
This post will probably affect maybe 1% of our readership, but I felt it worthy of posting anyway.
I have been having problems for quite some time using HootSuite for my social networking in both Firefox and IE 8 browsers. I finally found that it worked best in IE8 if that was the only thing running. Meaning, I didn’t have other tabs open like I so often do with Firefox. And, I can run IE 8 with HootSuite while having my Firefox open with all the tabs I want without interference.
This morning, I made an amazing discovery! I had HootSuite running in my IE and I had opened Firefox to log in to my BlogTalk radio show. Panic set in!
BlogTalk radio would not load properly and even when I tried to call in to the switchboard, the phone call would not connect and my switchboard items became dimmed out. (Now why the calling part would be related to the online switchboard I don’t know.) With less than 3 minutes to show time, I started panicking!
I don’t know what made me shut down IE and HootSuite, but as soon as I did, I was able to connect to the BlogTalk radio switchboard and my call went through!
When I decided to write this post, I went back to each page – HootSuite and BlogTalk Radio – and looked at the page sources to see what might be conflicting.
Both sites use JavaScript but I’ve never had a problem having multiple tabs open with JavaScripts running on each page. Even the most complex JavaScript doesn’t seem to be resource intensive by any means.
The problem appears to be Flash. I don’t know whether each of these sites is so Flash intensive that the browsers (both IE and Firefox) can’t handle it, or whether there is a conflict with the resources being used by each and the way the browsers manage it.
Even now as I type this post, I have the radio switchboard open in one tab and HootSuite open in another and I’m getting a lag in the typing here in the WordPress blog tab. It seems to happen when either HootSuite is updating the tweets, or when BlogTalk radio refreshes the page for the advertising at the top. Which appears to be handled by JavaScript so I’m really confused!
Anyway, I wanted to put this out there so anyone who might be having a problem using HootSuite might benefit from knowing that you may have to restrict using it with other resource intensive sites. At least until we can upgrade to such a powerful computer that it won’t matter how resource intensive a web app is for the browser! (Where is an affordable terabyte processor when you need one?)
So, if you’ve been kicked out of our radio show chat or lost your sound during a show, make sure that you’re not running HootSuite in the background while you’re listening to the show live. I bet you won’t experience any problems during the show!
BTW, I know that friend of the show, Charles Taggart, uses TweetDeck during the show and he has never reported being kicked out of the live chat nor losing sound. (Yes Charles, I’ve heard the chirps over our phone conversations! LOL) So, whatever the difference is between how TweetDeck and HootSuite are programmed to work, is where the problem is.
And I’m not going to blame the browsers on this one! Are you surprised? (GRIN)

Over the weekend the roomie notifies me that not only did Trend Micro catch a few Trojan viruses, there appeared to be some malcode in his Firefox folder!
First, the Trend Micro results prompted the roomie to do a full Malwarebytes scan. That turned up the interesting results shown below.

Trend Micro had by this time quarantined or deleted some of the other files. All were the same Trojan with variant extensions.
Notice in the image above, that the worm and Trojan agent are found in what is usually the “typical” installation of Firefox. If you install Firefox on a Windows computer, it will put the Mozilla Firefox folder in the Program Files. But notice I also said, a “typical” installation of Firefox!
My roomie is aware of the dangers of the web. He’s no stranger to this stuff. (Wonder why?) So, he NEVER installed his Firefox browser on his computer. Instead, he uses the Portable Apps version that is on his Flash Drive or USB stick.
It never was a typical installation – which may have been what saved his computer from a whole lot of damage!
The files that were found beneath this folder give me an indication that this was a theme or persona he tried out when the new Firefox was released. The install.rdf resembles – somewhat – the typical install.rdf in a theme with some minor alterations to the file. (Please note: I’ve saved the original files as TEXT so you can see what I see.)
There were a few other files that I will need to open in another program to read as they are not text readable. Not sure exactly what kind of code it is yet and frankly, it doesn’t look like it’s even English programming code. But if anyone from Mozilla would like the files, I’ll be happy to turn them over to someone in that community or to any security researcher.
There was another strange code inside a folder which was structured like this: C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul. As far as I can remember, I do not remember seeing a timer anything in Firefox files.
So, I opened that up in my text editor to find this:
This code led to a site that does not have a home page if you back out the extraneous stuff after the .com. So, full security enabled, I went to the full link to be displayed a blank page. However, I right clicked on that page and saw that there was code beneath the blank white page.
This:
PLEASE DO NOT ACCESS THESE SITES ON YOUR OWN! I have a high level of security on my test machine and do not put my own private PC at risk.
I won’t get into the details of what the code does but suffice it to say that it’s really redirecting you to the site specified in the code. And guess what Trend Micro says about that site?
Interesting that if you do a search on this website, it’s listed as everything from web search hijacker to a virus!
And it’s run by some shady characters. Just look here – it’s safe – http://www.robtex.com/dns/mysearchcorp.com.html.
Okay, so we tracked down the bad guys. The point is how did this get into my roomie’s computer?
He was downloading and trying on different Themes and Personas. And due to the fact that all the code points to a directory on his computer that should have never been created because he uses Firefox on his flash drive, AND the fact that it created an install.rdf and a few other files synonymous with a theme. Plus the fact that the timer.xul has references to an “overlay” and a blacked out background makes me also suspicious.
When my roomie went back to Trend because we couldn’t see the network shared folder so he could pass on these files to me, it was discovered that all his Network Protocol entries under his firewall settings had been damaged or deleted. He had to uninstall and reinstall Trend Micro once again. In all my years of working with Trend Micro, I’ve never seen anything take out the protocols under the firewall before! Very scary!
Lastly, he tells me that around this time, he may – or may not – have had his Trend Micro RUBotted trigger when he was visiting sites. Bad sign!
Since many of the files were damaged or deleted in the scans, I can’t say with 100% certainty that this was a theme or persona. But I am saying BE CAREFUL in case it is a new attack vector. We’ve seen some Firefox add-ons removed due to their containing malware in the past. Did the jerks move to personas and themes next?
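The inspection described in this post (an extensions folder holding an install.rdf and a timer.xul that points at a remote site) can be repeated offline with a small audit script; this is an added example, not part of the original post. The function names, the namespace-host allowlist and the sample file contents are assumptions made for illustration; only the folder name comes from the post.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

EM = "{http://www.mozilla.org/2004/em-rdf#}"         # install.rdf property namespace
NAMESPACE_HOSTS = {"www.mozilla.org", "www.w3.org"}  # assumption: XML namespace URIs, not fetches
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def read_manifest(rdf_path):
    """Return (id, name) from install.rdf (child elements or attributes); Nones if unreadable."""
    try:
        root = ET.parse(rdf_path).getroot()
    except (ET.ParseError, OSError):
        return None, None
    for desc in root.iter():
        about = [v for k, v in desc.attrib.items() if k.split("}")[-1] == "about"]
        if "urn:mozilla:install-manifest" in about:
            return tuple((desc.findtext(EM + p) or desc.get(EM + p) or "").strip() or None
                         for p in ("id", "name"))
    return None, None

def audit_extensions(ext_dir):
    """Per folder: manifest identity, remote URLs in .xul files, and whether the em:id
    matches the folder name (heuristic: unpacked legacy extensions sit in a folder named by id)."""
    findings = []
    for folder in sorted(p for p in Path(ext_dir).iterdir() if p.is_dir()):
        ext_id, name = read_manifest(folder / "install.rdf")
        remote = {}
        for xul in sorted(folder.rglob("*.xul")):
            urls = sorted({u for u in URL_RE.findall(xul.read_text(errors="replace"))
                           if urlparse(u).hostname not in NAMESPACE_HOSTS})
            if urls:
                remote[xul.relative_to(folder).as_posix()] = urls
        findings.append({"folder": folder.name, "id": ext_id, "name": name,
                         "id_matches_folder": ext_id == folder.name, "remote_urls": remote})
    return findings

def build_sample(root):
    """Constructed sample under root: folder name is the one in the post, contents are made up."""
    ext = Path(root) / "{9CE11043-9A15-4207-A565-0C94C42D590D}"
    (ext / "chrome" / "content").mkdir(parents=True)
    (ext / "install.rdf").write_text(
        '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
        '<Description about="urn:mozilla:install-manifest">'
        '<em:id>sample@example.invalid</em:id><em:name>Sample Theme</em:name></Description></RDF>')
    (ext / "chrome" / "content" / "timer.xul").write_text(
        '<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">'
        '<script>var u = "http://redirect.example/go?src=timer";</script></overlay>')
```

Run `audit_extensions()` against a copy of the extensions folder rather than the live one, and look up any reported host in a reputation service instead of opening it in a browser.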

In a recent InfoWorld article (see link at the end), Paul Venezia talks about Google’s safe browsing practices where he states that Google finds you guilty by association.
Safe browsing is the term used for Google’s crawling of your website, and if it finds malware, an attack attempt or other such nasties, your URL is put on the blacklist. When browsers like Firefox and Chrome (which use the Google safe browsing rating) attempt to visit your page, both Firefox and Chrome will give the user a warning that your site is infected and should not be visited.
Venezia goes on to explain how difficult it is to have the blacklist removed, and if you listened to Monday’s Frontline Results Radio show, you heard that it took Sam McArthur several months to get back her ranking in the search engines.
But here’s one side of this practice that doesn’t relate to Sam’s hack or the usual intentional malware page that Venezia doesn’t cover. And that is the one where Google’s own ads deliver the malware!
I have found many such ads being delivered through credible sites. I’ve reported them here. But because the ads are rotated so often – you may only get hit with one every so many thousand of ad rotations.
So why is it Google can find the websites delivering up malicious content but they can’t find it from their own advertisers? Oh, that’s right! We don’t pay Google! Enough said?
via Google Safe Browsing practices guilt by association | Web applications – InfoWorld.











