Posts Tagged ‘botnet’
Mal-Ads Still Being Pushed Through Ad Servers!
You may remember my earlier post: On Botnets, Lie and Corporate BullS#&t, or perhaps you saw the New Trend in Trend post where I discussed the fact that not only were mal-ads being served up through the ad servers, but that my Trend Micro was actually blocking them!
Well, alas and alack, this weekend there were some interesting developments along these lines.
I’ve been in a bit of a funk lately and took the weekend off to play my online games and catch up on some personal reading. I have this tendency to leave my MySpace Mafia Wars* open in one tab while I go look at other sites, so I can wait until my 3 hours are up to collect on my Cuba Business! Those of you who play Mafia Wars know what I’m talking about! (GRIN)
Anyway, I had Mafia Wars open on one tab and then opened Tarot.com on the other so I could read my horoscope and find the SuperKC for the day. (Don’t ask! But if you’re interested: Click here for a FREE Tarot Reading**) I walked away from the computer to grab a cup of coffee or something, and when I returned, my Tarot page was switched to the following:
Now, you might say, Debbie, how do you know it’s tarot.com that delivered the malware? Glad you asked that! Because other people were reporting the same in the forums!
I also tried for several hours to reproduce the behavior while running my screen capture program, and here’s what I discovered!
It’s very difficult, if not impossible, to catch this bugger in the act because of the way the many ads and ad programs they are running rotate. I was able to capture at least 11 different ad servers that were rotating on that site. Specifically:
- a367.yahoofs.com
- ads.lucidmedia.com
- ad.reduxmedia.com
- pixel.quantserve.com
- s7.addthis.com
- m1.2mdn.net
- doubleclick.net
- googleads
- ak.imgfarm.com
- clk.atdmt.com
- img.mediaplex.com
As I refreshed the page trying to get the mal-ad to show up again, these 11 ad servers (and more) would rotate on the page and also rotate the ads they were showing. Therefore, there are hundreds, if not millions, of different ads that could show up at any given time on any given page of that site!
I spent nearly 2 hours refreshing the various pages to no avail. I could not capture the mal-ad again.
But this clearly demonstrates how slick this method of pushing malware through the ad servers is!
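The practical way to catch a rotating mal-ad is not to stare at the screen but to log every request the page makes on each refresh and then look for an executable that arrived by way of a third-party host. The script below is an added example, not code from the original post: it tallies which third-party hosts appeared in which refreshes and, for any executable download, walks the Referer chain back to the ad host that led to it. The log format and the sample lines are constructed for illustration; the page host and the rogue anti-virus host are invented, and only the ad-server names come from the list above.

```python
"""Tally third-party hosts across repeated page loads and trace any executable
download back through the Referer chain to the ad host that fed it.
Added example; SAMPLE_LOG is constructed, not real tarot.com traffic."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-style log: <refresh#> <URL> <Referer or -> <Content-Type>
SAMPLE_LOG = """\
1 http://www.horoscope-page.test/daily - text/html
1 http://ad.doubleclick.net/adj/daily;sz=300x250 http://www.horoscope-page.test/daily application/x-javascript
1 http://pixel.quantserve.com/pixel/p-1.gif http://www.horoscope-page.test/daily image/gif
2 http://www.horoscope-page.test/daily - text/html
2 http://ads.lucidmedia.com/serve?id=9 http://www.horoscope-page.test/daily text/html
2 http://img.mediaplex.com/banner.jpg http://ads.lucidmedia.com/serve?id=9 image/jpeg
3 http://www.horoscope-page.test/daily - text/html
3 http://ad.reduxmedia.com/st?c=7 http://www.horoscope-page.test/daily text/html
3 http://scan-now.rogue-av.test/landing.php http://ad.reduxmedia.com/st?c=7 text/html
3 http://scan-now.rogue-av.test/AntivirusSetup.exe http://scan-now.rogue-av.test/landing.php application/x-msdownload
"""

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/octet-stream"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".pif")


def parse_log(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        refresh, url, referer, ctype = line.split()
        entries.append({"refresh": int(refresh), "url": url,
                        "referer": None if referer == "-" else referer,
                        "ctype": ctype})
    return entries


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_first_party(host, site):
    return host == site or host.endswith("." + site)


def third_party_hosts(entries, site):
    """Map every third-party host to the set of refreshes in which it was loaded."""
    seen = defaultdict(set)
    for e in entries:
        h = host_of(e["url"])
        if h and not is_first_party(h, site):
            seen[h].add(e["refresh"])
    return dict(seen)


def is_executable(e):
    path = urlsplit(e["url"]).path.lower()
    return e["ctype"] in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_SUFFIXES)


def referer_chain(entries, start):
    """Walk Referer links backwards (within one refresh) from `start` to the page that began it."""
    by_url = {e["url"]: e for e in entries if e["refresh"] == start["refresh"]}
    chain, cur = [start["url"]], start
    while cur["referer"] in by_url and cur["referer"] not in chain:
        cur = by_url[cur["referer"]]
        chain.append(cur["url"])
    return chain[::-1]


def find_drive_bys(entries, site):
    """One record per executable fetched during a page load, naming the first
    third-party (ad) host in its Referer chain."""
    hits = []
    for e in entries:
        if not is_executable(e):
            continue
        chain = referer_chain(entries, e)
        ad_hosts = [host_of(u) for u in chain if not is_first_party(host_of(u), site)]
        hits.append({"refresh": e["refresh"], "ad_host": ad_hosts[0] if ad_hosts else None,
                     "chain": chain})
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for host, refreshes in sorted(third_party_hosts(log, "horoscope-page.test").items()):
        print(f"{host:32} seen in refreshes {sorted(refreshes)}")
    for hit in find_drive_bys(log, "horoscope-page.test"):
        print(f"refresh {hit['refresh']}: executable via {hit['ad_host']}: " + " -> ".join(hit["chain"]))
```

Run it against a real capture by exporting your proxy or browser log into the same four columns; the point is that the refresh number lets you see which ad network was on the page the one time the payload showed up, even when you never see it again.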
In case you do not remember, that “anti-virus scanner” is one of those Trojan downloaders (AKA drive-by downloads) that are so hard to get rid of!
If you are using Firefox, make sure your options are set correctly to help avoid these drive-bys. The first setting is on the Main tab of the Options dialog: tell Firefox to always ask you where to save a download. This gives you a heads-up that the drive-by is trying to install, AND you can then cancel it before it installs or saves itself to your temporary folder. IE saves a copy to your temp folder long before you ever get a pop-up notice that it even blocked it. By then, it’s too late!
See the section with the red line around it below to adjust yours as I have mine adjusted:
Also, let Firefox protect you by blocking known bad sites: on the Security tab of the Options dialog, check “Block reported attack sites” and “Block reported web forgeries”, as follows:
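Those checkboxes are just preferences in your profile’s prefs.js, so you can check them (and fix them on every machine you look after) without clicking through the dialog. The script below is an added example, not from the original post: it reads a prefs.js or user.js, reports which of the three settings above are wrong or missing, and prints the user.js lines that lock them down. The SAMPLE_PREFS text is constructed; the pref names are the Firefox 3-era ones behind those checkboxes, so confirm them in about:config on your own version.

```python
"""Audit a Firefox prefs.js/user.js for the download and safe-browsing settings
discussed above and emit the user.js lines that correct whatever is off.
Added example; SAMPLE_PREFS is constructed and the pref names are the
Firefox 3-era ones (check about:config on your version)."""
import re

# pref name -> (safe value, the Options checkbox it corresponds to)
WANTED = {
    "browser.download.useDownloadDir": (False, "Main tab: Always ask me where to save files"),
    "browser.safebrowsing.malware.enabled": (True, "Security tab: Block reported attack sites"),
    "browser.safebrowsing.enabled": (True, "Security tab: Block reported web forgeries"),
}

PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

# Constructed prefs.js: downloads land silently in a folder and attack-site blocking is off.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.download.useDownloadDir", true);
user_pref("browser.safebrowsing.enabled", true);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.startup.homepage", "http://www.example.test/");
"""


def parse_prefs(text):
    """Return {name: value} for every pref(...)/user_pref(...) line, typed like Firefox does."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit(prefs):
    """Return {name: (current, wanted, label)} for each wanted pref that is wrong or
    absent. An absent pref means the build default applies; we insist on an explicit
    value so the setting survives a profile reset or a default change."""
    return {name: (prefs.get(name), safe, label)
            for name, (safe, label) in WANTED.items()
            if prefs.get(name) != safe}


def user_js_fix(problems):
    """user.js lines that lock the offending prefs to their safe values."""
    return "\n".join(f'user_pref("{name}", {"true" if wanted else "false"});'
                     for name, (_, wanted, _) in problems.items())


if __name__ == "__main__":
    problems = audit(parse_prefs(SAMPLE_PREFS))
    for name, (cur, wanted, label) in problems.items():
        print(f"{label}: {name} is {cur!r}, should be {wanted!r}")
    print("\nAppend to user.js in your profile folder:\n" + user_js_fix(problems))
```

A user.js in the profile folder is re-applied every time Firefox starts, so a setting fixed this way stays fixed even if something (or someone) flips the checkbox back.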
If you are still stupid enough – AND YES, I CALLED YOU STUPID – to be using Internet Explorer, and you get caught with this drive-by download (because there are other sites still dishing it out!), then go to MalwareBytes.org and download their free tool to remove it. I am not an affiliate of this company, I don’t make any money off recommending their program to you, I just know that I’ve used it to remove these drive-bys from my clients’ machines. And to be honest, it’s the only thing I found that works!
Now, one final point of clarity, if this is the first time you’re reading about any of this information and you just now found our blog, then I do apologize for calling you stupid. You’re not. You are in fact very smart for finding us!
However, for the many readers we have on a repeat basis, if you are still using IE after I’ve preached and shown you how dangerous it is, then you fit the stupid category! Strong words, yes. But I don’t know what else to do to get you to listen to me!
These problems perpetuate because you are not protecting yourself! You are not educating yourself! You owe it to every other Internet citizen to stop the insanity by making this kind of behavior unprofitable to the people who send this crap out!
Okay, I’ll get off my soapbox now. Enough said?
*Please feel free to add me as a friend if you play MySpace Mafia Wars!
**TIIM This is my affiliate link to tarot.com. I earn Karma Coins if you sign up.
CORRECTION ADDED 10/11/09 Addthis.com is not an ad server! Thank you Joel for setting the record straight and thank you for letting us know!
Darwin Award For Stupid Phishing
Do you remember those e-mails that go around listing the Darwin Awards for stupidity? Well, here’s my first award nomination to what I think is the stupidest phisher I’ve ever seen!
The whole idea behind phishing is to look like such a legitimate e-mail that you get the person to click on your link and perform the requested task – which is usually to enter a username and password or your credit card information.
I had to include a full copy of the e-mail for you to appreciate the genius behind the phishing e-mail!
Where’s the link I’m supposed to click on so I can give you my username and password?
And thank you for “the time in expense”???? Are you NOT from the U.S.? In which case, we could not fault you on the butchering of our language. But if you are from the U.S. then you deserve a second Darwin award!
Also, stupid phisher person, if you said you’re updating your database don’t give a second lame excuse in the next paragraph that says you’re doing something else! Pick a reason!
And my God! Learn how to spell and use English correctly if you want to phish in this country!
That being said, anyone recognizing the e-mail address or the IP for this phishing e-mail needs to take some action!
The headers are as follows:
Delivery-date: Sat, 17 Jan 2009 06:29:38 -0800
Received: from smtp.andrew.cmu.edu ([128.2.10.159])
by [mymail.serverremoved.com] with esmtps
(Exim 4.69)
(envelope-from <error@webupdate.com>)
id 1LOCB2-0001uN-HN
for [Myemailremoved]; Sat, 17 Jan 2009 06:29:38 -0800
Received: from webmail.andrew.cmu.edu (WEBMAIL8.andrew.cmu.edu [128.2.10.55])
(user=anniel mech=GSSAPI (56 bits))
by smtp.andrew.cmu.edu (8.13.8/8.13.8) with ESMTP id n0HESGRo002727;
Sat, 17 Jan 2009 09:29:25 -0500
Received: from 41.211.223.254
(SquirrelMail authenticated user anniel@ANDREW.CMU.EDU);
by webmail.andrew.cmu.edu with HTTP;
Sat, 17 Jan 2009 09:29:29 -0500 (EST)
Message-ID: <13098.41.211.223.254.1232202569.squirrel@41.211.223.254>
Date: Sat, 17 Jan 2009 09:29:29 -0500 (EST)
Subject: Confirm Your Webmail Account
From: "Webmail Account Support Team" <error@webupdate.com>
Reply-To: surportteam55@mail2webmaster.com
User-Agent: SquirrelMail/1.5.1 [CVS]
So this gets way better!
I looked up the first IP address, 41.211.223.254, and it’s some broadband location in Sapele, Nigeria!
But I also looked up andrew.cmu.edu and here’s what the website says this is:
The www.andrew.cmu.edu server provides a place for members of the Carnegie Mellon community to publish course, organization, and user web pages.
Then! I looked up 128.2.10.55 and guess what??? It’s definitely Carnegie Mellon’s webmail!
Read the Received lines from the bottom up and the story is plain: somebody at 41.211.223.254 logged in to Carnegie Mellon’s SquirrelMail as the account anniel@andrew.cmu.edu and sent this phish out through CMU’s own SMTP server, which is why the From: address says webupdate.com but the mail arrived from smtp.andrew.cmu.edu. So, it looks like you might have to clean up, Carnegie Mellon! At the very least that account’s password is in a phisher’s hands, and someone may have a botnet on their machines!
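Here is that bottom-up read done in code, as an added example that is not part of the original post. It unfolds the headers printed above (same redactions), reverses the Received chain to get the path the mail actually took, pulls out the originating IP and the authenticated account, and compares the From: and Reply-To: domains with the relays. The 128.2.0.0/16 netblock stands in for Carnegie Mellon’s address space and is an assumption made only so the check has something to compare against; the post does not state it.

```python
"""Read the phishing mail's headers bottom-up: originating IP, authenticating
account, and the mismatches between From:, Reply-To: and the relays.
Added example; HEADERS is the text shown above, 128.2.0.0/16 is an assumed
netblock for the check."""
import ipaddress
import re

HEADERS = """\
Delivery-date: Sat, 17 Jan 2009 06:29:38 -0800
Received: from smtp.andrew.cmu.edu ([128.2.10.159])
    by [mymail.serverremoved.com] with esmtps
    (Exim 4.69)
    (envelope-from <error@webupdate.com>)
    id 1LOCB2-0001uN-HN
    for [Myemailremoved]; Sat, 17 Jan 2009 06:29:38 -0800
Received: from webmail.andrew.cmu.edu (WEBMAIL8.andrew.cmu.edu [128.2.10.55])
    (user=anniel mech=GSSAPI (56 bits))
    by smtp.andrew.cmu.edu (8.13.8/8.13.8) with ESMTP id n0HESGRo002727;
    Sat, 17 Jan 2009 09:29:25 -0500
Received: from 41.211.223.254
    (SquirrelMail authenticated user anniel@ANDREW.CMU.EDU);
    by webmail.andrew.cmu.edu with HTTP;
    Sat, 17 Jan 2009 09:29:29 -0500 (EST)
Message-ID: <13098.41.211.223.254.1232202569.squirrel@41.211.223.254>
Date: Sat, 17 Jan 2009 09:29:29 -0500 (EST)
Subject: Confirm Your Webmail Account
From: "Webmail Account Support Team" <error@webupdate.com>
Reply-To: surportteam55@mail2webmaster.com
User-Agent: SquirrelMail/1.5.1 [CVS]
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ADDR_RE = re.compile(r"([\w.+-]+@[\w.-]+\w)")
AUTH_RE = re.compile(r"authenticated user ([^\s)]+)")

def unfold(text):
    """Join folded continuation lines (RFC 2822) into a list of (name, value)."""
    fields = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def header(fields, name):
    return next((v for n, v in fields if n == name.lower()), None)

def hops(fields):
    """Each relay prepends its Received: line, so reverse them to get the
    path in the order the mail actually travelled (origin first)."""
    return [v for n, v in fields if n == "received"][::-1]

def domain_of(addr_field):
    m = ADDR_RE.search(addr_field or "")
    return m.group(1).split("@")[1].lower() if m else None

def analyse(text, trusted_net="128.2.0.0/16"):
    fields = unfold(text)
    net = ipaddress.ip_network(trusted_net)
    chain = hops(fields)
    origin = next(iter(IP_RE.findall(chain[0])), None)
    auth = AUTH_RE.search(chain[0])
    relay_ips = [ip for hop in chain[1:] for ip in IP_RE.findall(hop)]
    return {
        "originating_ip": origin,
        "origin_in_trusted_net": origin is not None and ipaddress.ip_address(origin) in net,
        "relays_in_trusted_net": bool(relay_ips) and all(ipaddress.ip_address(ip) in net for ip in relay_ips),
        "authenticated_user": auth.group(1).lower() if auth else None,
        "from_domain": domain_of(header(fields, "From")),
        "reply_to_domain": domain_of(header(fields, "Reply-To")),
    }

def red_flags(r):
    flags = []
    if r["reply_to_domain"] and r["reply_to_domain"] != r["from_domain"]:
        flags.append(f"Reply-To goes to {r['reply_to_domain']}, not the From domain {r['from_domain']}")
    if r["authenticated_user"] and r["authenticated_user"].split("@")[1] != r["from_domain"]:
        flags.append(f"From claims {r['from_domain']} but the mail was submitted by {r['authenticated_user']}")
    if r["relays_in_trusted_net"] and not r["origin_in_trusted_net"]:
        flags.append(f"that account logged in to webmail from {r['originating_ip']}, outside the trusted net")
    return flags

if __name__ == "__main__":
    report = analyse(HEADERS)
    for k, v in report.items():
        print(f"{k:24} {v}")
    for flag in red_flags(report):
        print("FLAG:", flag)
```

The third flag is the one that matters to Carnegie Mellon: every relay is theirs, but the session that submitted the mail came from Nigeria using a CMU account, which is what a phished or guessed webmail password looks like in the headers.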
And in case you’re wondering why I’m getting such a big freaking kick out of busting Carnegie Mellon, guess what they run?
CERT! The CERT Coordination Center (CERT/CC), the folks issuing all kinds of security advisories all the time! Check it out! They also work hand in hand with Homeland Security’s US-CERT!
But hey, what do I know!? Certainly not as much as they do! Do you think I’ll get the men in black on my doorstep if I nominate them for a Darwin Award too?
On Botnets, Lies and Corporate Bulls#&t
I know, an odd title, isn’t it? But you’ll see why soon.
I must also add a caveat: This post does contain adult language!
Did you see the movie ‘Network‘? The one where the new anchor loses it on the air, throws his television out the window, and screams, “I’m mad as hell and I’m not going to take it anymore!” Yeah, THAT movie!
Well, I know how the Anchorman feels.
Yesterday, while researching this continuing botnet issue, I came across a very interesting press release on DoubleClick’s web site. But before I share that with you, let me digress for a moment.
Remember the big to-do about Google partnering with Yahoo? Remember Microsoft (M$) whining and complaining about the ‘supposed unfair advantage and monopoly’ a partnership between Google and Yahoo would create? Whaa, whaa, whaa! Poor Microsoft!
Then recently, the headlines hit the blogosphere that Google was hours away from being named a monopoly by the U.S. Department of Justice when Google backed off.
Now that I’ve refreshed your memory, fast forward to my noting a press release on DoubleClick’s web site yesterday.
Pop Quiz!
- Who owns DoubleClick?
- Who owns and created Silverlight?
- Who is serving video ads to Silverlight?
Answer Key:
- Who owns DoubleClick? Google
- Who owns and created Silverlight? Microsoft
- Who is serving video ads to Silverlight? Google owned DoubleClick
Now, doesn’t that seem like someone is sleeping with the enemy?
Read it yourself here: http://www.doubleclick.com/about/news_details.aspx?id=1406&linkidentifier=id&itemid=1406
You see folks, what I’ve come to realize is that all this media spin and “woe is me” from Microsoft is nothing more than Microsoft crying wolf. And why? $$$MONEY$$$
What’s that saying? “Money talks, bulls#&t walks?”
It’s okay for Microsoft Silverlight to run Google-owned DoubleClick ads because Microsoft is making money!
It’s NOT okay for Google to partner with Yahoo because Microsoft ISN’T making money!
And why won’t Google, DoubleClick, Yahoo, Right Media, and all the rest of the online advertising companies do something about malware being pushed through their ads? Because they are COLLECTING MONEY from the advertisers! And because to put a procedure in place to screen those ads and protect visitors, would COST them MONEY!
Small companies like ours make nothing on the research we do, and practically nothing on the small amount of ads we do run on our site.
Hell, the top day of our Google adsense at the peak of this botnet issue earned us a whopping 27 cents! Whoo Hoo! I’ll take that to the bank as soon as Google decides it adds up to $100 in any given month – READ: I won’t hold my breath waiting.
The truth of the matter is my friends, that we are being fed a HUGE plate of Corporate BS with a side of lies.
Microsoft couldn’t care less about Google’s unfair competition with Yahoo. It wants Yahoo for the ad revenue it can earn under Yahoo’s name. And why? Because Microsoft’s name can’t earn it!
I could find better search results reading the sediment in my septic tank (like tea leaf reading only grosser) than find anything from Live or MSN Search.
Microsoft knows their search is useless! So they want Yahoo’s name to hide behind so they can rake in the advertising dough.
And if I’m right with my prediction about the upcoming botnet from hell, all the advertising companies will make a fortune from it!
Think about it!
They’ll collect revenue from the advertisers wanting to push the malware. (What better way to deliver an Internet Weapon of Mass Destruction (IWMD) than through ads that are on nearly every single web site!)
Then, they’ll collect a fortune off the adwords related to this new malware and the fix being searched for as millions of broken, infected PCs go online to search for help.
And the botnet creators will make a fortune off the information they get from every single infected computer and compromised corporate network! (And if you have yet to read the report about this underground economy, please pick up the report here: The Online Shadow Economy. My paranoia is based on real facts!)
The only people not getting rich off this whole scam are the poor shmucks at the bottom of this food chain. The small companies, small bloggers, and the average Internet users. The very same ones who have to pay for the damage because Corporate A**holes don’t give a s#&t about us!
It’s days like this that I wonder why the h@ll I even bother!
But then, I get an additional reader, or a new subscriber. Perhaps a few new comments posted, and I have hope again. I have hope that there are others like me still out there that are paying attention. Vigilantly watching to maintain the integrity of the Internet.
And YOU make it all worthwhile!
So, for those of you – like me – who want to prepare for what might be coming, I’m going to teach you over the next several posts how to prepare to protect yourself. I think we might be able to avoid the impending damage if we cover our assets, so to speak.
Tomorrow, we will learn how to block the ad servers. Yes, I know, I’m cutting off my 27 cents in revenue by teaching you how to do this. But you never know. If I’m correct in my line of thinking and research, we just might get a legitimate sponsor for this blog! Or maybe someone will donate or buy something from us! You never know! It could happen!
So tune in tomorrow! We’re going to play Medieval Europe and secure the castles!
It doesn’t matter what OS or what browser you’re using. We’ll cover them all!
Oh! I should note, however, that so far our research is showing that Ubuntu (Linux) has not been affected by any of this!