Crescent City Networking

Parent memory reserve with dynamic memory

Virtual PC Guy — Fri, 03 Sep 2010 22:01:00 +0000

Most people I know who have spent a lot of time with Hyper-V have had the experience of accidentally taking too much memory away from the parent partition. This happens when they start too many virtual machines – and all of a sudden the performance and responsiveness of the parent partition goes down significantly.

The response from people who hit this is usually to stop the last virtual machine that they started, to reduce its memory, and then start it up again.

This solution has worked in the past – but is no longer an option with dynamic memory. The reason why this will not work is because if you stop the last virtual machine – you just leave the memory available for your other virtual machines to use – getting you straight back where you started.

For this reason, with dynamic memory we have implemented a new “parent memory reserve” for Hyper-V. Here we attempt to calculate an appropriate amount memory to keep for the parent partition and ensure that virtual machines with dynamic memory enabled cannot eat into this reserved memory.

That said – this reserve is not perfect. Specifically – it only accounts for the memory requirements of Hyper-V in the parent partition. If you are running other workloads in the parent partition (contrary to our best practice guidance) then you may still see parent partition memory starvation.

To help mitigate this issue – we are also providing a new registry entry that lets you override our parent memory reserve with your own static memory reserve. This registry entry does not exist by default – but if you go to the HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization registry key and create a new DWORD entry with a name of memoryreserve – you can then set the value to the static amount of memory that you want to reserve for the parent.

You should be warned – if you set this value too low; virtual machines will be able to use too much memory and cause performance issues for you. Equally – the higher you set this the fewer virtual machines you can run.

That said – I have found this to be very useful on my laptop – where I use Hyper-V like a desktop operating system. By setting this value to 2048 (on my laptop with 8GB of RAM) I can run multiple virtual machines and know that they will not cause Outlook / Internet Explorer in the parent partition to be affected.

Cheers,
Ben

So, how did they “credit my favor” with $4.5 M if they didn’t know my name?

Tom Kelchner — Fri, 03 Sep 2010 18:26:00 +0000

Are grade schoolers writing the spam these days?

What does: “revert ASAP” mean?

From: From International Commercial Bank of Ghana [felistax@yahoo.com]
Sent: Friday, September 03, 2010 2:15 PM
Subject: Attn: Beneficiary, From International Commercial Bank of Ghana.

Attn:Beneficiary,

This is to notify you that $4.5 million has been credited in your favor, contact Mr. James Appiah, with the following information to enable your fund transferred via bank to bank, AS THE CASE MAY BE.

Your full name, Age, Sex, Nationality, Direct phone number, Residential Address, Occupation.

Thank you for banking with us
Revert ASAP
Regards,
James Appiah

You’d think a bank official would have a title and company email instead of a Yahoo account.

Tom Kelchner

Clearwater backhoe incident: 09/02

Tom Kelchner — Fri, 03 Sep 2010 14:13:00 +0000

GFI Sunbelt Internet connectivity was lost when a fiber optic line was cut in Clearwater, Fla., near the end of the business day yesterday.

Service provider Time Warner said the line was accidentally cut by a construction crew near the GFI Sunbelt headquarters about 4:50 p.m. Service was restored about 11:10 p.m.

VIPRE definition Version 6827 was issued at 11:17 p.m. (GMT-5)

Alex Eckelberry, general manager of GFI’s Security Business Unit said: “We are currently in the process of reorganizing our data center locations to avoid such an occurrence again.”

Tom Kelchner

Zombie game inspires scammers to target your brains

paperghost — Fri, 03 Sep 2010 07:17:00 +0000

Zombies. Whether they’re shuffling Romero types, the wisecracking “send more cops” variety or even the crumbling Fulci efforts it’s important to be prepared (no, I’m not counting the ones that run. Those are stupid).

As you can see, I’m ready for pretty much anything:

Nobody is immune to the zombie menace, however, so I thought it might be useful to let you go forth and warn friends & relatives about a new zombie scam popping up on the internet.

Dead Rising: Case Zero has just been released on XBox Live as a standalone chapter for the upcoming Dead Rising 2, and of course scammers want a tasty slice of zombie pie.

Forums and sites such as Youtube (surprise!) are filling up with posts and videos promoting various websites claiming to offer “cracks” and redeemable download codes to let you get your hands on the game for free.

Click to Enlarge

I’ve also seen a few videos claim to offer up a PC version (lies) and another one offering up a “Wii version” (more lies, these versions of the game don’t exist).

Here’s a sample:

Click to Enlarge

I took this screenshot a day or two ago; let’s make a tenuous reference to zombies and say they’re now multiplying uncontrollably, and you’ll probably have to go live in a supermarket or whatever.

Anyway. The majority of the videos seem to link to one particular website – deadrising2casezero(dot)blogspot(dot)com. Here it is:

Click to Enlarge

There’s a lot of nonsense on the site about the download being restricted to the first 2,000 users – and the “total downloads so far” indicator seems to be stuck on 354 people. Following a similar pattern to the recent DC Universe Online scam, attempting to download the program will give you some wonderful surveys to fill in.

Click to Enlarge

I’m almost certain I have more important things to worry about in the middle of a zombie apocalypse than whether or not I’m Justin Bieber’s ideal girl but oh well. Filling in one of the surveys will give you this somewhat unimpressive program on your desktop:

I say unimpressive, because it’s about as much use as slapping a zombie in the face with a wet newspaper. Just like the DC Universe fakeout, the program will “generate” about 20 or so codes that just repeat themselves endlessly.

A bit like these "free app / here's a survey" scams, perhaps.

Now if you’ll excuse me, I’m off to meet an ironic doom at the hands of some running zombies. While I’m donating my brains to the undead community, please try to avoid any and all “freebies” related to Dead Rising: Case Zero.

Christopher Boyd

Safe Web Surfing Rule # 1: READ the URL

Tom Kelchner — Thu, 02 Sep 2010 19:54:00 +0000

Safe Web Surfing Rule # 2: See Rule # 1

Email and social networking sites might be a global phenomena, but English remains widely used in URLs and elsewhere on the Internet. In the English verbiage in malicious email, URLs and web sites there are words that instantly raise red flags to native speakers. However those red flags may not wave for those who speak no English or it is their second language. Here is yet one more example.

It starts with a Facebook post with a picture of a cute girl (not shown since the photo might be misappropriated) and a link to what looks like Facebook chat. The hyphens that are used in the URL instead of periods should be one giveaway. The fact that it’s a URL with a country domain TK should be another giveaway (probably in any language). That's Tokelau, a territory of New Zealand in the South Pacific.

(click on graphic to enlarge it)

So the unwise Albanian Web user, seeking to chat with a pretty girl in Tokelau, possibly thinking she's in Turkey (country domain "TR" ) , goes to the site:

(click on graphic to enlarge it)

The Facebook page is initially grayed out, so the average computer user clicks on it. The gray goes away. However, if he (and you can be sure this would be a he) watches the browser bar, the site has redirected to: http://h1.ripway.com/hacker1992/login.php.

(click on graphic to enlarge it)

Oh, that’s just adding insult to injury – actually putting the word “hacker” in the URL – assuming you know enough English to recognize the word “hacker” and know the implications. Of course “ripway.com” is almost as blatant.

The ripway.com site was registered yesterday with an address in Highlands Ranch, Colorado.

Google Translate says the language is Albanian. You can be sure it’s a scheme to snatch email addresses and Facebook logins of Albanian-speaking Facebook users or get them to set up new accounts AND snatch their information:
(click on graphic to enlarge it)

Tom Kelchner

Guest Paging vs. Virtualization Paging and Negative Memory Availability

Virtual PC Guy — Thu, 02 Sep 2010 19:08:00 +0000

Jeff has discussed this at some length over on the virtualization team blog, but as a general rule of thumb we believe that it is much better to have paging occur inside the guest operating system rather than at the virtualization layer (if paging is needed).

The simple reason for this is that the guest operating system has far better understanding of which are the best sections of memory to page out – where as all the virtualization layer can do is to guess at what should be paged out.

In my recent demonstrations of dynamic memory I came upon another interesting angle to consider. Here is a screenshot of task manager from a virtual machine that is running at –23% memory availability (i.e. it does not have enough memory available and is paging in the guest):

What is fascinating about this screenshot is that even though this virtual machine is significantly short of memory, the guest operating system is still keeping 112mb memory available / as file cache. The reason for this is that the copy of Windows inside the virtual machine knows that even though it is short of memory – it can provide the best experience for the user of the virtual machine by not using all the memory that it has and by keeping a little bit free to serve as a cache / be there for new applications.

It is exactly this sort of logic that gets lost when paging is done at the virtualization layer instead of inside the guest operating system.

Cheers,
Ben

U.S. Labor Day: phishers won’t be on holiday

Tom Kelchner — Thu, 02 Sep 2010 17:18:00 +0000

Holidays are times when we see a big uptick in email retail advertising. They are also a time when we should be especially aware of threats from phishing schemes in all those ads.

In that surge of emails promoting holiday sales we can expect fraudulent messages with links to sites that download malicious software or phishing sites set up to steal personal information.

Phishing tracker site Phishtank.com, estimates there are more than 2,900 active phishing web sites currently verified on the internet. Popular social media sites such as Facebook and Twitter are increasingly attractive platforms for holiday-themed attacks.

Here are three simple rules that can help you reduce your risk of becoming a victim:

-- Make sure your computer is protected against the newest malware threats by installing a combined antivirus and antispyware solution. This is your first point of protection against dangerous viruses and Trojans – and one without the other is no longer effective.

-- Never click on a link in an email to make a credit card purchase. The email you’ve received may look legitimate, but there’s a high probability that the link will take you to a spoofed site where your credit card information will be stolen by cyber criminals.

Instead, navigate to the retailer’s Web site directly through your browser. The email may look harmless, but it’s better to be safe than sorry.

-- Even when you visit a trusted Web site, be vigilant about anything that looks out of the ordinary. Social networking sites like Facebook, Twitter and MySpace have all served as points of infection recently. Do not download anything, even from a trusted site, unless you are 100 sure it’s safe.

Every Labor Day, we see a wave of phishing attacks taking advantage of consumers’ expectations of increased retail email promotions connected with the holiday

Cyber criminals see an opportunity to slip by unnoticed among the legitimate promotions. Along with making sure virus updates and security software patches are current, consumers need to stay vigilant and use common sense in order to avoid any unnecessary headaches that these fraudulent emails look to deliver over the long weekend.

Tom Kelchner

Faulty Fiverrs

paperghost — Thu, 02 Sep 2010 10:43:00 +0000

Fiverr is an excellent site that allows you to buy / sell services – all of which cost $5.

There’s all sorts of crazy things on there, but does it attract rogues and individuals who generally want to mess up your day?

You bet. With a little furtive digging you can uncover all sorts of dubious antics up for grabs – for the low, low price of $5!

There’s this guy, who is selling an XBox Live account (not something we’d advise purchasing, as more often than not XBox Live accounts up for sale have been phished):

We also have someone claiming they can “unlock all achievements” in your games. This will be done by using custom made software to tamper with the data on your XBox profile (again, not advisable) and unlock all the gaming achievements artificially.

Click to Enlarge

Note that unless they do it the “right” way (and this is a very tricky thing to pull off), Microsoft can easily tell which profiles have been fiddled with leading to a banhammer – and there’s no guarantee the seller will give you your account back at the end of it.

The Playstation network isn’t safe from these kinds of sales either:

Click to Enlarge

Moving the notch up a little bit, you can find a lot of spreading guides and hacking tutorials (cpalead surveys and i-stealers are popular topics of conversation):

Click to Enlarge

Can we find guidance on how to phish accounts and sell them on for a profit too? You bet:

Click to Enlarge

Some users also spend their time offering up “undetectable keyloggers”:

I’m not entirely sure what the deal is with the odd Blue Steel pose there, but if you really want to be annoying you can find people who will happily delete accounts on sites such as Facebook:

Ouch.

I don’t know about you, but I’m going to stick to “Learn to be a Ninja” and “Will sing any song in Hindi for $5”.

Christopher Boyd

GFI/Sunbelt Labs quarterly briefing is on Web

Tom Kelchner — Wed, 01 Sep 2010 19:38:00 +0000

“Turn the Tables on the Bad Guys, Malware Unmasked”

The Sunbelt Labs quarterly briefing “Turn the Tables on the Bad Guys, Malware Unmasked” is available for your viewing pleasure.

Malware Unmasked 2 from OEM Sales on Vimeo.

Schwartzkopf began by describing GFI's recent acquisition of Sunbelt Software. Schwartzkopf said the move will enable GFI to merge innovative VIPRE technology into GFI’s email and Web security products and move into new markets.

The presentation features a 25-minute PowerPoint presentation and 20 minutes of Q&A.

In the presentation, Glenn and Jack discuss the details of the TDL 3 (TDSS or Alureon) rootkit and the Sunbelt Labs CWSandbox.
(click to enlarge image)

They credit CWSandbox with VIPRE’s recent showing in Virus Bulletin’s Reactive and Proactive (RAP) analysis of detection rates. VIPRE was evaluated as the AV engine with the highest proactive behavioral detection rate.

Glenn and Jack also discussed their analysis of the zero-day Stuxnet exploit, the first malicious code that can infect 64-bit systems running Windows 7.
Next webinar: December 8, 9 a.m. and 2 p.m. Eastern Time

Sign up here.

(click to enlarge image)

Tom Kelchner

Looking at Dynamic Memory Performance Counters

Virtual PC Guy — Wed, 01 Sep 2010 18:56:00 +0000

With Windows Server 2008 R2 SP1 we have added a number of new performance counters for dynamic memory. These counters allow you to get some extra insight into what is actually happening with memory on your Hyper-V server. The counters are grouped in two categories. First is “Hyper-V Dynamic Memory VM”:

These counters allow you to access specific information about dynamic memory inside each of the virtual machines on your system. The second category is “Hyper-V Dynamic Memory Balancer”:

These counters allow you to view information about dynamic memory across the entire physical computer.

One thing to note is that unlike the user interface – which uses the concept of “memory availability” (which I discussed yesterday) – the performance counters instead talk about memory pressure. This is measuring the same thing as memory availability (i.e. how much memory does the virtual machine have compared to how much memory does it need) but the math is slightly different. A virtual machine with a pressure of 100 has exactly the amount of memory that it needs (this is equivalent to a memory availability of 0%). If the virtual machine pressure goes over 100 – it now has less memory than it needs (equivalent to a negative memory availability) and if the virtual machine pressure is under 100 then the virtual machine has more memory than it needs.

Virtual machine pressure is simply calculated by taking the amount of memory the virtual machine wants, dividing it by the amount of memory the virtual machine has and then multiplying the result by 100.

My favorite performance counter is the “Average Pressure” counter under the “Hyper-V Dynamic Memory Balancer” category. This gives you a very simple view of the overall memory allocation of your system:

As long as this number is under 100, you know that there is enough memory is your system to service your virtual machines. Ideally this value should be at 80 or lower. The closer this gets to 100, the closer you are to running out of memory. Once this number goes over 100 then you can pretty much guarantee that you have virtual machines that are paging in the guest operating system.

Cheers,
Ben