Showing posts from November, 2008

10 things I hate about Outlook, and you should too

Okay, so, it should be strikingly obvious that I probably hate Outlook. I stopped using Outlook in 2001, had to use it for a customer for a while, and my love for it hasn’t gotten any fonder.

Non-standards compliant. Really Microsoft? You didn’t like how all the other email programs that have been around for years have been doing it? You had to go create that MIME format crap that not only isn’t standards compliant, but that every other email program has issues with.

Calendar invites. Seriously? Why are Outlook’s calendar invites so screwed up when sending them to people not on the same Exchange server as you? CalDAV anyone?

Exchange? Didn’t like the standards-based email servers that were out there? Had to go create one? “But there wasn’t one that did all these ‘X’ features on one server.” Wa. Cry me a river. Apple did it. Yeah, so what, they had to invent a couple open standards and submit them.

Top-posting by default?! Seriously? Lotus Notes, you are guilty too, don’t think…

Why is your Blog named Finshake?

Someone wrote in and asked me why I named my blog “Finshake”. Well...

Finshake is an internal joke between me and the guys in VRT at Sourcefire. A while ago, I was an author on the “Snort IDS and IPS Toolkit” book from Syngress. Well, with the rush to deadlines and things, there are several mistakes in the book. Okay, so there are a lot of mistakes in the book...

Well, one of the biggest mistakes in the book actually happened in my chapter (Chapter 6). I was talking about TCP session initiation and TCP session teardown and how Snort interprets those. In the final book, I wanted pictures of the TCP handshake for session initiation and the TCP exchange for session teardown.

In my copy of the manuscript I simply indicated where the pictures should go:

I didn’t actually draw the pictures. I knew Syngress had the pictures from the 2.1 book, and I just asked them to use those.

So in my final proofread of the PDF that I got from the publisher:

The placeholder was there, but no pic…

Research

Okay, so MS08-067 worm(s). I got some intel from various listservs that I belong to about a new worm (or worms) that was starting to be seen in the wild. So I got a few URLs to play with and started poking around. Note, these are not all the URLs that I tried to get the exploit/worm from. They are not all of the same worm, and they may or may not be related... BTW, I am not a very good malware analyzer, just an FYI.

It appears one of the variants of this worm that I am looking at attempts to spread not only through network vulnerabilities (08-067), but also through P2P networks like eMule.

So, I tried to get one of the files, named 6767.exe in this case. This EXE file does several things, some of which are very unclear as to the reason... as I said, I’m not a malware guy...

This EXE downloads, and upon execution (again, in my particular sample; I am sure it will change), from a network perspective, on MY machine, it didn’t do anything. I have read several write-ups of t…