Technical Tidbits™

As you may remember from several of my previous posts - RUBotted Popup and Microsoft Bulletins and Botnets,  just to name a few – that I use Trend Micro’s RUbotted regularly and recommend using it.

I’ve noticed that there is a continuous false positive appearing on my pop-up message every time I visit a specific forum I belong to on Bravenet.

Specifically, I receive this message:

(Click to see larger image)

Not only do I receive the “Botnet found” pop-up message when visiting the forum, I get the reported results that Trend Micro RUBotted has, “detected DNS query of malicious domain” without giving a IP address or a malicious domain to verify what’s up with that.

Since I’m running Trend Micro Internet Security, I don’t click the message to run House Call.  But I did run all my other tools to check for some kind strange botnet-like behavior on my machine.  And that included checking all my open connections on my computer to see if there was something running in the background that I wasn’t aware of.

But, alas and alack, there was nothing.

So that led me to start researching what the heck this message might be related to.  I researched the message, “detected DNS query of malicious domain” only to find others experiencing the same kind of problem but on different sites.

I then started looking for the trigger point of this message on the forum I belong to – which has led me to the conclusion that this is a false positive for me.

Now don’t get me wrong, there are sites that will trigger this because an advertisement or hidden code in the site page programming could be triggering it. So don’t assume that all the “detected DNS query of malicious domain” messages are all false positives. THEY ARE NOT!

For those of you who are bit more technically inclined than others, let me explain how I researched this so you can do your own bot check on a site triggering the RUBotted pop-up.

Once I was in the forum on Bravenet and I received the pop-up message that there was a botnet found, I accessed the View Page Source to see the coding behind the page I was seeing.  I looked at every single link to see if there was some outside IP address or outside website that this would trigger. All references in the links on the page referred to the forum at bravenet’s website.

However, on certain pages, there are links to websites from people writing in the forum and upon researching one of those links, I found that it had been listed as a potential malware site.  So, it isn’t necessarily the site you’re visiting that creates the false positive, it could be something on the page itself, or a link to a potential or known malware site.

There are also questions raised out there that Bravenet itself is a malicious site, but because it hosts FREE forums on the site, there’s no doubt in my mind that someone may have set up a forum with the intent of directing people to a malicious site.  But I went to Bravenet the dot com and did not receive the RUBotted message pop-up. So it was definitely not that site that was the malicious domain.

The take away point of this post is, sometimes you will get false positives.

When in doubt, assume the worse unless you know with all certainty that the site you are on is indeed safe.  In my case, the forum I belong to is an invitation only forum of professional people.

Remember, advertisements such as Google ads and others can alternate malware advertisers on a site that would trigger RUBotted. So if the site you’re visiting is heavily laden with advertising, you can safely assume that it was an ad that triggered the query of a malicious domain.

As I say repeatedly, ALWAYS err on the side of caution when it comes to security!  And I think Trend Micro’s RUBotted does that.

I hope this has helped resolve some of the confusion out there.

Over the past several days, I’ve received phone calls and requests for assistance because of some new mal-ads pushing yet another drive-by download.

Based on the discussion with one of these callers and their cry for help, I was able to get at some of the underlying script which was a PHP redirect.

Now for those of you who are unfamiliar with what that is, the simple explanation is that the page or ad being served up, has a code in it using PHP language (my WP blog is written in PHP language) that rotates what is displayed in the ad. I guess you could call it an ad rotation script.

What causes the problem is that when the rotation script calls up an ad that actually redirects you to a file that downloads into your temporary Internet files and launches a pop-up or pop-under page.  Once you click the pop-up/pop-under page, you’ve launched the malware.

I described in a previous post: How To Stop The New Malware, the steps to take to stop this from happening.  But like anything else security related, no one listens until they are infected!

So let me remind you one more time! First, go to this post and change your settings according to the browser you are using.  (It covers IE and Firefox. If you want Safari and Chrome settings, leave a comment and I’ll post those too!)

Next,  if the pop-up/pop-under appears, hold down the Control (CRTL) key, then the ALT key (hold it down too), and then the DEL (delete) key to bring up your Task Manager. Just do that once, because doing it twice will cause your machine to reboot!

Click to view Larger Image

When the Task Manager appears, click the Applications tab (if it’s not already on it) and click on the Internet Explorer or Firefox (whichever applies to your browser) and then click the End Task button on the bottom.

Note: You will lose your entire browsing session but it’s better to lose your browsing session then to get hit with this horrible malware right?

If you end task the way I described here, for now, the malware software will not be able to launch.

The biggest offender is still the FAKEAV (fake AV) malware, this includes the Antivirus 2009 malware. Trend Micro reports the loss to victims in an article:  Rogue AV Scams Result in US$150M in Losses

(Read more: http://blog.trendmicro.com/rogue-av-scams-result-in-us150m-in-losses/#ixzz0b766AKur) That being said, I have a theory why this is on the rise again. I tweeted an article today about the increase in online sales over the holiday season.  Specifically, Online Shopping Breaks Records at InformationWeek. The article says that,

“November marks the official start of the holiday shopping season as millions of Americans search for gifts and deals both online and in stores,” said Jack Flanagan, executive VP of comScore Media Metrix, in a statement. “With nearly 4 out of 5 Americans online visiting a retail site during November, the Internet clearly represents an increasingly important channel for retailers during the holiday season and beyond.”

Now, we’ve discussed in the past the online shadow economy and how they benefit from this malware. Now, add to that the fact that more and more Americans are shopping online and you have a hackers and identity thief’s heaven! Is it any wonder there’s an increase in the number of mal-ads being pushed through the ad servers?

You may remember my earlier post: On Botnets, Lie and Corporate BullS#&t, or perhaps you saw the New Trend in Trend post where I discussed the fact that not only were mal-ads being served up through the ad servers, but that my Trend Micro was actually blocking them!

Well, alas and alack, this weekend there were some interesting developments along these lines.

I’ve been a bit of a funk lately and took the weekend off to play my online games and catch up on some personal reading. I have this tendency to leave my MySpace Mafia Wars* open in one tab, while I go look at other sites so I can wait until my 3 hours are up to collect on my Cuba Business! Those of you who play Mafia Wars know what I’m talking about! (GRIN)

Anyway, I had Mafia Wars open on one tab and then opened Tarot.com on the other so I could read my horoscope and find the SuperKC for the day. (Don’t ask! But if you’re interested: Click here for a FREE Tarot Reading**) I walked away from the computer to grab a cup of coffee or something, and when I returned, my Tarot page was switched to the following:

(Click to View Full Size Image)

Now, you might say, Debbie, how do you know it’s tarot.com that delivered the malware? Glad you asked that! Because, other people were reporting the same in the forums!

(Click to view larger image)

I also tried for several hours to reproduce the behavior as I was running my screen capture program and here’s what I discovered!

It’s very difficult – if not impossible – to catch this bugger in the act because of the way the many ads and ad programs they are running rotates. I was able to capture at least 11 different ad servers that were rotating on that site. Specifically:

• a367.yahoofs.com
• ads.lucidmedia.com
• ad.reduxmedia.com
• pixel.quantserve.com
• s7.addthis.com
• m1.2mdn.net
• doubleclick.net
• googleads
• ak.imgfarm.com
• clk.atdmt.com
• img.mediaplex.com

As I would refresh the page trying to get the mal-ad to show up again, these 11 ad servers (and more) would rotate on the page and also rotate the ads they were showing. Therefore, there are hundreds, if not millions of different possible ads that could show up at any given time on that site and individual pages!

I spent nearly 2 hours refreshing the various pages to no avail. I could not capture the mal-ad again.

But this clearly demonstrates how slick this method of pushing malware through the ad servers is!

In case you do not remember, the anti-virus scanner is one of those Trojan downloaders – AKA Drive-by downloads – that are so hard to get rid of!

If you are using Firefox – make sure your options are set correctly to help avoid these drive-bys. The first setting is to adjust your Main tab to show the download and always ask you where to save it. This gives you the heads-up that the drive-by is trying to install, AND, you can then cancel it before it installs or saves itself to your temporary folder. IE saves a copy to your temp folder long before you ever get a pop-up notice that it even blocked it. By then, it’s too late!

See the section with the red line around it below to adjust yours as I have mine adjusted:

(Click to view larger image)

Also, allow Firefox to protect you by blocking known bad sites by altering your Security options as follows:

(Click to view larger image)

If you are still stupid enough – AND YES, I CALLED YOU STUPID – to be using Internet Explorer, and you get caught with this drive-by download, (because there are other sites still dishing it out!) then go to MalwareBytes.org and download their free tool to remove it.  I am not an affiliate of this company, I don’t make any money off recommending their program to you, I just know that I’ve used it to remove these drive-bys from my clients machines. And to be honest, it’s the only thing I found that works!

Now, one final point of clarity, if this is the first time you’re reading about any of this information and you just now found our blog, then I do apologize for calling you stupid. You’re not. You are in fact very smart for finding us!

However, for the numerous amount of readers that we have on a repeat basis, if you are still using IE after I’ve preached, and shown you how dangerous it is, then you fit the stupid category! Strong words, Yes. But I don’t know what else to do to get you to listen to me!

These problems perpetuate because you are not protecting yourself! You are not educating yourself! You owe it to every other Internet citizen to stop the insanity by making this kind of behavior unprofitable to the people who send this crap out!

Okay, I’ll get off my soapbox now. Enough said?

*Please feel free to add me as a friend if you play MySpace Mafia Wars!

**TIIM This is my affiliate link to tarot.com. I earn Karma Coins if you sign up.

CORRECTION ADDED 10/11/09 Addthis.com is not an ad server! Thank you Joel for setting the record straight and thank you for letting us know!