Technical Tidbits™

Posts Tagged ‘mal-ads’

Over the past several days, I’ve received phone calls and requests for assistance because of some new mal-ads pushing yet another drive-by download.

Based on the discussion with one of these callers and their cry for help, I was able to get at some of the underlying script which was a PHP redirect.

Now for those of you who are unfamiliar with what that is, the simple explanation is that the page or ad being served up, has a code in it using PHP language (my WP blog is written in PHP language) that rotates what is displayed in the ad. I guess you could call it an ad rotation script.

What causes the problem is that when the rotation script calls up an ad that actually redirects you to a file that downloads into your temporary Internet files and launches a pop-up or pop-under page.  Once you click the pop-up/pop-under page, you’ve launched the malware.

I described in a previous post: How To Stop The New Malware, the steps to take to stop this from happening.  But like anything else security related, no one listens until they are infected!

So let me remind you one more time! First, go to this post and change your settings according to the browser you are using.  (It covers IE and Firefox. If you want Safari and Chrome settings, leave a comment and I’ll post those too!)

Next,  if the pop-up/pop-under appears, hold down the Control (CRTL) key, then the ALT key (hold it down too), and then the DEL (delete) key to bring up your Task Manager. Just do that once, because doing it twice will cause your machine to reboot!

Click to view Larger Image

When the Task Manager appears, click the Applications tab (if it’s not already on it) and click on the Internet Explorer or Firefox (whichever applies to your browser) and then click the End Task button on the bottom.

Note: You will lose your entire browsing session but it’s better to lose your browsing session then to get hit with this horrible malware right?

If you end task the way I described here, for now, the malware software will not be able to launch.

The biggest offender is still the FAKEAV (fake AV) malware, this includes the Antivirus 2009 malware. Trend Micro reports the loss to victims in an article:  Rogue AV Scams Result in US$150M in Losses

“November marks the official start of the holiday shopping season as millions of Americans search for gifts and deals both online and in stores,” said Jack Flanagan, executive VP of comScore Media Metrix, in a statement. “With nearly 4 out of 5 Americans online visiting a retail site during November, the Internet clearly represents an increasingly important channel for retailers during the holiday season and beyond.”

This post is dedicated to Mary, one of our blog readers who actually called me and asked me how to block the mal-ads because her TrendMicro RUBotted was continually alerting her. Thank you Mary! It’s so nice to know readers are gaining value from what I write. You truly made my day today!

There are several ways to block the advertising mal-ad sites. I will start with the simplest ways first and work down to the more difficult and list the pros and cons of each method.

Easiest: The first, and easiest method I’ve found to block the malware pushing ads on even the most legitimate sites (tarot.com to name a huge guilty site that’s actually legitimate!), is to install Firefox web browser with the AdBlock Plus Plug-in.

Firefox: http://www.mozilla.com/en-US/
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865

Important Notes: If you are new to Firefox, Add-ons do not automatically install like ActiveX controls in Internet Explorer (IE). You have to click the Add To Firefox button, then, after it loads in the small window, click Install Now to complete the installation. This is actually a double security measure which is why Firefox is more secure than IE.

After the add-on installs it will ask you to restart Firefox. Firefox also saves your current tabs or window your browser was open to so reinstall without worries. You’ll open back up to the page you were on.

Once you install AdBlock Plus, you should see a small stop sign in the upper right corner with the letters ABP in the middle.

AdBlock Plus Icon

(Click on the image to see full view)

Clicking on the down arrow of the icon allows you to control ad blocking on the site or page you are on.

AdBlock Plus Controls

(Click the image to see full view)

Since I’ve installed this handy plug-in, I’ve not seen any RUBotted pop-ups and 99% of the ads I used to see are completely gone. Even all the ones at tarot.com!

Pros: Easy to install and use. Updates itself. No further user steps necessary once installed.

Cons: It also blocks some of the forms on web sites – particularly from Internet marketer sites but also some legitimate ones too. If you see something on the page that instructs you to enter your email address below and you don’t find the form, it’s AdBlock Plus blocking it. Just disable AdBlock for that page or site, refresh the page, and you should see your form available.

Next Easiest - If you are a die-hard IE user and you insist on using IE, Install Spybot S&D (Search and Destroy) from safer-networking.org (use a safer-networking mirror to download).

Once you get past running it the first time, open the program and change the MODE at the top menu to Advanced mode. It will prompt you with a message and click yes to that message.

In advanced mode, you will see 3 bars on the lower right pane of the window. Click Tools.

In the right window, check the box next to IE Tweaks and Host Files if they are not already checked. You will notice after checking them, IE Tweaks and Host Files links are available on the left pane. (I know they do not look like links, but they are!)

Click the Host Files in the left pane and you will see a different right window appear. Click the button to Add Host Files and the list will populate.

When the host files are complete, click the IE Tweaks link on the left pane. Check the box to Lock the host files if it is not already checked. Close Spybot.

Now when you go to IE, you should see this available from the Tools menu:

Spybot S&D in Internet Explorer

(Click the image for full view)

If you click that link, you will see that Spybot has installed the host files and is silently blocking the bad pages.

Spybot S&D Silent Blocking

(Click the image for full view)

Pros: Easy to install, easy to use, and protects you from spyware with regular scanning. Plays nice with Lavasoft’s Ad-aware. And there are a lot of advanced features you can use if you download my free tutorial PDF from this blog post: Spybot Search & Destroy in Advanced Mode.

Cons: Unless you use the advanced configuration to schedule updates and scan regularly, you have to manually remember to do it. If Spybot is installed on a machine prior to installing Trend Micro, you have to uninstall Spybot first, install Trend and reinstall Spybot.

PLEASE NOTE: You cannot immunize with Spybot if you are using one of the major security vendors software! When you immunize, Spybot takes control of the files to monitor them from alterations. The major security software vendors do the same. What you end up with is a huge struggle between files and vendors and your computer slows to a crawl. If you immunized and are experiencing a crawling computer, undo the immunization. And it make take several tries to get fully cleared out but your computer speed will return to normal. Major security vendors are: TrendMicro, Symantec, Norton, McAfee, AVAST, Eset, Kaspersky, Panda, Webroot, and possibly AVG.

Next Easiest – Another one for the die hard IE users. Go to the following site and run the handy tool called, MVPS.bat

The site is: www.mvps.org and you want the zip file midway down the page.

This is a batch file (Dos file) that installs the most recent host files (bad websites) into the appropriate place. The command window will pop-up and tell you it’s done.

Pros: Very simple to install.

Cons: You have to check back frequently with this site because the host files change and require you to update them manually. For every malware site they find or is shut down, ten more appear. So you have to remember to check back frequently.

More difficult and not free. Install Trend Micro Internet Security.

Trend blocks the major mal-ad providers as I illustrated in a previous blog post:  New Trend in Trend

Pros: Effective against most mal-ads, extremely affected against malware, with added security features of Firewall protection, spam protection (Outlook spam toolbar), and a scan to check your windows installation for missing security patches. Works regardless of the browser of you are using.

Cons: It’s not free, although competitively priced.

Most Difficult. The most difficult and most time consuming is to manually add the list of known ad servers to your IE restricted zone.

There are several sites that list the known host files including a text version of the MVPS.bat file.

I list some of the sites here:
http://www.mvps.org/winhelp2002/hosts.txt
http://www.malwaredomainlist.com/mdl.php
http://www.malware.com.br/lists.shtml

To manually add the host files into your restricted zone, you can add them through the Interent Options settings in your Control Panel, or through the browser (IE) itself under Tools – Internet Options. Click on the Security Tab, and select the Restricted Sites Icon. Click the Sites Button to add whatever sites you wish to restrict.

Pros: You can customize the list to allow you to view specific ads.

Cons: Tedious, time consuming, and still requires manual updating.

Now, there are many other methods for doing this which gets into more complicated explanations. So my geeky readers, don’t be emailing me telling me I left out this and that because I meant this to be a quick tutorial for my not-so-techie readers.

Mary, I hope this helped and again, thank you for the phone call!

And as a reminder to Mary and others reading this blog, we are getting the courses back online and will have a huge announcement soon. The training area is located at: http://training.mice.org

Please feel free to leave a comment if you found this information valuable!

You may remember my earlier post: On Botnets, Lie and Corporate BullS#&t, or perhaps you saw the New Trend in Trend post where I discussed the fact that not only were mal-ads being served up through the ad servers, but that my Trend Micro was actually blocking them!

Well, alas and alack, this weekend there were some interesting developments along these lines.

I’ve been a bit of a funk lately and took the weekend off to play my online games and catch up on some personal reading. I have this tendency to leave my MySpace Mafia Wars* open in one tab, while I go look at other sites so I can wait until my 3 hours are up to collect on my Cuba Business! Those of you who play Mafia Wars know what I’m talking about! (GRIN)

Anyway, I had Mafia Wars open on one tab and then opened Tarot.com on the other so I could read my horoscope and find the SuperKC for the day. (Don’t ask! But if you’re interested: Click here for a FREE Tarot Reading**) I walked away from the computer to grab a cup of coffee or something, and when I returned, my Tarot page was switched to the following:

(Click to View Full Size Image)

Now, you might say, Debbie, how do you know it’s tarot.com that delivered the malware? Glad you asked that! Because, other people were reporting the same in the forums!

(Click to view larger image)

I also tried for several hours to reproduce the behavior as I was running my screen capture program and here’s what I discovered!

It’s very difficult – if not impossible – to catch this bugger in the act because of the way the many ads and ad programs they are running rotates. I was able to capture at least 11 different ad servers that were rotating on that site. Specifically:

• a367.yahoofs.com
• ads.lucidmedia.com
• ad.reduxmedia.com
• pixel.quantserve.com
• s7.addthis.com
• m1.2mdn.net
• doubleclick.net
• googleads
• ak.imgfarm.com
• clk.atdmt.com
• img.mediaplex.com

As I would refresh the page trying to get the mal-ad to show up again, these 11 ad servers (and more) would rotate on the page and also rotate the ads they were showing. Therefore, there are hundreds, if not millions of different possible ads that could show up at any given time on that site and individual pages!

I spent nearly 2 hours refreshing the various pages to no avail. I could not capture the mal-ad again.

But this clearly demonstrates how slick this method of pushing malware through the ad servers is!

In case you do not remember, the anti-virus scanner is one of those Trojan downloaders – AKA Drive-by downloads – that are so hard to get rid of!

If you are using Firefox – make sure your options are set correctly to help avoid these drive-bys. The first setting is to adjust your Main tab to show the download and always ask you where to save it. This gives you the heads-up that the drive-by is trying to install, AND, you can then cancel it before it installs or saves itself to your temporary folder. IE saves a copy to your temp folder long before you ever get a pop-up notice that it even blocked it. By then, it’s too late!

See the section with the red line around it below to adjust yours as I have mine adjusted:

(Click to view larger image)

Also, allow Firefox to protect you by blocking known bad sites by altering your Security options as follows:

(Click to view larger image)

If you are still stupid enough – AND YES, I CALLED YOU STUPID – to be using Internet Explorer, and you get caught with this drive-by download, (because there are other sites still dishing it out!) then go to MalwareBytes.org and download their free tool to remove it.  I am not an affiliate of this company, I don’t make any money off recommending their program to you, I just know that I’ve used it to remove these drive-bys from my clients machines. And to be honest, it’s the only thing I found that works!

Now, one final point of clarity, if this is the first time you’re reading about any of this information and you just now found our blog, then I do apologize for calling you stupid. You’re not. You are in fact very smart for finding us!

However, for the numerous amount of readers that we have on a repeat basis, if you are still using IE after I’ve preached, and shown you how dangerous it is, then you fit the stupid category! Strong words, Yes. But I don’t know what else to do to get you to listen to me!

These problems perpetuate because you are not protecting yourself! You are not educating yourself! You owe it to every other Internet citizen to stop the insanity by making this kind of behavior unprofitable to the people who send this crap out!

Okay, I’ll get off my soapbox now. Enough said?

*Please feel free to add me as a friend if you play MySpace Mafia Wars!

**TIIM This is my affiliate link to tarot.com. I earn Karma Coins if you sign up.

CORRECTION ADDED 10/11/09 Addthis.com is not an ad server! Thank you Joel for setting the record straight and thank you for letting us know!