[Dshield] FW: Windows 9x Security Update Beta Invite

Brad dshield-list at izallgood.net
Sat Dec 6 22:50:56 GMT 2003

Everything seems to point to www.betaplace.com belonging to Microsoft.
I find it hard to believe that Microsoft would have let this go unnoticed
if they were not offering such a program. This site has been hosted in
Microsoft IP space for some time now; I find it very unlikely that this is
not authentic.

If somebody just wants your .NET username/password, they put way, way too
much time into such an attack. If they are THAT good at making an
authentic-looking Microsoft website, why not go after a major bank? That
would have a much greater payoff in the type of data they would gain
access to.

My guess is that somewhere you clicked a box or something that said you
would be interested in beta testing something. The only thing I don't
understand is why they didn't just send a link to buy Windows XP so
that you can get the latest and greatest that virus writers have to offer
like everybody else.

That's just my 2c.


bash-2.05$ dig www.betaplace.com A

; <<>> DiG 8.3 <<>> www.betaplace.com A 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;;      www.betaplace.com, type = A, class = IN

www.betaplace.com.      1H IN CNAME     betaplace.com.
betaplace.com.          1H IN A

;; Total query time: 179 msec
;; FROM: laluz.izallgood.net to SERVER: default --
;; WHEN: Sat Dec  6 15:44:49 2003
;; MSG SIZE  sent: 35  rcvd: 65

bash-2.05$ whois

OrgName:    Microsoft Corp
OrgID:      MSFT
Address:    One Microsoft Way
City:       Redmond
StateProv:  WA
PostalCode: 98052
Country:    US

NetRange: -
NetHandle:  NET-207-46-0-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Assignment
NameServer: DNS1.CP.MSFT.NET
NameServer: DNS2.CP.MSFT.NET
NameServer: DNS1.TK.MSFT.NET
NameServer: DNS1.DC.MSFT.NET
NameServer: DNS1.SJ.MSFT.NET
RegDate:    1997-03-31
Updated:    2002-12-05

TechHandle: ZM39-ARIN
TechName:   Microsoft
TechPhone:  +1-425-936-4200
TechEmail:  noc at microsoft.com

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse at microsoft.com

OrgNOCHandle: ZM23-ARIN
OrgNOCName:   Microsoft Corporation
OrgNOCPhone:  +1-425-882-8080
OrgNOCEmail:  noc at microsoft.com

OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  iprrms at microsoft.com

# ARIN WHOIS database, last updated 2003-12-05 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.


 Trust in the LORD with all your heart; do not depend on your own
 understanding.  Seek his will in all you do, and he will direct 
 your paths. -- Proverbs 3:5-6 (NLT)		      		 
 I have wondered at times what the Ten Commandments would have 
 looked like if Moses had run them through the U.S. Congress.
 --President Ronald Reagan

On Sat, 6 Dec 2003, M Cook wrote:

> Date: Sat, 06 Dec 2003 14:26:16 -0500
> From: M Cook <dshieldlists at versateam.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: General DShield Discussion List <list at dshield.org>
> Subject: Re: [Dshield] FW: Windows 9x Security Update Beta Invite
>
> I think one would find that they say they won't *distribute* patches by 
> email. They notify people about the availability of patches all the time 
> by email. Some of the patches (e.g. a service pack) are available as CDs 
> to be ordered, so I would say that the patch is thereby marketed by 
> email (even though you have to go to a M$ web site to order it), there 
> being a difference between marketing (advertising) something and 
> distributing it.
>
> One could say that this "come participate in a beta test" email by 
> Microsoft (almost surely legit) is so close to the "come change your 
> account settings" spoofing techniques being used against paypal and ebay 
> (definitely *not* legit) that Microsoft should be strongly encouraged to 
> stop using it. I agree, though, that I would recommend to local users 
> that they be very careful with such an invitation, and if they needed a 
> rule, the rule would be "don't trust things that look like this".
>
> I'd also second the notion that the path to betaplace.com should at 
> least start at microsoft.com, though the ebay/paypal spoofs show that a 
> spoofed web address can be made to look legitimate. Microsoft (or any 
> other company that is a potential target for malicious exploits) needs 
> to minimize/simplify (make foolproof?) the number of techniques a user 
> must learn in order to verify its products or messages. The problem 
> isn't so much that betaplace.com isn't secure or legitimate, it is that 
> many mere mortals won't be able to distinguish between this legitimate 
> invitation and one that is spoofed. Just the number of emails on this 
> list describing how to analyze the certificate hierarchy or work through 
> IE quirks and bugs to verify the site's validity supports the notion 
> that this is way too complex for a normal user, and therefore the 
> security expert's rule would be "don't trust it".
>
> Alan Frayer wrote:
> >Since Microsoft has already stated 1) that they wouldn't market patches
> >by e-mail, and 2) they would no longer provide free support of the 9x
> >series, and since the web site they want you to visit isn't part of
> >Microsoft's vast domain, I'm going to say no, this is not legit.
> >  
> >
> >
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
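
The manual check in the message above (resolve the host, then look up the address block in ARIN WHOIS) can be scripted. This is an added example, not part of the original post: it parses ARIN-style WHOIS text and reports whether a resolved address falls inside the record's NetRange and whether the OrgID is the expected one. The sample record, the addresses (documentation ranges) and the OrgID `EXAMPLE-1` are constructed; a match shows only who the address block is assigned to.

```python
import ipaddress

# Constructed sample in ARIN WHOIS layout (documentation range, hypothetical org).
SAMPLE_WHOIS = """\
OrgName:    Example Corp
OrgID:      EXAMPLE-1
Country:    US

NetRange:   192.0.2.0 - 192.0.2.255
NetHandle:  NET-192-0-2-0-1
NetType:    Direct Assignment
NameServer: NS1.EXAMPLE.NET
NameServer: NS2.EXAMPLE.NET

# ARIN WHOIS database, constructed sample
"""

def parse_whois(text):
    """Return {key: [values]}; repeated keys (NameServer) keep every value."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "%")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record

def check_assignment(whois_text, ip, expected_org_id):
    """Check that the WHOIS record covers `ip` and names the expected OrgID."""
    rec = parse_whois(whois_text)
    org_match = expected_org_id in rec.get("OrgID", [])
    net_range = rec.get("NetRange", [""])[0]
    start, sep, end = (p.strip() for p in net_range.partition("-"))
    in_range = False
    if sep and start and end:  # an elided range ("NetRange: -") fails closed
        try:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            in_range = lo <= ipaddress.ip_address(ip) <= hi
        except (ValueError, TypeError):  # unparsable or mixed v4/v6 input
            in_range = False
    return {"org_match": org_match, "in_range": in_range,
            "ok": org_match and in_range}

if __name__ == "__main__":
    print(check_assignment(SAMPLE_WHOIS, "192.0.2.10", "EXAMPLE-1"))
    print(check_assignment(SAMPLE_WHOIS, "198.51.100.7", "EXAMPLE-1"))
```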
