I woke up today around 4 AM when one of our cats jumped on my stomach.  By now, it’s a pounce and jump operation because he knows if I catch him, I’ll throw him across the room and bounce him off a wall.  So he pops up from the floor to the window pane, pounces on my stomach from above my head, then flies off the bed, all in less than one second.  It’s an effective technique to wake me up, not so good to persuade me to feed him.

Some days, I really don’t like cats.

Since I was awake, I staggered out to the other room to do some computer work.  As I sat down in front of this Windows 7 system, I saw a window on the screen that made my blood run cold.  There, right in front of me, was a window telling me this computer had several virus infections and a “click here” button to clean them all up.  I lost count of the number of fake AV systems I’ve cleaned over the years, but this one was right here at home.

Fake AV, or fake antivirus, is a great scam.  Here is how it works:  Vicki the virus author decides she wants to make some illicit money.  So Vicki writes an evil program that pops up a window on a computer screen with an alarming and official looking message about dozens or hundreds of viruses found.   But the whole thing is a lie, designed to entice naïve users into giving up sensitive information.

Vicki will probably craft her program to display a reassuring ”Click here” button with a promise to make it all better.  When the user “clicks here”, her program will probably prompt for a credit card number, with the promise of a $24.95 download to take care of all the problems.  When the user enters the credit card number, the program will send the data back to Vicki, and Vicki can either have a great shopping spree at the credit card holder’s expense, or sell the credit card number in an underground market.

Vicki’s program may also leave behind a key logger or other malicious software designed to track user mouse clicks and keystrokes and send the results back to Vicki.  Vicki can mine this data at her leisure, stealing anything of value she wants.

It’s serious business.  If you “clicked here” for one of these programs, and especially if you gave a credit card number, stop reading this right now, call your credit card company, and cancel the credit card.   Also call your other credit card companies and your bank and sign up for a credit watch service.   Pull your computer off the Internet and have a trusted professional thoroughly clean it.  Don’t mess around with this – identity theft can make your life miserable for the next several years.

But Vicki has a distribution challenge – how does she distribute her evil program to millions of potential victims?  Enter many of today’s popular news, weather, sports, and gaming websites.   These sites make money by selling ads.  When a user visits, say, www.espn.com, that website will also download several banner ads from all over the Internet.   Those ads do not come from ESPN, they come from advertisers who pay ESPN.

So when you visit the ESPN website, you also visit several other advertiser websites who display their ads in areas ESPN assigns.  Any one of these can download programs to your computer for, say, displaying animation, touring the advertiser client products, or displaying a popup window claiming you have dozens of virus infections.   ESPN cannot possibly vet all its potential advertisers and must depend on the advertisers to keep their own websites clean.

I purposely picked on ESPN because ESPN had a well documented incident a few years ago, but all websites that sell third party ads have the same potential issue.  If any one of these ad websites are compromised, and that ad happens to display on your computer, your computer is in danger.  From the users’ point of view, it’s like a game of Russian Roulette.

From Vicki’s point of view, there are hundreds, maybe thousands of these ad websites.  Vicki only needs to find one with poor security so she can inject her program and make it act as an unwitting distribution point.

Vicki no doubt subscribes to an automated underground service that constantly probes these websites, looking for vulnerabilities.  When she finds an eligible candidate, she injects her payload, compromises the website, and sits back and waits for the credit card numbers to flow in.

Vicki’s evil payload eventually found its way to one of my computers when my wife visited an Internet game site the other day.

If you find such a program running on your computer, do not immediately shut down and reboot – this will generally trigger these programs to deliver their evil payload and they will own you after the reboot.  Instead, launch your Task Manager, find the offending process, kill it, find the offending program on your hard drive, delete it, then do a thorough virus scan using a reputable tool.  Or call me and I’ll guide you over the phone.

Curiously, this fake AV program was a little different than most.  This one claimed it was a Norton virus scanner and a quick trip into my Windows Task Manager found a process named nss.exe.  NSS.exe is, in fact, the name of the free Norton Standalone Scanner.  But in this case, it was an evil program pretending to be the real nss.exe.  I killed it and the fake AV window went away.

Next, I searched my hard drive for any file named nss.exe.  I found two occurrences, both in folders with Norton in the name, under C:\Program Files (x86).  Looking at these folders, I found dozens of .DLL, .exe, and other files.  This was definitely not a typical virus scenario.  Most directories containing malware programs have a single, hidden program with a random name.  This one was different – this one went to a lot of trouble to look like a real Norton installation.  The creation date for nss.exe was May 7, 2013.  The creation date for the directories I found were from July 28, 2013 at 5:39 PM.  The time as I write this is around 4:30 AM on July 30, 2013.

This gets even more interesting.   Looking at Control Panel…Programs and Features, I found references to two packages claiming to be Norton virus scan tools.  When I right-clicked and selected the “Remove” option, a new window popped up asking me if I wanted to install the Norton virus removal tool.  I also heard my hard drive rattle a little bit, suggesting to my paranoid mind this virus may have delivered its payload.

Nice try Vicki, but you failed to solve two problems:

1. I never installed anything from Symantec or Norton on this computer, although it’s possible my wife may have done so.
2. Even if somebody else installed this stuff without my knowledge, why would a removal option instead prompt me to install something new?

I think, with help from my wife,  I stumbled across a new variation on an old theme.  I’ll bet a zillion dollars, this is a particularly sophisticated fraud.  I think my hypothetical Vicki ripped off the Norton Standalone Virus Scan installation and replaced the main program, nss.exe, with an evil program of the same name.  It probably found its way to a compromised ad website, where my wife inadvertently downloaded it from the free Internet game site she likes to visit.

To be safe, I did a System Restore and restored that system to its state 4 days ago before the last Windows Update, or 2 days before the fake Norton installation.  After a reboot, Control Panel…Programs and Features no longer shows anything claiming to be a Norton product.  I deleted the offending directories and started up a full virus scan in another window using a popular tool named Malwarebytes.  The scan took one hour and 14 minutes to finish and I am pleased to report this desktop is clean.

With hindsight, I probably should have taken some screen shots and quarantined those directories so I could present it all in this blog post.   But, just like most users, this desktop is a tool and I need it up and running.  I didn’t think about documenting it all until after I removed it.

For my non-technical friends, the moral of all this?  Just like with your car, be on the lookout for unusual behavior.   If your car flashes the “Check Engine” light or exhibits unusual behavior, you look into it, right?  If your computer starts to act differently, you should also look into it.  Call me or Contact Us if the problem looks complicated.  You have important data inside that computer and believe me, you do not want criminals across the Internet messing around with your identity.

For my more technical friends, I think the malware arms race just ratcheted up a notch.  This looks like a new level of sophistication.  Watch out for variations on this theme as Vicki’s friends craft other pieces of malware to imitate other free virus scan products.

Vicki found the wrong user to mess with this morning.  Hopefully, you can also stop Vicki and her friends cold when their programs try to invade your computer.  Be vigilant.

I just finished wading through 471 new comments from the past 3 days on my blog post from late March titled, “How to spot a phishy email”.   The good news, I guess, is my blog post found its way onto the search engines and is getting some visibility.  The bad news – every single one of those 471 comments, along with nearly all the hundreds of comments before it are automated spam solicitations.  The overwhelming bulk of those are for drugs of some kind.  Ambien and Tramadol seem popular.  I have no clue why.

A few comments are designed to stroke my ego.  This one is typical, coming from IP Address 83.49.115.185 somewhere in Spain:

Its like you learn my thoughts! You seem to understand a lot about this, such as you wrote the e-book in it or something. I feel that you simply could do with some percent to force the message home a little bit, however other than that, this is magnificent blog. A great read. I will certainly be back.

Notice how the text is highly complimentary and also vague.  The email addresses are always from Hotmail or Gmail or Yahoo or one of the other free services, and the names are always random characters and numbers.

I am an advocate of open and vigorous discussion and I participate in several technology forums and email groups.  I contribute lots of comments and I help others troubleshoot problems online.  I like to think that’s what community is all about.

But here, on my own website, I find I am wasting time wading through drug and porn and SEO pitches and evaluating whether each comment came from a real person or a spambot, and whether the comment is even remotely connected to the subject matter.

This is not what community is all about, this is a few parasites trying to freeload and use my website to sell their questionable and illegal junk.

I’ve had enough.  I am turning comments off.  My time is too valuable and I’ve worked too hard to build a high quality website and blog to allow runaway spam to consume my time.  If you want to sell drugs and porn and questionable SEO over the Internet, you’re not welcome here.  Shoo.  Go somewhere else.

If you are a real person reading this and want to weigh in with an opinion or comment, even a hostile one, then  fill out the Contact Us form.  If it’s on topic, I’ll post it and give you credit for it.

In part one of our computer detective saga, the story opened with a few users unable to access their emails. Similar to a Hollywood detective story, we followed the clues through several unexpected twists and turns, with each clue answering questions and generating new questions.  Continuing in the style of great whodunit detective mysteries, we eventually uncovered the culprit, a rogue DHCP server.  This changed everything.

And now the conclusion.

DHCP – Dynamic Host Control Protocol – is the reason we can connect our laptops and tablets and smartphones to the Internet.  DHCP servers assign all the attributes our devices need to enable communications.  Think of the Internet as similar to the telephone network, but with one important difference.  In the telephone network, your phone number stays the same no matter where your phone travels. On the Internet, an IP Address defines your device.  But unlike phone numbers, IP Addresses change, depending on where your device is located.  That’s why we need DHCP servers, to assign IP Addresses and other attributes to devices when they attach to an office network or the Internet.

Here is how DHCP works.  When you connect your device to a network, your device sends a broadcast to anyone on the local network who will listen.  It’s essentially a cry for help.  (Help!  Load me with what I need so I can talk to the world.)  The DHCP Server listens to the broadcast and downloads an IP Address and other attributes to the requesting device.  This is called an IP Address lease, and the lease expires after a settable amount of time, called a TTL (Time to Live).  Once the device acquires its IP Address lease, it can interact with the world.

DHCP is a thing of beauty when set up properly and works so well, only a few hard-core IT people think about it anymore.  Except when things go wrong.  And one of the worst things that can go wrong is a rogue DHCP Server wreaking havoc on the network.  When this happens, random devices get the wrong attributes and lose all ability to communicate.  Depending on how long the lease TTLs are set, sometimes the passage of a few hours can cure the problem, or sometimes make it worse.  The problem can “hop” from device to device as leases expire and new leases come online.  Sometimes devices can end up with duplicate IP Addresses that come and go and interfere with communications.  This can be maddening to troubleshoot.

The usual culprit in an office network is a wireless router somebody brought in from home.  This happens all the time as end users decide they want to build their own private wireless networks, but don’t think about the consequences to everyone else as their wireless router hands out home IP Addresses to random devices across the company network.

Obviously, the cure for a rogue DHCP server is to find it and get rid of it.   The challenge is how to find it?

Enter structured cabling.  Essentially, a structured cable plant runs network cables from stations all over the building to a central patch panel in the server room.  Each cable is labeled, preferably with the labels on both ends of the same cable matching.   All buildings should have a structured cabling.  Unfortunately, many don’t.  Fortunately, this one did.  And that proved to be a tremendous aid finding my rogue DHCP server.

Instead of walking the entire building and looking for a device that looked out of place, I set up a laptop near the patch panel and assigned the laptop a hard IP Address to fit the rogue DHCP server scheme.  After warning everyone their network connections may be disrupted briefly, I set up the laptop to continuously ping the rogue DHCP server IP address while I disconnected and reconnected each network cable.

The idea – one of those cables had to lead to the rogue DHCP server.  I would find the cable leading to my rogue DHCP server by watching for pings to stop responding when I disconnected that cable.  Once I found the correct cable, I could walk to the other end of that cable with a hammer and put the rogue DHCP Server on the other end out of its misery.

I eventually found it, chased it to the other end of the cable, and disconnected it.  It turned out, my friend James brought in a wireless router over a weekend to help with some work he needed to do.  He forgot to disconnect it and that was why my users started complaining on Monday morning.

The moral of the story?  These things happen and that’s why good troubleshooting techniques are invaluable.

After more than 20 years of Microsoft producing a product named Office, by now everyone knows what it includes – a spreadsheet named Excel, a word processing program named Word, an email client named Outlook, a presentation package named Powerpoint, a personal database product named Access, and a desktop publishing program named Publisher.  Different editions of Office include different combinations of packages and licensing and Microsoft mixes them up with each new version.  By now, Office is the de-facto standard for electronic document formats.

With Office 2013, Microsoft combined the audacity that comes with monopoly power with technological incompetence.  What possible rational reason could anyone give to force customers to create a unique login on the Microsoft website for every single retail copy of Office Home and Business?  If you own, say, 50 computers and you have 50 copies of Office Home and Business, you need 50 Microsoft logins to make it work.

Sheer insanity.  Or is it?  Microsoft is filled with competent engineers and savvy marketers.  Microsoft did this for a reason, and this is really a story about a 21st century shakedown scheme.  But it’s buried underneath a pile of technical jargon so very few will notice.

With Office 2013, Microsoft offers three licensing choices, called Volume licensing, retail licensing, and a subscription service named Office 365.  Office 365 is new, the rest have been around a long time.

Volume licenses come with lots of flexibility businesses care about.  Companies can deploy volume licenses any way they see fit.  A volume license for Microsoft Office Standard edition includes only Word, Excel, and Outlook and lists for roughly $370.  Microsoft Office Professional Plus includes all the Office packages and lists for roughly $500 per seat.

Retail licenses cost less, but are less flexible.  For example, Office Home and Business includes Excel, Outlook, Powerpoint, and Word – more packages than Office Standard, but with a lower price of around $220.  The Home and Business license is only good for one computer.  Once installed on any computer, that license is married to that computer forever.  If your PC dies and you need to reinstall Office Home and Business, you need permission from Microsoft.

So far, so good.  Here comes the audacious part.

Starting with Office 2013, Microsoft purposely made Office Home and Business a nightmare to install by adding an artificial impediment.  Microsoft now requires a unique login on its website for every single individual copy of Office 2013 Home and Business.  For each individual login, you must specify the name, phone number, address, email address, and other identifying information.  After setting up this login, you can download and install your individually tailored copy of Office 2013 Home and Business.  The download is roughly 2.2 gigabytes. Customers who use T1 Internet connections will need almost 4 hours per download and each installation now requires its own download. 50 installations means 50 downloads.

If anything goes wrong – a network hiccup during the download, a wrong answer to a question, anything – you’ll spend hours fiddling with registry entries and deleting files by hand because it won’t remove cleanly. I had 4 identical brand new computers and spent most of a day cleaning the remnants of a botched installation on one, with lots of telephone advice from Microsoft Customer Support about undocumented registry entries.

And finally comes the new offering, Office 365.  It’s a Microsoft hosted solution, meaning you connect to a website and work on your documents from there.  The cost is $99 per year or around $10 per month.   No installation hassles, quick and easy to set up, no up-front financial pain for end users.  Your documents live inside a Microsoft cloud, so they are accessible globally and you don’t need a server anymore. Naïve CFOs and Purchasing Departments will love it.

P. T. Barnum reportedly once said ”there’s a sucker born every minute” and he may be laughing in his grave at this modern massive con job. Why would Microsoft price its hosted offering so low relative to a locally installed copy of Office?  Why would Microsoft take such apparently boneheaded steps to artifically complicate installations of Office Home and Business?  And why would Microsoft spend $millions for the cloud capacity to store and manage millions and millions of new user accounts?

Only one answer makes sense – increased revenue.   How does spending $millions to host all this stuff generate revenue?

I can think of only one answer – and I promise, you won’t like it.  Microsoft wants to be the repository for all your personal and business content.  Office 365 will capture your documents, Outlook.com will capture your email, Lync will capture your video meetings.  If Microsoft can make your installation experience expensive and miserable when installing on your own computer, and make it hassle free and low cost when hosting in its cloud, many people will opt for the path of least resistance and put their documents in the Microsoft cloud.  Millions of Office 365 users will blindly trust Microsoft with their most private data because getting started is cheap and easy.

Once Microsoft captures all your content, marketers will pay Microsoft a holy fortune to slice, dice, and analyze your content.  You will provide raw material for marketers and you will pay Microsoft for the privilege.   But marketers will pay much more.  Marketing will be the real Microsoft revenue source – your $99 per year subscription is just a few giblets on the real gravy train.

What to do about it?  If you don’t care if an army of marketers digs deep into your content, trust Microsoft.  If you do care about privacy, maybe now is the time to start looking at alternatives.  Several are available, including Libre Office and other free and minimal cost offerings.  If enough people start adopting some of today’s great alternatives, maybe Microsoft’s monoply power can be tamed.  But if history is a good predictor, this probably won’t happen.