lay off the rum.

Re:Use the force?

[guruevi]

Have you ever used the ASUS website? Any of their websites (the US, the European or the Taiwanese one) is always down, or slowed down to a crawl. It's nigh impossible to get anything (let alone information or drivers) from there. I used to surf around for minutes searching other sites to download their shite and their page was still coming in at 1k/s and they seem to have a 3MB large page.

So yeah, it's already off-line, slashdotting it is not going to help a lot.

Re:Just assume you're infected.

[644bd346996]

In other words, that AC was not a troll, just an AC preaching to the choir. Your description of your experience with WINE is not the norm these days. But we don't know the extent of your problems because you don't name any apps that don't work. WINE is an appropriate substitute for many people.

Don't worry!

[Cylix]

Have you actually tried to use their servers?

They are so unbelievably slow and unresponsive you have to use the .tw version.

I don't remember always having those problems, but in the last few years it seems they have not grown to meet the demand.

I think this should guarantee safety for more then a few of us who gave up going back there.

Re:Just assume you're infected.

I have been trying to get windows-based games to run for quite some time, and with the exception of a few favored games (WoW) and some old ones that were really simple, not much works at all, let alone with hours of tweaks.

What games aren't working for you? Remember, just because you can't get it working doesn't mean that it doesn't work just fine for other people. Instead of mislabelling me a "troll", perhaps we can work through your problems with WINE.

The first thing you should try is installing the latest version of WINE, which is currently 0.9.34. It would help if you gave more details about your system, as well. What version of X are you running? What OpenGL implementation do have installed? What version of GCC are you using? What distribution are you running?

Only website affected?

[AndrewM1]

I'm surprised that whomever managed to crack into ASUS's servers only inserted malevolent HTML. Imagine the utter destruction they could have caused if they had *enhanced* the firmware downloads with some sort of (probably boot-sector) virus, or simply modified them to destroy the motherboard... *Shudder*

Why wouldn't they? Are the file images stored separately or otherwise better protected?

Re:Only website affected?

[Durzel]

No money in it, for starters.

The people involved in doing things like this are more than likely part of groups who seek to make money by "selling" comprimised hosts to the various other nefarious computing industries like spammers, etc.

Not to mention of course that modifying binary code, especially BIOS firmware, etc to do the sort of thing you suggest and still actually function is very difficult indeed. Chances are the people who altered the Asus site could've easily used script-kiddy proof-of-concept exploits for both the ANI vulnerability and whatever it was that got them onto the webserver in the first place.

Re:Only website affected?

[m50d]

Imagine the utter destruction they could have caused if they had *enhanced* the firmware downloads with some sort of (probably boot-sector) virus, or simply modified them to destroy the motherboard... *Shudder*

Why wouldn't they?

There's no money in utter destruction. They want the infected machines alive and well and sending out spam - and doing that from the bios code is too much effort.

My experience with Asus

[EkimAW]

I needed to reinstall windows on a box so I went to the Asus website to see if it felt like working today. It was slow as hell as usual but when I finally got to the page for my mobo the links to where the drivers were actually hosted were completely broken. I tired again the next day and still the same thing. I was kinda pissed because I've bought a lot of Asus mobo's as well as several Asus video cards and their website has always sucked but now it's totally non functional. I know all the stuff I need (realtek audio, marvel nic, intel chipset, and the RAID drivers) but it's a pain to track all that down separately and be sure your installing the right stuff. I'd have used the original CD but it was lost in a move. So I phoned Asus support (long distance, no toll-free or LD plan), waited on hold and politely explained the problem I was having with the website and that's it's a chronic problem. So he asked what drivers I needed and I said I needed drivers for my model number (which I gave him, can't remember it now). He then pretty much screamed at me which DRIVERS I needed (like I'm an idiot or something) so I said all of them. I thought it was understood that when reinstalling (which I had already said I was doing) it was implied that one needed the drivers for all the hardware on the board. So then a long pause (checking the website I assume) he started mumbling where I could get a some of the drivers (from non-Asus websites) and said I'd have to wait for such and such. He claimed the problems with the website were due to upgrading for Vista, yea right but I went along. I explained that it really wasn't acceptable to me to have to wait for drivers on my primary computer (my system was non-functional, almost) and asked if there was some other way he could provide me the drivers. I suggested FTP or email. He said he didn't have access to that so I asked if I could speak with a supervisor. After uttering the S-word I was quickly put on hold and then disconnected about 5 min later. All at my expense for long distance. So now I was really quite angry so I phoned back, waited all over again. I didn't raise my voice or curse (just as before) and was as polite as I could be to the next person I talked to. I explained I had just been hung up on by someone else and the person took my name and phone number. I'm not sure what for but I gave it anyway. Then after I explained the problem he gave me a email address I could contact and that they'd email me the drivers within 24 hours. I really needed my computer working so I didn't end up bothering and found the drivers elsewhere on the net. But anyways, my rants pretty much over and my main point is I'm not buying anymore Asus stuff until they fix their website. There's lots of other companies that make just as good mobo's AND are able to host drivers reliably. It really is an important part to the overall product offering and I can't see why a company the size of Asus can't pull off a website that works.

Re:My experience with Asus

[lintux]

Do you also have an Asus keyboard?

Does it have an Enter key? ;-)

Re:I heard rumors (insight please)

[lightversusdark]

But to diff the directory tree?
Quickly?
There must be a tool that does this..

no-www.org

Thought you might appreciate this.

Have you netcrafted them?

[SmallFurryCreature]

They run Windows 2003. Just about says it all doesn't it?

On the other hand, I recently following some live changing events I had to work with three different machines in getting them back up and working. A HP kayak early P3 generation, a self built asus P3 (both dual) and a g3.

Can you guess from wich site I had the least problem getting info?

Yeah the apple site was fast, and constantly telling me about OS-X while the actuall bloody machine ran 8.6, HP had retired much of the data leaving only ASUS to still have all the relevant data simply online. Slow yes, but available without jumping through hoops.

Asus website is a horror, let there be no mistake about that, BUT they do have a track record of keeping all data online and easily accesiable and not constantly trying to sell you something new when looking up info about old stuff.

So let me summarize

[SmallFurryCreature]

You bought a cutrate product and expect firstrate support.

Mmm, do you have any idea how much tech support costs? Do you have any idea for that matter just how little margin there is on products like this?

They just don't want to do personal tech support because it eats away their profits like you won't believe.

Oh, and if you know your device, you can easily find it on their site and then find all the drivers you need.

It is slow as hell, to be sure but you cannot fault them for you not being able to find the required drivers.

No you sound like the typical customer who buys a lada but expects a roll-royce style customer support.

Ain't going to happen, and Asus knows this. They have done it this way for long enough for people to know better and they are still in business, because people like me know and accept the trade-offs.

Re:So let me summarize

[brouski]

That's interesting. I've always seen Asus as a high-end performance enthusiast mainboard manufacturer.

Re:So let me summarize

[EkimAW]

It was the first time I've ever called customer service for any piece of computer hardware (besides a few hdd's, which died within warranty). I don't really want human customer service... I'm totally capable of taking care of myself and finding the drivers elsewhere, which I did as I said. I just think they should fix the support section of their website or take it off-line so customers know they don't offer that kind of service (which they basically don't). It's annoying to hunt down the drivers. You don't think so it seems but I disagree. For example I go with low end Nvidia cards over ATi in the systems I've built for myself and others for no reason other then I've always liked their unified drivers and easy setup. They're not for gaming so it really doesn't matter. That service is part of the product. Also it's a really cheap service to provide. How much would it really cost Asus to get whatever they need (be it hardware, bandwidth, or developers) to make a few improvements?

Re:Just assume you're infected.

[someone1234]

Yeah, wine cannot even run simple mfc applications correctly. It is good as an ad-hoc substitution, but not a real solution. An example: fixme:richedit:RichEditANSIWndProc WM_STYLECHANGING: stub fixme:richedit:RichEditANSIWndProc WM_STYLECHANGED: stub fixme:richedit:RichEditANSIWndProc WM_STYLECHANGING: stub fixme:richedit:RichEditANSIWndProc WM_STYLECHANGED: stub fixme:richedit:RichEditANSIWndProc ECO_AUTOWORDSELECTION not implemented yet! fixme:richedit:RichEditANSIWndProc ECO_NOHIDESEL not implemented yet! fixme:richedit:RichEditANSIWndProc ECO_WANTRETURN not implemented yet!

The iframe issue

[malkir]

I read another commenter talk about how Chinese hackers (given away by the characters) overlapped his entire companies web browsers with iframes and used clever java to capture every keystroke and input, could this be somewhat related? Sorry, didn't RTFA

Re:Just assume you're infected.

[Aladrin]

I'm running 9.33, and 9.34 does solve one of my major issues. (The cursor for Guild Wars.) I'm running Kubuntu and I'm just waiting for the package to update so I can have that. It still has major sound issues, and locks up, though. (I tested with wine-git.)

Morrowind runs, but has no music because wine refuses to play the mp3 soundtrack. Playable, though, I admit, once you use a no-cd patch.

And there's my biggest complaint: You HAVE to use a crack on most games to even get them to start up. There's been patches offered to workaround safedisc, but they aren't even accepted so that people can help work out the bugs in them. They are just flat rejected.

Sid Meier's Alpha Centauri is the one I wanted to play so badly, but I went looking for my CD the other day and I've apparently lost it. I'm not going to purchase another for Windows because I have GameTap (which doesn't even -begin- to work with Wine) and it's in their library. And the Linux one is impossible to find, even on Ebay.

Other games: Rama (Which plays, except the video skips ahead quite often and you miss important information in videos), Pandora's Box, and Septerra Core. The last 2 don't play at all. I have apparently lost quite a bit of my game collection, so I can't test some of my other favorite games like Black & White and all the Quest for Glory games.

FTP

[svallarian]

remember when companies would just have an FTP site (sorted by product model) that you could get in and download the drivers you needed?

Progress, I tell ya, progress.

Re:FTP

[Ilgaz]

remember when companies would just have an FTP site (sorted by product model) that you could get in and download the drivers you needed?

Progress, I tell ya, progress. I bet IE horrible FTP support was one of the reasons. Remember how pathetic IE 4 handled FTP protocol mounting FTP servers to desktop creating totally confused users?

In fact OS X Safari made same error and recent webkits show they moved back to Netscape style FTP browsing.

Re:just a test

no but i wish you were you fucking cunt

What's Asus Doing to Notify Site Visitors?

I was just out on the Asus site and there are no warnings or notices about this event. What happened to corporate responsibility? They've potentialy distributed malicious code to thousands of people who are likely this minute getting their identities stolen and bank accounts drained without so much as a notice on their site.

Asus will never get my business, that's for sure!

Re: www as subdomain, Huh?

[Douglas+Goodall]

www is a host name within a domain zone, not a subdomain. It COULD be done that way, but the domain zone data would be very different...

What's your issue?

[Grendel+Drago]

What would anyone have against the American Nihilist Underground Society?