RUbotted False Positives
August 18th, 2010
As you may remember from several of my previous posts (RUBotted Popup and Microsoft Bulletins and Botnets, just to name a few), I use Trend Micro’s RUbotted regularly and recommend using it.
I’ve noticed that there is a continuous false positive appearing on my pop-up message every time I visit a specific forum I belong to on Bravenet.
Specifically, I receive this message:
Not only do I receive the “Botnet found” pop-up message when visiting the forum, the reported results also state that Trend Micro RUBotted has “detected DNS query of malicious domain”, without giving an IP address or a malicious domain name that I could use to verify what’s up with that.
Since I’m running Trend Micro Internet Security, I don’t click the message to run House Call. But I did run all my other tools to check for some kind of strange botnet-like behavior on my machine. That included checking all the open connections on my computer to see if there was something running in the background that I wasn’t aware of.
But, alas and alack, there was nothing.
So that led me to start researching what the heck this message might be related to. I researched the message, “detected DNS query of malicious domain” only to find others experiencing the same kind of problem but on different sites.
I then started looking for the trigger point of this message on the forum I belong to – which has led me to the conclusion that this is a false positive for me.
Now don’t get me wrong, there are sites that will trigger this because an advertisement or hidden code in the site page programming could be triggering it. So don’t assume that all the “detected DNS query of malicious domain” messages are all false positives. THEY ARE NOT!
For those of you who are a bit more technically inclined than others, let me explain how I researched this so you can do your own bot check on a site triggering the RUBotted pop-up.
Once I was in the forum on Bravenet and I received the pop-up message that a botnet was found, I used View Page Source to see the code behind the page I was looking at. I checked every single link to see if there was some outside IP address or outside website that could trigger this. All references in the links on the page pointed back to the forum at Bravenet’s website.
However, on certain pages, there are links to websites from people writing in the forum and upon researching one of those links, I found that it had been listed as a potential malware site. So, it isn’t necessarily the site you’re visiting that creates the false positive, it could be something on the page itself, or a link to a potential or known malware site.
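The check described above (read the page source, pull out every link, and see which ones point outside the site you are actually visiting) is easy to automate. The script below is an added example written for this post, not code from the original post or from Trend Micro; the page HTML and the hostnames in it are constructed for the demo and do not come from Bravenet. It resolves relative and scheme-relative URLs against the page address, then lists the hosts that are neither the visited site nor one of its subdomains, which are the candidates to look up in a reputation service when a tool like RUBotted flags the page.

```python
"""Added example (not from the original post): list the hostnames a page's
source references and flag the ones outside the site you are visiting."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: the forum's own links stay on the site, but a
# user-posted link, an ad script and an embedded widget point elsewhere.
SAMPLE_HTML = """
<html><head>
<script src="//ads.example-adnetwork.test/tag.js"></script>
<link rel="stylesheet" href="/css/forum.css">
</head><body>
<a href="/forum/topic/123">Thread</a>
<a href="http://forum.example-host.test/forum/topic/124">Another thread</a>
<img src="http://img.example-host.test/avatar/7.png">
<a href="http://user-posted-site.test/download.exe">check this out</a>
<iframe src="https://cdn.example-widget.test/embed"></iframe>
</body></html>
"""

# Attribute names that carry a URL the browser fetches or the user can follow.
URL_ATTRS = {"href", "src", "action", "data"}


class LinkCollector(HTMLParser):
    """Collects every URL-bearing attribute value from the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value)


def referenced_hosts(html, page_url):
    """Return the set of hostnames the page references, resolving relative
    and scheme-relative URLs (like //ads.../tag.js) against page_url."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        absolute = urljoin(page_url, url)
        host = urlparse(absolute).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def external_hosts(html, page_url):
    """Hostnames that are neither the visited site nor one of its subdomains.
    Assumption for the demo: the site's registrable name is its last two
    labels, so forum.example-host.test and img.example-host.test are treated
    as the same site."""
    site = urlparse(page_url).hostname.lower()
    site_base = ".".join(site.split(".")[-2:])
    return sorted(
        h for h in referenced_hosts(html, page_url)
        if h != site and h != site_base and not h.endswith("." + site_base)
    )


if __name__ == "__main__":
    page = "http://forum.example-host.test/forum/topic/123"
    for host in external_hosts(SAMPLE_HTML, page):
        print("external:", host)
```

Run it against a saved copy of the page source (or feed it the HTML you get from View Page Source) and the external hosts it prints are the short list worth checking one by one; on a real page, ad networks and user-posted links are exactly the kind of entries that show up there, as the post found.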
There are also questions raised out there that Bravenet itself is a malicious site, but because it hosts FREE forums on the site, there’s no doubt in my mind that someone may have set up a forum with the intent of directing people to a malicious site. But I went to Bravenet the dot com and did not receive the RUBotted message pop-up. So it was definitely not that site that was the malicious domain.
The takeaway point of this post is: sometimes you will get false positives.
When in doubt, assume the worst unless you know with all certainty that the site you are on is indeed safe. In my case, the forum I belong to is an invitation-only forum of professional people.
Remember, advertisements such as Google ads and others can rotate in malware advertisers on a site, which would trigger RUBotted. So if the site you’re visiting is heavily laden with advertising, you can safely assume that it was an ad that triggered the query of a malicious domain.
As I say repeatedly, ALWAYS err on the side of caution when it comes to security! And I think Trend Micro’s RUBotted does that.
I hope this has helped resolve some of the confusion out there.
Top 5 Facebook Security Tips
August 16th, 2010
There are a lot of things that I encounter that most people don’t due to the nature of my work. And honestly, many of the problems I’m called upon to fix can be avoided by taking simple steps to practice what I’d like to think is “common sense” security with a healthy dose of mild paranoia.
That being said, I’m going to relate to you, my top 5 Facebook security tips to help you learn some of these common sense techniques while employing that healthy dose of mild paranoia.
Tip #1: Assume that Facebook (or any social network for that matter) is not secure.
I know you read all the social networking articles about how Facebook has upgraded their security, changed their security settings to protect you better, and so on and so forth. However, there are about the same number of news articles being posted about how the Facebook security settings didn’t work as intended, which allowed everyone to view your profile information or your friends, how some hacker accessed Facebook account information on hundreds (and thousands) of users exposing login information and other personal data, and the list of flaws could go on.
The point is, as long as there are hackers and identity thieves, there will be flaws in even the most promising security. Assume that nothing is secure.
Tip #2: Don’t post anything you would not want a stranger to see.
Just recently, a friend of mine saw that two of his Facebook connections had posted their new cell phone number on their wall. When my friend decided to call them out on such behavior, the two friends replied that only their select friends could see the post based on the security setting used when posting. See Tip #1 above if you believe that the information you’ve posted and set to secure is indeed secure.
Tip #3: Social Engineering is the hacker’s tool of choice.
Social engineering is the art of becoming friendly with a person and thereby gaining their trust. Once trust is established, the hacker can casually get you to disclose your personal information easily and effortlessly.
As part of my students’ assignments in my computer security courses, they are taught how to employ social engineering and have the assignment of just watching for signs that someone is using it. One student took those skills to a cell phone kiosk and, while chatting casually with a woman about a cell phone she was using, learned the 4-digit PIN code she used to lock her phone and that she used that number for everything, including ATM machines. By the end of the conversation, he knew where she worked, her full name, and what she did for a living. He did all this by pretending he wanted to buy the phone she was holding in her hand! He was shocked not only by the fact that he was able to effortlessly get this information out of her, but that he, with little training, was able to accomplish it.
Keep in mind that most hackers don’t need complex scripts or tools to betray you. You give them the information freely every day. And if you have any doubt about that, think about how many times you hear people disclosing personal information while on their cell phones near you!
Tip #4: Pay attention to your friends.
The biggest sign that something isn’t right is when your friends start behaving in ways that are not common for them to behave. What I mean by that is, recently, I had one of my Facebook friends inbox me that she was in the U.K. stranded and needed some money to get home. As it turned out, her account was hacked and this message went to all her friends. I knew she wasn’t in the U.K. but had just launched a new solo business. Because I was paying attention to her posts and the way she interacts, I didn’t fall for the scam.
Many times, account hacks are not so easily detected. For example, a teen received a link from a friend in Facebook chat. The friend always sends various links to him via the chat. The sad news was that the link was to a malware site that totally destroyed his laptop. This situation leads me to Tip # 5 below.
Tip #5: Always err on the side of caution.
This is where the healthy dose of paranoia comes in.
As in the case of the teen given the link in Tip #4 above, the teen should always respond back to the friend before clicking the link. If the hacker is on the friend’s account, one of two things will happen. Either he/she won’t respond back to the chat ping, or they will not be able to answer a question about the link properly.
Let me explain. Let’s say that this teen and his friend normally share links having to do with monster trucks because they both love them. But they hate cross-overs and SUVs. The teen could have responded to the chat link with the following message, “Is this another video about that awesome Cadillac Escalade?” A hacker, not knowing that they’re being baited, will respond, “Yes!”, thinking that this is the appropriate response. If the friend legitimately sent the link, then the friend will definitely ask whether a hacker is on the account, because his friend would never respond like that!
The point is, there is a way to test your friends using very intimate details about your relationship that only the two of you know and has not been publicly announced on your Facebook wall. Obviously, if this teen and his friends bash cross-overs or SUVs, then this example might not work. But I think you get the picture.
Remember, security is a process – not an endpoint.
Our New WP 3.0 Theme!
August 14th, 2010
Well, what do you think?