Re: Microsoft the source of all evil?? Simple question

[Glenn Forbes Fleming Larratt <gl89 () CORNELL EDU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It seems to be a legitimate domain created only to mock Microsoft,
since:

===================================
$ nslookup thesource.ofallevil.com

Non-authoritative answer:
thesource.ofallevil.com canonical name = www.microsoft.com.
www.microsoft.com       canonical name = toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net        canonical name = g.www.ms.akadns.net.
g.www.ms.akadns.net     canonical name = lb1.www.ms.akadns.net.
Name:   lb1.www.ms.akadns.net
Address: 207.46.192.254
Name:   lb1.www.ms.akadns.net
Address: 207.46.193.254
Name:   lb1.www.ms.akadns.net
Address: 207.46.19.190
Name:   lb1.www.ms.akadns.net
Address: 207.46.19.254
===================================

the hostname "thesource.ofallevil.com" is a CNAME record (a pointer)
to www.microsoft.com .

As it's currently configured, it's just nonsense.

One doesn't have to be too paranoid, however, to think that an
attack of the form:

 - create this domain in this way;
 - get Google results in place pointing to that domain;
 - get people used to seeing it, over time; and then
 - change the entry and point the site to something actually "evil".

might be perpetrated this way.
- --
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 13 Feb 2008, James Moore wrote:

> I went looking for more documentation on Powershell on Google.
>
>
>
> The string that I used was "guide powershell"
>
>
>
> It came back with
>
>
> Download details: Windows PowerShell 1.0 Documentation Pack
> <http://thesource.ofallevil.com/downloads/details.aspx?FamilyId=B4720B00
> -9A66-430F-BD56-EC48BFCA154F&displaylang=en>
> <http://www.siteadvisor.com/sites/ofallevil.com?ref=safesearch&client_ve
> r=FF_26.5_6256&locale=en-US&premium=false&aff_id=0>
>
> Documentation of Windows PowerShell 1.0, which includes the Windows
> PowerShell Getting Started Guide, the Windows PowerShell Primer, the
> Windows PowerShell ...
> thesource.ofallevil.com/.../details.aspx?FamilyId=B4720B00-9A66-430F-BD5
> 6-EC48BFCA154F&displaylang=en - 31k -
>
>
>
> Note the URL.
>
>
>
> Not having had my 2nd cup of coffee, and also trusting McAfee's
> SiteAdvisor(tm) , I clicked on it.
>
>
>
> The result looks surprisingly like a Microsoft site.  The URL doesn't.
>
>
>
> Anyone know more about "ofallevil.com".  Whois shows it in Bellevue, WA,
> but it is privacy protected.
>
>
>
> http://thesource.ofallevil.com/en/us/default.aspx looks very Microsoft.
>
>
>
> http://www.ofallevil.com/ returns a blank page.
>
>
>
> Jim
>
>
>
>
>
> Jim
>
> - - - -
> Jim Moore, CISSP, IAM
> Information Security Officer
> Rochester Institute of Technology
> 13 Lomb Memorial Drive
> Rochester, NY 14623-5603
> (585) 475-5406 (office)
> (585) 475-4208 (lab)
> (585) 475-7950 (fax)
>
>
>
> "We will have a chance when we are as efficient at communicating
> information security best practices, as hackers and criminals are at
> sharing attack information"  - Peter Presidio
>
> Confidentiality Notice:  Do the right thing.  If this has the words
> "Confidential" or "Private" in the subject line, or similar language in
> the email body, or as a label on any attachment, then think.  Do you
> know me?  Did you expect to receive this?  Do you recognize and work
> with the other addressees?  If not, then you probably received this in
> error.  Please, be respectful and courteous, and delete it immediately.
> Please, don't forward it to anyone.
>
> Now, wasn't that simple.  Just, if you had made an error in a sensitive
> email, and I received it, what would you want me to do with it?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFHsyikLyw7nZwiKgQRAtrzAKDcLJGPYV5pZSsU2G8drleVRP+R2ACg3nh0
zmo6YUNls9xuS3QHw3uP90s=
=5tbQ
-----END PGP SIGNATURE-----