
As you may remember from several of my previous posts – RUBotted Popup and Microsoft Bulletins and Botnets, just to name a few – I use Trend Micro’s RUBotted regularly and recommend using it.
I’ve noticed that there is a continuous false positive appearing on my pop-up message every time I visit a specific forum I belong to on Bravenet.
Specifically, I receive this message:

Not only do I receive the “Botnet found” pop-up message when visiting the forum, I also get the reported result that Trend Micro RUBotted has “detected DNS query of malicious domain” without giving an IP address or a malicious domain name, so there is nothing to verify what’s up with that.
Since I’m running Trend Micro Internet Security, I don’t click the message to run HouseCall. But I did run all my other tools to check for some kind of strange botnet-like behavior on my machine. That included checking all the open connections on my computer to see if there was something running in the background that I wasn’t aware of.
But, alas and alack, there was nothing.
So that led me to start researching what the heck this message might be related to. I researched the message, “detected DNS query of malicious domain” only to find others experiencing the same kind of problem but on different sites.
I then started looking for the trigger point of this message on the forum I belong to – which has led me to the conclusion that this is a false positive for me.
Now don’t get me wrong, there are sites that will trigger this because an advertisement or hidden code in the site page programming could be triggering it. So don’t assume that every “detected DNS query of malicious domain” message is a false positive. THEY ARE NOT!
For those of you who are a bit more technically inclined than others, let me explain how I researched this so you can do your own bot check on a site triggering the RUBotted pop-up.
Once I was in the forum on Bravenet and I received the pop-up message that there was a botnet found, I opened View Page Source to see the coding behind the page I was seeing. I looked at every single link to see if there was some outside IP address or outside website that could trigger it. All references in the links on the page referred to the forum at Bravenet’s website.
However, on certain pages, there are links to websites from people writing in the forum and upon researching one of those links, I found that it had been listed as a potential malware site. So, it isn’t necessarily the site you’re visiting that creates the false positive, it could be something on the page itself, or a link to a potential or known malware site.
There are also questions raised out there about whether Bravenet itself is a malicious site. Because it hosts FREE forums, there’s no doubt in my mind that someone may have set up a forum with the intent of directing people to a malicious site. But I went to bravenet.com itself and did not receive the RUBotted pop-up message. So it was definitely not that site that was the malicious domain.
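To do the page-source check described above with less eyeballing, here is an added example (my own code, not the author’s and not part of RUBotted): it pulls every href/src out of a page, resolves them against the page URL, reports which hosts are outside the site you are on, and marks any that appear on a local blocklist. The HTML, the hostnames and the blocklist are constructed placeholders, not real indicators.

```python
import urllib.parse
from html.parser import HTMLParser

# Constructed sample page source standing in for a forum page; every
# hostname is a placeholder (.test domains), not a real indicator.
SAMPLE_HTML = """
<html><head>
<script src="/js/forum.js"></script>
<script src="http://ads.example-adnetwork.test/serve.js"></script>
</head><body>
<a href="viewtopic.php?t=42">Thread</a>
<a href="http://forum.example.test/profile.php?u=7">Profile</a>
<a href="http://suspicious-host.example.test/free-stuff">member link</a>
<img src="//cdn.example.test/avatar.png">
</body></html>
"""

# Constructed local blocklist; a real check would use a reputation service.
BLOCKLIST = {"suspicious-host.example.test"}

class RefCollector(HTMLParser):
    """Collect every href/src attribute so no outbound reference is missed."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.refs.append(value)

def outbound_hosts(html, page_url):
    """Return {host: [urls]} for references that leave the page's own site."""
    parser = RefCollector()
    parser.feed(html)
    own_host = urllib.parse.urlsplit(page_url).hostname
    external = {}
    for ref in parser.refs:
        full = urllib.parse.urljoin(page_url, ref)  # resolves relative and //host refs
        host = urllib.parse.urlsplit(full).hostname
        if host and host != own_host:
            external.setdefault(host, []).append(full)
    return external

def check_page(html, page_url, blocklist=BLOCKLIST):
    # Split outbound hosts into blocklisted ones and merely external ones.
    external = outbound_hosts(html, page_url)
    flagged = {h: u for h, u in external.items() if h in blocklist}
    return {"external": external, "flagged": flagged}
```

An ad network or CDN showing up as external is normal; the hosts worth a second look are the ones that are both external and unknown to you, which is exactly the member-posted link the post describes.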
The takeaway point of this post is that sometimes you will get false positives.
When in doubt, assume the worst unless you know with all certainty that the site you are on is indeed safe. In my case, the forum I belong to is an invitation-only forum of professional people.
Remember, advertising networks such as Google Ads and others rotate advertisers on a site, and a malicious advertiser in that rotation would trigger RUBotted. So if the site you’re visiting is heavily laden with advertising, you can safely assume that it was an ad that triggered the query of a malicious domain.
As I say repeatedly, ALWAYS err on the side of caution when it comes to security! And I think Trend Micro’s RUBotted does that.
I hope this has helped resolve some of the confusion out there.

I’d like to take this minute to publicly thank the donor who bought me a cup of coffee by dropping a tip in my tip jar! Thank you! That was very sweet of you and very much appreciated!
Sometimes it really bothers me to be right!
You may remember that throughout the RUBotted pop-up discussions and my predictions for the year, I stated that:
There will be an IWMD (Internet Weapon of Mass Destruction) launched sometime during this year. It will be considered a mashup blended threat because it will take advantage of the security flaws in a multitude of web apps and will propagate through ad servers.
The keywords in my rants and my predictions have always been that the new malware will be pumped through ad servers. Remember that?
Well, it’s not the huge Weapon of Mass Destruction but it could be heading in that direction.
Microsoft issued a security bulletin today. And it seems there is a bit of a problem with the way Internet Explorer handles CSS. Yes, you’ve read that right. Cascading Style Sheets! A standard on the web!
In fact, here’s what their Bulletin MS09-002 says:
A remote code execution vulnerability exists in the way Internet Explorer handles Cascading Style Sheets (CSS). An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.
And as they’ve told us repeatedly, Microsoft knows all about security and all about web standards!
But this is not the BEST part!
The Mitigating Factors section or the conditions in which this vulnerability becomes a problem states:
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
Now, what was it I said in the RUBotted pop-up discussion about ad servers possibly pushing the malware? Hmmm, maybe I’m not such a joke after all Symantec employee – huh?
The other part of that above quoted section makes me want to laugh myself off my chair.
In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
Dear Idiots at Microsoft, if the fracking thing can be exploited through hosted ads, nobody needs to be directed to a website! Nearly every freaking website has hosted ads now!
Am I the only one that sees how lame and ridiculous this is?
So needless to say, if you’ve got your auto-updates turned off as I do, then make sure you install the fix for this baby. But since we know there will be more fixes just move to Firefox and be done with it!
For the technical information on the new release see: Microsoft Bulletin Summary for February.
On another note, the RUBotted issue. My pop-ups are not as frequent as they were in the beginning, but I’m still getting a few here and there.
I think I’ve found multiple reasons for the message, and although I tried to contact Trend Micro through our partner program and their Twitter account, no one is responding – so what else is new?
One web site set off my RUBotted pop-up and I found a piece of code in the header that could explain it. The code was trying to activate my Firefox Skype toolbar – which I don’t have.
I’ve inserted the code at the bottom of this post so you can see it for yourself.
Upon researching what this does, I found that this code snippet is inserted by accident when someone is editing a web page and using the Skype toolbar add-on for Firefox.
However, since the Skype toolbar add-on makes it easy to call from Firefox, the JS file associated with this toolbar led me to believe that it was trying to activate something on the toolbar, which set off RUBotted.
Remember, all the RUBotted pop-up messages claim that something is trying to launch a program remotely! And that’s exactly what the script does!
(To see the JS file associated with this script code, visit here: Koders Code Search.)
Next, I have seen several other pop-ups associated with Flash files on a web site – either ads or just plain flash files on a web site.
Did you ever notice how you can right click over a flash file and get to the settings?
Just go to adobe.com, where there’s a huge Flash section in the upper part of the page. Right-click it and select Settings.
The first thing that appears is the privacy settings, where you can allow or deny Flash Player access to your webcam or microphone – if you have them – and I do.
What if, there’s something attempting to access the flash player on those sites that are giving us the pop-up?
I don’t have the answer yet because it’s very time consuming and quite difficult to go through every flash ad and try to reverse engineer it to find out what it’s doing.
But I was correct about the ad servers and malware, just didn’t know about the CSS vulnerability. How many other ad server vulnerabilities are there that we still don’t know about? Or is this someone doing some testing for the next round of malware?
So, who’s to say I’m not right about these flash pop-ups either?
There is one flaw in my thinking, however. My housemate didn’t have Flash Player installed when he first got hit with his pop-up. And... he doesn’t have a webcam or a microphone.
But! Could his pop-ups have been related to the Skype toolbar issue? Or something else?
I’ve had several people contact me with theories and thoughts, and another big possibility is the attempt to launch your messaging program, chat, or instant messenger.
We continue investigating flash files, JavaScript files, and lines and lines of code!

Are you getting sick of these posts? I know I am!
Anthony has decompiled the flash file I sent him and the file is benign – meaning it’s harmless.
So, this confirms what our readers have been saying – it’s not in the Flash, stupid!
That being said, where does that leave us?
Well, we’ve done some investigative work with other ads and sites that are not producing the pop-up but have some interesting activity in their pages and scripts. And that’s where we’re leaning now – PHP and JavaScript.
The PHP code in some pages allows for the rotation of content without the user knowing or being aware of it. JavaScript nested inside JavaScript, inside yet more JavaScript, provides for some very interesting behaviors.
As I’ve posted before, I think the advertising companies are clueless as to the state of their advertisers pushing malware and maybe it’s time we deliver the wake-up call.
We will, as always, keep you posted!
As a related side note: Do you remember a time when we all scrambled to get a pop-up blocker? Whether it was in the form of a toolbar or a browser add-on, we wanted the pop-up ads to stop.
Whatever happened with that?
I’ve noticed I’m getting pop-up ads again whether they pop-up on a page, pop-under a page, or roll back from the corner of the page. So much for pop-up blockers huh?