Premise ATTENTION: PremiseSystems.com = MalWare

Motorola Premise

123

Senior Member
NOTE: This issue was brought to my attention by etc6849 and I have confirmed it presents a security threat to Premise users.


Back in the days when Premise Home Control was a commercial product, premisesystems.com was its home. Premise's Builder program is hard-coded to display the site each and every time you run it.

After Motorola shelved Premise, someone bought the premisesystems.com domain and posted a catch-all web page containing links having nothing to do with Premise Home Control. Viewed within Builder, it was nothing more than a visual nuisance, but now it is a source of a JavaScript-based Trojan that Microsoft Security Essentials rates as a severe threat.

Fortunately, it has always been possible to change Builder's default startup URL. In the past it was purely cosmetic but now it is a must. Builder's startup URL is hard-coded in psysui.dll and can be changed to anything you want including nothing at all.

The following post described how to change Builder's startup URL. You will need to download free software to perform the modification. If you want a simpler solution, I have posted a modified version of psysui.dll, in Premise Downloads, whose startup URL is blank.

I was unaware of this threat because I eliminated Builder's startup URL a long time ago. etc6849 reported the issue to me recently. Today I installed a new instance of Premise on a Windows 7 PC, using his excellent installation instructions. I encountered the issue the instant I started Builder when Microsoft Security Essentials blocked and reported the trojan.

If you are installing Premise for the first time, I recommend you eliminate, or modify, Builder's startup URL prior to running Builder. It is no longer a cosmetic fix but a necessity.
 
Thanks 123 and etc6849. I am rebuilding my server as I type, so it's nice to know this now and not be surprised :)
 
123, thanks for verifying this. Should we pin this topic so that it shows up at the top of the forum?
 
FWIW, you should also be able to just put an entry in your Windows hosts file and direct premisesystems.com and www.premisesystems.com to 127.0.0.1

Terry
 
I was wondering about that the other day when I saw the "for rent" sign on the domain.... Knowing those sites are often scooped up by evil doers. My testing thin client probably got hit, but there's nothing else on it, and I don't use it, so I will just reflash with new XPe.


On my Win7 PC I couldn't get Builder to launch. Sys installed OK, the services were running, but Builder gave me "navigation cancelled". That was before seeing this post, so I guess it was a good thing.

Tim
 
Yes, let's pin it...although I will investigate to see what hooligans have purchased that url...(probably one of those Homeseer people...RELAX, IT'S a JOKE!!!)
 
Roussell,

Thanks for the tip. I read about that one and another where you add the offending domain to Internet Explorer's restricted content list. Premise uses the IE engine so I thought it'd be a little easier to use IE than edit a host list (or a DLL!). I added the URL in IE then used IE to navigate to the URL. IE popped up a message indicating the destination was blocked and, here's the kicker, Security Essentials warned me that it detected the Trojan (again)! What kind of lame URL blocking is that? After experiencing that example of unimpressive performance, I didn't bother to test it with Builder and didn't try the host list technique but my guess is it would prove to be effective.
 
You should be able to block it at your router. My router has a filter that I can block websites.
 
I've used hosts files quite extensively in my sys admin past to add an additional layer of blocking nasties from user computers. I once had a host file that I would push via a login script that contained several thousand entries. Everything from porn, hate groups, known malware and virus sites, etc. was listed in there. It was compiled from several sources on the net along with updates from our internal filter on sites that had been blocked. Yes, the corp web filter would stop the activity while at work, but when a user took their laptop home, Starbucks, etc. they weren't on my network so I couldn't stop the bad guys as easily. The mega host file helped to protect them from themselves when they were away from the mother network. It works because the default behavior across Windows, Mac and Linux PCs is to check the host file for name resolution first, then cached local dns (if available on the platform), then query a dns server before giving up.

BTW, for the lazy among us, the following pasted into a DOS window will take care of the addition:
Code:
echo 127.0.0.1 premisesystems.com www.premisesystems.com >> C:\Windows\System32\drivers\etc\hosts

This will work in XP and 2000 and 2003. For 2008, Vista and Win7 you may have to adjust the permission on the hosts file depending on your user's access level...

Terry
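
A way to confirm the hosts entry actually took effect, added here as an example and not part of the original posts: a Python check that parses hosts-file text and reports whether each Premise domain maps to loopback. The sample file contents are constructed, and "first matching entry wins" is an assumption about resolver behaviour; the JOINED sample shows what happens when the echo append lands on a last line that had no trailing newline.

```python
import ipaddress

# Domains named in the thread.
BLOCKED = ("premisesystems.com", "www.premisesystems.com")
ENTRY = "127.0.0.1 premisesystems.com www.premisesystems.com \r\n"  # what the echo appends

# Constructed sample hosts files (not taken from any real machine).
GOOD = "# sample\n127.0.0.1 localhost\n" + ENTRY
JOINED = "127.0.0.1 localhost\n192.168.1.10 nas" + ENTRY  # no newline before the append
COMMENTED = "127.0.0.1 localhost\n# 127.0.0.1 premisesystems.com\n"


def parse_hosts(text):
    """Return {hostname: [addresses in file order]} from hosts-file text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table


def check_sinkhole(text, names=BLOCKED):
    """Map each name to 'loopback', 'not-loopback' or 'missing'."""
    table = parse_hosts(text)
    result = {}
    for name in names:
        addrs = table.get(name.lower())
        if not addrs:
            result[name] = "missing"
        elif addrs[0].is_loopback:  # assumption: the first entry wins
            result[name] = "loopback"
        else:
            result[name] = "not-loopback"
    return result


if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("JOINED", JOINED), ("COMMENTED", COMMENTED)):
        print(label, check_sinkhole(sample))
```

To check a real machine, pass the contents of C:\Windows\System32\drivers\etc\hosts to check_sinkhole(); anything other than "loopback" for both names means the block is not in place.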
 