
As you may remember from several of my previous posts (RUBotted Popup and Microsoft Bulletins and Botnets, just to name a few), I use Trend Micro’s RUBotted regularly and recommend using it.

I’ve noticed that there is a continuous false positive appearing on my pop-up message every time I visit a specific forum I belong to on Bravenet.

Specifically, I receive this message:

detected DNS query of malicious domain


Not only do I receive the “Botnet found” pop-up message when visiting the forum, I get the reported result that Trend Micro RUBotted has “detected DNS query of malicious domain” without giving an IP address or a malicious domain to verify what’s up with that.

Since I’m running Trend Micro Internet Security, I don’t click the message to run HouseCall. But I did run all my other tools to check for some kind of strange botnet-like behavior on my machine. And that included checking all the open connections on my computer to see if there was something running in the background that I wasn’t aware of.

But, alas and alack, there was nothing.

So that led me to start researching what the heck this message might be related to.  I researched the message, “detected DNS query of malicious domain” only to find others experiencing the same kind of problem but on different sites.

I then started looking for the trigger point of this message on the forum I belong to – which has led me to the conclusion that this is a false positive for me.

Now don’t get me wrong, there are sites that will trigger this because an advertisement or hidden code in the site page programming could be triggering it. So don’t assume that all the “detected DNS query of malicious domain” messages are all false positives. THEY ARE NOT!

For those of you who are a bit more technically inclined than others, let me explain how I researched this so you can do your own bot check on a site triggering the RUBotted pop-up.

Once I was in the forum on Bravenet and I received the pop-up message that there was a botnet found, I accessed the View Page Source to see the coding behind the page I was seeing.  I looked at every single link to see if there was some outside IP address or outside website that this would trigger. All references in the links on the page referred to the forum at bravenet’s website.

However, on certain pages, there are links to websites from people writing in the forum and upon researching one of those links, I found that it had been listed as a potential malware site.  So, it isn’t necessarily the site you’re visiting that creates the false positive, it could be something on the page itself, or a link to a potential or known malware site.
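The link-by-link review of the page source described above can be scripted. The following is an added example, not part of the original post: it lists every host outside the site's own domain that a saved page source references, separating hosts the browser contacts while loading the page from hosts resolved only when a link is clicked. The host names and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes the browser fetches while rendering (a DNS lookup on page load)
# versus links whose host is resolved only when someone clicks them.
AUTO_LOADED = {("script", "src"), ("img", "src"), ("iframe", "src"),
               ("embed", "src"), ("link", "href")}
CLICK_ONLY = {("a", "href"), ("form", "action")}


class _HostCollector(HTMLParser):
    def __init__(self, page_url, own_domain):
        super().__init__()
        self.page_url, self.own = page_url, own_domain.lower()
        self.auto, self.click = set(), set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = (tag, name)
            if not value or kind not in AUTO_LOADED | CLICK_ONLY:
                continue
            # urljoin resolves relative and protocol-relative (//host/x) URLs
            parts = urlsplit(urljoin(self.page_url, value.strip()))
            host = parts.hostname
            if parts.scheme not in ("http", "https") or not host:
                continue  # mailto:, javascript:, data: trigger no lookup
            if host == self.own or host.endswith("." + self.own):
                continue  # the site's own host or one of its sub-domains
            (self.auto if kind in AUTO_LOADED else self.click).add(host)


def external_hosts(html, page_url, own_domain):
    """Return (auto_loaded, click_only): sorted hostnames outside own_domain."""
    collector = _HostCollector(page_url, own_domain)
    collector.feed(html)
    return sorted(collector.auto), sorted(collector.click)


# Constructed sample page source; every host name below is made up.
PAGE_URL = "http://pub.forumhost.example/forum/1"
SAMPLE = """<html><head><link rel="stylesheet" href="/style.css">
<script src="//ads.adnetwork.example/rotate.js"></script></head><body>
<img src="http://pub.forumhost.example/logo.png">
<a href="viewtopic.php?id=7">next topic</a>
<a href="http://Member-Site.example/offer.html">my site</a>
<a href="mailto:admin@forumhost.example">contact</a>
<iframe src="https://tracker.example/pixel"></iframe></body></html>"""

if __name__ == "__main__":
    print(external_hosts(SAMPLE, PAGE_URL, "forumhost.example"))
```

The first list is the one to check against a reputation service when a warning appears on page load. The script only sees hosts present in the static source, so anything a script adds at runtime will not show up.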

There are also questions raised out there that Bravenet itself is a malicious site, but because it hosts FREE forums on the site, there’s no doubt in my mind that someone may have set up a forum with the intent of directing people to a malicious site.  But I went to Bravenet the dot com and did not receive the RUBotted message pop-up. So it was definitely not that site that was the malicious domain.

The take away point of this post is, sometimes you will get false positives.

When in doubt, assume the worst unless you know with all certainty that the site you are on is indeed safe.  In my case, the forum I belong to is an invitation only forum of professional people.

Remember, advertisements such as Google ads and others can alternate malware advertisers on a site that would trigger RUBotted. So if the site you’re visiting is heavily laden with advertising, you can safely assume that it was an ad that triggered the query of a malicious domain.

As I say repeatedly, ALWAYS err on the side of caution when it comes to security!  And I think Trend Micro’s RUBotted does that.

I hope this has helped resolve some of the confusion out there.


I recently had to reformat my Windows partitions because an update for my Vista partition crashed my system and totally lost my DVD Drive.

I have reinstalled the XP partition, but when I went to burn a data DVD, the burn kept failing.  Could not figure out why!

I searched online for answers and the most interesting part of what I found is that not a single tech support forum pointed folks in the direction of the manufacturer’s website!

I have a Lite-On DVDRW LH-20A1S, so I did a Google search for that.

A lot of sites showed up offering me a file to download from their forum. No thanks! I wasn’t born yesterday!

So, this got me wondering who the manufacturer was. I mean was it Lite-on? liteon? Something else altogether?

Well, I found it and I found the niftiest tool I’d like to share with you! (No, I’m not offering the download here!)

First of all, you can search for the drivers for your specific model of Lite-on drive. For my particular model, there’s a flash firmware file to update the firmware on the drive.

For those of you who are clueless as to what I’m saying when I use the term “firmware”, it’s the software that makes the drive (hardware) work. It’s called firmware because you’re installing programming into a piece of hardware that doesn’t have an operating system like your computer does. And normally, firmware is written in a different language, such as Assembly or machine code.

That being said, if you need to update your firmware or reinstall your drivers, go to Lite-On IT Corporation! That’s the name of the company that manufactures these things. The main website page is: http://us.liteonit.com

To find your specific user guide, drivers, firmware and such, go to the page where you get to pick your specific device here: LITE-ON IT Downloads.

They also have an awesome utility for the LH-20A1S called, PLDS Smart Pack Utility. And it supports all Lite-On optical drives! So you need to get that because it will automatically search for a new firmware update for you! This thing is painless!

Let me explain how you do it!

Go to the Downloads page and select: Optical/Storage from the category drop-down.

Then, select your model number from the drop-down menu.

What’s that? You don’t know your model number? Ok, here’s how you find that!

1. Open My Computer.

2. Find the drive itself – it will be labeled CD-ROM, DVDRW or something like that.

3. Right click and choose properties.

4. Click on the Hardware tab and you should see the device with the model number as shown in the picture below.

DVD Properties


Notice the LH-20A1S after the drive information? That’s my model number and you will find yours there also.

Okay, so after you have found your model number in the drop-down box on the drivers page, click the Search button and you will be taken to the page that contains your firmware and other software.

On the left side navigation links, you should have a text link that says, Utilities. Click that.

You want to download and install the Smart Pack Utility! Once it’s installed, you can have it get the update to the software, and then run it once more to get your firmware update.

Now there’s an IMPORTANT thing you need to know about running the flash utility to update your firmware. DO NOT HAVE A CD OR DVD IN THE DRIVE WHEN YOU RUN IT!

This doesn’t use Adobe Flash in the way you commonly think of the term “flash.”   This is a method of installing firmware to devices that actually writes to the device itself.  Therefore, nothing can be in that drive when you “flash” it.

After I ran this nifty utility, it flashed my DVD and my burns completed! No more problems! YEA!

So, for those of you who continuously post to forums looking for answers and getting nowhere, you can come here and ask me! I’ll find the correct answer and make a blog post about it! The contact tab is at the top right of this page in the navigation bar!

And for those of you who came here through a search engine, subscribe to our newsletter and RSS feed! You just never know what I’m going to come up with next! (SMILE)


Did you download the recent Patch Tuesday patches only to face a Black Screen of Death? Not to be confused with the Blue Screen of Death (BSOD) that Microsoft has been so notoriously known for!

Fierce CIO Tech Watch reported this apparent “oops” in their December 1 online article: New ‘black screen of death’ prompts investigation by Microsoft.

The article goes on to say:

The problem appears to stem from some changes made to the Access Control List that not all applications are aware of. The result is applications that stop working, especially Security-related software–resulting in the above symptom.

I’ve said it repeatedly and I’ll say it again, AND YOU WANT TO TRUST MICROSOFT WITH YOUR SECURITY?

That being said, the article also gives a link to a fix for this problem by a security company Prevx (sounds like one of those pills you take for acid reflux, doesn’t it?) that supposedly fixes the registry problem.

Go to the article link below if you need the fix and want to try it out.

Personally, that file makes me nervous but I also don’t have the problem!

If you do have to apply the patch, and you find the file valid and safe, please come back and comment here to let us all know!

Read more:  New ‘black screen of death’ prompts investigation by Microsoft – FierceCIO:TechWatch.
